NAME

Filter - The PCXFireWall Filter Table Module.


SYNOPSIS

  use PCXFireWall::Filter;
  my $obj = PCXFireWall::Filter->new(configObj => $configObj,
            interfaceObj => $interfaceObj);


DESCRIPTION

Filter is the Module for the PCXFireWall representing the Filter Table.


FUNCTIONS

  scalar new(configObj, interfaceObj)
    Creates a new instance of the PCXFireWall::Filter
    object.  This is called by the generator script.  configObj
    allows us to be aware of the config changes the user makes in
    regards to the installPath, comments, etc.  interfaceObj allows
    us to be aware of the network interfaces the user defines.
  void policy(chain, policy, preComment, postComment)
    Sets the default policy of chain to policy.  Valid values are
    INPUT, OUTPUT and FORWARD for chain and ACCEPT or DENY for policy.
  void createChain(name, preComment, postComment)
    Makes an entry in userChains for the specified chain and then makes
    an entry in rules for the command to create the chain.
  void flushChain(name, preComment, postComment)
    name can be 'All' which will empty all user defined chains.
    A rule will be added which would flush the specified chain.
  void deleteChain(name, preComment, postComment)
    name can be 'All' which will delete all user defined chains.
    The chain(s) will be removed from userChains (if present) and then
    a rule(s) will be added which would delete the chain.  The chain(s)
    will have rules created to flush them before we delete it so that
    it will always work.  Thus you don't need to call flushChain unless
    you are not planning on deleting the chain.
  Valid parameters for the "rules" methods.  If string is empty, then
  that parameter is left out of the generated rule and iptables will
  use whatever default it deems fit.  Items marked with a * are boolean
  values and take 1 or 0.  If 0, then they are ignored (they default to
  being 0).  Any parameters marked with a ** are required.
  i = input interface (only valid in INPUT, PREROUTING, FORWARD)
  o = output interface (only valid in OUTPUT, POSTROUTING, FORWARD)
  s = source address (if value is inInterfaceIP then I will substitue
                      the IP address of i, else if value is
                      outInterfaceIP then I will substitue the IP
                      address of o, else we use the specified value.
                      If value is !inInterfaceIP or !outInterfaceIP,
                      then the resulting IP Address is prefixed with
                      a ! space.
                      inInterfaceBroadcast and outInterfaceBroadcast
                      will use the value of the shell variable
                      <interface>BROADCAST for the source address.)
  d = destination address (same as s for inInterfaceIP/outInterfaceIP
                         and inInterfaceBroadcast/outInterfaceBroadcast)
  f = fragment *
  nf = ! fragment (nf and f can not both be 1) *
  tcp-flags format is "!? flag,flag,flag flag,flag" (? = optional)
  syn = --syn *
  nsyn = ! --syn (syn and nsyn can not both be 1) *
  mac = -m mac (only valid with chain = PREROUTING, FORWARD or INPUT) *
    mac-source = !? MAC address to match (mac must = 1)
  limit = -m limit *
    limit-rate = --limit rate (limit must be 1)
    limit-burst (limit must be 1)
  multiport = -m multiport *
    source-port (multiport must be 1)
    destination-port (multiport must be 1)
    port (multiport must be 1)
  mark = -m mark *
    mark-value = --mark value
  state = -m state *
    states = --state
  unclean = -m unclean *
  tos = -m tos *
    tos-value = --tos tos
  chain = name of chain to use (INPUT, OUTPUT, FORWARD or user defined)**
  p = protocol (tcp, udp, icmp or "" = all)
  dport = destination port
  sport = source port
  (dport and sport are only valid when p = tcp or udp)
  int = interface ("" = all interfaces)
  insert = insert the rule at the specified offset. *
  append = append the rule to the chain. *  (This is the default action)
  rule-offset = Offset to insert the rule at.  Defaults to 1.
  (If append = 1 (by default) and insert = 1 then the insert and
  rule-offset values will be used, else we append the rule.)
  log (in all rules except log, generate a log rule before the action) *
    log-level = syslog level (defaults to notice)
    log-prefix = string to identify the log entry by.
    log-tcp-sequence *  (This is a security risk)
    log-tcp-options *
    log-ip-options *
    (to use any of these options, log must be = 1 or in rule log)
    log-limit = -m limit *
    log-limit-rate = --limit rate (log-limit must be 1)
    log-limit-burst (log-limit must be 1)
  tcp-option (only valid with p = tcp)
  icmp-type (only valid with p = icmp)
  ttl = --ttl ttl
  preComment - text before the rule.
  postComment - text after the rule.
  ruleMode - (setup or normal) Allows you to specify which array the rule
              should be placed in so that it gets output correctly.
  See the man page for iptables for valid combinations.
  NOTE: When using any of the following methods and you specify log => 1,
    you must also specify log-limit, log-limit-rate, log-limit-burst
    as seperate from limit, limit-rate and limit-burst if you want to
    limit the log rule and the parent rule at different rates.  If you
    only specify limit, limit-rate and limit-burst then only the parent
    rule will be limited, the log rule will not be limited.  Thus if you
    want to limit both the log and the parent rule you must specify both
    limit, log-limit, limit-rate, and log-limit-rate, etc.  This allows
    you to limit the logging but not the rule itself, and vice a versa.
    The parent rule will set log = 0 to make sure that any limiting you
    wanted to be done will take place.
  void log()
    A rule will be created to log the specified packets based upon the
    given parameters.  If nothing is specified, then the rule will be
    generated for all chains, all protocols, all interfaces.
  void accept()
    A rule will be created to ACCEPT the specified packets based upon
    the given parameters.  If nothing is specified, then the rule will be
    generated for all chains, all protocols, all interfaces.
  void drop()
    A rule will be created to DROP the specified packets based upon
    the given parameters.  If nothing is specified, then the rule will be
    generated for all chains, all protocols, all interfaces.
  void return()
     A rule will be created to RETURN to the calling chain.
  void queue()
     A rule will be created to QUEUE the packet to user space.
  void jump(dchain)
    A rule will be created to JUMP to the specified chain based upon
    the given parameters.  chain must be specified.  dchain is the
    destination chain to jump to and must also be specified.  dchain can
    only be a user defined chain.
  void reject(reject-with)
    A rule will be created to REJECT the specified packets based upon
    the given parameters.  You can only reject tcp or icmp packets.
    See man page for values of reject-with.
  Helper methods for /proc entries.
    You must use the Proc modules methods.
  Internally used methods.
  void display(fh, mode)
    This routine will write the rules to the file via fh.  This is called
    by the generator script.  If mode = 'normal' then we display all rules
    from the rules array, else if mode = 'setup' then we display all
    rules from the setupRules array which contains chain creation,
    flushing, etc. and any rules that are detected to relate to DNS.
  void appendRule(rule, mode)
    This routine will append the rule to the end of the rules array.
    This is called internally by all the rule generating routines in this
    module.  If mode = 'normal' then the rule is appended to the rules
    array else if mode = 'setup' then the rule is appened to the
    setupRules array.

  scalar lookupAlias(int)
    requires: int - interface (i or o value)
    returns: alias associated with that interface uppercased.


VARIABLES

  userChains - The chains that the user creates.  Type is hash.
  rules - All rules that will be generated are stored here.
          Type is array.
  setupRules - All setup and dns related rules will be stored here.
               Type is array.
  NOTE:  All data fields are accessible by specifying the object
         and pointing to the data member to be modified on the
         left-hand side of the assignment.
         Ex.  $obj->variable($newValue); or $value = $obj->variable;


AUTHOR

Xperience, Inc. (mailto:admin at pcxperience.com)


SEE ALSO

perl(1)