IP-Filter does not support rules with multiple values for an address, a port or an interface. Isba supports them for ipf rules, and for nat rules in certain cases: at compile time, a rule with multiple values is unfolded into as many `sub-rules' as necessary to match IP-Filter's syntax.
For example, if the object addr-group contains, say, three addresses addr1, addr2 and addr3, the following rule:

(1) pass in quick from addr-group to any

... means: "a packet coming from an address of addr-group, to any, will pass immediately".

It is equivalent to saying successively:

"a packet coming from addr1 to any will pass immediately";
"a packet coming from addr2 to any will pass immediately";
"a packet coming from addr3 to any will pass immediately".

So at compile time, rule (1) is unfolded into three IP-Filter plain rules:

(1.1) pass in quick from addr1 to any
(1.2) pass in quick from addr2 to any
(1.3) pass in quick from addr3 to any

When a head rule has multiple values for address, port or interface, the user-specified group must be duplicated into as many groups as there are `sub-rules' for this rule. The duplicated groups are numbered by adding a multiple of 1000 to the user-defined group number: the k-th sub-rule of the head rule of group 25 heads group 25 + 1000*k.

Say rule 2 has two interfaces and five source addresses, and is the head rule of group 25:

(2) block in on i1|i2 from a1|a2|a3|a4|a5 head 25

Rule (2) means: "All packets coming on interface i1 or i2, from address a1, a2, a3, a4 or a5, are blocked so far. Now let's check the rules of group 25".

It is equivalent to saying successively:

"All packets coming on interface i1 from address a1 are blocked so far. Now let's check the rules of group 1025", and then duplicate all group 25 rules into a new group 1025;
"All packets coming on interface i1 from address a2 are blocked so far. Now let's check the rules of group 2025", and then duplicate all group 25 rules into a new group 2025;
...
"All packets coming on interface i2 from address a5 are blocked so far. Now let's check the rules of group 10025", and then duplicate all group 25 rules into a new group 10025.

That is to say rule (2) is equivalent to 10 IP-Filter plain rules:

(2.1) block in on i1 from a1 head 1025
(2.2) block in on i1 from a2 head 2025
(2.3) block in on i1 from a3 head 3025
(2.4) block in on i1 from a4 head 4025
(2.5) block in on i1 from a5 head 5025
(2.6) block in on i2 from a1 head 6025
(2.7) block in on i2 from a2 head 7025
(2.8) block in on i2 from a3 head 8025
(2.9) block in on i2 from a4 head 9025
(2.10) block in on i2 from a5 head 10025

So, when a head rule is unfolded, new group numbers are generated, and all subsequent rules belonging to that head rule's group are duplicated into the created sub-groups.

Since an ipfilter group number must stay below 65535, each head rule can be unfolded at most 64 times (25 + 64*1000 = 64025 still fits; a 65th sub-group would not).

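The unfolding and group renumbering described above, as an added example in Python. This is not Isba's own code: the rule dictionaries, the field names and the helper names are this example's assumptions; the 1000-per-sub-rule step and the 64-unfold limit are taken from the guide's figures.

```python
# Added example (not Isba's own code): unfold isba-style rules whose fields carry
# several values into IP-Filter plain rules, renumbering groups the way the guide
# describes. The rule model (dicts with the keys used below) is an assumption of
# this example; the group arithmetic mirrors the guide's 25 -> 1025 ... 10025 case.
from itertools import product

SUBGROUP_STEP = 1000   # assumed from the guide's example: group 25 becomes 1025, 2025, ...
MAX_GROUP = 65535      # ipfilter group numbers must stay below this
MAX_UNFOLD = 64        # so a head rule can be unfolded at most 64 times

# Fields that may hold several values; listed interface-major, like the guide's
# example (i1 with a1..a5 first, then i2 with a1..a5).
MULTI_FIELDS = ("on", "from", "from_port", "to", "to_port")


def _values(rule, field):
    v = rule.get(field)
    return [None] if v is None else list(v)


def combos(rule):
    """One tuple (iface, src, src_port, dst, dst_port) per future sub-rule."""
    return list(product(*(_values(rule, f) for f in MULTI_FIELDS)))


def subgroups(head, n):
    """Group numbers for the n sub-rules of a head rule: head + 1000*k, k = 1..n."""
    if n > MAX_UNFOLD:
        raise ValueError(f"head {head}: {n} sub-rules, but at most {MAX_UNFOLD} are allowed")
    nums = [head + SUBGROUP_STEP * k for k in range(1, n + 1)]
    if nums[-1] > MAX_GROUP:
        raise ValueError(f"head {head}: sub-group {nums[-1]} exceeds {MAX_GROUP}")
    return nums


def render(rule, combo, head=None, group=None):
    """Write one IP-Filter plain rule in ipf.conf keyword order."""
    iface, src, sport, dst, dport = combo
    parts = [rule["action"], rule["dir"]]
    if rule.get("quick"):
        parts.append("quick")
    if iface is not None:
        parts += ["on", iface]
    if rule.get("proto"):
        parts += ["proto", rule["proto"]]
    parts += ["from", src]
    if sport is not None:
        parts += ["port", "=", str(sport)]
    parts += ["to", dst]
    if dport is not None:
        parts += ["port", "=", str(dport)]
    if head is not None:
        parts += ["head", str(head)]
    if group is not None:
        parts += ["group", str(group)]
    return " ".join(parts)


def unfold(rules):
    """Compile a list of isba rules (in order) into IP-Filter plain rules."""
    duplicated = {}   # user group number -> the sub-groups it was duplicated into
    out = []
    for rule in rules:
        cs = combos(rule)
        head = rule.get("head")
        heads = [None] * len(cs)
        if head is not None:
            heads = subgroups(head, len(cs)) if len(cs) > 1 else [head]
            duplicated[head] = heads
        # A member of a duplicated group is emitted once per sub-group.
        groups = duplicated.get(rule.get("group"), [rule.get("group")])
        if head is not None and len(groups) > 1:
            raise NotImplementedError("nested head rule inside a duplicated group")
        for g in groups:
            for c, h in zip(cs, heads):
                out.append(render(rule, c, head=h, group=g))
    return out


# Constructed input: the guide's rule (2) followed by one rule belonging to group 25.
RULES = [
    {"action": "block", "dir": "in", "on": ["i1", "i2"],
     "from": ["a1", "a2", "a3", "a4", "a5"], "to": ["any"], "head": 25},
    {"action": "pass", "dir": "in", "quick": True, "proto": "tcp",
     "from": ["any"], "to": ["any"], "to_port": [22, 80], "group": 25},
]

if __name__ == "__main__":
    for line in unfold(RULES):
        print(line)
```

Running it on the constructed input gives the ten head rules (2.1) to (2.10) followed by 20 member rules: the single `group 25` rule with two ports becomes two rules in each of the ten sub-groups. That multiplicative growth is why the 64-unfold limit matters in practice. A head rule that is itself a member of a duplicated group is rejected here, because each copy would need its own set of sub-groups, a case the guide does not describe.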
Isba works on sets of hosts and nets, possibly negated, that is to say sets of "x.y.z.t/n" and "!x.y.z.t/n" nets, with 0 <= n <= 32.

At compilation time, if a group contains two nets, one of which is included in the other, the smaller net is ignored (it generates no ipfilter rule). For example, suppose group nets-G contains 10.0.0.0/8, 192.168.0.0/16 and 10.0.1.0/24: the last net is included in the first one, so the isba rule:

(3) block in from nets-G to any

will be compiled into only two rules:

(3.1) block in from 10.0.0.0/8 to any
(3.2) block in from 192.168.0.0/16 to any

and the 10.0.1.0/24 net will be ignored. If a host/net group contains "positive" nets and negated nets, the positive nets are merged together, then the negated nets are merged together.

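The inclusion check and the positive/negated split, as an added Python example using the standard ipaddress module. This is not Isba's code: the member string format ("10.0.1.0/24", "192.168.1.7", "!10.0.0.0/8") and the function names are assumptions of this example.

```python
# Added example (not Isba's own code): the host/net group compilation described
# above, done with Python's ipaddress module. Group members are strings such as
# "10.0.1.0/24", "192.168.1.7" or "!10.0.0.0/8"; that input format, and the
# function names, are assumptions of this example.
import ipaddress


def parse_net(member):
    """'!10.0.0.0/8' -> (True, IPv4Network('10.0.0.0/8')); a bare host becomes a /32."""
    negated = member.startswith("!")
    return negated, ipaddress.ip_network(member.lstrip("!"), strict=False)


def prune_included(nets):
    """Keep only nets not included in another net of the same list (duplicates collapse)."""
    nets = list(dict.fromkeys(nets))          # drop exact duplicates, keep order
    kept = []
    for net in nets:
        covered = any(other != net and other.version == net.version
                      and net.subnet_of(other) for other in nets)
        if not covered:
            kept.append(net)
    return kept


def fmt(net):
    """ipf spelling: a /32 (or /128) is written as a plain host address."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def compile_group(members):
    """Positive nets are merged among themselves, then negated nets among themselves."""
    parsed = [parse_net(m) for m in members]
    positives = prune_included([n for neg, n in parsed if not neg])
    negatives = prune_included([n for neg, n in parsed if neg])
    return [fmt(n) for n in positives] + ["!" + fmt(n) for n in negatives]


def compile_rule(action, direction, src_group, dst="any"):
    """One ipf rule per surviving source net, as in rule (3) -> (3.1), (3.2)."""
    return [f"{action} {direction} from {src} to {dst}" for src in compile_group(src_group)]


# Constructed input: the guide's nets-G group, plus a mixed group with a negated pair.
NETS_G = ["10.0.0.0/8", "192.168.0.0/16", "10.0.1.0/24"]
MIXED = ["!10.0.0.0/8", "172.16.5.0/24", "!10.0.1.0/24", "172.16.0.0/12", "172.16.5.0/24"]

if __name__ == "__main__":
    for line in compile_rule("block", "in", NETS_G):
        print(line)
    print(compile_group(MIXED))
```

Dropping the included net changes nothing, because every sub-rule compiled from the same isba rule carries the same action and the larger net already matches those packets. The check runs within each sign only, exactly as the text says: a positive net sitting inside a negated net (10.0.1.0/24 next to !10.0.0.0/8) is kept, since the two produce separate sub-rules with different meanings. Nets of different IP versions are never compared.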
Some IP-Filter keywords are not yet supported by isba standard rules:

Isba also introduces some minor differences to enhance readability:

Isba User's Guide - last modified on 09-Jan-2002 22:48 MET - Copyright (c) 2001