HP-UX IPFilter Version 16 Administrator's Guide

block|pass in|out [processing_options] [proto protocol] ip_selector
with v6hdrs ipv6_header
where:
processing_options is one or more processing options, such as quick. See “Processing
Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 24) for
more information.
ip_selector is the IP address specification: either the keyword all, or the from and to
keywords with IPv6 addresses and optional ports. See “Basic Rule Syntax: Specifying the Action,
Direction, Protocol, IP Addresses, and Ports” (page 21) for more information.
protocol is the protocol name or number. See “Basic Rule Syntax: Specifying the Action,
Direction, Protocol, IP Addresses, and Ports” (page 21) for more information.
ipv6_header is one or more of the following IPv6 extension header types, separated by
commas (,):
dstopts (Destination options header)
hopopts (Hop-by-hop options header)
mobility (Mobile IPv6 Mobility header)
routing (Routing options header)
ah (IPsec Authentication Header)
esp (IPsec Encapsulating Security Payload)
ipv6 (IPv6 tunneled packets)
For example, to block all TCP packets with a Routing options header, use the following rule:
block in proto tcp from any to any with v6hdrs routing
To block all UDP packets with destination option and mobility headers, use the following rule:
block in proto udp from any to any with v6hdrs dstopts,mobility
NOTE: Extension headers are matched explicitly: a packet must carry every header listed after
v6hdrs. A packet with only a destination options header does not match the previous rule; only
packets with both a destination options header and a mobility header match it.
Filtering Tunneled Packets
HP-UX IPFilter can filter the following types of tunneled packets. In the 6-in-4 and 6-in-6 cases
the encapsulated packet is IPv6, so the outer header carries protocol number 41 in both cases; in
the 4-in-6 case the encapsulated packet is IPv4.
6-in-4
Use the following rule to filter 6-in-4 tunnel packets:
block in proto 41 from any to any
6-in-6
Use the following rule to filter 6-in-6 tunnel packets:
block in proto 41 from any to any
4-in-6
Use the following rule to filter 4-in-6 tunnel packets:
block in proto ip from any to any
Filtering IPv6 Fragments
You can filter IPv6 fragments by specifying frags as the v6hdrs header type. Use the following
rule to filter IPv6 fragmented traffic:
block in proto udp from any to any with v6hdrs frags
Unlike its IPv4 fragment handling, HP-UX IPFilter does not maintain a fragment cache for IPv6
fragments.
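To make the v6hdrs matching semantics above concrete, the following is an added Python example, not code from the HP-UX IPFilter guide or from IPFilter itself. It walks the extension-header chain of a raw IPv6 packet, reports which v6hdrs keywords the packet would satisfy, and applies the rules from this section with the all-of semantics described in the NOTE. The packets, the walk_ext_headers and rule_matches functions, and the header-builder helpers are all constructed here for illustration; rule_matches models only the proto and v6hdrs parts of a rule, not addresses, ports or direction.

```python
import struct
from ipaddress import IPv6Address

# IANA next-header numbers for the extension headers that v6hdrs can name.
EXT_KEYWORDS = {0: "hopopts", 43: "routing", 44: "frags", 50: "esp",
                51: "ah", 60: "dstopts", 135: "mobility", 41: "ipv6"}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp6": 58, "esp": 50, "ah": 51, "ipv6": 41}


def walk_ext_headers(pkt):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (set of v6hdrs keywords present, next-header value of the upper
    layer). The walk stops at ESP (everything after it is encrypted) and at an
    inner IPv6 header (a 6-in-6 tunnel); both are reported as the protocol.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = pkt[6], 40, set()
    while True:
        if nh in (50, 41):                   # esp / ipv6: opaque from here on
            seen.add(EXT_KEYWORDS[nh])
            return seen, nh
        if nh not in EXT_KEYWORDS:           # upper-layer protocol reached
            return seen, nh
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == 44:                         # fragment header: fixed 8 octets
            length = 8
        elif nh == 51:                       # AH: Payload Len in 4-octet units, minus 2
            length = (pkt[off + 1] + 2) * 4
        else:                                # hopopts/dstopts/routing/mobility:
            length = (pkt[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, excluding the first 8
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        seen.add(EXT_KEYWORDS[nh])
        nh, off = pkt[off], off + length     # Next Header is the first octet of every ext header


def rule_matches(pkt, proto=None, v6hdrs=()):
    """Model the 'proto P ... with v6hdrs a,b' part of a rule (hypothetical
    helper, not IPFilter's own matcher). proto is compared with the upper-layer
    protocol found after the extension headers; v6hdrs is all-of: every listed
    header must be present, so a packet carrying only one of them does not match."""
    present, upper = walk_ext_headers(pkt)
    if proto is not None and PROTO_NUMBERS.get(proto, proto) != upper:
        return False
    return set(v6hdrs) <= present


# --- constructed sample packets (not captured traffic) -----------------------
def ipv6_packet(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      IPv6Address(src).packed, IPv6Address(dst).packed)
    return hdr + payload

def opts_hdr(next_header):        # hop-by-hop or destination options: one PadN(4) option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def routing_hdr(next_header):     # type-0 routing header, zero segments left
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 0])

def fragment_hdr(next_header, offset, more, ident):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)

def mobility_hdr(next_header):    # Payload Proto is 59 per RFC 6275; 17 below is
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 0])  # non-standard, used to show all-of matching

TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
UDP_DGRAM = struct.pack("!HHHH", 40000, 53, 8, 0)

SAMPLES = {
    "tcp_routing": ipv6_packet(43, routing_hdr(6) + TCP_SEGMENT),
    "udp_dstopts_only": ipv6_packet(60, opts_hdr(17) + UDP_DGRAM),
    "udp_dstopts_mobility": ipv6_packet(60, opts_hdr(135) + mobility_hdr(17) + UDP_DGRAM),
    "udp_first_frag": ipv6_packet(44, fragment_hdr(17, 0, 1, 0xC0FFEE) + UDP_DGRAM),
    "udp_later_frag": ipv6_packet(44, fragment_hdr(17, 1, 0, 0xC0FFEE) + b"\x00" * 8),
    "esp": ipv6_packet(50, b"\x00" * 16),
    "six_in_six": ipv6_packet(41, ipv6_packet(17, UDP_DGRAM)),
}


def demo():
    """Apply the rules from this section to the constructed packets."""
    return {
        "tcp with routing": rule_matches(SAMPLES["tcp_routing"], "tcp", ["routing"]),
        "dstopts only vs dstopts,mobility": rule_matches(SAMPLES["udp_dstopts_only"], "udp", ["dstopts", "mobility"]),
        "dstopts+mobility": rule_matches(SAMPLES["udp_dstopts_mobility"], "udp", ["dstopts", "mobility"]),
        "first fragment": rule_matches(SAMPLES["udp_first_frag"], "udp", ["frags"]),
        "later fragment": rule_matches(SAMPLES["udp_later_frag"], "udp", ["frags"]),
        "esp": rule_matches(SAMPLES["esp"], "esp", ["esp"]),
        "6-in-6 via proto 41": rule_matches(SAMPLES["six_in_six"], 41),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{'block' if hit else 'pass '}  {name}")
```

Two things the walk makes visible: the "later fragment" sample matches proto udp purely on the Next Header value stored in the fragment header, because a non-first fragment carries no UDP header at all, so with no IPv6 fragment cache there is nothing for a port test to examine on such a fragment; and the 6-in-6 sample is reported as protocol 41 without looking inside the inner packet, which is why the proto 41 rule on this page catches it.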
IPv6 Filter Rule Syntax Differences 39