pfmod(7M) STREAMS Modules SunOS 5.5
commands and their semantics.
PACKET FILTERS A packet filter consists of the filter command list length (in units of u_shorts), and the
filter command list itself. (The priority field mentioned above is ignored in this
implementation.) Each filter command list specifies a sequence of actions that operate on an
internal stack of u_shorts (“shortwords”). Each shortword of the command list specifies
one of the actions ENF_PUSHLIT, ENF_PUSHZERO, ENF_PUSHONE, ENF_PUSHFFFF,
ENF_PUSHFF00, ENF_PUSH00FF, or ENF_PUSHWORD+n, which respectively push the next
shortword of the command list, zero, one, 0xFFFF, 0xFF00, 0x00FF, or shortword n of the
subject message on the stack, and a binary operator from the set {ENF_EQ, ENF_NEQ,
ENF_LT, ENF_LE, ENF_GT, ENF_GE, ENF_AND, ENF_OR, ENF_XOR} which then operates on
the top two elements of the stack and replaces them with its result. When both an action
and an operator are specified in the same shortword, the action is performed followed by
the operation.
The binary operator can also be from the set {ENF_COR, ENF_CAND, ENF_CNOR,
ENF_CNAND}. These are “short-circuit” operators, in that they terminate the execution of
the filter immediately if the condition they are checking for is found, and continue
otherwise. All pop two elements from the stack and compare them for equality; ENF_CAND
returns false if the result is false; ENF_COR returns true if the result is true; ENF_CNAND
returns true if the result is false; ENF_CNOR returns false if the result is true. Unlike the
other binary operators, these four do not leave a result on the stack, even if they continue.
The short-circuit operators should be used when possible, to reduce the amount of time
spent evaluating filters. When they are used, you should also arrange the order of the
tests so that the filter will succeed or fail as soon as possible; for example, checking the IP
destination field of a UDP packet is more likely to indicate failure than the packet type
field.
The special action ENF_NOPUSH and the special operator ENF_NOP can be used to only
perform the binary operation or to only push a value on the stack. Since both are
(conveniently) defined to be zero, indicating only an action actually specifies the action
followed by ENF_NOP, and indicating only an operation actually specifies ENF_NOPUSH
followed by the operation.
After executing the filter command list, a non-zero value (true) left on top of the stack (or
an empty stack) causes the incoming packet to be accepted and a zero value (false) causes
the packet to be rejected. (If the filter exits as the result of a short-circuit operator, the
top-of-stack value is ignored.) Specifying an undefined operation or action in the
command list or performing an illegal operation or action (such as pushing a shortword
offset past the end of the packet or executing a binary operator with fewer than two
shortwords on the stack) causes a filter to reject the packet.
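As an added example (not code from the pfmod module or from Sun), the C below implements the stack machine described above and runs it over a constructed filter that accepts only Ethernet/IP/UDP packets to port 53, failing early with ENF_CAND in the order the page recommends. The numeric values of the ENF_ constants, the 16-shortword stack limit, the 20-byte IP header and the shortword offsets in the sample filter are assumptions, not taken from this page.

```c
#include <stdint.h>
/* Numeric encoding is an assumption modelled on the classic packet-filter header (action
 * in the low 10 bits, operator in bits 10 and up); the man page gives no values. */
enum { ENF_NOPUSH, ENF_PUSHLIT, ENF_PUSHZERO, ENF_PUSHONE, ENF_PUSHFFFF, ENF_PUSHFF00,
       ENF_PUSH00FF, ENF_PUSHWORD = 16 };           /* ENF_PUSHWORD + n: packet word n */
enum { ENF_NOP = 0 << 10, ENF_EQ = 1 << 10, ENF_LT = 2 << 10, ENF_LE = 3 << 10,
       ENF_GT = 4 << 10, ENF_GE = 5 << 10, ENF_AND = 6 << 10, ENF_OR = 7 << 10,
       ENF_XOR = 8 << 10, ENF_COR = 9 << 10, ENF_CAND = 10 << 10, ENF_CNOR = 11 << 10,
       ENF_CNAND = 12 << 10, ENF_NEQ = 13 << 10 };
/* Evaluate a command list against a packet of shortwords: 1 = accept, 0 = reject. */
int pf_eval(const uint16_t *cmd, int cmdlen, const uint16_t *pkt, int pktlen)
{
    static const uint16_t lit[] = { 0, 0, 0, 1, 0xFFFF, 0xFF00, 0x00FF }; /* by action */
    uint16_t st[16], a, b, v; int sp = 0, i;        /* 16-entry stack: an assumed limit */
    for (i = 0; i < cmdlen; i++) {
        uint16_t act = cmd[i] & 0x3FF, op = cmd[i] & 0x3C00;
        if (act != ENF_NOPUSH) {                    /* the action runs before the operator */
            if (act == ENF_PUSHLIT) { if (++i >= cmdlen) return 0; v = cmd[i]; }
            else if (act <= ENF_PUSH00FF) v = lit[act];
            else if (act >= ENF_PUSHWORD && act - ENF_PUSHWORD < pktlen) v = pkt[act - ENF_PUSHWORD];
            else return 0;                          /* undefined action or offset past the packet */
            if (sp >= 16) return 0;                 /* stack overflow is an illegal action */
            st[sp++] = v;
        }
        if (op == ENF_NOP) continue;
        if (sp < 2) return 0;                       /* a binary operator needs two operands */
        b = st[--sp]; a = st[--sp];
        switch (op) {
        case ENF_EQ:  st[sp++] = a == b; break;   case ENF_NEQ: st[sp++] = a != b; break;
        case ENF_LT:  st[sp++] = a < b;  break;   case ENF_LE:  st[sp++] = a <= b; break;
        case ENF_GT:  st[sp++] = a > b;  break;   case ENF_GE:  st[sp++] = a >= b; break;
        case ENF_AND: st[sp++] = a & b;  break;   case ENF_OR:  st[sp++] = a | b;  break;
        case ENF_XOR: st[sp++] = a ^ b;  break;
        /* short-circuit operators: compare for equality, exit early, never push a result */
        case ENF_COR:  if (a == b) return 1; break;  case ENF_CAND:  if (a != b) return 0; break;
        case ENF_CNOR: if (a == b) return 0; break;  case ENF_CNAND: if (a != b) return 1; break;
        default: return 0;                          /* undefined operator */
        }
    }
    return sp == 0 || st[sp - 1] != 0;              /* empty stack or non-zero top accepts */
}
/* Constructed sample filter: Ethernet/IP/UDP to port 53. Word 6 is the Ethertype, the low
 * byte of word 11 the IP protocol, word 18 the UDP destination port (20-byte IP header). */
static const uint16_t dns_filter[] = {
    ENF_PUSHWORD + 6,  ENF_PUSHLIT | ENF_CAND, 0x0800,                     /* not IP: reject now */
    ENF_PUSHWORD + 11, ENF_PUSH00FF | ENF_AND, ENF_PUSHLIT | ENF_CAND, 17, /* not UDP: reject */
    ENF_PUSHWORD + 18, ENF_PUSHLIT | ENF_EQ, 53 };                         /* port test is the result */
int dns_filter_accepts(const uint16_t *pkt, int pktlen)
{ return pf_eval(dns_filter, (int)(sizeof dns_filter / sizeof dns_filter[0]), pkt, pktlen); }
```

A frame shorter than 19 shortwords is rejected by the ENF_PUSHWORD+18 step even when the earlier tests pass, which is the "offset past the end of the packet" rule above.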
EXAMPLES The packet filter module is not dependent on any particular device driver or module but
is commonly used with datalink drivers such as the Ethernet driver. If the underlying
datalink driver supports the Data Link Provider Interface (DLPI) message set, the
appropriate STREAMS DLPI messages must be issued to attach the stream to a particular
hardware device and bind a datalink address to the stream before the underlying driver
7M-256 modified 18 Sep 1992