NAME
nsh
—
network configuration shell
SYNOPSIS
nsh |
[-v ] [-i
rcfile] [-c
config-script-file] |
DESCRIPTION
nsh
is a command interpreter intended for
both interactive and shell script use. nsh
is an
alternative to: ifconfig(8), sysctl(8), route(8),
and encapsulates configuration for other daemons into one place.
nsh
provides an alternative to:
netstart(8) and parts of
rc(8).
nsh
has its own command language similar to the
configuration language used by many network appliance vendors.
nsh
encapsulates the many available
networking services and daemons that are included in
OpenBSD base, see the
SEE ALSO section for a complete list.
nsh
is a shell to configure
OpenBSD kernel's networking functions such as
routing of packets, firewalling, network address translation, rate limiting,
bandwidth queueing, LAN bridging, IP tunnelling, and encryption.
nsh
provides simple wrappers around these functions
to aid setting up a network. The goals of this software are:
- Make the command syntax uniform
- Bring all configuration together in a single configuration file
- Provide a wrapper for any OpenBSD ctl utility such as ospfctl(8), ipsecctl(8), and bgpctl(8).
nsh
encapsulates those configuration
files, so that their native configuration files are encapsulated within the
nsh
configuration framework.
nsh
does not in any way obfuscate the configuration
syntax that is utilised or provided by these ctl.c based programs.
nsh
allows the administrator to view and edit all
configuration in one place.
COMMAND LINE ARGUMENTS
When nsh
is run without arguments it loads
an interactive shell.
The options are as follows:
-v
nsh
produce verbose output-c
config-script-filensh
execute the command(s) in the config-script-file. This is typically used to implement scripted changes to configuration.-i
rcfile- load the initial system configuration from the command(s) in the
rcfile. This is typically used to clear the
configuration and load a full
nsh
configuration script from rcfile .
INTERACTIVE FEATURES
When run without any command line arguments,
nsh
presents an unprivileged shell to the user. All
nsh
interactive command line modes allow basic
command line editing features from editline(7) library. The command history of the current
session is available through the up / down arrow keys.
It is possible to repeat the commands from the command history.
Any command can be abbreviated as long as the abbreviation is not ambiguous. e.g. 'show running-config' can be abbreviated to 'sho run'.
If the user enters a command that is ambiguous
nsh
warns the user with 'Ambiguous argument'
message, e.g. ambiguous command entry.
nsh/show i % Ambiguous argument i
Command line completion
nsh
has double <Tab> command line
completion for user convenience if the command is not ambiguous double
<Tab> completes the command. If what is typed is ambiguous double tab
presents the administrator with the available command line options that
match what has been typed thus far.
- E.g. command line completion display
nsh(p)/i ifstate inet ip ipsec ike interface ip6
Command History
Use the up arrow on most keyboards to review the previous commands entered in the current session. The command being currently viewed can be repeated by hitting enter.
Reversing Commands
nsh
commands can be reversed in the
following ways:
- Any affirmative commands that do not contain
enable
keyword can be reversed with theno
keyword in front of the affirmative version of the command. e.g. reverse allowing IP packet forwarding.nsh(p)/ip forwarding nsh(p)/no ip forwarding
- Any affirmative commands that contain
enable
keyword can be reversed withdisable
keyword. E.g reverse enabling packet filter firewall command.nsh(p)/pf enable %pf enabled nsh(p)/pf disable %pf disabled
Standard Prompt vs Privileged Prompt
nsh
shell starts as an unprivileged prompt
which displays as the text of the FQDN (fully qualified domain name) of the
machine followed by a forward slash.
- e.g. standard prompt of the device firewall.machine.com
firewall.machinename.com/
- e.g. privileged shell prompt of the device firewall.machine.com
firewall.machinename.com(p)/
For the purposes of this manual, any examples the machine is
called nsh
- e.g. standard prompt appearing in examples in this manual
nsh/
- e.g. privileged prompt appearing in examples in this manual
nsh(p)/
INTERACTIVE COMMANDS
? | help
[nsh-command]
Display available commands and options that can used in the
current nsh
mode. The help or ? can be followed by a
nsh
command, nsh
displays
the purpose of the specified command.
- E.g. display help on the rtable command
nsh(p)/? rtable % rtable: Routing table switch
- E.g. display help for all available commands.
nsh/help % Commands may be abbreviated. % Commands are: hostname Set system hostname interface Modify interface parameters rtable Routing table switch group Modify group attributes arp Static ARP set bridge Modify bridge parameters show Show system information ip Set IP networking parameters ip6 Set IPv6 networking parameters mpls Set MPLS network parameters ddb Set DDB parameters pipex Set PIPEX parameters flush Flush system tables enable Enable privileged mode disable Disable privileged mode route Add a host or network route pf Packet filter control ospf OSPF control ospf6 OSPF6 control eigrp EIGRP control bgp BGP control rip RIP control ldp LDP control relay Relay control ipsec IPsec IKEv1 control ike IPsec IKEv2 control dvmrp DVMRP control rad Router advertisement control sasync SA synchronization control dhcp DHCP server control snmp SNMP server control ldap LDAP server control smtp SMTP server control sshd SSH server control ntp NTP synchronization control nppp PPP server control ifstate ifstate server control ftp-proxy ftp-proxy server control tftp-proxy tftp-proxy server control tftp TFTP server control dns DNS rule control motd Message of-the-day inet Inet super-server control ping Send IPv4 ICMP echo request ping6 Send IPv6 ICMP echo request traceroute Print the route to IPv4 host traceroute6 Print the route to IPv6 host ssh SSH connection to remote host telnet Telnet connection to remote host reboot Reboot the system halt Halt the system write-config Save the current configuration verbose Set verbose diagnostics editing Set command line editing who Display system users ! Invoke a subshell ? Print help information quit Close current connection
hostname
[hostname]
hostname without arguments displays the current configured hostname of the system. hostname with an argument will set hostname to the argument's value.
- e.g. set hostname to the myfirewallname.com .
nsh(p)/hostname myfirewallname.com myfirewallname.com(p)/
enable
Start a privileged shell to allow the user run privleged configuration
commands. i.e. enable privileged command shell mode. If an enable secret or
password is set, the user shall be prompted to enter the password to access
the privileged shell.
[no] enable
secret
Set or the password that an administrator would enter to access the privileged shell.
- e.g. Set a password manually to yourpassword
nsh(p)/enable secret yourpassword
- e.g. Set a password using a previously set encrypted password
nsh(p)/enable secret blowfish $2b$10$kKSJFDd....NqIUaTCZ0=
Exit privileged mode. Useful if you have completed configuration
but still want the ability to run diagnostics in an unprivileged
nsh
shell.
[no] rtable
[table-id] [name]
rtable when used with a specified table-id can execute services, diagnostic commands (ping, traceroute) and set routes under alternate routing tables. The default OpenBSD kernel can accommodate 256 rtables. They have a 1:1 relationship with routing domains, except that routing domain 0 can contain multiple routing tables. In addition, routing tables initialized prior to their corresponding routing domain, shall be initialised with a routing domain of 0.
- e.g. Create a new routing table rdomain 3 create a loopback for rdomain 3.
nsh(p)/interface lo3 nsh(interface-lo3)/rt nsh(interface-lo3)/rdomain 3 nsh(interface-lo3)/ip 127.0.0.1/8
- configure a physical interface
nsh(p)/interface em0 nsh(interface-em0)/rdomain 3 nsh(interface-em0)/ip 10.255.0.10/24
- Once the rdomain has been initialized (by creating a loopback inside the
rdomain) the administrator can add routes to the rtable.nsh(p)/rtable 3 customer label network3 nsh(p-rtable 3)/route 0.0.0.0/0 10.255.0.1
- One can configure any service or daemon inside that routing domain e.g. to
setup ssh in rdomain 3
nsh(p-rtable 3)/sshd edit nsh(p-rtable 3)/sshd enable
- The rtable command also supports unprivileged mode usage to execute
diagnostic commands in the respective route domain / VRF.
nsh(p)/disable nsh/rtable 3 nsh(rtable 3)/ping 10.255.0.10 %PING 10.255.0.10 (10.255.0.10): 56 data bytes %64 bytes from 10.255.0.10: icmp_seq=0 ttl=255 time=0.090 ms
- To leave the rtable menu the user can type rtable 0 to return to the main
routing table.
nsh(p-rtable 3)/rtable 0 nsh(p)/
[no] group
[group-name] [carpdemote
]
[demotion-counter]
Modify group attributes for the group-name named group. TBC
[no] arp
[IPv4-Address] [MAC-Address]
Set or remove a static IP address and MAC address binding for Address Resolution Protocol. TBC
[no] bridge
[bridge-name]
Modify bridge configuraiton on the named bridge. See also OpenBSD manual pages for bridge(4) and ifconfig(8) (accessible via the following nsh commands):
!man bridge !man ifconfig
- e.g. configure bridge settings on bridge1. and display bridge configuration help.
nsh(p)/bridge bridge1 nsh(bridge-bridge1)/? % Commands may be abbreviated. % Press enter at a prompt to leave bridge configuration mode. % Bridge configuration commands are: description Bridge description member Bridge member(s) span Bridge spanning port(s) blocknonip Block non-IP traffic forwarding on member(s) discover Mark member(s) as discovery port(s) learning Mark member(s) as learning port(s) stp Enable 802.1D spanning tree protocol on member(s) maxaddr Maximum address cache size timeout Address cache timeout maxage Time for 802.1D configuration to remain valid fwddelay Time before bridge begins forwarding packets hellotime 802.1D configuration packet broadcast interval priority Spanning priority for all members on an 802.1D bridge rule Bridge layer 2 filtering rules static Static bridge address entry ifpriority Spanning priority of a member on an 802.1D bridge ifcost Spanning tree path cost of a member on 802.1D bridge link Link level options txprio Priority in tunnel protocol headers rxprio Source used for packet priority vnetid Virtual interface network identifier parent Parent interface tunneldomain Tunnel parameters shutdown Shutdown bridge ? Options
ip6
[?
| forwarding
|
mforwarding
| multipath
|
maxifprefixes
|
maxifdefrouters
|
maxdynroutes
]
Configure IPv6 networking parameters, such as forwarding, multicast forwarding, multipath routing, etc.
- e.g. list available IPv6 configuration options
nsh(p)/ip6 % Commands may be abbreviated. % 'ip6' commands are: forwarding Enable IPv6 Forwarding mforwarding Enable IPv6 Multicast Forwarding multipath Multipath routing maxdynroutes Max IPv6 Dyn Routes ? Help
[no] ip6 forwarding
Enable or disable forwarding (routing /NAT) of IPv6 packets through the kernel.
nsh(p)/ip6 forwarding
[no] ip6 forwarding
Enable or disable forwarding of IPv6 multicast packets through the kernel.
nsh(p)/ip6 mforwarding
[no] ip6 multipath
Enable or disable multipath routing for IPv6 addresses. If multipath is disabled, only the first selected route is used for a given destination regardless of how many routes exist in the routing table.
nsh(p)/ip6 multipath
[no] ip6 maxdynroutes
[max-route-value]
Set or disable the limit on maximum number of IPv6 routes created as a result of incomming ICMPv6 redirects. The max-route-value can be set to any value 0-20480 or -1. A value of 0 prevents any routes being created as a result of incoming ICMPv6 redirects. Set to -1 to disable the limit. The default value for maxdynroutes is 4096.
nsh(p)/ip6 maxdynroutes 8192
mpls
[?
| ttl
|
mapttl-ip
| mapttl-ip6
]
Configure MPLS (Multi Protocol Label Switching) network parameters in the
kernel.
nsh(p)/mpls ? % Commands may be abbreviated. % 'mpls' commands are: ttl MPLS ttl mapttl-ip MPLS mapttl IPv4 mapttl-ip6 MPLS mapttl IPv6 ? Help
[no] mpls ttl
[0-255]
Configure the default MPLS (Multi Protocol Label Switching) TTL (time to live) in the kernel for MPLS shim headers of generated (not forwarded) MPLS packets. The default value is 255.
nsh(p)/mpls ttl 64
[no] mpls mapttl-ip
[0-1]
Set or unset whether the kernel decrements the TTL of the IP packet header that is encapsulated in mpls packet, when the packet is mpls label switched (forwarded via MPLS). This is useful when diagnosing failures in the forwarding path of an MPLS tunnel. If set to 0, the encapsulated payload IP header TTL is not modified while passing through MPLS and the MPLS label stack. The default value is 1.
nsh(p)/mpls mapttl-ip 1
[no] mpls mapttl-ip6
[0-1]
Set or unset whether or not the kernel decrements the TTL of the IPv6 packet header that is encapsulated in mpls packet, when the packet is mpls label switched (forwarded via MPLS). This feature is useful when diagnosing failures in the forwarding path of an MPLS tunnel. If set to 0, the encapsulated payload IPv6 header TTL field is not modified while passing through MPLS and the MPLS label stack. The default value is 0.
nsh(p)/mpls mapttl-ip6 1
[no] ddb
[?
| panic
|
console
| log
]
Configure or remove kernel debug (DDB) options.
nsh(p)/ddb ? % Commands may be abbreviated. % 'ddb' commands are: panic DDB panic console DDB console log DDB log ? Help
[no] ddb panic
Enable or disable dropping the system to the kernel debugger in the event of a system panic. By default, dropping to the ddb debugger in a system panic is enabled.
nsh(p)/ddb panic
[no] ddb console
Enable access to the kernel debugger from the console using an architecture-dependent magic key sequence on the console or a debugger button. When running OpenBSD with a securelevel(7) greater than 0, this feature cannot be enabled. By default accessing the ddb debugger from the console is disabled.
nsh(p)/ddb console
[no] ddb log
Enable or disable logging the output of the kernel debugger in the kernel message buffer. By default ddb debugger output logging to the kernel message buffer is enabled.
nsh(p)/ddb log
[no] pipex
[?
| enable
]
Enable or disable pipex(4) processing on pppac(4) and pppx(4) interfaces. pipex(4) handles PPP frames and forwards IP packets in-kernel. It accelerates the performance of packet forwarding, because it reduces copying of packets between kernel and userland. By default pipex is disabled.
nsh(p)/pipex enable
pf
[?
| enable
|
disable
| edit
|
reload
]
Control the configuration and operation of the pf (Packet Filter) firewall.
nsh(p)/pf ? % Arguments may be abbreviated enable enable service disable disable service edit edit configuration reload reload service
pf edit
Open the default system editor and edit the firewall configuration. The edited ruleset is automatically validated on saving and exiting the editor. Note! firewall configuration changes DO NOT take effect until the "pf reload" command is entered. The editor used by nsh can be customised to your preferred editor using the EDITOR and VISUAL environment variables. For packet filter configuration syntax, refer to pf.conf(5).
nsh(p)/!man pf.conf nsh(p)/pf edit
pf reload
Once the pf ruleset has been
edited and validated the modified pf configuration can be applied with this
command.
nsh(p)/pf reload
ospf
[?
| enable
|
disable
| edit
|
reload
| fib
|
log
] Enable, disable or configure
ospfd(8), the OSPF (Open
Shortest Path First) daemon.
nsh(p)/ospf enable
ospf edit
Edit the configuration of the
OSPF daemon. The edited ruleset is automatically validated on saving and
exiting the editor. Note ospfd configuration changes DO NOT take effect
until the "ospf reload" command is entered. The editor used by nsh
can be customised to your preferred editor using the EDITOR and VISUAL
environment variables. For OSPF configuration syntax, refer to
ospfd.conf(5).
nsh(p)/!man ospfd.conf nsh(p)/ospf edit
ospf reload
Reread and apply the OSPF
configuration.
nsh(p)/ospf reload
ospf fib
[?
|
couple
| decouple
|
reload
]
Configure whether or not ospfd(8) updates the forwarding information base (the active kernel routing tables). The decouple feature is useful for monitoring OSPF networks without affecting the routing table of the system. OSPF decouple should only be done where there is only one link between the system and the rest of the OSPF network. The ospf fib reload command re fetches and relearns the routes in the FIB and passes them to the ospfd daemon for processing.
nsh(p)/ospf fib decouple
ospf log
[?
|
verbose
| brief
]
Configure the detail level of ospfd(8) logging messages. Set ospf log verbose to enable detailed debug log output from ospfd. set ospf log brief to disable detailed debug log output from ospfd.
nsh(p)/ospf log verbose
eigrp
[?
| enable
|
disable
| edit
]
[options
]
Enable or disable or configure the
eigrpd(8) Enhanced Interior
Gateway Routing Protocol daemon. The configuration of
eigrp
daemon can be edited with
edit
command, the configuration syntax of
eigrp
daemon is documented in
eigrpd.conf(5) manual
page. Thre are a number of options
that can be used
to control the operation of eigrpd(8) daemon, these options are documented in the
eigrpctl(8) manual
page.
bgp
[?
| enable
|
disable
| edit
]
[options
]
Enable or disable or configure bgpd(8), the Border Gateway Protocol daemon. Configuration of
the bgp
daemon can be edited with
edit
command, the syntax is documented in
bgpd.conf(5). Thre are a
number of options
that can be used to control the
operation of bgpd(8),
documented in bgpctl(8).
rip
[?
| enable
|
disable
| edit
]
[options
]
Enable or disable or configure the ripd(8) Routing Information Protocol daemon. The
configuration of rip
daemon can be edited with
edit
command, the configuration syntax is documented
in ripd.conf(5). Thre
are a number of options
that can be used to control
the operation of ripd(8)
daemon, these options are documented in ripctl(8).
ldp
[?
| enable
|
disable
| edit
]
[options
]
Enable or disable or configure the ldpd(8) Label Distribution Protocol daemon. The configuration
of ldp
daemon can be edited with
edit
command, the configuration syntax of
ldp
daemon is documented in
ldpd.conf(5). Thre are a
number of options
that can be used to control the
operation of ldpd(8) daemon,
these options are documented in ldpctl(8).
relay
[?
| enable
|
disable
| edit
]
[options
]
Enable or disable or configure the
relayd(8), a load balancer
and TLS termination daemon. The configuration of
relay
daemon can be edited with
edit
command, the syntax is documented in
relayd.conf(5). There
are a number of options
that can be used to control
the operation of relayd(8)
daemon, these options are documented in relayctl(8).
ipsec
[?
| enable
|
disable
| edit
|
reload
]
Enable or disable or configure the
isakmpd(8) Internet Key
Exchange version 1 IKEv1 ISAKMP / Oakley daemon. The configuration of
ipsec
daemon can be edited with
edit
command, the configuration syntax of
ipsec
daemon is documented in
isakmpd.conf(5) and
ipsec.conf(5).
ike
[?
| enable
|
disable
| edit
]
[options]
Enable or disable or configure the iked(8) Internet Key Exchange version 2 IKEv2 daemon. The
configuration of ike
daemon can be edited with
edit
command, the configuration syntax of
ike
daemon is documented in
iked.conf(5).
options to control the iked(8) daemon in a similar manner to
ikectl(8) i.e to force ike
daemon to run in active mode or passive mode, or reload the the daemon
configuration. These features are documented in
ikectl(8).
dvmrp
[?
| enable
|
disable
| edit
]
Enable or disable or configure the
dvmrpd(8) Distance Vector
Multicast Routing Protocol daemon. The configuration of
dvmrp
daemon can be edited with
edit
command, the configuration syntax of
dvmrp
daemon is documented in
dvmrpd.conf(5) manual
page.
rad
[?
| enable
|
disable
| edit
]
Enable or disable or configure the rad(8) Router Advertisement daemon for IPv6. The
configuration of rad
daemon can be edited with
edit
command, the syntax is documented in
rad.conf(5).
sasync
[?
| enable
|
disable
| edit
]
Enable or disable or configure the
sasyncd(8) IPSec Security
Association synchronisation daemon for failover gateways. The configuration
of sasync
daemon can be edited with
edit
command, the configuration syntax of
sasync
daemon is documented in
sasyncd.conf(5).
dhcp
[?
| enable
|
disable
| edit
]
Enable or disable or configure the
dhcpd(8) Dynamic Host
Configuration Protocol daemon. The configuration of
dhcp
daemon can be edited with
edit
command, the configuration syntax of
dhcp
daemon is documented in
dhcpd.conf(5).
snmp
[?
| enable
|
disable
| edit
|
trap
] [options]
Enable or disable or configure the
snmpd(8) Lightweight
Directory Access Protocol daemon. The configuration of
snmp
daemon can be edited with
edit
command, the configuration syntax of
snmp
daemon is documented in
snmpd.conf(5).
ldap
[?
| enable
|
disable
| edit
]
[options]
Enable or disable or configure the
ldapd(8) Lightweight
Directory Access Protocol daemon. The configuration of
ldap
daemon can be edited with
edit
command, the configuration syntax of
ldap
daemon is documented in
ldapd.conf(5).
options to control the
ldapd(8) daemon in a similar
manner to ldapctl(8) e.g.
to set log verbose vs brief or to compact / re-index the LDAP database are
documented in ldapctl(8).
smtp
[?
| enable
|
disable
| edit
]
[options]
Enable or disable or configure the
smtpd(8) OpenSMTPD Simple
Mail Transfer Protocol daemon. The configuration of
smtp
daemon can be edited with
edit
command, the configuration syntax of
smtp
daemon is documented in
smtpd.conf(5) manual
page.
options to control smtpd(8) in a similar manner to smtpctl(8) i.e pausing / resuming mta (mail transfer agents) / mda (mail delivery agents) are documented in smtpctl(8).
sshd
[?
| enable
|
disable
| edit
]
Enable or disable or configure the sshd(8) OpenSSH secure shell daemon. The configuration of
sshd
daemon can be edited with
edit
command, the syntax is documented in
sshd_config(5).
ntp
[enable
| disable
|
edit
]
Enable or disable or configure the ntpd(8) Open network time protocol daemon. The configuration
of ntp
daemon can be edited with
edit
command, the syntax is documented in
ntpd.conf(5).
nppp
[?
| enable
|
disable
| session
|
monitor
| edit
]
[clear
? |
all | ppp-id |
address | interface |
protocol | realm |
username] [session
? |all | brief |
packets] [monitor
? | all |
ppp-id | address |
interface | protocol |
realm | username]
Enable or disable or configure the
npppd(8) new Point-to-Point
Protocol daemon. The nppp
daemon supports
termination of PPPoE, PPTP and L2TP PPP tunnels.
npppd(8) works with
pipex(4) for improved
throughput through the ppp tunnels.
The configuration of nppp
daemon can be
edited with edit
command, the syntax is documented
in npppd.conf(5).
ifstate
[enable
| disable
|
edit
]
Enable or disable or configure the
ifstated(8) interface
state daemon. The configuration of ifstate
daemon
can be edited with edit
command, the syntax is
documented in ifstated.conf(5).
ftp-proxy
[enable
| disable
] Activate
or deactivate the local ftp proxy on the system. ftp-proxy in order to
function properly requires pf to be enabled on the system.
nsh
starts ftp-proxy on 127.0.0.1 (rdomain 0) by
default. Redirect rules in pf must be used to direct outside traffic from
any rdomain to the local tftp daemon.
- e.g. enable ftp-proxy
nsh(p)/ftp-proxy enable
tftp-proxy
[enable
| disable
]
Activate or deactivate the local tftp proxy on the system.
tftp-proxy in order to function properly requires pf to be enabled on the
system. nsh
starts tftp-proxy on 127.0.0.1 (domain
0), port 6969 by default. Redirect rules in pf must be used to direct
outside traffic from any rdomain to the local tftp proxy.
- e.g. enable tftp-proxy and redirects needed to use it.
nsh(p)/tftp-proxy enable
- Add firewall rule in pf to divert tftp requests to tftp proxy
nsh(p)/pf edit pass in quick on $int_if inet proto udp from $lan to port tftp divert-to 127.0.0.1 port 6969 pass out quick on $ext_if inet proto udp from $lan to port tftp group proxy divert-reply
tftp
[enable
| disable
]
Enable or disable the tftp daemon. nsh
starts tftpd on 127.0.0.1, port 69 by default.
dns
[local-control
|
dhcp-control
| edit
]
Configure Domain Name Service client on the system.
local-control is for manual statically configured DNS
client setup. dhcp-control is to allow dhcp client to
update DNS client settings from recieved DNS servers in a DHCP offer.
edit
command, is used to statically configure DNS
options, the syntax is documented in resolv.conf(5).
inet
[enable
| disable
|
edit
]
Enable or disable or configure the
inetd(8) inet superserver
daemon. The configuration of inet daemon can be edited with
edit
command, the syntax is documented in
inetd.conf(8).
ping
[options] host
Send ICMP ECHO_REQUEST packets to an IPv4 network host, specified by name or IPv4 address. The options are documented in the ping(8).
ping6
[options] host
Send ICMP ECHO_REQUEST packets to an IPv6 network host, specified by name or IPv6 address. The options are documented in the ping6(8) manual page.
traceroute
[options] host
Trace and print the route packets take to an IPv4 network host, specified by name or IP address. The options are documented in traceroute(8).
traceroute6
[options] host
Trace and print the route packets take to an IPv6 network host, specified by name or IP address. The options are documented in traceroute6(8).
ssh
[options] [-p
port] host
Open a OpenSSH ssh(1) session to the remote system host, specified by name or IP address. The port is the TCP port on the remote host which you wish to connect. The options are documented in ssh(1).
telnet
[options] [host] [port]
Open a telnet(1) session to the given TCP port on the remote server host, specified by name or IP address. If the port is not specified the IANA assigned port 23 for telnet will be used. The options are documented in telnet(1).
Restart the system. Warning no confirmation prompt is issued, configuration changes are NOT automatically saved! User must save configuration manually BEFORE using reboot. Requires privileged access.
- E.g. restart the system
nsh(p)/reboot % Reboot initiated
halt
shut down the system. Warning no confirmation prompt is issued, configuration
changes are NOT automatically saved! User must save configuration manually
BEFORE using halt. Requires privileged mode.
- e.g. shutdown the system
nsh(p)/halt % Shutdown initiated
write-config
Save the running configuration to the permanent configuration space. On the next startup of the system, this saved configuration is used.
- e.g. save the configuration on the system
nsh(p)/write-config % Configuration saved
[no] verbose
Verbose mode sets nsh to display extra information on entered commands. It is useful during a diagnostic and troubleshooting session.
- E.g. enable verbose output
nsh/verbose % Diagnostic mode enabled
- If you do not wish to have the extra information displayed, you may
disable verbose mode.
nsh/no verbose % Diagnostic mode disabled
show
[hostname | interface | route | route6 | sadb | arp | kernel | bgp | ospf |
ospf6 |eigrp | rip | ldp | ike | ipsec | dvmrp | relay | dhcp | smtp | ldap |
monitor | version | users | running-config | startup-config |? | help]
The main diagnostic and informational command is 'show'. show without arguments displays the available diagnostic show sub commands.
- E.g using show and its built in help
nsh(p)/show % Commands may be abbreviated. % 'show' commands are: hostname Router hostname interface Interface config route IPv4 route table or route lookup route6 IPv6 route table or route lookup sadb Security Association Database arp ARP table kernel Kernel statistics bgp BGP information ospf OSPF information ospf6 OSPF6 information eigrp EIGRP information rip RIP information ldp LDP information ike IKE information ipsec IPsec information dvmrp DVMRP information relay Relay server dhcp DHCP server smtp SMTP server ldap LDAP server monitor Monitor routing/arp table changes version Software information users System users running-config Operating configuration startup-config Startup configuration ? Options
show hostname
Display the system's currently assigned hostname.
- e.g. display the name of the device
nsh(p)/show hostname % devicename.com
show interface
[interface-name]
Display essential information about the system network interfaces including any network bridges / switches. show interface without any arguments displays information about all interfaces available on the system.
show interface interface-name Display information about a specific interface.
- e.g. display information about the loopback interface.
nsh/show interface lo0 % lo0 Interface is up (last change 22:07:02), protocol is up Interface type Loopback Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8 rdomain 0, MTU 32768 bytes 4 packets input, 160 bytes, 0 errors, 0 drops 4 packets output, 160 bytes, 0 errors, 0 unsupported
- "Interface is up" means that the interface is turned on in software. "Protocol is up" means that the interface is configured and ready to run. The "Interface type" explains what the interface is used for on the system. Some interfaces are not intended to pass traffic for network users, and instead handle internal functions on the system. See ifconfig(8) for more information on interface types supported by OpenBSD.
- "Internet address" shows the IPv4 and IPv6 addresses configured for the interface, if any. IPv6 addresses with a % sign are "link-local" and not valid outside of the context of the interface name specified. MTU describes the Maximum Transmission Unit, the largest size of a packet which the kernel can transmit on this interface.
- The statistics show the number of packets, bytes, errors, and dropped packets in both incoming and outgoing directions. The average input/output sizes describe the median size of packets going in and out the interface. Note that the total bytes in and/or out may not be accurate. OpenBSD uses an unsigned long type to hold the byte count. When the byte count exceeds the storage limit of an unsigned long (4,294,967,295 on a 32 bit architecture or 18,446,744,073,709,551,615 on a 64-bit architecture), the counter will overflow, causing it to roll over to 0. The average packet size is inaccurate when the total byte count rolls over, because the total number of packets reflects bytes that are no longer counted.
- With verbose mode enabled, 'show interface' displays the raw kernel flags
for an interface. See ifmedia(4) for an explanation of these flags.
nsh(p)/show interface lo0 % lo0 Interface is up (last change 22:13:28), protocol is up Interface type Loopback Internet address ::1/128, fe80::1%lo0/64, 127.0.0.1/8 rdomain 0, MTU 32768 bytes 4 packets input, 160 bytes, 0 errors, 0 drops 4 packets output, 160 bytes, 0 errors, 0 unsupported Flags: <UP,LOOPBACK,RUNNING,MULTICAST> Hardware features:
- With a bridge, verbose mode displays spanning tree member states and
bridge members.
nsh/show int bridge0 % bridge0 Bridge is up (last change 00:00:21), protocol is up Interface type Ethernet Bridge 0 packets input, 0 bytes, 0 errors, 0 drops 0 packets output, 0 bytes, 0 errors, 0 unsupported Flags: <UP,RUNNING> STP member state: sis0: listening
- With an IEEE 802.11 wireless interface, verbose mode displays the network
ID, network key, and power-saving mode (if enabled).
nsh/show int athn0 % athn0 BLah blah IEEE 802.11 network id blah network key blah powersaving (111 ms)
- With an interface that supports media commands, including Ethernet and
IEEE 802.11 wireless interfaces, verbose mode displays which media types
are available.
nsh/show int sis0 % sis0 Supported media types: media none media 10baseT media 10baseT, mediaopt full-duplex media 100baseTX media 100baseTX, mediaopt full-duplex media autoselect
show route
Display a dump of the kernel routing table, including ARP entries.
e.g. display contents of the routing table.
nsh/show route Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable), D - dynamic, S - static % IPv4 routing table: Destination Gateway Flags Refs Packets Mtu Interface 0.0.0.0/0 172.20.1.1 UGS 3 57502 - sis0 127.0.0.0/8 127.0.0.1 UGRS 0 0 33224 lo0 127.0.0.1 127.0.0.1 UH 2 12 33224 lo0 172.20.1.0/24 link#1 U 0 0 - sis0 172.20.1.1 8:0:20:71:22:e7 UHL 1 0 - sis0 172.20.1.2 127.0.0.1 UGHS 0 0 33224 lo0 172.20.1.23 link#1 UHL 1 1764 - sis0 172.20.1.255 link#1 UHL 2 1555 - sis0 224.0.0.0/4 127.0.0.1 URS 0 0 33224 lo0
- The destination column is simply the destination network which the route describes. The gateway is the next hop for this route to pass through. Gateways which are described as 'link#' are local area networks or members of local area networks.
- The flags are useful to determine if the kernel is using a particular route or not.
- U - up
This route is active G - gateway
The destination of this route is behind a gateway (next hop). H - host
This route describes a host on the local network. L - link layer
The destination has been or needs to be discovered through a layer 2 protocol R - reject
This route is unreachable, and therefore marked unusable in the kernel D - dynamic
This is a dynamic route which has is managed through routing software on
the local system (such as ripd, ospfd or bgpd) S - static
This is a static route set by a user
show monitor
start an interactive console monitor mode for the system's routing socket. The monitor displays raw descriptions of the data passing into the kernel's routing socket and dumps of the kernel's routing messages to the machine. Press enter or control-C to exit this mode.
show version
This displays basic information about the host and about NSH, such
as the version of NSH installed, the system's uptime and kernel version. It
also shows both the kernel that NSH was compiled under, and the current
kernel that NSH is running under. nsh
should always
be running on a kernel that is of a similar version to the version of the
kernel/header files that NSH was compiled under. This ensures that
nsh
can interact with the kernel properly (and vice
versa).
nsh/show version % NSH v1.0 Compiled 03-Apr-22 06:03 by _pbuild@amd64-1.ports.openbsd.org uptime: 1 day, 2 hours, 17 minutes system: OpenBSD/amd64 version 7.1 cpu: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz memory: 8175MB kernel: OpenBSD 7.1 (GENERIC.MP) #459: Mon Apr 4 18:16:13 MDT 2022 deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
show running-config
Display the current running configuration on the system, including interface and bridge configurations, routes, the system hostname, firewall rules, and other information compiled by nsh.
show startup-config
Display the startup configuration on the system, read
from nshrc, including interface and bridge configuration, routes, the system
hostname, firewall rules, and other information compiled by
nsh
TBC
flush
[routes
| arp | line | bridge-dyn | bridge-all | bridge-rule | pf | history |? |
help]
Clear various system tables.
flush routes
Clear the system routing table.
flush arp
Clear the system arp cache and static arp table.
flush bridge-dyn
bridge-name
Clear dynamically learned members from the named bridge.
nsh/flush bridge-dyn bridge0
Delete all dynamically learned members from bridge0. Note! any members set manually (static members) are not removed by this command.
flush bridge-all
bridge-name
Clear dynamically and statically learned members from the named bridge.
nsh/flush bridge-all bridge0
flush bridge-rule
bridge-name interface-name
Clear all rules on the named bridge on the named interface.
nsh/flush bridge-rule bridge0 vether0
flush history
Clear the command history
[no] route
[destination]
[/prefixlen | netmask]
gateway [flags]
Add or remove static routes. IPv4 addresses can be configured with prefix length in CIDR or dotted decimal IP netmasks (e.g. 255.255.255.0) to describe the route. The IPv6 address may only be configured with a prefix length. This command only runs in privileged mode.
- e.g. setup routes on the system
nsh(p)/route 192.168.0.0/16 1.2.3.4
- is equivalent to:
nsh(p)/route 192.168.0.0/255.255.0.0 1.2.3.4
- Use the
no
keyword to remove the specific route (if present) in the routing table.nsh(p)/no route 192.168.0.0/16 1.2.3.4
- If you do not specify a mask,
nsh
assumes you are routing a host address (/32 in ipv4).nsh(p)/route 10.6.6.4 1.2.3.4
- Routing flags may be defined after a route.
nsh(p)/route 127.0.0.0/8 127.0.0.1 reject
- or
nsh(p)/route ::/96 ::1 reject
Route Flags
Flags: blackhole
|
cloning
| iface
|
llinfo
| nmpath
|
nostatic
| proto1
|
proto2
| reject
[mtu
mtu-bytes] [expire seconds]
blackhole RTF_BLACKHOLE discard packets for this route cloning RTF_CLONING generate a new route on use iface !RTF_GATEWAY destination is directly reachable llinfo RTF_LLINFO translates proto addr(l3) to link addr(l2) nompath !RTF_MPATH do not allow multiple gateways for this route nostatic !RTF_STATIC do not save this in the static routing table proto1 RTF_PROTO1 protocol specific flag #1 proto2 RTF_PROTO2 protocol specific flag #2 reject RTF_REJECT reject packets with ICMP unreachable
quit
exit nsh
[no] verbose
Sets verbose mode on / off. (By default verbose mode is off). Use
the no
keyword turn verbose mode off.
nsh(p)/verbose % Diagnostic mode enabled nsh(p)/no verbose % Diagnostic mode disabled
[no] editing
Set command line editing on / off. (If defaults to on). Use the
no
keyword to turn command editing mode off.
nsh(p)/editing % Command line editing enabled nsh(p)/no editing % Command line editing disabled
nsh(p)/!
[shell-command
] argument-1
[argument-n]
Invoke a shell or run an entered shell-command with arguments if required. (requires privileged mode). The active users login shell is the shell that is invoked by this feature. This feature disabled to enhance security.
E.g. list files in /root
nsh(p)/!ls /root helloworld.c helloworld2.c nsh(p)/! OpenBSDshell#
[no] ip
[arptimeout
| arpdown
|
carp
| carp-log
|
carp-preempt
| forwarding
|
mforwarding
| mtu-path-disc
| mtu-disc-timeout
| ipip
|
gre
| wccp
|
etherip
| ipcomp
|
esp
| esp-udpencap
|
esp-udpencap-port
| ah
|
sourceroute
| encdebug
|
send-redirects
| ifq-maxlen
| directed-broadcast
|
multipath
| default-ttl
|?
]
Modify system kernel ip processing parameters or features. (requires privileged mode).
All commands in this category allow the 'no' modifier to disable the option.
nsh(p)/ip ? % Commands may be abbreviated. % 'ip' commands are: arptimeout Seconds for ARP entries to remain in cache arpdown Seconds before resending unanswered ARP requests carp Allow CARP carp-log CARP Logging Priority carp-preempt CARP Virtual Host Preemption forwarding Enable IPv4 Forwarding mforwarding Enable IPv4 Multicast Forwarding mtu-path-disc Enable IPv4 MTU Path Discovery mtu-disc-timeout Seconds that MTU entries remain in Path MTU discovery cache ipip Allow IP-in-IP Encapsulation gre Allow Generic Route Encapsulation wccp Allow Web Cache Control Protocol etherip Allow Ether-IP Encapsulation ipcomp Allow IP Compression esp Allow Encapsulated Security Payload esp-udpencap Allow ESP encapsulation within UDP esp-udpencap-port UDP port number for encapsulation ah Allow Authentication Header sourceroute Process Loose/Strict Source Route Options encdebug Enable if_enc debugging send-redirects Send ICMP redirects ifq-maxlen IPv4 ifqueue max length directed-broadcast Allow directed broadcasts multipath Multipath routing default-ttl Default IP packet TTL ? Options
ip arptimeout
seconds
Sets the timeout (seconds) for ARP entries to remain in cache on this system.
When the system stops receiving ARP packets from the host and, the
arptimout
seconds pass, the arp entries are removed
from the ARP cache. If a service or user requests to communicate with the IP
address of the removed cache entry the system requests via broadcast an ARP
request. Lower arptimeout
values increase the
broadcast traffic on the underlying network. While higher
arptimeout
values increase the time it takes to
resolve a host. This setting should be the same or lower on a router than
the bridge MAC table timeout on an intermediate bridge.
nsh(p)/ip arptimeout 300
[no] ip arpdown
seconds
Set or remove configured timeout (seconds) the system waits before resending an unanswered ARP request.
If the ARP system fails to resolve a MAC address, the system waits
for ip arpdown
number of seconds before
retrying.
Lower settings increases the broadcast traffic on the underlying network while higher settings increases the time it takes to resolve a host (after the host boots up) and on a network that is experiencing packet loss.
nsh(p)/ip arpdown 20
[no] ip carp
Enable or disable carp(4) functionality in the system kernel. Carp is a BSD licensed technology for router redundancy utilising a virtual ip that floats between 2 or more routers on a LAN segment, it is similar to VRRP or HSRP.
nsh(p)/ip carp
[no] ip carp-log
0-7
Enable or disable logging of carp state change, bad packets and other errors in the system kernel. carp-log may be set to a value between 0 and 7 corresponding with standard syslog(3) priorities. The default value is 2, which limits logging to changes in CARP state.
nsh(p)/ip carp-log 7
[no] ip carp-preempt
Enable or disable the device taking master role from an existing master carp router
nsh(p)/ip carp-preempt
[no] ip forwarding
Enable or disable IP packet forwarding in the system kernel. This must be set in order to use routing, NAT, IPsec or packet filter features.
nsh(p)/ip forwarding
[no] ip ipip
Enable or disable IP-in-IP encapsulation in the system kernel.
nsh(p)/ip ipip
[no] ip gre
Enable or disable Generic Route Encapsulation in the system kernel. Must be used to enable gre(4) interfaces.
nsh(p)/ip gre
[no] ip wccp
Enable or disable GRE-based Web Cache Control Protocol packets to manage caching device. Must be used to enable WCCP on gre(4) interfaces.
nsh(p)/ip wccp
[no] ip etherip
Enable or disable GRE-based Ether-IP encapsulation in the system kernel.
nsh(p)/ip etherip
[no] ip ipcomp
Enable or disable IPComp internet protocol compression in the system kernel.
nsh(p)/ip ipcomp
[no] ip esp
Enable or disable IPsec Encapsulated Security Payload procesing in the system kernel. (Enabled by default.)
nsh(p)/ip esp
[no] ip esp-udpencap
Enable or Disable
processing of UDP encapsulated ESP packets in the system kernel. (Enabled by
default.)
nsh(p)/ip esp-udpencap
[no] ip esp-udpencap-port
0-65535 Sets the value of the UDP port that triggers
decapsulation for incoming UDP encapsulated ESP packets. (The default port
is 4500) udp encapsulated esp packets are useful for traversing NAT
routers.
nsh(p)/ip esp-udpencap-port 4600
[no] ip ah
Enable or disable IPsec Authentication Header processing in the system kernel. (Enabled by default.)
nsh (p)/ip ah
[no] ip sourceroute
Enable or disable processing loose or strict source routing options on IP packet headers. Do not enable this option on systems connected to the public internet.
nsh(p)/ip sourceroute
[no] ip encdebug
Enable or disable printing debug messages for the enc(4) interface to the kernel output. Note! Requires a kernel compiled with ENCDEBUG option.
nsh(p)/ip encdebug
[no] ip send-redirects
Controls whether or not the system sends ICMP redirects to local hosts. (Enabled by default).
When there is a direct path on the local network from one host to another, but one of those hosts chooses to talk through the router instead, the system sends an ICMP redirect to the originating host. This redirect tells the host the direct path on the network to send further packets.
nsh(p)/ip send-redirects
[no] ip directed-broadcast
Enable or disable kernel forwarding of IP traffic to the broadcast address of any interface on the system. This setting is useful for limiting certain types of DoS attacks.
[no] ip multipath
Enable or disable ip multicast forwarding in the system kernel. (Disabled by default.)
nsh(p)/ip mforwarding
[no] ip default-ttl
ttl
Sets the default ttl used on IP packets originating from this system. Valid ttl value is in the range 1-255.
The TTL, or time-to-live, is decremented by one each time the packet passes through another router on the internet. The default TTL that the system uses is 64, therefore it allows for the packet to pass through up to 64 routers (also called hops) before reaching its destination. The main purpose of the TTL is to avoid routing loops in the network.
nsh(p)/ip default-ttl 128
ip ?
Displays the help menu and available ip command options.
nsh(p)/ip ?
interface
[ip | alias |
description | group | rdomain | rtlabel | priority | llpriority | mtu | metric
| link | arp | lladdr | nwid | nwkey | powersave | txpower | bssid | media |
mediaopt | auth | peer | pppoe | tunnel | tunneldomain | txprio | rxprio |
vnetid | vnetflowid | parent | patch | keepalive | mplslabel | pwe | syncdev |
syncpeer | maxupd | vhid | advbase | advskew | carppass | carpdev | carpnode |
carppeer | balancing | pflow | debug | dhcrelay | wol | mpls | inet6 |
autoconf6 | autoconfprivacy | temporary | monitor | wgpeer | wgport | wgkey |
wgrtable | trunkport | trunkproto | shutdown |?] interface mode commands, are
commands that can be applied to a specific named interface.
nsh(interface-em0)/? % Commands may be abbreviated. % Press enter at a prompt to leave interface configuration mode. % Interface configuration commands are: ip IP address and other parameters alias Additional IP addresses and other parameters description Interface description group Interface group rdomain Interface routing domain rtlabel Interface route labels priority Data packet priority llpriority Link Level packet priority mtu Maximum Transmission Unit metric Routing metric link Link level options arp Address Resolution Protocol lladdr Link Level (MAC) Address nwid 802.11 network ID nwkey 802.11 network key powersave 802.11 powersaving mode txpower 802.11 transmit power bssid 802.11 bss id media Media type mediaopt Media options auth PPP authentication peer PPP peer authentication pppoe PPPoE settings tunnel Tunnel parameters tunneldomain Tunnel routing domain for transit txprio Priority in tunnel protocol headers rxprio Source used for packet priority vnetid Virtual interface network identifier vnetflowid Use part of vnetid as flowid parent Parent interface patch Pair interface keepalive GRE tunnel keepalive mplslabel MPLS local label pwe MPLS PWE3 syncdev PFsync control message interface syncpeer PFsync peer address maxupd PFsync max updates, defer first packet vhid CARP virtual host ID advbase CARP advertisement interval advskew CARP advertisement skew carppass CARP passphrase carpdev CARP device carpnode CARP additional vhid/advskew carppeer CARP peer balancing CARP balancing mode pflow pflow data export debug Driver dependent debugging dhcrelay DHCP Relay Agent wol Wake On LAN mpls MPLS inet6 IPv6 autoconf6 IPv6 Autoconfigurable address autoconfprivacy Privacy addresses for IPv6 autoconf temporary Temporary addresses for IPv6 autoconf monitor Monitor mode for incoming traffic wgpeer Wireguard peer config wgport Wireguard UDP port wgkey Wireguard private key wgrtable Wireguard routing table trunkport Add child interface(s) to trunk trunkproto Define trunkproto shutdown Shutdown interface ? Options
[no] ip
[dhcp] |
address/prefix-length |
address/netmask
Adds or removes the main IP address and other related parameters on the interface. IPv4 addresses can be configured with CIDR bitlength, or classic netmask. The IPv6 address may only be configured with a bitlength.
nsh(interface-lo0)/ip ::1/128
nsh(interface-fxp0)/ip 192.168.100.1/24
nsh(interface-fxp0)/ip 192.168.100.1/255.255.255.0
[no] alias
address/prefix-length |
address/netmask
Deprecated, adds or removes additional IP address and other related parameters on the interface. IPv4 addresses can be configured with CIDR bitlength, or classic netmask. The IP address may only be configured with a bitlength.
[no] ip dhcp
Enables or disables dhclient on a given (broadcast and layer2 capable) interface.
DHCP client notes: DHCP client mode takes control of default gateway route. There is currently no way to control default gateway if DHCP client is used on multiple interfaces. The first DHCP client interface to succeed in obtaining a lease sets the default gateway.
If /var/db is kept across reboots, (such as in a configuration
where nsh
is used on a hard disk)
/var/db/dhclient.leasees.$if files may exist where not desired. The presence
of /var/db/dhclient.leases.$if (where $if is the interface name) triggers
DHCP mode to be turned on in saved nsh
configurations (write) and in displayed nsh
configurations (show running-config). If you are using
nsh
on a system where /var is kept persistently,
look at the running configuration and execute 'no ip dhcp' for insterfaces
on which you do not intend to use DHCP.
nsh(interface-fxp0)/ip dhcp
[no] description
text
Adds or removes a descriptive label to the interface.
nsh(interface-em0)/description Chris-WAN01-Link
[no] group
group-name [another-group-name...groupname-N]
Adds or removes a group label to the interface. The group can then be referred to in other configuration such as the firewall pf configuration. This is useful for grouping similar interfaces together and, can reduce the size of your firewall rule set. An interface can be a member of multiple groups.
nsh(interface-em0)/group WAN
[no] rdomain
routing-domain-number
Sets the routing domain of an interface. Note that this command clears all existing ip configuration on the interface.
[no] rtlabel
[rtable-id]
TODO Set or remove the rtable id on an interface. TODO better explanation needed!
[no] priority
0-15
Set the interface routing priority to a value in the range of 0 to 15 with smaller numbers being better. The default priority of an interface is 0, except for IEEE 802.11 wireless interfaces (priority 4), umb(4) interfaces (priority 6), and carp(4) interfaces (priority 15). The default priority of newly connected routes (routes created by configuring an IP address on an interface) is calculated by adding 4 (RTP_CONNECTED) to the interface priority. The default priority of new static routes added to the kernel is calculated by adding 8 (RTP_STATIC) to the interface priority.
[no] llpriority
0-7
Sets or remove the priority for link layer communications on the interface
to a value between 0-7 (arp (4), bpf(4), pppoe(4).
nsh(interface-em0)/llpriority 7
[no] mtu
mtu-bytes
Add or remove a configured Maximum Transmission Unit (MTU) on the
interface. This is the maximum packet size that the operating system is
permitted to transmit. Use the no
keyword to set
mtu
to reset the interface MTU to the default value
for that interface type.
The output of 'show interface' displays a 'hardmtu' value which is the maximum mtu value supported by the hardware and driver currently installed. The mtu command fails gracefully if the specified mtu exceeds the hardmtu value of the interface.
A larger MTU is particularly useful for underlay interfaces which encapsulated tunneled traffic traverses or for features which stack tags, such as PPPoE, MPLS tagging and QinQ (svlan) tagging.
nsh(interface-vr0)/mtu 1600
[no] metric
0-2147483647
Set routing metric for the interface. Using
no
keyword before metric sets the interface metric
to the default value of zero.
nsh(interface-fxp0)/metric 2
[no] link <0|1|2>
Set any of the link flags on the interface. Using
no
keyword before link XYZ
removes the specified link flags 'XYZ'. Using no
keyword before link
removes all link flags from the
interface.
nsh(interface-gre0)/no link 0
[no] arp
Enable or disable Address Resolution Protocol ARP on the interface. (Enabled by default.)
nsh(interface-fxp0)/arp nsh(interface-fxp0)/no arp
[no] lladdr
mac-address | random
Set or remove the mac address on the interface. The administrator can specific a macadress in colon notation e.g. 00:11:22:33:44:55 or random to request a random mac address assignment for the interface.
nsh(interface-vether3)/lladdr random nsh(interface-vether3)/lladdr 00:11:22:33:44:55
[no] nwid
network-id
Set or remove the configured network ID for an 802.11 capable
interface. Use the no
keyword before the
nwid
to reset to the default value of a blank
network ID.
[no] nwkey
key
Set the WEP network key for an 802.11 capable interface. Use the
no
keyword before nwkey to turn off WEP.
[no] powersave
time
Set the 802.11 powersaving mode to X ms of time. Use the
no
keyword before powersave to set the powersave
mode to the default powersave time.
[no] txpower
dBm
Set the transmit power on an 802.11 radio network interface
manually. Power units are in dBm. Use the no
keyword
before txpower
to set the radio transmit power to
automatic.
E.g to set the tx power of iwn0 to 10dBm simply enter the command below:
nsh(interface-iwn0)/txpower 10
[no] bssid
mac-address
Set or remove the configured BSSID of a radio interface to a specific MAC address, the mac-address should be entered in semi colon format e.g. 12:34:56:78:9a:bc.
E.g. set the bssid of radio interface iwn0
nsh(interface-iwn0)/bssid 12:34:56:78:90:12
[no] media
[type] [instance]
Set the media type of the interface. Entering media without an argument diplays help for the media settings available for the interface.
E.g. show media settings supported by an intel pro 1000 em(4) interface
nsh(interface-em0)media
%autoselect | 10baseT | 100baseTx | 1000baseT.
E.g to set the speed of the network interface speed to 1000mb/s
nsh(interface-em0)/media 1000baseT
nsh(p)/verbose % Diagnostic mode enabled nsh(p)/sho int vr0 % vr0 Interface is up (last change 37d 12:16:02), protocol is up Interface type Ethernet (Broadcast), hardware address 00:0d:b9:29:6b:50 Media type autoselect (100baseTX full-duplex), status active Internet address 100.64.0.1/24, fe80::20d:b9ff:fe29:6b50%vr0/64 Routing Domain 0, MTU 1500 bytes (hardmtu 1740), Line Rate 100 Mbps 187081496 packets input, 232860544316 bytes, 19 errors, 0 drops 102231197 packets output, 21564487790 bytes, 0 errors, 3267264 unsupported 1244 input, 210 output (average bytes/packet) 0 collisions Flags: <UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> Hardware features: <CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL> Supported media types on vr0: media none media 10baseT media 10baseT, mediaopt full-duplex media 100baseTX media 100baseTX, mediaopt full-duplex media autoselect
nsh(interface-vr0)/media 10baseT
[no] mediaopt
option
Set or remove media options such as full-duplex / half-duplex.
e.g to set vr0 interface to full-duplex mode:
nsh(interface-vr0)/mediaopt full-duplex nsh(interface-vr0)/no mediaopt full-duplex
[no] auth
proto
pap | chap
name
name-text
key
key-text
Set or remove the PPP authentication parameters for the interface.
[no] peer
proto
pap | chap
name
name-text
key
key-text
[flag
callin |
norechalange]
Set or remove configured peer PPP authentication parameters for the interface.
[no] tunnel
source-ip
destination-ip [ttl
0-255] [df] [ecn]
Set or remove tunnel assignments with this command. Note that tunnel assignments are only valid on gif and gre interfaces at this time. TODO
nsh(interface-gre0)/tunnel 12.3.3.3 12.6.6.6
[no] tunneldomain
[rdomain-id]
Set or remove tunnel routing domain over which tunnel encapsulated packets are to be exchanged between tunnel ip endpoints.
[no] txprio
[0-7 |
packet | payload]
Set or remove configured transmit priority of the headers of a tunnel interface. Valid options are standard traffic priority values (0-7) or set the headers according to encapsulated packet or payload priority.
E.g. to set the priority of headers of the tunnel gre1 to match that of the payload.
nsh(interface-gre1)/txprio payload
[no] rxprio
[0-7 |
packet | payload]
Set or remove configured receive priority of the headers of a tunnel interfaces are standard traffic priority values (0-7) or set the headers according to encapsulated packet / payload priority).
E.g. to set the priority of headers of tunnel gre1 manually to 7 regardless of payload:
nsh(interface-gre1)/rxprio 7
[no] vnetid
[0-16777215 | 1-4094]
Set or remove the 24 bit virtual network identifier tag. Virtual network identifier tags are typically used in large multi tenant VXLAN multiple routing domain environments. If vnetid invoked inside a vlan interface the acceptable range is the standard 12-bit vlan id 1-4094 of the IEEE 802.1Q VLAN tag.
E.g. set gre1 vnetid to 8192.
nsh(interface-gre1)/vnetid 8192
[no] vnetflowid
Allow or disallow the interface to use a portion of the virtual network identifier space as a flow identifier. This allowOBs loadbalancing of the encapsulated traffic over multiple links.
E.g. enable vnetflowid load balancing for gre1.
nsh(interface-gre1)/vnetflowid
[no] parent
parent-interface
Set or remove the parent interface for a vlan interface
E.g. set the parent interface of vlan1024 to em0.
nsh(interface-vlan1024)/parent em0
[no] patch
pair-interface-name
Set or remove patch (layer1+ connection) between current interface and another pair(4) interface. A patch is a CPU efficient way of forwarding packets between two pair(4) interfaces, the forwarding mechanisim is layer1 like a cable what is sent by one pair(4) interface is recived by the other pair(4) interface and vice versa. Patch can only connect two pair(4) interfaces, no other interface types are supported.
E.g. To connect pair1 and pair2 interfaces with a virtual patch cable.
nsh(p)/interface pair1 nsh(interface-pair1)/patch pair2
[no] keepalive
[period count]
Enable or disable gre / gre based interfaces sending keepalive
packets sent every period seconds. A second timer is run with a timeout of
count * period. If no keepalive response is received during that time, the
link is considered down. The minimal usable count is 2 since the round-trip
time of keepalive packets
needs to be taken into account.
E.g. enable keepalives on interface gre1 at 1 second interval and down count of 3.
nsh(interface-gre1)/keepalive 1 3
[no] mplslabel
[16-1024575]
Set or remove the local MPLS label to the specified mplslabel this label on the local system shall de-encapsulated for input. (MPLS labels 0-15 inclusive are reserved labels and cannot be used). MPLS labels are supported for mpe(4), mpip(4) and mpw(4) interfaces.
E.g. set the mpls label to 10240 on interface mpe1.
nsh(interface-mpe1)/mplslabel 10240
[no] pwe neighbor
[neighbor-label neighbor-ip]
Set or remove the configuration of the PWE3 neighbor, configured with an MPLS neighbor label and a neighbor ip. neighbor-label can be any value 16-1024575. neighbour-ip should be set to the ip address of the PWE3 neighbor.
[no] pwe
[cw]
Enable or disable the use of PWE3 Control Word. The control word is used to facilitate fragmentation across mpls packets. This option supported on the mpip(4) and mpw(4) interfaces.
E.g. enable control word on an mpls pseudo wire interface mpw1.
nsh(interface-mpw1)/pw cw
[no] pwe
[fat]
Enables or disables the use of PWE flow-aware transport FAT flow label. This option supported on the mpip(4) and mpw(4) interfaces.
E.g. Enable flow-aware transport flow label on mpls ip interface mpip1
interface-mpip1)/pw fat
[no] syncdev
syncdev-name
Configures or removes the data interface through which pfsync update messages are sent. Note that the pfsync protocol currently includes no authentication method. It is advisable to layer authentication, signing and (possibly encrypted tunnels for the underlay interfaces. For simplicity on co-located pfsynced firewalls a secure way to use pfsync, is through a a direct (layer1 (i.e. no switches)) cable connecting directly between two pfsync capable devices (i.e. a conenction made with an ethernet patch cable). This command is valid only for pfsync(4) interfaces.
E.g. Set the physical interface em1 as the pfsync0 syncdev
nsh(interface-pfsync0)/syncdev em1
[no] syncpeer
[ipv4-peer-pfsync-address]
Set or remove a manually entered ip address of the pfsync interface of a peer pf sync firewall. By default, state change messages are sent out on the synchronisation interface using IP multicast packets to the 224.0.0.240 group address. When syncpeer ip address is set the sync messages are sent via unicast to the specified ipv4-peer-pfsync-address. This command is valid only for pfsync(4) interfaces.
E.g. set sync messages to use unicast peer ip address 192.0.0.10 which is reachable via syncdev interface.
nsh(interface-pfsync0)/syncpeer 192.0.0.10
[no] maxupd
0-255
[defer]
Configures or removes the maximum number of updates which are collapsible into one for a single state. The default value is 128. The transmission a pfsync update packet shall be delayed by a maximum of 1 second. The defer flag defers the first packet of each connection from being delivered until the state is active on pfsync peer. This command is valid only for pfsync(4) interfaces.
E.g. set the pfsync to aggregate the maximum number of state changes before sending a pfsync update message (reduce pfsync traffic updates)
nsh(interface-pfsync0)/maxupd 255
E.g. set pfsync to aggregate a max of 32 state changes in one packet and delay fowarding of new connection packets until peers pfstate is synchronised use:
nsh(interface-pfsync0)/maxupd 32 defer
[no] vhid
[1-255]
Configure or remove the virtual host ID for the Common Address Redundancy CARP protocol. vhid is valid for carp(4) interfaces only.
E.g. set virtual router host id on carp0 interface to 12.
nsh(interface-carp0)/vhid 12
[no] advbase
[0-254]
Configure or remove the advertisement interval in seconds for the master host to advertise itself. advbase is valid for carp(4) interfaces only.
E.g. set the advertisement interval to 10 seconds on carp0 interface.
nshpromot(interface-carp0)/advbase 10
[no] advskew
skew
Configure or remove the carp advertisement skew on the active carp interface. The formula is advbase + (advskew / 255). If the master does not advertise within three times this interval, this host assumes master role and starts advertising as master. The device with the highest advskew value is least likely to become master, a device with a high advskew only becomes master if all other devices are offline. advskew is valid for carp(4) interfaces only.
E.g. set the advskew to 20 on carp0 interface.
nsh(interface-carp0)/advskew 20
[no] carppass
passphrase
Configure or remove the CARP passphrase of the active interface. The passphrase can be up to 19 characters long and can contain special characters. There is no passphrase by default. carpass is valid for carp(4) interfaces only.
E.g. Set carp0 carp passphrase to 19CharPassphrase!!! including exclamation marks.
nsh(interface-carp0)/carppass 19CharPassphrase!!!
[no] carpdev
[interface-name]
Set or remove the interface on which the selected carp interface's carp advertisements are sent and received. The carpdev is the "real interface" over which the carp virtual IP is accessible. carpdev is valid for carp(4) interfaces only.
E.g set carp0 to use vlan10 as its carpdev.
nsh(interface-carp0)/carpdev vlan10
[no] carpnode
[vhid]
[advskew] [state]
Set or remove carpnode parameter on a carp interface. carpnode facilitates loadbalancing across carp nodes. Each carpdevice that you wish to loadbalance should have a carpnode and advskew entry on each carp device. carpnode is valid for carp(4) interfaces only.
E.g. For a 3 node carp cluster, one can setup carpnode loadbalanced entries as follows.
on carp router 1
nsh(interface-carp0)/carpnode 1 10
nsh(interface-carp0)/carpnode 1 20
nsh(interface-carp0)/carpnode 1 30
[no] carppeer
[peer-ip-address]
Set or remove the carppeer ip address of a carp peer on the active carp interface. carppeer is valid for carp(4) interfaces only.
E.g. set carppeer to 10.2.3.4 on carp0 interface.
nsh(interface-carp0)/carppeer 10.2.3.4
[no] balancing
[none
| ip | ip-stealth |
ip-unicast]
Set or remove the balancing mode on the active carp interface. Valid balancing modes are as follows:
- none no load-balancing.
- ip IP load balancing on top of Layer 2 multicast MAC (requires multicast mac support on the network switch)
- ip-stealth carp wont send packets with its own virtual MAC address as
the source. Stealth mode prevents a switch from learning the virtual
MAC address, therefore the switch would unicast flood traffic to all
switch ports
(unless there is some swithc acls to prevent flooding unnecessarily. - ip-unicast Used in conjunction with a HUB or a switch that can replicate packets (monitoring or mirror) or other non-standard switch forwarding mechanism.
balancing is valid when used in carp(4) interfaces.
E.g. enable standard IP balancing over layer2 multicast mac on carp0 interface
nsh(interface-carp0)/balancing ip
[no] pflow
[sender
sender-ip receiver
receiver-ip:port] [version
5 | 9 |
10]
Set or remove pflow export to a pflow interface. plfow without arguments displays command help. To set a up a pflow export the sender-ip and receiver-ip:port must be specified. The specified pflow sender-ip address must exist on an interface on the system already. The receiver-ip:port is the address of the flow collector in your network. version specifies the export flow prtocol i.e. netflow version (5 or 9) or the standardised IPFIX (10).
The pflow interface attempts aggregate multiple pflow records in one export UDP packet. The aggregation algoritim record for longer than 30 seconds. The packet size and thus the maximum number of flows is controlled by the mtu of the inteface the flows are exported via.
There is a one-to-one correspondence between packets seen by bpf(4) on the pflow interface and packets sent out to the flow receiver. I.e. if a packet with 30 flows on pflow, then the same 30 flows were sent out to the receiver.
pflow command is valid only on a pflow(4) interface.
E.g. to setup a pflow export from 10.1.1.1 to an IPFIX flow collector listening on another server on 10.1.1.2 port 4739.
nsh(p)/interface pflow0 nsh(interface-pflow0)/pflow sender 10.1.1.1 receiver 10.1.1.2:4379 version 10
[no] debug
Set or remove the driver-dependant debugging flag for an interface. Useful for troubleshooting.
E.g to set debugging on a carp0 interface.
nsh(interface-carp0)/debug
[no] dhclrelay
[dhcp-server-ip]
Set or remove dhcp relay service on the selected interface. The dhcrelay service listens on the selected interface for broadcast dhcp requests and then wrap the recieved broadcast request in a unicast ip packet and send it to a DHCP server specified by dhcp-server-ip.
E.g. set up dhcprelay on em0 and send requests to DHCP server 10.1.1.2
nsh(interface-em0)/dhcrelay 10.1.1.2
[no] wol
Enable or disable WOL (wake on lan) functionality on the selected interface. The interface and device bios or firmware must support WOL functionality.
E.g. to enable wake on lan on interface em0.
nsh(p)/interface em0 nsh(interface-em0)/wol
[no] mpls
Set or remove the MPLS flag on the selected interface,if mpls is set on the interface, the interface can send and receive mpls traffic.
E.g enable mpls on em0
nsh(p)/interface em0 nsh(interface-em0)/mpls
[no] inet6
Enables or disables ipv6 (inet6) link local address on the selected interface.
E.g. to enable ipv6 link local address on em0
nsh(p)/interface em0 nsh(interface-em0)/rad
[no] autoconf6
Enable or disable IPv6 auto configuration of Ipv6 address on the inteface. If autoconf6 is used alone (without temporary or autoconfprivacy being set on the interface then the autoconfigured address assigned is repeatable based on the MAC address of the interface (EUI64).
E.g. enable ipv6 autoconf address on the interface em0.
nsh(p)/interface em0 nsh(interface-em0)/autoconf6
[no] temporary
Configure or remove temporary address extension for stateless ipv6 autoconfiguaration. Temporary address assignments prevents a repeatable IPv6 address being assigned to the device to reduce the possibility of longterm external tracking of device (users) activity.
E.g. enable ipv6 autoconf with a temporary address on the interface em0.
nsh(p)/interface em0 nsh(interface-em0)/autoconf6 nsh(interface-em0)/temporary
[no] autoconfprivacy
deprecated. alias for Cm temporary above. Randomised addresses used to be called autoconfprivacy extensions for IPv6. Temporary addressing is a better description as privacy is not necessarily guaranteed by random IP addressing of a device.
E.g. enable ipv6 autoconf with "privacy" random temp address on the interface em0.
nsh(p)/interface em0 nsh(interface-em0)/autoconf6 nsh(interface-em0)/autoconfprivacy
[no] monitor
Configure or remove the monitor flag on the selected interface. Prevents the packets being processed in the network stack. Useful for intrusion detection sniffing and other diagnostics.
E.g. to enable ipv6 autoconf with "privacy" random temp address on the interface em0
nsh(p)/interface em0 nsh(interface-em0)/monitor
[no] wgpeer
[public-key] [endpoint
endpoint-ip:port | aip
allowed-ip/prefix | psk
pre-shared-key | pka
interval-sec]
Configure or remove a wireguard peer with the peers publickey. The public-key is 32 bytes and base64-encoded.
pka
interval-sec The
persistent keep alive (pka) option sets the interval of keepalive packets in
seconds. By default pka is is disabled i.e. the interval is 0. pka can help
maintain connectivity to a peer that would otherwise be denied unsolicited
traffic by an intermediate firewall or NAT device. Empirically, an interval
of 25 seconds should suffice for most firewall configurations.
psk
pre-shared-key
The psk and preshared-key is optional but recommended as it supplements the
public key cryptography with symmetric key cryptography.
aip
allowed-ip/prefix Set the peer's allowed IPv4 or IPv6
addresses or prefixes for tunnelled traffic. The option be repeated to set
multiple allowed ip/ranges. No addresses are allowed by default.
- E.g set the a peer with the following requirements:
- public key EJqeFntM71Dfvn/LDu88gLOWw8aeOHoxrshOEHFd6lQ=
- from an ip of 10.1.2.3/32
- with a keep alive packet interval of 25 seconds
nsh(p)/interface wg0 nsh(interface-wg0)/wgpeer EJqeFntM71Dfvn/LDu88gLOWw8aeOHoxrshOEHFd6lQ= aip 10.1.2.3/32 endpoint 10.1.2.3:5252 psk oJo0kNhoF3TElGUXDg4b0H6IJvOiVCAc/tuaJa1nmVU=
wgkey
[privatekey] Set the private
key of the current wireguard interface. When wgkey
is
run without an argument a new wireguard key is generated for the interface.
The privatekey is 32 bytes and base64-encoded.
E.g. set the private key of wireguard interface wg0 to a specific key.
nsh(p)/interface wg0 nsh(interface-wg0)/wgkey QComa+ca+mWih+Vl/5G/p+UwhYy17hw5vdwysZpIAn0=
[no] wgport
0-65535
Set or remove the configuration for the local UDP port to be used
by the current wireguard interface when exchanging traffic with its
wireguard peers. The interface binds to INADDR_ANY and IN6ADDR_ANY_INIT. If
wgport
is entered without an argument wireguard
selects its own port automatically.
E.g. set wireguard interface wg0 to listen on 18443 UDP.
nsh(p)/interface wg0 nsh(interface-wg0)/wgport 18443
[no] wgrtable
[rtable-id]
Set or remove the configuration of which routing table the Exchange traffic with peers under. The routing table choice is made using rtable-id which would be a value between 0 and 255 on a default OpenBSD kernel. The routing domain of the rtable does not need be in the same routing domain to which the interface is attached. wgrtable configures which rdomain the interface's tunnelled traffic appears.
E.g. set wireguard interface wg0 routing table to routing domain 5.
nsh(p)/interface wg0 nsh(interface-wg0)/wgrtable 5
[no] shutdown
Administratively turn off or on the current interface.
Using this command to shutdown and then turn up an interface resets the interface.
nsh(interface-de0)/shutdown nsh(interface-de0)/no shutdown
Section 5 > Bridge mode commands
see the following man pages for information
!man bridge
!man ifconfig
Section 6 > PF mode commands
see the following man pages for information
!man pfctl !man pf.conf
Section 7 > Adding system users to
nsh
OpenBSD has facilities for a user to be able to login directly to nsh without having access to a typical bourne or C shell.
Configure the user so they can run /bin/nsh from sudo. You must do this in /etc/sudoers, like this:
nshuser ALL=NOPASSWD:/bin/nsh
Another way to configure sudoers is to allow all users that are members of a certain group to run NSH through sudo, like this:
%nshgroup ALL=NOPASSWD:/bin/nsh
Compile nwrapper (in the nsh distribution):
cc -static -o nwrapper nwrapper.c
mv nwrapper /bin/nwrapper
usermod -s /bin/nwrapper nshuser
Do NOT add nwrapper (or nsh) to /etc/shells. They should not be entered here.
Common interface types
Packet Filter Logging: This interface is used to pass traffic logged by the firewall to software which can record it. These interface names start with 'pflog'.
IPsec Loopback: This interface is used internally in the system to pass decapsulated IPsec traffic. All traffic from this interface has already been authenticated and unencrypted from the IPsec subsystem. This is useful when writing firewall rules. These interface names start with 'enc'.
Generic Tunnel: This interface is used to configure a network tunnel to another host or router. It follows the RFC1933 tunnelling standard. These interface names start with 'gif'.
Ethernet Bridge: This interface is used to configure layer 2 bridging between physical and virtual network ports on a system. These interface names start with 'bridge'.
Ethernet: This is a physical Ethernet interface, running at 10, 100, or 1000 megabits per second. These interface names are based on the name of the driver, and vary with different Ethernet chip types.
IEEE 802.1Q Virtual: This is a virtual Ethernet, Token Ring, or FDDI interface. It uses the IEEE 802.1Q protocol to segment real Ethernet interfaces into multiple layer 2 networks. These interface names start with 'vlan'.
Virtual: This is a virtual interface of any type. Often several different interfaces use this type. Several versions of OpenBSD use this type to denote virtual IEEE 802.1Q interfaces, described above.
PPP: This interface implements the Point to Point Protocol (PPP). PPP, described in RFC 1661, creates a network over serial communication lines. It is used over modem connections, direct serial links, leased lines, and over virtual IP based connections such as in SSH sessions. These interface names start with 'ppp' when referring to a version which supports serial and modem connections. Other interface types may also implement the Point to Point Protocol.
IEEE 802.11 Wireless: This interface implements the IEEE 802.11 wireless LAN protocol. Many implementations of this network have little or no security unless used with proper encryption such as IPsec. These interface names are based on the name of the driver, and vary with different wireless chip types.
Interface flags
UP
Interface is upBROADCAST
broadcast address validDEBUG
debugging enabed (only some network drivers use this)LOOPBACK
Interface is a loopback network (internal to the machine)
POINTOPOINT
Interface is point-to-point link
NOARP
Address Resolution Protocol is disabled on this interface
PROMISC
Interface is in promiscuous mode, the system's software to receive all packets visible to the network card, even if they are not destined for this hostALLMULTI
This causes the interface to receive all multicast traffic, even for multicast networks that it was not signed up for
OACTIVE
Transmission in progress. An interface that displays this flag continuously may be stuck. You may be able to reset an interface that is in this state by using and then reversing the 'shutdown' command from the interface menu.
E.g. reset an interface.
nsh(p)interface vr0 nsh(interface-vr0)/shutdown nsh(interface-vr0)/no shutdown
SIMPLEX
Can't hear own transmissions
LINK0
This flag has different meanings with different interface types
LINK1
This flag has different meanings with different interface types
LINK2
This flag has different meanings with different interface types
MULTICAST
This interface supports multicast
ALTQ notes
TODO
Interface-specific notes
There are several special interfaces.
gre
The gre interface allows for tunnel construction using the Cisco
GRE encapsulation protocol.
You can use the tunnel command under interface mode to create a tunnel.
nsh(interface-gre0)/tunnel 1.2.3.4 5.5.5.5
enc (specifically, enc0) is the encapsulating interface. It is a software loopback mechanism used to control non-encapsulated IPsec traffic using the pf firewall ruleset. It allows an administrator to see outgoing packets before they have been processed by IPsec, or incoming packets after they have been processed.
All traffic out of enc0 is already decrypted and authenticated via IPsec. Thus, it is helpful when writing firewall rulesets.
ppp (Point to Point Protocol)
The serial line Point-to-Point protocol uses this interface.
sl (Serial Line Interface Protocol)
The Serial Line Internet Protocol uses this interface.
tun (Tunnel Interface)
This is another software loopback mechanism. It allows user processes to create their own virtual network interfaces. It is used by the PPPoE implementation.
gif
This interface is used for RFC 1933 IPv[46] to IPv[46] tunnels.
nsh(interface-gif0)/tunnel 1.2.3.4 5.5.5.5
nsh(interface-gif0)/tunnel 1.2.3.4 5.5.5.5 rdomain 5
pflog
Packets logged from the packet filter are visible on this interface
vlan
This interface type allows virtual LANs to be setup over an Ethernet port using the 802.1Q protocol. E.g. setup a virtual interface with the 192.168.44.1 IP address, with 802.1Q trunking on the fxp3 physical interface, and a vlan ID of 4.
nsh(interface-vlan0)/vnetid 4 nsh(interface-vlan0)/parent fxp3 nsh(interface-vlan0)/ip 192.168.44.1/24
Svlan
This interface type allows virtual LANs to be setup over an Ethernet port using 802.1AD provider bridge.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by Jason L. Wright
This product includes software developed by the NetBSD Foundation Incorporated and its contributors.
EDITOR
was used to specify the name of an
(old-style) line editor, such as ed(1), and VISUAL
was used to specify a
(new-style) screen editor, such as vi(1). Hence if VISUAL
is set, it overrides
EDITOR
. TODO
FILES
- /etc/nshrc
- global configuration file
- ~/.profile
- user's login profile
- /etc/shells
- shell database
- /etc/suid_profile
- privileged shell profile
SEE ALSO
Chris Cappuccio, http://www.nmedia.net/nsh/, 2014.
Chris Cappuccio, https://github.com/yellowman/nsh, 2022.
Stephen G. Kochan and Patrick H. Wood, UNIX Shell Programming, 3rd Edition, Sams, 2003, ISBN 0672324903.
AUTHORS
This shell was originally designed and written by Chris Cappuccio <chris@nmedia.net>, and is now co-maintained by Tom Smyth <tom.smyth@wirelessconnect.eu>.