VPF Options
These options control the behavior of VPF on TNSR.
To configure VPF options, run the vpf options command from config mode to enter config-vpf-option mode.
VPF Options Mode Commands
The commands in this section are all available inside config-vpf-option mode.
Interface Options
These commands associate VPF rulesets with interfaces to activate VPF functions on packets traversing those interfaces.
Note
Each interface may only have one ruleset. That one ruleset controls filtering for inbound and outbound packets.
- interface <if-name> filter-ruleset <name>:
Associates a VPF filter ruleset with an interface.
Once an interface is associated with a VPF filter ruleset, VPF activates on that interface and filters packets as they enter (ingress) and exit (egress) that interface.
Warning
VPF rulesets block by default unless packets are passed explicitly by filter rules. Ensure there are rules to pass desired traffic both in and out each interface configured for use with VPF.
Note
If VPF is not active on an interface, VPF does not perform any filtering on that interface.
- interface <if-name> nat-ruleset <name>:
Associates a VPF NAT ruleset with an interface.
Once an interface is associated with a VPF NAT ruleset, VPF performs network address translation on packets traversing that interface, based on the rules in the associated ruleset.
Runtime Options
This set of VPF options controls how VPF behaves while it is processing packets.
- runtime drop-options (ip4|ip6) (false|true):
Determines whether or not VPF drops packets containing IP options even if a filter rule would otherwise pass the packet. IP options are common on certain multicast packets, such as those for IGMP; however, IP options have also been a potential security and privacy concern in the past.
The default value is false, which passes packets containing IP options provided that the packet matched a pass rule or was part of an existing connection passed by stateful inspection.
- runtime tcp max-ack-win <value>:
Maximum TCP acknowledgment (ACK) window, in bytes. TCP ACK packets beyond this window are dropped as invalid.
The default value is 66000 bytes.
- runtime tcp strict-rst-order (false|true):
Determines whether or not VPF enforces a strict TCP reset (RST) order by inspecting and validating the sequence (SEQ) numbers on TCP packets and ensuring they are valid for existing connection states.
If this is true and TNSR receives an RST packet that does not match the expected SEQ value, VPF treats it as a packet for a new connection and compares it against the ruleset instead of the state table.
The default value is true.
- runtime timeouts generic (closed|established|new) <sec>:
Configures timeouts for non-TCP connection states, in seconds. When TNSR receives a packet that matches an existing state, either the timers get reset or the session transitions to a different state type.
Note
Technically these protocols are stateless, but VPF has enough information to track and decide which packets belong to a given session based on the properties of the packets and these timers.
  - new <sec>:
  Timeout for new sessions, which have only had one packet in one direction. If the peer responds, the session changes to an established state.
  Default value is 30 seconds.
  - established <sec>:
  Timeout for what VPF considers an established session, with packets exchanged in both directions.
  A non-TCP session can only leave this state when this timeout expires, which is why it is typically kept to a low value: 60 seconds for most cases, up to 900 seconds for environments where non-TCP sessions may remain active for long periods of idle time, such as certain VoIP systems.
  Default value is 60 seconds.
  - closed <sec>:
  Timeout for a closed session which has expired from an earlier state.
  Default value is 0 seconds.
- runtime timeouts tcp (closed|established|half-closed|new|time-wait) <sec>:
Configures timeouts for TCP connection states, in seconds. When TNSR receives a packet that matches an existing state, either the timers get reset or the session transitions to a different state type.
  - new <sec>:
  Timeout for new sessions, which have only had one packet in one direction. For example, a TCP SYN sent from a client to a server, to which the server has not yet responded.
  If the other peer responds and they complete the TCP handshake, the session changes to an established state.
  Default value is 30 seconds.
  - established <sec>:
  Timeout for established sessions, which have completed a TCP handshake.
  If either peer closes the connection gracefully by issuing a FIN packet, the session transitions to a half-closed state. If either peer sends an RST packet, the session changes to a time-wait state instead.
  Default value is 86400 seconds.
  - half-closed <sec>:
  Timeout for sessions where one peer has attempted to close the connection but the other side either has not responded or still has data to send. Once the other peer sends its own FIN packet, the session changes to a time-wait state.
  Default value is 21600 seconds.
  - time-wait <sec>:
  Timeout for sessions that were either closed gracefully via FIN packets from both peers or reset with RST packets. Sessions remain in this state for a short period of time to ensure all remaining packets for the connection have either arrived or expired.
  Default value is 240 seconds.
  - closed <sec>:
  Timeout for sessions that are considered completely finished and closed.
  Default value is 10 seconds.
Startup Options
These options control VPF behavior that is configured when the dataplane starts.
- startup max-connections-per-thread (ip4|ip6) <value>:
The maximum number of IPv4 or IPv6 connections to track per CPU thread.
The default values are 131072 for IPv4 and 32768 for IPv6.
- startup port-mapping (max-port|min-port) <port-number>:
Controls the range of ports VPF uses when performing dynamic port translation.
The value of max-port must be higher than min-port.
The default values are a min-port of 1024 and a max-port of 49151.
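A complete config-vpf-option session that puts the interface, runtime and startup commands above together, added here as an example and not taken from the TNSR documentation. The interface name GigabitEthernet0/14/0 and the ruleset names wan-filter and wan-nat are assumed placeholders, both rulesets are assumed to exist already, and lines beginning with # are annotations rather than CLI input.

```text
tnsr(config)# vpf options
# Activate filtering and NAT on the uplink. The filter ruleset blocks by
# default, so wan-filter must already contain pass rules for the traffic
# wanted in both directions, or the interface goes dark once this applies.
tnsr(config-vpf-option)# interface GigabitEthernet0/14/0 filter-ruleset wan-filter
tnsr(config-vpf-option)# interface GigabitEthernet0/14/0 nat-ruleset wan-nat
# Drop option-bearing packets even when a rule would pass them. Leave ip4 at
# the default of false on segments that depend on IGMP or similar traffic.
tnsr(config-vpf-option)# runtime drop-options ip4 true
tnsr(config-vpf-option)# runtime drop-options ip6 true
# Keep strict RST ordering (the default): an RST whose SEQ does not match the
# tracked state is evaluated against the ruleset instead of tearing the state down.
tnsr(config-vpf-option)# runtime tcp strict-rst-order true
# Non-TCP sessions: raise established from the 60-second default to 900 seconds
# for a VoIP segment whose sessions idle for long periods; new and closed keep
# their defaults of 30 and 0 seconds.
tnsr(config-vpf-option)# runtime timeouts generic established 900
# TCP sessions: shorten established from 86400 (one day) to 3600 seconds and
# half-closed from 21600 to 900 so idle entries leave the state table sooner.
tnsr(config-vpf-option)# runtime timeouts tcp established 3600
tnsr(config-vpf-option)# runtime timeouts tcp half-closed 900
# Startup options are read when the dataplane starts: double the IPv4 state
# table per thread and move the NAT port pool above the 1024-49151 default.
tnsr(config-vpf-option)# startup max-connections-per-thread ip4 262144
tnsr(config-vpf-option)# startup port-mapping min-port 10000
tnsr(config-vpf-option)# startup port-mapping max-port 60000
tnsr(config-vpf-option)# exit
tnsr(config)#
```

The runtime values apply to traffic as VPF processes it, while the startup values only take effect the next time the dataplane starts.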