Merge branch 'vendor/LIBPCAP' and updated build for new version.
[dragonfly.git] / contrib / libpcap / gencode.c
CommitLineData
23fa89e6
PA
1/*#define CHASE_CHAIN*/
2/*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22#ifndef lint
23static const char rcsid[] _U_ =
de0d3203 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)";
23fa89e6
PA
25#endif
26
27#ifdef HAVE_CONFIG_H
28#include "config.h"
29#endif
30
31#ifdef WIN32
32#include <pcap-stdinc.h>
33#else /* WIN32 */
34#include <sys/types.h>
35#include <sys/socket.h>
36#endif /* WIN32 */
37
38/*
39 * XXX - why was this included even on UNIX?
40 */
41#ifdef __MINGW32__
42#include "IP6_misc.h"
43#endif
44
45#ifndef WIN32
46
47#ifdef __NetBSD__
48#include <sys/param.h>
49#endif
50
51#include <netinet/in.h>
52
53#endif /* WIN32 */
54
55#include <stdlib.h>
56#include <string.h>
57#include <memory.h>
58#include <setjmp.h>
59#include <stdarg.h>
60
61#ifdef MSDOS
62#include "pcap-dos.h"
63#endif
64
65#include "pcap-int.h"
66
67#include "ethertype.h"
68#include "nlpid.h"
69#include "llc.h"
70#include "gencode.h"
42bcdd13 71#include <netproto/802_11/ieee80211.h>
23fa89e6
PA
72#include "atmuni31.h"
73#include "sunatmpos.h"
74#include "ppp.h"
de0d3203 75#include "pcap/sll.h"
23fa89e6 76#include "arcnet.h"
084fe320
PA
77#ifdef HAVE_NET_PFVAR_H
78#include <sys/socket.h>
79#include <net/if.h>
9320aa5c
PA
80#include <net/if_var.h>
81#include <net/pf/pfvar.h>
82#include <net/pf/if_pflog.h>
084fe320 83#endif
23fa89e6
PA
84#ifndef offsetof
85#define offsetof(s, e) ((size_t)&((s *)0)->e)
86#endif
87#ifdef INET6
88#ifndef WIN32
89#include <netdb.h> /* for "struct addrinfo" */
90#endif /* WIN32 */
91#endif /*INET6*/
de0d3203 92#include <pcap/namedb.h>
23fa89e6 93
ac0eb610
PA
94#include <netproto/802_11/ieee80211_radiotap.h>
95
23fa89e6
PA
96#define ETHERMTU 1500
97
98#ifndef IPPROTO_SCTP
99#define IPPROTO_SCTP 132
100#endif
101
102#ifdef HAVE_OS_PROTO_H
103#include "os-proto.h"
104#endif
105
106#define JMP(c) ((c)|BPF_JMP|BPF_K)
107
108/* Locals */
109static jmp_buf top_ctx;
110static pcap_t *bpf_pcap;
111
112/* Hack for updating VLAN, MPLS, and PPPoE offsets. */
de0d3203 113#ifdef WIN32
dfcad8d8
PA
114static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
115#else
23fa89e6 116static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
dfcad8d8 117#endif
23fa89e6
PA
118
119/* XXX */
120#ifdef PCAP_FDDIPAD
121static int pcap_fddipad;
122#endif
123
124/* VARARGS */
125void
126bpf_error(const char *fmt, ...)
127{
128 va_list ap;
129
130 va_start(ap, fmt);
131 if (bpf_pcap != NULL)
132 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
133 fmt, ap);
134 va_end(ap);
135 longjmp(top_ctx, 1);
136 /* NOTREACHED */
137}
138
139static void init_linktype(pcap_t *);
140
de0d3203 141static void init_regs(void);
23fa89e6
PA
142static int alloc_reg(void);
143static void free_reg(int);
144
145static struct block *root;
146
147/*
148 * Value passed to gen_load_a() to indicate what the offset argument
149 * is relative to.
150 */
151enum e_offrel {
152 OR_PACKET, /* relative to the beginning of the packet */
de0d3203
PA
153 OR_LINK, /* relative to the beginning of the link-layer header */
154 OR_MACPL, /* relative to the end of the MAC-layer header */
23fa89e6
PA
155 OR_NET, /* relative to the network-layer header */
156 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
157 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
158 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
159};
160
161/*
162 * We divy out chunks of memory rather than call malloc each time so
163 * we don't have to worry about leaking memory. It's probably
164 * not a big deal if all this memory was wasted but if this ever
165 * goes into a library that would probably not be a good idea.
166 *
167 * XXX - this *is* in a library....
168 */
169#define NCHUNKS 16
170#define CHUNK0SIZE 1024
171struct chunk {
172 u_int n_left;
173 void *m;
174};
175
176static struct chunk chunks[NCHUNKS];
177static int cur_chunk;
178
179static void *newchunk(u_int);
180static void freechunks(void);
181static inline struct block *new_block(int);
182static inline struct slist *new_stmt(int);
183static struct block *gen_retblk(int);
184static inline void syntax(void);
185
186static void backpatch(struct block *, struct block *);
187static void merge(struct block *, struct block *);
188static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
189static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
190static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
191static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
192static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
193static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
194 bpf_u_int32);
195static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
196static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
197 bpf_u_int32, bpf_u_int32, int, bpf_int32);
198static struct slist *gen_load_llrel(u_int, u_int);
de0d3203 199static struct slist *gen_load_macplrel(u_int, u_int);
23fa89e6
PA
200static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
201static struct slist *gen_loadx_iphdrlen(void);
202static struct block *gen_uncond(int);
203static inline struct block *gen_true(void);
204static inline struct block *gen_false(void);
205static struct block *gen_ether_linktype(int);
206static struct block *gen_linux_sll_linktype(int);
de0d3203
PA
207static struct slist *gen_load_prism_llprefixlen(void);
208static struct slist *gen_load_avs_llprefixlen(void);
209static struct slist *gen_load_radiotap_llprefixlen(void);
210static struct slist *gen_load_ppi_llprefixlen(void);
211static void insert_compute_vloffsets(struct block *);
23fa89e6 212static struct slist *gen_llprefixlen(void);
de0d3203
PA
213static struct slist *gen_off_macpl(void);
214static int ethertype_to_ppptype(int);
23fa89e6 215static struct block *gen_linktype(int);
de0d3203 216static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
23fa89e6
PA
217static struct block *gen_llc_linktype(int);
218static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
219#ifdef INET6
220static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
221#endif
222static struct block *gen_ahostop(const u_char *, int);
223static struct block *gen_ehostop(const u_char *, int);
224static struct block *gen_fhostop(const u_char *, int);
225static struct block *gen_thostop(const u_char *, int);
226static struct block *gen_wlanhostop(const u_char *, int);
227static struct block *gen_ipfchostop(const u_char *, int);
228static struct block *gen_dnhostop(bpf_u_int32, int);
229static struct block *gen_mpls_linktype(int);
230static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
231#ifdef INET6
232static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
233#endif
234#ifndef INET6
235static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
236#endif
237static struct block *gen_ipfrag(void);
238static struct block *gen_portatom(int, bpf_int32);
239static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
240#ifdef INET6
241static struct block *gen_portatom6(int, bpf_int32);
242static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
243#endif
244struct block *gen_portop(int, int, int);
245static struct block *gen_port(int, int, int);
246struct block *gen_portrangeop(int, int, int, int);
247static struct block *gen_portrange(int, int, int, int);
248#ifdef INET6
249struct block *gen_portop6(int, int, int);
250static struct block *gen_port6(int, int, int);
251struct block *gen_portrangeop6(int, int, int, int);
252static struct block *gen_portrange6(int, int, int, int);
253#endif
254static int lookup_proto(const char *, int);
255static struct block *gen_protochain(int, int, int);
256static struct block *gen_proto(int, int, int);
257static struct slist *xfer_to_x(struct arth *);
258static struct slist *xfer_to_a(struct arth *);
259static struct block *gen_mac_multicast(int);
260static struct block *gen_len(int, int);
de0d3203 261static struct block *gen_check_802_11_data_frame(void);
23fa89e6 262
dfcad8d8 263static struct block *gen_ppi_dlt_check(void);
23fa89e6
PA
264static struct block *gen_msg_abbrev(int type);
265
266static void *
267newchunk(n)
268 u_int n;
269{
270 struct chunk *cp;
271 int k;
272 size_t size;
273
274#ifndef __NetBSD__
275 /* XXX Round up to nearest long. */
276 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
277#else
278 /* XXX Round up to structure boundary. */
279 n = ALIGN(n);
280#endif
281
282 cp = &chunks[cur_chunk];
283 if (n > cp->n_left) {
284 ++cp, k = ++cur_chunk;
285 if (k >= NCHUNKS)
286 bpf_error("out of memory");
287 size = CHUNK0SIZE << k;
288 cp->m = (void *)malloc(size);
289 if (cp->m == NULL)
290 bpf_error("out of memory");
291 memset((char *)cp->m, 0, size);
292 cp->n_left = size;
293 if (n > size)
294 bpf_error("out of memory");
295 }
296 cp->n_left -= n;
297 return (void *)((char *)cp->m + cp->n_left);
298}
299
300static void
301freechunks()
302{
303 int i;
304
305 cur_chunk = 0;
306 for (i = 0; i < NCHUNKS; ++i)
307 if (chunks[i].m != NULL) {
308 free(chunks[i].m);
309 chunks[i].m = NULL;
310 }
311}
312
313/*
314 * A strdup whose allocations are freed after code generation is over.
315 */
316char *
317sdup(s)
318 register const char *s;
319{
320 int n = strlen(s) + 1;
321 char *cp = newchunk(n);
322
323 strlcpy(cp, s, n);
324 return (cp);
325}
326
327static inline struct block *
328new_block(code)
329 int code;
330{
331 struct block *p;
332
333 p = (struct block *)newchunk(sizeof(*p));
334 p->s.code = code;
335 p->head = p;
336
337 return p;
338}
339
340static inline struct slist *
341new_stmt(code)
342 int code;
343{
344 struct slist *p;
345
346 p = (struct slist *)newchunk(sizeof(*p));
347 p->s.code = code;
348
349 return p;
350}
351
352static struct block *
353gen_retblk(v)
354 int v;
355{
356 struct block *b = new_block(BPF_RET|BPF_K);
357
358 b->s.k = v;
359 return b;
360}
361
362static inline void
363syntax()
364{
365 bpf_error("syntax error in filter expression");
366}
367
368static bpf_u_int32 netmask;
369static int snaplen;
370int no_optimize;
371
372int
373pcap_compile(pcap_t *p, struct bpf_program *program,
dfcad8d8 374 const char *buf, int optimize, bpf_u_int32 mask)
23fa89e6
PA
375{
376 extern int n_errors;
dfcad8d8 377 const char * volatile xbuf = buf;
23fa89e6
PA
378 int len;
379
380 no_optimize = 0;
381 n_errors = 0;
382 root = NULL;
383 bpf_pcap = p;
de0d3203 384 init_regs();
23fa89e6
PA
385 if (setjmp(top_ctx)) {
386 lex_cleanup();
387 freechunks();
388 return (-1);
389 }
390
391 netmask = mask;
392
393 snaplen = pcap_snapshot(p);
394 if (snaplen == 0) {
395 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
396 "snaplen of 0 rejects all packets");
397 return -1;
398 }
399
dfcad8d8 400 lex_init(xbuf ? xbuf : "");
23fa89e6
PA
401 init_linktype(p);
402 (void)pcap_parse();
403
404 if (n_errors)
405 syntax();
406
407 if (root == NULL)
408 root = gen_retblk(snaplen);
409
410 if (optimize && !no_optimize) {
411 bpf_optimize(&root);
412 if (root == NULL ||
413 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
414 bpf_error("expression rejects all packets");
415 }
416 program->bf_insns = icode_to_fcode(root, &len);
417 program->bf_len = len;
418
419 lex_cleanup();
420 freechunks();
421 return (0);
422}
423
424/*
425 * entry point for using the compiler with no pcap open
426 * pass in all the stuff that is needed explicitly instead.
427 */
428int
429pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
430 struct bpf_program *program,
dfcad8d8 431 const char *buf, int optimize, bpf_u_int32 mask)
23fa89e6
PA
432{
433 pcap_t *p;
434 int ret;
435
436 p = pcap_open_dead(linktype_arg, snaplen_arg);
437 if (p == NULL)
438 return (-1);
439 ret = pcap_compile(p, program, buf, optimize, mask);
440 pcap_close(p);
441 return (ret);
442}
443
444/*
445 * Clean up a "struct bpf_program" by freeing all the memory allocated
446 * in it.
447 */
448void
449pcap_freecode(struct bpf_program *program)
450{
451 program->bf_len = 0;
452 if (program->bf_insns != NULL) {
453 free((char *)program->bf_insns);
454 program->bf_insns = NULL;
455 }
456}
457
458/*
459 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
460 * which of the jt and jf fields has been resolved and which is a pointer
461 * back to another unresolved block (or nil). At least one of the fields
462 * in each block is already resolved.
463 */
464static void
465backpatch(list, target)
466 struct block *list, *target;
467{
468 struct block *next;
469
470 while (list) {
471 if (!list->sense) {
472 next = JT(list);
473 JT(list) = target;
474 } else {
475 next = JF(list);
476 JF(list) = target;
477 }
478 list = next;
479 }
480}
481
482/*
483 * Merge the lists in b0 and b1, using the 'sense' field to indicate
484 * which of jt and jf is the link.
485 */
486static void
487merge(b0, b1)
488 struct block *b0, *b1;
489{
490 register struct block **p = &b0;
491
492 /* Find end of list. */
493 while (*p)
494 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
495
496 /* Concatenate the lists. */
497 *p = b1;
498}
499
500void
501finish_parse(p)
502 struct block *p;
503{
dfcad8d8 504 struct block *ppi_dlt_check;
23fa89e6
PA
505
506 /*
507 * Insert before the statements of the first (root) block any
508 * statements needed to load the lengths of any variable-length
509 * headers into registers.
510 *
511 * XXX - a fancier strategy would be to insert those before the
512 * statements of all blocks that use those lengths and that
513 * have no predecessors that use them, so that we only compute
514 * the lengths if we need them. There might be even better
de0d3203
PA
515 * approaches than that.
516 *
517 * However, those strategies would be more complicated, and
518 * as we don't generate code to compute a length if the
519 * program has no tests that use the length, and as most
520 * tests will probably use those lengths, we would just
521 * postpone computing the lengths so that it's not done
522 * for tests that fail early, and it's not clear that's
523 * worth the effort.
23fa89e6 524 */
de0d3203
PA
525 insert_compute_vloffsets(p->head);
526
527 /*
528 * For DLT_PPI captures, generate a check of the per-packet
529 * DLT value to make sure it's DLT_IEEE802_11.
23fa89e6 530 */
de0d3203
PA
531 ppi_dlt_check = gen_ppi_dlt_check();
532 if (ppi_dlt_check != NULL)
533 gen_and(ppi_dlt_check, p);
dfcad8d8 534
de0d3203
PA
535 backpatch(p, gen_retblk(snaplen));
536 p->sense = !p->sense;
537 backpatch(p, gen_retblk(0));
538 root = p->head;
23fa89e6
PA
539}
540
541void
542gen_and(b0, b1)
543 struct block *b0, *b1;
544{
545 backpatch(b0, b1->head);
546 b0->sense = !b0->sense;
547 b1->sense = !b1->sense;
548 merge(b1, b0);
549 b1->sense = !b1->sense;
550 b1->head = b0->head;
551}
552
553void
554gen_or(b0, b1)
555 struct block *b0, *b1;
556{
557 b0->sense = !b0->sense;
558 backpatch(b0, b1->head);
559 b0->sense = !b0->sense;
560 merge(b1, b0);
561 b1->head = b0->head;
562}
563
564void
565gen_not(b)
566 struct block *b;
567{
568 b->sense = !b->sense;
569}
570
571static struct block *
572gen_cmp(offrel, offset, size, v)
573 enum e_offrel offrel;
574 u_int offset, size;
575 bpf_int32 v;
576{
577 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
578}
579
580static struct block *
581gen_cmp_gt(offrel, offset, size, v)
582 enum e_offrel offrel;
583 u_int offset, size;
584 bpf_int32 v;
585{
586 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
587}
588
589static struct block *
590gen_cmp_ge(offrel, offset, size, v)
591 enum e_offrel offrel;
592 u_int offset, size;
593 bpf_int32 v;
594{
595 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
596}
597
598static struct block *
599gen_cmp_lt(offrel, offset, size, v)
600 enum e_offrel offrel;
601 u_int offset, size;
602 bpf_int32 v;
603{
604 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
605}
606
607static struct block *
608gen_cmp_le(offrel, offset, size, v)
609 enum e_offrel offrel;
610 u_int offset, size;
611 bpf_int32 v;
612{
613 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
614}
615
616static struct block *
617gen_mcmp(offrel, offset, size, v, mask)
618 enum e_offrel offrel;
619 u_int offset, size;
620 bpf_int32 v;
621 bpf_u_int32 mask;
622{
623 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
624}
625
626static struct block *
627gen_bcmp(offrel, offset, size, v)
628 enum e_offrel offrel;
629 register u_int offset, size;
630 register const u_char *v;
631{
632 register struct block *b, *tmp;
633
634 b = NULL;
635 while (size >= 4) {
636 register const u_char *p = &v[size - 4];
637 bpf_int32 w = ((bpf_int32)p[0] << 24) |
638 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
639
640 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
641 if (b != NULL)
642 gen_and(b, tmp);
643 b = tmp;
644 size -= 4;
645 }
646 while (size >= 2) {
647 register const u_char *p = &v[size - 2];
648 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
649
650 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
651 if (b != NULL)
652 gen_and(b, tmp);
653 b = tmp;
654 size -= 2;
655 }
656 if (size > 0) {
657 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
658 if (b != NULL)
659 gen_and(b, tmp);
660 b = tmp;
661 }
662 return b;
663}
664
665/*
666 * AND the field of size "size" at offset "offset" relative to the header
667 * specified by "offrel" with "mask", and compare it with the value "v"
668 * with the test specified by "jtype"; if "reverse" is true, the test
669 * should test the opposite of "jtype".
670 */
671static struct block *
672gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
673 enum e_offrel offrel;
674 bpf_int32 v;
675 bpf_u_int32 offset, size, mask, jtype;
676 int reverse;
677{
678 struct slist *s, *s2;
679 struct block *b;
680
681 s = gen_load_a(offrel, offset, size);
682
683 if (mask != 0xffffffff) {
684 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
685 s2->s.k = mask;
686 sappend(s, s2);
687 }
688
689 b = new_block(JMP(jtype));
690 b->stmts = s;
691 b->s.k = v;
692 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
693 gen_not(b);
694 return b;
695}
696
697/*
698 * Various code constructs need to know the layout of the data link
699 * layer. These variables give the necessary offsets from the beginning
700 * of the packet data.
23fa89e6 701 */
23fa89e6
PA
702
703/*
704 * This is the offset of the beginning of the link-layer header from
705 * the beginning of the raw packet data.
706 *
707 * It's usually 0, except for 802.11 with a fixed-length radio header.
708 * (For 802.11 with a variable-length radio header, we have to generate
709 * code to compute that offset; off_ll is 0 in that case.)
710 */
711static u_int off_ll;
712
713/*
de0d3203
PA
714 * If there's a variable-length header preceding the link-layer header,
715 * "reg_off_ll" is the register number for a register containing the
716 * length of that header, and therefore the offset of the link-layer
717 * header from the beginning of the raw packet data. Otherwise,
718 * "reg_off_ll" is -1.
719 */
720static int reg_off_ll;
721
722/*
723 * This is the offset of the beginning of the MAC-layer header from
724 * the beginning of the link-layer header.
23fa89e6
PA
725 * It's usually 0, except for ATM LANE, where it's the offset, relative
726 * to the beginning of the raw packet data, of the Ethernet header.
727 */
728static u_int off_mac;
729
de0d3203
PA
730/*
731 * This is the offset of the beginning of the MAC-layer payload,
732 * from the beginning of the raw packet data.
733 *
734 * I.e., it's the sum of the length of the link-layer header (without,
735 * for example, any 802.2 LLC header, so it's the MAC-layer
736 * portion of that header), plus any prefix preceding the
737 * link-layer header.
738 */
739static u_int off_macpl;
740
741/*
742 * This is 1 if the offset of the beginning of the MAC-layer payload
743 * from the beginning of the link-layer header is variable-length.
744 */
745static int off_macpl_is_variable;
746
747/*
748 * If the link layer has variable_length headers, "reg_off_macpl"
749 * is the register number for a register containing the length of the
750 * link-layer header plus the length of any variable-length header
751 * preceding the link-layer header. Otherwise, "reg_off_macpl"
752 * is -1.
753 */
754static int reg_off_macpl;
755
23fa89e6
PA
756/*
757 * "off_linktype" is the offset to information in the link-layer header
758 * giving the packet type. This offset is relative to the beginning
759 * of the link-layer header (i.e., it doesn't include off_ll).
760 *
761 * For Ethernet, it's the offset of the Ethernet type field.
762 *
763 * For link-layer types that always use 802.2 headers, it's the
764 * offset of the LLC header.
765 *
766 * For PPP, it's the offset of the PPP type field.
767 *
768 * For Cisco HDLC, it's the offset of the CHDLC type field.
769 *
770 * For BSD loopback, it's the offset of the AF_ value.
771 *
772 * For Linux cooked sockets, it's the offset of the type field.
773 *
774 * It's set to -1 for no encapsulation, in which case, IP is assumed.
775 */
776static u_int off_linktype;
777
de0d3203
PA
778/*
779 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
780 * checks to check the PPP header, assumed to follow a LAN-style link-
781 * layer header and a PPPoE session header.
782 */
783static int is_pppoes = 0;
784
23fa89e6
PA
785/*
786 * TRUE if the link layer includes an ATM pseudo-header.
787 */
788static int is_atm = 0;
789
790/*
791 * TRUE if "lane" appeared in the filter; it causes us to generate
792 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
793 */
794static int is_lane = 0;
795
796/*
797 * These are offsets for the ATM pseudo-header.
798 */
799static u_int off_vpi;
800static u_int off_vci;
801static u_int off_proto;
802
dfcad8d8
PA
803/*
804 * These are offsets for the MTP2 fields.
805 */
806static u_int off_li;
807
23fa89e6
PA
808/*
809 * These are offsets for the MTP3 fields.
810 */
811static u_int off_sio;
812static u_int off_opc;
813static u_int off_dpc;
814static u_int off_sls;
815
816/*
817 * This is the offset of the first byte after the ATM pseudo_header,
818 * or -1 if there is no ATM pseudo-header.
819 */
820static u_int off_payload;
821
822/*
823 * These are offsets to the beginning of the network-layer header.
de0d3203
PA
824 * They are relative to the beginning of the MAC-layer payload (i.e.,
825 * they don't include off_ll or off_macpl).
23fa89e6
PA
826 *
827 * If the link layer never uses 802.2 LLC:
828 *
829 * "off_nl" and "off_nl_nosnap" are the same.
830 *
831 * If the link layer always uses 802.2 LLC:
832 *
833 * "off_nl" is the offset if there's a SNAP header following
834 * the 802.2 header;
835 *
836 * "off_nl_nosnap" is the offset if there's no SNAP header.
837 *
838 * If the link layer is Ethernet:
839 *
840 * "off_nl" is the offset if the packet is an Ethernet II packet
841 * (we assume no 802.3+802.2+SNAP);
842 *
843 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
844 * with an 802.2 header following it.
845 */
846static u_int off_nl;
847static u_int off_nl_nosnap;
848
849static int linktype;
850
851static void
852init_linktype(p)
853 pcap_t *p;
854{
855 linktype = pcap_datalink(p);
856#ifdef PCAP_FDDIPAD
857 pcap_fddipad = p->fddipad;
858#endif
859
860 /*
861 * Assume it's not raw ATM with a pseudo-header, for now.
862 */
863 off_mac = 0;
864 is_atm = 0;
865 is_lane = 0;
866 off_vpi = -1;
867 off_vci = -1;
868 off_proto = -1;
869 off_payload = -1;
870
de0d3203
PA
871 /*
872 * And that we're not doing PPPoE.
873 */
874 is_pppoes = 0;
875
23fa89e6
PA
876 /*
877 * And assume we're not doing SS7.
878 */
dfcad8d8 879 off_li = -1;
23fa89e6
PA
880 off_sio = -1;
881 off_opc = -1;
882 off_dpc = -1;
883 off_sls = -1;
884
885 /*
de0d3203 886 * Also assume it's not 802.11.
23fa89e6
PA
887 */
888 off_ll = 0;
de0d3203
PA
889 off_macpl = 0;
890 off_macpl_is_variable = 0;
23fa89e6
PA
891
892 orig_linktype = -1;
893 orig_nl = -1;
894 label_stack_depth = 0;
895
de0d3203
PA
896 reg_off_ll = -1;
897 reg_off_macpl = -1;
23fa89e6
PA
898
899 switch (linktype) {
900
901 case DLT_ARCNET:
902 off_linktype = 2;
de0d3203
PA
903 off_macpl = 6;
904 off_nl = 0; /* XXX in reality, variable! */
905 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
906 return;
907
908 case DLT_ARCNET_LINUX:
909 off_linktype = 4;
de0d3203
PA
910 off_macpl = 8;
911 off_nl = 0; /* XXX in reality, variable! */
912 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
913 return;
914
915 case DLT_EN10MB:
916 off_linktype = 12;
de0d3203
PA
917 off_macpl = 14; /* Ethernet header length */
918 off_nl = 0; /* Ethernet II */
919 off_nl_nosnap = 3; /* 802.3+802.2 */
23fa89e6
PA
920 return;
921
922 case DLT_SLIP:
923 /*
924 * SLIP doesn't have a link level type. The 16 byte
925 * header is hacked into our SLIP driver.
926 */
927 off_linktype = -1;
de0d3203
PA
928 off_macpl = 16;
929 off_nl = 0;
930 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
931 return;
932
933 case DLT_SLIP_BSDOS:
934 /* XXX this may be the same as the DLT_PPP_BSDOS case */
935 off_linktype = -1;
936 /* XXX end */
de0d3203
PA
937 off_macpl = 24;
938 off_nl = 0;
939 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
940 return;
941
942 case DLT_NULL:
943 case DLT_LOOP:
944 off_linktype = 0;
de0d3203
PA
945 off_macpl = 4;
946 off_nl = 0;
947 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
948 return;
949
950 case DLT_ENC:
951 off_linktype = 0;
de0d3203
PA
952 off_macpl = 12;
953 off_nl = 0;
954 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
955 return;
956
957 case DLT_PPP:
958 case DLT_PPP_PPPD:
959 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
960 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
961 off_linktype = 2;
de0d3203
PA
962 off_macpl = 4;
963 off_nl = 0;
964 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
965 return;
966
967 case DLT_PPP_ETHER:
968 /*
969 * This does no include the Ethernet header, and
970 * only covers session state.
971 */
972 off_linktype = 6;
de0d3203
PA
973 off_macpl = 8;
974 off_nl = 0;
975 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
976 return;
977
978 case DLT_PPP_BSDOS:
979 off_linktype = 5;
de0d3203
PA
980 off_macpl = 24;
981 off_nl = 0;
982 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
983 return;
984
985 case DLT_FDDI:
986 /*
987 * FDDI doesn't really have a link-level type field.
988 * We set "off_linktype" to the offset of the LLC header.
989 *
990 * To check for Ethernet types, we assume that SSAP = SNAP
991 * is being used and pick out the encapsulated Ethernet type.
992 * XXX - should we generate code to check for SNAP?
993 */
994 off_linktype = 13;
995#ifdef PCAP_FDDIPAD
996 off_linktype += pcap_fddipad;
997#endif
de0d3203 998 off_macpl = 13; /* FDDI MAC header length */
23fa89e6 999#ifdef PCAP_FDDIPAD
de0d3203 1000 off_macpl += pcap_fddipad;
23fa89e6 1001#endif
de0d3203
PA
1002 off_nl = 8; /* 802.2+SNAP */
1003 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1004 return;
1005
1006 case DLT_IEEE802:
1007 /*
1008 * Token Ring doesn't really have a link-level type field.
1009 * We set "off_linktype" to the offset of the LLC header.
1010 *
1011 * To check for Ethernet types, we assume that SSAP = SNAP
1012 * is being used and pick out the encapsulated Ethernet type.
1013 * XXX - should we generate code to check for SNAP?
1014 *
1015 * XXX - the header is actually variable-length.
1016 * Some various Linux patched versions gave 38
1017 * as "off_linktype" and 40 as "off_nl"; however,
1018 * if a token ring packet has *no* routing
1019 * information, i.e. is not source-routed, the correct
1020 * values are 20 and 22, as they are in the vanilla code.
1021 *
1022 * A packet is source-routed iff the uppermost bit
1023 * of the first byte of the source address, at an
1024 * offset of 8, has the uppermost bit set. If the
1025 * packet is source-routed, the total number of bytes
1026 * of routing information is 2 plus bits 0x1F00 of
1027 * the 16-bit value at an offset of 14 (shifted right
1028 * 8 - figure out which byte that is).
1029 */
1030 off_linktype = 14;
de0d3203
PA
1031 off_macpl = 14; /* Token Ring MAC header length */
1032 off_nl = 8; /* 802.2+SNAP */
1033 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1034 return;
1035
1036 case DLT_IEEE802_11:
de0d3203
PA
1037 case DLT_PRISM_HEADER:
1038 case DLT_IEEE802_11_RADIO_AVS:
1039 case DLT_IEEE802_11_RADIO:
23fa89e6
PA
1040 /*
1041 * 802.11 doesn't really have a link-level type field.
1042 * We set "off_linktype" to the offset of the LLC header.
1043 *
1044 * To check for Ethernet types, we assume that SSAP = SNAP
1045 * is being used and pick out the encapsulated Ethernet type.
1046 * XXX - should we generate code to check for SNAP?
1047 *
de0d3203
PA
1048 * We also handle variable-length radio headers here.
1049 * The Prism header is in theory variable-length, but in
1050 * practice it's always 144 bytes long. However, some
1051 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1052 * sometimes or always supply an AVS header, so we
1053 * have to check whether the radio header is a Prism
1054 * header or an AVS header, so, in practice, it's
1055 * variable-length.
23fa89e6 1056 */
23fa89e6 1057 off_linktype = 24;
de0d3203
PA
1058 off_macpl = 0; /* link-layer header is variable-length */
1059 off_macpl_is_variable = 1;
1060 off_nl = 8; /* 802.2+SNAP */
1061 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1062 return;
1063
dfcad8d8 1064 case DLT_PPI:
de0d3203
PA
1065 /*
1066 * At the moment we treat PPI the same way that we treat
1067 * normal Radiotap encoded packets. The difference is in
1068 * the function that generates the code at the beginning
1069 * to compute the header length. Since this code generator
1070 * of PPI supports bare 802.11 encapsulation only (i.e.
1071 * the encapsulated DLT should be DLT_IEEE802_11) we
1072 * generate code to check for this too.
23fa89e6
PA
1073 */
1074 off_linktype = 24;
de0d3203
PA
1075 off_macpl = 0; /* link-layer header is variable-length */
1076 off_macpl_is_variable = 1;
1077 off_nl = 8; /* 802.2+SNAP */
1078 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1079 return;
1080
1081 case DLT_ATM_RFC1483:
1082 case DLT_ATM_CLIP: /* Linux ATM defines this */
1083 /*
1084 * assume routed, non-ISO PDUs
1085 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1086 *
1087 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1088 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1089 * latter would presumably be treated the way PPPoE
1090 * should be, so you can do "pppoe and udp port 2049"
1091 * or "pppoa and tcp port 80" and have it check for
1092 * PPPo{A,E} and a PPP protocol of IP and....
1093 */
1094 off_linktype = 0;
de0d3203 1095 off_macpl = 0; /* packet begins with LLC header */
23fa89e6
PA
1096 off_nl = 8; /* 802.2+SNAP */
1097 off_nl_nosnap = 3; /* 802.2 */
1098 return;
1099
1100 case DLT_SUNATM:
1101 /*
1102 * Full Frontal ATM; you get AALn PDUs with an ATM
1103 * pseudo-header.
1104 */
1105 is_atm = 1;
1106 off_vpi = SUNATM_VPI_POS;
1107 off_vci = SUNATM_VCI_POS;
1108 off_proto = PROTO_POS;
de0d3203 1109 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
23fa89e6
PA
1110 off_payload = SUNATM_PKT_BEGIN_POS;
1111 off_linktype = off_payload;
de0d3203
PA
1112 off_macpl = off_payload; /* if LLC-encapsulated */
1113 off_nl = 8; /* 802.2+SNAP */
1114 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1115 return;
1116
1117 case DLT_RAW:
1118 off_linktype = -1;
de0d3203 1119 off_macpl = 0;
23fa89e6
PA
1120 off_nl = 0;
1121 off_nl_nosnap = 0; /* no 802.2 LLC */
1122 return;
1123
1124 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1125 off_linktype = 14;
de0d3203
PA
1126 off_macpl = 16;
1127 off_nl = 0;
1128 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
1129 return;
1130
1131 case DLT_LTALK:
1132 /*
1133 * LocalTalk does have a 1-byte type field in the LLAP header,
1134 * but really it just indicates whether there is a "short" or
1135 * "long" DDP packet following.
1136 */
1137 off_linktype = -1;
de0d3203 1138 off_macpl = 0;
23fa89e6
PA
1139 off_nl = 0;
1140 off_nl_nosnap = 0; /* no 802.2 LLC */
1141 return;
1142
1143 case DLT_IP_OVER_FC:
1144 /*
1145 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1146 * link-level type field. We set "off_linktype" to the
1147 * offset of the LLC header.
1148 *
1149 * To check for Ethernet types, we assume that SSAP = SNAP
1150 * is being used and pick out the encapsulated Ethernet type.
1151 * XXX - should we generate code to check for SNAP? RFC
1152 * 2625 says SNAP should be used.
1153 */
1154 off_linktype = 16;
de0d3203
PA
1155 off_macpl = 16;
1156 off_nl = 8; /* 802.2+SNAP */
1157 off_nl_nosnap = 3; /* 802.2 */
23fa89e6
PA
1158 return;
1159
1160 case DLT_FRELAY:
1161 /*
1162 * XXX - we should set this to handle SNAP-encapsulated
1163 * frames (NLPID of 0x80).
1164 */
1165 off_linktype = -1;
de0d3203 1166 off_macpl = 0;
23fa89e6
PA
1167 off_nl = 0;
1168 off_nl_nosnap = 0; /* no 802.2 LLC */
1169 return;
1170
1171 /*
1172 * the only BPF-interesting FRF.16 frames are non-control frames;
1173 * Frame Relay has a variable length link-layer
1174 * so lets start with offset 4 for now and increments later on (FIXME);
1175 */
1176 case DLT_MFR:
1177 off_linktype = -1;
de0d3203 1178 off_macpl = 0;
23fa89e6
PA
1179 off_nl = 4;
1180 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1181 return;
1182
1183 case DLT_APPLE_IP_OVER_IEEE1394:
1184 off_linktype = 16;
de0d3203
PA
1185 off_macpl = 18;
1186 off_nl = 0;
1187 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6
PA
1188 return;
1189
1190 case DLT_LINUX_IRDA:
1191 /*
1192 * Currently, only raw "link[N:M]" filtering is supported.
1193 */
1194 off_linktype = -1;
de0d3203 1195 off_macpl = -1;
23fa89e6
PA
1196 off_nl = -1;
1197 off_nl_nosnap = -1;
1198 return;
1199
1200 case DLT_DOCSIS:
1201 /*
1202 * Currently, only raw "link[N:M]" filtering is supported.
1203 */
1204 off_linktype = -1;
de0d3203 1205 off_macpl = -1;
23fa89e6
PA
1206 off_nl = -1;
1207 off_nl_nosnap = -1;
1208 return;
1209
1210 case DLT_SYMANTEC_FIREWALL:
1211 off_linktype = 6;
de0d3203
PA
1212 off_macpl = 44;
1213 off_nl = 0; /* Ethernet II */
1214 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
23fa89e6
PA
1215 return;
1216
084fe320 1217#ifdef HAVE_NET_PFVAR_H
23fa89e6
PA
1218 case DLT_PFLOG:
1219 off_linktype = 0;
de0d3203
PA
1220 off_macpl = PFLOG_HDRLEN;
1221 off_nl = 0;
1222 off_nl_nosnap = 0; /* no 802.2 LLC */
23fa89e6 1223 return;
084fe320 1224#endif
23fa89e6
PA
1225
1226 case DLT_JUNIPER_MFR:
1227 case DLT_JUNIPER_MLFR:
1228 case DLT_JUNIPER_MLPPP:
1229 case DLT_JUNIPER_PPP:
1230 case DLT_JUNIPER_CHDLC:
1231 case DLT_JUNIPER_FRELAY:
1232 off_linktype = 4;
de0d3203
PA
1233 off_macpl = 4;
1234 off_nl = 0;
23fa89e6
PA
1235 off_nl_nosnap = -1; /* no 802.2 LLC */
1236 return;
1237
1238 case DLT_JUNIPER_ATM1:
de0d3203
PA
1239 off_linktype = 4; /* in reality variable between 4-8 */
1240 off_macpl = 4; /* in reality variable between 4-8 */
1241 off_nl = 0;
1242 off_nl_nosnap = 10;
23fa89e6
PA
1243 return;
1244
1245 case DLT_JUNIPER_ATM2:
de0d3203
PA
1246 off_linktype = 8; /* in reality variable between 8-12 */
1247 off_macpl = 8; /* in reality variable between 8-12 */
1248 off_nl = 0;
1249 off_nl_nosnap = 10;
23fa89e6
PA
1250 return;
1251
1252 /* frames captured on a Juniper PPPoE service PIC
1253 * contain raw ethernet frames */
1254 case DLT_JUNIPER_PPPOE:
1255 case DLT_JUNIPER_ETHER:
de0d3203 1256 off_macpl = 14;
23fa89e6
PA
1257 off_linktype = 16;
1258 off_nl = 18; /* Ethernet II */
1259 off_nl_nosnap = 21; /* 802.3+802.2 */
1260 return;
1261
1262 case DLT_JUNIPER_PPPOE_ATM:
1263 off_linktype = 4;
de0d3203
PA
1264 off_macpl = 6;
1265 off_nl = 0;
1266 off_nl_nosnap = -1; /* no 802.2 LLC */
23fa89e6
PA
1267 return;
1268
1269 case DLT_JUNIPER_GGSN:
1270 off_linktype = 6;
de0d3203
PA
1271 off_macpl = 12;
1272 off_nl = 0;
1273 off_nl_nosnap = -1; /* no 802.2 LLC */
23fa89e6
PA
1274 return;
1275
1276 case DLT_JUNIPER_ES:
1277 off_linktype = 6;
de0d3203
PA
1278 off_macpl = -1; /* not really a network layer but raw IP addresses */
1279 off_nl = -1; /* not really a network layer but raw IP addresses */
23fa89e6
PA
1280 off_nl_nosnap = -1; /* no 802.2 LLC */
1281 return;
1282
1283 case DLT_JUNIPER_MONITOR:
1284 off_linktype = 12;
de0d3203
PA
1285 off_macpl = 12;
1286 off_nl = 0; /* raw IP/IP6 header */
23fa89e6
PA
1287 off_nl_nosnap = -1; /* no 802.2 LLC */
1288 return;
1289
1290 case DLT_JUNIPER_SERVICES:
1291 off_linktype = 12;
de0d3203 1292 off_macpl = -1; /* L3 proto location dep. on cookie type */
23fa89e6
PA
1293 off_nl = -1; /* L3 proto location dep. on cookie type */
1294 off_nl_nosnap = -1; /* no 802.2 LLC */
1295 return;
1296
dfcad8d8
PA
1297 case DLT_JUNIPER_VP:
1298 off_linktype = 18;
de0d3203
PA
1299 off_macpl = -1;
1300 off_nl = -1;
1301 off_nl_nosnap = -1;
1302 return;
1303
1304 case DLT_JUNIPER_ST:
1305 off_linktype = 18;
1306 off_macpl = -1;
1307 off_nl = -1;
1308 off_nl_nosnap = -1;
1309 return;
1310
1311 case DLT_JUNIPER_ISM:
1312 off_linktype = 8;
1313 off_macpl = -1;
dfcad8d8
PA
1314 off_nl = -1;
1315 off_nl_nosnap = -1;
1316 return;
1317
23fa89e6 1318 case DLT_MTP2:
dfcad8d8 1319 off_li = 2;
23fa89e6
PA
1320 off_sio = 3;
1321 off_opc = 4;
1322 off_dpc = 4;
1323 off_sls = 7;
1324 off_linktype = -1;
de0d3203 1325 off_macpl = -1;
23fa89e6
PA
1326 off_nl = -1;
1327 off_nl_nosnap = -1;
1328 return;
1329
dfcad8d8
PA
1330 case DLT_MTP2_WITH_PHDR:
1331 off_li = 6;
1332 off_sio = 7;
1333 off_opc = 8;
1334 off_dpc = 8;
1335 off_sls = 11;
1336 off_linktype = -1;
de0d3203
PA
1337 off_macpl = -1;
1338 off_nl = -1;
1339 off_nl_nosnap = -1;
1340 return;
1341
1342 case DLT_ERF:
1343 off_li = 22;
1344 off_sio = 23;
1345 off_opc = 24;
1346 off_dpc = 24;
1347 off_sls = 27;
1348 off_linktype = -1;
1349 off_macpl = -1;
dfcad8d8
PA
1350 off_nl = -1;
1351 off_nl_nosnap = -1;
1352 return;
1353
23fa89e6
PA
1354#ifdef DLT_PFSYNC
1355 case DLT_PFSYNC:
1356 off_linktype = -1;
de0d3203
PA
1357 off_macpl = 4;
1358 off_nl = 0;
1359 off_nl_nosnap = 0;
23fa89e6
PA
1360 return;
1361#endif
1362
1363 case DLT_LINUX_LAPD:
1364 /*
1365 * Currently, only raw "link[N:M]" filtering is supported.
1366 */
1367 off_linktype = -1;
de0d3203 1368 off_macpl = -1;
23fa89e6
PA
1369 off_nl = -1;
1370 off_nl_nosnap = -1;
1371 return;
dfcad8d8
PA
1372
1373 case DLT_USB:
1374 /*
1375 * Currently, only raw "link[N:M]" filtering is supported.
1376 */
1377 off_linktype = -1;
de0d3203 1378 off_macpl = -1;
dfcad8d8
PA
1379 off_nl = -1;
1380 off_nl_nosnap = -1;
1381 return;
1382
1383 case DLT_BLUETOOTH_HCI_H4:
1384 /*
1385 * Currently, only raw "link[N:M]" filtering is supported.
1386 */
1387 off_linktype = -1;
de0d3203
PA
1388 off_macpl = -1;
1389 off_nl = -1;
1390 off_nl_nosnap = -1;
1391 return;
1392
1393 case DLT_USB_LINUX:
1394 /*
1395 * Currently, only raw "link[N:M]" filtering is supported.
1396 */
1397 off_linktype = -1;
1398 off_macpl = -1;
1399 off_nl = -1;
1400 off_nl_nosnap = -1;
1401 return;
1402
1403 case DLT_CAN20B:
1404 /*
1405 * Currently, only raw "link[N:M]" filtering is supported.
1406 */
1407 off_linktype = -1;
1408 off_macpl = -1;
1409 off_nl = -1;
1410 off_nl_nosnap = -1;
1411 return;
1412
1413 case DLT_IEEE802_15_4_LINUX:
1414 /*
1415 * Currently, only raw "link[N:M]" filtering is supported.
1416 */
1417 off_linktype = -1;
1418 off_macpl = -1;
1419 off_nl = -1;
1420 off_nl_nosnap = -1;
1421 return;
1422
1423 case DLT_IEEE802_16_MAC_CPS_RADIO:
1424 /*
1425 * Currently, only raw "link[N:M]" filtering is supported.
1426 */
1427 off_linktype = -1;
1428 off_macpl = -1;
1429 off_nl = -1;
1430 off_nl_nosnap = -1;
1431 return;
1432
1433 case DLT_IEEE802_15_4:
1434 /*
1435 * Currently, only raw "link[N:M]" filtering is supported.
1436 */
1437 off_linktype = -1;
1438 off_macpl = -1;
1439 off_nl = -1;
1440 off_nl_nosnap = -1;
1441 return;
1442
1443 case DLT_SITA:
1444 /*
1445 * Currently, only raw "link[N:M]" filtering is supported.
1446 */
1447 off_linktype = -1;
1448 off_macpl = -1;
1449 off_nl = -1;
1450 off_nl_nosnap = -1;
1451 return;
1452
1453 case DLT_RAIF1:
1454 /*
1455 * Currently, only raw "link[N:M]" filtering is supported.
1456 */
1457 off_linktype = -1;
1458 off_macpl = -1;
1459 off_nl = -1;
1460 off_nl_nosnap = -1;
1461 return;
1462
1463 case DLT_IPMB:
1464 /*
1465 * Currently, only raw "link[N:M]" filtering is supported.
1466 */
1467 off_linktype = -1;
1468 off_macpl = -1;
1469 off_nl = -1;
1470 off_nl_nosnap = -1;
1471 return;
1472
1473 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1474 /*
1475 * Currently, only raw "link[N:M]" filtering is supported.
1476 */
1477 off_linktype = -1;
1478 off_macpl = -1;
1479 off_nl = -1;
1480 off_nl_nosnap = -1;
1481 return;
1482
1483 case DLT_AX25_KISS:
1484 /*
1485 * Currently, only raw "link[N:M]" filtering is supported.
1486 */
1487 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1488 off_macpl = -1;
1489 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1490 off_nl_nosnap = -1; /* no 802.2 LLC */
1491 off_mac = 1; /* step over the kiss length byte */
1492 return;
1493
1494 case DLT_IEEE802_15_4_NONASK_PHY:
1495 /*
1496 * Currently, only raw "link[N:M]" filtering is supported.
1497 */
1498 off_linktype = -1;
1499 off_macpl = -1;
dfcad8d8
PA
1500 off_nl = -1;
1501 off_nl_nosnap = -1;
1502 return;
23fa89e6
PA
1503 }
1504 bpf_error("unknown data link type %d", linktype);
1505 /* NOTREACHED */
1506}
1507
1508/*
1509 * Load a value relative to the beginning of the link-layer header.
1510 * The link-layer header doesn't necessarily begin at the beginning
1511 * of the packet data; there might be a variable-length prefix containing
1512 * radio information.
1513 */
1514static struct slist *
1515gen_load_llrel(offset, size)
1516 u_int offset, size;
1517{
1518 struct slist *s, *s2;
1519
1520 s = gen_llprefixlen();
1521
1522 /*
1523 * If "s" is non-null, it has code to arrange that the X register
1524 * contains the length of the prefix preceding the link-layer
1525 * header.
1526 *
1527 * Otherwise, the length of the prefix preceding the link-layer
1528 * header is "off_ll".
1529 */
1530 if (s != NULL) {
1531 /*
1532 * There's a variable-length prefix preceding the
1533 * link-layer header. "s" points to a list of statements
1534 * that put the length of that prefix into the X register.
1535 * do an indirect load, to use the X register as an offset.
1536 */
1537 s2 = new_stmt(BPF_LD|BPF_IND|size);
1538 s2->s.k = offset;
1539 sappend(s, s2);
1540 } else {
1541 /*
1542 * There is no variable-length header preceding the
1543 * link-layer header; add in off_ll, which, if there's
1544 * a fixed-length header preceding the link-layer header,
1545 * is the length of that header.
1546 */
1547 s = new_stmt(BPF_LD|BPF_ABS|size);
1548 s->s.k = offset + off_ll;
1549 }
1550 return s;
1551}
1552
de0d3203
PA
1553/*
1554 * Load a value relative to the beginning of the MAC-layer payload.
1555 */
1556static struct slist *
1557gen_load_macplrel(offset, size)
1558 u_int offset, size;
1559{
1560 struct slist *s, *s2;
1561
1562 s = gen_off_macpl();
1563
1564 /*
1565 * If s is non-null, the offset of the MAC-layer payload is
1566 * variable, and s points to a list of instructions that
1567 * arrange that the X register contains that offset.
1568 *
1569 * Otherwise, the offset of the MAC-layer payload is constant,
1570 * and is in off_macpl.
1571 */
1572 if (s != NULL) {
1573 /*
1574 * The offset of the MAC-layer payload is in the X
1575 * register. Do an indirect load, to use the X register
1576 * as an offset.
1577 */
1578 s2 = new_stmt(BPF_LD|BPF_IND|size);
1579 s2->s.k = offset;
1580 sappend(s, s2);
1581 } else {
1582 /*
1583 * The offset of the MAC-layer payload is constant,
1584 * and is in off_macpl; load the value at that offset
1585 * plus the specified offset.
1586 */
1587 s = new_stmt(BPF_LD|BPF_ABS|size);
1588 s->s.k = off_macpl + offset;
1589 }
1590 return s;
1591}
dfcad8d8 1592
23fa89e6
PA
1593/*
1594 * Load a value relative to the beginning of the specified header.
1595 */
1596static struct slist *
1597gen_load_a(offrel, offset, size)
1598 enum e_offrel offrel;
1599 u_int offset, size;
1600{
1601 struct slist *s, *s2;
1602
1603 switch (offrel) {
1604
1605 case OR_PACKET:
1606 s = new_stmt(BPF_LD|BPF_ABS|size);
1607 s->s.k = offset;
1608 break;
1609
1610 case OR_LINK:
1611 s = gen_load_llrel(offset, size);
1612 break;
1613
de0d3203
PA
1614 case OR_MACPL:
1615 s = gen_load_macplrel(offset, size);
1616 break;
1617
23fa89e6 1618 case OR_NET:
de0d3203 1619 s = gen_load_macplrel(off_nl + offset, size);
23fa89e6
PA
1620 break;
1621
1622 case OR_NET_NOSNAP:
de0d3203 1623 s = gen_load_macplrel(off_nl_nosnap + offset, size);
23fa89e6
PA
1624 break;
1625
1626 case OR_TRAN_IPV4:
1627 /*
1628 * Load the X register with the length of the IPv4 header
1629 * (plus the offset of the link-layer header, if it's
1630 * preceded by a variable-length header such as a radio
1631 * header), in bytes.
1632 */
1633 s = gen_loadx_iphdrlen();
1634
1635 /*
de0d3203
PA
1636 * Load the item at {offset of the MAC-layer payload} +
1637 * {offset, relative to the start of the MAC-layer
1638 * paylod, of the IPv4 header} + {length of the IPv4 header} +
23fa89e6
PA
1639 * {specified offset}.
1640 *
de0d3203
PA
1641 * (If the offset of the MAC-layer payload is variable,
1642 * it's included in the value in the X register, and
1643 * off_macpl is 0.)
23fa89e6
PA
1644 */
1645 s2 = new_stmt(BPF_LD|BPF_IND|size);
de0d3203 1646 s2->s.k = off_macpl + off_nl + offset;
23fa89e6
PA
1647 sappend(s, s2);
1648 break;
1649
1650 case OR_TRAN_IPV6:
de0d3203 1651 s = gen_load_macplrel(off_nl + 40 + offset, size);
23fa89e6
PA
1652 break;
1653
1654 default:
1655 abort();
1656 return NULL;
1657 }
1658 return s;
1659}
1660
1661/*
1662 * Generate code to load into the X register the sum of the length of
1663 * the IPv4 header and any variable-length header preceding the link-layer
1664 * header.
1665 */
1666static struct slist *
1667gen_loadx_iphdrlen()
1668{
1669 struct slist *s, *s2;
1670
de0d3203 1671 s = gen_off_macpl();
23fa89e6
PA
1672 if (s != NULL) {
1673 /*
1674 * There's a variable-length prefix preceding the
de0d3203
PA
1675 * link-layer header, or the link-layer header is itself
1676 * variable-length. "s" points to a list of statements
1677 * that put the offset of the MAC-layer payload into
1678 * the X register.
1679 *
23fa89e6
PA
1680 * The 4*([k]&0xf) addressing mode can't be used, as we
1681 * don't have a constant offset, so we have to load the
1682 * value in question into the A register and add to it
1683 * the value from the X register.
1684 */
1685 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1686 s2->s.k = off_nl;
1687 sappend(s, s2);
1688 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1689 s2->s.k = 0xf;
1690 sappend(s, s2);
1691 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1692 s2->s.k = 2;
1693 sappend(s, s2);
1694
1695 /*
1696 * The A register now contains the length of the
de0d3203
PA
1697 * IP header. We need to add to it the offset of
1698 * the MAC-layer payload, which is still in the X
1699 * register, and move the result into the X register.
23fa89e6
PA
1700 */
1701 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1702 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1703 } else {
1704 /*
1705 * There is no variable-length header preceding the
de0d3203
PA
1706 * link-layer header, and the link-layer header is
1707 * fixed-length; load the length of the IPv4 header,
1708 * which is at an offset of off_nl from the beginning
1709 * of the MAC-layer payload, and thus at an offset
1710 * of off_mac_pl + off_nl from the beginning of the
1711 * raw packet data.
23fa89e6
PA
1712 */
1713 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
de0d3203 1714 s->s.k = off_macpl + off_nl;
23fa89e6
PA
1715 }
1716 return s;
1717}
1718
1719static struct block *
1720gen_uncond(rsense)
1721 int rsense;
1722{
1723 struct block *b;
1724 struct slist *s;
1725
1726 s = new_stmt(BPF_LD|BPF_IMM);
1727 s->s.k = !rsense;
1728 b = new_block(JMP(BPF_JEQ));
1729 b->stmts = s;
1730
1731 return b;
1732}
1733
1734static inline struct block *
1735gen_true()
1736{
1737 return gen_uncond(1);
1738}
1739
1740static inline struct block *
1741gen_false()
1742{
1743 return gen_uncond(0);
1744}
1745
1746/*
1747 * Byte-swap a 32-bit number.
1748 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1749 * big-endian platforms.)
1750 */
1751#define SWAPLONG(y) \
1752((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1753
1754/*
1755 * Generate code to match a particular packet type.
1756 *
1757 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1758 * value, if <= ETHERMTU. We use that to determine whether to
1759 * match the type/length field or to check the type/length field for
1760 * a value <= ETHERMTU to see whether it's a type field and then do
1761 * the appropriate test.
1762 */
1763static struct block *
1764gen_ether_linktype(proto)
1765 register int proto;
1766{
1767 struct block *b0, *b1;
1768
1769 switch (proto) {
1770
1771 case LLCSAP_ISONS:
1772 case LLCSAP_IP:
1773 case LLCSAP_NETBEUI:
1774 /*
1775 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1776 * so we check the DSAP and SSAP.
1777 *
1778 * LLCSAP_IP checks for IP-over-802.2, rather
1779 * than IP-over-Ethernet or IP-over-SNAP.
1780 *
1781 * XXX - should we check both the DSAP and the
1782 * SSAP, like this, or should we check just the
1783 * DSAP, as we do for other types <= ETHERMTU
1784 * (i.e., other SAP values)?
1785 */
1786 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1787 gen_not(b0);
de0d3203 1788 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
23fa89e6
PA
1789 ((proto << 8) | proto));
1790 gen_and(b0, b1);
1791 return b1;
1792
1793 case LLCSAP_IPX:
1794 /*
1795 * Check for;
1796 *
1797 * Ethernet_II frames, which are Ethernet
1798 * frames with a frame type of ETHERTYPE_IPX;
1799 *
1800 * Ethernet_802.3 frames, which are 802.3
1801 * frames (i.e., the type/length field is
1802 * a length field, <= ETHERMTU, rather than
1803 * a type field) with the first two bytes
1804 * after the Ethernet/802.3 header being
1805 * 0xFFFF;
1806 *
1807 * Ethernet_802.2 frames, which are 802.3
1808 * frames with an 802.2 LLC header and
1809 * with the IPX LSAP as the DSAP in the LLC
1810 * header;
1811 *
1812 * Ethernet_SNAP frames, which are 802.3
1813 * frames with an LLC header and a SNAP
1814 * header and with an OUI of 0x000000
1815 * (encapsulated Ethernet) and a protocol
1816 * ID of ETHERTYPE_IPX in the SNAP header.
1817 *
1818 * XXX - should we generate the same code both
1819 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1820 */
1821
1822 /*
1823 * This generates code to check both for the
1824 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1825 */
de0d3203
PA
1826 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1827 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
23fa89e6
PA
1828 gen_or(b0, b1);
1829
1830 /*
1831 * Now we add code to check for SNAP frames with
1832 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1833 */
de0d3203 1834 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
23fa89e6
PA
1835 gen_or(b0, b1);
1836
1837 /*
1838 * Now we generate code to check for 802.3
1839 * frames in general.
1840 */
1841 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1842 gen_not(b0);
1843
1844 /*
1845 * Now add the check for 802.3 frames before the
1846 * check for Ethernet_802.2 and Ethernet_802.3,
1847 * as those checks should only be done on 802.3
1848 * frames, not on Ethernet frames.
1849 */
1850 gen_and(b0, b1);
1851
1852 /*
1853 * Now add the check for Ethernet_II frames, and
1854 * do that before checking for the other frame
1855 * types.
1856 */
1857 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1858 (bpf_int32)ETHERTYPE_IPX);
1859 gen_or(b0, b1);
1860 return b1;
1861
1862 case ETHERTYPE_ATALK:
1863 case ETHERTYPE_AARP:
1864 /*
1865 * EtherTalk (AppleTalk protocols on Ethernet link
1866 * layer) may use 802.2 encapsulation.
1867 */
1868
1869 /*
1870 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1871 * we check for an Ethernet type field less than
1872 * 1500, which means it's an 802.3 length field.
1873 */
1874 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1875 gen_not(b0);
1876
1877 /*
1878 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1879 * SNAP packets with an organization code of
1880 * 0x080007 (Apple, for Appletalk) and a protocol
1881 * type of ETHERTYPE_ATALK (Appletalk).
1882 *
1883 * 802.2-encapsulated ETHERTYPE_AARP packets are
1884 * SNAP packets with an organization code of
1885 * 0x000000 (encapsulated Ethernet) and a protocol
1886 * type of ETHERTYPE_AARP (Appletalk ARP).
1887 */
1888 if (proto == ETHERTYPE_ATALK)
de0d3203 1889 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
23fa89e6 1890 else /* proto == ETHERTYPE_AARP */
de0d3203 1891 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
23fa89e6
PA
1892 gen_and(b0, b1);
1893
1894 /*
1895 * Check for Ethernet encapsulation (Ethertalk
1896 * phase 1?); we just check for the Ethernet
1897 * protocol type.
1898 */
1899 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1900
1901 gen_or(b0, b1);
1902 return b1;
1903
1904 default:
1905 if (proto <= ETHERMTU) {
1906 /*
1907 * This is an LLC SAP value, so the frames
1908 * that match would be 802.2 frames.
1909 * Check that the frame is an 802.2 frame
1910 * (i.e., that the length/type field is
1911 * a length field, <= ETHERMTU) and
1912 * then check the DSAP.
1913 */
1914 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1915 gen_not(b0);
1916 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1917 (bpf_int32)proto);
1918 gen_and(b0, b1);
1919 return b1;
1920 } else {
1921 /*
1922 * This is an Ethernet type, so compare
1923 * the length/type field with it (if
1924 * the frame is an 802.2 frame, the length
1925 * field will be <= ETHERMTU, and, as
1926 * "proto" is > ETHERMTU, this test
1927 * will fail and the frame won't match,
1928 * which is what we want).
1929 */
1930 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1931 (bpf_int32)proto);
1932 }
1933 }
1934}
1935
1936/*
1937 * Generate code to match a particular packet type.
1938 *
1939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1940 * value, if <= ETHERMTU. We use that to determine whether to
1941 * match the type field or to check the type field for the special
1942 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1943 */
1944static struct block *
1945gen_linux_sll_linktype(proto)
1946 register int proto;
1947{
1948 struct block *b0, *b1;
1949
1950 switch (proto) {
1951
1952 case LLCSAP_ISONS:
1953 case LLCSAP_IP:
1954 case LLCSAP_NETBEUI:
1955 /*
1956 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1957 * so we check the DSAP and SSAP.
1958 *
1959 * LLCSAP_IP checks for IP-over-802.2, rather
1960 * than IP-over-Ethernet or IP-over-SNAP.
1961 *
1962 * XXX - should we check both the DSAP and the
1963 * SSAP, like this, or should we check just the
1964 * DSAP, as we do for other types <= ETHERMTU
1965 * (i.e., other SAP values)?
1966 */
1967 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
de0d3203 1968 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
23fa89e6
PA
1969 ((proto << 8) | proto));
1970 gen_and(b0, b1);
1971 return b1;
1972
1973 case LLCSAP_IPX:
1974 /*
1975 * Ethernet_II frames, which are Ethernet
1976 * frames with a frame type of ETHERTYPE_IPX;
1977 *
1978 * Ethernet_802.3 frames, which have a frame
1979 * type of LINUX_SLL_P_802_3;
1980 *
1981 * Ethernet_802.2 frames, which are 802.3
1982 * frames with an 802.2 LLC header (i.e, have
1983 * a frame type of LINUX_SLL_P_802_2) and
1984 * with the IPX LSAP as the DSAP in the LLC
1985 * header;
1986 *
1987 * Ethernet_SNAP frames, which are 802.3
1988 * frames with an LLC header and a SNAP
1989 * header and with an OUI of 0x000000
1990 * (encapsulated Ethernet) and a protocol
1991 * ID of ETHERTYPE_IPX in the SNAP header.
1992 *
1993 * First, do the checks on LINUX_SLL_P_802_2
1994 * frames; generate the check for either
1995 * Ethernet_802.2 or Ethernet_SNAP frames, and
1996 * then put a check for LINUX_SLL_P_802_2 frames
1997 * before it.
1998 */
de0d3203
PA
1999 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2000 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
23fa89e6
PA
2001 gen_or(b0, b1);
2002 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2003 gen_and(b0, b1);
2004
2005 /*
2006 * Now check for 802.3 frames and OR that with
2007 * the previous test.
2008 */
2009 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2010 gen_or(b0, b1);
2011
2012 /*
2013 * Now add the check for Ethernet_II frames, and
2014 * do that before checking for the other frame
2015 * types.
2016 */
2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2018 (bpf_int32)ETHERTYPE_IPX);
2019 gen_or(b0, b1);
2020 return b1;
2021
2022 case ETHERTYPE_ATALK:
2023 case ETHERTYPE_AARP:
2024 /*
2025 * EtherTalk (AppleTalk protocols on Ethernet link
2026 * layer) may use 802.2 encapsulation.
2027 */
2028
2029 /*
2030 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2031 * we check for the 802.2 protocol type in the
2032 * "Ethernet type" field.
2033 */
2034 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2035
2036 /*
2037 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2038 * SNAP packets with an organization code of
2039 * 0x080007 (Apple, for Appletalk) and a protocol
2040 * type of ETHERTYPE_ATALK (Appletalk).
2041 *
2042 * 802.2-encapsulated ETHERTYPE_AARP packets are
2043 * SNAP packets with an organization code of
2044 * 0x000000 (encapsulated Ethernet) and a protocol
2045 * type of ETHERTYPE_AARP (Appletalk ARP).
2046 */
2047 if (proto == ETHERTYPE_ATALK)
de0d3203 2048 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
23fa89e6 2049 else /* proto == ETHERTYPE_AARP */
de0d3203 2050 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
23fa89e6
PA
2051 gen_and(b0, b1);
2052
2053 /*
2054 * Check for Ethernet encapsulation (Ethertalk
2055 * phase 1?); we just check for the Ethernet
2056 * protocol type.
2057 */
2058 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2059
2060 gen_or(b0, b1);
2061 return b1;
2062
2063 default:
2064 if (proto <= ETHERMTU) {
2065 /*
2066 * This is an LLC SAP value, so the frames
2067 * that match would be 802.2 frames.
2068 * Check for the 802.2 protocol type
2069 * in the "Ethernet type" field, and
2070 * then check the DSAP.
2071 */
2072 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2073 LINUX_SLL_P_802_2);
de0d3203 2074 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
23fa89e6
PA
2075 (bpf_int32)proto);
2076 gen_and(b0, b1);
2077 return b1;
2078 } else {
2079 /*
2080 * This is an Ethernet type, so compare
2081 * the length/type field with it (if
2082 * the frame is an 802.2 frame, the length
2083 * field will be <= ETHERMTU, and, as
2084 * "proto" is > ETHERMTU, this test
2085 * will fail and the frame won't match,
2086 * which is what we want).
2087 */
2088 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2089 (bpf_int32)proto);
2090 }
2091 }
2092}
2093
de0d3203
PA
2094static struct slist *
2095gen_load_prism_llprefixlen()
23fa89e6
PA
2096{
2097 struct slist *s1, *s2;
de0d3203
PA
2098 struct slist *sjeq_avs_cookie;
2099 struct slist *sjcommon;
2100
2101 /*
2102 * This code is not compatible with the optimizer, as
2103 * we are generating jmp instructions within a normal
2104 * slist of instructions
2105 */
2106 no_optimize = 1;
23fa89e6
PA
2107
2108 /*
de0d3203
PA
2109 * Generate code to load the length of the radio header into
2110 * the register assigned to hold that length, if one has been
2111 * assigned. (If one hasn't been assigned, no code we've
2112 * generated uses that prefix, so we don't need to generate any
2113 * code to load it.)
2114 *
2115 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2116 * or always use the AVS header rather than the Prism header.
2117 * We load a 4-byte big-endian value at the beginning of the
2118 * raw packet data, and see whether, when masked with 0xFFFFF000,
2119 * it's equal to 0x80211000. If so, that indicates that it's
2120 * an AVS header (the masked-out bits are the version number).
2121 * Otherwise, it's a Prism header.
2122 *
2123 * XXX - the Prism header is also, in theory, variable-length,
2124 * but no known software generates headers that aren't 144
2125 * bytes long.
23fa89e6 2126 */
de0d3203
PA
2127 if (reg_off_ll != -1) {
2128 /*
2129 * Load the cookie.
2130 */
2131 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2132 s1->s.k = 0;
2133
2134 /*
2135 * AND it with 0xFFFFF000.
2136 */
2137 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2138 s2->s.k = 0xFFFFF000;
2139 sappend(s1, s2);
2140
2141 /*
2142 * Compare with 0x80211000.
2143 */
2144 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2145 sjeq_avs_cookie->s.k = 0x80211000;
2146 sappend(s1, sjeq_avs_cookie);
2147
2148 /*
2149 * If it's AVS:
2150 *
2151 * The 4 bytes at an offset of 4 from the beginning of
2152 * the AVS header are the length of the AVS header.
2153 * That field is big-endian.
2154 */
2155 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2156 s2->s.k = 4;
2157 sappend(s1, s2);
2158 sjeq_avs_cookie->s.jt = s2;
2159
2160 /*
2161 * Now jump to the code to allocate a register
2162 * into which to save the header length and
2163 * store the length there. (The "jump always"
2164 * instruction needs to have the k field set;
2165 * it's added to the PC, so, as we're jumping
2166 * over a single instruction, it should be 1.)
2167 */
2168 sjcommon = new_stmt(JMP(BPF_JA));
2169 sjcommon->s.k = 1;
2170 sappend(s1, sjcommon);
2171
2172 /*
2173 * Now for the code that handles the Prism header.
2174 * Just load the length of the Prism header (144)
2175 * into the A register. Have the test for an AVS
2176 * header branch here if we don't have an AVS header.
2177 */
2178 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2179 s2->s.k = 144;
2180 sappend(s1, s2);
2181 sjeq_avs_cookie->s.jf = s2;
2182
2183 /*
2184 * Now allocate a register to hold that value and store
2185 * it. The code for the AVS header will jump here after
2186 * loading the length of the AVS header.
2187 */
2188 s2 = new_stmt(BPF_ST);
2189 s2->s.k = reg_off_ll;
2190 sappend(s1, s2);
2191 sjcommon->s.jf = s2;
2192
2193 /*
2194 * Now move it into the X register.
2195 */
2196 s2 = new_stmt(BPF_MISC|BPF_TAX);
2197 sappend(s1, s2);
2198
2199 return (s1);
2200 } else
2201 return (NULL);
2202}
2203
2204static struct slist *
2205gen_load_avs_llprefixlen()
2206{
2207 struct slist *s1, *s2;
2208
2209 /*
2210 * Generate code to load the length of the AVS header into
2211 * the register assigned to hold that length, if one has been
2212 * assigned. (If one hasn't been assigned, no code we've
2213 * generated uses that prefix, so we don't need to generate any
2214 * code to load it.)
2215 */
2216 if (reg_off_ll != -1) {
2217 /*
2218 * The 4 bytes at an offset of 4 from the beginning of
2219 * the AVS header are the length of the AVS header.
2220 * That field is big-endian.
2221 */
2222 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2223 s1->s.k = 4;
2224
2225 /*
2226 * Now allocate a register to hold that value and store
2227 * it.
2228 */
2229 s2 = new_stmt(BPF_ST);
2230 s2->s.k = reg_off_ll;
2231 sappend(s1, s2);
2232
2233 /*
2234 * Now move it into the X register.
2235 */
2236 s2 = new_stmt(BPF_MISC|BPF_TAX);
2237 sappend(s1, s2);
2238
2239 return (s1);
2240 } else
2241 return (NULL);
2242}
2243
2244static struct slist *
2245gen_load_radiotap_llprefixlen()
23fa89e6
PA
2246{
2247 struct slist *s1, *s2;
2248
2249 /*
de0d3203
PA
2250 * Generate code to load the length of the radiotap header into
2251 * the register assigned to hold that length, if one has been
2252 * assigned. (If one hasn't been assigned, no code we've
2253 * generated uses that prefix, so we don't need to generate any
2254 * code to load it.)
23fa89e6 2255 */
de0d3203 2256 if (reg_off_ll != -1) {
23fa89e6
PA
2257 /*
2258 * The 2 bytes at offsets of 2 and 3 from the beginning
2259 * of the radiotap header are the length of the radiotap
2260 * header; unfortunately, it's little-endian, so we have
2261 * to load it a byte at a time and construct the value.
2262 */
2263
2264 /*
2265 * Load the high-order byte, at an offset of 3, shift it
2266 * left a byte, and put the result in the X register.
2267 */
2268 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2269 s1->s.k = 3;
2270 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2271 sappend(s1, s2);
2272 s2->s.k = 8;
2273 s2 = new_stmt(BPF_MISC|BPF_TAX);
2274 sappend(s1, s2);
2275
2276 /*
2277 * Load the next byte, at an offset of 2, and OR the
2278 * value from the X register into it.
2279 */
2280 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2281 sappend(s1, s2);
2282 s2->s.k = 2;
2283 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2284 sappend(s1, s2);
2285
2286 /*
2287 * Now allocate a register to hold that value and store
2288 * it.
2289 */
2290 s2 = new_stmt(BPF_ST);
de0d3203 2291 s2->s.k = reg_off_ll;
23fa89e6
PA
2292 sappend(s1, s2);
2293
2294 /*
2295 * Now move it into the X register.
2296 */
2297 s2 = new_stmt(BPF_MISC|BPF_TAX);
2298 sappend(s1, s2);
2299
de0d3203
PA
2300 return (s1);
2301 } else
2302 return (NULL);
23fa89e6
PA
2303}
2304
dfcad8d8
PA
2305/*
2306 * At the moment we treat PPI as normal Radiotap encoded
2307 * packets. The difference is in the function that generates
2308 * the code at the beginning to compute the header length.
2309 * Since this code generator of PPI supports bare 802.11
2310 * encapsulation only (i.e. the encapsulated DLT should be
de0d3203
PA
2311 * DLT_IEEE802_11) we generate code to check for this too;
2312 * that's done in finish_parse().
dfcad8d8 2313 */
de0d3203
PA
2314static struct slist *
2315gen_load_ppi_llprefixlen()
dfcad8d8
PA
2316{
2317 struct slist *s1, *s2;
2318
2319 /*
de0d3203
PA
2320 * Generate code to load the length of the radiotap header
2321 * into the register assigned to hold that length, if one has
2322 * been assigned.
dfcad8d8 2323 */
de0d3203
PA
2324 if (reg_off_ll != -1) {
2325 /*
dfcad8d8
PA
2326 * The 2 bytes at offsets of 2 and 3 from the beginning
2327 * of the radiotap header are the length of the radiotap
2328 * header; unfortunately, it's little-endian, so we have
2329 * to load it a byte at a time and construct the value.
2330 */
2331
2332 /*
2333 * Load the high-order byte, at an offset of 3, shift it
2334 * left a byte, and put the result in the X register.
2335 */
2336 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2337 s1->s.k = 3;
2338 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2339 sappend(s1, s2);
2340 s2->s.k = 8;
2341 s2 = new_stmt(BPF_MISC|BPF_TAX);
2342 sappend(s1, s2);
2343
2344 /*
2345 * Load the next byte, at an offset of 2, and OR the
2346 * value from the X register into it.
2347 */
2348 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2349 sappend(s1, s2);
2350 s2->s.k = 2;
2351 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2352 sappend(s1, s2);
2353
2354 /*
2355 * Now allocate a register to hold that value and store
2356 * it.
2357 */
2358 s2 = new_stmt(BPF_ST);
de0d3203 2359 s2->s.k = reg_off_ll;
dfcad8d8
PA
2360 sappend(s1, s2);
2361
2362 /*
2363 * Now move it into the X register.
2364 */
2365 s2 = new_stmt(BPF_MISC|BPF_TAX);
2366 sappend(s1, s2);
2367
de0d3203
PA
2368 return (s1);
2369 } else
2370 return (NULL);
2371}
2372
2373/*
2374 * Load a value relative to the beginning of the link-layer header after the 802.11
2375 * header, i.e. LLC_SNAP.
2376 * The link-layer header doesn't necessarily begin at the beginning
2377 * of the packet data; there might be a variable-length prefix containing
2378 * radio information.
2379 */
2380static struct slist *
2381gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2382{
2383 struct slist *s2;
2384 struct slist *sjset_data_frame_1;
2385 struct slist *sjset_data_frame_2;
2386 struct slist *sjset_qos;
2387 struct slist *sjset_radiotap_flags;
2388 struct slist *sjset_radiotap_tsft;
2389 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2390 struct slist *s_roundup;
2391
2392 if (reg_off_macpl == -1) {
2393 /*
2394 * No register has been assigned to the offset of
2395 * the MAC-layer payload, which means nobody needs
2396 * it; don't bother computing it - just return
2397 * what we already have.
2398 */
2399 return (s);
2400 }
2401
2402 /*
2403 * This code is not compatible with the optimizer, as
2404 * we are generating jmp instructions within a normal
2405 * slist of instructions
2406 */
2407 no_optimize = 1;
2408
2409 /*
2410 * If "s" is non-null, it has code to arrange that the X register
2411 * contains the length of the prefix preceding the link-layer
2412 * header.
2413 *
2414 * Otherwise, the length of the prefix preceding the link-layer
2415 * header is "off_ll".
2416 */
2417 if (s == NULL) {
2418 /*
2419 * There is no variable-length header preceding the
2420 * link-layer header.
2421 *
2422 * Load the length of the fixed-length prefix preceding
2423 * the link-layer header (if any) into the X register,
2424 * and store it in the reg_off_macpl register.
2425 * That length is off_ll.
2426 */
2427 s = new_stmt(BPF_LDX|BPF_IMM);
2428 s->s.k = off_ll;
2429 }
2430
2431 /*
2432 * The X register contains the offset of the beginning of the
2433 * link-layer header; add 24, which is the minimum length
2434 * of the MAC header for a data frame, to that, and store it
2435 * in reg_off_macpl, and then load the Frame Control field,
2436 * which is at the offset in the X register, with an indexed load.
2437 */
2438 s2 = new_stmt(BPF_MISC|BPF_TXA);
2439 sappend(s, s2);
2440 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2441 s2->s.k = 24;
2442 sappend(s, s2);
2443 s2 = new_stmt(BPF_ST);
2444 s2->s.k = reg_off_macpl;
2445 sappend(s, s2);
2446
2447 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2448 s2->s.k = 0;
2449 sappend(s, s2);
2450
2451 /*
2452 * Check the Frame Control field to see if this is a data frame;
2453 * a data frame has the 0x08 bit (b3) in that field set and the
2454 * 0x04 bit (b2) clear.
2455 */
2456 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2457 sjset_data_frame_1->s.k = 0x08;
2458 sappend(s, sjset_data_frame_1);
2459
2460 /*
2461 * If b3 is set, test b2, otherwise go to the first statement of
2462 * the rest of the program.
2463 */
2464 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2465 sjset_data_frame_2->s.k = 0x04;
2466 sappend(s, sjset_data_frame_2);
2467 sjset_data_frame_1->s.jf = snext;
2468
2469 /*
2470 * If b2 is not set, this is a data frame; test the QoS bit.
2471 * Otherwise, go to the first statement of the rest of the
2472 * program.
2473 */
2474 sjset_data_frame_2->s.jt = snext;
2475 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2476 sjset_qos->s.k = 0x80; /* QoS bit */
2477 sappend(s, sjset_qos);
2478
2479 /*
2480 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2481 * field.
2482 * Otherwise, go to the first statement of the rest of the
2483 * program.
2484 */
2485 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2486 s2->s.k = reg_off_macpl;
2487 sappend(s, s2);
2488 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2489 s2->s.k = 2;
2490 sappend(s, s2);
2491 s2 = new_stmt(BPF_ST);
2492 s2->s.k = reg_off_macpl;
2493 sappend(s, s2);
2494
2495 /*
2496 * If we have a radiotap header, look at it to see whether
2497 * there's Atheros padding between the MAC-layer header
2498 * and the payload.
2499 *
2500 * Note: all of the fields in the radiotap header are
2501 * little-endian, so we byte-swap all of the values
2502 * we test against, as they will be loaded as big-endian
2503 * values.
2504 */
2505 if (linktype == DLT_IEEE802_11_RADIO) {
dfcad8d8 2506 /*
de0d3203
PA
2507 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2508 * in the presence flag?
dfcad8d8 2509 */
de0d3203
PA
2510 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2511 s2->s.k = 4;
2512 sappend(s, s2);
2513
2514 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2515 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2516 sappend(s, sjset_radiotap_flags);
dfcad8d8 2517
de0d3203
PA
2518 /*
2519 * If not, skip all of this.
2520 */
2521 sjset_radiotap_flags->s.jf = snext;
2522
2523 /*
2524 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2525 */
2526 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2527 new_stmt(JMP(BPF_JSET));
2528 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2529 sappend(s, sjset_radiotap_tsft);
2530
2531 /*
2532 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2533 * at an offset of 16 from the beginning of the raw packet
2534 * data (8 bytes for the radiotap header and 8 bytes for
2535 * the TSFT field).
2536 *
2537 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2538 * is set.
2539 */
2540 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2541 s2->s.k = 16;
2542 sappend(s, s2);
2543
2544 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2545 sjset_tsft_datapad->s.k = 0x20;
2546 sappend(s, sjset_tsft_datapad);
2547
dfcad8d8 2548 /*
de0d3203
PA
2549 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2550 * at an offset of 8 from the beginning of the raw packet
2551 * data (8 bytes for the radiotap header).
2552 *
2553 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2554 * is set.
dfcad8d8 2555 */
de0d3203
PA
2556 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2557 s2->s.k = 8;
2558 sappend(s, s2);
2559
2560 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2561 sjset_notsft_datapad->s.k = 0x20;
2562 sappend(s, sjset_notsft_datapad);
2563
2564 /*
2565 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2566 * set, round the length of the 802.11 header to
2567 * a multiple of 4. Do that by adding 3 and then
2568 * dividing by and multiplying by 4, which we do by
2569 * ANDing with ~3.
2570 */
2571 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2572 s_roundup->s.k = reg_off_macpl;
2573 sappend(s, s_roundup);
2574 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2575 s2->s.k = 3;
2576 sappend(s, s2);
2577 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2578 s2->s.k = ~3;
2579 sappend(s, s2);
2580 s2 = new_stmt(BPF_ST);
2581 s2->s.k = reg_off_macpl;
2582 sappend(s, s2);
dfcad8d8 2583
de0d3203
PA
2584 sjset_tsft_datapad->s.jt = s_roundup;
2585 sjset_tsft_datapad->s.jf = snext;
2586 sjset_notsft_datapad->s.jt = s_roundup;
2587 sjset_notsft_datapad->s.jf = snext;
2588 } else
2589 sjset_qos->s.jf = snext;
2590
2591 return s;
2592}
2593
2594static void
2595insert_compute_vloffsets(b)
2596 struct block *b;
2597{
2598 struct slist *s;
2599
2600 /*
2601 * For link-layer types that have a variable-length header
2602 * preceding the link-layer header, generate code to load
2603 * the offset of the link-layer header into the register
2604 * assigned to that offset, if any.
2605 */
2606 switch (linktype) {
2607
2608 case DLT_PRISM_HEADER:
2609 s = gen_load_prism_llprefixlen();
2610 break;
2611
2612 case DLT_IEEE802_11_RADIO_AVS:
2613 s = gen_load_avs_llprefixlen();
2614 break;
2615
2616 case DLT_IEEE802_11_RADIO:
2617 s = gen_load_radiotap_llprefixlen();
2618 break;
2619
2620 case DLT_PPI:
2621 s = gen_load_ppi_llprefixlen();
2622 break;
2623
2624 default:
2625 s = NULL;
2626 break;
2627 }
2628
2629 /*
2630 * For link-layer types that have a variable-length link-layer
2631 * header, generate code to load the offset of the MAC-layer
2632 * payload into the register assigned to that offset, if any.
2633 */
2634 switch (linktype) {
2635
2636 case DLT_IEEE802_11:
2637 case DLT_PRISM_HEADER:
2638 case DLT_IEEE802_11_RADIO_AVS:
2639 case DLT_IEEE802_11_RADIO:
2640 case DLT_PPI:
2641 s = gen_load_802_11_header_len(s, b->stmts);
2642 break;
2643 }
2644
2645 /*
2646 * If we have any offset-loading code, append all the
2647 * existing statements in the block to those statements,
2648 * and make the resulting list the list of statements
2649 * for the block.
2650 */
2651 if (s != NULL) {
2652 sappend(s, b->stmts);
2653 b->stmts = s;
dfcad8d8
PA
2654 }
2655}
de0d3203 2656
dfcad8d8
PA
2657static struct block *
2658gen_ppi_dlt_check(void)
2659{
2660 struct slist *s_load_dlt;
2661 struct block *b;
2662
2663 if (linktype == DLT_PPI)
2664 {
2665 /* Create the statements that check for the DLT
2666 */
2667 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2668 s_load_dlt->s.k = 4;
2669
2670 b = new_block(JMP(BPF_JEQ));
2671
2672 b->stmts = s_load_dlt;
2673 b->s.k = SWAPLONG(DLT_IEEE802_11);
2674 }
2675 else
2676 {
2677 b = NULL;
2678 }
2679
2680 return b;
2681}
23fa89e6 2682
de0d3203
PA
2683static struct slist *
2684gen_prism_llprefixlen(void)
23fa89e6 2685{
de0d3203
PA
2686 struct slist *s;
2687
2688 if (reg_off_ll == -1) {
2689 /*
2690 * We haven't yet assigned a register for the length
2691 * of the radio header; allocate one.
2692 */
2693 reg_off_ll = alloc_reg();
2694 }
23fa89e6 2695
de0d3203
PA
2696 /*
2697 * Load the register containing the radio length
2698 * into the X register.
dfcad8d8 2699 */
de0d3203
PA
2700 s = new_stmt(BPF_LDX|BPF_MEM);
2701 s->s.k = reg_off_ll;
2702 return s;
2703}
dfcad8d8 2704
de0d3203
PA
2705static struct slist *
2706gen_avs_llprefixlen(void)
23fa89e6 2707{
de0d3203 2708 struct slist *s;
dfcad8d8 2709
de0d3203
PA
2710 if (reg_off_ll == -1) {
2711 /*
2712 * We haven't yet assigned a register for the length
2713 * of the AVS header; allocate one.
2714 */
2715 reg_off_ll = alloc_reg();
23fa89e6 2716 }
23fa89e6 2717
de0d3203
PA
2718 /*
2719 * Load the register containing the AVS length
2720 * into the X register.
2721 */
2722 s = new_stmt(BPF_LDX|BPF_MEM);
2723 s->s.k = reg_off_ll;
2724 return s;
2725}
23fa89e6
PA
2726
2727static struct slist *
2728gen_radiotap_llprefixlen(void)
2729{
2730 struct slist *s;
2731
de0d3203 2732 if (reg_off_ll == -1) {
23fa89e6
PA
2733 /*
2734 * We haven't yet assigned a register for the length
2735 * of the radiotap header; allocate one.
2736 */
de0d3203 2737 reg_off_ll = alloc_reg();
23fa89e6
PA
2738 }
2739
2740 /*
2741 * Load the register containing the radiotap length
2742 * into the X register.
2743 */
2744 s = new_stmt(BPF_LDX|BPF_MEM);
de0d3203 2745 s->s.k = reg_off_ll;
23fa89e6
PA
2746 return s;
2747}
2748
dfcad8d8
PA
2749/*
2750 * At the moment we treat PPI as normal Radiotap encoded
2751 * packets. The difference is in the function that generates
2752 * the code at the beginning to compute the header length.
2753 * Since this code generator of PPI supports bare 802.11
2754 * encapsulation only (i.e. the encapsulated DLT should be
2755 * DLT_IEEE802_11) we generate code to check for this too.
2756 */
2757static struct slist *
2758gen_ppi_llprefixlen(void)
2759{
2760 struct slist *s;
2761
de0d3203 2762 if (reg_off_ll == -1) {
dfcad8d8
PA
2763 /*
2764 * We haven't yet assigned a register for the length
2765 * of the radiotap header; allocate one.
2766 */
de0d3203 2767 reg_off_ll = alloc_reg();
dfcad8d8
PA
2768 }
2769
2770 /*
de0d3203 2771 * Load the register containing the PPI length
dfcad8d8
PA
2772 * into the X register.
2773 */
2774 s = new_stmt(BPF_LDX|BPF_MEM);
de0d3203 2775 s->s.k = reg_off_ll;
dfcad8d8
PA
2776 return s;
2777}
2778
23fa89e6
PA
2779/*
2780 * Generate code to compute the link-layer header length, if necessary,
2781 * putting it into the X register, and to return either a pointer to a
2782 * "struct slist" for the list of statements in that code, or NULL if
2783 * no code is necessary.
2784 */
2785static struct slist *
2786gen_llprefixlen(void)
2787{
2788 switch (linktype) {
2789
de0d3203
PA
2790 case DLT_PRISM_HEADER:
2791 return gen_prism_llprefixlen();
2792
2793 case DLT_IEEE802_11_RADIO_AVS:
2794 return gen_avs_llprefixlen();
dfcad8d8 2795
23fa89e6
PA
2796 case DLT_IEEE802_11_RADIO:
2797 return gen_radiotap_llprefixlen();
2798
de0d3203
PA
2799 case DLT_PPI:
2800 return gen_ppi_llprefixlen();
2801
23fa89e6
PA
2802 default:
2803 return NULL;
2804 }
2805}
2806
de0d3203
PA
2807/*
2808 * Generate code to load the register containing the offset of the
2809 * MAC-layer payload into the X register; if no register for that offset
2810 * has been allocated, allocate it first.
2811 */
2812static struct slist *
2813gen_off_macpl(void)
2814{
2815 struct slist *s;
2816
2817 if (off_macpl_is_variable) {
2818 if (reg_off_macpl == -1) {
2819 /*
2820 * We haven't yet assigned a register for the offset
2821 * of the MAC-layer payload; allocate one.
2822 */
2823 reg_off_macpl = alloc_reg();
2824 }
2825
2826 /*
2827 * Load the register containing the offset of the MAC-layer
2828 * payload into the X register.
2829 */
2830 s = new_stmt(BPF_LDX|BPF_MEM);
2831 s->s.k = reg_off_macpl;
2832 return s;
2833 } else {
2834 /*
2835 * That offset isn't variable, so we don't need to
2836 * generate any code.
2837 */
2838 return NULL;
2839 }
2840}
2841
2842/*
2843 * Map an Ethernet type to the equivalent PPP type.
2844 */
2845static int
2846ethertype_to_ppptype(proto)
2847 int proto;
2848{
2849 switch (proto) {
2850
2851 case ETHERTYPE_IP:
2852 proto = PPP_IP;
2853 break;
2854
2855#ifdef INET6
2856 case ETHERTYPE_IPV6:
2857 proto = PPP_IPV6;
2858 break;
2859#endif
2860
2861 case ETHERTYPE_DN:
2862 proto = PPP_DECNET;
2863 break;
2864
2865 case ETHERTYPE_ATALK:
2866 proto = PPP_APPLE;
2867 break;
2868
2869 case ETHERTYPE_NS:
2870 proto = PPP_NS;
2871 break;
2872
2873 case LLCSAP_ISONS:
2874 proto = PPP_OSI;
2875 break;
2876
2877 case LLCSAP_8021D:
2878 /*
2879 * I'm assuming the "Bridging PDU"s that go
2880 * over PPP are Spanning Tree Protocol
2881 * Bridging PDUs.
2882 */
2883 proto = PPP_BRPDU;
2884 break;
2885
2886 case LLCSAP_IPX:
2887 proto = PPP_IPX;
2888 break;
2889 }
2890 return (proto);
2891}
2892
23fa89e6
PA
2893/*
2894 * Generate code to match a particular packet type by matching the
2895 * link-layer type field or fields in the 802.2 LLC header.
2896 *
2897 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2898 * value, if <= ETHERMTU.
2899 */
2900static struct block *
2901gen_linktype(proto)
2902 register int proto;
2903{
2904 struct block *b0, *b1, *b2;
2905
2906 /* are we checking MPLS-encapsulated packets? */
2907 if (label_stack_depth > 0) {
2908 switch (proto) {
2909 case ETHERTYPE_IP:
2910 case PPP_IP:
de0d3203 2911 /* FIXME add other L3 proto IDs */
23fa89e6
PA
2912 return gen_mpls_linktype(Q_IP);
2913
2914 case ETHERTYPE_IPV6:
2915 case PPP_IPV6:
de0d3203 2916 /* FIXME add other L3 proto IDs */
23fa89e6
PA
2917 return gen_mpls_linktype(Q_IPV6);
2918
2919 default:
2920 bpf_error("unsupported protocol over mpls");
2921 /* NOTREACHED */
2922 }
2923 }
2924
de0d3203
PA
2925 /*
2926 * Are we testing PPPoE packets?
2927 */
2928 if (is_pppoes) {
2929 /*
2930 * The PPPoE session header is part of the
2931 * MAC-layer payload, so all references
2932 * should be relative to the beginning of
2933 * that payload.
2934 */
2935
2936 /*
2937 * We use Ethernet protocol types inside libpcap;
2938 * map them to the corresponding PPP protocol types.
2939 */
2940 proto = ethertype_to_ppptype(proto);
2941 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2942 }
2943
23fa89e6
PA
2944 switch (linktype) {
2945
2946 case DLT_EN10MB:
2947 return gen_ether_linktype(proto);
2948 /*NOTREACHED*/
2949 break;
2950
2951 case DLT_C_HDLC:
2952 switch (proto) {
2953
2954 case LLCSAP_ISONS:
2955 proto = (proto << 8 | LLCSAP_ISONS);
2956 /* fall through */
2957
2958 default:
2959 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2960 (bpf_int32)proto);
2961 /*NOTREACHED*/
2962 break;
2963 }
2964 break;
2965
23fa89e6 2966 case DLT_IEEE802_11:
de0d3203 2967 case DLT_PRISM_HEADER:
23fa89e6
PA
2968 case DLT_IEEE802_11_RADIO_AVS:
2969 case DLT_IEEE802_11_RADIO:
de0d3203
PA
2970 case DLT_PPI:
2971 /*
2972 * Check that we have a data frame.
2973 */
2974 b0 = gen_check_802_11_data_frame();
2975
2976 /*
2977 * Now check for the specified link-layer type.
2978 */
2979 b1 = gen_llc_linktype(proto);
2980 gen_and(b0, b1);
2981 return b1;
2982 /*NOTREACHED*/
2983 break;
2984
2985 case DLT_FDDI:
2986 /*
2987 * XXX - check for asynchronous frames, as per RFC 1103.
2988 */
2989 return gen_llc_linktype(proto);
2990 /*NOTREACHED*/
2991 break;
2992
2993 case DLT_IEEE802:
2994 /*
2995 * XXX - check for LLC PDUs, as per IEEE 802.5.
2996 */
2997 return gen_llc_linktype(proto);
2998 /*NOTREACHED*/
2999 break;
3000
23fa89e6
PA
3001 case DLT_ATM_RFC1483:
3002 case DLT_ATM_CLIP:
3003 case DLT_IP_OVER_FC:
3004 return gen_llc_linktype(proto);
3005 /*NOTREACHED*/
3006 break;
3007
3008 case DLT_SUNATM:
3009 /*
3010 * If "is_lane" is set, check for a LANE-encapsulated
3011 * version of this protocol, otherwise check for an
3012 * LLC-encapsulated version of this protocol.
3013 *
3014 * We assume LANE means Ethernet, not Token Ring.
3015 */
3016 if (is_lane) {
3017 /*
3018 * Check that the packet doesn't begin with an
3019 * LE Control marker. (We've already generated
3020 * a test for LANE.)
3021 */
3022 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3023 0xFF00);
3024 gen_not(b0);
3025
3026 /*
3027 * Now generate an Ethernet test.
3028 */
3029 b1 = gen_ether_linktype(proto);
3030 gen_and(b0, b1);
3031 return b1;
3032 } else {
3033 /*
3034 * Check for LLC encapsulation and then check the
3035 * protocol.
3036 */
3037 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3038 b1 = gen_llc_linktype(proto);
3039 gen_and(b0, b1);
3040 return b1;
3041 }
3042 /*NOTREACHED*/
3043 break;
3044
3045 case DLT_LINUX_SLL:
3046 return gen_linux_sll_linktype(proto);
3047 /*NOTREACHED*/
3048 break;
3049
3050 case DLT_SLIP:
3051 case DLT_SLIP_BSDOS:
3052 case DLT_RAW:
3053 /*
3054 * These types don't provide any type field; packets
dfcad8d8 3055 * are always IPv4 or IPv6.
23fa89e6
PA
3056 *
3057 * XXX - for IPv4, check for a version number of 4, and,
3058 * for IPv6, check for a version number of 6?
3059 */
3060 switch (proto) {
3061
3062 case ETHERTYPE_IP:
dfcad8d8
PA
3063 /* Check for a version number of 4. */
3064 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
23fa89e6
PA
3065#ifdef INET6
3066 case ETHERTYPE_IPV6:
dfcad8d8
PA
3067 /* Check for a version number of 6. */
3068 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
23fa89e6 3069#endif
23fa89e6
PA
3070
3071 default:
3072 return gen_false(); /* always false */
3073 }
3074 /*NOTREACHED*/
3075 break;
3076
3077 case DLT_PPP:
3078 case DLT_PPP_PPPD:
3079 case DLT_PPP_SERIAL:
3080 case DLT_PPP_ETHER:
3081 /*
3082 * We use Ethernet protocol types inside libpcap;
3083 * map them to the corresponding PPP protocol types.
3084 */
de0d3203
PA
3085 proto = ethertype_to_ppptype(proto);
3086 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3087 /*NOTREACHED*/
23fa89e6
PA
3088 break;
3089
3090 case DLT_PPP_BSDOS:
3091 /*
3092 * We use Ethernet protocol types inside libpcap;
3093 * map them to the corresponding PPP protocol types.
3094 */
3095 switch (proto) {
3096
3097 case ETHERTYPE_IP:
de0d3203
PA
3098 /*
3099 * Also check for Van Jacobson-compressed IP.
3100 * XXX - do this for other forms of PPP?
3101 */
23fa89e6
PA
3102 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3103 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3104 gen_or(b0, b1);
3105 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3106 gen_or(b1, b0);
3107 return b0;
3108
de0d3203
PA
3109 default:
3110 proto = ethertype_to_ppptype(proto);
3111 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3112 (bpf_int32)proto);
23fa89e6 3113 }
de0d3203 3114 /*NOTREACHED*/
23fa89e6
PA
3115 break;
3116
3117 case DLT_NULL:
3118 case DLT_LOOP:
3119 case DLT_ENC:
3120 /*
3121 * For DLT_NULL, the link-layer header is a 32-bit
3122 * word containing an AF_ value in *host* byte order,
3123 * and for DLT_ENC, the link-layer header begins
3124 * with a 32-bit work containing an AF_ value in
3125 * host byte order.
3126 *
3127 * In addition, if we're reading a saved capture file,
3128 * the host byte order in the capture may not be the
3129 * same as the host byte order on this machine.
3130 *
3131 * For DLT_LOOP, the link-layer header is a 32-bit
3132 * word containing an AF_ value in *network* byte order.
3133 *
3134 * XXX - AF_ values may, unfortunately, be platform-
3135 * dependent; for example, FreeBSD's AF_INET6 is 24
3136 * whilst NetBSD's and OpenBSD's is 26.
3137 *
3138 * This means that, when reading a capture file, just
3139 * checking for our AF_INET6 value won't work if the
3140 * capture file came from another OS.
3141 */
3142 switch (proto) {
3143
3144 case ETHERTYPE_IP:
3145 proto = AF_INET;
3146 break;
3147
3148#ifdef INET6
3149 case ETHERTYPE_IPV6:
3150 proto = AF_INET6;
3151 break;
3152#endif
3153
3154 default:
3155 /*
3156 * Not a type on which we support filtering.
3157 * XXX - support those that have AF_ values
3158 * #defined on this platform, at least?
3159 */
3160 return gen_false();
3161 }
3162
3163 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3164 /*
3165 * The AF_ value is in host byte order, but
3166 * the BPF interpreter will convert it to
3167 * network byte order.
3168 *
3169 * If this is a save file, and it's from a
3170 * machine with the opposite byte order to
3171 * ours, we byte-swap the AF_ value.
3172 *
3173 * Then we run it through "htonl()", and
3174 * generate code to compare against the result.
3175 */
3176 if (bpf_pcap->sf.rfile != NULL &&
3177 bpf_pcap->sf.swapped)
3178 proto = SWAPLONG(proto);
3179 proto = htonl(proto);
3180 }
3181 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3182
084fe320 3183#ifdef HAVE_NET_PFVAR_H
23fa89e6
PA
3184 case DLT_PFLOG:
3185 /*
3186 * af field is host byte order in contrast to the rest of
3187 * the packet.
3188 */
3189 if (proto == ETHERTYPE_IP)
3190 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3191 BPF_B, (bpf_int32)AF_INET));
3192#ifdef INET6
3193 else if (proto == ETHERTYPE_IPV6)
3194 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3195 BPF_B, (bpf_int32)AF_INET6));
3196#endif /* INET6 */
3197 else
3198 return gen_false();
3199 /*NOTREACHED*/
3200 break;
084fe320 3201#endif /* HAVE_NET_PFVAR_H */
23fa89e6
PA
3202
3203 case DLT_ARCNET:
3204 case DLT_ARCNET_LINUX:
3205 /*
3206 * XXX should we check for first fragment if the protocol
3207 * uses PHDS?
3208 */
3209 switch (proto) {
3210
3211 default:
3212 return gen_false();
3213
3214#ifdef INET6
3215 case ETHERTYPE_IPV6:
3216 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3217 (bpf_int32)ARCTYPE_INET6));
3218#endif /* INET6 */
3219
3220 case ETHERTYPE_IP:
3221 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3222 (bpf_int32)ARCTYPE_IP);
3223 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3224 (bpf_int32)ARCTYPE_IP_OLD);
3225 gen_or(b0, b1);
3226 return (b1);
3227
3228 case ETHERTYPE_ARP:
3229 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3230 (bpf_int32)ARCTYPE_ARP);
3231 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3232 (bpf_int32)ARCTYPE_ARP_OLD);
3233 gen_or(b0, b1);
3234 return (b1);
3235
3236 case ETHERTYPE_REVARP:
3237 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3238 (bpf_int32)ARCTYPE_REVARP));
3239
3240 case ETHERTYPE_ATALK:
3241 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3242 (bpf_int32)ARCTYPE_ATALK));
3243 }
3244 /*NOTREACHED*/
3245 break;
3246
3247 case DLT_LTALK:
3248 switch (proto) {
3249 case ETHERTYPE_ATALK:
3250 return gen_true();
3251 default:
3252 return gen_false();
3253 }
3254 /*NOTREACHED*/
3255 break;
3256
3257 case DLT_FRELAY:
3258 /*
3259 * XXX - assumes a 2-byte Frame Relay header with
3260 * DLCI and flags. What if the address is longer?
3261 */
3262 switch (proto) {
3263
3264 case ETHERTYPE_IP:
3265 /*
3266 * Check for the special NLPID for IP.
3267 */
3268 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3269
3270#ifdef INET6
3271 case ETHERTYPE_IPV6:
3272 /*
3273 * Check for the special NLPID for IPv6.
3274 */
3275 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3276#endif
3277
3278 case LLCSAP_ISONS:
3279 /*
3280 * Check for several OSI protocols.
3281 *
3282 * Frame Relay packets typically have an OSI
3283 * NLPID at the beginning; we check for each
3284 * of them.
3285 *
3286 * What we check for is the NLPID and a frame
3287 * control field of UI, i.e. 0x03 followed
3288 * by the NLPID.
3289 */
3290 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3291 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3292 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3293 gen_or(b1, b2);
3294 gen_or(b0, b2);
3295 return b2;
3296
3297 default:
3298 return gen_false();
3299 }
3300 /*NOTREACHED*/
3301 break;
3302
de0d3203
PA
3303 case DLT_MFR:
3304 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3305
23fa89e6
PA
3306 case DLT_JUNIPER_MFR:
3307 case DLT_JUNIPER_MLFR:
3308 case DLT_JUNIPER_MLPPP:
3309 case DLT_JUNIPER_ATM1:
3310 case DLT_JUNIPER_ATM2:
3311 case DLT_JUNIPER_PPPOE:
3312 case DLT_JUNIPER_PPPOE_ATM:
3313 case DLT_JUNIPER_GGSN:
3314 case DLT_JUNIPER_ES:
3315 case DLT_JUNIPER_MONITOR:
3316 case DLT_JUNIPER_SERVICES:
3317 case DLT_JUNIPER_ETHER:
3318 case DLT_JUNIPER_PPP:
3319 case DLT_JUNIPER_FRELAY:
3320 case DLT_JUNIPER_CHDLC:
dfcad8d8 3321 case DLT_JUNIPER_VP:
de0d3203
PA
3322 case DLT_JUNIPER_ST:
3323 case DLT_JUNIPER_ISM:
23fa89e6
PA
3324 /* just lets verify the magic number for now -
3325 * on ATM we may have up to 6 different encapsulations on the wire
3326 * and need a lot of heuristics to figure out that the payload
3327 * might be;
3328 *
3329 * FIXME encapsulation specific BPF_ filters
3330 */
3331 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3332
3333 case DLT_LINUX_IRDA:
3334 bpf_error("IrDA link-layer type filtering not implemented");
3335
3336 case DLT_DOCSIS:
3337 bpf_error("DOCSIS link-layer type filtering not implemented");
3338
de0d3203
PA
3339 case DLT_MTP2:
3340 case DLT_MTP2_WITH_PHDR:
3341 bpf_error("MTP2 link-layer type filtering not implemented");
3342
3343 case DLT_ERF:
3344 bpf_error("ERF link-layer type filtering not implemented");
3345
3346#ifdef DLT_PFSYNC
3347 case DLT_PFSYNC:
3348 bpf_error("PFSYNC link-layer type filtering not implemented");
3349#endif
3350
23fa89e6
PA
3351 case DLT_LINUX_LAPD:
3352 bpf_error("LAPD link-layer type filtering not implemented");
de0d3203
PA
3353
3354 case DLT_USB:
3355 case DLT_USB_LINUX:
3356 bpf_error("USB link-layer type filtering not implemented");
3357
3358 case DLT_BLUETOOTH_HCI_H4:
3359 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3360 bpf_error("Bluetooth link-layer type filtering not implemented");
3361
3362 case DLT_CAN20B:
3363 bpf_error("CAN20B link-layer type filtering not implemented");
3364
3365 case DLT_IEEE802_15_4:
3366 case DLT_IEEE802_15_4_LINUX:
3367 case DLT_IEEE802_15_4_NONASK_PHY:
3368 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3369
3370 case DLT_IEEE802_16_MAC_CPS_RADIO:
3371 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3372
3373 case DLT_SITA:
3374 bpf_error("SITA link-layer type filtering not implemented");
3375
3376 case DLT_RAIF1:
3377 bpf_error("RAIF1 link-layer type filtering not implemented");
3378
3379 case DLT_IPMB:
3380 bpf_error("IPMB link-layer type filtering not implemented");
3381
3382 case DLT_AX25_KISS:
3383 bpf_error("AX.25 link-layer type filtering not implemented");
23fa89e6
PA
3384 }
3385
3386 /*
3387 * All the types that have no encapsulation should either be
3388 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3389 * all packets are IP packets, or should be handled in some
3390 * special case, if none of them are (if some are and some
3391 * aren't, the lack of encapsulation is a problem, as we'd
3392 * have to find some other way of determining the packet type).
3393 *
3394 * Therefore, if "off_linktype" is -1, there's an error.
3395 */
3396 if (off_linktype == (u_int)-1)
3397 abort();
3398
3399 /*
3400 * Any type not handled above should always have an Ethernet
de0d3203 3401 * type at an offset of "off_linktype".
23fa89e6
PA
3402 */
3403 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3404}
3405
3406/*
3407 * Check for an LLC SNAP packet with a given organization code and
3408 * protocol type; we check the entire contents of the 802.2 LLC and
3409 * snap headers, checking for DSAP and SSAP of SNAP and a control
3410 * field of 0x03 in the LLC header, and for the specified organization
3411 * code and protocol type in the SNAP header.
3412 */
3413static struct block *
de0d3203 3414gen_snap(orgcode, ptype)
23fa89e6
PA
3415 bpf_u_int32 orgcode;
3416 bpf_u_int32 ptype;
23fa89e6
PA
3417{
3418 u_char snapblock[8];
3419
3420 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3421 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3422 snapblock[2] = 0x03; /* control = UI */
3423 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3424 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3425 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3426 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3427 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
de0d3203 3428 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
23fa89e6
PA
3429}
3430
3431/*
3432 * Generate code to match a particular packet type, for link-layer types
3433 * using 802.2 LLC headers.
3434 *
3435 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3436 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3437 *
3438 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3439 * value, if <= ETHERMTU. We use that to determine whether to
3440 * match the DSAP or both DSAP and LSAP or to check the OUI and
3441 * protocol ID in a SNAP header.
3442 */
3443static struct block *
3444gen_llc_linktype(proto)
3445 int proto;
3446{
3447 /*
3448 * XXX - handle token-ring variable-length header.
3449 */
3450 switch (proto) {
3451
3452 case LLCSAP_IP:
3453 case LLCSAP_ISONS:
3454 case LLCSAP_NETBEUI:
3455 /*
3456 * XXX - should we check both the DSAP and the
3457 * SSAP, like this, or should we check just the
3458 * DSAP, as we do for other types <= ETHERMTU
3459 * (i.e., other SAP values)?
3460 */
de0d3203 3461 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
23fa89e6
PA
3462 ((proto << 8) | proto));
3463
3464 case LLCSAP_IPX:
3465 /*
3466 * XXX - are there ever SNAP frames for IPX on
3467 * non-Ethernet 802.x networks?
3468 */
de0d3203 3469 return gen_cmp(OR_MACPL, 0, BPF_B,
23fa89e6
PA
3470 (bpf_int32)LLCSAP_IPX);
3471
3472 case ETHERTYPE_ATALK:
3473 /*
3474 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3475 * SNAP packets with an organization code of
3476 * 0x080007 (Apple, for Appletalk) and a protocol
3477 * type of ETHERTYPE_ATALK (Appletalk).
3478 *
3479 * XXX - check for an organization code of
3480 * encapsulated Ethernet as well?
3481 */
de0d3203 3482 return gen_snap(0x080007, ETHERTYPE_ATALK);
23fa89e6
PA
3483
3484 default:
3485 /*
3486 * XXX - we don't have to check for IPX 802.3
3487 * here, but should we check for the IPX Ethertype?
3488 */
3489 if (proto <= ETHERMTU) {
3490 /*
3491 * This is an LLC SAP value, so check
3492 * the DSAP.
3493 */
de0d3203 3494 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
23fa89e6
PA
3495 } else {
3496 /*
3497 * This is an Ethernet type; we assume that it's
3498 * unlikely that it'll appear in the right place
3499 * at random, and therefore check only the
3500 * location that would hold the Ethernet type
3501 * in a SNAP frame with an organization code of
3502 * 0x000000 (encapsulated Ethernet).
3503 *
3504 * XXX - if we were to check for the SNAP DSAP and
3505 * LSAP, as per XXX, and were also to check for an
3506 * organization code of 0x000000 (encapsulated
3507 * Ethernet), we'd do
3508 *
de0d3203 3509 * return gen_snap(0x000000, proto);
23fa89e6
PA
3510 *
3511 * here; for now, we don't, as per the above.
3512 * I don't know whether it's worth the extra CPU
3513 * time to do the right check or not.
3514 */
de0d3203 3515 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
23fa89e6
PA
3516 }
3517 }
3518}
3519
3520static struct block *
3521gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3522 bpf_u_int32 addr;
3523 bpf_u_int32 mask;
3524 int dir, proto;
3525 u_int src_off, dst_off;
3526{
3527 struct block *b0, *b1;
3528 u_int offset;
3529
3530 switch (dir) {
3531
3532 case Q_SRC:
3533 offset = src_off;
3534 break;
3535
3536 case Q_DST:
3537 offset = dst_off;
3538 break;
3539
3540 case Q_AND:
3541 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3542 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3543 gen_and(b0, b1);
3544 return b1;
3545
3546 case Q_OR:
3547 case Q_DEFAULT:
3548 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3549 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3550 gen_or(b0, b1);
3551 return b1;
3552
3553 default:
3554 abort();
3555 }
3556 b0 = gen_linktype(proto);
3557 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3558 gen_and(b0, b1);
3559 return b1;
3560}
3561
3562#ifdef INET6
3563static struct block *
3564gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3565 struct in6_addr *addr;
3566 struct in6_addr *mask;
3567 int dir, proto;
3568 u_int src_off, dst_off;
3569{
3570 struct block *b0, *b1;
3571 u_int offset;
3572 u_int32_t *a, *m;
3573
3574 switch (dir) {
3575
3576 case Q_SRC:
3577 offset = src_off;
3578 break;
3579
3580 case Q_DST:
3581 offset = dst_off;
3582 break;
3583
3584 case Q_AND:
3585 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3586 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3587 gen_and(b0, b1);
3588 return b1;
3589
3590 case Q_OR:
3591 case Q_DEFAULT:
3592 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3593 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3594 gen_or(b0, b1);
3595 return b1;
3596
3597 default:
3598 abort();
3599 }
3600 /* this order is important */
3601 a = (u_int32_t *)addr;
3602 m = (u_int32_t *)mask;
3603 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3604 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3605 gen_and(b0, b1);
3606 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3607 gen_and(b0, b1);
3608 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3609 gen_and(b0, b1);
3610 b0 = gen_linktype(proto);
3611 gen_and(b0, b1);
3612 return b1;
3613}
3614#endif /*INET6*/
3615
3616static struct block *
3617gen_ehostop(eaddr, dir)
3618 register const u_char *eaddr;
3619 register int dir;
3620{
3621 register struct block *b0, *b1;
3622
3623 switch (dir) {
3624 case Q_SRC:
3625 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3626
3627 case Q_DST:
3628 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3629
3630 case Q_AND:
3631 b0 = gen_ehostop(eaddr, Q_SRC);
3632 b1 = gen_ehostop(eaddr, Q_DST);
3633 gen_and(b0, b1);
3634 return b1;
3635
3636 case Q_DEFAULT:
3637 case Q_OR:
3638 b0 = gen_ehostop(eaddr, Q_SRC);
3639 b1 = gen_ehostop(eaddr, Q_DST);
3640 gen_or(b0, b1);
3641 return b1;
3642 }
3643 abort();
3644 /* NOTREACHED */
3645}
3646
3647/*
3648 * Like gen_ehostop, but for DLT_FDDI
3649 */
3650static struct block *
3651gen_fhostop(eaddr, dir)
3652 register const u_char *eaddr;
3653 register int dir;
3654{
3655 struct block *b0, *b1;
3656
3657 switch (dir) {
3658 case Q_SRC:
3659#ifdef PCAP_FDDIPAD
3660 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3661#else
3662 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3663#endif
3664
3665 case Q_DST:
3666#ifdef PCAP_FDDIPAD
3667 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3668#else
3669 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3670#endif
3671
3672 case Q_AND:
3673 b0 = gen_fhostop(eaddr, Q_SRC);
3674 b1 = gen_fhostop(eaddr, Q_DST);
3675 gen_and(b0, b1);
3676 return b1;
3677
3678 case Q_DEFAULT:
3679 case Q_OR:
3680 b0 = gen_fhostop(eaddr, Q_SRC);
3681 b1 = gen_fhostop(eaddr, Q_DST);
3682 gen_or(b0, b1);
3683 return b1;
3684 }
3685 abort();
3686 /* NOTREACHED */
3687}
3688
3689/*
3690 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3691 */
3692static struct block *
3693gen_thostop(eaddr, dir)
3694 register const u_char *eaddr;
3695 register int dir;
3696{
3697 register struct block *b0, *b1;
3698
3699 switch (dir) {
3700 case Q_SRC:
3701 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3702
3703 case Q_DST:
3704 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3705
3706 case Q_AND:
3707 b0 = gen_thostop(eaddr, Q_SRC);
3708 b1 = gen_thostop(eaddr, Q_DST);
3709 gen_and(b0, b1);
3710 return b1;
3711
3712 case Q_DEFAULT:
3713 case Q_OR:
3714 b0 = gen_thostop(eaddr, Q_SRC);
3715 b1 = gen_thostop(eaddr, Q_DST);
3716 gen_or(b0, b1);
3717 return b1;
3718 }
3719 abort();
3720 /* NOTREACHED */
3721}
3722
3723/*
de0d3203
PA
3724 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3725 * various 802.11 + radio headers.
23fa89e6
PA
3726 */
3727static struct block *
3728gen_wlanhostop(eaddr, dir)
3729 register const u_char *eaddr;
3730 register int dir;
3731{
3732 register struct block *b0, *b1, *b2;
3733 register struct slist *s;
3734
de0d3203
PA
3735#ifdef ENABLE_WLAN_FILTERING_PATCH
3736 /*
3737 * TODO GV 20070613
3738 * We need to disable the optimizer because the optimizer is buggy
3739 * and wipes out some LD instructions generated by the below
3740 * code to validate the Frame Control bits
3741 */
3742 no_optimize = 1;
3743#endif /* ENABLE_WLAN_FILTERING_PATCH */
3744
23fa89e6
PA
3745 switch (dir) {
3746 case Q_SRC:
3747 /*
3748 * Oh, yuk.
3749 *
3750 * For control frames, there is no SA.
3751 *
3752 * For management frames, SA is at an
3753 * offset of 10 from the beginning of
3754 * the packet.
3755 *
3756 * For data frames, SA is at an offset
3757 * of 10 from the beginning of the packet
3758 * if From DS is clear, at an offset of
3759 * 16 from the beginning of the packet
3760 * if From DS is set and To DS is clear,
3761 * and an offset of 24 from the beginning
3762 * of the packet if From DS is set and To DS
3763 * is set.
3764 */
3765
3766 /*
3767 * Generate the tests to be done for data frames
3768 * with From DS set.
3769 *
3770 * First, check for To DS set, i.e. check "link[1] & 0x01".
3771 */
3772 s = gen_load_a(OR_LINK, 1, BPF_B);
3773 b1 = new_block(JMP(BPF_JSET));
3774 b1->s.k = 0x01; /* To DS */
3775 b1->stmts = s;
3776
3777 /*
3778 * If To DS is set, the SA is at 24.
3779 */
3780 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3781 gen_and(b1, b0);
3782
3783 /*
3784 * Now, check for To DS not set, i.e. check
3785 * "!(link[1] & 0x01)".
3786 */
3787 s = gen_load_a(OR_LINK, 1, BPF_B);
3788 b2 = new_block(JMP(BPF_JSET));
3789 b2->s.k = 0x01; /* To DS */
3790 b2->stmts = s;
3791 gen_not(b2);
3792
3793 /*
3794 * If To DS is not set, the SA is at 16.
3795 */
3796 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3797 gen_and(b2, b1);
3798
3799 /*
3800 * Now OR together the last two checks. That gives
3801 * the complete set of checks for data frames with
3802 * From DS set.
3803 */
3804 gen_or(b1, b0);
3805
3806 /*
3807 * Now check for From DS being set, and AND that with
3808 * the ORed-together checks.
3809 */
3810 s = gen_load_a(OR_LINK, 1, BPF_B);
3811 b1 = new_block(JMP(BPF_JSET));
3812 b1->s.k = 0x02; /* From DS */
3813 b1->stmts = s;
3814 gen_and(b1, b0);
3815
3816 /*
3817 * Now check for data frames with From DS not set.
3818 */
3819 s = gen_load_a(OR_LINK, 1, BPF_B);
3820 b2 = new_block(JMP(BPF_JSET));
3821 b2->s.k = 0x02; /* From DS */
3822 b2->stmts = s;
3823 gen_not(b2);
3824
3825 /*
3826 * If From DS isn't set, the SA is at 10.
3827 */
3828 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3829 gen_and(b2, b1);
3830
3831 /*
3832 * Now OR together the checks for data frames with
3833 * From DS not set and for data frames with From DS
3834 * set; that gives the checks done for data frames.
3835 */
3836 gen_or(b1, b0);
3837
3838 /*
3839 * Now check for a data frame.
3840 * I.e, check "link[0] & 0x08".
3841 */
de0d3203 3842 s = gen_load_a(OR_LINK, 0, BPF_B);
23fa89e6
PA
3843 b1 = new_block(JMP(BPF_JSET));
3844 b1->s.k = 0x08;
3845 b1->stmts = s;
3846
3847 /*
3848 * AND that with the checks done for data frames.
3849 */
3850 gen_and(b1, b0);
3851
3852 /*
3853 * If the high-order bit of the type value is 0, this
3854 * is a management frame.
3855 * I.e, check "!(link[0] & 0x08)".
3856 */
3857 s = gen_load_a(OR_LINK, 0, BPF_B);
3858 b2 = new_block(JMP(BPF_JSET));
3859 b2->s.k = 0x08;
3860 b2->stmts = s;
3861 gen_not(b2);
3862
3863 /*
3864 * For management frames, the SA is at 10.
3865 */
3866 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3867 gen_and(b2, b1);
3868
3869 /*
3870 * OR that with the checks done for data frames.
3871 * That gives the checks done for management and
3872 * data frames.
3873 */