Zhone 2004 User Guide

Application Notes
C-7
nummask = host-name [ "/" decnumber ] .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" | "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" | "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" | "maskreq" | "maskrep" | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" | "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" | "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" | "le" | "ge" .
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag = "F" | "S" | "R" | "P" | "A" | "U" .
This syntax is somewhat simplified for readability; some combinations that match this grammar are disallowed by the software because they do not make sense (such as TCP flags for non-TCP packets).
Filter Rules
The "briefest" valid rules are (currently) no-ops and are of the form:
block in all
pass in all
Filter rules are checked in order, with the last matching rule determining the 
fate of the packet (exception, see the quick option below).
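As an added example (not from the guide), a small Python model of the ordering rule just described: rules in the brief form `action direction [quick] (all | proto NAME)` are checked in order and the last match decides, except that a matching `quick` rule ends evaluation with its own action. The `proto NAME` clause, the packet fields, and returning `None` when no rule matches are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "block" or "pass"; every rule must carry one
    direction: str          # "in" or "out"
    quick: bool             # a matching quick rule ends evaluation at once
    proto: Optional[str]    # protocol name, or None when the rule says "all"


def parse_rule(line: str) -> Rule:
    """Parse the brief form: action direction [quick] ("all" | "proto" NAME).
    The "proto NAME" clause is an assumed extension of the page's no-op rules."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("block", "pass") \
            or tokens[1] not in ("in", "out"):
        raise ValueError(f"malformed rule: {line!r}")
    action, direction, rest = tokens[0], tokens[1], tokens[2:]
    quick = rest[0] == "quick"
    if quick:
        rest = rest[1:]
    if rest == ["all"]:
        proto = None
    elif len(rest) == 2 and rest[0] == "proto":
        proto = rest[1]
    else:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(action, direction, quick, proto)


def matches(rule: Rule, direction: str, proto: str) -> bool:
    return rule.direction == direction and rule.proto in (None, proto)


def evaluate(rules: List[Rule], direction: str, proto: str) -> Optional[str]:
    """Walk the rules in order; the last matching rule decides, unless a matching
    rule carries quick, which stops the walk with its own action.
    Returns None when nothing matched (the no-match default is not on this page)."""
    verdict = None
    for rule in rules:
        if matches(rule, direction, proto):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed rule sets: the page's two no-op rules, and a quick variant.
NOOP_RULES = [parse_rule(l) for l in ["block in all", "pass in all"]]
QUICK_RULES = [parse_rule(l) for l in ["block in quick proto tcp", "pass in all"]]
# evaluate(NOOP_RULES, "in", "tcp") -> "pass"; evaluate(QUICK_RULES, "in", "tcp") -> "block"
```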
Actions
The action indicates what to do with the packet if it matches the rest of the 
filter rule. Each rule MUST have an action. The following actions are 
recognized:
block
indicates that the packet should be flagged to be dropped.