Lines Matching full:rules

39 packet filter modifies, drops or passes packets according to rules or
53 rules with large numbers of source or destination addresses.
64 Translation rules specify how addresses are to be mapped or redirected to
125 processor usage and memory consumption, than a large number of rules which
129 Tables can be used as the source or destination of filter rules,
131 rules
133 translation rules such as
142 and in the routing options of filter rules, but not for
161 same time as other rules are loaded, atomically.
181 flag forces the kernel to keep the table even when no rules refer to it.
215 will exist even when no active filter rules reference it.
403 rules which do not specify
416 rules) to 20000.
452 remove duplicate rules
454 remove rules that are a subset of another rule
456 combine multiple rules into a table when advantageous
458 re-order the rules to improve evaluation performance
463 ordering of quick rules to actual network traffic.
472 be added to all of the accounting rules to act as optimization barriers.
527 rules present.
555 option sets the behaviour of rules which should pass a packet but were
624 option sets the state options for states created from rules
707 set pf will attempt to find matching rules between old and new rulesets
719 goes out through an interface, the filter rules are evaluated in
734 .Ss Parameters applicable to layer 2 rules
758 is considered the last matching rule, and evaluation of subsequent rules
799 processed by translation rules.
804 Further matching rules can replace the tag with a
823 option, added to filter rules.
943 rules can also be specified in their own ruleset.
947 If there are such rules present they determine packet reassembly behaviour.
948 When no such rules are present the option
953 rules can take all parameters specified above for a
955 option of filter rules and 2 more parameters controlling fragment reassembly:
960 rules, fragments can be reassembled by normalization.
963 The advantage is that filter rules have to deal only with complete
983 from broader scrub rules.
986 rules in the
991 rules must not have the direction (in/out) specified.
1011 rules will be queued, while for
1013 rules it specifies where any resulting ICMP or TCP RST
1279 Packets can be assigned to queues based on filter rules by using the
1300 The queues may then be referenced by filtering rules (see
1360 rule, subsequent rules will see packets as they look
1362 These rules will therefore have to filter based on the translated
1376 rules.
1380 on inbound rules, and a source address of the resulting translation
1399 For example, the following rules are identical:
1410 In the reverse case the following rules are identical:
1473 In addition to modifying the address, some translation rules may modify
1513 rules can also be specified in their own ruleset.
1520 Filter rules will therefore have to filter based on the translated
1530 rules.
1532 The following rules can be defined in the NAT ruleset:
1542 options for filter rules.
1552 Evaluation order of the translation rules is dependent on the type
1553 of the translation rules and of the direction of a packet.
1555 rules are always evaluated first.
1558 rules are evaluated on an inbound packet or the
1560 rules on an outbound packet.
1561 Rules of the same type are evaluated in the same order in which they
1565 Translation rules apply only to packets that pass through
1602 For each packet processed by the packet filter, the filter rules are
1611 , rules are evaluated every time they match; the pass/block state of a packet
1657 packets that match explicit rules is specify a first filter rule of:
1666 rules differ from
1670 rules in that parameters are set for every rule a packet matches, not only
1696 If it does, the packet is passed without evaluation of any rules.
1722 Also, looking up states is usually faster than evaluating rules.
1734 rules, in order to track address and port translations and reverse the
1806 it logs the packet on all subsequent matching rules.
1832 is considered the last matching rule, and evaluation of subsequent rules
1976 rules with the
2034 Forwarded packets with unknown user and group ID match only rules
2118 rules,
2136 This parameter is only valid for rules that cover protocols ICMP or
2167 For example, the following rules are identical:
2187 any rules, does not allow IP options or option headers.
2193 shows per-rule statistics for rules that have labels.
2302 processed by translation rules.
2307 Further matching rules can replace the tag with a
2316 rules in addition to filter rules.
2319 Used with filter, translation or scrub rules
2382 is useful only in rules that create state.
2398 rules, (as well as for the
2441 rules, the
2452 rules, the
2456 interface and pass rules for encapsulated packets are required in addition
2469 rules, the
2532 rules to prevent ACK storms.
2571 Rules with
2622 Automatically allow connections related to this one, regardless of rules that
2649 The number of states created by all rules that use this option is limited.
2706 For example, the following rules will protect the webserver against
2762 Filter rules can enforce policy at any level of operating system specification
2797 directive expands to a set of filter rules which will block all
2813 For non-loopback interfaces, there are additional rules to block incoming
2828 Caveat: Rules created by the
2848 rules as described in
2852 One alternative is to filter individual fragments with filter rules.
2860 Filter rules with matching IP header parameters decide whether the
2868 option can be used to restrict filter rules to apply only to
2870 Filter rules without the
2888 rules.
2895 rules with the
2918 is a container that can hold rules, address tables, and other anchors.
2925 attaching child anchors to it or loading rules into it.
2930 translation rules, for example, may also be contained in any anchor.
2936 of rules:
2941 rules in the specified
2946 rules in the specified
2951 rules in the specified
2954 Evaluates the filter rules in the specified
2960 Loads the rules from the specified file into the
2969 will proceed to evaluate all rules specified in that anchor.
2971 Matching filter and translation rules marked with the
2973 option are final and abort the evaluation of the rules in other
2984 rules are evaluated relative to the anchor in which they are contained.
2987 rules specified in the main ruleset will reference anchor
2990 rules specified in a file loaded from a
2994 Rules may be contained in
2996 attachment points which do not contain any rules when the main ruleset
3011 all rules in the
3038 it will also load all the rules from the file
3044 rules can specify packet filtering parameters using the same syntax as
3045 filter rules.
3057 The rules inside
3103 anchor, which will evaluate the rules in the
3112 In that case, no separate loading of rules into the anchor
3114 Brace delimited blocks may contain rules or other brace-delimited blocks.
3158 inspecting subsequent filter rules: