ckfilt Command

Purpose

Checks the syntax of filter rules.

Syntax

ckfilt [ -O ] [ -v 4 | 6 ]

Description

The ckfilt command checks the syntax of the filter rules. IPsec stateful filter rules allow for actions such as IF, ELSE and ENDIF. Thus it is possible to have syntax errors in the rules set, such as IF with out and ENDIF, or an ELSE or ENDIF with out a preceding IF. The ckfilt command checks for such errors. Nesting of IF rules is permitted. The ckfilt command displays the filter rules, indenting the rules within IF statements in a scoping fashion. If the -O flag is used, filter rules and all of their attributes are displayed in a scoped fashion. IPsec filter rules for this command can be configured using the genfilt command, IPsec smit (IP version 4 or IP version 6), or Web-based System Manager in the Virtual Private Network submenu.

Flags

Item Description
-O Displays filter rule attributes.
-v 4 | 6 Specifies IPv4 or IPv6.

Exit Status

This command returns the following exit values:

Item Description
0 The command completed successfully.
non-zero An error occurred.

Security

This command is only executable by root.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To create a set of nested if-else-endif filter rules, use the genfilt command as follows: 
    genfilt -v4 -a I -s 192.168.100.101 
-d 192.168.100.102 -c tcp -O eq -P 21 -D "IF ftp-cmd being used"

genfilt -v4 -a I -s 192.168.100.101
-d 192.168.100.102 -c tcp -O eq -P 1525 -D "IF 1525 port starts being used"

genfilt -v4 -a D -s 192.168.100.101
-d 192.168.100.102 -c tcp -O eq -P 37 -D "if scope: deny time"

genfilt -v4 -a L -s 192.168.100.101
-d 192.168.100.102 -c tcp -D "ELSE"

genfilt -v4 -a D -s 192.168.100.101 
-d 192.168.100.102 -c tcp -O eq -P 13 -D "else scope: deny date"

genfilt -v4 -a E -s 192.168.100.101 
-d 192.168.100.102 -c tcp -D "ENDIF"

genfilt -v4 -a L -s 192.168.100.101 
-d 192.168.100.102 -c tcp -D "ELSE"

genfilt -v4 -a D -s 192.168.100.101 
-d 192.168.100.102 -c tcp -O eq -P 20 -D "else scope: deny ftp-data"

genfilt -v4 -a E -s 192.168.100.101 
-d 192.168.100.102 -c tcp -D "ENDIF"
    The output of the lsfilt command will look similar to the following: 
    %lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|
eq|4001|both|both|no|all packets|0|all|0|||Default Rule

2|*** Dynamic filter placement rule for IKE tunnels ***|no

3|if|192.168.100.101|255.255.255.255|192.168.100.102|
255.255.255.255|yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used

4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used

5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: de ny time

6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date

8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF

9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data

11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF

0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|
any|0|both|both|no|all packets|0|all|0|||Default Rule
    The output of the ckfilt command will look similar to the following: 
    %ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
|    IF Rule 4
|    |    Rule 5
|    ELSE Rule 6
|    |    Rule 7
|    ENDIF Rule 8
ELSE Rule 9
|    Rule 10
ENDIF Rule 11
Rule 0
    OR 
    %ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used

|    IF 4|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|1525|both|both|no|all packets|0|all|0|||IF 1525 port starts being used

|    |    5|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time

|    ELSE 6|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

|    |    7|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date

|    ENDIF 8|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0||| ENDIF

ELSE 9|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

|    10|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data

ENDIF 11|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF

0|all packets|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
  2. If incorrect if-else-endif rules are created, the ckfilt command will find and report the error as follows: 
    %lsfilt -v4 -O

1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule

2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used

4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time

5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date

7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF

8|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

9|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|20|both|both|no|all packets|0|all|0|||else scope: deny ftp-data

10|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF

0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

%ckfilt -v4
Beginning of IPv4 filter rules.
Rule 2
IF Rule 3
|    Rule 4
ELSE Rule 5
|    Rule 6
ENDIF Rule 7
No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.

%ckfilt -v4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|21|both|both|no|all packets|0|all|0|||IF ftp-cmd being used

|    4|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|37|both|both|no|all packets|0|all|0|||if scope: deny time

ELSE 5|else|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ELSE

|    6|deny|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|eq|13|both|both|no|all packets|0|all|0|||else scope: deny date

ENDIF 7|endif|192.168.100.101|255.255.255.255|192.168.100.102|255.255.255.255|
yes|tcp|any|0|any|0|both|both|no|all packets|0|all|0|||ENDIF


No preceeding IF statement for filter rule 8.
The filter rules failed the syntax check.

Location

/usr/sbin/ckfilt

Files

Item Description
/etc/security/ipsec_filter This command reads the /etc/security/ipsec_filter ODM database. Rules are inserted and changed in this database using the genfilt and chfilt commands.