Skip to content

IPFilter

Jump to bottom Edit New page
Tom Barbette edited this page May 7, 2020 · 3 revisions

IPFilter Element Documentation

NAME

IPFilter — Click element; filters IP packets by contents

SYNOPSIS

IPFilter([CACHING,] ACTION_1 PATTERN_1, ..., ACTION_N PATTERN_N)

Batching: Batching natively supported
Ports: 1 input, any number of outputs
Processing: push

DESCRIPTION

Filters IP packets. IPFilter can have an arbitrary number of filters, which are ACTION-PATTERN pairs. The ACTIONs describe what to do with packets, while the PATTERNs are tcpdump-like patterns; see IPClassifier for a description of their syntax. Packets are tested against the filters in order, and are processed according to the ACTION in the first filter that matched.

Each ACTION is either a port number, which specifies that the packet should be sent out on that port; 'allow', which is equivalent to '0'; or 'drop' , which means drop the packet. You can also say 'deny' instead of 'drop'.

One can load rules from a file with the "file" ACTION and the path as PATTERN. E.g., where firewall.rules is a file with one rule per line following the ACTION-PATTERN described above:

  IPFilter(file firewall.rules);

The IPFilter element has an arbitrary number of outputs. Input packets must have their IP header annotation set; CheckIPHeader and MarkIPHeader do this.

Arguments:

  • CACHING — Boolean. Enables or disables caching. Defaults to false (i.e., no caching).

NOTES

Every IPFilter element has an equivalent corresponding IPClassifier element and vice versa. Use the element whose syntax is more convenient for your needs.

EXAMPLES

This large IPFilter implements the incoming packet filtering rules for the "Interior router" described on pp691-692 of Building Internet Firewalls, Second Edition (Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, O'Reilly and Associates, 2000). The captialized words (INTERNALNET, BASTION, etc.) are addresses that have been registered with AddressInfo. The rule FTP-7 has a port range that cannot be implemented with IPFilter.

  IPFilter(// Spoof-1:
           deny src INTERNALNET,
           // HTTP-2:
           allow src BASTION && dst INTERNALNET
              && tcp && src port www && dst port > 1023 && ack,
           // Telnet-2:
           allow dst INTERNALNET
              && tcp && src port 23 && dst port > 1023 && ack,
           // SSH-2:
           allow dst INTERNALNET && tcp && src port 22 && ack,
           // SSH-3:
           allow dst INTERNALNET && tcp && dst port 22,
           // FTP-2:
           allow dst INTERNALNET
              && tcp && src port 21 && dst port > 1023 && ack,
           // FTP-4:
           allow dst INTERNALNET
              && tcp && src port > 1023 && dst port > 1023 && ack,
           // FTP-6:
           allow src BASTION && dst INTERNALNET
              && tcp && src port 21 && dst port > 1023 && ack,
           // FTP-7 omitted
           // FTP-8:
           allow src BASTION && dst INTERNALNET
              && tcp && src port > 1023 && dst port > 1023,
           // SMTP-2:
           allow src BASTION && dst INTERNAL_SMTP
              && tcp && src port 25 && dst port > 1023 && ack,
           // SMTP-3:
           allow src BASTION && dst INTERNAL_SMTP
              && tcp && src port > 1023 && dst port 25,
           // NNTP-2:
           allow src NNTP_FEED && dst INTERNAL_NNTP
              && tcp && src port 119 && dst port > 1023 && ack,
           // NNTP-3:
           allow src NNTP_FEED && dst INTERNAL_NNTP
              && tcp && src port > 1023 && dst port 119,
           // DNS-2:
           allow src BASTION && dst INTERNAL_DNS
              && udp && src port 53 && dst port 53,
           // DNS-4:
           allow src BASTION && dst INTERNAL_DNS
              && tcp && src port 53 && dst port > 1023 && ack,
           // DNS-5:
           allow src BASTION && dst INTERNAL_DNS
              && tcp && src port > 1023 && dst port 53,
           // Default-2:
           deny all);

ELEMENT HANDLERS

  • program (read-only) — Returns a human-readable definition of the program the IPFilter element is using to classify packets. At each step in the program, four bytes of packet data are ANDed with a mask and compared against four bytes of classifier pattern.
  • cache_hits_count (read-only) — If CACHING is enabled, the IPFilter element stores the last rule in a cache. This handler returns the number of cache hits (i.e., number of input packets that matched directly the cached rule, thereby did not have to traverse the classification tree). If CACHING is disabled, this handler returns -1.
  • cache_misses_count (read-only) — If CACHING is enabled, the IPFilter element stores the last rule in a cache. This handler returns the number of cache misses (i.e., number of input packets that did not match the cached rule, thereby had to traverse the classification tree). If CACHING is disabled, this handler returns -1.
  • cache_total_count (read-only) — If CACHING is enabled, the IPFilter element stores the last rule in a cache. This handler returns the number of total accesses in the cache (i.e., the summary of hits and misses). If CACHING is disabled, this handler returns -1.
  • cache_hits_ratio (read-only) — If CACHING is enabled, the IPFilter element stores the last rule in a cache. This handler returns the ratio of cache hits over the total number of accesses in the cache. This ratio ranges in [0, 100]. If CACHING is disabled, this handler returns -1.
  • cache_misses_ratio (read-only) — If CACHING is enabled, the IPFilter element stores the last rule in a cache. This handler returns the ratio of cache misses over the total number of accesses in the cache. This ratio ranges in [0, 100]. If CACHING is disabled, this handler returns -1.

SEE ALSO

IPClassifier, Classifier, CheckIPHeader, MarkIPHeader, CheckIPHeader2, AddressInfo, tcpdump

Generated by click-elem2man from ../elements/ip/ipfilter.hh:9 on 2020/05/07.

Add a custom footer
Clone this wiki locally