12. Internals

Rule compilation: "unfolding"

Contents

Rule "unfolding"
Head rule unfolding
IP addresses merging
Unsupported IP-Filter keywords

IP-Filter doesn't support rules with multiple values for address, port or interface. Isba supports it for ipf rules, and for nat rules in certain cases: at compile time, rules with multiple values are unfolded into as many `sub-rules' as necessary to match IP-Filter's syntax.

For example, if the object addr-group contains, say, three addresses addr1, addr2 and addr3, the following rule created with isba ...

(1) pass in quick from addr-group to any

... means: "a packet coming from an address of addr-group, to any will pass immediately".

It is equivalent to saying successively:

"a packet coming from addr1 to any will pass immediately";
"a packet coming from addr2 to any will pass immediately";
"a packet coming from addr3 to any will pass immediately".

So at compile time, rule (1) is unfolded into three IP-Filter plain rules:

(1.1) pass in quick from addr1 to any
(1.2) pass in quick from addr2 to any
(1.3) pass in quick from addr3 to any

Head rules unfolding

When a head rule has multiple values for address, port or interface, the user-specified group must be duplicated into as many groups as there are `sub-rules' for this rule. Each duplicated group's number is the sum of the user-defined group number and a `duplication serial number' placed on the thousands and tens-of-thousands digits. So in isba, user-defined group numbers must be less than 1000.

Say rule 2 has two interfaces and five source addresses, and is the head rule of group 25:

(2) block in on i1|i2 from a1|a2|a3|a4|a5 head 25

Rule (2) means: "All packets coming on interface i1 or i2, from address a1, a2, a3, a4 or a5, are blocked so far. Now let's check the rules of group 25".

It is equivalent to saying successively:

"All packets coming on interface i1 from address a1 are blocked so far. Now let's check the rules of group 1025" and then duplicate all group 25 rules to a new group 1025;

"All packets coming on interface i1 from address a2 are blocked so far. Now let's check the rules of group 2025" and then duplicate all group 25 rules to a new group 2025;

...

"All packets coming on interface i2 from address a5 are blocked so far. Now let's check the rules of group 10025" and then duplicate all group 25 rules to a new group 10025.

That is to say, rule (2) is equivalent to 10 IP-Filter plain rules:

(2.1) block in on i1 from a1 head 1025
(2.2) block in on i1 from a2 head 2025
(2.3) block in on i1 from a3 head 3025
(2.4) block in on i1 from a4 head 4025
...
(2.8) block in on i2 from a3 head 8025
(2.9) block in on i2 from a4 head 9025
(2.10) block in on i2 from a5 head 10025

Now, when a head rule is unfolded, new group numbers are generated, and all subsequent rules belonging to that head rule's group are duplicated into each of the created sub-groups.

Warning: because of the unfolding process, there shouldn't be any head and group numbers in verbatim rules. Such numbers wouldn't be synchronized with the generated head numbers.

Since the final IP-Filter group number must be less than 65535, each head rule can be unfolded at most 64 times.
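The unfolding described above (the combination of every value of each multi-valued field, serial-numbered sub-groups, and the two limits on user group numbers and unfold count), as an added Python example that is not Isba's own code; the rule dictionary layout, the `unfold` and `duplicate_group_rules` names and the sample member rule are constructed for illustration:

```python
import re
from itertools import product

SERIAL_STEP = 1000      # the duplication serial goes on the thousands digits
MAX_USER_GROUP = 1000   # so user-defined group numbers must stay below 1000
MAX_UNFOLD = 64         # 64 * 1000 + 999 still stays below IP-Filter's 65535

def unfold(rule):
    """Unfold one multi-valued Isba rule into IP-Filter plain sub-rules.

    `rule` is a constructed dict, not Isba's own data model: "action" is the
    rule text up to the address part, "on"/"from"/"to" are optional lists of
    values (interfaces, addresses), "head" an optional user group number.
    Returns (sub_rules, new_groups): the plain rule strings and the generated
    group numbers into which the original group's rules must be duplicated.
    """
    fields = [key for key in ("on", "from", "to") if rule.get(key)]
    combos = list(product(*(rule[key] for key in fields)))
    head = rule.get("head")
    if head is not None:
        if head >= MAX_USER_GROUP:
            raise ValueError(f"user group {head} must be below {MAX_USER_GROUP}")
        if len(combos) > MAX_UNFOLD:
            raise ValueError(f"head rule unfolds {len(combos)} times, limit is {MAX_UNFOLD}")
    sub_rules, new_groups = [], []
    for serial, values in enumerate(combos, start=1):
        parts = [rule["action"]]
        parts += [f"{key} {value}" for key, value in zip(fields, values)]
        if head is not None:
            group = serial * SERIAL_STEP + head   # group 25 -> 1025, 2025, ...
            new_groups.append(group)
            parts.append(f"head {group}")
        sub_rules.append(" ".join(parts))
    return sub_rules, new_groups

def duplicate_group_rules(member_rules, old_group, new_groups):
    """Copy every rule of `group old_group` once into each generated sub-group."""
    pattern = re.compile(rf"\bgroup {old_group}\b")   # whole number only
    return [pattern.sub(f"group {group}", rule)
            for group in new_groups for rule in member_rules]

if __name__ == "__main__":
    # Rule (2) of the text: two interfaces, five source addresses, head 25.
    rule2 = {"action": "block in", "on": ["i1", "i2"],
             "from": ["a1", "a2", "a3", "a4", "a5"], "head": 25}
    subs, groups = unfold(rule2)
    for line in subs:
        print(line)   # block in on i1 from a1 head 1025 ... head 10025
    members = ["pass in proto tcp from any to any port = 22 group 25"]  # constructed
    print(duplicate_group_rules(members, 25, groups))
```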

Groups of hosts/nets: IP addresses merging

Isba works on sets of hosts and nets, possibly negated, that is to say sets of "x.y.z.t/n" and "!x.y.z.t/n" nets, with 0 <= n <= 32.

At compilation time, if a group contains two nets, one of which is included in the other, the smaller net is ignored (generates no ipfilter rule). For example, suppose group nets-G contains 10.0.0.0/8, 192.168.0.0/16 and 10.0.1.0/24: the last net is included in the first one, so the isba rule:

(3) block in from nets-G to any

will be compiled into only two rules:

(3.1) block in from 10.0.0.0/8 to any
(3.2) block in from 192.168.0.0/16 to any

and the 10.0.1.0/24 net will be ignored.

If a host/net group contains "positive" nets and negated nets, the positive nets are merged together, then the negated nets are merged together.
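The containment-based merging of a host/net group (a net included in another net of the group is dropped, and positive and negated nets are merged separately), as an added Python example rather than Isba's own code; it relies on the standard ipaddress module, and the function names and the output rule format are constructed:

```python
import ipaddress

def parse_net(spec):
    """Parse "x.y.z.t/n" or "!x.y.z.t/n" into (negated, IPv4Network).
    A bare "x.y.z.t" host is taken as a /32 net; host bits under the mask
    are cleared (strict=False) so "10.0.1.5/24" becomes 10.0.1.0/24."""
    negated = spec.startswith("!")
    return negated, ipaddress.ip_network(spec.lstrip("!"), strict=False)

def merge_nets(nets):
    """Drop every net that is included in another net of the same list
    (exact duplicates collapse to one), keeping input order."""
    unique = list(dict.fromkeys(nets))
    return [net for net in unique
            if not any(net != other and net.subnet_of(other) for other in unique)]

def compile_group(specs):
    """Split a group into positive and negated nets and merge each side on
    its own. Returns (positive_strs, negated_strs)."""
    positive, negated = [], []
    for spec in specs:
        neg, net = parse_net(spec)
        (negated if neg else positive).append(net)
    return ([str(net) for net in merge_nets(positive)],
            ["!" + str(net) for net in merge_nets(negated)])

def compile_rule(action, group_specs):
    """Expand "<action> from <group> to any" into one plain rule per net that
    survives merging (constructed format mirroring rule (3) of the text)."""
    positive, negated = compile_group(group_specs)
    return [f"{action} from {net} to any" for net in positive + negated]

if __name__ == "__main__":
    # Group nets-G of the text: 10.0.1.0/24 lies inside 10.0.0.0/8 and is dropped.
    for line in compile_rule("block in", ["10.0.0.0/8", "192.168.0.0/16", "10.0.1.0/24"]):
        print(line)
```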

 
Unsupported IP-Filter keywords

Some IP-Filter keywords are not yet supported by isba standard rules:

Keyword                               Status
skip                                  not supported
dup-to intf                           supported
dup-to intf:host                      not supported
with ipopts                           supported
detailed ip options, ipsec            not supported
host/net negation (from !10.0.0.0/8)  supported for individual hosts/nets only, not supported for groups
a.b.c.d/n                             this is the only supported mask specification
a.b.c.d mask x.y.z.t                  not supported
a.b.c.d mask 0xhhhhhhhh               not supported
one bound ranges                      supported (port < x, port > x)
inside port range                     supported (x >< y)
outside port range                    not supported (x <> y)

Isba also introduces some minor differences to enhance readability:

Keyword       Status
any           is not displayed in the GUI. An empty box means 'any'.
all           is not displayed either.
proto         there is no 'proto' column: the protocol is included in the service. If in some rule you want, say, "proto udp" without specifying a port, you can use the predefined pseudo-service proto-udp.
source port   in order to save some width in the display, isba has no column to specify the seldom-used source port in ipf rules. The source port, if any, can be specified through the Misc column right-click popup (along with TCP flags, keep state, etc.).

Isba User's Guide - last modified on 09-Jan-2002 22:48 MET - Copyright (c) 2001