-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathFILTERS
More file actions
52 lines (37 loc) · 1.57 KB
/
FILTERS
File metadata and controls
52 lines (37 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# $Id$
* Design notes for NCAP filter specifications
Generally, a filter specification is a sequence of filters, each being
introduced by its family name and containing one or more family-specific
rules. The point isn't to duplicate what BPF can do, but rather to make
it unnecessary to think in BPF. NCAP filter specifications are application
specific, and filter can internally generate BPF to save on context switches.
* Filter Family: "dns"
regex[=#]RE/opts
regex must match (or not) the presentation form of a message, with
options like "i" for ignore-case
initiator[=#]address[,...]
message initiator must be (or not) on this list
target[=#]address[,...]
message target must be (or not) on this list
flags[=#]tc,aa,ra,rd,qr
these message flags must be set (or unset)
rcode[=#]noerror,formerr,servfail,nxdomain,notimpl,refused
these message response codes are wanted (or unwanted)
(note, they are only checked on responses, not initiations)
opcode[=#]query,update,notify
these message opcodes are wanted (or unwanted)
qname=name
query name must match name
qtype=rrtype
query type must match rrtype
* Filter Family: "icmp"
type[=#]echoreply,unreach,sourcequench,redirect,echorequest,routeradvert
type[=#]routersolicit,timxceed,paramproblem,tstamprequest,tstampreply,
type[=#]inforeq,inforeply,maskreq,maskreply,traceroute
these icmp types are wanted (or unwanted)
type[=#]<type>
where <type> is an integer in the range 0..255
this icmp type is wanted (or unwanted)
code[=#]<code>
where <code> is an integer in the range 0..255
this icmp code is wanted (or unwanted)