npfctl — control NPF packet filter

npfctl command [arguments]

The npfctl command can be used to control the NPF packet filter. For a
description of NPF's configuration file, see npf.conf(5).

The first argument, command, specifies the action to take. Valid commands
are:
- start
      Enable packet inspection using the currently loaded configuration, if any.
      Note that this command does not load or reload the configuration, or
      affect existing connections.
- stop
      Disable packet inspection. This command does not change the currently
      loaded configuration, or affect existing connections.
- reload [path]
      Load or reload the configuration from a file. The configuration file at
      /etc/npf.conf will be used unless a file is specified by path. All
      connections will be preserved during the reload, except those which will
      lose their NAT policy due to its removal. NAT policy is determined by the
      translation type and address. Note that a change of filter criteria will
      not expire associated connections. The reload operation (i.e., replacing
      the ruleset, NAT policies and tables) is atomic.
- flush
      Flush the configuration. That is, remove all rules and tables and expire
      all connections. This command does not disable packet inspection.
- show
      Show the current state and configuration. The syntax of the printed
      configuration is intended for the user and may not match the
      npf.conf(5) syntax.
- validate [path]
      Validate the configuration file and the processed form. The configuration
      file at /etc/npf.conf will be used unless a file is specified by path.
      The path may also be set to "-" for reading from stdin.
- rule name add ⟨rule-syntax⟩
      Add a rule to the dynamic ruleset specified by name. On success, returns
      a unique identifier which can be used to remove the rule with the rem-id
      command. The identifier is an alphanumeric string.
- rule name rem ⟨rule-syntax⟩
      Remove a rule from the dynamic ruleset specified by name. This method
      uses a SHA1 hash computed on the rule to identify it. Although very
      unlikely, it is subject to hash collisions. For a fully reliable and more
      efficient method, it is recommended to use the rem-id command.
- rule name rem-id ⟨id⟩
      Remove the rule specified by the unique id from the dynamic ruleset
      specified by name.
- rule name list
      List all rules in the dynamic ruleset specified by name.
- rule name flush
      Remove all rules from the dynamic ruleset specified by name.
- table name add ⟨addr/mask⟩
      In table name, add the IP address and optionally netmask specified by
      ⟨addr/mask⟩. Only tables of type "lpm" support masks.
- table name rem ⟨addr/mask⟩
      In table name, remove the IP address and optionally netmask specified by
      ⟨addr/mask⟩. Only tables of type "lpm" support masks.
- table name test ⟨addr⟩
      Query the table name for a specific IP address, specified by addr. If no
      mask is specified, a single host is assumed.
- table name list
      List all entries in the currently loaded table specified by name. This
      operation is expensive and should be used with caution.
- table name replace [-n newname] [-t type] ⟨path⟩
      Replace the existing table specified by name with a new table built from
      the file specified by path. Optionally, the new table will:
      - -n newname
            be named newname, effectively renaming the table. If not
            specified, the name of the table being replaced will be used.
      - -t type
            be of type type; currently supported types are ipset, lpm, or
            const. If not specified, the type of the table being replaced will
            be used.
- save [path]
      Save the active configuration with a snapshot of the current connections.
      The data will be stored in the /var/db/npf.db file unless a file is
      specified by path. The administrator may want to stop packet inspection
      before saving.
- load
      Load the saved configuration and the connections from the file. Note
      that any existing connections will be destroyed. The administrator may
      want to start packet inspection after the load.
- stats
      Print various statistics.
- debug (-a | -b binary-config | -c config) [-o outfile]
      Process the active configuration (if -a is set), the given binary
      configuration (if -b is set) or the given plain configuration (if -c is
      set). Print the byte-code of each rule and the encoded configuration
      data. Also, if -o is set, write the binary configuration data into the
      given file. This is primarily for developer use.
- list [-46hNnW] [-i ifname]
      Display a list of tracked connections:
      - -4
            Display only IPv4 connections.
      - -6
            Display only IPv6 connections.
      - -h
            Don't display a header.
      - -N
            Try to resolve addresses.
      - -n
            Only show NAT connections.
      - -W
            Restrict the display width.
      - -i ifname
            Display only connections through the named interface.
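The dynamic-ruleset commands above return an identifier from "rule name add" and recommend "rem-id" over the hash-based "rem". The following POSIX sh wrapper is an added example, not code from the npfctl man page or from the NPF project: it records the identifier at add time so the rule can later be removed precisely by id. The ruleset name "dyn-block", the state file location, and the rule text in the usage comment are assumptions; the rule text must follow the npf.conf(5) syntax accepted by your NPF version.

```shell
#!/bin/sh
# Added example (not part of npfctl(8) or NPF): wrap "rule <name> add" and
# "rule <name> rem-id" so that the identifier returned by add is kept and
# used for removal, instead of relying on the SHA1-based "rem".
#
# Assumptions: NPFCTL names the npfctl binary (set NPFCTL="echo npfctl"
# for a dry run); STATE is a record file owned by this script; the ruleset
# name and the rule text supplied by the caller are valid for npf.conf(5).

NPFCTL=${NPFCTL:-npfctl}
STATE=${STATE:-/var/db/npf-dynrules.ids}   # assumed location, not an NPF file

# dynrule_add SET RULE... : add RULE to dynamic ruleset SET, record
# "SET ID RULE" in $STATE and print the identifier npfctl returned.
dynrule_add() {
    set_name=$1; shift
    id=$($NPFCTL rule "$set_name" add "$@") || return 1
    printf '%s %s %s\n' "$set_name" "$id" "$*" >> "$STATE"
    printf '%s\n' "$id"
}

# dynrule_rem SET RULE... : remove every recorded rule in SET whose text is
# exactly RULE, using "rem-id" with the stored identifier, and drop the
# record. Returns 1 if nothing matched or no record file exists yet.
dynrule_rem() {
    set_name=$1; shift
    rule=$*
    [ -f "$STATE" ] || return 1
    tmp=$STATE.tmp
    : > "$tmp"
    found=1
    while read -r s id text || [ -n "$s" ]; do
        if [ "$s" = "$set_name" ] && [ "$text" = "$rule" ] &&
           $NPFCTL rule "$set_name" rem-id "$id"; then
            found=0          # removed from NPF: do not carry the record forward
            continue
        fi
        printf '%s %s %s\n' "$s" "$id" "$text" >> "$tmp"
    done < "$STATE"
    mv "$tmp" "$STATE"
    return $found
}

# Example usage (the rule text is an assumed npf.conf(5)-style rule):
#   id=$(dynrule_add "dyn-block" block in final proto icmp from 192.0.2.6)
#   dynrule_rem "dyn-block" block in final proto icmp from 192.0.2.6
```

Keeping the identifier is what makes removal exact: two textually different rules can never share an id, whereas "rem" rehashes the text and, as the man page notes, can in principle collide. Records whose "rem-id" call fails are kept in the state file so a transient error does not silently lose track of a live rule.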
 
 
 
Reloading the configuration is a relatively expensive operation. Therefore,
  frequent reloads should be avoided. Use of tables should be considered as an
  alternative design. See
  npf.conf(5) for details.
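As an added example of the table-based alternative this paragraph recommends (not code from the npfctl man page or from NPF), here is a POSIX sh script that applies an address list to a table with "table name add" / "table name rem", validating each entry before it reaches the command line, so that routine address changes never require a reload. The table name "blocklist", the input file layout (one IPv4 address or address/mask per line, "#" comments) and the sample entries are assumptions; the table must be declared with type "lpm" in npf.conf(5) for masked entries to be accepted.

```shell
#!/bin/sh
# Added example (not part of npfctl(8) or NPF): keep an NPF table current
# from a text file with "table <name> add|rem", so routine address changes
# never need "npfctl reload".
#
# Assumptions: the table (default "blocklist") is declared with type "lpm"
# in npf.conf(5) so /mask entries are accepted; the input file holds one
# IPv4 address or address/mask per line, with '#' comments.

NPFCTL=${NPFCTL:-npfctl}      # set NPFCTL="echo npfctl" for a dry run

# valid_v4 ENTRY : succeed only for a dotted-quad IPv4 address with an
# optional /0..32 prefix. Anything else (names, IPv6, stray characters) is
# rejected before it can become part of an npfctl command line.
valid_v4() {
    case $1 in
        */*) ip=${1%%/*}; plen=${1#*/} ;;
        *)   ip=$1; plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] 2>/dev/null || return 1
    case $ip in ''|.*|*.|*..*) return 1 ;; esac
    rest=$ip; n=0
    while [ -n "$rest" ]; do
        case $rest in
            *.*) octet=${rest%%.*}; rest=${rest#*.} ;;
            *)   octet=$rest; rest= ;;
        esac
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# table_apply add|rem TABLE FILE : run one npfctl table operation per valid
# entry in FILE. Invalid lines are reported and skipped; the function still
# returns 1 at the end so the caller notices the bad input.
table_apply() {
    op=$1; table=$2; file=$3; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                            # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')  # and whitespace
        [ -n "$entry" ] || continue
        if valid_v4 "$entry"; then
            $NPFCTL table "$table" "$op" "$entry" || bad=1
        else
            printf 'table_apply: skipping invalid entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample input (not from the page) used by demo_dry_run.
SAMPLE='10.0.0.1
192.0.2.0/24        # TEST-NET-1 (documentation range)
not-an-address
10.0.0.256
198.51.100.1/33
'

# demo_dry_run : write SAMPLE to a temporary file and print the npfctl
# commands table_apply would issue, without invoking npfctl at all.
demo_dry_run() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE" > "$f"
    NPFCTL="echo npfctl"
    rc=0
    table_apply add blocklist "$f" || rc=$?
    rm -f "$f"
    return $rc
}
```

Run "demo_dry_run" to see the two commands that would be issued for the valid entries; the three malformed lines are reported on stderr and the function exits non-zero. In production the same script, with NPFCTL left at its default, can be driven from a feed updater: a changed address list then costs one "table add" or "table rem" per entry instead of a full ruleset reload.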
- /dev/npf
      control device
- /etc/npf.conf
      default configuration file
Starting the NPF packet filter:

    # npfctl reload
    # npfctl start
    # npfctl show

Addition and removal of entries in the table whose ID is "vip":

    # npfctl table "vip" add 10.0.0.1
    # npfctl table "vip" rem 182.168.0.0/24

Replacing the existing table which has ID "svr" with a new const table
populated from file "/tmp/npf_vps_new", and renamed to "vps":

    # npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new"

NPF first appeared in NetBSD 6.0.

NPF was designed and implemented by Mindaugas Rasiukevicius.