1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.193.2.8 2004/03/29 20:53:47 guy Exp $ (LBL)";
32 #include <pcap-stdinc.h>
34 #include <sys/types.h>
35 #include <sys/socket.h>
40 * XXX - why was this included even on UNIX?
49 #include <sys/param.h>
52 #include <netinet/in.h>
64 #include "ethertype.h"
69 #include "sunatmpos.h"
75 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #include <netdb.h> /* for "struct addrinfo" */
82 #include <pcap-namedb.h>
87 #define IPPROTO_SCTP 132
90 #ifdef HAVE_OS_PROTO_H
94 #define JMP(c) ((c)|BPF_JMP|BPF_K)
97 static jmp_buf top_ctx;
98 static pcap_t *bpf_pcap;
100 /* Hack for updating VLAN offsets. */
101 static u_int orig_linktype = -1, orig_nl = -1, orig_nl_nosnap = -1;
105 int pcap_fddipad = PCAP_FDDIPAD;
112 bpf_error(const char *fmt, ...)
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
126 static void init_linktype(int);
128 static int alloc_reg(void);
129 static void free_reg(int);
131 static struct block *root;
134 * We divy out chunks of memory rather than call malloc each time so
135 * we don't have to worry about leaking memory. It's probably
136 * not a big deal if all this memory was wasted but it this ever
137 * goes into a library that would probably not be a good idea.
140 #define CHUNK0SIZE 1024
146 static struct chunk chunks[NCHUNKS];
147 static int cur_chunk;
149 static void *newchunk(u_int);
150 static void freechunks(void);
151 static inline struct block *new_block(int);
152 static inline struct slist *new_stmt(int);
153 static struct block *gen_retblk(int);
154 static inline void syntax(void);
156 static void backpatch(struct block *, struct block *);
157 static void merge(struct block *, struct block *);
158 static struct block *gen_cmp(u_int, u_int, bpf_int32);
159 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
160 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
161 static struct block *gen_bcmp(u_int, u_int, const u_char *);
162 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
163 bpf_u_int32, bpf_u_int32, int);
164 static struct block *gen_uncond(int);
165 static inline struct block *gen_true(void);
166 static inline struct block *gen_false(void);
167 static struct block *gen_ether_linktype(int);
168 static struct block *gen_linktype(int);
169 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
170 static struct block *gen_llc(int);
171 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
173 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
175 static struct block *gen_ahostop(const u_char *, int);
176 static struct block *gen_ehostop(const u_char *, int);
177 static struct block *gen_fhostop(const u_char *, int);
178 static struct block *gen_thostop(const u_char *, int);
179 static struct block *gen_wlanhostop(const u_char *, int);
180 static struct block *gen_ipfchostop(const u_char *, int);
181 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
182 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
184 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
187 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
189 static struct block *gen_ipfrag(void);
190 static struct block *gen_portatom(int, bpf_int32);
192 static struct block *gen_portatom6(int, bpf_int32);
194 struct block *gen_portop(int, int, int);
195 static struct block *gen_port(int, int, int);
197 struct block *gen_portop6(int, int, int);
198 static struct block *gen_port6(int, int, int);
200 static int lookup_proto(const char *, int);
201 static struct block *gen_protochain(int, int, int);
202 static struct block *gen_proto(int, int, int);
203 static struct slist *xfer_to_x(struct arth *);
204 static struct slist *xfer_to_a(struct arth *);
205 static struct block *gen_mac_multicast(int);
206 static struct block *gen_len(int, int);
208 static struct block *gen_msg_abbrev(int type);
219 /* XXX Round up to nearest long. */
220 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
222 /* XXX Round up to structure boundary. */
226 cp = &chunks[cur_chunk];
227 if (n > cp->n_left) {
228 ++cp, k = ++cur_chunk;
230 bpf_error("out of memory");
231 size = CHUNK0SIZE << k;
232 cp->m = (void *)malloc(size);
234 bpf_error("out of memory");
235 memset((char *)cp->m, 0, size);
238 bpf_error("out of memory");
241 return (void *)((char *)cp->m + cp->n_left);
250 for (i = 0; i < NCHUNKS; ++i)
251 if (chunks[i].m != NULL) {
258 * A strdup whose allocations are freed after code generation is over.
262 register const char *s;
264 int n = strlen(s) + 1;
265 char *cp = newchunk(n);
271 static inline struct block *
277 p = (struct block *)newchunk(sizeof(*p));
284 static inline struct slist *
290 p = (struct slist *)newchunk(sizeof(*p));
296 static struct block *
300 struct block *b = new_block(BPF_RET|BPF_K);
309 bpf_error("syntax error in filter expression");
312 static bpf_u_int32 netmask;
317 pcap_compile(pcap_t *p, struct bpf_program *program,
318 char *buf, int optimize, bpf_u_int32 mask)
327 if (setjmp(top_ctx)) {
335 snaplen = pcap_snapshot(p);
337 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
338 "snaplen of 0 rejects all packets");
342 lex_init(buf ? buf : "");
343 init_linktype(pcap_datalink(p));
350 root = gen_retblk(snaplen);
352 if (optimize && !no_optimize) {
355 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
356 bpf_error("expression rejects all packets");
358 program->bf_insns = icode_to_fcode(root, &len);
359 program->bf_len = len;
367 * entry point for using the compiler with no pcap open
368 * pass in all the stuff that is needed explicitly instead.
371 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
372 struct bpf_program *program,
373 char *buf, int optimize, bpf_u_int32 mask)
378 p = pcap_open_dead(linktype_arg, snaplen_arg);
381 ret = pcap_compile(p, program, buf, optimize, mask);
387 * Clean up a "struct bpf_program" by freeing all the memory allocated
391 pcap_freecode(struct bpf_program *program)
394 if (program->bf_insns != NULL) {
395 free((char *)program->bf_insns);
396 program->bf_insns = NULL;
401 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
402 * which of the jt and jf fields has been resolved and which is a pointer
403 * back to another unresolved block (or nil). At least one of the fields
404 * in each block is already resolved.
407 backpatch(list, target)
408 struct block *list, *target;
425 * Merge the lists in b0 and b1, using the 'sense' field to indicate
426 * which of jt and jf is the link.
430 struct block *b0, *b1;
432 register struct block **p = &b0;
434 /* Find end of list. */
436 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
438 /* Concatenate the lists. */
446 backpatch(p, gen_retblk(snaplen));
447 p->sense = !p->sense;
448 backpatch(p, gen_retblk(0));
454 struct block *b0, *b1;
456 backpatch(b0, b1->head);
457 b0->sense = !b0->sense;
458 b1->sense = !b1->sense;
460 b1->sense = !b1->sense;
466 struct block *b0, *b1;
468 b0->sense = !b0->sense;
469 backpatch(b0, b1->head);
470 b0->sense = !b0->sense;
479 b->sense = !b->sense;
482 static struct block *
483 gen_cmp(offset, size, v)
490 s = new_stmt(BPF_LD|BPF_ABS|size);
493 b = new_block(JMP(BPF_JEQ));
500 static struct block *
501 gen_cmp_gt(offset, size, v)
508 s = new_stmt(BPF_LD|BPF_ABS|size);
511 b = new_block(JMP(BPF_JGT));
518 static struct block *
519 gen_mcmp(offset, size, v, mask)
524 struct block *b = gen_cmp(offset, size, v);
527 if (mask != 0xffffffff) {
528 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
535 static struct block *
536 gen_bcmp(offset, size, v)
537 register u_int offset, size;
538 register const u_char *v;
540 register struct block *b, *tmp;
544 register const u_char *p = &v[size - 4];
545 bpf_int32 w = ((bpf_int32)p[0] << 24) |
546 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
548 tmp = gen_cmp(offset + size - 4, BPF_W, w);
555 register const u_char *p = &v[size - 2];
556 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
558 tmp = gen_cmp(offset + size - 2, BPF_H, w);
565 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
573 static struct block *
574 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
575 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
581 s = new_stmt(BPF_LD|datasize|BPF_ABS);
584 if (mask != 0xffffffff) {
585 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
589 b = new_block(JMP(jtype));
592 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
598 * Various code constructs need to know the layout of the data link
599 * layer. These variables give the necessary offsets.
603 * This is the offset of the beginning of the MAC-layer header.
604 * It's usually 0, except for ATM LANE.
606 static u_int off_mac;
609 * "off_linktype" is the offset to information in the link-layer header
610 * giving the packet type.
612 * For Ethernet, it's the offset of the Ethernet type field.
614 * For link-layer types that always use 802.2 headers, it's the
615 * offset of the LLC header.
617 * For PPP, it's the offset of the PPP type field.
619 * For Cisco HDLC, it's the offset of the CHDLC type field.
621 * For BSD loopback, it's the offset of the AF_ value.
623 * For Linux cooked sockets, it's the offset of the type field.
625 * It's set to -1 for no encapsulation, in which case, IP is assumed.
627 static u_int off_linktype;
630 * TRUE if the link layer includes an ATM pseudo-header.
632 static int is_atm = 0;
635 * TRUE if "lane" appeared in the filter; it causes us to generate
636 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
638 static int is_lane = 0;
641 * These are offsets for the ATM pseudo-header.
643 static u_int off_vpi;
644 static u_int off_vci;
645 static u_int off_proto;
648 * This is the offset of the first byte after the ATM pseudo_header,
649 * or -1 if there is no ATM pseudo-header.
651 static u_int off_payload;
654 * These are offsets to the beginning of the network-layer header.
656 * If the link layer never uses 802.2 LLC:
658 * "off_nl" and "off_nl_nosnap" are the same.
660 * If the link layer always uses 802.2 LLC:
662 * "off_nl" is the offset if there's a SNAP header following
665 * "off_nl_nosnap" is the offset if there's no SNAP header.
667 * If the link layer is Ethernet:
669 * "off_nl" is the offset if the packet is an Ethernet II packet
670 * (we assume no 802.3+802.2+SNAP);
672 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
673 * with an 802.2 header following it.
676 static u_int off_nl_nosnap;
687 * Assume it's not raw ATM with a pseudo-header, for now.
705 off_nl = 6; /* XXX in reality, variable! */
706 off_nl_nosnap = 6; /* no 802.2 LLC */
709 case DLT_ARCNET_LINUX:
711 off_nl = 8; /* XXX in reality, variable! */
712 off_nl_nosnap = 8; /* no 802.2 LLC */
717 off_nl = 14; /* Ethernet II */
718 off_nl_nosnap = 17; /* 802.3+802.2 */
723 * SLIP doesn't have a link level type. The 16 byte
724 * header is hacked into our SLIP driver.
728 off_nl_nosnap = 16; /* no 802.2 LLC */
732 /* XXX this may be the same as the DLT_PPP_BSDOS case */
736 off_nl_nosnap = 24; /* no 802.2 LLC */
743 off_nl_nosnap = 4; /* no 802.2 LLC */
749 off_nl_nosnap = 12; /* no 802.2 LLC */
753 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
754 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
757 off_nl_nosnap = 4; /* no 802.2 LLC */
762 * This does no include the Ethernet header, and
763 * only covers session state.
767 off_nl_nosnap = 8; /* no 802.2 LLC */
773 off_nl_nosnap = 24; /* no 802.2 LLC */
778 * FDDI doesn't really have a link-level type field.
779 * We set "off_linktype" to the offset of the LLC header.
781 * To check for Ethernet types, we assume that SSAP = SNAP
782 * is being used and pick out the encapsulated Ethernet type.
783 * XXX - should we generate code to check for SNAP?
787 off_linktype += pcap_fddipad;
789 off_nl = 21; /* FDDI+802.2+SNAP */
790 off_nl_nosnap = 16; /* FDDI+802.2 */
792 off_nl += pcap_fddipad;
793 off_nl_nosnap += pcap_fddipad;
799 * Token Ring doesn't really have a link-level type field.
800 * We set "off_linktype" to the offset of the LLC header.
802 * To check for Ethernet types, we assume that SSAP = SNAP
803 * is being used and pick out the encapsulated Ethernet type.
804 * XXX - should we generate code to check for SNAP?
806 * XXX - the header is actually variable-length.
807 * Some various Linux patched versions gave 38
808 * as "off_linktype" and 40 as "off_nl"; however,
809 * if a token ring packet has *no* routing
810 * information, i.e. is not source-routed, the correct
811 * values are 20 and 22, as they are in the vanilla code.
813 * A packet is source-routed iff the uppermost bit
814 * of the first byte of the source address, at an
815 * offset of 8, has the uppermost bit set. If the
816 * packet is source-routed, the total number of bytes
817 * of routing information is 2 plus bits 0x1F00 of
818 * the 16-bit value at an offset of 14 (shifted right
819 * 8 - figure out which byte that is).
822 off_nl = 22; /* Token Ring+802.2+SNAP */
823 off_nl_nosnap = 17; /* Token Ring+802.2 */
828 * 802.11 doesn't really have a link-level type field.
829 * We set "off_linktype" to the offset of the LLC header.
831 * To check for Ethernet types, we assume that SSAP = SNAP
832 * is being used and pick out the encapsulated Ethernet type.
833 * XXX - should we generate code to check for SNAP?
835 * XXX - the header is actually variable-length. We
836 * assume a 24-byte link-layer header, as appears in
837 * data frames in networks with no bridges. If the
838 * fromds and tods 802.11 header bits are both set,
839 * it's actually supposed to be 30 bytes.
842 off_nl = 32; /* 802.11+802.2+SNAP */
843 off_nl_nosnap = 27; /* 802.11+802.2 */
846 case DLT_PRISM_HEADER:
848 * Same as 802.11, but with an additional header before
849 * the 802.11 header, containing a bunch of additional
850 * information including radio-level information.
852 * The header is 144 bytes long.
854 * XXX - same variable-length header problem; at least
855 * the Prism header is fixed-length.
857 off_linktype = 144+24;
858 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
859 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
862 case DLT_IEEE802_11_RADIO_AVS:
864 * Same as 802.11, but with an additional header before
865 * the 802.11 header, containing a bunch of additional
866 * information including radio-level information.
868 * The header is 64 bytes long, at least in its
869 * current incarnation.
871 * XXX - same variable-length header problem, only
872 * more so; this header is also variable-length,
873 * with the length being the 32-bit big-endian
874 * number at an offset of 4 from the beginning
875 * of the radio header.
877 off_linktype = 64+24;
878 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
879 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
882 case DLT_IEEE802_11_RADIO:
884 * Same as 802.11, but with an additional header before
885 * the 802.11 header, containing a bunch of additional
886 * information including radio-level information.
888 * XXX - same variable-length header problem, only
889 * even *more* so; this header is also variable-length,
890 * with the length being the 16-bit number at an offset
891 * of 2 from the beginning of the radio header, and it's
892 * device-dependent (different devices might supply
893 * different amounts of information), so we can't even
894 * assume a fixed length for the current version of the
897 * Therefore, currently, only raw "link[N:M]" filtering is
905 case DLT_ATM_RFC1483:
906 case DLT_ATM_CLIP: /* Linux ATM defines this */
908 * assume routed, non-ISO PDUs
909 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
912 off_nl = 8; /* 802.2+SNAP */
913 off_nl_nosnap = 3; /* 802.2 */
918 * Full Frontal ATM; you get AALn PDUs with an ATM
922 off_vpi = SUNATM_VPI_POS;
923 off_vci = SUNATM_VCI_POS;
924 off_proto = PROTO_POS;
925 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
926 off_payload = SUNATM_PKT_BEGIN_POS;
927 off_linktype = off_payload;
928 off_nl = off_payload+8; /* 802.2+SNAP */
929 off_nl_nosnap = off_payload+3; /* 802.2 */
935 off_nl_nosnap = 0; /* no 802.2 LLC */
938 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
941 off_nl_nosnap = 16; /* no 802.2 LLC */
946 * LocalTalk does have a 1-byte type field in the LLAP header,
947 * but really it just indicates whether there is a "short" or
948 * "long" DDP packet following.
952 off_nl_nosnap = 0; /* no 802.2 LLC */
957 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
958 * link-level type field. We set "off_linktype" to the
959 * offset of the LLC header.
961 * To check for Ethernet types, we assume that SSAP = SNAP
962 * is being used and pick out the encapsulated Ethernet type.
963 * XXX - should we generate code to check for SNAP? RFC
964 * 2625 says SNAP should be used.
967 off_nl = 24; /* IPFC+802.2+SNAP */
968 off_nl_nosnap = 19; /* IPFC+802.2 */
973 * XXX - we should set this to handle SNAP-encapsulated
974 * frames (NLPID of 0x80).
978 off_nl_nosnap = 0; /* no 802.2 LLC */
981 case DLT_APPLE_IP_OVER_IEEE1394:
984 off_nl_nosnap = 0; /* no 802.2 LLC */
989 * Currently, only raw "link[N:M]" filtering is supported.
998 /* XXX read from header? */
999 off_nl = PFLOG_HDRLEN;
1000 off_nl_nosnap = PFLOG_HDRLEN;
1011 bpf_error("unknown data link type %d", linktype);
1015 static struct block *
1022 s = new_stmt(BPF_LD|BPF_IMM);
1024 b = new_block(JMP(BPF_JEQ));
1030 static inline struct block *
1033 return gen_uncond(1);
1036 static inline struct block *
1039 return gen_uncond(0);
1043 * Byte-swap a 32-bit number.
1044 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1045 * big-endian platforms.)
1047 #define SWAPLONG(y) \
1048 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1050 static struct block *
1051 gen_ether_linktype(proto)
1054 struct block *b0, *b1;
1060 * OSI protocols always use 802.2 encapsulation.
1061 * XXX - should we check both the DSAP and the
1062 * SSAP, like this, or should we check just the
1065 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1067 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1068 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1073 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1075 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1076 ((LLCSAP_IP << 8) | LLCSAP_IP));
1080 case LLCSAP_NETBEUI:
1082 * NetBEUI always uses 802.2 encapsulation.
1083 * XXX - should we check both the DSAP and the
1084 * SSAP, like this, or should we check just the
1087 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1089 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1090 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1098 * Ethernet_II frames, which are Ethernet
1099 * frames with a frame type of ETHERTYPE_IPX;
1101 * Ethernet_802.3 frames, which are 802.3
1102 * frames (i.e., the type/length field is
1103 * a length field, <= ETHERMTU, rather than
1104 * a type field) with the first two bytes
1105 * after the Ethernet/802.3 header being
1108 * Ethernet_802.2 frames, which are 802.3
1109 * frames with an 802.2 LLC header and
1110 * with the IPX LSAP as the DSAP in the LLC
1113 * Ethernet_SNAP frames, which are 802.3
1114 * frames with an LLC header and a SNAP
1115 * header and with an OUI of 0x000000
1116 * (encapsulated Ethernet) and a protocol
1117 * ID of ETHERTYPE_IPX in the SNAP header.
1119 * XXX - should we generate the same code both
1120 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1124 * This generates code to check both for the
1125 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1127 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1128 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1132 * Now we add code to check for SNAP frames with
1133 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1135 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1139 * Now we generate code to check for 802.3
1140 * frames in general.
1142 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1146 * Now add the check for 802.3 frames before the
1147 * check for Ethernet_802.2 and Ethernet_802.3,
1148 * as those checks should only be done on 802.3
1149 * frames, not on Ethernet frames.
1154 * Now add the check for Ethernet_II frames, and
1155 * do that before checking for the other frame
1158 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1162 case ETHERTYPE_ATALK:
1163 case ETHERTYPE_AARP:
1165 * EtherTalk (AppleTalk protocols on Ethernet link
1166 * layer) may use 802.2 encapsulation.
1170 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1171 * we check for an Ethernet type field less than
1172 * 1500, which means it's an 802.3 length field.
1174 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1178 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1179 * SNAP packets with an organization code of
1180 * 0x080007 (Apple, for Appletalk) and a protocol
1181 * type of ETHERTYPE_ATALK (Appletalk).
1183 * 802.2-encapsulated ETHERTYPE_AARP packets are
1184 * SNAP packets with an organization code of
1185 * 0x000000 (encapsulated Ethernet) and a protocol
1186 * type of ETHERTYPE_AARP (Appletalk ARP).
1188 if (proto == ETHERTYPE_ATALK)
1189 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1190 else /* proto == ETHERTYPE_AARP */
1191 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1195 * Check for Ethernet encapsulation (Ethertalk
1196 * phase 1?); we just check for the Ethernet
1199 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1205 if (proto <= ETHERMTU) {
1207 * This is an LLC SAP value, so the frames
1208 * that match would be 802.2 frames.
1209 * Check that the frame is an 802.2 frame
1210 * (i.e., that the length/type field is
1211 * a length field, <= ETHERMTU) and
1212 * then check the DSAP.
1214 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1216 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1221 * This is an Ethernet type, so compare
1222 * the length/type field with it (if
1223 * the frame is an 802.2 frame, the length
1224 * field will be <= ETHERMTU, and, as
1225 * "proto" is > ETHERMTU, this test
1226 * will fail and the frame won't match,
1227 * which is what we want).
1229 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1234 static struct block *
1238 struct block *b0, *b1, *b2;
1243 return gen_ether_linktype(proto);
1250 proto = (proto << 8 | LLCSAP_ISONS);
1254 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1259 case DLT_IEEE802_11:
1260 case DLT_PRISM_HEADER:
1261 case DLT_IEEE802_11_RADIO:
1264 case DLT_ATM_RFC1483:
1266 case DLT_IP_OVER_FC:
1267 return gen_llc(proto);
1272 * If "is_lane" is set, check for a LANE-encapsulated
1273 * version of this protocol, otherwise check for an
1274 * LLC-encapsulated version of this protocol.
1276 * We assume LANE means Ethernet, not Token Ring.
1280 * Check that the packet doesn't begin with an
1281 * LE Control marker. (We've already generated
1284 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1288 * Now generate an Ethernet test.
1290 b1 = gen_ether_linktype(proto);
1295 * Check for LLC encapsulation and then check the
1298 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1299 b1 = gen_llc(proto);
1308 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1309 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1310 ((LLCSAP_IP << 8) | LLCSAP_IP));
1316 * OSI protocols always use 802.2 encapsulation.
1317 * XXX - should we check both the DSAP and the
1318 * LSAP, like this, or should we check just the
1321 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1322 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1323 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1327 case LLCSAP_NETBEUI:
1329 * NetBEUI always uses 802.2 encapsulation.
1330 * XXX - should we check both the DSAP and the
1331 * LSAP, like this, or should we check just the
1334 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1335 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1336 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1342 * Ethernet_II frames, which are Ethernet
1343 * frames with a frame type of ETHERTYPE_IPX;
1345 * Ethernet_802.3 frames, which have a frame
1346 * type of LINUX_SLL_P_802_3;
1348 * Ethernet_802.2 frames, which are 802.3
1349 * frames with an 802.2 LLC header (i.e, have
1350 * a frame type of LINUX_SLL_P_802_2) and
1351 * with the IPX LSAP as the DSAP in the LLC
1354 * Ethernet_SNAP frames, which are 802.3
1355 * frames with an LLC header and a SNAP
1356 * header and with an OUI of 0x000000
1357 * (encapsulated Ethernet) and a protocol
1358 * ID of ETHERTYPE_IPX in the SNAP header.
1360 * First, do the checks on LINUX_SLL_P_802_2
1361 * frames; generate the check for either
1362 * Ethernet_802.2 or Ethernet_SNAP frames, and
1363 * then put a check for LINUX_SLL_P_802_2 frames
1366 b0 = gen_cmp(off_linktype + 2, BPF_B,
1367 (bpf_int32)LLCSAP_IPX);
1368 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1371 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1375 * Now check for 802.3 frames and OR that with
1376 * the previous test.
1378 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1382 * Now add the check for Ethernet_II frames, and
1383 * do that before checking for the other frame
1386 b0 = gen_cmp(off_linktype, BPF_H,
1387 (bpf_int32)ETHERTYPE_IPX);
1391 case ETHERTYPE_ATALK:
1392 case ETHERTYPE_AARP:
1394 * EtherTalk (AppleTalk protocols on Ethernet link
1395 * layer) may use 802.2 encapsulation.
1399 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1400 * we check for the 802.2 protocol type in the
1401 * "Ethernet type" field.
1403 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1406 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1407 * SNAP packets with an organization code of
1408 * 0x080007 (Apple, for Appletalk) and a protocol
1409 * type of ETHERTYPE_ATALK (Appletalk).
1411 * 802.2-encapsulated ETHERTYPE_AARP packets are
1412 * SNAP packets with an organization code of
1413 * 0x000000 (encapsulated Ethernet) and a protocol
1414 * type of ETHERTYPE_AARP (Appletalk ARP).
1416 if (proto == ETHERTYPE_ATALK)
1417 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1419 else /* proto == ETHERTYPE_AARP */
1420 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1425 * Check for Ethernet encapsulation (Ethertalk
1426 * phase 1?); we just check for the Ethernet
1429 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1435 if (proto <= ETHERMTU) {
1437 * This is an LLC SAP value, so the frames
1438 * that match would be 802.2 frames.
1439 * Check for the 802.2 protocol type
1440 * in the "Ethernet type" field, and
1441 * then check the DSAP.
1443 b0 = gen_cmp(off_linktype, BPF_H,
1445 b1 = gen_cmp(off_linktype + 2, BPF_B,
1451 * This is an Ethernet type, so compare
1452 * the length/type field with it (if
1453 * the frame is an 802.2 frame, the length
1454 * field will be <= ETHERMTU, and, as
1455 * "proto" is > ETHERMTU, this test
1456 * will fail and the frame won't match,
1457 * which is what we want).
1459 return gen_cmp(off_linktype, BPF_H,
1466 case DLT_SLIP_BSDOS:
1469 * These types don't provide any type field; packets
1472 * XXX - for IPv4, check for a version number of 4, and,
1473 * for IPv6, check for a version number of 6?
1479 case ETHERTYPE_IPV6:
1481 return gen_true(); /* always true */
1484 return gen_false(); /* always false */
1489 case DLT_PPP_SERIAL:
1492 * We use Ethernet protocol types inside libpcap;
1493 * map them to the corresponding PPP protocol types.
1502 case ETHERTYPE_IPV6:
1511 case ETHERTYPE_ATALK:
1525 * I'm assuming the "Bridging PDU"s that go
1526 * over PPP are Spanning Tree Protocol
1540 * We use Ethernet protocol types inside libpcap;
1541 * map them to the corresponding PPP protocol types.
1546 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1547 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1549 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1554 case ETHERTYPE_IPV6:
1564 case ETHERTYPE_ATALK:
1578 * I'm assuming the "Bridging PDU"s that go
1579 * over PPP are Spanning Tree Protocol
1595 * For DLT_NULL, the link-layer header is a 32-bit
1596 * word containing an AF_ value in *host* byte order,
1597 * and for DLT_ENC, the link-layer header begins
1598 * with a 32-bit work containing an AF_ value in
1601 * In addition, if we're reading a saved capture file,
1602 * the host byte order in the capture may not be the
1603 * same as the host byte order on this machine.
1605 * For DLT_LOOP, the link-layer header is a 32-bit
1606 * word containing an AF_ value in *network* byte order.
1608 * XXX - AF_ values may, unfortunately, be platform-
1609 * dependent; for example, FreeBSD's AF_INET6 is 24
1610 * whilst NetBSD's and OpenBSD's is 26.
1612 * This means that, when reading a capture file, just
1613 * checking for our AF_INET6 value won't work if the
1614 * capture file came from another OS.
1623 case ETHERTYPE_IPV6:
1630 * Not a type on which we support filtering.
1631 * XXX - support those that have AF_ values
1632 * #defined on this platform, at least?
1637 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1639 * The AF_ value is in host byte order, but
1640 * the BPF interpreter will convert it to
1641 * network byte order.
1643 * If this is a save file, and it's from a
1644 * machine with the opposite byte order to
1645 * ours, we byte-swap the AF_ value.
1647 * Then we run it through "htonl()", and
1648 * generate code to compare against the result.
1650 if (bpf_pcap->sf.rfile != NULL &&
1651 bpf_pcap->sf.swapped)
1652 proto = SWAPLONG(proto);
1653 proto = htonl(proto);
1655 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1659 * af field is host byte order in contrast to the rest of
1662 if (proto == ETHERTYPE_IP)
1663 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1664 (bpf_int32)AF_INET));
1666 else if (proto == ETHERTYPE_IPV6)
1667 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1668 (bpf_int32)AF_INET6));
1675 case DLT_ARCNET_LINUX:
1677 * XXX should we check for first fragment if the protocol
1686 case ETHERTYPE_IPV6:
1687 return (gen_cmp(off_linktype, BPF_B,
1688 (bpf_int32)ARCTYPE_INET6));
1692 b0 = gen_cmp(off_linktype, BPF_B,
1693 (bpf_int32)ARCTYPE_IP);
1694 b1 = gen_cmp(off_linktype, BPF_B,
1695 (bpf_int32)ARCTYPE_IP_OLD);
1700 b0 = gen_cmp(off_linktype, BPF_B,
1701 (bpf_int32)ARCTYPE_ARP);
1702 b1 = gen_cmp(off_linktype, BPF_B,
1703 (bpf_int32)ARCTYPE_ARP_OLD);
1707 case ETHERTYPE_REVARP:
1708 return (gen_cmp(off_linktype, BPF_B,
1709 (bpf_int32)ARCTYPE_REVARP));
1711 case ETHERTYPE_ATALK:
1712 return (gen_cmp(off_linktype, BPF_B,
1713 (bpf_int32)ARCTYPE_ATALK));
1719 case ETHERTYPE_ATALK:
1728 * XXX - assumes a 2-byte Frame Relay header with
1729 * DLCI and flags. What if the address is longer?
1735 * Check for the special NLPID for IP.
1737 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1740 case ETHERTYPE_IPV6:
1742 * Check for the special NLPID for IPv6.
1744 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1749 * Check for several OSI protocols.
1751 * Frame Relay packets typically have an OSI
1752 * NLPID at the beginning; we check for each
1755 * What we check for is the NLPID and a frame
1756 * control field of UI, i.e. 0x03 followed
1759 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1760 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1761 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1771 case DLT_LINUX_IRDA:
1772 bpf_error("IrDA link-layer type filtering not implemented");
1776 * All the types that have no encapsulation should either be
1777 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1778 * all packets are IP packets, or should be handled in some
1779 * special case, if none of them are (if some are and some
1780 * aren't, the lack of encapsulation is a problem, as we'd
1781 * have to find some other way of determining the packet type).
1783 * Therefore, if "off_linktype" is -1, there's an error.
1785 if (off_linktype == (u_int)-1)
1789 * Any type not handled above should always have an Ethernet
1790 * type at an offset of "off_linktype". (PPP is partially
1791 * handled above - the protocol type is mapped from the
1792 * Ethernet and LLC types we use internally to the corresponding
1793 * PPP type - but the PPP type is always specified by a value
1794 * at "off_linktype", so we don't have to do the code generation
1797 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1801 * Check for an LLC SNAP packet with a given organization code and
1802 * protocol type; we check the entire contents of the 802.2 LLC and
1803 * snap headers, checking for DSAP and SSAP of SNAP and a control
1804 * field of 0x03 in the LLC header, and for the specified organization
1805 * code and protocol type in the SNAP header.
1807 static struct block *
1808 gen_snap(orgcode, ptype, offset)
1809 bpf_u_int32 orgcode;
1813 u_char snapblock[8];
1815 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1816 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1817 snapblock[2] = 0x03; /* control = UI */
1818 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1819 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1820 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1821 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1822 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1823 return gen_bcmp(offset, 8, snapblock);
1827 * Check for a given protocol value assuming an 802.2 LLC header.
1829 static struct block *
1834 * XXX - handle token-ring variable-length header.
1839 return gen_cmp(off_linktype, BPF_H, (long)
1840 ((LLCSAP_IP << 8) | LLCSAP_IP));
1843 return gen_cmp(off_linktype, BPF_H, (long)
1844 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1846 case LLCSAP_NETBEUI:
1847 return gen_cmp(off_linktype, BPF_H, (long)
1848 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1852 * XXX - are there ever SNAP frames for IPX on
1853 * non-Ethernet 802.x networks?
1855 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1857 case ETHERTYPE_ATALK:
1859 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1860 * SNAP packets with an organization code of
1861 * 0x080007 (Apple, for Appletalk) and a protocol
1862 * type of ETHERTYPE_ATALK (Appletalk).
1864 * XXX - check for an organization code of
1865 * encapsulated Ethernet as well?
1867 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1871 * XXX - we don't have to check for IPX 802.3
1872 * here, but should we check for the IPX Ethertype?
1874 if (proto <= ETHERMTU) {
1876 * This is an LLC SAP value, so check
1879 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1882 * This is an Ethernet type; we assume that it's
1883 * unlikely that it'll appear in the right place
1884 * at random, and therefore check only the
1885 * location that would hold the Ethernet type
1886 * in a SNAP frame with an organization code of
1887 * 0x000000 (encapsulated Ethernet).
1889 * XXX - if we were to check for the SNAP DSAP and
1890 * LSAP, as per XXX, and were also to check for an
1891 * organization code of 0x000000 (encapsulated
1892 * Ethernet), we'd do
1894 * return gen_snap(0x000000, proto,
1897 * here; for now, we don't, as per the above.
1898 * I don't know whether it's worth the extra CPU
1899 * time to do the right check or not.
1901 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1906 static struct block *
1907 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1911 u_int src_off, dst_off;
1913 struct block *b0, *b1;
1927 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1928 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1934 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1935 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1942 b0 = gen_linktype(proto);
1943 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
1949 static struct block *
1950 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
1951 struct in6_addr *addr;
1952 struct in6_addr *mask;
1954 u_int src_off, dst_off;
1956 struct block *b0, *b1;
1971 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1972 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1978 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1979 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1986 /* this order is important */
1987 a = (u_int32_t *)addr;
1988 m = (u_int32_t *)mask;
1989 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
1990 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
1992 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
1994 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
1996 b0 = gen_linktype(proto);
2002 static struct block *
2003 gen_ehostop(eaddr, dir)
2004 register const u_char *eaddr;
2007 register struct block *b0, *b1;
2011 return gen_bcmp(off_mac + 6, 6, eaddr);
2014 return gen_bcmp(off_mac + 0, 6, eaddr);
2017 b0 = gen_ehostop(eaddr, Q_SRC);
2018 b1 = gen_ehostop(eaddr, Q_DST);
2024 b0 = gen_ehostop(eaddr, Q_SRC);
2025 b1 = gen_ehostop(eaddr, Q_DST);
2034 * Like gen_ehostop, but for DLT_FDDI
2036 static struct block *
2037 gen_fhostop(eaddr, dir)
2038 register const u_char *eaddr;
2041 struct block *b0, *b1;
2046 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2048 return gen_bcmp(6 + 1, 6, eaddr);
2053 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2055 return gen_bcmp(0 + 1, 6, eaddr);
2059 b0 = gen_fhostop(eaddr, Q_SRC);
2060 b1 = gen_fhostop(eaddr, Q_DST);
2066 b0 = gen_fhostop(eaddr, Q_SRC);
2067 b1 = gen_fhostop(eaddr, Q_DST);
2076 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2078 static struct block *
2079 gen_thostop(eaddr, dir)
2080 register const u_char *eaddr;
2083 register struct block *b0, *b1;
2087 return gen_bcmp(8, 6, eaddr);
2090 return gen_bcmp(2, 6, eaddr);
2093 b0 = gen_thostop(eaddr, Q_SRC);
2094 b1 = gen_thostop(eaddr, Q_DST);
2100 b0 = gen_thostop(eaddr, Q_SRC);
2101 b1 = gen_thostop(eaddr, Q_DST);
2110 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2112 static struct block *
2113 gen_wlanhostop(eaddr, dir)
2114 register const u_char *eaddr;
2117 register struct block *b0, *b1, *b2;
2118 register struct slist *s;
2125 * For control frames, there is no SA.
2127 * For management frames, SA is at an
2128 * offset of 10 from the beginning of
2131 * For data frames, SA is at an offset
2132 * of 10 from the beginning of the packet
2133 * if From DS is clear, at an offset of
2134 * 16 from the beginning of the packet
2135 * if From DS is set and To DS is clear,
2136 * and an offset of 24 from the beginning
2137 * of the packet if From DS is set and To DS
2142 * Generate the tests to be done for data frames
2145 * First, check for To DS set, i.e. check "link[1] & 0x01".
2147 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2149 b1 = new_block(JMP(BPF_JSET));
2150 b1->s.k = 0x01; /* To DS */
2154 * If To DS is set, the SA is at 24.
2156 b0 = gen_bcmp(24, 6, eaddr);
2160 * Now, check for To DS not set, i.e. check
2161 * "!(link[1] & 0x01)".
2163 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2165 b2 = new_block(JMP(BPF_JSET));
2166 b2->s.k = 0x01; /* To DS */
2171 * If To DS is not set, the SA is at 16.
2173 b1 = gen_bcmp(16, 6, eaddr);
2177 * Now OR together the last two checks. That gives
2178 * the complete set of checks for data frames with
2184 * Now check for From DS being set, and AND that with
2185 * the ORed-together checks.
2187 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2189 b1 = new_block(JMP(BPF_JSET));
2190 b1->s.k = 0x02; /* From DS */
2195 * Now check for data frames with From DS not set.
2197 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2199 b2 = new_block(JMP(BPF_JSET));
2200 b2->s.k = 0x02; /* From DS */
2205 * If From DS isn't set, the SA is at 10.
2207 b1 = gen_bcmp(10, 6, eaddr);
2211 * Now OR together the checks for data frames with
2212 * From DS not set and for data frames with From DS
2213 * set; that gives the checks done for data frames.
2218 * Now check for a data frame.
2219 * I.e, check "link[0] & 0x08".
2221 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2223 b1 = new_block(JMP(BPF_JSET));
2228 * AND that with the checks done for data frames.
2233 * If the high-order bit of the type value is 0, this
2234 * is a management frame.
2235 * I.e, check "!(link[0] & 0x08)".
2237 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2239 b2 = new_block(JMP(BPF_JSET));
2245 * For management frames, the SA is at 10.
2247 b1 = gen_bcmp(10, 6, eaddr);
2251 * OR that with the checks done for data frames.
2252 * That gives the checks done for management and
2258 * If the low-order bit of the type value is 1,
2259 * this is either a control frame or a frame
2260 * with a reserved type, and thus not a
2263 * I.e., check "!(link[0] & 0x04)".
2265 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2267 b1 = new_block(JMP(BPF_JSET));
2273 * AND that with the checks for data and management
2283 * For control frames, there is no DA.
2285 * For management frames, DA is at an
2286 * offset of 4 from the beginning of
2289 * For data frames, DA is at an offset
2290 * of 4 from the beginning of the packet
2291 * if To DS is clear and at an offset of
2292 * 16 from the beginning of the packet
2297 * Generate the tests to be done for data frames.
2299 * First, check for To DS set, i.e. "link[1] & 0x01".
2301 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2303 b1 = new_block(JMP(BPF_JSET));
2304 b1->s.k = 0x01; /* To DS */
2308 * If To DS is set, the DA is at 16.
2310 b0 = gen_bcmp(16, 6, eaddr);
2314 * Now, check for To DS not set, i.e. check
2315 * "!(link[1] & 0x01)".
2317 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2319 b2 = new_block(JMP(BPF_JSET));
2320 b2->s.k = 0x01; /* To DS */
2325 * If To DS is not set, the DA is at 4.
2327 b1 = gen_bcmp(4, 6, eaddr);
2331 * Now OR together the last two checks. That gives
2332 * the complete set of checks for data frames.
2337 * Now check for a data frame.
2338 * I.e, check "link[0] & 0x08".
2340 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2342 b1 = new_block(JMP(BPF_JSET));
2347 * AND that with the checks done for data frames.
2352 * If the high-order bit of the type value is 0, this
2353 * is a management frame.
2354 * I.e, check "!(link[0] & 0x08)".
2356 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2358 b2 = new_block(JMP(BPF_JSET));
2364 * For management frames, the DA is at 4.
2366 b1 = gen_bcmp(4, 6, eaddr);
2370 * OR that with the checks done for data frames.
2371 * That gives the checks done for management and
2377 * If the low-order bit of the type value is 1,
2378 * this is either a control frame or a frame
2379 * with a reserved type, and thus not a
2382 * I.e., check "!(link[0] & 0x04)".
2384 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2386 b1 = new_block(JMP(BPF_JSET));
2392 * AND that with the checks for data and management
2399 b0 = gen_wlanhostop(eaddr, Q_SRC);
2400 b1 = gen_wlanhostop(eaddr, Q_DST);
2406 b0 = gen_wlanhostop(eaddr, Q_SRC);
2407 b1 = gen_wlanhostop(eaddr, Q_DST);
2416 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2417 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2418 * as the RFC states.)
2420 static struct block *
2421 gen_ipfchostop(eaddr, dir)
2422 register const u_char *eaddr;
2425 register struct block *b0, *b1;
2429 return gen_bcmp(10, 6, eaddr);
2432 return gen_bcmp(2, 6, eaddr);
2435 b0 = gen_ipfchostop(eaddr, Q_SRC);
2436 b1 = gen_ipfchostop(eaddr, Q_DST);
2442 b0 = gen_ipfchostop(eaddr, Q_SRC);
2443 b1 = gen_ipfchostop(eaddr, Q_DST);
2452 * This is quite tricky because there may be pad bytes in front of the
2453 * DECNET header, and then there are two possible data packet formats that
2454 * carry both src and dst addresses, plus 5 packet types in a format that
2455 * carries only the src node, plus 2 types that use a different format and
2456 * also carry just the src node.
2460 * Instead of doing those all right, we just look for data packets with
2461 * 0 or 1 bytes of padding. If you want to look at other packets, that
2462 * will require a lot more hacking.
2464 * To add support for filtering on DECNET "areas" (network numbers)
2465 * one would want to add a "mask" argument to this routine. That would
2466 * make the filter even more inefficient, although one could be clever
2467 * and not generate masking instructions if the mask is 0xFFFF.
2469 static struct block *
2470 gen_dnhostop(addr, dir, base_off)
2475 struct block *b0, *b1, *b2, *tmp;
2476 u_int offset_lh; /* offset if long header is received */
2477 u_int offset_sh; /* offset if short header is received */
2482 offset_sh = 1; /* follows flags */
2483 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2487 offset_sh = 3; /* follows flags, dstnode */
2488 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2492 /* Inefficient because we do our Calvinball dance twice */
2493 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2494 b1 = gen_dnhostop(addr, Q_DST, base_off);
2500 /* Inefficient because we do our Calvinball dance twice */
2501 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2502 b1 = gen_dnhostop(addr, Q_DST, base_off);
2507 bpf_error("ISO host filtering not implemented");
2512 b0 = gen_linktype(ETHERTYPE_DN);
2513 /* Check for pad = 1, long header case */
2514 tmp = gen_mcmp(base_off + 2, BPF_H,
2515 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2516 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2517 BPF_H, (bpf_int32)ntohs(addr));
2519 /* Check for pad = 0, long header case */
2520 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2521 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2524 /* Check for pad = 1, short header case */
2525 tmp = gen_mcmp(base_off + 2, BPF_H,
2526 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2527 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2528 BPF_H, (bpf_int32)ntohs(addr));
2531 /* Check for pad = 0, short header case */
2532 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2533 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2537 /* Combine with test for linktype */
2542 static struct block *
2543 gen_host(addr, mask, proto, dir)
2549 struct block *b0, *b1;
2554 b0 = gen_host(addr, mask, Q_IP, dir);
2555 if (off_linktype != (u_int)-1) {
2556 b1 = gen_host(addr, mask, Q_ARP, dir);
2558 b0 = gen_host(addr, mask, Q_RARP, dir);
2564 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2565 off_nl + 12, off_nl + 16);
2568 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2569 off_nl + 14, off_nl + 24);
2572 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2573 off_nl + 14, off_nl + 24);
2576 bpf_error("'tcp' modifier applied to host");
2579 bpf_error("'sctp' modifier applied to host");
2582 bpf_error("'udp' modifier applied to host");
2585 bpf_error("'icmp' modifier applied to host");
2588 bpf_error("'igmp' modifier applied to host");
2591 bpf_error("'igrp' modifier applied to host");
2594 bpf_error("'pim' modifier applied to host");
2597 bpf_error("'vrrp' modifier applied to host");
2600 bpf_error("ATALK host filtering not implemented");
2603 bpf_error("AARP host filtering not implemented");
2606 return gen_dnhostop(addr, dir, off_nl);
2609 bpf_error("SCA host filtering not implemented");
2612 bpf_error("LAT host filtering not implemented");
2615 bpf_error("MOPDL host filtering not implemented");
2618 bpf_error("MOPRC host filtering not implemented");
2622 bpf_error("'ip6' modifier applied to ip host");
2625 bpf_error("'icmp6' modifier applied to host");
2629 bpf_error("'ah' modifier applied to host");
2632 bpf_error("'esp' modifier applied to host");
2635 bpf_error("ISO host filtering not implemented");
2638 bpf_error("'esis' modifier applied to host");
2641 bpf_error("'isis' modifier applied to host");
2644 bpf_error("'clnp' modifier applied to host");
2647 bpf_error("'stp' modifier applied to host");
2650 bpf_error("IPX host filtering not implemented");
2653 bpf_error("'netbeui' modifier applied to host");
2662 static struct block *
2663 gen_host6(addr, mask, proto, dir)
2664 struct in6_addr *addr;
2665 struct in6_addr *mask;
2672 return gen_host6(addr, mask, Q_IPV6, dir);
2675 bpf_error("'ip' modifier applied to ip6 host");
2678 bpf_error("'rarp' modifier applied to ip6 host");
2681 bpf_error("'arp' modifier applied to ip6 host");
2684 bpf_error("'sctp' modifier applied to host");
2687 bpf_error("'tcp' modifier applied to host");
2690 bpf_error("'udp' modifier applied to host");
2693 bpf_error("'icmp' modifier applied to host");
2696 bpf_error("'igmp' modifier applied to host");
2699 bpf_error("'igrp' modifier applied to host");
2702 bpf_error("'pim' modifier applied to host");
2705 bpf_error("'vrrp' modifier applied to host");
2708 bpf_error("ATALK host filtering not implemented");
2711 bpf_error("AARP host filtering not implemented");
2714 bpf_error("'decnet' modifier applied to ip6 host");
2717 bpf_error("SCA host filtering not implemented");
2720 bpf_error("LAT host filtering not implemented");
2723 bpf_error("MOPDL host filtering not implemented");
2726 bpf_error("MOPRC host filtering not implemented");
2729 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2730 off_nl + 8, off_nl + 24);
2733 bpf_error("'icmp6' modifier applied to host");
2736 bpf_error("'ah' modifier applied to host");
2739 bpf_error("'esp' modifier applied to host");
2742 bpf_error("ISO host filtering not implemented");
2745 bpf_error("'esis' modifier applied to host");
2748 bpf_error("'isis' modifier applied to host");
2751 bpf_error("'clnp' modifier applied to host");
2754 bpf_error("'stp' modifier applied to host");
2757 bpf_error("IPX host filtering not implemented");
2760 bpf_error("'netbeui' modifier applied to host");
2770 static struct block *
2771 gen_gateway(eaddr, alist, proto, dir)
2772 const u_char *eaddr;
2773 bpf_u_int32 **alist;
2777 struct block *b0, *b1, *tmp;
2780 bpf_error("direction applied to 'gateway'");
2787 if (linktype == DLT_EN10MB)
2788 b0 = gen_ehostop(eaddr, Q_OR);
2789 else if (linktype == DLT_FDDI)
2790 b0 = gen_fhostop(eaddr, Q_OR);
2791 else if (linktype == DLT_IEEE802)
2792 b0 = gen_thostop(eaddr, Q_OR);
2793 else if (linktype == DLT_IEEE802_11)
2794 b0 = gen_wlanhostop(eaddr, Q_OR);
2795 else if (linktype == DLT_SUNATM && is_lane) {
2797 * Check that the packet doesn't begin with an
2798 * LE Control marker. (We've already generated
2801 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2805 * Now check the MAC address.
2807 b0 = gen_ehostop(eaddr, Q_OR);
2809 } else if (linktype == DLT_IP_OVER_FC)
2810 b0 = gen_ipfchostop(eaddr, Q_OR);
2813 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2815 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2817 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2825 bpf_error("illegal modifier of 'gateway'");
2831 gen_proto_abbrev(proto)
2840 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2842 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2848 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2850 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2856 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2858 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2864 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2867 #ifndef IPPROTO_IGMP
2868 #define IPPROTO_IGMP 2
2872 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2875 #ifndef IPPROTO_IGRP
2876 #define IPPROTO_IGRP 9
2879 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2883 #define IPPROTO_PIM 103
2887 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2889 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2894 #ifndef IPPROTO_VRRP
2895 #define IPPROTO_VRRP 112
2899 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2903 b1 = gen_linktype(ETHERTYPE_IP);
2907 b1 = gen_linktype(ETHERTYPE_ARP);
2911 b1 = gen_linktype(ETHERTYPE_REVARP);
2915 bpf_error("link layer applied in wrong context");
2918 b1 = gen_linktype(ETHERTYPE_ATALK);
2922 b1 = gen_linktype(ETHERTYPE_AARP);
2926 b1 = gen_linktype(ETHERTYPE_DN);
2930 b1 = gen_linktype(ETHERTYPE_SCA);
2934 b1 = gen_linktype(ETHERTYPE_LAT);
2938 b1 = gen_linktype(ETHERTYPE_MOPDL);
2942 b1 = gen_linktype(ETHERTYPE_MOPRC);
2947 b1 = gen_linktype(ETHERTYPE_IPV6);
2950 #ifndef IPPROTO_ICMPV6
2951 #define IPPROTO_ICMPV6 58
2954 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
2959 #define IPPROTO_AH 51
2962 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
2964 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
2970 #define IPPROTO_ESP 50
2973 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
2975 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
2981 b1 = gen_linktype(LLCSAP_ISONS);
2985 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
2989 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
2992 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
2993 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
2994 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
2996 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
2998 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3000 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3004 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3005 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3006 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3008 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3010 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3012 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3016 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3017 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3018 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3020 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3025 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3026 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3031 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3032 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3034 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3036 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3041 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3042 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3047 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3048 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3053 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3057 b1 = gen_linktype(LLCSAP_8021D);
3061 b1 = gen_linktype(LLCSAP_IPX);
3065 b1 = gen_linktype(LLCSAP_NETBEUI);
3074 static struct block *
3081 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3082 s->s.k = off_nl + 6;
3083 b = new_block(JMP(BPF_JSET));
3091 static struct block *
3092 gen_portatom(off, v)
3099 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3102 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3103 s->next->s.k = off_nl + off;
3105 b = new_block(JMP(BPF_JEQ));
3113 static struct block *
3114 gen_portatom6(off, v)
3118 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3123 gen_portop(port, proto, dir)
3124 int port, proto, dir;
3126 struct block *b0, *b1, *tmp;
3128 /* ip proto 'proto' */
3129 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3135 b1 = gen_portatom(0, (bpf_int32)port);
3139 b1 = gen_portatom(2, (bpf_int32)port);
3144 tmp = gen_portatom(0, (bpf_int32)port);
3145 b1 = gen_portatom(2, (bpf_int32)port);
3150 tmp = gen_portatom(0, (bpf_int32)port);
3151 b1 = gen_portatom(2, (bpf_int32)port);
3163 static struct block *
3164 gen_port(port, ip_proto, dir)
3169 struct block *b0, *b1, *tmp;
3174 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3175 * not LLC encapsulation with LLCSAP_IP.
3177 * For IEEE 802 networks - which includes 802.5 token ring
3178 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3179 * says that SNAP encapsulation is used, not LLC encapsulation
3182 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3183 * RFC 2225 say that SNAP encapsulation is used, not LLC
3184 * encapsulation with LLCSAP_IP.
3186 * So we always check for ETHERTYPE_IP.
3188 b0 = gen_linktype(ETHERTYPE_IP);
3194 b1 = gen_portop(port, ip_proto, dir);
3198 tmp = gen_portop(port, IPPROTO_TCP, dir);
3199 b1 = gen_portop(port, IPPROTO_UDP, dir);
3201 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3214 gen_portop6(port, proto, dir)
3215 int port, proto, dir;
3217 struct block *b0, *b1, *tmp;
3219 /* ip proto 'proto' */
3220 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3224 b1 = gen_portatom6(0, (bpf_int32)port);
3228 b1 = gen_portatom6(2, (bpf_int32)port);
3233 tmp = gen_portatom6(0, (bpf_int32)port);
3234 b1 = gen_portatom6(2, (bpf_int32)port);
3239 tmp = gen_portatom6(0, (bpf_int32)port);
3240 b1 = gen_portatom6(2, (bpf_int32)port);
3252 static struct block *
3253 gen_port6(port, ip_proto, dir)
3258 struct block *b0, *b1, *tmp;
3260 /* ether proto ip */
3261 b0 = gen_linktype(ETHERTYPE_IPV6);
3267 b1 = gen_portop6(port, ip_proto, dir);
3271 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3272 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3274 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3287 lookup_proto(name, proto)
3288 register const char *name;
3298 v = pcap_nametoproto(name);
3299 if (v == PROTO_UNDEF)
3300 bpf_error("unknown ip proto '%s'", name);
3304 /* XXX should look up h/w protocol type based on linktype */
3305 v = pcap_nametoeproto(name);
3306 if (v == PROTO_UNDEF)
3307 bpf_error("unknown ether proto '%s'", name);
3311 if (strcmp(name, "esis") == 0)
3313 else if (strcmp(name, "isis") == 0)
3315 else if (strcmp(name, "clnp") == 0)
3318 bpf_error("unknown osi proto '%s'", name);
3338 static struct block *
3339 gen_protochain(v, proto, dir)
3344 #ifdef NO_PROTOCHAIN
3345 return gen_proto(v, proto, dir);
3347 struct block *b0, *b;
3348 struct slist *s[100];
3349 int fix2, fix3, fix4, fix5;
3350 int ahcheck, again, end;
3352 int reg2 = alloc_reg();
3354 memset(s, 0, sizeof(s));
3355 fix2 = fix3 = fix4 = fix5 = 0;
3362 b0 = gen_protochain(v, Q_IP, dir);
3363 b = gen_protochain(v, Q_IPV6, dir);
3367 bpf_error("bad protocol applied for 'protochain'");
3371 no_optimize = 1; /*this code is not compatible with optimzer yet */
3374 * s[0] is a dummy entry to protect other BPF insn from damaged
3375 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3376 * hard to find interdependency made by jump table fixup.
3379 s[i] = new_stmt(0); /*dummy*/
3384 b0 = gen_linktype(ETHERTYPE_IP);
3387 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3388 s[i]->s.k = off_nl + 9;
3390 /* X = ip->ip_hl << 2 */
3391 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3397 b0 = gen_linktype(ETHERTYPE_IPV6);
3399 /* A = ip6->ip_nxt */
3400 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3401 s[i]->s.k = off_nl + 6;
3403 /* X = sizeof(struct ip6_hdr) */
3404 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3410 bpf_error("unsupported proto to gen_protochain");
3414 /* again: if (A == v) goto end; else fall through; */
3416 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3418 s[i]->s.jt = NULL; /*later*/
3419 s[i]->s.jf = NULL; /*update in next stmt*/
3423 #ifndef IPPROTO_NONE
3424 #define IPPROTO_NONE 59
3426 /* if (A == IPPROTO_NONE) goto end */
3427 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3428 s[i]->s.jt = NULL; /*later*/
3429 s[i]->s.jf = NULL; /*update in next stmt*/
3430 s[i]->s.k = IPPROTO_NONE;
3431 s[fix5]->s.jf = s[i];
3436 if (proto == Q_IPV6) {
3437 int v6start, v6end, v6advance, j;
3440 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3441 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3442 s[i]->s.jt = NULL; /*later*/
3443 s[i]->s.jf = NULL; /*update in next stmt*/
3444 s[i]->s.k = IPPROTO_HOPOPTS;
3445 s[fix2]->s.jf = s[i];
3447 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3448 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3449 s[i]->s.jt = NULL; /*later*/
3450 s[i]->s.jf = NULL; /*update in next stmt*/
3451 s[i]->s.k = IPPROTO_DSTOPTS;
3453 /* if (A == IPPROTO_ROUTING) goto v6advance */
3454 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3455 s[i]->s.jt = NULL; /*later*/
3456 s[i]->s.jf = NULL; /*update in next stmt*/
3457 s[i]->s.k = IPPROTO_ROUTING;
3459 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3460 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3461 s[i]->s.jt = NULL; /*later*/
3462 s[i]->s.jf = NULL; /*later*/
3463 s[i]->s.k = IPPROTO_FRAGMENT;
3474 * X = X + (P[X + 1] + 1) * 8;
3477 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3479 /* A = P[X + packet head] */
3480 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3484 s[i] = new_stmt(BPF_ST);
3488 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3491 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3495 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3497 /* A = P[X + packet head]; */
3498 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3502 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3506 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3510 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3513 s[i] = new_stmt(BPF_LD|BPF_MEM);
3517 /* goto again; (must use BPF_JA for backward jump) */
3518 s[i] = new_stmt(BPF_JMP|BPF_JA);
3519 s[i]->s.k = again - i - 1;
3520 s[i - 1]->s.jf = s[i];
3524 for (j = v6start; j <= v6end; j++)
3525 s[j]->s.jt = s[v6advance];
3530 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3532 s[fix2]->s.jf = s[i];
3538 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3539 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3540 s[i]->s.jt = NULL; /*later*/
3541 s[i]->s.jf = NULL; /*later*/
3542 s[i]->s.k = IPPROTO_AH;
3544 s[fix3]->s.jf = s[ahcheck];
3551 * X = X + (P[X + 1] + 2) * 4;
3554 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3556 /* A = P[X + packet head]; */
3557 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3561 s[i] = new_stmt(BPF_ST);
3565 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3568 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3572 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3574 /* A = P[X + packet head] */
3575 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3579 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3583 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3587 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3590 s[i] = new_stmt(BPF_LD|BPF_MEM);
3594 /* goto again; (must use BPF_JA for backward jump) */
3595 s[i] = new_stmt(BPF_JMP|BPF_JA);
3596 s[i]->s.k = again - i - 1;
3601 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3603 s[fix2]->s.jt = s[end];
3604 s[fix4]->s.jf = s[end];
3605 s[fix5]->s.jt = s[end];
3612 for (i = 0; i < max - 1; i++)
3613 s[i]->next = s[i + 1];
3614 s[max - 1]->next = NULL;
3619 b = new_block(JMP(BPF_JEQ));
3620 b->stmts = s[1]; /*remember, s[0] is dummy*/
3630 static struct block *
3631 gen_proto(v, proto, dir)
3636 struct block *b0, *b1;
3638 if (dir != Q_DEFAULT)
3639 bpf_error("direction applied to 'proto'");
3644 b0 = gen_proto(v, Q_IP, dir);
3645 b1 = gen_proto(v, Q_IPV6, dir);
3653 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3654 * not LLC encapsulation with LLCSAP_IP.
3656 * For IEEE 802 networks - which includes 802.5 token ring
3657 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3658 * says that SNAP encapsulation is used, not LLC encapsulation
3661 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3662 * RFC 2225 say that SNAP encapsulation is used, not LLC
3663 * encapsulation with LLCSAP_IP.
3665 * So we always check for ETHERTYPE_IP.
3667 b0 = gen_linktype(ETHERTYPE_IP);
3669 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3671 b1 = gen_protochain(v, Q_IP);
3681 * Frame Relay packets typically have an OSI
3682 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3683 * generates code to check for all the OSI
3684 * NLPIDs, so calling it and then adding a check
3685 * for the particular NLPID for which we're
3686 * looking is bogus, as we can just check for
3689 * What we check for is the NLPID and a frame
3690 * control field value of UI, i.e. 0x03 followed
3693 * XXX - assumes a 2-byte Frame Relay header with
3694 * DLCI and flags. What if the address is longer?
3696 * XXX - what about SNAP-encapsulated frames?
3698 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3703 * Cisco uses an Ethertype lookalike - for OSI,
3706 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3707 /* OSI in C-HDLC is stuffed with a fudge byte */
3708 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3713 b0 = gen_linktype(LLCSAP_ISONS);
3714 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3720 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3722 * 4 is the offset of the PDU type relative to the IS-IS
3725 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3730 bpf_error("arp does not encapsulate another protocol");
3734 bpf_error("rarp does not encapsulate another protocol");
3738 bpf_error("atalk encapsulation is not specifiable");
3742 bpf_error("decnet encapsulation is not specifiable");
3746 bpf_error("sca does not encapsulate another protocol");
3750 bpf_error("lat does not encapsulate another protocol");
3754 bpf_error("moprc does not encapsulate another protocol");
3758 bpf_error("mopdl does not encapsulate another protocol");
3762 return gen_linktype(v);
3765 bpf_error("'udp proto' is bogus");
3769 bpf_error("'tcp proto' is bogus");
3773 bpf_error("'sctp proto' is bogus");
3777 bpf_error("'icmp proto' is bogus");
3781 bpf_error("'igmp proto' is bogus");
3785 bpf_error("'igrp proto' is bogus");
3789 bpf_error("'pim proto' is bogus");
3793 bpf_error("'vrrp proto' is bogus");
3798 b0 = gen_linktype(ETHERTYPE_IPV6);
3800 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3802 b1 = gen_protochain(v, Q_IPV6);
3808 bpf_error("'icmp6 proto' is bogus");
3812 bpf_error("'ah proto' is bogus");
3815 bpf_error("'ah proto' is bogus");
3818 bpf_error("'stp proto' is bogus");
3821 bpf_error("'ipx proto' is bogus");
3824 bpf_error("'netbeui proto' is bogus");
3835 register const char *name;
3838 int proto = q.proto;
3842 bpf_u_int32 mask, addr;
3844 bpf_u_int32 **alist;
3847 struct sockaddr_in *sin;
3848 struct sockaddr_in6 *sin6;
3849 struct addrinfo *res, *res0;
3850 struct in6_addr mask128;
3852 struct block *b, *tmp;
3853 int port, real_proto;
3858 addr = pcap_nametonetaddr(name);
3860 bpf_error("unknown network '%s'", name);
3861 /* Left justify network addr and calculate its network mask */
3863 while (addr && (addr & 0xff000000) == 0) {
3867 return gen_host(addr, mask, proto, dir);
3871 if (proto == Q_LINK) {
3875 eaddr = pcap_ether_hostton(name);
3878 "unknown ether host '%s'", name);
3879 b = gen_ehostop(eaddr, dir);
3884 eaddr = pcap_ether_hostton(name);
3887 "unknown FDDI host '%s'", name);
3888 b = gen_fhostop(eaddr, dir);
3893 eaddr = pcap_ether_hostton(name);
3896 "unknown token ring host '%s'", name);
3897 b = gen_thostop(eaddr, dir);
3901 case DLT_IEEE802_11:
3902 eaddr = pcap_ether_hostton(name);
3905 "unknown 802.11 host '%s'", name);
3906 b = gen_wlanhostop(eaddr, dir);
3910 case DLT_IP_OVER_FC:
3911 eaddr = pcap_ether_hostton(name);
3914 "unknown Fibre Channel host '%s'", name);
3915 b = gen_ipfchostop(eaddr, dir);
3924 * Check that the packet doesn't begin
3925 * with an LE Control marker. (We've
3926 * already generated a test for LANE.)
3928 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
3932 eaddr = pcap_ether_hostton(name);
3935 "unknown ether host '%s'", name);
3936 b = gen_ehostop(eaddr, dir);
3942 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
3943 } else if (proto == Q_DECNET) {
3944 unsigned short dn_addr = __pcap_nametodnaddr(name);
3946 * I don't think DECNET hosts can be multihomed, so
3947 * there is no need to build up a list of addresses
3949 return (gen_host(dn_addr, 0, proto, dir));
3952 alist = pcap_nametoaddr(name);
3953 if (alist == NULL || *alist == NULL)
3954 bpf_error("unknown host '%s'", name);
3956 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
3958 b = gen_host(**alist++, 0xffffffff, tproto, dir);
3960 tmp = gen_host(**alist++, 0xffffffff,
3967 memset(&mask128, 0xff, sizeof(mask128));
3968 res0 = res = pcap_nametoaddrinfo(name);
3970 bpf_error("unknown host '%s'", name);
3972 tproto = tproto6 = proto;
3973 if (off_linktype == -1 && tproto == Q_DEFAULT) {
3977 for (res = res0; res; res = res->ai_next) {
3978 switch (res->ai_family) {
3980 if (tproto == Q_IPV6)
3983 sin = (struct sockaddr_in *)
3985 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
3986 0xffffffff, tproto, dir);
3989 if (tproto6 == Q_IP)
3992 sin6 = (struct sockaddr_in6 *)
3994 tmp = gen_host6(&sin6->sin6_addr,
3995 &mask128, tproto6, dir);
4006 bpf_error("unknown host '%s'%s", name,
4007 (proto == Q_DEFAULT)
4009 : " for specified address family");
4016 if (proto != Q_DEFAULT &&
4017 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4018 bpf_error("illegal qualifier of 'port'");
4019 if (pcap_nametoport(name, &port, &real_proto) == 0)
4020 bpf_error("unknown port '%s'", name);
4021 if (proto == Q_UDP) {
4022 if (real_proto == IPPROTO_TCP)
4023 bpf_error("port '%s' is tcp", name);
4024 else if (real_proto == IPPROTO_SCTP)
4025 bpf_error("port '%s' is sctp", name);
4027 /* override PROTO_UNDEF */
4028 real_proto = IPPROTO_UDP;
4030 if (proto == Q_TCP) {
4031 if (real_proto == IPPROTO_UDP)
4032 bpf_error("port '%s' is udp", name);
4034 else if (real_proto == IPPROTO_SCTP)
4035 bpf_error("port '%s' is sctp", name);
4037 /* override PROTO_UNDEF */
4038 real_proto = IPPROTO_TCP;
4040 if (proto == Q_SCTP) {
4041 if (real_proto == IPPROTO_UDP)
4042 bpf_error("port '%s' is udp", name);
4044 else if (real_proto == IPPROTO_TCP)
4045 bpf_error("port '%s' is tcp", name);
4047 /* override PROTO_UNDEF */
4048 real_proto = IPPROTO_SCTP;
4051 return gen_port(port, real_proto, dir);
4055 b = gen_port(port, real_proto, dir);
4056 gen_or(gen_port6(port, real_proto, dir), b);
4063 eaddr = pcap_ether_hostton(name);
4065 bpf_error("unknown ether host: %s", name);
4067 alist = pcap_nametoaddr(name);
4068 if (alist == NULL || *alist == NULL)
4069 bpf_error("unknown host '%s'", name);
4070 b = gen_gateway(eaddr, alist, proto, dir);
4074 bpf_error("'gateway' not supported in this configuration");
4078 real_proto = lookup_proto(name, proto);
4079 if (real_proto >= 0)
4080 return gen_proto(real_proto, proto, dir);
4082 bpf_error("unknown protocol: %s", name);
4085 real_proto = lookup_proto(name, proto);
4086 if (real_proto >= 0)
4087 return gen_protochain(real_proto, proto, dir);
4089 bpf_error("unknown protocol: %s", name);
4101 gen_mcode(s1, s2, masklen, q)
4102 register const char *s1, *s2;
4103 register int masklen;
4106 register int nlen, mlen;
4109 nlen = __pcap_atoin(s1, &n);
4110 /* Promote short ipaddr */
4114 mlen = __pcap_atoin(s2, &m);
4115 /* Promote short ipaddr */
4118 bpf_error("non-network bits set in \"%s mask %s\"",
4121 /* Convert mask len to mask */
4123 bpf_error("mask length must be <= 32");
4124 m = 0xffffffff << (32 - masklen);
4126 bpf_error("non-network bits set in \"%s/%d\"",
4133 return gen_host(n, m, q.proto, q.dir);
4136 bpf_error("Mask syntax for networks only");
4143 register const char *s;
4148 int proto = q.proto;
4154 else if (q.proto == Q_DECNET)
4155 vlen = __pcap_atodn(s, &v);
4157 vlen = __pcap_atoin(s, &v);
4164 if (proto == Q_DECNET)
4165 return gen_host(v, 0, proto, dir);
4166 else if (proto == Q_LINK) {
4167 bpf_error("illegal link layer address");
4170 if (s == NULL && q.addr == Q_NET) {
4171 /* Promote short net number */
4172 while (v && (v & 0xff000000) == 0) {
4177 /* Promote short ipaddr */
4181 return gen_host(v, mask, proto, dir);
4186 proto = IPPROTO_UDP;
4187 else if (proto == Q_TCP)
4188 proto = IPPROTO_TCP;
4189 else if (proto == Q_SCTP)
4190 proto = IPPROTO_SCTP;
4191 else if (proto == Q_DEFAULT)
4192 proto = PROTO_UNDEF;
4194 bpf_error("illegal qualifier of 'port'");
4197 return gen_port((int)v, proto, dir);
4201 b = gen_port((int)v, proto, dir);
4202 gen_or(gen_port6((int)v, proto, dir), b);
4208 bpf_error("'gateway' requires a name");
4212 return gen_proto((int)v, proto, dir);
4215 return gen_protochain((int)v, proto, dir);
4230 gen_mcode6(s1, s2, masklen, q)
4231 register const char *s1, *s2;
4232 register int masklen;
4235 struct addrinfo *res;
4236 struct in6_addr *addr;
4237 struct in6_addr mask;
4242 bpf_error("no mask %s supported", s2);
4244 res = pcap_nametoaddrinfo(s1);
4246 bpf_error("invalid ip6 address %s", s1);
4248 bpf_error("%s resolved to multiple address", s1);
4249 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4251 if (sizeof(mask) * 8 < masklen)
4252 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4253 memset(&mask, 0, sizeof(mask));
4254 memset(&mask, 0xff, masklen / 8);
4256 mask.s6_addr[masklen / 8] =
4257 (0xff << (8 - masklen % 8)) & 0xff;
4260 a = (u_int32_t *)addr;
4261 m = (u_int32_t *)&mask;
4262 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4263 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4264 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4272 bpf_error("Mask syntax for networks only");
4276 b = gen_host6(addr, &mask, q.proto, q.dir);
4281 bpf_error("invalid qualifier against IPv6 address");
4289 register const u_char *eaddr;
4292 struct block *b, *tmp;
4294 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4295 if (linktype == DLT_EN10MB)
4296 return gen_ehostop(eaddr, (int)q.dir);
4297 if (linktype == DLT_FDDI)
4298 return gen_fhostop(eaddr, (int)q.dir);
4299 if (linktype == DLT_IEEE802)
4300 return gen_thostop(eaddr, (int)q.dir);
4301 if (linktype == DLT_IEEE802_11)
4302 return gen_wlanhostop(eaddr, (int)q.dir);
4303 if (linktype == DLT_SUNATM && is_lane) {
4305 * Check that the packet doesn't begin with an
4306 * LE Control marker. (We've already generated
4309 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4313 * Now check the MAC address.
4315 b = gen_ehostop(eaddr, (int)q.dir);
4319 if (linktype == DLT_IP_OVER_FC)
4320 return gen_ipfchostop(eaddr, (int)q.dir);
4321 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4323 bpf_error("ethernet address used in non-ether expression");
4329 struct slist *s0, *s1;
4332 * This is definitely not the best way to do this, but the
4333 * lists will rarely get long.
4340 static struct slist *
4346 s = new_stmt(BPF_LDX|BPF_MEM);
4351 static struct slist *
4357 s = new_stmt(BPF_LD|BPF_MEM);
4363 gen_load(proto, index, size)
4368 struct slist *s, *tmp;
4370 int regno = alloc_reg();
4372 free_reg(index->regno);
4376 bpf_error("data size must be 1, 2, or 4");
4392 bpf_error("unsupported index operation");
4396 * XXX - what about ATM LANE? Should the index be
4397 * relative to the beginning of the AAL5 frame, so
4398 * that 0 refers to the beginning of the LE Control
4399 * field, or relative to the beginning of the LAN
4400 * frame, so that 0 refers, for Ethernet LANE, to
4401 * the beginning of the destination address?
4403 s = xfer_to_x(index);
4404 tmp = new_stmt(BPF_LD|BPF_IND|size);
4406 sappend(index->s, s);
4421 /* XXX Note that we assume a fixed link header here. */
4422 s = xfer_to_x(index);
4423 tmp = new_stmt(BPF_LD|BPF_IND|size);
4426 sappend(index->s, s);
4428 b = gen_proto_abbrev(proto);
4430 gen_and(index->b, b);
4442 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4444 sappend(s, xfer_to_a(index));
4445 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4446 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4447 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4449 sappend(index->s, s);
4451 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4453 gen_and(index->b, b);
4455 gen_and(gen_proto_abbrev(Q_IP), b);
4461 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4465 index->regno = regno;
4466 s = new_stmt(BPF_ST);
4468 sappend(index->s, s);
4474 gen_relation(code, a0, a1, reversed)
4476 struct arth *a0, *a1;
4479 struct slist *s0, *s1, *s2;
4480 struct block *b, *tmp;
4484 if (code == BPF_JEQ) {
4485 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4486 b = new_block(JMP(code));
4490 b = new_block(BPF_JMP|code|BPF_X);
4496 sappend(a0->s, a1->s);
4500 free_reg(a0->regno);
4501 free_reg(a1->regno);
4503 /* 'and' together protocol checks */
4506 gen_and(a0->b, tmp = a1->b);
4522 int regno = alloc_reg();
4523 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4526 s = new_stmt(BPF_LD|BPF_LEN);
4527 s->next = new_stmt(BPF_ST);
4528 s->next->s.k = regno;
4543 a = (struct arth *)newchunk(sizeof(*a));
4547 s = new_stmt(BPF_LD|BPF_IMM);
4549 s->next = new_stmt(BPF_ST);
4565 s = new_stmt(BPF_ALU|BPF_NEG);
4568 s = new_stmt(BPF_ST);
4576 gen_arth(code, a0, a1)
4578 struct arth *a0, *a1;
4580 struct slist *s0, *s1, *s2;
4584 s2 = new_stmt(BPF_ALU|BPF_X|code);
4589 sappend(a0->s, a1->s);
4591 free_reg(a0->regno);
4592 free_reg(a1->regno);
4594 s0 = new_stmt(BPF_ST);
4595 a0->regno = s0->s.k = alloc_reg();
4602 * Here we handle simple allocation of the scratch registers.
4603 * If too many registers are alloc'd, the allocator punts.
4605 static int regused[BPF_MEMWORDS];
4609 * Return the next free register.
4614 int n = BPF_MEMWORDS;
4617 if (regused[curreg])
4618 curreg = (curreg + 1) % BPF_MEMWORDS;
4620 regused[curreg] = 1;
4624 bpf_error("too many registers needed to evaluate expression");
4629 * Return a register to the table so it can
4639 static struct block *
4646 s = new_stmt(BPF_LD|BPF_LEN);
4647 b = new_block(JMP(jmp));
4658 return gen_len(BPF_JGE, n);
4662 * Actually, this is less than or equal.
4670 b = gen_len(BPF_JGT, n);
4677 gen_byteop(op, idx, val)
4688 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4691 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4692 b->s.code = JMP(BPF_JGE);
4697 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4698 b->s.code = JMP(BPF_JGT);
4702 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4706 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4710 b = new_block(JMP(BPF_JEQ));
4717 static u_char abroadcast[] = { 0x0 };
4720 gen_broadcast(proto)
4723 bpf_u_int32 hostmask;
4724 struct block *b0, *b1, *b2;
4725 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4731 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4732 return gen_ahostop(abroadcast, Q_DST);
4733 if (linktype == DLT_EN10MB)
4734 return gen_ehostop(ebroadcast, Q_DST);
4735 if (linktype == DLT_FDDI)
4736 return gen_fhostop(ebroadcast, Q_DST);
4737 if (linktype == DLT_IEEE802)
4738 return gen_thostop(ebroadcast, Q_DST);
4739 if (linktype == DLT_IEEE802_11)
4740 return gen_wlanhostop(ebroadcast, Q_DST);
4741 if (linktype == DLT_IP_OVER_FC)
4742 return gen_ipfchostop(ebroadcast, Q_DST);
4743 if (linktype == DLT_SUNATM && is_lane) {
4745 * Check that the packet doesn't begin with an
4746 * LE Control marker. (We've already generated
4749 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4753 * Now check the MAC address.
4755 b0 = gen_ehostop(ebroadcast, Q_DST);
4759 bpf_error("not a broadcast link");
4763 b0 = gen_linktype(ETHERTYPE_IP);
4764 hostmask = ~netmask;
4765 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4766 b2 = gen_mcmp(off_nl + 16, BPF_W,
4767 (bpf_int32)(~0 & hostmask), hostmask);
4772 bpf_error("only link-layer/IP broadcast filters supported");
4776 * Generate code to test the low-order bit of a MAC address (that's
4777 * the bottom bit of the *first* byte).
4779 static struct block *
4780 gen_mac_multicast(offset)
4783 register struct block *b0;
4784 register struct slist *s;
4786 /* link[offset] & 1 != 0 */
4787 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4789 b0 = new_block(JMP(BPF_JSET));
4796 gen_multicast(proto)
4799 register struct block *b0, *b1, *b2;
4800 register struct slist *s;
4806 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4807 /* all ARCnet multicasts use the same address */
4808 return gen_ahostop(abroadcast, Q_DST);
4810 if (linktype == DLT_EN10MB) {
4811 /* ether[0] & 1 != 0 */
4812 return gen_mac_multicast(0);
4815 if (linktype == DLT_FDDI) {
4817 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4819 * XXX - was that referring to bit-order issues?
4821 /* fddi[1] & 1 != 0 */
4822 return gen_mac_multicast(1);
4825 if (linktype == DLT_IEEE802) {
4826 /* tr[2] & 1 != 0 */
4827 return gen_mac_multicast(2);
4830 if (linktype == DLT_IEEE802_11) {
4834 * For control frames, there is no DA.
4836 * For management frames, DA is at an
4837 * offset of 4 from the beginning of
4840 * For data frames, DA is at an offset
4841 * of 4 from the beginning of the packet
4842 * if To DS is clear and at an offset of
4843 * 16 from the beginning of the packet
4848 * Generate the tests to be done for data frames.
4850 * First, check for To DS set, i.e. "link[1] & 0x01".
4852 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4854 b1 = new_block(JMP(BPF_JSET));
4855 b1->s.k = 0x01; /* To DS */
4859 * If To DS is set, the DA is at 16.
4861 b0 = gen_mac_multicast(16);
4865 * Now, check for To DS not set, i.e. check
4866 * "!(link[1] & 0x01)".
4868 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4870 b2 = new_block(JMP(BPF_JSET));
4871 b2->s.k = 0x01; /* To DS */
4876 * If To DS is not set, the DA is at 4.
4878 b1 = gen_mac_multicast(4);
4882 * Now OR together the last two checks. That gives
4883 * the complete set of checks for data frames.
4888 * Now check for a data frame.
4889 * I.e, check "link[0] & 0x08".
4891 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4893 b1 = new_block(JMP(BPF_JSET));
4898 * AND that with the checks done for data frames.
4903 * If the high-order bit of the type value is 0, this
4904 * is a management frame.
4905 * I.e, check "!(link[0] & 0x08)".
4907 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4909 b2 = new_block(JMP(BPF_JSET));
4915 * For management frames, the DA is at 4.
4917 b1 = gen_mac_multicast(4);
4921 * OR that with the checks done for data frames.
4922 * That gives the checks done for management and
4928 * If the low-order bit of the type value is 1,
4929 * this is either a control frame or a frame
4930 * with a reserved type, and thus not a
4933 * I.e., check "!(link[0] & 0x04)".
4935 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4937 b1 = new_block(JMP(BPF_JSET));
4943 * AND that with the checks for data and management
4950 if (linktype == DLT_IP_OVER_FC) {
4951 b0 = gen_mac_multicast(2);
4955 if (linktype == DLT_SUNATM && is_lane) {
4957 * Check that the packet doesn't begin with an
4958 * LE Control marker. (We've already generated
4961 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4964 /* ether[off_mac] & 1 != 0 */
4965 b0 = gen_mac_multicast(off_mac);
4970 /* Link not known to support multicasts */
4974 b0 = gen_linktype(ETHERTYPE_IP);
4975 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
4976 b1->s.code = JMP(BPF_JGE);
4982 b0 = gen_linktype(ETHERTYPE_IPV6);
4983 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
4988 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
4992 * generate command for inbound/outbound. It's here so we can
4993 * make it link-type specific. 'dir' = 0 implies "inbound",
4994 * = 1 implies "outbound".
5000 register struct block *b0;
5003 * Only some data link types support inbound/outbound qualifiers.
5007 b0 = gen_relation(BPF_JEQ,
5008 gen_load(Q_LINK, gen_loadi(0), 1),
5016 * Match packets sent by this machine.
5018 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5021 * Match packets sent to this machine.
5022 * (No broadcast or multicast packets, or
5023 * packets sent to some other machine and
5024 * received promiscuously.)
5026 * XXX - packets sent to other machines probably
5027 * shouldn't be matched, but what about broadcast
5028 * or multicast packets we received?
5030 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5035 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5036 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5040 bpf_error("inbound/outbound not supported on linktype %d",
5048 /* PF firewall log matched interface */
5050 gen_pf_ifname(const char *ifname)
5055 if (linktype == DLT_PFLOG) {
5056 len = sizeof(((struct pfloghdr *)0)->ifname);
5057 off = offsetof(struct pfloghdr, ifname);
5059 bpf_error("ifname not supported on linktype 0x%x", linktype);
5062 if (strlen(ifname) >= len) {
5063 bpf_error("ifname interface names can only be %d characters",
5067 b0 = gen_bcmp(off, strlen(ifname), ifname);
5071 /* PF firewall log matched interface */
5073 gen_pf_ruleset(char *ruleset)
5077 if (linktype != DLT_PFLOG) {
5078 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5081 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5082 bpf_error("ruleset names can only be %ld characters",
5083 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5086 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5087 strlen(ruleset), ruleset);
5091 /* PF firewall log rule number */
5097 if (linktype == DLT_PFLOG) {
5098 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5101 bpf_error("rnr not supported on linktype 0x%x", linktype);
5108 /* PF firewall log sub-rule number */
5110 gen_pf_srnr(int srnr)
5114 if (linktype != DLT_PFLOG) {
5115 bpf_error("srnr not supported on linktype 0x%x", linktype);
5119 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5124 /* PF firewall log reason code */
5126 gen_pf_reason(int reason)
5130 if (linktype == DLT_PFLOG) {
5131 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5134 bpf_error("reason not supported on linktype 0x%x", linktype);
5141 /* PF firewall log action */
5143 gen_pf_action(int action)
5147 if (linktype == DLT_PFLOG) {
5148 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5151 bpf_error("action not supported on linktype 0x%x", linktype);
5160 register const u_char *eaddr;
5163 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5164 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5165 return gen_ahostop(eaddr, (int)q.dir);
5167 bpf_error("ARCnet address used in non-arc expression");
5171 static struct block *
5172 gen_ahostop(eaddr, dir)
5173 register const u_char *eaddr;
5176 register struct block *b0, *b1;
5179 /* src comes first, different from Ethernet */
5181 return gen_bcmp(0, 1, eaddr);
5184 return gen_bcmp(1, 1, eaddr);
5187 b0 = gen_ahostop(eaddr, Q_SRC);
5188 b1 = gen_ahostop(eaddr, Q_DST);
5194 b0 = gen_ahostop(eaddr, Q_SRC);
5195 b1 = gen_ahostop(eaddr, Q_DST);
5204 * support IEEE 802.1Q VLAN trunk over ethernet
5213 * Change the offsets to point to the type and data fields within
5214 * the VLAN packet. This is somewhat of a kludge.
5216 if (orig_nl == (u_int)-1) {
5217 orig_linktype = off_linktype; /* save original values */
5219 orig_nl_nosnap = off_nl_nosnap;
5230 bpf_error("no VLAN support for data link type %d",
5236 /* check for VLAN */
5237 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5239 /* If a specific VLAN is requested, check VLAN id */
5240 if (vlan_num >= 0) {
5243 b1 = gen_cmp(orig_nl, BPF_H, (bpf_int32)vlan_num);
5252 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5264 bpf_error("'vpi' supported only on raw ATM");
5265 if (off_vpi == (u_int)-1)
5267 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5268 (u_int)jvalue, reverse);
5273 bpf_error("'vci' supported only on raw ATM");
5274 if (off_vci == (u_int)-1)
5276 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5277 (u_int)jvalue, reverse);
5281 if (off_proto == (u_int)-1)
5282 abort(); /* XXX - this isn't on FreeBSD */
5283 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5284 (u_int)jvalue, reverse);
5288 if (off_payload == (u_int)-1)
5290 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5291 (u_int)jtype, (u_int)jvalue, reverse);
5296 bpf_error("'callref' supported only on raw ATM");
5297 if (off_proto == (u_int)-1)
5299 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5300 (u_int)jvalue, reverse);
5310 gen_atmtype_abbrev(type)
5313 struct block *b0, *b1;
5318 /* Get all packets in Meta signalling Circuit */
5320 bpf_error("'metac' supported only on raw ATM");
5321 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5322 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5327 /* Get all packets in Broadcast Circuit*/
5329 bpf_error("'bcc' supported only on raw ATM");
5330 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5331 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5336 /* Get all cells in Segment OAM F4 circuit*/
5338 bpf_error("'oam4sc' supported only on raw ATM");
5339 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5340 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5345 /* Get all cells in End-to-End OAM F4 Circuit*/
5347 bpf_error("'oam4ec' supported only on raw ATM");
5348 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5349 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5354 /* Get all packets in connection Signalling Circuit */
5356 bpf_error("'sc' supported only on raw ATM");
5357 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5358 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5363 /* Get all packets in ILMI Circuit */
5365 bpf_error("'ilmic' supported only on raw ATM");
5366 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5367 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5372 /* Get all LANE packets */
5374 bpf_error("'lane' supported only on raw ATM");
5375 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5378 * Arrange that all subsequent tests assume LANE
5379 * rather than LLC-encapsulated packets, and set
5380 * the offsets appropriately for LANE-encapsulated
5383 * "off_mac" is the offset of the Ethernet header,
5384 * which is 2 bytes past the ATM pseudo-header
5385 * (skipping the pseudo-header and 2-byte LE Client
5386 * field). The other offsets are Ethernet offsets
5387 * relative to "off_mac".
5390 off_mac = off_payload + 2; /* MAC header */
5391 off_linktype = off_mac + 12;
5392 off_nl = off_mac + 14; /* Ethernet II */
5393 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5397 /* Get all LLC-encapsulated packets */
5399 bpf_error("'llc' supported only on raw ATM");
5400 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5411 static struct block *
5412 gen_msg_abbrev(type)
5418 * Q.2931 signalling protocol messages for handling virtual circuits
5419 * establishment and teardown
5424 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5428 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5432 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5436 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5440 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5443 case A_RELEASE_DONE:
5444 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5454 gen_atmmulti_abbrev(type)
5457 struct block *b0, *b1;
5463 bpf_error("'oam' supported only on raw ATM");
5464 b1 = gen_atmmulti_abbrev(A_OAMF4);
5469 bpf_error("'oamf4' supported only on raw ATM");
5471 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5472 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5474 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5480 * Get Q.2931 signalling messages for switched
5481 * virtual connection
5484 bpf_error("'connectmsg' supported only on raw ATM");
5485 b0 = gen_msg_abbrev(A_SETUP);
5486 b1 = gen_msg_abbrev(A_CALLPROCEED);
5488 b0 = gen_msg_abbrev(A_CONNECT);
5490 b0 = gen_msg_abbrev(A_CONNECTACK);
5492 b0 = gen_msg_abbrev(A_RELEASE);
5494 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5496 b0 = gen_atmtype_abbrev(A_SC);
5502 bpf_error("'metaconnect' supported only on raw ATM");
5503 b0 = gen_msg_abbrev(A_SETUP);
5504 b1 = gen_msg_abbrev(A_CALLPROCEED);
5506 b0 = gen_msg_abbrev(A_CONNECT);
5508 b0 = gen_msg_abbrev(A_RELEASE);
5510 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5512 b0 = gen_atmtype_abbrev(A_METAC);
projects / dragonfly.git / blob