PacketFilter¶

Header Format¶

targets:
    packetfilter: filter-name {inet|inet6|mixed} {in|out} {nostate}

filter-name: a short, descriptive policy identifier
inet: specifies that the resulting filter should only render IPv4 addresses.
inet6: specifies that the resulting filter should only render IPv6 addresses.
mixed: specifies that the resulting filter should only render IPv4 and IPv6 addresses (default).
in: match ingoing packets (default: both directions).
out: match outgoing packets (default: both directions).
nostate: do not keep state on connections (default: keep state).

for common keys see common.md
destination-exclude: Exclude one or more address tokens from the specified destination-address
destination-interface: Specify the destination interface. Implicitly changes the term direction to out for this term. Mutually exclusive with source-interface:.
source-interface: Specify the source interface. Implicitly changes the term direction to in for this term. Mutually exclusive with destination-interface:.
logging: Specify that this packet should be logged via syslog.
source-exclude: exclude one or more address tokens from the specified source-address.
verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

ack: Match on ACK flag being present.
all: Matches all protocols.
established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
fin: Match on FIN flag being present.
is-fragment: Matches on if a packet is a fragment.
psh: Match on PSH flag being present.
rst: Match on RST flag being present.
syn: Match on SYN flag being present.
tcp-established: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
urg: Match on URG flag being present.