IPFWCIRCUIT(8) BSD System Manager's Manual IPFWCIRCUIT(8)
NAME
ipfwcircuit - set / delete / modify BSD IP Filter circuit
SYNOPSIS
ipfwcircuit [filter] [-Fv] [-f number] [-i index] [-m mask] [-s size]
[-T tag] [-w [src | dst]] [-N maxcircuits] [-n ticks] [-t tickrate]
ipfwcircuit [filter] [-v] [-a serial] [-w [src | dst]] [-H -hitcode]
[-M -misscode] addr1 [addr2] ports
ipfwcircuit [filter] [-v] [-d serial] [-w [src | dst]] addr1 [addr2] ports
ipfwcircuit [filter] [-v] [-D serial]
ipfwcircuit [filter] -e serial [-n ticks] [-t tickrate]
DESCRIPTION
The ipfwcircuit utility is used to create and maintain circuit caches.
This utility mostly exists for testing purposes. It is expected that
most real world situations will warrant a custom program to maintain the
circuit cache.
The filter argument, if specified, must be one of:
pre-input
A filter on all IP packets as they first enter IP processing
input A filter on IP packets destined for the local machine, after
fragment re-assembly.
forward
A filter on IP packets being forwarded through this machine.
pre-output
A filter on all IP packets leaving this machine, prior to routing.
output A filter on IP packets generated locally by this machine.
call Not an actual filtering point, this chain should contain filters
to be called from a BPF based filter. This is the default chain
of filters used.
The following options are available:
-a Add an entry to the filter specified by serial.
-D Display the number of entries in each bucket for the circuit
cache specified by serial.
-d Delete the entry specified in the circuit cache specified by
serial.
-e Expire old circuits. In this mode the program does not return
but checks every tickrate seconds for circuits that have not been
used in the past tick intervals (or tickrate * tick seconds).
-F For TCP circuit caches turn on the following of FINs and RSTs.
-f Insert the newly created filter at location number in the call
list.
-H When used with the -a flag specify the return value on a hit.
-i Specify interface to restrict filtering to. Currently this must
be the interfaces index number.
-m Set the mask of the first 32 bits of the data packet to examine
to mask. By default all 32 bits are examined.
-N Set the maximum number of circuits allowed in the cache to
maxcircuits.
-n Set the number of ticks before an entry expires. Defaults to
128, which is also the maximum value.
-s By default all circuit caches have 997 buckets. This is good for
up to 10,000 entries. An alternate size may be specified with -s.
-T Specify the tag to be used for this filter.
-t Set the tick rate for expiration. Defaults to 225 seconds per
tick. When combined with 128 ticks (the default) the expiration
rate is 8 hours.
-v Be verbose about what is going on.
-w By default both the source and destination IP addresses are used.
Specifying src or dst with the -w flag will limit the usage to
only that entry. Providing -w src -w dst allows the insertion of
a uni-directional circuit cache using both addresses.
If none of -a, -d, or -D are specified then a new circuit cache is created.
When adding or deleting any entry to the circuit cache, the same -w flags
must be passed as were used in the creation of the filter. When -w is
not used addr1 and addr2 specify the two addresses. The first 32 bits of
data will be treated as two 16 bits words. If addr1 is the destination
address of the packet being checked then the 16 bit words will be swapped
prior to checking. Even if the mask is zero, ports must be specified
(the pattern to compare the first 32 bits of data to after masking).
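The matching rules above, modelled as an added example (this is not code from ipfwcircuit or IP Filter; the names CircuitEntry and match_packet are constructed here, and treating -w src / -w dst entries as a single-address compare with no port swap is an assumption):

```python
# Model of an ipfwcircuit(8) entry and the lookup rules from the text above.
# Added example, not IP Filter code. Addresses are plain dotted-quad strings
# and the first 32 bits of data are passed as one integer (sport << 16 | dport
# for TCP/UDP).
from dataclasses import dataclass
from typing import Optional

def swap16(word32: int) -> int:
    """Swap the two 16-bit halves of a 32-bit word (ports for the reverse direction)."""
    return ((word32 & 0xFFFF) << 16) | (word32 >> 16)

@dataclass
class CircuitEntry:
    addr1: str
    addr2: Optional[str]        # None when keyed on one address (-w src or -w dst)
    ports: int                  # pattern compared against the masked 32 bits of data
    mask: int = 0xFFFFFFFF      # -m mask; the default examines all 32 bits
    mode: str = "both"          # "both" (default), "src" (-w src) or "dst" (-w dst)

def match_packet(entry: CircuitEntry, src: str, dst: str, data32: int) -> bool:
    """Return True when a packet (src, dst, first 32 bits of data) hits the entry."""
    if entry.mode == "src":             # assumption: single-address entries never swap
        if src != entry.addr1:
            return False
        word = data32
    elif entry.mode == "dst":
        if dst != entry.addr1:
            return False
        word = data32
    else:
        if (src, dst) == (entry.addr1, entry.addr2):
            word = data32
        elif (dst, src) == (entry.addr1, entry.addr2):
            word = swap16(data32)       # addr1 is the destination: swap the 16-bit words
        else:
            return False
    return (word & entry.mask) == entry.ports

def expiry_seconds(ticks: int = 128, tickrate: int = 225) -> int:
    """-n ticks times -t tickrate; the defaults give 28800 seconds (8 hours)."""
    return ticks * tickrate

if __name__ == "__main__":
    # Constructed sample: client 10.0.0.1 port 1025 talking to server 10.0.0.2 port 80.
    entry = CircuitEntry("10.0.0.1", "10.0.0.2", (1025 << 16) | 80)
    print(match_packet(entry, "10.0.0.1", "10.0.0.2", (1025 << 16) | 80))  # True
    print(match_packet(entry, "10.0.0.2", "10.0.0.1", (80 << 16) | 1025))  # True (reply)
    print(expiry_seconds())                                                 # 28800
```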
SEE ALSO
ipfw(8), ipfwdump(8), ipfwlog(8)
June 16, 1997