genfilt Command

Purpose

Adds a filter rule.

Syntax

genfilt -v 4|6 [ -n fid] [ -a D|P|I|L|E|H|S ] -s s_addr -m s_mask [-d d_addr] [ -M d_mask] [ -g Y|N ] [ -c protocol] [ -o s_opr] [ -p s_port] [ -O d_opr] [ -P d_port] [ -r R|L|B ] [ -w I|O|B ] [ -l Y|N ] [ -f Y|N|O|H ] [ -t tid] [ -i interface] [-D description] [-e expiration_time] [-x quoted_pattern] [-X pattern_filename ] [-C antivirus_filename]

Description

Use the genfilt command to add a filter rule to the filter rule table. The filter rules generated by this command are called manual filter rules. IPsec filter rules can be configured by using the genfilt command or the IPsec smit (IP version 4 or IP version 6).

Flags

Item Description
-a Action The following Action values are allowed:
  • D (Deny) blocks traffic.
  • P (Permit) allows traffic.
  • I makes this an IF filter rule.
  • L makes this an ELSE filter rule.
  • E makes this an ENDIF filter rule.
  • H makes this a SHUN_HOST filter rule.
  • S makes this a SHUN_PORT filter rule.
All IF rules must be closed with an associated ENDIF rule. These conditional rules can be nested, but correct nesting and scope must be followed or the rules will not load correctly with the mkfilt command.
-C antivirus_filename Specifies the antivirus file name. The -C flag understands some versions of ClamAV Virus Database (http://www.clamav.net).
-c protocol The valid values are: udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip, esp, ah, and all. Value all indicates that the filter rule will apply to all the protocols. The protocol can also be specified numerically (between 1 and 252). The default value is all. Value tcp/ack implies checking for TCP packets with the ACK flag set.
-D description A short description text for the filter rule. This flag is optional for static filter rules; it is not applicable to dynamic filter rules.
-d d_addr Specifies the destination address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host will be used. This value along with the destination subnet mask will be compared against the destination address of the IP packets.
-e expiration_time Specifies the expiration time, in seconds, for which the rule remains active. The expiration_time does not remove the filter rule from the database; it only limits the time the filter rule is active while processing network traffic. If no expiration_time is specified, the filter rule never expires. If the expiration_time is specified in conjunction with a SHUN_PORT (-a S) or SHUN_HOST (-a H) filter rule, then it is the amount of time the remote port or remote host is denied (shunned) once the filter rule parameters are met. If the expiration_time is specified independently of a shun rule, then it is the amount of time the filter rule remains active once the filter rules are loaded into the kernel and start processing network traffic.
-f Specifies fragmentation control: whether this rule applies to all packets (Y), fragment headers and unfragmented packets only (H), fragments and fragment headers only (O), or unfragmented packets only (N). The default value is Y.
-g Specifies whether the rule applies to source-routed packets. Must be specified as Y (yes) or N (no). If Y is specified, this filter rule can apply to IP packets that use source routing. The default value is Y (yes). This field only applies to permit rules.
-i interface Specifies the name of the IP interface(s) to which the filter rule applies. Examples of interface names are: all, tr0, en0, lo0, and pp0. The default value is all.
-l Specifies the log control. Must be specified as Y (yes) or N (no). If specified as Y, packets that match this filter rule will be included in the filter log. The default value is N (no).
-M Specifies the destination subnet mask. This is used in the comparison of the IP packet's destination address with the destination address of the filter rule.
-m Specifies the source subnet mask. This is used in the comparison of the IP packet's source address with the source address of the filter rule.
-n Specifies the filter rule ID. The new rule will be added BEFORE the filter rule you specify. For IP version 4, the ID must be greater than 1 because the first filter rule is a system generated rule and cannot be moved. If this flag is not used, the new rule will be added to the end of the filter rule table.
-O Specifies the destination port or ICMP code operation. This is the operation that will be used in the comparison between the destination port/ICMP code of the packet with the destination port or ICMP code (-P flag). The valid values are: lt, le, gt, ge, eq, neq, and any. The default value is any. This value must be any when the -c flag is ospf.
-o Specifies the source port or ICMP type operation. This is the operation that will be used in the comparison between the source port/ICMP type of the packet with the source port or ICMP type (-p flag) specified in this filter rule. The valid values are: lt, le, gt, ge, eq, neq, and any. The default value is any. This value must be any when the -c flag is ospf.
-p Specifies the source port or ICMP type. This is the value/type that will be compared to the source port (or ICMP type) of the IP packet.
-P Specifies the destination port/ICMP code. This is the value/code that will be compared to the destination port (or ICMP code) of the IP packet.
-r Routing. This specifies whether the rule will apply to forwarded packets (R), packets destined or originated from the local host (L), or both (B). The default value is B.
-s s_addr Specifies the source address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host will be used. This value along with the source subnet mask will be compared against the source address of the IP packets.
-t Specifies the ID of the tunnel related to this filter rule. All the packets that match this filter rule must go through the specified tunnel. If this flag is not specified, this rule will only apply to non-tunnel traffic.
-v Specifies the IP version of the filter rule. Valid values are 4 and 6.
-w Direction Specifies whether the rule applies to incoming packets (I), outgoing packets (O), or both (B). The default value is B. It is not valid to use the (O) outgoing direction with the -x, -X, or -C pattern options. It is valid to specify the (B) both directions with the pattern options, but only the incoming packets are checked against the patterns.
-X pattern_filename Specifies the pattern file name. If more than one pattern is associated with this filter rule, then a pattern file name must be used. The pattern file must contain one pattern per line. A pattern is an unquoted character string. This file is read once when the filter rules are activated. For more information, see the mkfilt command.
-x pattern Specifies the quoted character string or pattern. This string specified is interpreted as an ASCII string unless it is preceded by a 0x, in which case it is interpreted as a hexadecimal string. The -x pattern is compared against network traffic.
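
The rule set below is an added example and is not part of the AIX reference or of the genfilt command's own documentation. It uses the flags described above to build an IPv4 filter table for a single host: permit SSH from a management subnet, permit TCP replies (tcp/ack) to connections the host opened, shun hosts that probe the telnet port for 600 seconds, permit all outbound traffic, and log-and-deny everything else inbound. Assumptions: the addresses are constructed samples from the RFC 5737 test networks, 0.0.0.0 with mask 0.0.0.0 is used to mean any address, and the mkfilt flags named in the comments are from memory rather than from this page. With DRY_RUN=1 (the default) the script prints the genfilt commands instead of running them, and it checks that IF (-a I) and ENDIF (-a E) actions are balanced before anything is written, since the -a description above notes that badly nested conditional rules will not load with mkfilt.

```shell
#!/bin/sh
# Added example, not from the AIX reference page. Builds a small IPv4 filter
# rule set with genfilt and validates IF/ENDIF nesting before applying it.
# Addresses are constructed samples (RFC 5737 TEST-NET ranges); 0.0.0.0 with
# mask 0.0.0.0 is assumed to mean "any address". DRY_RUN=1 (the default)
# prints the genfilt commands instead of executing them.

MGMT_NET="192.0.2.0";      MGMT_MASK="255.255.255.0"     # constructed sample
HOST_ADDR="198.51.100.10"; HOST_MASK="255.255.255.255"   # constructed sample
ANY_ADDR="0.0.0.0";        ANY_MASK="0.0.0.0"

# emit: print one genfilt command (DRY_RUN=1) or execute it (DRY_RUN=0).
emit() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'genfilt %s\n' "$*"
    else
        genfilt "$@"
    fi
}

# ruleset: rules are appended in order (no -n), so the first matching rule
# wins and the catch-all deny must come last. Use -n <fid> to insert a rule
# before an existing rule fid instead of appending.
ruleset() {
    # 1. SSH from the management subnet only; -O eq -P 22 matches dst port 22.
    emit -v 4 -a P -s "$MGMT_NET" -m "$MGMT_MASK" -d "$HOST_ADDR" -M "$HOST_MASK" \
         -c tcp -O eq -P 22 -w I -r L -l N -D ssh_from_mgmt
    # 2. Replies to connections this host opened: TCP segments with ACK set.
    emit -v 4 -a P -s "$ANY_ADDR" -m "$ANY_MASK" -d "$HOST_ADDR" -M "$HOST_MASK" \
         -c tcp/ack -w I -r L -l N -D tcp_replies
    # 3. Shun any host that touches the telnet port, for 600 seconds. With
    #    -a H, -e is the shun duration, not the lifetime of the rule itself.
    emit -v 4 -a H -s "$ANY_ADDR" -m "$ANY_MASK" -d "$HOST_ADDR" -M "$HOST_MASK" \
         -c tcp -O eq -P 23 -w I -r L -l Y -e 600 -D shun_telnet_probes
    # 4. All outbound traffic from this host.
    emit -v 4 -a P -s "$HOST_ADDR" -m "$HOST_MASK" -d "$ANY_ADDR" -M "$ANY_MASK" \
         -c all -w O -r L -l N -D outbound
    # 5. Default deny for anything else inbound, logged (-l Y) for review.
    emit -v 4 -a D -s "$ANY_ADDR" -m "$ANY_MASK" -d "$ANY_ADDR" -M "$ANY_MASK" \
         -c all -w I -r L -l Y -D default_deny
}

# actions_of: extract the -a value of each printed genfilt line, one per line.
actions_of() {
    sed -n 's/.* -a \([A-Z]\) .*/\1/p'
}

# check_nesting: read action codes from stdin and confirm that every IF (I)
# is closed by an ENDIF (E) and that no ENDIF appears before its IF; mkfilt
# will not load an unbalanced table. Returns 0 when balanced, 1 otherwise.
check_nesting() {
    depth=0
    while read -r action; do
        case "$action" in
            I) depth=$((depth + 1)) ;;
            E) depth=$((depth - 1)) ;;
        esac
        [ "$depth" -ge 0 ] || return 1
    done
    [ "$depth" -eq 0 ]
}

# main: validate the rule set in dry-run mode, then emit it for real when
# DRY_RUN=0. genfilt only writes the rule table; activating it is done with
# mkfilt (assumed here to be "mkfilt -v 4 -u", from memory, not from the page).
main() {
    (DRY_RUN=1; ruleset) | actions_of | check_nesting || {
        echo "unbalanced IF/ENDIF rules; not applying" >&2
        return 1
    }
    ruleset
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as DRY_RUN=1 sh rules.sh --run to review the five genfilt commands, then as a privileged user with DRY_RUN=0 to write them. Order matters because the table is evaluated top down: the rules here are appended without -n, so the catch-all deny lands last; adding -n fid to a later call would instead insert that rule before rule fid.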

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.