Filtering can be applied to packets that are forwarded between different segments, i.e. between the D.M.Z. and LAN,
the D.M.Z. and WAN, and the WAN and LAN segments. Filtering is performed on the following information:
Protocol type (Type field in Ethernet)
IP address
TCP/UDP port number
ICMP message type
FEF Engine-filtering function
There are two filters, one for inbound packets and the other for outbound packets. A maximum of 64 entries can
be set per filter. Filtering can be applied to both IPv4 and IPv6 packets. Filtering can also be performed on packets
that encapsulate IP, such as PPPoE session-stage packets. In addition, filtering can be applied to the L3/L4
information of AH packets and to the IP addresses of ESP-type IPsec packets. The relation between the filter
and the FEF is shown in "NAT/IP forwarding function overview". When the Host Interface block receives a packet
from the switch block, the packet is first checked by the Rx filter and then forwarded to the NAT/IP forwarding block. The
Tx filter is applied after the packet has been processed by the NAT/IP forwarding block.
Filter Logging
This device can record several characteristics of the packets dropped by the filters. There are counters that
record the number of packets dropped, and buffers that store the first 60 bytes of up to four packets that
were dropped by the filters.
Each of the 64 filter table entries (in both the input and output filters) has a counter that counts up to 255.
When the counter overflows, the host is notified by assertion of an interrupt signal. The host may instead poll the counter
if required.
The buffers that store the packet headers (i.e. the first 60 bytes of each packet) can be configured either to (1) have
each newly matching packet overwrite the previously stored packet data, or (2) not overwrite the previously stored
packets but assert the interrupt signal as soon as all four buffers are occupied.