NPFCTL(8)               NetBSD System Manager's Manual               NPFCTL(8)

     npfctl -- control NPF packet filter

     npfctl command [arguments]

     The npfctl command can be used to control the NPF packet filter.  For a
     description of NPF's configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid com-
     mands are:

        start   Enable packet inspection using the currently loaded configura-
                tion, if any.  Note that this command does not load or reload
                the configuration, or affect existing sessions.

        stop    Disable packet inspection.  This command does not change the
                currently loaded configuration, or affect existing sessions.

        reload [path]
                Load or reload configuration from file.  The configuration
                file at /etc/npf.conf will be used unless a file is specified
                by path.  All sessions will be preserved during the reload,
                except those which will lose NAT policy due to removal.  NAT
                policy is determined by the translation type and address.
                Note that change of filter criteria will not expire associated
                sessions.  The reload operation (i.e., replacing the ruleset,
                NAT policies and tables) is atomic.

        flush   Flush configuration.  That is, remove all rules, tables and
                expire all sessions.  This command does not disable packet

        show    Show the current state and configuration.  Syntax of printed
                configuration is for the user and may not match the
                npf.conf(5) syntax.

        validate [path]
                Validate the configuration file and the processed form.  The
                configuration file at /etc/npf.conf will be used unless a file
                is specified by path.

        rule name add <rule-syntax>
                Add a rule to a dynamic ruleset specified by name.  On suc-
                cess, returns a unique identifier which can be used to remove
                the rule with rem-id command.  The identifier is alphanumeric

        rule name rem <rule-syntax>
                Remove a rule from a dynamic ruleset specified by name.  This
                method uses SHA1 hash computed on a rule to identify it.
                Although very unlikely, it is subject to hash collisions.  For
                a fully reliable and more efficient method, it is recommended
                to use rem-id command.

        rule name rem-id <id>
                Remove a rule specified by unique id from a dynamic ruleset
                specified by name.

        rule name list
                List all rules in the dynamic ruleset specified by name.

        rule name flush
                Remove all rules from the dynamic ruleset specified by name.

        table tid add <addr/mask>
                In table tid, add the IP address and optionally netmask, spec-
                ified by <addr/mask>.  Only tree-type tables support masks.

        table tid rem <addr/mask>
                In table tid, remove the IP address and optionally netmask,
                specified by <addr/mask>.  Only tree-type tables support

        table tid test <addr>
                Query the table tid for a specific IP address, specified by
                addr.  If no mask is specified, a single host is assumed.

        table tid list
                List all entries in the currently loaded table specified by
                tid.  This operation is expensive and should be used with cau-

                Save all active sessions.  The data will be stored in the
                /var/db/npf_sessions.db file.  Administrator may want to stop
                the packet inspection before the session saving.

                Load saved sessions from the file.  Note that original config-
                uration should be loaded before the session loading.  In a
                case of NAT policy changes, sessions which lose an associated
                policy will not be loaded.  Any existing sessions during the
                load operation will be expired.  Administrator may want to
                start packet inspection after the session loading.

        stats   Print various statistics.

        debug   Process the configuration file, print the n-code of each rule
                and dump the raw configuration.  This is primarily for devel-
                oper use.

     Reloading the configuration is a relatively expensive operation.  There-
     fore, frequent reloads should be avoided.  Use of tables should be con-
     sidered as an alternative design.  See npf.conf(5) for details.

     /dev/npf       control device
     /etc/npf.conf  default configuration file

     Starting the NPF packet filter:

           # npfctl reload
           # npfctl start
           # npfctl show

     Addition and removal of entries in the table whose ID is 2:

           # npfctl table 2 add
           # npfctl table 2 rem

     npf.conf(5), npf_ncode(9)

     NPF first appeared in NetBSD 6.0.

     NPF was designed and implemented by Mindaugas Rasiukevicius.

NetBSD 6.1                     February 16, 2013                    NetBSD 6.1

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias <>
©1996-2017 Modified for NetBSD by Kimmo Suominen