1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
27 #define _KERNEL_STRUCTURES
34 #include <pcap-stdinc.h>
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
44 #include <sys/types.h>
45 #include <sys/socket.h>
49 * XXX - why was this included even on UNIX?
58 #include <sys/param.h>
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
78 #include "ethertype.h"
82 #include "ieee80211.h"
84 #include "sunatmpos.h"
87 #include "pcap/ipnet.h"
89 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
90 #include <linux/types.h>
91 #include <linux/if_packet.h>
92 #include <linux/filter.h>
94 #ifdef HAVE_NET_PFVAR_H
95 #include <sys/socket.h>
97 #include <net/if_var.h>
98 #include <net/pf/pfvar.h>
99 #include <net/pf/if_pflog.h>
102 #define offsetof(s, e) ((size_t)&((s *)0)->e)
106 #include <netdb.h> /* for "struct addrinfo" */
109 #include <pcap/namedb.h>
111 #define ETHERMTU 1500
113 #ifndef IPPROTO_HOPOPTS
114 #define IPPROTO_HOPOPTS 0
116 #ifndef IPPROTO_ROUTING
117 #define IPPROTO_ROUTING 43
119 #ifndef IPPROTO_FRAGMENT
120 #define IPPROTO_FRAGMENT 44
122 #ifndef IPPROTO_DSTOPTS
123 #define IPPROTO_DSTOPTS 60
126 #define IPPROTO_SCTP 132
129 #ifdef HAVE_OS_PROTO_H
130 #include "os-proto.h"
133 #define JMP(c) ((c)|BPF_JMP|BPF_K)
136 static jmp_buf top_ctx;
137 static pcap_t *bpf_pcap;
139 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
141 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
143 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
148 static int pcap_fddipad;
153 bpf_error(const char *fmt, ...)
158 if (bpf_pcap != NULL)
159 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
166 static void init_linktype(pcap_t *);
168 static void init_regs(void);
169 static int alloc_reg(void);
170 static void free_reg(int);
172 static struct block *root;
175 * Value passed to gen_load_a() to indicate what the offset argument
179 OR_PACKET, /* relative to the beginning of the packet */
180 OR_LINK, /* relative to the beginning of the link-layer header */
181 OR_MACPL, /* relative to the end of the MAC-layer header */
182 OR_NET, /* relative to the network-layer header */
183 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
184 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
185 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
190 * As errors are handled by a longjmp, anything allocated must be freed
191 * in the longjmp handler, so it must be reachable from that handler.
192 * One thing that's allocated is the result of pcap_nametoaddrinfo();
193 * it must be freed with freeaddrinfo(). This variable points to any
194 * addrinfo structure that would need to be freed.
196 static struct addrinfo *ai;
200 * We divy out chunks of memory rather than call malloc each time so
201 * we don't have to worry about leaking memory. It's probably
202 * not a big deal if all this memory was wasted but if this ever
203 * goes into a library that would probably not be a good idea.
205 * XXX - this *is* in a library....
208 #define CHUNK0SIZE 1024
214 static struct chunk chunks[NCHUNKS];
215 static int cur_chunk;
217 static void *newchunk(u_int);
218 static void freechunks(void);
219 static inline struct block *new_block(int);
220 static inline struct slist *new_stmt(int);
221 static struct block *gen_retblk(int);
222 static inline void syntax(void);
224 static void backpatch(struct block *, struct block *);
225 static void merge(struct block *, struct block *);
226 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
227 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
228 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
229 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
230 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
231 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
233 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
234 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
235 bpf_u_int32, bpf_u_int32, int, bpf_int32);
236 static struct slist *gen_load_llrel(u_int, u_int);
237 static struct slist *gen_load_macplrel(u_int, u_int);
238 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
239 static struct slist *gen_loadx_iphdrlen(void);
240 static struct block *gen_uncond(int);
241 static inline struct block *gen_true(void);
242 static inline struct block *gen_false(void);
243 static struct block *gen_ether_linktype(int);
244 static struct block *gen_ipnet_linktype(int);
245 static struct block *gen_linux_sll_linktype(int);
246 static struct slist *gen_load_prism_llprefixlen(void);
247 static struct slist *gen_load_avs_llprefixlen(void);
248 static struct slist *gen_load_radiotap_llprefixlen(void);
249 static struct slist *gen_load_ppi_llprefixlen(void);
250 static void insert_compute_vloffsets(struct block *);
251 static struct slist *gen_llprefixlen(void);
252 static struct slist *gen_off_macpl(void);
253 static int ethertype_to_ppptype(int);
254 static struct block *gen_linktype(int);
255 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
256 static struct block *gen_llc_linktype(int);
257 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
259 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
261 static struct block *gen_ahostop(const u_char *, int);
262 static struct block *gen_ehostop(const u_char *, int);
263 static struct block *gen_fhostop(const u_char *, int);
264 static struct block *gen_thostop(const u_char *, int);
265 static struct block *gen_wlanhostop(const u_char *, int);
266 static struct block *gen_ipfchostop(const u_char *, int);
267 static struct block *gen_dnhostop(bpf_u_int32, int);
268 static struct block *gen_mpls_linktype(int);
269 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
271 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
274 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
276 static struct block *gen_ipfrag(void);
277 static struct block *gen_portatom(int, bpf_int32);
278 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
279 static struct block *gen_portatom6(int, bpf_int32);
280 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
281 struct block *gen_portop(int, int, int);
282 static struct block *gen_port(int, int, int);
283 struct block *gen_portrangeop(int, int, int, int);
284 static struct block *gen_portrange(int, int, int, int);
285 struct block *gen_portop6(int, int, int);
286 static struct block *gen_port6(int, int, int);
287 struct block *gen_portrangeop6(int, int, int, int);
288 static struct block *gen_portrange6(int, int, int, int);
289 static int lookup_proto(const char *, int);
290 static struct block *gen_protochain(int, int, int);
291 static struct block *gen_proto(int, int, int);
292 static struct slist *xfer_to_x(struct arth *);
293 static struct slist *xfer_to_a(struct arth *);
294 static struct block *gen_mac_multicast(int);
295 static struct block *gen_len(int, int);
296 static struct block *gen_check_802_11_data_frame(void);
298 static struct block *gen_ppi_dlt_check(void);
299 static struct block *gen_msg_abbrev(int type);
310 /* XXX Round up to nearest long. */
311 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
313 /* XXX Round up to structure boundary. */
317 cp = &chunks[cur_chunk];
318 if (n > cp->n_left) {
319 ++cp, k = ++cur_chunk;
321 bpf_error("out of memory");
322 size = CHUNK0SIZE << k;
323 cp->m = (void *)malloc(size);
325 bpf_error("out of memory");
326 memset((char *)cp->m, 0, size);
329 bpf_error("out of memory");
332 return (void *)((char *)cp->m + cp->n_left);
341 for (i = 0; i < NCHUNKS; ++i)
342 if (chunks[i].m != NULL) {
349 * A strdup whose allocations are freed after code generation is over.
353 register const char *s;
355 int n = strlen(s) + 1;
356 char *cp = newchunk(n);
362 static inline struct block *
368 p = (struct block *)newchunk(sizeof(*p));
375 static inline struct slist *
381 p = (struct slist *)newchunk(sizeof(*p));
387 static struct block *
391 struct block *b = new_block(BPF_RET|BPF_K);
400 bpf_error("syntax error in filter expression");
403 static bpf_u_int32 netmask;
408 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
409 const char *buf, int optimize, bpf_u_int32 mask);
412 pcap_compile(pcap_t *p, struct bpf_program *program,
413 const char *buf, int optimize, bpf_u_int32 mask)
417 EnterCriticalSection(&g_PcapCompileCriticalSection);
419 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
421 LeaveCriticalSection(&g_PcapCompileCriticalSection);
427 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
428 const char *buf, int optimize, bpf_u_int32 mask)
431 pcap_compile(pcap_t *p, struct bpf_program *program,
432 const char *buf, int optimize, bpf_u_int32 mask)
436 const char * volatile xbuf = buf;
440 * If this pcap_t hasn't been activated, it doesn't have a
441 * link-layer type, so we can't use it.
444 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
445 "not-yet-activated pcap_t passed to pcap_compile");
453 if (setjmp(top_ctx)) {
467 snaplen = pcap_snapshot(p);
469 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
470 "snaplen of 0 rejects all packets");
474 lex_init(xbuf ? xbuf : "");
482 root = gen_retblk(snaplen);
484 if (optimize && !no_optimize) {
487 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
488 bpf_error("expression rejects all packets");
490 program->bf_insns = icode_to_fcode(root, &len);
491 program->bf_len = len;
499 * entry point for using the compiler with no pcap open
500 * pass in all the stuff that is needed explicitly instead.
503 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
504 struct bpf_program *program,
505 const char *buf, int optimize, bpf_u_int32 mask)
510 p = pcap_open_dead(linktype_arg, snaplen_arg);
513 ret = pcap_compile(p, program, buf, optimize, mask);
519 * Clean up a "struct bpf_program" by freeing all the memory allocated
523 pcap_freecode(struct bpf_program *program)
526 if (program->bf_insns != NULL) {
527 free((char *)program->bf_insns);
528 program->bf_insns = NULL;
533 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
534 * which of the jt and jf fields has been resolved and which is a pointer
535 * back to another unresolved block (or nil). At least one of the fields
536 * in each block is already resolved.
539 backpatch(list, target)
540 struct block *list, *target;
557 * Merge the lists in b0 and b1, using the 'sense' field to indicate
558 * which of jt and jf is the link.
562 struct block *b0, *b1;
564 register struct block **p = &b0;
566 /* Find end of list. */
568 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
570 /* Concatenate the lists. */
578 struct block *ppi_dlt_check;
581 * Insert before the statements of the first (root) block any
582 * statements needed to load the lengths of any variable-length
583 * headers into registers.
585 * XXX - a fancier strategy would be to insert those before the
586 * statements of all blocks that use those lengths and that
587 * have no predecessors that use them, so that we only compute
588 * the lengths if we need them. There might be even better
589 * approaches than that.
591 * However, those strategies would be more complicated, and
592 * as we don't generate code to compute a length if the
593 * program has no tests that use the length, and as most
594 * tests will probably use those lengths, we would just
595 * postpone computing the lengths so that it's not done
596 * for tests that fail early, and it's not clear that's
599 insert_compute_vloffsets(p->head);
602 * For DLT_PPI captures, generate a check of the per-packet
603 * DLT value to make sure it's DLT_IEEE802_11.
605 ppi_dlt_check = gen_ppi_dlt_check();
606 if (ppi_dlt_check != NULL)
607 gen_and(ppi_dlt_check, p);
609 backpatch(p, gen_retblk(snaplen));
610 p->sense = !p->sense;
611 backpatch(p, gen_retblk(0));
617 struct block *b0, *b1;
619 backpatch(b0, b1->head);
620 b0->sense = !b0->sense;
621 b1->sense = !b1->sense;
623 b1->sense = !b1->sense;
629 struct block *b0, *b1;
631 b0->sense = !b0->sense;
632 backpatch(b0, b1->head);
633 b0->sense = !b0->sense;
642 b->sense = !b->sense;
645 static struct block *
646 gen_cmp(offrel, offset, size, v)
647 enum e_offrel offrel;
651 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
654 static struct block *
655 gen_cmp_gt(offrel, offset, size, v)
656 enum e_offrel offrel;
660 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
663 static struct block *
664 gen_cmp_ge(offrel, offset, size, v)
665 enum e_offrel offrel;
669 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
672 static struct block *
673 gen_cmp_lt(offrel, offset, size, v)
674 enum e_offrel offrel;
678 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
681 static struct block *
682 gen_cmp_le(offrel, offset, size, v)
683 enum e_offrel offrel;
687 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
690 static struct block *
691 gen_mcmp(offrel, offset, size, v, mask)
692 enum e_offrel offrel;
697 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
700 static struct block *
701 gen_bcmp(offrel, offset, size, v)
702 enum e_offrel offrel;
703 register u_int offset, size;
704 register const u_char *v;
706 register struct block *b, *tmp;
710 register const u_char *p = &v[size - 4];
711 bpf_int32 w = ((bpf_int32)p[0] << 24) |
712 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
714 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
721 register const u_char *p = &v[size - 2];
722 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
724 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
731 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
740 * AND the field of size "size" at offset "offset" relative to the header
741 * specified by "offrel" with "mask", and compare it with the value "v"
742 * with the test specified by "jtype"; if "reverse" is true, the test
743 * should test the opposite of "jtype".
745 static struct block *
746 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
747 enum e_offrel offrel;
749 bpf_u_int32 offset, size, mask, jtype;
752 struct slist *s, *s2;
755 s = gen_load_a(offrel, offset, size);
757 if (mask != 0xffffffff) {
758 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
763 b = new_block(JMP(jtype));
766 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
772 * Various code constructs need to know the layout of the data link
773 * layer. These variables give the necessary offsets from the beginning
774 * of the packet data.
778 * This is the offset of the beginning of the link-layer header from
779 * the beginning of the raw packet data.
781 * It's usually 0, except for 802.11 with a fixed-length radio header.
782 * (For 802.11 with a variable-length radio header, we have to generate
783 * code to compute that offset; off_ll is 0 in that case.)
788 * If there's a variable-length header preceding the link-layer header,
789 * "reg_off_ll" is the register number for a register containing the
790 * length of that header, and therefore the offset of the link-layer
791 * header from the beginning of the raw packet data. Otherwise,
792 * "reg_off_ll" is -1.
794 static int reg_off_ll;
797 * This is the offset of the beginning of the MAC-layer header from
798 * the beginning of the link-layer header.
799 * It's usually 0, except for ATM LANE, where it's the offset, relative
800 * to the beginning of the raw packet data, of the Ethernet header, and
801 * for Ethernet with various additional information.
803 static u_int off_mac;
806 * This is the offset of the beginning of the MAC-layer payload,
807 * from the beginning of the raw packet data.
809 * I.e., it's the sum of the length of the link-layer header (without,
810 * for example, any 802.2 LLC header, so it's the MAC-layer
811 * portion of that header), plus any prefix preceding the
814 static u_int off_macpl;
817 * This is 1 if the offset of the beginning of the MAC-layer payload
818 * from the beginning of the link-layer header is variable-length.
820 static int off_macpl_is_variable;
823 * If the link layer has variable_length headers, "reg_off_macpl"
824 * is the register number for a register containing the length of the
825 * link-layer header plus the length of any variable-length header
826 * preceding the link-layer header. Otherwise, "reg_off_macpl"
829 static int reg_off_macpl;
832 * "off_linktype" is the offset to information in the link-layer header
833 * giving the packet type. This offset is relative to the beginning
834 * of the link-layer header (i.e., it doesn't include off_ll).
836 * For Ethernet, it's the offset of the Ethernet type field.
838 * For link-layer types that always use 802.2 headers, it's the
839 * offset of the LLC header.
841 * For PPP, it's the offset of the PPP type field.
843 * For Cisco HDLC, it's the offset of the CHDLC type field.
845 * For BSD loopback, it's the offset of the AF_ value.
847 * For Linux cooked sockets, it's the offset of the type field.
849 * It's set to -1 for no encapsulation, in which case, IP is assumed.
851 static u_int off_linktype;
854 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
855 * checks to check the PPP header, assumed to follow a LAN-style link-
856 * layer header and a PPPoE session header.
858 static int is_pppoes = 0;
861 * TRUE if the link layer includes an ATM pseudo-header.
863 static int is_atm = 0;
866 * TRUE if "lane" appeared in the filter; it causes us to generate
867 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
869 static int is_lane = 0;
872 * These are offsets for the ATM pseudo-header.
874 static u_int off_vpi;
875 static u_int off_vci;
876 static u_int off_proto;
879 * These are offsets for the MTP2 fields.
884 * These are offsets for the MTP3 fields.
886 static u_int off_sio;
887 static u_int off_opc;
888 static u_int off_dpc;
889 static u_int off_sls;
892 * This is the offset of the first byte after the ATM pseudo_header,
893 * or -1 if there is no ATM pseudo-header.
895 static u_int off_payload;
898 * These are offsets to the beginning of the network-layer header.
899 * They are relative to the beginning of the MAC-layer payload (i.e.,
900 * they don't include off_ll or off_macpl).
902 * If the link layer never uses 802.2 LLC:
904 * "off_nl" and "off_nl_nosnap" are the same.
906 * If the link layer always uses 802.2 LLC:
908 * "off_nl" is the offset if there's a SNAP header following
911 * "off_nl_nosnap" is the offset if there's no SNAP header.
913 * If the link layer is Ethernet:
915 * "off_nl" is the offset if the packet is an Ethernet II packet
916 * (we assume no 802.3+802.2+SNAP);
918 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
919 * with an 802.2 header following it.
922 static u_int off_nl_nosnap;
930 linktype = pcap_datalink(p);
932 pcap_fddipad = p->fddipad;
936 * Assume it's not raw ATM with a pseudo-header, for now.
947 * And that we're not doing PPPoE.
952 * And assume we're not doing SS7.
961 * Also assume it's not 802.11.
965 off_macpl_is_variable = 0;
969 label_stack_depth = 0;
979 off_nl = 0; /* XXX in reality, variable! */
980 off_nl_nosnap = 0; /* no 802.2 LLC */
983 case DLT_ARCNET_LINUX:
986 off_nl = 0; /* XXX in reality, variable! */
987 off_nl_nosnap = 0; /* no 802.2 LLC */
992 off_macpl = 14; /* Ethernet header length */
993 off_nl = 0; /* Ethernet II */
994 off_nl_nosnap = 3; /* 802.3+802.2 */
999 * SLIP doesn't have a link level type. The 16 byte
1000 * header is hacked into our SLIP driver.
1005 off_nl_nosnap = 0; /* no 802.2 LLC */
1008 case DLT_SLIP_BSDOS:
1009 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1014 off_nl_nosnap = 0; /* no 802.2 LLC */
1022 off_nl_nosnap = 0; /* no 802.2 LLC */
1029 off_nl_nosnap = 0; /* no 802.2 LLC */
1034 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1035 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1039 off_nl_nosnap = 0; /* no 802.2 LLC */
1044 * This does no include the Ethernet header, and
1045 * only covers session state.
1050 off_nl_nosnap = 0; /* no 802.2 LLC */
1057 off_nl_nosnap = 0; /* no 802.2 LLC */
1062 * FDDI doesn't really have a link-level type field.
1063 * We set "off_linktype" to the offset of the LLC header.
1065 * To check for Ethernet types, we assume that SSAP = SNAP
1066 * is being used and pick out the encapsulated Ethernet type.
1067 * XXX - should we generate code to check for SNAP?
1071 off_linktype += pcap_fddipad;
1073 off_macpl = 13; /* FDDI MAC header length */
1075 off_macpl += pcap_fddipad;
1077 off_nl = 8; /* 802.2+SNAP */
1078 off_nl_nosnap = 3; /* 802.2 */
1083 * Token Ring doesn't really have a link-level type field.
1084 * We set "off_linktype" to the offset of the LLC header.
1086 * To check for Ethernet types, we assume that SSAP = SNAP
1087 * is being used and pick out the encapsulated Ethernet type.
1088 * XXX - should we generate code to check for SNAP?
1090 * XXX - the header is actually variable-length.
1091 * Some various Linux patched versions gave 38
1092 * as "off_linktype" and 40 as "off_nl"; however,
1093 * if a token ring packet has *no* routing
1094 * information, i.e. is not source-routed, the correct
1095 * values are 20 and 22, as they are in the vanilla code.
1097 * A packet is source-routed iff the uppermost bit
1098 * of the first byte of the source address, at an
1099 * offset of 8, has the uppermost bit set. If the
1100 * packet is source-routed, the total number of bytes
1101 * of routing information is 2 plus bits 0x1F00 of
1102 * the 16-bit value at an offset of 14 (shifted right
1103 * 8 - figure out which byte that is).
1106 off_macpl = 14; /* Token Ring MAC header length */
1107 off_nl = 8; /* 802.2+SNAP */
1108 off_nl_nosnap = 3; /* 802.2 */
1111 case DLT_IEEE802_11:
1112 case DLT_PRISM_HEADER:
1113 case DLT_IEEE802_11_RADIO_AVS:
1114 case DLT_IEEE802_11_RADIO:
1116 * 802.11 doesn't really have a link-level type field.
1117 * We set "off_linktype" to the offset of the LLC header.
1119 * To check for Ethernet types, we assume that SSAP = SNAP
1120 * is being used and pick out the encapsulated Ethernet type.
1121 * XXX - should we generate code to check for SNAP?
1123 * We also handle variable-length radio headers here.
1124 * The Prism header is in theory variable-length, but in
1125 * practice it's always 144 bytes long. However, some
1126 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1127 * sometimes or always supply an AVS header, so we
1128 * have to check whether the radio header is a Prism
1129 * header or an AVS header, so, in practice, it's
1133 off_macpl = 0; /* link-layer header is variable-length */
1134 off_macpl_is_variable = 1;
1135 off_nl = 8; /* 802.2+SNAP */
1136 off_nl_nosnap = 3; /* 802.2 */
1141 * At the moment we treat PPI the same way that we treat
1142 * normal Radiotap encoded packets. The difference is in
1143 * the function that generates the code at the beginning
1144 * to compute the header length. Since this code generator
1145 * of PPI supports bare 802.11 encapsulation only (i.e.
1146 * the encapsulated DLT should be DLT_IEEE802_11) we
1147 * generate code to check for this too.
1150 off_macpl = 0; /* link-layer header is variable-length */
1151 off_macpl_is_variable = 1;
1152 off_nl = 8; /* 802.2+SNAP */
1153 off_nl_nosnap = 3; /* 802.2 */
1156 case DLT_ATM_RFC1483:
1157 case DLT_ATM_CLIP: /* Linux ATM defines this */
1159 * assume routed, non-ISO PDUs
1160 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1162 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1163 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1164 * latter would presumably be treated the way PPPoE
1165 * should be, so you can do "pppoe and udp port 2049"
1166 * or "pppoa and tcp port 80" and have it check for
1167 * PPPo{A,E} and a PPP protocol of IP and....
1170 off_macpl = 0; /* packet begins with LLC header */
1171 off_nl = 8; /* 802.2+SNAP */
1172 off_nl_nosnap = 3; /* 802.2 */
1177 * Full Frontal ATM; you get AALn PDUs with an ATM
1181 off_vpi = SUNATM_VPI_POS;
1182 off_vci = SUNATM_VCI_POS;
1183 off_proto = PROTO_POS;
1184 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1185 off_payload = SUNATM_PKT_BEGIN_POS;
1186 off_linktype = off_payload;
1187 off_macpl = off_payload; /* if LLC-encapsulated */
1188 off_nl = 8; /* 802.2+SNAP */
1189 off_nl_nosnap = 3; /* 802.2 */
1198 off_nl_nosnap = 0; /* no 802.2 LLC */
1201 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1205 off_nl_nosnap = 0; /* no 802.2 LLC */
1210 * LocalTalk does have a 1-byte type field in the LLAP header,
1211 * but really it just indicates whether there is a "short" or
1212 * "long" DDP packet following.
1217 off_nl_nosnap = 0; /* no 802.2 LLC */
1220 case DLT_IP_OVER_FC:
1222 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1223 * link-level type field. We set "off_linktype" to the
1224 * offset of the LLC header.
1226 * To check for Ethernet types, we assume that SSAP = SNAP
1227 * is being used and pick out the encapsulated Ethernet type.
1228 * XXX - should we generate code to check for SNAP? RFC
1229 * 2625 says SNAP should be used.
1233 off_nl = 8; /* 802.2+SNAP */
1234 off_nl_nosnap = 3; /* 802.2 */
1239 * XXX - we should set this to handle SNAP-encapsulated
1240 * frames (NLPID of 0x80).
1245 off_nl_nosnap = 0; /* no 802.2 LLC */
1249 * the only BPF-interesting FRF.16 frames are non-control frames;
1250 * Frame Relay has a variable length link-layer
1251 * so lets start with offset 4 for now and increments later on (FIXME);
1257 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1260 case DLT_APPLE_IP_OVER_IEEE1394:
1264 off_nl_nosnap = 0; /* no 802.2 LLC */
1267 case DLT_SYMANTEC_FIREWALL:
1270 off_nl = 0; /* Ethernet II */
1271 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1274 #ifdef HAVE_NET_PFVAR_H
1277 off_macpl = PFLOG_HDRLEN;
1279 off_nl_nosnap = 0; /* no 802.2 LLC */
1283 case DLT_JUNIPER_MFR:
1284 case DLT_JUNIPER_MLFR:
1285 case DLT_JUNIPER_MLPPP:
1286 case DLT_JUNIPER_PPP:
1287 case DLT_JUNIPER_CHDLC:
1288 case DLT_JUNIPER_FRELAY:
1292 off_nl_nosnap = -1; /* no 802.2 LLC */
1295 case DLT_JUNIPER_ATM1:
1296 off_linktype = 4; /* in reality variable between 4-8 */
1297 off_macpl = 4; /* in reality variable between 4-8 */
1302 case DLT_JUNIPER_ATM2:
1303 off_linktype = 8; /* in reality variable between 8-12 */
1304 off_macpl = 8; /* in reality variable between 8-12 */
1309 /* frames captured on a Juniper PPPoE service PIC
1310 * contain raw ethernet frames */
1311 case DLT_JUNIPER_PPPOE:
1312 case DLT_JUNIPER_ETHER:
1315 off_nl = 18; /* Ethernet II */
1316 off_nl_nosnap = 21; /* 802.3+802.2 */
1319 case DLT_JUNIPER_PPPOE_ATM:
1323 off_nl_nosnap = -1; /* no 802.2 LLC */
1326 case DLT_JUNIPER_GGSN:
1330 off_nl_nosnap = -1; /* no 802.2 LLC */
1333 case DLT_JUNIPER_ES:
1335 off_macpl = -1; /* not really a network layer but raw IP addresses */
1336 off_nl = -1; /* not really a network layer but raw IP addresses */
1337 off_nl_nosnap = -1; /* no 802.2 LLC */
1340 case DLT_JUNIPER_MONITOR:
1343 off_nl = 0; /* raw IP/IP6 header */
1344 off_nl_nosnap = -1; /* no 802.2 LLC */
1347 case DLT_JUNIPER_SERVICES:
1349 off_macpl = -1; /* L3 proto location dep. on cookie type */
1350 off_nl = -1; /* L3 proto location dep. on cookie type */
1351 off_nl_nosnap = -1; /* no 802.2 LLC */
1354 case DLT_JUNIPER_VP:
1361 case DLT_JUNIPER_ST:
1368 case DLT_JUNIPER_ISM:
1375 case DLT_JUNIPER_VS:
1376 case DLT_JUNIPER_SRX_E2E:
1377 case DLT_JUNIPER_FIBRECHANNEL:
1378 case DLT_JUNIPER_ATM_CEMIC:
1397 case DLT_MTP2_WITH_PHDR:
1430 * Currently, only raw "link[N:M]" filtering is supported.
1432 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1434 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1435 off_nl_nosnap = -1; /* no 802.2 LLC */
1436 off_mac = 1; /* step over the kiss length byte */
1441 off_macpl = 24; /* ipnet header length */
1446 case DLT_NETANALYZER:
1447 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1448 off_linktype = 16; /* includes 4-byte pseudo-header */
1449 off_macpl = 18; /* pseudo-header+Ethernet header length */
1450 off_nl = 0; /* Ethernet II */
1451 off_nl_nosnap = 3; /* 802.3+802.2 */
1454 case DLT_NETANALYZER_TRANSPARENT:
1455 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1456 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1457 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1458 off_nl = 0; /* Ethernet II */
1459 off_nl_nosnap = 3; /* 802.3+802.2 */
1464 * For values in the range in which we've assigned new
1465 * DLT_ values, only raw "link[N:M]" filtering is supported.
1467 if (linktype >= DLT_MATCHING_MIN &&
1468 linktype <= DLT_MATCHING_MAX) {
1477 bpf_error("unknown data link type %d", linktype);
1482 * Load a value relative to the beginning of the link-layer header.
1483 * The link-layer header doesn't necessarily begin at the beginning
1484 * of the packet data; there might be a variable-length prefix containing
1485 * radio information.
1487 static struct slist *
1488 gen_load_llrel(offset, size)
1491 struct slist *s, *s2;
1493 s = gen_llprefixlen();
1496 * If "s" is non-null, it has code to arrange that the X register
1497 * contains the length of the prefix preceding the link-layer
1500 * Otherwise, the length of the prefix preceding the link-layer
1501 * header is "off_ll".
1505 * There's a variable-length prefix preceding the
1506 * link-layer header. "s" points to a list of statements
1507 * that put the length of that prefix into the X register.
1508 * do an indirect load, to use the X register as an offset.
1510 s2 = new_stmt(BPF_LD|BPF_IND|size);
1515 * There is no variable-length header preceding the
1516 * link-layer header; add in off_ll, which, if there's
1517 * a fixed-length header preceding the link-layer header,
1518 * is the length of that header.
1520 s = new_stmt(BPF_LD|BPF_ABS|size);
1521 s->s.k = offset + off_ll;
1527 * Load a value relative to the beginning of the MAC-layer payload.
1529 static struct slist *
1530 gen_load_macplrel(offset, size)
1533 struct slist *s, *s2;
1535 s = gen_off_macpl();
1538 * If s is non-null, the offset of the MAC-layer payload is
1539 * variable, and s points to a list of instructions that
1540 * arrange that the X register contains that offset.
1542 * Otherwise, the offset of the MAC-layer payload is constant,
1543 * and is in off_macpl.
1547 * The offset of the MAC-layer payload is in the X
1548 * register. Do an indirect load, to use the X register
1551 s2 = new_stmt(BPF_LD|BPF_IND|size);
1556 * The offset of the MAC-layer payload is constant,
1557 * and is in off_macpl; load the value at that offset
1558 * plus the specified offset.
1560 s = new_stmt(BPF_LD|BPF_ABS|size);
1561 s->s.k = off_macpl + offset;
1567 * Load a value relative to the beginning of the specified header.
1569 static struct slist *
1570 gen_load_a(offrel, offset, size)
1571 enum e_offrel offrel;
1574 struct slist *s, *s2;
1579 s = new_stmt(BPF_LD|BPF_ABS|size);
1584 s = gen_load_llrel(offset, size);
1588 s = gen_load_macplrel(offset, size);
1592 s = gen_load_macplrel(off_nl + offset, size);
1596 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1601 * Load the X register with the length of the IPv4 header
1602 * (plus the offset of the link-layer header, if it's
1603 * preceded by a variable-length header such as a radio
1604 * header), in bytes.
1606 s = gen_loadx_iphdrlen();
1609 * Load the item at {offset of the MAC-layer payload} +
1610 * {offset, relative to the start of the MAC-layer
1611 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1612 * {specified offset}.
1614 * (If the offset of the MAC-layer payload is variable,
1615 * it's included in the value in the X register, and
1618 s2 = new_stmt(BPF_LD|BPF_IND|size);
1619 s2->s.k = off_macpl + off_nl + offset;
1624 s = gen_load_macplrel(off_nl + 40 + offset, size);
1635 * Generate code to load into the X register the sum of the length of
1636 * the IPv4 header and any variable-length header preceding the link-layer
1639 static struct slist *
1640 gen_loadx_iphdrlen()
1642 struct slist *s, *s2;
1644 s = gen_off_macpl();
1647 * There's a variable-length prefix preceding the
1648 * link-layer header, or the link-layer header is itself
1649 * variable-length. "s" points to a list of statements
1650 * that put the offset of the MAC-layer payload into
1653 * The 4*([k]&0xf) addressing mode can't be used, as we
1654 * don't have a constant offset, so we have to load the
1655 * value in question into the A register and add to it
1656 * the value from the X register.
1658 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1661 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1664 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1669 * The A register now contains the length of the
1670 * IP header. We need to add to it the offset of
1671 * the MAC-layer payload, which is still in the X
1672 * register, and move the result into the X register.
1674 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1675 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1678 * There is no variable-length header preceding the
1679 * link-layer header, and the link-layer header is
1680 * fixed-length; load the length of the IPv4 header,
1681 * which is at an offset of off_nl from the beginning
1682 * of the MAC-layer payload, and thus at an offset
1683 * of off_mac_pl + off_nl from the beginning of the
1686 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1687 s->s.k = off_macpl + off_nl;
1692 static struct block *
1699 s = new_stmt(BPF_LD|BPF_IMM);
1701 b = new_block(JMP(BPF_JEQ));
1707 static inline struct block *
1710 return gen_uncond(1);
1713 static inline struct block *
1716 return gen_uncond(0);
1720 * Byte-swap a 32-bit number.
1721 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1722 * big-endian platforms.)
1724 #define SWAPLONG(y) \
1725 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1728 * Generate code to match a particular packet type.
1730 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1731 * value, if <= ETHERMTU. We use that to determine whether to
1732 * match the type/length field or to check the type/length field for
1733 * a value <= ETHERMTU to see whether it's a type field and then do
1734 * the appropriate test.
1736 static struct block *
1737 gen_ether_linktype(proto)
1740 struct block *b0, *b1;
1746 case LLCSAP_NETBEUI:
1748 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1749 * so we check the DSAP and SSAP.
1751 * LLCSAP_IP checks for IP-over-802.2, rather
1752 * than IP-over-Ethernet or IP-over-SNAP.
1754 * XXX - should we check both the DSAP and the
1755 * SSAP, like this, or should we check just the
1756 * DSAP, as we do for other types <= ETHERMTU
1757 * (i.e., other SAP values)?
1759 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1761 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1762 ((proto << 8) | proto));
1770 * Ethernet_II frames, which are Ethernet
1771 * frames with a frame type of ETHERTYPE_IPX;
1773 * Ethernet_802.3 frames, which are 802.3
1774 * frames (i.e., the type/length field is
1775 * a length field, <= ETHERMTU, rather than
1776 * a type field) with the first two bytes
1777 * after the Ethernet/802.3 header being
1780 * Ethernet_802.2 frames, which are 802.3
1781 * frames with an 802.2 LLC header and
1782 * with the IPX LSAP as the DSAP in the LLC
1785 * Ethernet_SNAP frames, which are 802.3
1786 * frames with an LLC header and a SNAP
1787 * header and with an OUI of 0x000000
1788 * (encapsulated Ethernet) and a protocol
1789 * ID of ETHERTYPE_IPX in the SNAP header.
1791 * XXX - should we generate the same code both
1792 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1796 * This generates code to check both for the
1797 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1799 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1800 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1804 * Now we add code to check for SNAP frames with
1805 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1807 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1811 * Now we generate code to check for 802.3
1812 * frames in general.
1814 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1818 * Now add the check for 802.3 frames before the
1819 * check for Ethernet_802.2 and Ethernet_802.3,
1820 * as those checks should only be done on 802.3
1821 * frames, not on Ethernet frames.
1826 * Now add the check for Ethernet_II frames, and
1827 * do that before checking for the other frame
1830 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1831 (bpf_int32)ETHERTYPE_IPX);
1835 case ETHERTYPE_ATALK:
1836 case ETHERTYPE_AARP:
1838 * EtherTalk (AppleTalk protocols on Ethernet link
1839 * layer) may use 802.2 encapsulation.
1843 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1844 * we check for an Ethernet type field less than
1845 * 1500, which means it's an 802.3 length field.
1847 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1851 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1852 * SNAP packets with an organization code of
1853 * 0x080007 (Apple, for Appletalk) and a protocol
1854 * type of ETHERTYPE_ATALK (Appletalk).
1856 * 802.2-encapsulated ETHERTYPE_AARP packets are
1857 * SNAP packets with an organization code of
1858 * 0x000000 (encapsulated Ethernet) and a protocol
1859 * type of ETHERTYPE_AARP (Appletalk ARP).
1861 if (proto == ETHERTYPE_ATALK)
1862 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1863 else /* proto == ETHERTYPE_AARP */
1864 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1868 * Check for Ethernet encapsulation (Ethertalk
1869 * phase 1?); we just check for the Ethernet
1872 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1878 if (proto <= ETHERMTU) {
1880 * This is an LLC SAP value, so the frames
1881 * that match would be 802.2 frames.
1882 * Check that the frame is an 802.2 frame
1883 * (i.e., that the length/type field is
1884 * a length field, <= ETHERMTU) and
1885 * then check the DSAP.
1887 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1889 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1895 * This is an Ethernet type, so compare
1896 * the length/type field with it (if
1897 * the frame is an 802.2 frame, the length
1898 * field will be <= ETHERMTU, and, as
1899 * "proto" is > ETHERMTU, this test
1900 * will fail and the frame won't match,
1901 * which is what we want).
1903 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1910 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1911 * or IPv6 then we have an error.
1913 static struct block *
1914 gen_ipnet_linktype(proto)
1920 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1921 (bpf_int32)IPH_AF_INET);
1924 case ETHERTYPE_IPV6:
1925 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1926 (bpf_int32)IPH_AF_INET6);
1937 * Generate code to match a particular packet type.
1939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1940 * value, if <= ETHERMTU. We use that to determine whether to
1941 * match the type field or to check the type field for the special
1942 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1944 static struct block *
1945 gen_linux_sll_linktype(proto)
1948 struct block *b0, *b1;
1954 case LLCSAP_NETBEUI:
1956 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1957 * so we check the DSAP and SSAP.
1959 * LLCSAP_IP checks for IP-over-802.2, rather
1960 * than IP-over-Ethernet or IP-over-SNAP.
1962 * XXX - should we check both the DSAP and the
1963 * SSAP, like this, or should we check just the
1964 * DSAP, as we do for other types <= ETHERMTU
1965 * (i.e., other SAP values)?
1967 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1968 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1969 ((proto << 8) | proto));
1975 * Ethernet_II frames, which are Ethernet
1976 * frames with a frame type of ETHERTYPE_IPX;
1978 * Ethernet_802.3 frames, which have a frame
1979 * type of LINUX_SLL_P_802_3;
1981 * Ethernet_802.2 frames, which are 802.3
1982 * frames with an 802.2 LLC header (i.e, have
1983 * a frame type of LINUX_SLL_P_802_2) and
1984 * with the IPX LSAP as the DSAP in the LLC
1987 * Ethernet_SNAP frames, which are 802.3
1988 * frames with an LLC header and a SNAP
1989 * header and with an OUI of 0x000000
1990 * (encapsulated Ethernet) and a protocol
1991 * ID of ETHERTYPE_IPX in the SNAP header.
1993 * First, do the checks on LINUX_SLL_P_802_2
1994 * frames; generate the check for either
1995 * Ethernet_802.2 or Ethernet_SNAP frames, and
1996 * then put a check for LINUX_SLL_P_802_2 frames
1999 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2000 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2002 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2006 * Now check for 802.3 frames and OR that with
2007 * the previous test.
2009 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2013 * Now add the check for Ethernet_II frames, and
2014 * do that before checking for the other frame
2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2018 (bpf_int32)ETHERTYPE_IPX);
2022 case ETHERTYPE_ATALK:
2023 case ETHERTYPE_AARP:
2025 * EtherTalk (AppleTalk protocols on Ethernet link
2026 * layer) may use 802.2 encapsulation.
2030 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2031 * we check for the 802.2 protocol type in the
2032 * "Ethernet type" field.
2034 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2037 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2038 * SNAP packets with an organization code of
2039 * 0x080007 (Apple, for Appletalk) and a protocol
2040 * type of ETHERTYPE_ATALK (Appletalk).
2042 * 802.2-encapsulated ETHERTYPE_AARP packets are
2043 * SNAP packets with an organization code of
2044 * 0x000000 (encapsulated Ethernet) and a protocol
2045 * type of ETHERTYPE_AARP (Appletalk ARP).
2047 if (proto == ETHERTYPE_ATALK)
2048 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2049 else /* proto == ETHERTYPE_AARP */
2050 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2054 * Check for Ethernet encapsulation (Ethertalk
2055 * phase 1?); we just check for the Ethernet
2058 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2064 if (proto <= ETHERMTU) {
2066 * This is an LLC SAP value, so the frames
2067 * that match would be 802.2 frames.
2068 * Check for the 802.2 protocol type
2069 * in the "Ethernet type" field, and
2070 * then check the DSAP.
2072 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2074 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2080 * This is an Ethernet type, so compare
2081 * the length/type field with it (if
2082 * the frame is an 802.2 frame, the length
2083 * field will be <= ETHERMTU, and, as
2084 * "proto" is > ETHERMTU, this test
2085 * will fail and the frame won't match,
2086 * which is what we want).
2088 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2094 static struct slist *
2095 gen_load_prism_llprefixlen()
2097 struct slist *s1, *s2;
2098 struct slist *sjeq_avs_cookie;
2099 struct slist *sjcommon;
2102 * This code is not compatible with the optimizer, as
2103 * we are generating jmp instructions within a normal
2104 * slist of instructions
2109 * Generate code to load the length of the radio header into
2110 * the register assigned to hold that length, if one has been
2111 * assigned. (If one hasn't been assigned, no code we've
2112 * generated uses that prefix, so we don't need to generate any
2115 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2116 * or always use the AVS header rather than the Prism header.
2117 * We load a 4-byte big-endian value at the beginning of the
2118 * raw packet data, and see whether, when masked with 0xFFFFF000,
2119 * it's equal to 0x80211000. If so, that indicates that it's
2120 * an AVS header (the masked-out bits are the version number).
2121 * Otherwise, it's a Prism header.
2123 * XXX - the Prism header is also, in theory, variable-length,
2124 * but no known software generates headers that aren't 144
2127 if (reg_off_ll != -1) {
2131 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2135 * AND it with 0xFFFFF000.
2137 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2138 s2->s.k = 0xFFFFF000;
2142 * Compare with 0x80211000.
2144 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2145 sjeq_avs_cookie->s.k = 0x80211000;
2146 sappend(s1, sjeq_avs_cookie);
2151 * The 4 bytes at an offset of 4 from the beginning of
2152 * the AVS header are the length of the AVS header.
2153 * That field is big-endian.
2155 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2158 sjeq_avs_cookie->s.jt = s2;
2161 * Now jump to the code to allocate a register
2162 * into which to save the header length and
2163 * store the length there. (The "jump always"
2164 * instruction needs to have the k field set;
2165 * it's added to the PC, so, as we're jumping
2166 * over a single instruction, it should be 1.)
2168 sjcommon = new_stmt(JMP(BPF_JA));
2170 sappend(s1, sjcommon);
2173 * Now for the code that handles the Prism header.
2174 * Just load the length of the Prism header (144)
2175 * into the A register. Have the test for an AVS
2176 * header branch here if we don't have an AVS header.
2178 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2181 sjeq_avs_cookie->s.jf = s2;
2184 * Now allocate a register to hold that value and store
2185 * it. The code for the AVS header will jump here after
2186 * loading the length of the AVS header.
2188 s2 = new_stmt(BPF_ST);
2189 s2->s.k = reg_off_ll;
2191 sjcommon->s.jf = s2;
2194 * Now move it into the X register.
2196 s2 = new_stmt(BPF_MISC|BPF_TAX);
2204 static struct slist *
2205 gen_load_avs_llprefixlen()
2207 struct slist *s1, *s2;
2210 * Generate code to load the length of the AVS header into
2211 * the register assigned to hold that length, if one has been
2212 * assigned. (If one hasn't been assigned, no code we've
2213 * generated uses that prefix, so we don't need to generate any
2216 if (reg_off_ll != -1) {
2218 * The 4 bytes at an offset of 4 from the beginning of
2219 * the AVS header are the length of the AVS header.
2220 * That field is big-endian.
2222 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2226 * Now allocate a register to hold that value and store
2229 s2 = new_stmt(BPF_ST);
2230 s2->s.k = reg_off_ll;
2234 * Now move it into the X register.
2236 s2 = new_stmt(BPF_MISC|BPF_TAX);
2244 static struct slist *
2245 gen_load_radiotap_llprefixlen()
2247 struct slist *s1, *s2;
2250 * Generate code to load the length of the radiotap header into
2251 * the register assigned to hold that length, if one has been
2252 * assigned. (If one hasn't been assigned, no code we've
2253 * generated uses that prefix, so we don't need to generate any
2256 if (reg_off_ll != -1) {
2258 * The 2 bytes at offsets of 2 and 3 from the beginning
2259 * of the radiotap header are the length of the radiotap
2260 * header; unfortunately, it's little-endian, so we have
2261 * to load it a byte at a time and construct the value.
2265 * Load the high-order byte, at an offset of 3, shift it
2266 * left a byte, and put the result in the X register.
2268 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2270 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2273 s2 = new_stmt(BPF_MISC|BPF_TAX);
2277 * Load the next byte, at an offset of 2, and OR the
2278 * value from the X register into it.
2280 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2283 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2287 * Now allocate a register to hold that value and store
2290 s2 = new_stmt(BPF_ST);
2291 s2->s.k = reg_off_ll;
2295 * Now move it into the X register.
2297 s2 = new_stmt(BPF_MISC|BPF_TAX);
2306 * At the moment we treat PPI as normal Radiotap encoded
2307 * packets. The difference is in the function that generates
2308 * the code at the beginning to compute the header length.
2309 * Since this code generator of PPI supports bare 802.11
2310 * encapsulation only (i.e. the encapsulated DLT should be
2311 * DLT_IEEE802_11) we generate code to check for this too;
2312 * that's done in finish_parse().
2314 static struct slist *
2315 gen_load_ppi_llprefixlen()
2317 struct slist *s1, *s2;
2320 * Generate code to load the length of the radiotap header
2321 * into the register assigned to hold that length, if one has
2324 if (reg_off_ll != -1) {
2326 * The 2 bytes at offsets of 2 and 3 from the beginning
2327 * of the radiotap header are the length of the radiotap
2328 * header; unfortunately, it's little-endian, so we have
2329 * to load it a byte at a time and construct the value.
2333 * Load the high-order byte, at an offset of 3, shift it
2334 * left a byte, and put the result in the X register.
2336 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2338 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2341 s2 = new_stmt(BPF_MISC|BPF_TAX);
2345 * Load the next byte, at an offset of 2, and OR the
2346 * value from the X register into it.
2348 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2351 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2355 * Now allocate a register to hold that value and store
2358 s2 = new_stmt(BPF_ST);
2359 s2->s.k = reg_off_ll;
2363 * Now move it into the X register.
2365 s2 = new_stmt(BPF_MISC|BPF_TAX);
2374 * Load a value relative to the beginning of the link-layer header after the 802.11
2375 * header, i.e. LLC_SNAP.
2376 * The link-layer header doesn't necessarily begin at the beginning
2377 * of the packet data; there might be a variable-length prefix containing
2378 * radio information.
2380 static struct slist *
2381 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2384 struct slist *sjset_data_frame_1;
2385 struct slist *sjset_data_frame_2;
2386 struct slist *sjset_qos;
2387 struct slist *sjset_radiotap_flags;
2388 struct slist *sjset_radiotap_tsft;
2389 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2390 struct slist *s_roundup;
2392 if (reg_off_macpl == -1) {
2394 * No register has been assigned to the offset of
2395 * the MAC-layer payload, which means nobody needs
2396 * it; don't bother computing it - just return
2397 * what we already have.
2403 * This code is not compatible with the optimizer, as
2404 * we are generating jmp instructions within a normal
2405 * slist of instructions
2410 * If "s" is non-null, it has code to arrange that the X register
2411 * contains the length of the prefix preceding the link-layer
2414 * Otherwise, the length of the prefix preceding the link-layer
2415 * header is "off_ll".
2419 * There is no variable-length header preceding the
2420 * link-layer header.
2422 * Load the length of the fixed-length prefix preceding
2423 * the link-layer header (if any) into the X register,
2424 * and store it in the reg_off_macpl register.
2425 * That length is off_ll.
2427 s = new_stmt(BPF_LDX|BPF_IMM);
2432 * The X register contains the offset of the beginning of the
2433 * link-layer header; add 24, which is the minimum length
2434 * of the MAC header for a data frame, to that, and store it
2435 * in reg_off_macpl, and then load the Frame Control field,
2436 * which is at the offset in the X register, with an indexed load.
2438 s2 = new_stmt(BPF_MISC|BPF_TXA);
2440 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2443 s2 = new_stmt(BPF_ST);
2444 s2->s.k = reg_off_macpl;
2447 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2452 * Check the Frame Control field to see if this is a data frame;
2453 * a data frame has the 0x08 bit (b3) in that field set and the
2454 * 0x04 bit (b2) clear.
2456 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2457 sjset_data_frame_1->s.k = 0x08;
2458 sappend(s, sjset_data_frame_1);
2461 * If b3 is set, test b2, otherwise go to the first statement of
2462 * the rest of the program.
2464 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2465 sjset_data_frame_2->s.k = 0x04;
2466 sappend(s, sjset_data_frame_2);
2467 sjset_data_frame_1->s.jf = snext;
2470 * If b2 is not set, this is a data frame; test the QoS bit.
2471 * Otherwise, go to the first statement of the rest of the
2474 sjset_data_frame_2->s.jt = snext;
2475 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2476 sjset_qos->s.k = 0x80; /* QoS bit */
2477 sappend(s, sjset_qos);
2480 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2482 * Otherwise, go to the first statement of the rest of the
2485 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2486 s2->s.k = reg_off_macpl;
2488 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2491 s2 = new_stmt(BPF_ST);
2492 s2->s.k = reg_off_macpl;
2496 * If we have a radiotap header, look at it to see whether
2497 * there's Atheros padding between the MAC-layer header
2500 * Note: all of the fields in the radiotap header are
2501 * little-endian, so we byte-swap all of the values
2502 * we test against, as they will be loaded as big-endian
2505 if (linktype == DLT_IEEE802_11_RADIO) {
2507 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2508 * in the presence flag?
2510 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2514 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2515 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2516 sappend(s, sjset_radiotap_flags);
2519 * If not, skip all of this.
2521 sjset_radiotap_flags->s.jf = snext;
2524 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2526 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2527 new_stmt(JMP(BPF_JSET));
2528 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2529 sappend(s, sjset_radiotap_tsft);
2532 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2533 * at an offset of 16 from the beginning of the raw packet
2534 * data (8 bytes for the radiotap header and 8 bytes for
2537 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2540 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2544 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2545 sjset_tsft_datapad->s.k = 0x20;
2546 sappend(s, sjset_tsft_datapad);
2549 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2550 * at an offset of 8 from the beginning of the raw packet
2551 * data (8 bytes for the radiotap header).
2553 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2556 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2560 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2561 sjset_notsft_datapad->s.k = 0x20;
2562 sappend(s, sjset_notsft_datapad);
2565 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2566 * set, round the length of the 802.11 header to
2567 * a multiple of 4. Do that by adding 3 and then
2568 * dividing by and multiplying by 4, which we do by
2571 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2572 s_roundup->s.k = reg_off_macpl;
2573 sappend(s, s_roundup);
2574 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2577 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2580 s2 = new_stmt(BPF_ST);
2581 s2->s.k = reg_off_macpl;
2584 sjset_tsft_datapad->s.jt = s_roundup;
2585 sjset_tsft_datapad->s.jf = snext;
2586 sjset_notsft_datapad->s.jt = s_roundup;
2587 sjset_notsft_datapad->s.jf = snext;
2589 sjset_qos->s.jf = snext;
2595 insert_compute_vloffsets(b)
2601 * For link-layer types that have a variable-length header
2602 * preceding the link-layer header, generate code to load
2603 * the offset of the link-layer header into the register
2604 * assigned to that offset, if any.
2608 case DLT_PRISM_HEADER:
2609 s = gen_load_prism_llprefixlen();
2612 case DLT_IEEE802_11_RADIO_AVS:
2613 s = gen_load_avs_llprefixlen();
2616 case DLT_IEEE802_11_RADIO:
2617 s = gen_load_radiotap_llprefixlen();
2621 s = gen_load_ppi_llprefixlen();
2630 * For link-layer types that have a variable-length link-layer
2631 * header, generate code to load the offset of the MAC-layer
2632 * payload into the register assigned to that offset, if any.
2636 case DLT_IEEE802_11:
2637 case DLT_PRISM_HEADER:
2638 case DLT_IEEE802_11_RADIO_AVS:
2639 case DLT_IEEE802_11_RADIO:
2641 s = gen_load_802_11_header_len(s, b->stmts);
2646 * If we have any offset-loading code, append all the
2647 * existing statements in the block to those statements,
2648 * and make the resulting list the list of statements
2652 sappend(s, b->stmts);
2657 static struct block *
2658 gen_ppi_dlt_check(void)
2660 struct slist *s_load_dlt;
2663 if (linktype == DLT_PPI)
2665 /* Create the statements that check for the DLT
2667 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2668 s_load_dlt->s.k = 4;
2670 b = new_block(JMP(BPF_JEQ));
2672 b->stmts = s_load_dlt;
2673 b->s.k = SWAPLONG(DLT_IEEE802_11);
2683 static struct slist *
2684 gen_prism_llprefixlen(void)
2688 if (reg_off_ll == -1) {
2690 * We haven't yet assigned a register for the length
2691 * of the radio header; allocate one.
2693 reg_off_ll = alloc_reg();
2697 * Load the register containing the radio length
2698 * into the X register.
2700 s = new_stmt(BPF_LDX|BPF_MEM);
2701 s->s.k = reg_off_ll;
2705 static struct slist *
2706 gen_avs_llprefixlen(void)
2710 if (reg_off_ll == -1) {
2712 * We haven't yet assigned a register for the length
2713 * of the AVS header; allocate one.
2715 reg_off_ll = alloc_reg();
2719 * Load the register containing the AVS length
2720 * into the X register.
2722 s = new_stmt(BPF_LDX|BPF_MEM);
2723 s->s.k = reg_off_ll;
2727 static struct slist *
2728 gen_radiotap_llprefixlen(void)
2732 if (reg_off_ll == -1) {
2734 * We haven't yet assigned a register for the length
2735 * of the radiotap header; allocate one.
2737 reg_off_ll = alloc_reg();
2741 * Load the register containing the radiotap length
2742 * into the X register.
2744 s = new_stmt(BPF_LDX|BPF_MEM);
2745 s->s.k = reg_off_ll;
2750 * At the moment we treat PPI as normal Radiotap encoded
2751 * packets. The difference is in the function that generates
2752 * the code at the beginning to compute the header length.
2753 * Since this code generator of PPI supports bare 802.11
2754 * encapsulation only (i.e. the encapsulated DLT should be
2755 * DLT_IEEE802_11) we generate code to check for this too.
2757 static struct slist *
2758 gen_ppi_llprefixlen(void)
2762 if (reg_off_ll == -1) {
2764 * We haven't yet assigned a register for the length
2765 * of the radiotap header; allocate one.
2767 reg_off_ll = alloc_reg();
2771 * Load the register containing the PPI length
2772 * into the X register.
2774 s = new_stmt(BPF_LDX|BPF_MEM);
2775 s->s.k = reg_off_ll;
2780 * Generate code to compute the link-layer header length, if necessary,
2781 * putting it into the X register, and to return either a pointer to a
2782 * "struct slist" for the list of statements in that code, or NULL if
2783 * no code is necessary.
2785 static struct slist *
2786 gen_llprefixlen(void)
2790 case DLT_PRISM_HEADER:
2791 return gen_prism_llprefixlen();
2793 case DLT_IEEE802_11_RADIO_AVS:
2794 return gen_avs_llprefixlen();
2796 case DLT_IEEE802_11_RADIO:
2797 return gen_radiotap_llprefixlen();
2800 return gen_ppi_llprefixlen();
2808 * Generate code to load the register containing the offset of the
2809 * MAC-layer payload into the X register; if no register for that offset
2810 * has been allocated, allocate it first.
2812 static struct slist *
2817 if (off_macpl_is_variable) {
2818 if (reg_off_macpl == -1) {
2820 * We haven't yet assigned a register for the offset
2821 * of the MAC-layer payload; allocate one.
2823 reg_off_macpl = alloc_reg();
2827 * Load the register containing the offset of the MAC-layer
2828 * payload into the X register.
2830 s = new_stmt(BPF_LDX|BPF_MEM);
2831 s->s.k = reg_off_macpl;
2835 * That offset isn't variable, so we don't need to
2836 * generate any code.
2843 * Map an Ethernet type to the equivalent PPP type.
2846 ethertype_to_ppptype(proto)
2855 case ETHERTYPE_IPV6:
2863 case ETHERTYPE_ATALK:
2877 * I'm assuming the "Bridging PDU"s that go
2878 * over PPP are Spanning Tree Protocol
2892 * Generate code to match a particular packet type by matching the
2893 * link-layer type field or fields in the 802.2 LLC header.
2895 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2896 * value, if <= ETHERMTU.
2898 static struct block *
2902 struct block *b0, *b1, *b2;
2904 /* are we checking MPLS-encapsulated packets? */
2905 if (label_stack_depth > 0) {
2909 /* FIXME add other L3 proto IDs */
2910 return gen_mpls_linktype(Q_IP);
2912 case ETHERTYPE_IPV6:
2914 /* FIXME add other L3 proto IDs */
2915 return gen_mpls_linktype(Q_IPV6);
2918 bpf_error("unsupported protocol over mpls");
2924 * Are we testing PPPoE packets?
2928 * The PPPoE session header is part of the
2929 * MAC-layer payload, so all references
2930 * should be relative to the beginning of
2935 * We use Ethernet protocol types inside libpcap;
2936 * map them to the corresponding PPP protocol types.
2938 proto = ethertype_to_ppptype(proto);
2939 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2945 case DLT_NETANALYZER:
2946 case DLT_NETANALYZER_TRANSPARENT:
2947 return gen_ether_linktype(proto);
2955 proto = (proto << 8 | LLCSAP_ISONS);
2959 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2966 case DLT_IEEE802_11:
2967 case DLT_PRISM_HEADER:
2968 case DLT_IEEE802_11_RADIO_AVS:
2969 case DLT_IEEE802_11_RADIO:
2972 * Check that we have a data frame.
2974 b0 = gen_check_802_11_data_frame();
2977 * Now check for the specified link-layer type.
2979 b1 = gen_llc_linktype(proto);
2987 * XXX - check for asynchronous frames, as per RFC 1103.
2989 return gen_llc_linktype(proto);
2995 * XXX - check for LLC PDUs, as per IEEE 802.5.
2997 return gen_llc_linktype(proto);
3001 case DLT_ATM_RFC1483:
3003 case DLT_IP_OVER_FC:
3004 return gen_llc_linktype(proto);
3010 * If "is_lane" is set, check for a LANE-encapsulated
3011 * version of this protocol, otherwise check for an
3012 * LLC-encapsulated version of this protocol.
3014 * We assume LANE means Ethernet, not Token Ring.
3018 * Check that the packet doesn't begin with an
3019 * LE Control marker. (We've already generated
3022 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3027 * Now generate an Ethernet test.
3029 b1 = gen_ether_linktype(proto);
3034 * Check for LLC encapsulation and then check the
3037 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3038 b1 = gen_llc_linktype(proto);
3046 return gen_linux_sll_linktype(proto);
3051 case DLT_SLIP_BSDOS:
3054 * These types don't provide any type field; packets
3055 * are always IPv4 or IPv6.
3057 * XXX - for IPv4, check for a version number of 4, and,
3058 * for IPv6, check for a version number of 6?
3063 /* Check for a version number of 4. */
3064 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3066 case ETHERTYPE_IPV6:
3067 /* Check for a version number of 6. */
3068 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3071 return gen_false(); /* always false */
3078 * Raw IPv4, so no type field.
3080 if (proto == ETHERTYPE_IP)
3081 return gen_true(); /* always true */
3083 /* Checking for something other than IPv4; always false */
3090 * Raw IPv6, so no type field.
3092 if (proto == ETHERTYPE_IPV6)
3093 return gen_true(); /* always true */
3095 /* Checking for something other than IPv6; always false */
3102 case DLT_PPP_SERIAL:
3105 * We use Ethernet protocol types inside libpcap;
3106 * map them to the corresponding PPP protocol types.
3108 proto = ethertype_to_ppptype(proto);
3109 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3115 * We use Ethernet protocol types inside libpcap;
3116 * map them to the corresponding PPP protocol types.
3122 * Also check for Van Jacobson-compressed IP.
3123 * XXX - do this for other forms of PPP?
3125 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3126 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3128 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3133 proto = ethertype_to_ppptype(proto);
3134 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3144 * For DLT_NULL, the link-layer header is a 32-bit
3145 * word containing an AF_ value in *host* byte order,
3146 * and for DLT_ENC, the link-layer header begins
3147 * with a 32-bit work containing an AF_ value in
3150 * In addition, if we're reading a saved capture file,
3151 * the host byte order in the capture may not be the
3152 * same as the host byte order on this machine.
3154 * For DLT_LOOP, the link-layer header is a 32-bit
3155 * word containing an AF_ value in *network* byte order.
3157 * XXX - AF_ values may, unfortunately, be platform-
3158 * dependent; for example, FreeBSD's AF_INET6 is 24
3159 * whilst NetBSD's and OpenBSD's is 26.
3161 * This means that, when reading a capture file, just
3162 * checking for our AF_INET6 value won't work if the
3163 * capture file came from another OS.
3172 case ETHERTYPE_IPV6:
3179 * Not a type on which we support filtering.
3180 * XXX - support those that have AF_ values
3181 * #defined on this platform, at least?
3186 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3188 * The AF_ value is in host byte order, but
3189 * the BPF interpreter will convert it to
3190 * network byte order.
3192 * If this is a save file, and it's from a
3193 * machine with the opposite byte order to
3194 * ours, we byte-swap the AF_ value.
3196 * Then we run it through "htonl()", and
3197 * generate code to compare against the result.
3199 if (bpf_pcap->sf.rfile != NULL &&
3200 bpf_pcap->sf.swapped)
3201 proto = SWAPLONG(proto);
3202 proto = htonl(proto);
3204 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3206 #ifdef HAVE_NET_PFVAR_H
3209 * af field is host byte order in contrast to the rest of
3212 if (proto == ETHERTYPE_IP)
3213 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3214 BPF_B, (bpf_int32)AF_INET));
3215 else if (proto == ETHERTYPE_IPV6)
3216 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3217 BPF_B, (bpf_int32)AF_INET6));
3222 #endif /* HAVE_NET_PFVAR_H */
3225 case DLT_ARCNET_LINUX:
3227 * XXX should we check for first fragment if the protocol
3235 case ETHERTYPE_IPV6:
3236 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3237 (bpf_int32)ARCTYPE_INET6));
3240 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3241 (bpf_int32)ARCTYPE_IP);
3242 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3243 (bpf_int32)ARCTYPE_IP_OLD);
3248 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3249 (bpf_int32)ARCTYPE_ARP);
3250 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3251 (bpf_int32)ARCTYPE_ARP_OLD);
3255 case ETHERTYPE_REVARP:
3256 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3257 (bpf_int32)ARCTYPE_REVARP));
3259 case ETHERTYPE_ATALK:
3260 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3261 (bpf_int32)ARCTYPE_ATALK));
3268 case ETHERTYPE_ATALK:
3278 * XXX - assumes a 2-byte Frame Relay header with
3279 * DLCI and flags. What if the address is longer?
3285 * Check for the special NLPID for IP.
3287 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3289 case ETHERTYPE_IPV6:
3291 * Check for the special NLPID for IPv6.
3293 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3297 * Check for several OSI protocols.
3299 * Frame Relay packets typically have an OSI
3300 * NLPID at the beginning; we check for each
3303 * What we check for is the NLPID and a frame
3304 * control field of UI, i.e. 0x03 followed
3307 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3308 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3309 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3321 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3323 case DLT_JUNIPER_MFR:
3324 case DLT_JUNIPER_MLFR:
3325 case DLT_JUNIPER_MLPPP:
3326 case DLT_JUNIPER_ATM1:
3327 case DLT_JUNIPER_ATM2:
3328 case DLT_JUNIPER_PPPOE:
3329 case DLT_JUNIPER_PPPOE_ATM:
3330 case DLT_JUNIPER_GGSN:
3331 case DLT_JUNIPER_ES:
3332 case DLT_JUNIPER_MONITOR:
3333 case DLT_JUNIPER_SERVICES:
3334 case DLT_JUNIPER_ETHER:
3335 case DLT_JUNIPER_PPP:
3336 case DLT_JUNIPER_FRELAY:
3337 case DLT_JUNIPER_CHDLC:
3338 case DLT_JUNIPER_VP:
3339 case DLT_JUNIPER_ST:
3340 case DLT_JUNIPER_ISM:
3341 case DLT_JUNIPER_VS:
3342 case DLT_JUNIPER_SRX_E2E:
3343 case DLT_JUNIPER_FIBRECHANNEL:
3344 case DLT_JUNIPER_ATM_CEMIC:
3346 /* just lets verify the magic number for now -
3347 * on ATM we may have up to 6 different encapsulations on the wire
3348 * and need a lot of heuristics to figure out that the payload
3351 * FIXME encapsulation specific BPF_ filters
3353 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3356 return gen_ipnet_linktype(proto);
3358 case DLT_LINUX_IRDA:
3359 bpf_error("IrDA link-layer type filtering not implemented");
3362 bpf_error("DOCSIS link-layer type filtering not implemented");
3365 case DLT_MTP2_WITH_PHDR:
3366 bpf_error("MTP2 link-layer type filtering not implemented");
3369 bpf_error("ERF link-layer type filtering not implemented");
3372 bpf_error("PFSYNC link-layer type filtering not implemented");
3374 case DLT_LINUX_LAPD:
3375 bpf_error("LAPD link-layer type filtering not implemented");
3379 case DLT_USB_LINUX_MMAPPED:
3380 bpf_error("USB link-layer type filtering not implemented");
3382 case DLT_BLUETOOTH_HCI_H4:
3383 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3384 bpf_error("Bluetooth link-layer type filtering not implemented");
3387 case DLT_CAN_SOCKETCAN:
3388 bpf_error("CAN link-layer type filtering not implemented");
3390 case DLT_IEEE802_15_4:
3391 case DLT_IEEE802_15_4_LINUX:
3392 case DLT_IEEE802_15_4_NONASK_PHY:
3393 case DLT_IEEE802_15_4_NOFCS:
3394 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3396 case DLT_IEEE802_16_MAC_CPS_RADIO:
3397 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3400 bpf_error("SITA link-layer type filtering not implemented");
3403 bpf_error("RAIF1 link-layer type filtering not implemented");
3406 bpf_error("IPMB link-layer type filtering not implemented");
3409 bpf_error("AX.25 link-layer type filtering not implemented");
3413 * All the types that have no encapsulation should either be
3414 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3415 * all packets are IP packets, or should be handled in some
3416 * special case, if none of them are (if some are and some
3417 * aren't, the lack of encapsulation is a problem, as we'd
3418 * have to find some other way of determining the packet type).
3420 * Therefore, if "off_linktype" is -1, there's an error.
3422 if (off_linktype == (u_int)-1)
3426 * Any type not handled above should always have an Ethernet
3427 * type at an offset of "off_linktype".
3429 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3433 * Check for an LLC SNAP packet with a given organization code and
3434 * protocol type; we check the entire contents of the 802.2 LLC and
3435 * snap headers, checking for DSAP and SSAP of SNAP and a control
3436 * field of 0x03 in the LLC header, and for the specified organization
3437 * code and protocol type in the SNAP header.
3439 static struct block *
3440 gen_snap(orgcode, ptype)
3441 bpf_u_int32 orgcode;
3444 u_char snapblock[8];
3446 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3447 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3448 snapblock[2] = 0x03; /* control = UI */
3449 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3450 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3451 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3452 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3453 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3454 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3458 * Generate code to match a particular packet type, for link-layer types
3459 * using 802.2 LLC headers.
3461 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3462 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3464 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3465 * value, if <= ETHERMTU. We use that to determine whether to
3466 * match the DSAP or both DSAP and LSAP or to check the OUI and
3467 * protocol ID in a SNAP header.
3469 static struct block *
3470 gen_llc_linktype(proto)
3474 * XXX - handle token-ring variable-length header.
3480 case LLCSAP_NETBEUI:
3482 * XXX - should we check both the DSAP and the
3483 * SSAP, like this, or should we check just the
3484 * DSAP, as we do for other types <= ETHERMTU
3485 * (i.e., other SAP values)?
3487 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3488 ((proto << 8) | proto));
3492 * XXX - are there ever SNAP frames for IPX on
3493 * non-Ethernet 802.x networks?
3495 return gen_cmp(OR_MACPL, 0, BPF_B,
3496 (bpf_int32)LLCSAP_IPX);
3498 case ETHERTYPE_ATALK:
3500 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3501 * SNAP packets with an organization code of
3502 * 0x080007 (Apple, for Appletalk) and a protocol
3503 * type of ETHERTYPE_ATALK (Appletalk).
3505 * XXX - check for an organization code of
3506 * encapsulated Ethernet as well?
3508 return gen_snap(0x080007, ETHERTYPE_ATALK);
3512 * XXX - we don't have to check for IPX 802.3
3513 * here, but should we check for the IPX Ethertype?
3515 if (proto <= ETHERMTU) {
3517 * This is an LLC SAP value, so check
3520 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3523 * This is an Ethernet type; we assume that it's
3524 * unlikely that it'll appear in the right place
3525 * at random, and therefore check only the
3526 * location that would hold the Ethernet type
3527 * in a SNAP frame with an organization code of
3528 * 0x000000 (encapsulated Ethernet).
3530 * XXX - if we were to check for the SNAP DSAP and
3531 * LSAP, as per XXX, and were also to check for an
3532 * organization code of 0x000000 (encapsulated
3533 * Ethernet), we'd do
3535 * return gen_snap(0x000000, proto);
3537 * here; for now, we don't, as per the above.
3538 * I don't know whether it's worth the extra CPU
3539 * time to do the right check or not.
3541 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3546 static struct block *
3547 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3551 u_int src_off, dst_off;
3553 struct block *b0, *b1;
3567 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3568 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3574 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3575 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3582 b0 = gen_linktype(proto);
3583 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3589 static struct block *
3590 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3591 struct in6_addr *addr;
3592 struct in6_addr *mask;
3594 u_int src_off, dst_off;
3596 struct block *b0, *b1;
3611 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3612 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3618 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3619 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3626 /* this order is important */
3627 a = (u_int32_t *)addr;
3628 m = (u_int32_t *)mask;
3629 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3630 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3632 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3634 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3636 b0 = gen_linktype(proto);
3642 static struct block *
3643 gen_ehostop(eaddr, dir)
3644 register const u_char *eaddr;
3647 register struct block *b0, *b1;
3651 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3654 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3657 b0 = gen_ehostop(eaddr, Q_SRC);
3658 b1 = gen_ehostop(eaddr, Q_DST);
3664 b0 = gen_ehostop(eaddr, Q_SRC);
3665 b1 = gen_ehostop(eaddr, Q_DST);
3670 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3674 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3678 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3682 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3686 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3690 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3698 * Like gen_ehostop, but for DLT_FDDI
3700 static struct block *
3701 gen_fhostop(eaddr, dir)
3702 register const u_char *eaddr;
3705 struct block *b0, *b1;
3710 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3712 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3717 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3719 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3723 b0 = gen_fhostop(eaddr, Q_SRC);
3724 b1 = gen_fhostop(eaddr, Q_DST);
3730 b0 = gen_fhostop(eaddr, Q_SRC);
3731 b1 = gen_fhostop(eaddr, Q_DST);
3736 bpf_error("'addr1' is only supported on 802.11");
3740 bpf_error("'addr2' is only supported on 802.11");
3744 bpf_error("'addr3' is only supported on 802.11");
3748 bpf_error("'addr4' is only supported on 802.11");
3752 bpf_error("'ra' is only supported on 802.11");
3756 bpf_error("'ta' is only supported on 802.11");
3764 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3766 static struct block *
3767 gen_thostop(eaddr, dir)
3768 register const u_char *eaddr;
3771 register struct block *b0, *b1;
3775 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3778 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3781 b0 = gen_thostop(eaddr, Q_SRC);
3782 b1 = gen_thostop(eaddr, Q_DST);
3788 b0 = gen_thostop(eaddr, Q_SRC);
3789 b1 = gen_thostop(eaddr, Q_DST);
3794 bpf_error("'addr1' is only supported on 802.11");
3798 bpf_error("'addr2' is only supported on 802.11");
3802 bpf_error("'addr3' is only supported on 802.11");
3806 bpf_error("'addr4' is only supported on 802.11");
3810 bpf_error("'ra' is only supported on 802.11");
3814 bpf_error("'ta' is only supported on 802.11");
3822 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3823 * various 802.11 + radio headers.
3825 static struct block *
3826 gen_wlanhostop(eaddr, dir)
3827 register const u_char *eaddr;
3830 register struct block *b0, *b1, *b2;
3831 register struct slist *s;
3833 #ifdef ENABLE_WLAN_FILTERING_PATCH
3836 * We need to disable the optimizer because the optimizer is buggy
3837 * and wipes out some LD instructions generated by the below
3838 * code to validate the Frame Control bits
3841 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3848 * For control frames, there is no SA.
3850 * For management frames, SA is at an
3851 * offset of 10 from the beginning of
3854 * For data frames, SA is at an offset
3855 * of 10 from the beginning of the packet
3856 * if From DS is clear, at an offset of
3857 * 16 from the beginning of the packet
3858 * if From DS is set and To DS is clear,
3859 * and an offset of 24 from the beginning
3860 * of the packet if From DS is set and To DS
3865 * Generate the tests to be done for data frames
3868 * First, check for To DS set, i.e. check "link[1] & 0x01".
3870 s = gen_load_a(OR_LINK, 1, BPF_B);
3871 b1 = new_block(JMP(BPF_JSET));
3872 b1->s.k = 0x01; /* To DS */
3876 * If To DS is set, the SA is at 24.
3878 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3882 * Now, check for To DS not set, i.e. check
3883 * "!(link[1] & 0x01)".
3885 s = gen_load_a(OR_LINK, 1, BPF_B);
3886 b2 = new_block(JMP(BPF_JSET));
3887 b2->s.k = 0x01; /* To DS */
3892 * If To DS is not set, the SA is at 16.
3894 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3898 * Now OR together the last two checks. That gives
3899 * the complete set of checks for data frames with
3905 * Now check for From DS being set, and AND that with
3906 * the ORed-together checks.
3908 s = gen_load_a(OR_LINK, 1, BPF_B);
3909 b1 = new_block(JMP(BPF_JSET));
3910 b1->s.k = 0x02; /* From DS */
3915 * Now check for data frames with From DS not set.
3917 s = gen_load_a(OR_LINK, 1, BPF_B);
3918 b2 = new_block(JMP(BPF_JSET));
3919 b2->s.k = 0x02; /* From DS */
3924 * If From DS isn't set, the SA is at 10.
3926 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3930 * Now OR together the checks for data frames with
3931 * From DS not set and for data frames with From DS
3932 * set; that gives the checks done for data frames.
3937 * Now check for a data frame.
3938 * I.e, check "link[0] & 0x08".
3940 s = gen_load_a(OR_LINK, 0, BPF_B);
3941 b1 = new_block(JMP(BPF_JSET));
3946 * AND that with the checks done for data frames.
3951 * If the high-order bit of the type value is 0, this
3952 * is a management frame.
3953 * I.e, check "!(link[0] & 0x08)".
3955 s = gen_load_a(OR_LINK, 0, BPF_B);
3956 b2 = new_block(JMP(BPF_JSET));
3962 * For management frames, the SA is at 10.
3964 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3968 * OR that with the checks done for data frames.
3969 * That gives the checks done for management and
3975 * If the low-order bit of the type value is 1,
3976 * this is either a control frame or a frame
3977 * with a reserved type, and thus not a
3980 * I.e., check "!(link[0] & 0x04)".
3982 s = gen_load_a(OR_LINK, 0, BPF_B);
3983 b1 = new_block(JMP(BPF_JSET));
3989 * AND that with the checks for data and management
3999 * For control frames, there is no DA.
4001 * For management frames, DA is at an
4002 * offset of 4 from the beginning of
4005 * For data frames, DA is at an offset
4006 * of 4 from the beginning of the packet
4007 * if To DS is clear and at an offset of
4008 * 16 from the beginning of the packet
4013 * Generate the tests to be done for data frames.
4015 * First, check for To DS set, i.e. "link[1] & 0x01".
4017 s = gen_load_a(OR_LINK, 1, BPF_B);
4018 b1 = new_block(JMP(BPF_JSET));
4019 b1->s.k = 0x01; /* To DS */
4023 * If To DS is set, the DA is at 16.
4025 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4029 * Now, check for To DS not set, i.e. check
4030 * "!(link[1] & 0x01)".
4032 s = gen_load_a(OR_LINK, 1, BPF_B);
4033 b2 = new_block(JMP(BPF_JSET));
4034 b2->s.k = 0x01; /* To DS */
4039 * If To DS is not set, the DA is at 4.
4041 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4045 * Now OR together the last two checks. That gives
4046 * the complete set of checks for data frames.
4051 * Now check for a data frame.
4052 * I.e, check "link[0] & 0x08".
4054 s = gen_load_a(OR_LINK, 0, BPF_B);
4055 b1 = new_block(JMP(BPF_JSET));
4060 * AND that with the checks done for data frames.
4065 * If the high-order bit of the type value is 0, this
4066 * is a management frame.
4067 * I.e, check "!(link[0] & 0x08)".
4069 s = gen_load_a(OR_LINK, 0, BPF_B);
4070 b2 = new_block(JMP(BPF_JSET));
4076 * For management frames, the DA is at 4.
4078 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4082 * OR that with the checks done for data frames.
4083 * That gives the checks done for management and
4089 * If the low-order bit of the type value is 1,
4090 * this is either a control frame or a frame
4091 * with a reserved type, and thus not a
4094 * I.e., check "!(link[0] & 0x04)".
4096 s = gen_load_a(OR_LINK, 0, BPF_B);
4097 b1 = new_block(JMP(BPF_JSET));
4103 * AND that with the checks for data and management
4111 * Not present in management frames; addr1 in other
4116 * If the high-order bit of the type value is 0, this
4117 * is a management frame.
4118 * I.e, check "(link[0] & 0x08)".
4120 s = gen_load_a(OR_LINK, 0, BPF_B);
4121 b1 = new_block(JMP(BPF_JSET));
4128 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4131 * AND that with the check of addr1.
4138 * Not present in management frames; addr2, if present,
4143 * Not present in CTS or ACK control frames.
4145 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4146 IEEE80211_FC0_TYPE_MASK);
4148 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4149 IEEE80211_FC0_SUBTYPE_MASK);
4151 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4152 IEEE80211_FC0_SUBTYPE_MASK);
4158 * If the high-order bit of the type value is 0, this
4159 * is a management frame.
4160 * I.e, check "(link[0] & 0x08)".
4162 s = gen_load_a(OR_LINK, 0, BPF_B);
4163 b1 = new_block(JMP(BPF_JSET));
4168 * AND that with the check for frames other than
4169 * CTS and ACK frames.
4176 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4181 * XXX - add BSSID keyword?
4184 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4188 * Not present in CTS or ACK control frames.
4190 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4191 IEEE80211_FC0_TYPE_MASK);
4193 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4194 IEEE80211_FC0_SUBTYPE_MASK);
4196 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4197 IEEE80211_FC0_SUBTYPE_MASK);
4201 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4207 * Not present in control frames.
4209 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4210 IEEE80211_FC0_TYPE_MASK);
4212 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4218 * Present only if the direction mask has both "From DS"
4219 * and "To DS" set. Neither control frames nor management
4220 * frames should have both of those set, so we don't
4221 * check the frame type.
4223 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4224 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4225 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4230 b0 = gen_wlanhostop(eaddr, Q_SRC);
4231 b1 = gen_wlanhostop(eaddr, Q_DST);
4237 b0 = gen_wlanhostop(eaddr, Q_SRC);
4238 b1 = gen_wlanhostop(eaddr, Q_DST);
4247 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4248 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4249 * as the RFC states.)
4251 static struct block *
4252 gen_ipfchostop(eaddr, dir)
4253 register const u_char *eaddr;
4256 register struct block *b0, *b1;
4260 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4263 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4266 b0 = gen_ipfchostop(eaddr, Q_SRC);
4267 b1 = gen_ipfchostop(eaddr, Q_DST);
4273 b0 = gen_ipfchostop(eaddr, Q_SRC);
4274 b1 = gen_ipfchostop(eaddr, Q_DST);
4279 bpf_error("'addr1' is only supported on 802.11");
4283 bpf_error("'addr2' is only supported on 802.11");
4287 bpf_error("'addr3' is only supported on 802.11");
4291 bpf_error("'addr4' is only supported on 802.11");
4295 bpf_error("'ra' is only supported on 802.11");
4299 bpf_error("'ta' is only supported on 802.11");
4307 * This is quite tricky because there may be pad bytes in front of the
4308 * DECNET header, and then there are two possible data packet formats that
4309 * carry both src and dst addresses, plus 5 packet types in a format that
4310 * carries only the src node, plus 2 types that use a different format and
4311 * also carry just the src node.
4315 * Instead of doing those all right, we just look for data packets with
4316 * 0 or 1 bytes of padding. If you want to look at other packets, that
4317 * will require a lot more hacking.
4319 * To add support for filtering on DECNET "areas" (network numbers)
4320 * one would want to add a "mask" argument to this routine. That would
4321 * make the filter even more inefficient, although one could be clever
4322 * and not generate masking instructions if the mask is 0xFFFF.
4324 static struct block *
4325 gen_dnhostop(addr, dir)
4329 struct block *b0, *b1, *b2, *tmp;
4330 u_int offset_lh; /* offset if long header is received */
4331 u_int offset_sh; /* offset if short header is received */
4336 offset_sh = 1; /* follows flags */
4337 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4341 offset_sh = 3; /* follows flags, dstnode */
4342 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4346 /* Inefficient because we do our Calvinball dance twice */
4347 b0 = gen_dnhostop(addr, Q_SRC);
4348 b1 = gen_dnhostop(addr, Q_DST);
4354 /* Inefficient because we do our Calvinball dance twice */
4355 b0 = gen_dnhostop(addr, Q_SRC);
4356 b1 = gen_dnhostop(addr, Q_DST);
4361 bpf_error("ISO host filtering not implemented");
4366 b0 = gen_linktype(ETHERTYPE_DN);
4367 /* Check for pad = 1, long header case */
4368 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4369 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4370 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4371 BPF_H, (bpf_int32)ntohs((u_short)addr));
4373 /* Check for pad = 0, long header case */
4374 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4375 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4378 /* Check for pad = 1, short header case */
4379 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4380 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4381 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4384 /* Check for pad = 0, short header case */
4385 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4386 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4390 /* Combine with test for linktype */
4396 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4397 * test the bottom-of-stack bit, and then check the version number
4398 * field in the IP header.
4400 static struct block *
4401 gen_mpls_linktype(proto)
4404 struct block *b0, *b1;
4409 /* match the bottom-of-stack bit */
4410 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4411 /* match the IPv4 version number */
4412 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4417 /* match the bottom-of-stack bit */
4418 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4419 /* match the IPv4 version number */
4420 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4429 static struct block *
4430 gen_host(addr, mask, proto, dir, type)
4437 struct block *b0, *b1;
4438 const char *typestr;
4448 b0 = gen_host(addr, mask, Q_IP, dir, type);
4450 * Only check for non-IPv4 addresses if we're not
4451 * checking MPLS-encapsulated packets.
4453 if (label_stack_depth == 0) {
4454 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4456 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4462 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4465 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4468 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4471 bpf_error("'tcp' modifier applied to %s", typestr);
4474 bpf_error("'sctp' modifier applied to %s", typestr);
4477 bpf_error("'udp' modifier applied to %s", typestr);
4480 bpf_error("'icmp' modifier applied to %s", typestr);
4483 bpf_error("'igmp' modifier applied to %s", typestr);
4486 bpf_error("'igrp' modifier applied to %s", typestr);
4489 bpf_error("'pim' modifier applied to %s", typestr);
4492 bpf_error("'vrrp' modifier applied to %s", typestr);
4495 bpf_error("'carp' modifier applied to %s", typestr);
4498 bpf_error("ATALK host filtering not implemented");
4501 bpf_error("AARP host filtering not implemented");
4504 return gen_dnhostop(addr, dir);
4507 bpf_error("SCA host filtering not implemented");
4510 bpf_error("LAT host filtering not implemented");
4513 bpf_error("MOPDL host filtering not implemented");
4516 bpf_error("MOPRC host filtering not implemented");
4519 bpf_error("'ip6' modifier applied to ip host");
4522 bpf_error("'icmp6' modifier applied to %s", typestr);
4525 bpf_error("'ah' modifier applied to %s", typestr);
4528 bpf_error("'esp' modifier applied to %s", typestr);
4531 bpf_error("ISO host filtering not implemented");
4534 bpf_error("'esis' modifier applied to %s", typestr);
4537 bpf_error("'isis' modifier applied to %s", typestr);
4540 bpf_error("'clnp' modifier applied to %s", typestr);
4543 bpf_error("'stp' modifier applied to %s", typestr);
4546 bpf_error("IPX host filtering not implemented");
4549 bpf_error("'netbeui' modifier applied to %s", typestr);
4552 bpf_error("'radio' modifier applied to %s", typestr);
4561 static struct block *
4562 gen_host6(addr, mask, proto, dir, type)
4563 struct in6_addr *addr;
4564 struct in6_addr *mask;
4569 const char *typestr;
4579 return gen_host6(addr, mask, Q_IPV6, dir, type);
4582 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4585 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4588 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4591 bpf_error("'sctp' modifier applied to %s", typestr);
4594 bpf_error("'tcp' modifier applied to %s", typestr);
4597 bpf_error("'udp' modifier applied to %s", typestr);
4600 bpf_error("'icmp' modifier applied to %s", typestr);
4603 bpf_error("'igmp' modifier applied to %s", typestr);
4606 bpf_error("'igrp' modifier applied to %s", typestr);
4609 bpf_error("'pim' modifier applied to %s", typestr);
4612 bpf_error("'vrrp' modifier applied to %s", typestr);
4615 bpf_error("'carp' modifier applied to %s", typestr);
4618 bpf_error("ATALK host filtering not implemented");
4621 bpf_error("AARP host filtering not implemented");
4624 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4627 bpf_error("SCA host filtering not implemented");
4630 bpf_error("LAT host filtering not implemented");
4633 bpf_error("MOPDL host filtering not implemented");
4636 bpf_error("MOPRC host filtering not implemented");
4639 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4642 bpf_error("'icmp6' modifier applied to %s", typestr);
4645 bpf_error("'ah' modifier applied to %s", typestr);
4648 bpf_error("'esp' modifier applied to %s", typestr);
4651 bpf_error("ISO host filtering not implemented");
4654 bpf_error("'esis' modifier applied to %s", typestr);
4657 bpf_error("'isis' modifier applied to %s", typestr);
4660 bpf_error("'clnp' modifier applied to %s", typestr);
4663 bpf_error("'stp' modifier applied to %s", typestr);
4666 bpf_error("IPX host filtering not implemented");
4669 bpf_error("'netbeui' modifier applied to %s", typestr);
4672 bpf_error("'radio' modifier applied to %s", typestr);
4682 static struct block *
4683 gen_gateway(eaddr, alist, proto, dir)
4684 const u_char *eaddr;
4685 bpf_u_int32 **alist;
4689 struct block *b0, *b1, *tmp;
4692 bpf_error("direction applied to 'gateway'");
4701 case DLT_NETANALYZER:
4702 case DLT_NETANALYZER_TRANSPARENT:
4703 b0 = gen_ehostop(eaddr, Q_OR);
4706 b0 = gen_fhostop(eaddr, Q_OR);
4709 b0 = gen_thostop(eaddr, Q_OR);
4711 case DLT_IEEE802_11:
4712 case DLT_PRISM_HEADER:
4713 case DLT_IEEE802_11_RADIO_AVS:
4714 case DLT_IEEE802_11_RADIO:
4716 b0 = gen_wlanhostop(eaddr, Q_OR);
4721 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4723 * Check that the packet doesn't begin with an
4724 * LE Control marker. (We've already generated
4727 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4732 * Now check the MAC address.
4734 b0 = gen_ehostop(eaddr, Q_OR);
4737 case DLT_IP_OVER_FC:
4738 b0 = gen_ipfchostop(eaddr, Q_OR);
4742 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4744 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4746 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4755 bpf_error("illegal modifier of 'gateway'");
4761 gen_proto_abbrev(proto)
4770 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4771 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4776 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4777 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4782 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4783 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4788 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4791 #ifndef IPPROTO_IGMP
4792 #define IPPROTO_IGMP 2
4796 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4799 #ifndef IPPROTO_IGRP
4800 #define IPPROTO_IGRP 9
4803 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4807 #define IPPROTO_PIM 103
4811 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4812 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4816 #ifndef IPPROTO_VRRP
4817 #define IPPROTO_VRRP 112
4821 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4824 #ifndef IPPROTO_CARP
4825 #define IPPROTO_CARP 112
4829 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4833 b1 = gen_linktype(ETHERTYPE_IP);
4837 b1 = gen_linktype(ETHERTYPE_ARP);
4841 b1 = gen_linktype(ETHERTYPE_REVARP);
4845 bpf_error("link layer applied in wrong context");
4848 b1 = gen_linktype(ETHERTYPE_ATALK);
4852 b1 = gen_linktype(ETHERTYPE_AARP);
4856 b1 = gen_linktype(ETHERTYPE_DN);
4860 b1 = gen_linktype(ETHERTYPE_SCA);
4864 b1 = gen_linktype(ETHERTYPE_LAT);
4868 b1 = gen_linktype(ETHERTYPE_MOPDL);
4872 b1 = gen_linktype(ETHERTYPE_MOPRC);
4876 b1 = gen_linktype(ETHERTYPE_IPV6);
4879 #ifndef IPPROTO_ICMPV6
4880 #define IPPROTO_ICMPV6 58
4883 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4887 #define IPPROTO_AH 51
4890 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4891 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4896 #define IPPROTO_ESP 50
4899 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4900 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4905 b1 = gen_linktype(LLCSAP_ISONS);
4909 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4913 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4916 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4917 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4918 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4920 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4922 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4924 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4928 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4929 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4930 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4932 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4934 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4936 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4940 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4941 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4942 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4944 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4949 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4950 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4955 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4956 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4958 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4960 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4965 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4966 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4971 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4972 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4977 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4981 b1 = gen_linktype(LLCSAP_8021D);
4985 b1 = gen_linktype(LLCSAP_IPX);
4989 b1 = gen_linktype(LLCSAP_NETBEUI);
4993 bpf_error("'radio' is not a valid protocol type");
5001 static struct block *
5007 /* not IPv4 frag other than the first frag */
5008 s = gen_load_a(OR_NET, 6, BPF_H);
5009 b = new_block(JMP(BPF_JSET));
5018 * Generate a comparison to a port value in the transport-layer header
5019 * at the specified offset from the beginning of that header.
5021 * XXX - this handles a variable-length prefix preceding the link-layer
5022 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5023 * variable-length link-layer headers (such as Token Ring or 802.11
5026 static struct block *
5027 gen_portatom(off, v)
5031 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5034 static struct block *
5035 gen_portatom6(off, v)
5039 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5043 gen_portop(port, proto, dir)
5044 int port, proto, dir;
5046 struct block *b0, *b1, *tmp;
5048 /* ip proto 'proto' and not a fragment other than the first fragment */
5049 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5055 b1 = gen_portatom(0, (bpf_int32)port);
5059 b1 = gen_portatom(2, (bpf_int32)port);
5064 tmp = gen_portatom(0, (bpf_int32)port);
5065 b1 = gen_portatom(2, (bpf_int32)port);
5070 tmp = gen_portatom(0, (bpf_int32)port);
5071 b1 = gen_portatom(2, (bpf_int32)port);
5083 static struct block *
5084 gen_port(port, ip_proto, dir)
5089 struct block *b0, *b1, *tmp;
5094 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5095 * not LLC encapsulation with LLCSAP_IP.
5097 * For IEEE 802 networks - which includes 802.5 token ring
5098 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5099 * says that SNAP encapsulation is used, not LLC encapsulation
5102 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5103 * RFC 2225 say that SNAP encapsulation is used, not LLC
5104 * encapsulation with LLCSAP_IP.
5106 * So we always check for ETHERTYPE_IP.
5108 b0 = gen_linktype(ETHERTYPE_IP);
5114 b1 = gen_portop(port, ip_proto, dir);
5118 tmp = gen_portop(port, IPPROTO_TCP, dir);
5119 b1 = gen_portop(port, IPPROTO_UDP, dir);
5121 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5133 gen_portop6(port, proto, dir)
5134 int port, proto, dir;
5136 struct block *b0, *b1, *tmp;
5138 /* ip6 proto 'proto' */
5139 /* XXX - catch the first fragment of a fragmented packet? */
5140 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5144 b1 = gen_portatom6(0, (bpf_int32)port);
5148 b1 = gen_portatom6(2, (bpf_int32)port);
5153 tmp = gen_portatom6(0, (bpf_int32)port);
5154 b1 = gen_portatom6(2, (bpf_int32)port);
5159 tmp = gen_portatom6(0, (bpf_int32)port);
5160 b1 = gen_portatom6(2, (bpf_int32)port);
5172 static struct block *
5173 gen_port6(port, ip_proto, dir)
5178 struct block *b0, *b1, *tmp;
5180 /* link proto ip6 */
5181 b0 = gen_linktype(ETHERTYPE_IPV6);
5187 b1 = gen_portop6(port, ip_proto, dir);
5191 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5192 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5194 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5205 /* gen_portrange code */
5206 static struct block *
5207 gen_portrangeatom(off, v1, v2)
5211 struct block *b1, *b2;
5215 * Reverse the order of the ports, so v1 is the lower one.
5224 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5225 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5233 gen_portrangeop(port1, port2, proto, dir)
5238 struct block *b0, *b1, *tmp;
5240 /* ip proto 'proto' and not a fragment other than the first fragment */
5241 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5247 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5251 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5256 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5257 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5262 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5263 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5275 static struct block *
5276 gen_portrange(port1, port2, ip_proto, dir)
5281 struct block *b0, *b1, *tmp;
5284 b0 = gen_linktype(ETHERTYPE_IP);
5290 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5294 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5295 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5297 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5308 static struct block *
5309 gen_portrangeatom6(off, v1, v2)
5313 struct block *b1, *b2;
5317 * Reverse the order of the ports, so v1 is the lower one.
5326 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5327 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5335 gen_portrangeop6(port1, port2, proto, dir)
5340 struct block *b0, *b1, *tmp;
5342 /* ip6 proto 'proto' */
5343 /* XXX - catch the first fragment of a fragmented packet? */
5344 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5348 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5352 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5357 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5358 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5363 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5364 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5376 static struct block *
5377 gen_portrange6(port1, port2, ip_proto, dir)
5382 struct block *b0, *b1, *tmp;
5384 /* link proto ip6 */
5385 b0 = gen_linktype(ETHERTYPE_IPV6);
5391 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5395 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5396 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5398 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5410 lookup_proto(name, proto)
5411 register const char *name;
5421 v = pcap_nametoproto(name);
5422 if (v == PROTO_UNDEF)
5423 bpf_error("unknown ip proto '%s'", name);
5427 /* XXX should look up h/w protocol type based on linktype */
5428 v = pcap_nametoeproto(name);
5429 if (v == PROTO_UNDEF) {
5430 v = pcap_nametollc(name);
5431 if (v == PROTO_UNDEF)
5432 bpf_error("unknown ether proto '%s'", name);
5437 if (strcmp(name, "esis") == 0)
5439 else if (strcmp(name, "isis") == 0)
5441 else if (strcmp(name, "clnp") == 0)
5444 bpf_error("unknown osi proto '%s'", name);
5464 static struct block *
5465 gen_protochain(v, proto, dir)
5470 #ifdef NO_PROTOCHAIN
5471 return gen_proto(v, proto, dir);
5473 struct block *b0, *b;
5474 struct slist *s[100];
5475 int fix2, fix3, fix4, fix5;
5476 int ahcheck, again, end;
5478 int reg2 = alloc_reg();
5480 memset(s, 0, sizeof(s));
5481 fix2 = fix3 = fix4 = fix5 = 0;
5488 b0 = gen_protochain(v, Q_IP, dir);
5489 b = gen_protochain(v, Q_IPV6, dir);
5493 bpf_error("bad protocol applied for 'protochain'");
5498 * We don't handle variable-length prefixes before the link-layer
5499 * header, or variable-length link-layer headers, here yet.
5500 * We might want to add BPF instructions to do the protochain
5501 * work, to simplify that and, on platforms that have a BPF
5502 * interpreter with the new instructions, let the filtering
5503 * be done in the kernel. (We already require a modified BPF
5504 * engine to do the protochain stuff, to support backward
5505 * branches, and backward branch support is unlikely to appear
5506 * in kernel BPF engines.)
5510 case DLT_IEEE802_11:
5511 case DLT_PRISM_HEADER:
5512 case DLT_IEEE802_11_RADIO_AVS:
5513 case DLT_IEEE802_11_RADIO:
5515 bpf_error("'protochain' not supported with 802.11");
5518 no_optimize = 1; /*this code is not compatible with optimzer yet */
5521 * s[0] is a dummy entry to protect other BPF insn from damage
5522 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5523 * hard to find interdependency made by jump table fixup.
5526 s[i] = new_stmt(0); /*dummy*/
5531 b0 = gen_linktype(ETHERTYPE_IP);
5534 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5535 s[i]->s.k = off_macpl + off_nl + 9;
5537 /* X = ip->ip_hl << 2 */
5538 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5539 s[i]->s.k = off_macpl + off_nl;
5544 b0 = gen_linktype(ETHERTYPE_IPV6);
5546 /* A = ip6->ip_nxt */
5547 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5548 s[i]->s.k = off_macpl + off_nl + 6;
5550 /* X = sizeof(struct ip6_hdr) */
5551 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5557 bpf_error("unsupported proto to gen_protochain");
5561 /* again: if (A == v) goto end; else fall through; */
5563 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5565 s[i]->s.jt = NULL; /*later*/
5566 s[i]->s.jf = NULL; /*update in next stmt*/
5570 #ifndef IPPROTO_NONE
5571 #define IPPROTO_NONE 59
5573 /* if (A == IPPROTO_NONE) goto end */
5574 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5575 s[i]->s.jt = NULL; /*later*/
5576 s[i]->s.jf = NULL; /*update in next stmt*/
5577 s[i]->s.k = IPPROTO_NONE;
5578 s[fix5]->s.jf = s[i];
5582 if (proto == Q_IPV6) {
5583 int v6start, v6end, v6advance, j;
5586 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5587 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5588 s[i]->s.jt = NULL; /*later*/
5589 s[i]->s.jf = NULL; /*update in next stmt*/
5590 s[i]->s.k = IPPROTO_HOPOPTS;
5591 s[fix2]->s.jf = s[i];
5593 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5594 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5595 s[i]->s.jt = NULL; /*later*/
5596 s[i]->s.jf = NULL; /*update in next stmt*/
5597 s[i]->s.k = IPPROTO_DSTOPTS;
5599 /* if (A == IPPROTO_ROUTING) goto v6advance */
5600 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5601 s[i]->s.jt = NULL; /*later*/
5602 s[i]->s.jf = NULL; /*update in next stmt*/
5603 s[i]->s.k = IPPROTO_ROUTING;
5605 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5606 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5607 s[i]->s.jt = NULL; /*later*/
5608 s[i]->s.jf = NULL; /*later*/
5609 s[i]->s.k = IPPROTO_FRAGMENT;
5619 * A = P[X + packet head];
5620 * X = X + (P[X + packet head + 1] + 1) * 8;
5622 /* A = P[X + packet head] */
5623 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5624 s[i]->s.k = off_macpl + off_nl;
5627 s[i] = new_stmt(BPF_ST);
5630 /* A = P[X + packet head + 1]; */
5631 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5632 s[i]->s.k = off_macpl + off_nl + 1;
5635 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5639 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5643 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5647 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5650 s[i] = new_stmt(BPF_LD|BPF_MEM);
5654 /* goto again; (must use BPF_JA for backward jump) */
5655 s[i] = new_stmt(BPF_JMP|BPF_JA);
5656 s[i]->s.k = again - i - 1;
5657 s[i - 1]->s.jf = s[i];
5661 for (j = v6start; j <= v6end; j++)
5662 s[j]->s.jt = s[v6advance];
5665 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5667 s[fix2]->s.jf = s[i];
5673 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5674 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5675 s[i]->s.jt = NULL; /*later*/
5676 s[i]->s.jf = NULL; /*later*/
5677 s[i]->s.k = IPPROTO_AH;
5679 s[fix3]->s.jf = s[ahcheck];
5686 * X = X + (P[X + 1] + 2) * 4;
5689 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5691 /* A = P[X + packet head]; */
5692 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5693 s[i]->s.k = off_macpl + off_nl;
5696 s[i] = new_stmt(BPF_ST);
5700 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5703 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5707 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5709 /* A = P[X + packet head] */
5710 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5711 s[i]->s.k = off_macpl + off_nl;
5714 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5718 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5722 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5725 s[i] = new_stmt(BPF_LD|BPF_MEM);
5729 /* goto again; (must use BPF_JA for backward jump) */
5730 s[i] = new_stmt(BPF_JMP|BPF_JA);
5731 s[i]->s.k = again - i - 1;
5736 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5738 s[fix2]->s.jt = s[end];
5739 s[fix4]->s.jf = s[end];
5740 s[fix5]->s.jt = s[end];
5747 for (i = 0; i < max - 1; i++)
5748 s[i]->next = s[i + 1];
5749 s[max - 1]->next = NULL;
5754 b = new_block(JMP(BPF_JEQ));
5755 b->stmts = s[1]; /*remember, s[0] is dummy*/
5765 static struct block *
5766 gen_check_802_11_data_frame()
5769 struct block *b0, *b1;
5772 * A data frame has the 0x08 bit (b3) in the frame control field set
5773 * and the 0x04 bit (b2) clear.
5775 s = gen_load_a(OR_LINK, 0, BPF_B);
5776 b0 = new_block(JMP(BPF_JSET));
5780 s = gen_load_a(OR_LINK, 0, BPF_B);
5781 b1 = new_block(JMP(BPF_JSET));
5792 * Generate code that checks whether the packet is a packet for protocol
5793 * <proto> and whether the type field in that protocol's header has
5794 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5795 * IP packet and checks the protocol number in the IP header against <v>.
5797 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5798 * against Q_IP and Q_IPV6.
5800 static struct block *
5801 gen_proto(v, proto, dir)
5806 struct block *b0, *b1;
5811 if (dir != Q_DEFAULT)
5812 bpf_error("direction applied to 'proto'");
5816 b0 = gen_proto(v, Q_IP, dir);
5817 b1 = gen_proto(v, Q_IPV6, dir);
5823 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5824 * not LLC encapsulation with LLCSAP_IP.
5826 * For IEEE 802 networks - which includes 802.5 token ring
5827 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5828 * says that SNAP encapsulation is used, not LLC encapsulation
5831 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5832 * RFC 2225 say that SNAP encapsulation is used, not LLC
5833 * encapsulation with LLCSAP_IP.
5835 * So we always check for ETHERTYPE_IP.
5837 b0 = gen_linktype(ETHERTYPE_IP);
5839 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5841 b1 = gen_protochain(v, Q_IP);
5851 * Frame Relay packets typically have an OSI
5852 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5853 * generates code to check for all the OSI
5854 * NLPIDs, so calling it and then adding a check
5855 * for the particular NLPID for which we're
5856 * looking is bogus, as we can just check for
5859 * What we check for is the NLPID and a frame
5860 * control field value of UI, i.e. 0x03 followed
5863 * XXX - assumes a 2-byte Frame Relay header with
5864 * DLCI and flags. What if the address is longer?
5866 * XXX - what about SNAP-encapsulated frames?
5868 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5874 * Cisco uses an Ethertype lookalike - for OSI,
5877 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5878 /* OSI in C-HDLC is stuffed with a fudge byte */
5879 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5884 b0 = gen_linktype(LLCSAP_ISONS);
5885 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5891 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5893 * 4 is the offset of the PDU type relative to the IS-IS
5896 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5901 bpf_error("arp does not encapsulate another protocol");
5905 bpf_error("rarp does not encapsulate another protocol");
5909 bpf_error("atalk encapsulation is not specifiable");
5913 bpf_error("decnet encapsulation is not specifiable");
5917 bpf_error("sca does not encapsulate another protocol");
5921 bpf_error("lat does not encapsulate another protocol");
5925 bpf_error("moprc does not encapsulate another protocol");
5929 bpf_error("mopdl does not encapsulate another protocol");
5933 return gen_linktype(v);
5936 bpf_error("'udp proto' is bogus");
5940 bpf_error("'tcp proto' is bogus");
5944 bpf_error("'sctp proto' is bogus");
5948 bpf_error("'icmp proto' is bogus");
5952 bpf_error("'igmp proto' is bogus");
5956 bpf_error("'igrp proto' is bogus");
5960 bpf_error("'pim proto' is bogus");
5964 bpf_error("'vrrp proto' is bogus");
5968 bpf_error("'carp proto' is bogus");
5972 b0 = gen_linktype(ETHERTYPE_IPV6);
5975 * Also check for a fragment header before the final
5978 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
5979 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
5981 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5984 b1 = gen_protochain(v, Q_IPV6);
5990 bpf_error("'icmp6 proto' is bogus");
5993 bpf_error("'ah proto' is bogus");
5996 bpf_error("'ah proto' is bogus");
5999 bpf_error("'stp proto' is bogus");
6002 bpf_error("'ipx proto' is bogus");
6005 bpf_error("'netbeui proto' is bogus");
6008 bpf_error("'radio proto' is bogus");
6019 register const char *name;
6022 int proto = q.proto;
6026 bpf_u_int32 mask, addr;
6028 bpf_u_int32 **alist;
6031 struct sockaddr_in *sin4;
6032 struct sockaddr_in6 *sin6;
6033 struct addrinfo *res, *res0;
6034 struct in6_addr mask128;
6036 struct block *b, *tmp;
6037 int port, real_proto;
6043 addr = pcap_nametonetaddr(name);
6045 bpf_error("unknown network '%s'", name);
6046 /* Left justify network addr and calculate its network mask */
6048 while (addr && (addr & 0xff000000) == 0) {
6052 return gen_host(addr, mask, proto, dir, q.addr);
6056 if (proto == Q_LINK) {
6060 case DLT_NETANALYZER:
6061 case DLT_NETANALYZER_TRANSPARENT:
6062 eaddr = pcap_ether_hostton(name);
6065 "unknown ether host '%s'", name);
6066 b = gen_ehostop(eaddr, dir);
6071 eaddr = pcap_ether_hostton(name);
6074 "unknown FDDI host '%s'", name);
6075 b = gen_fhostop(eaddr, dir);
6080 eaddr = pcap_ether_hostton(name);
6083 "unknown token ring host '%s'", name);
6084 b = gen_thostop(eaddr, dir);
6088 case DLT_IEEE802_11:
6089 case DLT_PRISM_HEADER:
6090 case DLT_IEEE802_11_RADIO_AVS:
6091 case DLT_IEEE802_11_RADIO:
6093 eaddr = pcap_ether_hostton(name);
6096 "unknown 802.11 host '%s'", name);
6097 b = gen_wlanhostop(eaddr, dir);
6101 case DLT_IP_OVER_FC:
6102 eaddr = pcap_ether_hostton(name);
6105 "unknown Fibre Channel host '%s'", name);
6106 b = gen_ipfchostop(eaddr, dir);
6115 * Check that the packet doesn't begin
6116 * with an LE Control marker. (We've
6117 * already generated a test for LANE.)
6119 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6123 eaddr = pcap_ether_hostton(name);
6126 "unknown ether host '%s'", name);
6127 b = gen_ehostop(eaddr, dir);
6133 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6134 } else if (proto == Q_DECNET) {
6135 unsigned short dn_addr = __pcap_nametodnaddr(name);
6137 * I don't think DECNET hosts can be multihomed, so
6138 * there is no need to build up a list of addresses
6140 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6143 alist = pcap_nametoaddr(name);
6144 if (alist == NULL || *alist == NULL)
6145 bpf_error("unknown host '%s'", name);
6147 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6149 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6151 tmp = gen_host(**alist++, 0xffffffff,
6152 tproto, dir, q.addr);
6158 memset(&mask128, 0xff, sizeof(mask128));
6159 res0 = res = pcap_nametoaddrinfo(name);
6161 bpf_error("unknown host '%s'", name);
6164 tproto = tproto6 = proto;
6165 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6169 for (res = res0; res; res = res->ai_next) {
6170 switch (res->ai_family) {
6172 if (tproto == Q_IPV6)
6175 sin4 = (struct sockaddr_in *)
6177 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6178 0xffffffff, tproto, dir, q.addr);
6181 if (tproto6 == Q_IP)
6184 sin6 = (struct sockaddr_in6 *)
6186 tmp = gen_host6(&sin6->sin6_addr,
6187 &mask128, tproto6, dir, q.addr);
6199 bpf_error("unknown host '%s'%s", name,
6200 (proto == Q_DEFAULT)
6202 : " for specified address family");
6209 if (proto != Q_DEFAULT &&
6210 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6211 bpf_error("illegal qualifier of 'port'");
6212 if (pcap_nametoport(name, &port, &real_proto) == 0)
6213 bpf_error("unknown port '%s'", name);
6214 if (proto == Q_UDP) {
6215 if (real_proto == IPPROTO_TCP)
6216 bpf_error("port '%s' is tcp", name);
6217 else if (real_proto == IPPROTO_SCTP)
6218 bpf_error("port '%s' is sctp", name);
6220 /* override PROTO_UNDEF */
6221 real_proto = IPPROTO_UDP;
6223 if (proto == Q_TCP) {
6224 if (real_proto == IPPROTO_UDP)
6225 bpf_error("port '%s' is udp", name);
6227 else if (real_proto == IPPROTO_SCTP)
6228 bpf_error("port '%s' is sctp", name);
6230 /* override PROTO_UNDEF */
6231 real_proto = IPPROTO_TCP;
6233 if (proto == Q_SCTP) {
6234 if (real_proto == IPPROTO_UDP)
6235 bpf_error("port '%s' is udp", name);
6237 else if (real_proto == IPPROTO_TCP)
6238 bpf_error("port '%s' is tcp", name);
6240 /* override PROTO_UNDEF */
6241 real_proto = IPPROTO_SCTP;
6244 bpf_error("illegal port number %d < 0", port);
6246 bpf_error("illegal port number %d > 65535", port);
6247 b = gen_port(port, real_proto, dir);
6248 gen_or(gen_port6(port, real_proto, dir), b);
6252 if (proto != Q_DEFAULT &&
6253 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6254 bpf_error("illegal qualifier of 'portrange'");
6255 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6256 bpf_error("unknown port in range '%s'", name);
6257 if (proto == Q_UDP) {
6258 if (real_proto == IPPROTO_TCP)
6259 bpf_error("port in range '%s' is tcp", name);
6260 else if (real_proto == IPPROTO_SCTP)
6261 bpf_error("port in range '%s' is sctp", name);
6263 /* override PROTO_UNDEF */
6264 real_proto = IPPROTO_UDP;
6266 if (proto == Q_TCP) {
6267 if (real_proto == IPPROTO_UDP)
6268 bpf_error("port in range '%s' is udp", name);
6269 else if (real_proto == IPPROTO_SCTP)
6270 bpf_error("port in range '%s' is sctp", name);
6272 /* override PROTO_UNDEF */
6273 real_proto = IPPROTO_TCP;
6275 if (proto == Q_SCTP) {
6276 if (real_proto == IPPROTO_UDP)
6277 bpf_error("port in range '%s' is udp", name);
6278 else if (real_proto == IPPROTO_TCP)
6279 bpf_error("port in range '%s' is tcp", name);
6281 /* override PROTO_UNDEF */
6282 real_proto = IPPROTO_SCTP;
6285 bpf_error("illegal port number %d < 0", port1);
6287 bpf_error("illegal port number %d > 65535", port1);
6289 bpf_error("illegal port number %d < 0", port2);
6291 bpf_error("illegal port number %d > 65535", port2);
6293 b = gen_portrange(port1, port2, real_proto, dir);
6294 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6299 eaddr = pcap_ether_hostton(name);
6301 bpf_error("unknown ether host: %s", name);
6303 alist = pcap_nametoaddr(name);
6304 if (alist == NULL || *alist == NULL)
6305 bpf_error("unknown host '%s'", name);
6306 b = gen_gateway(eaddr, alist, proto, dir);
6310 bpf_error("'gateway' not supported in this configuration");
6314 real_proto = lookup_proto(name, proto);
6315 if (real_proto >= 0)
6316 return gen_proto(real_proto, proto, dir);
6318 bpf_error("unknown protocol: %s", name);
6321 real_proto = lookup_proto(name, proto);
6322 if (real_proto >= 0)
6323 return gen_protochain(real_proto, proto, dir);
6325 bpf_error("unknown protocol: %s", name);
6336 gen_mcode(s1, s2, masklen, q)
6337 register const char *s1, *s2;
6338 register int masklen;
6341 register int nlen, mlen;
6344 nlen = __pcap_atoin(s1, &n);
6345 /* Promote short ipaddr */
6349 mlen = __pcap_atoin(s2, &m);
6350 /* Promote short ipaddr */
6353 bpf_error("non-network bits set in \"%s mask %s\"",
6356 /* Convert mask len to mask */
6358 bpf_error("mask length must be <= 32");
6361 * X << 32 is not guaranteed by C to be 0; it's
6366 m = 0xffffffff << (32 - masklen);
6368 bpf_error("non-network bits set in \"%s/%d\"",
6375 return gen_host(n, m, q.proto, q.dir, q.addr);
6378 bpf_error("Mask syntax for networks only");
6387 register const char *s;
6392 int proto = q.proto;
6398 else if (q.proto == Q_DECNET)
6399 vlen = __pcap_atodn(s, &v);
6401 vlen = __pcap_atoin(s, &v);
6408 if (proto == Q_DECNET)
6409 return gen_host(v, 0, proto, dir, q.addr);
6410 else if (proto == Q_LINK) {
6411 bpf_error("illegal link layer address");
6414 if (s == NULL && q.addr == Q_NET) {
6415 /* Promote short net number */
6416 while (v && (v & 0xff000000) == 0) {
6421 /* Promote short ipaddr */
6425 return gen_host(v, mask, proto, dir, q.addr);
6430 proto = IPPROTO_UDP;
6431 else if (proto == Q_TCP)
6432 proto = IPPROTO_TCP;
6433 else if (proto == Q_SCTP)
6434 proto = IPPROTO_SCTP;
6435 else if (proto == Q_DEFAULT)
6436 proto = PROTO_UNDEF;
6438 bpf_error("illegal qualifier of 'port'");
6441 bpf_error("illegal port number %u > 65535", v);
6445 b = gen_port((int)v, proto, dir);
6446 gen_or(gen_port6((int)v, proto, dir), b);
6452 proto = IPPROTO_UDP;
6453 else if (proto == Q_TCP)
6454 proto = IPPROTO_TCP;
6455 else if (proto == Q_SCTP)
6456 proto = IPPROTO_SCTP;
6457 else if (proto == Q_DEFAULT)
6458 proto = PROTO_UNDEF;
6460 bpf_error("illegal qualifier of 'portrange'");
6463 bpf_error("illegal port number %u > 65535", v);
6467 b = gen_portrange((int)v, (int)v, proto, dir);
6468 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6473 bpf_error("'gateway' requires a name");
6477 return gen_proto((int)v, proto, dir);
6480 return gen_protochain((int)v, proto, dir);
6495 gen_mcode6(s1, s2, masklen, q)
6496 register const char *s1, *s2;
6497 register int masklen;
6500 struct addrinfo *res;
6501 struct in6_addr *addr;
6502 struct in6_addr mask;
6507 bpf_error("no mask %s supported", s2);
6509 res = pcap_nametoaddrinfo(s1);
6511 bpf_error("invalid ip6 address %s", s1);
6514 bpf_error("%s resolved to multiple address", s1);
6515 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6517 if (sizeof(mask) * 8 < masklen)
6518 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6519 memset(&mask, 0, sizeof(mask));
6520 memset(&mask, 0xff, masklen / 8);
6522 mask.s6_addr[masklen / 8] =
6523 (0xff << (8 - masklen % 8)) & 0xff;
6526 a = (u_int32_t *)addr;
6527 m = (u_int32_t *)&mask;
6528 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6529 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6530 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6538 bpf_error("Mask syntax for networks only");
6542 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6548 bpf_error("invalid qualifier against IPv6 address");
6557 register const u_char *eaddr;
6560 struct block *b, *tmp;
6562 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6565 case DLT_NETANALYZER:
6566 case DLT_NETANALYZER_TRANSPARENT:
6567 return gen_ehostop(eaddr, (int)q.dir);
6569 return gen_fhostop(eaddr, (int)q.dir);
6571 return gen_thostop(eaddr, (int)q.dir);
6572 case DLT_IEEE802_11:
6573 case DLT_PRISM_HEADER:
6574 case DLT_IEEE802_11_RADIO_AVS:
6575 case DLT_IEEE802_11_RADIO:
6577 return gen_wlanhostop(eaddr, (int)q.dir);
6581 * Check that the packet doesn't begin with an
6582 * LE Control marker. (We've already generated
6585 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6590 * Now check the MAC address.
6592 b = gen_ehostop(eaddr, (int)q.dir);
6597 case DLT_IP_OVER_FC:
6598 return gen_ipfchostop(eaddr, (int)q.dir);
6600 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6604 bpf_error("ethernet address used in non-ether expression");
6611 struct slist *s0, *s1;
6614 * This is definitely not the best way to do this, but the
6615 * lists will rarely get long.
6622 static struct slist *
6628 s = new_stmt(BPF_LDX|BPF_MEM);
6633 static struct slist *
6639 s = new_stmt(BPF_LD|BPF_MEM);
6645 * Modify "index" to use the value stored into its register as an
6646 * offset relative to the beginning of the header for the protocol
6647 * "proto", and allocate a register and put an item "size" bytes long
6648 * (1, 2, or 4) at that offset into that register, making it the register
6652 gen_load(proto, inst, size)
6657 struct slist *s, *tmp;
6659 int regno = alloc_reg();
6661 free_reg(inst->regno);
6665 bpf_error("data size must be 1, 2, or 4");
6681 bpf_error("unsupported index operation");
6685 * The offset is relative to the beginning of the packet
6686 * data, if we have a radio header. (If we don't, this
6689 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6690 linktype != DLT_IEEE802_11_RADIO &&
6691 linktype != DLT_PRISM_HEADER)
6692 bpf_error("radio information not present in capture");
6695 * Load into the X register the offset computed into the
6696 * register specified by "index".
6698 s = xfer_to_x(inst);
6701 * Load the item at that offset.
6703 tmp = new_stmt(BPF_LD|BPF_IND|size);
6705 sappend(inst->s, s);
6710 * The offset is relative to the beginning of
6711 * the link-layer header.
6713 * XXX - what about ATM LANE? Should the index be
6714 * relative to the beginning of the AAL5 frame, so
6715 * that 0 refers to the beginning of the LE Control
6716 * field, or relative to the beginning of the LAN
6717 * frame, so that 0 refers, for Ethernet LANE, to
6718 * the beginning of the destination address?
6720 s = gen_llprefixlen();
6723 * If "s" is non-null, it has code to arrange that the
6724 * X register contains the length of the prefix preceding
6725 * the link-layer header. Add to it the offset computed
6726 * into the register specified by "index", and move that
6727 * into the X register. Otherwise, just load into the X
6728 * register the offset computed into the register specified
6732 sappend(s, xfer_to_a(inst));
6733 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6734 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6736 s = xfer_to_x(inst);
6739 * Load the item at the sum of the offset we've put in the
6740 * X register and the offset of the start of the link
6741 * layer header (which is 0 if the radio header is
6742 * variable-length; that header length is what we put
6743 * into the X register and then added to the index).
6745 tmp = new_stmt(BPF_LD|BPF_IND|size);
6748 sappend(inst->s, s);
6762 * The offset is relative to the beginning of
6763 * the network-layer header.
6764 * XXX - are there any cases where we want
6767 s = gen_off_macpl();
6770 * If "s" is non-null, it has code to arrange that the
6771 * X register contains the offset of the MAC-layer
6772 * payload. Add to it the offset computed into the
6773 * register specified by "index", and move that into
6774 * the X register. Otherwise, just load into the X
6775 * register the offset computed into the register specified
6779 sappend(s, xfer_to_a(inst));
6780 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6781 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6783 s = xfer_to_x(inst);
6786 * Load the item at the sum of the offset we've put in the
6787 * X register, the offset of the start of the network
6788 * layer header from the beginning of the MAC-layer
6789 * payload, and the purported offset of the start of the
6790 * MAC-layer payload (which might be 0 if there's a
6791 * variable-length prefix before the link-layer header
6792 * or the link-layer header itself is variable-length;
6793 * the variable-length offset of the start of the
6794 * MAC-layer payload is what we put into the X register
6795 * and then added to the index).
6797 tmp = new_stmt(BPF_LD|BPF_IND|size);
6798 tmp->s.k = off_macpl + off_nl;
6800 sappend(inst->s, s);
6803 * Do the computation only if the packet contains
6804 * the protocol in question.
6806 b = gen_proto_abbrev(proto);
6808 gen_and(inst->b, b);
6822 * The offset is relative to the beginning of
6823 * the transport-layer header.
6825 * Load the X register with the length of the IPv4 header
6826 * (plus the offset of the link-layer header, if it's
6827 * a variable-length header), in bytes.
6829 * XXX - are there any cases where we want
6831 * XXX - we should, if we're built with
6832 * IPv6 support, generate code to load either
6833 * IPv4, IPv6, or both, as appropriate.
6835 s = gen_loadx_iphdrlen();
6838 * The X register now contains the sum of the length
6839 * of any variable-length header preceding the link-layer
6840 * header, any variable-length link-layer header, and the
6841 * length of the network-layer header.
6843 * Load into the A register the offset relative to
6844 * the beginning of the transport layer header,
6845 * add the X register to that, move that to the
6846 * X register, and load with an offset from the
6847 * X register equal to the offset of the network
6848 * layer header relative to the beginning of
6849 * the MAC-layer payload plus the fixed-length
6850 * portion of the offset of the MAC-layer payload
6851 * from the beginning of the raw packet data.
6853 sappend(s, xfer_to_a(inst));
6854 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6855 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6856 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6857 tmp->s.k = off_macpl + off_nl;
6858 sappend(inst->s, s);
6861 * Do the computation only if the packet contains
6862 * the protocol in question - which is true only
6863 * if this is an IP datagram and is the first or
6864 * only fragment of that datagram.
6866 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6868 gen_and(inst->b, b);
6869 gen_and(gen_proto_abbrev(Q_IP), b);
6873 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6876 inst->regno = regno;
6877 s = new_stmt(BPF_ST);
6879 sappend(inst->s, s);
6885 gen_relation(code, a0, a1, reversed)
6887 struct arth *a0, *a1;
6890 struct slist *s0, *s1, *s2;
6891 struct block *b, *tmp;
6895 if (code == BPF_JEQ) {
6896 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6897 b = new_block(JMP(code));
6901 b = new_block(BPF_JMP|code|BPF_X);
6907 sappend(a0->s, a1->s);
6911 free_reg(a0->regno);
6912 free_reg(a1->regno);
6914 /* 'and' together protocol checks */
6917 gen_and(a0->b, tmp = a1->b);
6933 int regno = alloc_reg();
6934 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6937 s = new_stmt(BPF_LD|BPF_LEN);
6938 s->next = new_stmt(BPF_ST);
6939 s->next->s.k = regno;
6954 a = (struct arth *)newchunk(sizeof(*a));
6958 s = new_stmt(BPF_LD|BPF_IMM);
6960 s->next = new_stmt(BPF_ST);
6976 s = new_stmt(BPF_ALU|BPF_NEG);
6979 s = new_stmt(BPF_ST);
6987 gen_arth(code, a0, a1)
6989 struct arth *a0, *a1;
6991 struct slist *s0, *s1, *s2;
6995 s2 = new_stmt(BPF_ALU|BPF_X|code);
7000 sappend(a0->s, a1->s);
7002 free_reg(a0->regno);
7003 free_reg(a1->regno);
7005 s0 = new_stmt(BPF_ST);
7006 a0->regno = s0->s.k = alloc_reg();
7013 * Here we handle simple allocation of the scratch registers.
7014 * If too many registers are alloc'd, the allocator punts.
7016 static int regused[BPF_MEMWORDS];
7020 * Initialize the table of used registers and the current register.
7026 memset(regused, 0, sizeof regused);
7030 * Return the next free register.
7035 int n = BPF_MEMWORDS;
7038 if (regused[curreg])
7039 curreg = (curreg + 1) % BPF_MEMWORDS;
7041 regused[curreg] = 1;
7045 bpf_error("too many registers needed to evaluate expression");
7051 * Return a register to the table so it can
7061 static struct block *
7068 s = new_stmt(BPF_LD|BPF_LEN);
7069 b = new_block(JMP(jmp));
7080 return gen_len(BPF_JGE, n);
7084 * Actually, this is less than or equal.
7092 b = gen_len(BPF_JGT, n);
7099 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7100 * the beginning of the link-layer header.
7101 * XXX - that means you can't test values in the radiotap header, but
7102 * as that header is difficult if not impossible to parse generally
7103 * without a loop, that might not be a severe problem. A new keyword
7104 * "radio" could be added for that, although what you'd really want
7105 * would be a way of testing particular radio header values, which
7106 * would generate code appropriate to the radio header in question.
7109 gen_byteop(op, idx, val)
7120 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7123 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7127 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7131 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7135 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7139 b = new_block(JMP(BPF_JEQ));
7146 static u_char abroadcast[] = { 0x0 };
7149 gen_broadcast(proto)
7152 bpf_u_int32 hostmask;
7153 struct block *b0, *b1, *b2;
7154 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7162 case DLT_ARCNET_LINUX:
7163 return gen_ahostop(abroadcast, Q_DST);
7165 case DLT_NETANALYZER:
7166 case DLT_NETANALYZER_TRANSPARENT:
7167 return gen_ehostop(ebroadcast, Q_DST);
7169 return gen_fhostop(ebroadcast, Q_DST);
7171 return gen_thostop(ebroadcast, Q_DST);
7172 case DLT_IEEE802_11:
7173 case DLT_PRISM_HEADER:
7174 case DLT_IEEE802_11_RADIO_AVS:
7175 case DLT_IEEE802_11_RADIO:
7177 return gen_wlanhostop(ebroadcast, Q_DST);
7178 case DLT_IP_OVER_FC:
7179 return gen_ipfchostop(ebroadcast, Q_DST);
7183 * Check that the packet doesn't begin with an
7184 * LE Control marker. (We've already generated
7187 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7192 * Now check the MAC address.
7194 b0 = gen_ehostop(ebroadcast, Q_DST);
7200 bpf_error("not a broadcast link");
7206 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7207 * as an indication that we don't know the netmask, and fail
7210 if (netmask == PCAP_NETMASK_UNKNOWN)
7211 bpf_error("netmask not known, so 'ip broadcast' not supported");
7212 b0 = gen_linktype(ETHERTYPE_IP);
7213 hostmask = ~netmask;
7214 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7215 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7216 (bpf_int32)(~0 & hostmask), hostmask);
7221 bpf_error("only link-layer/IP broadcast filters supported");
7227 * Generate code to test the low-order bit of a MAC address (that's
7228 * the bottom bit of the *first* byte).
7230 static struct block *
7231 gen_mac_multicast(offset)
7234 register struct block *b0;
7235 register struct slist *s;
7237 /* link[offset] & 1 != 0 */
7238 s = gen_load_a(OR_LINK, offset, BPF_B);
7239 b0 = new_block(JMP(BPF_JSET));
7246 gen_multicast(proto)
7249 register struct block *b0, *b1, *b2;
7250 register struct slist *s;
7258 case DLT_ARCNET_LINUX:
7259 /* all ARCnet multicasts use the same address */
7260 return gen_ahostop(abroadcast, Q_DST);
7262 case DLT_NETANALYZER:
7263 case DLT_NETANALYZER_TRANSPARENT:
7264 /* ether[0] & 1 != 0 */
7265 return gen_mac_multicast(0);
7268 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7270 * XXX - was that referring to bit-order issues?
7272 /* fddi[1] & 1 != 0 */
7273 return gen_mac_multicast(1);
7275 /* tr[2] & 1 != 0 */
7276 return gen_mac_multicast(2);
7277 case DLT_IEEE802_11:
7278 case DLT_PRISM_HEADER:
7279 case DLT_IEEE802_11_RADIO_AVS:
7280 case DLT_IEEE802_11_RADIO:
7285 * For control frames, there is no DA.
7287 * For management frames, DA is at an
7288 * offset of 4 from the beginning of
7291 * For data frames, DA is at an offset
7292 * of 4 from the beginning of the packet
7293 * if To DS is clear and at an offset of
7294 * 16 from the beginning of the packet
7299 * Generate the tests to be done for data frames.
7301 * First, check for To DS set, i.e. "link[1] & 0x01".
7303 s = gen_load_a(OR_LINK, 1, BPF_B);
7304 b1 = new_block(JMP(BPF_JSET));
7305 b1->s.k = 0x01; /* To DS */
7309 * If To DS is set, the DA is at 16.
7311 b0 = gen_mac_multicast(16);
7315 * Now, check for To DS not set, i.e. check
7316 * "!(link[1] & 0x01)".
7318 s = gen_load_a(OR_LINK, 1, BPF_B);
7319 b2 = new_block(JMP(BPF_JSET));
7320 b2->s.k = 0x01; /* To DS */
7325 * If To DS is not set, the DA is at 4.
7327 b1 = gen_mac_multicast(4);
7331 * Now OR together the last two checks. That gives
7332 * the complete set of checks for data frames.
7337 * Now check for a data frame.
7338 * I.e, check "link[0] & 0x08".
7340 s = gen_load_a(OR_LINK, 0, BPF_B);
7341 b1 = new_block(JMP(BPF_JSET));
7346 * AND that with the checks done for data frames.
7351 * If the high-order bit of the type value is 0, this
7352 * is a management frame.
7353 * I.e, check "!(link[0] & 0x08)".
7355 s = gen_load_a(OR_LINK, 0, BPF_B);
7356 b2 = new_block(JMP(BPF_JSET));
7362 * For management frames, the DA is at 4.
7364 b1 = gen_mac_multicast(4);
7368 * OR that with the checks done for data frames.
7369 * That gives the checks done for management and
7375 * If the low-order bit of the type value is 1,
7376 * this is either a control frame or a frame
7377 * with a reserved type, and thus not a
7380 * I.e., check "!(link[0] & 0x04)".
7382 s = gen_load_a(OR_LINK, 0, BPF_B);
7383 b1 = new_block(JMP(BPF_JSET));
7389 * AND that with the checks for data and management
7394 case DLT_IP_OVER_FC:
7395 b0 = gen_mac_multicast(2);
7400 * Check that the packet doesn't begin with an
7401 * LE Control marker. (We've already generated
7404 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7408 /* ether[off_mac] & 1 != 0 */
7409 b0 = gen_mac_multicast(off_mac);
7417 /* Link not known to support multicasts */
7421 b0 = gen_linktype(ETHERTYPE_IP);
7422 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7427 b0 = gen_linktype(ETHERTYPE_IPV6);
7428 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7432 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7438 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7439 * Outbound traffic is sent by this machine, while inbound traffic is
7440 * sent by a remote machine (and may include packets destined for a
7441 * unicast or multicast link-layer address we are not subscribing to).
7442 * These are the same definitions implemented by pcap_setdirection().
7443 * Capturing only unicast traffic destined for this host is probably
7444 * better accomplished using a higher-layer filter.
7450 register struct block *b0;
7453 * Only some data link types support inbound/outbound qualifiers.
7457 b0 = gen_relation(BPF_JEQ,
7458 gen_load(Q_LINK, gen_loadi(0), 1),
7465 /* match outgoing packets */
7466 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7468 /* match incoming packets */
7469 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7474 /* match outgoing packets */
7475 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7477 /* to filter on inbound traffic, invert the match */
7482 #ifdef HAVE_NET_PFVAR_H
7484 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7485 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7491 /* match outgoing packets */
7492 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7494 /* match incoming packets */
7495 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7499 case DLT_JUNIPER_MFR:
7500 case DLT_JUNIPER_MLFR:
7501 case DLT_JUNIPER_MLPPP:
7502 case DLT_JUNIPER_ATM1:
7503 case DLT_JUNIPER_ATM2:
7504 case DLT_JUNIPER_PPPOE:
7505 case DLT_JUNIPER_PPPOE_ATM:
7506 case DLT_JUNIPER_GGSN:
7507 case DLT_JUNIPER_ES:
7508 case DLT_JUNIPER_MONITOR:
7509 case DLT_JUNIPER_SERVICES:
7510 case DLT_JUNIPER_ETHER:
7511 case DLT_JUNIPER_PPP:
7512 case DLT_JUNIPER_FRELAY:
7513 case DLT_JUNIPER_CHDLC:
7514 case DLT_JUNIPER_VP:
7515 case DLT_JUNIPER_ST:
7516 case DLT_JUNIPER_ISM:
7517 case DLT_JUNIPER_VS:
7518 case DLT_JUNIPER_SRX_E2E:
7519 case DLT_JUNIPER_FIBRECHANNEL:
7520 case DLT_JUNIPER_ATM_CEMIC:
7522 /* juniper flags (including direction) are stored
7523 * the byte after the 3-byte magic number */
7525 /* match outgoing packets */
7526 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7528 /* match incoming packets */
7529 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7535 * If we have packet meta-data indicating a direction,
7536 * check it, otherwise give up as this link-layer type
7537 * has nothing in the packet data.
7539 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7541 * We infer that this is Linux with PF_PACKET support.
7542 * If this is a *live* capture, we can look at
7543 * special meta-data in the filter expression;
7544 * if it's a savefile, we can't.
7546 if (bpf_pcap->sf.rfile != NULL) {
7547 /* We have a FILE *, so this is a savefile */
7548 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7553 /* match outgoing packets */
7554 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7557 /* to filter on inbound traffic, invert the match */
7560 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7561 bpf_error("inbound/outbound not supported on linktype %d",
7565 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7570 #ifdef HAVE_NET_PFVAR_H
7571 /* PF firewall log matched interface */
7573 gen_pf_ifname(const char *ifname)
7578 if (linktype != DLT_PFLOG) {
7579 bpf_error("ifname supported only on PF linktype");
7582 len = sizeof(((struct pfloghdr *)0)->ifname);
7583 off = offsetof(struct pfloghdr, ifname);
7584 if (strlen(ifname) >= len) {
7585 bpf_error("ifname interface names can only be %d characters",
7589 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7593 /* PF firewall log ruleset name */
7595 gen_pf_ruleset(char *ruleset)
7599 if (linktype != DLT_PFLOG) {
7600 bpf_error("ruleset supported only on PF linktype");
7604 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7605 bpf_error("ruleset names can only be %ld characters",
7606 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7610 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7611 strlen(ruleset), (const u_char *)ruleset);
7615 /* PF firewall log rule number */
7621 if (linktype != DLT_PFLOG) {
7622 bpf_error("rnr supported only on PF linktype");
7626 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7631 /* PF firewall log sub-rule number */
7633 gen_pf_srnr(int srnr)
7637 if (linktype != DLT_PFLOG) {
7638 bpf_error("srnr supported only on PF linktype");
7642 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7647 /* PF firewall log reason code */
7649 gen_pf_reason(int reason)
7653 if (linktype != DLT_PFLOG) {
7654 bpf_error("reason supported only on PF linktype");
7658 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7663 /* PF firewall log action */
7665 gen_pf_action(int action)
7669 if (linktype != DLT_PFLOG) {
7670 bpf_error("action supported only on PF linktype");
7674 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7678 #else /* !HAVE_NET_PFVAR_H */
7680 gen_pf_ifname(const char *ifname)
7682 bpf_error("libpcap was compiled without pf support");
7688 gen_pf_ruleset(char *ruleset)
7690 bpf_error("libpcap was compiled on a machine without pf support");
7698 bpf_error("libpcap was compiled on a machine without pf support");
7704 gen_pf_srnr(int srnr)
7706 bpf_error("libpcap was compiled on a machine without pf support");
7712 gen_pf_reason(int reason)
7714 bpf_error("libpcap was compiled on a machine without pf support");
7720 gen_pf_action(int action)
7722 bpf_error("libpcap was compiled on a machine without pf support");
7726 #endif /* HAVE_NET_PFVAR_H */
7728 /* IEEE 802.11 wireless header */
7730 gen_p80211_type(int type, int mask)
7736 case DLT_IEEE802_11:
7737 case DLT_PRISM_HEADER:
7738 case DLT_IEEE802_11_RADIO_AVS:
7739 case DLT_IEEE802_11_RADIO:
7740 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7745 bpf_error("802.11 link-layer types supported only on 802.11");
7753 gen_p80211_fcdir(int fcdir)
7759 case DLT_IEEE802_11:
7760 case DLT_PRISM_HEADER:
7761 case DLT_IEEE802_11_RADIO_AVS:
7762 case DLT_IEEE802_11_RADIO:
7766 bpf_error("frame direction supported only with 802.11 headers");
7770 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7771 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7778 register const u_char *eaddr;
7784 case DLT_ARCNET_LINUX:
7785 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7787 return (gen_ahostop(eaddr, (int)q.dir));
7789 bpf_error("ARCnet address used in non-arc expression");
7795 bpf_error("aid supported only on ARCnet");
7798 bpf_error("ARCnet address used in non-arc expression");
7803 static struct block *
7804 gen_ahostop(eaddr, dir)
7805 register const u_char *eaddr;
7808 register struct block *b0, *b1;
7811 /* src comes first, different from Ethernet */
7813 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7816 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7819 b0 = gen_ahostop(eaddr, Q_SRC);
7820 b1 = gen_ahostop(eaddr, Q_DST);
7826 b0 = gen_ahostop(eaddr, Q_SRC);
7827 b1 = gen_ahostop(eaddr, Q_DST);
7832 bpf_error("'addr1' is only supported on 802.11");
7836 bpf_error("'addr2' is only supported on 802.11");
7840 bpf_error("'addr3' is only supported on 802.11");
7844 bpf_error("'addr4' is only supported on 802.11");
7848 bpf_error("'ra' is only supported on 802.11");
7852 bpf_error("'ta' is only supported on 802.11");
7860 * support IEEE 802.1Q VLAN trunk over ethernet
7866 struct block *b0, *b1;
7868 /* can't check for VLAN-encapsulated packets inside MPLS */
7869 if (label_stack_depth > 0)
7870 bpf_error("no VLAN match after MPLS");
7873 * Check for a VLAN packet, and then change the offsets to point
7874 * to the type and data fields within the VLAN packet. Just
7875 * increment the offsets, so that we can support a hierarchy, e.g.
7876 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7879 * XXX - this is a bit of a kludge. If we were to split the
7880 * compiler into a parser that parses an expression and
7881 * generates an expression tree, and a code generator that
7882 * takes an expression tree (which could come from our
7883 * parser or from some other parser) and generates BPF code,
7884 * we could perhaps make the offsets parameters of routines
7885 * and, in the handler for an "AND" node, pass to subnodes
7886 * other than the VLAN node the adjusted offsets.
7888 * This would mean that "vlan" would, instead of changing the
7889 * behavior of *all* tests after it, change only the behavior
7890 * of tests ANDed with it. That would change the documented
7891 * semantics of "vlan", which might break some expressions.
7892 * However, it would mean that "(vlan and ip) or ip" would check
7893 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7894 * checking only for VLAN-encapsulated IP, so that could still
7895 * be considered worth doing; it wouldn't break expressions
7896 * that are of the form "vlan and ..." or "vlan N and ...",
7897 * which I suspect are the most common expressions involving
7898 * "vlan". "vlan or ..." doesn't necessarily do what the user
7899 * would really want, now, as all the "or ..." tests would
7900 * be done assuming a VLAN, even though the "or" could be viewed
7901 * as meaning "or, if this isn't a VLAN packet...".
7908 case DLT_NETANALYZER:
7909 case DLT_NETANALYZER_TRANSPARENT:
7910 /* check for VLAN, including QinQ */
7911 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7912 (bpf_int32)ETHERTYPE_8021Q);
7913 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7914 (bpf_int32)ETHERTYPE_8021QINQ);
7918 /* If a specific VLAN is requested, check VLAN id */
7919 if (vlan_num >= 0) {
7920 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7921 (bpf_int32)vlan_num, 0x0fff);
7935 bpf_error("no VLAN support for data link type %d",
7950 struct block *b0,*b1;
7953 * Change the offsets to point to the type and data fields within
7954 * the MPLS packet. Just increment the offsets, so that we
7955 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7956 * capture packets with an outer label of 100000 and an inner
7959 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7963 if (label_stack_depth > 0) {
7964 /* just match the bottom-of-stack bit clear */
7965 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7968 * Indicate that we're checking MPLS-encapsulated headers,
7969 * to make sure higher level code generators don't try to
7970 * match against IP-related protocols such as Q_ARP, Q_RARP
7975 case DLT_C_HDLC: /* fall through */
7977 case DLT_NETANALYZER:
7978 case DLT_NETANALYZER_TRANSPARENT:
7979 b0 = gen_linktype(ETHERTYPE_MPLS);
7983 b0 = gen_linktype(PPP_MPLS_UCAST);
7986 /* FIXME add other DLT_s ...
7987 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7988 * leave it for now */
7991 bpf_error("no MPLS support for data link type %d",
7999 /* If a specific MPLS label is requested, check it */
8000 if (label_num >= 0) {
8001 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8002 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8003 0xfffff000); /* only compare the first 20 bits */
8010 label_stack_depth++;
8015 * Support PPPOE discovery and session.
8020 /* check for PPPoE discovery */
8021 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8030 * Test against the PPPoE session link-layer type.
8032 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8035 * Change the offsets to point to the type and data fields within
8036 * the PPP packet, and note that this is PPPoE rather than
8039 * XXX - this is a bit of a kludge. If we were to split the
8040 * compiler into a parser that parses an expression and
8041 * generates an expression tree, and a code generator that
8042 * takes an expression tree (which could come from our
8043 * parser or from some other parser) and generates BPF code,
8044 * we could perhaps make the offsets parameters of routines
8045 * and, in the handler for an "AND" node, pass to subnodes
8046 * other than the PPPoE node the adjusted offsets.
8048 * This would mean that "pppoes" would, instead of changing the
8049 * behavior of *all* tests after it, change only the behavior
8050 * of tests ANDed with it. That would change the documented
8051 * semantics of "pppoes", which might break some expressions.
8052 * However, it would mean that "(pppoes and ip) or ip" would check
8053 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8054 * checking only for VLAN-encapsulated IP, so that could still
8055 * be considered worth doing; it wouldn't break expressions
8056 * that are of the form "pppoes and ..." which I suspect are the
8057 * most common expressions involving "pppoes". "pppoes or ..."
8058 * doesn't necessarily do what the user would really want, now,
8059 * as all the "or ..." tests would be done assuming PPPoE, even
8060 * though the "or" could be viewed as meaning "or, if this isn't
8061 * a PPPoE packet...".
8063 orig_linktype = off_linktype; /* save original values */
8068 * The "network-layer" protocol is PPPoE, which has a 6-byte
8069 * PPPoE header, followed by a PPP packet.
8071 * There is no HDLC encapsulation for the PPP packet (it's
8072 * encapsulated in PPPoES instead), so the link-layer type
8073 * starts at the first byte of the PPP packet. For PPPoE,
8074 * that offset is relative to the beginning of the total
8075 * link-layer payload, including any 802.2 LLC header, so
8076 * it's 6 bytes past off_nl.
8078 off_linktype = off_nl + 6;
8081 * The network-layer offsets are relative to the beginning
8082 * of the MAC-layer payload; that's past the 6-byte
8083 * PPPoE header and the 2-byte PPP header.
8086 off_nl_nosnap = 6+2;
8092 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8104 bpf_error("'vpi' supported only on raw ATM");
8105 if (off_vpi == (u_int)-1)
8107 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8113 bpf_error("'vci' supported only on raw ATM");
8114 if (off_vci == (u_int)-1)
8116 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8121 if (off_proto == (u_int)-1)
8122 abort(); /* XXX - this isn't on FreeBSD */
8123 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8128 if (off_payload == (u_int)-1)
8130 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8131 0xffffffff, jtype, reverse, jvalue);
8136 bpf_error("'callref' supported only on raw ATM");
8137 if (off_proto == (u_int)-1)
8139 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8140 jtype, reverse, jvalue);
8150 gen_atmtype_abbrev(type)
8153 struct block *b0, *b1;
8158 /* Get all packets in Meta signalling Circuit */
8160 bpf_error("'metac' supported only on raw ATM");
8161 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8162 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8167 /* Get all packets in Broadcast Circuit*/
8169 bpf_error("'bcc' supported only on raw ATM");
8170 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8171 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8176 /* Get all cells in Segment OAM F4 circuit*/
8178 bpf_error("'oam4sc' supported only on raw ATM");
8179 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8180 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8185 /* Get all cells in End-to-End OAM F4 Circuit*/
8187 bpf_error("'oam4ec' supported only on raw ATM");
8188 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8189 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8194 /* Get all packets in connection Signalling Circuit */
8196 bpf_error("'sc' supported only on raw ATM");
8197 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8198 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8203 /* Get all packets in ILMI Circuit */
8205 bpf_error("'ilmic' supported only on raw ATM");
8206 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8207 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8212 /* Get all LANE packets */
8214 bpf_error("'lane' supported only on raw ATM");
8215 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8218 * Arrange that all subsequent tests assume LANE
8219 * rather than LLC-encapsulated packets, and set
8220 * the offsets appropriately for LANE-encapsulated
8223 * "off_mac" is the offset of the Ethernet header,
8224 * which is 2 bytes past the ATM pseudo-header
8225 * (skipping the pseudo-header and 2-byte LE Client
8226 * field). The other offsets are Ethernet offsets
8227 * relative to "off_mac".
8230 off_mac = off_payload + 2; /* MAC header */
8231 off_linktype = off_mac + 12;
8232 off_macpl = off_mac + 14; /* Ethernet */
8233 off_nl = 0; /* Ethernet II */
8234 off_nl_nosnap = 3; /* 802.3+802.2 */
8238 /* Get all LLC-encapsulated packets */
8240 bpf_error("'llc' supported only on raw ATM");
8241 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8252 * Filtering for MTP2 messages based on li value
8253 * FISU, length is null
8254 * LSSU, length is 1 or 2
8255 * MSU, length is 3 or more
8258 gen_mtp2type_abbrev(type)
8261 struct block *b0, *b1;
8266 if ( (linktype != DLT_MTP2) &&
8267 (linktype != DLT_ERF) &&
8268 (linktype != DLT_MTP2_WITH_PHDR) )
8269 bpf_error("'fisu' supported only on MTP2");
8270 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8271 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8275 if ( (linktype != DLT_MTP2) &&
8276 (linktype != DLT_ERF) &&
8277 (linktype != DLT_MTP2_WITH_PHDR) )
8278 bpf_error("'lssu' supported only on MTP2");
8279 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8280 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8285 if ( (linktype != DLT_MTP2) &&
8286 (linktype != DLT_ERF) &&
8287 (linktype != DLT_MTP2_WITH_PHDR) )
8288 bpf_error("'msu' supported only on MTP2");
8289 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8299 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8306 bpf_u_int32 val1 , val2 , val3;
8308 switch (mtp3field) {
8311 if (off_sio == (u_int)-1)
8312 bpf_error("'sio' supported only on SS7");
8313 /* sio coded on 1 byte so max value 255 */
8315 bpf_error("sio value %u too big; max value = 255",
8317 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8318 (u_int)jtype, reverse, (u_int)jvalue);
8322 if (off_opc == (u_int)-1)
8323 bpf_error("'opc' supported only on SS7");
8324 /* opc coded on 14 bits so max value 16383 */
8326 bpf_error("opc value %u too big; max value = 16383",
8328 /* the following instructions are made to convert jvalue
8329 * to the form used to write opc in an ss7 message*/
8330 val1 = jvalue & 0x00003c00;
8332 val2 = jvalue & 0x000003fc;
8334 val3 = jvalue & 0x00000003;
8336 jvalue = val1 + val2 + val3;
8337 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8338 (u_int)jtype, reverse, (u_int)jvalue);
8342 if (off_dpc == (u_int)-1)
8343 bpf_error("'dpc' supported only on SS7");
8344 /* dpc coded on 14 bits so max value 16383 */
8346 bpf_error("dpc value %u too big; max value = 16383",
8348 /* the following instructions are made to convert jvalue
8349 * to the forme used to write dpc in an ss7 message*/
8350 val1 = jvalue & 0x000000ff;
8352 val2 = jvalue & 0x00003f00;
8354 jvalue = val1 + val2;
8355 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8356 (u_int)jtype, reverse, (u_int)jvalue);
8360 if (off_sls == (u_int)-1)
8361 bpf_error("'sls' supported only on SS7");
8362 /* sls coded on 4 bits so max value 15 */
8364 bpf_error("sls value %u too big; max value = 15",
8366 /* the following instruction is made to convert jvalue
8367 * to the forme used to write sls in an ss7 message*/
8368 jvalue = jvalue << 4;
8369 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8370 (u_int)jtype,reverse, (u_int)jvalue);
8379 static struct block *
8380 gen_msg_abbrev(type)
8386 * Q.2931 signalling protocol messages for handling virtual circuits
8387 * establishment and teardown
8392 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8396 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8400 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8404 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8408 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8411 case A_RELEASE_DONE:
8412 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8422 gen_atmmulti_abbrev(type)
8425 struct block *b0, *b1;
8431 bpf_error("'oam' supported only on raw ATM");
8432 b1 = gen_atmmulti_abbrev(A_OAMF4);
8437 bpf_error("'oamf4' supported only on raw ATM");
8439 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8440 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8442 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8448 * Get Q.2931 signalling messages for switched
8449 * virtual connection
8452 bpf_error("'connectmsg' supported only on raw ATM");
8453 b0 = gen_msg_abbrev(A_SETUP);
8454 b1 = gen_msg_abbrev(A_CALLPROCEED);
8456 b0 = gen_msg_abbrev(A_CONNECT);
8458 b0 = gen_msg_abbrev(A_CONNECTACK);
8460 b0 = gen_msg_abbrev(A_RELEASE);
8462 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8464 b0 = gen_atmtype_abbrev(A_SC);
8470 bpf_error("'metaconnect' supported only on raw ATM");
8471 b0 = gen_msg_abbrev(A_SETUP);
8472 b1 = gen_msg_abbrev(A_CALLPROCEED);
8474 b0 = gen_msg_abbrev(A_CONNECT);
8476 b0 = gen_msg_abbrev(A_RELEASE);
8478 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8480 b0 = gen_atmtype_abbrev(A_METAC);