3com 2200 用户手册
12-8
C
HAPTER
12: C
REATING
AND
U
SING
P
ACKET
F
ILTERS
Implementing Sequential Tests in a Packet Filter
Filter language expressions are normally evaluated to completion —
a packet is accepted if the value remaining on the top of the stack is
non-zero. Frequently, however, a single test is insufficient to filter packets
effectively. When more tests are warranted, you want to accept a packet
that either:
a packet is accepted if the value remaining on the top of the stack is
non-zero. Frequently, however, a single test is insufficient to filter packets
effectively. When more tests are warranted, you want to accept a packet
that either:
■
Satisfies at least one criterion specified in two or more tests (that is, ORs the
results of the tests), or
results of the tests), or
■
Satisfies all criteria specified in two or more tests (ANDs the results of the
tests)
tests)
The accept and reject instructions are used to implement sequential tests,
as shown in Figure 12-2. When using accept or reject, construct the packet
filter so that the tests more likely to be satisfied are performed before tests
that are less likely to be satisfied.
as shown in Figure 12-2. When using accept or reject, construct the packet
filter so that the tests more likely to be satisfied are performed before tests
that are less likely to be satisfied.
Figure 12-2 Accept and Reject Instructions
Accept
(Use for OR-ing tests)
Reject
(Use for AND-ing tests)
First test
Non-zero
result?
Accept packet
and terminate
test sequence
and terminate
test sequence
Next test
Yes
No
Reject packet
and terminate
test sequence
and terminate
test sequence
First test
Non-zero
result?
Next test
Yes
No