TUBS-IBR-LINUX-NETFILTER-MIB DEFINITIONS ::= BEGIN
-- @(#) $Id: TUBS-IBR-LINUX-NETFILTER-MIB,v 1.7 2002/08/26 16:46:14 wellnitz Exp $
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
Unsigned32, Counter64
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TruthValue, StorageType, RowStatus, TimeStamp
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddress, InetAddressPrefixLength
FROM INET-ADDRESS-MIB
ibr
FROM TUBS-SMI;
lnfMIB MODULE-IDENTITY
LAST-UPDATED "200207230000Z"
ORGANIZATION "TU Braunschweig"
CONTACT-INFO
"Frank Strauss, Oliver Wellnitz
TU Braunschweig
Muehlenpfordtstrasse 23
38106 Braunschweig
Germany
Tel: +49 531 391 3283
Fax: +49 531 391 5936
E-mail: {strauss,wellnitz}@ibr.cs.tu-bs.de"
DESCRIPTION
"Experimental MIB module for the Linux 2.4 netfilter
subsystem."
REVISION "200207260000Z"
DESCRIPTION
"The initial revision of this module. This revision does
not cover any match extensions and target extensions."
::= { ibr 13 }
--
-- The various groups defined within this MIB module:
--
lnfObjects OBJECT IDENTIFIER ::= { lnfMIB 1 }
lnfTraps OBJECT IDENTIFIER ::= { lnfMIB 2 }
lnfConformance OBJECT IDENTIFIER ::= { lnfMIB 3 }
--
-- Textual Conventions:
--
LnfTarget ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"This data type represents an action that is about to
be applied to a packet.
none(1): No action, except increasing counters.
other(2): An unknown extension action which cannot
be described by the values specified below.
drop(3): Drop the packet on the floor.
accept(4): Let the packet through.
queue(5): Pass the packet to userspace.
return(6): Stop traversing this chain and resume at the
next rule in the previous (calling) chain.
chain(7): Jump to the user chain specified by a
related object.
"
SYNTAX INTEGER {
none(1),
other(2),
drop(3),
accept(4),
queue(5),
return(6),
chain(7)
}
--
-- Object definitions:
--
lnfLastChange OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time of the last netfilter configuration change of any kind,
including any creation, deletion or modification of any table of this
MIB."
::= { lnfObjects 1 }
lnfTableTable OBJECT-TYPE
SYNTAX SEQUENCE OF LnfTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of all tables installed on the netfilter subsystem."
::= { lnfObjects 2 }
lnfTableEntry OBJECT-TYPE
SYNTAX LnfTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular netfilter table."
INDEX { lnfTableAddressType, lnfTableName }
::= { lnfTableTable 1 }
LnfTableEntry ::=
SEQUENCE {
lnfTableAddressType InetAddressType,
lnfTableName SnmpAdminString,
lnfTableLastChange TimeStamp
}
lnfTableAddressType OBJECT-TYPE
SYNTAX InetAddressType { ipv4(1), ipv6(2) }
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The address type for which the netfilter table works."
::= { lnfTableEntry 1 }
lnfTableName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of the netfilter table."
::= { lnfTableEntry 2 }
lnfTableLastChange OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time of the last modification of this netfilter
table, including the creation or deletion of a netfilter
chain that belongs to this table."
::= { lnfTableEntry 3 }
--
lnfChainTable OBJECT-TYPE
SYNTAX SEQUENCE OF LnfChainEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of all chains installed on the netfilter
subsystem."
::= { lnfObjects 3 }
lnfChainEntry OBJECT-TYPE
SYNTAX LnfChainEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular netfilter chain."
INDEX { lnfTableAddressType, lnfTableName, lnfChainName }
::= { lnfChainTable 1 }
LnfChainEntry ::=
SEQUENCE {
lnfChainName SnmpAdminString,
lnfChainPackets Counter64,
lnfChainOctets Counter64,
lnfChainTarget LnfTarget,
lnfChainLastChange TimeStamp,
lnfChainStorage StorageType,
lnfChainStatus RowStatus
}
lnfChainName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The netfilter chain to which the rule belongs."
::= { lnfChainEntry 1 }
lnfChainPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets that passed this chain since
the rule was installed or reset."
::= { lnfChainEntry 2 }
lnfChainOctets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of octets that passed this chain since
the chain was installed or reset."
::= { lnfChainEntry 3 }
lnfChainTarget OBJECT-TYPE
SYNTAX LnfTarget { drop(3), accept(4), return(6) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The action that shall be applied to a packet if no rule
within the chain matches. Note that user-defined chains
only allow return(6)."
DEFVAL { return }
::= { lnfChainEntry 4 }
lnfChainLastChange OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time of the last modification of this netfilter
chain, including the creation or deletion of a netfilter
rule that belongs to this chain."
::= { lnfChainEntry 5 }
lnfChainStorage OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object defines whether this row is kept in
volatile storage and lost upon reboot or whether it
is backed up by stable storage or builtin."
::= { lnfChainEntry 6 }
lnfChainStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to create and delete rows in the
lnfChainTable."
::= { lnfChainEntry 7 }
--
lnfRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF LnfRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of all rules installed on the netfilter
subsystem."
::= { lnfObjects 4 }
lnfRuleEntry OBJECT-TYPE
SYNTAX LnfRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular netfilter rule. Rules
of different netfilter tables and chains are
distinguished by the corresponding index objects."
INDEX { lnfTableAddressType, lnfTableName,
lnfChainName, lnfRuleIndex }
::= { lnfRuleTable 1 }
LnfRuleEntry ::=
SEQUENCE {
lnfRuleIndex Unsigned32,
lnfRuleProtocol Unsigned32,
lnfRuleProtocolInv TruthValue,
lnfRuleSourceAddress InetAddress,
lnfRuleSourceAddressPrefixLength InetAddressPrefixLength,
lnfRuleSourceAddressInv TruthValue,
lnfRuleDestinationAddress InetAddress,
lnfRuleDestinationAddressPrefixLength InetAddressPrefixLength,
lnfRuleDestinationAddressInv TruthValue,
lnfRuleInInterface SnmpAdminString,
lnfRuleInInterfaceInv TruthValue,
lnfRuleOutInterface SnmpAdminString,
lnfRuleOutInterfaceInv TruthValue,
lnfRuleFragment TruthValue,
lnfRuleFragmentInv TruthValue,
lnfRulePackets Counter64,
lnfRuleOctets Counter64,
lnfRuleTarget LnfTarget,
lnfRuleTargetChain SnmpAdminString,
lnfRuleTrapEnable TruthValue,
lnfRuleLastChange TimeStamp,
lnfRuleStorage StorageType,
lnfRuleStatus RowStatus
}
lnfRuleIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique number identifying the rule within a netfilter
chain."
::= { lnfRuleEntry 1 }
lnfRuleProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The protocol of the rule. The number zero matches all
protocols."
DEFVAL { 0 }
::= { lnfRuleEntry 2 }
lnfRuleProtocolInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleProtocol test
has to be inverted."
DEFVAL { false }
::= { lnfRuleEntry 3 }
lnfRuleSourceAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The source address of a packet. The exact format depends
on the address type specified by lnfRuleAddressType.
This test is applied for an address prefix whose length
is specified by lnfRuleSourceAddressPrefixLength.
If a new row is created this object should default to
an all-zeros value with a length approrpiate for the
corresponding lnfRuleAddressType object value."
::= { lnfRuleEntry 4 }
lnfRuleSourceAddressPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The network prefix length associated with
lnfRuleSourceAddress."
DEFVAL { 0 }
::= { lnfRuleEntry 5 }
lnfRuleSourceAddressInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleSourceAddress
and lnfRuleSourceAddressPrefixLength test has to
be inverted."
DEFVAL { false }
::= { lnfRuleEntry 6 }
lnfRuleDestinationAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The destination address of a packet. The exact format
depends on the address type specified by
lnfRuleAddressType. This test is applied for an address
prefix whose length is specified by
lnfRuleDestinationAddressPrefixLength.
If a new row is created this object should default to
an all-zeros value with a length approrpiate for the
corresponding lnfRuleAddressType object value."
::= { lnfRuleEntry 7 }
lnfRuleDestinationAddressPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The network prefix length associated with
lnfRuleDestinationAddress."
DEFVAL { 0 }
::= { lnfRuleEntry 8 }
lnfRuleDestinationAddressInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleDestinationAddress
and lnfRuleDestinationAddressPrefixLength test has to
be inverted."
DEFVAL { false }
::= { lnfRuleEntry 9 }
lnfRuleInInterface OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..16))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Name of an interface via which a packet is going to be
received (only for packets entering the INPUT, FORWARD and
PREROUTING chains). If the interface name ends in a '+',
then any interface which begins with this name will match.
If this is an empty string, any interface name will match."
DEFVAL { "" }
::= { lnfRuleEntry 10 }
lnfRuleInInterfaceInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleInInterface test
has to be inverted."
DEFVAL { false }
::= { lnfRuleEntry 11 }
lnfRuleOutInterface OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..16))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Name of an interface via which a packet is going to be
sent (for packets entering the FORWARD, OUTPUT and
POSTROUTING chains). If the interface name ends in a '+',
then any interface which begins with this name will match.
If this is an empty string, any interface name will match."
DEFVAL { "" }
::= { lnfRuleEntry 12 }
lnfRuleOutInterfaceInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleOutInterface test
has to be inverted."
DEFVAL { false }
::= { lnfRuleEntry 13 }
lnfRuleFragment OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If this flag is true, the rule only refers to second and
further fragments of fragmented packets. Since there is
no way to tell the source or destination ports of such a
packet (or ICMP type), such a packet will not match any
rules which specify them."
DEFVAL { false }
::= { lnfRuleEntry 14 }
lnfRuleFragmentInv OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This flag specifies whether the lnfRuleFragmentInv test,
if true, has to be inverted. An inverted rule will only
match head fragments, or unfragmented packets."
DEFVAL { false }
::= { lnfRuleEntry 15 }
lnfRulePackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets that matched this rule since
the rule was installed or reset."
::= { lnfRuleEntry 16 }
lnfRuleOctets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of octets that matched this rule since the
rule was installed or reset."
::= { lnfRuleEntry 17 }
lnfRuleTarget OBJECT-TYPE
SYNTAX LnfTarget
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The action that shall be applied to a packet if the
rule matches. If the value is chain(7), then jump to
the user chain specified by lnfRuleTargetChain."
DEFVAL { none }
::= { lnfRuleEntry 18 }
lnfRuleTargetChain OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the target chain if the value of
lnfRuleTarget is chain(7)."
::= { lnfRuleEntry 19 }
lnfRuleTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether lnfRuleMatch traps should be
generated for packets matching this rule. Note
that it's up to the implementation to delay and
accumulate mutliple traps in order to reduce the
number of emitted traps."
DEFVAL { false }
::= { lnfRuleEntry 20 }
lnfRuleLastChange OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time of the last modification of this netfilter rule.
If it has been unchanged since the last re-initialization
of the local network management subsystem, then this
object contains a zero value."
::= { lnfRuleEntry 21 }
lnfRuleStorage OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object defines whether this row is kept in
volatile storage and lost upon reboot or whether it
is backed up by stable storage or builtin."
::= { lnfRuleEntry 22 }
lnfRuleStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to create and delete rows in the
lnfRuleTable."
::= { lnfRuleEntry 23 }
--
-- Notifications:
--
lnfNotifications OBJECT IDENTIFIER ::= { lnfTraps 0 }
lnfRuleMatch NOTIFICATION-TYPE
OBJECTS { lnfRulePackets, lnfRuleOctets }
STATUS current
DESCRIPTION
"A lnfRuleMatch trap signifies that the rule to which
the lnfRulePackets and lnfRuleOctets objects belong
was matched by at least one packets since the last
trap for the same rule was emitted.
The agent may delay and accumulate mutliple traps in order
to reduce the number of emitted traps, but the time for
accumulation should be no more than 60 seconds.
Note that detailed information on the packet(s) that
triggered a trap is not available from the trap's
objects. This would cause problems with the accumulation
of matches and/or increased trap traffic."
::= { lnfNotifications 1 }
--
-- Conformance statements:
--
lnfCompliances OBJECT IDENTIFIER ::= { lnfConformance 1 }
lnfGroups OBJECT IDENTIFIER ::= { lnfConformance 2 }
lnfCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for an SNMP entity which
implements the Linux Netfilter MIB."
MODULE -- this module
MANDATORY-GROUPS { lnfGeneralGroup, lnfNotificationGroup }
-- OBJECT lnfTableAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- "Other address types than IPv4 and IPv6 are not required."
::= { lnfCompliances 1 }
lnfGeneralGroup OBJECT-GROUP
OBJECTS {
lnfLastChange,
lnfTableLastChange,
lnfChainPackets, lnfChainOctets, lnfChainTarget,
lnfChainLastChange, lnfChainStorage, lnfChainStatus,
lnfRuleProtocol, lnfRuleProtocolInv,
lnfRuleSourceAddress, lnfRuleSourceAddressPrefixLength,
lnfRuleSourceAddressInv, lnfRuleDestinationAddress,
lnfRuleDestinationAddressPrefixLength,
lnfRuleDestinationAddressInv, lnfRuleInInterface,
lnfRuleInInterfaceInv, lnfRuleOutInterface,
lnfRuleOutInterfaceInv, lnfRuleFragment,
lnfRuleFragmentInv, lnfRulePackets, lnfRuleOctets,
lnfRuleTarget, lnfRuleTargetChain, lnfRuleTrapEnable,
lnfRuleLastChange, lnfRuleStorage, lnfRuleStatus
}
STATUS current
DESCRIPTION
"A collection of all Linux Netfilter objects of
the core table."
::= { lnfGroups 1 }
lnfNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
lnfRuleMatch
}
STATUS current
DESCRIPTION
"A collection of all Linux Netfilter notifications."
::= { lnfGroups 2 }
END