This manual page briefly documents the
netscript command from the netscript router/firewall network configuration
package.
This command is used to configure or reconfigure the interface
configuration, the ipchains filter setup, and the ip route service
(QoS) setup defined in netscript's configuration files. It can
manipulate individual interfaces, reconfigure the iptables filter
contents and firewall setup, or reconfigure the
QoS setup.
It is rather incomplete, as it does not fully describe the
finely tuned manipulations that result from netscript's design, which
enables a Linux box to serve as a high-availability, heavy-duty,
mission-critical network router or firewall.
COMPILE CONFIGURATION MODE
The rules can be compiled and automatically loaded on boot
by setting the IPV4_CONFIGURE_SWITCH switch in
network.conf(5) to the name of the function used to configure the kernel.
netscript-compile(8) creates this function as 'Configure'. If this switch is set,
the netscript startup will run
netscript-compile(8) to make sure everything is up to date, and will load the rules from
/etc/netscript/ipfilter-defs.conf together with the relevant settings in
network.conf(5), which are used to establish packet grooming and configure
the built-in kernel netfilter INPUT and FORWARD chains in
the filter table. If compilation fails, the previous rule
set is not replaced and remains in use.
A similar mode exists for IPv6, but it is not fully implemented yet.
IPTABLES CONFIGURATION MODE
This configuration mode corresponds to the old method of doing it using
iptables-save(8) and
iptables-restore(8). This is the default mode of operation, and is used if IPV4_CONFIGURE_SWITCH
is not set in
network.conf(5).
This is the method still used by IPv6 as well.
OPTIONS
start
Set up the networking configuration by loading ipchains filters, setting
up the bridge, configuring interfaces and running any configured lower
layer protocol daemons or commands. For use from a startup script.
stop
Shut everything down. For use from a startup script.
reload
Refresh the setup of netscript, except for iptables, from the configuration
files in /etc/netscript.
restart|force-reload
Stop everything and then start everything again. For use from a startup
script.
ifup <interface-name>|all
Bring interface(s) up by starting any protocol daemons
and configuring interfaces.
ifdown <interface-name>|all
Shut down said interface(s) by doing the reverse of ifup.
ifqos <interface-name>|all
Reload QoS configuration for interface(s).
ifreload <interface-name>|all
Refresh the interface setup and implement any configuration changes.
ifreset <interface-name>|all
Shut down and then restart interface(s), reloading configuration from
the lower layer up to the network layer.
compile [ -fhq ] [ -b max-backup-level ]
Compile the new definitions in the /etc/netscript/ipfilter-defs directory into
a new set of functions in the /etc/netscript/ipfilter-defs-compiled.conf
file. See the
netscript-compile(8) and
ipfilter-defs(5) manpages for details.
ipfilter load|reload
Load/reload the IPv4 iptables filters and reconfigure the firewalling,
either from the rules saved in
/etc/netscript/iptables (via
iptables-restore(8)) together with the QoS fair queuing setup,
or by executing the requisite configuration function from
/etc/netscript/ipfilter-defs-compiled.conf if using
ipfilter-defs(5) mode.
ipfilter save
Save the IPv4 iptables configuration to /etc/netscript/iptables via
iptables-save(8), after backing it up to
/etc/netscript/iptables.1 and cycling the previous backup files down through the configuration history.
This does not work if the IPv6 side of netscript is operating in
ipfilter-defs(5) mode.
ipfilter usebackup [ backup-number ]
Restore the setup from the IPv4 iptables backup configuration in
/etc/netscript/iptables.n (default 1) via
iptables-restore(8), or, if the ipfilter-defs(5) backend is used, from the requisite backup number in the
/etc/netscript/ipfilter-defs.conf history files.
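The following is an added example, not netscript's own code, that models the behaviour described for ipfilter save and ipfilter usebackup: the current rule file is rotated down to .1, .2, ... up to a maximum backup level, the new dump only replaces the live file once it has been produced successfully (so a failed save leaves the previous rule set in place), and usebackup picks a numbered history file. It works on a caller-supplied directory and uses hypothetical dump/restore commands passed as arguments in place of iptables-save(8) and iptables-restore(8), so it can be exercised without touching /etc/netscript or the kernel.

```shell
#!/bin/sh
# Added example modelling netscript's save/usebackup backup cycling.
# <file> stands in for /etc/netscript/iptables; <dumpcmd>/<restorecmd>
# are hypothetical stand-ins for iptables-save / iptables-restore.

# cycle_backups <file> <max-level>
# Shift <file>.1 -> <file>.2 ... <file>.(max-1) -> <file>.max, dropping the
# oldest level, then copy the live <file> to <file>.1.
cycle_backups() {
  f=$1; max=$2; i=$max
  while [ "$i" -gt 1 ]; do
    prev=$((i - 1))
    [ -f "$f.$prev" ] && mv -f "$f.$prev" "$f.$i"
    i=$prev
  done
  [ -f "$f" ] && cp -p "$f" "$f.1"
  return 0
}

# save_rules <dumpcmd> <file> <max-level>
# Write the dump to a temporary file first; only if that succeeds are the
# backups cycled and the live file replaced, so a failing dump changes nothing.
save_rules() {
  dumpcmd=$1; f=$2; max=$3
  tmp=$(mktemp "$f.XXXXXX") || return 1
  if ! $dumpcmd > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  cycle_backups "$f" "$max"
  mv -f "$tmp" "$f"
}

# use_backup <restorecmd> <file> [n]
# Feed <file>.n (default 1) to the restore command; refuse bad numbers and
# missing history files rather than restoring from the wrong level.
use_backup() {
  restorecmd=$1; f=$2; n=${3:-1}
  case $n in
    ''|*[!0-9]*|0) echo "bad backup number: $n" >&2; return 2 ;;
  esac
  [ -f "$f.$n" ] || { echo "no backup $f.$n" >&2; return 1; }
  $restorecmd < "$f.$n"
}
```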
ipfilter clear|flush
Remove iptables and any firewall setup, and if IPV4_FWDING_KERNEL is set
to FILTER_ON (see
network.conf(5)), disable all IPv4 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall, as it enables a reasonably
safe check to be made with the filtering down.
ipfilter forward|fwd
Turns on the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
network.conf(5)). Use with
caution as it will allow traffic through the box.
ipfilter noforward|nofwd
Turns off the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
network.conf(5)). Use with
caution as it will cut off reachability.
ipfilter fairq
Reload the IPv4
fairq chain that marks the packets for the
QoS interface transmit queues.
ip6filter load|reload
Load/reload the IPv6 iptables filters and reconfigure the firewalling,
either from the rules saved in
/etc/netscript/ip6tables (via
ip6tables-restore(8)) together with the QoS fair queuing setup,
or by executing the requisite configuration function from
/etc/netscript/ipfilter-defs-compiled.conf if using
ipfilter-defs(5) mode.
ip6filter save
Save the IPv6 iptables configuration to /etc/netscript/ip6tables via
ip6tables-save(8), after backing it up to
/etc/netscript/ip6tables.1 and cycling the previous backup files down through the configuration history.
This does not work if the IPv6 side of netscript is operating in
ipfilter-defs(5) mode.
ip6filter usebackup [ backup-number ]
Restore the setup from the IPv6 iptables backup configuration in
/etc/netscript/ip6tables.n (default 1) via
ip6tables-restore(8), or, if the ipfilter-defs(5) backend is used, from the requisite backup number in the
/etc/netscript/ipfilter-defs.conf history files.
ip6filter clear|flush
Remove the IPv6 iptables setup, and if IPV6_FWDING_KERNEL is set
to FILTER_ON (see
network.conf(5)), disable all IPv6 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall, as it enables a reasonably
safe check to be made with the filtering down.
ip6filter forward|fwd
Turns on the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
network.conf(5)). Use with
caution as it will allow traffic through the box.
ip6filter noforward|nofwd
Turns off the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
network.conf(5)). Use with
caution as it will affect reachability.
ip6filter fairq
Reload the IPv6
fairq chain that marks the packets for the
QoS interface transmit queues.