Lines Matching full:rule
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
116 are relatively fast, making a single rule with tables much more efficient,
119 differ only in IP address (either created explicitly or automatically by rule
130 (see below for details on the various rule types).
176 when the last rule referring to it is flushed.
205 A filter rule is set up to block all traffic coming from addresses listed in
348 The adaptive timeout values can be defined both globally and for each rule.
349 When used on a per-rule basis, the values relate to the number of
350 states created by the rule, otherwise to the total number of
447 remove rules that are a subset of another rule
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing purposes or whatnot,
547 This might happen when a nat or route-to rule uses an empty table as list
548 of targets or if a rule fails to create state or source node.
691 Preserve rule counters across rule updates.
692 Usually rule counters are reset to zero on every update of the ruleset.
696 and preserve the rule counters.
708 The last matching rule decides what action is taken.
709 If no rule matches the packet, the default action is to pass
722 The rule parameters specify the packets to which a rule applies.
725 If a parameter is specified, the rule only applies to packets with
729 generates all needed rule combinations.
732 This rule applies to incoming or outgoing packets.
737 are specified, the rule will match packets in both directions.
739 If a packet matches a rule which has the
741 option set, this rule
742 is considered the last matching rule, and evaluation of subsequent rules
745 This rule applies only to packets coming in on, or going out through, this
753 Packets matching this rule will be sent out of the specified interface without
756 This rule applies only to packets of this protocol.
765 This rule applies only to packets with the specified source and destination
769 Packets matching this rule will be assigned to the specified queue.
775 Packets matching this rule will be tagged with the
784 meaning that the packet will be tagged even if the rule
785 is not the last matching rule.
791 to match the rule.
960 option prefixed to a scrub rule causes matching packets to remain unscrubbed,
986 any packet filtering rule can reference the defined queues by name.
1323 The first pipe or queue number will be used to shape the traffic in the rule
1326 If the rule does not specify a direction the first packet to create state will
1337 such a rule as long as they are not blocked by the filtering section of
1348 Packets that match a translation rule are only automatically passed if
1418 rule specifies a bidirectional mapping between an external IP netblock
1423 rule specifies that IP addresses are to be changed as the packet
1459 rule may cause the source port to be modified if doing so avoids a conflict
1468 rule.
1481 The first matching rule decides what action is taken.
1485 option prefixed to a translation rule causes packets to remain untranslated,
1489 If no rule matches the packet it is passed to the filter engine unmodified.
1548 , the last matching rule decides what action is taken.
1553 If no rule matches the packet, the default action is to pass
1562 rule can behave when blocking a packet.
1568 option, or on a per-rule basis with one of the following options:
1580 This causes ICMP messages to be returned for packets which match the rule.
1597 packets that match explicit rules is specify a first filter rule of:
1610 rules in that parameters are set for every rule a packet matches, not only
1611 on the last matching rule.
1631 rule, a state entry is created; for subsequent packets the filter checks
1641 rule applies to the connection.
1688 if this is the last matching rule.
1696 The rule parameters specify the packets to which a rule applies.
1699 If a parameter is specified, the rule only applies to packets with
1703 generates all needed rule combinations.
1706 This rule applies to incoming or outgoing packets.
1711 are specified, the rule will match packets in both directions.
1758 If a packet matches a rule which has the
1760 option set, this rule
1761 is considered the last matching rule, and evaluation of subsequent rules
1764 This rule applies only to packets coming in on, or going out through, this
1772 This rule applies only to packets of this address family.
1778 This rule applies only to packets of this protocol.
1797 This rule applies only to packets with the specified source and destination
1854 When the interface name is surrounded by parentheses, the rule is
1925 this rule only applies to packets of sockets owned by the specified group.
1927 This rule only applies to packets of sockets owned by the specified user.
1982 This rule only applies to TCP packets that have the flags
2042 This rule only applies to ICMP or ICMPv6 packets with the specified type
2060 This rule applies to packets with the specified
2092 rule, packets that pass the filter based on that rule (last matching)
2094 For packets that match state, the rule that initially created the
2098 rule that is used when a packet does not match any rules does not
2101 Adds a label (name) to the rule, which can be used to identify the rule.
2104 shows per-rule statistics for rules that have labels.
2122 The rule number.
2144 Add an identifier (number) to the rule, which can be used to correlate the rule
2150 Packets matching this rule will be assigned to the specified queue.
2166 Packets matching this rule will be assigned a specific queueing priority.
2186 Packets matching this rule will be tagged with the
2195 meaning that the packet will be tagged even if the rule
2196 is not the last matching rule.
2211 be tagged with the given tag in order to match the rule.
2241 A probability attribute can be attached to a rule, with a value set between
2243 In that case, the rule will be honoured using the given probability value
2245 For example, the following rule will drop 20% of incoming ICMP packets:
2253 If a packet matches a rule with a route option set, the packet filter will
2255 When such a rule creates state, the route option is also applied to all
2265 rule creates state, only packets that pass in the same direction as the
2266 filter rule specifies will be routed in this way.
2299 rule options) for which there is a single redirection address which has a
2353 to the map-e-portset nat rule.
2398 rule to a TCP connection,
2405 directive implicitly keeps state on the rule and is
2480 per-rule basis.
2487 must be specified explicitly to apply options to a rule.
2491 Limits the number of concurrent states the rule may create.
2495 Prevent state changes for states created by this rule from appearing on the
2501 Changes the timeout values used for states created by this rule.
2513 States created by this rule are exported on the
2526 (max 100, source-track rule, max-src-nodes 75, \e
2535 .It Ar source-track rule
2536 The maximum number of states created by this rule is limited by the rule's
2541 Only state entries created by this particular rule count toward the rule's
2545 Each rule can specify different
2549 options, however state entries created by any participating rule count towards
2550 each individual rule's limits.
2561 source address can create with this rule.
2594 keyword kills all states created by the matching rule which originate
2599 offending host, regardless of which rule created the state.
2608 by the block rule.
2750 rule applies to a fragment or
2768 For instance, the rule
2862 rule,
2876 matched by any rule within the anchor.
2887 rule will be attached under that anchor point.
2915 This loads a single rule into the
2921 rule after the
2923 rule:
2943 rule is only evaluated for matching packets.
2974 will evaluate each rule in each anchor attached to the
3002 rule.
3004 Filter rule
3048 modifier is given, packets matching the translation rule are passed without
3071 rule excludes protocol AH from being translated.
3268 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3269 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3270 trans-anchors | anchor-rule | anchor-close | load-anchor |
3271 table-rule | include )
3289 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3294 pf-rule = action [ ( "in" | "out" ) ]
3324 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3331 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3338 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3344 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3348 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
3357 altq-rule = "altq on" interface-name queueopts-list
3359 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3362 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3451 "source-track" [ ( "rule" | "global" ) ] |