trusty (7) filter_backends.7.gz

NAME

       filter_backends - output drivers for the filtergen packet filter compiler

INTRODUCTION

       This document describes the status and feature-set of the currently available filtergen backends.

IPTABLES

       Most  development  is  done  first  against  the  iptables  driver.   It  supports  reject, masquerading,
       transparent proxying, logging (with text) and sub-groups, all of  which  should  work  fine  (though  the
       latter has only recently been fixed).

IPCHAINS

       The  ipchains  driver supports all of the above features, too.  Its state model is much weaker though, of
       course.  The forwarding support should work OK,  though  it  is  not  possible  to  support  "local"-only
       packets.

IPFILTER

       The  ipfilter  backend  is  incomplete.   It  supports  accept,  drop,  reject and logging, but not masq,
       transproxy or sub-groups.  It should be easy for someone with knowledge of ipfilter to  add  support  for
       the other features.  Options for OpenBSD "pf" features and syntax would be nice, too.  It has received no
       testing; I don't even know if the generated filters are syntactically correct.

CISCO

       The cisco driver is in roughly the same sort of state as the ipfilter one.  Additionally, because of  the
       limitations  of  IOS  ACLs,  it  supports  only  a  limited set of features.  It cannot support reject or
       transparent proxying, and may not be able to  support  masquerading  either.   An  option  for  reflexive
       (stateful) ACLs would be very useful.

       I  understand  that  Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support
       them too.

SEE ALSO

       filtergen(8), filter_syntax(5)

                                                 January 7, 2004                              FILTER BACKENDS(7)