Checks the syntax of filter rules.
The ckfilt command checks the syntax of the filter rules. IPsec stateful filter rules allow for actions such as IF, ELSE and ENDIF. Thus it is possible to have syntax errors in the rule set, such as an IF without an ENDIF, or an ELSE or ENDIF without a preceding IF. The ckfilt command checks for such errors. Nesting of IF rules is permitted. The ckfilt command displays the filter rules, indenting the rules within IF statements in a scoping fashion. If the -O flag is used, filter rules and all of their attributes are displayed in a scoped fashion. IPsec filter rules for this command can be configured using the genfilt command, IPsec smit (IP version 4 or IP version 6), or Web-based System Manager in the Virtual Private Network submenu.
Item | Description |
---|---|
-O | Displays filter rule attributes. |
-v 4 \| 6 | Specifies IPv4 (4) or IPv6 (6). |
This command returns the following exit values:
Item | Description |
---|---|
0 | The command completed successfully. |
non-zero | An error occurred. |
This command is only executable by root.
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
The following genfilt commands build a nested set of IF, ELSE and ENDIF rules (actions I, L and E) with deny rules (action D) inside each scope:

```sh
genfilt -v4 -a I -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -O eq -P 21 -D "IF ftp-cmd being used"
genfilt -v4 -a I -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -O eq -P 1525 -D "IF 1525 port starts being used"
genfilt -v4 -a D -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -O eq -P 37 -D "if scope: deny time"
genfilt -v4 -a L -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -D "ELSE"
genfilt -v4 -a D -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -O eq -P 13 -D "else scope: deny date"
genfilt -v4 -a E -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -D "ENDIF"
genfilt -v4 -a L -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -D "ELSE"
genfilt -v4 -a D -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -O eq -P 20 -D "else scope: deny ftp-data"
genfilt -v4 -a E -s 192.168.100.101 \
    -d 192.168.100.102 -c tcp -D "ENDIF"
```
```
%lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used
5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
| IF Rule 4
| | Rule 5
| ELSE Rule 6
| | Rule 7
| ENDIF Rule 8
ELSE Rule 9
| Rule 10
ENDIF Rule 11
Rule 0
%ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
| IF 4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used
| | 5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
| ELSE 6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| | 7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
| ENDIF 8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
ELSE 9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| 10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
ENDIF 11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|all packets|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
```
In the next rule set the IF opened at rule 3 is closed by the ENDIF at rule 7, so the ELSE at rule 8 has no preceding IF and ckfilt reports the error:

```
%lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
8|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
9|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data
10|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
| Rule 4
ELSE Rule 5
| Rule 6
ENDIF Rule 7
No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.
%ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used
| 4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time
ELSE 5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE
| 6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date
ENDIF 7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF
No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.
```
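The nesting check that the description attributes to ckfilt (every IF needs an ENDIF, every ELSE or ENDIF needs a preceding IF) is small enough to reproduce offline, which is useful for reviewing an exported rule set before it is loaded on a gateway. The following Python is an added example, not part of this page or of AIX; it parses pipe-delimited rows in the column order shown by `lsfilt -v4 -O` above (rule number first, action second, description last), walks them with a scope stack, and emits the same scoped listing form that `ckfilt -v4` prints. The helper names `parse_lsfilt` and `check_nesting`, the constructed sample rows, and the extra diagnostics for an unclosed IF or a second ELSE in one scope are assumptions of this example; the real command lists only the rules shown in the output above and may word its messages differently.

```python
"""Added example: offline nesting checker for IPsec stateful filter rules.

Hypothetical helper code, not the ckfilt implementation. It reads nothing
from the system; all input is constructed in this file.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str        # permit, deny, if, else, endif, ... (lower-cased)
    description: str


def parse_lsfilt(text: str) -> list:
    """Turn rows in lsfilt -O column order into Rule objects.

    Only the first field (rule number), the second (action) and the last
    (description) are used, so rows may carry any number of middle columns.
    Lines that do not start with a rule number are skipped.
    """
    rules = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        if len(fields) < 2 or not fields[0].strip().isdigit():
            continue
        rules.append(Rule(int(fields[0]), fields[1].strip().lower(),
                          fields[-1].strip()))
    return rules


def check_nesting(rules: list) -> tuple:
    """Return (passed, listing).

    The listing mimics ckfilt's scoped output: one "| " per open IF scope,
    with ELSE and ENDIF printed at the depth of the IF they belong to.
    On the first error the listing ends with the diagnostic and the check
    stops, as the page's second example shows.
    """
    listing = []
    open_ifs = []      # stack of booleans: has this IF already seen an ELSE?
    for r in rules:
        depth = len(open_ifs)
        if r.action == "if":
            listing.append("| " * depth + f"IF Rule {r.number}")
            open_ifs.append(False)
        elif r.action in ("else", "endif"):
            if not open_ifs:
                listing.append(f"No preceding IF statement for filter rule {r.number}.")
                listing.append("The filter rules failed the syntax check.")
                return False, listing
            if r.action == "else":
                if open_ifs[-1]:   # assumed diagnostic: two ELSEs in one scope
                    listing.append(f"Second ELSE in the IF scope at filter rule {r.number}.")
                    listing.append("The filter rules failed the syntax check.")
                    return False, listing
                open_ifs[-1] = True
                listing.append("| " * (depth - 1) + f"ELSE Rule {r.number}")
            else:
                open_ifs.pop()
                listing.append("| " * (depth - 1) + f"ENDIF Rule {r.number}")
        else:
            listing.append("| " * depth + f"Rule {r.number}")
    if open_ifs:       # assumed diagnostic: IF never closed
        listing.append(f"{len(open_ifs)} IF statement(s) without a matching ENDIF.")
        listing.append("The filter rules failed the syntax check.")
        return False, listing
    return True, listing


# Constructed input mirroring the page's failing example: the ENDIF at rule 7
# closes the IF from rule 3, so the ELSE at rule 8 has no preceding IF.
# Only the columns the checker uses are kept.
SAMPLE_BAD = """\
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|IF ftp-cmd being used
4|deny|if scope: deny time
5|else|ELSE
6|deny|else scope: deny date
7|endif|ENDIF
8|else|ELSE
9|deny|else scope: deny ftp-data
10|endif|ENDIF
0|permit|Default Rule
"""

if __name__ == "__main__":
    passed, lines = check_nesting(parse_lsfilt(SAMPLE_BAD))
    print("\n".join(lines))
    print("PASS" if passed else "FAIL")
```

Running the file prints the scoped listing for the constructed rule set and stops at rule 8 with the same kind of message ckfilt gives. Because the checker stops at the first error, a rule set with several problems needs to be rerun after each fix, exactly as with the real command.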
/usr/sbin/ckfilt
Item | Description |
---|---|
/etc/security/ipsec_filter | This command reads the /etc/security/ipsec_filter ODM database. Rules are inserted and changed in this database using the genfilt and chfilt commands. |