| version 1.39, 2014/02/14 01:52:58 |
version 1.40, 2014/05/15 02:34:29 |
|
|
| .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| .\" POSSIBILITY OF SUCH DAMAGE. |
.\" POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .Dd February 14, 2014 |
.Dd May 15, 2014 |
| .Dt NPF.CONF 5 |
.Dt NPF.CONF 5 |
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| Line 155 block out final pcap-filter "tcp and dst |
|
| Line 155 block out final pcap-filter "tcp and dst |
|
| .Pp |
.Pp |
| Fragments are not selectable since NPF always reassembles packets |
Fragments are not selectable since NPF always reassembles packets |
| before further processing. |
before further processing. |
| |
.Ss Stateful |
| |
Stateful packet inspection is enabled using |
| |
.Cd stateful |
| |
or |
| |
.Cd stateful-ends |
| |
keywords. |
| |
The former creates a state which is uniquely identified by a 5-tuple (source |
| |
and destination IP addresses, port numbers and an interface identifier). |
| |
The latter excludes the interface identifier and must be used with |
| |
precaution. |
| |
In both cases, a full TCP state tracking is performed for TCP connections |
| |
and a limited tracking for message-based protocols (UDP and ICMP). |
| |
.Pp |
| |
By default, stateful rule implies SYN-only flag check ("flags S/SAFR") |
| |
for the TCP packets. |
| |
It is not advisable to change this behavior, however, |
| |
it can be overriden with |
| |
.Cd flags |
| |
keyword. |
| .Ss Map |
.Ss Map |
| Network Address Translation (NAT) is expressed in a form of segment mapping. |
Network Address Translation (NAT) is expressed in a form of segment mapping. |
| The translation may be dynamic (stateful) or static (stateless). |
The translation may be dynamic (stateful) or static (stateless). |
| Line 252 rule-list = [ rule new-line ] rule-list |
|
| Line 271 rule-list = [ rule new-line ] rule-list |
|
| |
|
| npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] |
npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] |
| ( "all" | filt-opts ) |
( "all" | filt-opts ) |
| static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] |
static-rule = ( "block" [ block-opts ] | "pass" ) |
| |
[ "stateful" | "stateful-ends" ] |
| [ "in" | out" ] [ "final" ] [ "on" interface ] |
[ "in" | out" ] [ "final" ] [ "on" interface ] |
| ( npf-filter | "pcap-filter" pcap-filter-expr ) |
( npf-filter | "pcap-filter" pcap-filter-expr ) |
| [ "apply" proc-name ] |
[ "apply" proc-name ] |
![[BACK]](/icons/back.gif){kind=icon}
Return to npf.conf.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / usr.sbin / npf / npfctl