chfilt Command

Purpose

Changes a filter rule.

Syntax

chfilt -v 4|6 -n fid [ -a D|P|I|L|E|H|S ] [ -s s_addr ] [ -m s_mask ] [ -d d_addr ] [ -M d_mask ] [ -g Y|N ] [ -c protocol ] [ -o s_opr ] [ -p s_port ] [ -O d_opr ] [ -P d_port ] [ -r R|L|B ] [ -w I|O|B ] [ -l Y|N ] [ -f Y|N|O|H ] [ -t tid ] [ -i interface ] [ -D description ] [ -e expiration_time ] [ -x quoted_pattern | -X pattern_filename | -C antivirus_filename ]

Description

Use the chfilt command to change the definition of a filter rule in the filter rule table. Auto-generated filter rules and manual filter rules can be changed by this command. If an auto-generated filter rule is modified by the chfilt command it will then become a manual filter rule. IPsec filter rules for this command can be configured using the genfilt command, IPsec smit (IP version 4 or IP version 6), or Web-based System Manager in the Virtual Private Network submenu.

Flags

Item Description
-a Action The following Action values are allowed:
  • D (Deny) blocks traffic.
  • P (Permit) allows traffic.
  • I makes this an IF filter rule.
  • L makes this an ELSE filter rule.
  • E makes this an ENDIF filter rule.
  • H makes this a SHUN_HOST filter rule.
  • S makes this a SHUN_PORT filter rule.
-C antivirus_filename Specifies the antivirus file name. The -C flag understands some versions of the ClamAV Virus Database (http://www.clamav.net).
-c protocol Protocol. The valid values are: udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip, esp, ah, and all. Value all indicates that the filter rule will apply to all the protocols. The protocol can also be specified numerically (between 1 and 252).
-d d_addr Destination address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host will be used. This value along with the destination subnet mask will be compared against the destination address of the IP packets.
-D description Filter description. A short description text for the filter rule.
-e expiration_time Specifies the amount of time the rule should remain active in minutes. The expiration_time does not remove the filter rule from the database. The expiration_time relates to the amount of time the filter rule is active while processing network traffic. If no expiration_time is specified, the live time of the filter rule is infinite. If the expiration_time is specified in conjunction with a SHUN_PORT (-a S) or SHUN_HOST (-a H) filter rule, then this is the amount of time the remote port or remote host is denied or shunned once the filter rule parameters are met. If this expiration_time is specified independent of a shun rule, this is the amount of time the filter rule will remain active after the filter rules are loaded into the kernel and start processing network traffic.
-f Fragmentation control. This flag specifies that this rule will apply to either all packets (Y), fragment headers and unfragmented packets only (H), fragments and fragment headers only (O), or unfragmented packets only (N).
-g Apply to source routing? Must be specified as Y (yes) or N (No). If Y is specified, this filter rule can apply to IP packets that use source routing.
-i interface The name of IP interface(s) to which the filter rule applies. Examples are: all, tr0, en0, lo0, and pp0.
-l Log control. Must be specified as Y (yes) or N (No). If specified as Y, packets that match this filter rule will be included in the filter log.
-M d_mask Destination subnet mask. This will be applied to the Destination address(-d flag) when compared with the destination address of the IP packets.
-m s_mask Source subnet mask. This will be applied to the Source address (-s flag) when compared with the source address of the IP packet.
-n fid The ID of the filter rule you want to change. It must exist in the filter rule table and for IP version 4, it cannot be 1 (rule 1 is a system reserved rule and is unchangeable).
-O d_opr Destination port or ICMP code operation. This is the operation that will be used in the comparison between the destination port/ICMP code of the packet with the destination port or ICMP code (-P flag). The valid values are: lt, le, gt, ge, eq, neq, and any. This value must be any when the -c flag is ospf.
-o s_opr Source port or ICMP type operation. This is the operation that will be used in the comparison of the source port/ICMP type of the packet with the source port or ICMP type (-p flag) specified in this filter rule. The valid values are: lt, le, gt, ge, eq, neq, and any. The value must be any when the -c flag is ospf.
-P d_port Destination port/ICMP code. This is the value/code that will be compared to the destination port (or ICMP code) of the IP packet.
-p s_port Source port or ICMP type. This is the value/type that will be compared to the source port (or ICMP type) of the IP packet.
-r Specifies whether the rule will apply to forwarded packets (R), packets destined or originated from the local host (L), or both (B).
-s s_addr Specifies the source address. It can be an IP address or a host name. If a host name is specified, the first IP address returned by the name server for that host will be used. This value along with the source subnet mask will be compared against the source address of the IP packets.
-t tid Specifies the ID of the tunnel related to this filter rule. All the packets that match this filter rule must go through the specified tunnel.
-v Specifies the IP version of the target filter rule.
-w Specifies whether the rule will apply to incoming packets (I), outgoing packets (O), or both (B).
-X pattern_filename Specifies the pattern file name. If more than one pattern is associated with this filter rule, a pattern file name must be used. The pattern file must contain one pattern per line. A pattern is an unquoted character string. This file is read once when the filter rules are activated. For more information, see the mkfilt command.
-x quoted_pattern Specifies the quoted character string or pattern. The -x pattern flag is compared against network traffic.
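The constraints spelled out in the flag descriptions above (the allowed -a actions, protocol names or numbers from 1 to 252, the -o and -O operations that must be any when -c is ospf, the reserved IPv4 rule 1, and the one-pattern-per-line format of the -X file) are easy to get wrong in an ad hoc administration script. The shell helper below is an added example and is not part of the AIX documentation or of the chfilt command itself: it checks a proposed rule change against those constraints and prints the chfilt command line instead of executing it, so the line can be reviewed before it is run, and it writes a pattern file in the form the -X flag expects. The rule ID 3, interface en0, port 23 and the pattern strings are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the chfilt documentation): check a proposed
# filter-rule change against the constraints listed in the Flags section and
# print the chfilt command line instead of executing it.

# in_set NEEDLE CANDIDATE... : succeed if NEEDLE equals one of the candidates.
in_set() {
  needle=$1; shift
  for candidate in "$@"; do
    [ "$needle" = "$candidate" ] && return 0
  done
  return 1
}

# valid_protocol PROTO : one of the listed protocol names, or a number 1-252.
valid_protocol() {
  in_set "$1" udp icmp icmpv6 tcp tcp/ack ospf ipip esp ah all && return 0
  case $1 in
    ''|*[!0-9]*) return 1 ;;   # not a plain decimal integer
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 252 ]
}

# build_chfilt VERSION FID PROTOCOL S_OPR D_OPR ACTION [extra flags...]
# Prints the command line on success; prints a reason and returns 1 otherwise.
build_chfilt() {
  version=$1; fid=$2; proto=$3; s_opr=$4; d_opr=$5; action=$6
  shift 6

  in_set "$version" 4 6 ||
    { echo "error: -v must be 4 or 6" >&2; return 1; }
  # Rule 1 is system reserved for IP version 4 and cannot be changed.
  if [ "$version" = 4 ] && [ "$fid" = 1 ]; then
    echo "error: IPv4 filter rule 1 is reserved" >&2; return 1
  fi
  in_set "$action" D P I L E H S ||
    { echo "error: -a must be one of D P I L E H S" >&2; return 1; }
  valid_protocol "$proto" ||
    { echo "error: unknown protocol '$proto'" >&2; return 1; }
  in_set "$s_opr" lt le gt ge eq neq any ||
    { echo "error: bad -o operation '$s_opr'" >&2; return 1; }
  in_set "$d_opr" lt le gt ge eq neq any ||
    { echo "error: bad -O operation '$d_opr'" >&2; return 1; }
  # Both port operations must be 'any' when the protocol is ospf.
  if [ "$proto" = ospf ] && { [ "$s_opr" != any ] || [ "$d_opr" != any ]; }; then
    echo "error: -o and -O must be any when -c is ospf" >&2; return 1
  fi

  printf 'chfilt -v %s -n %s -c %s -o %s -O %s -a %s' \
    "$version" "$fid" "$proto" "$s_opr" "$d_opr" "$action"
  for extra in "$@"; do printf ' %s' "$extra"; done
  printf '\n'
}

# write_pattern_file FILE PATTERN... : one unquoted pattern per line, which is
# the form the -X flag reads when the filter rules are activated.
write_pattern_file() {
  file=$1; shift
  : > "$file"
  for pattern in "$@"; do
    printf '%s\n' "$pattern" >> "$file"
  done
}

# Constructed sample: change rule 3 to deny inbound TCP to port 23 on en0,
# log matches, and attach two sample patterns from a file.
demo() {
  patterns=${TMPDIR:-/tmp}/chfilt_patterns.$$
  write_pattern_file "$patterns" "sample-pattern-one" "sample-pattern-two"
  build_chfilt 4 3 tcp any eq D -P 23 -w I -i en0 -l Y -X "$patterns"
}

demo
```

The helper deliberately stops at printing the command: an administrator pastes the reviewed line into a root shell, and a failed check leaves the filter table untouched rather than half-changed.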

Security

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.