VPF Options

These options control the behavior of VPF on TNSR.

To configure VPF options, run the vpf options command from config mode to enter config-vpf-option mode.

VPF Options Mode Commands

The commands in this section are all available inside config-vpf-option mode.

Interface Options

These commands associate VPF rulesets with interfaces to activate VPF functions on packets traversing those interfaces.

Note

Each interface may only have one ruleset. That one ruleset controls filtering for inbound and outbound packets.

interface <if-name> filter-ruleset <name>:

Associates a VPF filter ruleset with an interface.

Once an interface is associated with a VPF filter ruleset, VPF activates on that interface and filters packets as they enter (ingress) and exit (egress) through that interface.

Warning

VPF rulesets block by default unless packets are passed explicitly by filter rules. Ensure there are rules to pass desired traffic both in and out of each interface configured for use with VPF.

Note

If VPF is not active on an interface, VPF does not perform any filtering on that interface.

interface <if-name> nat-ruleset <name>:

Associates a VPF NAT ruleset with an interface.

Once an interface is associated with a VPF NAT ruleset, VPF will perform network address translation operations on packets traversing that interface, based on the rules in the associated ruleset.

Runtime Options

This set of VPF options controls how VPF behaves while it is processing packets.

runtime drop-options (ip4|ip6) (false|true):

Determines whether or not VPF will drop packets containing IP options even if a filter rule would otherwise pass the packet. IP options are common on certain multicast packets, such as those for IGMP; however, IP options have also been a potential security and privacy concern in the past.

The default value is false, which will pass packets containing IP options provided that the packet matched a pass rule or was part of an existing connection passed by stateful inspection.

runtime tcp max-ack-win <value>:

Maximum TCP acknowledgment (ACK) window, in bytes. TCP ACK packets beyond this window are dropped as invalid.

The default value is 66000 bytes.

runtime tcp strict-rst-order (false|true):

Determines whether or not VPF enforces a strict TCP reset (RST) order by inspecting and validating the sequence (SEQ) numbers on TCP packets and ensuring they are valid for existing connection states.

If this is true and TNSR receives an RST packet that doesn’t match the expected SEQ value, VPF treats it as a packet for a new connection and compares it against the ruleset instead of the state table.

The default value is true.

runtime timeouts generic (closed|established|new) <sec>:

Configures timeouts for non-TCP connection states, in seconds. When TNSR receives a packet that matches an existing state, either the timers get reset or the session transitions to a different state type.

Note

Technically these protocols are stateless, but VPF has enough information to track and decide which packets belong to a given session based on the properties of the packets and these timers.

new <sec>:

Timeout for new sessions, which have only had one packet in one direction.

If the peer responds, the session changes to an established state.

Default value is 30 seconds.

established <sec>:

Timeout for what VPF considers an established session with packets exchanged in both directions.

A non-TCP session can only leave this state when this timeout expires, which is why it is typically kept low: around 60 seconds for most cases, up to 900 seconds for environments where non-TCP sessions may remain active through long idle periods, such as certain VoIP systems.

Default value is 60 seconds.

closed <sec>:

Timeout for a closed session which has expired from an earlier state.

Default value is 0 seconds.

runtime timeouts tcp (closed|established|half-closed|new|time-wait) <sec>:

Configures timeouts for TCP connection states, in seconds. When TNSR receives a packet that matches an existing state, either the timers get reset or the session transitions to a different state type.

new <sec>:

Timeout for new sessions, which have only had one packet in one direction. For example, a TCP SYN sent from a client to a server, to which the server has not yet responded.

If the other peer responds and they complete the TCP handshake, the session changes to an established state.

Default value is 30 seconds.

established <sec>:

Timeout for established sessions, which have completed a TCP handshake.

If either peer closes the connection gracefully by issuing a FIN packet, the session transitions to a half-closed state. If either peer sends an RST packet, the session changes to a time-wait state instead.

Default value is 86400 seconds.

half-closed <sec>:

Timeout for sessions where one peer has attempted to close the connection but the other side either has not responded or still has data to send. Once the peer sends its own FIN packet, the session changes to a time-wait state.

Default value is 21600 seconds.

time-wait <sec>:

Timeout for sessions that were either closed gracefully via FIN packets from both peers or reset with RST packets. Sessions remain in this state for a short period of time to ensure all remaining packets for the connection have either arrived or expired.

Default value is 240 seconds.

closed <sec>:

Timeout for sessions that are considered completely finished and closed.

Default value is 10 seconds.
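To make the TCP state names, transitions and timer resets above concrete, here is an added Python model (not TNSR or VPF code) that walks one session through these states using the default timeouts from this page. Two details are assumptions of the model, not statements from the documentation: a non-SYN ACK in the new state counts as completing the handshake, and any state that times out moves to closed, after which the closed timer removes the entry.

```python
from dataclasses import dataclass, field

# Default TCP state timeouts documented on this page, in seconds.
DEFAULT_TCP_TIMEOUTS = {
    "new": 30, "established": 86400, "half-closed": 21600,
    "time-wait": 240, "closed": 10,
}


@dataclass
class TcpSession:
    """One tracked TCP flow moving through the VPF state names above."""
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TCP_TIMEOUTS))
    state: str = "new"
    expires_in: int = field(init=False)

    def __post_init__(self):
        self.expires_in = self.timeouts[self.state]

    def _enter(self, state):
        # Entering (or re-entering) a state loads that state's full timeout.
        self.state = state
        self.expires_in = self.timeouts[state]

    def packet(self, flags):
        """Apply one matching packet's TCP flags (e.g. {"FIN", "ACK"})."""
        if "RST" in flags:
            self._enter("time-wait")           # reset from either peer
        elif "FIN" in flags and self.state == "established":
            self._enter("half-closed")         # first FIN
        elif "FIN" in flags and self.state == "half-closed":
            self._enter("time-wait")           # second peer's FIN
        elif "ACK" in flags and "SYN" not in flags and self.state == "new":
            self._enter("established")         # assumed: handshake complete
        else:
            self._enter(self.state)            # any other match resets timer
        return self.state

    def idle(self, seconds):
        """Advance the clock with no matching packet; expire if the timer runs out."""
        self.expires_in -= seconds
        if self.expires_in <= 0:
            # Assumed: timed-out states fall to closed; closed expiry removes the entry.
            if self.state == "closed":
                self.state, self.expires_in = "removed", 0
            else:
                self._enter("closed")
        return self.state


def trace(events, timeouts=None):
    """Run ("pkt", flags) / ("idle", secs) events; return the states visited."""
    s = TcpSession(dict(timeouts or DEFAULT_TCP_TIMEOUTS))
    out = [s.state]
    for kind, arg in events:
        out.append(s.packet(arg) if kind == "pkt" else s.idle(arg))
    return out
```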

Startup Options

These options control VPF behavior that is configured when the dataplane starts.

startup max-connections-per-thread (ip4|ip6) <value>:

The maximum number of IPv4 or IPv6 connections to track per CPU thread.

The default values are 131072 for IPv4 and 32768 for IPv6.

startup port-mapping (max-port|min-port) <port-number>:

Controls the range of ports VPF uses when performing dynamic port translation.

The value of max-port must be higher than min-port.

The default values are a min-port of 1024 and a max-port of 49151.