
packetfilter(SFF)


packetfilter -- SLIP and PPP packet filter specification file format

Format

tag keyword expression [ keyword expression ] [ keyword expression ]

Description

The /etc/pppfilter file stores packet filter specifications for both PPP and SLIP network interfaces. A PPP packet filter specification provides a means of limiting what packets pass through, bring up, or reset the idle timer of a PPP network interface. A SLIP packet filter specification provides a means of limiting what packets pass through a SLIP network interface. The /etc/pppfilter file is implemented by means of bpf(ADMP).

Each entry in /etc/pppfilter is a separate packet filter specification. Each entry consists of a tag and one, two, or three keywords. Each keyword requires an expression. Each field is separated from others by white space or a tab. Each entry may consist of up to 6144 characters. An entry may extend beyond a single line by ending each line of the entry but the last with a backslash (``\''). Comments begin with a ``#'' and extend to the end of the line. Blank lines, or lines beginning with a ``#'', are ignored.

Both PPP and SLIP use the value of the ``tag'' field to assign a filter specification to a network interface. For PPP, a link configuration entry in /etc/ppphosts includes the parameter ``filter=tag'' to specify a filter specification (see ppphosts(SFF)). For SLIP, the -p option with a tag value is passed to the slattach command (see slattach(ADMN)). Each interface may have its own packet filter specification, or two or more interfaces may share the same specification. PPP and SLIP interfaces may share the same specification. SLIP will only recognize the ``pass'' keyword (i.e. it will ignore the ``bringup'' and ``keepup'' keywords).

The keywords

For each of the following keywords, the absence of an expression indicates that all packets are considered to meet the selection criteria. Otherwise, only packets for which the expression is ``true'' are considered to meet the selection criteria.

bringup
This keyword may be used only in a PPP packet filter specification. By default, any type of packet causes a PPP network interface (if down) to be brought up. The expression following this keyword specifies what packets will be allowed to bring up a PPP interface, initiating establishment of a PPP link. Packets of this sort also must qualify to ``pass'' the link.

pass
This keyword may be used in both PPP and SLIP packet filter specifications. By default, any packet is allowed to traverse a SLIP or PPP network interface. The expression following this keyword specifies what will be allowed to traverse the interface. For PPP, only packets which would be passed can cause the link to be brought up.

keepup
This keyword may be used only in a PPP packet filter specification. By default, any packet may reset the interface idle timer, expiration of which causes the interface to be shut down. The expression following this keyword specifies what packets will reset the idle timer, thereby keeping the PPP network interface up.

The expressions

An expression consists of one or more primitives. Complex filter expressions may be built up by using the words and, or, or not to combine primitives (for example, ``host foo and not port ftp and not port ftp-data'').

To save typing, multiple primitives within the same entry which differ only by the value of the primitive variable may be combined. For example, ``dst port ftp or dst port ftp-data'' could be combined as ``dst port ftp or ftp-data''.

Allowable primitives are:


dst host HOST
True if the IP destination field of the packet is HOST, which may be either an address or a host name.

src host HOST
True if the IP source field of the packet is HOST, which may be either an address or a host name.

host HOST
True if either the IP source or destination field of the packet is HOST, which may be either an address or a host name.

dst net NET
True if the IP destination field of the packet includes a network number of NET, which may be either an address or a host name.

src net NET
True if the IP source field of the packet includes a network number of NET, which may be either an address or a host name.

net NET
True if either the IP source or destination field of the packet includes a network number of NET, which may be either an address or a host name.

dst port PORT
True if the packet is IP/TCP or IP/UDP and has a destination port value of PORT. PORT can be a number or a name used in /etc/services. If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (for example, dst port 513 will be true for both TCP/login traffic and UDP/who traffic, and port domain will be true for both TCP/domain and UDP/domain traffic).

src port PORT
True if the packet has a source port value of PORT.

port PORT
True if either the source or destination port of the packet is PORT. Any of the above port expressions can be prepended with the protocol name ``tcp'' or ``udp'' as in:

tcp src port port

The above expression matches only TCP/IP packets.


less LENGTH
True if the packet has a length less than or equal to LENGTH. This is equivalent to ``len <= LENGTH''.

greater LENGTH
True if the packet has a length greater than or equal to LENGTH. This is equivalent to ``len >= LENGTH''.

ip proto PROTOCOL
True if the packet is an IP packet of protocol type PROTOCOL. PROTOCOL can be a number or one of the names icmp, udp, or tcp.

tcp, udp, icmp
Replaces three separate instances of ``ip proto PROTOCOL'' where PROTOCOL is one of the above protocols.

ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions and looks up the local subnet mask.

ip multicast
True if the packet is an IP multicast packet.

EXPR  RELOP  EXPR
True if the relation holds, where RELOP is one of: >, <, >=, <=, =, or != and EXPR is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators: +, -, *, /, &, |, a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

proto [ expr : size ]

proto must be one of ip, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

For example, the expression ``ip[0] & 0xf != 5'' catches all IP packets with options. The expression ``ip[2:2] & 0x1fff = 0'' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always means the first byte of the TCP header and never means the first byte of an intervening fragment.


Primitives may be combined using a parenthesized group of primitives and operators:

Negation (``!'' or ``not'')
Concatenation (``and'')
Alternation (``or'')

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit ``and'' tokens, not juxtaposition, are required for concatenation.

Examples

The following filter specification describes the default behavior for a dynamic PPP link:
default  bringup  !port ntp and !port who and !port route\
                  and !port timed and !port bgp and !ip proto 8\
                  and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
                  and icmp[20]!=10
         pass     \
         keepup   !port ntp and !port who and !port route\
                  and !port timed and !port bgp and !ip proto 8\
                  and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
                  and icmp[20]!=10
The above specification does not allow ntp, rwhod, routed, timed, gated, and irdd packets to bring up or keep up the link. The above specification does allow all packets to pass the link.

Files

/etc/pppfilter

See also

bpf(ADMP), pppd(ADMN), ppphosts(SFF), slattach(ADMN)
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003