Skip to content
/ npf Public

NPF: packet filter with stateful inspection, NAT, IP sets, etc.

License

Notifications You must be signed in to change notification settings

rmind/npf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

NPF: stateful packet filter supporting NAT, IP sets, etc

Build Status

NPF is a layer 3 packet filter, supporting stateful packet inspection, IPv6, NAT, IP sets, extensions and many more. It uses BPF as its core engine and it was designed with a focus on high performance, scalability, multi-threading and modularity. NPF was written from scratch in 2009. It is written in C99 and distributed under the 2-clause BSD license.

NPF is provided as a userspace library to be used in a bespoke application to process packets. It can run on Linux, typically, in combination with such frameworks like Data Plane Development Kit (DPDK) or netmap.

Features

NPF offers the traditional set of features provided by packet filters. Some key features are:

  • Stateful inspection (connection tracking).
  • Network address translation (NAT):
    • Static (stateless) and dynamic (stateful) translation.
    • NAPT and other forms of port translation (e.g. port forwarding).
    • Inbound and outbound NAT as well as bi-directional NAT.
    • Network-to-network translation, including NETMAP and NPTv6.
  • Carrier-grade NAT (CG-NAT) capability: known to serve over a million connections.
  • Tables for efficient IP sets, including the longest prefix match support.
  • Application Level Gateways (e.g. to support traceroute).
  • NPF uses BPF with just-in-time (JIT) compilation.
  • Rule procedures and a framework for NPF extensions (plugins).
  • Extensions include:
    • Rate limiting (traffic policing).
    • Traffic normalization.
    • Packet logging.
  • Data Plane Development Kit integration.

For a full set of features and their description, see the NPF documentation and other manual pages.

Usage

You can try NPF-Router as a demo NPF+DPDK application, running a virtual test network with Docker containers.

Documentation

See on Github Pages. Source in the docs directory.

Dependencies

  • libnv: git clone https://github.com/rmind/nvlist
  • thmap: git clone https://github.com/rmind/thmap
  • libqsbr: git clone https://github.com/rmind/libqsbr
  • liblpm: git clone https://github.com/rmind/liblpm
  • bpfjit: git clone https://github.com/rmind/bpfjit
  • libcdb: git clone https://github.com/rmind/libcdb

Each repository provides the build files for RPM (cd pkg && make rpm) and DEB (cd pkg && make deb) packages. You can also check the Travis file for an example of how to build everything.

Source code structure

app/                - NPF-Router demo application (NPF + DPDK + Docker)
docs/               - documentation source
src/                - root source code directory
    kern/           - the kernel component (npfkern library)
    lib/            - extension libraries complementing npfctl
    libnpf/         - library to manage the NPF configuration
    npfctl/         - command line user interface to control NPF
    npftest/        - unit tests and a tool to debug NPF
pkg/                - packaging files (RPM and DEB)
misc/               - auxiliary helper scripts

Packages

To build the libnpf library (link using the -lnpf and -lnpfkern flags) packages:

  • RPM (tested on RHEL/CentOS 7): cd pkg && make rpm
  • DEB (tested on Debian 9): cd pkg && make deb

Who is using NPF?

Outscale innofield AG NetBSD BisonRouter