HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

3.5.3 Specifying IP options: with opt and ipopts
IPFilter can filter packets based on IP options using the with opt and with ipopts keywords.
Use the with opt keywords to filter packets with one or more IP options as follows:
with opt option[,option]
where option is one of the following abbreviations for an IP option:
addext (Address Extension)
cipso (Commercial Security)
e-sec (Extended Security)
eip (Extended Internet Protocol)
encode (Encode)
finn (Flow Control - experimental)
imitd (IMI Traffic Descriptor)
lsrr (Loose Source Route, or Loose Source Record Route)
mtup (MTU Probe - decremented)
mtur (MTU Response - decremented)
nop (No Operation)
rr (Record Route)
satid (Stream ID)
sec (Security)
ssrr (Strict Source Route, or Strict Source Record Route)
tr (Traceroute)
ts (Time Stamp)
visa (Access Control - experimental)
zsu (Measurement - experimental)
The IANA list of assigned IP option numbers specifies the numeric values for the IP options and
lists the documents that define these options. This list is available at the following URL:
http://www.iana.org/assignments/ip-parameters
For example, the following rule blocks all IP packets with the Loose Source Record Route (LSRR) or
Strict Source and Record Route (SSRR) option set:
block in quick all with opt lsrr,ssrr
3.5.3.1 Specifying options not set: not opt
You can also configure rules to pass or block packets that do not have a specific option set:
with [opt option] not opt option
For example:
pass in from any to any with opt ssrr not opt lsrr
3.5.3.2 Specifying any IP options: ipopts
Use the keywords with ipopts to select packets with any IP options set or with not ipopts
to select packets that have no IP options set. For example:
block in all with ipopts
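The following added example (not part of the HP guide or of IPFilter) walks the options area of an IPv4 header and reports which of the abbreviations listed above a packet carries, which helps when deciding which with opt keyword a captured packet would hit. The function names, the sample headers, the rejection of malformed options, and the reading of with ipopts as "header longer than 20 bytes" are assumptions of this example.

```python
import struct

# IANA option-type numbers for the abbreviations in the list above.
IPF_OPT = {1: "nop", 7: "rr", 10: "zsu", 11: "mtup", 12: "mtur", 15: "encode",
           68: "ts", 82: "tr", 130: "sec", 131: "lsrr", 133: "e-sec",
           134: "cipso", 136: "satid", 137: "ssrr", 142: "visa",
           144: "imitd", 145: "eip", 147: "addext", 205: "finn"}

def ip_options(packet: bytes) -> set:
    """Return the abbreviations of the IP options carried in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hlen = (packet[0] & 0x0F) * 4          # IHL is counted in 32-bit words
    if hlen < 20 or hlen > len(packet):
        raise ValueError("bad header length")
    opts, found, i = packet[20:hlen], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List: rest is padding
            break
        if kind == 1:                      # NOP is a single byte, no length field
            found.add("nop")
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        found.add(IPF_OPT.get(kind, "unlisted-%d" % kind))
        i += opts[i + 1]
    return found

def has_ipopts(packet: bytes) -> bool:
    """Assumed reading of 'with ipopts': the header is longer than 20 bytes."""
    return (packet[0] & 0x0F) * 4 > 20

def sample_header(options: bytes) -> bytes:
    """Constructed IPv4 header (documentation addresses, zero checksum)."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + options

LSRR = sample_header(bytes([131, 7, 4, 203, 0, 113, 9]))    # constructed: loose source route
NOP_RR = sample_header(bytes([1, 7, 7, 4, 0, 0, 0, 0]))     # constructed: NOP, then Record Route
PLAIN = sample_header(b"")                                  # constructed: no options

if __name__ == "__main__":
    for name, pkt in (("LSRR", LSRR), ("NOP_RR", NOP_RR), ("PLAIN", PLAIN)):
        print(name, sorted(ip_options(pkt)), has_ipopts(pkt))
```

Option types that are not in the list above are reported as unlisted-N, where N is the option-type number.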
3.5.4 Selecting fragmented IP packets: with frag and with short
The with frag and with short keywords enable you to select IP packet fragments and short
IP packets.