From owner-freebsd-questions  Fri Jul 25 08:42:49 1997
Return-Path: <owner-freebsd-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id IAA09021
          for questions-outgoing; Fri, 25 Jul 1997 08:42:49 -0700 (PDT)
Received: from imdave.pr.mcs.net (imdave@imdave.pr.mcs.net [205.164.3.77])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA09012;
          Fri, 25 Jul 1997 08:42:43 -0700 (PDT)
Received: (from imdave@localhost)
	by imdave.pr.mcs.net (8.8.6/8.8.6) id KAA01722;
	Fri, 25 Jul 1997 10:42:39 -0500 (CDT)
Date: Fri, 25 Jul 1997 10:42:39 -0500 (CDT)
From: Dave Bodenstab <imdave@mcs.net>
Message-Id: <199707251542.KAA01722@imdave.pr.mcs.net>
To: brian@freebsd.org, dburr@POBoxes.com, freebsd-questions@freebsd.org
Subject: Re: iijppp and debug level?
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> My iijppp is redialing like crazy.  I'd like to find out what types of
> packets are causing the redial, so that I can write an appropraite DFILTER
> entry.  But there is almost no documentation (that I could find) about the
> iijppp "set debug" option.  I don't even know if "set debug xxx" can tell
> me what type of packet caused the dial!  Can anyone help me out here?  If
> so please e-mail!  Thanks!

By coincidence I just went thru something like this in the past
couple of days.  I wanted to filter out all the packets from
ad.doubleclick.net, so I needed to figure out what packets to filter
and how to specify the filtering rules.  I got the latest ppp source from
http://(www.freebsd.org/~brian,ppp-970713.src.tar.gz and dove in.  I know
next to nothing about tcp and ppp protocols, but I figured out enough
for me to do what I wanted.

Here are the notes I made for myself for the set log command, the
syntax for the set filter commands, and (for what it's worth) the filter
commands I'm now using to successfully filter out ad.doubleclick.net.  BTW,
there's a bug in the set filter code.  The first chunk fixes what appears
to be a typo, and the second chunk eats a ``proto'' argument following a
single address; the fix is:

--- filter.c	1997/06/28 01:34:03	0.970713
+++ filter.c	1997/07/25 06:41:59	0.970713.1.2
@@ -308,7 +308,7 @@
 
   argc--; argv++;
 
-  if (ofp->action == A_DENY) {
+  if (fp->action == A_DENY) {
     if (STREQ(*argv, "host")) {
       fp->action |= A_UHOST;
       argc--; argv++;
@@ -331,6 +331,8 @@
 	if (proto) {
 	  argc--; argv++;
 	}
+      } else {
+	argc--; argv++;
       }
     } else {
       LogPrintf(LogWARN, "Parse: Address/protocol expected.\n");


Anyway, I think you just need to ``set log +TCP/IP'' to get a trace of
the packets.

Hope this helps.  (If you find something here that's incorrect, or if
there's a better way to do this, I'd appreciate a pointer.)

Dave Bodenstab
imdave@mcs.net

------------------------------------------------------------

Here are my notes:

SET LOG
-------

set log [-+]<log type>...

			   syslog
			  Priority   What it does
			 ========== ===================================
<log type> ::= Async	- LOG_INFO  Data read/written to modem
	       Carrier	- LOG_INFO  Matched line containing "CARRIER"
	       Chat	- LOG_INFO  Dialing and login conversation
	       Command	- LOG_INFO  ppp.conf/linkup and interactive commands
	       Connect	- LOG_INFO  Matched line containing "CONNECT"
	       Debug	- LOG_DEBUG  
	       HDLC	- LOG_INFO  HDLC packets?
	       LCP	- LOG_INFO  Initial negotiation packets
	       Link	- LOG_INFO  Breaks out OS Linkup/down and hisaddr= info from LCP
	       LQM	- LOG_INFO  LQR packets?
	       Phase	- LOG_INFO  State changes
	       TCP/IP	- LOG_INFO  Routing and TCP packet headers
	       Tun	- LOG_INFO  Inserts ``tunN'' in log messages
	       Warning	- LOG_WARN  
	       Error	- LOG_ERR   
	       Alert	- LOG_ALERT  


SET FILTER
----------

>From ``set log tcp/ip'' we see that each packet can be identified by:

	TYPE / DIRECTION / source ADDRESS / destination ADDRESS

where TYPE is tcp/udp/icmp, DIRECTION is input/output, and ADDRESS is
ip-number:port

In the BNF grammar that follows, TYPE corresponds to <proto>, DIRECTION
corresponds to the filter types `ifilter' and `ofilter', and ADDRESS is
the ip/port combination.  (How do afilter and dfilter fit in?)



BNF grammar:

<filter command> ::= 'set' <filter type> -1
		   | 'set' <filter type> NUMBER 'clear'
		   | 'set' <filter type> NUMBER <action> <proto>
		   | 'set' <filter type> NUMBER <action> <destination address> <proto>
		   | 'set' <filter type> NUMBER <action> <source address> <destination address> <proto>

<filter type> ::= 'afilter'             ;  keep Alive
		| 'dfilter'             ;  Dial
		| 'ifilter'             ;  Input
		| 'ofilter'             ;  Output

<action> ::= 'permit'
	   | 'deny' <deny type>

<deny type> ::= <empty>
	      | 'host'
	      | 'port'

<proto> ::= 'tcp' <tcpudp args>
	  | 'udp' <tcpudp args>
	  | 'icmp' <icmp args>

<tcpudp args> ::= <empty>
	        | 'src' <op> <port> <estab>
	        | 'dst' <op> <port> <estab>
	        | 'src' <op> <port> 'dst' <op> <port> <estab>

<op> ::= 'eq'
       | 'lt'
       | 'gt'

<port> ::= NAME
	 | NUMBER

<estab> ::= <empty>
	  | 'estab'

<icmp args> ::= <empty>
	      | 'src' 'eq' NUMBER

<source address> ::= <address>

<destination address> ::= <address>

<address> ::= 'MYADDR' <bits>
	    | 'HISADDR' <bits>
	    | NUMBER.NUMBER.NUMBER.NUMBER <bits>

<bits> ::= <empty>                ;  /32 assumed 
	 | / NUMBER



------------------------------------------------------------

Here is the section from ppp.linkup containing my filtering rules:

# Set routing
# Filter out packets from/to ad.doubleclick.net and the like
MCS:
  delete ALL
  add 0 0 HISADDR
  set ifilter 0 deny host 199.95.208.0/24 MYADDR tcp src eq http
  set ifilter 1 deny host 199.95.207.0/24 MYADDR tcp src eq http
  set ifilter 2 deny host 204.71.191.209 MYADDR tcp src eq http
  set ifilter 3 permit 0/0 0/0
  set ofilter 0 deny host 199.95.208.0/24 tcp dst eq http
  set ofilter 1 permit 0/0 0/0

------------------------------------------------------------