Provided by: filtergen_0.12.8-3_amd64

NAME

       filter_backends - output drivers for the filtergen packet filter compiler

INTRODUCTION

       This  document  describes  the status and feature-set of the currently available filtergen
       backends.

IPTABLES, IP6TABLES

       Most development is done first against the iptables driver.  It supports reject,
       masquerading, transparent proxying, logging (with text) and sub-groups, all of which
       should work fine (though sub-groups have only recently been fixed).

       The ip6tables driver is the IPv6 equivalent of the iptables driver.

IPTABLES-RESTORE, IP6TABLES-RESTORE

       The iptables-restore driver supports all of the features of the iptables driver. It  emits
       a ruleset that is loaded atomically into Netfilter using iptables-restore.

       The ip6tables-restore driver is the IPv6 equivalent of the iptables-restore driver.

IPCHAINS

       The  ipchains  driver  supports  all  of the above features, too.  Its state model is much
       weaker though, of course.  The forwarding  support  should  work  OK,  though  it  is  not
       possible to support "local"-only packets.

IPFILTER

       The ipfilter backend is incomplete.  It supports accept, drop, reject and logging, but not
       masq, transproxy or sub-groups.  It should be easy for someone with knowledge of  ipfilter
       to add support for the other features.  Options for OpenBSD "pf" features and syntax would
       be nice, too.  It has received no testing; I don't even know if the generated filters  are
       syntactically correct.

CISCO

       The  cisco driver is in roughly the same sort of state as the ipfilter one.  Additionally,
       because of the limitations of IOS ACLs, it supports only a limited set  of  features.   It
       cannot support reject or transparent proxying, and may not be able to support masquerading
       either.  An option for reflexive (stateful) ACLs would be very useful.

       I understand that Cisco PIX firewalls use a variant of this syntax --  it  would  be  very
       nice to support them too.

SEE ALSO

       filtergen(8), filter_syntax(5)

                                         January 7, 2004                       FILTER BACKENDS(7)