Provide access to the local system packet filtering
Add a counting rule and return the rulenum used. If a rulenum is specified, it is used. Potential arg keys:
* input <interface> - watch incoming interface
* output <interface> - watch outgoing interface
* marker 0-7 - watch traffic with marker num only
Add an input blocking rule and return the rulenum used. If a rulenum is specified, it is used. Potential arg keys:
* dst <cidr> - destination address as a CIDR
* src <cidr> - source address as a CIDR
* proto <num> - protocol number
* sport <num> - single source port as a number
* dport <num> - single destination port as a number
Add a marking rule and return the rulenum used. If a rulenum is specified, it is used. Potential arg keys are the same as for the blocking filter, plus:
* marker 1-7 - IP precedence value to set on the matching packets
Remove all blocking filters that we installed on this node
Delete all counting filters that we installed on this node
Delete the filter with the associated rulenum
Remove all marking filters that we installed on this node
Filter implementation for IPFW based systems such as FreeBSD
ipfw lets us delete using just the rulenum we provided
Filter implementation for a Linux/Netfilter based system
MARK isn't used as a target, so the mark value on every packet is always 0. A negated mark match (NOT mark <n>, with n != 0) is therefore always true and is simply ANDed with the matches that follow it; we use it to identify our rule quickly later on.
Netfilter doesn't have 'global' rulenums, so we need to remember the command we used to add the filter and use the same command to delete it.
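The two deletion strategies above (ipfw deletes by the rulenum we chose; Netfilter has no global rulenum, so the exact add command is kept and replayed as a delete, with the always-true negated mark match as the rule tag) as an added example. This is not the project's own code: the class names, the injected command runner, the rulenum allocation, the choice of chains and the encoding of the marker as the class-selector DSCP (precedence << 3) are all assumptions made for the illustration.

```python
"""Rule bookkeeping for two packet-filter backends (added example, not the
project's code).  ipfw keys every rule by a global rulenum; Netfilter does
not, so the argv used with -A is stored and replayed with -D."""

# iptables match option for each arg key; -p must precede --sport/--dport
_MATCH_OPTS = {"src": "-s", "dst": "-d", "proto": "-p",
               "sport": "--sport", "dport": "--dport"}
_MATCH_ORDER = ("src", "dst", "proto", "sport", "dport")


class CommandRecorder:
    """Constructed stand-in for a real runner: records argv instead of running it.
    On a real host use e.g. lambda argv: subprocess.run(argv, check=True) as root."""
    def __init__(self):
        self.executed = []

    def __call__(self, argv):
        self.executed.append(list(argv))


class _RuleTable:
    """Rulenum allocation and the rulenum -> argv table shared by both backends."""
    def __init__(self, run, first=1000):
        self._run, self._rules, self._next = run, {}, first

    def _alloc(self, rulenum):
        if rulenum is None:                      # caller did not pick one
            rulenum, self._next = self._next, self._next + 1
        if rulenum in self._rules:
            raise ValueError("rulenum %d already in use" % rulenum)
        return rulenum

    def rulenums(self):
        return sorted(self._rules)

    def delete_all(self):
        for rulenum in self.rulenums():
            self.delete(rulenum)


class NetfilterFilter(_RuleTable):
    def _match(self, args):
        return [tok for key in _MATCH_ORDER if key in args
                for tok in (_MATCH_OPTS[key], str(args[key]))]

    def _tag(self, rulenum):
        # MARK is never a target here, so every packet's mark is 0: the negated
        # match "! --mark <rulenum>" (rulenum != 0) is always true and only
        # labels the rule so it can be found again.
        assert rulenum != 0, "mark 0 would make the negated match always false"
        return ["-m", "mark", "!", "--mark", str(rulenum)]

    def _install(self, rulenum, table, chain, spec):
        argv = ["iptables", "-t", table, "-A", chain] + spec
        self._run(argv)
        self._rules[rulenum] = argv              # remembered verbatim for -D
        return rulenum

    def add_block(self, rulenum=None, **args):
        rulenum = self._alloc(rulenum)
        return self._install(rulenum, "filter", "INPUT",
                             self._match(args) + self._tag(rulenum) + ["-j", "DROP"])

    def add_count(self, rulenum=None, **args):
        rulenum = self._alloc(rulenum)
        chain, spec = "INPUT", []
        if "output" in args:
            chain, spec = "OUTPUT", ["-o", args["output"]]
        elif "input" in args:
            spec = ["-i", args["input"]]
        if "marker" in args:                     # assumption: precedence p == DSCP p<<3
            spec += ["-m", "dscp", "--dscp", str(args["marker"] << 3)]
        # no -j target: the rule only increments its packet/byte counters
        return self._install(rulenum, "filter", chain, spec + self._tag(rulenum))

    def add_mark(self, rulenum=None, marker=1, **args):
        rulenum = self._alloc(rulenum)
        return self._install(rulenum, "mangle", "PREROUTING",
                             self._match(args) + self._tag(rulenum)
                             + ["-j", "DSCP", "--set-dscp", str(marker << 3)])

    def delete(self, rulenum):
        argv = list(self._rules.pop(rulenum))
        argv[argv.index("-A")] = "-D"            # identical rule spec, append -> delete
        self._run(argv)


class IpfwFilter(_RuleTable):
    def add_block(self, rulenum=None, **args):
        rulenum = self._alloc(rulenum)
        argv = ["ipfw", "add", str(rulenum), "deny", str(args.get("proto", "ip")),
                "from", args.get("src", "any")]
        if "sport" in args:
            argv.append(str(args["sport"]))
        argv += ["to", args.get("dst", "any")]
        if "dport" in args:
            argv.append(str(args["dport"]))
        argv.append("in")                        # input blocking rule only
        self._run(argv)
        self._rules[rulenum] = argv
        return rulenum

    def delete(self, rulenum):
        del self._rules[rulenum]                 # ipfw deletes by rulenum alone
        self._run(["ipfw", "delete", str(rulenum)])
```

With the recorder in place the argv lists can be inspected without touching a host; swapping in a subprocess-based runner makes the same classes drive a real firewall. The Netfilter delete relies on the stored spec being byte-for-byte what was added, which is exactly why the command, not just the rulenum, has to be remembered.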