.TH ENET 4 "17 January 1986" Stanford
enet \- ethernet packet filter
.B "pseudo-device enetfilter 64"
provides a raw interface to Ethernets and similar network data link layers.
Packets received that are not used by the kernel
(i.e., to support IP, ARP, and on some systems XNS, protocols)
are available through this mechanism.
The packet filter appears as a set of character special files, one
file may be opened multiple times, allowing each interface to be used by
The total number of open ethernet
files is limited to the value given in the kernel configuration; the
example given in the SYNOPSIS above sets the limit to 64.
are associated with interfaces when the system is booted.
is associated with the first Ethernet interface ``attached'',
minor device 1 with the second, and so forth.
(These character special files are, for historical reasons,
Associated with each open instance of an
file is a user-settable packet filter which is used to deliver
incoming ethernet packets to the appropriate process.
Whenever a packet is received from the net,
successive packet filters from the list of filters for
files are applied to the packet.
When a filter accepts the packet,
it is placed on the packet input queue of the
If no filters accept the packet, it is discarded.
The format of a packet filter is described below.
Reads from these files return the next packet
from a queue of packets that have matched the filter.
If insufficient buffer space to store the entire packet is specified in the
read, the packet will be truncated and the trailing contents lost.
Writes to these devices transmit packets on the
network, with each write generating exactly one packet.
The packet filter currently supports a variety of different ``Ethernet''
packets consist of 4 or more bytes with the first byte
specifying the source ethernet address, the second
byte specifying the destination ethernet address,
and the next two bytes specifying the packet type.
(Actually, on the network the source and destination addresses
are in the opposite order.)
.IP "byte-swapping 3mb Ethernet" 1.5i
packets consist of 4 or more bytes with the first byte
specifying the source ethernet address, the second
byte specifying the destination ethernet address,
and the next two bytes specifying the packet type.
\fBEach short word (pair of bytes) is swapped from the network
byte order\fR; this device type is only provided as a concession
to backwards-compatibility.
packets consist of 14 or more bytes with the first six
bytes specifying the destination ethernet address,
the next six bytes the source ethernet address,
and the next two bytes specifying the packet type.
The remaining words are interpreted according to the packet type.
Note that 16-bit and 32-bit quantities may have to be byteswapped
(and possible short-swapped) to be intelligible on a Vax.
The packet filter mechanism does not know anything about the data portion
of the packets it sends and receives. The user must supply
the headers for transmitted packets (although the system makes sure that
the source address is correct) and the headers of received packets
are delivered to the user. The packet filters treat the entire packet,
including headers, as uninterpreted data.
calls may be applied to an open
The first two set and fetch parameters
for the file and are of the form:
.B #include <sys/types.h>
.B ioctl(fildes, code, param)
.ta \w'struct 'u +\w'u_char 'u
with the applicable codes being:
Fetch the parameters for this file.
Set the parameters for this file.
The maximum filter length parameter en_maxfilters indicates
the maximum possible packet filter command
list length (see EIOCSETF below).
The maximum input wait queue size parameter en_maxwaitingindicates
the maximum number of packets which may be queued for an
ethernet file at one time (see EIOCSETW below).
The maximum priority parameter en_maxpriority indicates the highest
filter priority which may be set for the file (see EIOCSETF below).
The en_addr field is no longer maintained by the driver; see
The read timeout parameter en_rtout specifies the number of clock ticks to
wait before timing out on a read request and returning an EOF.
This parameter is initialized to zero by
indicating no timeout. If it is negative, then read requests will return an
EOF immediately if there are no packets in the input queue.
(Note that all parameters except for the read timeout are read-only
and are ignored when changed.)
is used to get device parameters of the ethernet underlying the
minor device. It is of the form:
.B #include <sys/types.h>
.B ioctl(fildes, EIOCDEVP, param)
.ta \w'struct 'u +\w'u_short 'u
u_char end_addr[EN_MAX_ADDR_LEN];
u_char end_broadaddr[EN_MAX_ADDR_LEN];
Specifies the device type; currently one of ENDT_3MB, ENDT_BS3MB or ENDT_10MB.
Specifies the address length in bytes (e.g., 1 or 6).
Specifies the total header length in bytes (e.g., 4 or 14).
Specifies the maximum packet size, including header, in bytes.
The address of this interface; aligned so that the low order
byte of the address is the first byte in the array.
The hardware destination address for broadcasts on this network.
The next two calls enable and disable the input
for the file and are of the form:
.B #include <sys/types.h>
.B ioctl(fildes, code, signp)
is a pointer to a word containing the number
to be sent when an input packet arrives and
with the applicable codes being:
Enable the specified signal when an input packet
is received for this file.
If the ENHOLDSIG flag (see EIOCMBIS below) is not set,
further signals are automatically disabled
whenever a signal is sent to prevent nesting and hence
must be specifically re-enabled after processing.
When a signal number of 0 is supplied,
this call is equivalent to EIOCINHS.
Disable any signal when an input
packet is received for this file
This is the default when the file is first opened.
The next two calls set and clear ``mode bits'' for the
for the file and are of the form:
.B #include <sys/types.h>
.B ioctl(fildes, code, bits)
is a short work bit-mask specifying which bits to set or clear.
Currently, the only bit mask recognized is ENHOLDSIG, which (if
means that the driver should
disable the effect of EIOCENBS once it has delivered a signal.
means that you need use EIOCENBS only once. (For historical reasons, the
default is that ENHOLDSIG is set.)
The applicable codes are:
Sets the specified mode bits
Clears the specified mode bits
call is used to set the maximum size
of the packet input queue for
.B #include <sys/types.h>
.B ioctl(fildes, EIOCSETW, maxwaitingp)
the input queue size to be set.
If this is greater than maximum allowable
size (see EIOCGETP above), it is set to the maximum,
and if it is zero, it is set to
call flushes the queue of incoming packets.
.B #include <sys/types.h>
.B ioctl(fildes, EIOCFLUSH, 0)
call is used to set the packet filter
.B #include <sys/types.h>
.B ioctl(fildes, EIOCSETF, filter)
.B struct enfilter *filter
where enfilter is defined in
.ta \w'struct 'u \w'struct u_short 'u
u_short enf_Filter[ENMAXFILTERS];
A packet filter consists of a priority,
the filter command list length (in shortwords),
and the filter command list itself.
Each filter command list specifies
a sequence of actions which
operate on an internal stack.
command list specifies an action from the set {
} which respectively push the next shortword of the
of the incoming packet on the stack, and a binary operator
which then operates on the
top two elements of the stack and replaces them with its result.
When both an action and operator are specified in the
same shortword, the action is performed followed by the
The binary operator can also be from the set {
}. These are ``short-circuit'' operators, in that they terminate
the execution of the filter immediately if the condition they are checking
for is found, and continue otherwise.
All pop two elements from the stack and compare them for equality;
returns false if the result is false;
returns true if the result is true;
returns true if the result is false;
returns false if the result is true.
Unlike the other binary operators, these four do not leave a result
on the stack, even if they continue.
The short-circuit operators should be used when possible, to reduce the
amount of time spent evaluating filters. When they are used, you should
also arrange the order of the tests so that the filter will succeed or fail
as soon as possible; for example, checking the Socket field of a Pup packet
is more likely to indicate failure than the packet type field.
perform the binary operation or to only push a value on the stack.
Since both are (conveniently) defined to be zero, indicating
only an action actually specifies the action followed by
indicating only an operation actually specifies
After executing the filter command list, a non-zero value (true)
(or an empty stack) causes the incoming
packet to be accepted for the corresponding
file and a zero value (false) causes the packet to
be passed through the next packet filter.
(If the filter exits as the result of a short-circuit operator,
the top-of-stack value is ignored.)
Specifying an undefined operation or action in the command list
or performing an illegal operation or action (such as pushing
past the end of the packet or executing a binary operator
with fewer than two shortwords on the stack) causes a filter to
In an attempt to deal with the problem of
overlapping and/or conflicting packet filters,
the filters for each open
file are ordered by the driver
according to their priority
priority is 0, highest is 255).
packets, filters are applied according to their
priority (from highest to lowest) and
for identical priority values according to their
relative ``busyness'' (the filter that has previously
matched the most packets is checked first) until one or more filters
accept the packet or all filters reject it and
Filters at a priority of 2 or higher are called "high priority"
Once a packet is delivered to one of these "high priority"
no further filters are examined,
the packet is delivered only
which accepts the packet.
A packet may be delivered to more than one filter with a priority
below 2; this might be useful, for example, in building replicated programs.
However, the use of low-priority filters imposes an additional cost on
the system, as these filters each must be checked against all packets not
accepted by a high-priority filter.
with length 0 at priority 0 by
and hence by default accepts all
packets which no "high priority" filter
Priorities should be assigned so that, in general, the more packets a
filter is expected to match, the higher its priority. This will prevent
a lot of needless checking of packets against filters that aren't likely
The following filter would accept all incoming
packets on a 3mb ethernet with Pup types in the range 1-0100:
.ta \w'stru'u \w'struct ENF_PUSHWORD+8, ENF_PUSHLIT, 2, 'u
10, 19, /* priority and length */
ENF_PUSHWORD+1, ENF_PUSHLIT, 2,
ENF_EQ, /* packet type == PUP */
ENF_PUSHWORD+3, ENF_PUSHLIT,
0xFF00, ENF_AND, /* mask high byte */
ENF_PUSHZERO, ENF_GT, /* PupType > 0 */
ENF_PUSHWORD+3, ENF_PUSHLIT,
0xFF00, ENF_AND, /* mask high byte */
ENF_PUSHLIT, 0100, ENF_LE, /* PupType <= 0100 */
ENF_AND, /* 0 < PupType <= 0100 */
ENF_AND /* && packet type == PUP */
Note that shortwords, such as the packet type field, are byte-swapped
and so the literals you compare them to must be byte-swapped. Also,
although for this example the word offsets are constants, code that
must run with either 3mb or 10mb ethernets must use
offsets that depend on the device type.
By taking advantage of the ability to
specify both an action and operation in each word of
the command list, the filter could be abbreviated to:
.ta \w'stru'u \w'struct ENF_PUSHWORD+3, ENF_PUSHLIT | ENF_AND, 'u
10, 14, /* priority and length */
ENF_PUSHWORD+1, ENF_PUSHLIT | ENF_EQ, 2, /* packet type == PUP */
ENF_PUSHWORD+3, ENF_PUSHLIT | ENF_AND,
0xFF00, /* mask high byte */
ENF_PUSHZERO | ENF_GT, /* PupType > 0 */
ENF_PUSHWORD+3, ENF_PUSHLIT | ENF_AND,
0xFF00, /* mask high byte */
ENF_PUSHLIT | ENF_LE, 0100, /* PupType <= 0100 */
ENF_AND, /* 0 < PupType <= 0100 */
ENF_AND /* && packet type == PUP */
A different example shows the use of "short-circuit" operators to
create a more efficient filter. This one accepts Pup packets (on a 3Mbit
ethernet) with a Socket field of 12345. Note that we check the Socket field
before the packet type field, since in most
packets the Socket is not likely to match.
.ta \w'stru'u \w'struct ENF_PUSHWORD+3, ENF_PUSHLIT | ENF_CAND, 'u
10, 9, /* priority and length */
ENF_PUSHWORD+7, ENF_PUSHLIT | ENF_CAND,
0, /* High word of socket */
ENF_PUSHWORD+8, ENF_PUSHLIT | ENF_CAND,
12345, /* Low word of socket */
ENF_PUSHWORD+1, ENF_PUSHLIT | ENF_CAND,
2 /* packet type == Pup */
de(4), ec(4), en(4), il(4), enstat(8)
The current implementation can only filter on words within
the first "mbuf" of the packet; this is around 100 bytes (or
Because packets are streams of bytes, yet the filters operate
on short words, and standard network byte order is usually opposite
from Vax byte order, the relational operators
are not all that useful. Fortunately, they were not often used
when the packets were treated as streams of shorts, so this is
probably not a severe problem. If this becomes a severe problem,
a byte-swapping operator could be added.
Many of the "features" of this driver are there for historical
reasons; the manual page could be a lot cleaner if these were
8-Oct-85 Jeffrey Mogul at Stanford University
Revised to describe 4.3BSD version of driver.
18-Oct-84 Jeffrey Mogul at Stanford University
Added short-circuit operators, changed discussion of priorities to
18-Jan-84 Jeffrey Mogul at Stanford University
Updated for 4.2BSD (device-independent) version, including
documentation of all non-kernel ioctls.
17-Nov-81 Mike Accetta (mja) at Carnegie-Mellon University
Added mention of <sys/types.h> to include examples.
29-Sep-81 Mike Accetta (mja) at Carnegie-Mellon University
Changed to describe new EIOCSETW and EIOCFLUSH ioctl
calls and the new multiple packet queuing features.
12-Nov-80 Mike Accetta (mja) at Carnegie-Mellon University
Added description of signal mechanism for input packets.
07-Mar-80 Mike Accetta (mja) at Carnegie-Mellon University