Zhone 2004 User Guide

Application Notes
C-9
proto
allows a specific protocol to be matched against. Protocol names may be used. However, the protocol may also be given as a DECIMAL number, allowing rules to match your own protocols, or new ones which would out-date any attempted listing.
The special protocol keyword tcp/udp may be used to match either a TCP or a UDP packet, and has been added as a convenience to save duplication of otherwise-identical rules.
The from and to keywords are used to match against IP addresses (and optionally port numbers). Rules must specify BOTH source and destination parameters.
IP addresses may be specified in one of two ways: as a numerical address/mask, or as a hostname mask netmask. The hostname is of the dotted numeric form.
There is a special case for the hostname any, which is taken to be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses. Only the presence of "any" has an implied mask; in all other situations, a hostname MUST be accompanied by a mask. It is possible to give "any" a hostmask, but in the context of this language, it is nonsensical.
In the numerical format "x/y", y is either a count of consecutive 1 bits set in the mask, starting with the MSB, or a hexadecimal mask of the form 0x12345678. Note that all the bits of the IP address selected by the bitmask must match the address on the packet exactly; there isn't currently a way to invert the sense of the match, or to match ranges of IP addresses which do not express themselves easily as bitmasks.
If a port match is included, for either or both of source and destination, then it is only applied to TCP and UDP packets. If there is no proto match parameter, packets from both protocols are compared. This is equivalent to "proto tcp/udp". When composing port comparisons, either the service name or an integer port number may be used. Port comparisons may be done in a number of forms, with a number of comparison operators, or port ranges may be specified. See the examples for more information.
The all keyword is essentially a synonym for "from any to any" with no other match parameters.
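The address-matching semantics described above (proto by name or decimal number, the tcp/udp keyword, "x/y" masks given as a bit count or a hexadecimal mask, the "hostname mask netmask" form, the implied mask of any, and the all synonym) as an added worked example in Python; this is not code from the user guide or from the filter implementation, and PROTO_NAMES is a constructed subset of protocol names.

```python
import ipaddress
# Constructed subset of protocol names; a real implementation would consult /etc/protocols.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr_spec(tokens):
    """Consume one address spec from the front of tokens; return (network, mask, rest).
    Forms: any (implied 0.0.0.0/0), a.b.c.d/N, a.b.c.d/0xHHHHHHHH, a.b.c.d mask m.m.m.m."""
    head, rest = tokens[0], tokens[1:]
    if head == "any":
        return 0, 0, rest
    if "/" in head:
        host, m = head.split("/", 1)
        if m.lower().startswith("0x"):
            mask = int(m, 16)  # explicit hexadecimal bitmask
        elif 0 <= int(m) <= 32:
            mask = (0xFFFFFFFF << (32 - int(m))) & 0xFFFFFFFF  # N one-bits from the MSB
        else:
            raise ValueError("mask length must be 0..32: " + head)
    elif len(rest) >= 2 and rest[0] == "mask":
        host, mask, rest = head, ip_int(rest[1]), rest[2:]
    else:
        raise ValueError("a hostname must be accompanied by a mask: " + head)
    return ip_int(host) & mask, mask, rest

def proto_matches(spec, packet_proto):
    """spec: None (no proto clause), a name, a decimal number, or the keyword tcp/udp."""
    if spec is None:
        return True
    if spec == "tcp/udp":
        return packet_proto in (6, 17)
    return packet_proto == (int(spec) if spec.isdigit() else PROTO_NAMES[spec])

def rule_matches(rule, proto, src, dst):
    """Match (numeric proto, source IP, destination IP) against 'proto P from A to B'."""
    tokens, spec = rule.split(), None
    if tokens[:1] == ["proto"]:
        spec, tokens = tokens[1], tokens[2:]
    if tokens == ["all"]:  # synonym for 'from any to any'
        tokens = ["from", "any", "to", "any"]
    if tokens[:1] != ["from"]:
        raise ValueError("rules must specify both source and destination")
    src_net, src_mask, tokens = parse_addr_spec(tokens[1:])
    if tokens[:1] != ["to"]:
        raise ValueError("rules must specify both source and destination")
    dst_net, dst_mask, _ = parse_addr_spec(tokens[1:])
    # Every bit the mask selects must equal the packet address; no inversion, no ranges.
    return (proto_matches(spec, proto) and (ip_int(src) & src_mask) == src_net
            and (ip_int(dst) & dst_mask) == dst_net)
```

Port comparisons and the with keyword are left out; the block only covers the protocol and address portion of a rule.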
Following the source and destination matching parameters, the following additional parameters may be used:
The with keyword is used to match irregular attributes that some packets may have associated with them. To match the presence of IP options in general, use with ipopts. To match packets that are too short to contain a complete header, use with short. To match fragmented packets, use with frag. For more specific filtering on IP options, individual options can be listed.
Before any parameter used after the with keyword, the word not or no may be inserted to cause the filter rule to match only if the option(s) are not present.