HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

251

252

253

254

255

256

257

258

259

260

ppp.Filter(4) ppp.Filter(4)

NAME

ppp.Filter - PPP packet ﬁlter speciﬁcation ﬁle format

DESCRIPTION

The ﬁle

/etc/ppp/Filter

describes how on-demand PPP links are to be managed. By default, any

type of packet causes the link (if down) to be brought up (connected to its remote end); any packet is

allowed to traverse the link; and any packet is sufﬁcient to reset the idle timer, expiration of which would

cause the link to be shut down. This combination is not always appropriate behavior, so the ﬁlter ﬁle

allows individual control based on the packet type and its source or destination. These selection criteria

may be speciﬁed for any of the three phases of operation: bringing up the link, passing packets on the

link, and shutting down the link due to inactivity. Packet logging detail may also be selected using the

same criteria.

Format

Comments begin with a ‘#’ and extend to the end of the line; blank lines, or lines beginning with a ‘#’, are

ignored. Upper/lower case distinctions are ignored in hostname speciﬁcations, but are signiﬁcant else-

where. Fields are separated by horizontal or vertical white space (blanks or tabs or newlines).

If a line begins with a hostname or IP address or the special word ‘default’, that line is considered to be

the beginning of a new set of ﬁltering speciﬁcations. The ﬁltering speciﬁcations will be applied to any

packet crossing the point-to-point link connecting this host to the peer named by that initial hostname or

IP address. The hostname or IP address in the ﬁrst column of the ﬁlter ﬁle refers to the peer (system or

router or terminal server) at the remote end of the point-to-point (PPP or SLIP) link. The hostname or IP

address in the ﬁrst column of the ﬁlter ﬁle, and associated with the link peer, is unrelated to the source or

destination IP address of any packet crossing the link. If the link peer’s address doesn’t match any name

or address speciﬁed in the ﬁrst column of ﬁlter ﬁle, the ﬁlter speciﬁcation following the special word

‘default’ will be used.

If a newline is followed by white space, that line is a continuation of the ﬁltering speciﬁcation already in

progress.

There are four keywords to describe the actions taken by

pppd in response to a particular packet:

bringup Describes those packets that will cause a call to be placed and a connection initiated.

Packets of this sort also must qualify to ‘pass’ across the link, either by being explicitly

mentioned or by inclusion in a larger class in the ‘pass’ section.

pass Describes those packets that will be allowed to traverse the link on an already-

established connection. Only packets which would be passed can cause the link to be

brought up. Any packet that is not passed is optionally logged, then discarded.

keepup Describes packets that will reset the idle timer, thereby keeping the line connected.

log Describes packets whose headers or contents are to be noted in the log ﬁle.

After each action keyword comes stanzas, separated by white space, describing packets that ﬁt the cri-

teria for that action. Each stanza is processed in the order shown in the ﬁle, and contain restrictions or

permissions on the packets encountered. As soon as a pattern or a condition is found that matches the

packet in question,

pppd takes the indicated action and ignores the rest of the listed stanzas (i.e.

inclusive or with shortcut evaluation).

Stanzas may contain IP protocol numbers, optionally hyphen-separated ranges of TCP or UDP port

numbers along with the

/tcp or /udp qualiﬁer, numbers representing ICMP message types or codes

(which can be found in <netinet/ip_icmp.h>) along with the ‘/icmp’ qualiﬁer, service names

corresponding to entries in /etc/services, or names or IP addresses of hosts or networks, or the spe-

cial keyword ‘all’, which is the default for all actions except ‘log’, where the default is ‘!all’. (Usually, it is

unnecessary to use ‘all’; as a convenience, pppd automatically adds a ‘!all’ at the end of a stanza list if the

last stanza is not negated, and add an ‘all’ at the end of a stanza list if the last stanza is negated. For

example, in the typical case of ‘log’ this sensibly results in only those packets matching the stanzas shown

being logged, and no others. In the typical case of ‘pass’, this results in certain listed packets being res-

tricted, but allowing the passage of all others.)

If a network is speciﬁed, either by name or by address, then the corresponding network mask must also

be speciﬁed if it is of a different size than the default for that class of network. The network mask and

additional ‘and’ conditions within a stanza are separated by slashes (‘/’), and may be speciﬁed either as a

series of decimal numbers separated by periods, or as a single 32-bit hexadecimal number. The sense of a

stanza may be negated by preﬁxing it with an exclamation mark (‘!’).

HP-UX 11i Version 2: August 2003 − 1 − Hewlett-Packard Company Section 4−−243