1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)";
32 #include <pcap-stdinc.h>
34 #include <sys/types.h>
35 #include <sys/socket.h>
39 * XXX - why was this included even on UNIX?
48 #include <sys/param.h>
51 #include <netinet/in.h>
67 #include "ethertype.h"
71 #include "ieee80211.h"
73 #include "sunatmpos.h"
77 #ifdef HAVE_NET_PFVAR_H
78 #include <sys/socket.h>
80 #include <net/pfvar.h>
81 #include <net/if_pflog.h>
84 #define offsetof(s, e) ((size_t)&((s *)0)->e)
88 #include <netdb.h> /* for "struct addrinfo" */
91 #include <pcap/namedb.h>
96 #define IPPROTO_SCTP 132
99 #ifdef HAVE_OS_PROTO_H
100 #include "os-proto.h"
103 #define JMP(c) ((c)|BPF_JMP|BPF_K)
106 static jmp_buf top_ctx;
107 static pcap_t *bpf_pcap;
109 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
111 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
113 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
118 static int pcap_fddipad;
123 bpf_error(const char *fmt, ...)
128 if (bpf_pcap != NULL)
129 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
136 static void init_linktype(pcap_t *);
138 static void init_regs(void);
139 static int alloc_reg(void);
140 static void free_reg(int);
142 static struct block *root;
145 * Value passed to gen_load_a() to indicate what the offset argument
149 OR_PACKET, /* relative to the beginning of the packet */
150 OR_LINK, /* relative to the beginning of the link-layer header */
151 OR_MACPL, /* relative to the end of the MAC-layer header */
152 OR_NET, /* relative to the network-layer header */
153 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
154 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
155 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
159 * We divy out chunks of memory rather than call malloc each time so
160 * we don't have to worry about leaking memory. It's probably
161 * not a big deal if all this memory was wasted but if this ever
162 * goes into a library that would probably not be a good idea.
164 * XXX - this *is* in a library....
167 #define CHUNK0SIZE 1024
173 static struct chunk chunks[NCHUNKS];
174 static int cur_chunk;
176 static void *newchunk(u_int);
177 static void freechunks(void);
178 static inline struct block *new_block(int);
179 static inline struct slist *new_stmt(int);
180 static struct block *gen_retblk(int);
181 static inline void syntax(void);
183 static void backpatch(struct block *, struct block *);
184 static void merge(struct block *, struct block *);
185 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
186 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
187 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
188 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
189 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
190 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
192 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
193 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
194 bpf_u_int32, bpf_u_int32, int, bpf_int32);
195 static struct slist *gen_load_llrel(u_int, u_int);
196 static struct slist *gen_load_macplrel(u_int, u_int);
197 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
198 static struct slist *gen_loadx_iphdrlen(void);
199 static struct block *gen_uncond(int);
200 static inline struct block *gen_true(void);
201 static inline struct block *gen_false(void);
202 static struct block *gen_ether_linktype(int);
203 static struct block *gen_linux_sll_linktype(int);
204 static struct slist *gen_load_prism_llprefixlen(void);
205 static struct slist *gen_load_avs_llprefixlen(void);
206 static struct slist *gen_load_radiotap_llprefixlen(void);
207 static struct slist *gen_load_ppi_llprefixlen(void);
208 static void insert_compute_vloffsets(struct block *);
209 static struct slist *gen_llprefixlen(void);
210 static struct slist *gen_off_macpl(void);
211 static int ethertype_to_ppptype(int);
212 static struct block *gen_linktype(int);
213 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
214 static struct block *gen_llc_linktype(int);
215 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
217 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
219 static struct block *gen_ahostop(const u_char *, int);
220 static struct block *gen_ehostop(const u_char *, int);
221 static struct block *gen_fhostop(const u_char *, int);
222 static struct block *gen_thostop(const u_char *, int);
223 static struct block *gen_wlanhostop(const u_char *, int);
224 static struct block *gen_ipfchostop(const u_char *, int);
225 static struct block *gen_dnhostop(bpf_u_int32, int);
226 static struct block *gen_mpls_linktype(int);
227 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
229 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
232 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
234 static struct block *gen_ipfrag(void);
235 static struct block *gen_portatom(int, bpf_int32);
236 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
238 static struct block *gen_portatom6(int, bpf_int32);
239 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
241 struct block *gen_portop(int, int, int);
242 static struct block *gen_port(int, int, int);
243 struct block *gen_portrangeop(int, int, int, int);
244 static struct block *gen_portrange(int, int, int, int);
246 struct block *gen_portop6(int, int, int);
247 static struct block *gen_port6(int, int, int);
248 struct block *gen_portrangeop6(int, int, int, int);
249 static struct block *gen_portrange6(int, int, int, int);
251 static int lookup_proto(const char *, int);
252 static struct block *gen_protochain(int, int, int);
253 static struct block *gen_proto(int, int, int);
254 static struct slist *xfer_to_x(struct arth *);
255 static struct slist *xfer_to_a(struct arth *);
256 static struct block *gen_mac_multicast(int);
257 static struct block *gen_len(int, int);
258 static struct block *gen_check_802_11_data_frame(void);
260 static struct block *gen_ppi_dlt_check(void);
261 static struct block *gen_msg_abbrev(int type);
272 /* XXX Round up to nearest long. */
273 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
275 /* XXX Round up to structure boundary. */
279 cp = &chunks[cur_chunk];
280 if (n > cp->n_left) {
281 ++cp, k = ++cur_chunk;
283 bpf_error("out of memory");
284 size = CHUNK0SIZE << k;
285 cp->m = (void *)malloc(size);
287 bpf_error("out of memory");
288 memset((char *)cp->m, 0, size);
291 bpf_error("out of memory");
294 return (void *)((char *)cp->m + cp->n_left);
303 for (i = 0; i < NCHUNKS; ++i)
304 if (chunks[i].m != NULL) {
311 * A strdup whose allocations are freed after code generation is over.
315 register const char *s;
317 int n = strlen(s) + 1;
318 char *cp = newchunk(n);
324 static inline struct block *
330 p = (struct block *)newchunk(sizeof(*p));
337 static inline struct slist *
343 p = (struct slist *)newchunk(sizeof(*p));
349 static struct block *
353 struct block *b = new_block(BPF_RET|BPF_K);
362 bpf_error("syntax error in filter expression");
365 static bpf_u_int32 netmask;
370 pcap_compile(pcap_t *p, struct bpf_program *program,
371 const char *buf, int optimize, bpf_u_int32 mask)
374 const char * volatile xbuf = buf;
382 if (setjmp(top_ctx)) {
390 snaplen = pcap_snapshot(p);
392 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
393 "snaplen of 0 rejects all packets");
397 lex_init(xbuf ? xbuf : "");
405 root = gen_retblk(snaplen);
407 if (optimize && !no_optimize) {
410 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
411 bpf_error("expression rejects all packets");
413 program->bf_insns = icode_to_fcode(root, &len);
414 program->bf_len = len;
422 * entry point for using the compiler with no pcap open
423 * pass in all the stuff that is needed explicitly instead.
426 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
427 struct bpf_program *program,
428 const char *buf, int optimize, bpf_u_int32 mask)
433 p = pcap_open_dead(linktype_arg, snaplen_arg);
436 ret = pcap_compile(p, program, buf, optimize, mask);
442 * Clean up a "struct bpf_program" by freeing all the memory allocated
446 pcap_freecode(struct bpf_program *program)
449 if (program->bf_insns != NULL) {
450 free((char *)program->bf_insns);
451 program->bf_insns = NULL;
456 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
457 * which of the jt and jf fields has been resolved and which is a pointer
458 * back to another unresolved block (or nil). At least one of the fields
459 * in each block is already resolved.
462 backpatch(list, target)
463 struct block *list, *target;
480 * Merge the lists in b0 and b1, using the 'sense' field to indicate
481 * which of jt and jf is the link.
485 struct block *b0, *b1;
487 register struct block **p = &b0;
489 /* Find end of list. */
491 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
493 /* Concatenate the lists. */
501 struct block *ppi_dlt_check;
504 * Insert before the statements of the first (root) block any
505 * statements needed to load the lengths of any variable-length
506 * headers into registers.
508 * XXX - a fancier strategy would be to insert those before the
509 * statements of all blocks that use those lengths and that
510 * have no predecessors that use them, so that we only compute
511 * the lengths if we need them. There might be even better
512 * approaches than that.
514 * However, those strategies would be more complicated, and
515 * as we don't generate code to compute a length if the
516 * program has no tests that use the length, and as most
517 * tests will probably use those lengths, we would just
518 * postpone computing the lengths so that it's not done
519 * for tests that fail early, and it's not clear that's
522 insert_compute_vloffsets(p->head);
525 * For DLT_PPI captures, generate a check of the per-packet
526 * DLT value to make sure it's DLT_IEEE802_11.
528 ppi_dlt_check = gen_ppi_dlt_check();
529 if (ppi_dlt_check != NULL)
530 gen_and(ppi_dlt_check, p);
532 backpatch(p, gen_retblk(snaplen));
533 p->sense = !p->sense;
534 backpatch(p, gen_retblk(0));
540 struct block *b0, *b1;
542 backpatch(b0, b1->head);
543 b0->sense = !b0->sense;
544 b1->sense = !b1->sense;
546 b1->sense = !b1->sense;
552 struct block *b0, *b1;
554 b0->sense = !b0->sense;
555 backpatch(b0, b1->head);
556 b0->sense = !b0->sense;
565 b->sense = !b->sense;
568 static struct block *
569 gen_cmp(offrel, offset, size, v)
570 enum e_offrel offrel;
574 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
577 static struct block *
578 gen_cmp_gt(offrel, offset, size, v)
579 enum e_offrel offrel;
583 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
586 static struct block *
587 gen_cmp_ge(offrel, offset, size, v)
588 enum e_offrel offrel;
592 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
595 static struct block *
596 gen_cmp_lt(offrel, offset, size, v)
597 enum e_offrel offrel;
601 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
604 static struct block *
605 gen_cmp_le(offrel, offset, size, v)
606 enum e_offrel offrel;
610 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
613 static struct block *
614 gen_mcmp(offrel, offset, size, v, mask)
615 enum e_offrel offrel;
620 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
623 static struct block *
624 gen_bcmp(offrel, offset, size, v)
625 enum e_offrel offrel;
626 register u_int offset, size;
627 register const u_char *v;
629 register struct block *b, *tmp;
633 register const u_char *p = &v[size - 4];
634 bpf_int32 w = ((bpf_int32)p[0] << 24) |
635 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
637 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
644 register const u_char *p = &v[size - 2];
645 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
647 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
654 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
663 * AND the field of size "size" at offset "offset" relative to the header
664 * specified by "offrel" with "mask", and compare it with the value "v"
665 * with the test specified by "jtype"; if "reverse" is true, the test
666 * should test the opposite of "jtype".
668 static struct block *
669 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
670 enum e_offrel offrel;
672 bpf_u_int32 offset, size, mask, jtype;
675 struct slist *s, *s2;
678 s = gen_load_a(offrel, offset, size);
680 if (mask != 0xffffffff) {
681 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
686 b = new_block(JMP(jtype));
689 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
695 * Various code constructs need to know the layout of the data link
696 * layer. These variables give the necessary offsets from the beginning
697 * of the packet data.
701 * This is the offset of the beginning of the link-layer header from
702 * the beginning of the raw packet data.
704 * It's usually 0, except for 802.11 with a fixed-length radio header.
705 * (For 802.11 with a variable-length radio header, we have to generate
706 * code to compute that offset; off_ll is 0 in that case.)
711 * If there's a variable-length header preceding the link-layer header,
712 * "reg_off_ll" is the register number for a register containing the
713 * length of that header, and therefore the offset of the link-layer
714 * header from the beginning of the raw packet data. Otherwise,
715 * "reg_off_ll" is -1.
717 static int reg_off_ll;
720 * This is the offset of the beginning of the MAC-layer header from
721 * the beginning of the link-layer header.
722 * It's usually 0, except for ATM LANE, where it's the offset, relative
723 * to the beginning of the raw packet data, of the Ethernet header.
725 static u_int off_mac;
728 * This is the offset of the beginning of the MAC-layer payload,
729 * from the beginning of the raw packet data.
731 * I.e., it's the sum of the length of the link-layer header (without,
732 * for example, any 802.2 LLC header, so it's the MAC-layer
733 * portion of that header), plus any prefix preceding the
736 static u_int off_macpl;
739 * This is 1 if the offset of the beginning of the MAC-layer payload
740 * from the beginning of the link-layer header is variable-length.
742 static int off_macpl_is_variable;
745 * If the link layer has variable_length headers, "reg_off_macpl"
746 * is the register number for a register containing the length of the
747 * link-layer header plus the length of any variable-length header
748 * preceding the link-layer header. Otherwise, "reg_off_macpl"
751 static int reg_off_macpl;
754 * "off_linktype" is the offset to information in the link-layer header
755 * giving the packet type. This offset is relative to the beginning
756 * of the link-layer header (i.e., it doesn't include off_ll).
758 * For Ethernet, it's the offset of the Ethernet type field.
760 * For link-layer types that always use 802.2 headers, it's the
761 * offset of the LLC header.
763 * For PPP, it's the offset of the PPP type field.
765 * For Cisco HDLC, it's the offset of the CHDLC type field.
767 * For BSD loopback, it's the offset of the AF_ value.
769 * For Linux cooked sockets, it's the offset of the type field.
771 * It's set to -1 for no encapsulation, in which case, IP is assumed.
773 static u_int off_linktype;
776 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
777 * checks to check the PPP header, assumed to follow a LAN-style link-
778 * layer header and a PPPoE session header.
780 static int is_pppoes = 0;
783 * TRUE if the link layer includes an ATM pseudo-header.
785 static int is_atm = 0;
788 * TRUE if "lane" appeared in the filter; it causes us to generate
789 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
791 static int is_lane = 0;
794 * These are offsets for the ATM pseudo-header.
796 static u_int off_vpi;
797 static u_int off_vci;
798 static u_int off_proto;
801 * These are offsets for the MTP2 fields.
806 * These are offsets for the MTP3 fields.
808 static u_int off_sio;
809 static u_int off_opc;
810 static u_int off_dpc;
811 static u_int off_sls;
814 * This is the offset of the first byte after the ATM pseudo_header,
815 * or -1 if there is no ATM pseudo-header.
817 static u_int off_payload;
820 * These are offsets to the beginning of the network-layer header.
821 * They are relative to the beginning of the MAC-layer payload (i.e.,
822 * they don't include off_ll or off_macpl).
824 * If the link layer never uses 802.2 LLC:
826 * "off_nl" and "off_nl_nosnap" are the same.
828 * If the link layer always uses 802.2 LLC:
830 * "off_nl" is the offset if there's a SNAP header following
833 * "off_nl_nosnap" is the offset if there's no SNAP header.
835 * If the link layer is Ethernet:
837 * "off_nl" is the offset if the packet is an Ethernet II packet
838 * (we assume no 802.3+802.2+SNAP);
840 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
841 * with an 802.2 header following it.
844 static u_int off_nl_nosnap;
852 linktype = pcap_datalink(p);
854 pcap_fddipad = p->fddipad;
858 * Assume it's not raw ATM with a pseudo-header, for now.
869 * And that we're not doing PPPoE.
874 * And assume we're not doing SS7.
883 * Also assume it's not 802.11.
887 off_macpl_is_variable = 0;
891 label_stack_depth = 0;
901 off_nl = 0; /* XXX in reality, variable! */
902 off_nl_nosnap = 0; /* no 802.2 LLC */
905 case DLT_ARCNET_LINUX:
908 off_nl = 0; /* XXX in reality, variable! */
909 off_nl_nosnap = 0; /* no 802.2 LLC */
914 off_macpl = 14; /* Ethernet header length */
915 off_nl = 0; /* Ethernet II */
916 off_nl_nosnap = 3; /* 802.3+802.2 */
921 * SLIP doesn't have a link level type. The 16 byte
922 * header is hacked into our SLIP driver.
927 off_nl_nosnap = 0; /* no 802.2 LLC */
931 /* XXX this may be the same as the DLT_PPP_BSDOS case */
936 off_nl_nosnap = 0; /* no 802.2 LLC */
944 off_nl_nosnap = 0; /* no 802.2 LLC */
951 off_nl_nosnap = 0; /* no 802.2 LLC */
956 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
957 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
961 off_nl_nosnap = 0; /* no 802.2 LLC */
966 * This does no include the Ethernet header, and
967 * only covers session state.
972 off_nl_nosnap = 0; /* no 802.2 LLC */
979 off_nl_nosnap = 0; /* no 802.2 LLC */
984 * FDDI doesn't really have a link-level type field.
985 * We set "off_linktype" to the offset of the LLC header.
987 * To check for Ethernet types, we assume that SSAP = SNAP
988 * is being used and pick out the encapsulated Ethernet type.
989 * XXX - should we generate code to check for SNAP?
993 off_linktype += pcap_fddipad;
995 off_macpl = 13; /* FDDI MAC header length */
997 off_macpl += pcap_fddipad;
999 off_nl = 8; /* 802.2+SNAP */
1000 off_nl_nosnap = 3; /* 802.2 */
1005 * Token Ring doesn't really have a link-level type field.
1006 * We set "off_linktype" to the offset of the LLC header.
1008 * To check for Ethernet types, we assume that SSAP = SNAP
1009 * is being used and pick out the encapsulated Ethernet type.
1010 * XXX - should we generate code to check for SNAP?
1012 * XXX - the header is actually variable-length.
1013 * Some various Linux patched versions gave 38
1014 * as "off_linktype" and 40 as "off_nl"; however,
1015 * if a token ring packet has *no* routing
1016 * information, i.e. is not source-routed, the correct
1017 * values are 20 and 22, as they are in the vanilla code.
1019 * A packet is source-routed iff the uppermost bit
1020 * of the first byte of the source address, at an
1021 * offset of 8, has the uppermost bit set. If the
1022 * packet is source-routed, the total number of bytes
1023 * of routing information is 2 plus bits 0x1F00 of
1024 * the 16-bit value at an offset of 14 (shifted right
1025 * 8 - figure out which byte that is).
1028 off_macpl = 14; /* Token Ring MAC header length */
1029 off_nl = 8; /* 802.2+SNAP */
1030 off_nl_nosnap = 3; /* 802.2 */
1033 case DLT_IEEE802_11:
1034 case DLT_PRISM_HEADER:
1035 case DLT_IEEE802_11_RADIO_AVS:
1036 case DLT_IEEE802_11_RADIO:
1038 * 802.11 doesn't really have a link-level type field.
1039 * We set "off_linktype" to the offset of the LLC header.
1041 * To check for Ethernet types, we assume that SSAP = SNAP
1042 * is being used and pick out the encapsulated Ethernet type.
1043 * XXX - should we generate code to check for SNAP?
1045 * We also handle variable-length radio headers here.
1046 * The Prism header is in theory variable-length, but in
1047 * practice it's always 144 bytes long. However, some
1048 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1049 * sometimes or always supply an AVS header, so we
1050 * have to check whether the radio header is a Prism
1051 * header or an AVS header, so, in practice, it's
1055 off_macpl = 0; /* link-layer header is variable-length */
1056 off_macpl_is_variable = 1;
1057 off_nl = 8; /* 802.2+SNAP */
1058 off_nl_nosnap = 3; /* 802.2 */
1063 * At the moment we treat PPI the same way that we treat
1064 * normal Radiotap encoded packets. The difference is in
1065 * the function that generates the code at the beginning
1066 * to compute the header length. Since this code generator
1067 * of PPI supports bare 802.11 encapsulation only (i.e.
1068 * the encapsulated DLT should be DLT_IEEE802_11) we
1069 * generate code to check for this too.
1072 off_macpl = 0; /* link-layer header is variable-length */
1073 off_macpl_is_variable = 1;
1074 off_nl = 8; /* 802.2+SNAP */
1075 off_nl_nosnap = 3; /* 802.2 */
1078 case DLT_ATM_RFC1483:
1079 case DLT_ATM_CLIP: /* Linux ATM defines this */
1081 * assume routed, non-ISO PDUs
1082 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1084 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1085 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1086 * latter would presumably be treated the way PPPoE
1087 * should be, so you can do "pppoe and udp port 2049"
1088 * or "pppoa and tcp port 80" and have it check for
1089 * PPPo{A,E} and a PPP protocol of IP and....
1092 off_macpl = 0; /* packet begins with LLC header */
1093 off_nl = 8; /* 802.2+SNAP */
1094 off_nl_nosnap = 3; /* 802.2 */
1099 * Full Frontal ATM; you get AALn PDUs with an ATM
1103 off_vpi = SUNATM_VPI_POS;
1104 off_vci = SUNATM_VCI_POS;
1105 off_proto = PROTO_POS;
1106 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1107 off_payload = SUNATM_PKT_BEGIN_POS;
1108 off_linktype = off_payload;
1109 off_macpl = off_payload; /* if LLC-encapsulated */
1110 off_nl = 8; /* 802.2+SNAP */
1111 off_nl_nosnap = 3; /* 802.2 */
1118 off_nl_nosnap = 0; /* no 802.2 LLC */
1121 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1125 off_nl_nosnap = 0; /* no 802.2 LLC */
1130 * LocalTalk does have a 1-byte type field in the LLAP header,
1131 * but really it just indicates whether there is a "short" or
1132 * "long" DDP packet following.
1137 off_nl_nosnap = 0; /* no 802.2 LLC */
1140 case DLT_IP_OVER_FC:
1142 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1143 * link-level type field. We set "off_linktype" to the
1144 * offset of the LLC header.
1146 * To check for Ethernet types, we assume that SSAP = SNAP
1147 * is being used and pick out the encapsulated Ethernet type.
1148 * XXX - should we generate code to check for SNAP? RFC
1149 * 2625 says SNAP should be used.
1153 off_nl = 8; /* 802.2+SNAP */
1154 off_nl_nosnap = 3; /* 802.2 */
1159 * XXX - we should set this to handle SNAP-encapsulated
1160 * frames (NLPID of 0x80).
1165 off_nl_nosnap = 0; /* no 802.2 LLC */
1169 * the only BPF-interesting FRF.16 frames are non-control frames;
1170 * Frame Relay has a variable length link-layer
1171 * so lets start with offset 4 for now and increments later on (FIXME);
1177 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1180 case DLT_APPLE_IP_OVER_IEEE1394:
1184 off_nl_nosnap = 0; /* no 802.2 LLC */
1187 case DLT_LINUX_IRDA:
1189 * Currently, only raw "link[N:M]" filtering is supported.
1199 * Currently, only raw "link[N:M]" filtering is supported.
1207 case DLT_SYMANTEC_FIREWALL:
1210 off_nl = 0; /* Ethernet II */
1211 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1214 #ifdef HAVE_NET_PFVAR_H
1217 off_macpl = PFLOG_HDRLEN;
1219 off_nl_nosnap = 0; /* no 802.2 LLC */
1223 case DLT_JUNIPER_MFR:
1224 case DLT_JUNIPER_MLFR:
1225 case DLT_JUNIPER_MLPPP:
1226 case DLT_JUNIPER_PPP:
1227 case DLT_JUNIPER_CHDLC:
1228 case DLT_JUNIPER_FRELAY:
1232 off_nl_nosnap = -1; /* no 802.2 LLC */
1235 case DLT_JUNIPER_ATM1:
1236 off_linktype = 4; /* in reality variable between 4-8 */
1237 off_macpl = 4; /* in reality variable between 4-8 */
1242 case DLT_JUNIPER_ATM2:
1243 off_linktype = 8; /* in reality variable between 8-12 */
1244 off_macpl = 8; /* in reality variable between 8-12 */
1249 /* frames captured on a Juniper PPPoE service PIC
1250 * contain raw ethernet frames */
1251 case DLT_JUNIPER_PPPOE:
1252 case DLT_JUNIPER_ETHER:
1255 off_nl = 18; /* Ethernet II */
1256 off_nl_nosnap = 21; /* 802.3+802.2 */
1259 case DLT_JUNIPER_PPPOE_ATM:
1263 off_nl_nosnap = -1; /* no 802.2 LLC */
1266 case DLT_JUNIPER_GGSN:
1270 off_nl_nosnap = -1; /* no 802.2 LLC */
1273 case DLT_JUNIPER_ES:
1275 off_macpl = -1; /* not really a network layer but raw IP addresses */
1276 off_nl = -1; /* not really a network layer but raw IP addresses */
1277 off_nl_nosnap = -1; /* no 802.2 LLC */
1280 case DLT_JUNIPER_MONITOR:
1283 off_nl = 0; /* raw IP/IP6 header */
1284 off_nl_nosnap = -1; /* no 802.2 LLC */
1287 case DLT_JUNIPER_SERVICES:
1289 off_macpl = -1; /* L3 proto location dep. on cookie type */
1290 off_nl = -1; /* L3 proto location dep. on cookie type */
1291 off_nl_nosnap = -1; /* no 802.2 LLC */
1294 case DLT_JUNIPER_VP:
1301 case DLT_JUNIPER_ST:
1308 case DLT_JUNIPER_ISM:
1327 case DLT_MTP2_WITH_PHDR:
1360 case DLT_LINUX_LAPD:
1362 * Currently, only raw "link[N:M]" filtering is supported.
1372 * Currently, only raw "link[N:M]" filtering is supported.
1380 case DLT_BLUETOOTH_HCI_H4:
1382 * Currently, only raw "link[N:M]" filtering is supported.
1392 * Currently, only raw "link[N:M]" filtering is supported.
1402 * Currently, only raw "link[N:M]" filtering is supported.
1410 case DLT_IEEE802_15_4_LINUX:
1412 * Currently, only raw "link[N:M]" filtering is supported.
1420 case DLT_IEEE802_16_MAC_CPS_RADIO:
1422 * Currently, only raw "link[N:M]" filtering is supported.
1430 case DLT_IEEE802_15_4:
1432 * Currently, only raw "link[N:M]" filtering is supported.
1442 * Currently, only raw "link[N:M]" filtering is supported.
1452 * Currently, only raw "link[N:M]" filtering is supported.
1462 * Currently, only raw "link[N:M]" filtering is supported.
1470 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1472 * Currently, only raw "link[N:M]" filtering is supported.
1482 * Currently, only raw "link[N:M]" filtering is supported.
1484 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1486 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1487 off_nl_nosnap = -1; /* no 802.2 LLC */
1488 off_mac = 1; /* step over the kiss length byte */
1491 case DLT_IEEE802_15_4_NONASK_PHY:
1493 * Currently, only raw "link[N:M]" filtering is supported.
1501 bpf_error("unknown data link type %d", linktype);
1506 * Load a value relative to the beginning of the link-layer header.
1507 * The link-layer header doesn't necessarily begin at the beginning
1508 * of the packet data; there might be a variable-length prefix containing
1509 * radio information.
1511 static struct slist *
1512 gen_load_llrel(offset, size)
1515 struct slist *s, *s2;
1517 s = gen_llprefixlen();
1520 * If "s" is non-null, it has code to arrange that the X register
1521 * contains the length of the prefix preceding the link-layer
1524 * Otherwise, the length of the prefix preceding the link-layer
1525 * header is "off_ll".
1529 * There's a variable-length prefix preceding the
1530 * link-layer header. "s" points to a list of statements
1531 * that put the length of that prefix into the X register.
1532 * do an indirect load, to use the X register as an offset.
1534 s2 = new_stmt(BPF_LD|BPF_IND|size);
1539 * There is no variable-length header preceding the
1540 * link-layer header; add in off_ll, which, if there's
1541 * a fixed-length header preceding the link-layer header,
1542 * is the length of that header.
1544 s = new_stmt(BPF_LD|BPF_ABS|size);
1545 s->s.k = offset + off_ll;
1551 * Load a value relative to the beginning of the MAC-layer payload.
1553 static struct slist *
1554 gen_load_macplrel(offset, size)
1557 struct slist *s, *s2;
1559 s = gen_off_macpl();
1562 * If s is non-null, the offset of the MAC-layer payload is
1563 * variable, and s points to a list of instructions that
1564 * arrange that the X register contains that offset.
1566 * Otherwise, the offset of the MAC-layer payload is constant,
1567 * and is in off_macpl.
1571 * The offset of the MAC-layer payload is in the X
1572 * register. Do an indirect load, to use the X register
1575 s2 = new_stmt(BPF_LD|BPF_IND|size);
1580 * The offset of the MAC-layer payload is constant,
1581 * and is in off_macpl; load the value at that offset
1582 * plus the specified offset.
1584 s = new_stmt(BPF_LD|BPF_ABS|size);
1585 s->s.k = off_macpl + offset;
1591 * Load a value relative to the beginning of the specified header.
1593 static struct slist *
1594 gen_load_a(offrel, offset, size)
1595 enum e_offrel offrel;
1598 struct slist *s, *s2;
1603 s = new_stmt(BPF_LD|BPF_ABS|size);
1608 s = gen_load_llrel(offset, size);
1612 s = gen_load_macplrel(offset, size);
1616 s = gen_load_macplrel(off_nl + offset, size);
1620 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1625 * Load the X register with the length of the IPv4 header
1626 * (plus the offset of the link-layer header, if it's
1627 * preceded by a variable-length header such as a radio
1628 * header), in bytes.
1630 s = gen_loadx_iphdrlen();
1633 * Load the item at {offset of the MAC-layer payload} +
1634 * {offset, relative to the start of the MAC-layer
1635 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1636 * {specified offset}.
1638 * (If the offset of the MAC-layer payload is variable,
1639 * it's included in the value in the X register, and
1642 s2 = new_stmt(BPF_LD|BPF_IND|size);
1643 s2->s.k = off_macpl + off_nl + offset;
1648 s = gen_load_macplrel(off_nl + 40 + offset, size);
1659 * Generate code to load into the X register the sum of the length of
1660 * the IPv4 header and any variable-length header preceding the link-layer
1663 static struct slist *
1664 gen_loadx_iphdrlen()
1666 struct slist *s, *s2;
1668 s = gen_off_macpl();
1671 * There's a variable-length prefix preceding the
1672 * link-layer header, or the link-layer header is itself
1673 * variable-length. "s" points to a list of statements
1674 * that put the offset of the MAC-layer payload into
1677 * The 4*([k]&0xf) addressing mode can't be used, as we
1678 * don't have a constant offset, so we have to load the
1679 * value in question into the A register and add to it
1680 * the value from the X register.
1682 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1685 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1688 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1693 * The A register now contains the length of the
1694 * IP header. We need to add to it the offset of
1695 * the MAC-layer payload, which is still in the X
1696 * register, and move the result into the X register.
1698 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1699 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1702 * There is no variable-length header preceding the
1703 * link-layer header, and the link-layer header is
1704 * fixed-length; load the length of the IPv4 header,
1705 * which is at an offset of off_nl from the beginning
1706 * of the MAC-layer payload, and thus at an offset
1707 * of off_mac_pl + off_nl from the beginning of the
1710 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1711 s->s.k = off_macpl + off_nl;
1716 static struct block *
1723 s = new_stmt(BPF_LD|BPF_IMM);
1725 b = new_block(JMP(BPF_JEQ));
1731 static inline struct block *
1734 return gen_uncond(1);
1737 static inline struct block *
1740 return gen_uncond(0);
1744 * Byte-swap a 32-bit number.
1745 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1746 * big-endian platforms.)
1748 #define SWAPLONG(y) \
1749 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1752 * Generate code to match a particular packet type.
1754 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1755 * value, if <= ETHERMTU. We use that to determine whether to
1756 * match the type/length field or to check the type/length field for
1757 * a value <= ETHERMTU to see whether it's a type field and then do
1758 * the appropriate test.
1760 static struct block *
1761 gen_ether_linktype(proto)
1764 struct block *b0, *b1;
1770 case LLCSAP_NETBEUI:
1772 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1773 * so we check the DSAP and SSAP.
1775 * LLCSAP_IP checks for IP-over-802.2, rather
1776 * than IP-over-Ethernet or IP-over-SNAP.
1778 * XXX - should we check both the DSAP and the
1779 * SSAP, like this, or should we check just the
1780 * DSAP, as we do for other types <= ETHERMTU
1781 * (i.e., other SAP values)?
1783 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1785 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1786 ((proto << 8) | proto));
1794 * Ethernet_II frames, which are Ethernet
1795 * frames with a frame type of ETHERTYPE_IPX;
1797 * Ethernet_802.3 frames, which are 802.3
1798 * frames (i.e., the type/length field is
1799 * a length field, <= ETHERMTU, rather than
1800 * a type field) with the first two bytes
1801 * after the Ethernet/802.3 header being
1804 * Ethernet_802.2 frames, which are 802.3
1805 * frames with an 802.2 LLC header and
1806 * with the IPX LSAP as the DSAP in the LLC
1809 * Ethernet_SNAP frames, which are 802.3
1810 * frames with an LLC header and a SNAP
1811 * header and with an OUI of 0x000000
1812 * (encapsulated Ethernet) and a protocol
1813 * ID of ETHERTYPE_IPX in the SNAP header.
1815 * XXX - should we generate the same code both
1816 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1820 * This generates code to check both for the
1821 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1823 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1824 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1828 * Now we add code to check for SNAP frames with
1829 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1831 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1835 * Now we generate code to check for 802.3
1836 * frames in general.
1838 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1842 * Now add the check for 802.3 frames before the
1843 * check for Ethernet_802.2 and Ethernet_802.3,
1844 * as those checks should only be done on 802.3
1845 * frames, not on Ethernet frames.
1850 * Now add the check for Ethernet_II frames, and
1851 * do that before checking for the other frame
1854 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1855 (bpf_int32)ETHERTYPE_IPX);
1859 case ETHERTYPE_ATALK:
1860 case ETHERTYPE_AARP:
1862 * EtherTalk (AppleTalk protocols on Ethernet link
1863 * layer) may use 802.2 encapsulation.
1867 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1868 * we check for an Ethernet type field less than
1869 * 1500, which means it's an 802.3 length field.
1871 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1875 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1876 * SNAP packets with an organization code of
1877 * 0x080007 (Apple, for Appletalk) and a protocol
1878 * type of ETHERTYPE_ATALK (Appletalk).
1880 * 802.2-encapsulated ETHERTYPE_AARP packets are
1881 * SNAP packets with an organization code of
1882 * 0x000000 (encapsulated Ethernet) and a protocol
1883 * type of ETHERTYPE_AARP (Appletalk ARP).
1885 if (proto == ETHERTYPE_ATALK)
1886 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1887 else /* proto == ETHERTYPE_AARP */
1888 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1892 * Check for Ethernet encapsulation (Ethertalk
1893 * phase 1?); we just check for the Ethernet
1896 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1902 if (proto <= ETHERMTU) {
1904 * This is an LLC SAP value, so the frames
1905 * that match would be 802.2 frames.
1906 * Check that the frame is an 802.2 frame
1907 * (i.e., that the length/type field is
1908 * a length field, <= ETHERMTU) and
1909 * then check the DSAP.
1911 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1913 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1919 * This is an Ethernet type, so compare
1920 * the length/type field with it (if
1921 * the frame is an 802.2 frame, the length
1922 * field will be <= ETHERMTU, and, as
1923 * "proto" is > ETHERMTU, this test
1924 * will fail and the frame won't match,
1925 * which is what we want).
1927 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1934 * Generate code to match a particular packet type.
1936 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1937 * value, if <= ETHERMTU. We use that to determine whether to
1938 * match the type field or to check the type field for the special
1939 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1941 static struct block *
1942 gen_linux_sll_linktype(proto)
1945 struct block *b0, *b1;
1951 case LLCSAP_NETBEUI:
1953 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1954 * so we check the DSAP and SSAP.
1956 * LLCSAP_IP checks for IP-over-802.2, rather
1957 * than IP-over-Ethernet or IP-over-SNAP.
1959 * XXX - should we check both the DSAP and the
1960 * SSAP, like this, or should we check just the
1961 * DSAP, as we do for other types <= ETHERMTU
1962 * (i.e., other SAP values)?
1964 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1965 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1966 ((proto << 8) | proto));
1972 * Ethernet_II frames, which are Ethernet
1973 * frames with a frame type of ETHERTYPE_IPX;
1975 * Ethernet_802.3 frames, which have a frame
1976 * type of LINUX_SLL_P_802_3;
1978 * Ethernet_802.2 frames, which are 802.3
1979 * frames with an 802.2 LLC header (i.e, have
1980 * a frame type of LINUX_SLL_P_802_2) and
1981 * with the IPX LSAP as the DSAP in the LLC
1984 * Ethernet_SNAP frames, which are 802.3
1985 * frames with an LLC header and a SNAP
1986 * header and with an OUI of 0x000000
1987 * (encapsulated Ethernet) and a protocol
1988 * ID of ETHERTYPE_IPX in the SNAP header.
1990 * First, do the checks on LINUX_SLL_P_802_2
1991 * frames; generate the check for either
1992 * Ethernet_802.2 or Ethernet_SNAP frames, and
1993 * then put a check for LINUX_SLL_P_802_2 frames
1996 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1997 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
1999 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2003 * Now check for 802.3 frames and OR that with
2004 * the previous test.
2006 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2010 * Now add the check for Ethernet_II frames, and
2011 * do that before checking for the other frame
2014 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2015 (bpf_int32)ETHERTYPE_IPX);
2019 case ETHERTYPE_ATALK:
2020 case ETHERTYPE_AARP:
2022 * EtherTalk (AppleTalk protocols on Ethernet link
2023 * layer) may use 802.2 encapsulation.
2027 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2028 * we check for the 802.2 protocol type in the
2029 * "Ethernet type" field.
2031 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2034 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2035 * SNAP packets with an organization code of
2036 * 0x080007 (Apple, for Appletalk) and a protocol
2037 * type of ETHERTYPE_ATALK (Appletalk).
2039 * 802.2-encapsulated ETHERTYPE_AARP packets are
2040 * SNAP packets with an organization code of
2041 * 0x000000 (encapsulated Ethernet) and a protocol
2042 * type of ETHERTYPE_AARP (Appletalk ARP).
2044 if (proto == ETHERTYPE_ATALK)
2045 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2046 else /* proto == ETHERTYPE_AARP */
2047 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2051 * Check for Ethernet encapsulation (Ethertalk
2052 * phase 1?); we just check for the Ethernet
2055 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2061 if (proto <= ETHERMTU) {
2063 * This is an LLC SAP value, so the frames
2064 * that match would be 802.2 frames.
2065 * Check for the 802.2 protocol type
2066 * in the "Ethernet type" field, and
2067 * then check the DSAP.
2069 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2071 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2077 * This is an Ethernet type, so compare
2078 * the length/type field with it (if
2079 * the frame is an 802.2 frame, the length
2080 * field will be <= ETHERMTU, and, as
2081 * "proto" is > ETHERMTU, this test
2082 * will fail and the frame won't match,
2083 * which is what we want).
2085 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2091 static struct slist *
2092 gen_load_prism_llprefixlen()
2094 struct slist *s1, *s2;
2095 struct slist *sjeq_avs_cookie;
2096 struct slist *sjcommon;
2099 * This code is not compatible with the optimizer, as
2100 * we are generating jmp instructions within a normal
2101 * slist of instructions
2106 * Generate code to load the length of the radio header into
2107 * the register assigned to hold that length, if one has been
2108 * assigned. (If one hasn't been assigned, no code we've
2109 * generated uses that prefix, so we don't need to generate any
2112 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2113 * or always use the AVS header rather than the Prism header.
2114 * We load a 4-byte big-endian value at the beginning of the
2115 * raw packet data, and see whether, when masked with 0xFFFFF000,
2116 * it's equal to 0x80211000. If so, that indicates that it's
2117 * an AVS header (the masked-out bits are the version number).
2118 * Otherwise, it's a Prism header.
2120 * XXX - the Prism header is also, in theory, variable-length,
2121 * but no known software generates headers that aren't 144
2124 if (reg_off_ll != -1) {
2128 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2132 * AND it with 0xFFFFF000.
2134 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2135 s2->s.k = 0xFFFFF000;
2139 * Compare with 0x80211000.
2141 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2142 sjeq_avs_cookie->s.k = 0x80211000;
2143 sappend(s1, sjeq_avs_cookie);
2148 * The 4 bytes at an offset of 4 from the beginning of
2149 * the AVS header are the length of the AVS header.
2150 * That field is big-endian.
2152 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2155 sjeq_avs_cookie->s.jt = s2;
2158 * Now jump to the code to allocate a register
2159 * into which to save the header length and
2160 * store the length there. (The "jump always"
2161 * instruction needs to have the k field set;
2162 * it's added to the PC, so, as we're jumping
2163 * over a single instruction, it should be 1.)
2165 sjcommon = new_stmt(JMP(BPF_JA));
2167 sappend(s1, sjcommon);
2170 * Now for the code that handles the Prism header.
2171 * Just load the length of the Prism header (144)
2172 * into the A register. Have the test for an AVS
2173 * header branch here if we don't have an AVS header.
2175 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2178 sjeq_avs_cookie->s.jf = s2;
2181 * Now allocate a register to hold that value and store
2182 * it. The code for the AVS header will jump here after
2183 * loading the length of the AVS header.
2185 s2 = new_stmt(BPF_ST);
2186 s2->s.k = reg_off_ll;
2188 sjcommon->s.jf = s2;
2191 * Now move it into the X register.
2193 s2 = new_stmt(BPF_MISC|BPF_TAX);
2201 static struct slist *
2202 gen_load_avs_llprefixlen()
2204 struct slist *s1, *s2;
2207 * Generate code to load the length of the AVS header into
2208 * the register assigned to hold that length, if one has been
2209 * assigned. (If one hasn't been assigned, no code we've
2210 * generated uses that prefix, so we don't need to generate any
2213 if (reg_off_ll != -1) {
2215 * The 4 bytes at an offset of 4 from the beginning of
2216 * the AVS header are the length of the AVS header.
2217 * That field is big-endian.
2219 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2223 * Now allocate a register to hold that value and store
2226 s2 = new_stmt(BPF_ST);
2227 s2->s.k = reg_off_ll;
2231 * Now move it into the X register.
2233 s2 = new_stmt(BPF_MISC|BPF_TAX);
2241 static struct slist *
2242 gen_load_radiotap_llprefixlen()
2244 struct slist *s1, *s2;
2247 * Generate code to load the length of the radiotap header into
2248 * the register assigned to hold that length, if one has been
2249 * assigned. (If one hasn't been assigned, no code we've
2250 * generated uses that prefix, so we don't need to generate any
2253 if (reg_off_ll != -1) {
2255 * The 2 bytes at offsets of 2 and 3 from the beginning
2256 * of the radiotap header are the length of the radiotap
2257 * header; unfortunately, it's little-endian, so we have
2258 * to load it a byte at a time and construct the value.
2262 * Load the high-order byte, at an offset of 3, shift it
2263 * left a byte, and put the result in the X register.
2265 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2267 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2270 s2 = new_stmt(BPF_MISC|BPF_TAX);
2274 * Load the next byte, at an offset of 2, and OR the
2275 * value from the X register into it.
2277 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2280 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2284 * Now allocate a register to hold that value and store
2287 s2 = new_stmt(BPF_ST);
2288 s2->s.k = reg_off_ll;
2292 * Now move it into the X register.
2294 s2 = new_stmt(BPF_MISC|BPF_TAX);
2303 * At the moment we treat PPI as normal Radiotap encoded
2304 * packets. The difference is in the function that generates
2305 * the code at the beginning to compute the header length.
2306 * Since this code generator of PPI supports bare 802.11
2307 * encapsulation only (i.e. the encapsulated DLT should be
2308 * DLT_IEEE802_11) we generate code to check for this too;
2309 * that's done in finish_parse().
2311 static struct slist *
2312 gen_load_ppi_llprefixlen()
2314 struct slist *s1, *s2;
2317 * Generate code to load the length of the radiotap header
2318 * into the register assigned to hold that length, if one has
2321 if (reg_off_ll != -1) {
2323 * The 2 bytes at offsets of 2 and 3 from the beginning
2324 * of the radiotap header are the length of the radiotap
2325 * header; unfortunately, it's little-endian, so we have
2326 * to load it a byte at a time and construct the value.
2330 * Load the high-order byte, at an offset of 3, shift it
2331 * left a byte, and put the result in the X register.
2333 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2335 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2338 s2 = new_stmt(BPF_MISC|BPF_TAX);
2342 * Load the next byte, at an offset of 2, and OR the
2343 * value from the X register into it.
2345 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2348 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2352 * Now allocate a register to hold that value and store
2355 s2 = new_stmt(BPF_ST);
2356 s2->s.k = reg_off_ll;
2360 * Now move it into the X register.
2362 s2 = new_stmt(BPF_MISC|BPF_TAX);
2371 * Load a value relative to the beginning of the link-layer header after the 802.11
2372 * header, i.e. LLC_SNAP.
2373 * The link-layer header doesn't necessarily begin at the beginning
2374 * of the packet data; there might be a variable-length prefix containing
2375 * radio information.
2377 static struct slist *
2378 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2381 struct slist *sjset_data_frame_1;
2382 struct slist *sjset_data_frame_2;
2383 struct slist *sjset_qos;
2384 struct slist *sjset_radiotap_flags;
2385 struct slist *sjset_radiotap_tsft;
2386 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2387 struct slist *s_roundup;
2389 if (reg_off_macpl == -1) {
2391 * No register has been assigned to the offset of
2392 * the MAC-layer payload, which means nobody needs
2393 * it; don't bother computing it - just return
2394 * what we already have.
2400 * This code is not compatible with the optimizer, as
2401 * we are generating jmp instructions within a normal
2402 * slist of instructions
2407 * If "s" is non-null, it has code to arrange that the X register
2408 * contains the length of the prefix preceding the link-layer
2411 * Otherwise, the length of the prefix preceding the link-layer
2412 * header is "off_ll".
2416 * There is no variable-length header preceding the
2417 * link-layer header.
2419 * Load the length of the fixed-length prefix preceding
2420 * the link-layer header (if any) into the X register,
2421 * and store it in the reg_off_macpl register.
2422 * That length is off_ll.
2424 s = new_stmt(BPF_LDX|BPF_IMM);
2429 * The X register contains the offset of the beginning of the
2430 * link-layer header; add 24, which is the minimum length
2431 * of the MAC header for a data frame, to that, and store it
2432 * in reg_off_macpl, and then load the Frame Control field,
2433 * which is at the offset in the X register, with an indexed load.
2435 s2 = new_stmt(BPF_MISC|BPF_TXA);
2437 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2440 s2 = new_stmt(BPF_ST);
2441 s2->s.k = reg_off_macpl;
2444 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2449 * Check the Frame Control field to see if this is a data frame;
2450 * a data frame has the 0x08 bit (b3) in that field set and the
2451 * 0x04 bit (b2) clear.
2453 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2454 sjset_data_frame_1->s.k = 0x08;
2455 sappend(s, sjset_data_frame_1);
2458 * If b3 is set, test b2, otherwise go to the first statement of
2459 * the rest of the program.
2461 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2462 sjset_data_frame_2->s.k = 0x04;
2463 sappend(s, sjset_data_frame_2);
2464 sjset_data_frame_1->s.jf = snext;
2467 * If b2 is not set, this is a data frame; test the QoS bit.
2468 * Otherwise, go to the first statement of the rest of the
2471 sjset_data_frame_2->s.jt = snext;
2472 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2473 sjset_qos->s.k = 0x80; /* QoS bit */
2474 sappend(s, sjset_qos);
2477 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2479 * Otherwise, go to the first statement of the rest of the
2482 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2483 s2->s.k = reg_off_macpl;
2485 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2488 s2 = new_stmt(BPF_ST);
2489 s2->s.k = reg_off_macpl;
2493 * If we have a radiotap header, look at it to see whether
2494 * there's Atheros padding between the MAC-layer header
2497 * Note: all of the fields in the radiotap header are
2498 * little-endian, so we byte-swap all of the values
2499 * we test against, as they will be loaded as big-endian
2502 if (linktype == DLT_IEEE802_11_RADIO) {
2504 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2505 * in the presence flag?
2507 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2511 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2512 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2513 sappend(s, sjset_radiotap_flags);
2516 * If not, skip all of this.
2518 sjset_radiotap_flags->s.jf = snext;
2521 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2523 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2524 new_stmt(JMP(BPF_JSET));
2525 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2526 sappend(s, sjset_radiotap_tsft);
2529 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2530 * at an offset of 16 from the beginning of the raw packet
2531 * data (8 bytes for the radiotap header and 8 bytes for
2534 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2537 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2541 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2542 sjset_tsft_datapad->s.k = 0x20;
2543 sappend(s, sjset_tsft_datapad);
2546 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2547 * at an offset of 8 from the beginning of the raw packet
2548 * data (8 bytes for the radiotap header).
2550 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2553 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2557 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2558 sjset_notsft_datapad->s.k = 0x20;
2559 sappend(s, sjset_notsft_datapad);
2562 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2563 * set, round the length of the 802.11 header to
2564 * a multiple of 4. Do that by adding 3 and then
2565 * dividing by and multiplying by 4, which we do by
2568 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2569 s_roundup->s.k = reg_off_macpl;
2570 sappend(s, s_roundup);
2571 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2574 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2577 s2 = new_stmt(BPF_ST);
2578 s2->s.k = reg_off_macpl;
2581 sjset_tsft_datapad->s.jt = s_roundup;
2582 sjset_tsft_datapad->s.jf = snext;
2583 sjset_notsft_datapad->s.jt = s_roundup;
2584 sjset_notsft_datapad->s.jf = snext;
2586 sjset_qos->s.jf = snext;
2592 insert_compute_vloffsets(b)
2598 * For link-layer types that have a variable-length header
2599 * preceding the link-layer header, generate code to load
2600 * the offset of the link-layer header into the register
2601 * assigned to that offset, if any.
2605 case DLT_PRISM_HEADER:
2606 s = gen_load_prism_llprefixlen();
2609 case DLT_IEEE802_11_RADIO_AVS:
2610 s = gen_load_avs_llprefixlen();
2613 case DLT_IEEE802_11_RADIO:
2614 s = gen_load_radiotap_llprefixlen();
2618 s = gen_load_ppi_llprefixlen();
2627 * For link-layer types that have a variable-length link-layer
2628 * header, generate code to load the offset of the MAC-layer
2629 * payload into the register assigned to that offset, if any.
2633 case DLT_IEEE802_11:
2634 case DLT_PRISM_HEADER:
2635 case DLT_IEEE802_11_RADIO_AVS:
2636 case DLT_IEEE802_11_RADIO:
2638 s = gen_load_802_11_header_len(s, b->stmts);
2643 * If we have any offset-loading code, append all the
2644 * existing statements in the block to those statements,
2645 * and make the resulting list the list of statements
2649 sappend(s, b->stmts);
2654 static struct block *
2655 gen_ppi_dlt_check(void)
2657 struct slist *s_load_dlt;
2660 if (linktype == DLT_PPI)
2662 /* Create the statements that check for the DLT
2664 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2665 s_load_dlt->s.k = 4;
2667 b = new_block(JMP(BPF_JEQ));
2669 b->stmts = s_load_dlt;
2670 b->s.k = SWAPLONG(DLT_IEEE802_11);
2680 static struct slist *
2681 gen_prism_llprefixlen(void)
2685 if (reg_off_ll == -1) {
2687 * We haven't yet assigned a register for the length
2688 * of the radio header; allocate one.
2690 reg_off_ll = alloc_reg();
2694 * Load the register containing the radio length
2695 * into the X register.
2697 s = new_stmt(BPF_LDX|BPF_MEM);
2698 s->s.k = reg_off_ll;
2702 static struct slist *
2703 gen_avs_llprefixlen(void)
2707 if (reg_off_ll == -1) {
2709 * We haven't yet assigned a register for the length
2710 * of the AVS header; allocate one.
2712 reg_off_ll = alloc_reg();
2716 * Load the register containing the AVS length
2717 * into the X register.
2719 s = new_stmt(BPF_LDX|BPF_MEM);
2720 s->s.k = reg_off_ll;
2724 static struct slist *
2725 gen_radiotap_llprefixlen(void)
2729 if (reg_off_ll == -1) {
2731 * We haven't yet assigned a register for the length
2732 * of the radiotap header; allocate one.
2734 reg_off_ll = alloc_reg();
2738 * Load the register containing the radiotap length
2739 * into the X register.
2741 s = new_stmt(BPF_LDX|BPF_MEM);
2742 s->s.k = reg_off_ll;
2747 * At the moment we treat PPI as normal Radiotap encoded
2748 * packets. The difference is in the function that generates
2749 * the code at the beginning to compute the header length.
2750 * Since this code generator of PPI supports bare 802.11
2751 * encapsulation only (i.e. the encapsulated DLT should be
2752 * DLT_IEEE802_11) we generate code to check for this too.
2754 static struct slist *
2755 gen_ppi_llprefixlen(void)
2759 if (reg_off_ll == -1) {
2761 * We haven't yet assigned a register for the length
2762 * of the radiotap header; allocate one.
2764 reg_off_ll = alloc_reg();
2768 * Load the register containing the PPI length
2769 * into the X register.
2771 s = new_stmt(BPF_LDX|BPF_MEM);
2772 s->s.k = reg_off_ll;
2777 * Generate code to compute the link-layer header length, if necessary,
2778 * putting it into the X register, and to return either a pointer to a
2779 * "struct slist" for the list of statements in that code, or NULL if
2780 * no code is necessary.
2782 static struct slist *
2783 gen_llprefixlen(void)
2787 case DLT_PRISM_HEADER:
2788 return gen_prism_llprefixlen();
2790 case DLT_IEEE802_11_RADIO_AVS:
2791 return gen_avs_llprefixlen();
2793 case DLT_IEEE802_11_RADIO:
2794 return gen_radiotap_llprefixlen();
2797 return gen_ppi_llprefixlen();
2805 * Generate code to load the register containing the offset of the
2806 * MAC-layer payload into the X register; if no register for that offset
2807 * has been allocated, allocate it first.
2809 static struct slist *
2814 if (off_macpl_is_variable) {
2815 if (reg_off_macpl == -1) {
2817 * We haven't yet assigned a register for the offset
2818 * of the MAC-layer payload; allocate one.
2820 reg_off_macpl = alloc_reg();
2824 * Load the register containing the offset of the MAC-layer
2825 * payload into the X register.
2827 s = new_stmt(BPF_LDX|BPF_MEM);
2828 s->s.k = reg_off_macpl;
2832 * That offset isn't variable, so we don't need to
2833 * generate any code.
2840 * Map an Ethernet type to the equivalent PPP type.
2843 ethertype_to_ppptype(proto)
2853 case ETHERTYPE_IPV6:
2862 case ETHERTYPE_ATALK:
2876 * I'm assuming the "Bridging PDU"s that go
2877 * over PPP are Spanning Tree Protocol
2891 * Generate code to match a particular packet type by matching the
2892 * link-layer type field or fields in the 802.2 LLC header.
2894 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2895 * value, if <= ETHERMTU.
2897 static struct block *
2901 struct block *b0, *b1, *b2;
2903 /* are we checking MPLS-encapsulated packets? */
2904 if (label_stack_depth > 0) {
2908 /* FIXME add other L3 proto IDs */
2909 return gen_mpls_linktype(Q_IP);
2911 case ETHERTYPE_IPV6:
2913 /* FIXME add other L3 proto IDs */
2914 return gen_mpls_linktype(Q_IPV6);
2917 bpf_error("unsupported protocol over mpls");
2923 * Are we testing PPPoE packets?
2927 * The PPPoE session header is part of the
2928 * MAC-layer payload, so all references
2929 * should be relative to the beginning of
2934 * We use Ethernet protocol types inside libpcap;
2935 * map them to the corresponding PPP protocol types.
2937 proto = ethertype_to_ppptype(proto);
2938 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2944 return gen_ether_linktype(proto);
2952 proto = (proto << 8 | LLCSAP_ISONS);
2956 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2963 case DLT_IEEE802_11:
2964 case DLT_PRISM_HEADER:
2965 case DLT_IEEE802_11_RADIO_AVS:
2966 case DLT_IEEE802_11_RADIO:
2969 * Check that we have a data frame.
2971 b0 = gen_check_802_11_data_frame();
2974 * Now check for the specified link-layer type.
2976 b1 = gen_llc_linktype(proto);
2984 * XXX - check for asynchronous frames, as per RFC 1103.
2986 return gen_llc_linktype(proto);
2992 * XXX - check for LLC PDUs, as per IEEE 802.5.
2994 return gen_llc_linktype(proto);
2998 case DLT_ATM_RFC1483:
3000 case DLT_IP_OVER_FC:
3001 return gen_llc_linktype(proto);
3007 * If "is_lane" is set, check for a LANE-encapsulated
3008 * version of this protocol, otherwise check for an
3009 * LLC-encapsulated version of this protocol.
3011 * We assume LANE means Ethernet, not Token Ring.
3015 * Check that the packet doesn't begin with an
3016 * LE Control marker. (We've already generated
3019 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3024 * Now generate an Ethernet test.
3026 b1 = gen_ether_linktype(proto);
3031 * Check for LLC encapsulation and then check the
3034 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3035 b1 = gen_llc_linktype(proto);
3043 return gen_linux_sll_linktype(proto);
3048 case DLT_SLIP_BSDOS:
3051 * These types don't provide any type field; packets
3052 * are always IPv4 or IPv6.
3054 * XXX - for IPv4, check for a version number of 4, and,
3055 * for IPv6, check for a version number of 6?
3060 /* Check for a version number of 4. */
3061 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3063 case ETHERTYPE_IPV6:
3064 /* Check for a version number of 6. */
3065 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3069 return gen_false(); /* always false */
3076 case DLT_PPP_SERIAL:
3079 * We use Ethernet protocol types inside libpcap;
3080 * map them to the corresponding PPP protocol types.
3082 proto = ethertype_to_ppptype(proto);
3083 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3089 * We use Ethernet protocol types inside libpcap;
3090 * map them to the corresponding PPP protocol types.
3096 * Also check for Van Jacobson-compressed IP.
3097 * XXX - do this for other forms of PPP?
3099 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3100 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3102 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3107 proto = ethertype_to_ppptype(proto);
3108 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3118 * For DLT_NULL, the link-layer header is a 32-bit
3119 * word containing an AF_ value in *host* byte order,
3120 * and for DLT_ENC, the link-layer header begins
3121 * with a 32-bit work containing an AF_ value in
3124 * In addition, if we're reading a saved capture file,
3125 * the host byte order in the capture may not be the
3126 * same as the host byte order on this machine.
3128 * For DLT_LOOP, the link-layer header is a 32-bit
3129 * word containing an AF_ value in *network* byte order.
3131 * XXX - AF_ values may, unfortunately, be platform-
3132 * dependent; for example, FreeBSD's AF_INET6 is 24
3133 * whilst NetBSD's and OpenBSD's is 26.
3135 * This means that, when reading a capture file, just
3136 * checking for our AF_INET6 value won't work if the
3137 * capture file came from another OS.
3146 case ETHERTYPE_IPV6:
3153 * Not a type on which we support filtering.
3154 * XXX - support those that have AF_ values
3155 * #defined on this platform, at least?
3160 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3162 * The AF_ value is in host byte order, but
3163 * the BPF interpreter will convert it to
3164 * network byte order.
3166 * If this is a save file, and it's from a
3167 * machine with the opposite byte order to
3168 * ours, we byte-swap the AF_ value.
3170 * Then we run it through "htonl()", and
3171 * generate code to compare against the result.
3173 if (bpf_pcap->sf.rfile != NULL &&
3174 bpf_pcap->sf.swapped)
3175 proto = SWAPLONG(proto);
3176 proto = htonl(proto);
3178 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3180 #ifdef HAVE_NET_PFVAR_H
3183 * af field is host byte order in contrast to the rest of
3186 if (proto == ETHERTYPE_IP)
3187 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3188 BPF_B, (bpf_int32)AF_INET));
3190 else if (proto == ETHERTYPE_IPV6)
3191 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3192 BPF_B, (bpf_int32)AF_INET6));
3198 #endif /* HAVE_NET_PFVAR_H */
3201 case DLT_ARCNET_LINUX:
3203 * XXX should we check for first fragment if the protocol
3212 case ETHERTYPE_IPV6:
3213 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3214 (bpf_int32)ARCTYPE_INET6));
3218 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3219 (bpf_int32)ARCTYPE_IP);
3220 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3221 (bpf_int32)ARCTYPE_IP_OLD);
3226 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3227 (bpf_int32)ARCTYPE_ARP);
3228 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3229 (bpf_int32)ARCTYPE_ARP_OLD);
3233 case ETHERTYPE_REVARP:
3234 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3235 (bpf_int32)ARCTYPE_REVARP));
3237 case ETHERTYPE_ATALK:
3238 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3239 (bpf_int32)ARCTYPE_ATALK));
3246 case ETHERTYPE_ATALK:
3256 * XXX - assumes a 2-byte Frame Relay header with
3257 * DLCI and flags. What if the address is longer?
3263 * Check for the special NLPID for IP.
3265 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3268 case ETHERTYPE_IPV6:
3270 * Check for the special NLPID for IPv6.
3272 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3277 * Check for several OSI protocols.
3279 * Frame Relay packets typically have an OSI
3280 * NLPID at the beginning; we check for each
3283 * What we check for is the NLPID and a frame
3284 * control field of UI, i.e. 0x03 followed
3287 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3288 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3289 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3301 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3303 case DLT_JUNIPER_MFR:
3304 case DLT_JUNIPER_MLFR:
3305 case DLT_JUNIPER_MLPPP:
3306 case DLT_JUNIPER_ATM1:
3307 case DLT_JUNIPER_ATM2:
3308 case DLT_JUNIPER_PPPOE:
3309 case DLT_JUNIPER_PPPOE_ATM:
3310 case DLT_JUNIPER_GGSN:
3311 case DLT_JUNIPER_ES:
3312 case DLT_JUNIPER_MONITOR:
3313 case DLT_JUNIPER_SERVICES:
3314 case DLT_JUNIPER_ETHER:
3315 case DLT_JUNIPER_PPP:
3316 case DLT_JUNIPER_FRELAY:
3317 case DLT_JUNIPER_CHDLC:
3318 case DLT_JUNIPER_VP:
3319 case DLT_JUNIPER_ST:
3320 case DLT_JUNIPER_ISM:
3321 /* just lets verify the magic number for now -
3322 * on ATM we may have up to 6 different encapsulations on the wire
3323 * and need a lot of heuristics to figure out that the payload
3326 * FIXME encapsulation specific BPF_ filters
3328 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3330 case DLT_LINUX_IRDA:
3331 bpf_error("IrDA link-layer type filtering not implemented");
3334 bpf_error("DOCSIS link-layer type filtering not implemented");
3337 case DLT_MTP2_WITH_PHDR:
3338 bpf_error("MTP2 link-layer type filtering not implemented");
3341 bpf_error("ERF link-layer type filtering not implemented");
3345 bpf_error("PFSYNC link-layer type filtering not implemented");
3348 case DLT_LINUX_LAPD:
3349 bpf_error("LAPD link-layer type filtering not implemented");
3353 bpf_error("USB link-layer type filtering not implemented");
3355 case DLT_BLUETOOTH_HCI_H4:
3356 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3357 bpf_error("Bluetooth link-layer type filtering not implemented");
3360 bpf_error("CAN20B link-layer type filtering not implemented");
3362 case DLT_IEEE802_15_4:
3363 case DLT_IEEE802_15_4_LINUX:
3364 case DLT_IEEE802_15_4_NONASK_PHY:
3365 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3367 case DLT_IEEE802_16_MAC_CPS_RADIO:
3368 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3371 bpf_error("SITA link-layer type filtering not implemented");
3374 bpf_error("RAIF1 link-layer type filtering not implemented");
3377 bpf_error("IPMB link-layer type filtering not implemented");
3380 bpf_error("AX.25 link-layer type filtering not implemented");
3384 * All the types that have no encapsulation should either be
3385 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3386 * all packets are IP packets, or should be handled in some
3387 * special case, if none of them are (if some are and some
3388 * aren't, the lack of encapsulation is a problem, as we'd
3389 * have to find some other way of determining the packet type).
3391 * Therefore, if "off_linktype" is -1, there's an error.
3393 if (off_linktype == (u_int)-1)
3397 * Any type not handled above should always have an Ethernet
3398 * type at an offset of "off_linktype".
3400 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3404 * Check for an LLC SNAP packet with a given organization code and
3405 * protocol type; we check the entire contents of the 802.2 LLC and
3406 * snap headers, checking for DSAP and SSAP of SNAP and a control
3407 * field of 0x03 in the LLC header, and for the specified organization
3408 * code and protocol type in the SNAP header.
3410 static struct block *
3411 gen_snap(orgcode, ptype)
3412 bpf_u_int32 orgcode;
3415 u_char snapblock[8];
3417 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3418 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3419 snapblock[2] = 0x03; /* control = UI */
3420 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3421 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3422 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3423 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3424 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3425 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3429 * Generate code to match a particular packet type, for link-layer types
3430 * using 802.2 LLC headers.
3432 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3433 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3435 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3436 * value, if <= ETHERMTU. We use that to determine whether to
3437 * match the DSAP or both DSAP and LSAP or to check the OUI and
3438 * protocol ID in a SNAP header.
3440 static struct block *
3441 gen_llc_linktype(proto)
3445 * XXX - handle token-ring variable-length header.
3451 case LLCSAP_NETBEUI:
3453 * XXX - should we check both the DSAP and the
3454 * SSAP, like this, or should we check just the
3455 * DSAP, as we do for other types <= ETHERMTU
3456 * (i.e., other SAP values)?
3458 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3459 ((proto << 8) | proto));
3463 * XXX - are there ever SNAP frames for IPX on
3464 * non-Ethernet 802.x networks?
3466 return gen_cmp(OR_MACPL, 0, BPF_B,
3467 (bpf_int32)LLCSAP_IPX);
3469 case ETHERTYPE_ATALK:
3471 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3472 * SNAP packets with an organization code of
3473 * 0x080007 (Apple, for Appletalk) and a protocol
3474 * type of ETHERTYPE_ATALK (Appletalk).
3476 * XXX - check for an organization code of
3477 * encapsulated Ethernet as well?
3479 return gen_snap(0x080007, ETHERTYPE_ATALK);
3483 * XXX - we don't have to check for IPX 802.3
3484 * here, but should we check for the IPX Ethertype?
3486 if (proto <= ETHERMTU) {
3488 * This is an LLC SAP value, so check
3491 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3494 * This is an Ethernet type; we assume that it's
3495 * unlikely that it'll appear in the right place
3496 * at random, and therefore check only the
3497 * location that would hold the Ethernet type
3498 * in a SNAP frame with an organization code of
3499 * 0x000000 (encapsulated Ethernet).
3501 * XXX - if we were to check for the SNAP DSAP and
3502 * LSAP, as per XXX, and were also to check for an
3503 * organization code of 0x000000 (encapsulated
3504 * Ethernet), we'd do
3506 * return gen_snap(0x000000, proto);
3508 * here; for now, we don't, as per the above.
3509 * I don't know whether it's worth the extra CPU
3510 * time to do the right check or not.
3512 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3517 static struct block *
3518 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3522 u_int src_off, dst_off;
3524 struct block *b0, *b1;
3538 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3539 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3545 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3546 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3553 b0 = gen_linktype(proto);
3554 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3560 static struct block *
3561 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3562 struct in6_addr *addr;
3563 struct in6_addr *mask;
3565 u_int src_off, dst_off;
3567 struct block *b0, *b1;
3582 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3583 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3589 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3590 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3597 /* this order is important */
3598 a = (u_int32_t *)addr;
3599 m = (u_int32_t *)mask;
3600 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3601 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3603 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3605 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3607 b0 = gen_linktype(proto);
3613 static struct block *
3614 gen_ehostop(eaddr, dir)
3615 register const u_char *eaddr;
3618 register struct block *b0, *b1;
3622 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3625 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3628 b0 = gen_ehostop(eaddr, Q_SRC);
3629 b1 = gen_ehostop(eaddr, Q_DST);
3635 b0 = gen_ehostop(eaddr, Q_SRC);
3636 b1 = gen_ehostop(eaddr, Q_DST);
3645 * Like gen_ehostop, but for DLT_FDDI
3647 static struct block *
3648 gen_fhostop(eaddr, dir)
3649 register const u_char *eaddr;
3652 struct block *b0, *b1;
3657 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3659 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3664 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3666 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3670 b0 = gen_fhostop(eaddr, Q_SRC);
3671 b1 = gen_fhostop(eaddr, Q_DST);
3677 b0 = gen_fhostop(eaddr, Q_SRC);
3678 b1 = gen_fhostop(eaddr, Q_DST);
3687 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3689 static struct block *
3690 gen_thostop(eaddr, dir)
3691 register const u_char *eaddr;
3694 register struct block *b0, *b1;
3698 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3701 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3704 b0 = gen_thostop(eaddr, Q_SRC);
3705 b1 = gen_thostop(eaddr, Q_DST);
3711 b0 = gen_thostop(eaddr, Q_SRC);
3712 b1 = gen_thostop(eaddr, Q_DST);
3721 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3722 * various 802.11 + radio headers.
3724 static struct block *
3725 gen_wlanhostop(eaddr, dir)
3726 register const u_char *eaddr;
3729 register struct block *b0, *b1, *b2;
3730 register struct slist *s;
3732 #ifdef ENABLE_WLAN_FILTERING_PATCH
3735 * We need to disable the optimizer because the optimizer is buggy
3736 * and wipes out some LD instructions generated by the below
3737 * code to validate the Frame Control bits
3740 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3747 * For control frames, there is no SA.
3749 * For management frames, SA is at an
3750 * offset of 10 from the beginning of
3753 * For data frames, SA is at an offset
3754 * of 10 from the beginning of the packet
3755 * if From DS is clear, at an offset of
3756 * 16 from the beginning of the packet
3757 * if From DS is set and To DS is clear,
3758 * and an offset of 24 from the beginning
3759 * of the packet if From DS is set and To DS
3764 * Generate the tests to be done for data frames
3767 * First, check for To DS set, i.e. check "link[1] & 0x01".
3769 s = gen_load_a(OR_LINK, 1, BPF_B);
3770 b1 = new_block(JMP(BPF_JSET));
3771 b1->s.k = 0x01; /* To DS */
3775 * If To DS is set, the SA is at 24.
3777 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3781 * Now, check for To DS not set, i.e. check
3782 * "!(link[1] & 0x01)".
3784 s = gen_load_a(OR_LINK, 1, BPF_B);
3785 b2 = new_block(JMP(BPF_JSET));
3786 b2->s.k = 0x01; /* To DS */
3791 * If To DS is not set, the SA is at 16.
3793 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3797 * Now OR together the last two checks. That gives
3798 * the complete set of checks for data frames with
3804 * Now check for From DS being set, and AND that with
3805 * the ORed-together checks.
3807 s = gen_load_a(OR_LINK, 1, BPF_B);
3808 b1 = new_block(JMP(BPF_JSET));
3809 b1->s.k = 0x02; /* From DS */
3814 * Now check for data frames with From DS not set.
3816 s = gen_load_a(OR_LINK, 1, BPF_B);
3817 b2 = new_block(JMP(BPF_JSET));
3818 b2->s.k = 0x02; /* From DS */
3823 * If From DS isn't set, the SA is at 10.
3825 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3829 * Now OR together the checks for data frames with
3830 * From DS not set and for data frames with From DS
3831 * set; that gives the checks done for data frames.
3836 * Now check for a data frame.
3837 * I.e, check "link[0] & 0x08".
3839 s = gen_load_a(OR_LINK, 0, BPF_B);
3840 b1 = new_block(JMP(BPF_JSET));
3845 * AND that with the checks done for data frames.
3850 * If the high-order bit of the type value is 0, this
3851 * is a management frame.
3852 * I.e, check "!(link[0] & 0x08)".
3854 s = gen_load_a(OR_LINK, 0, BPF_B);
3855 b2 = new_block(JMP(BPF_JSET));
3861 * For management frames, the SA is at 10.
3863 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3867 * OR that with the checks done for data frames.
3868 * That gives the checks done for management and
3874 * If the low-order bit of the type value is 1,
3875 * this is either a control frame or a frame
3876 * with a reserved type, and thus not a
3879 * I.e., check "!(link[0] & 0x04)".
3881 s = gen_load_a(OR_LINK, 0, BPF_B);
3882 b1 = new_block(JMP(BPF_JSET));
3888 * AND that with the checks for data and management
3898 * For control frames, there is no DA.
3900 * For management frames, DA is at an
3901 * offset of 4 from the beginning of
3904 * For data frames, DA is at an offset
3905 * of 4 from the beginning of the packet
3906 * if To DS is clear and at an offset of
3907 * 16 from the beginning of the packet
3912 * Generate the tests to be done for data frames.
3914 * First, check for To DS set, i.e. "link[1] & 0x01".
3916 s = gen_load_a(OR_LINK, 1, BPF_B);
3917 b1 = new_block(JMP(BPF_JSET));
3918 b1->s.k = 0x01; /* To DS */
3922 * If To DS is set, the DA is at 16.
3924 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3928 * Now, check for To DS not set, i.e. check
3929 * "!(link[1] & 0x01)".
3931 s = gen_load_a(OR_LINK, 1, BPF_B);
3932 b2 = new_block(JMP(BPF_JSET));
3933 b2->s.k = 0x01; /* To DS */
3938 * If To DS is not set, the DA is at 4.
3940 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3944 * Now OR together the last two checks. That gives
3945 * the complete set of checks for data frames.
3950 * Now check for a data frame.
3951 * I.e, check "link[0] & 0x08".
3953 s = gen_load_a(OR_LINK, 0, BPF_B);
3954 b1 = new_block(JMP(BPF_JSET));
3959 * AND that with the checks done for data frames.
3964 * If the high-order bit of the type value is 0, this
3965 * is a management frame.
3966 * I.e, check "!(link[0] & 0x08)".
3968 s = gen_load_a(OR_LINK, 0, BPF_B);
3969 b2 = new_block(JMP(BPF_JSET));
3975 * For management frames, the DA is at 4.
3977 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3981 * OR that with the checks done for data frames.
3982 * That gives the checks done for management and
3988 * If the low-order bit of the type value is 1,
3989 * this is either a control frame or a frame
3990 * with a reserved type, and thus not a
3993 * I.e., check "!(link[0] & 0x04)".
3995 s = gen_load_a(OR_LINK, 0, BPF_B);
3996 b1 = new_block(JMP(BPF_JSET));
4002 * AND that with the checks for data and management
4009 * XXX - add RA, TA, and BSSID keywords?
4012 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4016 * Not present in CTS or ACK control frames.
4018 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4019 IEEE80211_FC0_TYPE_MASK);
4021 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4022 IEEE80211_FC0_SUBTYPE_MASK);
4024 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4025 IEEE80211_FC0_SUBTYPE_MASK);
4029 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4035 * Not present in control frames.
4037 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4038 IEEE80211_FC0_TYPE_MASK);
4040 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4046 * Present only if the direction mask has both "From DS"
4047 * and "To DS" set. Neither control frames nor management
4048 * frames should have both of those set, so we don't
4049 * check the frame type.
4051 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4052 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4053 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4058 b0 = gen_wlanhostop(eaddr, Q_SRC);
4059 b1 = gen_wlanhostop(eaddr, Q_DST);
4065 b0 = gen_wlanhostop(eaddr, Q_SRC);
4066 b1 = gen_wlanhostop(eaddr, Q_DST);
4075 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4076 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4077 * as the RFC states.)
4079 static struct block *
4080 gen_ipfchostop(eaddr, dir)
4081 register const u_char *eaddr;
4084 register struct block *b0, *b1;
4088 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4091 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4094 b0 = gen_ipfchostop(eaddr, Q_SRC);
4095 b1 = gen_ipfchostop(eaddr, Q_DST);
4101 b0 = gen_ipfchostop(eaddr, Q_SRC);
4102 b1 = gen_ipfchostop(eaddr, Q_DST);
4111 * This is quite tricky because there may be pad bytes in front of the
4112 * DECNET header, and then there are two possible data packet formats that
4113 * carry both src and dst addresses, plus 5 packet types in a format that
4114 * carries only the src node, plus 2 types that use a different format and
4115 * also carry just the src node.
4119 * Instead of doing those all right, we just look for data packets with
4120 * 0 or 1 bytes of padding. If you want to look at other packets, that
4121 * will require a lot more hacking.
4123 * To add support for filtering on DECNET "areas" (network numbers)
4124 * one would want to add a "mask" argument to this routine. That would
4125 * make the filter even more inefficient, although one could be clever
4126 * and not generate masking instructions if the mask is 0xFFFF.
4128 static struct block *
4129 gen_dnhostop(addr, dir)
4133 struct block *b0, *b1, *b2, *tmp;
4134 u_int offset_lh; /* offset if long header is received */
4135 u_int offset_sh; /* offset if short header is received */
4140 offset_sh = 1; /* follows flags */
4141 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4145 offset_sh = 3; /* follows flags, dstnode */
4146 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4150 /* Inefficient because we do our Calvinball dance twice */
4151 b0 = gen_dnhostop(addr, Q_SRC);
4152 b1 = gen_dnhostop(addr, Q_DST);
4158 /* Inefficient because we do our Calvinball dance twice */
4159 b0 = gen_dnhostop(addr, Q_SRC);
4160 b1 = gen_dnhostop(addr, Q_DST);
4165 bpf_error("ISO host filtering not implemented");
4170 b0 = gen_linktype(ETHERTYPE_DN);
4171 /* Check for pad = 1, long header case */
4172 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4173 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4174 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4175 BPF_H, (bpf_int32)ntohs((u_short)addr));
4177 /* Check for pad = 0, long header case */
4178 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4179 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4182 /* Check for pad = 1, short header case */
4183 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4184 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4185 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4188 /* Check for pad = 0, short header case */
4189 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4190 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4194 /* Combine with test for linktype */
4200 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4201 * test the bottom-of-stack bit, and then check the version number
4202 * field in the IP header.
4204 static struct block *
4205 gen_mpls_linktype(proto)
4208 struct block *b0, *b1;
4213 /* match the bottom-of-stack bit */
4214 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4215 /* match the IPv4 version number */
4216 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4221 /* match the bottom-of-stack bit */
4222 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4223 /* match the IPv4 version number */
4224 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4233 static struct block *
4234 gen_host(addr, mask, proto, dir, type)
4241 struct block *b0, *b1;
4242 const char *typestr;
4252 b0 = gen_host(addr, mask, Q_IP, dir, type);
4254 * Only check for non-IPv4 addresses if we're not
4255 * checking MPLS-encapsulated packets.
4257 if (label_stack_depth == 0) {
4258 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4260 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4266 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4269 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4272 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4275 bpf_error("'tcp' modifier applied to %s", typestr);
4278 bpf_error("'sctp' modifier applied to %s", typestr);
4281 bpf_error("'udp' modifier applied to %s", typestr);
4284 bpf_error("'icmp' modifier applied to %s", typestr);
4287 bpf_error("'igmp' modifier applied to %s", typestr);
4290 bpf_error("'igrp' modifier applied to %s", typestr);
4293 bpf_error("'pim' modifier applied to %s", typestr);
4296 bpf_error("'vrrp' modifier applied to %s", typestr);
4299 bpf_error("ATALK host filtering not implemented");
4302 bpf_error("AARP host filtering not implemented");
4305 return gen_dnhostop(addr, dir);
4308 bpf_error("SCA host filtering not implemented");
4311 bpf_error("LAT host filtering not implemented");
4314 bpf_error("MOPDL host filtering not implemented");
4317 bpf_error("MOPRC host filtering not implemented");
4321 bpf_error("'ip6' modifier applied to ip host");
4324 bpf_error("'icmp6' modifier applied to %s", typestr);
4328 bpf_error("'ah' modifier applied to %s", typestr);
4331 bpf_error("'esp' modifier applied to %s", typestr);
4334 bpf_error("ISO host filtering not implemented");
4337 bpf_error("'esis' modifier applied to %s", typestr);
4340 bpf_error("'isis' modifier applied to %s", typestr);
4343 bpf_error("'clnp' modifier applied to %s", typestr);
4346 bpf_error("'stp' modifier applied to %s", typestr);
4349 bpf_error("IPX host filtering not implemented");
4352 bpf_error("'netbeui' modifier applied to %s", typestr);
4355 bpf_error("'radio' modifier applied to %s", typestr);
4364 static struct block *
4365 gen_host6(addr, mask, proto, dir, type)
4366 struct in6_addr *addr;
4367 struct in6_addr *mask;
4372 const char *typestr;
4382 return gen_host6(addr, mask, Q_IPV6, dir, type);
4385 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4388 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4391 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4394 bpf_error("'sctp' modifier applied to %s", typestr);
4397 bpf_error("'tcp' modifier applied to %s", typestr);
4400 bpf_error("'udp' modifier applied to %s", typestr);
4403 bpf_error("'icmp' modifier applied to %s", typestr);
4406 bpf_error("'igmp' modifier applied to %s", typestr);
4409 bpf_error("'igrp' modifier applied to %s", typestr);
4412 bpf_error("'pim' modifier applied to %s", typestr);
4415 bpf_error("'vrrp' modifier applied to %s", typestr);
4418 bpf_error("ATALK host filtering not implemented");
4421 bpf_error("AARP host filtering not implemented");
4424 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4427 bpf_error("SCA host filtering not implemented");
4430 bpf_error("LAT host filtering not implemented");
4433 bpf_error("MOPDL host filtering not implemented");
4436 bpf_error("MOPRC host filtering not implemented");
4439 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4442 bpf_error("'icmp6' modifier applied to %s", typestr);
4445 bpf_error("'ah' modifier applied to %s", typestr);
4448 bpf_error("'esp' modifier applied to %s", typestr);
4451 bpf_error("ISO host filtering not implemented");
4454 bpf_error("'esis' modifier applied to %s", typestr);
4457 bpf_error("'isis' modifier applied to %s", typestr);
4460 bpf_error("'clnp' modifier applied to %s", typestr);
4463 bpf_error("'stp' modifier applied to %s", typestr);
4466 bpf_error("IPX host filtering not implemented");
4469 bpf_error("'netbeui' modifier applied to %s", typestr);
4472 bpf_error("'radio' modifier applied to %s", typestr);
4482 static struct block *
4483 gen_gateway(eaddr, alist, proto, dir)
4484 const u_char *eaddr;
4485 bpf_u_int32 **alist;
4489 struct block *b0, *b1, *tmp;
4492 bpf_error("direction applied to 'gateway'");
4501 b0 = gen_ehostop(eaddr, Q_OR);
4504 b0 = gen_fhostop(eaddr, Q_OR);
4507 b0 = gen_thostop(eaddr, Q_OR);
4509 case DLT_IEEE802_11:
4510 case DLT_PRISM_HEADER:
4511 case DLT_IEEE802_11_RADIO_AVS:
4512 case DLT_IEEE802_11_RADIO:
4514 b0 = gen_wlanhostop(eaddr, Q_OR);
4519 * Check that the packet doesn't begin with an
4520 * LE Control marker. (We've already generated
4523 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4528 * Now check the MAC address.
4530 b0 = gen_ehostop(eaddr, Q_OR);
4534 case DLT_IP_OVER_FC:
4535 b0 = gen_ipfchostop(eaddr, Q_OR);
4539 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
4541 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4543 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4552 bpf_error("illegal modifier of 'gateway'");
4558 gen_proto_abbrev(proto)
4567 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4569 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4575 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4577 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4583 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4585 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4591 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4594 #ifndef IPPROTO_IGMP
4595 #define IPPROTO_IGMP 2
4599 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4602 #ifndef IPPROTO_IGRP
4603 #define IPPROTO_IGRP 9
4606 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4610 #define IPPROTO_PIM 103
4614 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4616 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4621 #ifndef IPPROTO_VRRP
4622 #define IPPROTO_VRRP 112
4626 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4630 b1 = gen_linktype(ETHERTYPE_IP);
4634 b1 = gen_linktype(ETHERTYPE_ARP);
4638 b1 = gen_linktype(ETHERTYPE_REVARP);
4642 bpf_error("link layer applied in wrong context");
4645 b1 = gen_linktype(ETHERTYPE_ATALK);
4649 b1 = gen_linktype(ETHERTYPE_AARP);
4653 b1 = gen_linktype(ETHERTYPE_DN);
4657 b1 = gen_linktype(ETHERTYPE_SCA);
4661 b1 = gen_linktype(ETHERTYPE_LAT);
4665 b1 = gen_linktype(ETHERTYPE_MOPDL);
4669 b1 = gen_linktype(ETHERTYPE_MOPRC);
4674 b1 = gen_linktype(ETHERTYPE_IPV6);
4677 #ifndef IPPROTO_ICMPV6
4678 #define IPPROTO_ICMPV6 58
4681 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4686 #define IPPROTO_AH 51
4689 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4691 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4697 #define IPPROTO_ESP 50
4700 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4702 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4708 b1 = gen_linktype(LLCSAP_ISONS);
4712 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4716 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4719 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4720 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4721 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4723 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4725 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4727 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4731 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4732 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4733 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4735 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4737 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4739 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4743 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4744 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4745 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4747 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4752 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4753 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4758 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4759 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4761 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4763 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4768 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4769 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4774 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4775 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4780 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4784 b1 = gen_linktype(LLCSAP_8021D);
4788 b1 = gen_linktype(LLCSAP_IPX);
4792 b1 = gen_linktype(LLCSAP_NETBEUI);
4796 bpf_error("'radio' is not a valid protocol type");
4804 static struct block *
4811 s = gen_load_a(OR_NET, 6, BPF_H);
4812 b = new_block(JMP(BPF_JSET));
4821 * Generate a comparison to a port value in the transport-layer header
4822 * at the specified offset from the beginning of that header.
4824 * XXX - this handles a variable-length prefix preceding the link-layer
4825 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4826 * variable-length link-layer headers (such as Token Ring or 802.11
4829 static struct block *
4830 gen_portatom(off, v)
4834 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4838 static struct block *
4839 gen_portatom6(off, v)
4843 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4848 gen_portop(port, proto, dir)
4849 int port, proto, dir;
4851 struct block *b0, *b1, *tmp;
4853 /* ip proto 'proto' */
4854 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4860 b1 = gen_portatom(0, (bpf_int32)port);
4864 b1 = gen_portatom(2, (bpf_int32)port);
4869 tmp = gen_portatom(0, (bpf_int32)port);
4870 b1 = gen_portatom(2, (bpf_int32)port);
4875 tmp = gen_portatom(0, (bpf_int32)port);
4876 b1 = gen_portatom(2, (bpf_int32)port);
4888 static struct block *
4889 gen_port(port, ip_proto, dir)
4894 struct block *b0, *b1, *tmp;
4899 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4900 * not LLC encapsulation with LLCSAP_IP.
4902 * For IEEE 802 networks - which includes 802.5 token ring
4903 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4904 * says that SNAP encapsulation is used, not LLC encapsulation
4907 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4908 * RFC 2225 say that SNAP encapsulation is used, not LLC
4909 * encapsulation with LLCSAP_IP.
4911 * So we always check for ETHERTYPE_IP.
4913 b0 = gen_linktype(ETHERTYPE_IP);
4919 b1 = gen_portop(port, ip_proto, dir);
4923 tmp = gen_portop(port, IPPROTO_TCP, dir);
4924 b1 = gen_portop(port, IPPROTO_UDP, dir);
4926 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4939 gen_portop6(port, proto, dir)
4940 int port, proto, dir;
4942 struct block *b0, *b1, *tmp;
4944 /* ip6 proto 'proto' */
4945 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4949 b1 = gen_portatom6(0, (bpf_int32)port);
4953 b1 = gen_portatom6(2, (bpf_int32)port);
4958 tmp = gen_portatom6(0, (bpf_int32)port);
4959 b1 = gen_portatom6(2, (bpf_int32)port);
4964 tmp = gen_portatom6(0, (bpf_int32)port);
4965 b1 = gen_portatom6(2, (bpf_int32)port);
4977 static struct block *
4978 gen_port6(port, ip_proto, dir)
4983 struct block *b0, *b1, *tmp;
4985 /* link proto ip6 */
4986 b0 = gen_linktype(ETHERTYPE_IPV6);
4992 b1 = gen_portop6(port, ip_proto, dir);
4996 tmp = gen_portop6(port, IPPROTO_TCP, dir);
4997 b1 = gen_portop6(port, IPPROTO_UDP, dir);
4999 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5011 /* gen_portrange code */
5012 static struct block *
5013 gen_portrangeatom(off, v1, v2)
5017 struct block *b1, *b2;
5021 * Reverse the order of the ports, so v1 is the lower one.
5030 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5031 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5039 gen_portrangeop(port1, port2, proto, dir)
5044 struct block *b0, *b1, *tmp;
5046 /* ip proto 'proto' */
5047 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5053 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5057 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5062 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5063 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5068 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5069 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5081 static struct block *
5082 gen_portrange(port1, port2, ip_proto, dir)
5087 struct block *b0, *b1, *tmp;
5090 b0 = gen_linktype(ETHERTYPE_IP);
5096 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5100 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5101 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5103 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5115 static struct block *
5116 gen_portrangeatom6(off, v1, v2)
5120 struct block *b1, *b2;
5124 * Reverse the order of the ports, so v1 is the lower one.
5133 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5134 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5142 gen_portrangeop6(port1, port2, proto, dir)
5147 struct block *b0, *b1, *tmp;
5149 /* ip6 proto 'proto' */
5150 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5154 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5158 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5163 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5164 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5169 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5170 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5182 static struct block *
5183 gen_portrange6(port1, port2, ip_proto, dir)
5188 struct block *b0, *b1, *tmp;
5190 /* link proto ip6 */
5191 b0 = gen_linktype(ETHERTYPE_IPV6);
5197 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5201 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5202 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5204 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5217 lookup_proto(name, proto)
5218 register const char *name;
5228 v = pcap_nametoproto(name);
5229 if (v == PROTO_UNDEF)
5230 bpf_error("unknown ip proto '%s'", name);
5234 /* XXX should look up h/w protocol type based on linktype */
5235 v = pcap_nametoeproto(name);
5236 if (v == PROTO_UNDEF) {
5237 v = pcap_nametollc(name);
5238 if (v == PROTO_UNDEF)
5239 bpf_error("unknown ether proto '%s'", name);
5244 if (strcmp(name, "esis") == 0)
5246 else if (strcmp(name, "isis") == 0)
5248 else if (strcmp(name, "clnp") == 0)
5251 bpf_error("unknown osi proto '%s'", name);
5271 static struct block *
5272 gen_protochain(v, proto, dir)
5277 #ifdef NO_PROTOCHAIN
5278 return gen_proto(v, proto, dir);
5280 struct block *b0, *b;
5281 struct slist *s[100];
5282 int fix2, fix3, fix4, fix5;
5283 int ahcheck, again, end;
5285 int reg2 = alloc_reg();
5287 memset(s, 0, sizeof(s));
5288 fix2 = fix3 = fix4 = fix5 = 0;
5295 b0 = gen_protochain(v, Q_IP, dir);
5296 b = gen_protochain(v, Q_IPV6, dir);
5300 bpf_error("bad protocol applied for 'protochain'");
5305 * We don't handle variable-length prefixes before the link-layer
5306 * header, or variable-length link-layer headers, here yet.
5307 * We might want to add BPF instructions to do the protochain
5308 * work, to simplify that and, on platforms that have a BPF
5309 * interpreter with the new instructions, let the filtering
5310 * be done in the kernel. (We already require a modified BPF
5311 * engine to do the protochain stuff, to support backward
5312 * branches, and backward branch support is unlikely to appear
5313 * in kernel BPF engines.)
5317 case DLT_IEEE802_11:
5318 case DLT_PRISM_HEADER:
5319 case DLT_IEEE802_11_RADIO_AVS:
5320 case DLT_IEEE802_11_RADIO:
5322 bpf_error("'protochain' not supported with 802.11");
5325 no_optimize = 1; /*this code is not compatible with optimzer yet */
5328 * s[0] is a dummy entry to protect other BPF insn from damage
5329 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5330 * hard to find interdependency made by jump table fixup.
5333 s[i] = new_stmt(0); /*dummy*/
5338 b0 = gen_linktype(ETHERTYPE_IP);
5341 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5342 s[i]->s.k = off_macpl + off_nl + 9;
5344 /* X = ip->ip_hl << 2 */
5345 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5346 s[i]->s.k = off_macpl + off_nl;
5351 b0 = gen_linktype(ETHERTYPE_IPV6);
5353 /* A = ip6->ip_nxt */
5354 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5355 s[i]->s.k = off_macpl + off_nl + 6;
5357 /* X = sizeof(struct ip6_hdr) */
5358 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5364 bpf_error("unsupported proto to gen_protochain");
5368 /* again: if (A == v) goto end; else fall through; */
5370 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5372 s[i]->s.jt = NULL; /*later*/
5373 s[i]->s.jf = NULL; /*update in next stmt*/
5377 #ifndef IPPROTO_NONE
5378 #define IPPROTO_NONE 59
5380 /* if (A == IPPROTO_NONE) goto end */
5381 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5382 s[i]->s.jt = NULL; /*later*/
5383 s[i]->s.jf = NULL; /*update in next stmt*/
5384 s[i]->s.k = IPPROTO_NONE;
5385 s[fix5]->s.jf = s[i];
5390 if (proto == Q_IPV6) {
5391 int v6start, v6end, v6advance, j;
5394 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5395 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5396 s[i]->s.jt = NULL; /*later*/
5397 s[i]->s.jf = NULL; /*update in next stmt*/
5398 s[i]->s.k = IPPROTO_HOPOPTS;
5399 s[fix2]->s.jf = s[i];
5401 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5402 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5403 s[i]->s.jt = NULL; /*later*/
5404 s[i]->s.jf = NULL; /*update in next stmt*/
5405 s[i]->s.k = IPPROTO_DSTOPTS;
5407 /* if (A == IPPROTO_ROUTING) goto v6advance */
5408 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5409 s[i]->s.jt = NULL; /*later*/
5410 s[i]->s.jf = NULL; /*update in next stmt*/
5411 s[i]->s.k = IPPROTO_ROUTING;
5413 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5414 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5415 s[i]->s.jt = NULL; /*later*/
5416 s[i]->s.jf = NULL; /*later*/
5417 s[i]->s.k = IPPROTO_FRAGMENT;
5428 * X = X + (P[X + 1] + 1) * 8;
5431 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5433 /* A = P[X + packet head] */
5434 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5435 s[i]->s.k = off_macpl + off_nl;
5438 s[i] = new_stmt(BPF_ST);
5442 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5445 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5449 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5451 /* A = P[X + packet head]; */
5452 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5453 s[i]->s.k = off_macpl + off_nl;
5456 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5460 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5464 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5467 s[i] = new_stmt(BPF_LD|BPF_MEM);
5471 /* goto again; (must use BPF_JA for backward jump) */
5472 s[i] = new_stmt(BPF_JMP|BPF_JA);
5473 s[i]->s.k = again - i - 1;
5474 s[i - 1]->s.jf = s[i];
5478 for (j = v6start; j <= v6end; j++)
5479 s[j]->s.jt = s[v6advance];
5484 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5486 s[fix2]->s.jf = s[i];
5492 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5493 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5494 s[i]->s.jt = NULL; /*later*/
5495 s[i]->s.jf = NULL; /*later*/
5496 s[i]->s.k = IPPROTO_AH;
5498 s[fix3]->s.jf = s[ahcheck];
5505 * X = X + (P[X + 1] + 2) * 4;
5508 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5510 /* A = P[X + packet head]; */
5511 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5512 s[i]->s.k = off_macpl + off_nl;
5515 s[i] = new_stmt(BPF_ST);
5519 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5522 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5526 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5528 /* A = P[X + packet head] */
5529 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5530 s[i]->s.k = off_macpl + off_nl;
5533 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5537 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5541 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5544 s[i] = new_stmt(BPF_LD|BPF_MEM);
5548 /* goto again; (must use BPF_JA for backward jump) */
5549 s[i] = new_stmt(BPF_JMP|BPF_JA);
5550 s[i]->s.k = again - i - 1;
5555 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5557 s[fix2]->s.jt = s[end];
5558 s[fix4]->s.jf = s[end];
5559 s[fix5]->s.jt = s[end];
5566 for (i = 0; i < max - 1; i++)
5567 s[i]->next = s[i + 1];
5568 s[max - 1]->next = NULL;
5573 b = new_block(JMP(BPF_JEQ));
5574 b->stmts = s[1]; /*remember, s[0] is dummy*/
5584 static struct block *
5585 gen_check_802_11_data_frame()
5588 struct block *b0, *b1;
5591 * A data frame has the 0x08 bit (b3) in the frame control field set
5592 * and the 0x04 bit (b2) clear.
5594 s = gen_load_a(OR_LINK, 0, BPF_B);
5595 b0 = new_block(JMP(BPF_JSET));
5599 s = gen_load_a(OR_LINK, 0, BPF_B);
5600 b1 = new_block(JMP(BPF_JSET));
5611 * Generate code that checks whether the packet is a packet for protocol
5612 * <proto> and whether the type field in that protocol's header has
5613 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5614 * IP packet and checks the protocol number in the IP header against <v>.
5616 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5617 * against Q_IP and Q_IPV6.
5619 static struct block *
5620 gen_proto(v, proto, dir)
5625 struct block *b0, *b1;
5627 if (dir != Q_DEFAULT)
5628 bpf_error("direction applied to 'proto'");
5633 b0 = gen_proto(v, Q_IP, dir);
5634 b1 = gen_proto(v, Q_IPV6, dir);
5642 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5643 * not LLC encapsulation with LLCSAP_IP.
5645 * For IEEE 802 networks - which includes 802.5 token ring
5646 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5647 * says that SNAP encapsulation is used, not LLC encapsulation
5650 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5651 * RFC 2225 say that SNAP encapsulation is used, not LLC
5652 * encapsulation with LLCSAP_IP.
5654 * So we always check for ETHERTYPE_IP.
5656 b0 = gen_linktype(ETHERTYPE_IP);
5658 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5660 b1 = gen_protochain(v, Q_IP);
5670 * Frame Relay packets typically have an OSI
5671 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5672 * generates code to check for all the OSI
5673 * NLPIDs, so calling it and then adding a check
5674 * for the particular NLPID for which we're
5675 * looking is bogus, as we can just check for
5678 * What we check for is the NLPID and a frame
5679 * control field value of UI, i.e. 0x03 followed
5682 * XXX - assumes a 2-byte Frame Relay header with
5683 * DLCI and flags. What if the address is longer?
5685 * XXX - what about SNAP-encapsulated frames?
5687 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5693 * Cisco uses an Ethertype lookalike - for OSI,
5696 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5697 /* OSI in C-HDLC is stuffed with a fudge byte */
5698 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5703 b0 = gen_linktype(LLCSAP_ISONS);
5704 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5710 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5712 * 4 is the offset of the PDU type relative to the IS-IS
5715 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5720 bpf_error("arp does not encapsulate another protocol");
5724 bpf_error("rarp does not encapsulate another protocol");
5728 bpf_error("atalk encapsulation is not specifiable");
5732 bpf_error("decnet encapsulation is not specifiable");
5736 bpf_error("sca does not encapsulate another protocol");
5740 bpf_error("lat does not encapsulate another protocol");
5744 bpf_error("moprc does not encapsulate another protocol");
5748 bpf_error("mopdl does not encapsulate another protocol");
5752 return gen_linktype(v);
5755 bpf_error("'udp proto' is bogus");
5759 bpf_error("'tcp proto' is bogus");
5763 bpf_error("'sctp proto' is bogus");
5767 bpf_error("'icmp proto' is bogus");
5771 bpf_error("'igmp proto' is bogus");
5775 bpf_error("'igrp proto' is bogus");
5779 bpf_error("'pim proto' is bogus");
5783 bpf_error("'vrrp proto' is bogus");
5788 b0 = gen_linktype(ETHERTYPE_IPV6);
5790 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5792 b1 = gen_protochain(v, Q_IPV6);
5798 bpf_error("'icmp6 proto' is bogus");
5802 bpf_error("'ah proto' is bogus");
5805 bpf_error("'ah proto' is bogus");
5808 bpf_error("'stp proto' is bogus");
5811 bpf_error("'ipx proto' is bogus");
5814 bpf_error("'netbeui proto' is bogus");
5817 bpf_error("'radio proto' is bogus");
5828 register const char *name;
5831 int proto = q.proto;
5835 bpf_u_int32 mask, addr;
5837 bpf_u_int32 **alist;
5840 struct sockaddr_in *sin4;
5841 struct sockaddr_in6 *sin6;
5842 struct addrinfo *res, *res0;
5843 struct in6_addr mask128;
5845 struct block *b, *tmp;
5846 int port, real_proto;
5852 addr = pcap_nametonetaddr(name);
5854 bpf_error("unknown network '%s'", name);
5855 /* Left justify network addr and calculate its network mask */
5857 while (addr && (addr & 0xff000000) == 0) {
5861 return gen_host(addr, mask, proto, dir, q.addr);
5865 if (proto == Q_LINK) {
5869 eaddr = pcap_ether_hostton(name);
5872 "unknown ether host '%s'", name);
5873 b = gen_ehostop(eaddr, dir);
5878 eaddr = pcap_ether_hostton(name);
5881 "unknown FDDI host '%s'", name);
5882 b = gen_fhostop(eaddr, dir);
5887 eaddr = pcap_ether_hostton(name);
5890 "unknown token ring host '%s'", name);
5891 b = gen_thostop(eaddr, dir);
5895 case DLT_IEEE802_11:
5896 case DLT_PRISM_HEADER:
5897 case DLT_IEEE802_11_RADIO_AVS:
5898 case DLT_IEEE802_11_RADIO:
5900 eaddr = pcap_ether_hostton(name);
5903 "unknown 802.11 host '%s'", name);
5904 b = gen_wlanhostop(eaddr, dir);
5908 case DLT_IP_OVER_FC:
5909 eaddr = pcap_ether_hostton(name);
5912 "unknown Fibre Channel host '%s'", name);
5913 b = gen_ipfchostop(eaddr, dir);
5922 * Check that the packet doesn't begin
5923 * with an LE Control marker. (We've
5924 * already generated a test for LANE.)
5926 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5930 eaddr = pcap_ether_hostton(name);
5933 "unknown ether host '%s'", name);
5934 b = gen_ehostop(eaddr, dir);
5940 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
5941 } else if (proto == Q_DECNET) {
5942 unsigned short dn_addr = __pcap_nametodnaddr(name);
5944 * I don't think DECNET hosts can be multihomed, so
5945 * there is no need to build up a list of addresses
5947 return (gen_host(dn_addr, 0, proto, dir, q.addr));
5950 alist = pcap_nametoaddr(name);
5951 if (alist == NULL || *alist == NULL)
5952 bpf_error("unknown host '%s'", name);
5954 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
5956 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
5958 tmp = gen_host(**alist++, 0xffffffff,
5959 tproto, dir, q.addr);
5965 memset(&mask128, 0xff, sizeof(mask128));
5966 res0 = res = pcap_nametoaddrinfo(name);
5968 bpf_error("unknown host '%s'", name);
5970 tproto = tproto6 = proto;
5971 if (off_linktype == -1 && tproto == Q_DEFAULT) {
5975 for (res = res0; res; res = res->ai_next) {
5976 switch (res->ai_family) {
5978 if (tproto == Q_IPV6)
5981 sin4 = (struct sockaddr_in *)
5983 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
5984 0xffffffff, tproto, dir, q.addr);
5987 if (tproto6 == Q_IP)
5990 sin6 = (struct sockaddr_in6 *)
5992 tmp = gen_host6(&sin6->sin6_addr,
5993 &mask128, tproto6, dir, q.addr);
6004 bpf_error("unknown host '%s'%s", name,
6005 (proto == Q_DEFAULT)
6007 : " for specified address family");
6014 if (proto != Q_DEFAULT &&
6015 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6016 bpf_error("illegal qualifier of 'port'");
6017 if (pcap_nametoport(name, &port, &real_proto) == 0)
6018 bpf_error("unknown port '%s'", name);
6019 if (proto == Q_UDP) {
6020 if (real_proto == IPPROTO_TCP)
6021 bpf_error("port '%s' is tcp", name);
6022 else if (real_proto == IPPROTO_SCTP)
6023 bpf_error("port '%s' is sctp", name);
6025 /* override PROTO_UNDEF */
6026 real_proto = IPPROTO_UDP;
6028 if (proto == Q_TCP) {
6029 if (real_proto == IPPROTO_UDP)
6030 bpf_error("port '%s' is udp", name);
6032 else if (real_proto == IPPROTO_SCTP)
6033 bpf_error("port '%s' is sctp", name);
6035 /* override PROTO_UNDEF */
6036 real_proto = IPPROTO_TCP;
6038 if (proto == Q_SCTP) {
6039 if (real_proto == IPPROTO_UDP)
6040 bpf_error("port '%s' is udp", name);
6042 else if (real_proto == IPPROTO_TCP)
6043 bpf_error("port '%s' is tcp", name);
6045 /* override PROTO_UNDEF */
6046 real_proto = IPPROTO_SCTP;
6049 return gen_port(port, real_proto, dir);
6051 b = gen_port(port, real_proto, dir);
6052 gen_or(gen_port6(port, real_proto, dir), b);
6057 if (proto != Q_DEFAULT &&
6058 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6059 bpf_error("illegal qualifier of 'portrange'");
6060 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6061 bpf_error("unknown port in range '%s'", name);
6062 if (proto == Q_UDP) {
6063 if (real_proto == IPPROTO_TCP)
6064 bpf_error("port in range '%s' is tcp", name);
6065 else if (real_proto == IPPROTO_SCTP)
6066 bpf_error("port in range '%s' is sctp", name);
6068 /* override PROTO_UNDEF */
6069 real_proto = IPPROTO_UDP;
6071 if (proto == Q_TCP) {
6072 if (real_proto == IPPROTO_UDP)
6073 bpf_error("port in range '%s' is udp", name);
6074 else if (real_proto == IPPROTO_SCTP)
6075 bpf_error("port in range '%s' is sctp", name);
6077 /* override PROTO_UNDEF */
6078 real_proto = IPPROTO_TCP;
6080 if (proto == Q_SCTP) {
6081 if (real_proto == IPPROTO_UDP)
6082 bpf_error("port in range '%s' is udp", name);
6083 else if (real_proto == IPPROTO_TCP)
6084 bpf_error("port in range '%s' is tcp", name);
6086 /* override PROTO_UNDEF */
6087 real_proto = IPPROTO_SCTP;
6090 return gen_portrange(port1, port2, real_proto, dir);
6092 b = gen_portrange(port1, port2, real_proto, dir);
6093 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6099 eaddr = pcap_ether_hostton(name);
6101 bpf_error("unknown ether host: %s", name);
6103 alist = pcap_nametoaddr(name);
6104 if (alist == NULL || *alist == NULL)
6105 bpf_error("unknown host '%s'", name);
6106 b = gen_gateway(eaddr, alist, proto, dir);
6110 bpf_error("'gateway' not supported in this configuration");
6114 real_proto = lookup_proto(name, proto);
6115 if (real_proto >= 0)
6116 return gen_proto(real_proto, proto, dir);
6118 bpf_error("unknown protocol: %s", name);
6121 real_proto = lookup_proto(name, proto);
6122 if (real_proto >= 0)
6123 return gen_protochain(real_proto, proto, dir);
6125 bpf_error("unknown protocol: %s", name);
6136 gen_mcode(s1, s2, masklen, q)
6137 register const char *s1, *s2;
6138 register int masklen;
6141 register int nlen, mlen;
6144 nlen = __pcap_atoin(s1, &n);
6145 /* Promote short ipaddr */
6149 mlen = __pcap_atoin(s2, &m);
6150 /* Promote short ipaddr */
6153 bpf_error("non-network bits set in \"%s mask %s\"",
6156 /* Convert mask len to mask */
6158 bpf_error("mask length must be <= 32");
6161 * X << 32 is not guaranteed by C to be 0; it's
6166 m = 0xffffffff << (32 - masklen);
6168 bpf_error("non-network bits set in \"%s/%d\"",
6175 return gen_host(n, m, q.proto, q.dir, q.addr);
6178 bpf_error("Mask syntax for networks only");
6187 register const char *s;
6192 int proto = q.proto;
6198 else if (q.proto == Q_DECNET)
6199 vlen = __pcap_atodn(s, &v);
6201 vlen = __pcap_atoin(s, &v);
6208 if (proto == Q_DECNET)
6209 return gen_host(v, 0, proto, dir, q.addr);
6210 else if (proto == Q_LINK) {
6211 bpf_error("illegal link layer address");
6214 if (s == NULL && q.addr == Q_NET) {
6215 /* Promote short net number */
6216 while (v && (v & 0xff000000) == 0) {
6221 /* Promote short ipaddr */
6225 return gen_host(v, mask, proto, dir, q.addr);
6230 proto = IPPROTO_UDP;
6231 else if (proto == Q_TCP)
6232 proto = IPPROTO_TCP;
6233 else if (proto == Q_SCTP)
6234 proto = IPPROTO_SCTP;
6235 else if (proto == Q_DEFAULT)
6236 proto = PROTO_UNDEF;
6238 bpf_error("illegal qualifier of 'port'");
6241 return gen_port((int)v, proto, dir);
6245 b = gen_port((int)v, proto, dir);
6246 gen_or(gen_port6((int)v, proto, dir), b);
6253 proto = IPPROTO_UDP;
6254 else if (proto == Q_TCP)
6255 proto = IPPROTO_TCP;
6256 else if (proto == Q_SCTP)
6257 proto = IPPROTO_SCTP;
6258 else if (proto == Q_DEFAULT)
6259 proto = PROTO_UNDEF;
6261 bpf_error("illegal qualifier of 'portrange'");
6264 return gen_portrange((int)v, (int)v, proto, dir);
6268 b = gen_portrange((int)v, (int)v, proto, dir);
6269 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6275 bpf_error("'gateway' requires a name");
6279 return gen_proto((int)v, proto, dir);
6282 return gen_protochain((int)v, proto, dir);
6297 gen_mcode6(s1, s2, masklen, q)
6298 register const char *s1, *s2;
6299 register int masklen;
6302 struct addrinfo *res;
6303 struct in6_addr *addr;
6304 struct in6_addr mask;
6309 bpf_error("no mask %s supported", s2);
6311 res = pcap_nametoaddrinfo(s1);
6313 bpf_error("invalid ip6 address %s", s1);
6315 bpf_error("%s resolved to multiple address", s1);
6316 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6318 if (sizeof(mask) * 8 < masklen)
6319 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6320 memset(&mask, 0, sizeof(mask));
6321 memset(&mask, 0xff, masklen / 8);
6323 mask.s6_addr[masklen / 8] =
6324 (0xff << (8 - masklen % 8)) & 0xff;
6327 a = (u_int32_t *)addr;
6328 m = (u_int32_t *)&mask;
6329 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6330 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6331 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6339 bpf_error("Mask syntax for networks only");
6343 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6348 bpf_error("invalid qualifier against IPv6 address");
6357 register const u_char *eaddr;
6360 struct block *b, *tmp;
6362 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6365 return gen_ehostop(eaddr, (int)q.dir);
6367 return gen_fhostop(eaddr, (int)q.dir);
6369 return gen_thostop(eaddr, (int)q.dir);
6370 case DLT_IEEE802_11:
6371 case DLT_PRISM_HEADER:
6372 case DLT_IEEE802_11_RADIO_AVS:
6373 case DLT_IEEE802_11_RADIO:
6375 return gen_wlanhostop(eaddr, (int)q.dir);
6379 * Check that the packet doesn't begin with an
6380 * LE Control marker. (We've already generated
6383 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6388 * Now check the MAC address.
6390 b = gen_ehostop(eaddr, (int)q.dir);
6395 case DLT_IP_OVER_FC:
6396 return gen_ipfchostop(eaddr, (int)q.dir);
6398 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6402 bpf_error("ethernet address used in non-ether expression");
6409 struct slist *s0, *s1;
6412 * This is definitely not the best way to do this, but the
6413 * lists will rarely get long.
6420 static struct slist *
6426 s = new_stmt(BPF_LDX|BPF_MEM);
6431 static struct slist *
6437 s = new_stmt(BPF_LD|BPF_MEM);
6443 * Modify "index" to use the value stored into its register as an
6444 * offset relative to the beginning of the header for the protocol
6445 * "proto", and allocate a register and put an item "size" bytes long
6446 * (1, 2, or 4) at that offset into that register, making it the register
6450 gen_load(proto, inst, size)
6455 struct slist *s, *tmp;
6457 int regno = alloc_reg();
6459 free_reg(inst->regno);
6463 bpf_error("data size must be 1, 2, or 4");
6479 bpf_error("unsupported index operation");
6483 * The offset is relative to the beginning of the packet
6484 * data, if we have a radio header. (If we don't, this
6487 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6488 linktype != DLT_IEEE802_11_RADIO &&
6489 linktype != DLT_PRISM_HEADER)
6490 bpf_error("radio information not present in capture");
6493 * Load into the X register the offset computed into the
6494 * register specifed by "index".
6496 s = xfer_to_x(inst);
6499 * Load the item at that offset.
6501 tmp = new_stmt(BPF_LD|BPF_IND|size);
6503 sappend(inst->s, s);
6508 * The offset is relative to the beginning of
6509 * the link-layer header.
6511 * XXX - what about ATM LANE? Should the index be
6512 * relative to the beginning of the AAL5 frame, so
6513 * that 0 refers to the beginning of the LE Control
6514 * field, or relative to the beginning of the LAN
6515 * frame, so that 0 refers, for Ethernet LANE, to
6516 * the beginning of the destination address?
6518 s = gen_llprefixlen();
6521 * If "s" is non-null, it has code to arrange that the
6522 * X register contains the length of the prefix preceding
6523 * the link-layer header. Add to it the offset computed
6524 * into the register specified by "index", and move that
6525 * into the X register. Otherwise, just load into the X
6526 * register the offset computed into the register specifed
6530 sappend(s, xfer_to_a(inst));
6531 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6532 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6534 s = xfer_to_x(inst);
6537 * Load the item at the sum of the offset we've put in the
6538 * X register and the offset of the start of the link
6539 * layer header (which is 0 if the radio header is
6540 * variable-length; that header length is what we put
6541 * into the X register and then added to the index).
6543 tmp = new_stmt(BPF_LD|BPF_IND|size);
6546 sappend(inst->s, s);
6562 * The offset is relative to the beginning of
6563 * the network-layer header.
6564 * XXX - are there any cases where we want
6567 s = gen_off_macpl();
6570 * If "s" is non-null, it has code to arrange that the
6571 * X register contains the offset of the MAC-layer
6572 * payload. Add to it the offset computed into the
6573 * register specified by "index", and move that into
6574 * the X register. Otherwise, just load into the X
6575 * register the offset computed into the register specifed
6579 sappend(s, xfer_to_a(inst));
6580 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6581 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6583 s = xfer_to_x(inst);
6586 * Load the item at the sum of the offset we've put in the
6587 * X register, the offset of the start of the network
6588 * layer header from the beginning of the MAC-layer
6589 * payload, and the purported offset of the start of the
6590 * MAC-layer payload (which might be 0 if there's a
6591 * variable-length prefix before the link-layer header
6592 * or the link-layer header itself is variable-length;
6593 * the variable-length offset of the start of the
6594 * MAC-layer payload is what we put into the X register
6595 * and then added to the index).
6597 tmp = new_stmt(BPF_LD|BPF_IND|size);
6598 tmp->s.k = off_macpl + off_nl;
6600 sappend(inst->s, s);
6603 * Do the computation only if the packet contains
6604 * the protocol in question.
6606 b = gen_proto_abbrev(proto);
6608 gen_and(inst->b, b);
6621 * The offset is relative to the beginning of
6622 * the transport-layer header.
6624 * Load the X register with the length of the IPv4 header
6625 * (plus the offset of the link-layer header, if it's
6626 * a variable-length header), in bytes.
6628 * XXX - are there any cases where we want
6630 * XXX - we should, if we're built with
6631 * IPv6 support, generate code to load either
6632 * IPv4, IPv6, or both, as appropriate.
6634 s = gen_loadx_iphdrlen();
6637 * The X register now contains the sum of the length
6638 * of any variable-length header preceding the link-layer
6639 * header, any variable-length link-layer header, and the
6640 * length of the network-layer header.
6642 * Load into the A register the offset relative to
6643 * the beginning of the transport layer header,
6644 * add the X register to that, move that to the
6645 * X register, and load with an offset from the
6646 * X register equal to the offset of the network
6647 * layer header relative to the beginning of
6648 * the MAC-layer payload plus the fixed-length
6649 * portion of the offset of the MAC-layer payload
6650 * from the beginning of the raw packet data.
6652 sappend(s, xfer_to_a(inst));
6653 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6654 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6655 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6656 tmp->s.k = off_macpl + off_nl;
6657 sappend(inst->s, s);
6660 * Do the computation only if the packet contains
6661 * the protocol in question - which is true only
6662 * if this is an IP datagram and is the first or
6663 * only fragment of that datagram.
6665 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6667 gen_and(inst->b, b);
6669 gen_and(gen_proto_abbrev(Q_IP), b);
6675 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6679 inst->regno = regno;
6680 s = new_stmt(BPF_ST);
6682 sappend(inst->s, s);
6688 gen_relation(code, a0, a1, reversed)
6690 struct arth *a0, *a1;
6693 struct slist *s0, *s1, *s2;
6694 struct block *b, *tmp;
6698 if (code == BPF_JEQ) {
6699 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6700 b = new_block(JMP(code));
6704 b = new_block(BPF_JMP|code|BPF_X);
6710 sappend(a0->s, a1->s);
6714 free_reg(a0->regno);
6715 free_reg(a1->regno);
6717 /* 'and' together protocol checks */
6720 gen_and(a0->b, tmp = a1->b);
6736 int regno = alloc_reg();
6737 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6740 s = new_stmt(BPF_LD|BPF_LEN);
6741 s->next = new_stmt(BPF_ST);
6742 s->next->s.k = regno;
6757 a = (struct arth *)newchunk(sizeof(*a));
6761 s = new_stmt(BPF_LD|BPF_IMM);
6763 s->next = new_stmt(BPF_ST);
6779 s = new_stmt(BPF_ALU|BPF_NEG);
6782 s = new_stmt(BPF_ST);
6790 gen_arth(code, a0, a1)
6792 struct arth *a0, *a1;
6794 struct slist *s0, *s1, *s2;
6798 s2 = new_stmt(BPF_ALU|BPF_X|code);
6803 sappend(a0->s, a1->s);
6805 free_reg(a0->regno);
6806 free_reg(a1->regno);
6808 s0 = new_stmt(BPF_ST);
6809 a0->regno = s0->s.k = alloc_reg();
6816 * Here we handle simple allocation of the scratch registers.
6817 * If too many registers are alloc'd, the allocator punts.
6819 static int regused[BPF_MEMWORDS];
6823 * Initialize the table of used registers and the current register.
6829 memset(regused, 0, sizeof regused);
6833 * Return the next free register.
6838 int n = BPF_MEMWORDS;
6841 if (regused[curreg])
6842 curreg = (curreg + 1) % BPF_MEMWORDS;
6844 regused[curreg] = 1;
6848 bpf_error("too many registers needed to evaluate expression");
6854 * Return a register to the table so it can
6864 static struct block *
6871 s = new_stmt(BPF_LD|BPF_LEN);
6872 b = new_block(JMP(jmp));
6883 return gen_len(BPF_JGE, n);
6887 * Actually, this is less than or equal.
6895 b = gen_len(BPF_JGT, n);
6902 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6903 * the beginning of the link-layer header.
6904 * XXX - that means you can't test values in the radiotap header, but
6905 * as that header is difficult if not impossible to parse generally
6906 * without a loop, that might not be a severe problem. A new keyword
6907 * "radio" could be added for that, although what you'd really want
6908 * would be a way of testing particular radio header values, which
6909 * would generate code appropriate to the radio header in question.
6912 gen_byteop(op, idx, val)
6923 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6926 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6930 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6934 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
6938 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
6942 b = new_block(JMP(BPF_JEQ));
6949 static u_char abroadcast[] = { 0x0 };
6952 gen_broadcast(proto)
6955 bpf_u_int32 hostmask;
6956 struct block *b0, *b1, *b2;
6957 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
6965 case DLT_ARCNET_LINUX:
6966 return gen_ahostop(abroadcast, Q_DST);
6968 return gen_ehostop(ebroadcast, Q_DST);
6970 return gen_fhostop(ebroadcast, Q_DST);
6972 return gen_thostop(ebroadcast, Q_DST);
6973 case DLT_IEEE802_11:
6974 case DLT_PRISM_HEADER:
6975 case DLT_IEEE802_11_RADIO_AVS:
6976 case DLT_IEEE802_11_RADIO:
6978 return gen_wlanhostop(ebroadcast, Q_DST);
6979 case DLT_IP_OVER_FC:
6980 return gen_ipfchostop(ebroadcast, Q_DST);
6984 * Check that the packet doesn't begin with an
6985 * LE Control marker. (We've already generated
6988 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6993 * Now check the MAC address.
6995 b0 = gen_ehostop(ebroadcast, Q_DST);
7001 bpf_error("not a broadcast link");
7006 b0 = gen_linktype(ETHERTYPE_IP);
7007 hostmask = ~netmask;
7008 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7009 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7010 (bpf_int32)(~0 & hostmask), hostmask);
7015 bpf_error("only link-layer/IP broadcast filters supported");
7021 * Generate code to test the low-order bit of a MAC address (that's
7022 * the bottom bit of the *first* byte).
7024 static struct block *
7025 gen_mac_multicast(offset)
7028 register struct block *b0;
7029 register struct slist *s;
7031 /* link[offset] & 1 != 0 */
7032 s = gen_load_a(OR_LINK, offset, BPF_B);
7033 b0 = new_block(JMP(BPF_JSET));
7040 gen_multicast(proto)
7043 register struct block *b0, *b1, *b2;
7044 register struct slist *s;
7052 case DLT_ARCNET_LINUX:
7053 /* all ARCnet multicasts use the same address */
7054 return gen_ahostop(abroadcast, Q_DST);
7056 /* ether[0] & 1 != 0 */
7057 return gen_mac_multicast(0);
7060 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7062 * XXX - was that referring to bit-order issues?
7064 /* fddi[1] & 1 != 0 */
7065 return gen_mac_multicast(1);
7067 /* tr[2] & 1 != 0 */
7068 return gen_mac_multicast(2);
7069 case DLT_IEEE802_11:
7070 case DLT_PRISM_HEADER:
7071 case DLT_IEEE802_11_RADIO_AVS:
7072 case DLT_IEEE802_11_RADIO:
7077 * For control frames, there is no DA.
7079 * For management frames, DA is at an
7080 * offset of 4 from the beginning of
7083 * For data frames, DA is at an offset
7084 * of 4 from the beginning of the packet
7085 * if To DS is clear and at an offset of
7086 * 16 from the beginning of the packet
7091 * Generate the tests to be done for data frames.
7093 * First, check for To DS set, i.e. "link[1] & 0x01".
7095 s = gen_load_a(OR_LINK, 1, BPF_B);
7096 b1 = new_block(JMP(BPF_JSET));
7097 b1->s.k = 0x01; /* To DS */
7101 * If To DS is set, the DA is at 16.
7103 b0 = gen_mac_multicast(16);
7107 * Now, check for To DS not set, i.e. check
7108 * "!(link[1] & 0x01)".
7110 s = gen_load_a(OR_LINK, 1, BPF_B);
7111 b2 = new_block(JMP(BPF_JSET));
7112 b2->s.k = 0x01; /* To DS */
7117 * If To DS is not set, the DA is at 4.
7119 b1 = gen_mac_multicast(4);
7123 * Now OR together the last two checks. That gives
7124 * the complete set of checks for data frames.
7129 * Now check for a data frame.
7130 * I.e, check "link[0] & 0x08".
7132 s = gen_load_a(OR_LINK, 0, BPF_B);
7133 b1 = new_block(JMP(BPF_JSET));
7138 * AND that with the checks done for data frames.
7143 * If the high-order bit of the type value is 0, this
7144 * is a management frame.
7145 * I.e, check "!(link[0] & 0x08)".
7147 s = gen_load_a(OR_LINK, 0, BPF_B);
7148 b2 = new_block(JMP(BPF_JSET));
7154 * For management frames, the DA is at 4.
7156 b1 = gen_mac_multicast(4);
7160 * OR that with the checks done for data frames.
7161 * That gives the checks done for management and
7167 * If the low-order bit of the type value is 1,
7168 * this is either a control frame or a frame
7169 * with a reserved type, and thus not a
7172 * I.e., check "!(link[0] & 0x04)".
7174 s = gen_load_a(OR_LINK, 0, BPF_B);
7175 b1 = new_block(JMP(BPF_JSET));
7181 * AND that with the checks for data and management
7186 case DLT_IP_OVER_FC:
7187 b0 = gen_mac_multicast(2);
7192 * Check that the packet doesn't begin with an
7193 * LE Control marker. (We've already generated
7196 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7200 /* ether[off_mac] & 1 != 0 */
7201 b0 = gen_mac_multicast(off_mac);
7209 /* Link not known to support multicasts */
7213 b0 = gen_linktype(ETHERTYPE_IP);
7214 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7220 b0 = gen_linktype(ETHERTYPE_IPV6);
7221 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7226 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7232 * generate command for inbound/outbound. It's here so we can
7233 * make it link-type specific. 'dir' = 0 implies "inbound",
7234 * = 1 implies "outbound".
7240 register struct block *b0;
7243 * Only some data link types support inbound/outbound qualifiers.
7247 b0 = gen_relation(BPF_JEQ,
7248 gen_load(Q_LINK, gen_loadi(0), 1),
7256 * Match packets sent by this machine.
7258 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7261 * Match packets sent to this machine.
7262 * (No broadcast or multicast packets, or
7263 * packets sent to some other machine and
7264 * received promiscuously.)
7266 * XXX - packets sent to other machines probably
7267 * shouldn't be matched, but what about broadcast
7268 * or multicast packets we received?
7270 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7274 #ifdef HAVE_NET_PFVAR_H
7276 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7277 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7283 /* match outgoing packets */
7284 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7286 /* match incoming packets */
7287 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7291 case DLT_JUNIPER_MFR:
7292 case DLT_JUNIPER_MLFR:
7293 case DLT_JUNIPER_MLPPP:
7294 case DLT_JUNIPER_ATM1:
7295 case DLT_JUNIPER_ATM2:
7296 case DLT_JUNIPER_PPPOE:
7297 case DLT_JUNIPER_PPPOE_ATM:
7298 case DLT_JUNIPER_GGSN:
7299 case DLT_JUNIPER_ES:
7300 case DLT_JUNIPER_MONITOR:
7301 case DLT_JUNIPER_SERVICES:
7302 case DLT_JUNIPER_ETHER:
7303 case DLT_JUNIPER_PPP:
7304 case DLT_JUNIPER_FRELAY:
7305 case DLT_JUNIPER_CHDLC:
7306 case DLT_JUNIPER_VP:
7307 case DLT_JUNIPER_ST:
7308 case DLT_JUNIPER_ISM:
7309 /* juniper flags (including direction) are stored
7310 * the byte after the 3-byte magic number */
7312 /* match outgoing packets */
7313 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7315 /* match incoming packets */
7316 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7321 bpf_error("inbound/outbound not supported on linktype %d",
7329 #ifdef HAVE_NET_PFVAR_H
7330 /* PF firewall log matched interface */
7332 gen_pf_ifname(const char *ifname)
7337 if (linktype != DLT_PFLOG) {
7338 bpf_error("ifname supported only on PF linktype");
7341 len = sizeof(((struct pfloghdr *)0)->ifname);
7342 off = offsetof(struct pfloghdr, ifname);
7343 if (strlen(ifname) >= len) {
7344 bpf_error("ifname interface names can only be %d characters",
7348 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7352 /* PF firewall log ruleset name */
7354 gen_pf_ruleset(char *ruleset)
7358 if (linktype != DLT_PFLOG) {
7359 bpf_error("ruleset supported only on PF linktype");
7363 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7364 bpf_error("ruleset names can only be %ld characters",
7365 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7369 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7370 strlen(ruleset), (const u_char *)ruleset);
7374 /* PF firewall log rule number */
7380 if (linktype != DLT_PFLOG) {
7381 bpf_error("rnr supported only on PF linktype");
7385 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7390 /* PF firewall log sub-rule number */
7392 gen_pf_srnr(int srnr)
7396 if (linktype != DLT_PFLOG) {
7397 bpf_error("srnr supported only on PF linktype");
7401 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7406 /* PF firewall log reason code */
7408 gen_pf_reason(int reason)
7412 if (linktype != DLT_PFLOG) {
7413 bpf_error("reason supported only on PF linktype");
7417 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7422 /* PF firewall log action */
7424 gen_pf_action(int action)
7428 if (linktype != DLT_PFLOG) {
7429 bpf_error("action supported only on PF linktype");
7433 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7437 #else /* !HAVE_NET_PFVAR_H */
7439 gen_pf_ifname(const char *ifname)
7441 bpf_error("libpcap was compiled without pf support");
7447 gen_pf_ruleset(char *ruleset)
7449 bpf_error("libpcap was compiled on a machine without pf support");
7457 bpf_error("libpcap was compiled on a machine without pf support");
7463 gen_pf_srnr(int srnr)
7465 bpf_error("libpcap was compiled on a machine without pf support");
7471 gen_pf_reason(int reason)
7473 bpf_error("libpcap was compiled on a machine without pf support");
7479 gen_pf_action(int action)
7481 bpf_error("libpcap was compiled on a machine without pf support");
7485 #endif /* HAVE_NET_PFVAR_H */
7487 /* IEEE 802.11 wireless header */
7489 gen_p80211_type(int type, int mask)
7495 case DLT_IEEE802_11:
7496 case DLT_PRISM_HEADER:
7497 case DLT_IEEE802_11_RADIO_AVS:
7498 case DLT_IEEE802_11_RADIO:
7499 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7504 bpf_error("802.11 link-layer types supported only on 802.11");
7512 gen_p80211_fcdir(int fcdir)
7518 case DLT_IEEE802_11:
7519 case DLT_PRISM_HEADER:
7520 case DLT_IEEE802_11_RADIO_AVS:
7521 case DLT_IEEE802_11_RADIO:
7525 bpf_error("frame direction supported only with 802.11 headers");
7529 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7530 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7537 register const u_char *eaddr;
7543 case DLT_ARCNET_LINUX:
7544 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7546 return (gen_ahostop(eaddr, (int)q.dir));
7548 bpf_error("ARCnet address used in non-arc expression");
7554 bpf_error("aid supported only on ARCnet");
7557 bpf_error("ARCnet address used in non-arc expression");
7562 static struct block *
7563 gen_ahostop(eaddr, dir)
7564 register const u_char *eaddr;
7567 register struct block *b0, *b1;
7570 /* src comes first, different from Ethernet */
7572 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7575 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7578 b0 = gen_ahostop(eaddr, Q_SRC);
7579 b1 = gen_ahostop(eaddr, Q_DST);
7585 b0 = gen_ahostop(eaddr, Q_SRC);
7586 b1 = gen_ahostop(eaddr, Q_DST);
7595 * support IEEE 802.1Q VLAN trunk over ethernet
7601 struct block *b0, *b1;
7603 /* can't check for VLAN-encapsulated packets inside MPLS */
7604 if (label_stack_depth > 0)
7605 bpf_error("no VLAN match after MPLS");
7608 * Check for a VLAN packet, and then change the offsets to point
7609 * to the type and data fields within the VLAN packet. Just
7610 * increment the offsets, so that we can support a hierarchy, e.g.
7611 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7614 * XXX - this is a bit of a kludge. If we were to split the
7615 * compiler into a parser that parses an expression and
7616 * generates an expression tree, and a code generator that
7617 * takes an expression tree (which could come from our
7618 * parser or from some other parser) and generates BPF code,
7619 * we could perhaps make the offsets parameters of routines
7620 * and, in the handler for an "AND" node, pass to subnodes
7621 * other than the VLAN node the adjusted offsets.
7623 * This would mean that "vlan" would, instead of changing the
7624 * behavior of *all* tests after it, change only the behavior
7625 * of tests ANDed with it. That would change the documented
7626 * semantics of "vlan", which might break some expressions.
7627 * However, it would mean that "(vlan and ip) or ip" would check
7628 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7629 * checking only for VLAN-encapsulated IP, so that could still
7630 * be considered worth doing; it wouldn't break expressions
7631 * that are of the form "vlan and ..." or "vlan N and ...",
7632 * which I suspect are the most common expressions involving
7633 * "vlan". "vlan or ..." doesn't necessarily do what the user
7634 * would really want, now, as all the "or ..." tests would
7635 * be done assuming a VLAN, even though the "or" could be viewed
7636 * as meaning "or, if this isn't a VLAN packet...".
7643 /* check for VLAN */
7644 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7645 (bpf_int32)ETHERTYPE_8021Q);
7647 /* If a specific VLAN is requested, check VLAN id */
7648 if (vlan_num >= 0) {
7649 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7650 (bpf_int32)vlan_num, 0x0fff);
7664 bpf_error("no VLAN support for data link type %d",
7679 struct block *b0,*b1;
7682 * Change the offsets to point to the type and data fields within
7683 * the MPLS packet. Just increment the offsets, so that we
7684 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7685 * capture packets with an outer label of 100000 and an inner
7688 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7692 if (label_stack_depth > 0) {
7693 /* just match the bottom-of-stack bit clear */
7694 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7697 * Indicate that we're checking MPLS-encapsulated headers,
7698 * to make sure higher level code generators don't try to
7699 * match against IP-related protocols such as Q_ARP, Q_RARP
7704 case DLT_C_HDLC: /* fall through */
7706 b0 = gen_linktype(ETHERTYPE_MPLS);
7710 b0 = gen_linktype(PPP_MPLS_UCAST);
7713 /* FIXME add other DLT_s ...
7714 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7715 * leave it for now */
7718 bpf_error("no MPLS support for data link type %d",
7726 /* If a specific MPLS label is requested, check it */
7727 if (label_num >= 0) {
7728 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7729 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
7730 0xfffff000); /* only compare the first 20 bits */
7737 label_stack_depth++;
7742 * Support PPPOE discovery and session.
7747 /* check for PPPoE discovery */
7748 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
7757 * Test against the PPPoE session link-layer type.
7759 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
7762 * Change the offsets to point to the type and data fields within
7763 * the PPP packet, and note that this is PPPoE rather than
7766 * XXX - this is a bit of a kludge. If we were to split the
7767 * compiler into a parser that parses an expression and
7768 * generates an expression tree, and a code generator that
7769 * takes an expression tree (which could come from our
7770 * parser or from some other parser) and generates BPF code,
7771 * we could perhaps make the offsets parameters of routines
7772 * and, in the handler for an "AND" node, pass to subnodes
7773 * other than the PPPoE node the adjusted offsets.
7775 * This would mean that "pppoes" would, instead of changing the
7776 * behavior of *all* tests after it, change only the behavior
7777 * of tests ANDed with it. That would change the documented
7778 * semantics of "pppoes", which might break some expressions.
7779 * However, it would mean that "(pppoes and ip) or ip" would check
7780 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7781 * checking only for VLAN-encapsulated IP, so that could still
7782 * be considered worth doing; it wouldn't break expressions
7783 * that are of the form "pppoes and ..." which I suspect are the
7784 * most common expressions involving "pppoes". "pppoes or ..."
7785 * doesn't necessarily do what the user would really want, now,
7786 * as all the "or ..." tests would be done assuming PPPoE, even
7787 * though the "or" could be viewed as meaning "or, if this isn't
7788 * a PPPoE packet...".
7790 orig_linktype = off_linktype; /* save original values */
7795 * The "network-layer" protocol is PPPoE, which has a 6-byte
7796 * PPPoE header, followed by a PPP packet.
7798 * There is no HDLC encapsulation for the PPP packet (it's
7799 * encapsulated in PPPoES instead), so the link-layer type
7800 * starts at the first byte of the PPP packet. For PPPoE,
7801 * that offset is relative to the beginning of the total
7802 * link-layer payload, including any 802.2 LLC header, so
7803 * it's 6 bytes past off_nl.
7805 off_linktype = off_nl + 6;
7808 * The network-layer offsets are relative to the beginning
7809 * of the MAC-layer payload; that's past the 6-byte
7810 * PPPoE header and the 2-byte PPP header.
7813 off_nl_nosnap = 6+2;
7819 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7831 bpf_error("'vpi' supported only on raw ATM");
7832 if (off_vpi == (u_int)-1)
7834 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
7840 bpf_error("'vci' supported only on raw ATM");
7841 if (off_vci == (u_int)-1)
7843 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
7848 if (off_proto == (u_int)-1)
7849 abort(); /* XXX - this isn't on FreeBSD */
7850 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
7855 if (off_payload == (u_int)-1)
7857 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
7858 0xffffffff, jtype, reverse, jvalue);
7863 bpf_error("'callref' supported only on raw ATM");
7864 if (off_proto == (u_int)-1)
7866 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
7867 jtype, reverse, jvalue);
7877 gen_atmtype_abbrev(type)
7880 struct block *b0, *b1;
7885 /* Get all packets in Meta signalling Circuit */
7887 bpf_error("'metac' supported only on raw ATM");
7888 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7889 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7894 /* Get all packets in Broadcast Circuit*/
7896 bpf_error("'bcc' supported only on raw ATM");
7897 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7898 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7903 /* Get all cells in Segment OAM F4 circuit*/
7905 bpf_error("'oam4sc' supported only on raw ATM");
7906 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7907 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7912 /* Get all cells in End-to-End OAM F4 Circuit*/
7914 bpf_error("'oam4ec' supported only on raw ATM");
7915 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7916 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7921 /* Get all packets in connection Signalling Circuit */
7923 bpf_error("'sc' supported only on raw ATM");
7924 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7925 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
7930 /* Get all packets in ILMI Circuit */
7932 bpf_error("'ilmic' supported only on raw ATM");
7933 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7934 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
7939 /* Get all LANE packets */
7941 bpf_error("'lane' supported only on raw ATM");
7942 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
7945 * Arrange that all subsequent tests assume LANE
7946 * rather than LLC-encapsulated packets, and set
7947 * the offsets appropriately for LANE-encapsulated
7950 * "off_mac" is the offset of the Ethernet header,
7951 * which is 2 bytes past the ATM pseudo-header
7952 * (skipping the pseudo-header and 2-byte LE Client
7953 * field). The other offsets are Ethernet offsets
7954 * relative to "off_mac".
7957 off_mac = off_payload + 2; /* MAC header */
7958 off_linktype = off_mac + 12;
7959 off_macpl = off_mac + 14; /* Ethernet */
7960 off_nl = 0; /* Ethernet II */
7961 off_nl_nosnap = 3; /* 802.3+802.2 */
7965 /* Get all LLC-encapsulated packets */
7967 bpf_error("'llc' supported only on raw ATM");
7968 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
7979 * Filtering for MTP2 messages based on li value
7980 * FISU, length is null
7981 * LSSU, length is 1 or 2
7982 * MSU, length is 3 or more
7985 gen_mtp2type_abbrev(type)
7988 struct block *b0, *b1;
7993 if ( (linktype != DLT_MTP2) &&
7994 (linktype != DLT_ERF) &&
7995 (linktype != DLT_MTP2_WITH_PHDR) )
7996 bpf_error("'fisu' supported only on MTP2");
7997 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
7998 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8002 if ( (linktype != DLT_MTP2) &&
8003 (linktype != DLT_ERF) &&
8004 (linktype != DLT_MTP2_WITH_PHDR) )
8005 bpf_error("'lssu' supported only on MTP2");
8006 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8007 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8012 if ( (linktype != DLT_MTP2) &&
8013 (linktype != DLT_ERF) &&
8014 (linktype != DLT_MTP2_WITH_PHDR) )
8015 bpf_error("'msu' supported only on MTP2");
8016 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8026 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8033 bpf_u_int32 val1 , val2 , val3;
8035 switch (mtp3field) {
8038 if (off_sio == (u_int)-1)
8039 bpf_error("'sio' supported only on SS7");
8040 /* sio coded on 1 byte so max value 255 */
8042 bpf_error("sio value %u too big; max value = 255",
8044 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8045 (u_int)jtype, reverse, (u_int)jvalue);
8049 if (off_opc == (u_int)-1)
8050 bpf_error("'opc' supported only on SS7");
8051 /* opc coded on 14 bits so max value 16383 */
8053 bpf_error("opc value %u too big; max value = 16383",
8055 /* the following instructions are made to convert jvalue
8056 * to the form used to write opc in an ss7 message*/
8057 val1 = jvalue & 0x00003c00;
8059 val2 = jvalue & 0x000003fc;
8061 val3 = jvalue & 0x00000003;
8063 jvalue = val1 + val2 + val3;
8064 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8065 (u_int)jtype, reverse, (u_int)jvalue);
8069 if (off_dpc == (u_int)-1)
8070 bpf_error("'dpc' supported only on SS7");
8071 /* dpc coded on 14 bits so max value 16383 */
8073 bpf_error("dpc value %u too big; max value = 16383",
8075 /* the following instructions are made to convert jvalue
8076 * to the forme used to write dpc in an ss7 message*/
8077 val1 = jvalue & 0x000000ff;
8079 val2 = jvalue & 0x00003f00;
8081 jvalue = val1 + val2;
8082 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8083 (u_int)jtype, reverse, (u_int)jvalue);
8087 if (off_sls == (u_int)-1)
8088 bpf_error("'sls' supported only on SS7");
8089 /* sls coded on 4 bits so max value 15 */
8091 bpf_error("sls value %u too big; max value = 15",
8093 /* the following instruction is made to convert jvalue
8094 * to the forme used to write sls in an ss7 message*/
8095 jvalue = jvalue << 4;
8096 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8097 (u_int)jtype,reverse, (u_int)jvalue);
8106 static struct block *
8107 gen_msg_abbrev(type)
8113 * Q.2931 signalling protocol messages for handling virtual circuits
8114 * establishment and teardown
8119 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8123 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8127 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8131 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8135 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8138 case A_RELEASE_DONE:
8139 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8149 gen_atmmulti_abbrev(type)
8152 struct block *b0, *b1;
8158 bpf_error("'oam' supported only on raw ATM");
8159 b1 = gen_atmmulti_abbrev(A_OAMF4);
8164 bpf_error("'oamf4' supported only on raw ATM");
8166 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8167 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8169 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8175 * Get Q.2931 signalling messages for switched
8176 * virtual connection
8179 bpf_error("'connectmsg' supported only on raw ATM");
8180 b0 = gen_msg_abbrev(A_SETUP);
8181 b1 = gen_msg_abbrev(A_CALLPROCEED);
8183 b0 = gen_msg_abbrev(A_CONNECT);
8185 b0 = gen_msg_abbrev(A_CONNECTACK);
8187 b0 = gen_msg_abbrev(A_RELEASE);
8189 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8191 b0 = gen_atmtype_abbrev(A_SC);
8197 bpf_error("'metaconnect' supported only on raw ATM");
8198 b0 = gen_msg_abbrev(A_SETUP);
8199 b1 = gen_msg_abbrev(A_CALLPROCEED);
8201 b0 = gen_msg_abbrev(A_CONNECT);
8203 b0 = gen_msg_abbrev(A_RELEASE);
8205 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8207 b0 = gen_atmtype_abbrev(A_METAC);