Cluster I/O Protocols (CIP) Configuration and Management Manual (H06.16+, J06.05+)
u32
Tests whether quantities of up to 4 bytes extracted from a packet have specified values. The
specification of what to extract is general enough to find data at given offsets from tcp headers
or payloads.
[!] --u32 tests
The argument amounts to a program in a small language described below:
tests := location "=" value | tests "&&" location "=" value
value := range | value "," range
range := number | number ":" number
A single number, n, is interpreted the same as n:n. The form n:m is interpreted as the range of
numbers >=n and <=m.
location := number | location operator number
operator := "&" | "<<" | ">>" | "@"
The operators &, <<, >> and && mean the same as in C. The = is really a set membership
operator and the value syntax describes a set. The @ operator is what allows moving to the
next header.
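The location grammar is easier to follow when it is run against packet bytes. The following Python sketch is an added example, not code from this manual or from CIP. It assumes the register-machine semantics given in the Linux iptables man page (the first number loads 4 big-endian bytes at that offset from the IP header; @ adds the current value to the base offset and loads again) and uses a constructed IPv4/UDP packet.

```python
import re
import struct

# One location step: optional operator followed by a decimal or hex number.
STEP = re.compile(r"\s*(&|<<|>>|@)?\s*(0[xX][0-9a-fA-F]+|\d+)\s*")

def read32(pkt, off):
    # Big-endian 32-bit read; a read outside the packet fails the match.
    if off + 4 > len(pkt):
        raise IndexError("u32 read outside packet")
    return struct.unpack_from(">I", pkt, off)[0]

def eval_location(pkt, location):
    """Evaluate one location; a is the base offset, c the running value."""
    a = c = pos = 0
    while pos < len(location):
        m = STEP.match(location, pos)
        if not m or (m.group(1) is None) != (pos == 0):
            raise ValueError("bad location: %r" % location)
        op, num, pos = m.group(1), int(m.group(2), 0), m.end()
        if op in (None, "@"):
            a += c if op == "@" else 0        # "@" moves the base to the next header
            c = read32(pkt, a + num)          # load 4 bytes at base + number
        elif op == "&":
            c &= num
        elif op == "<<":
            c = (c << num) & 0xFFFFFFFF       # assumed 32-bit register width
        else:
            c >>= num
    return c

def u32_match(pkt, tests):
    """True if every "location=value" test joined by && holds for pkt."""
    try:
        for test in tests.split("&&"):
            location, value = test.split("=")
            c = eval_location(pkt, location)
            # "=" is set membership: n means n:n, n:m means n <= c <= m.
            ranges = [r.split(":") for r in value.split(",")]
            if not any(int(r[0], 0) <= c <= int(r[-1], 0) for r in ranges):
                return False
        return True
    except IndexError:                        # read outside the packet: no match
        return False

# Constructed sample: 20-byte IPv4 header (protocol 17), then UDP 40000 -> 53.
SAMPLE = struct.pack(">BBHHHBBH4s4sHHHH", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), 40000, 53, 8, 0)
```

For the sample packet, u32_match(SAMPLE, "6&0xFF=17 && 0>>22&0x3C@0&0xFFFF=22,53:80") is true: the first test checks the IP protocol byte, and the second uses the IP header length to step to the UDP header and tests the destination port against the set {22, 53..80}.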
udp
Matches UDP-specific values.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
Extensions with an asterisk (*) are not supported but are not disallowed by CIP.
Target Extensions ip
The supported target extensions are based on the Linux iptables man pages. They are subject to
future changes made by the Linux iptables implementation.
log
When the LOG target is set for a rule, the Linux kernel will print some information on all matching
packets (i.e., most IP header fields) to syslog. This is a "non-terminating target", i.e. rule traversal
continues at the next rule. If you want to LOG the packets you refuse, use two separate rules
with the same matching criteria, first using target LOG, the next using DROP (or REJECT).
LOG has the following options:
--log-level level
Level of logging (keyword or numeric): debug (or 7), info (or 6), notice (or 5), warning (or 4),
err (or 3), crit (or 2), alert (or 1), emerg (or 0).
Default is warning if not specified. If the specified severity of log-level is 'info' or above (e.g.,
warning), the log message is also sent to the NSK host, generating a 5232 EMS event in $0.
NOTE: Care should be used so as to not flood EMS with events.
--log-prefix prefix
Prefix log messages with the specified prefix; up to 25 letters long, and useful for distinguishing
messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.