npf man page on NetBSD

NPF(3)			 BSD Library Functions Manual			NPF(3)

NAME
     npf — NPF packet filter library

LIBRARY
     library “libnpf”

SYNOPSIS
     #include <npf.h>

     nl_config_t *
     npf_config_create(void);

     int
     npf_config_submit(nl_config_t *ncf, int fd);

     void
     npf_config_destroy(nl_config_t *ncf);

     int
     npf_config_flush(int fd);

     nl_rule_t *
     npf_rule_create(char *name, uint32_t attr, u_int if_idx);

     int
     npf_rule_setcode(nl_rule_t *rl, int type, const void *code, size_t len);

     int
     npf_rule_setkey(nl_rule_t *rl, int type, const void *key, size_t len);

     bool
     npf_rule_exists_p(nl_config_t *ncf, const char *name);

     int
     npf_rule_insert(nl_config_t *ncf, nl_rule_t *parent, nl_rule_t *rl);

     int
     npf_rule_setprio(nl_rule_t *rl, pri_t pri);

     int
     npf_rule_setproc(nl_config_t *ncf, nl_rule_t *rl, const char *name);

     void
     npf_rule_destroy(nl_rule_t *rl);

     nl_rproc_t *
     npf_rproc_create(char *name);

     bool
     npf_rproc_exists_p(nl_config_t *ncf, const char *name);

     int
     npf_rproc_insert(nl_config_t *ncf, nl_rproc_t *rp);

     nl_nat_t *
     npf_nat_create(int type, u_int flags, u_int if_idx, npf_addr_t *addr,
	 int af, in_port_t port);

     int
     npf_nat_insert(nl_config_t *ncf, nl_nat_t *nt, pri_t pri);

     nl_table_t *
     npf_table_create(u_int id, int type);

     int
     npf_table_add_entry(nl_table_t *tl, int af, in_addr_t addr,
	 in_addr_t mask);

     bool
     npf_table_exists_p(nl_config_t *ncf, u_int tid);

     int
     npf_table_insert(nl_config_t *ncf, nl_table_t *tl);

     void
     npf_table_destroy(nl_table_t *tl);

DESCRIPTION
     The npf library provides an interface to create an NPF configuration
     consisting of rules, tables, rule procedures and translation (NAT)
     policies, and to submit it to the kernel.  It is the interface used by
     npfctl(8) to load a configuration.

FUNCTIONS
   Configuration
     npf_config_create()
	   Create an empty configuration in userland.  Rules, tables,
	   procedures and translation policies are added to it with the
	   functions below; nothing reaches the kernel until the
	   configuration is submitted with npf_config_submit().

     npf_config_submit(ncf, fd)
	   Submit configuration ncf to the kernel through fd, an open
	   descriptor to the NPF control device (/dev/npf, the device used
	   by npfctl(8)).

     npf_config_destroy(ncf)
	   Destroy the configuration ncf, releasing its userland objects.

     npf_config_flush(fd)
	   Flush the configuration currently active in the kernel.

   Rule interface
     npf_rule_create(name, attr, if_idx)
	   Create a rule with a given name, attributes and interface.  Name
	   can be NULL, in which case the rule has no unique identifier.
	   Otherwise, rules shall not have duplicate names.  The following
	   attributes, which can be ORed, are available:

	   NPF_RULE_PASS
		   Decision of this rule is "pass".  If this attribute is not
		   specified, then packet "block" (drop) is the default.

	   NPF_RULE_FINAL
		   Indicates that on rule match, further processing of the
		   ruleset should be stopped and this rule applied instantly.

	   NPF_RULE_STATEFUL
		   Create a state (session) on match and track the connection,
		   so that packets of the reverse stream are passed on a state
		   lookup without being inspected against the ruleset.

	   NPF_RULE_RETRST
		   Return a TCP RST packet when the packet is blocked.

	   NPF_RULE_RETICMP
		   Return an ICMP destination unreachable message when the
		   packet is blocked.

	   NPF_RULE_IN
		   Rule may match incoming packets only.

	   NPF_RULE_OUT
		   Rule may match outgoing packets only.

	   The interface is specified by if_idx, the numeric index of an
	   interface as returned by if_nametoindex(3).  Zero indicates any
	   interface.

     npf_rule_setcode(rl, type, code, len)
	   Assign compiled code for the rule specified by rl, used for filter
	   criteria.  Pointer to the binary code is specified by code, and
	   size of the memory area by len.  Type of the code is specified by
	   type.  Currently, only n-code is supported and NPF_CODE_NC should
	   be passed.

     npf_rule_setkey(rl, type, key, len)
	   Assign a key for the rule specified by rl.  Binary key is specified
	   by key, and its size by len.	 The size shall not exceed
	   NPF_RULE_MAXKEYLEN.

     npf_rule_exists_p(ncf, name)
	   Determine whether a rule named name exists in the configuration
	   ncf.  Return true if it exists, and false otherwise.

     npf_rule_insert(ncf, parent, rl)
	   Insert the rule rl into the subset of the rule specified by
	   parent.  If parent is NULL, insert into the main ruleset.

     npf_rule_setprio(rl, pri)
	   Set the priority of the rule rl.  Negative priorities are invalid.

	   Priority is the order of the rule in the ruleset.  A lower value
	   means the rule is processed earlier, a higher value later.  If
	   multiple rules are inserted with the same priority, their relative
	   order is unspecified, so give distinct priorities to rules whose
	   order matters (for example, a block rule that must precede a pass
	   rule).

	   The special constants NPF_PRI_FIRST and NPF_PRI_LAST can be passed
	   to indicate that the rule should be inserted into the beginning or
	   the end of the priority level 0 in the ruleset.  All rules inserted
	   using these constants will have the priority 0 assigned and will
	   share this level in the ordered way.

     npf_rule_setproc(ncf, rl, name)
	   Set the rule procedure identified by name in configuration ncf
	   for the rule rl.

     npf_rule_destroy(rl)
	   Destroy the given rule.

   Rule procedure interface
     npf_rproc_create(name)
	   Create a rule procedure with a given name.  Name must be unique for
	   each procedure.

     npf_rproc_exists_p(ncf, name)
	   Determine whether a rule procedure named name exists in the
	   configuration ncf.  Return true if it exists, and false otherwise.

     npf_rproc_insert(ncf, rp)
	   Insert the rule procedure rp into the configuration ncf.

   Translation interface
     npf_nat_create(type, flags, if_idx, addr, af, port)
	   Create a NAT translation policy of a specified type.	 There are two
	   types:

	   NPF_NATIN	     Inbound NAT policy.

	   NPF_NATOUT	     Outbound NAT policy.

	   A bi-directional NAT is obtained by combining two policies.	The
	   following flags are supported:

	   NPF_NAT_PORTS     Indicates to perform port translation.  Other‐
			     wise, port translation is not performed and port
			     is ignored.

	   NPF_NAT_PORTMAP   Effective only if NPF_NAT_PORTS flag is set.
			     Indicates to create a port map and select a
			     random port for translation.  Otherwise, the
			     port is translated to the value specified by
			     port.

	   Translation address is specified by addr, and its family by af.
	   Family must be either AF_INET for IPv4 or AF_INET6 for IPv6
	   address.

     npf_nat_insert(ncf, nt, pri)
	   Insert the NAT policy nt, together with its associated rule, into
	   the configuration ncf at priority pri (see npf_rule_setprio() for
	   the meaning of pri).

   Table interface
     npf_table_create(id, type)
	   Create an NPF table of the specified type.  The table is
	   identified by id, which must be in the range from 1 to
	   NPF_MAX_TABLE_ID.  The following types are supported:

	   NPF_TABLE_HASH   Indicates to use a hash table for storage.

	   NPF_TABLE_TREE   Indicates to use a red-black tree for storage.

     npf_table_add_entry(tl, af, addr, mask)
	   Add an entry of IP address and mask, specified by addr and mask, to
	   the table specified by tl.  Family, specified by af, must be either
	   AF_INET for IPv4 or AF_INET6 for IPv6 address.

     npf_table_exists_p(ncf, tid)
	   Determine whether a table with ID tid exists in the configuration
	   ncf.  Return true if it exists, and false otherwise.

     npf_table_insert(ncf, tl)
	   Insert the table tl into the configuration ncf.  The routine
	   checks for a duplicate table ID and fails if one is found.

     npf_table_destroy(tl)
	   Destroy the specified table.

SEE ALSO
     npfctl(8), npf_ncode(9)

HISTORY
     The NPF library first appeared in NetBSD 6.0.

BSD				January 5, 2013				   BSD