[excerpt from 3Com "Internetwork Bridge Operation Guide"]

Filters Parameter

This parameter creates, deletes, or manipulates custom filters.

Creating a Filter

Use the following command syntax to create or modify a filter:

ADD FILTERS !<filterid> [~]<list of patterns>

In this syntax, filterid is the filter number. The bridge can contain up to eight filters, so the filterid can range from 1 to 8. If the specified filter does not exist yet, the command creates it. If the filter already exists, the patterns are added to the list of patterns already assigned to the filter.

A pattern is the condition that the packet must meet before being forwarded or discarded. The pattern has the following format:

<offset>:[!]<mask>

The meanings of individual fields in the pattern are explained later in this section. If you specify more than one pattern for a single filter, you must use a comma (,) to separate the patterns. For each filter, you can specify up to four patterns.

Two kinds of filters can be manipulated by the ADD command:

When no tilde (~) precedes the list of patterns, packets that meet all the conditions specified are discarded. This is called a custom filter.

When a tilde precedes the list of patterns, the filter is called a reverse custom filter. This means that only packets that meet the conditions specified are forwarded.

CAUTION: If a reverse filter is defined, no packets other than the ones that meet the conditions of the reverse filter or subsequent reverse filters are forwarded. Be sure that you have read all the instructions and examples in this manual on reverse filters and have understood their functions before you create one. Defining a reverse filter improperly may cause the bridge to discard some packets that you actually wish to forward.

Each pattern includes an offset and a mask. Enter the offset and mask according to the following guidelines:

Enter them in hexadecimal, preceded by a percent sign.

Use the correct number of hexadecimal digits for your intended mask size.

The ADD FILTERS command includes the optional logical operator "not". This operator is applied to the mask and the specified byte. The operator, its meaning, and its effect are summarized in Table 7-5. If no operator is included, the condition is met when the bytes starting at offset are equal to the mask.

Table 7-5. Logical Operators in the ADD FILTERS Command

Symbol    Name      Meaning                            Example            

!         not       The condition is met if the value  --                 
                    found at the specified location                       
                    does NOT equal the mask.                              


When specifying filters, be sure to specify the custom filters first. The bridge compares every packet received to each custom filter. If the packet meets all the conditions specified in ANY custom filter, it is discarded immediately. Otherwise, the bridge compares it to each reverse custom filter, if there are any. (If there are no reverse custom filters, the packet is forwarded.) If the packet meets all the conditions specified in any reverse custom filter, it is forwarded. If the packet does NOT meet ALL the conditions in any reverse custom filter, it is discarded.

Before you create a filter, you should display all the filters (using the SHOW FILTERS command), because if you inadvertently define a reverse custom filter with the filterid of an existing custom filter, the existing custom filter will be deleted, and the filterid will refer to the reverse custom filter you just defined. The same happens to an existing reverse filter if you define a custom filter with the reverse filter's number.

For example:

add filter !1 %12:%0426

add filter !1 ~%C:%0600

The first ADD command creates a custom filter (filter 1) that discards packets that have the value %0426 at byte %12. If later you enter the second command, this custom filter is deleted. Now filter 1 is a reverse filter that makes the bridge forward ONLY XNS packets (i.e. type field (%C) = 0600 hexadecimal).
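The evaluation order and the filterid replacement behavior described above can be modeled in a few lines. This is an added example, not 3Com code: the Bridge class, the frame helper and the sample frames are constructed for illustration, and rejecting a fifth pattern and treating too-short packets as non-matching are assumptions.

```python
import re

PATTERN = re.compile(r"%([0-9A-Fa-f]+):(!?)%([0-9A-Fa-f]+)$")

class Bridge:  # hypothetical model of the filter table, not bridge firmware
    def __init__(self):
        self.filters = {}  # filterid -> (is_reverse, [(offset, negate, mask)])

    def add(self, command):
        m = re.match(r"add filters? !(\d+)\s+(~?)(\S+)$", command.strip(), re.I)
        if not m or not 1 <= int(m[1]) <= 8:
            raise ValueError("bad syntax or filterid outside 1-8")
        fid, reverse, pats = int(m[1]), m[2] == "~", []
        for text in m[3].split(","):
            p = PATTERN.match(text)
            if not p or len(p[3]) % 2:   # mask must be whole bytes
                raise ValueError("bad pattern: " + text)
            pats.append((int(p[1], 16), p[2] == "!", bytes.fromhex(p[3])))
        old = self.filters.get(fid)
        if old and old[0] == reverse:    # same kind: patterns accumulate
            pats = old[1] + pats         # different kind: old filter is replaced
        if len(pats) > 4:                # assumption: a fifth pattern is rejected
            raise ValueError("at most four patterns per filter")
        self.filters[fid] = (reverse, pats)

    @staticmethod
    def meets_all(packet, pats):
        # Assumption: a packet too short to hold the mask never equals it.
        return all((packet[o:o + len(mk)] == mk) != neg for o, neg, mk in pats)

    def forwards(self, packet):
        custom = [p for rev, p in self.filters.values() if not rev]
        reverse = [p for rev, p in self.filters.values() if rev]
        if any(self.meets_all(packet, p) for p in custom):
            return False    # met every condition of a custom filter: discard
        # No reverse filters: forward. Otherwise a reverse filter must match.
        return not reverse or any(self.meets_all(packet, p) for p in reverse)

def frame(dst, ethertype, payload=b"\x00" * 8):  # constructed test frame
    return bytes.fromhex(dst + "020000000001" + ethertype) + payload

def demo():
    b = Bridge()
    b.add("add filter !1 %12:%0426")
    ip = frame("020000000002", "0800")
    marked_xns = frame("020000000002", "0600", b"\x00" * 4 + b"\x04\x26")
    before = (b.forwards(ip), b.forwards(marked_xns))
    b.add("add filter !1 ~%C:%0600")   # silently replaces custom filter 1
    after = (b.forwards(ip), b.forwards(marked_xns))
    return before, after
```

demo() shows both side effects of reusing filterid 1: the non-XNS frame that was forwarded is now discarded, and the frame the custom filter used to discard is now forwarded.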

Examples

This section provides several examples showing how the FILTERS parameters affect packet forwarding.

Example 1

add filters !1 %0:%FFFFFFFFFFFF,%C:%0600

The following table explains what the conditions in filter 1 mean.

             Offset  Contents        Mask          Operator  Effect

First        0       First 6 bytes   ffffffffffff  None      If first 6 bytes
condition            of destination                          of destination
                     address                                 address are
                                                             ffffffffffff, the
                                                             condition is met.

Second       C       Packet type     0600          None      If the packet is
condition                                                    an XNS packet, the
                                                             condition is met.

All broadcast packets, which have a destination address of %ffffffffffff, meet the first condition of filter 1. Because only XNS packets meet the second condition, the bridge discards all XNS broadcast packets according to filter 1.

Example 2

add filters !2 %12:%0426

add filters !3 %C:%0600,%13:%01

This example assigns two filters.

According to filter 2, if a packet has the value %0426 at byte %12, it is discarded.

For a packet to be discarded according to filter 3, it must meet both conditions of the filter. Only a packet with the value %0600 at offset %C and the value %01 at offset %13 would be discarded by filter 3. A packet with the value %0600 at byte %C, but with a value OTHER than %01 at offset %13 would NOT be discarded.

In filter 3, the mask %0600 at offset %C indicates that all XNS packets should be filtered, and the mask %01 at offset %13 indicates that all routing packets should be filtered. Any packets that meet both of these conditions (XNS routing packets) will be discarded according to filter 3.

Example 3

add filters !4 %C:!%0600

This example shows the use of the logical "not" operator. The example filters ALL packets EXCEPT those that have the value %0600 at byte %C. The value at this location determines the packet type, so a filter like this one passes packets of a given type, and filters all other packet types. This example passes all XNS packets, and allows no other packet types through.

Example 4

add filters !1 %C:%9001

This example filters Bridge/3Com bridge "netmap" packets, i.e., packets with a value of hexadecimal 9001 at byte %C (XNS netmap packets).

Example 5

add filters !2 %C:!%0806,%0:%FFFF

This example filters ALL broadcast packets EXCEPT ARP (Address Resolution Protocol) packets. The first condition targets all non-ARP packets; the second condition targets all broadcast packets. Both conditions must be met before a packet is filtered. As a result, only non-ARP broadcast packets are filtered.