1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.52 2007/06/22 06:43:58 guy Exp $ (LBL)";
32 #include <pcap-stdinc.h>
34 #include <sys/types.h>
35 #include <sys/socket.h>
39 * XXX - why was this included even on UNIX?
48 #include <sys/param.h>
51 #include <netinet/in.h>
67 #include "ethertype.h"
72 #include "sunatmpos.h"
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
82 #include <netdb.h> /* for "struct addrinfo" */
85 #include <pcap-namedb.h>
90 #define IPPROTO_SCTP 132
93 #ifdef HAVE_OS_PROTO_H
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
104 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
105 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
107 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
112 static int pcap_fddipad;
117 bpf_error(const char *fmt, ...)
122 if (bpf_pcap != NULL)
123 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
130 static void init_linktype(pcap_t *);
132 static int alloc_reg(void);
133 static void free_reg(int);
135 static struct block *root;
138 * Value passed to gen_load_a() to indicate what the offset argument
142 OR_PACKET, /* relative to the beginning of the packet */
143 OR_LINK, /* relative to the link-layer header */
144 OR_NET, /* relative to the network-layer header */
145 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
146 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
147 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
151 * We divy out chunks of memory rather than call malloc each time so
152 * we don't have to worry about leaking memory. It's probably
153 * not a big deal if all this memory was wasted but if this ever
154 * goes into a library that would probably not be a good idea.
156 * XXX - this *is* in a library....
159 #define CHUNK0SIZE 1024
165 static struct chunk chunks[NCHUNKS];
166 static int cur_chunk;
168 static void *newchunk(u_int);
169 static void freechunks(void);
170 static inline struct block *new_block(int);
171 static inline struct slist *new_stmt(int);
172 static struct block *gen_retblk(int);
173 static inline void syntax(void);
175 static void backpatch(struct block *, struct block *);
176 static void merge(struct block *, struct block *);
177 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
178 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
179 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
180 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
181 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
182 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
184 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
185 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
186 bpf_u_int32, bpf_u_int32, int, bpf_int32);
187 static struct slist *gen_load_llrel(u_int, u_int);
188 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
189 static struct slist *gen_loadx_iphdrlen(void);
190 static struct block *gen_uncond(int);
191 static inline struct block *gen_true(void);
192 static inline struct block *gen_false(void);
193 static struct block *gen_ether_linktype(int);
194 static struct block *gen_linux_sll_linktype(int);
195 static void insert_radiotap_load_llprefixlen(struct block *);
196 static void insert_ppi_load_llprefixlen(struct block *);
197 static void insert_load_llprefixlen(struct block *);
198 static struct slist *gen_llprefixlen(void);
199 static struct block *gen_linktype(int);
200 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
201 static struct block *gen_llc_linktype(int);
202 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
204 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
206 static struct block *gen_ahostop(const u_char *, int);
207 static struct block *gen_ehostop(const u_char *, int);
208 static struct block *gen_fhostop(const u_char *, int);
209 static struct block *gen_thostop(const u_char *, int);
210 static struct block *gen_wlanhostop(const u_char *, int);
211 static struct block *gen_ipfchostop(const u_char *, int);
212 static struct block *gen_dnhostop(bpf_u_int32, int);
213 static struct block *gen_mpls_linktype(int);
214 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
216 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
219 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
221 static struct block *gen_ipfrag(void);
222 static struct block *gen_portatom(int, bpf_int32);
223 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
225 static struct block *gen_portatom6(int, bpf_int32);
226 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
228 struct block *gen_portop(int, int, int);
229 static struct block *gen_port(int, int, int);
230 struct block *gen_portrangeop(int, int, int, int);
231 static struct block *gen_portrange(int, int, int, int);
233 struct block *gen_portop6(int, int, int);
234 static struct block *gen_port6(int, int, int);
235 struct block *gen_portrangeop6(int, int, int, int);
236 static struct block *gen_portrange6(int, int, int, int);
238 static int lookup_proto(const char *, int);
239 static struct block *gen_protochain(int, int, int);
240 static struct block *gen_proto(int, int, int);
241 static struct slist *xfer_to_x(struct arth *);
242 static struct slist *xfer_to_a(struct arth *);
243 static struct block *gen_mac_multicast(int);
244 static struct block *gen_len(int, int);
246 static struct block *gen_ppi_dlt_check(void);
247 static struct block *gen_msg_abbrev(int type);
258 /* XXX Round up to nearest long. */
259 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
261 /* XXX Round up to structure boundary. */
265 cp = &chunks[cur_chunk];
266 if (n > cp->n_left) {
267 ++cp, k = ++cur_chunk;
269 bpf_error("out of memory");
270 size = CHUNK0SIZE << k;
271 cp->m = (void *)malloc(size);
273 bpf_error("out of memory");
274 memset((char *)cp->m, 0, size);
277 bpf_error("out of memory");
280 return (void *)((char *)cp->m + cp->n_left);
289 for (i = 0; i < NCHUNKS; ++i)
290 if (chunks[i].m != NULL) {
297 * A strdup whose allocations are freed after code generation is over.
301 register const char *s;
303 int n = strlen(s) + 1;
304 char *cp = newchunk(n);
310 static inline struct block *
316 p = (struct block *)newchunk(sizeof(*p));
323 static inline struct slist *
329 p = (struct slist *)newchunk(sizeof(*p));
335 static struct block *
339 struct block *b = new_block(BPF_RET|BPF_K);
348 bpf_error("syntax error in filter expression");
351 static bpf_u_int32 netmask;
356 pcap_compile(pcap_t *p, struct bpf_program *program,
357 const char *buf, int optimize, bpf_u_int32 mask)
360 const char * volatile xbuf = buf;
367 if (setjmp(top_ctx)) {
375 snaplen = pcap_snapshot(p);
377 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
378 "snaplen of 0 rejects all packets");
382 lex_init(xbuf ? xbuf : "");
390 root = gen_retblk(snaplen);
392 if (optimize && !no_optimize) {
395 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
396 bpf_error("expression rejects all packets");
398 program->bf_insns = icode_to_fcode(root, &len);
399 program->bf_len = len;
407 * entry point for using the compiler with no pcap open
408 * pass in all the stuff that is needed explicitly instead.
411 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
412 struct bpf_program *program,
413 const char *buf, int optimize, bpf_u_int32 mask)
418 p = pcap_open_dead(linktype_arg, snaplen_arg);
421 ret = pcap_compile(p, program, buf, optimize, mask);
427 * Clean up a "struct bpf_program" by freeing all the memory allocated
431 pcap_freecode(struct bpf_program *program)
434 if (program->bf_insns != NULL) {
435 free((char *)program->bf_insns);
436 program->bf_insns = NULL;
441 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
442 * which of the jt and jf fields has been resolved and which is a pointer
443 * back to another unresolved block (or nil). At least one of the fields
444 * in each block is already resolved.
447 backpatch(list, target)
448 struct block *list, *target;
465 * Merge the lists in b0 and b1, using the 'sense' field to indicate
466 * which of jt and jf is the link.
470 struct block *b0, *b1;
472 register struct block **p = &b0;
474 /* Find end of list. */
476 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
478 /* Concatenate the lists. */
487 struct block *ppi_dlt_check;
489 ppi_dlt_check = gen_ppi_dlt_check();
491 if (ppi_dlt_check != NULL)
493 gen_and(ppi_dlt_check, p);
496 backpatch(p, gen_retblk(snaplen));
497 p->sense = !p->sense;
498 backpatch(p, gen_retblk(0));
502 * Insert before the statements of the first (root) block any
503 * statements needed to load the lengths of any variable-length
504 * headers into registers.
506 * XXX - a fancier strategy would be to insert those before the
507 * statements of all blocks that use those lengths and that
508 * have no predecessors that use them, so that we only compute
509 * the lengths if we need them. There might be even better
510 * approaches than that. However, as we're currently only
511 * handling variable-length radiotap headers, and as all
512 * filtering expressions other than raw link[M:N] tests
513 * require the length of that header, doing more for that
514 * header length isn't really worth the effort.
517 insert_load_llprefixlen(root);
522 struct block *b0, *b1;
524 backpatch(b0, b1->head);
525 b0->sense = !b0->sense;
526 b1->sense = !b1->sense;
528 b1->sense = !b1->sense;
534 struct block *b0, *b1;
536 b0->sense = !b0->sense;
537 backpatch(b0, b1->head);
538 b0->sense = !b0->sense;
547 b->sense = !b->sense;
550 static struct block *
551 gen_cmp(offrel, offset, size, v)
552 enum e_offrel offrel;
556 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
559 static struct block *
560 gen_cmp_gt(offrel, offset, size, v)
561 enum e_offrel offrel;
565 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
568 static struct block *
569 gen_cmp_ge(offrel, offset, size, v)
570 enum e_offrel offrel;
574 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
577 static struct block *
578 gen_cmp_lt(offrel, offset, size, v)
579 enum e_offrel offrel;
583 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
586 static struct block *
587 gen_cmp_le(offrel, offset, size, v)
588 enum e_offrel offrel;
592 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
595 static struct block *
596 gen_mcmp(offrel, offset, size, v, mask)
597 enum e_offrel offrel;
602 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
605 static struct block *
606 gen_bcmp(offrel, offset, size, v)
607 enum e_offrel offrel;
608 register u_int offset, size;
609 register const u_char *v;
611 register struct block *b, *tmp;
615 register const u_char *p = &v[size - 4];
616 bpf_int32 w = ((bpf_int32)p[0] << 24) |
617 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
619 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
626 register const u_char *p = &v[size - 2];
627 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
629 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
636 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
645 * AND the field of size "size" at offset "offset" relative to the header
646 * specified by "offrel" with "mask", and compare it with the value "v"
647 * with the test specified by "jtype"; if "reverse" is true, the test
648 * should test the opposite of "jtype".
650 static struct block *
651 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
652 enum e_offrel offrel;
654 bpf_u_int32 offset, size, mask, jtype;
657 struct slist *s, *s2;
660 s = gen_load_a(offrel, offset, size);
662 if (mask != 0xffffffff) {
663 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
668 b = new_block(JMP(jtype));
671 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
677 * Various code constructs need to know the layout of the data link
678 * layer. These variables give the necessary offsets from the beginning
679 * of the packet data.
681 * If the link layer has variable_length headers, the offsets are offsets
682 * from the end of the link-link-layer header, and "reg_ll_size" is
683 * the register number for a register containing the length of the
684 * link-layer header. Otherwise, "reg_ll_size" is -1.
686 static int reg_ll_size;
689 * This is the offset of the beginning of the link-layer header from
690 * the beginning of the raw packet data.
692 * It's usually 0, except for 802.11 with a fixed-length radio header.
693 * (For 802.11 with a variable-length radio header, we have to generate
694 * code to compute that offset; off_ll is 0 in that case.)
699 * This is the offset of the beginning of the MAC-layer header.
700 * It's usually 0, except for ATM LANE, where it's the offset, relative
701 * to the beginning of the raw packet data, of the Ethernet header.
703 static u_int off_mac;
706 * "off_linktype" is the offset to information in the link-layer header
707 * giving the packet type. This offset is relative to the beginning
708 * of the link-layer header (i.e., it doesn't include off_ll).
710 * For Ethernet, it's the offset of the Ethernet type field.
712 * For link-layer types that always use 802.2 headers, it's the
713 * offset of the LLC header.
715 * For PPP, it's the offset of the PPP type field.
717 * For Cisco HDLC, it's the offset of the CHDLC type field.
719 * For BSD loopback, it's the offset of the AF_ value.
721 * For Linux cooked sockets, it's the offset of the type field.
723 * It's set to -1 for no encapsulation, in which case, IP is assumed.
725 static u_int off_linktype;
728 * TRUE if the link layer includes an ATM pseudo-header.
730 static int is_atm = 0;
733 * TRUE if "lane" appeared in the filter; it causes us to generate
734 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
736 static int is_lane = 0;
739 * These are offsets for the ATM pseudo-header.
741 static u_int off_vpi;
742 static u_int off_vci;
743 static u_int off_proto;
746 * These are offsets for the MTP2 fields.
751 * These are offsets for the MTP3 fields.
753 static u_int off_sio;
754 static u_int off_opc;
755 static u_int off_dpc;
756 static u_int off_sls;
759 * This is the offset of the first byte after the ATM pseudo_header,
760 * or -1 if there is no ATM pseudo-header.
762 static u_int off_payload;
765 * These are offsets to the beginning of the network-layer header.
766 * They are relative to the beginning of the link-layer header (i.e.,
767 * they don't include off_ll).
769 * If the link layer never uses 802.2 LLC:
771 * "off_nl" and "off_nl_nosnap" are the same.
773 * If the link layer always uses 802.2 LLC:
775 * "off_nl" is the offset if there's a SNAP header following
778 * "off_nl_nosnap" is the offset if there's no SNAP header.
780 * If the link layer is Ethernet:
782 * "off_nl" is the offset if the packet is an Ethernet II packet
783 * (we assume no 802.3+802.2+SNAP);
785 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
786 * with an 802.2 header following it.
789 static u_int off_nl_nosnap;
797 linktype = pcap_datalink(p);
799 pcap_fddipad = p->fddipad;
803 * Assume it's not raw ATM with a pseudo-header, for now.
814 * And assume we're not doing SS7.
823 * Also assume it's not 802.11 with a fixed-length radio header.
829 label_stack_depth = 0;
837 off_nl = 6; /* XXX in reality, variable! */
838 off_nl_nosnap = 6; /* no 802.2 LLC */
841 case DLT_ARCNET_LINUX:
843 off_nl = 8; /* XXX in reality, variable! */
844 off_nl_nosnap = 8; /* no 802.2 LLC */
849 off_nl = 14; /* Ethernet II */
850 off_nl_nosnap = 17; /* 802.3+802.2 */
855 * SLIP doesn't have a link level type. The 16 byte
856 * header is hacked into our SLIP driver.
860 off_nl_nosnap = 16; /* no 802.2 LLC */
864 /* XXX this may be the same as the DLT_PPP_BSDOS case */
868 off_nl_nosnap = 24; /* no 802.2 LLC */
875 off_nl_nosnap = 4; /* no 802.2 LLC */
881 off_nl_nosnap = 12; /* no 802.2 LLC */
886 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
887 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
890 off_nl_nosnap = 4; /* no 802.2 LLC */
895 * This does no include the Ethernet header, and
896 * only covers session state.
900 off_nl_nosnap = 8; /* no 802.2 LLC */
906 off_nl_nosnap = 24; /* no 802.2 LLC */
911 * FDDI doesn't really have a link-level type field.
912 * We set "off_linktype" to the offset of the LLC header.
914 * To check for Ethernet types, we assume that SSAP = SNAP
915 * is being used and pick out the encapsulated Ethernet type.
916 * XXX - should we generate code to check for SNAP?
920 off_linktype += pcap_fddipad;
922 off_nl = 21; /* FDDI+802.2+SNAP */
923 off_nl_nosnap = 16; /* FDDI+802.2 */
925 off_nl += pcap_fddipad;
926 off_nl_nosnap += pcap_fddipad;
932 * Token Ring doesn't really have a link-level type field.
933 * We set "off_linktype" to the offset of the LLC header.
935 * To check for Ethernet types, we assume that SSAP = SNAP
936 * is being used and pick out the encapsulated Ethernet type.
937 * XXX - should we generate code to check for SNAP?
939 * XXX - the header is actually variable-length.
940 * Some various Linux patched versions gave 38
941 * as "off_linktype" and 40 as "off_nl"; however,
942 * if a token ring packet has *no* routing
943 * information, i.e. is not source-routed, the correct
944 * values are 20 and 22, as they are in the vanilla code.
946 * A packet is source-routed iff the uppermost bit
947 * of the first byte of the source address, at an
948 * offset of 8, has the uppermost bit set. If the
949 * packet is source-routed, the total number of bytes
950 * of routing information is 2 plus bits 0x1F00 of
951 * the 16-bit value at an offset of 14 (shifted right
952 * 8 - figure out which byte that is).
955 off_nl = 22; /* Token Ring+802.2+SNAP */
956 off_nl_nosnap = 17; /* Token Ring+802.2 */
961 * 802.11 doesn't really have a link-level type field.
962 * We set "off_linktype" to the offset of the LLC header.
964 * To check for Ethernet types, we assume that SSAP = SNAP
965 * is being used and pick out the encapsulated Ethernet type.
966 * XXX - should we generate code to check for SNAP?
968 * XXX - the header is actually variable-length. We
969 * assume a 24-byte link-layer header, as appears in
970 * data frames in networks with no bridges. If the
971 * fromds and tods 802.11 header bits are both set,
972 * it's actually supposed to be 30 bytes.
975 off_nl = 32; /* 802.11+802.2+SNAP */
976 off_nl_nosnap = 27; /* 802.11+802.2 */
979 case DLT_PRISM_HEADER:
981 * Same as 802.11, but with an additional header before
982 * the 802.11 header, containing a bunch of additional
983 * information including radio-level information.
985 * The header is 144 bytes long.
987 * XXX - same variable-length header problem; at least
988 * the Prism header is fixed-length.
992 off_nl = 32; /* Prism+802.11+802.2+SNAP */
993 off_nl_nosnap = 27; /* Prism+802.11+802.2 */
996 case DLT_IEEE802_11_RADIO_AVS:
998 * Same as 802.11, but with an additional header before
999 * the 802.11 header, containing a bunch of additional
1000 * information including radio-level information.
1002 * The header is 64 bytes long, at least in its
1003 * current incarnation.
1005 * XXX - same variable-length header problem, only
1006 * more so; this header is also variable-length,
1007 * with the length being the 32-bit big-endian
1008 * number at an offset of 4 from the beginning
1009 * of the radio header. We should handle that the
1010 * same way we handle the length at the beginning
1011 * of the radiotap header.
1013 * XXX - in Linux, do any drivers that supply an AVS
1014 * header supply a link-layer type other than
1015 * ARPHRD_IEEE80211_PRISM? If so, we should map that
1016 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are
1017 * any drivers that supply an AVS header but supply
1018 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll
1019 * have to check the header in the generated code to
1020 * determine whether it's Prism or AVS.
1024 off_nl = 32; /* Radio+802.11+802.2+SNAP */
1025 off_nl_nosnap = 27; /* Radio+802.11+802.2 */
1030 * At the moment we treat PPI as normal Radiotap encoded
1031 * packets. The difference is in the function that generates
1032 * the code at the beginning to compute the header length.
1033 * Since this code generator of PPI supports bare 802.11
1034 * encapsulation only (i.e. the encapsulated DLT should be
1035 * DLT_IEEE802_11) we generate code to check for this too.
1038 case DLT_IEEE802_11_RADIO:
1040 * Same as 802.11, but with an additional header before
1041 * the 802.11 header, containing a bunch of additional
1042 * information including radio-level information.
1044 * The radiotap header is variable length, and we
1045 * generate code to compute its length and store it
1046 * in a register. These offsets are relative to the
1047 * beginning of the 802.11 header.
1050 off_nl = 32; /* 802.11+802.2+SNAP */
1051 off_nl_nosnap = 27; /* 802.11+802.2 */
1054 case DLT_ATM_RFC1483:
1055 case DLT_ATM_CLIP: /* Linux ATM defines this */
1057 * assume routed, non-ISO PDUs
1058 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1060 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1061 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1062 * latter would presumably be treated the way PPPoE
1063 * should be, so you can do "pppoe and udp port 2049"
1064 * or "pppoa and tcp port 80" and have it check for
1065 * PPPo{A,E} and a PPP protocol of IP and....
1068 off_nl = 8; /* 802.2+SNAP */
1069 off_nl_nosnap = 3; /* 802.2 */
1074 * Full Frontal ATM; you get AALn PDUs with an ATM
1078 off_vpi = SUNATM_VPI_POS;
1079 off_vci = SUNATM_VCI_POS;
1080 off_proto = PROTO_POS;
1081 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
1082 off_payload = SUNATM_PKT_BEGIN_POS;
1083 off_linktype = off_payload;
1084 off_nl = off_payload+8; /* 802.2+SNAP */
1085 off_nl_nosnap = off_payload+3; /* 802.2 */
1091 off_nl_nosnap = 0; /* no 802.2 LLC */
1094 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1097 off_nl_nosnap = 16; /* no 802.2 LLC */
1102 * LocalTalk does have a 1-byte type field in the LLAP header,
1103 * but really it just indicates whether there is a "short" or
1104 * "long" DDP packet following.
1108 off_nl_nosnap = 0; /* no 802.2 LLC */
1111 case DLT_IP_OVER_FC:
1113 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1114 * link-level type field. We set "off_linktype" to the
1115 * offset of the LLC header.
1117 * To check for Ethernet types, we assume that SSAP = SNAP
1118 * is being used and pick out the encapsulated Ethernet type.
1119 * XXX - should we generate code to check for SNAP? RFC
1120 * 2625 says SNAP should be used.
1123 off_nl = 24; /* IPFC+802.2+SNAP */
1124 off_nl_nosnap = 19; /* IPFC+802.2 */
1129 * XXX - we should set this to handle SNAP-encapsulated
1130 * frames (NLPID of 0x80).
1134 off_nl_nosnap = 0; /* no 802.2 LLC */
1138 * the only BPF-interesting FRF.16 frames are non-control frames;
1139 * Frame Relay has a variable length link-layer
1140 * so lets start with offset 4 for now and increments later on (FIXME);
1145 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1148 case DLT_APPLE_IP_OVER_IEEE1394:
1151 off_nl_nosnap = 18; /* no 802.2 LLC */
1154 case DLT_LINUX_IRDA:
1156 * Currently, only raw "link[N:M]" filtering is supported.
1165 * Currently, only raw "link[N:M]" filtering is supported.
1172 case DLT_SYMANTEC_FIREWALL:
1174 off_nl = 44; /* Ethernet II */
1175 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1180 /* XXX read this from pf.h? */
1181 off_nl = PFLOG_HDRLEN;
1182 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1185 case DLT_JUNIPER_MFR:
1186 case DLT_JUNIPER_MLFR:
1187 case DLT_JUNIPER_MLPPP:
1188 case DLT_JUNIPER_PPP:
1189 case DLT_JUNIPER_CHDLC:
1190 case DLT_JUNIPER_FRELAY:
1193 off_nl_nosnap = -1; /* no 802.2 LLC */
1196 case DLT_JUNIPER_ATM1:
1197 off_linktype = 4; /* in reality variable between 4-8 */
1202 case DLT_JUNIPER_ATM2:
1203 off_linktype = 8; /* in reality variable between 8-12 */
1208 /* frames captured on a Juniper PPPoE service PIC
1209 * contain raw ethernet frames */
1210 case DLT_JUNIPER_PPPOE:
1211 case DLT_JUNIPER_ETHER:
1213 off_nl = 18; /* Ethernet II */
1214 off_nl_nosnap = 21; /* 802.3+802.2 */
1217 case DLT_JUNIPER_PPPOE_ATM:
1220 off_nl_nosnap = -1; /* no 802.2 LLC */
1223 case DLT_JUNIPER_GGSN:
1226 off_nl_nosnap = -1; /* no 802.2 LLC */
1229 case DLT_JUNIPER_ES:
1231 off_nl = -1; /* not really a network layer but raw IP adresses */
1232 off_nl_nosnap = -1; /* no 802.2 LLC */
1235 case DLT_JUNIPER_MONITOR:
1237 off_nl = 12; /* raw IP/IP6 header */
1238 off_nl_nosnap = -1; /* no 802.2 LLC */
1241 case DLT_JUNIPER_SERVICES:
1243 off_nl = -1; /* L3 proto location dep. on cookie type */
1244 off_nl_nosnap = -1; /* no 802.2 LLC */
1247 case DLT_JUNIPER_VP:
1264 case DLT_MTP2_WITH_PHDR:
1283 case DLT_LINUX_LAPD:
1285 * Currently, only raw "link[N:M]" filtering is supported.
1294 * Currently, only raw "link[N:M]" filtering is supported.
1301 case DLT_BLUETOOTH_HCI_H4:
1303 * Currently, only raw "link[N:M]" filtering is supported.
1310 bpf_error("unknown data link type %d", linktype);
1315 * Load a value relative to the beginning of the link-layer header.
1316 * The link-layer header doesn't necessarily begin at the beginning
1317 * of the packet data; there might be a variable-length prefix containing
1318 * radio information.
1320 static struct slist *
1321 gen_load_llrel(offset, size)
1324 struct slist *s, *s2;
1326 s = gen_llprefixlen();
1329 * If "s" is non-null, it has code to arrange that the X register
1330 * contains the length of the prefix preceding the link-layer
1333 * Otherwise, the length of the prefix preceding the link-layer
1334 * header is "off_ll".
1338 * There's a variable-length prefix preceding the
1339 * link-layer header. "s" points to a list of statements
1340 * that put the length of that prefix into the X register.
1341 * do an indirect load, to use the X register as an offset.
1343 s2 = new_stmt(BPF_LD|BPF_IND|size);
1348 * There is no variable-length header preceding the
1349 * link-layer header; add in off_ll, which, if there's
1350 * a fixed-length header preceding the link-layer header,
1351 * is the length of that header.
1353 s = new_stmt(BPF_LD|BPF_ABS|size);
1354 s->s.k = offset + off_ll;
1361 * Load a value relative to the beginning of the specified header.
1363 static struct slist *
1364 gen_load_a(offrel, offset, size)
1365 enum e_offrel offrel;
1368 struct slist *s, *s2;
1373 s = new_stmt(BPF_LD|BPF_ABS|size);
1378 s = gen_load_llrel(offset, size);
1382 s = gen_load_llrel(off_nl + offset, size);
1386 s = gen_load_llrel(off_nl_nosnap + offset, size);
1391 * Load the X register with the length of the IPv4 header
1392 * (plus the offset of the link-layer header, if it's
1393 * preceded by a variable-length header such as a radio
1394 * header), in bytes.
1396 s = gen_loadx_iphdrlen();
1399 * Load the item at {offset of the link-layer header} +
1400 * {offset, relative to the start of the link-layer
1401 * header, of the IPv4 header} + {length of the IPv4 header} +
1402 * {specified offset}.
1404 * (If the link-layer is variable-length, it's included
1405 * in the value in the X register, and off_ll is 0.)
1407 s2 = new_stmt(BPF_LD|BPF_IND|size);
1408 s2->s.k = off_ll + off_nl + offset;
1413 s = gen_load_llrel(off_nl + 40 + offset, size);
1424 * Generate code to load into the X register the sum of the length of
1425 * the IPv4 header and any variable-length header preceding the link-layer
1428 static struct slist *
1429 gen_loadx_iphdrlen()
1431 struct slist *s, *s2;
1433 s = gen_llprefixlen();
1436 * There's a variable-length prefix preceding the
1437 * link-layer header. "s" points to a list of statements
1438 * that put the length of that prefix into the X register.
1439 * The 4*([k]&0xf) addressing mode can't be used, as we
1440 * don't have a constant offset, so we have to load the
1441 * value in question into the A register and add to it
1442 * the value from the X register.
1444 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1447 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1450 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1455 * The A register now contains the length of the
1456 * IP header. We need to add to it the length
1457 * of the prefix preceding the link-layer
1458 * header, which is still in the X register, and
1459 * move the result into the X register.
1461 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1462 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1465 * There is no variable-length header preceding the
1466 * link-layer header; add in off_ll, which, if there's
1467 * a fixed-length header preceding the link-layer header,
1468 * is the length of that header.
1470 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1471 s->s.k = off_ll + off_nl;
1476 static struct block *
1483 s = new_stmt(BPF_LD|BPF_IMM);
1485 b = new_block(JMP(BPF_JEQ));
1491 static inline struct block *
1494 return gen_uncond(1);
1497 static inline struct block *
1500 return gen_uncond(0);
1504 * Byte-swap a 32-bit number.
1505 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1506 * big-endian platforms.)
1508 #define SWAPLONG(y) \
1509 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1512 * Generate code to match a particular packet type.
1514 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1515 * value, if <= ETHERMTU. We use that to determine whether to
1516 * match the type/length field or to check the type/length field for
1517 * a value <= ETHERMTU to see whether it's a type field and then do
1518 * the appropriate test.
1520 static struct block *
1521 gen_ether_linktype(proto)
1524 struct block *b0, *b1;
1530 case LLCSAP_NETBEUI:
1532 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1533 * so we check the DSAP and SSAP.
1535 * LLCSAP_IP checks for IP-over-802.2, rather
1536 * than IP-over-Ethernet or IP-over-SNAP.
1538 * XXX - should we check both the DSAP and the
1539 * SSAP, like this, or should we check just the
1540 * DSAP, as we do for other types <= ETHERMTU
1541 * (i.e., other SAP values)?
1543 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1545 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1546 ((proto << 8) | proto));
1554 * Ethernet_II frames, which are Ethernet
1555 * frames with a frame type of ETHERTYPE_IPX;
1557 * Ethernet_802.3 frames, which are 802.3
1558 * frames (i.e., the type/length field is
1559 * a length field, <= ETHERMTU, rather than
1560 * a type field) with the first two bytes
1561 * after the Ethernet/802.3 header being
1564 * Ethernet_802.2 frames, which are 802.3
1565 * frames with an 802.2 LLC header and
1566 * with the IPX LSAP as the DSAP in the LLC
1569 * Ethernet_SNAP frames, which are 802.3
1570 * frames with an LLC header and a SNAP
1571 * header and with an OUI of 0x000000
1572 * (encapsulated Ethernet) and a protocol
1573 * ID of ETHERTYPE_IPX in the SNAP header.
1575 * XXX - should we generate the same code both
1576 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1580 * This generates code to check both for the
1581 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1583 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1584 (bpf_int32)LLCSAP_IPX);
1585 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1590 * Now we add code to check for SNAP frames with
1591 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1593 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1597 * Now we generate code to check for 802.3
1598 * frames in general.
1600 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1604 * Now add the check for 802.3 frames before the
1605 * check for Ethernet_802.2 and Ethernet_802.3,
1606 * as those checks should only be done on 802.3
1607 * frames, not on Ethernet frames.
1612 * Now add the check for Ethernet_II frames, and
1613 * do that before checking for the other frame
1616 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1617 (bpf_int32)ETHERTYPE_IPX);
1621 case ETHERTYPE_ATALK:
1622 case ETHERTYPE_AARP:
1624 * EtherTalk (AppleTalk protocols on Ethernet link
1625 * layer) may use 802.2 encapsulation.
1629 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1630 * we check for an Ethernet type field less than
1631 * 1500, which means it's an 802.3 length field.
1633 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1637 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1638 * SNAP packets with an organization code of
1639 * 0x080007 (Apple, for Appletalk) and a protocol
1640 * type of ETHERTYPE_ATALK (Appletalk).
1642 * 802.2-encapsulated ETHERTYPE_AARP packets are
1643 * SNAP packets with an organization code of
1644 * 0x000000 (encapsulated Ethernet) and a protocol
1645 * type of ETHERTYPE_AARP (Appletalk ARP).
1647 if (proto == ETHERTYPE_ATALK)
1648 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1649 else /* proto == ETHERTYPE_AARP */
1650 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1654 * Check for Ethernet encapsulation (Ethertalk
1655 * phase 1?); we just check for the Ethernet
1658 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1664 if (proto <= ETHERMTU) {
1666 * This is an LLC SAP value, so the frames
1667 * that match would be 802.2 frames.
1668 * Check that the frame is an 802.2 frame
1669 * (i.e., that the length/type field is
1670 * a length field, <= ETHERMTU) and
1671 * then check the DSAP.
1673 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1675 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1681 * This is an Ethernet type, so compare
1682 * the length/type field with it (if
1683 * the frame is an 802.2 frame, the length
1684 * field will be <= ETHERMTU, and, as
1685 * "proto" is > ETHERMTU, this test
1686 * will fail and the frame won't match,
1687 * which is what we want).
1689 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1696 * Generate code to match a particular packet type.
1698 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1699 * value, if <= ETHERMTU. We use that to determine whether to
1700 * match the type field or to check the type field for the special
1701 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1703 static struct block *
1704 gen_linux_sll_linktype(proto)
1707 struct block *b0, *b1;
1713 case LLCSAP_NETBEUI:
1715 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1716 * so we check the DSAP and SSAP.
1718 * LLCSAP_IP checks for IP-over-802.2, rather
1719 * than IP-over-Ethernet or IP-over-SNAP.
1721 * XXX - should we check both the DSAP and the
1722 * SSAP, like this, or should we check just the
1723 * DSAP, as we do for other types <= ETHERMTU
1724 * (i.e., other SAP values)?
1726 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1727 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1728 ((proto << 8) | proto));
1734 * Ethernet_II frames, which are Ethernet
1735 * frames with a frame type of ETHERTYPE_IPX;
1737 * Ethernet_802.3 frames, which have a frame
1738 * type of LINUX_SLL_P_802_3;
1740 * Ethernet_802.2 frames, which are 802.3
1741 * frames with an 802.2 LLC header (i.e, have
1742 * a frame type of LINUX_SLL_P_802_2) and
1743 * with the IPX LSAP as the DSAP in the LLC
1746 * Ethernet_SNAP frames, which are 802.3
1747 * frames with an LLC header and a SNAP
1748 * header and with an OUI of 0x000000
1749 * (encapsulated Ethernet) and a protocol
1750 * ID of ETHERTYPE_IPX in the SNAP header.
1752 * First, do the checks on LINUX_SLL_P_802_2
1753 * frames; generate the check for either
1754 * Ethernet_802.2 or Ethernet_SNAP frames, and
1755 * then put a check for LINUX_SLL_P_802_2 frames
1758 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1759 (bpf_int32)LLCSAP_IPX);
1760 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1763 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1767 * Now check for 802.3 frames and OR that with
1768 * the previous test.
1770 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1774 * Now add the check for Ethernet_II frames, and
1775 * do that before checking for the other frame
1778 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1779 (bpf_int32)ETHERTYPE_IPX);
1783 case ETHERTYPE_ATALK:
1784 case ETHERTYPE_AARP:
1786 * EtherTalk (AppleTalk protocols on Ethernet link
1787 * layer) may use 802.2 encapsulation.
1791 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1792 * we check for the 802.2 protocol type in the
1793 * "Ethernet type" field.
1795 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1798 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1799 * SNAP packets with an organization code of
1800 * 0x080007 (Apple, for Appletalk) and a protocol
1801 * type of ETHERTYPE_ATALK (Appletalk).
1803 * 802.2-encapsulated ETHERTYPE_AARP packets are
1804 * SNAP packets with an organization code of
1805 * 0x000000 (encapsulated Ethernet) and a protocol
1806 * type of ETHERTYPE_AARP (Appletalk ARP).
1808 if (proto == ETHERTYPE_ATALK)
1809 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1811 else /* proto == ETHERTYPE_AARP */
1812 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1817 * Check for Ethernet encapsulation (Ethertalk
1818 * phase 1?); we just check for the Ethernet
1821 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1827 if (proto <= ETHERMTU) {
1829 * This is an LLC SAP value, so the frames
1830 * that match would be 802.2 frames.
1831 * Check for the 802.2 protocol type
1832 * in the "Ethernet type" field, and
1833 * then check the DSAP.
1835 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1837 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1843 * This is an Ethernet type, so compare
1844 * the length/type field with it (if
1845 * the frame is an 802.2 frame, the length
1846 * field will be <= ETHERMTU, and, as
1847 * "proto" is > ETHERMTU, this test
1848 * will fail and the frame won't match,
1849 * which is what we want).
1851 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1858 insert_radiotap_load_llprefixlen(b)
1861 struct slist *s1, *s2;
1864 * Prepend to the statements in this block code to load the
1865 * length of the radiotap header into the register assigned
1866 * to hold that length, if one has been assigned.
1868 if (reg_ll_size != -1) {
1870 * The 2 bytes at offsets of 2 and 3 from the beginning
1871 * of the radiotap header are the length of the radiotap
1872 * header; unfortunately, it's little-endian, so we have
1873 * to load it a byte at a time and construct the value.
1877 * Load the high-order byte, at an offset of 3, shift it
1878 * left a byte, and put the result in the X register.
1880 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1882 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1885 s2 = new_stmt(BPF_MISC|BPF_TAX);
1889 * Load the next byte, at an offset of 2, and OR the
1890 * value from the X register into it.
1892 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1895 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1899 * Now allocate a register to hold that value and store
1902 s2 = new_stmt(BPF_ST);
1903 s2->s.k = reg_ll_size;
1907 * Now move it into the X register.
1909 s2 = new_stmt(BPF_MISC|BPF_TAX);
1913 * Now append all the existing statements in this
1914 * block to these statements.
1916 sappend(s1, b->stmts);
1922 * At the moment we treat PPI as normal Radiotap encoded
1923 * packets. The difference is in the function that generates
1924 * the code at the beginning to compute the header length.
1925 * Since this code generator of PPI supports bare 802.11
1926 * encapsulation only (i.e. the encapsulated DLT should be
1927 * DLT_IEEE802_11) we generate code to check for this too.
1930 insert_ppi_load_llprefixlen(b)
1933 struct slist *s1, *s2;
1936 * Prepend to the statements in this block code to load the
1937 * length of the radiotap header into the register assigned
1938 * to hold that length, if one has been assigned.
1940 if (reg_ll_size != -1) {
1942 * The 2 bytes at offsets of 2 and 3 from the beginning
1943 * of the radiotap header are the length of the radiotap
1944 * header; unfortunately, it's little-endian, so we have
1945 * to load it a byte at a time and construct the value.
1949 * Load the high-order byte, at an offset of 3, shift it
1950 * left a byte, and put the result in the X register.
1952 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1954 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1957 s2 = new_stmt(BPF_MISC|BPF_TAX);
1961 * Load the next byte, at an offset of 2, and OR the
1962 * value from the X register into it.
1964 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1967 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1971 * Now allocate a register to hold that value and store
1974 s2 = new_stmt(BPF_ST);
1975 s2->s.k = reg_ll_size;
1979 * Now move it into the X register.
1981 s2 = new_stmt(BPF_MISC|BPF_TAX);
1985 * Now append all the existing statements in this
1986 * block to these statements.
1988 sappend(s1, b->stmts);
1994 static struct block *
1995 gen_ppi_dlt_check(void)
1997 struct slist *s_load_dlt;
2000 if (linktype == DLT_PPI)
2002 /* Create the statements that check for the DLT
2004 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2005 s_load_dlt->s.k = 4;
2007 b = new_block(JMP(BPF_JEQ));
2009 b->stmts = s_load_dlt;
2010 b->s.k = SWAPLONG(DLT_IEEE802_11);
2021 insert_load_llprefixlen(b)
2027 * At the moment we treat PPI as normal Radiotap encoded
2028 * packets. The difference is in the function that generates
2029 * the code at the beginning to compute the header length.
2030 * Since this code generator of PPI supports bare 802.11
2031 * encapsulation only (i.e. the encapsulated DLT should be
2032 * DLT_IEEE802_11) we generate code to check for this too.
2035 insert_ppi_load_llprefixlen(b);
2038 case DLT_IEEE802_11_RADIO:
2039 insert_radiotap_load_llprefixlen(b);
2045 static struct slist *
2046 gen_radiotap_llprefixlen(void)
2050 if (reg_ll_size == -1) {
2052 * We haven't yet assigned a register for the length
2053 * of the radiotap header; allocate one.
2055 reg_ll_size = alloc_reg();
2059 * Load the register containing the radiotap length
2060 * into the X register.
2062 s = new_stmt(BPF_LDX|BPF_MEM);
2063 s->s.k = reg_ll_size;
2068 * At the moment we treat PPI as normal Radiotap encoded
2069 * packets. The difference is in the function that generates
2070 * the code at the beginning to compute the header length.
2071 * Since this code generator of PPI supports bare 802.11
2072 * encapsulation only (i.e. the encapsulated DLT should be
2073 * DLT_IEEE802_11) we generate code to check for this too.
2075 static struct slist *
2076 gen_ppi_llprefixlen(void)
2080 if (reg_ll_size == -1) {
2082 * We haven't yet assigned a register for the length
2083 * of the radiotap header; allocate one.
2085 reg_ll_size = alloc_reg();
2089 * Load the register containing the radiotap length
2090 * into the X register.
2092 s = new_stmt(BPF_LDX|BPF_MEM);
2093 s->s.k = reg_ll_size;
2100 * Generate code to compute the link-layer header length, if necessary,
2101 * putting it into the X register, and to return either a pointer to a
2102 * "struct slist" for the list of statements in that code, or NULL if
2103 * no code is necessary.
2105 static struct slist *
2106 gen_llprefixlen(void)
2111 return gen_ppi_llprefixlen();
2114 case DLT_IEEE802_11_RADIO:
2115 return gen_radiotap_llprefixlen();
2123 * Generate code to match a particular packet type by matching the
2124 * link-layer type field or fields in the 802.2 LLC header.
2126 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2127 * value, if <= ETHERMTU.
2129 static struct block *
2133 struct block *b0, *b1, *b2;
2135 /* are we checking MPLS-encapsulated packets? */
2136 if (label_stack_depth > 0) {
2140 /* FIXME add other L3 proto IDs */
2141 return gen_mpls_linktype(Q_IP);
2143 case ETHERTYPE_IPV6:
2145 /* FIXME add other L3 proto IDs */
2146 return gen_mpls_linktype(Q_IPV6);
2149 bpf_error("unsupported protocol over mpls");
2157 return gen_ether_linktype(proto);
2165 proto = (proto << 8 | LLCSAP_ISONS);
2169 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2179 case DLT_IEEE802_11:
2180 case DLT_IEEE802_11_RADIO_AVS:
2181 case DLT_IEEE802_11_RADIO:
2182 case DLT_PRISM_HEADER:
2183 case DLT_ATM_RFC1483:
2185 case DLT_IP_OVER_FC:
2186 return gen_llc_linktype(proto);
2192 * If "is_lane" is set, check for a LANE-encapsulated
2193 * version of this protocol, otherwise check for an
2194 * LLC-encapsulated version of this protocol.
2196 * We assume LANE means Ethernet, not Token Ring.
2200 * Check that the packet doesn't begin with an
2201 * LE Control marker. (We've already generated
2204 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
2209 * Now generate an Ethernet test.
2211 b1 = gen_ether_linktype(proto);
2216 * Check for LLC encapsulation and then check the
2219 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
2220 b1 = gen_llc_linktype(proto);
2228 return gen_linux_sll_linktype(proto);
2233 case DLT_SLIP_BSDOS:
2236 * These types don't provide any type field; packets
2237 * are always IPv4 or IPv6.
2239 * XXX - for IPv4, check for a version number of 4, and,
2240 * for IPv6, check for a version number of 6?
2245 /* Check for a version number of 4. */
2246 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
2248 case ETHERTYPE_IPV6:
2249 /* Check for a version number of 6. */
2250 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
2254 return gen_false(); /* always false */
2261 case DLT_PPP_SERIAL:
2264 * We use Ethernet protocol types inside libpcap;
2265 * map them to the corresponding PPP protocol types.
2274 case ETHERTYPE_IPV6:
2283 case ETHERTYPE_ATALK:
2297 * I'm assuming the "Bridging PDU"s that go
2298 * over PPP are Spanning Tree Protocol
2312 * We use Ethernet protocol types inside libpcap;
2313 * map them to the corresponding PPP protocol types.
2318 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2319 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2321 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2326 case ETHERTYPE_IPV6:
2336 case ETHERTYPE_ATALK:
2350 * I'm assuming the "Bridging PDU"s that go
2351 * over PPP are Spanning Tree Protocol
2367 * For DLT_NULL, the link-layer header is a 32-bit
2368 * word containing an AF_ value in *host* byte order,
2369 * and for DLT_ENC, the link-layer header begins
2370 * with a 32-bit work containing an AF_ value in
2373 * In addition, if we're reading a saved capture file,
2374 * the host byte order in the capture may not be the
2375 * same as the host byte order on this machine.
2377 * For DLT_LOOP, the link-layer header is a 32-bit
2378 * word containing an AF_ value in *network* byte order.
2380 * XXX - AF_ values may, unfortunately, be platform-
2381 * dependent; for example, FreeBSD's AF_INET6 is 24
2382 * whilst NetBSD's and OpenBSD's is 26.
2384 * This means that, when reading a capture file, just
2385 * checking for our AF_INET6 value won't work if the
2386 * capture file came from another OS.
2395 case ETHERTYPE_IPV6:
2402 * Not a type on which we support filtering.
2403 * XXX - support those that have AF_ values
2404 * #defined on this platform, at least?
2409 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2411 * The AF_ value is in host byte order, but
2412 * the BPF interpreter will convert it to
2413 * network byte order.
2415 * If this is a save file, and it's from a
2416 * machine with the opposite byte order to
2417 * ours, we byte-swap the AF_ value.
2419 * Then we run it through "htonl()", and
2420 * generate code to compare against the result.
2422 if (bpf_pcap->sf.rfile != NULL &&
2423 bpf_pcap->sf.swapped)
2424 proto = SWAPLONG(proto);
2425 proto = htonl(proto);
2427 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2431 * af field is host byte order in contrast to the rest of
2434 if (proto == ETHERTYPE_IP)
2435 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2436 BPF_B, (bpf_int32)AF_INET));
2438 else if (proto == ETHERTYPE_IPV6)
2439 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2440 BPF_B, (bpf_int32)AF_INET6));
2448 case DLT_ARCNET_LINUX:
2450 * XXX should we check for first fragment if the protocol
2459 case ETHERTYPE_IPV6:
2460 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2461 (bpf_int32)ARCTYPE_INET6));
2465 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2466 (bpf_int32)ARCTYPE_IP);
2467 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2468 (bpf_int32)ARCTYPE_IP_OLD);
2473 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2474 (bpf_int32)ARCTYPE_ARP);
2475 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2476 (bpf_int32)ARCTYPE_ARP_OLD);
2480 case ETHERTYPE_REVARP:
2481 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2482 (bpf_int32)ARCTYPE_REVARP));
2484 case ETHERTYPE_ATALK:
2485 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2486 (bpf_int32)ARCTYPE_ATALK));
2493 case ETHERTYPE_ATALK:
2503 * XXX - assumes a 2-byte Frame Relay header with
2504 * DLCI and flags. What if the address is longer?
2510 * Check for the special NLPID for IP.
2512 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2515 case ETHERTYPE_IPV6:
2517 * Check for the special NLPID for IPv6.
2519 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2524 * Check for several OSI protocols.
2526 * Frame Relay packets typically have an OSI
2527 * NLPID at the beginning; we check for each
2530 * What we check for is the NLPID and a frame
2531 * control field of UI, i.e. 0x03 followed
2534 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2535 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2536 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2547 case DLT_JUNIPER_MFR:
2548 case DLT_JUNIPER_MLFR:
2549 case DLT_JUNIPER_MLPPP:
2550 case DLT_JUNIPER_ATM1:
2551 case DLT_JUNIPER_ATM2:
2552 case DLT_JUNIPER_PPPOE:
2553 case DLT_JUNIPER_PPPOE_ATM:
2554 case DLT_JUNIPER_GGSN:
2555 case DLT_JUNIPER_ES:
2556 case DLT_JUNIPER_MONITOR:
2557 case DLT_JUNIPER_SERVICES:
2558 case DLT_JUNIPER_ETHER:
2559 case DLT_JUNIPER_PPP:
2560 case DLT_JUNIPER_FRELAY:
2561 case DLT_JUNIPER_CHDLC:
2562 case DLT_JUNIPER_VP:
2563 /* just lets verify the magic number for now -
2564 * on ATM we may have up to 6 different encapsulations on the wire
2565 * and need a lot of heuristics to figure out that the payload
2568 * FIXME encapsulation specific BPF_ filters
2570 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2572 case DLT_LINUX_IRDA:
2573 bpf_error("IrDA link-layer type filtering not implemented");
2576 bpf_error("DOCSIS link-layer type filtering not implemented");
2578 case DLT_LINUX_LAPD:
2579 bpf_error("LAPD link-layer type filtering not implemented");
2583 * All the types that have no encapsulation should either be
2584 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2585 * all packets are IP packets, or should be handled in some
2586 * special case, if none of them are (if some are and some
2587 * aren't, the lack of encapsulation is a problem, as we'd
2588 * have to find some other way of determining the packet type).
2590 * Therefore, if "off_linktype" is -1, there's an error.
2592 if (off_linktype == (u_int)-1)
2596 * Any type not handled above should always have an Ethernet
2597 * type at an offset of "off_linktype". (PPP is partially
2598 * handled above - the protocol type is mapped from the
2599 * Ethernet and LLC types we use internally to the corresponding
2600 * PPP type - but the PPP type is always specified by a value
2601 * at "off_linktype", so we don't have to do the code generation
2604 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2608 * Check for an LLC SNAP packet with a given organization code and
2609 * protocol type; we check the entire contents of the 802.2 LLC and
2610 * snap headers, checking for DSAP and SSAP of SNAP and a control
2611 * field of 0x03 in the LLC header, and for the specified organization
2612 * code and protocol type in the SNAP header.
2614 static struct block *
2615 gen_snap(orgcode, ptype, offset)
2616 bpf_u_int32 orgcode;
2620 u_char snapblock[8];
2622 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2623 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2624 snapblock[2] = 0x03; /* control = UI */
2625 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2626 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2627 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2628 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2629 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2630 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2634 * Generate code to match a particular packet type, for link-layer types
2635 * using 802.2 LLC headers.
2637 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2638 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2640 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2641 * value, if <= ETHERMTU. We use that to determine whether to
2642 * match the DSAP or both DSAP and LSAP or to check the OUI and
2643 * protocol ID in a SNAP header.
2645 static struct block *
2646 gen_llc_linktype(proto)
2650 * XXX - handle token-ring variable-length header.
2656 case LLCSAP_NETBEUI:
2658 * XXX - should we check both the DSAP and the
2659 * SSAP, like this, or should we check just the
2660 * DSAP, as we do for other types <= ETHERMTU
2661 * (i.e., other SAP values)?
2663 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2664 ((proto << 8) | proto));
2668 * XXX - are there ever SNAP frames for IPX on
2669 * non-Ethernet 802.x networks?
2671 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2672 (bpf_int32)LLCSAP_IPX);
2674 case ETHERTYPE_ATALK:
2676 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2677 * SNAP packets with an organization code of
2678 * 0x080007 (Apple, for Appletalk) and a protocol
2679 * type of ETHERTYPE_ATALK (Appletalk).
2681 * XXX - check for an organization code of
2682 * encapsulated Ethernet as well?
2684 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2688 * XXX - we don't have to check for IPX 802.3
2689 * here, but should we check for the IPX Ethertype?
2691 if (proto <= ETHERMTU) {
2693 * This is an LLC SAP value, so check
2696 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2700 * This is an Ethernet type; we assume that it's
2701 * unlikely that it'll appear in the right place
2702 * at random, and therefore check only the
2703 * location that would hold the Ethernet type
2704 * in a SNAP frame with an organization code of
2705 * 0x000000 (encapsulated Ethernet).
2707 * XXX - if we were to check for the SNAP DSAP and
2708 * LSAP, as per XXX, and were also to check for an
2709 * organization code of 0x000000 (encapsulated
2710 * Ethernet), we'd do
2712 * return gen_snap(0x000000, proto,
2715 * here; for now, we don't, as per the above.
2716 * I don't know whether it's worth the extra CPU
2717 * time to do the right check or not.
2719 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2725 static struct block *
2726 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2730 u_int src_off, dst_off;
2732 struct block *b0, *b1;
2746 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2747 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2753 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2754 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2761 b0 = gen_linktype(proto);
2762 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2768 static struct block *
2769 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2770 struct in6_addr *addr;
2771 struct in6_addr *mask;
2773 u_int src_off, dst_off;
2775 struct block *b0, *b1;
2790 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2791 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2797 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2798 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2805 /* this order is important */
2806 a = (u_int32_t *)addr;
2807 m = (u_int32_t *)mask;
2808 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2809 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2811 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2813 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2815 b0 = gen_linktype(proto);
2821 static struct block *
2822 gen_ehostop(eaddr, dir)
2823 register const u_char *eaddr;
2826 register struct block *b0, *b1;
2830 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2833 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2836 b0 = gen_ehostop(eaddr, Q_SRC);
2837 b1 = gen_ehostop(eaddr, Q_DST);
2843 b0 = gen_ehostop(eaddr, Q_SRC);
2844 b1 = gen_ehostop(eaddr, Q_DST);
2853 * Like gen_ehostop, but for DLT_FDDI
2855 static struct block *
2856 gen_fhostop(eaddr, dir)
2857 register const u_char *eaddr;
2860 struct block *b0, *b1;
2865 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2867 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2872 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2874 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2878 b0 = gen_fhostop(eaddr, Q_SRC);
2879 b1 = gen_fhostop(eaddr, Q_DST);
2885 b0 = gen_fhostop(eaddr, Q_SRC);
2886 b1 = gen_fhostop(eaddr, Q_DST);
2895 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2897 static struct block *
2898 gen_thostop(eaddr, dir)
2899 register const u_char *eaddr;
2902 register struct block *b0, *b1;
2906 return gen_bcmp(OR_LINK, 8, 6, eaddr);
2909 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2912 b0 = gen_thostop(eaddr, Q_SRC);
2913 b1 = gen_thostop(eaddr, Q_DST);
2919 b0 = gen_thostop(eaddr, Q_SRC);
2920 b1 = gen_thostop(eaddr, Q_DST);
2929 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2931 static struct block *
2932 gen_wlanhostop(eaddr, dir)
2933 register const u_char *eaddr;
2936 register struct block *b0, *b1, *b2;
2937 register struct slist *s;
2944 * For control frames, there is no SA.
2946 * For management frames, SA is at an
2947 * offset of 10 from the beginning of
2950 * For data frames, SA is at an offset
2951 * of 10 from the beginning of the packet
2952 * if From DS is clear, at an offset of
2953 * 16 from the beginning of the packet
2954 * if From DS is set and To DS is clear,
2955 * and an offset of 24 from the beginning
2956 * of the packet if From DS is set and To DS
2961 * Generate the tests to be done for data frames
2964 * First, check for To DS set, i.e. check "link[1] & 0x01".
2966 s = gen_load_a(OR_LINK, 1, BPF_B);
2967 b1 = new_block(JMP(BPF_JSET));
2968 b1->s.k = 0x01; /* To DS */
2972 * If To DS is set, the SA is at 24.
2974 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2978 * Now, check for To DS not set, i.e. check
2979 * "!(link[1] & 0x01)".
2981 s = gen_load_a(OR_LINK, 1, BPF_B);
2982 b2 = new_block(JMP(BPF_JSET));
2983 b2->s.k = 0x01; /* To DS */
2988 * If To DS is not set, the SA is at 16.
2990 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2994 * Now OR together the last two checks. That gives
2995 * the complete set of checks for data frames with
3001 * Now check for From DS being set, and AND that with
3002 * the ORed-together checks.
3004 s = gen_load_a(OR_LINK, 1, BPF_B);
3005 b1 = new_block(JMP(BPF_JSET));
3006 b1->s.k = 0x02; /* From DS */
3011 * Now check for data frames with From DS not set.
3013 s = gen_load_a(OR_LINK, 1, BPF_B);
3014 b2 = new_block(JMP(BPF_JSET));
3015 b2->s.k = 0x02; /* From DS */
3020 * If From DS isn't set, the SA is at 10.
3022 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3026 * Now OR together the checks for data frames with
3027 * From DS not set and for data frames with From DS
3028 * set; that gives the checks done for data frames.
3033 * Now check for a data frame.
3034 * I.e, check "link[0] & 0x08".
3036 gen_load_a(OR_LINK, 0, BPF_B);
3037 b1 = new_block(JMP(BPF_JSET));
3042 * AND that with the checks done for data frames.
3047 * If the high-order bit of the type value is 0, this
3048 * is a management frame.
3049 * I.e, check "!(link[0] & 0x08)".
3051 s = gen_load_a(OR_LINK, 0, BPF_B);
3052 b2 = new_block(JMP(BPF_JSET));
3058 * For management frames, the SA is at 10.
3060 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3064 * OR that with the checks done for data frames.
3065 * That gives the checks done for management and
3071 * If the low-order bit of the type value is 1,
3072 * this is either a control frame or a frame
3073 * with a reserved type, and thus not a
3076 * I.e., check "!(link[0] & 0x04)".
3078 s = gen_load_a(OR_LINK, 0, BPF_B);
3079 b1 = new_block(JMP(BPF_JSET));
3085 * AND that with the checks for data and management
3095 * For control frames, there is no DA.
3097 * For management frames, DA is at an
3098 * offset of 4 from the beginning of
3101 * For data frames, DA is at an offset
3102 * of 4 from the beginning of the packet
3103 * if To DS is clear and at an offset of
3104 * 16 from the beginning of the packet
3109 * Generate the tests to be done for data frames.
3111 * First, check for To DS set, i.e. "link[1] & 0x01".
3113 s = gen_load_a(OR_LINK, 1, BPF_B);
3114 b1 = new_block(JMP(BPF_JSET));
3115 b1->s.k = 0x01; /* To DS */
3119 * If To DS is set, the DA is at 16.
3121 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3125 * Now, check for To DS not set, i.e. check
3126 * "!(link[1] & 0x01)".
3128 s = gen_load_a(OR_LINK, 1, BPF_B);
3129 b2 = new_block(JMP(BPF_JSET));
3130 b2->s.k = 0x01; /* To DS */
3135 * If To DS is not set, the DA is at 4.
3137 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3141 * Now OR together the last two checks. That gives
3142 * the complete set of checks for data frames.
3147 * Now check for a data frame.
3148 * I.e, check "link[0] & 0x08".
3150 s = gen_load_a(OR_LINK, 0, BPF_B);
3151 b1 = new_block(JMP(BPF_JSET));
3156 * AND that with the checks done for data frames.
3161 * If the high-order bit of the type value is 0, this
3162 * is a management frame.
3163 * I.e, check "!(link[0] & 0x08)".
3165 s = gen_load_a(OR_LINK, 0, BPF_B);
3166 b2 = new_block(JMP(BPF_JSET));
3172 * For management frames, the DA is at 4.
3174 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3178 * OR that with the checks done for data frames.
3179 * That gives the checks done for management and
3185 * If the low-order bit of the type value is 1,
3186 * this is either a control frame or a frame
3187 * with a reserved type, and thus not a
3190 * I.e., check "!(link[0] & 0x04)".
3192 s = gen_load_a(OR_LINK, 0, BPF_B);
3193 b1 = new_block(JMP(BPF_JSET));
3199 * AND that with the checks for data and management
3206 b0 = gen_wlanhostop(eaddr, Q_SRC);
3207 b1 = gen_wlanhostop(eaddr, Q_DST);
3213 b0 = gen_wlanhostop(eaddr, Q_SRC);
3214 b1 = gen_wlanhostop(eaddr, Q_DST);
3223 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
3224 * (We assume that the addresses are IEEE 48-bit MAC addresses,
3225 * as the RFC states.)
3227 static struct block *
3228 gen_ipfchostop(eaddr, dir)
3229 register const u_char *eaddr;
3232 register struct block *b0, *b1;
3236 return gen_bcmp(OR_LINK, 10, 6, eaddr);
3239 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3242 b0 = gen_ipfchostop(eaddr, Q_SRC);
3243 b1 = gen_ipfchostop(eaddr, Q_DST);
3249 b0 = gen_ipfchostop(eaddr, Q_SRC);
3250 b1 = gen_ipfchostop(eaddr, Q_DST);
3259 * This is quite tricky because there may be pad bytes in front of the
3260 * DECNET header, and then there are two possible data packet formats that
3261 * carry both src and dst addresses, plus 5 packet types in a format that
3262 * carries only the src node, plus 2 types that use a different format and
3263 * also carry just the src node.
3267 * Instead of doing those all right, we just look for data packets with
3268 * 0 or 1 bytes of padding. If you want to look at other packets, that
3269 * will require a lot more hacking.
3271 * To add support for filtering on DECNET "areas" (network numbers)
3272 * one would want to add a "mask" argument to this routine. That would
3273 * make the filter even more inefficient, although one could be clever
3274 * and not generate masking instructions if the mask is 0xFFFF.
3276 static struct block *
3277 gen_dnhostop(addr, dir)
3281 struct block *b0, *b1, *b2, *tmp;
3282 u_int offset_lh; /* offset if long header is received */
3283 u_int offset_sh; /* offset if short header is received */
3288 offset_sh = 1; /* follows flags */
3289 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
3293 offset_sh = 3; /* follows flags, dstnode */
3294 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3298 /* Inefficient because we do our Calvinball dance twice */
3299 b0 = gen_dnhostop(addr, Q_SRC);
3300 b1 = gen_dnhostop(addr, Q_DST);
3306 /* Inefficient because we do our Calvinball dance twice */
3307 b0 = gen_dnhostop(addr, Q_SRC);
3308 b1 = gen_dnhostop(addr, Q_DST);
3313 bpf_error("ISO host filtering not implemented");
3318 b0 = gen_linktype(ETHERTYPE_DN);
3319 /* Check for pad = 1, long header case */
3320 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3321 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3322 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3323 BPF_H, (bpf_int32)ntohs((u_short)addr));
3325 /* Check for pad = 0, long header case */
3326 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3327 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3330 /* Check for pad = 1, short header case */
3331 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3332 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3333 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3336 /* Check for pad = 0, short header case */
3337 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3338 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3342 /* Combine with test for linktype */
3348 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
3349 * test the bottom-of-stack bit, and then check the version number
3350 * field in the IP header.
3352 static struct block *
3353 gen_mpls_linktype(proto)
3356 struct block *b0, *b1;
3361 /* match the bottom-of-stack bit */
3362 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3363 /* match the IPv4 version number */
3364 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3369 /* match the bottom-of-stack bit */
3370 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3371 /* match the IPv4 version number */
3372 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3381 static struct block *
3382 gen_host(addr, mask, proto, dir, type)
3389 struct block *b0, *b1;
3390 const char *typestr;
3400 b0 = gen_host(addr, mask, Q_IP, dir, type);
3402 * Only check for non-IPv4 addresses if we're not
3403 * checking MPLS-encapsulated packets.
3405 if (label_stack_depth == 0) {
3406 b1 = gen_host(addr, mask, Q_ARP, dir, type);
3408 b0 = gen_host(addr, mask, Q_RARP, dir, type);
3414 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3417 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3420 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3423 bpf_error("'tcp' modifier applied to %s", typestr);
3426 bpf_error("'sctp' modifier applied to %s", typestr);
3429 bpf_error("'udp' modifier applied to %s", typestr);
3432 bpf_error("'icmp' modifier applied to %s", typestr);
3435 bpf_error("'igmp' modifier applied to %s", typestr);
3438 bpf_error("'igrp' modifier applied to %s", typestr);
3441 bpf_error("'pim' modifier applied to %s", typestr);
3444 bpf_error("'vrrp' modifier applied to %s", typestr);
3447 bpf_error("ATALK host filtering not implemented");
3450 bpf_error("AARP host filtering not implemented");
3453 return gen_dnhostop(addr, dir);
3456 bpf_error("SCA host filtering not implemented");
3459 bpf_error("LAT host filtering not implemented");
3462 bpf_error("MOPDL host filtering not implemented");
3465 bpf_error("MOPRC host filtering not implemented");
3469 bpf_error("'ip6' modifier applied to ip host");
3472 bpf_error("'icmp6' modifier applied to %s", typestr);
3476 bpf_error("'ah' modifier applied to %s", typestr);
3479 bpf_error("'esp' modifier applied to %s", typestr);
3482 bpf_error("ISO host filtering not implemented");
3485 bpf_error("'esis' modifier applied to %s", typestr);
3488 bpf_error("'isis' modifier applied to %s", typestr);
3491 bpf_error("'clnp' modifier applied to %s", typestr);
3494 bpf_error("'stp' modifier applied to %s", typestr);
3497 bpf_error("IPX host filtering not implemented");
3500 bpf_error("'netbeui' modifier applied to %s", typestr);
3503 bpf_error("'radio' modifier applied to %s", typestr);
3512 static struct block *
3513 gen_host6(addr, mask, proto, dir, type)
3514 struct in6_addr *addr;
3515 struct in6_addr *mask;
3520 const char *typestr;
3530 return gen_host6(addr, mask, Q_IPV6, dir, type);
3533 bpf_error("'ip' modifier applied to ip6 %s", typestr);
3536 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
3539 bpf_error("'arp' modifier applied to ip6 %s", typestr);
3542 bpf_error("'sctp' modifier applied to %s", typestr);
3545 bpf_error("'tcp' modifier applied to %s", typestr);
3548 bpf_error("'udp' modifier applied to %s", typestr);
3551 bpf_error("'icmp' modifier applied to %s", typestr);
3554 bpf_error("'igmp' modifier applied to %s", typestr);
3557 bpf_error("'igrp' modifier applied to %s", typestr);
3560 bpf_error("'pim' modifier applied to %s", typestr);
3563 bpf_error("'vrrp' modifier applied to %s", typestr);
3566 bpf_error("ATALK host filtering not implemented");
3569 bpf_error("AARP host filtering not implemented");
3572 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
3575 bpf_error("SCA host filtering not implemented");
3578 bpf_error("LAT host filtering not implemented");
3581 bpf_error("MOPDL host filtering not implemented");
3584 bpf_error("MOPRC host filtering not implemented");
3587 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3590 bpf_error("'icmp6' modifier applied to %s", typestr);
3593 bpf_error("'ah' modifier applied to %s", typestr);
3596 bpf_error("'esp' modifier applied to %s", typestr);
3599 bpf_error("ISO host filtering not implemented");
3602 bpf_error("'esis' modifier applied to %s", typestr);
3605 bpf_error("'isis' modifier applied to %s", typestr);
3608 bpf_error("'clnp' modifier applied to %s", typestr);
3611 bpf_error("'stp' modifier applied to %s", typestr);
3614 bpf_error("IPX host filtering not implemented");
3617 bpf_error("'netbeui' modifier applied to %s", typestr);
3620 bpf_error("'radio' modifier applied to %s", typestr);
3630 static struct block *
3631 gen_gateway(eaddr, alist, proto, dir)
3632 const u_char *eaddr;
3633 bpf_u_int32 **alist;
3637 struct block *b0, *b1, *tmp;
3640 bpf_error("direction applied to 'gateway'");
3649 b0 = gen_ehostop(eaddr, Q_OR);
3652 b0 = gen_fhostop(eaddr, Q_OR);
3655 b0 = gen_thostop(eaddr, Q_OR);
3657 case DLT_IEEE802_11:
3658 case DLT_IEEE802_11_RADIO_AVS:
3660 case DLT_IEEE802_11_RADIO:
3661 case DLT_PRISM_HEADER:
3662 b0 = gen_wlanhostop(eaddr, Q_OR);
3667 * Check that the packet doesn't begin with an
3668 * LE Control marker. (We've already generated
3671 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3676 * Now check the MAC address.
3678 b0 = gen_ehostop(eaddr, Q_OR);
3682 case DLT_IP_OVER_FC:
3683 b0 = gen_ipfchostop(eaddr, Q_OR);
3687 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3689 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
3691 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
3700 bpf_error("illegal modifier of 'gateway'");
3706 gen_proto_abbrev(proto)
3715 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3717 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3723 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3725 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3731 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3733 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3739 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3742 #ifndef IPPROTO_IGMP
3743 #define IPPROTO_IGMP 2
3747 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3750 #ifndef IPPROTO_IGRP
3751 #define IPPROTO_IGRP 9
3754 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3758 #define IPPROTO_PIM 103
3762 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3764 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3769 #ifndef IPPROTO_VRRP
3770 #define IPPROTO_VRRP 112
3774 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3778 b1 = gen_linktype(ETHERTYPE_IP);
3782 b1 = gen_linktype(ETHERTYPE_ARP);
3786 b1 = gen_linktype(ETHERTYPE_REVARP);
3790 bpf_error("link layer applied in wrong context");
3793 b1 = gen_linktype(ETHERTYPE_ATALK);
3797 b1 = gen_linktype(ETHERTYPE_AARP);
3801 b1 = gen_linktype(ETHERTYPE_DN);
3805 b1 = gen_linktype(ETHERTYPE_SCA);
3809 b1 = gen_linktype(ETHERTYPE_LAT);
3813 b1 = gen_linktype(ETHERTYPE_MOPDL);
3817 b1 = gen_linktype(ETHERTYPE_MOPRC);
3822 b1 = gen_linktype(ETHERTYPE_IPV6);
3825 #ifndef IPPROTO_ICMPV6
3826 #define IPPROTO_ICMPV6 58
3829 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3834 #define IPPROTO_AH 51
3837 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3839 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3845 #define IPPROTO_ESP 50
3848 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3850 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3856 b1 = gen_linktype(LLCSAP_ISONS);
3860 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3864 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3867 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3868 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3869 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3871 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3873 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3875 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3879 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3880 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3881 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3883 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3885 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3887 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3891 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3892 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3893 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3895 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3900 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3901 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3906 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3907 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3909 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3911 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3916 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3917 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3922 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3923 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3928 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3932 b1 = gen_linktype(LLCSAP_8021D);
3936 b1 = gen_linktype(LLCSAP_IPX);
3940 b1 = gen_linktype(LLCSAP_NETBEUI);
3944 bpf_error("'radio' is not a valid protocol type");
3952 static struct block *
3959 s = gen_load_a(OR_NET, 6, BPF_H);
3960 b = new_block(JMP(BPF_JSET));
3969 * Generate a comparison to a port value in the transport-layer header
3970 * at the specified offset from the beginning of that header.
3972 * XXX - this handles a variable-length prefix preceding the link-layer
3973 * header, such as the radiotap or AVS radio prefix, but doesn't handle
3974 * variable-length link-layer headers (such as Token Ring or 802.11
3977 static struct block *
3978 gen_portatom(off, v)
3982 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3986 static struct block *
3987 gen_portatom6(off, v)
3991 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
3996 gen_portop(port, proto, dir)
3997 int port, proto, dir;
3999 struct block *b0, *b1, *tmp;
4001 /* ip proto 'proto' */
4002 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4008 b1 = gen_portatom(0, (bpf_int32)port);
4012 b1 = gen_portatom(2, (bpf_int32)port);
4017 tmp = gen_portatom(0, (bpf_int32)port);
4018 b1 = gen_portatom(2, (bpf_int32)port);
4023 tmp = gen_portatom(0, (bpf_int32)port);
4024 b1 = gen_portatom(2, (bpf_int32)port);
4036 static struct block *
4037 gen_port(port, ip_proto, dir)
4042 struct block *b0, *b1, *tmp;
4047 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4048 * not LLC encapsulation with LLCSAP_IP.
4050 * For IEEE 802 networks - which includes 802.5 token ring
4051 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4052 * says that SNAP encapsulation is used, not LLC encapsulation
4055 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4056 * RFC 2225 say that SNAP encapsulation is used, not LLC
4057 * encapsulation with LLCSAP_IP.
4059 * So we always check for ETHERTYPE_IP.
4061 b0 = gen_linktype(ETHERTYPE_IP);
4067 b1 = gen_portop(port, ip_proto, dir);
4071 tmp = gen_portop(port, IPPROTO_TCP, dir);
4072 b1 = gen_portop(port, IPPROTO_UDP, dir);
4074 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4087 gen_portop6(port, proto, dir)
4088 int port, proto, dir;
4090 struct block *b0, *b1, *tmp;
4092 /* ip6 proto 'proto' */
4093 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4097 b1 = gen_portatom6(0, (bpf_int32)port);
4101 b1 = gen_portatom6(2, (bpf_int32)port);
4106 tmp = gen_portatom6(0, (bpf_int32)port);
4107 b1 = gen_portatom6(2, (bpf_int32)port);
4112 tmp = gen_portatom6(0, (bpf_int32)port);
4113 b1 = gen_portatom6(2, (bpf_int32)port);
4125 static struct block *
4126 gen_port6(port, ip_proto, dir)
4131 struct block *b0, *b1, *tmp;
4133 /* link proto ip6 */
4134 b0 = gen_linktype(ETHERTYPE_IPV6);
4140 b1 = gen_portop6(port, ip_proto, dir);
4144 tmp = gen_portop6(port, IPPROTO_TCP, dir);
4145 b1 = gen_portop6(port, IPPROTO_UDP, dir);
4147 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
4159 /* gen_portrange code */
4160 static struct block *
4161 gen_portrangeatom(off, v1, v2)
4165 struct block *b1, *b2;
4169 * Reverse the order of the ports, so v1 is the lower one.
4178 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
4179 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
4187 gen_portrangeop(port1, port2, proto, dir)
4192 struct block *b0, *b1, *tmp;
4194 /* ip proto 'proto' */
4195 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4201 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4205 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4210 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4211 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4216 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4217 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4229 static struct block *
4230 gen_portrange(port1, port2, ip_proto, dir)
4235 struct block *b0, *b1, *tmp;
4238 b0 = gen_linktype(ETHERTYPE_IP);
4244 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
4248 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
4249 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
4251 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
4263 static struct block *
4264 gen_portrangeatom6(off, v1, v2)
4268 struct block *b1, *b2;
4272 * Reverse the order of the ports, so v1 is the lower one.
4281 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
4282 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
4290 gen_portrangeop6(port1, port2, proto, dir)
4295 struct block *b0, *b1, *tmp;
4297 /* ip6 proto 'proto' */
4298 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4302 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4306 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4311 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4312 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4317 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4318 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4330 static struct block *
4331 gen_portrange6(port1, port2, ip_proto, dir)
4336 struct block *b0, *b1, *tmp;
4338 /* link proto ip6 */
4339 b0 = gen_linktype(ETHERTYPE_IPV6);
4345 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4349 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4350 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4352 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4365 lookup_proto(name, proto)
4366 register const char *name;
4376 v = pcap_nametoproto(name);
4377 if (v == PROTO_UNDEF)
4378 bpf_error("unknown ip proto '%s'", name);
4382 /* XXX should look up h/w protocol type based on linktype */
4383 v = pcap_nametoeproto(name);
4384 if (v == PROTO_UNDEF) {
4385 v = pcap_nametollc(name);
4386 if (v == PROTO_UNDEF)
4387 bpf_error("unknown ether proto '%s'", name);
4392 if (strcmp(name, "esis") == 0)
4394 else if (strcmp(name, "isis") == 0)
4396 else if (strcmp(name, "clnp") == 0)
4399 bpf_error("unknown osi proto '%s'", name);
4419 static struct block *
4420 gen_protochain(v, proto, dir)
4425 #ifdef NO_PROTOCHAIN
4426 return gen_proto(v, proto, dir);
4428 struct block *b0, *b;
4429 struct slist *s[100];
4430 int fix2, fix3, fix4, fix5;
4431 int ahcheck, again, end;
4433 int reg2 = alloc_reg();
4435 memset(s, 0, sizeof(s));
4436 fix2 = fix3 = fix4 = fix5 = 0;
4443 b0 = gen_protochain(v, Q_IP, dir);
4444 b = gen_protochain(v, Q_IPV6, dir);
4448 bpf_error("bad protocol applied for 'protochain'");
4453 * We don't handle variable-length radiotap here headers yet.
4454 * We might want to add BPF instructions to do the protochain
4455 * work, to simplify that and, on platforms that have a BPF
4456 * interpreter with the new instructions, let the filtering
4457 * be done in the kernel. (We already require a modified BPF
4458 * engine to do the protochain stuff, to support backward
4459 * branches, and backward branch support is unlikely to appear
4460 * in kernel BPF engines.)
4462 if (linktype == DLT_IEEE802_11_RADIO)
4463 bpf_error("'protochain' not supported with radiotap headers");
4465 if (linktype == DLT_PPI)
4466 bpf_error("'protochain' not supported with PPI headers");
4468 no_optimize = 1; /*this code is not compatible with optimzer yet */
4471 * s[0] is a dummy entry to protect other BPF insn from damage
4472 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
4473 * hard to find interdependency made by jump table fixup.
4476 s[i] = new_stmt(0); /*dummy*/
4481 b0 = gen_linktype(ETHERTYPE_IP);
4484 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4485 s[i]->s.k = off_ll + off_nl + 9;
4487 /* X = ip->ip_hl << 2 */
4488 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4489 s[i]->s.k = off_ll + off_nl;
4494 b0 = gen_linktype(ETHERTYPE_IPV6);
4496 /* A = ip6->ip_nxt */
4497 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4498 s[i]->s.k = off_ll + off_nl + 6;
4500 /* X = sizeof(struct ip6_hdr) */
4501 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4507 bpf_error("unsupported proto to gen_protochain");
4511 /* again: if (A == v) goto end; else fall through; */
4513 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4515 s[i]->s.jt = NULL; /*later*/
4516 s[i]->s.jf = NULL; /*update in next stmt*/
4520 #ifndef IPPROTO_NONE
4521 #define IPPROTO_NONE 59
4523 /* if (A == IPPROTO_NONE) goto end */
4524 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4525 s[i]->s.jt = NULL; /*later*/
4526 s[i]->s.jf = NULL; /*update in next stmt*/
4527 s[i]->s.k = IPPROTO_NONE;
4528 s[fix5]->s.jf = s[i];
4533 if (proto == Q_IPV6) {
4534 int v6start, v6end, v6advance, j;
4537 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4538 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4539 s[i]->s.jt = NULL; /*later*/
4540 s[i]->s.jf = NULL; /*update in next stmt*/
4541 s[i]->s.k = IPPROTO_HOPOPTS;
4542 s[fix2]->s.jf = s[i];
4544 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4545 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4546 s[i]->s.jt = NULL; /*later*/
4547 s[i]->s.jf = NULL; /*update in next stmt*/
4548 s[i]->s.k = IPPROTO_DSTOPTS;
4550 /* if (A == IPPROTO_ROUTING) goto v6advance */
4551 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4552 s[i]->s.jt = NULL; /*later*/
4553 s[i]->s.jf = NULL; /*update in next stmt*/
4554 s[i]->s.k = IPPROTO_ROUTING;
4556 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4557 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4558 s[i]->s.jt = NULL; /*later*/
4559 s[i]->s.jf = NULL; /*later*/
4560 s[i]->s.k = IPPROTO_FRAGMENT;
4571 * X = X + (P[X + 1] + 1) * 8;
4574 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4576 /* A = P[X + packet head] */
4577 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4578 s[i]->s.k = off_ll + off_nl;
4581 s[i] = new_stmt(BPF_ST);
4585 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4588 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4592 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4594 /* A = P[X + packet head]; */
4595 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4596 s[i]->s.k = off_ll + off_nl;
4599 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4603 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4607 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4610 s[i] = new_stmt(BPF_LD|BPF_MEM);
4614 /* goto again; (must use BPF_JA for backward jump) */
4615 s[i] = new_stmt(BPF_JMP|BPF_JA);
4616 s[i]->s.k = again - i - 1;
4617 s[i - 1]->s.jf = s[i];
4621 for (j = v6start; j <= v6end; j++)
4622 s[j]->s.jt = s[v6advance];
4627 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4629 s[fix2]->s.jf = s[i];
4635 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4636 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4637 s[i]->s.jt = NULL; /*later*/
4638 s[i]->s.jf = NULL; /*later*/
4639 s[i]->s.k = IPPROTO_AH;
4641 s[fix3]->s.jf = s[ahcheck];
4648 * X = X + (P[X + 1] + 2) * 4;
4651 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4653 /* A = P[X + packet head]; */
4654 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4655 s[i]->s.k = off_ll + off_nl;
4658 s[i] = new_stmt(BPF_ST);
4662 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4665 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4669 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4671 /* A = P[X + packet head] */
4672 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4673 s[i]->s.k = off_ll + off_nl;
4676 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4680 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4684 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4687 s[i] = new_stmt(BPF_LD|BPF_MEM);
4691 /* goto again; (must use BPF_JA for backward jump) */
4692 s[i] = new_stmt(BPF_JMP|BPF_JA);
4693 s[i]->s.k = again - i - 1;
4698 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4700 s[fix2]->s.jt = s[end];
4701 s[fix4]->s.jf = s[end];
4702 s[fix5]->s.jt = s[end];
4709 for (i = 0; i < max - 1; i++)
4710 s[i]->next = s[i + 1];
4711 s[max - 1]->next = NULL;
4716 b = new_block(JMP(BPF_JEQ));
4717 b->stmts = s[1]; /*remember, s[0] is dummy*/
4729 * Generate code that checks whether the packet is a packet for protocol
4730 * <proto> and whether the type field in that protocol's header has
4731 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4732 * IP packet and checks the protocol number in the IP header against <v>.
4734 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4735 * against Q_IP and Q_IPV6.
4737 static struct block *
4738 gen_proto(v, proto, dir)
4743 struct block *b0, *b1;
4745 if (dir != Q_DEFAULT)
4746 bpf_error("direction applied to 'proto'");
4751 b0 = gen_proto(v, Q_IP, dir);
4752 b1 = gen_proto(v, Q_IPV6, dir);
4760 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4761 * not LLC encapsulation with LLCSAP_IP.
4763 * For IEEE 802 networks - which includes 802.5 token ring
4764 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4765 * says that SNAP encapsulation is used, not LLC encapsulation
4768 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4769 * RFC 2225 say that SNAP encapsulation is used, not LLC
4770 * encapsulation with LLCSAP_IP.
4772 * So we always check for ETHERTYPE_IP.
4774 b0 = gen_linktype(ETHERTYPE_IP);
4776 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4778 b1 = gen_protochain(v, Q_IP);
4788 * Frame Relay packets typically have an OSI
4789 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4790 * generates code to check for all the OSI
4791 * NLPIDs, so calling it and then adding a check
4792 * for the particular NLPID for which we're
4793 * looking is bogus, as we can just check for
4796 * What we check for is the NLPID and a frame
4797 * control field value of UI, i.e. 0x03 followed
4800 * XXX - assumes a 2-byte Frame Relay header with
4801 * DLCI and flags. What if the address is longer?
4803 * XXX - what about SNAP-encapsulated frames?
4805 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4811 * Cisco uses an Ethertype lookalike - for OSI,
4814 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4815 /* OSI in C-HDLC is stuffed with a fudge byte */
4816 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4821 b0 = gen_linktype(LLCSAP_ISONS);
4822 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4828 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4830 * 4 is the offset of the PDU type relative to the IS-IS
4833 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4838 bpf_error("arp does not encapsulate another protocol");
4842 bpf_error("rarp does not encapsulate another protocol");
4846 bpf_error("atalk encapsulation is not specifiable");
4850 bpf_error("decnet encapsulation is not specifiable");
4854 bpf_error("sca does not encapsulate another protocol");
4858 bpf_error("lat does not encapsulate another protocol");
4862 bpf_error("moprc does not encapsulate another protocol");
4866 bpf_error("mopdl does not encapsulate another protocol");
4870 return gen_linktype(v);
4873 bpf_error("'udp proto' is bogus");
4877 bpf_error("'tcp proto' is bogus");
4881 bpf_error("'sctp proto' is bogus");
4885 bpf_error("'icmp proto' is bogus");
4889 bpf_error("'igmp proto' is bogus");
4893 bpf_error("'igrp proto' is bogus");
4897 bpf_error("'pim proto' is bogus");
4901 bpf_error("'vrrp proto' is bogus");
4906 b0 = gen_linktype(ETHERTYPE_IPV6);
4908 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4910 b1 = gen_protochain(v, Q_IPV6);
4916 bpf_error("'icmp6 proto' is bogus");
4920 bpf_error("'ah proto' is bogus");
4923 bpf_error("'ah proto' is bogus");
4926 bpf_error("'stp proto' is bogus");
4929 bpf_error("'ipx proto' is bogus");
4932 bpf_error("'netbeui proto' is bogus");
4935 bpf_error("'radio proto' is bogus");
4946 register const char *name;
4949 int proto = q.proto;
4953 bpf_u_int32 mask, addr;
4955 bpf_u_int32 **alist;
4958 struct sockaddr_in *sin4;
4959 struct sockaddr_in6 *sin6;
4960 struct addrinfo *res, *res0;
4961 struct in6_addr mask128;
4963 struct block *b, *tmp;
4964 int port, real_proto;
4970 addr = pcap_nametonetaddr(name);
4972 bpf_error("unknown network '%s'", name);
4973 /* Left justify network addr and calculate its network mask */
4975 while (addr && (addr & 0xff000000) == 0) {
4979 return gen_host(addr, mask, proto, dir, q.addr);
4983 if (proto == Q_LINK) {
4987 eaddr = pcap_ether_hostton(name);
4990 "unknown ether host '%s'", name);
4991 b = gen_ehostop(eaddr, dir);
4996 eaddr = pcap_ether_hostton(name);
4999 "unknown FDDI host '%s'", name);
5000 b = gen_fhostop(eaddr, dir);
5005 eaddr = pcap_ether_hostton(name);
5008 "unknown token ring host '%s'", name);
5009 b = gen_thostop(eaddr, dir);
5013 case DLT_IEEE802_11:
5014 case DLT_IEEE802_11_RADIO_AVS:
5015 case DLT_IEEE802_11_RADIO:
5016 case DLT_PRISM_HEADER:
5018 eaddr = pcap_ether_hostton(name);
5021 "unknown 802.11 host '%s'", name);
5022 b = gen_wlanhostop(eaddr, dir);
5026 case DLT_IP_OVER_FC:
5027 eaddr = pcap_ether_hostton(name);
5030 "unknown Fibre Channel host '%s'", name);
5031 b = gen_ipfchostop(eaddr, dir);
5040 * Check that the packet doesn't begin
5041 * with an LE Control marker. (We've
5042 * already generated a test for LANE.)
5044 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5048 eaddr = pcap_ether_hostton(name);
5051 "unknown ether host '%s'", name);
5052 b = gen_ehostop(eaddr, dir);
5058 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
5059 } else if (proto == Q_DECNET) {
5060 unsigned short dn_addr = __pcap_nametodnaddr(name);
5062 * I don't think DECNET hosts can be multihomed, so
5063 * there is no need to build up a list of addresses
5065 return (gen_host(dn_addr, 0, proto, dir, q.addr));
5068 alist = pcap_nametoaddr(name);
5069 if (alist == NULL || *alist == NULL)
5070 bpf_error("unknown host '%s'", name);
5072 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
5074 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
5076 tmp = gen_host(**alist++, 0xffffffff,
5077 tproto, dir, q.addr);
5083 memset(&mask128, 0xff, sizeof(mask128));
5084 res0 = res = pcap_nametoaddrinfo(name);
5086 bpf_error("unknown host '%s'", name);
5088 tproto = tproto6 = proto;
5089 if (off_linktype == -1 && tproto == Q_DEFAULT) {
5093 for (res = res0; res; res = res->ai_next) {
5094 switch (res->ai_family) {
5096 if (tproto == Q_IPV6)
5099 sin4 = (struct sockaddr_in *)
5101 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
5102 0xffffffff, tproto, dir, q.addr);
5105 if (tproto6 == Q_IP)
5108 sin6 = (struct sockaddr_in6 *)
5110 tmp = gen_host6(&sin6->sin6_addr,
5111 &mask128, tproto6, dir, q.addr);
5122 bpf_error("unknown host '%s'%s", name,
5123 (proto == Q_DEFAULT)
5125 : " for specified address family");
5132 if (proto != Q_DEFAULT &&
5133 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5134 bpf_error("illegal qualifier of 'port'");
5135 if (pcap_nametoport(name, &port, &real_proto) == 0)
5136 bpf_error("unknown port '%s'", name);
5137 if (proto == Q_UDP) {
5138 if (real_proto == IPPROTO_TCP)
5139 bpf_error("port '%s' is tcp", name);
5140 else if (real_proto == IPPROTO_SCTP)
5141 bpf_error("port '%s' is sctp", name);
5143 /* override PROTO_UNDEF */
5144 real_proto = IPPROTO_UDP;
5146 if (proto == Q_TCP) {
5147 if (real_proto == IPPROTO_UDP)
5148 bpf_error("port '%s' is udp", name);
5150 else if (real_proto == IPPROTO_SCTP)
5151 bpf_error("port '%s' is sctp", name);
5153 /* override PROTO_UNDEF */
5154 real_proto = IPPROTO_TCP;
5156 if (proto == Q_SCTP) {
5157 if (real_proto == IPPROTO_UDP)
5158 bpf_error("port '%s' is udp", name);
5160 else if (real_proto == IPPROTO_TCP)
5161 bpf_error("port '%s' is tcp", name);
5163 /* override PROTO_UNDEF */
5164 real_proto = IPPROTO_SCTP;
5167 return gen_port(port, real_proto, dir);
5169 b = gen_port(port, real_proto, dir);
5170 gen_or(gen_port6(port, real_proto, dir), b);
5175 if (proto != Q_DEFAULT &&
5176 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5177 bpf_error("illegal qualifier of 'portrange'");
5178 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
5179 bpf_error("unknown port in range '%s'", name);
5180 if (proto == Q_UDP) {
5181 if (real_proto == IPPROTO_TCP)
5182 bpf_error("port in range '%s' is tcp", name);
5183 else if (real_proto == IPPROTO_SCTP)
5184 bpf_error("port in range '%s' is sctp", name);
5186 /* override PROTO_UNDEF */
5187 real_proto = IPPROTO_UDP;
5189 if (proto == Q_TCP) {
5190 if (real_proto == IPPROTO_UDP)
5191 bpf_error("port in range '%s' is udp", name);
5192 else if (real_proto == IPPROTO_SCTP)
5193 bpf_error("port in range '%s' is sctp", name);
5195 /* override PROTO_UNDEF */
5196 real_proto = IPPROTO_TCP;
5198 if (proto == Q_SCTP) {
5199 if (real_proto == IPPROTO_UDP)
5200 bpf_error("port in range '%s' is udp", name);
5201 else if (real_proto == IPPROTO_TCP)
5202 bpf_error("port in range '%s' is tcp", name);
5204 /* override PROTO_UNDEF */
5205 real_proto = IPPROTO_SCTP;
5208 return gen_portrange(port1, port2, real_proto, dir);
5210 b = gen_portrange(port1, port2, real_proto, dir);
5211 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
5217 eaddr = pcap_ether_hostton(name);
5219 bpf_error("unknown ether host: %s", name);
5221 alist = pcap_nametoaddr(name);
5222 if (alist == NULL || *alist == NULL)
5223 bpf_error("unknown host '%s'", name);
5224 b = gen_gateway(eaddr, alist, proto, dir);
5228 bpf_error("'gateway' not supported in this configuration");
5232 real_proto = lookup_proto(name, proto);
5233 if (real_proto >= 0)
5234 return gen_proto(real_proto, proto, dir);
5236 bpf_error("unknown protocol: %s", name);
5239 real_proto = lookup_proto(name, proto);
5240 if (real_proto >= 0)
5241 return gen_protochain(real_proto, proto, dir);
5243 bpf_error("unknown protocol: %s", name);
5255 gen_mcode(s1, s2, masklen, q)
5256 register const char *s1, *s2;
5257 register int masklen;
5260 register int nlen, mlen;
5263 nlen = __pcap_atoin(s1, &n);
5264 /* Promote short ipaddr */
5268 mlen = __pcap_atoin(s2, &m);
5269 /* Promote short ipaddr */
5272 bpf_error("non-network bits set in \"%s mask %s\"",
5275 /* Convert mask len to mask */
5277 bpf_error("mask length must be <= 32");
5280 * X << 32 is not guaranteed by C to be 0; it's
5285 m = 0xffffffff << (32 - masklen);
5287 bpf_error("non-network bits set in \"%s/%d\"",
5294 return gen_host(n, m, q.proto, q.dir, q.addr);
5297 bpf_error("Mask syntax for networks only");
5306 register const char *s;
5311 int proto = q.proto;
5317 else if (q.proto == Q_DECNET)
5318 vlen = __pcap_atodn(s, &v);
5320 vlen = __pcap_atoin(s, &v);
5327 if (proto == Q_DECNET)
5328 return gen_host(v, 0, proto, dir, q.addr);
5329 else if (proto == Q_LINK) {
5330 bpf_error("illegal link layer address");
5333 if (s == NULL && q.addr == Q_NET) {
5334 /* Promote short net number */
5335 while (v && (v & 0xff000000) == 0) {
5340 /* Promote short ipaddr */
5344 return gen_host(v, mask, proto, dir, q.addr);
5349 proto = IPPROTO_UDP;
5350 else if (proto == Q_TCP)
5351 proto = IPPROTO_TCP;
5352 else if (proto == Q_SCTP)
5353 proto = IPPROTO_SCTP;
5354 else if (proto == Q_DEFAULT)
5355 proto = PROTO_UNDEF;
5357 bpf_error("illegal qualifier of 'port'");
5360 return gen_port((int)v, proto, dir);
5364 b = gen_port((int)v, proto, dir);
5365 gen_or(gen_port6((int)v, proto, dir), b);
5372 proto = IPPROTO_UDP;
5373 else if (proto == Q_TCP)
5374 proto = IPPROTO_TCP;
5375 else if (proto == Q_SCTP)
5376 proto = IPPROTO_SCTP;
5377 else if (proto == Q_DEFAULT)
5378 proto = PROTO_UNDEF;
5380 bpf_error("illegal qualifier of 'portrange'");
5383 return gen_portrange((int)v, (int)v, proto, dir);
5387 b = gen_portrange((int)v, (int)v, proto, dir);
5388 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5394 bpf_error("'gateway' requires a name");
5398 return gen_proto((int)v, proto, dir);
5401 return gen_protochain((int)v, proto, dir);
5416 gen_mcode6(s1, s2, masklen, q)
5417 register const char *s1, *s2;
5418 register int masklen;
5421 struct addrinfo *res;
5422 struct in6_addr *addr;
5423 struct in6_addr mask;
5428 bpf_error("no mask %s supported", s2);
5430 res = pcap_nametoaddrinfo(s1);
5432 bpf_error("invalid ip6 address %s", s1);
5434 bpf_error("%s resolved to multiple address", s1);
5435 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5437 if (sizeof(mask) * 8 < masklen)
5438 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5439 memset(&mask, 0, sizeof(mask));
5440 memset(&mask, 0xff, masklen / 8);
5442 mask.s6_addr[masklen / 8] =
5443 (0xff << (8 - masklen % 8)) & 0xff;
5446 a = (u_int32_t *)addr;
5447 m = (u_int32_t *)&mask;
5448 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5449 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5450 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5458 bpf_error("Mask syntax for networks only");
5462 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
5467 bpf_error("invalid qualifier against IPv6 address");
5476 register const u_char *eaddr;
5479 struct block *b, *tmp;
5481 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5484 return gen_ehostop(eaddr, (int)q.dir);
5486 return gen_fhostop(eaddr, (int)q.dir);
5488 return gen_thostop(eaddr, (int)q.dir);
5489 case DLT_IEEE802_11:
5490 case DLT_IEEE802_11_RADIO_AVS:
5491 case DLT_IEEE802_11_RADIO:
5492 case DLT_PRISM_HEADER:
5494 return gen_wlanhostop(eaddr, (int)q.dir);
5498 * Check that the packet doesn't begin with an
5499 * LE Control marker. (We've already generated
5502 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5507 * Now check the MAC address.
5509 b = gen_ehostop(eaddr, (int)q.dir);
5514 case DLT_IP_OVER_FC:
5515 return gen_ipfchostop(eaddr, (int)q.dir);
5517 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5521 bpf_error("ethernet address used in non-ether expression");
5528 struct slist *s0, *s1;
5531 * This is definitely not the best way to do this, but the
5532 * lists will rarely get long.
5539 static struct slist *
5545 s = new_stmt(BPF_LDX|BPF_MEM);
5550 static struct slist *
5556 s = new_stmt(BPF_LD|BPF_MEM);
5562 * Modify "index" to use the value stored into its register as an
5563 * offset relative to the beginning of the header for the protocol
5564 * "proto", and allocate a register and put an item "size" bytes long
5565 * (1, 2, or 4) at that offset into that register, making it the register
5569 gen_load(proto, inst, size)
5574 struct slist *s, *tmp;
5576 int regno = alloc_reg();
5578 free_reg(inst->regno);
5582 bpf_error("data size must be 1, 2, or 4");
5598 bpf_error("unsupported index operation");
5602 * The offset is relative to the beginning of the packet
5603 * data, if we have a radio header. (If we don't, this
5606 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5607 linktype != DLT_IEEE802_11_RADIO &&
5608 linktype != DLT_PRISM_HEADER)
5609 bpf_error("radio information not present in capture");
5612 * Load into the X register the offset computed into the
5613 * register specifed by "index".
5615 s = xfer_to_x(inst);
5618 * Load the item at that offset.
5620 tmp = new_stmt(BPF_LD|BPF_IND|size);
5622 sappend(inst->s, s);
5627 * The offset is relative to the beginning of
5628 * the link-layer header.
5630 * XXX - what about ATM LANE? Should the index be
5631 * relative to the beginning of the AAL5 frame, so
5632 * that 0 refers to the beginning of the LE Control
5633 * field, or relative to the beginning of the LAN
5634 * frame, so that 0 refers, for Ethernet LANE, to
5635 * the beginning of the destination address?
5637 s = gen_llprefixlen();
5640 * If "s" is non-null, it has code to arrange that the
5641 * X register contains the length of the prefix preceding
5642 * the link-layer header. Add to it the offset computed
5643 * into the register specified by "index", and move that
5644 * into the X register. Otherwise, just load into the X
5645 * register the offset computed into the register specifed
5649 sappend(s, xfer_to_a(inst));
5650 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5651 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5653 s = xfer_to_x(inst);
5656 * Load the item at the sum of the offset we've put in the
5657 * X register and the offset of the start of the link
5658 * layer header (which is 0 if the radio header is
5659 * variable-length; that header length is what we put
5660 * into the X register and then added to the index).
5662 tmp = new_stmt(BPF_LD|BPF_IND|size);
5665 sappend(inst->s, s);
5681 * The offset is relative to the beginning of
5682 * the network-layer header.
5683 * XXX - are there any cases where we want
5686 s = gen_llprefixlen();
5689 * If "s" is non-null, it has code to arrange that the
5690 * X register contains the length of the prefix preceding
5691 * the link-layer header. Add to it the offset computed
5692 * into the register specified by "index", and move that
5693 * into the X register. Otherwise, just load into the X
5694 * register the offset computed into the register specifed
5698 sappend(s, xfer_to_a(inst));
5699 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5700 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5702 s = xfer_to_x(inst);
5705 * Load the item at the sum of the offset we've put in the
5706 * X register, the offset of the start of the network
5707 * layer header, and the offset of the start of the link
5708 * layer header (which is 0 if the radio header is
5709 * variable-length; that header length is what we put
5710 * into the X register and then added to the index).
5712 tmp = new_stmt(BPF_LD|BPF_IND|size);
5713 tmp->s.k = off_ll + off_nl;
5715 sappend(inst->s, s);
5718 * Do the computation only if the packet contains
5719 * the protocol in question.
5721 b = gen_proto_abbrev(proto);
5723 gen_and(inst->b, b);
5736 * The offset is relative to the beginning of
5737 * the transport-layer header.
5739 * Load the X register with the length of the IPv4 header
5740 * (plus the offset of the link-layer header, if it's
5741 * a variable-length header), in bytes.
5743 * XXX - are there any cases where we want
5745 * XXX - we should, if we're built with
5746 * IPv6 support, generate code to load either
5747 * IPv4, IPv6, or both, as appropriate.
5749 s = gen_loadx_iphdrlen();
5752 * The X register now contains the sum of the length
5753 * of any variable-length header preceding the link-layer
5754 * header and the length of the network-layer header.
5755 * Load into the A register the offset relative to
5756 * the beginning of the transport layer header,
5757 * add the X register to that, move that to the
5758 * X register, and load with an offset from the
5759 * X register equal to the offset of the network
5760 * layer header relative to the beginning of
5761 * the link-layer header plus the length of any
5762 * fixed-length header preceding the link-layer
5765 sappend(s, xfer_to_a(inst));
5766 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5767 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5768 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5769 tmp->s.k = off_ll + off_nl;
5770 sappend(inst->s, s);
5773 * Do the computation only if the packet contains
5774 * the protocol in question - which is true only
5775 * if this is an IP datagram and is the first or
5776 * only fragment of that datagram.
5778 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5780 gen_and(inst->b, b);
5782 gen_and(gen_proto_abbrev(Q_IP), b);
5788 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5792 inst->regno = regno;
5793 s = new_stmt(BPF_ST);
5795 sappend(inst->s, s);
5801 gen_relation(code, a0, a1, reversed)
5803 struct arth *a0, *a1;
5806 struct slist *s0, *s1, *s2;
5807 struct block *b, *tmp;
5811 if (code == BPF_JEQ) {
5812 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5813 b = new_block(JMP(code));
5817 b = new_block(BPF_JMP|code|BPF_X);
5823 sappend(a0->s, a1->s);
5827 free_reg(a0->regno);
5828 free_reg(a1->regno);
5830 /* 'and' together protocol checks */
5833 gen_and(a0->b, tmp = a1->b);
5849 int regno = alloc_reg();
5850 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5853 s = new_stmt(BPF_LD|BPF_LEN);
5854 s->next = new_stmt(BPF_ST);
5855 s->next->s.k = regno;
5870 a = (struct arth *)newchunk(sizeof(*a));
5874 s = new_stmt(BPF_LD|BPF_IMM);
5876 s->next = new_stmt(BPF_ST);
5892 s = new_stmt(BPF_ALU|BPF_NEG);
5895 s = new_stmt(BPF_ST);
5903 gen_arth(code, a0, a1)
5905 struct arth *a0, *a1;
5907 struct slist *s0, *s1, *s2;
5911 s2 = new_stmt(BPF_ALU|BPF_X|code);
5916 sappend(a0->s, a1->s);
5918 free_reg(a0->regno);
5919 free_reg(a1->regno);
5921 s0 = new_stmt(BPF_ST);
5922 a0->regno = s0->s.k = alloc_reg();
5929 * Here we handle simple allocation of the scratch registers.
5930 * If too many registers are alloc'd, the allocator punts.
5932 static int regused[BPF_MEMWORDS];
5936 * Return the next free register.
5941 int n = BPF_MEMWORDS;
5944 if (regused[curreg])
5945 curreg = (curreg + 1) % BPF_MEMWORDS;
5947 regused[curreg] = 1;
5951 bpf_error("too many registers needed to evaluate expression");
5957 * Return a register to the table so it can
5967 static struct block *
5974 s = new_stmt(BPF_LD|BPF_LEN);
5975 b = new_block(JMP(jmp));
5986 return gen_len(BPF_JGE, n);
5990 * Actually, this is less than or equal.
5998 b = gen_len(BPF_JGT, n);
6005 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6006 * the beginning of the link-layer header.
6007 * XXX - that means you can't test values in the radiotap header, but
6008 * as that header is difficult if not impossible to parse generally
6009 * without a loop, that might not be a severe problem. A new keyword
6010 * "radio" could be added for that, although what you'd really want
6011 * would be a way of testing particular radio header values, which
6012 * would generate code appropriate to the radio header in question.
6015 gen_byteop(op, idx, val)
6026 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6029 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6033 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6037 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
6041 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
6045 b = new_block(JMP(BPF_JEQ));
6052 static u_char abroadcast[] = { 0x0 };
6055 gen_broadcast(proto)
6058 bpf_u_int32 hostmask;
6059 struct block *b0, *b1, *b2;
6060 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
6068 case DLT_ARCNET_LINUX:
6069 return gen_ahostop(abroadcast, Q_DST);
6071 return gen_ehostop(ebroadcast, Q_DST);
6073 return gen_fhostop(ebroadcast, Q_DST);
6075 return gen_thostop(ebroadcast, Q_DST);
6076 case DLT_IEEE802_11:
6077 case DLT_IEEE802_11_RADIO_AVS:
6078 case DLT_IEEE802_11_RADIO:
6080 case DLT_PRISM_HEADER:
6081 return gen_wlanhostop(ebroadcast, Q_DST);
6082 case DLT_IP_OVER_FC:
6083 return gen_ipfchostop(ebroadcast, Q_DST);
6087 * Check that the packet doesn't begin with an
6088 * LE Control marker. (We've already generated
6091 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6096 * Now check the MAC address.
6098 b0 = gen_ehostop(ebroadcast, Q_DST);
6104 bpf_error("not a broadcast link");
6109 b0 = gen_linktype(ETHERTYPE_IP);
6110 hostmask = ~netmask;
6111 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
6112 b2 = gen_mcmp(OR_NET, 16, BPF_W,
6113 (bpf_int32)(~0 & hostmask), hostmask);
6118 bpf_error("only link-layer/IP broadcast filters supported");
6124 * Generate code to test the low-order bit of a MAC address (that's
6125 * the bottom bit of the *first* byte).
6127 static struct block *
6128 gen_mac_multicast(offset)
6131 register struct block *b0;
6132 register struct slist *s;
6134 /* link[offset] & 1 != 0 */
6135 s = gen_load_a(OR_LINK, offset, BPF_B);
6136 b0 = new_block(JMP(BPF_JSET));
6143 gen_multicast(proto)
6146 register struct block *b0, *b1, *b2;
6147 register struct slist *s;
6155 case DLT_ARCNET_LINUX:
6156 /* all ARCnet multicasts use the same address */
6157 return gen_ahostop(abroadcast, Q_DST);
6159 /* ether[0] & 1 != 0 */
6160 return gen_mac_multicast(0);
6163 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
6165 * XXX - was that referring to bit-order issues?
6167 /* fddi[1] & 1 != 0 */
6168 return gen_mac_multicast(1);
6170 /* tr[2] & 1 != 0 */
6171 return gen_mac_multicast(2);
6172 case DLT_IEEE802_11:
6173 case DLT_IEEE802_11_RADIO_AVS:
6175 case DLT_IEEE802_11_RADIO:
6176 case DLT_PRISM_HEADER:
6180 * For control frames, there is no DA.
6182 * For management frames, DA is at an
6183 * offset of 4 from the beginning of
6186 * For data frames, DA is at an offset
6187 * of 4 from the beginning of the packet
6188 * if To DS is clear and at an offset of
6189 * 16 from the beginning of the packet
6194 * Generate the tests to be done for data frames.
6196 * First, check for To DS set, i.e. "link[1] & 0x01".
6198 s = gen_load_a(OR_LINK, 1, BPF_B);
6199 b1 = new_block(JMP(BPF_JSET));
6200 b1->s.k = 0x01; /* To DS */
6204 * If To DS is set, the DA is at 16.
6206 b0 = gen_mac_multicast(16);
6210 * Now, check for To DS not set, i.e. check
6211 * "!(link[1] & 0x01)".
6213 s = gen_load_a(OR_LINK, 1, BPF_B);
6214 b2 = new_block(JMP(BPF_JSET));
6215 b2->s.k = 0x01; /* To DS */
6220 * If To DS is not set, the DA is at 4.
6222 b1 = gen_mac_multicast(4);
6226 * Now OR together the last two checks. That gives
6227 * the complete set of checks for data frames.
6232 * Now check for a data frame.
6233 * I.e, check "link[0] & 0x08".
6235 s = gen_load_a(OR_LINK, 0, BPF_B);
6236 b1 = new_block(JMP(BPF_JSET));
6241 * AND that with the checks done for data frames.
6246 * If the high-order bit of the type value is 0, this
6247 * is a management frame.
6248 * I.e, check "!(link[0] & 0x08)".
6250 s = gen_load_a(OR_LINK, 0, BPF_B);
6251 b2 = new_block(JMP(BPF_JSET));
6257 * For management frames, the DA is at 4.
6259 b1 = gen_mac_multicast(4);
6263 * OR that with the checks done for data frames.
6264 * That gives the checks done for management and
6270 * If the low-order bit of the type value is 1,
6271 * this is either a control frame or a frame
6272 * with a reserved type, and thus not a
6275 * I.e., check "!(link[0] & 0x04)".
6277 s = gen_load_a(OR_LINK, 0, BPF_B);
6278 b1 = new_block(JMP(BPF_JSET));
6284 * AND that with the checks for data and management
6289 case DLT_IP_OVER_FC:
6290 b0 = gen_mac_multicast(2);
6295 * Check that the packet doesn't begin with an
6296 * LE Control marker. (We've already generated
6299 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6303 /* ether[off_mac] & 1 != 0 */
6304 b0 = gen_mac_multicast(off_mac);
6312 /* Link not known to support multicasts */
6316 b0 = gen_linktype(ETHERTYPE_IP);
6317 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
6323 b0 = gen_linktype(ETHERTYPE_IPV6);
6324 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
6329 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
6335 * generate command for inbound/outbound. It's here so we can
6336 * make it link-type specific. 'dir' = 0 implies "inbound",
6337 * = 1 implies "outbound".
6343 register struct block *b0;
6346 * Only some data link types support inbound/outbound qualifiers.
6350 b0 = gen_relation(BPF_JEQ,
6351 gen_load(Q_LINK, gen_loadi(0), 1),
6359 * Match packets sent by this machine.
6361 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6364 * Match packets sent to this machine.
6365 * (No broadcast or multicast packets, or
6366 * packets sent to some other machine and
6367 * received promiscuously.)
6369 * XXX - packets sent to other machines probably
6370 * shouldn't be matched, but what about broadcast
6371 * or multicast packets we received?
6373 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6378 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6379 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6384 /* match outgoing packets */
6385 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6387 /* match incoming packets */
6388 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6392 case DLT_JUNIPER_MFR:
6393 case DLT_JUNIPER_MLFR:
6394 case DLT_JUNIPER_MLPPP:
6395 case DLT_JUNIPER_ATM1:
6396 case DLT_JUNIPER_ATM2:
6397 case DLT_JUNIPER_PPPOE:
6398 case DLT_JUNIPER_PPPOE_ATM:
6399 case DLT_JUNIPER_GGSN:
6400 case DLT_JUNIPER_ES:
6401 case DLT_JUNIPER_MONITOR:
6402 case DLT_JUNIPER_SERVICES:
6403 case DLT_JUNIPER_ETHER:
6404 case DLT_JUNIPER_PPP:
6405 case DLT_JUNIPER_FRELAY:
6406 case DLT_JUNIPER_CHDLC:
6407 case DLT_JUNIPER_VP:
6408 /* juniper flags (including direction) are stored
6409 * the byte after the 3-byte magic number */
6411 /* match outgoing packets */
6412 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6414 /* match incoming packets */
6415 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6420 bpf_error("inbound/outbound not supported on linktype %d",
6428 /* PF firewall log matched interface */
6430 gen_pf_ifname(const char *ifname)
6435 if (linktype == DLT_PFLOG) {
6436 len = sizeof(((struct pfloghdr *)0)->ifname);
6437 off = offsetof(struct pfloghdr, ifname);
6439 bpf_error("ifname not supported on linktype 0x%x", linktype);
6442 if (strlen(ifname) >= len) {
6443 bpf_error("ifname interface names can only be %d characters",
6447 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6451 /* PF firewall log ruleset name */
6453 gen_pf_ruleset(char *ruleset)
6457 if (linktype != DLT_PFLOG) {
6458 bpf_error("ruleset not supported on linktype 0x%x", linktype);
6461 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6462 bpf_error("ruleset names can only be %ld characters",
6463 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6466 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6467 strlen(ruleset), (const u_char *)ruleset);
6471 /* PF firewall log rule number */
6477 if (linktype == DLT_PFLOG) {
6478 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6481 bpf_error("rnr not supported on linktype 0x%x", linktype);
6488 /* PF firewall log sub-rule number */
6490 gen_pf_srnr(int srnr)
6494 if (linktype != DLT_PFLOG) {
6495 bpf_error("srnr not supported on linktype 0x%x", linktype);
6499 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6504 /* PF firewall log reason code */
6506 gen_pf_reason(int reason)
6510 if (linktype == DLT_PFLOG) {
6511 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6514 bpf_error("reason not supported on linktype 0x%x", linktype);
6521 /* PF firewall log action */
6523 gen_pf_action(int action)
6527 if (linktype == DLT_PFLOG) {
6528 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6531 bpf_error("action not supported on linktype 0x%x", linktype);
6540 register const u_char *eaddr;
6543 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6544 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
6545 return gen_ahostop(eaddr, (int)q.dir);
6547 bpf_error("ARCnet address used in non-arc expression");
6552 static struct block *
6553 gen_ahostop(eaddr, dir)
6554 register const u_char *eaddr;
6557 register struct block *b0, *b1;
6560 /* src comes first, different from Ethernet */
6562 return gen_bcmp(OR_LINK, 0, 1, eaddr);
6565 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6568 b0 = gen_ahostop(eaddr, Q_SRC);
6569 b1 = gen_ahostop(eaddr, Q_DST);
6575 b0 = gen_ahostop(eaddr, Q_SRC);
6576 b1 = gen_ahostop(eaddr, Q_DST);
6585 * support IEEE 802.1Q VLAN trunk over ethernet
6591 struct block *b0, *b1;
6593 /* can't check for VLAN-encapsulated packets inside MPLS */
6594 if (label_stack_depth > 0)
6595 bpf_error("no VLAN match after MPLS");
6598 * Change the offsets to point to the type and data fields within
6599 * the VLAN packet. Just increment the offsets, so that we
6600 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6601 * capture VLAN 200 encapsulated within VLAN 100.
6603 * XXX - this is a bit of a kludge. If we were to split the
6604 * compiler into a parser that parses an expression and
6605 * generates an expression tree, and a code generator that
6606 * takes an expression tree (which could come from our
6607 * parser or from some other parser) and generates BPF code,
6608 * we could perhaps make the offsets parameters of routines
6609 * and, in the handler for an "AND" node, pass to subnodes
6610 * other than the VLAN node the adjusted offsets.
6612 * This would mean that "vlan" would, instead of changing the
6613 * behavior of *all* tests after it, change only the behavior
6614 * of tests ANDed with it. That would change the documented
6615 * semantics of "vlan", which might break some expressions.
6616 * However, it would mean that "(vlan and ip) or ip" would check
6617 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6618 * checking only for VLAN-encapsulated IP, so that could still
6619 * be considered worth doing; it wouldn't break expressions
6620 * that are of the form "vlan and ..." or "vlan N and ...",
6621 * which I suspect are the most common expressions involving
6622 * "vlan". "vlan or ..." doesn't necessarily do what the user
6623 * would really want, now, as all the "or ..." tests would
6624 * be done assuming a VLAN, even though the "or" could be viewed
6625 * as meaning "or, if this isn't a VLAN packet...".
6627 orig_linktype = off_linktype; /* save original values */
6639 bpf_error("no VLAN support for data link type %d",
6644 /* check for VLAN */
6645 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6647 /* If a specific VLAN is requested, check VLAN id */
6648 if (vlan_num >= 0) {
6649 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6665 struct block *b0,*b1;
6668 * Change the offsets to point to the type and data fields within
6669 * the MPLS packet. Just increment the offsets, so that we
6670 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6671 * capture packets with an outer label of 100000 and an inner
6674 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6678 if (label_stack_depth > 0) {
6679 /* just match the bottom-of-stack bit clear */
6680 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6683 * Indicate that we're checking MPLS-encapsulated headers,
6684 * to make sure higher level code generators don't try to
6685 * match against IP-related protocols such as Q_ARP, Q_RARP
6690 case DLT_C_HDLC: /* fall through */
6692 b0 = gen_linktype(ETHERTYPE_MPLS);
6696 b0 = gen_linktype(PPP_MPLS_UCAST);
6699 /* FIXME add other DLT_s ...
6700 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6701 * leave it for now */
6704 bpf_error("no MPLS support for data link type %d",
6712 /* If a specific MPLS label is requested, check it */
6713 if (label_num >= 0) {
6714 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6715 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6716 0xfffff000); /* only compare the first 20 bits */
6723 label_stack_depth++;
6728 * Support PPPOE discovery and session.
6733 /* check for PPPoE discovery */
6734 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
6743 * Test against the PPPoE session link-layer type.
6745 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
6748 * Change the offsets to point to the type and data fields within
6751 * XXX - this is a bit of a kludge. If we were to split the
6752 * compiler into a parser that parses an expression and
6753 * generates an expression tree, and a code generator that
6754 * takes an expression tree (which could come from our
6755 * parser or from some other parser) and generates BPF code,
6756 * we could perhaps make the offsets parameters of routines
6757 * and, in the handler for an "AND" node, pass to subnodes
6758 * other than the PPPoE node the adjusted offsets.
6760 * This would mean that "pppoes" would, instead of changing the
6761 * behavior of *all* tests after it, change only the behavior
6762 * of tests ANDed with it. That would change the documented
6763 * semantics of "pppoes", which might break some expressions.
6764 * However, it would mean that "(pppoes and ip) or ip" would check
6765 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6766 * checking only for VLAN-encapsulated IP, so that could still
6767 * be considered worth doing; it wouldn't break expressions
6768 * that are of the form "pppoes and ..." which I suspect are the
6769 * most common expressions involving "pppoes". "pppoes or ..."
6770 * doesn't necessarily do what the user would really want, now,
6771 * as all the "or ..." tests would be done assuming PPPoE, even
6772 * though the "or" could be viewed as meaning "or, if this isn't
6773 * a PPPoE packet...".
6775 orig_linktype = off_linktype; /* save original values */
6779 * The "network-layer" protocol is PPPoE, which has a 6-byte
6780 * PPPoE header, followed by PPP payload, so we set the
6781 * offsets to the network layer offset plus 6 bytes for
6782 * the PPPoE header plus the values appropriate for PPP when
6783 * encapsulated in Ethernet (which means there's no HDLC
6786 off_linktype = orig_nl + 6;
6787 off_nl = orig_nl + 6 + 2;
6788 off_nl_nosnap = orig_nl + 6 + 2;
6791 * Set the link-layer type to PPP, as all subsequent tests will
6792 * be on the encapsulated PPP header.
6800 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6812 bpf_error("'vpi' supported only on raw ATM");
6813 if (off_vpi == (u_int)-1)
6815 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6821 bpf_error("'vci' supported only on raw ATM");
6822 if (off_vci == (u_int)-1)
6824 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6829 if (off_proto == (u_int)-1)
6830 abort(); /* XXX - this isn't on FreeBSD */
6831 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6836 if (off_payload == (u_int)-1)
6838 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6839 0xffffffff, jtype, reverse, jvalue);
6844 bpf_error("'callref' supported only on raw ATM");
6845 if (off_proto == (u_int)-1)
6847 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6848 jtype, reverse, jvalue);
6858 gen_atmtype_abbrev(type)
6861 struct block *b0, *b1;
6866 /* Get all packets in Meta signalling Circuit */
6868 bpf_error("'metac' supported only on raw ATM");
6869 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6870 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6875 /* Get all packets in Broadcast Circuit*/
6877 bpf_error("'bcc' supported only on raw ATM");
6878 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6879 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6884 /* Get all cells in Segment OAM F4 circuit*/
6886 bpf_error("'oam4sc' supported only on raw ATM");
6887 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6888 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6893 /* Get all cells in End-to-End OAM F4 Circuit*/
6895 bpf_error("'oam4ec' supported only on raw ATM");
6896 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6897 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6902 /* Get all packets in connection Signalling Circuit */
6904 bpf_error("'sc' supported only on raw ATM");
6905 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6906 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6911 /* Get all packets in ILMI Circuit */
6913 bpf_error("'ilmic' supported only on raw ATM");
6914 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6915 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6920 /* Get all LANE packets */
6922 bpf_error("'lane' supported only on raw ATM");
6923 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6926 * Arrange that all subsequent tests assume LANE
6927 * rather than LLC-encapsulated packets, and set
6928 * the offsets appropriately for LANE-encapsulated
6931 * "off_mac" is the offset of the Ethernet header,
6932 * which is 2 bytes past the ATM pseudo-header
6933 * (skipping the pseudo-header and 2-byte LE Client
6934 * field). The other offsets are Ethernet offsets
6935 * relative to "off_mac".
6938 off_mac = off_payload + 2; /* MAC header */
6939 off_linktype = off_mac + 12;
6940 off_nl = off_mac + 14; /* Ethernet II */
6941 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
6945 /* Get all LLC-encapsulated packets */
6947 bpf_error("'llc' supported only on raw ATM");
6948 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
6959 * Filtering for MTP2 messages based on li value
6960 * FISU, length is null
6961 * LSSU, length is 1 or 2
6962 * MSU, length is 3 or more
6965 gen_mtp2type_abbrev(type)
6968 struct block *b0, *b1;
6973 if ( (linktype != DLT_MTP2) &&
6974 (linktype != DLT_MTP2_WITH_PHDR) )
6975 bpf_error("'fisu' supported only on MTP2");
6976 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
6977 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
6981 if ( (linktype != DLT_MTP2) &&
6982 (linktype != DLT_MTP2_WITH_PHDR) )
6983 bpf_error("'lssu' supported only on MTP2");
6984 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
6985 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
6990 if ( (linktype != DLT_MTP2) &&
6991 (linktype != DLT_MTP2_WITH_PHDR) )
6992 bpf_error("'msu' supported only on MTP2");
6993 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
7003 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
7010 bpf_u_int32 val1 , val2 , val3;
7012 switch (mtp3field) {
7015 if (off_sio == (u_int)-1)
7016 bpf_error("'sio' supported only on SS7");
7017 /* sio coded on 1 byte so max value 255 */
7019 bpf_error("sio value %u too big; max value = 255",
7021 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
7022 (u_int)jtype, reverse, (u_int)jvalue);
7026 if (off_opc == (u_int)-1)
7027 bpf_error("'opc' supported only on SS7");
7028 /* opc coded on 14 bits so max value 16383 */
7030 bpf_error("opc value %u too big; max value = 16383",
7032 /* the following instructions are made to convert jvalue
7033 * to the form used to write opc in an ss7 message*/
7034 val1 = jvalue & 0x00003c00;
7036 val2 = jvalue & 0x000003fc;
7038 val3 = jvalue & 0x00000003;
7040 jvalue = val1 + val2 + val3;
7041 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
7042 (u_int)jtype, reverse, (u_int)jvalue);
7046 if (off_dpc == (u_int)-1)
7047 bpf_error("'dpc' supported only on SS7");
7048 /* dpc coded on 14 bits so max value 16383 */
7050 bpf_error("dpc value %u too big; max value = 16383",
7052 /* the following instructions are made to convert jvalue
7053 * to the forme used to write dpc in an ss7 message*/
7054 val1 = jvalue & 0x000000ff;
7056 val2 = jvalue & 0x00003f00;
7058 jvalue = val1 + val2;
7059 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
7060 (u_int)jtype, reverse, (u_int)jvalue);
7064 if (off_sls == (u_int)-1)
7065 bpf_error("'sls' supported only on SS7");
7066 /* sls coded on 4 bits so max value 15 */
7068 bpf_error("sls value %u too big; max value = 15",
7070 /* the following instruction is made to convert jvalue
7071 * to the forme used to write sls in an ss7 message*/
7072 jvalue = jvalue << 4;
7073 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
7074 (u_int)jtype,reverse, (u_int)jvalue);
7083 static struct block *
7084 gen_msg_abbrev(type)
7090 * Q.2931 signalling protocol messages for handling virtual circuits
7091 * establishment and teardown
7096 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
7100 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
7104 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
7108 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
7112 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
7115 case A_RELEASE_DONE:
7116 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
7126 gen_atmmulti_abbrev(type)
7129 struct block *b0, *b1;
7135 bpf_error("'oam' supported only on raw ATM");
7136 b1 = gen_atmmulti_abbrev(A_OAMF4);
7141 bpf_error("'oamf4' supported only on raw ATM");
7143 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7144 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7146 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7152 * Get Q.2931 signalling messages for switched
7153 * virtual connection
7156 bpf_error("'connectmsg' supported only on raw ATM");
7157 b0 = gen_msg_abbrev(A_SETUP);
7158 b1 = gen_msg_abbrev(A_CALLPROCEED);
7160 b0 = gen_msg_abbrev(A_CONNECT);
7162 b0 = gen_msg_abbrev(A_CONNECTACK);
7164 b0 = gen_msg_abbrev(A_RELEASE);
7166 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7168 b0 = gen_atmtype_abbrev(A_SC);
7174 bpf_error("'metaconnect' supported only on raw ATM");
7175 b0 = gen_msg_abbrev(A_SETUP);
7176 b1 = gen_msg_abbrev(A_CALLPROCEED);
7178 b0 = gen_msg_abbrev(A_CONNECT);
7180 b0 = gen_msg_abbrev(A_RELEASE);
7182 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7184 b0 = gen_atmtype_abbrev(A_METAC);
projects / dragonfly.git / blob