**This is automatically generated documentation.** Edit after the "[[#COMMENTS|COMMENTS]]" heading; changes to the main body will be lost.

====== IPFilter Element Documentation ======

===== NAME =====

**IPFilter** -- Click element; filters IP packets by contents

===== SYNOPSIS =====

IPFilter(ACTION_1 PATTERN_1, ..., ACTION_N PATTERN_N)

**Ports**: 1 input, any number of outputs\\
**Processing**: push\\
**Package**: ip (core)\\

===== DESCRIPTION =====

Filters IP packets. IPFilter can have an arbitrary number of filters, which are ACTION-PATTERN pairs. The ACTIONs describe what to do with packets, while the PATTERNs are [[tcpdump]]-like patterns; see [[IPClassifier]] for a description of their syntax. Packets are tested against the filters in order, and are processed according to the ACTION in the first filter that matches.

Each ACTION is either a port number, which specifies that the packet should be sent out on that port; %%'%%''allow''%%'%%, which is equivalent to %%'%%''0''%%'%%; or %%'%%''drop''%%'%%, which means drop the packet. You can also say %%'%%''deny''%%'%% instead of %%'%%''drop''%%'%%, but see the compatibility note below.

The IPFilter element has an arbitrary number of outputs. Input packets must have their IP header annotation set; [[CheckIPHeader]] and [[MarkIPHeader]] do this.

===== NOTES =====

Every IPFilter element has an equivalent corresponding [[IPClassifier]] element and vice versa. Use the element whose syntax is more convenient for your needs.

**Compatibility note**: %%'%%''deny''%%'%% formerly meant %%'%%''1''%%'%% if the element had at least two outputs and %%'%%''drop''%%'%% if it did not. We decided this was error-prone; now it just means %%'%%''drop''%%'%%. For now, however, %%'%%''deny''%%'%% will print a warning if used on an element with more than one output.
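A minimal configuration, added here as an example and not part of the generated documentation or the Click sources, showing the points above in practice: IPFilter placed behind [[CheckIPHeader]] so the IP header annotation is set, a numbered output port used as an ACTION alongside ''allow'' and ''drop'', and the spoof rule placed first because the first matching filter wins. The trace file name, the ''INTERNALNET'' address block and the element names (''ipf'', ''allowed'', ''ssh'') are assumptions made for this example.

```click
// Added example, not from the Click distribution. Assumptions: trace.pcap is an
// Ethernet-encapsulated capture, and 10.1.0.0/16 stands in for the internal net.
AddressInfo(INTERNALNET 10.1.0.0/16);

FromDump(trace.pcap, STOP true)
  -> Strip(14)                 // remove the 14-byte Ethernet header
  -> CheckIPHeader             // checks the header and sets the IP header annotation
  -> ipf :: IPFilter(
       // Spoof check first: filters are tested in order, first match wins
       drop  src INTERNALNET,
       // Inbound SSH goes to output 1 (a port number is a valid ACTION)
       1     tcp && dst port 22,
       // Replies to established connections: 'allow' is the same as output 0
       allow tcp && dst port > 1023 && ack,
       // Default: anything unmatched is dropped
       drop  all);

ipf[0] -> allowed :: Counter -> Discard;
ipf[1] -> ssh     :: Counter -> Discard;
```

Run it with ''click example.click'' and read the counters at exit with ''click -h allowed.count -h ssh.count example.click''. Because ''ipf'' has two outputs, writing ''deny'' instead of ''drop'' in this element would print the compatibility warning described above. Ordering is the security-relevant part: if the ''src INTERNALNET'' rule were moved below the SSH rule, a packet with a forged internal source address and destination port 22 would match the SSH rule first and be sent out port 1.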
===== EXAMPLES =====

This large IPFilter implements the incoming packet filtering rules for the "Interior router" described on pp691-692 of //Building Internet Firewalls, Second Edition// (Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, O'Reilly and Associates, 2000). The capitalized words (''INTERNALNET'', ''BASTION'', etc.) are addresses that have been registered with [[AddressInfo]]. The rule FTP-7 has a port range that cannot be implemented with IPFilter, so it is omitted. Note that filters are tested in order: the Spoof-1 rule must stay first, or a packet with a forged ''INTERNALNET'' source address could be accepted by one of the later ''allow'' rules. Since every accepted packet goes to output 0, this element has a single output, and ''deny'' here simply means ''drop'' without triggering the compatibility warning.

<code>
IPFilter(// Spoof-1:
         deny src INTERNALNET,
         // HTTP-2:
         allow src BASTION && dst INTERNALNET && tcp && src port www && dst port > 1023 && ack,
         // Telnet-2:
         allow dst INTERNALNET && tcp && src port 23 && dst port > 1023 && ack,
         // SSH-2:
         allow dst INTERNALNET && tcp && src port 22 && ack,
         // SSH-3:
         allow dst INTERNALNET && tcp && dst port 22,
         // FTP-2:
         allow dst INTERNALNET && tcp && src port 21 && dst port > 1023 && ack,
         // FTP-4:
         allow dst INTERNALNET && tcp && src port > 1023 && dst port > 1023 && ack,
         // FTP-6:
         allow src BASTION && dst INTERNALNET && tcp && src port 21 && dst port > 1023 && ack,
         // FTP-7 omitted
         // FTP-8:
         allow src BASTION && dst INTERNALNET && tcp && src port > 1023 && dst port > 1023,
         // SMTP-2:
         allow src BASTION && dst INTERNAL_SMTP && tcp && src port 25 && dst port > 1023 && ack,
         // SMTP-3:
         allow src BASTION && dst INTERNAL_SMTP && tcp && src port > 1023 && dst port 25,
         // NNTP-2:
         allow src NNTP_FEED && dst INTERNAL_NNTP && tcp && src port 119 && dst port > 1023 && ack,
         // NNTP-3:
         allow src NNTP_FEED && dst INTERNAL_NNTP && tcp && src port > 1023 && dst port 119,
         // DNS-2:
         allow src BASTION && dst INTERNAL_DNS && udp && src port 53 && dst port 53,
         // DNS-4:
         allow src BASTION && dst INTERNAL_DNS && tcp && src port 53 && dst port > 1023 && ack,
         // DNS-5:
         allow src BASTION && dst INTERNAL_DNS && tcp && src port > 1023 && dst port 53,
         // Default-2:
         deny all);
</code>

===== ELEMENT HANDLERS =====

  ? **program (read-only)**
  ! Returns a human-readable definition of the program the IPFilter element is using to classify packets. At each step in the program, four bytes of packet data are ANDed with a mask and compared against four bytes of classifier pattern.

===== SEE ALSO =====

[[IPClassifier]], [[Classifier]], [[CheckIPHeader]], [[MarkIPHeader]], [[CheckIPHeader2]], [[AddressInfo]], tcpdump(1)

Generated by 'click-elem2man' from '../elements/ip/ipfilter.hh' on 24/May/2007.

===== COMMENTS =====