Provided by: filtergen_0.12.8-1_amd64 
NAME
filter_backends - output drivers for the filtergen packet filter compiler
INTRODUCTION
This document describes the status and feature-set of the currently available filtergen backends.
IPTABLES, IP6TABLES
Most development is done first against the iptables driver. It supports reject, masquerading,
transparent proxying, logging (with text) and sub-groups, all of which should work fine (though the
latter has only recently been fixed).
The ip6tables driver is the IPv6 equivalent of the iptables driver.
IPTABLES-RESTORE, IP6TABLES-RESTORE
The iptables-restore driver supports all of the features of the iptables driver. It emits a ruleset that
is loaded atomically into Netfilter using iptables-restore.
The ip6tables-restore driver is the IPv6 equivalent of the iptables-restore driver.
IPCHAINS
The ipchains driver supports all of the above features, too. Its state model is much weaker though, of
course. The forwarding support should work OK, though it is not possible to support "local"-only
packets.
IPFILTER
The ipfilter backend is incomplete. It supports accept, drop, reject and logging, but not masq,
transproxy or sub-groups. It should be easy for someone with knowledge of ipfilter to add support for
the other features. Options for OpenBSD "pf" features and syntax would be nice, too. It has received no
testing; I don't even know if the generated filters are syntactically correct.
CISCO
The cisco driver is in roughly the same sort of state as the ipfilter one. Additionally, because of the
limitations of IOS ACLs, it supports only a limited set of features. It cannot support reject or
transparent proxying, and may not be able to support masquerading either. An option for reflexive
(stateful) ACLs would be very useful.
I understand that Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support
them too.
SEE ALSO
filtergen(8), filter_syntax(5)
January 7, 2004 FILTER BACKENDS(7)