NPFCTL(8) System Manager's Manual NPFCTL(8)
NAME
npfctl - control NPF packet filter
SYNOPSIS
npfctl command [arguments]
DESCRIPTION
The npfctl command can be used to control the NPF packet filter. For a description of NPF's configuration file, see npf.conf(5).
 
The first argument, command, specifies the action to take. Valid commands are:
start
Enable packet inspection using the currently loaded configuration, if any. Note that this command does not load or reload the configuration.
stop
Disable packet inspection. This command does not change the currently loaded configuration.
reload [path]
Load or reload configuration from file. The configuration file at /etc/npf.conf will be used unless a file is specified by path. The reload operation (i.e., replacing the ruleset) is atomic.
flush
Flush configuration. That is, remove all rules and tables. This command does not disable packet inspection.
table tid
List all entries in the currently loaded table specified by tid. Fail if tid does not exist.
table tid <addr/mask>
Query the table tid for a specific IPv4 CIDR, specified by addr/mask. If no mask is specified, a single host is assumed.
table tid [add | rem] <addr/mask>
In table tid, add or remove the IPv4 CIDR specified by <addr/mask>.
PERFORMANCE
Reloading the configuration is a relatively expensive operation. Therefore, frequent reloads should be avoided. Use of tables should be considered as an alternative design. See npf.conf(5) for details.
FILES
/dev/npf
control device
/etc/npf.conf
default configuration file
EXAMPLES
Starting the NPF packet filter:
# npfctl reload
# npfctl start
 
Addition and removal of entries in the table whose ID is 2:
# npfctl table 2 add 10.0.0.1
# npfctl table 2 rem 182.168.0.0/24
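
Keeping a table in step with an address list without reloading the ruleset, as suggested under PERFORMANCE. This is an added example, not part of the original manual page. The function names, the table ID 2, and the list format (one IPv4 address or CIDR per line, `#` comments allowed) are assumptions.

```shell
#!/bin/sh
# Added example: print the "npfctl table" commands that turn an old address
# list into a new one, so only the changed entries touch the filter.
# Function names and the list file format are hypothetical.

# Strip comments and whitespace, keep only addr or addr/mask, sort uniquely.
# Anything else is dropped so it can never reach a command run as root.
npf_clean_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        LC_ALL=C sort -u
}

# npf_table_delta TID OLD_LIST NEW_LIST
# Prints "rem" commands for entries only in OLD_LIST, then "add" commands
# for entries only in NEW_LIST. Nothing is executed here.
npf_table_delta() {
    tid=$1
    case $tid in
        ''|*[!0-9]*) echo "invalid table id: $tid" >&2; return 2 ;;
    esac
    old_sorted=$(mktemp) && new_sorted=$(mktemp) || return 1
    npf_clean_list "$2" > "$old_sorted"
    npf_clean_list "$3" > "$new_sorted"
    # comm -23: lines only in the first file; comm -13: only in the second
    LC_ALL=C comm -23 "$old_sorted" "$new_sorted" |
        sed "s|^|npfctl table $tid rem |"
    LC_ALL=C comm -13 "$old_sorted" "$new_sorted" |
        sed "s|^|npfctl table $tid add |"
    rm -f "$old_sorted" "$new_sorted"
}

# Demonstration on constructed lists (documentation address ranges).
npf_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 10.0.0.1 192.0.2.0/24 198.51.100.7 > "$dir/old"
    printf '%s\n' '# constructed list' 10.0.0.1 198.51.100.7 \
        203.0.113.0/24 'bad;entry' > "$dir/new"
    npf_table_delta 2 "$dir/old" "$dir/new"
    rm -rf "$dir"
}

npf_demo
```

Review the printed commands before running them as root; entries the two lists share produce no command at all.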
SEE ALSO
HISTORY
NPF first appeared in NetBSD 6.0.