J.D. Bronson wrote:
> At 11:10 AM 04/10/2007, Darren Reed wrote:
>
>> Going further along with adding new things to IPFilter, some of
>> the recent things I've worked on adding code for are:
>>
>> * selective flushing - to flush just things matching port 80:
>> # ipnat -m 'tcp.port=80' -F
>> # ipf -m 'tcp.port=80' -Fs
>> A list can be given - "tcp.port=25,80". The full list of currently
>> allowed words is:
>> ip.addr, ip.p, ip.src, ip.dst, tcpc.port, tcp.dport, tcp.sport,
>> udp.port, udp.dport, udp.sport
>>
>> * the matching from flushing also applies to listing active entries:
>> # ipnat -m 'port=80' -l
>> # ipfstat -m 'port=80' -sl
>> will respectively show only NAT or state matching port 80.
>>
>> * the above syntax can be used in ipf rules like this:
>>
>> pass in exp { 'tcp.port=25,80' } keep state
>>
>> (this is really experimental - how many fields are required for it
>> to be attractive or is it just a waste of time?)
>>
>> * Active NAT/state entries can now be printed out in columns:
>> # ipnat -O all -l | head -1
>> # ipfstat -O all -sl | head -1
>> will print out the names of columns. A list can be given:
>> # ipnat -O oldsrcip,newsrcip,olddstip,newdstip -l
>> And you can change the name at the top:
>> # ipfstat -O src=saddr,dst=addr -sl
>> or just not print out the heading line at all:
>> # ipnat -O all= -l
>>
>> Comments/thoughts/criticisms welcome.
>
> is this production ready or still in development?
Still in development. For starters, there's no documentation for it
aside from email at present, and feedback on these ideas is greatly
appreciated.
Darren