Npfctl : Network packets filter
This module provides network packet filtering function.
User can use the following code to import the npfctl module.
var npfctl = require('router/npfctl');
Support
The following shows npfctl module APIs available for each permissions.
| User Mode | Privilege Mode | |
|---|---|---|
| npfctl.mac | ● | |
| npfctl.ip | ● | |
| npfctl.tcp | ● | |
| npfctl.udp | ● | |
| npfctl.get | ● | |
| npfctl.delete | ● |
Npfctl Object
npfctl.mac(ifname, allow, mac[, opt])
ifname{String} Network interface name.allow{Boolean} Whether to allow.mac{String} MAC address.opt{Object} Options.nforward{Boolean} Only denied routing forwarding when blocking. default:falsedenied all.
- Returns: {Integer} Index number of this rule.
Add a MAC filtering rule to the specified network interface.
Example
// Disallow the specified MAC address packet
npfctl.mac('en1', false, '00:11:22:33:44:55');
npfctl.ip(ifname, allow, ipStart, ipEnd[, ipStartPairs, ipEndPairs][, opt])
ifname{String} Network interface name.allow{Boolean} Whether to allow.ipStart{String} Starting IP address.ipEnd{String} End IP address.ipStartPairs{String} Starting IP address pairs.ipEndPairs{String} End IP address, pairs.opt{Object} Options.nforward{Boolean} Only denied routing forwarding when blocking. default:falsedenied all.
- Returns: {Integer} Index number of this rule.
Add a IP filtering rule to the specified network interface. If ipStartPairs is specified, ipEndPairs must be specified, this feature indicates that this filtering rule agrees on the address range of both communication parties, this feature is valid in EdgerOS 2.1.4 and above.
Example
// 'ipStart' address must be less than 'ipEnd'
npfctl.ip('en1', false, '10.0.0.3', '10.0.0.50');
npfctl.tcp(ifname, allow, ipStart, ipEnd, portStart, portEnd[, ipStartPairs, ipEndPairs, portStartSrc, portEndSrc][, opt])
ifname{String} Network interface name.allow{Boolean} Whether to allow.ipStart{String} Starting IP address.ipEnd{String} End IP address.portStart{Integer} Starting TCP destination port.portEnd{Integer} End TCP destination port.ipStartPairs{String} Starting IP address pairs.ipEndPairs{String} End IP address, pairs.portStartSrc{Integer} Starting TCP source port.portEndSrc{Integer} End TCP source port.opt{Object} Options.nforward{Boolean} Only denied routing forwarding when blocking. default:falsedenied all
- Returns: {Integer} Index number of this rule.
Add a TCP filtering rule to the specified network interface. If ipStartPairs is specified, ipEndPairs, portStartSrc, portEndSrc must be specified, this feature indicates that this filtering rule agrees on the address range of both communication parties, this feature is valid in EdgerOS 2.1.4 and above.
Example
// 'ipStart' address must be less than 'ipEnd'
npfctl.tcp('en1', false, '10.0.0.3', '10.0.0.50', 80, 80);
npfctl.udp(ifname, allow, ipStart, ipEnd, portStart, portEnd[, ipStartPairs, ipEndPairs, portStartSrc, portEndSrc][, opt])
ifname{String} Network interface name.allow{Boolean} Whether to allow.ipStart{String} Starting IP address.ipEnd{String} End IP address.portStart{Integer} Starting TCP destination port.portEnd{Integer} End TCP destination port.ipStartPairs{String} Starting IP address pairs.ipEndPairs{String} End IP address, pairs.portStartSrc{Integer} Starting TCP source port.portEndSrc{Integer} End TCP source port.opt{Object} Options.nforward{Boolean} Only denied routing forwarding when blocking. default:falsedenied all
- Returns: {Integer} Index number of this rule.
Add a UDP filtering rule to the specified network interface. If ipStartPairs is specified, ipEndPairs, portStartSrc, portEndSrc must be specified, this feature indicates that this filtering rule agrees on the address range of both communication parties, this feature is valid in EdgerOS 2.1.4 and above.
Example
// 'ipStart' address must be less than 'ipEnd'
npfctl.udp('en1', false, '10.0.0.3', '10.0.0.50', 180, 360);
npfctl.get()
- Returns: {Array} List of all filtering rules added previously.
Each rule is an object in the array, which contains the following properties:
ifname{String} Network interface name.index{Integer} Index number of this rule.rule{String} Type of this rule:'MAC','IP','TCP'or'UDP'.allow{Boolean} Whether to allow.nforward{Boolean} Only denied routing forwarding when blocking.mac{String} If it is a MAC filtering rule, this attribute holds the MAC address. (Only in'MAC'rule)ipStart{String} Starting IP address. (Only in'IP','TCP'or'UDP'rules)ipEnd{String} End IP address. (Only in'IP','TCP'or'UDP'rules)portStart{Integer} Starting TCP or UDP destination port. (Only in'TCP'or'UDP'rules)portEnd{Integer} End TCP or UDP destination port. (Only in'TCP'or'UDP'rules)ipStartPairs{String} Starting IP address pairs. (Only with pairs arguments rules)ipEndPairs{String} End IP address, pairs. (Only with pairs arguments rules)portStartSrc{Integer} Starting TCP or UDP source port. (Only with pairs arguments rules)portEndSrc{Integer} End TCP or UDP source port. (Only with pairs arguments rules)
Example
var rules = npfctl.get();
console.log(rules);
npfctl.get(ifname)
ifname{String} Network interface name.- Returns: {Array} List of all filtering rules for the specified network interface added previously.
Same as npfctl.get(), only list the rules for the specified network interface.
Example
var rules = npfctl.get('en1');
console.log(rules);
npfctl.get(index)
index{Integer} Index number of rule.- Returns: {Object} Rule object corresponding to index.
Same as npfctl.get(), but only get the rule specified by index.
Example
var index = npfctl.mac('en1', false, '00:11:22:33:44:55');
var rule = npfctl.get(index);
console.log(rule);
npfctl.delete()
- Returns: {Boolean} Whether the operation was successful.
Delete all filtering rules added in this process.
Example
npfctl.delete();
npfctl.delete(ifname)
ifname{String} Network interface name.- Returns: {Boolean} Whether the operation was successful.
Delete all filtering rule of the specified interface.
npfctl.delete(index)
index{Integer} Index number of this rule.- Returns: {Boolean} Whether the operation was successful.
Delete the filtering rule of the specified index number.
Example
var index = npfctl.mac('en1', false, '00:11:22:33:44:55');
npfctl.delete(index);
陕公网安备61019002002605号