Filter rules, Actions – Verilink 8100A (34-00237) Product Manual User Manual


D-8

8000 Series

opttype   = "ipopts" | "short" | "frag" | "opt" ipopts .
optname   = ipopts [ "," optname ] .
ipopts    = optlist | "sec-class" [ secname ] .
secname   = seclvl [ "," secname ] .
seclvl    = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
            "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" | "timex" |
            "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" |
            "maskreq" | "maskrep" | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
            "need-frag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
            "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
optlist   = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
            "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
            "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare   = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
            "le" | "ge" .
range     = "<>" | "><" .
hexdigit  = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit     = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag      = "F" | "S" | "R" | "P" | "A" | "U" .

This syntax is somewhat simplified for readability; some combinations that
match this grammar are rejected by the software because they do not make
sense (such as TCP flags in a rule for a non-TCP protocol).
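As an added illustration (not code from this manual or from IPFilter), the following Python checks individual tokens against the terminal productions above and applies the one disallowed combination the text names. The numeric values attached to the ICMP names are the standard RFC 792 type and code numbers, which the grammar itself does not list; everything else is transcribed from the productions.

```python
import re

# Terminal sets transcribed from the grammar above. The numbers attached to
# the ICMP names are the standard RFC 792 type/code values (added here; the
# manual's grammar lists only the names).
ICMP_TYPES = {
    "echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "echo": 8,
    "timex": 11, "paramprob": 12, "timest": 13, "timestrep": 14,
    "inforeq": 15, "inforep": 16, "maskreq": 17, "maskrep": 18,
}
UNREACH_CODES = {  # codes of ICMP type 3 (destination unreachable)
    "net-unr": 0, "host-unr": 1, "proto-unr": 2, "port-unr": 3,
    "need-frag": 4, "srcfail": 5, "net-unk": 6, "host-unk": 7, "isolate": 8,
    "net-prohib": 9, "host-prohib": 10, "net-tos": 11, "host-tos": 12,
}
OPTLIST = {"nop", "rr", "zsu", "mtup", "mtur", "encode", "ts", "tr", "sec",
           "lsrr", "e-sec", "cipso", "satid", "ssrr", "addext", "visa",
           "imitd", "eip", "finn"}
SECLVL = {"unclass", "confid", "reserv-1", "reserv-2", "reserv-3",
          "reserv-4", "secret", "topsecret"}
COMPARE = {"=": "eq", "!=": "ne", "<": "lt", ">": "gt", "<=": "le",
           ">=": "ge", "eq": "eq", "ne": "ne", "lt": "lt", "gt": "gt",
           "le": "le", "ge": "ge"}
FLAGS = "FSRPAU"

class GrammarError(ValueError):
    """A token does not match the production it was parsed as."""

def parse_decnumber(tok):
    """decnumber = digit [ decnumber ]"""
    if not re.fullmatch(r"[0-9]+", tok):
        raise GrammarError(f"not a decnumber: {tok!r}")
    return int(tok, 10)

def parse_icmp_type(tok):
    """icmp-type: a listed name or a decnumber; returns the ICMP type number."""
    if tok in ICMP_TYPES:
        return ICMP_TYPES[tok]
    n = parse_decnumber(tok)
    if n > 255:
        raise GrammarError(f"icmp-type out of range: {n}")
    return n

def parse_icmp_code(tok, icmp_type):
    """icmp-code: the symbolic names only belong to type 3 (unreach)."""
    if tok in UNREACH_CODES:
        if icmp_type != ICMP_TYPES["unreach"]:
            raise GrammarError(f"{tok!r} is only valid with icmp-type unreach")
        return UNREACH_CODES[tok]
    n = parse_decnumber(tok)
    if n > 255:
        raise GrammarError(f"icmp-code out of range: {n}")
    return n

def parse_compare(tok):
    """compare: symbolic and word spellings normalised to the word form."""
    if tok not in COMPARE:
        raise GrammarError(f"not a compare operator: {tok!r}")
    return COMPARE[tok]

def parse_flags(tok):
    """flag letters F S R P A U; rejects unknown or repeated letters."""
    seen = set()
    for ch in tok:
        if ch not in FLAGS or ch in seen:
            raise GrammarError(f"bad tcp flag spec: {tok!r}")
        seen.add(ch)
    if not seen:
        raise GrammarError("empty flag spec")
    return frozenset(seen)

def parse_optlist(text):
    """optname = ipopts [ "," optname ] with each ipopts drawn from optlist."""
    names = text.split(",")
    bad = [n for n in names if n not in OPTLIST]
    if bad:
        raise GrammarError(f"unknown ip option(s): {bad}")
    return names

def parse_secname(text):
    """secname = seclvl [ "," secname ] (the argument of sec-class)."""
    levels = text.split(",")
    bad = [lvl for lvl in levels if lvl not in SECLVL]
    if bad:
        raise GrammarError(f"unknown security level(s): {bad}")
    return levels

def flags_allowed_for_proto(proto, flags):
    """The combination the text calls out: tcp flags make sense only for tcp."""
    return not flags or proto == "tcp"

def accepts(fn, *args):
    """True if fn(*args) parses cleanly; handy when linting a rule file."""
    try:
        fn(*args)
        return True
    except GrammarError:
        return False
```

The checks are deliberately stricter than the grammar where the grammar alone would accept nonsense: an unreachable-code name with an echo type, a repeated flag letter, or a number above 255 all pass the productions but cannot be expressed on the wire, so a linter built on these functions rejects them before they reach the filter.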

Filter Rules

The briefest valid rules are (currently) no-ops and have the form:

block in all

pass in all

Filter rules are checked in order, with the last matching rule determining the
fate of the packet (for the exception, see the quick option below).
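The ordering rule is easy to get backwards, so here is an added example (not code from this manual or from IPFilter) that parses the minimal rule form shown above, with in/out and an optional quick keyword, and evaluates a rule list over a packet direction. It assumes the standard IPFilter meaning of quick (a matching quick rule ends the scan) and that a packet matched by no rule is passed, which is IPFilter's default; the rule sets at the bottom are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str       # "block" or "pass"
    direction: str    # "in" or "out"
    quick: bool = False

def parse_rule(text):
    """Parse the minimal rule form this section shows: ACTION DIRECTION [quick] all.

    Only the keywords the text introduces are accepted; anything else is an error,
    which also enforces the rule that every rule must carry an action.
    """
    toks = text.split()
    if len(toks) < 3:
        raise ValueError(f"rule too short: {text!r}")
    action, direction, rest = toks[0], toks[1], toks[2:]
    if action not in ("block", "pass"):
        raise ValueError(f"unknown action {action!r}; every rule needs block or pass")
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be in or out, got {direction!r}")
    quick = rest[:1] == ["quick"]
    if quick:
        rest = rest[1:]
    if rest != ["all"]:
        raise ValueError(f"unsupported match clause {' '.join(rest)!r}")
    return Rule(action, direction, quick)

def matches(rule, direction):
    """'all' matches every packet, so direction is the only selector here."""
    return rule.direction == direction

def evaluate(rules, direction, default="pass"):
    """Return the action applied to a packet travelling in `direction`.

    Rules are scanned top to bottom and each match overwrites the result, so
    the last matching rule wins. A matching rule marked quick stops the scan
    (assumption: the standard IPFilter meaning of quick). `default` is the
    result when nothing matches (assumed pass, IPFilter's default).
    """
    result = default
    for rule in rules:
        if matches(rule, direction):
            result = rule.action
            if rule.quick:
                break
    return result

def decide(rule_lines, direction, default="pass"):
    """Parse a list of rule lines and evaluate it for one packet direction."""
    return evaluate([parse_rule(line) for line in rule_lines], direction, default)

# Constructed sample rule sets showing why order matters.
LAST_WINS = ["block in all", "pass in all"]           # last match: pass
REVERSED = ["pass in all", "block in all"]            # last match: block
QUICK_FIRST = ["block in quick all", "pass in all"]   # quick stops at block

if __name__ == "__main__":
    for rules in (LAST_WINS, REVERSED, QUICK_FIRST):
        print(rules, "->", decide(rules, "in"))
```

The practical consequence: a rule file that opens with `block in all` as a safety net and lists its `pass` rules afterwards does exactly what the author intends under last-match semantics, whereas the same file with the block placed last silently drops everything.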

Actions

The action indicates what to do with the packet if it matches the rest of the
filter rule. Each rule MUST have an action. The following actions are
recognized:

block

flags the packet to be dropped.

pass

flags the packet to be let through the filter.

The next word must be either in or out. Each packet moving through the
system is either inbound (just received on an interface) or outbound
(transmitted or forwarded by the stack and on its way to an interface). There
