FILTER BACKENDS(7)     Miscellaneous Information Manual     FILTER BACKENDS(7)



NAME
       filter_backends - output drivers for the filtergen packet filter
       compiler


INTRODUCTION
       This document describes the status and feature-set of the currently
       available filtergen backends.


IPTABLES, IP6TABLES
       Most development is done first against the iptables driver.  It
       supports reject, masquerading, transparent proxying, logging (with
       text) and sub-groups, all of which should work fine (though sub-group
       support has only recently been fixed).

       The ip6tables driver is the IPv6 equivalent of the iptables driver.


IPTABLES-RESTORE, IP6TABLES-RESTORE
       The iptables-restore driver supports all of the features of the
       iptables driver. It emits a ruleset that is loaded atomically into
       Netfilter using iptables-restore.

       The ip6tables-restore driver is the IPv6 equivalent of the iptables-
       restore driver.
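
       The ruleset format that iptables-restore reads groups rules into
       table sections, each closed by a COMMIT line.  The following is an
       added example, not filtergen code or output: a structural check to
       run on such a file before loading it.  The sample ruleset and the
       name check_ruleset are constructed for illustration, and the check
       assumes every chain is declared with a ":" line.

```python
import shlex

# Constructed sample in iptables-restore format (illustrative, not filtergen output).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:log-drop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j log-drop
-A log-drop -j LOG --log-prefix "drop: "
-A log-drop -j DROP
COMMIT
"""

def check_ruleset(text):
    """Return a list of structural problems; an empty list means none found."""
    problems, table, chains = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # start of a table section
            if table is not None:
                problems.append(f"line {n}: table '{table}' has no COMMIT")
            table, chains = line[1:], set()
        elif line == "COMMIT":                # end of the current table section
            if table is None:
                problems.append(f"line {n}: COMMIT outside a table")
            table = None
        elif table is None:
            problems.append(f"line {n}: rule outside a table section")
        elif line.startswith(":"):            # chain declaration: ":NAME POLICY [pkts:bytes]"
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            # Assumption of this lint: every chain, built-in ones included,
            # is declared with a ":" line before rules are appended to it.
            chain = shlex.split(line)[1]
            if chain not in chains:
                problems.append(f"line {n}: append to undeclared chain '{chain}'")
    if table is not None:
        problems.append(f"end of input: table '{table}' has no COMMIT")
    return problems

if __name__ == "__main__":
    for p in check_ruleset(SAMPLE) or ["structure OK"]:
        print(p)
```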


IPCHAINS
       The ipchains driver supports all of the above features, too.  Its state
       model is much weaker though, of course.  The forwarding support should
       work OK, though it is not possible to support "local"-only packets.


IPFILTER
       The ipfilter backend is incomplete.  It supports accept, drop, reject
       and logging, but not masq, transproxy or sub-groups.  It should be easy
       for someone with knowledge of ipfilter to add support for the other
       features.  Options for OpenBSD "pf" features and syntax would be nice,
       too.  It has received no testing; I don't even know if the generated
       filters are syntactically correct.


CISCO
       The cisco driver is in roughly the same sort of state as the ipfilter
       one.  Additionally, because of the limitations of IOS ACLs, it supports
       only a limited set of features.  It cannot support reject or
       transparent proxying, and may not be able to support masquerading
       either.  An option for reflexive (stateful) ACLs would be very useful.

       I understand that Cisco PIX firewalls use a variant of this syntax --
       it would be very nice to support them too.


SEE ALSO
       filtergen(8), filter_syntax(5)



                                January 7, 2004             FILTER BACKENDS(7)