The keywords described in this section are used to describe attributes of the packet to be used when determining whether rules match or don't match. The following general-purpose attributes are provided for matching, and must be used in this order:
tos
packets with different Type-Of-Service values can be filtered. Individual service levels or combinations can be filtered upon. The value for the TOS mask can either be represented as a hex number or a decimal integer value.
ttl
packets may also be selected by their Time-To-Live value. The value given in the filter rule must exactly match that in the packet for a match to occur. This value can only be given as a decimal integer value.
proto
allows a specific protocol to be matched against. All protocol names found in /etc/protocols are recognised and may be used. However, the protocol may also be given as a DECIMAL number, allowing for rules to match your own protocols, or new ones which would out-date any attempted listing.
The special protocol keyword tcp/udp may be used to match either a TCP or a UDP packet, and has been added as a convenience to save duplication of otherwise-identical rules.
The from and to keywords are used to match against IP addresses (and optionally port numbers). Rules must specify BOTH source and destination parameters.
IP addresses may be specified in one of two ways: as a numerical address /mask, or as a hostname mask netmask. The hostname may either be a valid hostname, from either the hosts file or DNS (depending on your configuration and library) or of the dotted numeric form. There is no special designation for networks but network names are recognised. Note that having your filter rules depend on DNS results can introduce an avenue of attack, and is discouraged.
There is a special case for the hostname any which is taken to be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses. Only the presence of "any" has an implied mask, in all other situations, a hostname MUST be accompanied by a mask. It is possible to give "any" a hostmask, but in the context of this language, it is non-sensical.
The numerical format "x/y" indicates that a mask of y consecutive 1 bits set is generated, starting with the MSB, so a y value of 16 would give 0xffff0000. The symbolic "x mask y" indicates that the mask y is in dotted IP notation or a hexadecimal number of the form 0x12345678. Note that all the bits of the IP address indicated by the bitmask must match the address on the packet exactly; there isn't currently a way to invert the sense of the match, or to match ranges of IP addresses which do not express themselves easily as bitmasks (anthropomorphization; it's not just for breakfast anymore).
If a port match is included, for either or both of source and destination, then it is only applied to TCP and UDP packets. If there is no proto match parameter, packets from both protocols are compared. This is equivalent to "proto tcp/udp". When composing port comparisons, either the service name or an integer port number may be used. Port comparisons may be done in a number of forms, with a number of comparison operators, or port ranges may be specified. When the port appears as part of the from object, it matches the source port number, when it appears as part of the to object, it matches the destination port number. See the examples for more information.
The all keyword is essentially a synonym for "from any to any" with no other match parameters.
Following the source and destination matching parameters, the following additional parameters may be used:
with
is used to match irregular attributes that some packets may have associated with them. To match the presence of IP options in general, use with ipopts. To match packets that are too short to contain a complete header, use with short. To match fragmented packets, use with frag. For more specific filtering on IP options, individual options can be listed.
Before any parameter used after the with keyword, the word not or no may be inserted to cause the filter rule to only match if the option(s) is not present.
Multiple consecutive with clauses are allowed. Alternatively, the keyword and may be used in place of with, this is provided purely to make the rules more readable ("with ... and ..."). When multiple clauses are listed, all those must match to cause a match of the rule.
flags
is only effective for TCP filtering. Each of the letters possible represents one of the possible flags that can be set in the TCP header. The association is as follows:
F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG
The various flag symbols may be used in combination, so that "SA" would represent a SYN-ACK combination present in a packet. There is nothing preventing the specification of combinations, such as "SFR", that would not normally be generated by law-abiding TCP implementations. However, to guard against weird aberrations, it is necessary to state which flags you are filtering against. To allow this, it is possible to set a mask indicating which TCP flags you wish to compare (i.e., those you deem significant). This is done by appending "/<flags>" to the set of TCP flags you wish to match against, e.g.:
... flags S
# becomes "flags S/AUPRFS" and will match
# packets with ONLY the SYN flag set.
... flags SA
# becomes "flags SA/AUPRFS" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA
# will match any packet with just the SYN flag set
# out of the SYN-ACK pair; the common "establish"
# keyword action. "S/SA" will NOT match a packet
# with BOTH SYN and ACK set, but WILL match "SFP".
icmp-type
is only effective when used with proto icmp and must NOT be used in conjunction with flags. There are a number of types, which can be referred to by an abbreviation recognised by this language, or the numbers with which they are associated can be used. The most important from a security point of view is the ICMP redirect.