NAME
filter_backends - output drivers for the filtergen packet filter compiler
INTRODUCTION
This document describes the status and feature-set of the currently available
filtergen backends.
IPTABLES
Most development is done first against the iptables driver. It supports reject,
masquerading, transparent proxying, logging (with text) and sub-groups, all of
which should work fine (though sub-group support has only recently been fixed).
IPCHAINS
The ipchains driver supports all of the above features, too. Its state model is
much weaker though, of course. The forwarding support should work OK, though
it is not possible to support "local"-only packets.
IPFILTER
The ipfilter backend is incomplete. It supports accept, drop, reject and
logging, but not masq, transproxy or sub-groups. It should be easy for someone
with knowledge of ipfilter to add support for the other features. Options for
OpenBSD "pf" features and syntax would be nice, too. It has received
no testing; I don't even know if the generated filters are syntactically
correct.
CISCO
The cisco driver is in roughly the same sort of state as the ipfilter one.
Additionally, because of the limitations of IOS ACLs, it supports only a
limited set of features. It cannot support reject or transparent proxying, and
may not be able to support masquerading either. An option for reflexive
(stateful) ACLs would be very useful.
I understand that Cisco PIX firewalls use a variant of this syntax -- it would
be very nice to support them too.
SEE ALSO
filtergen(8),
filter_syntax(5)