The Packet Filtering Language

You define packet filters using a stack-oriented language, which uses a LIFO (last in, first out) queue when the packet filter is running. The program places values (called operands) on the stack and tests them with various logical expressions (called operators), such as and, or, equal, and not equal. These expressions typically test the values of various fields in the received packet, which include MAC addresses, type fields, IP addresses, or any field within the first 64 bytes of any frame.

Principles for Writing a Custom Filter

Before you write a packet filter, understand these basic principles:

- How the Packet Filter Language Works
- What Can You Filter?
- Implementing Sequential Tests in a Packet Filter

A packet filter program is stored in a preprocessed format to minimize the space that is required by the packet filter definition. Comments are stripped. When assigned to a port, the packet filter is converted from the stored format to a run-time format to optimize the performance of the filter. Each module is limited to a maximum of 16 packet filter programs.

How the Packet Filter Language Works

A program in the packet filter language typically consists of a series of one or more instructions that results in the top of the stack containing a byte value after execution of the last instruction in the program. This top-of-stack byte value determines whether to forward or discard the packet.

In this stack-oriented language, instructions:

- Push operands onto the stack
- Pop the operands from the stack for comparison purposes
- Push the results back onto the stack

Therefore, with the exception of the push instructions, instructions (such as logical operators) locate their operands implicitly and do not require additional operand specifiers in the instruction stream.

Opcodes are the variables that are used to identify the type of operands and operators you are specifying in the packet filter instructions.
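The evaluation model described above, as an added Python sketch that is not code from this manual or the product: push instructions carry explicit operands, operators pop two values and push one result, and the final top-of-stack byte decides the frame's fate. The instruction names, the rule that a non-zero byte means forward, the fail-closed handling of short frames, and the sample frame are all assumptions made for illustration.

```python
# Added illustration; instruction names are hypothetical, not the product's opcodes.
MAX_OFFSET = 64  # the page: filterable fields lie within the first 64 bytes

# Operators take no operand specifiers: they pop two values and push one result.
OPERATORS = {
    "eq": lambda a, b: int(a == b),
    "ne": lambda a, b: int(a != b),
    "and": lambda a, b: a & b,
    "or": lambda a, b: a | b,
}

def run_filter(program, frame):
    """Return True to forward the frame, False to discard it."""
    stack = []
    for op, *args in program:
        if op == "push_field":                 # explicit operands: offset, size
            offset, size = args
            if offset < 0 or size not in (1, 2, 4) or offset + size > MAX_OFFSET:
                raise ValueError(f"field {offset}+{size} outside first {MAX_OFFSET} bytes")
            if offset + size > len(frame):
                return False                   # assumption: short frame fails closed
            stack.append(int.from_bytes(frame[offset:offset + size], "big"))
        elif op == "push_literal":
            stack.append(args[0])
        elif op in OPERATORS:
            if len(stack) < 2:
                raise ValueError(f"stack underflow at {op!r}")
            right, left = stack.pop(), stack.pop()
            stack.append(OPERATORS[op](left, right))
        else:
            raise ValueError(f"unknown instruction {op!r}")
    if not stack:
        raise ValueError("program left an empty stack")
    return (stack[-1] & 0xFF) != 0             # assumption: non-zero byte = forward

def sample_frame(ethertype, src_ip):
    """Constructed Ethernet II + IPv4 header, zero-padded to 64 bytes."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(src_ip) + bytes([192, 0, 2, 20])
    return (bytes.fromhex("ffffffffffff020000000001") + ethertype.to_bytes(2, "big") + ip).ljust(64, b"\0")

# Forward only IPv4 frames (type field at offset 12) sent by 192.0.2.10 (offset 26).
IPV4_FROM_HOST = [
    ("push_field", 12, 2), ("push_literal", 0x0800), ("eq",),
    ("push_field", 26, 4), ("push_literal", 0xC000020A), ("eq",),
    ("and",),
]

if __name__ == "__main__":
    for ip in ((192, 0, 2, 10), (192, 0, 2, 11)):
        print(ip, "forward" if run_filter(IPV4_FROM_HOST, sample_frame(0x0800, ip)) else "discard")
```

Rejecting a malformed program (stack underflow, out-of-range field) when it is loaded, rather than when a frame arrives, keeps a bad filter from silently changing what a port forwards.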