npf-params —
tunable NPF parameters
NPF supports a set of dynamically tunable parameters.
All parameter values are integers and should generally be between
    zero and INT_MAX, unless specified otherwise. Some
    parameters values can be negative; such values would typically have a
    special meaning. Enable/disable switches should be represented as boolean
    values 0 ("off") or 1 ("on").
  - bpf.jit
- BPF just-in-time compilation: enables or disables
      bpfjit(4) support. Some
      machine architectures are not presently supported by
      bpfjit(4). Setting this
      parameter to off stops NPF from trying to enable this functionality, and
      generating a warning if it is unable to do so. Default: 1.
  - ip4.reassembly
- Perform IPv4 reassembly before inspecting the packet. Fragmentation is
      considered very harmful, so most networks are expected to prevent it;
      reassembly is enabled by default. However, while the packet should
      generally be reassembled at the receiver, reassembly by the packet filter
      may be necessary in order to perform state tracking. Default: 1.
- ip6.reassembly
- Perform IPv6 reassembly before inspecting the packet. Discouraged in
      general but not prohibited by RFC 8200. Default: 0.
  - gc.step
- Number of connection state items to process in one garbage collection
      (G/C) cycle. Must be positive number. Default: 256.
- gc.interval_min
- The lower bound for the sleep time of the G/C worker. The worker is
      self-tuning and will wake up more frequently if there are connections to
      expire; it will wake up less frequently, diverging towards the upper
      bound, if it does not encounter expired connections. Default: 50 (in
      milliseconds).
- gc.interval_min
- The upper bound for the sleep time of the G/C worker. Default: 5000 (in
      milliseconds).
  - state.key
- The connection state is uniquely identified by an n-tuple. The state
      behavior can be controlled by including (excluding) some of the
      information in (from) the keys.
    
      - interface
- Include interface identifier into the keys, making the connection
          state strictly per-interface. Default: 1.
- direction
- Include packet direction into the keys. Default: 1.
 
- state.generic
- Generic state tracking parameters for non-TCP flows. All timeouts are in
      seconds and must be zero or positive.
    
      - timeout.new
- Timeout for new ("unsynchronized") state. Default: 30.
- timeout.established
- Timeout for established ("synchronized") state. Default:
        60.
- timeout.closed
- Timeout for closed state. Default: 0.
 
- state.tcp
- State tracking parameters for TCP connections. All timeout values are in
      seconds.
    
      - max_ack_win
- Maximum allowed ACK window. Default: 66000.
- strict_order_rst
- Enforce strict order RST. Default: 1.
- timeout.new
- Timeout for a new connection in "unsynchronized" state.
          Default: 30.
- timeout.established
- Timeout for an established connection ("synchronized"
          state). Default: 86400.
- timeout.half_close
- Timeout for the half-close TCP states. Default: 3600.
- timeout.close
- Timeout for the full close TCP states. Default: 10.
- timeout.time_wait
- Timeout for the TCP time-wait state. Default: 240.
 
- portmap.min_port
- Lower bound of the port range used when selecting the port for dynamic NAT
      with port translation enabled. Default: 1024 (inclusive; also the lowest
      allowed value).
- portmap.max_port
- Upper bound of the port range as described above. Default: 49151
      (inclusive; 65535 is the highest allowed value).
An example line in the
  npf.conf(5) configuration
  file:
set state.tcp.strict_order_rst on       # "on" can be used instead of 1
set state.tcp.timeout.time_wait 0       # destroy the state immediately
 
NPF was designed and implemented by Mindaugas
  Rasiukevicius.