Provided by: netscript-2.4_5.2.9ubuntu1_all

NAME

       netscript - netscript network configuration command

SYNOPSIS

       netscript start|stop|reload|restart
       netscript ifup|ifdown|ifqos|ifreload <interface-name>|all
       netscript compile [ -fhq ] [ -b max-backup-level ]
       netscript ipfilter load|clear|fairq|flush|reload|save
       netscript ipfilter usebackup [ backup-number ]
       netscript ipfilter exec <function-name1>|<function-name2> [chain p1 p2 ...]
       netscript ip6filter load|clear|fairq|flush|reload|save
       netscript ip6filter usebackup [ backup-number ]
       netscript ip6filter exec <function-name1>|<function-name2> [chain p1 p2 ...]

DESCRIPTION

       This   manual   page   documents   briefly   the  netscript  command  from  the  netscript
       router/firewall network configuration package.

       This command is used to configure/reconfigure the interface configuration, ipchains filter
       setup, and ip route service ( QoS ) setup that are configured in netscript's configuration
       files.  It can manipulate individual  interfaces,  and  reconfigure  the  iptables  filter
       contents and firewall setup, or reconfigure the QoS setup.

       It is rather incomplete, as it does not fully describe the finely tuned manipulations that
       happen due to netscript's design, which enables a Linux box to serve as a high availability
       heavy-duty mission-critical network router or firewall.

COMPILE CONFIGURATION MODE

       The   rules   can   be  compiled  and  automatically  loaded  on  boot  by   setting   the
       IPV4_CONFIGURE_SWITCH  switch  in network.conf(5) to the value of  the  function  used  to
       configure the kernel.  Net-compile(8) creates this function as 'Configure'.  If this
       switch is set, the netscript startup will run netscript-compile(8) to make sure everything
       is   up   to  date  and  load  the  rules  from /etc/netscript/ipfilter-defs.conf, and the
       relevant  settings  in network.conf(5) which  are used to establish  packet  grooming  and
       configure the built in kernel netfilter INPUT and FORWARD chains  in the  filter table. If
       compilation fails, the previous rule set is not replaced and it is used instead.

       A similar mode exists for IPv6, but it is not fully implemented yet.

IPTABLES CONFIGURATION MODE

       This configuration mode corresponds to the old method of doing it  using  iptables-save(8)
       and   iptables-restore(8).   This  is  the  default  for  operation,  and  occurs  if  the
       IPV4_CONFIGURE_SWITCH is not set in network.conf(5).

       This is the method still used by IPv6 as well.

OPTIONS

       start  Set up networking configuration by loading ipchains filters, setting up bridge,
              configuring interfaces and running any configured lower layer protocol daemons or
              commands. For use from a startup script.

       stop   Shut everything down. For use from a startup script.

       reload Refresh the setup of netscript, except for iptables, from the configuration files in
              /etc/netscript.

       restart|force-reload
              Stop everything and then start everything again. For use from a startup script.

       ifup <interface-name>|all
              Bring interface(s) up by starting any protocol daemons, and configuring
              interfaces.

       ifdown <interface-name>|all
              Shut down said interface(s) by doing the reverse of ifup.

       ifqos <interface-name>|all
              Reload QoS configuration for interface(s).

       ifreload <interface-name>|all
              Refresh the interface setup and implement any configuration changes.

       ifreset <interface-name>|all
              Shutdown and then restart interface(s), reloading configuration from lower layer up
              to the network layer.

       compile [ -fhq ] [ -b max-backup-level ]
              Compile  the  new  definitions in /etc/netscript/ipfilter-defs directory into a new
              set of functions in the /etc/netscript/ipfilter-defs-compiled.conf  file.  See  the
              netscript-compile(8) and ipfilter-defs(5) manpages for details.

       ipfilter load|reload
              Load/reload  the  IPv4  iptables filters and reconfigure the firewalling, from that
              saved in /etc/netscript/iptables (via  iptables-restore(8)  ),  and  the  QoS  fair
              queuing setup, or by executing the requisite configuration function from
              /etc/netscript/ipfilter-defs-compiled.conf if using ipfilter-defs(5) mode.

       ipfilter save
              Save the IPv4  iptables  configuration  to  /etc/netscript/iptables  via  iptables-
              save(8) , after backing it up to /etc/netscript/iptables.1 and cycling the previous
              backup files down through the configuration history.  This does  not  work  if  the
              IPv6 side of netscript is operating in ipfilter-defs(5) mode.

       ipfilter usebackup [ backup-number ]
              Restore    setup    from    the    IPv4    iptables   backup   configuration   from
              /etc/netscript/iptables.n  (  default  1  )  via  iptables-restore(8),  or  if  the
              ipfilter-defs(5)   backend   is   used,   the  requisite  backup  number  from  the
              /etc/netscript/ipfilter-defs.conf history files.

       ipfilter clear|flush
              Remove iptables and any  firewall  setup,  and  if  IPV4_FWDING_KERNEL  is  set  to
              FILTER_ON  (see  network.conf(5)  ),  disables  all  IPv4  packet forwarding on the
              router.  Very useful for debugging protocol problems on a firewall  by  enabling  a
              reasonably safe check to be made with the filtering down.

       ipfilter forward|fwd
              Turns  on  the IPv4 kernel forwarding switch manually.  This is irrespective of the
              setting of IPV4_FWDING_KERNEL (see network.conf(5) ). Use with caution as  it  will
              allow traffic through the box.

       ipfilter noforward|nofwd
              Turns  off the IPv4 kernel forwarding switch manually.  This is irrespective of the
              setting of IPV4_FWDING_KERNEL (see network.conf(5) ). Use with caution as  it  will
              cut off reachability.

       ipfilter fairq
              Reload  the  IPv4 fairq chain that marks the packets for the QoS interface transmit
              queues.

       ip6filter load|reload
              Load/reload the IPv6 iptables filters and reconfigure the firewalling, from that
              saved in /etc/netscript/ip6tables (via ip6tables-restore(8) ), and the QoS fair
              queuing setup, or by executing the requisite configuration function from
              /etc/netscript/ipfilter-defs-compiled.conf if using ipfilter-defs(5) mode.

       ip6filter save
              Save  the  IPv6  iptables  configuration  to /etc/netscript/iptables via ip6tables-
              save(8) , after  backing  it  up  to  /etc/netscript/ip6tables.1  and  cycling  the
              previous  backup  files down through the configuration history.  This does not work
              if the IPv6 side of netscript is operating in ipfilter-defs(5) mode.

       ip6filter usebackup [ backup-number ]
              Restore   setup   from   the    IPv6    iptables    backup    configuration    from
              /etc/netscript/ip6tables.n  (  default  1  )  via  ip6tables-restore(8),  or if the
              ipfilter-defs(5)  backend  is  used,  the  requisite   backup   number   from   the
              /etc/netscript/ipfilter-defs.conf history files.

       ip6filter clear|flush
              Remove  IPv6  iptables  setup,  and  if IPV6_FWDING_KERNEL is set to FILTER_ON (see
              network.conf(5) ), disables all IPv6 packet forwarding on the router.  Very  useful
              for  debugging  protocol problems on a firewall by enabling a reasonably safe check
              to be made with the filtering down.

       ip6filter forward|fwd
              Turns on the IPv6 kernel forwarding switch manually.  This is irrespective  of  the
              setting  of  IPV6_FWDING_KERNEL (see network.conf(5) ). Use with caution as it will
              allow traffic through the box.

       ip6filter noforward|nofwd
              Turns off the IPv6 kernel forwarding switch manually.  This is irrespective of  the
              setting  of  IPV6_FWDING_KERNEL (see network.conf(5) ). Use with caution as it will
              affect reachability.

       ip6filter fairq
              Reload the IPv6 fairq chain that marks the packets for the QoS  interface  transmit
              queues.
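
       The backup history that ipfilter save and ipfilter usebackup (and their ip6filter
       counterparts) describe, sketched as an added example; this is not netscript's own code.
       The names rotate_save, use_backup and MAX_BACKUPS, and the refusal to rotate on an empty
       dump, are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, NOT netscript's code: mimics the snapshot history
# described for "ipfilter save" and "ipfilter usebackup" on a plain file.
# Hypothetical names: rotate_save, use_backup, MAX_BACKUPS.

MAX_BACKUPS=${MAX_BACKUPS:-3}    # assumed history depth

# rotate_save FILE: read a new rule dump on stdin, keep FILE.1..FILE.N history.
rotate_save() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Stage the new dump first; refuse to rotate for an empty or failed dump,
    # so a broken save never pushes good snapshots out of the history.
    if ! cat >"$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    n=$MAX_BACKUPS
    while [ "$n" -gt 1 ]; do            # FILE.(n-1) -> FILE.n, oldest dropped
        prev=$((n - 1))
        [ -f "$file.$prev" ] && mv -f "$file.$prev" "$file.$n"
        n=$prev
    done
    [ -f "$file" ] && cp -p "$file" "$file.1"
    chmod 600 "$tmp"                    # rule sets reveal the filtering policy
    mv -f "$tmp" "$file"                # atomic replace within one directory
}

# use_backup FILE [N]: restore snapshot N (default 1) as the current file.
use_backup() {
    file=$1
    num=${2:-1}
    case $num in ''|*[!0-9]*) return 2 ;; esac   # digits only, no path tricks
    [ -s "$file.$num" ] || return 1
    cp -p "$file.$num" "$file"
}
```

       On a real router the dump fed to rotate_save would come from iptables-save(8), and the
       restored file would still have to be loaded with iptables-restore(8).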

FILES

       /etc/netscript/if.conf, /etc/netscript/ipfilter.conf,
       /etc/netscript/network.conf, /etc/netscript/qos.conf,
       /etc/netscript/ipfilter-defs.conf,
       /etc/netscript/ipfilter-defs-compiled.conf,
       /etc/netscript/ipfilter-defs directory,
       /etc/netscript/iptables, /etc/netscript/ip6tables,
       /etc/netscript/ipfilter-defs-compiled

SEE ALSO

       netscript-compile(8),  ipfilter-defs(5),  if.conf(5),  ipfilter.conf(5),  network.conf(5),
       qos.conf(5),   ip(8),   tc(8),   iptables(8),    iptables-restore(8),    iptables-save(8),
       ip6tables(8), ip6tables-restore(8), ip6tables-save(8), brcfg(8).

AUTHOR

       This  manual  page  was written by Matthew Grant <grantma@anathoth.gen.nz>, for the Debian
       GNU/Linux system (but may be used by others).

BUGS

       I wrote this manpage when I was half asleep...

                                         January 24, 2003                                  NET(8)