1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
27 #include <pcap-types.h>
31 #include <sys/socket.h>
34 #include <sys/param.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
55 #include "ethertype.h"
59 #include "ieee80211.h"
61 #include "sunatmpos.h"
64 #include "pcap/ipnet.h"
70 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
71 #include <linux/types.h>
72 #include <linux/if_packet.h>
73 #include <linux/filter.h>
76 #ifdef HAVE_NET_PFVAR_H
77 #include <sys/socket.h>
79 #include <net/pf/pfvar.h>
80 #include <net/pf/if_pflog.h>
84 #define offsetof(s, e) ((size_t)&((s *)0)->e)
89 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
96 uint16_t u6_addr16[8];
97 uint32_t u6_addr32[4];
99 #define s6_addr in6_u.u6_addr8
100 #define s6_addr16 in6_u.u6_addr16
101 #define s6_addr32 in6_u.u6_addr32
102 #define s6_addr64 in6_u.u6_addr64
105 typedef unsigned short sa_family_t;
107 #define __SOCKADDR_COMMON(sa_prefix) \
108 sa_family_t sa_prefix##family
110 /* Ditto, for IPv6. */
113 __SOCKADDR_COMMON (sin6_);
114 uint16_t sin6_port; /* Transport layer port # */
115 uint32_t sin6_flowinfo; /* IPv6 flow information */
116 struct in6_addr sin6_addr; /* IPv6 address */
119 #ifndef EAI_ADDRFAMILY
121 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
122 int ai_family; /* PF_xxx */
123 int ai_socktype; /* SOCK_xxx */
124 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
125 size_t ai_addrlen; /* length of ai_addr */
126 char *ai_canonname; /* canonical name for hostname */
127 struct sockaddr *ai_addr; /* binary address */
128 struct addrinfo *ai_next; /* next structure in linked list */
130 #endif /* EAI_ADDRFAMILY */
131 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
134 #include <netdb.h> /* for "struct addrinfo" */
136 #include <pcap/namedb.h>
138 #include "nametoaddr.h"
140 #define ETHERMTU 1500
142 #ifndef ETHERTYPE_TEB
143 #define ETHERTYPE_TEB 0x6558
146 #ifndef IPPROTO_HOPOPTS
147 #define IPPROTO_HOPOPTS 0
149 #ifndef IPPROTO_ROUTING
150 #define IPPROTO_ROUTING 43
152 #ifndef IPPROTO_FRAGMENT
153 #define IPPROTO_FRAGMENT 44
155 #ifndef IPPROTO_DSTOPTS
156 #define IPPROTO_DSTOPTS 60
159 #define IPPROTO_SCTP 132
162 #define GENEVE_PORT 6081
164 #ifdef HAVE_OS_PROTO_H
165 #include "os-proto.h"
168 #define JMP(c) ((c)|BPF_JMP|BPF_K)
171 * "Push" the current value of the link-layer header type and link-layer
172 * header offset onto a "stack", and set a new value. (It's not a
173 * full-blown stack; we keep only the top two items.)
175 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
177 (cs)->prevlinktype = (cs)->linktype; \
178 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
179 (cs)->linktype = (new_linktype); \
180 (cs)->off_linkhdr.is_variable = (new_is_variable); \
181 (cs)->off_linkhdr.constant_part = (new_constant_part); \
182 (cs)->off_linkhdr.reg = (new_reg); \
183 (cs)->is_geneve = 0; \
187 * Offset "not set" value.
189 #define OFFSET_NOT_SET 0xffffffffU
192 * Absolute offsets, which are offsets from the beginning of the raw
193 * packet data, are, in the general case, the sum of a variable value
194 * and a constant value; the variable value may be absent, in which
195 * case the offset is only the constant value, and the constant value
196 * may be zero, in which case the offset is only the variable value.
198 * bpf_abs_offset is a structure containing all that information:
200 * is_variable is 1 if there's a variable part.
202 * constant_part is the constant part of the value, possibly zero;
204 * if is_variable is 1, reg is the register number for a register
205 * containing the variable value if the register has been assigned,
215 * Value passed to gen_load_a() to indicate what the offset argument
216 * is relative to the beginning of.
219 OR_PACKET, /* full packet data */
220 OR_LINKHDR, /* link-layer header */
221 OR_PREVLINKHDR, /* previous link-layer header */
222 OR_LLC, /* 802.2 LLC header */
223 OR_PREVMPLSHDR, /* previous MPLS header */
224 OR_LINKTYPE, /* link-layer type */
225 OR_LINKPL, /* link-layer payload */
226 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
227 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
228 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
232 * We divy out chunks of memory rather than call malloc each time so
233 * we don't have to worry about leaking memory. It's probably
234 * not a big deal if all this memory was wasted but if this ever
235 * goes into a library that would probably not be a good idea.
237 * XXX - this *is* in a library....
240 #define CHUNK0SIZE 1024
246 /* Code generator state */
248 struct _compiler_state {
258 int outermostlinktype;
263 /* Hack for handling VLAN and MPLS stacks. */
264 u_int label_stack_depth;
265 u_int vlan_stack_depth;
271 * As errors are handled by a longjmp, anything allocated must
272 * be freed in the longjmp handler, so it must be reachable
275 * One thing that's allocated is the result of pcap_nametoaddrinfo();
276 * it must be freed with freeaddrinfo(). This variable points to
277 * any addrinfo structure that would need to be freed.
282 * Another thing that's allocated is the result of pcap_ether_aton();
283 * it must be freed with free(). This variable points to any
284 * address that would need to be freed.
289 * Various code constructs need to know the layout of the packet.
290 * These values give the necessary offsets from the beginning
291 * of the packet data.
295 * Absolute offset of the beginning of the link-layer header.
297 bpf_abs_offset off_linkhdr;
300 * If we're checking a link-layer header for a packet encapsulated
301 * in another protocol layer, this is the equivalent information
302 * for the previous layers' link-layer header from the beginning
303 * of the raw packet data.
305 bpf_abs_offset off_prevlinkhdr;
308 * This is the equivalent information for the outermost layers'
311 bpf_abs_offset off_outermostlinkhdr;
314 * Absolute offset of the beginning of the link-layer payload.
316 bpf_abs_offset off_linkpl;
319 * "off_linktype" is the offset to information in the link-layer
320 * header giving the packet type. This is an absolute offset
321 * from the beginning of the packet.
323 * For Ethernet, it's the offset of the Ethernet type field; this
324 * means that it must have a value that skips VLAN tags.
326 * For link-layer types that always use 802.2 headers, it's the
327 * offset of the LLC header; this means that it must have a value
328 * that skips VLAN tags.
330 * For PPP, it's the offset of the PPP type field.
332 * For Cisco HDLC, it's the offset of the CHDLC type field.
334 * For BSD loopback, it's the offset of the AF_ value.
336 * For Linux cooked sockets, it's the offset of the type field.
338 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
339 * encapsulation, in which case, IP is assumed.
341 bpf_abs_offset off_linktype;
344 * TRUE if the link layer includes an ATM pseudo-header.
349 * TRUE if "geneve" appeared in the filter; it causes us to
350 * generate code that checks for a Geneve header and assume
351 * that later filters apply to the encapsulated payload.
356 * TRUE if we need variable length part of VLAN offset
358 int is_vlan_vloffset;
361 * These are offsets for the ATM pseudo-header.
368 * These are offsets for the MTP2 fields.
374 * These are offsets for the MTP3 fields.
382 * This is the offset of the first byte after the ATM pseudo_header,
383 * or -1 if there is no ATM pseudo-header.
388 * These are offsets to the beginning of the network-layer header.
389 * They are relative to the beginning of the link-layer payload
390 * (i.e., they don't include off_linkhdr.constant_part or
391 * off_linkpl.constant_part).
393 * If the link layer never uses 802.2 LLC:
395 * "off_nl" and "off_nl_nosnap" are the same.
397 * If the link layer always uses 802.2 LLC:
399 * "off_nl" is the offset if there's a SNAP header following
402 * "off_nl_nosnap" is the offset if there's no SNAP header.
404 * If the link layer is Ethernet:
406 * "off_nl" is the offset if the packet is an Ethernet II packet
407 * (we assume no 802.3+802.2+SNAP);
409 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
410 * with an 802.2 header following it.
416 * Here we handle simple allocation of the scratch registers.
417 * If too many registers are alloc'd, the allocator punts.
419 int regused[BPF_MEMWORDS];
425 struct chunk chunks[NCHUNKS];
430 * For use by routines outside this file.
434 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
439 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
445 * For use *ONLY* in routines in this file.
447 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
448 PCAP_PRINTFLIKE(2, 3);
451 static void PCAP_NORETURN
452 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
457 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
460 longjmp(cstate->top_ctx, 1);
464 static int init_linktype(compiler_state_t *, pcap_t *);
466 static void init_regs(compiler_state_t *);
467 static int alloc_reg(compiler_state_t *);
468 static void free_reg(compiler_state_t *, int);
470 static void initchunks(compiler_state_t *cstate);
471 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
472 static void *newchunk(compiler_state_t *cstate, size_t);
473 static void freechunks(compiler_state_t *cstate);
474 static inline struct block *new_block(compiler_state_t *cstate, int);
475 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
476 static struct block *gen_retblk(compiler_state_t *cstate, int);
477 static inline void syntax(compiler_state_t *cstate);
479 static void backpatch(struct block *, struct block *);
480 static void merge(struct block *, struct block *);
481 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
483 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
485 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
487 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
489 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
491 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
492 u_int, bpf_int32, bpf_u_int32);
493 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
494 u_int, const u_char *);
495 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32,
496 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32);
497 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
499 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
501 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
502 static struct block *gen_uncond(compiler_state_t *, int);
503 static inline struct block *gen_true(compiler_state_t *);
504 static inline struct block *gen_false(compiler_state_t *);
505 static struct block *gen_ether_linktype(compiler_state_t *, int);
506 static struct block *gen_ipnet_linktype(compiler_state_t *, int);
507 static struct block *gen_linux_sll_linktype(compiler_state_t *, int);
508 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
509 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
510 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
511 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
512 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
513 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
515 static int ethertype_to_ppptype(int);
516 static struct block *gen_linktype(compiler_state_t *, int);
517 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
518 static struct block *gen_llc_linktype(compiler_state_t *, int);
519 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
520 int, int, u_int, u_int);
522 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
523 struct in6_addr *, int, int, u_int, u_int);
525 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
526 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
527 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
528 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
529 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
530 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
531 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
532 static struct block *gen_mpls_linktype(compiler_state_t *, int);
533 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
536 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
537 struct in6_addr *, int, int, int);
540 static struct block *gen_gateway(compiler_state_t *, const u_char *,
541 struct addrinfo *, int, int);
543 static struct block *gen_ipfrag(compiler_state_t *);
544 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
545 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32,
547 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32);
548 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32,
550 struct block *gen_portop(compiler_state_t *, int, int, int);
551 static struct block *gen_port(compiler_state_t *, int, int, int);
552 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int);
553 static struct block *gen_portrange(compiler_state_t *, int, int, int, int);
554 struct block *gen_portop6(compiler_state_t *, int, int, int);
555 static struct block *gen_port6(compiler_state_t *, int, int, int);
556 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int);
557 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int);
558 static int lookup_proto(compiler_state_t *, const char *, int);
559 static struct block *gen_protochain(compiler_state_t *, int, int, int);
560 static struct block *gen_proto(compiler_state_t *, int, int, int);
561 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
562 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
563 static struct block *gen_mac_multicast(compiler_state_t *, int);
564 static struct block *gen_len(compiler_state_t *, int, int);
565 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
566 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
568 static struct block *gen_ppi_dlt_check(compiler_state_t *);
569 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
570 bpf_int32, bpf_u_int32, int);
571 static struct block *gen_atmtype_llc(compiler_state_t *);
572 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
575 initchunks(compiler_state_t *cstate)
579 for (i = 0; i < NCHUNKS; i++) {
580 cstate->chunks[i].n_left = 0;
581 cstate->chunks[i].m = NULL;
583 cstate->cur_chunk = 0;
587 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
594 /* XXX Round up to nearest long. */
595 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
597 /* XXX Round up to structure boundary. */
601 cp = &cstate->chunks[cstate->cur_chunk];
602 if (n > cp->n_left) {
604 k = ++cstate->cur_chunk;
606 bpf_set_error(cstate, "out of memory");
609 size = CHUNK0SIZE << k;
610 cp->m = (void *)malloc(size);
612 bpf_set_error(cstate, "out of memory");
615 memset((char *)cp->m, 0, size);
618 bpf_set_error(cstate, "out of memory");
623 return (void *)((char *)cp->m + cp->n_left);
627 newchunk(compiler_state_t *cstate, size_t n)
631 p = newchunk_nolongjmp(cstate, n);
633 longjmp(cstate->top_ctx, 1);
640 freechunks(compiler_state_t *cstate)
644 for (i = 0; i < NCHUNKS; ++i)
645 if (cstate->chunks[i].m != NULL)
646 free(cstate->chunks[i].m);
650 * A strdup whose allocations are freed after code generation is over.
651 * This is used by the lexical analyzer, so it can't longjmp; it just
652 * returns NULL on an allocation error, and the callers must check
656 sdup(compiler_state_t *cstate, const char *s)
658 size_t n = strlen(s) + 1;
659 char *cp = newchunk_nolongjmp(cstate, n);
663 pcap_strlcpy(cp, s, n);
667 static inline struct block *
668 new_block(compiler_state_t *cstate, int code)
672 p = (struct block *)newchunk(cstate, sizeof(*p));
679 static inline struct slist *
680 new_stmt(compiler_state_t *cstate, int code)
684 p = (struct slist *)newchunk(cstate, sizeof(*p));
690 static struct block *
691 gen_retblk(compiler_state_t *cstate, int v)
693 struct block *b = new_block(cstate, BPF_RET|BPF_K);
699 static inline PCAP_NORETURN_DEF void
700 syntax(compiler_state_t *cstate)
702 bpf_error(cstate, "syntax error in filter expression");
706 pcap_compile(pcap_t *p, struct bpf_program *program,
707 const char *buf, int optimize, bpf_u_int32 mask)
712 compiler_state_t cstate;
713 const char * volatile xbuf = buf;
714 yyscan_t scanner = NULL;
715 volatile YY_BUFFER_STATE in_buffer = NULL;
720 * If this pcap_t hasn't been activated, it doesn't have a
721 * link-layer type, so we can't use it.
724 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
725 "not-yet-activated pcap_t passed to pcap_compile");
737 * If the device on which we're capturing need to be notified
738 * that a new filter is being compiled, do so.
740 * This allows them to save a copy of it, in case, for example,
741 * they're implementing a form of remote packet capture, and
742 * want the remote machine to filter out the packets in which
743 * it's sending the packets it's captured.
745 * XXX - the fact that we happen to be compiling a filter
746 * doesn't necessarily mean we'll be installing it as the
747 * filter for this pcap_t; we might be running it from userland
748 * on captured packets to do packet classification. We really
749 * need a better way of handling this, but this is all that
750 * the WinPcap remote capture code did.
752 if (p->save_current_filter_op != NULL)
753 (p->save_current_filter_op)(p, buf);
757 cstate.no_optimize = 0;
762 cstate.ic.root = NULL;
763 cstate.ic.cur_mark = 0;
767 cstate.netmask = mask;
769 cstate.snaplen = pcap_snapshot(p);
770 if (cstate.snaplen == 0) {
771 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
772 "snaplen of 0 rejects all packets");
777 if (pcap_lex_init(&scanner) != 0)
778 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
779 errno, "can't initialize scanner");
780 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
783 * Associate the compiler state with the lexical analyzer
786 pcap_set_extra(&cstate, scanner);
788 if (init_linktype(&cstate, p) == -1) {
792 if (pcap_parse(scanner, &cstate) != 0) {
794 if (cstate.ai != NULL)
795 freeaddrinfo(cstate.ai);
797 if (cstate.e != NULL)
803 if (cstate.ic.root == NULL) {
805 * Catch errors reported by gen_retblk().
807 if (setjmp(cstate.top_ctx)) {
811 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
814 if (optimize && !cstate.no_optimize) {
815 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
820 if (cstate.ic.root == NULL ||
821 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
822 (void)pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
823 "expression rejects all packets");
828 program->bf_insns = icode_to_fcode(&cstate.ic,
829 cstate.ic.root, &len, p->errbuf);
830 if (program->bf_insns == NULL) {
835 program->bf_len = len;
837 rc = 0; /* We're all okay */
841 * Clean up everything for the lexical analyzer.
843 if (in_buffer != NULL)
844 pcap__delete_buffer(in_buffer, scanner);
846 pcap_lex_destroy(scanner);
849 * Clean up our own allocated memory.
857 * entry point for using the compiler with no pcap open
858 * pass in all the stuff that is needed explicitly instead.
861 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
862 struct bpf_program *program,
863 const char *buf, int optimize, bpf_u_int32 mask)
868 p = pcap_open_dead(linktype_arg, snaplen_arg);
871 ret = pcap_compile(p, program, buf, optimize, mask);
877 * Clean up a "struct bpf_program" by freeing all the memory allocated
881 pcap_freecode(struct bpf_program *program)
884 if (program->bf_insns != NULL) {
885 free((char *)program->bf_insns);
886 program->bf_insns = NULL;
891 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
892 * which of the jt and jf fields has been resolved and which is a pointer
893 * back to another unresolved block (or nil). At least one of the fields
894 * in each block is already resolved.
897 backpatch(struct block *list, struct block *target)
914 * Merge the lists in b0 and b1, using the 'sense' field to indicate
915 * which of jt and jf is the link.
918 merge(struct block *b0, struct block *b1)
920 register struct block **p = &b0;
922 /* Find end of list. */
924 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
926 /* Concatenate the lists. */
931 finish_parse(compiler_state_t *cstate, struct block *p)
933 struct block *ppi_dlt_check;
936 * Catch errors reported by us and routines below us, and return -1
939 if (setjmp(cstate->top_ctx))
943 * Insert before the statements of the first (root) block any
944 * statements needed to load the lengths of any variable-length
945 * headers into registers.
947 * XXX - a fancier strategy would be to insert those before the
948 * statements of all blocks that use those lengths and that
949 * have no predecessors that use them, so that we only compute
950 * the lengths if we need them. There might be even better
951 * approaches than that.
953 * However, those strategies would be more complicated, and
954 * as we don't generate code to compute a length if the
955 * program has no tests that use the length, and as most
956 * tests will probably use those lengths, we would just
957 * postpone computing the lengths so that it's not done
958 * for tests that fail early, and it's not clear that's
961 insert_compute_vloffsets(cstate, p->head);
964 * For DLT_PPI captures, generate a check of the per-packet
965 * DLT value to make sure it's DLT_IEEE802_11.
967 * XXX - TurboCap cards use DLT_PPI for Ethernet.
968 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
969 * with appropriate Ethernet information and use that rather
970 * than using something such as DLT_PPI where you don't know
971 * the link-layer header type until runtime, which, in the
972 * general case, would force us to generate both Ethernet *and*
973 * 802.11 code (*and* anything else for which PPI is used)
974 * and choose between them early in the BPF program?
976 ppi_dlt_check = gen_ppi_dlt_check(cstate);
977 if (ppi_dlt_check != NULL)
978 gen_and(ppi_dlt_check, p);
980 backpatch(p, gen_retblk(cstate, cstate->snaplen));
981 p->sense = !p->sense;
982 backpatch(p, gen_retblk(cstate, 0));
983 cstate->ic.root = p->head;
988 gen_and(struct block *b0, struct block *b1)
990 backpatch(b0, b1->head);
991 b0->sense = !b0->sense;
992 b1->sense = !b1->sense;
994 b1->sense = !b1->sense;
999 gen_or(struct block *b0, struct block *b1)
1001 b0->sense = !b0->sense;
1002 backpatch(b0, b1->head);
1003 b0->sense = !b0->sense;
1005 b1->head = b0->head;
1009 gen_not(struct block *b)
1011 b->sense = !b->sense;
1014 static struct block *
1015 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1016 u_int size, bpf_int32 v)
1018 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1021 static struct block *
1022 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1023 u_int size, bpf_int32 v)
1025 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1028 static struct block *
1029 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1030 u_int size, bpf_int32 v)
1032 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1035 static struct block *
1036 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1037 u_int size, bpf_int32 v)
1039 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1042 static struct block *
1043 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1044 u_int size, bpf_int32 v)
1046 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1049 static struct block *
1050 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1051 u_int size, bpf_int32 v, bpf_u_int32 mask)
1053 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1056 static struct block *
1057 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1058 u_int size, const u_char *v)
1060 register struct block *b, *tmp;
1063 * XXX - the actual *instructions* do unsigned comparisons on
1064 * most platforms, and the load instructions don't do sign
1065 * extension, so gen_cmp() should really take an unsigned
1068 * As the load instructons also don't do sign-extension, we
1069 * fetch the values from the byte array as unsigned. We don't
1070 * want to use the signed versions of the extract calls.
1074 register const u_char *p = &v[size - 4];
1076 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1077 (bpf_int32)EXTRACT_32BITS(p));
1084 register const u_char *p = &v[size - 2];
1086 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1087 (bpf_int32)EXTRACT_16BITS(p));
1094 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]);
1103 * AND the field of size "size" at offset "offset" relative to the header
1104 * specified by "offrel" with "mask", and compare it with the value "v"
1105 * with the test specified by "jtype"; if "reverse" is true, the test
1106 * should test the opposite of "jtype".
1108 static struct block *
1109 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset,
1110 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse,
1113 struct slist *s, *s2;
1116 s = gen_load_a(cstate, offrel, offset, size);
1118 if (mask != 0xffffffff) {
1119 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1124 b = new_block(cstate, JMP(jtype));
1127 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1133 init_linktype(compiler_state_t *cstate, pcap_t *p)
1135 cstate->pcap_fddipad = p->fddipad;
1138 * We start out with only one link-layer header.
1140 cstate->outermostlinktype = pcap_datalink(p);
1141 cstate->off_outermostlinkhdr.constant_part = 0;
1142 cstate->off_outermostlinkhdr.is_variable = 0;
1143 cstate->off_outermostlinkhdr.reg = -1;
1145 cstate->prevlinktype = cstate->outermostlinktype;
1146 cstate->off_prevlinkhdr.constant_part = 0;
1147 cstate->off_prevlinkhdr.is_variable = 0;
1148 cstate->off_prevlinkhdr.reg = -1;
1150 cstate->linktype = cstate->outermostlinktype;
1151 cstate->off_linkhdr.constant_part = 0;
1152 cstate->off_linkhdr.is_variable = 0;
1153 cstate->off_linkhdr.reg = -1;
1158 cstate->off_linkpl.constant_part = 0;
1159 cstate->off_linkpl.is_variable = 0;
1160 cstate->off_linkpl.reg = -1;
1162 cstate->off_linktype.constant_part = 0;
1163 cstate->off_linktype.is_variable = 0;
1164 cstate->off_linktype.reg = -1;
1167 * Assume it's not raw ATM with a pseudo-header, for now.
1170 cstate->off_vpi = OFFSET_NOT_SET;
1171 cstate->off_vci = OFFSET_NOT_SET;
1172 cstate->off_proto = OFFSET_NOT_SET;
1173 cstate->off_payload = OFFSET_NOT_SET;
1178 cstate->is_geneve = 0;
1181 * No variable length VLAN offset by default
1183 cstate->is_vlan_vloffset = 0;
1186 * And assume we're not doing SS7.
1188 cstate->off_li = OFFSET_NOT_SET;
1189 cstate->off_li_hsl = OFFSET_NOT_SET;
1190 cstate->off_sio = OFFSET_NOT_SET;
1191 cstate->off_opc = OFFSET_NOT_SET;
1192 cstate->off_dpc = OFFSET_NOT_SET;
1193 cstate->off_sls = OFFSET_NOT_SET;
1195 cstate->label_stack_depth = 0;
1196 cstate->vlan_stack_depth = 0;
1198 switch (cstate->linktype) {
1201 cstate->off_linktype.constant_part = 2;
1202 cstate->off_linkpl.constant_part = 6;
1203 cstate->off_nl = 0; /* XXX in reality, variable! */
1204 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1207 case DLT_ARCNET_LINUX:
1208 cstate->off_linktype.constant_part = 4;
1209 cstate->off_linkpl.constant_part = 8;
1210 cstate->off_nl = 0; /* XXX in reality, variable! */
1211 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1215 cstate->off_linktype.constant_part = 12;
1216 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1217 cstate->off_nl = 0; /* Ethernet II */
1218 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1223 * SLIP doesn't have a link level type. The 16 byte
1224 * header is hacked into our SLIP driver.
1226 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1227 cstate->off_linkpl.constant_part = 16;
1229 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1232 case DLT_SLIP_BSDOS:
1233 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1234 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1236 cstate->off_linkpl.constant_part = 24;
1238 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1243 cstate->off_linktype.constant_part = 0;
1244 cstate->off_linkpl.constant_part = 4;
1246 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1250 cstate->off_linktype.constant_part = 0;
1251 cstate->off_linkpl.constant_part = 12;
1253 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1258 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1259 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1260 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1261 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1263 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1268 * This does no include the Ethernet header, and
1269 * only covers session state.
1271 cstate->off_linktype.constant_part = 6;
1272 cstate->off_linkpl.constant_part = 8;
1274 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1278 cstate->off_linktype.constant_part = 5;
1279 cstate->off_linkpl.constant_part = 24;
1281 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1286 * FDDI doesn't really have a link-level type field.
1287 * We set "off_linktype" to the offset of the LLC header.
1289 * To check for Ethernet types, we assume that SSAP = SNAP
1290 * is being used and pick out the encapsulated Ethernet type.
1291 * XXX - should we generate code to check for SNAP?
1293 cstate->off_linktype.constant_part = 13;
1294 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1295 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1296 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1297 cstate->off_nl = 8; /* 802.2+SNAP */
1298 cstate->off_nl_nosnap = 3; /* 802.2 */
1303 * Token Ring doesn't really have a link-level type field.
1304 * We set "off_linktype" to the offset of the LLC header.
1306 * To check for Ethernet types, we assume that SSAP = SNAP
1307 * is being used and pick out the encapsulated Ethernet type.
1308 * XXX - should we generate code to check for SNAP?
1310 * XXX - the header is actually variable-length.
1311 * Some various Linux patched versions gave 38
1312 * as "off_linktype" and 40 as "off_nl"; however,
1313 * if a token ring packet has *no* routing
1314 * information, i.e. is not source-routed, the correct
1315 * values are 20 and 22, as they are in the vanilla code.
1317 * A packet is source-routed iff the uppermost bit
1318 * of the first byte of the source address, at an
1319 * offset of 8, has the uppermost bit set. If the
1320 * packet is source-routed, the total number of bytes
1321 * of routing information is 2 plus bits 0x1F00 of
1322 * the 16-bit value at an offset of 14 (shifted right
1323 * 8 - figure out which byte that is).
1325 cstate->off_linktype.constant_part = 14;
1326 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1327 cstate->off_nl = 8; /* 802.2+SNAP */
1328 cstate->off_nl_nosnap = 3; /* 802.2 */
1331 case DLT_PRISM_HEADER:
1332 case DLT_IEEE802_11_RADIO_AVS:
1333 case DLT_IEEE802_11_RADIO:
1334 cstate->off_linkhdr.is_variable = 1;
1335 /* Fall through, 802.11 doesn't have a variable link
1336 * prefix but is otherwise the same. */
1339 case DLT_IEEE802_11:
1341 * 802.11 doesn't really have a link-level type field.
1342 * We set "off_linktype.constant_part" to the offset of
1345 * To check for Ethernet types, we assume that SSAP = SNAP
1346 * is being used and pick out the encapsulated Ethernet type.
1347 * XXX - should we generate code to check for SNAP?
1349 * We also handle variable-length radio headers here.
1350 * The Prism header is in theory variable-length, but in
1351 * practice it's always 144 bytes long. However, some
1352 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1353 * sometimes or always supply an AVS header, so we
1354 * have to check whether the radio header is a Prism
1355 * header or an AVS header, so, in practice, it's
1358 cstate->off_linktype.constant_part = 24;
1359 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1360 cstate->off_linkpl.is_variable = 1;
1361 cstate->off_nl = 8; /* 802.2+SNAP */
1362 cstate->off_nl_nosnap = 3; /* 802.2 */
1367 * At the moment we treat PPI the same way that we treat
1368 * normal Radiotap encoded packets. The difference is in
1369 * the function that generates the code at the beginning
1370 * to compute the header length. Since this code generator
1371 * of PPI supports bare 802.11 encapsulation only (i.e.
1372 * the encapsulated DLT should be DLT_IEEE802_11) we
1373 * generate code to check for this too.
1375 cstate->off_linktype.constant_part = 24;
1376 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1377 cstate->off_linkpl.is_variable = 1;
1378 cstate->off_linkhdr.is_variable = 1;
1379 cstate->off_nl = 8; /* 802.2+SNAP */
1380 cstate->off_nl_nosnap = 3; /* 802.2 */
1383 case DLT_ATM_RFC1483:
1384 case DLT_ATM_CLIP: /* Linux ATM defines this */
1386 * assume routed, non-ISO PDUs
1387 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1389 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1390 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1391 * latter would presumably be treated the way PPPoE
1392 * should be, so you can do "pppoe and udp port 2049"
1393 * or "pppoa and tcp port 80" and have it check for
1394 * PPPo{A,E} and a PPP protocol of IP and....
1396 cstate->off_linktype.constant_part = 0;
1397 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1398 cstate->off_nl = 8; /* 802.2+SNAP */
1399 cstate->off_nl_nosnap = 3; /* 802.2 */
1404 * Full Frontal ATM; you get AALn PDUs with an ATM
1408 cstate->off_vpi = SUNATM_VPI_POS;
1409 cstate->off_vci = SUNATM_VCI_POS;
1410 cstate->off_proto = PROTO_POS;
1411 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1412 cstate->off_linktype.constant_part = cstate->off_payload;
1413 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1414 cstate->off_nl = 8; /* 802.2+SNAP */
1415 cstate->off_nl_nosnap = 3; /* 802.2 */
1421 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1422 cstate->off_linkpl.constant_part = 0;
1424 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1427 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1428 cstate->off_linktype.constant_part = 14;
1429 cstate->off_linkpl.constant_part = 16;
1431 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1434 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1435 cstate->off_linktype.constant_part = 0;
1436 cstate->off_linkpl.constant_part = 20;
1438 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1443 * LocalTalk does have a 1-byte type field in the LLAP header,
1444 * but really it just indicates whether there is a "short" or
1445 * "long" DDP packet following.
1447 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1448 cstate->off_linkpl.constant_part = 0;
1450 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1453 case DLT_IP_OVER_FC:
1455 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1456 * link-level type field. We set "off_linktype" to the
1457 * offset of the LLC header.
1459 * To check for Ethernet types, we assume that SSAP = SNAP
1460 * is being used and pick out the encapsulated Ethernet type.
1461 * XXX - should we generate code to check for SNAP? RFC
1462 * 2625 says SNAP should be used.
1464 cstate->off_linktype.constant_part = 16;
1465 cstate->off_linkpl.constant_part = 16;
1466 cstate->off_nl = 8; /* 802.2+SNAP */
1467 cstate->off_nl_nosnap = 3; /* 802.2 */
1472 * XXX - we should set this to handle SNAP-encapsulated
1473 * frames (NLPID of 0x80).
1475 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1476 cstate->off_linkpl.constant_part = 0;
1478 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1482 * the only BPF-interesting FRF.16 frames are non-control frames;
1483 * Frame Relay has a variable length link-layer
1484 * so lets start with offset 4 for now and increments later on (FIXME);
1487 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1488 cstate->off_linkpl.constant_part = 0;
1490 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1493 case DLT_APPLE_IP_OVER_IEEE1394:
1494 cstate->off_linktype.constant_part = 16;
1495 cstate->off_linkpl.constant_part = 18;
1497 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1500 case DLT_SYMANTEC_FIREWALL:
1501 cstate->off_linktype.constant_part = 6;
1502 cstate->off_linkpl.constant_part = 44;
1503 cstate->off_nl = 0; /* Ethernet II */
1504 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1507 #ifdef HAVE_NET_PFVAR_H
1509 cstate->off_linktype.constant_part = 0;
1510 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1512 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1516 case DLT_JUNIPER_MFR:
1517 case DLT_JUNIPER_MLFR:
1518 case DLT_JUNIPER_MLPPP:
1519 case DLT_JUNIPER_PPP:
1520 case DLT_JUNIPER_CHDLC:
1521 case DLT_JUNIPER_FRELAY:
1522 cstate->off_linktype.constant_part = 4;
1523 cstate->off_linkpl.constant_part = 4;
1525 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1528 case DLT_JUNIPER_ATM1:
1529 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1530 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1532 cstate->off_nl_nosnap = 10;
1535 case DLT_JUNIPER_ATM2:
1536 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1537 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1539 cstate->off_nl_nosnap = 10;
1542 /* frames captured on a Juniper PPPoE service PIC
1543 * contain raw ethernet frames */
1544 case DLT_JUNIPER_PPPOE:
1545 case DLT_JUNIPER_ETHER:
1546 cstate->off_linkpl.constant_part = 14;
1547 cstate->off_linktype.constant_part = 16;
1548 cstate->off_nl = 18; /* Ethernet II */
1549 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1552 case DLT_JUNIPER_PPPOE_ATM:
1553 cstate->off_linktype.constant_part = 4;
1554 cstate->off_linkpl.constant_part = 6;
1556 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1559 case DLT_JUNIPER_GGSN:
1560 cstate->off_linktype.constant_part = 6;
1561 cstate->off_linkpl.constant_part = 12;
1563 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1566 case DLT_JUNIPER_ES:
1567 cstate->off_linktype.constant_part = 6;
1568 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1569 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1570 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1573 case DLT_JUNIPER_MONITOR:
1574 cstate->off_linktype.constant_part = 12;
1575 cstate->off_linkpl.constant_part = 12;
1576 cstate->off_nl = 0; /* raw IP/IP6 header */
1577 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1580 case DLT_BACNET_MS_TP:
1581 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1582 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1583 cstate->off_nl = OFFSET_NOT_SET;
1584 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1587 case DLT_JUNIPER_SERVICES:
1588 cstate->off_linktype.constant_part = 12;
1589 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1590 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1591 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1594 case DLT_JUNIPER_VP:
1595 cstate->off_linktype.constant_part = 18;
1596 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1597 cstate->off_nl = OFFSET_NOT_SET;
1598 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1601 case DLT_JUNIPER_ST:
1602 cstate->off_linktype.constant_part = 18;
1603 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1604 cstate->off_nl = OFFSET_NOT_SET;
1605 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1608 case DLT_JUNIPER_ISM:
1609 cstate->off_linktype.constant_part = 8;
1610 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1611 cstate->off_nl = OFFSET_NOT_SET;
1612 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1615 case DLT_JUNIPER_VS:
1616 case DLT_JUNIPER_SRX_E2E:
1617 case DLT_JUNIPER_FIBRECHANNEL:
1618 case DLT_JUNIPER_ATM_CEMIC:
1619 cstate->off_linktype.constant_part = 8;
1620 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1621 cstate->off_nl = OFFSET_NOT_SET;
1622 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1627 cstate->off_li_hsl = 4;
1628 cstate->off_sio = 3;
1629 cstate->off_opc = 4;
1630 cstate->off_dpc = 4;
1631 cstate->off_sls = 7;
1632 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1633 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1634 cstate->off_nl = OFFSET_NOT_SET;
1635 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1638 case DLT_MTP2_WITH_PHDR:
1640 cstate->off_li_hsl = 8;
1641 cstate->off_sio = 7;
1642 cstate->off_opc = 8;
1643 cstate->off_dpc = 8;
1644 cstate->off_sls = 11;
1645 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1646 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1647 cstate->off_nl = OFFSET_NOT_SET;
1648 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1652 cstate->off_li = 22;
1653 cstate->off_li_hsl = 24;
1654 cstate->off_sio = 23;
1655 cstate->off_opc = 24;
1656 cstate->off_dpc = 24;
1657 cstate->off_sls = 27;
1658 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1659 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1660 cstate->off_nl = OFFSET_NOT_SET;
1661 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1665 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1666 cstate->off_linkpl.constant_part = 4;
1668 cstate->off_nl_nosnap = 0;
1673 * Currently, only raw "link[N:M]" filtering is supported.
1675 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1676 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1677 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1678 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1682 cstate->off_linktype.constant_part = 1;
1683 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1685 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1688 case DLT_NETANALYZER:
1689 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1690 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1691 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1692 cstate->off_nl = 0; /* Ethernet II */
1693 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1696 case DLT_NETANALYZER_TRANSPARENT:
1697 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1698 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1699 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1700 cstate->off_nl = 0; /* Ethernet II */
1701 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1706 * For values in the range in which we've assigned new
1707 * DLT_ values, only raw "link[N:M]" filtering is supported.
1709 if (cstate->linktype >= DLT_MATCHING_MIN &&
1710 cstate->linktype <= DLT_MATCHING_MAX) {
1711 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1712 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1713 cstate->off_nl = OFFSET_NOT_SET;
1714 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1716 bpf_set_error(cstate, "unknown data link type %d", cstate->linktype);
1722 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1727 * Load a value relative to the specified absolute offset.
1729 static struct slist *
1730 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1731 u_int offset, u_int size)
1733 struct slist *s, *s2;
1735 s = gen_abs_offset_varpart(cstate, abs_offset);
1738 * If "s" is non-null, it has code to arrange that the X register
1739 * contains the variable part of the absolute offset, so we
1740 * generate a load relative to that, with an offset of
1741 * abs_offset->constant_part + offset.
1743 * Otherwise, we can do an absolute load with an offset of
1744 * abs_offset->constant_part + offset.
1748 * "s" points to a list of statements that puts the
1749 * variable part of the absolute offset into the X register.
1750 * Do an indirect load, to use the X register as an offset.
1752 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1753 s2->s.k = abs_offset->constant_part + offset;
1757 * There is no variable part of the absolute offset, so
1758 * just do an absolute load.
1760 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1761 s->s.k = abs_offset->constant_part + offset;
1767 * Load a value relative to the beginning of the specified header.
1769 static struct slist *
1770 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1773 struct slist *s, *s2;
1776 * Squelch warnings from compilers that *don't* assume that
1777 * offrel always has a valid enum value and therefore don't
1778 * assume that we'll always go through one of the case arms.
1780 * If we have a default case, compilers that *do* assume that
1781 * will then complain about the default case code being
1784 * Damned if you do, damned if you don't.
1791 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1796 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1799 case OR_PREVLINKHDR:
1800 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1804 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1807 case OR_PREVMPLSHDR:
1808 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1812 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1815 case OR_LINKPL_NOSNAP:
1816 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1820 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1825 * Load the X register with the length of the IPv4 header
1826 * (plus the offset of the link-layer header, if it's
1827 * preceded by a variable-length header such as a radio
1828 * header), in bytes.
1830 s = gen_loadx_iphdrlen(cstate);
1833 * Load the item at {offset of the link-layer payload} +
1834 * {offset, relative to the start of the link-layer
1835 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1836 * {specified offset}.
1838 * If the offset of the link-layer payload is variable,
1839 * the variable part of that offset is included in the
1840 * value in the X register, and we include the constant
1841 * part in the offset of the load.
1843 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1844 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1849 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1856 * Generate code to load into the X register the sum of the length of
1857 * the IPv4 header and the variable part of the offset of the link-layer
1860 static struct slist *
1861 gen_loadx_iphdrlen(compiler_state_t *cstate)
1863 struct slist *s, *s2;
1865 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1868 * The offset of the link-layer payload has a variable
1869 * part. "s" points to a list of statements that put
1870 * the variable part of that offset into the X register.
1872 * The 4*([k]&0xf) addressing mode can't be used, as we
1873 * don't have a constant offset, so we have to load the
1874 * value in question into the A register and add to it
1875 * the value from the X register.
1877 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1878 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1880 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1883 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1888 * The A register now contains the length of the IP header.
1889 * We need to add to it the variable part of the offset of
1890 * the link-layer payload, which is still in the X
1891 * register, and move the result into the X register.
1893 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1894 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1897 * The offset of the link-layer payload is a constant,
1898 * so no code was generated to load the (non-existent)
1899 * variable part of that offset.
1901 * This means we can use the 4*([k]&0xf) addressing
1902 * mode. Load the length of the IPv4 header, which
1903 * is at an offset of cstate->off_nl from the beginning of
1904 * the link-layer payload, and thus at an offset of
1905 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1906 * of the raw packet data, using that addressing mode.
1908 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1909 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1915 static struct block *
1916 gen_uncond(compiler_state_t *cstate, int rsense)
1921 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1923 b = new_block(cstate, JMP(BPF_JEQ));
1929 static inline struct block *
1930 gen_true(compiler_state_t *cstate)
1932 return gen_uncond(cstate, 1);
1935 static inline struct block *
1936 gen_false(compiler_state_t *cstate)
1938 return gen_uncond(cstate, 0);
1942 * Byte-swap a 32-bit number.
1943 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1944 * big-endian platforms.)
1946 #define SWAPLONG(y) \
1947 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1950 * Generate code to match a particular packet type.
1952 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1953 * value, if <= ETHERMTU. We use that to determine whether to
1954 * match the type/length field or to check the type/length field for
1955 * a value <= ETHERMTU to see whether it's a type field and then do
1956 * the appropriate test.
1958 static struct block *
1959 gen_ether_linktype(compiler_state_t *cstate, int proto)
1961 struct block *b0, *b1;
1967 case LLCSAP_NETBEUI:
1969 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1970 * so we check the DSAP and SSAP.
1972 * LLCSAP_IP checks for IP-over-802.2, rather
1973 * than IP-over-Ethernet or IP-over-SNAP.
1975 * XXX - should we check both the DSAP and the
1976 * SSAP, like this, or should we check just the
1977 * DSAP, as we do for other types <= ETHERMTU
1978 * (i.e., other SAP values)?
1980 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1982 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
1983 ((proto << 8) | proto));
1991 * Ethernet_II frames, which are Ethernet
1992 * frames with a frame type of ETHERTYPE_IPX;
1994 * Ethernet_802.3 frames, which are 802.3
1995 * frames (i.e., the type/length field is
1996 * a length field, <= ETHERMTU, rather than
1997 * a type field) with the first two bytes
1998 * after the Ethernet/802.3 header being
2001 * Ethernet_802.2 frames, which are 802.3
2002 * frames with an 802.2 LLC header and
2003 * with the IPX LSAP as the DSAP in the LLC
2006 * Ethernet_SNAP frames, which are 802.3
2007 * frames with an LLC header and a SNAP
2008 * header and with an OUI of 0x000000
2009 * (encapsulated Ethernet) and a protocol
2010 * ID of ETHERTYPE_IPX in the SNAP header.
2012 * XXX - should we generate the same code both
2013 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2017 * This generates code to check both for the
2018 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2020 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2021 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
2025 * Now we add code to check for SNAP frames with
2026 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2028 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2032 * Now we generate code to check for 802.3
2033 * frames in general.
2035 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2039 * Now add the check for 802.3 frames before the
2040 * check for Ethernet_802.2 and Ethernet_802.3,
2041 * as those checks should only be done on 802.3
2042 * frames, not on Ethernet frames.
2047 * Now add the check for Ethernet_II frames, and
2048 * do that before checking for the other frame
2051 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2055 case ETHERTYPE_ATALK:
2056 case ETHERTYPE_AARP:
2058 * EtherTalk (AppleTalk protocols on Ethernet link
2059 * layer) may use 802.2 encapsulation.
2063 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2064 * we check for an Ethernet type field less than
2065 * 1500, which means it's an 802.3 length field.
2067 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2071 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2072 * SNAP packets with an organization code of
2073 * 0x080007 (Apple, for Appletalk) and a protocol
2074 * type of ETHERTYPE_ATALK (Appletalk).
2076 * 802.2-encapsulated ETHERTYPE_AARP packets are
2077 * SNAP packets with an organization code of
2078 * 0x000000 (encapsulated Ethernet) and a protocol
2079 * type of ETHERTYPE_AARP (Appletalk ARP).
2081 if (proto == ETHERTYPE_ATALK)
2082 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2083 else /* proto == ETHERTYPE_AARP */
2084 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2088 * Check for Ethernet encapsulation (Ethertalk
2089 * phase 1?); we just check for the Ethernet
2092 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2098 if (proto <= ETHERMTU) {
2100 * This is an LLC SAP value, so the frames
2101 * that match would be 802.2 frames.
2102 * Check that the frame is an 802.2 frame
2103 * (i.e., that the length/type field is
2104 * a length field, <= ETHERMTU) and
2105 * then check the DSAP.
2107 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2109 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
2114 * This is an Ethernet type, so compare
2115 * the length/type field with it (if
2116 * the frame is an 802.2 frame, the length
2117 * field will be <= ETHERMTU, and, as
2118 * "proto" is > ETHERMTU, this test
2119 * will fail and the frame won't match,
2120 * which is what we want).
2122 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
2128 static struct block *
2129 gen_loopback_linktype(compiler_state_t *cstate, int proto)
2132 * For DLT_NULL, the link-layer header is a 32-bit word
2133 * containing an AF_ value in *host* byte order, and for
2134 * DLT_ENC, the link-layer header begins with a 32-bit
2135 * word containing an AF_ value in host byte order.
2137 * In addition, if we're reading a saved capture file,
2138 * the host byte order in the capture may not be the
2139 * same as the host byte order on this machine.
2141 * For DLT_LOOP, the link-layer header is a 32-bit
2142 * word containing an AF_ value in *network* byte order.
2144 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2146 * The AF_ value is in host byte order, but the BPF
2147 * interpreter will convert it to network byte order.
2149 * If this is a save file, and it's from a machine
2150 * with the opposite byte order to ours, we byte-swap
2153 * Then we run it through "htonl()", and generate
2154 * code to compare against the result.
2156 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2157 proto = SWAPLONG(proto);
2158 proto = htonl(proto);
2160 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2165 * or IPv6 then we have an error.
2167 static struct block *
2168 gen_ipnet_linktype(compiler_state_t *cstate, int proto)
2173 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
2176 case ETHERTYPE_IPV6:
2177 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
2178 (bpf_int32)IPH_AF_INET6);
2185 return gen_false(cstate);
2189 * Generate code to match a particular packet type.
2191 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2192 * value, if <= ETHERMTU. We use that to determine whether to
2193 * match the type field or to check the type field for the special
2194 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2196 static struct block *
2197 gen_linux_sll_linktype(compiler_state_t *cstate, int proto)
2199 struct block *b0, *b1;
2205 case LLCSAP_NETBEUI:
2207 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2208 * so we check the DSAP and SSAP.
2210 * LLCSAP_IP checks for IP-over-802.2, rather
2211 * than IP-over-Ethernet or IP-over-SNAP.
2213 * XXX - should we check both the DSAP and the
2214 * SSAP, like this, or should we check just the
2215 * DSAP, as we do for other types <= ETHERMTU
2216 * (i.e., other SAP values)?
2218 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2219 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
2220 ((proto << 8) | proto));
2226 * Ethernet_II frames, which are Ethernet
2227 * frames with a frame type of ETHERTYPE_IPX;
2229 * Ethernet_802.3 frames, which have a frame
2230 * type of LINUX_SLL_P_802_3;
2232 * Ethernet_802.2 frames, which are 802.3
2233 * frames with an 802.2 LLC header (i.e, have
2234 * a frame type of LINUX_SLL_P_802_2) and
2235 * with the IPX LSAP as the DSAP in the LLC
2238 * Ethernet_SNAP frames, which are 802.3
2239 * frames with an LLC header and a SNAP
2240 * header and with an OUI of 0x000000
2241 * (encapsulated Ethernet) and a protocol
2242 * ID of ETHERTYPE_IPX in the SNAP header.
2244 * First, do the checks on LINUX_SLL_P_802_2
2245 * frames; generate the check for either
2246 * Ethernet_802.2 or Ethernet_SNAP frames, and
2247 * then put a check for LINUX_SLL_P_802_2 frames
2250 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2251 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2253 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2257 * Now check for 802.3 frames and OR that with
2258 * the previous test.
2260 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2264 * Now add the check for Ethernet_II frames, and
2265 * do that before checking for the other frame
2268 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2272 case ETHERTYPE_ATALK:
2273 case ETHERTYPE_AARP:
2275 * EtherTalk (AppleTalk protocols on Ethernet link
2276 * layer) may use 802.2 encapsulation.
2280 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2281 * we check for the 802.2 protocol type in the
2282 * "Ethernet type" field.
2284 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2287 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2288 * SNAP packets with an organization code of
2289 * 0x080007 (Apple, for Appletalk) and a protocol
2290 * type of ETHERTYPE_ATALK (Appletalk).
2292 * 802.2-encapsulated ETHERTYPE_AARP packets are
2293 * SNAP packets with an organization code of
2294 * 0x000000 (encapsulated Ethernet) and a protocol
2295 * type of ETHERTYPE_AARP (Appletalk ARP).
2297 if (proto == ETHERTYPE_ATALK)
2298 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2299 else /* proto == ETHERTYPE_AARP */
2300 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2304 * Check for Ethernet encapsulation (Ethertalk
2305 * phase 1?); we just check for the Ethernet
2308 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2314 if (proto <= ETHERMTU) {
2316 * This is an LLC SAP value, so the frames
2317 * that match would be 802.2 frames.
2318 * Check for the 802.2 protocol type
2319 * in the "Ethernet type" field, and
2320 * then check the DSAP.
2322 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2323 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2329 * This is an Ethernet type, so compare
2330 * the length/type field with it (if
2331 * the frame is an 802.2 frame, the length
2332 * field will be <= ETHERMTU, and, as
2333 * "proto" is > ETHERMTU, this test
2334 * will fail and the frame won't match,
2335 * which is what we want).
2337 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2342 static struct slist *
2343 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2345 struct slist *s1, *s2;
2346 struct slist *sjeq_avs_cookie;
2347 struct slist *sjcommon;
2350 * This code is not compatible with the optimizer, as
2351 * we are generating jmp instructions within a normal
2352 * slist of instructions
2354 cstate->no_optimize = 1;
2357 * Generate code to load the length of the radio header into
2358 * the register assigned to hold that length, if one has been
2359 * assigned. (If one hasn't been assigned, no code we've
2360 * generated uses that prefix, so we don't need to generate any
2363 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2364 * or always use the AVS header rather than the Prism header.
2365 * We load a 4-byte big-endian value at the beginning of the
2366 * raw packet data, and see whether, when masked with 0xFFFFF000,
2367 * it's equal to 0x80211000. If so, that indicates that it's
2368 * an AVS header (the masked-out bits are the version number).
2369 * Otherwise, it's a Prism header.
2371 * XXX - the Prism header is also, in theory, variable-length,
2372 * but no known software generates headers that aren't 144
2375 if (cstate->off_linkhdr.reg != -1) {
2379 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2383 * AND it with 0xFFFFF000.
2385 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2386 s2->s.k = 0xFFFFF000;
2390 * Compare with 0x80211000.
2392 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2393 sjeq_avs_cookie->s.k = 0x80211000;
2394 sappend(s1, sjeq_avs_cookie);
2399 * The 4 bytes at an offset of 4 from the beginning of
2400 * the AVS header are the length of the AVS header.
2401 * That field is big-endian.
2403 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2406 sjeq_avs_cookie->s.jt = s2;
2409 * Now jump to the code to allocate a register
2410 * into which to save the header length and
2411 * store the length there. (The "jump always"
2412 * instruction needs to have the k field set;
2413 * it's added to the PC, so, as we're jumping
2414 * over a single instruction, it should be 1.)
2416 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2418 sappend(s1, sjcommon);
2421 * Now for the code that handles the Prism header.
2422 * Just load the length of the Prism header (144)
2423 * into the A register. Have the test for an AVS
2424 * header branch here if we don't have an AVS header.
2426 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2429 sjeq_avs_cookie->s.jf = s2;
2432 * Now allocate a register to hold that value and store
2433 * it. The code for the AVS header will jump here after
2434 * loading the length of the AVS header.
2436 s2 = new_stmt(cstate, BPF_ST);
2437 s2->s.k = cstate->off_linkhdr.reg;
2439 sjcommon->s.jf = s2;
2442 * Now move it into the X register.
2444 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2452 static struct slist *
2453 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2455 struct slist *s1, *s2;
2458 * Generate code to load the length of the AVS header into
2459 * the register assigned to hold that length, if one has been
2460 * assigned. (If one hasn't been assigned, no code we've
2461 * generated uses that prefix, so we don't need to generate any
2464 if (cstate->off_linkhdr.reg != -1) {
2466 * The 4 bytes at an offset of 4 from the beginning of
2467 * the AVS header are the length of the AVS header.
2468 * That field is big-endian.
2470 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2474 * Now allocate a register to hold that value and store
2477 s2 = new_stmt(cstate, BPF_ST);
2478 s2->s.k = cstate->off_linkhdr.reg;
2482 * Now move it into the X register.
2484 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2492 static struct slist *
2493 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2495 struct slist *s1, *s2;
2498 * Generate code to load the length of the radiotap header into
2499 * the register assigned to hold that length, if one has been
2500 * assigned. (If one hasn't been assigned, no code we've
2501 * generated uses that prefix, so we don't need to generate any
2504 if (cstate->off_linkhdr.reg != -1) {
2506 * The 2 bytes at offsets of 2 and 3 from the beginning
2507 * of the radiotap header are the length of the radiotap
2508 * header; unfortunately, it's little-endian, so we have
2509 * to load it a byte at a time and construct the value.
2513 * Load the high-order byte, at an offset of 3, shift it
2514 * left a byte, and put the result in the X register.
2516 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2518 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2521 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2525 * Load the next byte, at an offset of 2, and OR the
2526 * value from the X register into it.
2528 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2531 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2535 * Now allocate a register to hold that value and store
2538 s2 = new_stmt(cstate, BPF_ST);
2539 s2->s.k = cstate->off_linkhdr.reg;
2543 * Now move it into the X register.
2545 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2554 * At the moment we treat PPI as normal Radiotap encoded
2555 * packets. The difference is in the function that generates
2556 * the code at the beginning to compute the header length.
2557 * Since this code generator of PPI supports bare 802.11
2558 * encapsulation only (i.e. the encapsulated DLT should be
2559 * DLT_IEEE802_11) we generate code to check for this too;
2560 * that's done in finish_parse().
2562 static struct slist *
2563 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2565 struct slist *s1, *s2;
2568 * Generate code to load the length of the radiotap header
2569 * into the register assigned to hold that length, if one has
2572 if (cstate->off_linkhdr.reg != -1) {
2574 * The 2 bytes at offsets of 2 and 3 from the beginning
2575 * of the radiotap header are the length of the radiotap
2576 * header; unfortunately, it's little-endian, so we have
2577 * to load it a byte at a time and construct the value.
2581 * Load the high-order byte, at an offset of 3, shift it
2582 * left a byte, and put the result in the X register.
2584 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2586 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2589 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2593 * Load the next byte, at an offset of 2, and OR the
2594 * value from the X register into it.
2596 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2599 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2603 * Now allocate a register to hold that value and store
2606 s2 = new_stmt(cstate, BPF_ST);
2607 s2->s.k = cstate->off_linkhdr.reg;
2611 * Now move it into the X register.
2613 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2622 * Load a value relative to the beginning of the link-layer header after the 802.11
2623 * header, i.e. LLC_SNAP.
2624 * The link-layer header doesn't necessarily begin at the beginning
2625 * of the packet data; there might be a variable-length prefix containing
2626 * radio information.
2628 static struct slist *
2629 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2632 struct slist *sjset_data_frame_1;
2633 struct slist *sjset_data_frame_2;
2634 struct slist *sjset_qos;
2635 struct slist *sjset_radiotap_flags_present;
2636 struct slist *sjset_radiotap_ext_present;
2637 struct slist *sjset_radiotap_tsft_present;
2638 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2639 struct slist *s_roundup;
2641 if (cstate->off_linkpl.reg == -1) {
2643 * No register has been assigned to the offset of
2644 * the link-layer payload, which means nobody needs
2645 * it; don't bother computing it - just return
2646 * what we already have.
2652 * This code is not compatible with the optimizer, as
2653 * we are generating jmp instructions within a normal
2654 * slist of instructions
2656 cstate->no_optimize = 1;
2659 * If "s" is non-null, it has code to arrange that the X register
2660 * contains the length of the prefix preceding the link-layer
2663 * Otherwise, the length of the prefix preceding the link-layer
2664 * header is "off_outermostlinkhdr.constant_part".
2668 * There is no variable-length header preceding the
2669 * link-layer header.
2671 * Load the length of the fixed-length prefix preceding
2672 * the link-layer header (if any) into the X register,
2673 * and store it in the cstate->off_linkpl.reg register.
2674 * That length is off_outermostlinkhdr.constant_part.
2676 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2677 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2681 * The X register contains the offset of the beginning of the
2682 * link-layer header; add 24, which is the minimum length
2683 * of the MAC header for a data frame, to that, and store it
2684 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2685 * which is at the offset in the X register, with an indexed load.
2687 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2689 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2692 s2 = new_stmt(cstate, BPF_ST);
2693 s2->s.k = cstate->off_linkpl.reg;
2696 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2701 * Check the Frame Control field to see if this is a data frame;
2702 * a data frame has the 0x08 bit (b3) in that field set and the
2703 * 0x04 bit (b2) clear.
2705 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2706 sjset_data_frame_1->s.k = 0x08;
2707 sappend(s, sjset_data_frame_1);
2710 * If b3 is set, test b2, otherwise go to the first statement of
2711 * the rest of the program.
2713 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2714 sjset_data_frame_2->s.k = 0x04;
2715 sappend(s, sjset_data_frame_2);
2716 sjset_data_frame_1->s.jf = snext;
2719 * If b2 is not set, this is a data frame; test the QoS bit.
2720 * Otherwise, go to the first statement of the rest of the
2723 sjset_data_frame_2->s.jt = snext;
2724 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2725 sjset_qos->s.k = 0x80; /* QoS bit */
2726 sappend(s, sjset_qos);
2729 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2731 * Otherwise, go to the first statement of the rest of the
2734 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2735 s2->s.k = cstate->off_linkpl.reg;
2737 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2740 s2 = new_stmt(cstate, BPF_ST);
2741 s2->s.k = cstate->off_linkpl.reg;
2745 * If we have a radiotap header, look at it to see whether
2746 * there's Atheros padding between the MAC-layer header
2749 * Note: all of the fields in the radiotap header are
2750 * little-endian, so we byte-swap all of the values
2751 * we test against, as they will be loaded as big-endian
2754 * XXX - in the general case, we would have to scan through
2755 * *all* the presence bits, if there's more than one word of
2756 * presence bits. That would require a loop, meaning that
2757 * we wouldn't be able to run the filter in the kernel.
2759 * We assume here that the Atheros adapters that insert the
2760 * annoying padding don't have multiple antennae and therefore
2761 * do not generate radiotap headers with multiple presence words.
2763 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2765 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2766 * in the first presence flag word?
2768 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2772 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2773 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2774 sappend(s, sjset_radiotap_flags_present);
2777 * If not, skip all of this.
2779 sjset_radiotap_flags_present->s.jf = snext;
2782 * Otherwise, is the "extension" bit set in that word?
2784 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2785 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2786 sappend(s, sjset_radiotap_ext_present);
2787 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2790 * If so, skip all of this.
2792 sjset_radiotap_ext_present->s.jt = snext;
2795 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2797 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2798 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2799 sappend(s, sjset_radiotap_tsft_present);
2800 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2803 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2804 * at an offset of 16 from the beginning of the raw packet
2805 * data (8 bytes for the radiotap header and 8 bytes for
2808 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2811 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2814 sjset_radiotap_tsft_present->s.jt = s2;
2816 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2817 sjset_tsft_datapad->s.k = 0x20;
2818 sappend(s, sjset_tsft_datapad);
2821 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2822 * at an offset of 8 from the beginning of the raw packet
2823 * data (8 bytes for the radiotap header).
2825 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2828 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2831 sjset_radiotap_tsft_present->s.jf = s2;
2833 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2834 sjset_notsft_datapad->s.k = 0x20;
2835 sappend(s, sjset_notsft_datapad);
2838 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2839 * set, round the length of the 802.11 header to
2840 * a multiple of 4. Do that by adding 3 and then
2841 * dividing by and multiplying by 4, which we do by
2844 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2845 s_roundup->s.k = cstate->off_linkpl.reg;
2846 sappend(s, s_roundup);
2847 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2850 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2853 s2 = new_stmt(cstate, BPF_ST);
2854 s2->s.k = cstate->off_linkpl.reg;
2857 sjset_tsft_datapad->s.jt = s_roundup;
2858 sjset_tsft_datapad->s.jf = snext;
2859 sjset_notsft_datapad->s.jt = s_roundup;
2860 sjset_notsft_datapad->s.jf = snext;
2862 sjset_qos->s.jf = snext;
2868 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2872 /* There is an implicit dependency between the link
2873 * payload and link header since the payload computation
2874 * includes the variable part of the header. Therefore,
2875 * if nobody else has allocated a register for the link
2876 * header and we need it, do it now. */
2877 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2878 cstate->off_linkhdr.reg == -1)
2879 cstate->off_linkhdr.reg = alloc_reg(cstate);
2882 * For link-layer types that have a variable-length header
2883 * preceding the link-layer header, generate code to load
2884 * the offset of the link-layer header into the register
2885 * assigned to that offset, if any.
2887 * XXX - this, and the next switch statement, won't handle
2888 * encapsulation of 802.11 or 802.11+radio information in
2889 * some other protocol stack. That's significantly more
2892 switch (cstate->outermostlinktype) {
2894 case DLT_PRISM_HEADER:
2895 s = gen_load_prism_llprefixlen(cstate);
2898 case DLT_IEEE802_11_RADIO_AVS:
2899 s = gen_load_avs_llprefixlen(cstate);
2902 case DLT_IEEE802_11_RADIO:
2903 s = gen_load_radiotap_llprefixlen(cstate);
2907 s = gen_load_ppi_llprefixlen(cstate);
2916 * For link-layer types that have a variable-length link-layer
2917 * header, generate code to load the offset of the link-layer
2918 * payload into the register assigned to that offset, if any.
2920 switch (cstate->outermostlinktype) {
2922 case DLT_IEEE802_11:
2923 case DLT_PRISM_HEADER:
2924 case DLT_IEEE802_11_RADIO_AVS:
2925 case DLT_IEEE802_11_RADIO:
2927 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2932 * If there there is no initialization yet and we need variable
2933 * length offsets for VLAN, initialize them to zero
2935 if (s == NULL && cstate->is_vlan_vloffset) {
2938 if (cstate->off_linkpl.reg == -1)
2939 cstate->off_linkpl.reg = alloc_reg(cstate);
2940 if (cstate->off_linktype.reg == -1)
2941 cstate->off_linktype.reg = alloc_reg(cstate);
2943 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2945 s2 = new_stmt(cstate, BPF_ST);
2946 s2->s.k = cstate->off_linkpl.reg;
2948 s2 = new_stmt(cstate, BPF_ST);
2949 s2->s.k = cstate->off_linktype.reg;
2954 * If we have any offset-loading code, append all the
2955 * existing statements in the block to those statements,
2956 * and make the resulting list the list of statements
2960 sappend(s, b->stmts);
2965 static struct block *
2966 gen_ppi_dlt_check(compiler_state_t *cstate)
2968 struct slist *s_load_dlt;
2971 if (cstate->linktype == DLT_PPI)
2973 /* Create the statements that check for the DLT
2975 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2976 s_load_dlt->s.k = 4;
2978 b = new_block(cstate, JMP(BPF_JEQ));
2980 b->stmts = s_load_dlt;
2981 b->s.k = SWAPLONG(DLT_IEEE802_11);
2992 * Take an absolute offset, and:
2994 * if it has no variable part, return NULL;
2996 * if it has a variable part, generate code to load the register
2997 * containing that variable part into the X register, returning
2998 * a pointer to that code - if no register for that offset has
2999 * been allocated, allocate it first.
3001 * (The code to set that register will be generated later, but will
3002 * be placed earlier in the code sequence.)
3004 static struct slist *
3005 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3009 if (off->is_variable) {
3010 if (off->reg == -1) {
3012 * We haven't yet assigned a register for the
3013 * variable part of the offset of the link-layer
3014 * header; allocate one.
3016 off->reg = alloc_reg(cstate);
3020 * Load the register containing the variable part of the
3021 * offset of the link-layer header into the X register.
3023 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3028 * That offset isn't variable, there's no variable part,
3029 * so we don't need to generate any code.
3036 * Map an Ethernet type to the equivalent PPP type.
3039 ethertype_to_ppptype(int proto)
3047 case ETHERTYPE_IPV6:
3055 case ETHERTYPE_ATALK:
3069 * I'm assuming the "Bridging PDU"s that go
3070 * over PPP are Spanning Tree Protocol
3084 * Generate any tests that, for encapsulation of a link-layer packet
3085 * inside another protocol stack, need to be done to check for those
3086 * link-layer packets (and that haven't already been done by a check
3087 * for that encapsulation).
3089 static struct block *
3090 gen_prevlinkhdr_check(compiler_state_t *cstate)
3094 if (cstate->is_geneve)
3095 return gen_geneve_ll_check(cstate);
3097 switch (cstate->prevlinktype) {
3101 * This is LANE-encapsulated Ethernet; check that the LANE
3102 * packet doesn't begin with an LE Control marker, i.e.
3103 * that it's data, not a control message.
3105 * (We've already generated a test for LANE.)
3107 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3113 * No such tests are necessary.
3121 * The three different values we should check for when checking for an
3122 * IPv6 packet with DLT_NULL.
3124 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3125 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3126 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3129 * Generate code to match a particular packet type by matching the
3130 * link-layer type field or fields in the 802.2 LLC header.
3132 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3133 * value, if <= ETHERMTU.
3135 static struct block *
3136 gen_linktype(compiler_state_t *cstate, int proto)
3138 struct block *b0, *b1, *b2;
3139 const char *description;
3141 /* are we checking MPLS-encapsulated packets? */
3142 if (cstate->label_stack_depth > 0) {
3146 /* FIXME add other L3 proto IDs */
3147 return gen_mpls_linktype(cstate, Q_IP);
3149 case ETHERTYPE_IPV6:
3151 /* FIXME add other L3 proto IDs */
3152 return gen_mpls_linktype(cstate, Q_IPV6);
3155 bpf_error(cstate, "unsupported protocol over mpls");
3160 switch (cstate->linktype) {
3163 case DLT_NETANALYZER:
3164 case DLT_NETANALYZER_TRANSPARENT:
3165 /* Geneve has an EtherType regardless of whether there is an
3167 if (!cstate->is_geneve)
3168 b0 = gen_prevlinkhdr_check(cstate);
3172 b1 = gen_ether_linktype(cstate, proto);
3182 proto = (proto << 8 | LLCSAP_ISONS);
3186 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3190 case DLT_IEEE802_11:
3191 case DLT_PRISM_HEADER:
3192 case DLT_IEEE802_11_RADIO_AVS:
3193 case DLT_IEEE802_11_RADIO:
3196 * Check that we have a data frame.
3198 b0 = gen_check_802_11_data_frame(cstate);
3201 * Now check for the specified link-layer type.
3203 b1 = gen_llc_linktype(cstate, proto);
3210 * XXX - check for LLC frames.
3212 return gen_llc_linktype(cstate, proto);
3217 * XXX - check for LLC PDUs, as per IEEE 802.5.
3219 return gen_llc_linktype(cstate, proto);
3222 case DLT_ATM_RFC1483:
3224 case DLT_IP_OVER_FC:
3225 return gen_llc_linktype(cstate, proto);
3230 * Check for an LLC-encapsulated version of this protocol;
3231 * if we were checking for LANE, linktype would no longer
3234 * Check for LLC encapsulation and then check the protocol.
3236 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3237 b1 = gen_llc_linktype(cstate, proto);
3243 return gen_linux_sll_linktype(cstate, proto);
3247 case DLT_SLIP_BSDOS:
3250 * These types don't provide any type field; packets
3251 * are always IPv4 or IPv6.
3253 * XXX - for IPv4, check for a version number of 4, and,
3254 * for IPv6, check for a version number of 6?
3259 /* Check for a version number of 4. */
3260 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3262 case ETHERTYPE_IPV6:
3263 /* Check for a version number of 6. */
3264 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3267 return gen_false(cstate); /* always false */
3273 * Raw IPv4, so no type field.
3275 if (proto == ETHERTYPE_IP)
3276 return gen_true(cstate); /* always true */
3278 /* Checking for something other than IPv4; always false */
3279 return gen_false(cstate);
3284 * Raw IPv6, so no type field.
3286 if (proto == ETHERTYPE_IPV6)
3287 return gen_true(cstate); /* always true */
3289 /* Checking for something other than IPv6; always false */
3290 return gen_false(cstate);
3295 case DLT_PPP_SERIAL:
3298 * We use Ethernet protocol types inside libpcap;
3299 * map them to the corresponding PPP protocol types.
3301 proto = ethertype_to_ppptype(proto);
3302 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3307 * We use Ethernet protocol types inside libpcap;
3308 * map them to the corresponding PPP protocol types.
3314 * Also check for Van Jacobson-compressed IP.
3315 * XXX - do this for other forms of PPP?
3317 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3318 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3320 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3325 proto = ethertype_to_ppptype(proto);
3326 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3337 return (gen_loopback_linktype(cstate, AF_INET));
3339 case ETHERTYPE_IPV6:
3341 * AF_ values may, unfortunately, be platform-
3342 * dependent; AF_INET isn't, because everybody
3343 * used 4.2BSD's value, but AF_INET6 is, because
3344 * 4.2BSD didn't have a value for it (given that
3345 * IPv6 didn't exist back in the early 1980's),
3346 * and they all picked their own values.
3348 * This means that, if we're reading from a
3349 * savefile, we need to check for all the
3352 * If we're doing a live capture, we only need
3353 * to check for this platform's value; however,
3354 * Npcap uses 24, which isn't Windows's AF_INET6
3355 * value. (Given the multiple different values,
3356 * programs that read pcap files shouldn't be
3357 * checking for their platform's AF_INET6 value
3358 * anyway, they should check for all of the
3359 * possible values. and they might as well do
3360 * that even for live captures.)
3362 if (cstate->bpf_pcap->rfile != NULL) {
3364 * Savefile - check for all three
3365 * possible IPv6 values.
3367 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3368 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3370 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3375 * Live capture, so we only need to
3376 * check for the value used on this
3381 * Npcap doesn't use Windows's AF_INET6,
3382 * as that collides with AF_IPX on
3383 * some BSDs (both have the value 23).
3384 * Instead, it uses 24.
3386 return (gen_loopback_linktype(cstate, 24));
3389 return (gen_loopback_linktype(cstate, AF_INET6));
3390 #else /* AF_INET6 */
3392 * I guess this platform doesn't support
3393 * IPv6, so we just reject all packets.
3395 return gen_false(cstate);
3396 #endif /* AF_INET6 */
3402 * Not a type on which we support filtering.
3403 * XXX - support those that have AF_ values
3404 * #defined on this platform, at least?
3406 return gen_false(cstate);
3409 #ifdef HAVE_NET_PFVAR_H
3412 * af field is host byte order in contrast to the rest of
3415 if (proto == ETHERTYPE_IP)
3416 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3417 BPF_B, (bpf_int32)AF_INET));
3418 else if (proto == ETHERTYPE_IPV6)
3419 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3420 BPF_B, (bpf_int32)AF_INET6));
3422 return gen_false(cstate);
3424 #endif /* HAVE_NET_PFVAR_H */
3427 case DLT_ARCNET_LINUX:
3429 * XXX should we check for first fragment if the protocol
3435 return gen_false(cstate);
3437 case ETHERTYPE_IPV6:
3438 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3439 (bpf_int32)ARCTYPE_INET6));
3442 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3443 (bpf_int32)ARCTYPE_IP);
3444 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3445 (bpf_int32)ARCTYPE_IP_OLD);
3450 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3451 (bpf_int32)ARCTYPE_ARP);
3452 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3453 (bpf_int32)ARCTYPE_ARP_OLD);
3457 case ETHERTYPE_REVARP:
3458 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3459 (bpf_int32)ARCTYPE_REVARP));
3461 case ETHERTYPE_ATALK:
3462 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3463 (bpf_int32)ARCTYPE_ATALK));
3469 case ETHERTYPE_ATALK:
3470 return gen_true(cstate);
3472 return gen_false(cstate);
3478 * XXX - assumes a 2-byte Frame Relay header with
3479 * DLCI and flags. What if the address is longer?
3485 * Check for the special NLPID for IP.
3487 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3489 case ETHERTYPE_IPV6:
3491 * Check for the special NLPID for IPv6.
3493 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3497 * Check for several OSI protocols.
3499 * Frame Relay packets typically have an OSI
3500 * NLPID at the beginning; we check for each
3503 * What we check for is the NLPID and a frame
3504 * control field of UI, i.e. 0x03 followed
3507 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3508 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3509 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3515 return gen_false(cstate);
3520 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3522 case DLT_JUNIPER_MFR:
3523 case DLT_JUNIPER_MLFR:
3524 case DLT_JUNIPER_MLPPP:
3525 case DLT_JUNIPER_ATM1:
3526 case DLT_JUNIPER_ATM2:
3527 case DLT_JUNIPER_PPPOE:
3528 case DLT_JUNIPER_PPPOE_ATM:
3529 case DLT_JUNIPER_GGSN:
3530 case DLT_JUNIPER_ES:
3531 case DLT_JUNIPER_MONITOR:
3532 case DLT_JUNIPER_SERVICES:
3533 case DLT_JUNIPER_ETHER:
3534 case DLT_JUNIPER_PPP:
3535 case DLT_JUNIPER_FRELAY:
3536 case DLT_JUNIPER_CHDLC:
3537 case DLT_JUNIPER_VP:
3538 case DLT_JUNIPER_ST:
3539 case DLT_JUNIPER_ISM:
3540 case DLT_JUNIPER_VS:
3541 case DLT_JUNIPER_SRX_E2E:
3542 case DLT_JUNIPER_FIBRECHANNEL:
3543 case DLT_JUNIPER_ATM_CEMIC:
3545 /* just lets verify the magic number for now -
3546 * on ATM we may have up to 6 different encapsulations on the wire
3547 * and need a lot of heuristics to figure out that the payload
3550 * FIXME encapsulation specific BPF_ filters
3552 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3554 case DLT_BACNET_MS_TP:
3555 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3558 return gen_ipnet_linktype(cstate, proto);
3560 case DLT_LINUX_IRDA:
3561 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3564 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3567 case DLT_MTP2_WITH_PHDR:
3568 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3571 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3574 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3576 case DLT_LINUX_LAPD:
3577 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3579 case DLT_USB_FREEBSD:
3581 case DLT_USB_LINUX_MMAPPED:
3583 bpf_error(cstate, "USB link-layer type filtering not implemented");
3585 case DLT_BLUETOOTH_HCI_H4:
3586 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3587 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3590 case DLT_CAN_SOCKETCAN:
3591 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3593 case DLT_IEEE802_15_4:
3594 case DLT_IEEE802_15_4_LINUX:
3595 case DLT_IEEE802_15_4_NONASK_PHY:
3596 case DLT_IEEE802_15_4_NOFCS:
3597 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3599 case DLT_IEEE802_16_MAC_CPS_RADIO:
3600 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3603 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3606 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3608 case DLT_IPMB_KONTRON:
3609 case DLT_IPMB_LINUX:
3610 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3613 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3616 /* Using the fixed-size NFLOG header it is possible to tell only
3617 * the address family of the packet, other meaningful data is
3618 * either missing or behind TLVs.
3620 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3624 * Does this link-layer header type have a field
3625 * indicating the type of the next protocol? If
3626 * so, off_linktype.constant_part will be the offset of that
3627 * field in the packet; if not, it will be OFFSET_NOT_SET.
3629 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3631 * Yes; assume it's an Ethernet type. (If
3632 * it's not, it needs to be handled specially
3635 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3639 * No; report an error.
3641 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3642 bpf_error(cstate, "%s link-layer type filtering not implemented",
3650 * Check for an LLC SNAP packet with a given organization code and
3651 * protocol type; we check the entire contents of the 802.2 LLC and
3652 * snap headers, checking for DSAP and SSAP of SNAP and a control
3653 * field of 0x03 in the LLC header, and for the specified organization
3654 * code and protocol type in the SNAP header.
3656 static struct block *
3657 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3659 u_char snapblock[8];
3661 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3662 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3663 snapblock[2] = 0x03; /* control = UI */
3664 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3665 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3666 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3667 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3668 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3669 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3673 * Generate code to match frames with an LLC header.
3675 static struct block *
3676 gen_llc_internal(compiler_state_t *cstate)
3678 struct block *b0, *b1;
3680 switch (cstate->linktype) {
3684 * We check for an Ethernet type field less than
3685 * 1500, which means it's an 802.3 length field.
3687 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3691 * Now check for the purported DSAP and SSAP not being
3692 * 0xFF, to rule out NetWare-over-802.3.
3694 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3701 * We check for LLC traffic.
3703 b0 = gen_atmtype_llc(cstate);
3706 case DLT_IEEE802: /* Token Ring */
3708 * XXX - check for LLC frames.
3710 return gen_true(cstate);
3714 * XXX - check for LLC frames.
3716 return gen_true(cstate);
3718 case DLT_ATM_RFC1483:
3720 * For LLC encapsulation, these are defined to have an
3723 * For VC encapsulation, they don't, but there's no
3724 * way to check for that; the protocol used on the VC
3725 * is negotiated out of band.
3727 return gen_true(cstate);
3729 case DLT_IEEE802_11:
3730 case DLT_PRISM_HEADER:
3731 case DLT_IEEE802_11_RADIO:
3732 case DLT_IEEE802_11_RADIO_AVS:
3735 * Check that we have a data frame.
3737 b0 = gen_check_802_11_data_frame(cstate);
3741 bpf_error(cstate, "'llc' not supported for %s",
3742 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3748 gen_llc(compiler_state_t *cstate)
3751 * Catch errors reported by us and routines below us, and return NULL
3754 if (setjmp(cstate->top_ctx))
3757 return gen_llc_internal(cstate);
3761 gen_llc_i(compiler_state_t *cstate)
3763 struct block *b0, *b1;
3767 * Catch errors reported by us and routines below us, and return NULL
3770 if (setjmp(cstate->top_ctx))
3774 * Check whether this is an LLC frame.
3776 b0 = gen_llc_internal(cstate);
3779 * Load the control byte and test the low-order bit; it must
3780 * be clear for I frames.
3782 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3783 b1 = new_block(cstate, JMP(BPF_JSET));
3792 gen_llc_s(compiler_state_t *cstate)
3794 struct block *b0, *b1;
3797 * Catch errors reported by us and routines below us, and return NULL
3800 if (setjmp(cstate->top_ctx))
3804 * Check whether this is an LLC frame.
3806 b0 = gen_llc_internal(cstate);
3809 * Now compare the low-order 2 bit of the control byte against
3810 * the appropriate value for S frames.
3812 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3818 gen_llc_u(compiler_state_t *cstate)
3820 struct block *b0, *b1;
3823 * Catch errors reported by us and routines below us, and return NULL
3826 if (setjmp(cstate->top_ctx))
3830 * Check whether this is an LLC frame.
3832 b0 = gen_llc_internal(cstate);
3835 * Now compare the low-order 2 bit of the control byte against
3836 * the appropriate value for U frames.
3838 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3844 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3846 struct block *b0, *b1;
3849 * Catch errors reported by us and routines below us, and return NULL
3852 if (setjmp(cstate->top_ctx))
3856 * Check whether this is an LLC frame.
3858 b0 = gen_llc_internal(cstate);
3861 * Now check for an S frame with the appropriate type.
3863 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3869 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3871 struct block *b0, *b1;
3874 * Catch errors reported by us and routines below us, and return NULL
3877 if (setjmp(cstate->top_ctx))
3881 * Check whether this is an LLC frame.
3883 b0 = gen_llc_internal(cstate);
3886 * Now check for a U frame with the appropriate type.
3888 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3894 * Generate code to match a particular packet type, for link-layer types
3895 * using 802.2 LLC headers.
3897 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3898 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3900 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3901 * value, if <= ETHERMTU. We use that to determine whether to
3902 * match the DSAP or both DSAP and LSAP or to check the OUI and
3903 * protocol ID in a SNAP header.
3905 static struct block *
3906 gen_llc_linktype(compiler_state_t *cstate, int proto)
3909 * XXX - handle token-ring variable-length header.
3915 case LLCSAP_NETBEUI:
3917 * XXX - should we check both the DSAP and the
3918 * SSAP, like this, or should we check just the
3919 * DSAP, as we do for other SAP values?
3921 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3922 ((proto << 8) | proto));
3926 * XXX - are there ever SNAP frames for IPX on
3927 * non-Ethernet 802.x networks?
3929 return gen_cmp(cstate, OR_LLC, 0, BPF_B,
3930 (bpf_int32)LLCSAP_IPX);
3932 case ETHERTYPE_ATALK:
3934 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3935 * SNAP packets with an organization code of
3936 * 0x080007 (Apple, for Appletalk) and a protocol
3937 * type of ETHERTYPE_ATALK (Appletalk).
3939 * XXX - check for an organization code of
3940 * encapsulated Ethernet as well?
3942 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3946 * XXX - we don't have to check for IPX 802.3
3947 * here, but should we check for the IPX Ethertype?
3949 if (proto <= ETHERMTU) {
3951 * This is an LLC SAP value, so check
3954 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto);
3957 * This is an Ethernet type; we assume that it's
3958 * unlikely that it'll appear in the right place
3959 * at random, and therefore check only the
3960 * location that would hold the Ethernet type
3961 * in a SNAP frame with an organization code of
3962 * 0x000000 (encapsulated Ethernet).
3964 * XXX - if we were to check for the SNAP DSAP and
3965 * LSAP, as per XXX, and were also to check for an
3966 * organization code of 0x000000 (encapsulated
3967 * Ethernet), we'd do
3969 * return gen_snap(cstate, 0x000000, proto);
3971 * here; for now, we don't, as per the above.
3972 * I don't know whether it's worth the extra CPU
3973 * time to do the right check or not.
3975 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto);
3980 static struct block *
3981 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3982 int dir, int proto, u_int src_off, u_int dst_off)
3984 struct block *b0, *b1;
3998 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3999 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4005 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4006 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4011 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4015 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4019 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4023 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4027 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4031 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4038 b0 = gen_linktype(cstate, proto);
4039 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
4045 static struct block *
4046 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4047 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off)
4049 struct block *b0, *b1;
4064 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4065 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4071 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
4072 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
4077 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4081 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4085 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4089 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4093 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4097 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4104 /* this order is important */
4105 a = (uint32_t *)addr;
4106 m = (uint32_t *)mask;
4107 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4108 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4110 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4112 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4114 b0 = gen_linktype(cstate, proto);
4120 static struct block *
4121 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4123 register struct block *b0, *b1;
4127 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4130 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4133 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4134 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4140 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4141 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4146 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4150 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4154 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4158 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4162 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4166 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4174 * Like gen_ehostop, but for DLT_FDDI
4176 static struct block *
4177 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4179 struct block *b0, *b1;
4183 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4186 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4189 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4190 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4196 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4197 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4202 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4206 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4210 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4214 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4218 bpf_error(cstate, "'ra' is only supported on 802.11");
4222 bpf_error(cstate, "'ta' is only supported on 802.11");
4230 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4232 static struct block *
4233 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4235 register struct block *b0, *b1;
4239 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4242 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4245 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4246 b1 = gen_thostop(cstate, eaddr, Q_DST);
4252 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4253 b1 = gen_thostop(cstate, eaddr, Q_DST);
4258 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4262 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4266 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4270 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4274 bpf_error(cstate, "'ra' is only supported on 802.11");
4278 bpf_error(cstate, "'ta' is only supported on 802.11");
4286 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4287 * various 802.11 + radio headers.
4289 static struct block *
4290 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4292 register struct block *b0, *b1, *b2;
4293 register struct slist *s;
4295 #ifdef ENABLE_WLAN_FILTERING_PATCH
4298 * We need to disable the optimizer because the optimizer is buggy
4299 * and wipes out some LD instructions generated by the below
4300 * code to validate the Frame Control bits
4302 cstate->no_optimize = 1;
4303 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4310 * For control frames, there is no SA.
4312 * For management frames, SA is at an
4313 * offset of 10 from the beginning of
4316 * For data frames, SA is at an offset
4317 * of 10 from the beginning of the packet
4318 * if From DS is clear, at an offset of
4319 * 16 from the beginning of the packet
4320 * if From DS is set and To DS is clear,
4321 * and an offset of 24 from the beginning
4322 * of the packet if From DS is set and To DS
4327 * Generate the tests to be done for data frames
4330 * First, check for To DS set, i.e. check "link[1] & 0x01".
4332 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4333 b1 = new_block(cstate, JMP(BPF_JSET));
4334 b1->s.k = 0x01; /* To DS */
4338 * If To DS is set, the SA is at 24.
4340 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4344 * Now, check for To DS not set, i.e. check
4345 * "!(link[1] & 0x01)".
4347 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4348 b2 = new_block(cstate, JMP(BPF_JSET));
4349 b2->s.k = 0x01; /* To DS */
4354 * If To DS is not set, the SA is at 16.
4356 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4360 * Now OR together the last two checks. That gives
4361 * the complete set of checks for data frames with
4367 * Now check for From DS being set, and AND that with
4368 * the ORed-together checks.
4370 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4371 b1 = new_block(cstate, JMP(BPF_JSET));
4372 b1->s.k = 0x02; /* From DS */
4377 * Now check for data frames with From DS not set.
4379 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4380 b2 = new_block(cstate, JMP(BPF_JSET));
4381 b2->s.k = 0x02; /* From DS */
4386 * If From DS isn't set, the SA is at 10.
4388 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4392 * Now OR together the checks for data frames with
4393 * From DS not set and for data frames with From DS
4394 * set; that gives the checks done for data frames.
4399 * Now check for a data frame.
4400 * I.e, check "link[0] & 0x08".
4402 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4403 b1 = new_block(cstate, JMP(BPF_JSET));
4408 * AND that with the checks done for data frames.
4413 * If the high-order bit of the type value is 0, this
4414 * is a management frame.
4415 * I.e, check "!(link[0] & 0x08)".
4417 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4418 b2 = new_block(cstate, JMP(BPF_JSET));
4424 * For management frames, the SA is at 10.
4426 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4430 * OR that with the checks done for data frames.
4431 * That gives the checks done for management and
4437 * If the low-order bit of the type value is 1,
4438 * this is either a control frame or a frame
4439 * with a reserved type, and thus not a
4442 * I.e., check "!(link[0] & 0x04)".
4444 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4445 b1 = new_block(cstate, JMP(BPF_JSET));
4451 * AND that with the checks for data and management
4461 * For control frames, there is no DA.
4463 * For management frames, DA is at an
4464 * offset of 4 from the beginning of
4467 * For data frames, DA is at an offset
4468 * of 4 from the beginning of the packet
4469 * if To DS is clear and at an offset of
4470 * 16 from the beginning of the packet
4475 * Generate the tests to be done for data frames.
4477 * First, check for To DS set, i.e. "link[1] & 0x01".
4479 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4480 b1 = new_block(cstate, JMP(BPF_JSET));
4481 b1->s.k = 0x01; /* To DS */
4485 * If To DS is set, the DA is at 16.
4487 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4491 * Now, check for To DS not set, i.e. check
4492 * "!(link[1] & 0x01)".
4494 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4495 b2 = new_block(cstate, JMP(BPF_JSET));
4496 b2->s.k = 0x01; /* To DS */
4501 * If To DS is not set, the DA is at 4.
4503 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4507 * Now OR together the last two checks. That gives
4508 * the complete set of checks for data frames.
4513 * Now check for a data frame.
4514 * I.e, check "link[0] & 0x08".
4516 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4517 b1 = new_block(cstate, JMP(BPF_JSET));
4522 * AND that with the checks done for data frames.
4527 * If the high-order bit of the type value is 0, this
4528 * is a management frame.
4529 * I.e, check "!(link[0] & 0x08)".
4531 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4532 b2 = new_block(cstate, JMP(BPF_JSET));
4538 * For management frames, the DA is at 4.
4540 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4544 * OR that with the checks done for data frames.
4545 * That gives the checks done for management and
4551 * If the low-order bit of the type value is 1,
4552 * this is either a control frame or a frame
4553 * with a reserved type, and thus not a
4556 * I.e., check "!(link[0] & 0x04)".
4558 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4559 b1 = new_block(cstate, JMP(BPF_JSET));
4565 * AND that with the checks for data and management
4572 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4573 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4579 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4580 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4585 * XXX - add BSSID keyword?
4588 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4592 * Not present in CTS or ACK control frames.
4594 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4595 IEEE80211_FC0_TYPE_MASK);
4597 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4598 IEEE80211_FC0_SUBTYPE_MASK);
4600 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4601 IEEE80211_FC0_SUBTYPE_MASK);
4605 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4611 * Not present in control frames.
4613 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4614 IEEE80211_FC0_TYPE_MASK);
4616 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4622 * Present only if the direction mask has both "From DS"
4623 * and "To DS" set. Neither control frames nor management
4624 * frames should have both of those set, so we don't
4625 * check the frame type.
4627 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4628 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4629 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4635 * Not present in management frames; addr1 in other
4640 * If the high-order bit of the type value is 0, this
4641 * is a management frame.
4642 * I.e, check "(link[0] & 0x08)".
4644 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4645 b1 = new_block(cstate, JMP(BPF_JSET));
4652 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4655 * AND that with the check of addr1.
4662 * Not present in management frames; addr2, if present,
4667 * Not present in CTS or ACK control frames.
4669 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4670 IEEE80211_FC0_TYPE_MASK);
4672 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4673 IEEE80211_FC0_SUBTYPE_MASK);
4675 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4676 IEEE80211_FC0_SUBTYPE_MASK);
4682 * If the high-order bit of the type value is 0, this
4683 * is a management frame.
4684 * I.e, check "(link[0] & 0x08)".
4686 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4687 b1 = new_block(cstate, JMP(BPF_JSET));
4692 * AND that with the check for frames other than
4693 * CTS and ACK frames.
4700 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4709 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4710 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4711 * as the RFC states.)
4713 static struct block *
4714 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4716 register struct block *b0, *b1;
4720 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4723 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4726 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4727 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4733 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4734 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4739 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4743 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4747 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4751 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4755 bpf_error(cstate, "'ra' is only supported on 802.11");
4759 bpf_error(cstate, "'ta' is only supported on 802.11");
4767 * This is quite tricky because there may be pad bytes in front of the
4768 * DECNET header, and then there are two possible data packet formats that
4769 * carry both src and dst addresses, plus 5 packet types in a format that
4770 * carries only the src node, plus 2 types that use a different format and
4771 * also carry just the src node.
4775 * Instead of doing those all right, we just look for data packets with
4776 * 0 or 1 bytes of padding. If you want to look at other packets, that
4777 * will require a lot more hacking.
4779 * To add support for filtering on DECNET "areas" (network numbers)
4780 * one would want to add a "mask" argument to this routine. That would
4781 * make the filter even more inefficient, although one could be clever
4782 * and not generate masking instructions if the mask is 0xFFFF.
4784 static struct block *
4785 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4787 struct block *b0, *b1, *b2, *tmp;
4788 u_int offset_lh; /* offset if long header is received */
4789 u_int offset_sh; /* offset if short header is received */
4794 offset_sh = 1; /* follows flags */
4795 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4799 offset_sh = 3; /* follows flags, dstnode */
4800 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4804 /* Inefficient because we do our Calvinball dance twice */
4805 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4806 b1 = gen_dnhostop(cstate, addr, Q_DST);
4812 /* Inefficient because we do our Calvinball dance twice */
4813 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4814 b1 = gen_dnhostop(cstate, addr, Q_DST);
4819 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4823 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4827 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4831 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4835 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4839 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4846 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4847 /* Check for pad = 1, long header case */
4848 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4849 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4850 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4851 BPF_H, (bpf_int32)ntohs((u_short)addr));
4853 /* Check for pad = 0, long header case */
4854 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4855 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4858 /* Check for pad = 1, short header case */
4859 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4860 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4861 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4864 /* Check for pad = 0, short header case */
4865 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4866 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4870 /* Combine with test for cstate->linktype */
4876 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4877 * test the bottom-of-stack bit, and then check the version number
4878 * field in the IP header.
4880 static struct block *
4881 gen_mpls_linktype(compiler_state_t *cstate, int proto)
4883 struct block *b0, *b1;
4888 /* match the bottom-of-stack bit */
4889 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4890 /* match the IPv4 version number */
4891 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4896 /* match the bottom-of-stack bit */
4897 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4898 /* match the IPv4 version number */
4899 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4908 static struct block *
4909 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4910 int proto, int dir, int type)
4912 struct block *b0, *b1;
4913 const char *typestr;
4923 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4925 * Only check for non-IPv4 addresses if we're not
4926 * checking MPLS-encapsulated packets.
4928 if (cstate->label_stack_depth == 0) {
4929 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4931 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4937 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4940 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4943 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4946 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4949 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4952 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4955 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4958 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4961 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4964 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4967 bpf_error(cstate, "AppleTalk host filtering not implemented");
4970 return gen_dnhostop(cstate, addr, dir);
4973 bpf_error(cstate, "LAT host filtering not implemented");
4976 bpf_error(cstate, "SCA host filtering not implemented");
4979 bpf_error(cstate, "MOPRC host filtering not implemented");
4982 bpf_error(cstate, "MOPDL host filtering not implemented");
4985 bpf_error(cstate, "'ip6' modifier applied to ip host");
4988 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4991 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4994 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4997 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
5000 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
5003 bpf_error(cstate, "AARP host filtering not implemented");
5006 bpf_error(cstate, "ISO host filtering not implemented");
5009 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5012 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5015 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5018 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5021 bpf_error(cstate, "IPX host filtering not implemented");
5024 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5027 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5030 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5033 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5036 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5039 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5042 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5045 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5048 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5051 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5060 static struct block *
5061 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5062 struct in6_addr *mask, int proto, int dir, int type)
5064 const char *typestr;
5074 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5077 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5080 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5083 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5086 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5089 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5092 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5095 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5098 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5101 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5104 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5107 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5110 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5113 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5116 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5119 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5122 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5125 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5128 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5131 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5134 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5137 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5140 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5143 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5146 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5149 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5152 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5155 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5158 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5161 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5164 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5167 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5170 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5173 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5176 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5179 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5182 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5185 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5188 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5191 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5201 static struct block *
5202 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5203 struct addrinfo *alist, int proto, int dir)
5205 struct block *b0, *b1, *tmp;
5206 struct addrinfo *ai;
5207 struct sockaddr_in *sin;
5210 bpf_error(cstate, "direction applied to 'gateway'");
5217 switch (cstate->linktype) {
5219 case DLT_NETANALYZER:
5220 case DLT_NETANALYZER_TRANSPARENT:
5221 b1 = gen_prevlinkhdr_check(cstate);
5222 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5227 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5230 b0 = gen_thostop(cstate, eaddr, Q_OR);
5232 case DLT_IEEE802_11:
5233 case DLT_PRISM_HEADER:
5234 case DLT_IEEE802_11_RADIO_AVS:
5235 case DLT_IEEE802_11_RADIO:
5237 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5241 * This is LLC-multiplexed traffic; if it were
5242 * LANE, cstate->linktype would have been set to
5246 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5248 case DLT_IP_OVER_FC:
5249 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5253 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5256 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5258 * Does it have an address?
5260 if (ai->ai_addr != NULL) {
5262 * Yes. Is it an IPv4 address?
5264 if (ai->ai_addr->sa_family == AF_INET) {
5266 * Generate an entry for it.
5268 sin = (struct sockaddr_in *)ai->ai_addr;
5269 tmp = gen_host(cstate,
5270 ntohl(sin->sin_addr.s_addr),
5271 0xffffffff, proto, Q_OR, Q_HOST);
5273 * Is it the *first* IPv4 address?
5277 * Yes, so start with it.
5282 * No, so OR it into the
5294 * No IPv4 addresses found.
5302 bpf_error(cstate, "illegal modifier of 'gateway'");
5307 static struct block *
5308 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5316 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5317 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5322 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5323 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5328 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5329 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5334 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5337 #ifndef IPPROTO_IGMP
5338 #define IPPROTO_IGMP 2
5342 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5345 #ifndef IPPROTO_IGRP
5346 #define IPPROTO_IGRP 9
5349 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5353 #define IPPROTO_PIM 103
5357 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5358 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5362 #ifndef IPPROTO_VRRP
5363 #define IPPROTO_VRRP 112
5367 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5370 #ifndef IPPROTO_CARP
5371 #define IPPROTO_CARP 112
5375 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5379 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5383 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5387 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5391 bpf_error(cstate, "link layer applied in wrong context");
5394 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5398 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5402 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5406 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5410 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5414 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5418 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5422 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5425 #ifndef IPPROTO_ICMPV6
5426 #define IPPROTO_ICMPV6 58
5429 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5433 #define IPPROTO_AH 51
5436 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5437 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5442 #define IPPROTO_ESP 50
5445 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5446 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5451 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5455 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5459 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5462 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5463 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5464 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5466 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5468 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5470 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5474 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5475 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5476 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5478 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5480 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5482 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5486 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5487 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5488 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5490 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5495 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5496 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5501 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5502 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5504 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5506 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5511 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5512 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5517 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5518 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5523 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5527 b1 = gen_linktype(cstate, LLCSAP_8021D);
5531 b1 = gen_linktype(cstate, LLCSAP_IPX);
5535 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5539 bpf_error(cstate, "'radio' is not a valid protocol type");
5548 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5551 * Catch errors reported by us and routines below us, and return NULL
5554 if (setjmp(cstate->top_ctx))
5557 return gen_proto_abbrev_internal(cstate, proto);
5560 static struct block *
5561 gen_ipfrag(compiler_state_t *cstate)
5566 /* not IPv4 frag other than the first frag */
5567 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5568 b = new_block(cstate, JMP(BPF_JSET));
5577 * Generate a comparison to a port value in the transport-layer header
5578 * at the specified offset from the beginning of that header.
5580 * XXX - this handles a variable-length prefix preceding the link-layer
5581 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5582 * variable-length link-layer headers (such as Token Ring or 802.11
5585 static struct block *
5586 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v)
5588 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5591 static struct block *
5592 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v)
5594 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5598 gen_portop(compiler_state_t *cstate, int port, int proto, int dir)
5600 struct block *b0, *b1, *tmp;
5602 /* ip proto 'proto' and not a fragment other than the first fragment */
5603 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5604 b0 = gen_ipfrag(cstate);
5609 b1 = gen_portatom(cstate, 0, (bpf_int32)port);
5613 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5617 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5618 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5624 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5625 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5630 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5634 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5638 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5642 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5646 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5650 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5662 static struct block *
5663 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir)
5665 struct block *b0, *b1, *tmp;
5670 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5671 * not LLC encapsulation with LLCSAP_IP.
5673 * For IEEE 802 networks - which includes 802.5 token ring
5674 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5675 * says that SNAP encapsulation is used, not LLC encapsulation
5678 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5679 * RFC 2225 say that SNAP encapsulation is used, not LLC
5680 * encapsulation with LLCSAP_IP.
5682 * So we always check for ETHERTYPE_IP.
5684 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5690 b1 = gen_portop(cstate, port, ip_proto, dir);
5694 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5695 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5697 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5709 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir)
5711 struct block *b0, *b1, *tmp;
5713 /* ip6 proto 'proto' */
5714 /* XXX - catch the first fragment of a fragmented packet? */
5715 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5719 b1 = gen_portatom6(cstate, 0, (bpf_int32)port);
5723 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5727 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5728 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5734 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5735 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5747 static struct block *
5748 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir)
5750 struct block *b0, *b1, *tmp;
5752 /* link proto ip6 */
5753 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5759 b1 = gen_portop6(cstate, port, ip_proto, dir);
5763 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5764 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5766 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5777 /* gen_portrange code */
5778 static struct block *
5779 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1,
5782 struct block *b1, *b2;
5786 * Reverse the order of the ports, so v1 is the lower one.
5795 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5796 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5804 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto,
5807 struct block *b0, *b1, *tmp;
5809 /* ip proto 'proto' and not a fragment other than the first fragment */
5810 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5811 b0 = gen_ipfrag(cstate);
5816 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5820 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5824 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5825 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5831 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5832 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5837 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5841 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5845 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5849 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5853 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
5857 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
5869 static struct block *
5870 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5873 struct block *b0, *b1, *tmp;
5876 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5882 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir);
5886 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5887 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5889 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5900 static struct block *
5901 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1,
5904 struct block *b1, *b2;
5908 * Reverse the order of the ports, so v1 is the lower one.
5917 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5918 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5926 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto,
5929 struct block *b0, *b1, *tmp;
5931 /* ip6 proto 'proto' */
5932 /* XXX - catch the first fragment of a fragmented packet? */
5933 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5937 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5941 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5945 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5946 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5952 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5953 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5965 static struct block *
5966 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5969 struct block *b0, *b1, *tmp;
5971 /* link proto ip6 */
5972 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5978 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir);
5982 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5983 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5985 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5997 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
6006 v = pcap_nametoproto(name);
6007 if (v == PROTO_UNDEF)
6008 bpf_error(cstate, "unknown ip proto '%s'", name);
6012 /* XXX should look up h/w protocol type based on cstate->linktype */
6013 v = pcap_nametoeproto(name);
6014 if (v == PROTO_UNDEF) {
6015 v = pcap_nametollc(name);
6016 if (v == PROTO_UNDEF)
6017 bpf_error(cstate, "unknown ether proto '%s'", name);
6022 if (strcmp(name, "esis") == 0)
6024 else if (strcmp(name, "isis") == 0)
6026 else if (strcmp(name, "clnp") == 0)
6029 bpf_error(cstate, "unknown osi proto '%s'", name);
6041 gen_joinsp(struct stmt **s, int n)
6047 static struct block *
6048 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir)
6050 #ifdef NO_PROTOCHAIN
6051 return gen_proto(cstate, v, proto, dir);
6053 struct block *b0, *b;
6054 struct slist *s[100];
6055 int fix2, fix3, fix4, fix5;
6056 int ahcheck, again, end;
6058 int reg2 = alloc_reg(cstate);
6060 memset(s, 0, sizeof(s));
6061 fix3 = fix4 = fix5 = 0;
6068 b0 = gen_protochain(cstate, v, Q_IP, dir);
6069 b = gen_protochain(cstate, v, Q_IPV6, dir);
6073 bpf_error(cstate, "bad protocol applied for 'protochain'");
6078 * We don't handle variable-length prefixes before the link-layer
6079 * header, or variable-length link-layer headers, here yet.
6080 * We might want to add BPF instructions to do the protochain
6081 * work, to simplify that and, on platforms that have a BPF
6082 * interpreter with the new instructions, let the filtering
6083 * be done in the kernel. (We already require a modified BPF
6084 * engine to do the protochain stuff, to support backward
6085 * branches, and backward branch support is unlikely to appear
6086 * in kernel BPF engines.)
6088 if (cstate->off_linkpl.is_variable)
6089 bpf_error(cstate, "'protochain' not supported with variable length headers");
6091 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */
6094 * s[0] is a dummy entry to protect other BPF insn from damage
6095 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6096 * hard to find interdependency made by jump table fixup.
6099 s[i] = new_stmt(cstate, 0); /*dummy*/
6104 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6107 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6108 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6110 /* X = ip->ip_hl << 2 */
6111 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6112 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6117 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6119 /* A = ip6->ip_nxt */
6120 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6121 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6123 /* X = sizeof(struct ip6_hdr) */
6124 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6130 bpf_error(cstate, "unsupported proto to gen_protochain");
6134 /* again: if (A == v) goto end; else fall through; */
6136 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6138 s[i]->s.jt = NULL; /*later*/
6139 s[i]->s.jf = NULL; /*update in next stmt*/
6143 #ifndef IPPROTO_NONE
6144 #define IPPROTO_NONE 59
6146 /* if (A == IPPROTO_NONE) goto end */
6147 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6148 s[i]->s.jt = NULL; /*later*/
6149 s[i]->s.jf = NULL; /*update in next stmt*/
6150 s[i]->s.k = IPPROTO_NONE;
6151 s[fix5]->s.jf = s[i];
6155 if (proto == Q_IPV6) {
6156 int v6start, v6end, v6advance, j;
6159 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6160 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6161 s[i]->s.jt = NULL; /*later*/
6162 s[i]->s.jf = NULL; /*update in next stmt*/
6163 s[i]->s.k = IPPROTO_HOPOPTS;
6164 s[fix2]->s.jf = s[i];
6166 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6167 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6168 s[i]->s.jt = NULL; /*later*/
6169 s[i]->s.jf = NULL; /*update in next stmt*/
6170 s[i]->s.k = IPPROTO_DSTOPTS;
6172 /* if (A == IPPROTO_ROUTING) goto v6advance */
6173 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6174 s[i]->s.jt = NULL; /*later*/
6175 s[i]->s.jf = NULL; /*update in next stmt*/
6176 s[i]->s.k = IPPROTO_ROUTING;
6178 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6179 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6180 s[i]->s.jt = NULL; /*later*/
6181 s[i]->s.jf = NULL; /*later*/
6182 s[i]->s.k = IPPROTO_FRAGMENT;
6192 * A = P[X + packet head];
6193 * X = X + (P[X + packet head + 1] + 1) * 8;
6195 /* A = P[X + packet head] */
6196 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6197 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6200 s[i] = new_stmt(cstate, BPF_ST);
6203 /* A = P[X + packet head + 1]; */
6204 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6205 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6208 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6212 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6216 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6220 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6223 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6227 /* goto again; (must use BPF_JA for backward jump) */
6228 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6229 s[i]->s.k = again - i - 1;
6230 s[i - 1]->s.jf = s[i];
6234 for (j = v6start; j <= v6end; j++)
6235 s[j]->s.jt = s[v6advance];
6238 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6240 s[fix2]->s.jf = s[i];
6246 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6247 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6248 s[i]->s.jt = NULL; /*later*/
6249 s[i]->s.jf = NULL; /*later*/
6250 s[i]->s.k = IPPROTO_AH;
6252 s[fix3]->s.jf = s[ahcheck];
6259 * X = X + (P[X + 1] + 2) * 4;
6262 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6264 /* A = P[X + packet head]; */
6265 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6266 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6269 s[i] = new_stmt(cstate, BPF_ST);
6273 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6276 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6280 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6282 /* A = P[X + packet head] */
6283 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6284 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6287 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6291 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6295 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6298 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6302 /* goto again; (must use BPF_JA for backward jump) */
6303 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6304 s[i]->s.k = again - i - 1;
6309 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6311 s[fix2]->s.jt = s[end];
6312 s[fix4]->s.jf = s[end];
6313 s[fix5]->s.jt = s[end];
6320 for (i = 0; i < max - 1; i++)
6321 s[i]->next = s[i + 1];
6322 s[max - 1]->next = NULL;
6327 b = new_block(cstate, JMP(BPF_JEQ));
6328 b->stmts = s[1]; /*remember, s[0] is dummy*/
6331 free_reg(cstate, reg2);
6338 static struct block *
6339 gen_check_802_11_data_frame(compiler_state_t *cstate)
6342 struct block *b0, *b1;
6345 * A data frame has the 0x08 bit (b3) in the frame control field set
6346 * and the 0x04 bit (b2) clear.
6348 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6349 b0 = new_block(cstate, JMP(BPF_JSET));
6353 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6354 b1 = new_block(cstate, JMP(BPF_JSET));
6365 * Generate code that checks whether the packet is a packet for protocol
6366 * <proto> and whether the type field in that protocol's header has
6367 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6368 * IP packet and checks the protocol number in the IP header against <v>.
6370 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6371 * against Q_IP and Q_IPV6.
6373 static struct block *
6374 gen_proto(compiler_state_t *cstate, int v, int proto, int dir)
6376 struct block *b0, *b1;
6381 if (dir != Q_DEFAULT)
6382 bpf_error(cstate, "direction applied to 'proto'");
6386 b0 = gen_proto(cstate, v, Q_IP, dir);
6387 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6392 return gen_linktype(cstate, v);
6396 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6397 * not LLC encapsulation with LLCSAP_IP.
6399 * For IEEE 802 networks - which includes 802.5 token ring
6400 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6401 * says that SNAP encapsulation is used, not LLC encapsulation
6404 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6405 * RFC 2225 say that SNAP encapsulation is used, not LLC
6406 * encapsulation with LLCSAP_IP.
6408 * So we always check for ETHERTYPE_IP.
6410 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6412 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v);
6414 b1 = gen_protochain(cstate, v, Q_IP);
6420 bpf_error(cstate, "arp does not encapsulate another protocol");
6424 bpf_error(cstate, "rarp does not encapsulate another protocol");
6428 bpf_error(cstate, "'sctp proto' is bogus");
6432 bpf_error(cstate, "'tcp proto' is bogus");
6436 bpf_error(cstate, "'udp proto' is bogus");
6440 bpf_error(cstate, "'icmp proto' is bogus");
6444 bpf_error(cstate, "'igmp proto' is bogus");
6448 bpf_error(cstate, "'igrp proto' is bogus");
6452 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6456 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6460 bpf_error(cstate, "LAT does not encapsulate another protocol");
6464 bpf_error(cstate, "SCA does not encapsulate another protocol");
6468 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6472 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6476 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6479 * Also check for a fragment header before the final
6482 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6483 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6485 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6488 b1 = gen_protochain(cstate, v, Q_IPV6);
6494 bpf_error(cstate, "'icmp6 proto' is bogus");
6498 bpf_error(cstate, "'ah proto' is bogus");
6502 bpf_error(cstate, "'ah proto' is bogus");
6506 bpf_error(cstate, "'pim proto' is bogus");
6510 bpf_error(cstate, "'vrrp proto' is bogus");
6514 bpf_error(cstate, "'aarp proto' is bogus");
6518 switch (cstate->linktype) {
6522 * Frame Relay packets typically have an OSI
6523 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6524 * generates code to check for all the OSI
6525 * NLPIDs, so calling it and then adding a check
6526 * for the particular NLPID for which we're
6527 * looking is bogus, as we can just check for
6530 * What we check for is the NLPID and a frame
6531 * control field value of UI, i.e. 0x03 followed
6534 * XXX - assumes a 2-byte Frame Relay header with
6535 * DLCI and flags. What if the address is longer?
6537 * XXX - what about SNAP-encapsulated frames?
6539 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6544 * Cisco uses an Ethertype lookalike - for OSI,
6547 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6548 /* OSI in C-HDLC is stuffed with a fudge byte */
6549 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6554 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6555 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6561 bpf_error(cstate, "'esis proto' is bogus");
6565 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6567 * 4 is the offset of the PDU type relative to the IS-IS
6570 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6575 bpf_error(cstate, "'clnp proto' is not supported");
6579 bpf_error(cstate, "'stp proto' is bogus");
6583 bpf_error(cstate, "'ipx proto' is bogus");
6587 bpf_error(cstate, "'netbeui proto' is bogus");
6591 bpf_error(cstate, "'l1 proto' is bogus");
6595 bpf_error(cstate, "'l2 proto' is bogus");
6599 bpf_error(cstate, "'iih proto' is bogus");
6603 bpf_error(cstate, "'snp proto' is bogus");
6607 bpf_error(cstate, "'csnp proto' is bogus");
6611 bpf_error(cstate, "'psnp proto' is bogus");
6615 bpf_error(cstate, "'lsp proto' is bogus");
6619 bpf_error(cstate, "'radio proto' is bogus");
6623 bpf_error(cstate, "'carp proto' is bogus");
6634 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6636 int proto = q.proto;
6640 bpf_u_int32 mask, addr;
6641 struct addrinfo *res, *res0;
6642 struct sockaddr_in *sin4;
6645 struct sockaddr_in6 *sin6;
6646 struct in6_addr mask128;
6648 struct block *b, *tmp;
6649 int port, real_proto;
6653 * Catch errors reported by us and routines below us, and return NULL
6656 if (setjmp(cstate->top_ctx))
6662 addr = pcap_nametonetaddr(name);
6664 bpf_error(cstate, "unknown network '%s'", name);
6665 /* Left justify network addr and calculate its network mask */
6667 while (addr && (addr & 0xff000000) == 0) {
6671 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6675 if (proto == Q_LINK) {
6676 switch (cstate->linktype) {
6679 case DLT_NETANALYZER:
6680 case DLT_NETANALYZER_TRANSPARENT:
6681 eaddr = pcap_ether_hostton(name);
6684 "unknown ether host '%s'", name);
6685 tmp = gen_prevlinkhdr_check(cstate);
6686 b = gen_ehostop(cstate, eaddr, dir);
6693 eaddr = pcap_ether_hostton(name);
6696 "unknown FDDI host '%s'", name);
6697 b = gen_fhostop(cstate, eaddr, dir);
6702 eaddr = pcap_ether_hostton(name);
6705 "unknown token ring host '%s'", name);
6706 b = gen_thostop(cstate, eaddr, dir);
6710 case DLT_IEEE802_11:
6711 case DLT_PRISM_HEADER:
6712 case DLT_IEEE802_11_RADIO_AVS:
6713 case DLT_IEEE802_11_RADIO:
6715 eaddr = pcap_ether_hostton(name);
6718 "unknown 802.11 host '%s'", name);
6719 b = gen_wlanhostop(cstate, eaddr, dir);
6723 case DLT_IP_OVER_FC:
6724 eaddr = pcap_ether_hostton(name);
6727 "unknown Fibre Channel host '%s'", name);
6728 b = gen_ipfchostop(cstate, eaddr, dir);
6733 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6734 } else if (proto == Q_DECNET) {
6735 unsigned short dn_addr;
6737 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6739 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6741 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6746 * I don't think DECNET hosts can be multihomed, so
6747 * there is no need to build up a list of addresses
6749 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6752 memset(&mask128, 0xff, sizeof(mask128));
6754 res0 = res = pcap_nametoaddrinfo(name);
6756 bpf_error(cstate, "unknown host '%s'", name);
6763 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6764 tproto == Q_DEFAULT) {
6770 for (res = res0; res; res = res->ai_next) {
6771 switch (res->ai_family) {
6774 if (tproto == Q_IPV6)
6778 sin4 = (struct sockaddr_in *)
6780 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6781 0xffffffff, tproto, dir, q.addr);
6785 if (tproto6 == Q_IP)
6788 sin6 = (struct sockaddr_in6 *)
6790 tmp = gen_host6(cstate, &sin6->sin6_addr,
6791 &mask128, tproto6, dir, q.addr);
6804 bpf_error(cstate, "unknown host '%s'%s", name,
6805 (proto == Q_DEFAULT)
6807 : " for specified address family");
6813 if (proto != Q_DEFAULT &&
6814 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6815 bpf_error(cstate, "illegal qualifier of 'port'");
6816 if (pcap_nametoport(name, &port, &real_proto) == 0)
6817 bpf_error(cstate, "unknown port '%s'", name);
6818 if (proto == Q_UDP) {
6819 if (real_proto == IPPROTO_TCP)
6820 bpf_error(cstate, "port '%s' is tcp", name);
6821 else if (real_proto == IPPROTO_SCTP)
6822 bpf_error(cstate, "port '%s' is sctp", name);
6824 /* override PROTO_UNDEF */
6825 real_proto = IPPROTO_UDP;
6827 if (proto == Q_TCP) {
6828 if (real_proto == IPPROTO_UDP)
6829 bpf_error(cstate, "port '%s' is udp", name);
6831 else if (real_proto == IPPROTO_SCTP)
6832 bpf_error(cstate, "port '%s' is sctp", name);
6834 /* override PROTO_UNDEF */
6835 real_proto = IPPROTO_TCP;
6837 if (proto == Q_SCTP) {
6838 if (real_proto == IPPROTO_UDP)
6839 bpf_error(cstate, "port '%s' is udp", name);
6841 else if (real_proto == IPPROTO_TCP)
6842 bpf_error(cstate, "port '%s' is tcp", name);
6844 /* override PROTO_UNDEF */
6845 real_proto = IPPROTO_SCTP;
6848 bpf_error(cstate, "illegal port number %d < 0", port);
6850 bpf_error(cstate, "illegal port number %d > 65535", port);
6851 b = gen_port(cstate, port, real_proto, dir);
6852 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6856 if (proto != Q_DEFAULT &&
6857 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6858 bpf_error(cstate, "illegal qualifier of 'portrange'");
6859 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6860 bpf_error(cstate, "unknown port in range '%s'", name);
6861 if (proto == Q_UDP) {
6862 if (real_proto == IPPROTO_TCP)
6863 bpf_error(cstate, "port in range '%s' is tcp", name);
6864 else if (real_proto == IPPROTO_SCTP)
6865 bpf_error(cstate, "port in range '%s' is sctp", name);
6867 /* override PROTO_UNDEF */
6868 real_proto = IPPROTO_UDP;
6870 if (proto == Q_TCP) {
6871 if (real_proto == IPPROTO_UDP)
6872 bpf_error(cstate, "port in range '%s' is udp", name);
6873 else if (real_proto == IPPROTO_SCTP)
6874 bpf_error(cstate, "port in range '%s' is sctp", name);
6876 /* override PROTO_UNDEF */
6877 real_proto = IPPROTO_TCP;
6879 if (proto == Q_SCTP) {
6880 if (real_proto == IPPROTO_UDP)
6881 bpf_error(cstate, "port in range '%s' is udp", name);
6882 else if (real_proto == IPPROTO_TCP)
6883 bpf_error(cstate, "port in range '%s' is tcp", name);
6885 /* override PROTO_UNDEF */
6886 real_proto = IPPROTO_SCTP;
6889 bpf_error(cstate, "illegal port number %d < 0", port1);
6891 bpf_error(cstate, "illegal port number %d > 65535", port1);
6893 bpf_error(cstate, "illegal port number %d < 0", port2);
6895 bpf_error(cstate, "illegal port number %d > 65535", port2);
6897 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6898 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6903 eaddr = pcap_ether_hostton(name);
6905 bpf_error(cstate, "unknown ether host: %s", name);
6907 res = pcap_nametoaddrinfo(name);
6910 bpf_error(cstate, "unknown host '%s'", name);
6911 b = gen_gateway(cstate, eaddr, res, proto, dir);
6915 bpf_error(cstate, "unknown host '%s'", name);
6918 bpf_error(cstate, "'gateway' not supported in this configuration");
6922 real_proto = lookup_proto(cstate, name, proto);
6923 if (real_proto >= 0)
6924 return gen_proto(cstate, real_proto, proto, dir);
6926 bpf_error(cstate, "unknown protocol: %s", name);
6929 real_proto = lookup_proto(cstate, name, proto);
6930 if (real_proto >= 0)
6931 return gen_protochain(cstate, real_proto, proto, dir);
6933 bpf_error(cstate, "unknown protocol: %s", name);
6944 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6945 unsigned int masklen, struct qual q)
6947 register int nlen, mlen;
6951 * Catch errors reported by us and routines below us, and return NULL
6954 if (setjmp(cstate->top_ctx))
6957 nlen = __pcap_atoin(s1, &n);
6959 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
6960 /* Promote short ipaddr */
6964 mlen = __pcap_atoin(s2, &m);
6966 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
6967 /* Promote short ipaddr */
6970 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6973 /* Convert mask len to mask */
6975 bpf_error(cstate, "mask length must be <= 32");
6978 * X << 32 is not guaranteed by C to be 0; it's
6983 m = 0xffffffff << (32 - masklen);
6985 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6992 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6995 bpf_error(cstate, "Mask syntax for networks only");
7002 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7010 * Catch errors reported by us and routines below us, and return NULL
7013 if (setjmp(cstate->top_ctx))
7020 else if (q.proto == Q_DECNET) {
7021 vlen = __pcap_atodn(s, &v);
7023 bpf_error(cstate, "malformed decnet address '%s'", s);
7025 vlen = __pcap_atoin(s, &v);
7027 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7035 if (proto == Q_DECNET)
7036 return gen_host(cstate, v, 0, proto, dir, q.addr);
7037 else if (proto == Q_LINK) {
7038 bpf_error(cstate, "illegal link layer address");
7041 if (s == NULL && q.addr == Q_NET) {
7042 /* Promote short net number */
7043 while (v && (v & 0xff000000) == 0) {
7048 /* Promote short ipaddr */
7050 mask <<= 32 - vlen ;
7052 return gen_host(cstate, v, mask, proto, dir, q.addr);
7057 proto = IPPROTO_UDP;
7058 else if (proto == Q_TCP)
7059 proto = IPPROTO_TCP;
7060 else if (proto == Q_SCTP)
7061 proto = IPPROTO_SCTP;
7062 else if (proto == Q_DEFAULT)
7063 proto = PROTO_UNDEF;
7065 bpf_error(cstate, "illegal qualifier of 'port'");
7068 bpf_error(cstate, "illegal port number %u > 65535", v);
7072 b = gen_port(cstate, (int)v, proto, dir);
7073 gen_or(gen_port6(cstate, (int)v, proto, dir), b);
7079 proto = IPPROTO_UDP;
7080 else if (proto == Q_TCP)
7081 proto = IPPROTO_TCP;
7082 else if (proto == Q_SCTP)
7083 proto = IPPROTO_SCTP;
7084 else if (proto == Q_DEFAULT)
7085 proto = PROTO_UNDEF;
7087 bpf_error(cstate, "illegal qualifier of 'portrange'");
7090 bpf_error(cstate, "illegal port number %u > 65535", v);
7094 b = gen_portrange(cstate, (int)v, (int)v, proto, dir);
7095 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b);
7100 bpf_error(cstate, "'gateway' requires a name");
7104 return gen_proto(cstate, (int)v, proto, dir);
7107 return gen_protochain(cstate, (int)v, proto, dir);
7122 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
7123 unsigned int masklen, struct qual q)
7125 struct addrinfo *res;
7126 struct in6_addr *addr;
7127 struct in6_addr mask;
7132 * Catch errors reported by us and routines below us, and return NULL
7135 if (setjmp(cstate->top_ctx))
7139 bpf_error(cstate, "no mask %s supported", s2);
7141 res = pcap_nametoaddrinfo(s1);
7143 bpf_error(cstate, "invalid ip6 address %s", s1);
7146 bpf_error(cstate, "%s resolved to multiple address", s1);
7147 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7149 if (sizeof(mask) * 8 < masklen)
7150 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
7151 memset(&mask, 0, sizeof(mask));
7152 memset(&mask, 0xff, masklen / 8);
7154 mask.s6_addr[masklen / 8] =
7155 (0xff << (8 - masklen % 8)) & 0xff;
7158 a = (uint32_t *)addr;
7159 m = (uint32_t *)&mask;
7160 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7161 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7162 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
7170 bpf_error(cstate, "Mask syntax for networks only");
7174 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7180 bpf_error(cstate, "invalid qualifier against IPv6 address");
7187 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7189 struct block *b, *tmp;
7192 * Catch errors reported by us and routines below us, and return NULL
7195 if (setjmp(cstate->top_ctx))
7198 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7199 cstate->e = pcap_ether_aton(s);
7200 if (cstate->e == NULL)
7201 bpf_error(cstate, "malloc");
7202 switch (cstate->linktype) {
7204 case DLT_NETANALYZER:
7205 case DLT_NETANALYZER_TRANSPARENT:
7206 tmp = gen_prevlinkhdr_check(cstate);
7207 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7212 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7215 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7217 case DLT_IEEE802_11:
7218 case DLT_PRISM_HEADER:
7219 case DLT_IEEE802_11_RADIO_AVS:
7220 case DLT_IEEE802_11_RADIO:
7222 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7224 case DLT_IP_OVER_FC:
7225 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7230 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7237 bpf_error(cstate, "ethernet address used in non-ether expression");
7242 sappend(struct slist *s0, struct slist *s1)
7245 * This is definitely not the best way to do this, but the
7246 * lists will rarely get long.
7253 static struct slist *
7254 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7258 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7263 static struct slist *
7264 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7268 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7274 * Modify "index" to use the value stored into its register as an
7275 * offset relative to the beginning of the header for the protocol
7276 * "proto", and allocate a register and put an item "size" bytes long
7277 * (1, 2, or 4) at that offset into that register, making it the register
7280 static struct arth *
7281 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst, int size)
7283 struct slist *s, *tmp;
7285 int regno = alloc_reg(cstate);
7287 free_reg(cstate, inst->regno);
7291 bpf_error(cstate, "data size must be 1, 2, or 4");
7307 bpf_error(cstate, "unsupported index operation");
7311 * The offset is relative to the beginning of the packet
7312 * data, if we have a radio header. (If we don't, this
7315 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7316 cstate->linktype != DLT_IEEE802_11_RADIO &&
7317 cstate->linktype != DLT_PRISM_HEADER)
7318 bpf_error(cstate, "radio information not present in capture");
7321 * Load into the X register the offset computed into the
7322 * register specified by "index".
7324 s = xfer_to_x(cstate, inst);
7327 * Load the item at that offset.
7329 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7331 sappend(inst->s, s);
7336 * The offset is relative to the beginning of
7337 * the link-layer header.
7339 * XXX - what about ATM LANE? Should the index be
7340 * relative to the beginning of the AAL5 frame, so
7341 * that 0 refers to the beginning of the LE Control
7342 * field, or relative to the beginning of the LAN
7343 * frame, so that 0 refers, for Ethernet LANE, to
7344 * the beginning of the destination address?
7346 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7349 * If "s" is non-null, it has code to arrange that the
7350 * X register contains the length of the prefix preceding
7351 * the link-layer header. Add to it the offset computed
7352 * into the register specified by "index", and move that
7353 * into the X register. Otherwise, just load into the X
7354 * register the offset computed into the register specified
7358 sappend(s, xfer_to_a(cstate, inst));
7359 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7360 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7362 s = xfer_to_x(cstate, inst);
7365 * Load the item at the sum of the offset we've put in the
7366 * X register and the offset of the start of the link
7367 * layer header (which is 0 if the radio header is
7368 * variable-length; that header length is what we put
7369 * into the X register and then added to the index).
7371 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7372 tmp->s.k = cstate->off_linkhdr.constant_part;
7374 sappend(inst->s, s);
7388 * The offset is relative to the beginning of
7389 * the network-layer header.
7390 * XXX - are there any cases where we want
7391 * cstate->off_nl_nosnap?
7393 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7396 * If "s" is non-null, it has code to arrange that the
7397 * X register contains the variable part of the offset
7398 * of the link-layer payload. Add to it the offset
7399 * computed into the register specified by "index",
7400 * and move that into the X register. Otherwise, just
7401 * load into the X register the offset computed into
7402 * the register specified by "index".
7405 sappend(s, xfer_to_a(cstate, inst));
7406 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7407 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7409 s = xfer_to_x(cstate, inst);
7412 * Load the item at the sum of the offset we've put in the
7413 * X register, the offset of the start of the network
7414 * layer header from the beginning of the link-layer
7415 * payload, and the constant part of the offset of the
7416 * start of the link-layer payload.
7418 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7419 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7421 sappend(inst->s, s);
7424 * Do the computation only if the packet contains
7425 * the protocol in question.
7427 b = gen_proto_abbrev_internal(cstate, proto);
7429 gen_and(inst->b, b);
7443 * The offset is relative to the beginning of
7444 * the transport-layer header.
7446 * Load the X register with the length of the IPv4 header
7447 * (plus the offset of the link-layer header, if it's
7448 * a variable-length header), in bytes.
7450 * XXX - are there any cases where we want
7451 * cstate->off_nl_nosnap?
7452 * XXX - we should, if we're built with
7453 * IPv6 support, generate code to load either
7454 * IPv4, IPv6, or both, as appropriate.
7456 s = gen_loadx_iphdrlen(cstate);
7459 * The X register now contains the sum of the variable
7460 * part of the offset of the link-layer payload and the
7461 * length of the network-layer header.
7463 * Load into the A register the offset relative to
7464 * the beginning of the transport layer header,
7465 * add the X register to that, move that to the
7466 * X register, and load with an offset from the
7467 * X register equal to the sum of the constant part of
7468 * the offset of the link-layer payload and the offset,
7469 * relative to the beginning of the link-layer payload,
7470 * of the network-layer header.
7472 sappend(s, xfer_to_a(cstate, inst));
7473 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7474 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7475 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size));
7476 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7477 sappend(inst->s, s);
7480 * Do the computation only if the packet contains
7481 * the protocol in question - which is true only
7482 * if this is an IP datagram and is the first or
7483 * only fragment of that datagram.
7485 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7487 gen_and(inst->b, b);
7488 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7493 * Do the computation only if the packet contains
7494 * the protocol in question.
7496 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7498 gen_and(inst->b, b);
7503 * Check if we have an icmp6 next header
7505 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7507 gen_and(inst->b, b);
7512 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7514 * If "s" is non-null, it has code to arrange that the
7515 * X register contains the variable part of the offset
7516 * of the link-layer payload. Add to it the offset
7517 * computed into the register specified by "index",
7518 * and move that into the X register. Otherwise, just
7519 * load into the X register the offset computed into
7520 * the register specified by "index".
7523 sappend(s, xfer_to_a(cstate, inst));
7524 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7525 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7527 s = xfer_to_x(cstate, inst);
7531 * Load the item at the sum of the offset we've put in the
7532 * X register, the offset of the start of the network
7533 * layer header from the beginning of the link-layer
7534 * payload, and the constant part of the offset of the
7535 * start of the link-layer payload.
7537 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7538 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7541 sappend(inst->s, s);
7545 inst->regno = regno;
7546 s = new_stmt(cstate, BPF_ST);
7548 sappend(inst->s, s);
7554 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size)
7557 * Catch errors reported by us and routines below us, and return NULL
7560 if (setjmp(cstate->top_ctx))
7563 return gen_load_internal(cstate, proto, inst, size);
7566 static struct block *
7567 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7568 struct arth *a1, int reversed)
7570 struct slist *s0, *s1, *s2;
7571 struct block *b, *tmp;
7573 s0 = xfer_to_x(cstate, a1);
7574 s1 = xfer_to_a(cstate, a0);
7575 if (code == BPF_JEQ) {
7576 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7577 b = new_block(cstate, JMP(code));
7581 b = new_block(cstate, BPF_JMP|code|BPF_X);
7587 sappend(a0->s, a1->s);
7591 free_reg(cstate, a0->regno);
7592 free_reg(cstate, a1->regno);
7594 /* 'and' together protocol checks */
7597 gen_and(a0->b, tmp = a1->b);
7611 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7612 struct arth *a1, int reversed)
7615 * Catch errors reported by us and routines below us, and return NULL
7618 if (setjmp(cstate->top_ctx))
7621 return gen_relation_internal(cstate, code, a0, a1, reversed);
7625 gen_loadlen(compiler_state_t *cstate)
7632 * Catch errors reported by us and routines below us, and return NULL
7635 if (setjmp(cstate->top_ctx))
7638 regno = alloc_reg(cstate);
7639 a = (struct arth *)newchunk(cstate, sizeof(*a));
7640 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7641 s->next = new_stmt(cstate, BPF_ST);
7642 s->next->s.k = regno;
7649 static struct arth *
7650 gen_loadi_internal(compiler_state_t *cstate, int val)
7656 a = (struct arth *)newchunk(cstate, sizeof(*a));
7658 reg = alloc_reg(cstate);
7660 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7662 s->next = new_stmt(cstate, BPF_ST);
7671 gen_loadi(compiler_state_t *cstate, int val)
7674 * Catch errors reported by us and routines below us, and return NULL
7677 if (setjmp(cstate->top_ctx))
7680 return gen_loadi_internal(cstate, val);
7684 * The a_arg dance is to avoid annoying whining by compilers that
7685 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7686 * It's not *used* after setjmp returns.
7689 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7691 struct arth *a = a_arg;
7695 * Catch errors reported by us and routines below us, and return NULL
7698 if (setjmp(cstate->top_ctx))
7701 s = xfer_to_a(cstate, a);
7703 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7706 s = new_stmt(cstate, BPF_ST);
7714 * The a0_arg dance is to avoid annoying whining by compilers that
7715 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7716 * It's not *used* after setjmp returns.
7719 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7722 struct arth *a0 = a0_arg;
7723 struct slist *s0, *s1, *s2;
7726 * Catch errors reported by us and routines below us, and return NULL
7729 if (setjmp(cstate->top_ctx))
7733 * Disallow division by, or modulus by, zero; we do this here
7734 * so that it gets done even if the optimizer is disabled.
7736 * Also disallow shifts by a value greater than 31; we do this
7737 * here, for the same reason.
7739 if (code == BPF_DIV) {
7740 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7741 bpf_error(cstate, "division by zero");
7742 } else if (code == BPF_MOD) {
7743 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7744 bpf_error(cstate, "modulus by zero");
7745 } else if (code == BPF_LSH || code == BPF_RSH) {
7747 * XXX - we need to make up our minds as to what integers
7748 * are signed and what integers are unsigned in BPF programs
7751 if (a1->s->s.code == (BPF_LD|BPF_IMM) &&
7752 (a1->s->s.k < 0 || a1->s->s.k > 31))
7753 bpf_error(cstate, "shift by more than 31 bits");
7755 s0 = xfer_to_x(cstate, a1);
7756 s1 = xfer_to_a(cstate, a0);
7757 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7762 sappend(a0->s, a1->s);
7764 free_reg(cstate, a0->regno);
7765 free_reg(cstate, a1->regno);
7767 s0 = new_stmt(cstate, BPF_ST);
7768 a0->regno = s0->s.k = alloc_reg(cstate);
7775 * Initialize the table of used registers and the current register.
7778 init_regs(compiler_state_t *cstate)
7781 memset(cstate->regused, 0, sizeof cstate->regused);
7785 * Return the next free register.
7788 alloc_reg(compiler_state_t *cstate)
7790 int n = BPF_MEMWORDS;
7793 if (cstate->regused[cstate->curreg])
7794 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7796 cstate->regused[cstate->curreg] = 1;
7797 return cstate->curreg;
7800 bpf_error(cstate, "too many registers needed to evaluate expression");
7805 * Return a register to the table so it can
7809 free_reg(compiler_state_t *cstate, int n)
7811 cstate->regused[n] = 0;
7814 static struct block *
7815 gen_len(compiler_state_t *cstate, int jmp, int n)
7820 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7821 b = new_block(cstate, JMP(jmp));
7829 gen_greater(compiler_state_t *cstate, int n)
7832 * Catch errors reported by us and routines below us, and return NULL
7835 if (setjmp(cstate->top_ctx))
7838 return gen_len(cstate, BPF_JGE, n);
7842 * Actually, this is less than or equal.
7845 gen_less(compiler_state_t *cstate, int n)
7850 * Catch errors reported by us and routines below us, and return NULL
7853 if (setjmp(cstate->top_ctx))
7856 b = gen_len(cstate, BPF_JGT, n);
7863 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7864 * the beginning of the link-layer header.
7865 * XXX - that means you can't test values in the radiotap header, but
7866 * as that header is difficult if not impossible to parse generally
7867 * without a loop, that might not be a severe problem. A new keyword
7868 * "radio" could be added for that, although what you'd really want
7869 * would be a way of testing particular radio header values, which
7870 * would generate code appropriate to the radio header in question.
7873 gen_byteop(compiler_state_t *cstate, int op, int idx, int val)
7879 * Catch errors reported by us and routines below us, and return NULL
7882 if (setjmp(cstate->top_ctx))
7890 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7893 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7897 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7901 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7905 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7909 b = new_block(cstate, JMP(BPF_JEQ));
7916 static const u_char abroadcast[] = { 0x0 };
7919 gen_broadcast(compiler_state_t *cstate, int proto)
7921 bpf_u_int32 hostmask;
7922 struct block *b0, *b1, *b2;
7923 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7926 * Catch errors reported by us and routines below us, and return NULL
7929 if (setjmp(cstate->top_ctx))
7936 switch (cstate->linktype) {
7938 case DLT_ARCNET_LINUX:
7939 return gen_ahostop(cstate, abroadcast, Q_DST);
7941 case DLT_NETANALYZER:
7942 case DLT_NETANALYZER_TRANSPARENT:
7943 b1 = gen_prevlinkhdr_check(cstate);
7944 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7949 return gen_fhostop(cstate, ebroadcast, Q_DST);
7951 return gen_thostop(cstate, ebroadcast, Q_DST);
7952 case DLT_IEEE802_11:
7953 case DLT_PRISM_HEADER:
7954 case DLT_IEEE802_11_RADIO_AVS:
7955 case DLT_IEEE802_11_RADIO:
7957 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7958 case DLT_IP_OVER_FC:
7959 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7961 bpf_error(cstate, "not a broadcast link");
7967 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7968 * as an indication that we don't know the netmask, and fail
7971 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7972 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7973 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7974 hostmask = ~cstate->netmask;
7975 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7976 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7977 (bpf_int32)(~0 & hostmask), hostmask);
7982 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7987 * Generate code to test the low-order bit of a MAC address (that's
7988 * the bottom bit of the *first* byte).
7990 static struct block *
7991 gen_mac_multicast(compiler_state_t *cstate, int offset)
7993 register struct block *b0;
7994 register struct slist *s;
7996 /* link[offset] & 1 != 0 */
7997 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
7998 b0 = new_block(cstate, JMP(BPF_JSET));
8005 gen_multicast(compiler_state_t *cstate, int proto)
8007 register struct block *b0, *b1, *b2;
8008 register struct slist *s;
8011 * Catch errors reported by us and routines below us, and return NULL
8014 if (setjmp(cstate->top_ctx))
8021 switch (cstate->linktype) {
8023 case DLT_ARCNET_LINUX:
8024 /* all ARCnet multicasts use the same address */
8025 return gen_ahostop(cstate, abroadcast, Q_DST);
8027 case DLT_NETANALYZER:
8028 case DLT_NETANALYZER_TRANSPARENT:
8029 b1 = gen_prevlinkhdr_check(cstate);
8030 /* ether[0] & 1 != 0 */
8031 b0 = gen_mac_multicast(cstate, 0);
8037 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8039 * XXX - was that referring to bit-order issues?
8041 /* fddi[1] & 1 != 0 */
8042 return gen_mac_multicast(cstate, 1);
8044 /* tr[2] & 1 != 0 */
8045 return gen_mac_multicast(cstate, 2);
8046 case DLT_IEEE802_11:
8047 case DLT_PRISM_HEADER:
8048 case DLT_IEEE802_11_RADIO_AVS:
8049 case DLT_IEEE802_11_RADIO:
8054 * For control frames, there is no DA.
8056 * For management frames, DA is at an
8057 * offset of 4 from the beginning of
8060 * For data frames, DA is at an offset
8061 * of 4 from the beginning of the packet
8062 * if To DS is clear and at an offset of
8063 * 16 from the beginning of the packet
8068 * Generate the tests to be done for data frames.
8070 * First, check for To DS set, i.e. "link[1] & 0x01".
8072 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8073 b1 = new_block(cstate, JMP(BPF_JSET));
8074 b1->s.k = 0x01; /* To DS */
8078 * If To DS is set, the DA is at 16.
8080 b0 = gen_mac_multicast(cstate, 16);
8084 * Now, check for To DS not set, i.e. check
8085 * "!(link[1] & 0x01)".
8087 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8088 b2 = new_block(cstate, JMP(BPF_JSET));
8089 b2->s.k = 0x01; /* To DS */
8094 * If To DS is not set, the DA is at 4.
8096 b1 = gen_mac_multicast(cstate, 4);
8100 * Now OR together the last two checks. That gives
8101 * the complete set of checks for data frames.
8106 * Now check for a data frame.
8107 * I.e, check "link[0] & 0x08".
8109 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8110 b1 = new_block(cstate, JMP(BPF_JSET));
8115 * AND that with the checks done for data frames.
8120 * If the high-order bit of the type value is 0, this
8121 * is a management frame.
8122 * I.e, check "!(link[0] & 0x08)".
8124 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8125 b2 = new_block(cstate, JMP(BPF_JSET));
8131 * For management frames, the DA is at 4.
8133 b1 = gen_mac_multicast(cstate, 4);
8137 * OR that with the checks done for data frames.
8138 * That gives the checks done for management and
8144 * If the low-order bit of the type value is 1,
8145 * this is either a control frame or a frame
8146 * with a reserved type, and thus not a
8149 * I.e., check "!(link[0] & 0x04)".
8151 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8152 b1 = new_block(cstate, JMP(BPF_JSET));
8158 * AND that with the checks for data and management
8163 case DLT_IP_OVER_FC:
8164 b0 = gen_mac_multicast(cstate, 2);
8169 /* Link not known to support multicasts */
8173 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8174 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224);
8179 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8180 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255);
8184 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8189 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
8190 * Outbound traffic is sent by this machine, while inbound traffic is
8191 * sent by a remote machine (and may include packets destined for a
8192 * unicast or multicast link-layer address we are not subscribing to).
8193 * These are the same definitions implemented by pcap_setdirection().
8194 * Capturing only unicast traffic destined for this host is probably
8195 * better accomplished using a higher-layer filter.
8198 gen_inbound(compiler_state_t *cstate, int dir)
8200 register struct block *b0;
8203 * Catch errors reported by us and routines below us, and return NULL
8206 if (setjmp(cstate->top_ctx))
8210 * Only some data link types support inbound/outbound qualifiers.
8212 switch (cstate->linktype) {
8214 b0 = gen_relation_internal(cstate, BPF_JEQ,
8215 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1),
8216 gen_loadi_internal(cstate, 0),
8222 /* match outgoing packets */
8223 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
8225 /* match incoming packets */
8226 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
8231 /* match outgoing packets */
8232 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8234 /* to filter on inbound traffic, invert the match */
8239 case DLT_LINUX_SLL2:
8240 /* match outgoing packets */
8241 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8243 /* to filter on inbound traffic, invert the match */
8248 #ifdef HAVE_NET_PFVAR_H
8250 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8251 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
8257 /* match outgoing packets */
8258 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
8260 /* match incoming packets */
8261 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
8265 case DLT_JUNIPER_MFR:
8266 case DLT_JUNIPER_MLFR:
8267 case DLT_JUNIPER_MLPPP:
8268 case DLT_JUNIPER_ATM1:
8269 case DLT_JUNIPER_ATM2:
8270 case DLT_JUNIPER_PPPOE:
8271 case DLT_JUNIPER_PPPOE_ATM:
8272 case DLT_JUNIPER_GGSN:
8273 case DLT_JUNIPER_ES:
8274 case DLT_JUNIPER_MONITOR:
8275 case DLT_JUNIPER_SERVICES:
8276 case DLT_JUNIPER_ETHER:
8277 case DLT_JUNIPER_PPP:
8278 case DLT_JUNIPER_FRELAY:
8279 case DLT_JUNIPER_CHDLC:
8280 case DLT_JUNIPER_VP:
8281 case DLT_JUNIPER_ST:
8282 case DLT_JUNIPER_ISM:
8283 case DLT_JUNIPER_VS:
8284 case DLT_JUNIPER_SRX_E2E:
8285 case DLT_JUNIPER_FIBRECHANNEL:
8286 case DLT_JUNIPER_ATM_CEMIC:
8288 /* juniper flags (including direction) are stored
8289 * the byte after the 3-byte magic number */
8291 /* match outgoing packets */
8292 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
8294 /* match incoming packets */
8295 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
8301 * If we have packet meta-data indicating a direction,
8302 * and that metadata can be checked by BPF code, check
8303 * it. Otherwise, give up, as this link-layer type has
8304 * nothing in the packet data.
8306 * Currently, the only platform where a BPF filter can
8307 * check that metadata is Linux with the in-kernel
8308 * BPF interpreter. If other packet capture mechanisms
8309 * and BPF filters also supported this, it would be
8310 * nice. It would be even better if they made that
8311 * metadata available so that we could provide it
8312 * with newer capture APIs, allowing it to be saved
8315 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
8317 * This is Linux with PF_PACKET support.
8318 * If this is a *live* capture, we can look at
8319 * special meta-data in the filter expression;
8320 * if it's a savefile, we can't.
8322 if (cstate->bpf_pcap->rfile != NULL) {
8323 /* We have a FILE *, so this is a savefile */
8324 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles",
8325 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8329 /* match outgoing packets */
8330 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8333 /* to filter on inbound traffic, invert the match */
8336 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
8337 bpf_error(cstate, "inbound/outbound not supported on %s",
8338 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8340 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
8345 #ifdef HAVE_NET_PFVAR_H
8346 /* PF firewall log matched interface */
8348 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8354 * Catch errors reported by us and routines below us, and return NULL
8357 if (setjmp(cstate->top_ctx))
8360 if (cstate->linktype != DLT_PFLOG) {
8361 bpf_error(cstate, "ifname supported only on PF linktype");
8364 len = sizeof(((struct pfloghdr *)0)->ifname);
8365 off = offsetof(struct pfloghdr, ifname);
8366 if (strlen(ifname) >= len) {
8367 bpf_error(cstate, "ifname interface names can only be %d characters",
8371 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8372 (const u_char *)ifname);
8376 /* PF firewall log ruleset name */
8378 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8383 * Catch errors reported by us and routines below us, and return NULL
8386 if (setjmp(cstate->top_ctx))
8389 if (cstate->linktype != DLT_PFLOG) {
8390 bpf_error(cstate, "ruleset supported only on PF linktype");
8394 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8395 bpf_error(cstate, "ruleset names can only be %ld characters",
8396 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8400 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8401 (u_int)strlen(ruleset), (const u_char *)ruleset);
8405 /* PF firewall log rule number */
8407 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8412 * Catch errors reported by us and routines below us, and return NULL
8415 if (setjmp(cstate->top_ctx))
8418 if (cstate->linktype != DLT_PFLOG) {
8419 bpf_error(cstate, "rnr supported only on PF linktype");
8423 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8428 /* PF firewall log sub-rule number */
8430 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8435 * Catch errors reported by us and routines below us, and return NULL
8438 if (setjmp(cstate->top_ctx))
8441 if (cstate->linktype != DLT_PFLOG) {
8442 bpf_error(cstate, "srnr supported only on PF linktype");
8446 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8451 /* PF firewall log reason code */
8453 gen_pf_reason(compiler_state_t *cstate, int reason)
8458 * Catch errors reported by us and routines below us, and return NULL
8461 if (setjmp(cstate->top_ctx))
8464 if (cstate->linktype != DLT_PFLOG) {
8465 bpf_error(cstate, "reason supported only on PF linktype");
8469 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8474 /* PF firewall log action */
8476 gen_pf_action(compiler_state_t *cstate, int action)
8481 * Catch errors reported by us and routines below us, and return NULL
8484 if (setjmp(cstate->top_ctx))
8487 if (cstate->linktype != DLT_PFLOG) {
8488 bpf_error(cstate, "action supported only on PF linktype");
8492 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8496 #else /* !HAVE_NET_PFVAR_H */
8498 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_)
8501 * Catch errors reported by us and routines below us, and return NULL
8504 if (setjmp(cstate->top_ctx))
8507 bpf_error(cstate, "libpcap was compiled without pf support");
8512 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_)
8515 * Catch errors reported by us and routines below us, and return NULL
8518 if (setjmp(cstate->top_ctx))
8521 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8526 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_)
8529 * Catch errors reported by us and routines below us, and return NULL
8532 if (setjmp(cstate->top_ctx))
8535 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8540 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_)
8543 * Catch errors reported by us and routines below us, and return NULL
8546 if (setjmp(cstate->top_ctx))
8549 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8554 gen_pf_reason(compiler_state_t *cstate, int reason _U_)
8557 * Catch errors reported by us and routines below us, and return NULL
8560 if (setjmp(cstate->top_ctx))
8563 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8568 gen_pf_action(compiler_state_t *cstate, int action _U_)
8571 * Catch errors reported by us and routines below us, and return NULL
8574 if (setjmp(cstate->top_ctx))
8577 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8580 #endif /* HAVE_NET_PFVAR_H */
8582 /* IEEE 802.11 wireless header */
8584 gen_p80211_type(compiler_state_t *cstate, int type, int mask)
8589 * Catch errors reported by us and routines below us, and return NULL
8592 if (setjmp(cstate->top_ctx))
8595 switch (cstate->linktype) {
8597 case DLT_IEEE802_11:
8598 case DLT_PRISM_HEADER:
8599 case DLT_IEEE802_11_RADIO_AVS:
8600 case DLT_IEEE802_11_RADIO:
8601 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
8606 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8614 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir)
8619 * Catch errors reported by us and routines below us, and return NULL
8622 if (setjmp(cstate->top_ctx))
8625 switch (cstate->linktype) {
8627 case DLT_IEEE802_11:
8628 case DLT_PRISM_HEADER:
8629 case DLT_IEEE802_11_RADIO_AVS:
8630 case DLT_IEEE802_11_RADIO:
8634 bpf_error(cstate, "frame direction supported only with 802.11 headers");
8638 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
8639 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
8645 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8650 * Catch errors reported by us and routines below us, and return NULL
8653 if (setjmp(cstate->top_ctx))
8656 switch (cstate->linktype) {
8659 case DLT_ARCNET_LINUX:
8660 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8661 q.proto == Q_LINK) {
8662 cstate->e = pcap_ether_aton(s);
8663 if (cstate->e == NULL)
8664 bpf_error(cstate, "malloc");
8665 b = gen_ahostop(cstate, cstate->e, (int)q.dir);
8670 bpf_error(cstate, "ARCnet address used in non-arc expression");
8674 bpf_error(cstate, "aid supported only on ARCnet");
8679 static struct block *
8680 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
8682 register struct block *b0, *b1;
8685 /* src comes first, different from Ethernet */
8687 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
8690 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
8693 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8694 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8700 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8701 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8706 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
8710 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
8714 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
8718 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
8722 bpf_error(cstate, "'ra' is only supported on 802.11");
8726 bpf_error(cstate, "'ta' is only supported on 802.11");
8733 static struct block *
8734 gen_vlan_tpid_test(compiler_state_t *cstate)
8736 struct block *b0, *b1;
8738 /* check for VLAN, including QinQ */
8739 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8740 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8743 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8749 static struct block *
8750 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8752 if (vlan_num > 0x0fff) {
8753 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
8756 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff);
8759 static struct block *
8760 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8763 struct block *b0, *b1;
8765 b0 = gen_vlan_tpid_test(cstate);
8768 b1 = gen_vlan_vid_test(cstate, vlan_num);
8774 * Both payload and link header type follow the VLAN tags so that
8775 * both need to be updated.
8777 cstate->off_linkpl.constant_part += 4;
8778 cstate->off_linktype.constant_part += 4;
8783 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8784 /* add v to variable part of off */
8786 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s)
8790 if (!off->is_variable)
8791 off->is_variable = 1;
8793 off->reg = alloc_reg(cstate);
8795 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8798 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8801 s2 = new_stmt(cstate, BPF_ST);
8807 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8808 * and link type offsets first
8811 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8815 /* offset determined at run time, shift variable part */
8817 cstate->is_vlan_vloffset = 1;
8818 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8819 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8821 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8822 sappend(s.next, b_tpid->head->stmts);
8823 b_tpid->head->stmts = s.next;
8827 * patch block b_vid (VLAN id test) to load VID value either from packet
8828 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8831 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8833 struct slist *s, *s2, *sjeq;
8836 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8837 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8839 /* true -> next instructions, false -> beginning of b_vid */
8840 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8842 sjeq->s.jf = b_vid->stmts;
8845 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8846 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8850 /* Jump to the test in b_vid. We need to jump one instruction before
8851 * the end of the b_vid block so that we only skip loading the TCI
8852 * from packet data and not the 'and' instruction extractging VID.
8855 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8857 s2 = new_stmt(cstate, JMP(BPF_JA));
8861 /* insert our statements at the beginning of b_vid */
8862 sappend(s, b_vid->stmts);
8867 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8868 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8869 * tag can be either in metadata or in packet data; therefore if the
8870 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8871 * header for VLAN tag. As the decision is done at run time, we need
8872 * update variable part of the offsets
8874 static struct block *
8875 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8878 struct block *b0, *b_tpid, *b_vid = NULL;
8881 /* generate new filter code based on extracting packet
8883 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8884 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8886 b0 = new_block(cstate, JMP(BPF_JEQ));
8891 * This is tricky. We need to insert the statements updating variable
8892 * parts of offsets before the the traditional TPID and VID tests so
8893 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8894 * we do not want this update to affect those checks. That's why we
8895 * generate both test blocks first and insert the statements updating
8896 * variable parts of both offsets after that. This wouldn't work if
8897 * there already were variable length link header when entering this
8898 * function but gen_vlan_bpf_extensions() isn't called in that case.
8900 b_tpid = gen_vlan_tpid_test(cstate);
8902 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8904 gen_vlan_patch_tpid_test(cstate, b_tpid);
8909 gen_vlan_patch_vid_test(cstate, b_vid);
8919 * support IEEE 802.1Q VLAN trunk over ethernet
8922 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
8927 * Catch errors reported by us and routines below us, and return NULL
8930 if (setjmp(cstate->top_ctx))
8933 /* can't check for VLAN-encapsulated packets inside MPLS */
8934 if (cstate->label_stack_depth > 0)
8935 bpf_error(cstate, "no VLAN match after MPLS");
8938 * Check for a VLAN packet, and then change the offsets to point
8939 * to the type and data fields within the VLAN packet. Just
8940 * increment the offsets, so that we can support a hierarchy, e.g.
8941 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8944 * XXX - this is a bit of a kludge. If we were to split the
8945 * compiler into a parser that parses an expression and
8946 * generates an expression tree, and a code generator that
8947 * takes an expression tree (which could come from our
8948 * parser or from some other parser) and generates BPF code,
8949 * we could perhaps make the offsets parameters of routines
8950 * and, in the handler for an "AND" node, pass to subnodes
8951 * other than the VLAN node the adjusted offsets.
8953 * This would mean that "vlan" would, instead of changing the
8954 * behavior of *all* tests after it, change only the behavior
8955 * of tests ANDed with it. That would change the documented
8956 * semantics of "vlan", which might break some expressions.
8957 * However, it would mean that "(vlan and ip) or ip" would check
8958 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8959 * checking only for VLAN-encapsulated IP, so that could still
8960 * be considered worth doing; it wouldn't break expressions
8961 * that are of the form "vlan and ..." or "vlan N and ...",
8962 * which I suspect are the most common expressions involving
8963 * "vlan". "vlan or ..." doesn't necessarily do what the user
8964 * would really want, now, as all the "or ..." tests would
8965 * be done assuming a VLAN, even though the "or" could be viewed
8966 * as meaning "or, if this isn't a VLAN packet...".
8968 switch (cstate->linktype) {
8971 case DLT_NETANALYZER:
8972 case DLT_NETANALYZER_TRANSPARENT:
8973 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8974 /* Verify that this is the outer part of the packet and
8975 * not encapsulated somehow. */
8976 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8977 cstate->off_linkhdr.constant_part ==
8978 cstate->off_outermostlinkhdr.constant_part) {
8980 * Do we need special VLAN handling?
8982 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8983 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
8986 b0 = gen_vlan_no_bpf_extensions(cstate,
8987 vlan_num, has_vlan_tag);
8990 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
8994 case DLT_IEEE802_11:
8995 case DLT_PRISM_HEADER:
8996 case DLT_IEEE802_11_RADIO_AVS:
8997 case DLT_IEEE802_11_RADIO:
8998 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9002 bpf_error(cstate, "no VLAN support for %s",
9003 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9007 cstate->vlan_stack_depth++;
9015 * The label_num_arg dance is to avoid annoying whining by compilers that
9016 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9017 * It's not *used* after setjmp returns.
9020 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg,
9023 volatile bpf_u_int32 label_num = label_num_arg;
9024 struct block *b0, *b1;
9027 * Catch errors reported by us and routines below us, and return NULL
9030 if (setjmp(cstate->top_ctx))
9033 if (cstate->label_stack_depth > 0) {
9034 /* just match the bottom-of-stack bit clear */
9035 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9038 * We're not in an MPLS stack yet, so check the link-layer
9039 * type against MPLS.
9041 switch (cstate->linktype) {
9043 case DLT_C_HDLC: /* fall through */
9045 case DLT_NETANALYZER:
9046 case DLT_NETANALYZER_TRANSPARENT:
9047 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9051 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9054 /* FIXME add other DLT_s ...
9055 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9056 * leave it for now */
9059 bpf_error(cstate, "no MPLS support for %s",
9060 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9065 /* If a specific MPLS label is requested, check it */
9066 if (has_label_num) {
9067 if (label_num > 0xFFFFF) {
9068 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9069 label_num, 0xFFFFF);
9071 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9072 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
9073 0xfffff000); /* only compare the first 20 bits */
9079 * Change the offsets to point to the type and data fields within
9080 * the MPLS packet. Just increment the offsets, so that we
9081 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9082 * capture packets with an outer label of 100000 and an inner
9085 * Increment the MPLS stack depth as well; this indicates that
9086 * we're checking MPLS-encapsulated headers, to make sure higher
9087 * level code generators don't try to match against IP-related
9088 * protocols such as Q_ARP, Q_RARP etc.
9090 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9092 cstate->off_nl_nosnap += 4;
9093 cstate->off_nl += 4;
9094 cstate->label_stack_depth++;
9099 * Support PPPOE discovery and session.
9102 gen_pppoed(compiler_state_t *cstate)
9105 * Catch errors reported by us and routines below us, and return NULL
9108 if (setjmp(cstate->top_ctx))
9111 /* check for PPPoE discovery */
9112 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED);
9116 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9118 struct block *b0, *b1;
9121 * Catch errors reported by us and routines below us, and return NULL
9124 if (setjmp(cstate->top_ctx))
9128 * Test against the PPPoE session link-layer type.
9130 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES);
9132 /* If a specific session is requested, check PPPoE session id */
9134 if (sess_num > 0x0000ffff) {
9135 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9136 sess_num, 0x0000ffff);
9138 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W,
9139 (bpf_int32)sess_num, 0x0000ffff);
9145 * Change the offsets to point to the type and data fields within
9146 * the PPP packet, and note that this is PPPoE rather than
9149 * XXX - this is a bit of a kludge. See the comments in
9152 * The "network-layer" protocol is PPPoE, which has a 6-byte
9153 * PPPoE header, followed by a PPP packet.
9155 * There is no HDLC encapsulation for the PPP packet (it's
9156 * encapsulated in PPPoES instead), so the link-layer type
9157 * starts at the first byte of the PPP packet. For PPPoE,
9158 * that offset is relative to the beginning of the total
9159 * link-layer payload, including any 802.2 LLC header, so
9160 * it's 6 bytes past cstate->off_nl.
9162 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9163 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9164 cstate->off_linkpl.reg);
9166 cstate->off_linktype = cstate->off_linkhdr;
9167 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9170 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9175 /* Check that this is Geneve and the VNI is correct if
9176 * specified. Parameterized to handle both IPv4 and IPv6. */
9177 static struct block *
9178 gen_geneve_check(compiler_state_t *cstate,
9179 struct block *(*gen_portfn)(compiler_state_t *, int, int, int),
9180 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9182 struct block *b0, *b1;
9184 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9186 /* Check that we are operating on version 0. Otherwise, we
9187 * can't decode the rest of the fields. The version is 2 bits
9188 * in the first byte of the Geneve header. */
9189 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
9194 if (vni > 0xffffff) {
9195 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9198 vni <<= 8; /* VNI is in the upper 3 bytes */
9199 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni,
9208 /* The IPv4 and IPv6 Geneve checks need to do two things:
9209 * - Verify that this actually is Geneve with the right VNI.
9210 * - Place the IP header length (plus variable link prefix if
9211 * needed) into register A to be used later to compute
9212 * the inner packet offsets. */
9213 static struct block *
9214 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9216 struct block *b0, *b1;
9217 struct slist *s, *s1;
9219 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9221 /* Load the IP header length into A. */
9222 s = gen_loadx_iphdrlen(cstate);
9224 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9227 /* Forcibly append these statements to the true condition
9228 * of the protocol check by creating a new block that is
9229 * always true and ANDing them. */
9230 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9239 static struct block *
9240 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9242 struct block *b0, *b1;
9243 struct slist *s, *s1;
9245 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9247 /* Load the IP header length. We need to account for a
9248 * variable length link prefix if there is one. */
9249 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9251 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9255 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9259 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9263 /* Forcibly append these statements to the true condition
9264 * of the protocol check by creating a new block that is
9265 * always true and ANDing them. */
9266 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9269 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9278 /* We need to store three values based on the Geneve header::
9279 * - The offset of the linktype.
9280 * - The offset of the end of the Geneve header.
9281 * - The offset of the end of the encapsulated MAC header. */
9282 static struct slist *
9283 gen_geneve_offsets(compiler_state_t *cstate)
9285 struct slist *s, *s1, *s_proto;
9287 /* First we need to calculate the offset of the Geneve header
9288 * itself. This is composed of the IP header previously calculated
9289 * (include any variable link prefix) and stored in A plus the
9290 * fixed sized headers (fixed link prefix, MAC length, and UDP
9292 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9293 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9295 /* Stash this in X since we'll need it later. */
9296 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9299 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9301 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9305 cstate->off_linktype.reg = alloc_reg(cstate);
9306 cstate->off_linktype.is_variable = 1;
9307 cstate->off_linktype.constant_part = 0;
9309 s1 = new_stmt(cstate, BPF_ST);
9310 s1->s.k = cstate->off_linktype.reg;
9313 /* Load the Geneve option length and mask and shift to get the
9314 * number of bytes. It is stored in the first byte of the Geneve
9316 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9320 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9324 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9328 /* Add in the rest of the Geneve base header. */
9329 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9333 /* Add the Geneve header length to its offset and store. */
9334 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9338 /* Set the encapsulated type as Ethernet. Even though we may
9339 * not actually have Ethernet inside there are two reasons this
9341 * - The linktype field is always in EtherType format regardless
9342 * of whether it is in Geneve or an inner Ethernet frame.
9343 * - The only link layer that we have specific support for is
9344 * Ethernet. We will confirm that the packet actually is
9345 * Ethernet at runtime before executing these checks. */
9346 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9348 s1 = new_stmt(cstate, BPF_ST);
9349 s1->s.k = cstate->off_linkhdr.reg;
9352 /* Calculate whether we have an Ethernet header or just raw IP/
9353 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9354 * and linktype by 14 bytes so that the network header can be found
9355 * seamlessly. Otherwise, keep what we've calculated already. */
9357 /* We have a bare jmp so we can't use the optimizer. */
9358 cstate->no_optimize = 1;
9360 /* Load the EtherType in the Geneve header, 2 bytes in. */
9361 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9365 /* Load X with the end of the Geneve header. */
9366 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9367 s1->s.k = cstate->off_linkhdr.reg;
9370 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9371 * end of this check, we should have the total length in X. In
9372 * the non-Ethernet case, it's already there. */
9373 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9374 s_proto->s.k = ETHERTYPE_TEB;
9375 sappend(s, s_proto);
9377 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9381 /* Since this is Ethernet, use the EtherType of the payload
9382 * directly as the linktype. Overwrite what we already have. */
9383 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9387 s1 = new_stmt(cstate, BPF_ST);
9388 s1->s.k = cstate->off_linktype.reg;
9391 /* Advance two bytes further to get the end of the Ethernet
9393 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9397 /* Move the result to X. */
9398 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9401 /* Store the final result of our linkpl calculation. */
9402 cstate->off_linkpl.reg = alloc_reg(cstate);
9403 cstate->off_linkpl.is_variable = 1;
9404 cstate->off_linkpl.constant_part = 0;
9406 s1 = new_stmt(cstate, BPF_STX);
9407 s1->s.k = cstate->off_linkpl.reg;
9416 /* Check to see if this is a Geneve packet. */
9418 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9420 struct block *b0, *b1;
9424 * Catch errors reported by us and routines below us, and return NULL
9427 if (setjmp(cstate->top_ctx))
9430 b0 = gen_geneve4(cstate, vni, has_vni);
9431 b1 = gen_geneve6(cstate, vni, has_vni);
9436 /* Later filters should act on the payload of the Geneve frame,
9437 * update all of the header pointers. Attach this code so that
9438 * it gets executed in the event that the Geneve filter matches. */
9439 s = gen_geneve_offsets(cstate);
9441 b1 = gen_true(cstate);
9442 sappend(s, b1->stmts);
9447 cstate->is_geneve = 1;
9452 /* Check that the encapsulated frame has a link layer header
9453 * for Ethernet filters. */
9454 static struct block *
9455 gen_geneve_ll_check(compiler_state_t *cstate)
9458 struct slist *s, *s1;
9460 /* The easiest way to see if there is a link layer present
9461 * is to check if the link layer header and payload are not
9464 /* Geneve always generates pure variable offsets so we can
9465 * compare only the registers. */
9466 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9467 s->s.k = cstate->off_linkhdr.reg;
9469 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9470 s1->s.k = cstate->off_linkpl.reg;
9473 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9481 static struct block *
9482 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9483 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse)
9490 if (!cstate->is_atm)
9491 bpf_error(cstate, "'vpi' supported only on raw ATM");
9492 if (cstate->off_vpi == OFFSET_NOT_SET)
9494 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype,
9499 if (!cstate->is_atm)
9500 bpf_error(cstate, "'vci' supported only on raw ATM");
9501 if (cstate->off_vci == OFFSET_NOT_SET)
9503 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype,
9508 if (cstate->off_proto == OFFSET_NOT_SET)
9509 abort(); /* XXX - this isn't on FreeBSD */
9510 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype,
9515 if (cstate->off_payload == OFFSET_NOT_SET)
9517 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9518 0xffffffff, jtype, reverse, jvalue);
9522 if (!cstate->is_atm)
9523 bpf_error(cstate, "'callref' supported only on raw ATM");
9524 if (cstate->off_proto == OFFSET_NOT_SET)
9526 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff,
9527 jtype, reverse, jvalue);
9536 static struct block *
9537 gen_atmtype_metac(compiler_state_t *cstate)
9539 struct block *b0, *b1;
9541 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9542 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9547 static struct block *
9548 gen_atmtype_sc(compiler_state_t *cstate)
9550 struct block *b0, *b1;
9552 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9553 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9558 static struct block *
9559 gen_atmtype_llc(compiler_state_t *cstate)
9563 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9564 cstate->linktype = cstate->prevlinktype;
9569 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9570 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse)
9573 * Catch errors reported by us and routines below us, and return NULL
9576 if (setjmp(cstate->top_ctx))
9579 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9584 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9586 struct block *b0, *b1;
9589 * Catch errors reported by us and routines below us, and return NULL
9592 if (setjmp(cstate->top_ctx))
9598 /* Get all packets in Meta signalling Circuit */
9599 if (!cstate->is_atm)
9600 bpf_error(cstate, "'metac' supported only on raw ATM");
9601 b1 = gen_atmtype_metac(cstate);
9605 /* Get all packets in Broadcast Circuit*/
9606 if (!cstate->is_atm)
9607 bpf_error(cstate, "'bcc' supported only on raw ATM");
9608 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9609 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9614 /* Get all cells in Segment OAM F4 circuit*/
9615 if (!cstate->is_atm)
9616 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
9617 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9618 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9623 /* Get all cells in End-to-End OAM F4 Circuit*/
9624 if (!cstate->is_atm)
9625 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
9626 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9627 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9632 /* Get all packets in connection Signalling Circuit */
9633 if (!cstate->is_atm)
9634 bpf_error(cstate, "'sc' supported only on raw ATM");
9635 b1 = gen_atmtype_sc(cstate);
9639 /* Get all packets in ILMI Circuit */
9640 if (!cstate->is_atm)
9641 bpf_error(cstate, "'ilmic' supported only on raw ATM");
9642 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9643 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9648 /* Get all LANE packets */
9649 if (!cstate->is_atm)
9650 bpf_error(cstate, "'lane' supported only on raw ATM");
9651 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
9654 * Arrange that all subsequent tests assume LANE
9655 * rather than LLC-encapsulated packets, and set
9656 * the offsets appropriately for LANE-encapsulated
9659 * We assume LANE means Ethernet, not Token Ring.
9661 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9662 cstate->off_payload + 2, /* Ethernet header */
9664 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
9665 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
9666 cstate->off_nl = 0; /* Ethernet II */
9667 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
9671 /* Get all LLC-encapsulated packets */
9672 if (!cstate->is_atm)
9673 bpf_error(cstate, "'llc' supported only on raw ATM");
9674 b1 = gen_atmtype_llc(cstate);
9684 * Filtering for MTP2 messages based on li value
9685 * FISU, length is null
9686 * LSSU, length is 1 or 2
9687 * MSU, length is 3 or more
9688 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
9691 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
9693 struct block *b0, *b1;
9696 * Catch errors reported by us and routines below us, and return NULL
9699 if (setjmp(cstate->top_ctx))
9705 if ( (cstate->linktype != DLT_MTP2) &&
9706 (cstate->linktype != DLT_ERF) &&
9707 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9708 bpf_error(cstate, "'fisu' supported only on MTP2");
9709 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9710 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
9714 if ( (cstate->linktype != DLT_MTP2) &&
9715 (cstate->linktype != DLT_ERF) &&
9716 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9717 bpf_error(cstate, "'lssu' supported only on MTP2");
9718 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
9719 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
9724 if ( (cstate->linktype != DLT_MTP2) &&
9725 (cstate->linktype != DLT_ERF) &&
9726 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9727 bpf_error(cstate, "'msu' supported only on MTP2");
9728 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
9732 if ( (cstate->linktype != DLT_MTP2) &&
9733 (cstate->linktype != DLT_ERF) &&
9734 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9735 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
9736 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9737 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
9741 if ( (cstate->linktype != DLT_MTP2) &&
9742 (cstate->linktype != DLT_ERF) &&
9743 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9744 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
9745 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
9746 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
9751 if ( (cstate->linktype != DLT_MTP2) &&
9752 (cstate->linktype != DLT_ERF) &&
9753 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9754 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
9755 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
9765 * The jvalue_arg dance is to avoid annoying whining by compilers that
9766 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9767 * It's not *used* after setjmp returns.
9770 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
9771 bpf_u_int32 jvalue_arg, bpf_u_int32 jtype, int reverse)
9773 volatile bpf_u_int32 jvalue = jvalue_arg;
9775 bpf_u_int32 val1 , val2 , val3;
9782 * Catch errors reported by us and routines below us, and return NULL
9785 if (setjmp(cstate->top_ctx))
9788 newoff_sio = cstate->off_sio;
9789 newoff_opc = cstate->off_opc;
9790 newoff_dpc = cstate->off_dpc;
9791 newoff_sls = cstate->off_sls;
9792 switch (mtp3field) {
9795 newoff_sio += 3; /* offset for MTP2_HSL */
9799 if (cstate->off_sio == OFFSET_NOT_SET)
9800 bpf_error(cstate, "'sio' supported only on SS7");
9801 /* sio coded on 1 byte so max value 255 */
9803 bpf_error(cstate, "sio value %u too big; max value = 255",
9805 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
9806 (u_int)jtype, reverse, (u_int)jvalue);
9814 if (cstate->off_opc == OFFSET_NOT_SET)
9815 bpf_error(cstate, "'opc' supported only on SS7");
9816 /* opc coded on 14 bits so max value 16383 */
9818 bpf_error(cstate, "opc value %u too big; max value = 16383",
9820 /* the following instructions are made to convert jvalue
9821 * to the form used to write opc in an ss7 message*/
9822 val1 = jvalue & 0x00003c00;
9824 val2 = jvalue & 0x000003fc;
9826 val3 = jvalue & 0x00000003;
9828 jvalue = val1 + val2 + val3;
9829 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
9830 (u_int)jtype, reverse, (u_int)jvalue);
9838 if (cstate->off_dpc == OFFSET_NOT_SET)
9839 bpf_error(cstate, "'dpc' supported only on SS7");
9840 /* dpc coded on 14 bits so max value 16383 */
9842 bpf_error(cstate, "dpc value %u too big; max value = 16383",
9844 /* the following instructions are made to convert jvalue
9845 * to the forme used to write dpc in an ss7 message*/
9846 val1 = jvalue & 0x000000ff;
9848 val2 = jvalue & 0x00003f00;
9850 jvalue = val1 + val2;
9851 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
9852 (u_int)jtype, reverse, (u_int)jvalue);
9860 if (cstate->off_sls == OFFSET_NOT_SET)
9861 bpf_error(cstate, "'sls' supported only on SS7");
9862 /* sls coded on 4 bits so max value 15 */
9864 bpf_error(cstate, "sls value %u too big; max value = 15",
9866 /* the following instruction is made to convert jvalue
9867 * to the forme used to write sls in an ss7 message*/
9868 jvalue = jvalue << 4;
9869 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0,
9870 (u_int)jtype,reverse, (u_int)jvalue);
9879 static struct block *
9880 gen_msg_abbrev(compiler_state_t *cstate, int type)
9885 * Q.2931 signalling protocol messages for handling virtual circuits
9886 * establishment and teardown
9891 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9895 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9899 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9903 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9907 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9910 case A_RELEASE_DONE:
9911 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9921 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9923 struct block *b0, *b1;
9926 * Catch errors reported by us and routines below us, and return NULL
9929 if (setjmp(cstate->top_ctx))
9935 if (!cstate->is_atm)
9936 bpf_error(cstate, "'oam' supported only on raw ATM");
9938 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9939 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9941 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9946 if (!cstate->is_atm)
9947 bpf_error(cstate, "'oamf4' supported only on raw ATM");
9949 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9950 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9952 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9958 * Get Q.2931 signalling messages for switched
9959 * virtual connection
9961 if (!cstate->is_atm)
9962 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
9963 b0 = gen_msg_abbrev(cstate, A_SETUP);
9964 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9966 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9968 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
9970 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9972 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9974 b0 = gen_atmtype_sc(cstate);
9979 if (!cstate->is_atm)
9980 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
9981 b0 = gen_msg_abbrev(cstate, A_SETUP);
9982 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9984 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9986 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9988 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9990 b0 = gen_atmtype_metac(cstate);
projects / dragonfly.git / blob