Provided by: filtergen_0.12.4-5ubuntu1_amd64 bug


       filter_backends - output drivers for the filtergen packet filter compiler


       This  document  describes  the status and feature-set of the currently available filtergen


       Most development  is  done  first  against  the  iptables  driver.   It  supports  reject,
       masquerading,  transparent  proxying,  logging  (with  text)  and sub-groups, all of which
       should work fine (though the latter has only recently been fixed).


       The ipchains driver supports all of the above features, too.   Its  state  model  is  much
       weaker  though,  of  course.   The  forwarding  support  should  work OK, though it is not
       possible to support "local"-only packets.


       The ipfilter backend is incomplete.  It supports accept, drop, reject and logging, but not
       masq,  transproxy or sub-groups.  It should be easy for someone with knowledge of ipfilter
       to add support for the other features.  Options for OpenBSD "pf" features and syntax would
       be  nice, too.  It has received no testing; I don't even know if the generated filters are
       syntactically correct.


       The cisco driver is in roughly the same sort of state as the ipfilter one.   Additionally,
       because  of  the  limitations of IOS ACLs, it supports only a limited set of features.  It
       cannot support reject or transparent proxying, and may not be able to support masquerading
       either.  An option for reflexive (stateful) ACLs would be very useful.

       I  understand  that  Cisco  PIX firewalls use a variant of this syntax -- it would be very
       nice to support them too.


       filtergen(8), filter_syntax(5)

                                         January 7, 2004                       FILTER BACKENDS(7)