// Accept only frames whose Ethernet SOURCE address is the hard-coded
// 00:A0:CC:30:57:B7. The address is compared in two pieces: a 32-bit word
// (first four octets) and a 16-bit half-word (last two octets).
//
// NOTE(review): the source MAC is an unauthenticated header field that the
// sender chooses, so this filter selects traffic for capture; it is not
// evidence of which station actually sent the frame.
static struct bpf_insn BPFAcceptEtherSource[] = {
    // [0] A <- octets 0..3 of the source MAC (word at frame offset 6)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 6 ),
    // [1] Not 00:A0:CC:30 -> skip 3 instructions to the reject at [5]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x00A0CC30, 0, 3 ),
    // [2] A <- octets 4..5 of the source MAC (half-word at frame offset 10)
    BPF_STMT( BPF_LD | BPF_H | BPF_ABS, 10 ),
    // [3] Not 57:B7 -> skip 1 instruction to the reject at [5]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x57B7, 0, 1 ),
    // [4] Accept: the return value is the number of bytes to be returned;
    //     (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET | BPF_K, (UINT)-1 ),
    // [5] Reject: zero bytes returned
    BPF_STMT( BPF_RET | BPF_K, 0 )
};

#define TPF_ETHERSOURCE_PROGLEN 6 // Instruction count of BPFAcceptEtherSource

// Accept only frames whose Ethernet DESTINATION address is the hard-coded
// 00:A0:CC:30:57:B7. Same shape as the source filter, but the address is
// read from frame offsets 0 and 4.
static struct bpf_insn BPFAcceptEtherDest[] = {
    // [0] A <- octets 0..3 of the destination MAC (word at frame offset 0)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 0 ),
    // [1] Not 00:A0:CC:30 -> skip 3 instructions to the reject at [5]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x00A0CC30, 0, 3 ),
    // [2] A <- octets 4..5 of the destination MAC (half-word at frame offset 4)
    BPF_STMT( BPF_LD | BPF_H | BPF_ABS, 4 ),
    // [3] Not 57:B7 -> skip 1 instruction to the reject at [5]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x57B7, 0, 1 ),
    // [4] Accept: (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET | BPF_K, (UINT)-1 ),
    // [5] Reject: zero bytes returned
    BPF_STMT( BPF_RET | BPF_K, 0 )
};

#define TPF_ETHERDEST_PROGLEN 6 // Instruction count of BPFAcceptEtherDest

// Appends the Ethernet-source filter to the program under construction.
//
// pBPFProgram: program that receives the TPF_ETHERSOURCE_PROGLEN
//              instructions of BPFAcceptEtherSource.
// Returns:     whatever _TPF_BPFProgramAppend reports, unchanged.
DWORD TPF_ConcatEtherSource( struct bpf_program *pBPFProgram )
{
    return( _TPF_BPFProgramAppend(
                pBPFProgram,
                BPFAcceptEtherSource,
                TPF_ETHERSOURCE_PROGLEN ) );
}

// Prototype for callers (presumably the line that lives in the header).
extern DWORD TPF_ConcatEtherSource( struct bpf_program *pBPFProgram );

// The filter below accepts only IP packets whose IP source address is
// exactly 1.2.3.4, a placeholder that is meant to be overwritten before use.
// NOTE(review): the SetIPMine shown with these filters patches only
// BPFAcceptIPMine, so this table needs its own setter.
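// NOTE(review), applies to every IP filter in this group:
//  - Offsets 12, 26 and 30 assume an untagged Ethernet II frame with the IP
//    header starting at byte 14. An 802.1Q-tagged frame carries 0x8100 at
//    offset 12, so tagged IP traffic never matches the ETHERTYPE_IP test.
//  - ETHERTYPE_IP is IPv4 only; IPv6 is treated as "not IP".
//  - IP addresses are sender-supplied header fields. Matching on them
//    selects traffic; it does not authenticate where a packet came from.
static struct bpf_insn BPFAcceptIPSource[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD+BPF_H+BPF_ABS, 12 ),
    // [1] Not IP -> skip 3 instructions to the reject at [5]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 3 ),
    // [2] A <- IP source address (word at frame offset 26)
    BPF_STMT( BPF_LD+BPF_W+BPF_ABS, 26 ),
    // [3] Source != 1.2.3.4 (placeholder) -> skip 1 to the reject at [5]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, 0x01020304, 0, 1 ),
    // [4] Accept: the return value is the number of bytes to be returned;
    //     (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET+BPF_K, (UINT)-1 ),
    // [5] Reject: zero bytes returned
    BPF_STMT( BPF_RET+BPF_K, 0 )
};

// Accept any IP packet, reject everything else.
static struct bpf_insn BPFAcceptIP[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD+BPF_H+BPF_ABS, 12 ),
    // [1] IP -> fall through to accept; otherwise skip 1 to the reject at [3]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 1 ),
    // [2] Accept: (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET+BPF_K, (UINT)-1 ),
    // [3] Reject
    BPF_STMT( BPF_RET+BPF_K, 0 )
};

// BPFAcceptIP holds 4 instructions. The value was previously 6, which would
// make any append that uses this length read two entries past the end of the
// table and place whatever follows it in memory into the filter program.
#define TPF_ACCEPT_IP_PROGLEN 4 // 4 BPF Instructions

// Reject any IP packet, accept everything else.
// Renamed from a second "BPFAcceptIP": two initialised definitions of the
// same identifier in one translation unit do not compile, and the name
// contradicted what the table does.
// NOTE(review): because of the offset-12 test, IP carried inside an 802.1Q
// tag is seen as "not IP" and is accepted by this filter.
static struct bpf_insn BPFRejectIP[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD+BPF_H+BPF_ABS, 12 ),
    // [1] IP -> fall through to reject; otherwise skip 1 to the accept at [3]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 1 ),
    // [2] Reject
    BPF_STMT( BPF_RET+BPF_K, 0 ),
    // [3] Accept: (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET+BPF_K, (UINT)-1 )
};

// Accept only IP packets whose IP destination address is exactly 1.2.3.4,
// a placeholder that is meant to be overwritten before use.
// NOTE(review): the SetIPMine shown with these filters patches only
// BPFAcceptIPMine, so this table needs its own setter.
static struct bpf_insn BPFAcceptIPDest[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD+BPF_H+BPF_ABS, 12 ),
    // [1] Not IP -> skip 3 instructions to the reject at [5]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 3 ),
    // [2] A <- IP destination address (word at frame offset 30)
    BPF_STMT( BPF_LD+BPF_W+BPF_ABS, 30 ),
    // [3] Dest != 1.2.3.4 (placeholder) -> skip 1 to the reject at [5]
    BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, 0x01020304, 0, 1 ),
    // [4] Accept: (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET+BPF_K, (UINT)-1 ),
    // [5] Reject
    BPF_STMT( BPF_RET+BPF_K, 0 )
};

// The filter below accepts only IP packets exchanged between one address
// pair: source 1.2.3.4 AND dest 5.6.7.8, OR source 5.6.7.8 AND dest 1.2.3.4.
// Both addresses are placeholders meant to be overwritten before use.
// NOTE(review): the SetIPMine shown with these filters patches only
// BPFAcceptIPMine, so this table needs its own setter.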
static struct bpf_insn BPFAcceptIPPair[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD | BPF_H | BPF_ABS, 12 ),
    // [1] Not IP -> skip 8 instructions to the reject at [10]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, ETHERTYPE_IP, 0, 8 ),

    // [2] A <- IP source address (word at frame offset 26)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 26 ),
    // [3] Source == 1.2.3.4 -> [5] (check dest 5.6.7.8); else try [4]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x01020304, 1, 0 ),
    // [4] Source == 5.6.7.8 -> [7] (check dest 1.2.3.4); else reject at [10]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x05060708, 2, 5 ),

    // [5] A <- IP destination address (word at frame offset 30)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 30 ),
    // [6] Dest == 5.6.7.8 -> accept at [9]; else reject at [10]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x05060708, 2, 3 ),

    // [7] A <- IP destination address (word at frame offset 30)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 30 ),
    // [8] Dest == 1.2.3.4 -> accept at [9]; else reject at [10]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x01020304, 0, 1 ),

    // [9] Accept: the return value is the number of bytes to be returned;
    //     (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET | BPF_K, (UINT)-1 ),
    // [10] Reject: zero bytes returned
    BPF_STMT( BPF_RET | BPF_K, 0 )
};

// Accept only IP packets whose IP source OR destination address is exactly
// 1.2.3.4. The constant is a placeholder that SetIPMine overwrites.
// NOTE(review): offsets 12/26/30 assume an untagged Ethernet II frame, and
// the addresses matched are sender-supplied header fields, so a match
// selects traffic without proving its origin.
static struct bpf_insn BPFAcceptIPMine[] = {
    // [0] A <- EtherType (half-word at frame offset 12)
    BPF_STMT( BPF_LD | BPF_H | BPF_ABS, 12 ),
    // [1] Not IP -> skip 5 instructions to the reject at [7]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, ETHERTYPE_IP, 0, 5 ),

    // [2] A <- IP source address (word at frame offset 26)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 26 ),
    // [3] Source == 1.2.3.4 -> accept at [6]; else go on to the dest check
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x01020304, 2, 0 ),

    // [4] A <- IP destination address (word at frame offset 30)
    BPF_STMT( BPF_LD | BPF_W | BPF_ABS, 30 ),
    // [5] Dest == 1.2.3.4 -> accept at [6]; else reject at [7]
    BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 0x01020304, 0, 1 ),

    // [6] Accept: (UINT)-1 asks for the whole packet
    BPF_STMT( BPF_RET | BPF_K, (UINT)-1 ),
    // [7] Reject: zero bytes returned
    BPF_STMT( BPF_RET | BPF_K, 0 )
};

#define TPF_IPM_PROGLEN 8 // Instruction count of BPFAcceptIPMine

// Replaces the 1.2.3.4 placeholder in BPFAcceptIPMine with addr.
//
// addr: IP address to match. The placeholder is written as 0x01020304 for
//       1.2.3.4, so addr is expected in that same first-octet-in-the-high-byte
//       form. NOTE(review): a value copied straight from a sockaddr is in
//       network byte order and would need ntohl() on little-endian hosts;
//       confirm against callers.
//
// NOTE(review): this writes to a shared file-scope table. Whether a program
// already built from the table sees the change depends on whether
// _TPF_BPFProgramAppend copies the instructions, which is not shown here;
// call this before building the program.
void SetIPMine( unsigned int addr )
{
    // Slots [3] and [5] are the two compares against the placeholder address.
    static const int placeholderSlots[] = { 3, 5 };
    int slot;

    for( slot = 0; slot < 2; ++slot )
    {
        BPFAcceptIPMine[ placeholderSlots[ slot ] ].k = addr;
    }
}