Options, Matching parameters – Verilink 8100A (34-00237) Product Manual User Manual


Applications Notes

D-9

is a requirement that each filter rule explicitly state which side of the I/O it is to be used on.

Options

The list of options is brief. Where options are used, they must be present in the order shown here. These are the currently supported options:

quick

allows "short-cut" rules in order to speed up the filter or override later rules. If a packet matches a filter rule which is marked as quick, this rule will be the last rule checked, allowing a "short-circuit" path to avoid processing later rules for this packet. The current status of the packet (after any effects of the current rule) will determine whether it is passed or blocked. If this option is missing, the rule is taken to be a "fall-through" rule, meaning that the result of the match (block/pass) is saved and that processing will continue to see if there are any more matches.

on

allows an interface name to be incorporated into the matching procedure. If this option is used, the rule will only match if the packet is going through that interface in the specified direction (in/out). If this option is absent, the rule is taken to be applied to a packet regardless of the interface it is present on (i.e. on all interfaces). Filter rulesets are common to all interfaces, rather than having a filter list for each interface.

The on option is especially useful for simple IP-spoofing protection: packets should only be allowed to pass inbound on the interface from which the specified source address would be expected; others may be logged and/or dropped.

Matching Parameters

The keywords described in this section describe attributes of the packet that are used when determining whether a rule matches or does not match. The following general-purpose attributes are provided for matching, and must be used in this order:

tos

packets with different Type-Of-Service values can be filtered. Individual service levels or combinations can be filtered upon. The value for the TOS mask can either be represented as a hex number or a decimal integer value.

ttl

packets may also be selected by their Time-To-Live value. The value given in the filter rule must exactly match that in the packet for a match to occur. This value can only be given as a decimal integer value.

proto

allows a specific protocol to be matched against. Protocol names may be used. However, the protocol may also be given as a DECIMAL number, allowing for rules to match your own protocols, or new ones which would out-date any attempted listing.
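As an added example (not code from the Verilink manual), the following Python evaluator implements the quick/fall-through and on semantics from the Options section together with the tos, ttl and proto matches above, and applies them to the kind of anti-spoofing ruleset the Options section suggests. The Rule and Packet field names, the default "pass" verdict when no rule matches, and equality matching of the tos value are assumptions of this example.

```python
# Added example, not from the Verilink manual: a small evaluator for the rule semantics
# above (quick vs fall-through, on <iface>, tos, ttl, proto). Field names, the
# default-pass policy and equality matching of the tos value are assumptions.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Union
import ipaddress
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}   # a name or a raw decimal number is accepted

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    quick: bool = False          # stop processing after this rule if it matches
    on: Optional[str] = None     # interface name; None = applies on all interfaces
    proto: Union[str, int, None] = None
    tos: Optional[int] = None    # compared for equality with the packet's TOS byte
    ttl: Optional[int] = None    # must exactly match the packet's TTL
    src: Optional[ipaddress.IPv4Network] = None   # source prefix, for the spoofing check

Packet = namedtuple("Packet", "iface direction proto src tos ttl", defaults=(0, 64))

def matches(rule: Rule, pkt: Packet) -> bool:
    proto = PROTO_NAMES[rule.proto] if isinstance(rule.proto, str) else rule.proto
    return (rule.direction == pkt.direction
            and (rule.on is None or rule.on == pkt.iface)
            and (proto is None or proto == pkt.proto)
            and (rule.tos is None or rule.tos == pkt.tos)
            and (rule.ttl is None or rule.ttl == pkt.ttl)
            and (rule.src is None or pkt.src in rule.src))

def evaluate(rules, pkt: Packet, default: str = "pass") -> str:
    # Fall-through: the last matching rule decides, unless a match is marked quick.
    result = default
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result

# Constructed ruleset: private sources must never arrive inbound on "wan" (spoofing guard).
RULES = [
    Rule("block", "in", quick=True, on="wan", src=ipaddress.ip_network("10.0.0.0/8")),
    Rule("block", "in", on="wan"),               # fall-through default for wan
    Rule("pass", "in", on="wan", proto="tcp"),   # later match overrides the block above
    Rule("block", "in", proto="icmp", ttl=1),    # exact TTL match, on any interface
]

def decide(iface: str, proto: int, src: str, ttl: int = 64) -> str:
    return evaluate(RULES, Packet(iface, "in", proto, ipaddress.ip_address(src), ttl=ttl))
```

Because the ruleset is shared by all interfaces, the same 10.0.0.0/8 source is blocked on wan by the quick rule but falls through to the default verdict on lan, which is exactly the asymmetry the on option is meant to express.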
