Overview
Fast Path Filtering IPv4 provides IPv4 filtering in the fast path.
To ensure maximal performance, this module implements simple functions based on information found in the shared memory.
If the module cannot find in the shared memory the relevant information based on the L3, L4 and L5 headers, the fast path raises an exception. In accordance with the configured filter rules with higher priorities, this exception either:
- interacts with other 6WINDGate entities, or
- drops the packet for security reasons.
Features
- Filtering, stateless 5-tuple based ACLs (Netfilter)
- Support for the filter, mangle, raw and NAT tables
- Rules per VR
- “Netfilter-like” connection tracking (limited to the tcp, udp, sctp, gre, ah, esp and ipip protocols)
- Fast lookup tables
- RPF check
- Support for the following netfilter targets:
  - DROP
  - ACCEPT
  - RETURN
  - SNAT
  - DNAT
  - MARK
  - DSCP
  - TOS
  - REJECT
  - CHECKSUM
  - MASQUERADE
  - NETMAP
  - NOTRACK
  - CT (limited to --zone, --notrack and --helper)
  - CONNMARK
  - CLASSIFY
  - user-defined chains
- Support for conntrack zones
- Support for the following netfilter matches:
  - addrtype (limited to --src-type and --dst-type with the unicast, local, broadcast, multicast, blackhole and throw route types)
  - BPF (cBPF only)
  - comment
  - connmark
  - conntrack (limited to --ctstate, --ctdir and --ctstatus)
  - devgroup
  - dscp
  - frag
  - hashlimit
  - icmp
  - icmp6
  - limit
  - mac
  - mark
  - multiport
  - nfacct (limited support)
  - owner (limited support)
  - physdev
  - policy (see the limitations below)
  - rpfilter
  - sctp
  - set
  - state
  - tcp
  - tcpmss
  - tos
  - u32
  - udp
- Support for the following ip set types:
  - hash:ip
  - hash:net
  - hash:mac
  - hash:net,net
  - hash:net,port
  - hash:net,port,net
  - hash:ip,port
  - hash:ip,port,ip
  - hash:ip,port,net
policy match support
Options supported: --dir {in|out} --pol {none|ipsec} --proto {ah|esp} [!] --mode {tunnel|transport}
All other options of the policy match are not supported.
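A rule that uses any other policy option will not be handled by this module, so it is worth checking a rule set against the supported subset before pushing it to the fast path. The POSIX shell checker below is an added example, not part of the 6WINDGate product or its documentation; `fp_policy_check` is a hypothetical helper name and the rule strings it scans are constructed samples.

```shell
#!/bin/sh
# Added example (not 6WINDGate code): check that the "-m policy" options of an
# iptables rule stay within the subset the fast path supports, namely
# --dir {in|out}, --pol {none|ipsec}, --proto {ah|esp} and [!] --mode {tunnel|transport}.
# A rule using any other policy option is flagged so it can be fixed before deployment.

# fp_policy_check RULE
#   Returns 0 when the policy match is fully supported, 1 otherwise; on failure the
#   first offending option (or option/value pair) is printed on stdout.
fp_policy_check() {
    prev=""; in_policy=0; opt=""; neg=0
    for tok in $1; do
        if [ "$in_policy" -eq 0 ]; then
            # only the tokens that follow "-m policy" are examined
            [ "$prev" = "-m" ] && [ "$tok" = "policy" ] && in_policy=1
            prev=$tok
            continue
        fi
        if [ -n "$opt" ]; then
            # previous token was an option: this token must be one of its allowed values
            case "$opt:$tok" in
                --dir:in|--dir:out|--pol:none|--pol:ipsec|--proto:ah|--proto:esp) ;;
                --mode:tunnel|--mode:transport) ;;
                *) echo "$opt $tok"; return 1 ;;
            esac
            opt=""; neg=0
            continue
        fi
        case "$tok" in
            '!') neg=1 ;;                     # negation is only documented for --mode
            --mode) opt=$tok ;;
            --dir|--pol|--proto)
                [ "$neg" -eq 0 ] || { echo "! $tok"; return 1; }
                opt=$tok ;;
            -m|-j|-g) in_policy=0; prev=$tok ;;   # end of the policy match
            *) echo "$tok"; return 1 ;;       # anything else, e.g. --reqid or --spi
        esac
    done
    return 0
}

# Constructed sample rules: the first is fully supported, the second uses --reqid.
for rule in \
  '-A INPUT -s 10.0.0.0/8 -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT' \
  '-A INPUT -s 10.0.0.0/8 -m policy --dir in --pol ipsec --reqid 1 -j ACCEPT'
do
    if bad=$(fp_policy_check "$rule"); then echo "fast path OK: $rule"
    else echo "unsupported ($bad): $rule"; fi
done
```

Rules that carry no `-m policy` match at all pass unchanged, since the checker only inspects the policy options themselves.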