Zhone 2004 User Guide
2000-A2-GB22-00, page C-8
pass
will flag the packet to be let through the filter.
The next word must be either in or out. Each packet moving through the 
system is either inbound (just received on an interface) or outbound 
(transmitted or forwarded by the stack, and on its way to an interface). 
Every filter rule must state explicitly which side of the I/O it applies to; 
a rule written for in is never consulted for outbound packets, and vice 
versa.
Options
The list of options is brief. Where options are used, they must be present in 
the order shown here. These are currently supported options:
quick
allows "short-cut" rules in order to speed up the filter or override 
later rules. If a packet matches a filter rule which is marked as 
quick, this rule will be the last rule checked, allowing a "short-circuit" 
path to avoid processing later rules for this packet. The current 
status of the packet (after any effects of the current rule) will 
determine whether it is passed or blocked. If this option is missing, 
the rule is taken to be a "fall-through" rule, meaning that the result 
of the match (block/pass) is saved and that processing will continue 
to see if there are any more matches; the last matching rule decides.
on
allows an interface name to be incorporated into the matching procedure. 
If this option is used, the rule will only match if the packet is 
going through that interface in the specified direction (in/out). If this 
option is absent, the rule is applied to a packet regardless of the 
interface it is present on (i.e. on all interfaces). Filter 
rulesets are common to all interfaces, rather than having a filter list 
for each interface.
This option is especially useful for simple IP-spoofing protection: packets 
should only be allowed to pass inbound on the interface on which the 
specified source address would be expected to arrive; packets carrying 
that source address on any other interface may be logged and/or 
dropped.
Matching Parameters
The keywords described in this section are used to describe attributes of the 
packet to be used when determining whether rules match or don't match. The 
following general-purpose attributes are provided for matching, and must be 
used in this order:
tos
packets with different Type-Of-Service values can be filtered. Individual 
service levels or combinations can be filtered upon. The 
value for the TOS mask can be given either as a hex number 
or as a decimal integer value.
ttl
packets may also be selected by their Time-To-Live value. The 
value given in the filter rule must exactly match that in the packet 
for a match to occur. This value can only be given as a decimal 
integer value.
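The ordering rules above (quick versus fall-through, and the on/in/out 
interface check) are easy to get wrong when writing a ruleset. The following 
is an added example, not code from the Zhone guide or its firmware: a toy 
evaluator that accepts only the keywords documented on this page, in the 
order the page requires, and walks a constructed ruleset the way the text 
describes. The interface names wan0 and lan0, the sample packets, the 
default verdict of pass when no rule matches, and the reading of a tos 
value as a bit mask (every bit in the mask must be set in the packet) are 
all assumptions made for the example; address matching is not shown on 
this page and is left out.

```python
"""Toy evaluator for the filter-rule semantics described on this page.

Added example, not the Zhone guide's own code. Rule grammar accepted:

    <pass|block> <in|out> [quick] [on <ifname>] [tos <mask>] [ttl <n>]

Assumptions not stated on the page: interface names wan0/lan0 and the
packets below are constructed; the default verdict with no match is
"pass"; a tos mask matches when all its bits are set in the packet TOS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool = False         # stop processing if this rule matches
    on: Optional[str] = None    # interface name; None = any interface
    tos: Optional[int] = None   # TOS mask; None = don't care
    ttl: Optional[int] = None   # exact TTL; None = don't care


def parse_rule(text: str) -> Rule:
    """Parse one rule line, enforcing the keyword order shown on the page."""
    w = text.split()
    if len(w) < 2 or w[0] not in ("pass", "block") or w[1] not in ("in", "out"):
        raise ValueError(f"rule must begin <pass|block> <in|out>: {text!r}")
    rule = Rule(action=w[0], direction=w[1])

    def arg(idx: int, keyword: str) -> str:
        # The argument that follows a keyword at position idx, or a clear error.
        if idx + 1 >= len(w):
            raise ValueError(f"{keyword!r} needs an argument: {text!r}")
        return w[idx + 1]

    i = 2
    if i < len(w) and w[i] == "quick":
        rule.quick = True
        i += 1
    if i < len(w) and w[i] == "on":
        rule.on = arg(i, "on")
        i += 2
    if i < len(w) and w[i] == "tos":
        rule.tos = int(arg(i, "tos"), 0)   # hex (0x..) or decimal, as the page allows
        i += 2
    if i < len(w) and w[i] == "ttl":
        rule.ttl = int(arg(i, "ttl"), 10)  # decimal only, per the page
        i += 2
    if i != len(w):
        # Leftover words are unknown keywords or keywords out of the required order.
        raise ValueError(f"unexpected or out-of-order keyword {w[i]!r}: {text!r}")
    return rule


def matches(rule: Rule, pkt: Dict) -> bool:
    """True when every attribute the rule names agrees with the packet."""
    if rule.direction != pkt["direction"]:
        return False
    if rule.on is not None and rule.on != pkt["iface"]:
        return False
    if rule.tos is not None and (pkt["tos"] & rule.tos) != rule.tos:
        return False
    if rule.ttl is not None and rule.ttl != pkt["ttl"]:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Dict, default: str = "pass") -> str:
    """A fall-through match only records its verdict and keeps walking (so the
    last match wins); a quick match records its verdict and stops the walk."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def pkt(direction: str, iface: str, tos: int, ttl: int) -> Dict:
    """Constructed packet summary: only the fields this page can match on."""
    return {"direction": direction, "iface": iface, "tos": tos, "ttl": ttl}


# Constructed ruleset; wan0/lan0 are assumed interface names.
RULESET = [parse_rule(r) for r in [
    "block in quick ttl 1",        # TTL-1 probes die here on every interface
    "block in on wan0",            # fall-through default deny on the WAN side
    "pass in on wan0 tos 0x10",    # later rule overrides it for low-delay TOS
    "pass out quick on lan0",
    "block out on wan0",
]]

# Same intent, but the deny is quick: the later pass rule is never reached.
QUICK_DENY = [parse_rule("block in quick on wan0"),
              parse_rule("pass in on wan0 tos 0x10")]

if __name__ == "__main__":
    for p in [pkt("in", "wan0", 0x00, 1), pkt("in", "wan0", 0x10, 64),
              pkt("in", "wan0", 0x00, 64), pkt("in", "lan0", 0x00, 64)]:
        print(p, "->", evaluate(RULESET, p), "/ quick deny:", evaluate(QUICK_DENY, p))
```

The second ruleset is the point worth remembering: moving quick onto the 
deny rule silently disables every pass rule placed after it, which is the 
behaviour the text describes and the usual cause of "my later rule never 
fires" confusion.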