Znyx Networks bh5700 manual Restrictions on Implementation

Models: bh5700


you may want to move your set of iptables commands to a startup script that runs upon initialization. This can be accomplished by creating a standalone "S" script and placing it in /etc/rcZ.d.

Restrictions on Implementation

Several restrictions exist on the rules that can be implemented on the FFP hardware. These include:

Actions: DROP the packet, or ACCEPT the packet.

Output Port: Should be specified if the action is ACCEPT. If no output port is specified, an IRULE table entry is generated for every port.

Field values: If specified as ranges, they must be on power-of-two boundaries.

Negation: Can only be used for icmp, tcp, or udp fields.

Fields supported are: Source IP address, destination IP address, IP protocol, TCP or UDP source port or destination port, ICMP type, and TCP flags bits (such as SYN).

The input port and output port may also be specified as either zre<n>, where <n> is one of the 48 physical ports, or as zhp<n>, where the zhp interface used must be previously defined using zconfig.

A restriction on the fields supported is the size of the IMASK table. There are only 16 entries per port available, which means only 16 combinations of fields can be used at any time.

Conflict Resolution

The behavior differs from that of iptables on a host in several ways. Although the rules are taken from the FORWARD and INPUT chains, they are applied to all packets, including those destined for the local CPU. The order in which the rules are applied is not necessarily the order in which they appear in the chains: if a rule uses a mask that is less restrictive than another rule's, it is applied first. The last rule that matches determines the action that takes place. For example, the rules:

iptables -A FORWARD -i zhp3 -j DROP

iptables -A FORWARD -i zhp3 -o zhp1 -p tcp --dport smtp -j ACCEPT

result in SMTP packets received on any port in zhp3 being forwarded to any port in zhp1; all other packets from zhp3 are dropped. The order of the two rules in the FORWARD chain does not matter.
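The following Python is an added model of the FFP ordering and last-match semantics described above; it is not code from the Znyx manual. It assumes that a "less restrictive mask" means a rule constraining fewer fields, and that a packet matching no rule receives a caller-supplied default verdict, which the manual does not specify.

```python
# Added model of the FFP rule semantics described above (not Znyx code).
# Assumptions: a "less restrictive mask" is one that constrains fewer fields,
# and a packet matching no rule gets the caller-supplied default verdict.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                                  # "ACCEPT" or "DROP"
    match: dict = field(default_factory=dict)    # e.g. {"in_port": "zhp3"}

    def mask(self):
        """The set of fields this rule constrains."""
        return frozenset(self.match)

def hardware_order(rules):
    """Apply less restrictive masks first, regardless of chain position.
    Python's sort is stable, so rules with equal mask size keep chain order;
    the manual does not specify their relative order."""
    return sorted(rules, key=lambda r: len(r.mask()))

def ffp_verdict(rules, packet, default="ACCEPT"):
    """The last matching rule determines the action taken on the packet."""
    verdict = default
    for rule in hardware_order(rules):
        if all(packet.get(k) == v for k, v in rule.match.items()):
            verdict = rule.action
    return verdict

def imask_usage(rules):
    """Distinct field combinations in use per input port (the IMASK table
    holds only 16 entries per port). Rules with no input port are grouped
    under "*" as a simplification."""
    usage = {}
    for rule in rules:
        port = rule.match.get("in_port", "*")
        usage.setdefault(port, set()).add(rule.mask())
    return {port: len(masks) for port, masks in usage.items()}

# The manual's two-rule example as constructed input (smtp is TCP port 25).
SMTP_RULES = [
    Rule("DROP", {"in_port": "zhp3"}),
    Rule("ACCEPT", {"in_port": "zhp3", "out_port": "zhp1",
                    "proto": "tcp", "dport": 25}),
]
SMTP_PKT = {"in_port": "zhp3", "out_port": "zhp1", "proto": "tcp", "dport": 25}
HTTP_PKT = {"in_port": "zhp3", "out_port": "zhp1", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for order in (SMTP_RULES, SMTP_RULES[::-1]):   # chain order is irrelevant
        print(ffp_verdict(order, SMTP_PKT), ffp_verdict(order, HTTP_PKT))
    print(imask_usage(SMTP_RULES))
```

Running it shows ACCEPT for the SMTP packet and DROP for the HTTP packet in both chain orders, and that the example consumes two of the 16 IMASK entries for zhp3.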

Ethernet Switch Blade User's Guide

release 3.2.2j

page 59
