Znyx Networks bh5700 Manuale Utente
The type can be preceded by ! to match any message except the type listed, for example, --
icmp-type ! 1
Specifying TCP or UDP ports
If the protocol is TCP or UDP, the -s ( or --sport) and -d (or --dport) options specify the
TCP or UDP ports to match.
TCP or UDP ports to match.
A range of ports can be specified by giving the first and last ports separated by a :, as in --
dport 0:1023. It is also possible to precede the port specification with a ! to match all ports
which are not included in the range, for example, --sport ! 0:1023. However, the range of
ports must be a power of two, starting with a port number which is a multiple of the range.
dport 0:1023. It is also possible to precede the port specification with a ! to match all ports
which are not included in the range, for example, --sport ! 0:1023. However, the range of
ports must be a power of two, starting with a port number which is a multiple of the range.
Specifying TCP flags
If the protocol is TCP, a match on particular TCP flags is specified by listing the flag names; for
example, -p tcp --syn.
example, -p tcp --syn.
Specifying an Interface
The -i (or --in-interface) and -o (or --out-interface) options specify the name of an
interface to match. An interface is the physical device the packet came in on (-i) or is going out
on (-o). You can use the ifconfig command to list the `up' interfaces (for example, working
at the moment).
interface to match. An interface is the physical device the packet came in on (-i) or is going out
on (-o). You can use the ifconfig command to list the `up' interfaces (for example, working
at the moment).
As a special case, an interface name ending with a + will match all interfaces, whether they
currently exist or not, which begin with that string. For example, to specify a rule which matches
all zhp interfaces, the -i zhp+ option would be used.
currently exist or not, which begin with that string. For example, to specify a rule which matches
all zhp interfaces, the -i zhp+ option would be used.
Filter Rule Targets
As mentioned above the
-j
construct within a rule specifies which target is to be used in filter rule
to define a target.
Supported Targets
The following are the supported targets. The switch has many additional targets that are software
based (example Network Address Translation or generic connection tracking).
based (example Network Address Translation or generic connection tracking).
Classical Targets
DROP This drops the packet.
DROP This drops the packet.
ACCEPT
Accepts the packet
ZNYX Targets
ZACTION
This is the ZNYX Action target.
Parameters for ZACTION:
Ethernet Switch Blade User's Guide
release 3.2.2j
page 63