Creating Packet Filters 12-5
Table 12-2 describes the instructions and stacks of a packet filter.
Table 12-2 Packet Filter Instructions and Stacks — Descriptions and Guidelines
Element Descriptions and Guidelines
Instructions Each instruction in a packet filter definition must be on a separate line in the packet
filter definition file.
Instruction format
An instruction consists of an opcode followed by explicit operands and a comment.
Although comments are optional, it is recommended that you use them throughout
the packet filter for easier administration of the filters. The opcode includes an explicit
operand size specification.
The general syntax of an instruction is:
<opcode>[.<size>] [<operand>...] [# <comment>]
For example:
pushliteral.l 0xffffff00 #load the type field mask
Use any combination of uppercase and lowercase letters for the opcode and size.
The contents of a line following the first # (outside a quoted string) are ignored.
Operand sizes
The following operand sizes are supported:
■ 1 byte = .b
■ 2 bytes = .w
■ 4 bytes = .l
■ 6 bytes = .a (Included primarily for use with 48-bit, IEEE, globally assigned MAC
addresses)
Maximum length
The maximum length for a filter definition is 4096 bytes.
Stack The packet filter language uses a stack to store the operands that will be used by an
instruction and the results of the instruction.
Operands are popped from the stack as required by the instructions. An instruction
using two or more operands takes the first operand from the top of the stack, with
subsequent operands taken in order from succeeding levels of the stack.
The stack is a maximum of 64 bytes long, with space in the stack allocated in multiples
of 4 bytes. This rule provides for a maximum of 16 operands on the stack.
An address size operand (.a) consumes 8 bytes on the stack, decreasing the maximum
number of operands on the stack.