.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NETSCRIPT 8 "January 9, 2014"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
netscript \- netscript network configuration command
.SH SYNOPSIS
.B netscript start|stop|reload|restart
.br
.B netscript ifup|ifdown|ifqos|ifreload
.I <interface-name>|all
.br
.B netscript ipfilter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ipfilter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ipfilter exec
.I <function-name1>|<function-name2> [chain p1 p2 ...]
.br
.B netscript ip6filter load|clear|fairq|flush|reload|save
.br
.BI netscript\ ip6filter\ usebackup\ [ \ backup-number\ ]
.br
.B netscript ip6filter exec
.I <function-name1>|<function-name2> [chain p1 p2 ...]
.br
.SH DESCRIPTION
This manual page briefly documents the
.B netscript
command from the netscript router/firewall network configuration
package.
This command is used to configure/reconfigure the interface
configuration, ipchains filter setup, and ip route service (
.B QoS
) setup that are configured in netscript's configuration files. It can
manipulate individual interfaces, and reconfigure the iptables filter
contents and firewall setup, or reconfigure the
.B QoS
setup.
It is rather incomplete, as it does not fully describe the
finely tuned manipulations that happen due to netscript's design, which
enables a Linux box to serve as a high-availability, heavy-duty,
mission-critical network router or firewall.
.SH IPTABLES CONFIGURATION
Configuration saving is done by
.BR iptables-save (8)
and
.BR iptables-restore (8).
.SH OPTIONS
.TP
.B start
Set up networking configuration by loading iptables filters, setting
up bridge, configuring interfaces and running any configured lower
layer protocol daemons or commands. For use from a startup script.
.TP
.B stop
Shut everything down. For use from a startup script.
.TP
.B reload
Refresh the setup of netscript (except for kernel modules) from the
configuration files in /etc/netscript.
.TP
.B restart|force-reload
Stop everything and then start everything again. For use from a startup
script.
.TP
.BI ifup \ <interface-name>|all
Bring interface(s) up by starting any protocol daemons
and configuring interfaces.
.TP
.BI ifdown \ <interface-name>|all
Shut down said interface(s) by doing the reverse of ifup.
.TP
.BI ifqos \ <interface-name>|all
Reload QoS configuration for interface(s).
.TP
.BI ifreload \ <interface-name>|all
Refresh the interface setup and implement any configuration changes.
.TP
.BI ifreset \ <interface-name>|all
Shutdown and then restart interface(s), reloading configuration from
lower layer up to the network layer.
.TP
.B ipfilter load|reload
Load/reload the IPv4 iptables filters and reconfigure the firewalling,
from that saved in
.I /etc/netscript/iptables
(via
.B iptables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ipfilter save
Save the IPv4 iptables configuration to /etc/netscript/iptables via
.B iptables-save(8)
, after backing it up to
.I /etc/netscript/iptables.1
and cycling the previous backup files down through the configuration history.
.TP
.BI ipfilter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv4 iptables backup configuration from
.I /etc/netscript/iptables.n
( default 1 ) via
.B iptables-restore(8).
.TP
.B ipfilter clear|flush
Remove iptables and any firewall setup, and if IPV4_FWDING_KERNEL is set
to FILTER_ON (see
.B network.conf(5)
), disables all IPv4 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably
safe check to be made with the filtering down.
.TP
.B ipfilter forward|fwd
Turns on the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ipfilter noforward|nofwd
Turns off the IPv4 kernel forwarding switch manually. This is irrespective
of the setting of IPV4_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will cut off reachability.
.TP
.B ipfilter fairq
Reload the IPv4
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
.TP
.B ip6filter load|reload
Load/reload the IPv6 iptables filters and reconfigure the firewalling,
from that saved in
.I /etc/netscript/ip6tables
(via
.B ip6tables-restore(8)
), and the QoS fair queuing setup.
.TP
.B ip6filter save
Save the IPv6 iptables configuration to /etc/netscript/ip6tables via
.B ip6tables-save(8)
, after backing it up to
.I /etc/netscript/ip6tables.1
and cycling the previous backup files down through the configuration history.
.TP
.BI ip6filter\ usebackup\ [ \ backup-number\ ]
Restore setup from the IPv6 iptables backup configuration from
.I /etc/netscript/ip6tables.n
( default 1 ) via
.B ip6tables-restore(8).
.TP
.B ip6filter clear|flush
Remove IPv6 iptables setup, and if IPV6_FWDING_KERNEL is set
to FILTER_ON (see
.B network.conf(5)
), disables all IPv6 packet forwarding on the router. Very useful for
debugging protocol problems on a firewall by enabling a reasonably
safe check to be made with the filtering down.
.TP
.B ip6filter forward|fwd
Turns on the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will allow traffic through the box.
.TP
.B ip6filter noforward|nofwd
Turns off the IPv6 kernel forwarding switch manually. This is irrespective
of the setting of IPV6_FWDING_KERNEL (see
.B network.conf(5)
). Use with
.I caution
as it will affect reachability.
.TP
.B ip6filter fairq
Reload the IPv6
.I fairq
chain that marks the packets for the
.B QoS
interface transmit queues.
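.PP
Because ipfilter forward|fwd switches forwarding on irrespective of
IPV4_FWDING_KERNEL, a box whose filters were cleared for debugging can be
left forwarding unfiltered traffic. The check below is an added example and
not part of netscript; the function names, the constructed sample ruleset and
the treatment of a missing filter table as ACCEPT are assumptions.
.PP
.nf
```sh
# Added example, not netscript code. Flags kernel forwarding that is on
# while the filter table's FORWARD chain is empty with an ACCEPT policy.
#   $1  file with the forwarding switch (live: /proc/sys/net/ipv4/ip_forward)
#   $2  ruleset in iptables-save(8) format (live: saved iptables-save output)
# Returns 0 = acceptable, 1 = forwarding unfiltered, 2 = input unreadable.
audit_forwarding() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "error: unreadable input"; return 2; }
    fwd=$(cat "$1")
    if [ "$fwd" != "1" ]; then
        echo "ok: forwarding off"
        return 0
    fi
    # Only the *filter section counts; mangle also has a FORWARD chain.
    state=$(awk '
        substr($0, 1, 1) == "*"                    { in_filter = ($1 == "*filter"); next }
        in_filter && $1 == ":FORWARD"              { policy = $2 }
        in_filter && $1 == "-A" && $2 == "FORWARD" { rules++ }
        END {
            # Assumption: a missing filter table means the kernel default, ACCEPT.
            if (policy == "") policy = "ACCEPT"
            printf "%s %d", policy, rules
        }' "$2")
    policy=${state% *}
    rules=${state#* }
    if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
        echo "ALERT: forwarding on, FORWARD policy ACCEPT, 0 rules"
        return 1
    fi
    echo "ok: forwarding on, FORWARD policy $policy, $rules rule(s)"
    return 0
}

# Constructed sample: what iptables-save prints for an emptied filter table.
sample_cleared_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}
```
.fi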
.SH FILES
.I /etc/netscript/if.conf, /etc/netscript/ipfilter.conf,
.br
.I /etc/netscript/network.conf, /etc/netscript/qos.conf,
.br
.I /etc/netscript/iptables, /etc/netscript/ip6tables,
.br
.SH SEE ALSO
.BR if.conf (5),
.BR ipfilter.conf (5),
.BR network.conf (5),
.BR qos.conf (5),
.BR ip (8),
.BR tc (8),
.BR iptables (8),
.BR iptables-restore (8),
.BR iptables-save (8),
.BR ip6tables (8),
.BR ip6tables-restore (8),
.BR ip6tables-save (8),
.BR brcfg (8).
.br
.SH AUTHOR
This manual page was written by Matthew Grant <matt@mattgrant.net.nz>,
for the Debian GNU/Linux system (but may be used by others).
.SH BUGS
I wrote this manpage when I was half asleep...