Provided by: filtergen_0.12.4-5.1ubuntu1_amd64

NAME

       filter_backends - output drivers for the filtergen packet filter compiler

INTRODUCTION

       This document describes the status and feature-set of the currently available filtergen backends.

IPTABLES

       Most development is done first against the iptables driver. It supports reject, masquerading,
       transparent proxying, logging (with text) and sub-groups, all of which should work fine (though
       sub-groups have only recently been fixed).

IPCHAINS

       The  ipchains  driver supports all of the above features, too.  Its state model is much weaker though, of
       course.  The forwarding support should work OK,  though  it  is  not  possible  to  support  "local"-only
       packets.

IPFILTER

       The  ipfilter  backend  is  incomplete.   It  supports  accept,  drop,  reject and logging, but not masq,
       transproxy or sub-groups.  It should be easy for someone with knowledge of ipfilter to  add  support  for
       the other features.  Options for OpenBSD "pf" features and syntax would be nice, too.  It has received no
       testing; I don't even know if the generated filters are syntactically correct.

CISCO

       The cisco driver is in roughly the same sort of state as the ipfilter one.  Additionally, because of  the
       limitations  of  IOS  ACLs,  it  supports  only  a  limited set of features.  It cannot support reject or
       transparent proxying, and may not be able to  support  masquerading  either.   An  option  for  reflexive
       (stateful) ACLs would be very useful.

       I  understand  that  Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support
       them too.

SEE ALSO

       filtergen(8), filter_syntax(5)

                                                 January 7, 2004                              FILTER BACKENDS(7)