AIX Version 4.3 Commands Reference, Volume 1

chfilt Command

Purpose

Changes a filter rule.

Syntax

chfilt -v 4|6 -n fid [-a D|P] [-s s_addr] [-m s_mask] [-d d_addr] [-M d_mask] [-g Y|N] [-c protocol] [-o s_opr] [-p s_port] [-O d_opr] [-P d_port] [-r R|L|B] [-w I|O|B] [-l Y|N] [-f Y|N|O|H] [-t tid] [-i interface]

Description

Use the chfilt command to change the definition of a filter rule in the filter rule table. Both auto-generated filter rules and manual filter rules can be changed by this command. If an auto-generated filter rule is modified by chfilt, it becomes a manual filter rule: it is no longer removed together with its tunnel, so it must be removed manually if the tunnel is deleted.

Flags

-a D|P Action. Deny (D) blocks traffic that matches the rule; Permit (P) allows it. Default is D.
-c protocol Protocol. The valid values are udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip, esp, ah, and all. The value all applies the filter rule to every protocol. A protocol number between 1 and 252 is also accepted.
-d d_addr Destination address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host is used. This value, together with the destination subnet mask (-M flag), is compared against the destination address of the IP packets.
-f Y|N|O|H Fragmentation control. Specifies whether the rule applies to all packets (Y), to fragment headers and unfragmented packets only (H), to fragments and fragment headers only (O), or to unfragmented packets only (N).
-g Y|N Apply to source routing. Must be Y (yes) or N (no). If Y is specified, the filter rule can also apply to IP packets that use source routing. Default is Y.
-i interface The name of the IP interface(s) to which the filter rule applies. Examples are all, tr0, en0, lo0, and pp0. The default is all.
-l Y|N Log control. Must be Y (yes) or N (no). If Y is specified, packets that match this filter rule are recorded in the filter log. Default is N.
-M d_mask Destination subnet mask. Applied to the destination address (-d flag) when it is compared with the destination address of the IP packets.
-m s_mask Source subnet mask. This will be applied to the Source address (-s flag) when compared with the source address of the IP packet.
-n fid The ID of the filter rule to change. It must exist in the filter rule table and, for IP version 4, it cannot be 1 (rule 1 is a system-reserved rule and cannot be changed).
-O d_opr Destination port or ICMP code operation. The comparison applied between the destination port or ICMP code of the packet and the value given with the -P flag. The valid values are lt, le, gt, ge, eq, neq, and any. Default is any. The value must be any when the -c flag is ospf.
-o s_opr Source port or ICMP type operation. The comparison applied between the source port or ICMP type of the packet and the value given with the -p flag. The valid values are lt, le, gt, ge, eq, neq, and any. Default is any. The value must be any when the -c flag is ospf.
-P d_port Destination port or ICMP code. The value compared with the destination port (or ICMP code) of the IP packet, using the operation given by the -O flag.
-p s_port Source port or ICMP type. The value compared with the source port (or ICMP type) of the IP packet, using the operation given by the -o flag.
-r R|L|B Routing. Specifies whether the rule applies to forwarded packets (R), to packets originated by or destined for the local host (L), or to both (B).
-s s_addr Source address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host will be used. This value along with the source subnet mask will be compared against the source address of the IP packets.
-t tid ID of the tunnel associated with this filter rule. All packets that match this filter rule must pass through the specified tunnel.
-v 4|6 IP version of the filter rule to change.
-w I|O|B Direction. Specifies whether the rule applies to incoming packets (I), outgoing packets (O), or both (B).
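Example

The following is an added example and is not part of the AIX documentation or of the chfilt command itself. It is a POSIX shell wrapper, build_chfilt (a hypothetical name), that checks flag values against the constraints listed under Flags (the fixed value sets for -a, -g, -l, -r, -w and -f; the protocol names and the 1 to 252 range for -c; the reserved rule 1 for IP version 4; and the requirement that -o and -O be any when -c is ospf) before handing them to chfilt. The rule numbers, addresses and ports in the sample calls are constructed, and the command is only executed when the environment variable CHFILT_EXEC is set to 1, so the script can be dry-run on a system without chfilt.

```sh
#!/bin/sh
# Added example, not part of the AIX documentation: validates chfilt flag
# values against the constraints in the Flags section and prints the
# resulting command line. The command is executed only when CHFILT_EXEC=1.

in_set() {   # in_set VALUE CANDIDATE... -> true if VALUE equals a candidate
    v=$1; shift
    for c in "$@"; do [ "$v" = "$c" ] && return 0; done
    return 1
}

fail() { echo "build_chfilt: $*" >&2; }

# build_chfilt takes the same flags as chfilt and prints the validated
# command line on stdout; it returns 1 (printing nothing) on a bad value.
build_chfilt() {
    OPTIND=1
    ver='' fid='' proto='' sopr=any dopr=any cmd='chfilt'
    while getopts 'v:n:a:s:m:d:M:g:c:o:p:O:P:r:w:l:f:t:i:' opt; do
        case $opt in
            v) in_set "$OPTARG" 4 6 || { fail "-v must be 4 or 6"; return 1; }
               ver=$OPTARG ;;
            n) fid=$OPTARG ;;
            a) in_set "$OPTARG" D P || { fail "-a must be D or P"; return 1; } ;;
            g|l) in_set "$OPTARG" Y N || { fail "-$opt must be Y or N"; return 1; } ;;
            r) in_set "$OPTARG" R L B || { fail "-r must be R, L or B"; return 1; } ;;
            w) in_set "$OPTARG" I O B || { fail "-w must be I, O or B"; return 1; } ;;
            f) in_set "$OPTARG" Y N O H || { fail "-f must be Y, N, O or H"; return 1; } ;;
            c) # a named protocol, or a protocol number from 1 to 252
               if ! in_set "$OPTARG" udp icmp icmpv6 tcp tcp/ack ospf ipip esp ah all; then
                   case $OPTARG in
                       ''|*[!0-9]*) fail "-c: unknown protocol '$OPTARG'"; return 1 ;;
                   esac
                   [ "$OPTARG" -ge 1 ] && [ "$OPTARG" -le 252 ] ||
                       { fail "-c: protocol number must be 1..252"; return 1; }
               fi
               proto=$OPTARG ;;
            o|O) in_set "$OPTARG" lt le gt ge eq neq any ||
                     { fail "-$opt must be lt, le, gt, ge, eq, neq or any"; return 1; }
                 if [ "$opt" = o ]; then sopr=$OPTARG; else dopr=$OPTARG; fi ;;
            s|m|d|M|p|P|t|i) ;;   # addresses, masks, ports, tunnel, interface: passed through
            *) return 1 ;;        # getopts has already reported the bad flag
        esac
        cmd="$cmd -$opt $OPTARG"
    done
    # Cross-flag constraints from the Flags section.
    { [ -n "$ver" ] && [ -n "$fid" ]; } || { fail "-v and -n are required"; return 1; }
    if [ "$ver" = 4 ] && [ "$fid" = 1 ]; then
        fail "rule 1 is reserved for IP version 4 and cannot be changed"; return 1
    fi
    if [ "$proto" = ospf ] && { [ "$sopr" != any ] || [ "$dopr" != any ]; }; then
        fail "-o and -O must be any when -c is ospf"; return 1
    fi
    printf '%s\n' "$cmd"
    [ "${CHFILT_EXEC:-0}" = 1 ] && $cmd
    return 0
}

# Constructed invocations (dry run): turn rule 2 into a logged deny of inbound
# telnet (TCP destination port 23) on en0 from 10.1.2.0/24, then show two
# changes the wrapper rejects.
build_chfilt -v 4 -n 2 -a D -c tcp -s 10.1.2.0 -m 255.255.255.0 \
    -O eq -P 23 -w I -l Y -i en0
build_chfilt -v 4 -n 1 -a P || true                 # rejected: rule 1 is reserved
build_chfilt -v 4 -n 3 -c ospf -O eq -P 89 || true  # rejected: ospf needs -O any
```

Without CHFILT_EXEC=1 the wrapper only prints the command it would run, so a change can be reviewed before it reaches the live filter table; it checks only what the Flags section states and does not consult the existing rule.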
