Packet Sniffer SDK DLL Edition

BPF programming


What is BPF filter program?

A BPF filter program is an array of instructions in which every branch is directed forward and which is terminated by a return instruction. Each instruction performs some action on the pseudo-machine state, which consists of an accumulator (A, a 4-byte DWORD), an index register (X, a 4-byte DWORD), a scratch memory store (DWORD M[16]) and an implicit program counter (pc).

BPF instructions allow you to create various rules for filtering network packets.

The BPF instruction format is defined by the HN_BPF_INSTRUCTION structure:

[C/C++]
typedef struct _HN_BPF_INSTRUCTION
{
  WORD  Code;  // Instruction code
  BYTE  jt;    // Jump if true
  BYTE  jf;    // Jump if false
  DWORD k;     // Generic multiuse field
} HN_BPF_INSTRUCTION, *PHN_BPF_INSTRUCTION;
[Delphi]
HN_BPF_INSTRUCTION = record
  Code : WORD;   // Instruction code
  jt   : BYTE;   // Jump if true
  jf   : BYTE;   // Jump if false
  k    : DWORD;  // Generic multiuse field
end;
PHN_BPF_INSTRUCTION = ^HN_BPF_INSTRUCTION;

The k field is used in different ways depending on the instruction, and the jt and jf fields are used as offsets by the jump instructions. The opcodes are encoded in a semi-hierarchical fashion. There are eight classes of instructions: BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET and BPF_MISC. Various mode and operator bits are added to the class to give the actual instruction.
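The following is an added example, not code from the Packet Sniffer SDK: a small C interpreter for the pseudo-machine described above (A, X, M[16] and the program counter), a validator that enforces the forward-branch and terminating-return rules, and a constructed filter program with the logic of tcpdump's "ip and tcp port 80". The opcode numbers are the classic BSD/libpcap encoding from net/bpf.h; that the SDK's Code field uses the same numbering is an assumption, as are the helper names (bpf_run, bpf_validate, filter_frame), the constructed frame layout and the typedefs standing in for the Windows types.

```c
/* Added example (not SDK code): a bounds-checked interpreter plus a static
 * validator for the BPF pseudo-machine described above.  Opcode numbers are the
 * classic BSD/libpcap encoding (net/bpf.h), which the SDK is assumed to share. */
#include <stdint.h>
typedef uint16_t WORD; typedef uint8_t BYTE; typedef uint32_t DWORD; /* C99 stand-ins */
typedef struct _HN_BPF_INSTRUCTION {
    WORD  Code;  /* class | size | mode, or class | op | src */
    BYTE  jt;    /* jump if true, offset from the next instruction */
    BYTE  jf;    /* jump if false, offset from the next instruction */
    DWORD k;     /* generic multiuse field */
} HN_BPF_INSTRUCTION, *PHN_BPF_INSTRUCTION;

enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU = 0x04,
       BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07,                /* 8 classes */
       BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10,                       /* sizes     */
       BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MEM = 0x60, /* modes     */
       BPF_MSH = 0xa0, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_A = 0x10, BPF_MEMWORDS = 16 };
#define BPF_CLASS(c) ((c) & 0x07)
#define STMT(code, k)       { (code), 0, 0, (k) }
#define JUMP(code, k, t, f) { (code), (t), (f), (k) }

/* Big-endian load of 1/2/4 bytes; fails rather than read past the packet end. */
static int load(const BYTE *p, DWORD len, uint64_t off, int size, DWORD *out)
{
    unsigned n = size == BPF_W ? 4 : size == BPF_H ? 2 : 1;
    if (off + n > len) return 0;
    for (*out = 0; n--; ++off) *out = (*out << 8) | p[off];
    return 1;
}

/* Run prog over len bytes of packet; returns bytes to keep, 0 = drop.  An
 * out-of-range load, an opcode this toy lacks, or running off the end drops. */
DWORD bpf_run(const HN_BPF_INSTRUCTION *prog, DWORD n, const BYTE *pkt, DWORD len)
{
    DWORD A = 0, X = 0, M[BPF_MEMWORDS] = {0};           /* the pseudo-machine state */
    for (DWORD i = 0; i < n; ++i) {                       /* i is the program counter */
        const HN_BPF_INSTRUCTION *ins = &prog[i];
        DWORD k = ins->k, b;
        switch (ins->Code) {
        case BPF_LD|BPF_W|BPF_ABS: case BPF_LD|BPF_H|BPF_ABS: case BPF_LD|BPF_B|BPF_ABS:
        case BPF_LD|BPF_W|BPF_IND: case BPF_LD|BPF_H|BPF_IND: case BPF_LD|BPF_B|BPF_IND:
            b = (ins->Code & 0xe0) == BPF_IND ? X : 0;    /* IND adds the index register */
            if (!load(pkt, len, (uint64_t)b + k, ins->Code & 0x18, &A)) return 0;
            break;
        case BPF_LDX|BPF_B|BPF_MSH:                       /* X = 4 * (pkt[k] & 0x0f) */
            if (!load(pkt, len, k, BPF_B, &b)) return 0;
            X = (b & 0x0f) << 2;
            break;
        case BPF_LD|BPF_W|BPF_MEM:  A = M[k % BPF_MEMWORDS];           break; /* M has 16 slots */
        case BPF_ST:                M[k % BPF_MEMWORDS] = A;           break;
        case BPF_JMP|BPF_JEQ|BPF_K: i += (A == k) ? ins->jt : ins->jf; break;
        case BPF_RET|BPF_K:         return k;
        case BPF_RET|BPF_A:         return A;
        default:                    return 0;
        }
    }
    return 0;
}

/* Static check of the rules in the text: every jt/jf lands inside the program
 * (the offsets are unsigned, so only forward) and the last instruction is a
 * RET, so execution can neither loop nor run off the end.  Returns 1 if loadable. */
int bpf_validate(const HN_BPF_INSTRUCTION *prog, DWORD n)
{
    if (n == 0 || BPF_CLASS(prog[n - 1].Code) != BPF_RET) return 0;
    for (DWORD i = 0; i < n; ++i)
        if (BPF_CLASS(prog[i].Code) == BPF_JMP &&
            (prog[i].jt >= n - 1 - i || prog[i].jf >= n - 1 - i)) return 0;
    return 1;
}

/* Constructed filter with the logic of tcpdump's "ip and tcp port 80". */
static const HN_BPF_INSTRUCTION tcp80[] = {
    STMT(BPF_LD|BPF_H|BPF_ABS, 12),             /*  0: A = EtherType            */
    JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0800, 0, 7),  /*  1: not IPv4 -> 9 (drop)     */
    STMT(BPF_LD|BPF_B|BPF_ABS, 23),             /*  2: A = IP protocol          */
    JUMP(BPF_JMP|BPF_JEQ|BPF_K, 6, 0, 5),       /*  3: not TCP -> 9             */
    STMT(BPF_LDX|BPF_B|BPF_MSH, 14),            /*  4: X = IP header length     */
    STMT(BPF_LD|BPF_H|BPF_IND, 14),             /*  5: A = TCP source port      */
    JUMP(BPF_JMP|BPF_JEQ|BPF_K, 80, 3, 0),      /*  6: == 80 -> 10 (accept)     */
    STMT(BPF_LD|BPF_H|BPF_IND, 16),             /*  7: A = TCP destination port */
    JUMP(BPF_JMP|BPF_JEQ|BPF_K, 80, 1, 0),      /*  8: == 80 -> 10              */
    STMT(BPF_RET|BPF_K, 0),                     /*  9: drop                     */
    STMT(BPF_RET|BPF_K, 0xffff),                /* 10: accept whole packet      */
};

/* Build a constructed Ethernet/IPv4 frame holding only the fields the filter
 * reads, cut it to len bytes as a short capture would, and return the verdict. */
DWORD filter_frame(WORD ethertype, BYTE proto, BYTE ihl, WORD sport, WORD dport, DWORD len)
{
    BYTE f[96] = {0};
    DWORD l4 = 14 + 4u * (ihl & 0x0f);          /* TCP header follows the IP options */
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[14] = 0x40 | (ihl & 0x0f);                /* version 4, header length in words */
    f[23] = proto;
    f[l4] = sport >> 8; f[l4 + 1] = sport & 0xff; f[l4 + 2] = dport >> 8; f[l4 + 3] = dport & 0xff;
    return bpf_run(tcp80, sizeof tcp80 / sizeof *tcp80, f, len < 96 ? len : 96);
}
```

filter_frame(0x0800, 6, 5, 1234, 80, 64) yields 0xffff, while a UDP frame, an IPv6 EtherType or a frame truncated to 30 bytes yields 0. The jt/jf values are offsets from the instruction that follows, which is why instruction 1 uses jf = 7 to reach instruction 9. Two checks matter when a filter program comes from an untrusted caller: every packet load is bounds-checked against the captured length, and bpf_validate rejects a program whose jump would leave it or whose last instruction is not a RET (bpf_validate(tcp80, 10) fails on instruction 8's jump, bpf_validate(tcp80, 9) on the missing RET).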

In the Packet Sniffer SDK library a BPF filter program is defined by the HN_BPF_PROGRAMM structure.

To simplify the creation of BPF filter programs, the HNUserFilter component is provided; it also lets you manage the HN_BPF_PROGRAMM and HN_BPF_INSTRUCTION structures.