Overview

Fast Path Filtering IPv6 provides IPv6 filtering in the fast path.

To ensure maximal performance, this module implements simple functions based on information found in shared memory.

If the module cannot find the relevant information in shared memory for a packet's L3, L4 and L5 headers, the fast path raises an exception.

In accordance with the configured filter rules of higher priority, this exception either:

  • interacts with other 6WINDGate entities, or

  • drops the packet for security reasons.

Features

  • Filtering, stateless 5-tuple based ACLs (Netfilter)

  • Support for the filter, mangle and raw tables

  • Rules per VR

  • “Netfilter-like” connection tracking (limited to tcp, udp, sctp, gre, ah, esp and ipip protocols)

  • Fast lookup tables

  • RPF Check

  • Support for the following netfilter targets
    • DROP

    • ACCEPT

    • RETURN

    • MARK

    • DSCP

    • TOS

    • REJECT

    • CHECKSUM

    • NOTRACK

    • CT (limited to --zone and --notrack)

    • CONNMARK

    • CLASSIFY

    • user-defined chains

  • Support for conntrack zones

  • Support for the following netfilter matches:
    • BPF (cBPF only)

    • comment

    • connmark

    • conntrack (--ctstate only)

    • dscp

    • frag

    • hashlimit

    • icmp

    • icmp6

    • limit

    • mac

    • mark

    • multiport

    • nfacct (limited support)

    • physdev

    • policy (see limitations below)

    • rpfilter

    • sctp

    • set

    • state

    • tcp

    • tos

    • u32

    • udp

  • Support for the following ip set types:
    • hash:ip

    • hash:net

    • hash:mac

    • hash:net,net

    • hash:net,port

    • hash:net,port,net

    • hash:ip,port

    • hash:ip,port,ip

    • hash:ip,port,net

  • Next hop marking (if the fast path filter module is present)

Policy match support

Options supported: --dir {in|out} --pol {none|ipsec} --proto {ah|esp} [!] --mode {tunnel|transport}

No other options of the policy match are supported.
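The feature list above and this policy match section together define the subset of tables, targets, matches and options that the fast path can evaluate from shared memory; a rule outside that subset is accepted by Linux but makes the fast path raise the exception described in the overview, so the packet leaves the fast path. The following added example (not 6WINDGate code: `parse_rule`, `check_options` and `lint_dump` are names chosen here, the supported sets are transcribed from this page, and the ip6tables-save excerpt is constructed) lints a rule dump and reports every rule that would fall outside the listed subset:

```python
import shlex

SUPPORTED_TABLES = {"filter", "mangle", "raw"}
SUPPORTED_TARGETS = {"DROP", "ACCEPT", "RETURN", "MARK", "DSCP", "TOS", "REJECT",
                     "CHECKSUM", "NOTRACK", "CT", "CONNMARK", "CLASSIFY"}
SUPPORTED_MATCHES = {"bpf", "comment", "connmark", "conntrack", "dscp", "frag",
                     "hashlimit", "icmp", "icmp6", "limit", "mac", "mark",
                     "multiport", "nfacct", "physdev", "policy", "rpfilter",
                     "sctp", "set", "state", "tcp", "tos", "u32", "udp"}
# Matches and targets for which the page lists only a subset of options.
OPTION_LIMITS = {"policy": {"--dir", "--pol", "--proto", "--mode"},
                 "conntrack": {"--ctstate"}, "CT": {"--zone", "--notrack"}}
# Values the page lists for the supported policy match options.
POLICY_VALUES = {"--dir": {"in", "out"}, "--pol": {"none", "ipsec"},
                 "--proto": {"ah", "esp"}, "--mode": {"tunnel", "transport"}}


def parse_rule(line):
    """Split an '-A CHAIN ...' line into (chain, matches, target): matches is
    [(name, [(option, value_or_None), ...]), ...], target is (name, [...]) or
    None.  Each --option is attributed to the most recent -m or -j."""
    toks = shlex.split(line)
    chain, matches, target, current, i = None, [], None, None, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-A":
            chain, i = toks[i + 1], i + 2
        elif tok == "-m":
            current = []
            matches.append((toks[i + 1], current))
            i += 2
        elif tok == "-j":
            current = []
            target = (toks[i + 1], current)
            i += 2
        elif tok.startswith("--"):
            value = None
            if i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!")):
                value, i = toks[i + 1], i + 1
            if current is not None:
                current.append((tok, value))
            i += 1
        elif tok.startswith("-"):
            i += 2          # generic option with a value: -p, -s, -d, -i, -o
        else:
            i += 1          # '!' negation or anything unexpected
    return chain, matches, target


def check_options(name, options):
    """Reasons why a match's or target's options fall outside the listed subset."""
    allowed, reasons = OPTION_LIMITS.get(name), []
    for opt, value in options:
        if allowed is not None and opt not in allowed:
            reasons.append(f"{name} option {opt} is not supported")
        elif name == "policy" and value not in POLICY_VALUES[opt]:
            reasons.append(f"policy {opt} value {value!r} is not supported")
    return reasons


def lint_dump(text):
    """Return [(line_no, reason), ...] for every line the fast path cannot handle."""
    findings, table, chains = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):             # table header
            table, chains = line[1:], set()
            if table not in SUPPORTED_TABLES:
                findings.append((n, f"table {table} is not handled in the fast path"))
        elif line.startswith(":"):           # chain declaration, built-in or user-defined
            chains.add(line[1:].split()[0])
        elif table in SUPPORTED_TABLES:      # rules of unsupported tables were reported above
            _chain, matches, target = parse_rule(line)
            for name, options in matches:
                if name not in SUPPORTED_MATCHES:
                    findings.append((n, f"match {name} is not supported"))
                findings.extend((n, r) for r in check_options(name, options))
            if target is not None:
                name, options = target
                if name not in SUPPORTED_TARGETS and name not in chains:
                    findings.append((n, f"target {name} is not supported"))
                findings.extend((n, r) for r in check_options(name, options))
    return findings


# Constructed ip6tables-save excerpt for the demo, not captured from a real system.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:vpn-in - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp --mode tunnel -j vpn-in
-A INPUT -m policy --dir in --pol ipsec --strict -j DROP
-A INPUT -m conntrack --ctstate NEW --ctproto 6 -j DROP
-A INPUT -p tcp -m string --algo bm --string "probe" -j DROP
-A INPUT -j LOG --log-prefix "drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
COMMIT
"""
```

Calling `lint_dump(SAMPLE_DUMP)` reports the `--strict` policy option, the `--ctproto` conntrack option, the `string` match, the `LOG` target and the `nat` table, while the rules that stay within the listed subset, including the jump to the user-defined `vpn-in` chain, pass. The sets encode only what this page lists, so they have to be kept in step with the installed release.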

Dependencies

6WINDGate modules

Linux