npf-params
—
tunable NPF parameters
NPF supports a set of dynamically tunable parameters.
All parameter values are integers and should generally be between
zero and INT_MAX
, unless specified otherwise. Some
parameters values can be negative; such values would typically have a
special meaning. Enable/disable switches should be represented as boolean
values 0 ("off") or 1 ("on").
bpf.jit
- BPF just-in-time compilation: enables or disables
bpfjit(4) support. Some
machine architectures are not presently supported by
bpfjit(4). Setting this
parameter to off stops NPF from trying to enable this functionality, and
generating a warning if it is unable to do so. Default: 1.
ip4.reassembly
- Perform IPv4 reassembly before inspecting the packet. Fragmentation is
considered very harmful, so most networks are expected to prevent it;
reassembly is enabled by default. However, while the packet should
generally be reassembled at the receiver, reassembly by the packet filter
may be necessary in order to perform state tracking. Default: 1.
ip6.reassembly
- Perform IPv6 reassembly before inspecting the packet. Discouraged in
general but not prohibited by RFC 8200. Default: 0.
gc.step
- Number of connection state items to process in one garbage collection
(G/C) cycle. Must be positive number. Default: 256.
gc.interval_min
- The lower bound for the sleep time of the G/C worker. The worker is
self-tuning and will wake up more frequently if there are connections to
expire; it will wake up less frequently, diverging towards the upper
bound, if it does not encounter expired connections. Default: 50 (in
milliseconds).
gc.interval_min
- The upper bound for the sleep time of the G/C worker. Default: 5000 (in
milliseconds).
state.key
- The connection state is uniquely identified by an n-tuple. The state
behavior can be controlled by including (excluding) some of the
information in (from) the keys.
interface
- Include interface identifier into the keys, making the connection
state strictly per-interface. Default: 1.
direction
- Include packet direction into the keys. Default: 1.
state.generic
- Generic state tracking parameters for non-TCP flows. All timeouts are in
seconds and must be zero or positive.
timeout.new
- Timeout for new ("unsynchronized") state. Default: 30.
timeout.established
- Timeout for established ("synchronized") state. Default:
60.
timeout.closed
- Timeout for closed state. Default: 0.
state.tcp
- State tracking parameters for TCP connections. All timeout values are in
seconds.
max_ack_win
- Maximum allowed ACK window. Default: 66000.
strict_order_rst
- Enforce strict order RST. Default: 1.
timeout.new
- Timeout for a new connection in "unsynchronized" state.
Default: 30.
timeout.established
- Timeout for an established connection ("synchronized"
state). Default: 86400.
timeout.half_close
- Timeout for the half-close TCP states. Default: 3600.
timeout.close
- Timeout for the full close TCP states. Default: 10.
timeout.time_wait
- Timeout for the TCP time-wait state. Default: 240.
portmap.min_port
- Lower bound of the port range used when selecting the port for dynamic NAT
with port translation enabled. Default: 1024 (inclusive; also the lowest
allowed value).
portmap.max_port
- Upper bound of the port range as described above. Default: 49151
(inclusive; 65535 is the highest allowed value).
An example line in the
npf.conf(5) configuration
file:
set state.tcp.strict_order_rst on # "on" can be used instead of 1
set state.tcp.timeout.time_wait 0 # destroy the state immediately
NPF was designed and implemented by Mindaugas
Rasiukevicius.