CHAPTER 4: FILTERING CAPABILITIES
The OR operation is implemented with successive rules: a packet is accepted if it
matches any one of them. For example, to accept a packet if the source address is
xxx, or the destination address is yyy, the following rules are used:
BR-ETH:
1 ACCEPT src-addr=00-20-69-00-00-01;
2 ACCEPT dst-addr=00-20-69-00-00-02;
999 DENY;
Table 4-2 describes the keywords for the bridge protocol section and the operators
that are legal with each keyword in the rule syntax (each xx is a two-digit hexadecimal
number).
Generic Filter Rule
The syntax for generic filters is slightly different from that for other protocol filters:
<line #> <verb> GENERIC => ORIGIN = FRAME/OFFSET = <# of bytes>/LENGTH = <# of bytes>/MASK = <0x mask>/VALUE = <0x value>
■ ORIGIN - The location in the packet at which the offset count starts. This is byte 0
of the frame (FRAME).
■ OFFSET - The number of bytes from the origin to skip before comparing the value
to the packet contents.
■ LENGTH - The number of bytes in the packet to compare to the value.
■ MASK - The mask (hex) to logically AND with the packet contents before comparing
with the value.
■ VALUE - The value (hex) to compare to the masked packet contents.
For example, a generic bridge filter to prevent all IP packets from being bridged is:
BR-ETH:
1 reject generic=>origin=frame/offset=12/length=2/mask=0xFFFF/value=0x0800;
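The following evaluator is an added example, not code from the manual or from the product it documents. It shows both points made above: how a trailing DENY turns successive ACCEPT rules into an OR, and how a generic rule skips OFFSET bytes from the start of the frame, ANDs LENGTH bytes with MASK and compares the result with VALUE. The rule lines are the two rule sets from the text; the frames are constructed, not captured traffic. Three behaviours are assumptions rather than statements on this page and are marked as such in the code: rules are tried in ascending line-number order and the first match decides, a frame matching no rule is bridged, and REJECT and DENY are equivalent. The OUI rule set goes beyond the text to show a mask that compares only the first three bytes of the source address.

```python
"""Added example (not from the manual): evaluator for BR-ETH filter rules.

Assumptions not stated on the page: rules are tried in ascending line-number
order and the first match decides; a frame matching no rule is bridged (ACCEPT);
REJECT and DENY both drop the frame. Frames below are constructed.
"""
import re

RULE_RE = re.compile(r"^\s*(\d+)\s+(ACCEPT|REJECT|DENY)\s*(.*?)\s*;\s*$", re.I)
ADDR_RE = re.compile(r"^(src-addr|dst-addr)\s*(!=|=)\s*([0-9A-Fa-f-]+)$")


def mac_bytes(mac: str) -> bytes:
    """'00-20-69-00-00-01' (the manual's xx-xx-xx-xx-xx-xx form) -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split("-"))


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Ethernet II frame: dst MAC (bytes 0-5) | src MAC (6-11) | EtherType (12-13) | payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ethertype.to_bytes(2, "big") + payload


def parse_rule(line: str):
    """Parse one rule line into (number, verb, condition)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    number, verb, cond = int(m.group(1)), m.group(2).upper(), m.group(3)
    if cond == "":                                   # e.g. '999 DENY;'
        return number, verb, ("any",)
    if cond.lower().startswith("generic"):
        # generic=>origin=frame/offset=12/length=2/mask=0xFFFF/value=0x0800
        params = dict(p.split("=", 1) for p in cond.split("=>", 1)[1].split("/"))
        params = {k.strip().lower(): v.strip() for k, v in params.items()}
        if params["origin"].lower() != "frame":
            raise ValueError("only ORIGIN = FRAME is defined on this page")
        return number, verb, ("generic", int(params["offset"]), int(params["length"]),
                              int(params["mask"], 16), int(params["value"], 16))
    a = ADDR_RE.match(cond)
    if not a:
        raise ValueError(f"unsupported condition: {cond!r}")
    return number, verb, ("addr", a.group(1), a.group(2), mac_bytes(a.group(3)))


def rule_matches(cond, frame: bytes) -> bool:
    kind = cond[0]
    if kind == "any":
        return True
    if kind == "addr":
        _, field, op, mac = cond
        actual = frame[0:6] if field == "dst-addr" else frame[6:12]
        return actual == mac if op == "=" else actual != mac
    _, offset, length, mask, value = cond
    window = frame[offset:offset + length]          # skip OFFSET bytes, take LENGTH bytes
    if len(window) < length:                         # frame too short to compare: no match
        return False
    return (int.from_bytes(window, "big") & mask) == value   # AND with MASK, then compare


def evaluate(rules, frame: bytes):
    """Return (action, matching rule number), or ('ACCEPT', None) when nothing matches."""
    for number, verb, cond in sorted(rules, key=lambda r: r[0]):   # assumption: first match wins
        if rule_matches(cond, frame):
            return ("ACCEPT" if verb == "ACCEPT" else "DENY"), number
    return "ACCEPT", None                            # assumption: unmatched frames are bridged


def load(lines):
    return [parse_rule(line) for line in lines]


# The two rule sets from the text, plus an OUI match (constructed) that only
# compares the first three bytes of the source address.
OR_RULES = load(["1 ACCEPT src-addr=00-20-69-00-00-01;",
                 "2 ACCEPT dst-addr=00-20-69-00-00-02;",
                 "999 DENY;"])
NO_IP_RULES = load(["1 reject generic=>origin=frame/offset=12/length=2/mask=0xFFFF/value=0x0800;"])
OUI_RULES = load(["1 ACCEPT generic=>origin=frame/offset=6/length=3/mask=0xFFFFFF/value=0x002069;",
                  "999 DENY;"])

# Constructed frames (EtherType 0x0800 = IP, 0x0806 = ARP); addresses are made up.
IP_FRAME = build_frame("00-20-69-00-00-02", "00-20-69-00-00-AA", 0x0800, b"\x45" + b"\x00" * 19)
ARP_FRAME = build_frame("FF-FF-FF-FF-FF-FF", "00-20-69-00-00-01", 0x0806, b"\x00\x01\x08\x00")
OTHER_FRAME = build_frame("00-20-69-00-00-33", "08-00-20-00-00-44", 0x0806)

if __name__ == "__main__":
    for set_name, rules in [("OR", OR_RULES), ("NO-IP", NO_IP_RULES), ("OUI", OUI_RULES)]:
        for frame_name, frame in [("ip", IP_FRAME), ("arp", ARP_FRAME), ("other", OTHER_FRAME)]:
            print(set_name, frame_name, evaluate(rules, frame))
```

Running the block prints one decision per rule set and frame. With the OR rule set the ARP frame is accepted by rule 1 (source match), the IP frame by rule 2 (destination match), and the third frame, matching neither, falls through to the 999 DENY. With the no-IP rule set only the frame whose EtherType bytes at offset 12 equal 0x0800 is dropped.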
Step-by-Step Guide to Creating Filter Files
This section presents a step-by-step guide for creating and applying filters. These
steps assume that the filter file is created on a remote workstation and then
transferred to FLASH memory using TFTP. If you use the CLI create text command
to create the filter file, you can omit steps 9 and 10.
To create a filter file:
1 Open a new text file. Enter the file descriptor on the first line:
#filter
2 Enter the section header, followed by a colon, for the protocol rules you want to
define. For example:
BR-ETH:
3 You can comment a section header out by placing a # sign before the section
header. This is useful if you want to insert a placeholder for a protocol section you
Table 4-2 Protocol Keywords

Protocol Section  Keyword   Operators  Description and Value Range
BR-ETH            src-addr  =, !=      Source MAC address (xx-xx-xx-xx-xx-xx)
                  dst-addr  =, !=      Destination MAC address (xx-xx-xx-xx-xx-xx)
                  generic   =          Generic filter