ckfilt Command
Purpose
Checks the syntax of filter rules.
Syntax
Description
The ckfilt command checks the syntax of filter rules. IPsec stateful filter rules allow for operations such as IF, ELSE, and ENDIF, so a rule set can contain syntax errors, for example an IF without an ENDIF, or an ELSE or ENDIF with no preceding IF. The ckfilt command checks for such errors. Nested IF rules are allowed. The ckfilt command displays the filter rules, indenting the rules inside an IF statement according to their scope. If the -O flag is used, the filter rules are displayed with all of their attributes, again indented by scope. The IPsec filter rules that this command checks can be configured with the genfilt command, or through IPsec smit (IP version 4 or IP version 6) in the Virtual Private Network submenu.
Flags
| Item | Description |
|---|---|
| -O | Displays the filter rule attributes. |
| -v 4 \| 6 | Specifies IPv4 or IPv6. |
Exit Status
This command returns the following exit values:
| Item | Description |
|---|---|
| 0 | The command completed successfully. |
| non-zero | An error occurred. |
Security
This command can be run only by the root user.
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of the privileges and authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
- To create a set of nested if-else-endif filter rules, use the genfilt command as follows:

```
genfilt -v4 -a I -s 192.168.100.101 -d 192.168.100.102 -c tcp -O eq -P 21 -D "IF ftp-cmd being used"
genfilt -v4 -a I -s 192.168.100.101 -d 192.168.100.102 -c tcp -O eq -P 1525 -D "IF 1525 port starts being used"
genfilt -v4 -a D -s 192.168.100.101 -d 192.168.100.102 -c tcp -O eq -P 37 -D "if scope: deny time"
genfilt -v4 -a L -s 192.168.100.101 -d 192.168.100.102 -c tcp -D "ELSE"
genfilt -v4 -a D -s 192.168.100.101 -d 192.168.100.102 -c tcp -O eq -P 13 -D "else scope: deny date"
genfilt -v4 -a E -s 192.168.100.101 -d 192.168.100.102 -c tcp -D "ENDIF"
genfilt -v4 -a L -s 192.168.100.101 -d 192.168.100.102 -c tcp -D "ELSE"
genfilt -v4 -a D -s 192.168.100.101 -d 192.168.100.102 -c tcp -O eq -P 20 -D "else scope: deny ftp-data"
genfilt -v4 -a E -s 192.168.100.101 -d 192.168.100.102 -c tcp -D "ENDIF"
```

The output of the lsfilt command is similar to the following:

```
%lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used
5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
```

The output of the ckfilt command is similar to the following:

```
%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
| IF Rule 4
| | Rule 5
| ELSE Rule 6
| | Rule 7
| ENDIF Rule 8
ELSE Rule 9
| Rule 10
ENDIF Rule 11
Rule 0
```

or

```
%ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
| IF 4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used
| | 5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
| ELSE 6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| | 7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
| ENDIF 8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
ELSE 9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| 10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
ENDIF 11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|all packets|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
```

- If incorrect if-else-endif rules are created, the ckfilt command finds and reports the error, as follows:

```
%lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
8|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
9|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
10|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
| Rule 4
ELSE Rule 5
| Rule 6
ENDIF Rule 7
No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.

%ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
| 4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
ELSE 5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| 6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
ENDIF 7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.
```
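The nesting check that the Description section describes, and that both examples above exercise, is a single pass over the rules with a stack of open IF scopes. The following Python is an added example, not part of the AIX documentation and not the ckfilt source: it reads the pipe-separated lines that `lsfilt -v4 -O` prints (only the rule number and the action field are needed), validates that every ELSE and ENDIF has an open IF and that every IF is closed, and builds a scope-indented listing in the shape of ckfilt's output. The function and class names, the sample rule lines (constructed, with the fields after the action shortened), and the wording of the "duplicate ELSE" and "unclosed IF" messages are this example's own assumptions; the "No preceding IF statement" message mirrors the one shown above.

```python
"""IF/ELSE/ENDIF nesting check for IPsec filter rules (added example).

Not AIX code and not the ckfilt source: it re-implements the check the
manual page describes with a stack of open IF scopes. Input is the
pipe-separated shape printed by `lsfilt -v4 -O`; only field 0 (rule
number) and field 1 (action: if / else / endif / permit / deny ...) are
read. The scoped listing imitates the shape of ckfilt's output.
"""
from dataclasses import dataclass, field


@dataclass
class CheckResult:
    ok: bool
    lines: list = field(default_factory=list)  # scoped listing built so far
    error: str = ""                             # empty when ok


def parse_rules(text):
    """Return [(rule_number, action, raw_line)] for each non-empty line."""
    rules = []
    for raw in text.strip().splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("|")
        rules.append((int(parts[0]), parts[1].strip().lower(), raw))
    return rules


def check_filter_rules(text, show_attributes=False):
    """Walk the rules once, tracking open IF scopes on a stack.

    Each stack entry is [rule_number_of_the_IF, else_already_seen].
    On the first error the listing stops at that point, which is how
    ckfilt behaves in the manual's second example.
    """
    stack = []
    out = []

    def label(rule_no, raw):
        # -O style prints the whole rule line; the default prints "Rule N"
        return raw if show_attributes else f"Rule {rule_no}"

    for rule_no, action, raw in parse_rules(text):
        depth = len(stack)
        if action == "if":
            out.append("| " * depth + "IF " + label(rule_no, raw))
            stack.append([rule_no, False])
        elif action == "else":
            if not stack:
                return CheckResult(False, out,
                                   f"No preceding IF statement for filter rule {rule_no}.")
            if stack[-1][1]:
                # Second ELSE in one IF scope: wording is this example's assumption.
                return CheckResult(False, out,
                                   f"Duplicate ELSE for filter rule {rule_no}.")
            stack[-1][1] = True
            out.append("| " * (depth - 1) + "ELSE " + label(rule_no, raw))
        elif action == "endif":
            if not stack:
                return CheckResult(False, out,
                                   f"No preceding IF statement for filter rule {rule_no}.")
            stack.pop()
            out.append("| " * (depth - 1) + "ENDIF " + label(rule_no, raw))
        else:
            out.append("| " * depth + label(rule_no, raw))
    if stack:
        # Unclosed IF: wording is this example's assumption, not ckfilt's.
        return CheckResult(False, out,
                           f"No ENDIF for IF filter rule {stack[-1][0]}.")
    return CheckResult(True, out)


# Constructed sample input in lsfilt -O shape (fields after the action are
# shortened; the nesting check does not read them). Same structure as the
# manual's first example.
VALID_RULES = """
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|192.168.100.102|tcp|eq|21|IF ftp-cmd being used
4|if|192.168.100.101|192.168.100.102|tcp|eq|1525|IF 1525 port starts being used
5|deny|192.168.100.101|192.168.100.102|tcp|eq|37|if scope: deny time
6|else|192.168.100.101|192.168.100.102|tcp|any|0|ELSE
7|deny|192.168.100.101|192.168.100.102|tcp|eq|13|else scope: deny date
8|endif|192.168.100.101|192.168.100.102|tcp|any|0|ENDIF
9|else|192.168.100.101|192.168.100.102|tcp|any|0|ELSE
10|deny|192.168.100.101|192.168.100.102|tcp|eq|20|else scope: deny ftp-data
11|endif|192.168.100.101|192.168.100.102|tcp|any|0|ENDIF
0|permit|0.0.0.0|0.0.0.0|all|any|0|Default Rule
"""

# Same set minus the inner IF (rule 4 above): rules 5 and 7 now attach to the
# outer IF, so the outer ELSE at rule 8 has no open IF left (manual's second example).
BROKEN_RULES = """
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|192.168.100.102|tcp|eq|21|IF ftp-cmd being used
4|deny|192.168.100.101|192.168.100.102|tcp|eq|37|if scope: deny time
5|else|192.168.100.101|192.168.100.102|tcp|any|0|ELSE
6|deny|192.168.100.101|192.168.100.102|tcp|eq|13|else scope: deny date
7|endif|192.168.100.101|192.168.100.102|tcp|any|0|ENDIF
8|else|192.168.100.101|192.168.100.102|tcp|any|0|ELSE
9|deny|192.168.100.101|192.168.100.102|tcp|eq|20|else scope: deny ftp-data
10|endif|192.168.100.101|192.168.100.102|tcp|any|0|ENDIF
0|permit|0.0.0.0|0.0.0.0|all|any|0|Default Rule
"""

if __name__ == "__main__":
    for name, rules in (("valid", VALID_RULES), ("broken", BROKEN_RULES)):
        result = check_filter_rules(rules)
        print(f"--- {name} ---")
        print("\n".join(result.lines))
        print(result.error or "The filter rules passed the syntax check.")
```

Run with no arguments to see both listings; the valid set reproduces the `ckfilt -v4` listing of the first example line for line, and the broken set stops after `ENDIF Rule 7` with the rule-8 error. Because the check is a pure stack walk, it also catches the two cases the manual only names in prose (an IF that is never closed, and an ELSE or ENDIF with no IF at all), which is worth running over a rule set before it is activated rather than after.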
Location
/usr/sbin/ckfilt
Files
| Item | Description |
|---|---|
| /etc/security/ipsec_filter | This command reads the /etc/security/ipsec_filter ODM database. Use the genfilt and chfilt commands to insert and change rules in this database. |