IPFWASM(8) BSD System Manager's Manual IPFWASM(8)
NAME
ipfwasm - assemble a BSD IP Filter
SYNOPSIS
ipfwasm [-S] [-f filename] [-o output] file
DESCRIPTION
The ipfwasm utility assembles the BSD IP Filter assembly program stored
in file. If file is specified as ``-'' then the program is read from
standard input. In this case, a filename may be specified by the -f option
to be used when reporting errors.
If output is specified by the -o option, the resulting bpf machine code
is written into the file named output. If not specified, the machine code
is written to file.filter (after stripping any .ipfw suffix from file.)
Before assembling the program, and if file is not specified as ``-'',
ipfwasm preprocesses the program with cpp(1).
Line comments are introduced by the character sequence // and extend to
the end of the line. C style comments may also be used. A program is
simply a series of instructions. Instructions have the following form:
[Lnum:] mnemonic operands [;]
Normally instructions are terminated by the end of the line, though
multiple instructions may be placed on a single line by separating them
with the ; character. Labels are always of the form Lnum.
By default, ipfwasm will optimize the code to remove redundant loads,
dead code, jumps to jumps, etc. To disable optimization the -S option
may be used.
The following instructions are available:
ADD X                   Add the value in X to A.
ADD #k                  Add the value k to A.
AND X                   And the value in X to A.
AND #k                  And the value k to A.
CALL #k                 Call the filter in location k in the call list.
                        Set A to the return value of the filter.
DIV X                   Divide the value in A by the value in X.
DIV #k                  Divide the value in A by k.
JEQ X tlabel flabel     Forward jump to tlabel if the value in A is equal
                        to the value in X, else jump to flabel.
JEQ #k tlabel flabel    Forward jump to tlabel if the value in A is equal
                        to k, else jump to flabel.
JGE X tlabel flabel     Forward jump to tlabel if the value in A is
                        greater than or equal to the value in X, else jump
                        to flabel.
JGE #k tlabel flabel    Forward jump to tlabel if the value in A is
                        greater than or equal to k, else jump to flabel.
JGT X tlabel flabel     Forward jump to tlabel if the value in A is
                        greater than the value in X, else jump to flabel.
JGT #k tlabel flabel    Forward jump to tlabel if the value in A is
                        greater than k, else jump to flabel.
JLE X tlabel flabel     Forward jump to tlabel if the value in A is less
                        than or equal to the value in X, else jump to
                        flabel.
JLE #k tlabel flabel    Forward jump to tlabel if the value in A is less
                        than or equal to k, else jump to flabel.
JLT X tlabel flabel     Forward jump to tlabel if the value in A is less
                        than the value in X, else jump to flabel.
JLT #k tlabel flabel    Forward jump to tlabel if the value in A is less
                        than k, else jump to flabel.
JMP label               Forward jump to label.
JNE X tlabel flabel     Forward jump to tlabel if the value in A is not
                        equal to the value in X, else jump to flabel.
JNE #k tlabel flabel    Forward jump to tlabel if the value in A is not
                        equal to k, else jump to flabel.
JSET X tlabel flabel    Forward jump to tlabel if the value in A has any
                        of the bits set that are also set in the value in
                        X, else jump to flabel.
JSET #k tlabel flabel   Forward jump to tlabel if the value in A has any
                        of the bits set that are also set in k, else jump
                        to flabel.
LD #LEN                 Load A with the length of the packet.
LD [k : width]          Load width bytes into A with the value located k
                        bytes into the packet. If width is not specified
                        then a width of 4 is assumed. The value of width
                        must be 1, 2 or 4.
LD #k                   Load A with the value of k.
LD [X + k : width]      Load width bytes into A with the value located X +
                        k bytes into the packet. If width is not specified
                        then a width of 4 is assumed. The value of width
                        must be 1, 2 or 4.
LD M[k]                 Load A with the value stored in scratch memory
                        word k. Each of the 16 scratch memory words is 32
                        bits.
LD R[k]                 Load A with the value stored in the kth prom
                        location. These locations are filled in by the
                        kernel prior to calling the filter. Current
                        possible values are:
                        0     Auxiliary return status information
                              (such as an ICMP code and type)
                        1     Index number of source interface (input
                              and forwarded packets only)
                        2     Index number of destination interface
                              (output and forwarded packets only)
                        3     Index number of the return interface
                              (input and forwarded packets only)
                        4     The mbuf's m_flags value.
LDB [k]                 Load A with value of the byte k bytes into the
                        packet.
LDB [X + k]             Load A with value of the byte X + k bytes into the
                        packet.
LDH [k]                 Load A with the value of the two bytes k bytes
                        into the packet.
LDH [X + k]             Load A with the value of the two bytes X + k bytes
                        into the packet.
LDX #LEN                Load X with the length of the packet.
LDX #k                  Load X with the value of k.
LDX M[k]                Load X with the value stored in scratch memory
                        word k. Each of the 16 scratch memory words is 32
                        bits.
LDX R[k]                Load X with the value stored in the kth prom
                        location.
LDX 4*([k]&0xf)         Load X with the low order nibble of the byte
                        located k bytes into the packet, multiplied by 4.
                        (In other words, load the ip header length of the
                        packet).
LSH X                   Shift the value of A left by X bits.
LSH #k                  Shift the value of A left by k bits.
MUL X                   Multiply A by X.
MUL #k                  Multiply A by k.
NEG                     Negate the value of A.
OR X                    Or the bits in X into A.
OR #k                   Or the bits of k into A.
RET A                   Exit the filter with the value in A.
RET #k                  Exit the filter with the value of k.
RSH X                   Shift the value of A right by X bits.
RSH #k                  Shift the value of A right by k bits.
ST [k : width]          Store the lower width bytes of the A register k
                        bytes into the packet.
ST [X + k : width]      Store the lower width bytes of the A register X +
                        k bytes into the packet.
ST #k                   Store the value of A into the scratch memory word
                        k.
STX [k : width]         Store the lower width bytes of the X register k
                        bytes into the packet.
ST R[k]                 Store the value of A into the kth prom location.
STX #k                  Store the value of X into the scratch memory word
                        k.
STX R[k]                Store the value of X into the kth prom location.
SUB X                   Subtract the value in X from A.
SUB #k                  Subtract k from A.
TAX                     Transfer the value of A into X.
TXA                     Transfer the value of X into A.
As a convenience when writing macros, any of the LD, LDB, and LDH
instructions may be followed by an arithmetic operation and a constant
numeric value or X. This will cause the generation of an additional bpf
instruction. The available operations are:
&       And the value in A with the operand.
+       Add the operand to the value in A.
*       Multiply the value in A by the operand.
/       Divide the value in A by the operand.
-       Subtract the operand from the value in A.
|       Or the value in A with the operand.
<<      Left shift the value in A by the operand.
>>      Right shift the value in A by the operand.
Constant numeric values are always preceded by #. If the numeric portion
is enclosed in parentheses then multiple values may be combined using |
and +. For example: #(0x80 | 0x7) is the same as #0x87.
There are several special forms of numeric values:
filter(name)
     Use the index number in the call chain of the filter having the
     tag name. For example: filter(DNS-filter). This is evaluated at
     the time the program is loaded into the kernel by ipfw(8).
host(name)
     Use the first IP address found which evaluates to the host called
     name. This is evaluated at the time of assembly.
interface(name)
     Use the index number of the interface specified by name. For
     example: interface(exp0). This is evaluated at the time the program
     is loaded into the kernel by ipfw(8).
service(name/proto)
     Use the port number for the service name using the protocol
     proto. For example: service(telnet/tcp). This is evaluated at the
     time of assembly.
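The following Python linter is an added example; it is not part of ipfwasm or of the original manual page. It checks already-preprocessed source against rules stated above: the [Lnum:] mnemonic operands [;] form, both comment styles, forward-only jumps, and the LD width of 1, 2 or 4. The function names, the message texts, the sample program and the assumption that the 16 scratch words are numbered 0 to 15 are the example's own.

```python
import re

COND_JUMPS = {"JEQ", "JGE", "JGT", "JLE", "JLT", "JNE", "JSET"}
LABEL = re.compile(r"(L\d+):\s*")               # labels are of the form Lnum
WIDTH = re.compile(r"\[[^\]]*:\s*(\w+)\s*\]")   # the width in [k : width]
SCRATCH = re.compile(r"M\[(\d+)\]")             # scratch memory word M[k]

def split_instructions(source):
    """Drop C style and // comments, then split on newlines and ';'."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    source = re.sub(r"//[^\n]*", "", source)
    return [s.strip() for s in re.split(r"[;\n]", source) if s.strip()]

def lint(source):
    """Return a list of problems; an empty list means none were found."""
    insns, labels, problems = [], {}, []
    for text in split_instructions(source):
        m = LABEL.match(text)
        if m:                                   # label names the next instruction
            labels[m.group(1)] = len(insns)
            text = text[m.end():]
        if text:
            insns.append(text)
    for pc, text in enumerate(insns):
        mnemonic, operands = (text.split(None, 1) + [""])[:2]
        words = operands.split()
        # Conditional jumps end in "tlabel flabel"; JMP takes one label.
        targets = words[-2:] if mnemonic in COND_JUMPS else words if mnemonic == "JMP" else []
        for t in targets:
            if t not in labels:
                problems.append(f"insn {pc}: undefined label {t}")
            elif labels[t] <= pc:               # every jump is a forward jump
                problems.append(f"insn {pc}: jump to {t} is not forward")
        w = WIDTH.search(operands)
        if mnemonic == "LD" and w and w.group(1) not in ("1", "2", "4"):
            problems.append(f"insn {pc}: width {w.group(1)} is not 1, 2 or 4")
        s = SCRATCH.search(operands)
        # Assumption: the 16 scratch words are indexed 0..15.
        if mnemonic in ("LD", "LDX") and s and int(s.group(1)) > 15:
            problems.append(f"insn {pc}: scratch word {s.group(1)} out of range")
    return problems

# Constructed sample with three deliberate mistakes; not from the manual.
SAMPLE = """\
    LDB [9]             /* one byte, 9 bytes into the packet */
    JEQ #6 L1 L2
L1: LD [12 : 3]         // width must be 1, 2 or 4
    JMP L1              // target is behind this instruction
L2: LD M[16] ; RET #0
"""
```

Calling lint(SAMPLE) reports the bad width, the backward jump and the out-of-range scratch word, each tagged with the zero-based instruction index.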
SEE ALSO
cpp(1), ipfw(8), ipfwcmp(8), ipfwdis(8)
June 12, 1997