filtergen

FILTERGEN(8)                System Manager's Manual               FILTERGEN(8)



NAME
       filtergen - packet filter compiler


SYNOPSIS
       filtergen [ -h | --help ] [ -V | --version ] [ -c | --compile ] [ -t
       target | --target=target ] [ -o outfile | --output=outfile ] infile

       filtergen [ -h | --help ] [ -V | --version ] [ -c | --compile ] [ -t
       target | --target=target ] [ -o outfile | --output=outfile ] [ -F
       policy | --flush=policy ]


DESCRIPTION
       filtergen compiles a high-level filtering description language into a
       variety of target formats.


USAGE
       filtergen reads the ruleset from the infile specified on the command
       line (or standard input if infile is "-") and outputs to standard
       output (or outfile) via an optionally specified backend.


       Both short and GNU-style long options are accepted:


       -c, --compile
              Only try to "compile" the input, and do not generate any output.
              This may be useful to check that an input file has no syntax
              errors in it before one attempts to use the result on a live
              server.


       -t target-filter, --target=target-filter
              If specified, target-filter will be used to select an output
              filter type, otherwise the default of iptables will be used.
              Supported backends are iptables, ip6tables, iptables-restore,
              ip6tables-restore, ipchains, ipfilter and cisco (for Cisco IOS
              access-lists).


       -F policy, --flush=policy
              Flush mode.  Generate a set of rules for clearing all rules from
              the packet filter.  Useful for firewall scripts that need to
              `shutdown' the firewall.  You can supply a policy argument in
              place of the usual filename, to specify whether the flushed
              filter should default to accept, reject, or drop.  It defaults
              to accept, equivalent to having no filter loaded at all.  It is
              not necessary to specify an infile when using flush mode.


       -o outfile, --output=outfile
              Write output to outfile instead of standard output.


       -h, --help
              Show command help.


       -V, --version
              Show program version.
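
       The check-before-use workflow that -c is intended for, as an added
       shell example (not part of filtergen or of this manual). It assumes
       filtergen exits non-zero when the input fails to compile; the names
       build_ruleset and FILTERGEN are invented here.

```shell
#!/bin/sh
# Added example: validate-then-generate wrapper around filtergen.
# build_ruleset and FILTERGEN are hypothetical names, not part of filtergen.

# build_ruleset INFILE OUTFILE [TARGET]
# Replaces OUTFILE only when the syntax check and the generation both
# succeed; on any failure an existing OUTFILE is left untouched.
# INFILE is read twice, so "-" (standard input) is not supported here.
# Returns 0 on success, 1 on a filtergen failure, 2 on a local error.
build_ruleset() {
    infile=$1
    outfile=$2
    target=${3:-iptables}            # the default backend named on this page
    fg=${FILTERGEN:-filtergen}       # override to point at another binary

    [ -r "$infile" ] || { echo "cannot read $infile" >&2; return 2; }

    # Step 1: compile only (-c); no output is generated.
    # Assumption: filtergen exits non-zero when the input does not compile.
    if ! "$fg" -c -t "$target" "$infile" >/dev/null; then
        echo "syntax check failed: $infile" >&2
        return 1
    fi

    # Step 2: generate into a temporary file beside the destination, so the
    # final rename stays on one filesystem and is atomic.
    tmp=$(mktemp "${outfile}.XXXXXX") || return 2
    if ! "$fg" -t "$target" -o "$tmp" "$infile" || [ ! -s "$tmp" ]; then
        echo "generation failed: $infile" >&2
        rm -f "$tmp"
        return 1
    fi

    # Step 3: publish the new ruleset in one rename.
    mv -f "$tmp" "$outfile"
}
```

       A firewall script can load OUTFILE only when build_ruleset returns 0,
       so a ruleset with a syntax error never replaces the last good one.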


BUGS
       Not all backends implement all features.

       The packet filter is not optimised.


SEE ALSO
       fgadm(8), filter_syntax(5), filter_backends(7)


AUTHOR
       filtergen was originally written by Matthew Kirkwood.  Jamie Wilkinson
       <jaq@spacepants.org> then rewrote a lot of the internals, added some
       features, and took on maintenance of the project.



                                January 7, 2004                   FILTERGEN(8)