packetfilter(SFF)

packetfilter -- SLIP and PPP packet filter specification file format
Format
tag keyword expression
[ keyword expression ]
[ keyword expression ]
Description
The /etc/pppfilter file stores packet filter specifications for
both PPP and SLIP network interfaces.
A PPP packet filter specification
provides a means of limiting which packets may pass through a PPP
network interface, bring it up, or reset its idle timer.
A SLIP packet filter specification
provides a means of limiting what packets pass through a
SLIP network interface. The /etc/pppfilter file
is implemented by means of
bpf(ADMP).
Each entry in /etc/pppfilter is a separate packet filter
specification.
Each entry consists of a tag and one, two, or three keywords.
Each keyword requires an expression.
Each field is separated from others by white space or a tab.
Each entry may consist of up to 6144 characters.
An entry may extend beyond a single line by ending each line of the
entry but the last with a backslash (``\'').
Comments begin with a ``#'' and extend to the end of the line.
Blank lines, or lines beginning with a ``#'', are ignored.
Both PPP and SLIP use the value of the ``tag''
field to assign a filter specification to a network interface.
For PPP, a link configuration entry in
/etc/ppphosts includes the
parameter ``filter=tag''
to specify a filter specification (see
ppphosts(SFF)).
For SLIP, the -p option with
a tag value is passed to the slattach
command (see
slattach(ADMN)).
Each interface may have its own packet filter specification or
two or more interfaces may share the same specification.
PPP and SLIP interfaces may share the same specification.
SLIP recognizes only the ``pass'' keyword (i.e. it ignores
the ``bringup'' and ``keepup'' keywords).
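The parser below is added here as an illustration and is not code from the SCO release. It reads text in the /etc/pppfilter format described above (``#'' comments, blank lines, backslash continuation, the 6144-character entry limit and the tag/keyword/expression layout) and resolves a tag the way a PPP link (``filter=tag'' in /etc/ppphosts) or a SLIP link (``slattach -p tag'') would use it. The sample file text embedded in it is constructed; the names entries, parse_entry, parse_pppfilter, filter_for and is_valid_entry are this example's own; and applying the length limit to the joined, comment-stripped entry is an assumption, since the page does not say how continuation lines are counted.

```python
"""Parser for the /etc/pppfilter format described above: an added example, not
SCO's own code. Handles '#' comments, blank lines, backslash continuation, the
6144-character entry limit and the tag/keyword/expression layout, and resolves a
tag the way a PPP link (filter=tag in /etc/ppphosts) or a SLIP link (slattach -p
tag) would use it. Assumption: the length limit is applied to the joined entry
with comments removed; the page does not say how continuation lines count."""

KEYWORDS = ("bringup", "pass", "keepup")
MAX_ENTRY = 6144

# Constructed sample file, not a real /etc/pppfilter.
SAMPLE = r"""# dynamic link: routing chatter must not dial or hold the line
default bringup !port ntp and !port who and !port route \
        and !port timed and !port bgp and !ip proto 8 \
        and !ip proto 63 and !ip proto 89 \
        pass \
        keepup !port ntp and !port who and !port route

lab pass net 192.0.2.0    # a trailing comment is allowed
"""


def entries(text):
    """Yield one logical entry per specification: comments stripped, continuation
    lines joined, runs of white space collapsed, blank lines dropped."""
    buf = []
    for raw in text.splitlines() + [""]:          # the final "" flushes an open continuation
        line = raw.split("#", 1)[0].rstrip()      # a comment runs to the end of the line
        if line.endswith("\\"):                   # continued on the next line
            buf.append(line[:-1])
            continue
        entry, buf = " ".join(" ".join(buf + [line]).split()), []
        if entry:
            yield entry


def parse_entry(entry):
    """'tag keyword [expr] [keyword [expr]]...' -> (tag, {keyword: expr}).
    An absent expression is the empty string: every packet qualifies."""
    if len(entry) > MAX_ENTRY:
        raise ValueError("entry longer than %d characters" % MAX_ENTRY)
    tag, *tokens = entry.split()
    if not tokens or tokens[0] not in KEYWORDS:
        raise ValueError("%s: expected %s after the tag" % (tag, "/".join(KEYWORDS)))
    spec, current = {}, None
    for tok in tokens:
        if tok in KEYWORDS:
            if tok in spec:
                raise ValueError("%s: keyword %r given twice" % (tag, tok))
            current, spec[tok] = tok, []
        else:
            spec[current].append(tok)
    return tag, {kw: " ".join(words) for kw, words in spec.items()}


def parse_pppfilter(text):
    """Map every tag in the file to its {keyword: expression} specification."""
    specs = {}
    for entry in entries(text):
        tag, spec = parse_entry(entry)
        if tag in specs:
            raise ValueError("duplicate tag %r" % tag)
        specs[tag] = spec
    return specs


def filter_for(specs, tag, link):
    """What the interface actually applies: PPP honours all three keywords,
    SLIP recognises only 'pass' and ignores bringup and keepup."""
    return {kw: e for kw, e in specs[tag].items() if link != "slip" or kw == "pass"}


def is_valid_entry(entry):
    """True if parse_entry accepts the entry (handy for linting a file)."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False
```

Running parse_pppfilter over SAMPLE yields two tags; for ``default'' the ``pass'' keyword maps to the empty string (all packets pass), and filter_for(specs, "default", "slip") keeps only that ``pass'' entry, which is what a SLIP interface handed ``-p default'' would see.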
The keywords
For each of following keywords the absence of an expression indicates
that all packets are considered to meet the
selection criteria.
Otherwise, only packets for which the expression is ``true'' are
considered to meet the selection criteria.
bringup-
This keyword may be used only in a PPP packet filter specification.
By default, any type of packet causes a PPP network
interface (if down) to be brought up.
The expression following this keyword specifies what
packets will be allowed to bring up a PPP interface,
initiating establishment of a PPP link.
Packets of this sort also must qualify
to ``pass'' the link.
pass-
This keyword may be used in both PPP and SLIP packet
filter specifications.
By default, any packet is allowed to traverse a SLIP or PPP
network interface.
The expression following this keyword specifies what
will be allowed to traverse the interface.
For PPP, only packets which would be
passed can cause the link to be brought up.
keepup-
This keyword may be used only in a PPP packet filter specification.
By default, any packet may reset the interface idle timer,
expiration of which causes the interface to be shut down.
The expression following this keyword specifies what
packets will reset the idle timer, thereby
keeping the PPP network interface up.
The expressions
An expression consists of one or more primitives.
Complex filter expressions may be built up by using the words
and, or, or not to combine primitives
(for example, ``host foo and not port
ftp and not port ftp-data'').
To save typing, multiple primitives within the same entry which
only differ by the value of the primitive variable may be combined.
For example, `dst port ftp or dst port ftp-data' may be
written as `dst port ftp or ftp-data'.
Allowable primitives are:
dst host HOST-
True if the IP destination field of the packet
is HOST,
which may be either an address or a host name.
src host HOST-
True if the IP source field of the packet
is HOST,
which may be either an address or a host name.
host HOST-
True if either the IP source or destination field of the
packet is HOST,
which may be either an address or a host name.
dst net NET-
True if the IP destination field of the packet includes
a network number of NET,
which may be either an address or a host name.
src net NET-
True if the IP source field of the packet includes a
network number of NET,
which may be either an address or a host name.
net NET-
True if either the IP source or destination field
of the packet includes a network number of
NET, which may be either an address or
a host name.
dst port PORT-
True if the packet is IP/TCP or
IP/UDP and has a destination port value
of PORT. PORT can
be a number or a name used in /etc/services. If
a name is used, both the port number and protocol are
checked. If a number or ambiguous name is used, only the
port number is checked (for example, dst port 513
will be true for both TCP/login traffic and
UDP/who traffic, and
port domain will be true for both TCP/domain and
UDP/domain traffic).
src port PORT-
True if the packet has a source port value of PORT.
port PORT-
True if either the source or destination port of the
packet is PORT. Any of the above port expressions can be
prefixed with the protocol name ``tcp'' or ``udp'', as in
``tcp src port PORT'', which matches only TCP packets
with that source port.
less LENGTH-
True if the packet has a length less than or equal to
LENGTH.
This is equivalent to ``len <= LENGTH''.
greater LENGTH-
True if the packet has a length greater than or equal
to LENGTH.
This is equivalent to ``len >= LENGTH''.
ip proto PROTOCOL-
True if the packet is an IP packet of protocol
type PROTOCOL.
PROTOCOL can be a number or one of the
names icmp, udp, or tcp.
tcp, udp, icmp-
Abbreviations for ``ip proto tcp'', ``ip proto udp'' and
``ip proto icmp'' respectively.
ip broadcast-
True if the packet is an IP broadcast packet. It checks for
both the all-zeroes and all-ones broadcast conventions and
looks up the local subnet mask.
ip multicast-
True if the packet is an IP multicast packet.
EXPR RELOP EXPR-
True if the relation holds, where RELOP is one
of: >, <, >=, <=, =, or != and EXPR
is an arithmetic expression composed of
integer constants (expressed in standard C syntax), the normal
binary operators: +, -, *, /, &, |, a length operator,
and special packet data accessors.
To access data inside the packet, use the following syntax:
proto [ expr : size ]
proto must be one of ip, tcp, udp,
or icmp, and indicates the
protocol layer for the index operation. The byte offset,
relative to the indicated protocol layer, is given by expr.
size is optional and indicates the number of bytes in the
field of interest; it can be either one, two, or four, and
defaults to one. The length operator, indicated by
the keyword len, gives the length of the packet.
For example, the expression ``ip[0] & 0xf != 5'' catches all
IP packets with options (a header length other than five 32-bit
words). The expression ``ip[6:2] & 0x1fff = 0'' catches only
unfragmented datagrams and fragment zero of fragmented datagrams
(the fragment offset occupies the low 13 bits of bytes 6 and 7 of
the IP header). This check is implicitly applied to the TCP and
UDP index operations. For instance, tcp[0] always means the first
byte of the TCP header and never means the first byte of an
intervening fragment.
Primitives may be combined using a parenthesized group of
primitives and operators:
Negation (``!'' or ``not'')
Concatenation (``and'')
Alternation (``or'')
Negation has highest precedence. Alternation and
concatenation have equal precedence and associate left to
right. Note that explicit ``and'' tokens, not juxtaposition,
are required for concatenation.
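The evaluator below is an added example, not SCO's bpf(ADMP) code. It implements the grammar above (``not''/``!'' binding tightest, ``and'' and ``or'' at one precedence level associating left to right, parenthesized groups) together with a subset of the primitives (``[src|dst] port'', ``ip proto'', ``tcp''/``udp''/``icmp'', and relational tests over integer constants, the binary operators, and ``proto[expr:size]''), and evaluates expressions against IPv4 packets constructed in the code. Its assumptions are its own: arithmetic operators are applied left to right (the page does not give their precedence); ports are numeric, so /etc/services names and the ``dst port ftp or ftp-data'' shorthand are not handled; and an index into a protocol layer the packet does not carry, into a later fragment, or past the end of the packet makes that test false, as it does in tcpdump. host/net, len, less/greater, ip broadcast/multicast and the tcp/udp port prefix are not implemented. The names Filter and ipv4 are this example's.

```python
"""Evaluator for /etc/pppfilter expressions over raw IPv4 packets: an added example,
not SCO's bpf(ADMP) code. Grammar as on the page (not/! binds tightest; and/or share
one precedence level, left to right; ( ) groups). Primitives: [src|dst] port N, ip proto N,
tcp/udp/icmp, EXPR RELOP EXPR over integers, + - * / & | (left to right: an assumption)
and proto[off:size]; host/net, len, less/greater and the tcp/udp port prefix are omitted."""
import operator
import re
import struct

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
RELOPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
          "<=": operator.le, "=": operator.eq, "!=": operator.ne}
ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul,
         "/": lambda a, b: a // b if b else None, "&": operator.and_, "|": operator.or_}
TOKEN_RE = re.compile(r">=|<=|!=|[()\[\]:<>=!+\-*/&|]|[A-Za-z0-9_.]+")

def field(pkt, proto, off, size):
    """proto[off:size] as an int. A wrong protocol, a later fragment (tcp/udp/icmp count from
    their header on fragment zero only) or an out-of-range access gives None -> test false."""
    base = 0 if proto == "ip" else (pkt[0] & 0xF) * 4
    if proto != "ip" and (pkt[9] != PROTO_NUM[proto] or pkt[6] & 0x1F or pkt[7]):
        return None
    if off is None or base + off + size > len(pkt):
        return None
    return int.from_bytes(pkt[base + off:base + off + size], "big")

def number(tok):                      # a protocol name or a C-style integer literal
    return PROTO_NUM.get(tok) or int(tok, 0)

class Filter:                         # Filter(expr).match(pkt) -> bool; "" matches everything
    def __init__(self, text):
        self.toks, self.i = TOKEN_RE.findall(text), 0
        if "".join(self.toks) != "".join(text.split()):   # a character no token matched
            raise ValueError("bad character in %r" % text)
        self.match = self.expr() if self.toks else (lambda p: True)
        if self.peek() is not None:
            raise ValueError("trailing tokens %r" % self.toks[self.i:])
    def peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None
    def take(self, expect=None):
        tok, self.i = self.peek(), self.i + 1
        if tok is None or (expect and tok != expect):
            raise ValueError("expected %r, got %r" % (expect or "a token", tok))
        return tok
    def expr(self):                   # and / or: equal precedence, left to right
        left = self.unary()
        while self.peek() in ("and", "or"):
            op, l, r = self.take(), left, self.unary()
            left = lambda p, op=op, l=l, r=r: l(p) and r(p) if op == "and" else l(p) or r(p)
        return left
    def unary(self):                  # not / ! bind tightest; ( ) groups
        if self.peek() in ("not", "!"):
            self.take()
            return (lambda f: lambda p: not f(p))(self.unary())
        if self.peek() != "(":
            return self.primitive()
        self.take()
        inner, _ = self.expr(), self.take(")")
        return inner
    def primitive(self):
        t = self.peek()
        if t in PROTO_NUM and self.peek(1) != "[":        # bare tcp / udp / icmp
            return lambda p, n=PROTO_NUM[self.take()]: p[9] == n
        if t == "ip" and self.peek(1) == "proto":         # ip proto N (number or name)
            self.i += 2
            return lambda p, n=number(self.take()): p[9] == n
        if t in ("src", "dst", "port"):                   # [src|dst] port N: +0 src, +2 dst
            side = self.take() if t != "port" else None
            self.take("port")
            n, offs = int(self.take(), 0), {"src": (0,), "dst": (2,), None: (0, 2)}[side]
            return lambda p: any(field(p, l, o, 2) == n for l in ("tcp", "udp") for o in offs)
        left, op, right = self.arith(), self.take(), self.arith()
        if op not in RELOPS:
            raise ValueError("expected relational operator, got %r" % op)
        return lambda p: (lambda a, b: None not in (a, b) and RELOPS[op](a, b))(left(p), right(p))
    def arith(self):                  # None (bad access) propagates through arithmetic
        left = self.atom()
        while self.peek() in ARITH:
            op, l, r = self.take(), left, self.atom()
            left = lambda p, op=op, l=l, r=r: (lambda a, b: None if None in (a, b)
                                                else ARITH[op](a, b))(l(p), r(p))
        return left
    def atom(self):
        tok = self.take()
        if tok not in ("ip", "tcp", "udp", "icmp") or self.peek() != "[":
            return lambda p, n=int(tok, 0): n
        self.take("[")
        off, size = self.arith(), 1
        if self.peek() == ":":
            size = int((self.take(), self.take())[1], 0)
        self.take("]")
        if size not in (1, 2, 4): raise ValueError("size must be 1, 2 or 4")
        return lambda p: field(p, tok, off(p), size)

def ipv4(proto, payload, options=b"", frag=0):
    """Constructed IPv4 packet 10.0.0.1 -> 192.0.2.5 (sample input, not a capture)."""
    hlen = 20 + len(options)          # frag: raw flags+offset field; options: multiple of 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | hlen // 4, 0, hlen + len(payload), 0x1234,
                       frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 5])) + options + payload
```

Under the page's left-to-right rule, Filter("icmp or udp and tcp") groups as (icmp or udp) and tcp and is therefore false for an ICMP packet; write ``icmp or (udp and tcp)'' to get the C-style grouping. A later fragment of a TCP datagram matches neither ``dst port 22'' nor ``tcp[2:2] = 22'', and an index past the end of the packet, such as ``icmp[20]'' on an 8-byte ICMP message, evaluates false instead of reading beyond the data.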
Examples
The following filter specification describes the default behavior
for a dynamic PPP link:
default bringup !port ntp and !port who and !port route\
and !port timed and !port bgp and !ip proto 8\
and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
and icmp[20]!=10\
pass \
keepup !port ntp and !port who and !port route\
and !port timed and !port bgp and !ip proto 8\
and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
and icmp[20]!=10
The above specification does not allow ntp, rwhod,
routed, timed, gated, and irdd packets (the ntp, who, route,
timed and bgp ports, IP protocols 8, 63 and 89, and ICMP
router advertisements and solicitations) to bring up or keep up
the link, while allowing all packets to pass the link.
Note that by the index syntax defined above, ``icmp[20]'' is byte 20
of the ICMP header, whereas the ICMP type field (9 for router
advertisement, 10 for router solicitation) is byte 0 of that header,
i.e. ``icmp[0]''; check the offsets against the bpf(ADMP)
implementation on your system before relying on this entry.
Files
/etc/pppfilter
See also
bpf(ADMP),
pppd(ADMN),
ppphosts(SFF),
slattach(ADMN)
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003