Lines Matching full:rule
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
129 are relatively fast, making a single rule with tables much more efficient,
132 differ only in IP address (either created explicitly or automatically by rule
143 (see below for details on the various rule types).
189 when the last rule referring to it is flushed.
218 A filter rule is set up to block all traffic coming from addresses listed in
368 The adaptive timeout values can be defined both globally and for each rule.
369 When used on a per-rule basis, the values relate to the number of
370 states created by the rule, otherwise to the total number of
454 remove rules that are a subset of another rule
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
557 This might happen when a nat or route-to rule uses an empty table as list
558 of targets or if a rule fails to create state or source node.
703 Preserve rule counters across rule updates.
704 Usually rule counters are reset to zero on every update of the ruleset.
708 and preserve the rule counters.
721 The last matching rule decides what action is taken.
722 If no rule matches the packet, the default action is to pass
735 The rule parameters specify the packets to which a rule applies.
738 If a parameter is specified, the rule only applies to packets with
745 generates all needed rule combinations.
748 This rule applies to incoming or outgoing packets.
753 are specified, the rule will match packets in both directions.
755 If a packet matches a rule which has the
757 option set, this rule
758 is considered the last matching rule, and evaluation of subsequent rules
761 This rule applies only to packets coming in on, or going out through, this
771 Packets matching this rule will be sent out of the specified interface without
774 This rule applies only to packets of this protocol.
783 This rule applies only to packets with the specified source and destination
787 Packets matching this rule will be assigned to the specified queue.
793 Packets matching this rule will be tagged with the
802 meaning that the packet will be tagged even if the rule
803 is not the last matching rule.
809 to match the rule.
986 option prefixed to a scrub rule causes matching packets to remain unscrubbed,
1012 any packet filtering rule can reference the defined queues by name.
1349 The first pipe or queue number will be used to shape the traffic in the rule
1352 If the rule does not specify a direction the first packet to create state will
1368 rule, subsequent rules will see packets as they look
1435 rule specifies a bidirectional mapping between an external IP netblock
1439 rule and an inbound
1441 rule.
1523 such a rule as long as they are not blocked by the filtering section of
1530 Packets that match a translation rule are only automatically passed if
1554 option prefixed to a translation rule causes packets to remain untranslated,
1558 If no rule matches the packet it is passed to the filter engine unmodified.
1571 The first matching rule decides what action is taken.
1616 , the last matching rule decides what action is taken.
1621 If no rule matches the packet, the default action is to pass
1630 rule can behave when blocking a packet.
1636 option, or on a per-rule basis with one of the following options:
1648 This causes ICMP messages to be returned for packets which match the rule.
1665 packets that match explicit rules is specify a first filter rule of:
1678 rules in that parameters are set for every rule a packet matches, not only
1679 on the last matching rule.
1702 rule, a state entry is created; for subsequent packets the filter checks
1712 rule applies to the connection.
1755 if this is the last matching rule.
1763 The rule parameters specify the packets to which a rule applies.
1766 If a parameter is specified, the rule only applies to packets with
1770 generates all needed rule combinations.
1773 This rule applies to incoming or outgoing packets.
1778 are specified, the rule will match packets in both directions.
1837 If a packet matches a rule which has the
1839 option set, this rule
1840 is considered the last matching rule, and evaluation of subsequent rules
1843 This rule applies only to packets coming in on, or going out through, this
1853 This rule applies only to packets of this address family.
1859 This rule applies only to packets of this protocol.
1878 This rule applies only to packets with the specified source and destination
1935 When the interface name is surrounded by parentheses, the rule is
2006 this rule only applies to packets of sockets owned by the specified group.
2008 This rule only applies to packets of sockets owned by the specified user.
2078 This rule only applies to TCP packets that have the flags
2138 This rule only applies to ICMP or ICMPv6 packets with the specified type
2156 This rule applies to packets with the specified
2188 rule, packets that pass the filter based on that rule (last matching)
2190 For packets that match state, the rule that initially created the
2194 rule, that is used when a packet does not match
2198 Adds a label (name) to the rule, which can be used to identify the rule.
2201 shows per-rule statistics for rules that have labels.
2219 The rule number.
2241 Add an identifier (number) to the rule, which can be used to correlate the rule
2244 Measure the rate of packets matching the rule and states created by it.
2245 When the specified rate is exceeded, the rule stops matching.
2262 Create a one shot rule.
2263 The first matching packet marks the rule as expired.
2272 Packets matching this rule will be assigned to the specified queue.
2288 Packets matching this rule will be assigned a specific queueing priority.
2311 Packets matching this rule will be tagged with the
2320 meaning that the packet will be tagged even if the rule
2321 is not the last matching rule.
2336 be tagged with the given tag in order to match the rule.
2360 A probability attribute can be attached to a rule, with a value set between
2362 In that case, the rule will be honoured using the given probability value
2364 For example, the following rule will drop 20% of incoming ICMP packets:
2372 If a packet matches a rule with a route option set, the packet filter will
2374 When such a rule creates state, the route option is also applied to all
2384 rule creates state, only packets that pass in the same direction as the
2385 filter rule specifies will be routed in this way.
2418 rule options) for which there is a single redirection address which has a
2472 to the map-e-portset nat rule.
2521 rule option. If a table is used with IPv4 and IPv6 addresses, first the IPv6 addresses
2531 rule to a TCP connection,
2538 directive implicitly keeps state on the rule and is
2614 per-rule basis.
2621 must be specified explicitly to apply options to a rule.
2625 Limits the number of concurrent states the rule may create.
2629 Prevent state changes for states created by this rule from appearing on the
2635 Changes the timeout values used for states created by this rule.
2647 States created by this rule are exported on the
2660 (max 100, source-track rule, max-src-nodes 75, \e
2669 .It Ar source-track rule
2670 The maximum number of states created by this rule is limited by the rule's
2675 Only state entries created by this particular rule count toward the rule's
2679 Each rule can specify different
2683 options, however state entries created by any participating rule count towards
2684 each individual rule's limits.
2695 source address can create with this rule.
2728 keyword kills all states created by the matching rule which originate
2733 offending host, regardless of which rule created the state.
2742 by the block rule.
2884 rule applies to a fragment or
2902 For instance, the rule
2996 rule,
3010 matched by any rule within the anchor.
3021 rule will be attached under that anchor point.
3049 This loads a single rule into the
3055 rule after the
3057 rule:
3077 rule is only evaluated for matching packets.
3108 will evaluate each rule in each anchor attached to the
3136 rule.
3140 rule can also contain a filter ruleset in a brace-delimited block.
3184 rule is used with the
3186 modifier, packets matching the translation rule are passed without
3275 rule excludes protocol AH from being translated.
3407 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3408 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3409 trans-anchors | anchor-rule | anchor-close | load-anchor |
3410 table-rule | include )
3428 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3433 pf-rule = action [ ( "in" | "out" ) ]
3465 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3472 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3479 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3485 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3489 table-rule = "table" "<" string ">" [ tableopts-list ]
3498 altq-rule = "altq on" interface-name queueopts-list
3500 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3503 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3592 "source-track" [ ( "rule" | "global" ) ] |