1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
32 #include <pcap-stdinc.h>
39 #ifdef HAVE_SYS_BITYPES_H
40 #include <sys/bitypes.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
47 * XXX - why was this included even on UNIX?
56 #include <sys/param.h>
59 #include <netinet/in.h>
60 #include <arpa/inet.h>
76 #include "ethertype.h"
80 #include "ieee80211.h"
82 #include "sunatmpos.h"
85 #include "pcap/ipnet.h"
87 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
88 #include <linux/types.h>
89 #include <linux/if_packet.h>
90 #include <linux/filter.h>
92 #ifdef HAVE_NET_PFVAR_H
93 #include <sys/socket.h>
95 #include <net/pf/pfvar.h>
96 #include <net/pf/if_pflog.h>
99 #define offsetof(s, e) ((size_t)&((s *)0)->e)
103 #include <netdb.h> /* for "struct addrinfo" */
106 #include <pcap/namedb.h>
108 #define ETHERMTU 1500
111 #define IPPROTO_SCTP 132
114 #ifdef HAVE_OS_PROTO_H
115 #include "os-proto.h"
118 #define JMP(c) ((c)|BPF_JMP|BPF_K)
121 static jmp_buf top_ctx;
122 static pcap_t *bpf_pcap;
124 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
126 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
128 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
133 static int pcap_fddipad;
138 bpf_error(const char *fmt, ...)
143 if (bpf_pcap != NULL)
144 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
151 static void init_linktype(pcap_t *);
153 static void init_regs(void);
154 static int alloc_reg(void);
155 static void free_reg(int);
157 static struct block *root;
160 * Value passed to gen_load_a() to indicate what the offset argument
164 OR_PACKET, /* relative to the beginning of the packet */
165 OR_LINK, /* relative to the beginning of the link-layer header */
166 OR_MACPL, /* relative to the end of the MAC-layer header */
167 OR_NET, /* relative to the network-layer header */
168 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
169 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
170 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
175 * As errors are handled by a longjmp, anything allocated must be freed
176 * in the longjmp handler, so it must be reachable from that handler.
177 * One thing that's allocated is the result of pcap_nametoaddrinfo();
178 * it must be freed with freeaddrinfo(). This variable points to any
179 * addrinfo structure that would need to be freed.
181 static struct addrinfo *ai;
185 * We divy out chunks of memory rather than call malloc each time so
186 * we don't have to worry about leaking memory. It's probably
187 * not a big deal if all this memory was wasted but if this ever
188 * goes into a library that would probably not be a good idea.
190 * XXX - this *is* in a library....
193 #define CHUNK0SIZE 1024
199 static struct chunk chunks[NCHUNKS];
200 static int cur_chunk;
202 static void *newchunk(u_int);
203 static void freechunks(void);
204 static inline struct block *new_block(int);
205 static inline struct slist *new_stmt(int);
206 static struct block *gen_retblk(int);
207 static inline void syntax(void);
209 static void backpatch(struct block *, struct block *);
210 static void merge(struct block *, struct block *);
211 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
212 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
213 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
214 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
215 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
216 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
218 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
219 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
220 bpf_u_int32, bpf_u_int32, int, bpf_int32);
221 static struct slist *gen_load_llrel(u_int, u_int);
222 static struct slist *gen_load_macplrel(u_int, u_int);
223 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
224 static struct slist *gen_loadx_iphdrlen(void);
225 static struct block *gen_uncond(int);
226 static inline struct block *gen_true(void);
227 static inline struct block *gen_false(void);
228 static struct block *gen_ether_linktype(int);
229 static struct block *gen_ipnet_linktype(int);
230 static struct block *gen_linux_sll_linktype(int);
231 static struct slist *gen_load_prism_llprefixlen(void);
232 static struct slist *gen_load_avs_llprefixlen(void);
233 static struct slist *gen_load_radiotap_llprefixlen(void);
234 static struct slist *gen_load_ppi_llprefixlen(void);
235 static void insert_compute_vloffsets(struct block *);
236 static struct slist *gen_llprefixlen(void);
237 static struct slist *gen_off_macpl(void);
238 static int ethertype_to_ppptype(int);
239 static struct block *gen_linktype(int);
240 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
241 static struct block *gen_llc_linktype(int);
242 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
244 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
246 static struct block *gen_ahostop(const u_char *, int);
247 static struct block *gen_ehostop(const u_char *, int);
248 static struct block *gen_fhostop(const u_char *, int);
249 static struct block *gen_thostop(const u_char *, int);
250 static struct block *gen_wlanhostop(const u_char *, int);
251 static struct block *gen_ipfchostop(const u_char *, int);
252 static struct block *gen_dnhostop(bpf_u_int32, int);
253 static struct block *gen_mpls_linktype(int);
254 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
256 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
259 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
261 static struct block *gen_ipfrag(void);
262 static struct block *gen_portatom(int, bpf_int32);
263 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
265 static struct block *gen_portatom6(int, bpf_int32);
266 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
268 struct block *gen_portop(int, int, int);
269 static struct block *gen_port(int, int, int);
270 struct block *gen_portrangeop(int, int, int, int);
271 static struct block *gen_portrange(int, int, int, int);
273 struct block *gen_portop6(int, int, int);
274 static struct block *gen_port6(int, int, int);
275 struct block *gen_portrangeop6(int, int, int, int);
276 static struct block *gen_portrange6(int, int, int, int);
278 static int lookup_proto(const char *, int);
279 static struct block *gen_protochain(int, int, int);
280 static struct block *gen_proto(int, int, int);
281 static struct slist *xfer_to_x(struct arth *);
282 static struct slist *xfer_to_a(struct arth *);
283 static struct block *gen_mac_multicast(int);
284 static struct block *gen_len(int, int);
285 static struct block *gen_check_802_11_data_frame(void);
287 static struct block *gen_ppi_dlt_check(void);
288 static struct block *gen_msg_abbrev(int type);
299 /* XXX Round up to nearest long. */
300 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
302 /* XXX Round up to structure boundary. */
306 cp = &chunks[cur_chunk];
307 if (n > cp->n_left) {
308 ++cp, k = ++cur_chunk;
310 bpf_error("out of memory");
311 size = CHUNK0SIZE << k;
312 cp->m = (void *)malloc(size);
314 bpf_error("out of memory");
315 memset((char *)cp->m, 0, size);
318 bpf_error("out of memory");
321 return (void *)((char *)cp->m + cp->n_left);
330 for (i = 0; i < NCHUNKS; ++i)
331 if (chunks[i].m != NULL) {
338 * A strdup whose allocations are freed after code generation is over.
342 register const char *s;
344 int n = strlen(s) + 1;
345 char *cp = newchunk(n);
351 static inline struct block *
357 p = (struct block *)newchunk(sizeof(*p));
364 static inline struct slist *
370 p = (struct slist *)newchunk(sizeof(*p));
376 static struct block *
380 struct block *b = new_block(BPF_RET|BPF_K);
389 bpf_error("syntax error in filter expression");
392 static bpf_u_int32 netmask;
397 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
398 const char *buf, int optimize, bpf_u_int32 mask);
401 pcap_compile(pcap_t *p, struct bpf_program *program,
402 const char *buf, int optimize, bpf_u_int32 mask)
406 EnterCriticalSection(&g_PcapCompileCriticalSection);
408 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
410 LeaveCriticalSection(&g_PcapCompileCriticalSection);
416 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
417 const char *buf, int optimize, bpf_u_int32 mask)
420 pcap_compile(pcap_t *p, struct bpf_program *program,
421 const char *buf, int optimize, bpf_u_int32 mask)
425 const char * volatile xbuf = buf;
433 if (setjmp(top_ctx)) {
447 snaplen = pcap_snapshot(p);
449 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
450 "snaplen of 0 rejects all packets");
454 lex_init(xbuf ? xbuf : "");
462 root = gen_retblk(snaplen);
464 if (optimize && !no_optimize) {
467 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
468 bpf_error("expression rejects all packets");
470 program->bf_insns = icode_to_fcode(root, &len);
471 program->bf_len = len;
479 * entry point for using the compiler with no pcap open
480 * pass in all the stuff that is needed explicitly instead.
483 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
484 struct bpf_program *program,
485 const char *buf, int optimize, bpf_u_int32 mask)
490 p = pcap_open_dead(linktype_arg, snaplen_arg);
493 ret = pcap_compile(p, program, buf, optimize, mask);
499 * Clean up a "struct bpf_program" by freeing all the memory allocated
503 pcap_freecode(struct bpf_program *program)
506 if (program->bf_insns != NULL) {
507 free((char *)program->bf_insns);
508 program->bf_insns = NULL;
513 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
514 * which of the jt and jf fields has been resolved and which is a pointer
515 * back to another unresolved block (or nil). At least one of the fields
516 * in each block is already resolved.
519 backpatch(list, target)
520 struct block *list, *target;
537 * Merge the lists in b0 and b1, using the 'sense' field to indicate
538 * which of jt and jf is the link.
542 struct block *b0, *b1;
544 register struct block **p = &b0;
546 /* Find end of list. */
548 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
550 /* Concatenate the lists. */
558 struct block *ppi_dlt_check;
561 * Insert before the statements of the first (root) block any
562 * statements needed to load the lengths of any variable-length
563 * headers into registers.
565 * XXX - a fancier strategy would be to insert those before the
566 * statements of all blocks that use those lengths and that
567 * have no predecessors that use them, so that we only compute
568 * the lengths if we need them. There might be even better
569 * approaches than that.
571 * However, those strategies would be more complicated, and
572 * as we don't generate code to compute a length if the
573 * program has no tests that use the length, and as most
574 * tests will probably use those lengths, we would just
575 * postpone computing the lengths so that it's not done
576 * for tests that fail early, and it's not clear that's
579 insert_compute_vloffsets(p->head);
582 * For DLT_PPI captures, generate a check of the per-packet
583 * DLT value to make sure it's DLT_IEEE802_11.
585 ppi_dlt_check = gen_ppi_dlt_check();
586 if (ppi_dlt_check != NULL)
587 gen_and(ppi_dlt_check, p);
589 backpatch(p, gen_retblk(snaplen));
590 p->sense = !p->sense;
591 backpatch(p, gen_retblk(0));
597 struct block *b0, *b1;
599 backpatch(b0, b1->head);
600 b0->sense = !b0->sense;
601 b1->sense = !b1->sense;
603 b1->sense = !b1->sense;
609 struct block *b0, *b1;
611 b0->sense = !b0->sense;
612 backpatch(b0, b1->head);
613 b0->sense = !b0->sense;
622 b->sense = !b->sense;
625 static struct block *
626 gen_cmp(offrel, offset, size, v)
627 enum e_offrel offrel;
631 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
634 static struct block *
635 gen_cmp_gt(offrel, offset, size, v)
636 enum e_offrel offrel;
640 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
643 static struct block *
644 gen_cmp_ge(offrel, offset, size, v)
645 enum e_offrel offrel;
649 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
652 static struct block *
653 gen_cmp_lt(offrel, offset, size, v)
654 enum e_offrel offrel;
658 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
661 static struct block *
662 gen_cmp_le(offrel, offset, size, v)
663 enum e_offrel offrel;
667 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
670 static struct block *
671 gen_mcmp(offrel, offset, size, v, mask)
672 enum e_offrel offrel;
677 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
680 static struct block *
681 gen_bcmp(offrel, offset, size, v)
682 enum e_offrel offrel;
683 register u_int offset, size;
684 register const u_char *v;
686 register struct block *b, *tmp;
690 register const u_char *p = &v[size - 4];
691 bpf_int32 w = ((bpf_int32)p[0] << 24) |
692 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
694 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
701 register const u_char *p = &v[size - 2];
702 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
704 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
711 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
720 * AND the field of size "size" at offset "offset" relative to the header
721 * specified by "offrel" with "mask", and compare it with the value "v"
722 * with the test specified by "jtype"; if "reverse" is true, the test
723 * should test the opposite of "jtype".
725 static struct block *
726 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
727 enum e_offrel offrel;
729 bpf_u_int32 offset, size, mask, jtype;
732 struct slist *s, *s2;
735 s = gen_load_a(offrel, offset, size);
737 if (mask != 0xffffffff) {
738 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
743 b = new_block(JMP(jtype));
746 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
752 * Various code constructs need to know the layout of the data link
753 * layer. These variables give the necessary offsets from the beginning
754 * of the packet data.
758 * This is the offset of the beginning of the link-layer header from
759 * the beginning of the raw packet data.
761 * It's usually 0, except for 802.11 with a fixed-length radio header.
762 * (For 802.11 with a variable-length radio header, we have to generate
763 * code to compute that offset; off_ll is 0 in that case.)
768 * If there's a variable-length header preceding the link-layer header,
769 * "reg_off_ll" is the register number for a register containing the
770 * length of that header, and therefore the offset of the link-layer
771 * header from the beginning of the raw packet data. Otherwise,
772 * "reg_off_ll" is -1.
774 static int reg_off_ll;
777 * This is the offset of the beginning of the MAC-layer header from
778 * the beginning of the link-layer header.
779 * It's usually 0, except for ATM LANE, where it's the offset, relative
780 * to the beginning of the raw packet data, of the Ethernet header, and
781 * for Ethernet with various additional information.
783 static u_int off_mac;
786 * This is the offset of the beginning of the MAC-layer payload,
787 * from the beginning of the raw packet data.
789 * I.e., it's the sum of the length of the link-layer header (without,
790 * for example, any 802.2 LLC header, so it's the MAC-layer
791 * portion of that header), plus any prefix preceding the
794 static u_int off_macpl;
797 * This is 1 if the offset of the beginning of the MAC-layer payload
798 * from the beginning of the link-layer header is variable-length.
800 static int off_macpl_is_variable;
803 * If the link layer has variable_length headers, "reg_off_macpl"
804 * is the register number for a register containing the length of the
805 * link-layer header plus the length of any variable-length header
806 * preceding the link-layer header. Otherwise, "reg_off_macpl"
809 static int reg_off_macpl;
812 * "off_linktype" is the offset to information in the link-layer header
813 * giving the packet type. This offset is relative to the beginning
814 * of the link-layer header (i.e., it doesn't include off_ll).
816 * For Ethernet, it's the offset of the Ethernet type field.
818 * For link-layer types that always use 802.2 headers, it's the
819 * offset of the LLC header.
821 * For PPP, it's the offset of the PPP type field.
823 * For Cisco HDLC, it's the offset of the CHDLC type field.
825 * For BSD loopback, it's the offset of the AF_ value.
827 * For Linux cooked sockets, it's the offset of the type field.
829 * It's set to -1 for no encapsulation, in which case, IP is assumed.
831 static u_int off_linktype;
834 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
835 * checks to check the PPP header, assumed to follow a LAN-style link-
836 * layer header and a PPPoE session header.
838 static int is_pppoes = 0;
841 * TRUE if the link layer includes an ATM pseudo-header.
843 static int is_atm = 0;
846 * TRUE if "lane" appeared in the filter; it causes us to generate
847 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
849 static int is_lane = 0;
852 * These are offsets for the ATM pseudo-header.
854 static u_int off_vpi;
855 static u_int off_vci;
856 static u_int off_proto;
859 * These are offsets for the MTP2 fields.
864 * These are offsets for the MTP3 fields.
866 static u_int off_sio;
867 static u_int off_opc;
868 static u_int off_dpc;
869 static u_int off_sls;
872 * This is the offset of the first byte after the ATM pseudo_header,
873 * or -1 if there is no ATM pseudo-header.
875 static u_int off_payload;
878 * These are offsets to the beginning of the network-layer header.
879 * They are relative to the beginning of the MAC-layer payload (i.e.,
880 * they don't include off_ll or off_macpl).
882 * If the link layer never uses 802.2 LLC:
884 * "off_nl" and "off_nl_nosnap" are the same.
886 * If the link layer always uses 802.2 LLC:
888 * "off_nl" is the offset if there's a SNAP header following
891 * "off_nl_nosnap" is the offset if there's no SNAP header.
893 * If the link layer is Ethernet:
895 * "off_nl" is the offset if the packet is an Ethernet II packet
896 * (we assume no 802.3+802.2+SNAP);
898 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
899 * with an 802.2 header following it.
902 static u_int off_nl_nosnap;
910 linktype = pcap_datalink(p);
912 pcap_fddipad = p->fddipad;
916 * Assume it's not raw ATM with a pseudo-header, for now.
927 * And that we're not doing PPPoE.
932 * And assume we're not doing SS7.
941 * Also assume it's not 802.11.
945 off_macpl_is_variable = 0;
949 label_stack_depth = 0;
959 off_nl = 0; /* XXX in reality, variable! */
960 off_nl_nosnap = 0; /* no 802.2 LLC */
963 case DLT_ARCNET_LINUX:
966 off_nl = 0; /* XXX in reality, variable! */
967 off_nl_nosnap = 0; /* no 802.2 LLC */
972 off_macpl = 14; /* Ethernet header length */
973 off_nl = 0; /* Ethernet II */
974 off_nl_nosnap = 3; /* 802.3+802.2 */
979 * SLIP doesn't have a link level type. The 16 byte
980 * header is hacked into our SLIP driver.
985 off_nl_nosnap = 0; /* no 802.2 LLC */
989 /* XXX this may be the same as the DLT_PPP_BSDOS case */
994 off_nl_nosnap = 0; /* no 802.2 LLC */
1002 off_nl_nosnap = 0; /* no 802.2 LLC */
1009 off_nl_nosnap = 0; /* no 802.2 LLC */
1014 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1015 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1019 off_nl_nosnap = 0; /* no 802.2 LLC */
1024 * This does no include the Ethernet header, and
1025 * only covers session state.
1030 off_nl_nosnap = 0; /* no 802.2 LLC */
1037 off_nl_nosnap = 0; /* no 802.2 LLC */
1042 * FDDI doesn't really have a link-level type field.
1043 * We set "off_linktype" to the offset of the LLC header.
1045 * To check for Ethernet types, we assume that SSAP = SNAP
1046 * is being used and pick out the encapsulated Ethernet type.
1047 * XXX - should we generate code to check for SNAP?
1051 off_linktype += pcap_fddipad;
1053 off_macpl = 13; /* FDDI MAC header length */
1055 off_macpl += pcap_fddipad;
1057 off_nl = 8; /* 802.2+SNAP */
1058 off_nl_nosnap = 3; /* 802.2 */
1063 * Token Ring doesn't really have a link-level type field.
1064 * We set "off_linktype" to the offset of the LLC header.
1066 * To check for Ethernet types, we assume that SSAP = SNAP
1067 * is being used and pick out the encapsulated Ethernet type.
1068 * XXX - should we generate code to check for SNAP?
1070 * XXX - the header is actually variable-length.
1071 * Some various Linux patched versions gave 38
1072 * as "off_linktype" and 40 as "off_nl"; however,
1073 * if a token ring packet has *no* routing
1074 * information, i.e. is not source-routed, the correct
1075 * values are 20 and 22, as they are in the vanilla code.
1077 * A packet is source-routed iff the uppermost bit
1078 * of the first byte of the source address, at an
1079 * offset of 8, has the uppermost bit set. If the
1080 * packet is source-routed, the total number of bytes
1081 * of routing information is 2 plus bits 0x1F00 of
1082 * the 16-bit value at an offset of 14 (shifted right
1083 * 8 - figure out which byte that is).
1086 off_macpl = 14; /* Token Ring MAC header length */
1087 off_nl = 8; /* 802.2+SNAP */
1088 off_nl_nosnap = 3; /* 802.2 */
1091 case DLT_IEEE802_11:
1092 case DLT_PRISM_HEADER:
1093 case DLT_IEEE802_11_RADIO_AVS:
1094 case DLT_IEEE802_11_RADIO:
1096 * 802.11 doesn't really have a link-level type field.
1097 * We set "off_linktype" to the offset of the LLC header.
1099 * To check for Ethernet types, we assume that SSAP = SNAP
1100 * is being used and pick out the encapsulated Ethernet type.
1101 * XXX - should we generate code to check for SNAP?
1103 * We also handle variable-length radio headers here.
1104 * The Prism header is in theory variable-length, but in
1105 * practice it's always 144 bytes long. However, some
1106 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1107 * sometimes or always supply an AVS header, so we
1108 * have to check whether the radio header is a Prism
1109 * header or an AVS header, so, in practice, it's
1113 off_macpl = 0; /* link-layer header is variable-length */
1114 off_macpl_is_variable = 1;
1115 off_nl = 8; /* 802.2+SNAP */
1116 off_nl_nosnap = 3; /* 802.2 */
1121 * At the moment we treat PPI the same way that we treat
1122 * normal Radiotap encoded packets. The difference is in
1123 * the function that generates the code at the beginning
1124 * to compute the header length. Since this code generator
1125 * of PPI supports bare 802.11 encapsulation only (i.e.
1126 * the encapsulated DLT should be DLT_IEEE802_11) we
1127 * generate code to check for this too.
1130 off_macpl = 0; /* link-layer header is variable-length */
1131 off_macpl_is_variable = 1;
1132 off_nl = 8; /* 802.2+SNAP */
1133 off_nl_nosnap = 3; /* 802.2 */
1136 case DLT_ATM_RFC1483:
1137 case DLT_ATM_CLIP: /* Linux ATM defines this */
1139 * assume routed, non-ISO PDUs
1140 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1142 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1143 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1144 * latter would presumably be treated the way PPPoE
1145 * should be, so you can do "pppoe and udp port 2049"
1146 * or "pppoa and tcp port 80" and have it check for
1147 * PPPo{A,E} and a PPP protocol of IP and....
1150 off_macpl = 0; /* packet begins with LLC header */
1151 off_nl = 8; /* 802.2+SNAP */
1152 off_nl_nosnap = 3; /* 802.2 */
1157 * Full Frontal ATM; you get AALn PDUs with an ATM
1161 off_vpi = SUNATM_VPI_POS;
1162 off_vci = SUNATM_VCI_POS;
1163 off_proto = PROTO_POS;
1164 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1165 off_payload = SUNATM_PKT_BEGIN_POS;
1166 off_linktype = off_payload;
1167 off_macpl = off_payload; /* if LLC-encapsulated */
1168 off_nl = 8; /* 802.2+SNAP */
1169 off_nl_nosnap = 3; /* 802.2 */
1178 off_nl_nosnap = 0; /* no 802.2 LLC */
1181 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1185 off_nl_nosnap = 0; /* no 802.2 LLC */
1190 * LocalTalk does have a 1-byte type field in the LLAP header,
1191 * but really it just indicates whether there is a "short" or
1192 * "long" DDP packet following.
1197 off_nl_nosnap = 0; /* no 802.2 LLC */
1200 case DLT_IP_OVER_FC:
1202 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1203 * link-level type field. We set "off_linktype" to the
1204 * offset of the LLC header.
1206 * To check for Ethernet types, we assume that SSAP = SNAP
1207 * is being used and pick out the encapsulated Ethernet type.
1208 * XXX - should we generate code to check for SNAP? RFC
1209 * 2625 says SNAP should be used.
1213 off_nl = 8; /* 802.2+SNAP */
1214 off_nl_nosnap = 3; /* 802.2 */
1219 * XXX - we should set this to handle SNAP-encapsulated
1220 * frames (NLPID of 0x80).
1225 off_nl_nosnap = 0; /* no 802.2 LLC */
1229 * the only BPF-interesting FRF.16 frames are non-control frames;
1230 * Frame Relay has a variable length link-layer
1231 * so lets start with offset 4 for now and increments later on (FIXME);
1237 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1240 case DLT_APPLE_IP_OVER_IEEE1394:
1244 off_nl_nosnap = 0; /* no 802.2 LLC */
1247 case DLT_SYMANTEC_FIREWALL:
1250 off_nl = 0; /* Ethernet II */
1251 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1254 #ifdef HAVE_NET_PFVAR_H
1257 off_macpl = PFLOG_HDRLEN;
1259 off_nl_nosnap = 0; /* no 802.2 LLC */
1263 case DLT_JUNIPER_MFR:
1264 case DLT_JUNIPER_MLFR:
1265 case DLT_JUNIPER_MLPPP:
1266 case DLT_JUNIPER_PPP:
1267 case DLT_JUNIPER_CHDLC:
1268 case DLT_JUNIPER_FRELAY:
1272 off_nl_nosnap = -1; /* no 802.2 LLC */
1275 case DLT_JUNIPER_ATM1:
1276 off_linktype = 4; /* in reality variable between 4-8 */
1277 off_macpl = 4; /* in reality variable between 4-8 */
1282 case DLT_JUNIPER_ATM2:
1283 off_linktype = 8; /* in reality variable between 8-12 */
1284 off_macpl = 8; /* in reality variable between 8-12 */
1289 /* frames captured on a Juniper PPPoE service PIC
1290 * contain raw ethernet frames */
1291 case DLT_JUNIPER_PPPOE:
1292 case DLT_JUNIPER_ETHER:
1295 off_nl = 18; /* Ethernet II */
1296 off_nl_nosnap = 21; /* 802.3+802.2 */
1299 case DLT_JUNIPER_PPPOE_ATM:
1303 off_nl_nosnap = -1; /* no 802.2 LLC */
1306 case DLT_JUNIPER_GGSN:
1310 off_nl_nosnap = -1; /* no 802.2 LLC */
1313 case DLT_JUNIPER_ES:
1315 off_macpl = -1; /* not really a network layer but raw IP addresses */
1316 off_nl = -1; /* not really a network layer but raw IP addresses */
1317 off_nl_nosnap = -1; /* no 802.2 LLC */
1320 case DLT_JUNIPER_MONITOR:
1323 off_nl = 0; /* raw IP/IP6 header */
1324 off_nl_nosnap = -1; /* no 802.2 LLC */
1327 case DLT_JUNIPER_SERVICES:
1329 off_macpl = -1; /* L3 proto location dep. on cookie type */
1330 off_nl = -1; /* L3 proto location dep. on cookie type */
1331 off_nl_nosnap = -1; /* no 802.2 LLC */
1334 case DLT_JUNIPER_VP:
1341 case DLT_JUNIPER_ST:
1348 case DLT_JUNIPER_ISM:
1355 case DLT_JUNIPER_VS:
1356 case DLT_JUNIPER_SRX_E2E:
1357 case DLT_JUNIPER_FIBRECHANNEL:
1358 case DLT_JUNIPER_ATM_CEMIC:
1377 case DLT_MTP2_WITH_PHDR:
1410 * Currently, only raw "link[N:M]" filtering is supported.
1412 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1414 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1415 off_nl_nosnap = -1; /* no 802.2 LLC */
1416 off_mac = 1; /* step over the kiss length byte */
1421 off_macpl = 24; /* ipnet header length */
1426 case DLT_NETANALYZER:
1427 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1428 off_linktype = 16; /* includes 4-byte pseudo-header */
1429 off_macpl = 18; /* pseudo-header+Ethernet header length */
1430 off_nl = 0; /* Ethernet II */
1431 off_nl_nosnap = 3; /* 802.3+802.2 */
1434 case DLT_NETANALYZER_TRANSPARENT:
1435 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1436 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1437 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1438 off_nl = 0; /* Ethernet II */
1439 off_nl_nosnap = 3; /* 802.3+802.2 */
1444 * For values in the range in which we've assigned new
1445 * DLT_ values, only raw "link[N:M]" filtering is supported.
1447 if (linktype >= DLT_MATCHING_MIN &&
1448 linktype <= DLT_MATCHING_MAX) {
1457 bpf_error("unknown data link type %d", linktype);
1462 * Load a value relative to the beginning of the link-layer header.
1463 * The link-layer header doesn't necessarily begin at the beginning
1464 * of the packet data; there might be a variable-length prefix containing
1465 * radio information.
1467 static struct slist *
1468 gen_load_llrel(offset, size)
1471 struct slist *s, *s2;
1473 s = gen_llprefixlen();
1476 * If "s" is non-null, it has code to arrange that the X register
1477 * contains the length of the prefix preceding the link-layer
1480 * Otherwise, the length of the prefix preceding the link-layer
1481 * header is "off_ll".
1485 * There's a variable-length prefix preceding the
1486 * link-layer header. "s" points to a list of statements
1487 * that put the length of that prefix into the X register.
1488 * do an indirect load, to use the X register as an offset.
1490 s2 = new_stmt(BPF_LD|BPF_IND|size);
1495 * There is no variable-length header preceding the
1496 * link-layer header; add in off_ll, which, if there's
1497 * a fixed-length header preceding the link-layer header,
1498 * is the length of that header.
1500 s = new_stmt(BPF_LD|BPF_ABS|size);
1501 s->s.k = offset + off_ll;
1507 * Load a value relative to the beginning of the MAC-layer payload.
1509 static struct slist *
1510 gen_load_macplrel(offset, size)
1513 struct slist *s, *s2;
1515 s = gen_off_macpl();
1518 * If s is non-null, the offset of the MAC-layer payload is
1519 * variable, and s points to a list of instructions that
1520 * arrange that the X register contains that offset.
1522 * Otherwise, the offset of the MAC-layer payload is constant,
1523 * and is in off_macpl.
1527 * The offset of the MAC-layer payload is in the X
1528 * register. Do an indirect load, to use the X register
1531 s2 = new_stmt(BPF_LD|BPF_IND|size);
1536 * The offset of the MAC-layer payload is constant,
1537 * and is in off_macpl; load the value at that offset
1538 * plus the specified offset.
1540 s = new_stmt(BPF_LD|BPF_ABS|size);
1541 s->s.k = off_macpl + offset;
1547 * Load a value relative to the beginning of the specified header.
1549 static struct slist *
1550 gen_load_a(offrel, offset, size)
1551 enum e_offrel offrel;
1554 struct slist *s, *s2;
1559 s = new_stmt(BPF_LD|BPF_ABS|size);
1564 s = gen_load_llrel(offset, size);
1568 s = gen_load_macplrel(offset, size);
1572 s = gen_load_macplrel(off_nl + offset, size);
1576 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1581 * Load the X register with the length of the IPv4 header
1582 * (plus the offset of the link-layer header, if it's
1583 * preceded by a variable-length header such as a radio
1584 * header), in bytes.
1586 s = gen_loadx_iphdrlen();
1589 * Load the item at {offset of the MAC-layer payload} +
1590 * {offset, relative to the start of the MAC-layer
1591 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1592 * {specified offset}.
1594 * (If the offset of the MAC-layer payload is variable,
1595 * it's included in the value in the X register, and
1598 s2 = new_stmt(BPF_LD|BPF_IND|size);
1599 s2->s.k = off_macpl + off_nl + offset;
1604 s = gen_load_macplrel(off_nl + 40 + offset, size);
1615 * Generate code to load into the X register the sum of the length of
1616 * the IPv4 header and any variable-length header preceding the link-layer
1619 static struct slist *
1620 gen_loadx_iphdrlen()
1622 struct slist *s, *s2;
1624 s = gen_off_macpl();
1627 * There's a variable-length prefix preceding the
1628 * link-layer header, or the link-layer header is itself
1629 * variable-length. "s" points to a list of statements
1630 * that put the offset of the MAC-layer payload into
1633 * The 4*([k]&0xf) addressing mode can't be used, as we
1634 * don't have a constant offset, so we have to load the
1635 * value in question into the A register and add to it
1636 * the value from the X register.
1638 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1641 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1644 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1649 * The A register now contains the length of the
1650 * IP header. We need to add to it the offset of
1651 * the MAC-layer payload, which is still in the X
1652 * register, and move the result into the X register.
1654 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1655 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1658 * There is no variable-length header preceding the
1659 * link-layer header, and the link-layer header is
1660 * fixed-length; load the length of the IPv4 header,
1661 * which is at an offset of off_nl from the beginning
1662 * of the MAC-layer payload, and thus at an offset
1663 * of off_mac_pl + off_nl from the beginning of the
1666 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1667 s->s.k = off_macpl + off_nl;
1672 static struct block *
1679 s = new_stmt(BPF_LD|BPF_IMM);
1681 b = new_block(JMP(BPF_JEQ));
1687 static inline struct block *
1690 return gen_uncond(1);
1693 static inline struct block *
1696 return gen_uncond(0);
1700 * Byte-swap a 32-bit number.
1701 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1702 * big-endian platforms.)
1704 #define SWAPLONG(y) \
1705 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1708 * Generate code to match a particular packet type.
1710 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1711 * value, if <= ETHERMTU. We use that to determine whether to
1712 * match the type/length field or to check the type/length field for
1713 * a value <= ETHERMTU to see whether it's a type field and then do
1714 * the appropriate test.
1716 static struct block *
1717 gen_ether_linktype(proto)
1720 struct block *b0, *b1;
1726 case LLCSAP_NETBEUI:
1728 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1729 * so we check the DSAP and SSAP.
1731 * LLCSAP_IP checks for IP-over-802.2, rather
1732 * than IP-over-Ethernet or IP-over-SNAP.
1734 * XXX - should we check both the DSAP and the
1735 * SSAP, like this, or should we check just the
1736 * DSAP, as we do for other types <= ETHERMTU
1737 * (i.e., other SAP values)?
1739 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1741 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1742 ((proto << 8) | proto));
1750 * Ethernet_II frames, which are Ethernet
1751 * frames with a frame type of ETHERTYPE_IPX;
1753 * Ethernet_802.3 frames, which are 802.3
1754 * frames (i.e., the type/length field is
1755 * a length field, <= ETHERMTU, rather than
1756 * a type field) with the first two bytes
1757 * after the Ethernet/802.3 header being
1760 * Ethernet_802.2 frames, which are 802.3
1761 * frames with an 802.2 LLC header and
1762 * with the IPX LSAP as the DSAP in the LLC
1765 * Ethernet_SNAP frames, which are 802.3
1766 * frames with an LLC header and a SNAP
1767 * header and with an OUI of 0x000000
1768 * (encapsulated Ethernet) and a protocol
1769 * ID of ETHERTYPE_IPX in the SNAP header.
1771 * XXX - should we generate the same code both
1772 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1776 * This generates code to check both for the
1777 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1779 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1780 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1784 * Now we add code to check for SNAP frames with
1785 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1787 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1791 * Now we generate code to check for 802.3
1792 * frames in general.
1794 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1798 * Now add the check for 802.3 frames before the
1799 * check for Ethernet_802.2 and Ethernet_802.3,
1800 * as those checks should only be done on 802.3
1801 * frames, not on Ethernet frames.
1806 * Now add the check for Ethernet_II frames, and
1807 * do that before checking for the other frame
1810 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1811 (bpf_int32)ETHERTYPE_IPX);
1815 case ETHERTYPE_ATALK:
1816 case ETHERTYPE_AARP:
1818 * EtherTalk (AppleTalk protocols on Ethernet link
1819 * layer) may use 802.2 encapsulation.
1823 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1824 * we check for an Ethernet type field less than
1825 * 1500, which means it's an 802.3 length field.
1827 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1831 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1832 * SNAP packets with an organization code of
1833 * 0x080007 (Apple, for Appletalk) and a protocol
1834 * type of ETHERTYPE_ATALK (Appletalk).
1836 * 802.2-encapsulated ETHERTYPE_AARP packets are
1837 * SNAP packets with an organization code of
1838 * 0x000000 (encapsulated Ethernet) and a protocol
1839 * type of ETHERTYPE_AARP (Appletalk ARP).
1841 if (proto == ETHERTYPE_ATALK)
1842 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1843 else /* proto == ETHERTYPE_AARP */
1844 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1848 * Check for Ethernet encapsulation (Ethertalk
1849 * phase 1?); we just check for the Ethernet
1852 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1858 if (proto <= ETHERMTU) {
1860 * This is an LLC SAP value, so the frames
1861 * that match would be 802.2 frames.
1862 * Check that the frame is an 802.2 frame
1863 * (i.e., that the length/type field is
1864 * a length field, <= ETHERMTU) and
1865 * then check the DSAP.
1867 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1869 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1875 * This is an Ethernet type, so compare
1876 * the length/type field with it (if
1877 * the frame is an 802.2 frame, the length
1878 * field will be <= ETHERMTU, and, as
1879 * "proto" is > ETHERMTU, this test
1880 * will fail and the frame won't match,
1881 * which is what we want).
1883 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1890 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1891 * or IPv6 then we have an error.
1893 static struct block *
1894 gen_ipnet_linktype(proto)
1900 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1901 (bpf_int32)IPH_AF_INET);
1904 case ETHERTYPE_IPV6:
1905 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1906 (bpf_int32)IPH_AF_INET6);
1917 * Generate code to match a particular packet type.
1919 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1920 * value, if <= ETHERMTU. We use that to determine whether to
1921 * match the type field or to check the type field for the special
1922 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1924 static struct block *
1925 gen_linux_sll_linktype(proto)
1928 struct block *b0, *b1;
1934 case LLCSAP_NETBEUI:
1936 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1937 * so we check the DSAP and SSAP.
1939 * LLCSAP_IP checks for IP-over-802.2, rather
1940 * than IP-over-Ethernet or IP-over-SNAP.
1942 * XXX - should we check both the DSAP and the
1943 * SSAP, like this, or should we check just the
1944 * DSAP, as we do for other types <= ETHERMTU
1945 * (i.e., other SAP values)?
1947 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1948 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1949 ((proto << 8) | proto));
1955 * Ethernet_II frames, which are Ethernet
1956 * frames with a frame type of ETHERTYPE_IPX;
1958 * Ethernet_802.3 frames, which have a frame
1959 * type of LINUX_SLL_P_802_3;
1961 * Ethernet_802.2 frames, which are 802.3
1962 * frames with an 802.2 LLC header (i.e, have
1963 * a frame type of LINUX_SLL_P_802_2) and
1964 * with the IPX LSAP as the DSAP in the LLC
1967 * Ethernet_SNAP frames, which are 802.3
1968 * frames with an LLC header and a SNAP
1969 * header and with an OUI of 0x000000
1970 * (encapsulated Ethernet) and a protocol
1971 * ID of ETHERTYPE_IPX in the SNAP header.
1973 * First, do the checks on LINUX_SLL_P_802_2
1974 * frames; generate the check for either
1975 * Ethernet_802.2 or Ethernet_SNAP frames, and
1976 * then put a check for LINUX_SLL_P_802_2 frames
1979 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1980 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
1982 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1986 * Now check for 802.3 frames and OR that with
1987 * the previous test.
1989 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1993 * Now add the check for Ethernet_II frames, and
1994 * do that before checking for the other frame
1997 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1998 (bpf_int32)ETHERTYPE_IPX);
2002 case ETHERTYPE_ATALK:
2003 case ETHERTYPE_AARP:
2005 * EtherTalk (AppleTalk protocols on Ethernet link
2006 * layer) may use 802.2 encapsulation.
2010 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2011 * we check for the 802.2 protocol type in the
2012 * "Ethernet type" field.
2014 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2017 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2018 * SNAP packets with an organization code of
2019 * 0x080007 (Apple, for Appletalk) and a protocol
2020 * type of ETHERTYPE_ATALK (Appletalk).
2022 * 802.2-encapsulated ETHERTYPE_AARP packets are
2023 * SNAP packets with an organization code of
2024 * 0x000000 (encapsulated Ethernet) and a protocol
2025 * type of ETHERTYPE_AARP (Appletalk ARP).
2027 if (proto == ETHERTYPE_ATALK)
2028 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2029 else /* proto == ETHERTYPE_AARP */
2030 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2034 * Check for Ethernet encapsulation (Ethertalk
2035 * phase 1?); we just check for the Ethernet
2038 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2044 if (proto <= ETHERMTU) {
2046 * This is an LLC SAP value, so the frames
2047 * that match would be 802.2 frames.
2048 * Check for the 802.2 protocol type
2049 * in the "Ethernet type" field, and
2050 * then check the DSAP.
2052 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2054 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2060 * This is an Ethernet type, so compare
2061 * the length/type field with it (if
2062 * the frame is an 802.2 frame, the length
2063 * field will be <= ETHERMTU, and, as
2064 * "proto" is > ETHERMTU, this test
2065 * will fail and the frame won't match,
2066 * which is what we want).
2068 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2074 static struct slist *
2075 gen_load_prism_llprefixlen()
2077 struct slist *s1, *s2;
2078 struct slist *sjeq_avs_cookie;
2079 struct slist *sjcommon;
2082 * This code is not compatible with the optimizer, as
2083 * we are generating jmp instructions within a normal
2084 * slist of instructions
2089 * Generate code to load the length of the radio header into
2090 * the register assigned to hold that length, if one has been
2091 * assigned. (If one hasn't been assigned, no code we've
2092 * generated uses that prefix, so we don't need to generate any
2095 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2096 * or always use the AVS header rather than the Prism header.
2097 * We load a 4-byte big-endian value at the beginning of the
2098 * raw packet data, and see whether, when masked with 0xFFFFF000,
2099 * it's equal to 0x80211000. If so, that indicates that it's
2100 * an AVS header (the masked-out bits are the version number).
2101 * Otherwise, it's a Prism header.
2103 * XXX - the Prism header is also, in theory, variable-length,
2104 * but no known software generates headers that aren't 144
2107 if (reg_off_ll != -1) {
2111 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2115 * AND it with 0xFFFFF000.
2117 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2118 s2->s.k = 0xFFFFF000;
2122 * Compare with 0x80211000.
2124 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2125 sjeq_avs_cookie->s.k = 0x80211000;
2126 sappend(s1, sjeq_avs_cookie);
2131 * The 4 bytes at an offset of 4 from the beginning of
2132 * the AVS header are the length of the AVS header.
2133 * That field is big-endian.
2135 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2138 sjeq_avs_cookie->s.jt = s2;
2141 * Now jump to the code to allocate a register
2142 * into which to save the header length and
2143 * store the length there. (The "jump always"
2144 * instruction needs to have the k field set;
2145 * it's added to the PC, so, as we're jumping
2146 * over a single instruction, it should be 1.)
2148 sjcommon = new_stmt(JMP(BPF_JA));
2150 sappend(s1, sjcommon);
2153 * Now for the code that handles the Prism header.
2154 * Just load the length of the Prism header (144)
2155 * into the A register. Have the test for an AVS
2156 * header branch here if we don't have an AVS header.
2158 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2161 sjeq_avs_cookie->s.jf = s2;
2164 * Now allocate a register to hold that value and store
2165 * it. The code for the AVS header will jump here after
2166 * loading the length of the AVS header.
2168 s2 = new_stmt(BPF_ST);
2169 s2->s.k = reg_off_ll;
2171 sjcommon->s.jf = s2;
2174 * Now move it into the X register.
2176 s2 = new_stmt(BPF_MISC|BPF_TAX);
2184 static struct slist *
2185 gen_load_avs_llprefixlen()
2187 struct slist *s1, *s2;
2190 * Generate code to load the length of the AVS header into
2191 * the register assigned to hold that length, if one has been
2192 * assigned. (If one hasn't been assigned, no code we've
2193 * generated uses that prefix, so we don't need to generate any
2196 if (reg_off_ll != -1) {
2198 * The 4 bytes at an offset of 4 from the beginning of
2199 * the AVS header are the length of the AVS header.
2200 * That field is big-endian.
2202 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2206 * Now allocate a register to hold that value and store
2209 s2 = new_stmt(BPF_ST);
2210 s2->s.k = reg_off_ll;
2214 * Now move it into the X register.
2216 s2 = new_stmt(BPF_MISC|BPF_TAX);
2224 static struct slist *
2225 gen_load_radiotap_llprefixlen()
2227 struct slist *s1, *s2;
2230 * Generate code to load the length of the radiotap header into
2231 * the register assigned to hold that length, if one has been
2232 * assigned. (If one hasn't been assigned, no code we've
2233 * generated uses that prefix, so we don't need to generate any
2236 if (reg_off_ll != -1) {
2238 * The 2 bytes at offsets of 2 and 3 from the beginning
2239 * of the radiotap header are the length of the radiotap
2240 * header; unfortunately, it's little-endian, so we have
2241 * to load it a byte at a time and construct the value.
2245 * Load the high-order byte, at an offset of 3, shift it
2246 * left a byte, and put the result in the X register.
2248 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2250 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2253 s2 = new_stmt(BPF_MISC|BPF_TAX);
2257 * Load the next byte, at an offset of 2, and OR the
2258 * value from the X register into it.
2260 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2263 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2267 * Now allocate a register to hold that value and store
2270 s2 = new_stmt(BPF_ST);
2271 s2->s.k = reg_off_ll;
2275 * Now move it into the X register.
2277 s2 = new_stmt(BPF_MISC|BPF_TAX);
2286 * At the moment we treat PPI as normal Radiotap encoded
2287 * packets. The difference is in the function that generates
2288 * the code at the beginning to compute the header length.
2289 * Since this code generator of PPI supports bare 802.11
2290 * encapsulation only (i.e. the encapsulated DLT should be
2291 * DLT_IEEE802_11) we generate code to check for this too;
2292 * that's done in finish_parse().
2294 static struct slist *
2295 gen_load_ppi_llprefixlen()
2297 struct slist *s1, *s2;
2300 * Generate code to load the length of the radiotap header
2301 * into the register assigned to hold that length, if one has
2304 if (reg_off_ll != -1) {
2306 * The 2 bytes at offsets of 2 and 3 from the beginning
2307 * of the radiotap header are the length of the radiotap
2308 * header; unfortunately, it's little-endian, so we have
2309 * to load it a byte at a time and construct the value.
2313 * Load the high-order byte, at an offset of 3, shift it
2314 * left a byte, and put the result in the X register.
2316 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2318 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2321 s2 = new_stmt(BPF_MISC|BPF_TAX);
2325 * Load the next byte, at an offset of 2, and OR the
2326 * value from the X register into it.
2328 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2331 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2335 * Now allocate a register to hold that value and store
2338 s2 = new_stmt(BPF_ST);
2339 s2->s.k = reg_off_ll;
2343 * Now move it into the X register.
2345 s2 = new_stmt(BPF_MISC|BPF_TAX);
2354 * Load a value relative to the beginning of the link-layer header after the 802.11
2355 * header, i.e. LLC_SNAP.
2356 * The link-layer header doesn't necessarily begin at the beginning
2357 * of the packet data; there might be a variable-length prefix containing
2358 * radio information.
2360 static struct slist *
2361 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2364 struct slist *sjset_data_frame_1;
2365 struct slist *sjset_data_frame_2;
2366 struct slist *sjset_qos;
2367 struct slist *sjset_radiotap_flags;
2368 struct slist *sjset_radiotap_tsft;
2369 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2370 struct slist *s_roundup;
2372 if (reg_off_macpl == -1) {
2374 * No register has been assigned to the offset of
2375 * the MAC-layer payload, which means nobody needs
2376 * it; don't bother computing it - just return
2377 * what we already have.
2383 * This code is not compatible with the optimizer, as
2384 * we are generating jmp instructions within a normal
2385 * slist of instructions
2390 * If "s" is non-null, it has code to arrange that the X register
2391 * contains the length of the prefix preceding the link-layer
2394 * Otherwise, the length of the prefix preceding the link-layer
2395 * header is "off_ll".
2399 * There is no variable-length header preceding the
2400 * link-layer header.
2402 * Load the length of the fixed-length prefix preceding
2403 * the link-layer header (if any) into the X register,
2404 * and store it in the reg_off_macpl register.
2405 * That length is off_ll.
2407 s = new_stmt(BPF_LDX|BPF_IMM);
2412 * The X register contains the offset of the beginning of the
2413 * link-layer header; add 24, which is the minimum length
2414 * of the MAC header for a data frame, to that, and store it
2415 * in reg_off_macpl, and then load the Frame Control field,
2416 * which is at the offset in the X register, with an indexed load.
2418 s2 = new_stmt(BPF_MISC|BPF_TXA);
2420 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2423 s2 = new_stmt(BPF_ST);
2424 s2->s.k = reg_off_macpl;
2427 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2432 * Check the Frame Control field to see if this is a data frame;
2433 * a data frame has the 0x08 bit (b3) in that field set and the
2434 * 0x04 bit (b2) clear.
2436 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2437 sjset_data_frame_1->s.k = 0x08;
2438 sappend(s, sjset_data_frame_1);
2441 * If b3 is set, test b2, otherwise go to the first statement of
2442 * the rest of the program.
2444 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2445 sjset_data_frame_2->s.k = 0x04;
2446 sappend(s, sjset_data_frame_2);
2447 sjset_data_frame_1->s.jf = snext;
2450 * If b2 is not set, this is a data frame; test the QoS bit.
2451 * Otherwise, go to the first statement of the rest of the
2454 sjset_data_frame_2->s.jt = snext;
2455 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2456 sjset_qos->s.k = 0x80; /* QoS bit */
2457 sappend(s, sjset_qos);
2460 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2462 * Otherwise, go to the first statement of the rest of the
2465 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2466 s2->s.k = reg_off_macpl;
2468 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2471 s2 = new_stmt(BPF_ST);
2472 s2->s.k = reg_off_macpl;
2476 * If we have a radiotap header, look at it to see whether
2477 * there's Atheros padding between the MAC-layer header
2480 * Note: all of the fields in the radiotap header are
2481 * little-endian, so we byte-swap all of the values
2482 * we test against, as they will be loaded as big-endian
2485 if (linktype == DLT_IEEE802_11_RADIO) {
2487 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2488 * in the presence flag?
2490 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2494 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2495 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2496 sappend(s, sjset_radiotap_flags);
2499 * If not, skip all of this.
2501 sjset_radiotap_flags->s.jf = snext;
2504 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2506 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2507 new_stmt(JMP(BPF_JSET));
2508 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2509 sappend(s, sjset_radiotap_tsft);
2512 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2513 * at an offset of 16 from the beginning of the raw packet
2514 * data (8 bytes for the radiotap header and 8 bytes for
2517 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2520 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2524 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2525 sjset_tsft_datapad->s.k = 0x20;
2526 sappend(s, sjset_tsft_datapad);
2529 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2530 * at an offset of 8 from the beginning of the raw packet
2531 * data (8 bytes for the radiotap header).
2533 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2536 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2540 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2541 sjset_notsft_datapad->s.k = 0x20;
2542 sappend(s, sjset_notsft_datapad);
2545 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2546 * set, round the length of the 802.11 header to
2547 * a multiple of 4. Do that by adding 3 and then
2548 * dividing by and multiplying by 4, which we do by
2551 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2552 s_roundup->s.k = reg_off_macpl;
2553 sappend(s, s_roundup);
2554 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2557 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2560 s2 = new_stmt(BPF_ST);
2561 s2->s.k = reg_off_macpl;
2564 sjset_tsft_datapad->s.jt = s_roundup;
2565 sjset_tsft_datapad->s.jf = snext;
2566 sjset_notsft_datapad->s.jt = s_roundup;
2567 sjset_notsft_datapad->s.jf = snext;
2569 sjset_qos->s.jf = snext;
2575 insert_compute_vloffsets(b)
2581 * For link-layer types that have a variable-length header
2582 * preceding the link-layer header, generate code to load
2583 * the offset of the link-layer header into the register
2584 * assigned to that offset, if any.
2588 case DLT_PRISM_HEADER:
2589 s = gen_load_prism_llprefixlen();
2592 case DLT_IEEE802_11_RADIO_AVS:
2593 s = gen_load_avs_llprefixlen();
2596 case DLT_IEEE802_11_RADIO:
2597 s = gen_load_radiotap_llprefixlen();
2601 s = gen_load_ppi_llprefixlen();
2610 * For link-layer types that have a variable-length link-layer
2611 * header, generate code to load the offset of the MAC-layer
2612 * payload into the register assigned to that offset, if any.
2616 case DLT_IEEE802_11:
2617 case DLT_PRISM_HEADER:
2618 case DLT_IEEE802_11_RADIO_AVS:
2619 case DLT_IEEE802_11_RADIO:
2621 s = gen_load_802_11_header_len(s, b->stmts);
2626 * If we have any offset-loading code, append all the
2627 * existing statements in the block to those statements,
2628 * and make the resulting list the list of statements
2632 sappend(s, b->stmts);
2637 static struct block *
2638 gen_ppi_dlt_check(void)
2640 struct slist *s_load_dlt;
2643 if (linktype == DLT_PPI)
2645 /* Create the statements that check for the DLT
2647 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2648 s_load_dlt->s.k = 4;
2650 b = new_block(JMP(BPF_JEQ));
2652 b->stmts = s_load_dlt;
2653 b->s.k = SWAPLONG(DLT_IEEE802_11);
2663 static struct slist *
2664 gen_prism_llprefixlen(void)
2668 if (reg_off_ll == -1) {
2670 * We haven't yet assigned a register for the length
2671 * of the radio header; allocate one.
2673 reg_off_ll = alloc_reg();
2677 * Load the register containing the radio length
2678 * into the X register.
2680 s = new_stmt(BPF_LDX|BPF_MEM);
2681 s->s.k = reg_off_ll;
2685 static struct slist *
2686 gen_avs_llprefixlen(void)
2690 if (reg_off_ll == -1) {
2692 * We haven't yet assigned a register for the length
2693 * of the AVS header; allocate one.
2695 reg_off_ll = alloc_reg();
2699 * Load the register containing the AVS length
2700 * into the X register.
2702 s = new_stmt(BPF_LDX|BPF_MEM);
2703 s->s.k = reg_off_ll;
2707 static struct slist *
2708 gen_radiotap_llprefixlen(void)
2712 if (reg_off_ll == -1) {
2714 * We haven't yet assigned a register for the length
2715 * of the radiotap header; allocate one.
2717 reg_off_ll = alloc_reg();
2721 * Load the register containing the radiotap length
2722 * into the X register.
2724 s = new_stmt(BPF_LDX|BPF_MEM);
2725 s->s.k = reg_off_ll;
2730 * At the moment we treat PPI as normal Radiotap encoded
2731 * packets. The difference is in the function that generates
2732 * the code at the beginning to compute the header length.
2733 * Since this code generator of PPI supports bare 802.11
2734 * encapsulation only (i.e. the encapsulated DLT should be
2735 * DLT_IEEE802_11) we generate code to check for this too.
2737 static struct slist *
2738 gen_ppi_llprefixlen(void)
2742 if (reg_off_ll == -1) {
2744 * We haven't yet assigned a register for the length
2745 * of the radiotap header; allocate one.
2747 reg_off_ll = alloc_reg();
2751 * Load the register containing the PPI length
2752 * into the X register.
2754 s = new_stmt(BPF_LDX|BPF_MEM);
2755 s->s.k = reg_off_ll;
2760 * Generate code to compute the link-layer header length, if necessary,
2761 * putting it into the X register, and to return either a pointer to a
2762 * "struct slist" for the list of statements in that code, or NULL if
2763 * no code is necessary.
2765 static struct slist *
2766 gen_llprefixlen(void)
2770 case DLT_PRISM_HEADER:
2771 return gen_prism_llprefixlen();
2773 case DLT_IEEE802_11_RADIO_AVS:
2774 return gen_avs_llprefixlen();
2776 case DLT_IEEE802_11_RADIO:
2777 return gen_radiotap_llprefixlen();
2780 return gen_ppi_llprefixlen();
2788 * Generate code to load the register containing the offset of the
2789 * MAC-layer payload into the X register; if no register for that offset
2790 * has been allocated, allocate it first.
2792 static struct slist *
2797 if (off_macpl_is_variable) {
2798 if (reg_off_macpl == -1) {
2800 * We haven't yet assigned a register for the offset
2801 * of the MAC-layer payload; allocate one.
2803 reg_off_macpl = alloc_reg();
2807 * Load the register containing the offset of the MAC-layer
2808 * payload into the X register.
2810 s = new_stmt(BPF_LDX|BPF_MEM);
2811 s->s.k = reg_off_macpl;
2815 * That offset isn't variable, so we don't need to
2816 * generate any code.
2823 * Map an Ethernet type to the equivalent PPP type.
2826 ethertype_to_ppptype(proto)
2836 case ETHERTYPE_IPV6:
2845 case ETHERTYPE_ATALK:
2859 * I'm assuming the "Bridging PDU"s that go
2860 * over PPP are Spanning Tree Protocol
2874 * Generate code to match a particular packet type by matching the
2875 * link-layer type field or fields in the 802.2 LLC header.
2877 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2878 * value, if <= ETHERMTU.
2880 static struct block *
2884 struct block *b0, *b1, *b2;
2886 /* are we checking MPLS-encapsulated packets? */
2887 if (label_stack_depth > 0) {
2891 /* FIXME add other L3 proto IDs */
2892 return gen_mpls_linktype(Q_IP);
2894 case ETHERTYPE_IPV6:
2896 /* FIXME add other L3 proto IDs */
2897 return gen_mpls_linktype(Q_IPV6);
2900 bpf_error("unsupported protocol over mpls");
2906 * Are we testing PPPoE packets?
2910 * The PPPoE session header is part of the
2911 * MAC-layer payload, so all references
2912 * should be relative to the beginning of
2917 * We use Ethernet protocol types inside libpcap;
2918 * map them to the corresponding PPP protocol types.
2920 proto = ethertype_to_ppptype(proto);
2921 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2927 case DLT_NETANALYZER:
2928 case DLT_NETANALYZER_TRANSPARENT:
2929 return gen_ether_linktype(proto);
2937 proto = (proto << 8 | LLCSAP_ISONS);
2941 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2948 case DLT_IEEE802_11:
2949 case DLT_PRISM_HEADER:
2950 case DLT_IEEE802_11_RADIO_AVS:
2951 case DLT_IEEE802_11_RADIO:
2954 * Check that we have a data frame.
2956 b0 = gen_check_802_11_data_frame();
2959 * Now check for the specified link-layer type.
2961 b1 = gen_llc_linktype(proto);
2969 * XXX - check for asynchronous frames, as per RFC 1103.
2971 return gen_llc_linktype(proto);
2977 * XXX - check for LLC PDUs, as per IEEE 802.5.
2979 return gen_llc_linktype(proto);
2983 case DLT_ATM_RFC1483:
2985 case DLT_IP_OVER_FC:
2986 return gen_llc_linktype(proto);
2992 * If "is_lane" is set, check for a LANE-encapsulated
2993 * version of this protocol, otherwise check for an
2994 * LLC-encapsulated version of this protocol.
2996 * We assume LANE means Ethernet, not Token Ring.
3000 * Check that the packet doesn't begin with an
3001 * LE Control marker. (We've already generated
3004 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3009 * Now generate an Ethernet test.
3011 b1 = gen_ether_linktype(proto);
3016 * Check for LLC encapsulation and then check the
3019 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3020 b1 = gen_llc_linktype(proto);
3028 return gen_linux_sll_linktype(proto);
3033 case DLT_SLIP_BSDOS:
3036 * These types don't provide any type field; packets
3037 * are always IPv4 or IPv6.
3039 * XXX - for IPv4, check for a version number of 4, and,
3040 * for IPv6, check for a version number of 6?
3045 /* Check for a version number of 4. */
3046 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3048 case ETHERTYPE_IPV6:
3049 /* Check for a version number of 6. */
3050 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3054 return gen_false(); /* always false */
3061 * Raw IPv4, so no type field.
3063 if (proto == ETHERTYPE_IP)
3064 return gen_true(); /* always true */
3066 /* Checking for something other than IPv4; always false */
3073 * Raw IPv6, so no type field.
3076 if (proto == ETHERTYPE_IPV6)
3077 return gen_true(); /* always true */
3080 /* Checking for something other than IPv6; always false */
3087 case DLT_PPP_SERIAL:
3090 * We use Ethernet protocol types inside libpcap;
3091 * map them to the corresponding PPP protocol types.
3093 proto = ethertype_to_ppptype(proto);
3094 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3100 * We use Ethernet protocol types inside libpcap;
3101 * map them to the corresponding PPP protocol types.
3107 * Also check for Van Jacobson-compressed IP.
3108 * XXX - do this for other forms of PPP?
3110 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3111 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3113 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3118 proto = ethertype_to_ppptype(proto);
3119 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3129 * For DLT_NULL, the link-layer header is a 32-bit
3130 * word containing an AF_ value in *host* byte order,
3131 * and for DLT_ENC, the link-layer header begins
3132 * with a 32-bit work containing an AF_ value in
3135 * In addition, if we're reading a saved capture file,
3136 * the host byte order in the capture may not be the
3137 * same as the host byte order on this machine.
3139 * For DLT_LOOP, the link-layer header is a 32-bit
3140 * word containing an AF_ value in *network* byte order.
3142 * XXX - AF_ values may, unfortunately, be platform-
3143 * dependent; for example, FreeBSD's AF_INET6 is 24
3144 * whilst NetBSD's and OpenBSD's is 26.
3146 * This means that, when reading a capture file, just
3147 * checking for our AF_INET6 value won't work if the
3148 * capture file came from another OS.
3157 case ETHERTYPE_IPV6:
3164 * Not a type on which we support filtering.
3165 * XXX - support those that have AF_ values
3166 * #defined on this platform, at least?
3171 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3173 * The AF_ value is in host byte order, but
3174 * the BPF interpreter will convert it to
3175 * network byte order.
3177 * If this is a save file, and it's from a
3178 * machine with the opposite byte order to
3179 * ours, we byte-swap the AF_ value.
3181 * Then we run it through "htonl()", and
3182 * generate code to compare against the result.
3184 if (bpf_pcap->sf.rfile != NULL &&
3185 bpf_pcap->sf.swapped)
3186 proto = SWAPLONG(proto);
3187 proto = htonl(proto);
3189 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3191 #ifdef HAVE_NET_PFVAR_H
3194 * af field is host byte order in contrast to the rest of
3197 if (proto == ETHERTYPE_IP)
3198 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3199 BPF_B, (bpf_int32)AF_INET));
3201 else if (proto == ETHERTYPE_IPV6)
3202 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3203 BPF_B, (bpf_int32)AF_INET6));
3209 #endif /* HAVE_NET_PFVAR_H */
3212 case DLT_ARCNET_LINUX:
3214 * XXX should we check for first fragment if the protocol
3223 case ETHERTYPE_IPV6:
3224 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3225 (bpf_int32)ARCTYPE_INET6));
3229 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3230 (bpf_int32)ARCTYPE_IP);
3231 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3232 (bpf_int32)ARCTYPE_IP_OLD);
3237 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3238 (bpf_int32)ARCTYPE_ARP);
3239 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3240 (bpf_int32)ARCTYPE_ARP_OLD);
3244 case ETHERTYPE_REVARP:
3245 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3246 (bpf_int32)ARCTYPE_REVARP));
3248 case ETHERTYPE_ATALK:
3249 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3250 (bpf_int32)ARCTYPE_ATALK));
3257 case ETHERTYPE_ATALK:
3267 * XXX - assumes a 2-byte Frame Relay header with
3268 * DLCI and flags. What if the address is longer?
3274 * Check for the special NLPID for IP.
3276 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3279 case ETHERTYPE_IPV6:
3281 * Check for the special NLPID for IPv6.
3283 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3288 * Check for several OSI protocols.
3290 * Frame Relay packets typically have an OSI
3291 * NLPID at the beginning; we check for each
3294 * What we check for is the NLPID and a frame
3295 * control field of UI, i.e. 0x03 followed
3298 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3299 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3300 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3312 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3314 case DLT_JUNIPER_MFR:
3315 case DLT_JUNIPER_MLFR:
3316 case DLT_JUNIPER_MLPPP:
3317 case DLT_JUNIPER_ATM1:
3318 case DLT_JUNIPER_ATM2:
3319 case DLT_JUNIPER_PPPOE:
3320 case DLT_JUNIPER_PPPOE_ATM:
3321 case DLT_JUNIPER_GGSN:
3322 case DLT_JUNIPER_ES:
3323 case DLT_JUNIPER_MONITOR:
3324 case DLT_JUNIPER_SERVICES:
3325 case DLT_JUNIPER_ETHER:
3326 case DLT_JUNIPER_PPP:
3327 case DLT_JUNIPER_FRELAY:
3328 case DLT_JUNIPER_CHDLC:
3329 case DLT_JUNIPER_VP:
3330 case DLT_JUNIPER_ST:
3331 case DLT_JUNIPER_ISM:
3332 case DLT_JUNIPER_VS:
3333 case DLT_JUNIPER_SRX_E2E:
3334 case DLT_JUNIPER_FIBRECHANNEL:
3335 case DLT_JUNIPER_ATM_CEMIC:
3337 /* just lets verify the magic number for now -
3338 * on ATM we may have up to 6 different encapsulations on the wire
3339 * and need a lot of heuristics to figure out that the payload
3342 * FIXME encapsulation specific BPF_ filters
3344 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3347 return gen_ipnet_linktype(proto);
3349 case DLT_LINUX_IRDA:
3350 bpf_error("IrDA link-layer type filtering not implemented");
3353 bpf_error("DOCSIS link-layer type filtering not implemented");
3356 case DLT_MTP2_WITH_PHDR:
3357 bpf_error("MTP2 link-layer type filtering not implemented");
3360 bpf_error("ERF link-layer type filtering not implemented");
3363 bpf_error("PFSYNC link-layer type filtering not implemented");
3365 case DLT_LINUX_LAPD:
3366 bpf_error("LAPD link-layer type filtering not implemented");
3370 case DLT_USB_LINUX_MMAPPED:
3371 bpf_error("USB link-layer type filtering not implemented");
3373 case DLT_BLUETOOTH_HCI_H4:
3374 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3375 bpf_error("Bluetooth link-layer type filtering not implemented");
3378 case DLT_CAN_SOCKETCAN:
3379 bpf_error("CAN link-layer type filtering not implemented");
3381 case DLT_IEEE802_15_4:
3382 case DLT_IEEE802_15_4_LINUX:
3383 case DLT_IEEE802_15_4_NONASK_PHY:
3384 case DLT_IEEE802_15_4_NOFCS:
3385 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3387 case DLT_IEEE802_16_MAC_CPS_RADIO:
3388 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3391 bpf_error("SITA link-layer type filtering not implemented");
3394 bpf_error("RAIF1 link-layer type filtering not implemented");
3397 bpf_error("IPMB link-layer type filtering not implemented");
3400 bpf_error("AX.25 link-layer type filtering not implemented");
3404 * All the types that have no encapsulation should either be
3405 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3406 * all packets are IP packets, or should be handled in some
3407 * special case, if none of them are (if some are and some
3408 * aren't, the lack of encapsulation is a problem, as we'd
3409 * have to find some other way of determining the packet type).
3411 * Therefore, if "off_linktype" is -1, there's an error.
3413 if (off_linktype == (u_int)-1)
3417 * Any type not handled above should always have an Ethernet
3418 * type at an offset of "off_linktype".
3420 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3424 * Check for an LLC SNAP packet with a given organization code and
3425 * protocol type; we check the entire contents of the 802.2 LLC and
3426 * snap headers, checking for DSAP and SSAP of SNAP and a control
3427 * field of 0x03 in the LLC header, and for the specified organization
3428 * code and protocol type in the SNAP header.
3430 static struct block *
3431 gen_snap(orgcode, ptype)
3432 bpf_u_int32 orgcode;
3435 u_char snapblock[8];
3437 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3438 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3439 snapblock[2] = 0x03; /* control = UI */
3440 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3441 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3442 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3443 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3444 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3445 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3449 * Generate code to match a particular packet type, for link-layer types
3450 * using 802.2 LLC headers.
3452 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3453 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3455 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3456 * value, if <= ETHERMTU. We use that to determine whether to
3457 * match the DSAP or both DSAP and LSAP or to check the OUI and
3458 * protocol ID in a SNAP header.
3460 static struct block *
3461 gen_llc_linktype(proto)
3465 * XXX - handle token-ring variable-length header.
3471 case LLCSAP_NETBEUI:
3473 * XXX - should we check both the DSAP and the
3474 * SSAP, like this, or should we check just the
3475 * DSAP, as we do for other types <= ETHERMTU
3476 * (i.e., other SAP values)?
3478 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3479 ((proto << 8) | proto));
3483 * XXX - are there ever SNAP frames for IPX on
3484 * non-Ethernet 802.x networks?
3486 return gen_cmp(OR_MACPL, 0, BPF_B,
3487 (bpf_int32)LLCSAP_IPX);
3489 case ETHERTYPE_ATALK:
3491 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3492 * SNAP packets with an organization code of
3493 * 0x080007 (Apple, for Appletalk) and a protocol
3494 * type of ETHERTYPE_ATALK (Appletalk).
3496 * XXX - check for an organization code of
3497 * encapsulated Ethernet as well?
3499 return gen_snap(0x080007, ETHERTYPE_ATALK);
3503 * XXX - we don't have to check for IPX 802.3
3504 * here, but should we check for the IPX Ethertype?
3506 if (proto <= ETHERMTU) {
3508 * This is an LLC SAP value, so check
3511 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3514 * This is an Ethernet type; we assume that it's
3515 * unlikely that it'll appear in the right place
3516 * at random, and therefore check only the
3517 * location that would hold the Ethernet type
3518 * in a SNAP frame with an organization code of
3519 * 0x000000 (encapsulated Ethernet).
3521 * XXX - if we were to check for the SNAP DSAP and
3522 * LSAP, as per XXX, and were also to check for an
3523 * organization code of 0x000000 (encapsulated
3524 * Ethernet), we'd do
3526 * return gen_snap(0x000000, proto);
3528 * here; for now, we don't, as per the above.
3529 * I don't know whether it's worth the extra CPU
3530 * time to do the right check or not.
3532 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3537 static struct block *
3538 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3542 u_int src_off, dst_off;
3544 struct block *b0, *b1;
3558 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3559 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3565 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3566 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3573 b0 = gen_linktype(proto);
3574 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3580 static struct block *
3581 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3582 struct in6_addr *addr;
3583 struct in6_addr *mask;
3585 u_int src_off, dst_off;
3587 struct block *b0, *b1;
3602 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3603 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3609 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3610 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3617 /* this order is important */
3618 a = (u_int32_t *)addr;
3619 m = (u_int32_t *)mask;
3620 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3621 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3623 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3625 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3627 b0 = gen_linktype(proto);
3633 static struct block *
3634 gen_ehostop(eaddr, dir)
3635 register const u_char *eaddr;
3638 register struct block *b0, *b1;
3642 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3645 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3648 b0 = gen_ehostop(eaddr, Q_SRC);
3649 b1 = gen_ehostop(eaddr, Q_DST);
3655 b0 = gen_ehostop(eaddr, Q_SRC);
3656 b1 = gen_ehostop(eaddr, Q_DST);
3661 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3665 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3669 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3673 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3677 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3681 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3689 * Like gen_ehostop, but for DLT_FDDI
3691 static struct block *
3692 gen_fhostop(eaddr, dir)
3693 register const u_char *eaddr;
3696 struct block *b0, *b1;
3701 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3703 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3708 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3710 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3714 b0 = gen_fhostop(eaddr, Q_SRC);
3715 b1 = gen_fhostop(eaddr, Q_DST);
3721 b0 = gen_fhostop(eaddr, Q_SRC);
3722 b1 = gen_fhostop(eaddr, Q_DST);
3727 bpf_error("'addr1' is only supported on 802.11");
3731 bpf_error("'addr2' is only supported on 802.11");
3735 bpf_error("'addr3' is only supported on 802.11");
3739 bpf_error("'addr4' is only supported on 802.11");
3743 bpf_error("'ra' is only supported on 802.11");
3747 bpf_error("'ta' is only supported on 802.11");
3755 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3757 static struct block *
3758 gen_thostop(eaddr, dir)
3759 register const u_char *eaddr;
3762 register struct block *b0, *b1;
3766 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3769 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3772 b0 = gen_thostop(eaddr, Q_SRC);
3773 b1 = gen_thostop(eaddr, Q_DST);
3779 b0 = gen_thostop(eaddr, Q_SRC);
3780 b1 = gen_thostop(eaddr, Q_DST);
3785 bpf_error("'addr1' is only supported on 802.11");
3789 bpf_error("'addr2' is only supported on 802.11");
3793 bpf_error("'addr3' is only supported on 802.11");
3797 bpf_error("'addr4' is only supported on 802.11");
3801 bpf_error("'ra' is only supported on 802.11");
3805 bpf_error("'ta' is only supported on 802.11");
3813 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3814 * various 802.11 + radio headers.
3816 static struct block *
3817 gen_wlanhostop(eaddr, dir)
3818 register const u_char *eaddr;
3821 register struct block *b0, *b1, *b2;
3822 register struct slist *s;
3824 #ifdef ENABLE_WLAN_FILTERING_PATCH
3827 * We need to disable the optimizer because the optimizer is buggy
3828 * and wipes out some LD instructions generated by the below
3829 * code to validate the Frame Control bits
3832 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3839 * For control frames, there is no SA.
3841 * For management frames, SA is at an
3842 * offset of 10 from the beginning of
3845 * For data frames, SA is at an offset
3846 * of 10 from the beginning of the packet
3847 * if From DS is clear, at an offset of
3848 * 16 from the beginning of the packet
3849 * if From DS is set and To DS is clear,
3850 * and an offset of 24 from the beginning
3851 * of the packet if From DS is set and To DS
3856 * Generate the tests to be done for data frames
3859 * First, check for To DS set, i.e. check "link[1] & 0x01".
3861 s = gen_load_a(OR_LINK, 1, BPF_B);
3862 b1 = new_block(JMP(BPF_JSET));
3863 b1->s.k = 0x01; /* To DS */
3867 * If To DS is set, the SA is at 24.
3869 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3873 * Now, check for To DS not set, i.e. check
3874 * "!(link[1] & 0x01)".
3876 s = gen_load_a(OR_LINK, 1, BPF_B);
3877 b2 = new_block(JMP(BPF_JSET));
3878 b2->s.k = 0x01; /* To DS */
3883 * If To DS is not set, the SA is at 16.
3885 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3889 * Now OR together the last two checks. That gives
3890 * the complete set of checks for data frames with
3896 * Now check for From DS being set, and AND that with
3897 * the ORed-together checks.
3899 s = gen_load_a(OR_LINK, 1, BPF_B);
3900 b1 = new_block(JMP(BPF_JSET));
3901 b1->s.k = 0x02; /* From DS */
3906 * Now check for data frames with From DS not set.
3908 s = gen_load_a(OR_LINK, 1, BPF_B);
3909 b2 = new_block(JMP(BPF_JSET));
3910 b2->s.k = 0x02; /* From DS */
3915 * If From DS isn't set, the SA is at 10.
3917 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3921 * Now OR together the checks for data frames with
3922 * From DS not set and for data frames with From DS
3923 * set; that gives the checks done for data frames.
3928 * Now check for a data frame.
3929 * I.e, check "link[0] & 0x08".
3931 s = gen_load_a(OR_LINK, 0, BPF_B);
3932 b1 = new_block(JMP(BPF_JSET));
3937 * AND that with the checks done for data frames.
3942 * If the high-order bit of the type value is 0, this
3943 * is a management frame.
3944 * I.e, check "!(link[0] & 0x08)".
3946 s = gen_load_a(OR_LINK, 0, BPF_B);
3947 b2 = new_block(JMP(BPF_JSET));
3953 * For management frames, the SA is at 10.
3955 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3959 * OR that with the checks done for data frames.
3960 * That gives the checks done for management and
3966 * If the low-order bit of the type value is 1,
3967 * this is either a control frame or a frame
3968 * with a reserved type, and thus not a
3971 * I.e., check "!(link[0] & 0x04)".
3973 s = gen_load_a(OR_LINK, 0, BPF_B);
3974 b1 = new_block(JMP(BPF_JSET));
3980 * AND that with the checks for data and management
3990 * For control frames, there is no DA.
3992 * For management frames, DA is at an
3993 * offset of 4 from the beginning of
3996 * For data frames, DA is at an offset
3997 * of 4 from the beginning of the packet
3998 * if To DS is clear and at an offset of
3999 * 16 from the beginning of the packet
4004 * Generate the tests to be done for data frames.
4006 * First, check for To DS set, i.e. "link[1] & 0x01".
4008 s = gen_load_a(OR_LINK, 1, BPF_B);
4009 b1 = new_block(JMP(BPF_JSET));
4010 b1->s.k = 0x01; /* To DS */
4014 * If To DS is set, the DA is at 16.
4016 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4020 * Now, check for To DS not set, i.e. check
4021 * "!(link[1] & 0x01)".
4023 s = gen_load_a(OR_LINK, 1, BPF_B);
4024 b2 = new_block(JMP(BPF_JSET));
4025 b2->s.k = 0x01; /* To DS */
4030 * If To DS is not set, the DA is at 4.
4032 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4036 * Now OR together the last two checks. That gives
4037 * the complete set of checks for data frames.
4042 * Now check for a data frame.
4043 * I.e, check "link[0] & 0x08".
4045 s = gen_load_a(OR_LINK, 0, BPF_B);
4046 b1 = new_block(JMP(BPF_JSET));
4051 * AND that with the checks done for data frames.
4056 * If the high-order bit of the type value is 0, this
4057 * is a management frame.
4058 * I.e, check "!(link[0] & 0x08)".
4060 s = gen_load_a(OR_LINK, 0, BPF_B);
4061 b2 = new_block(JMP(BPF_JSET));
4067 * For management frames, the DA is at 4.
4069 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4073 * OR that with the checks done for data frames.
4074 * That gives the checks done for management and
4080 * If the low-order bit of the type value is 1,
4081 * this is either a control frame or a frame
4082 * with a reserved type, and thus not a
4085 * I.e., check "!(link[0] & 0x04)".
4087 s = gen_load_a(OR_LINK, 0, BPF_B);
4088 b1 = new_block(JMP(BPF_JSET));
4094 * AND that with the checks for data and management
4102 * Not present in management frames; addr1 in other
4107 * If the high-order bit of the type value is 0, this
4108 * is a management frame.
4109 * I.e, check "(link[0] & 0x08)".
4111 s = gen_load_a(OR_LINK, 0, BPF_B);
4112 b1 = new_block(JMP(BPF_JSET));
4119 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4122 * AND that with the check of addr1.
4129 * Not present in management frames; addr2, if present,
4134 * Not present in CTS or ACK control frames.
4136 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4137 IEEE80211_FC0_TYPE_MASK);
4139 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4140 IEEE80211_FC0_SUBTYPE_MASK);
4142 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4143 IEEE80211_FC0_SUBTYPE_MASK);
4149 * If the high-order bit of the type value is 0, this
4150 * is a management frame.
4151 * I.e, check "(link[0] & 0x08)".
4153 s = gen_load_a(OR_LINK, 0, BPF_B);
4154 b1 = new_block(JMP(BPF_JSET));
4159 * AND that with the check for frames other than
4160 * CTS and ACK frames.
4167 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4172 * XXX - add BSSID keyword?
4175 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4179 * Not present in CTS or ACK control frames.
4181 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4182 IEEE80211_FC0_TYPE_MASK);
4184 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4185 IEEE80211_FC0_SUBTYPE_MASK);
4187 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4188 IEEE80211_FC0_SUBTYPE_MASK);
4192 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4198 * Not present in control frames.
4200 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4201 IEEE80211_FC0_TYPE_MASK);
4203 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4209 * Present only if the direction mask has both "From DS"
4210 * and "To DS" set. Neither control frames nor management
4211 * frames should have both of those set, so we don't
4212 * check the frame type.
4214 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4215 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4216 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4221 b0 = gen_wlanhostop(eaddr, Q_SRC);
4222 b1 = gen_wlanhostop(eaddr, Q_DST);
4228 b0 = gen_wlanhostop(eaddr, Q_SRC);
4229 b1 = gen_wlanhostop(eaddr, Q_DST);
4238 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4239 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4240 * as the RFC states.)
4242 static struct block *
4243 gen_ipfchostop(eaddr, dir)
4244 register const u_char *eaddr;
4247 register struct block *b0, *b1;
4251 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4254 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4257 b0 = gen_ipfchostop(eaddr, Q_SRC);
4258 b1 = gen_ipfchostop(eaddr, Q_DST);
4264 b0 = gen_ipfchostop(eaddr, Q_SRC);
4265 b1 = gen_ipfchostop(eaddr, Q_DST);
4270 bpf_error("'addr1' is only supported on 802.11");
4274 bpf_error("'addr2' is only supported on 802.11");
4278 bpf_error("'addr3' is only supported on 802.11");
4282 bpf_error("'addr4' is only supported on 802.11");
4286 bpf_error("'ra' is only supported on 802.11");
4290 bpf_error("'ta' is only supported on 802.11");
4298 * This is quite tricky because there may be pad bytes in front of the
4299 * DECNET header, and then there are two possible data packet formats that
4300 * carry both src and dst addresses, plus 5 packet types in a format that
4301 * carries only the src node, plus 2 types that use a different format and
4302 * also carry just the src node.
4306 * Instead of doing those all right, we just look for data packets with
4307 * 0 or 1 bytes of padding. If you want to look at other packets, that
4308 * will require a lot more hacking.
4310 * To add support for filtering on DECNET "areas" (network numbers)
4311 * one would want to add a "mask" argument to this routine. That would
4312 * make the filter even more inefficient, although one could be clever
4313 * and not generate masking instructions if the mask is 0xFFFF.
4315 static struct block *
4316 gen_dnhostop(addr, dir)
4320 struct block *b0, *b1, *b2, *tmp;
4321 u_int offset_lh; /* offset if long header is received */
4322 u_int offset_sh; /* offset if short header is received */
4327 offset_sh = 1; /* follows flags */
4328 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4332 offset_sh = 3; /* follows flags, dstnode */
4333 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4337 /* Inefficient because we do our Calvinball dance twice */
4338 b0 = gen_dnhostop(addr, Q_SRC);
4339 b1 = gen_dnhostop(addr, Q_DST);
4345 /* Inefficient because we do our Calvinball dance twice */
4346 b0 = gen_dnhostop(addr, Q_SRC);
4347 b1 = gen_dnhostop(addr, Q_DST);
4352 bpf_error("ISO host filtering not implemented");
4357 b0 = gen_linktype(ETHERTYPE_DN);
4358 /* Check for pad = 1, long header case */
4359 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4360 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4361 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4362 BPF_H, (bpf_int32)ntohs((u_short)addr));
4364 /* Check for pad = 0, long header case */
4365 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4366 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4369 /* Check for pad = 1, short header case */
4370 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4371 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4372 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4375 /* Check for pad = 0, short header case */
4376 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4377 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4381 /* Combine with test for linktype */
4387 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4388 * test the bottom-of-stack bit, and then check the version number
4389 * field in the IP header.
4391 static struct block *
4392 gen_mpls_linktype(proto)
4395 struct block *b0, *b1;
4400 /* match the bottom-of-stack bit */
4401 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4402 /* match the IPv4 version number */
4403 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4408 /* match the bottom-of-stack bit */
4409 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4410 /* match the IPv4 version number */
4411 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4420 static struct block *
4421 gen_host(addr, mask, proto, dir, type)
4428 struct block *b0, *b1;
4429 const char *typestr;
4439 b0 = gen_host(addr, mask, Q_IP, dir, type);
4441 * Only check for non-IPv4 addresses if we're not
4442 * checking MPLS-encapsulated packets.
4444 if (label_stack_depth == 0) {
4445 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4447 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4453 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4456 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4459 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4462 bpf_error("'tcp' modifier applied to %s", typestr);
4465 bpf_error("'sctp' modifier applied to %s", typestr);
4468 bpf_error("'udp' modifier applied to %s", typestr);
4471 bpf_error("'icmp' modifier applied to %s", typestr);
4474 bpf_error("'igmp' modifier applied to %s", typestr);
4477 bpf_error("'igrp' modifier applied to %s", typestr);
4480 bpf_error("'pim' modifier applied to %s", typestr);
4483 bpf_error("'vrrp' modifier applied to %s", typestr);
4486 bpf_error("'carp' modifier applied to %s", typestr);
4489 bpf_error("ATALK host filtering not implemented");
4492 bpf_error("AARP host filtering not implemented");
4495 return gen_dnhostop(addr, dir);
4498 bpf_error("SCA host filtering not implemented");
4501 bpf_error("LAT host filtering not implemented");
4504 bpf_error("MOPDL host filtering not implemented");
4507 bpf_error("MOPRC host filtering not implemented");
4511 bpf_error("'ip6' modifier applied to ip host");
4514 bpf_error("'icmp6' modifier applied to %s", typestr);
4518 bpf_error("'ah' modifier applied to %s", typestr);
4521 bpf_error("'esp' modifier applied to %s", typestr);
4524 bpf_error("ISO host filtering not implemented");
4527 bpf_error("'esis' modifier applied to %s", typestr);
4530 bpf_error("'isis' modifier applied to %s", typestr);
4533 bpf_error("'clnp' modifier applied to %s", typestr);
4536 bpf_error("'stp' modifier applied to %s", typestr);
4539 bpf_error("IPX host filtering not implemented");
4542 bpf_error("'netbeui' modifier applied to %s", typestr);
4545 bpf_error("'radio' modifier applied to %s", typestr);
4554 static struct block *
4555 gen_host6(addr, mask, proto, dir, type)
4556 struct in6_addr *addr;
4557 struct in6_addr *mask;
4562 const char *typestr;
4572 return gen_host6(addr, mask, Q_IPV6, dir, type);
4575 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4578 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4581 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4584 bpf_error("'sctp' modifier applied to %s", typestr);
4587 bpf_error("'tcp' modifier applied to %s", typestr);
4590 bpf_error("'udp' modifier applied to %s", typestr);
4593 bpf_error("'icmp' modifier applied to %s", typestr);
4596 bpf_error("'igmp' modifier applied to %s", typestr);
4599 bpf_error("'igrp' modifier applied to %s", typestr);
4602 bpf_error("'pim' modifier applied to %s", typestr);
4605 bpf_error("'vrrp' modifier applied to %s", typestr);
4608 bpf_error("'carp' modifier applied to %s", typestr);
4611 bpf_error("ATALK host filtering not implemented");
4614 bpf_error("AARP host filtering not implemented");
4617 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4620 bpf_error("SCA host filtering not implemented");
4623 bpf_error("LAT host filtering not implemented");
4626 bpf_error("MOPDL host filtering not implemented");
4629 bpf_error("MOPRC host filtering not implemented");
4632 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4635 bpf_error("'icmp6' modifier applied to %s", typestr);
4638 bpf_error("'ah' modifier applied to %s", typestr);
4641 bpf_error("'esp' modifier applied to %s", typestr);
4644 bpf_error("ISO host filtering not implemented");
4647 bpf_error("'esis' modifier applied to %s", typestr);
4650 bpf_error("'isis' modifier applied to %s", typestr);
4653 bpf_error("'clnp' modifier applied to %s", typestr);
4656 bpf_error("'stp' modifier applied to %s", typestr);
4659 bpf_error("IPX host filtering not implemented");
4662 bpf_error("'netbeui' modifier applied to %s", typestr);
4665 bpf_error("'radio' modifier applied to %s", typestr);
4675 static struct block *
4676 gen_gateway(eaddr, alist, proto, dir)
4677 const u_char *eaddr;
4678 bpf_u_int32 **alist;
4682 struct block *b0, *b1, *tmp;
4685 bpf_error("direction applied to 'gateway'");
4694 case DLT_NETANALYZER:
4695 case DLT_NETANALYZER_TRANSPARENT:
4696 b0 = gen_ehostop(eaddr, Q_OR);
4699 b0 = gen_fhostop(eaddr, Q_OR);
4702 b0 = gen_thostop(eaddr, Q_OR);
4704 case DLT_IEEE802_11:
4705 case DLT_PRISM_HEADER:
4706 case DLT_IEEE802_11_RADIO_AVS:
4707 case DLT_IEEE802_11_RADIO:
4709 b0 = gen_wlanhostop(eaddr, Q_OR);
4714 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4716 * Check that the packet doesn't begin with an
4717 * LE Control marker. (We've already generated
4720 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4725 * Now check the MAC address.
4727 b0 = gen_ehostop(eaddr, Q_OR);
4730 case DLT_IP_OVER_FC:
4731 b0 = gen_ipfchostop(eaddr, Q_OR);
4735 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4737 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4739 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4748 bpf_error("illegal modifier of 'gateway'");
4754 gen_proto_abbrev(proto)
4763 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4765 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4771 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4773 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4779 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4781 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4787 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4790 #ifndef IPPROTO_IGMP
4791 #define IPPROTO_IGMP 2
4795 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4798 #ifndef IPPROTO_IGRP
4799 #define IPPROTO_IGRP 9
4802 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4806 #define IPPROTO_PIM 103
4810 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4812 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4817 #ifndef IPPROTO_VRRP
4818 #define IPPROTO_VRRP 112
4822 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4825 #ifndef IPPROTO_CARP
4826 #define IPPROTO_CARP 112
4830 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4834 b1 = gen_linktype(ETHERTYPE_IP);
4838 b1 = gen_linktype(ETHERTYPE_ARP);
4842 b1 = gen_linktype(ETHERTYPE_REVARP);
4846 bpf_error("link layer applied in wrong context");
4849 b1 = gen_linktype(ETHERTYPE_ATALK);
4853 b1 = gen_linktype(ETHERTYPE_AARP);
4857 b1 = gen_linktype(ETHERTYPE_DN);
4861 b1 = gen_linktype(ETHERTYPE_SCA);
4865 b1 = gen_linktype(ETHERTYPE_LAT);
4869 b1 = gen_linktype(ETHERTYPE_MOPDL);
4873 b1 = gen_linktype(ETHERTYPE_MOPRC);
4878 b1 = gen_linktype(ETHERTYPE_IPV6);
4881 #ifndef IPPROTO_ICMPV6
4882 #define IPPROTO_ICMPV6 58
4885 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4890 #define IPPROTO_AH 51
4893 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4895 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4901 #define IPPROTO_ESP 50
4904 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4906 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4912 b1 = gen_linktype(LLCSAP_ISONS);
4916 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4920 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4923 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4924 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4925 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4927 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4929 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4931 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4935 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4936 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4937 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4939 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4941 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4943 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4947 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4948 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4949 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4951 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4956 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4957 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4962 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4963 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4965 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4967 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4972 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4973 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4978 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4979 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4984 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4988 b1 = gen_linktype(LLCSAP_8021D);
4992 b1 = gen_linktype(LLCSAP_IPX);
4996 b1 = gen_linktype(LLCSAP_NETBEUI);
5000 bpf_error("'radio' is not a valid protocol type");
5008 static struct block *
5014 /* not IPv4 frag other than the first frag */
5015 s = gen_load_a(OR_NET, 6, BPF_H);
5016 b = new_block(JMP(BPF_JSET));
5025 * Generate a comparison to a port value in the transport-layer header
5026 * at the specified offset from the beginning of that header.
5028 * XXX - this handles a variable-length prefix preceding the link-layer
5029 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5030 * variable-length link-layer headers (such as Token Ring or 802.11
5033 static struct block *
5034 gen_portatom(off, v)
5038 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5042 static struct block *
5043 gen_portatom6(off, v)
5047 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5052 gen_portop(port, proto, dir)
5053 int port, proto, dir;
5055 struct block *b0, *b1, *tmp;
5057 /* ip proto 'proto' and not a fragment other than the first fragment */
5058 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5064 b1 = gen_portatom(0, (bpf_int32)port);
5068 b1 = gen_portatom(2, (bpf_int32)port);
5073 tmp = gen_portatom(0, (bpf_int32)port);
5074 b1 = gen_portatom(2, (bpf_int32)port);
5079 tmp = gen_portatom(0, (bpf_int32)port);
5080 b1 = gen_portatom(2, (bpf_int32)port);
5092 static struct block *
5093 gen_port(port, ip_proto, dir)
5098 struct block *b0, *b1, *tmp;
5103 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5104 * not LLC encapsulation with LLCSAP_IP.
5106 * For IEEE 802 networks - which includes 802.5 token ring
5107 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5108 * says that SNAP encapsulation is used, not LLC encapsulation
5111 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5112 * RFC 2225 say that SNAP encapsulation is used, not LLC
5113 * encapsulation with LLCSAP_IP.
5115 * So we always check for ETHERTYPE_IP.
5117 b0 = gen_linktype(ETHERTYPE_IP);
5123 b1 = gen_portop(port, ip_proto, dir);
5127 tmp = gen_portop(port, IPPROTO_TCP, dir);
5128 b1 = gen_portop(port, IPPROTO_UDP, dir);
5130 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5143 gen_portop6(port, proto, dir)
5144 int port, proto, dir;
5146 struct block *b0, *b1, *tmp;
5148 /* ip6 proto 'proto' */
5149 /* XXX - catch the first fragment of a fragmented packet? */
5150 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5154 b1 = gen_portatom6(0, (bpf_int32)port);
5158 b1 = gen_portatom6(2, (bpf_int32)port);
5163 tmp = gen_portatom6(0, (bpf_int32)port);
5164 b1 = gen_portatom6(2, (bpf_int32)port);
5169 tmp = gen_portatom6(0, (bpf_int32)port);
5170 b1 = gen_portatom6(2, (bpf_int32)port);
5182 static struct block *
5183 gen_port6(port, ip_proto, dir)
5188 struct block *b0, *b1, *tmp;
5190 /* link proto ip6 */
5191 b0 = gen_linktype(ETHERTYPE_IPV6);
5197 b1 = gen_portop6(port, ip_proto, dir);
5201 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5202 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5204 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5216 /* gen_portrange code */
5217 static struct block *
5218 gen_portrangeatom(off, v1, v2)
5222 struct block *b1, *b2;
5226 * Reverse the order of the ports, so v1 is the lower one.
5235 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5236 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5244 gen_portrangeop(port1, port2, proto, dir)
5249 struct block *b0, *b1, *tmp;
5251 /* ip proto 'proto' and not a fragment other than the first fragment */
5252 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5258 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5262 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5267 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5268 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5273 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5274 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5286 static struct block *
5287 gen_portrange(port1, port2, ip_proto, dir)
5292 struct block *b0, *b1, *tmp;
5295 b0 = gen_linktype(ETHERTYPE_IP);
5301 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5305 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5306 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5308 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5320 static struct block *
5321 gen_portrangeatom6(off, v1, v2)
5325 struct block *b1, *b2;
5329 * Reverse the order of the ports, so v1 is the lower one.
5338 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5339 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5347 gen_portrangeop6(port1, port2, proto, dir)
5352 struct block *b0, *b1, *tmp;
5354 /* ip6 proto 'proto' */
5355 /* XXX - catch the first fragment of a fragmented packet? */
5356 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5360 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5364 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5369 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5370 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5375 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5376 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5388 static struct block *
5389 gen_portrange6(port1, port2, ip_proto, dir)
5394 struct block *b0, *b1, *tmp;
5396 /* link proto ip6 */
5397 b0 = gen_linktype(ETHERTYPE_IPV6);
5403 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5407 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5408 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5410 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5423 lookup_proto(name, proto)
5424 register const char *name;
5434 v = pcap_nametoproto(name);
5435 if (v == PROTO_UNDEF)
5436 bpf_error("unknown ip proto '%s'", name);
5440 /* XXX should look up h/w protocol type based on linktype */
5441 v = pcap_nametoeproto(name);
5442 if (v == PROTO_UNDEF) {
5443 v = pcap_nametollc(name);
5444 if (v == PROTO_UNDEF)
5445 bpf_error("unknown ether proto '%s'", name);
5450 if (strcmp(name, "esis") == 0)
5452 else if (strcmp(name, "isis") == 0)
5454 else if (strcmp(name, "clnp") == 0)
5457 bpf_error("unknown osi proto '%s'", name);
5477 static struct block *
5478 gen_protochain(v, proto, dir)
5483 #ifdef NO_PROTOCHAIN
5484 return gen_proto(v, proto, dir);
5486 struct block *b0, *b;
5487 struct slist *s[100];
5488 int fix2, fix3, fix4, fix5;
5489 int ahcheck, again, end;
5491 int reg2 = alloc_reg();
5493 memset(s, 0, sizeof(s));
5494 fix2 = fix3 = fix4 = fix5 = 0;
5501 b0 = gen_protochain(v, Q_IP, dir);
5502 b = gen_protochain(v, Q_IPV6, dir);
5506 bpf_error("bad protocol applied for 'protochain'");
5511 * We don't handle variable-length prefixes before the link-layer
5512 * header, or variable-length link-layer headers, here yet.
5513 * We might want to add BPF instructions to do the protochain
5514 * work, to simplify that and, on platforms that have a BPF
5515 * interpreter with the new instructions, let the filtering
5516 * be done in the kernel. (We already require a modified BPF
5517 * engine to do the protochain stuff, to support backward
5518 * branches, and backward branch support is unlikely to appear
5519 * in kernel BPF engines.)
5523 case DLT_IEEE802_11:
5524 case DLT_PRISM_HEADER:
5525 case DLT_IEEE802_11_RADIO_AVS:
5526 case DLT_IEEE802_11_RADIO:
5528 bpf_error("'protochain' not supported with 802.11");
5531 no_optimize = 1; /*this code is not compatible with optimzer yet */
5534 * s[0] is a dummy entry to protect other BPF insn from damage
5535 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5536 * hard to find interdependency made by jump table fixup.
5539 s[i] = new_stmt(0); /*dummy*/
5544 b0 = gen_linktype(ETHERTYPE_IP);
5547 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5548 s[i]->s.k = off_macpl + off_nl + 9;
5550 /* X = ip->ip_hl << 2 */
5551 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5552 s[i]->s.k = off_macpl + off_nl;
5557 b0 = gen_linktype(ETHERTYPE_IPV6);
5559 /* A = ip6->ip_nxt */
5560 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5561 s[i]->s.k = off_macpl + off_nl + 6;
5563 /* X = sizeof(struct ip6_hdr) */
5564 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5570 bpf_error("unsupported proto to gen_protochain");
5574 /* again: if (A == v) goto end; else fall through; */
5576 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5578 s[i]->s.jt = NULL; /*later*/
5579 s[i]->s.jf = NULL; /*update in next stmt*/
5583 #ifndef IPPROTO_NONE
5584 #define IPPROTO_NONE 59
5586 /* if (A == IPPROTO_NONE) goto end */
5587 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5588 s[i]->s.jt = NULL; /*later*/
5589 s[i]->s.jf = NULL; /*update in next stmt*/
5590 s[i]->s.k = IPPROTO_NONE;
5591 s[fix5]->s.jf = s[i];
5596 if (proto == Q_IPV6) {
5597 int v6start, v6end, v6advance, j;
5600 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5601 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5602 s[i]->s.jt = NULL; /*later*/
5603 s[i]->s.jf = NULL; /*update in next stmt*/
5604 s[i]->s.k = IPPROTO_HOPOPTS;
5605 s[fix2]->s.jf = s[i];
5607 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5608 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5609 s[i]->s.jt = NULL; /*later*/
5610 s[i]->s.jf = NULL; /*update in next stmt*/
5611 s[i]->s.k = IPPROTO_DSTOPTS;
5613 /* if (A == IPPROTO_ROUTING) goto v6advance */
5614 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5615 s[i]->s.jt = NULL; /*later*/
5616 s[i]->s.jf = NULL; /*update in next stmt*/
5617 s[i]->s.k = IPPROTO_ROUTING;
5619 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5620 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5621 s[i]->s.jt = NULL; /*later*/
5622 s[i]->s.jf = NULL; /*later*/
5623 s[i]->s.k = IPPROTO_FRAGMENT;
5633 * A = P[X + packet head];
5634 * X = X + (P[X + packet head + 1] + 1) * 8;
5636 /* A = P[X + packet head] */
5637 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5638 s[i]->s.k = off_macpl + off_nl;
5641 s[i] = new_stmt(BPF_ST);
5644 /* A = P[X + packet head + 1]; */
5645 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5646 s[i]->s.k = off_macpl + off_nl + 1;
5649 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5653 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5657 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5661 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5664 s[i] = new_stmt(BPF_LD|BPF_MEM);
5668 /* goto again; (must use BPF_JA for backward jump) */
5669 s[i] = new_stmt(BPF_JMP|BPF_JA);
5670 s[i]->s.k = again - i - 1;
5671 s[i - 1]->s.jf = s[i];
5675 for (j = v6start; j <= v6end; j++)
5676 s[j]->s.jt = s[v6advance];
5681 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5683 s[fix2]->s.jf = s[i];
5689 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5690 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5691 s[i]->s.jt = NULL; /*later*/
5692 s[i]->s.jf = NULL; /*later*/
5693 s[i]->s.k = IPPROTO_AH;
5695 s[fix3]->s.jf = s[ahcheck];
5702 * X = X + (P[X + 1] + 2) * 4;
5705 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5707 /* A = P[X + packet head]; */
5708 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5709 s[i]->s.k = off_macpl + off_nl;
5712 s[i] = new_stmt(BPF_ST);
5716 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5719 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5723 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5725 /* A = P[X + packet head] */
5726 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5727 s[i]->s.k = off_macpl + off_nl;
5730 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5734 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5738 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5741 s[i] = new_stmt(BPF_LD|BPF_MEM);
5745 /* goto again; (must use BPF_JA for backward jump) */
5746 s[i] = new_stmt(BPF_JMP|BPF_JA);
5747 s[i]->s.k = again - i - 1;
5752 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5754 s[fix2]->s.jt = s[end];
5755 s[fix4]->s.jf = s[end];
5756 s[fix5]->s.jt = s[end];
5763 for (i = 0; i < max - 1; i++)
5764 s[i]->next = s[i + 1];
5765 s[max - 1]->next = NULL;
5770 b = new_block(JMP(BPF_JEQ));
5771 b->stmts = s[1]; /*remember, s[0] is dummy*/
5781 static struct block *
5782 gen_check_802_11_data_frame()
5785 struct block *b0, *b1;
5788 * A data frame has the 0x08 bit (b3) in the frame control field set
5789 * and the 0x04 bit (b2) clear.
5791 s = gen_load_a(OR_LINK, 0, BPF_B);
5792 b0 = new_block(JMP(BPF_JSET));
5796 s = gen_load_a(OR_LINK, 0, BPF_B);
5797 b1 = new_block(JMP(BPF_JSET));
5808 * Generate code that checks whether the packet is a packet for protocol
5809 * <proto> and whether the type field in that protocol's header has
5810 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5811 * IP packet and checks the protocol number in the IP header against <v>.
5813 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5814 * against Q_IP and Q_IPV6.
5816 static struct block *
5817 gen_proto(v, proto, dir)
5822 struct block *b0, *b1;
5829 if (dir != Q_DEFAULT)
5830 bpf_error("direction applied to 'proto'");
5835 b0 = gen_proto(v, Q_IP, dir);
5836 b1 = gen_proto(v, Q_IPV6, dir);
5844 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5845 * not LLC encapsulation with LLCSAP_IP.
5847 * For IEEE 802 networks - which includes 802.5 token ring
5848 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5849 * says that SNAP encapsulation is used, not LLC encapsulation
5852 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5853 * RFC 2225 say that SNAP encapsulation is used, not LLC
5854 * encapsulation with LLCSAP_IP.
5856 * So we always check for ETHERTYPE_IP.
5858 b0 = gen_linktype(ETHERTYPE_IP);
5860 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5862 b1 = gen_protochain(v, Q_IP);
5872 * Frame Relay packets typically have an OSI
5873 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5874 * generates code to check for all the OSI
5875 * NLPIDs, so calling it and then adding a check
5876 * for the particular NLPID for which we're
5877 * looking is bogus, as we can just check for
5880 * What we check for is the NLPID and a frame
5881 * control field value of UI, i.e. 0x03 followed
5884 * XXX - assumes a 2-byte Frame Relay header with
5885 * DLCI and flags. What if the address is longer?
5887 * XXX - what about SNAP-encapsulated frames?
5889 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5895 * Cisco uses an Ethertype lookalike - for OSI,
5898 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5899 /* OSI in C-HDLC is stuffed with a fudge byte */
5900 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5905 b0 = gen_linktype(LLCSAP_ISONS);
5906 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5912 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5914 * 4 is the offset of the PDU type relative to the IS-IS
5917 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5922 bpf_error("arp does not encapsulate another protocol");
5926 bpf_error("rarp does not encapsulate another protocol");
5930 bpf_error("atalk encapsulation is not specifiable");
5934 bpf_error("decnet encapsulation is not specifiable");
5938 bpf_error("sca does not encapsulate another protocol");
5942 bpf_error("lat does not encapsulate another protocol");
5946 bpf_error("moprc does not encapsulate another protocol");
5950 bpf_error("mopdl does not encapsulate another protocol");
5954 return gen_linktype(v);
5957 bpf_error("'udp proto' is bogus");
5961 bpf_error("'tcp proto' is bogus");
5965 bpf_error("'sctp proto' is bogus");
5969 bpf_error("'icmp proto' is bogus");
5973 bpf_error("'igmp proto' is bogus");
5977 bpf_error("'igrp proto' is bogus");
5981 bpf_error("'pim proto' is bogus");
5985 bpf_error("'vrrp proto' is bogus");
5989 bpf_error("'carp proto' is bogus");
5994 b0 = gen_linktype(ETHERTYPE_IPV6);
5997 * Also check for a fragment header before the final
6000 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
6001 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
6003 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
6006 b1 = gen_protochain(v, Q_IPV6);
6012 bpf_error("'icmp6 proto' is bogus");
6016 bpf_error("'ah proto' is bogus");
6019 bpf_error("'ah proto' is bogus");
6022 bpf_error("'stp proto' is bogus");
6025 bpf_error("'ipx proto' is bogus");
6028 bpf_error("'netbeui proto' is bogus");
6031 bpf_error("'radio proto' is bogus");
6042 register const char *name;
6045 int proto = q.proto;
6049 bpf_u_int32 mask, addr;
6051 bpf_u_int32 **alist;
6054 struct sockaddr_in *sin4;
6055 struct sockaddr_in6 *sin6;
6056 struct addrinfo *res, *res0;
6057 struct in6_addr mask128;
6059 struct block *b, *tmp;
6060 int port, real_proto;
6066 addr = pcap_nametonetaddr(name);
6068 bpf_error("unknown network '%s'", name);
6069 /* Left justify network addr and calculate its network mask */
6071 while (addr && (addr & 0xff000000) == 0) {
6075 return gen_host(addr, mask, proto, dir, q.addr);
6079 if (proto == Q_LINK) {
6083 case DLT_NETANALYZER:
6084 case DLT_NETANALYZER_TRANSPARENT:
6085 eaddr = pcap_ether_hostton(name);
6088 "unknown ether host '%s'", name);
6089 b = gen_ehostop(eaddr, dir);
6094 eaddr = pcap_ether_hostton(name);
6097 "unknown FDDI host '%s'", name);
6098 b = gen_fhostop(eaddr, dir);
6103 eaddr = pcap_ether_hostton(name);
6106 "unknown token ring host '%s'", name);
6107 b = gen_thostop(eaddr, dir);
6111 case DLT_IEEE802_11:
6112 case DLT_PRISM_HEADER:
6113 case DLT_IEEE802_11_RADIO_AVS:
6114 case DLT_IEEE802_11_RADIO:
6116 eaddr = pcap_ether_hostton(name);
6119 "unknown 802.11 host '%s'", name);
6120 b = gen_wlanhostop(eaddr, dir);
6124 case DLT_IP_OVER_FC:
6125 eaddr = pcap_ether_hostton(name);
6128 "unknown Fibre Channel host '%s'", name);
6129 b = gen_ipfchostop(eaddr, dir);
6138 * Check that the packet doesn't begin
6139 * with an LE Control marker. (We've
6140 * already generated a test for LANE.)
6142 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6146 eaddr = pcap_ether_hostton(name);
6149 "unknown ether host '%s'", name);
6150 b = gen_ehostop(eaddr, dir);
6156 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6157 } else if (proto == Q_DECNET) {
6158 unsigned short dn_addr = __pcap_nametodnaddr(name);
6160 * I don't think DECNET hosts can be multihomed, so
6161 * there is no need to build up a list of addresses
6163 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6166 alist = pcap_nametoaddr(name);
6167 if (alist == NULL || *alist == NULL)
6168 bpf_error("unknown host '%s'", name);
6170 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6172 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6174 tmp = gen_host(**alist++, 0xffffffff,
6175 tproto, dir, q.addr);
6181 memset(&mask128, 0xff, sizeof(mask128));
6182 res0 = res = pcap_nametoaddrinfo(name);
6184 bpf_error("unknown host '%s'", name);
6187 tproto = tproto6 = proto;
6188 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6192 for (res = res0; res; res = res->ai_next) {
6193 switch (res->ai_family) {
6195 if (tproto == Q_IPV6)
6198 sin4 = (struct sockaddr_in *)
6200 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6201 0xffffffff, tproto, dir, q.addr);
6204 if (tproto6 == Q_IP)
6207 sin6 = (struct sockaddr_in6 *)
6209 tmp = gen_host6(&sin6->sin6_addr,
6210 &mask128, tproto6, dir, q.addr);
6222 bpf_error("unknown host '%s'%s", name,
6223 (proto == Q_DEFAULT)
6225 : " for specified address family");
6232 if (proto != Q_DEFAULT &&
6233 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6234 bpf_error("illegal qualifier of 'port'");
6235 if (pcap_nametoport(name, &port, &real_proto) == 0)
6236 bpf_error("unknown port '%s'", name);
6237 if (proto == Q_UDP) {
6238 if (real_proto == IPPROTO_TCP)
6239 bpf_error("port '%s' is tcp", name);
6240 else if (real_proto == IPPROTO_SCTP)
6241 bpf_error("port '%s' is sctp", name);
6243 /* override PROTO_UNDEF */
6244 real_proto = IPPROTO_UDP;
6246 if (proto == Q_TCP) {
6247 if (real_proto == IPPROTO_UDP)
6248 bpf_error("port '%s' is udp", name);
6250 else if (real_proto == IPPROTO_SCTP)
6251 bpf_error("port '%s' is sctp", name);
6253 /* override PROTO_UNDEF */
6254 real_proto = IPPROTO_TCP;
6256 if (proto == Q_SCTP) {
6257 if (real_proto == IPPROTO_UDP)
6258 bpf_error("port '%s' is udp", name);
6260 else if (real_proto == IPPROTO_TCP)
6261 bpf_error("port '%s' is tcp", name);
6263 /* override PROTO_UNDEF */
6264 real_proto = IPPROTO_SCTP;
6267 bpf_error("illegal port number %d < 0", port);
6269 bpf_error("illegal port number %d > 65535", port);
6271 return gen_port(port, real_proto, dir);
6273 b = gen_port(port, real_proto, dir);
6274 gen_or(gen_port6(port, real_proto, dir), b);
6279 if (proto != Q_DEFAULT &&
6280 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6281 bpf_error("illegal qualifier of 'portrange'");
6282 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6283 bpf_error("unknown port in range '%s'", name);
6284 if (proto == Q_UDP) {
6285 if (real_proto == IPPROTO_TCP)
6286 bpf_error("port in range '%s' is tcp", name);
6287 else if (real_proto == IPPROTO_SCTP)
6288 bpf_error("port in range '%s' is sctp", name);
6290 /* override PROTO_UNDEF */
6291 real_proto = IPPROTO_UDP;
6293 if (proto == Q_TCP) {
6294 if (real_proto == IPPROTO_UDP)
6295 bpf_error("port in range '%s' is udp", name);
6296 else if (real_proto == IPPROTO_SCTP)
6297 bpf_error("port in range '%s' is sctp", name);
6299 /* override PROTO_UNDEF */
6300 real_proto = IPPROTO_TCP;
6302 if (proto == Q_SCTP) {
6303 if (real_proto == IPPROTO_UDP)
6304 bpf_error("port in range '%s' is udp", name);
6305 else if (real_proto == IPPROTO_TCP)
6306 bpf_error("port in range '%s' is tcp", name);
6308 /* override PROTO_UNDEF */
6309 real_proto = IPPROTO_SCTP;
6312 bpf_error("illegal port number %d < 0", port1);
6314 bpf_error("illegal port number %d > 65535", port1);
6316 bpf_error("illegal port number %d < 0", port2);
6318 bpf_error("illegal port number %d > 65535", port2);
6321 return gen_portrange(port1, port2, real_proto, dir);
6323 b = gen_portrange(port1, port2, real_proto, dir);
6324 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6330 eaddr = pcap_ether_hostton(name);
6332 bpf_error("unknown ether host: %s", name);
6334 alist = pcap_nametoaddr(name);
6335 if (alist == NULL || *alist == NULL)
6336 bpf_error("unknown host '%s'", name);
6337 b = gen_gateway(eaddr, alist, proto, dir);
6341 bpf_error("'gateway' not supported in this configuration");
6345 real_proto = lookup_proto(name, proto);
6346 if (real_proto >= 0)
6347 return gen_proto(real_proto, proto, dir);
6349 bpf_error("unknown protocol: %s", name);
6352 real_proto = lookup_proto(name, proto);
6353 if (real_proto >= 0)
6354 return gen_protochain(real_proto, proto, dir);
6356 bpf_error("unknown protocol: %s", name);
6367 gen_mcode(s1, s2, masklen, q)
6368 register const char *s1, *s2;
6369 register int masklen;
6372 register int nlen, mlen;
6375 nlen = __pcap_atoin(s1, &n);
6376 /* Promote short ipaddr */
6380 mlen = __pcap_atoin(s2, &m);
6381 /* Promote short ipaddr */
6384 bpf_error("non-network bits set in \"%s mask %s\"",
6387 /* Convert mask len to mask */
6389 bpf_error("mask length must be <= 32");
6392 * X << 32 is not guaranteed by C to be 0; it's
6397 m = 0xffffffff << (32 - masklen);
6399 bpf_error("non-network bits set in \"%s/%d\"",
6406 return gen_host(n, m, q.proto, q.dir, q.addr);
6409 bpf_error("Mask syntax for networks only");
6418 register const char *s;
6423 int proto = q.proto;
6429 else if (q.proto == Q_DECNET)
6430 vlen = __pcap_atodn(s, &v);
6432 vlen = __pcap_atoin(s, &v);
6439 if (proto == Q_DECNET)
6440 return gen_host(v, 0, proto, dir, q.addr);
6441 else if (proto == Q_LINK) {
6442 bpf_error("illegal link layer address");
6445 if (s == NULL && q.addr == Q_NET) {
6446 /* Promote short net number */
6447 while (v && (v & 0xff000000) == 0) {
6452 /* Promote short ipaddr */
6456 return gen_host(v, mask, proto, dir, q.addr);
6461 proto = IPPROTO_UDP;
6462 else if (proto == Q_TCP)
6463 proto = IPPROTO_TCP;
6464 else if (proto == Q_SCTP)
6465 proto = IPPROTO_SCTP;
6466 else if (proto == Q_DEFAULT)
6467 proto = PROTO_UNDEF;
6469 bpf_error("illegal qualifier of 'port'");
6472 bpf_error("illegal port number %u > 65535", v);
6475 return gen_port((int)v, proto, dir);
6479 b = gen_port((int)v, proto, dir);
6480 gen_or(gen_port6((int)v, proto, dir), b);
6487 proto = IPPROTO_UDP;
6488 else if (proto == Q_TCP)
6489 proto = IPPROTO_TCP;
6490 else if (proto == Q_SCTP)
6491 proto = IPPROTO_SCTP;
6492 else if (proto == Q_DEFAULT)
6493 proto = PROTO_UNDEF;
6495 bpf_error("illegal qualifier of 'portrange'");
6498 bpf_error("illegal port number %u > 65535", v);
6501 return gen_portrange((int)v, (int)v, proto, dir);
6505 b = gen_portrange((int)v, (int)v, proto, dir);
6506 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6512 bpf_error("'gateway' requires a name");
6516 return gen_proto((int)v, proto, dir);
6519 return gen_protochain((int)v, proto, dir);
6534 gen_mcode6(s1, s2, masklen, q)
6535 register const char *s1, *s2;
6536 register int masklen;
6539 struct addrinfo *res;
6540 struct in6_addr *addr;
6541 struct in6_addr mask;
6546 bpf_error("no mask %s supported", s2);
6548 res = pcap_nametoaddrinfo(s1);
6550 bpf_error("invalid ip6 address %s", s1);
6553 bpf_error("%s resolved to multiple address", s1);
6554 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6556 if (sizeof(mask) * 8 < masklen)
6557 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6558 memset(&mask, 0, sizeof(mask));
6559 memset(&mask, 0xff, masklen / 8);
6561 mask.s6_addr[masklen / 8] =
6562 (0xff << (8 - masklen % 8)) & 0xff;
6565 a = (u_int32_t *)addr;
6566 m = (u_int32_t *)&mask;
6567 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6568 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6569 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6577 bpf_error("Mask syntax for networks only");
6581 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6587 bpf_error("invalid qualifier against IPv6 address");
6596 register const u_char *eaddr;
6599 struct block *b, *tmp;
6601 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6604 case DLT_NETANALYZER:
6605 case DLT_NETANALYZER_TRANSPARENT:
6606 return gen_ehostop(eaddr, (int)q.dir);
6608 return gen_fhostop(eaddr, (int)q.dir);
6610 return gen_thostop(eaddr, (int)q.dir);
6611 case DLT_IEEE802_11:
6612 case DLT_PRISM_HEADER:
6613 case DLT_IEEE802_11_RADIO_AVS:
6614 case DLT_IEEE802_11_RADIO:
6616 return gen_wlanhostop(eaddr, (int)q.dir);
6620 * Check that the packet doesn't begin with an
6621 * LE Control marker. (We've already generated
6624 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6629 * Now check the MAC address.
6631 b = gen_ehostop(eaddr, (int)q.dir);
6636 case DLT_IP_OVER_FC:
6637 return gen_ipfchostop(eaddr, (int)q.dir);
6639 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6643 bpf_error("ethernet address used in non-ether expression");
6650 struct slist *s0, *s1;
6653 * This is definitely not the best way to do this, but the
6654 * lists will rarely get long.
6661 static struct slist *
6667 s = new_stmt(BPF_LDX|BPF_MEM);
6672 static struct slist *
6678 s = new_stmt(BPF_LD|BPF_MEM);
6684 * Modify "index" to use the value stored into its register as an
6685 * offset relative to the beginning of the header for the protocol
6686 * "proto", and allocate a register and put an item "size" bytes long
6687 * (1, 2, or 4) at that offset into that register, making it the register
6691 gen_load(proto, inst, size)
6696 struct slist *s, *tmp;
6698 int regno = alloc_reg();
6700 free_reg(inst->regno);
6704 bpf_error("data size must be 1, 2, or 4");
6720 bpf_error("unsupported index operation");
6724 * The offset is relative to the beginning of the packet
6725 * data, if we have a radio header. (If we don't, this
6728 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6729 linktype != DLT_IEEE802_11_RADIO &&
6730 linktype != DLT_PRISM_HEADER)
6731 bpf_error("radio information not present in capture");
6734 * Load into the X register the offset computed into the
6735 * register specified by "index".
6737 s = xfer_to_x(inst);
6740 * Load the item at that offset.
6742 tmp = new_stmt(BPF_LD|BPF_IND|size);
6744 sappend(inst->s, s);
6749 * The offset is relative to the beginning of
6750 * the link-layer header.
6752 * XXX - what about ATM LANE? Should the index be
6753 * relative to the beginning of the AAL5 frame, so
6754 * that 0 refers to the beginning of the LE Control
6755 * field, or relative to the beginning of the LAN
6756 * frame, so that 0 refers, for Ethernet LANE, to
6757 * the beginning of the destination address?
6759 s = gen_llprefixlen();
6762 * If "s" is non-null, it has code to arrange that the
6763 * X register contains the length of the prefix preceding
6764 * the link-layer header. Add to it the offset computed
6765 * into the register specified by "index", and move that
6766 * into the X register. Otherwise, just load into the X
6767 * register the offset computed into the register specified
6771 sappend(s, xfer_to_a(inst));
6772 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6773 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6775 s = xfer_to_x(inst);
6778 * Load the item at the sum of the offset we've put in the
6779 * X register and the offset of the start of the link
6780 * layer header (which is 0 if the radio header is
6781 * variable-length; that header length is what we put
6782 * into the X register and then added to the index).
6784 tmp = new_stmt(BPF_LD|BPF_IND|size);
6787 sappend(inst->s, s);
6803 * The offset is relative to the beginning of
6804 * the network-layer header.
6805 * XXX - are there any cases where we want
6808 s = gen_off_macpl();
6811 * If "s" is non-null, it has code to arrange that the
6812 * X register contains the offset of the MAC-layer
6813 * payload. Add to it the offset computed into the
6814 * register specified by "index", and move that into
6815 * the X register. Otherwise, just load into the X
6816 * register the offset computed into the register specified
6820 sappend(s, xfer_to_a(inst));
6821 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6822 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6824 s = xfer_to_x(inst);
6827 * Load the item at the sum of the offset we've put in the
6828 * X register, the offset of the start of the network
6829 * layer header from the beginning of the MAC-layer
6830 * payload, and the purported offset of the start of the
6831 * MAC-layer payload (which might be 0 if there's a
6832 * variable-length prefix before the link-layer header
6833 * or the link-layer header itself is variable-length;
6834 * the variable-length offset of the start of the
6835 * MAC-layer payload is what we put into the X register
6836 * and then added to the index).
6838 tmp = new_stmt(BPF_LD|BPF_IND|size);
6839 tmp->s.k = off_macpl + off_nl;
6841 sappend(inst->s, s);
6844 * Do the computation only if the packet contains
6845 * the protocol in question.
6847 b = gen_proto_abbrev(proto);
6849 gen_and(inst->b, b);
6863 * The offset is relative to the beginning of
6864 * the transport-layer header.
6866 * Load the X register with the length of the IPv4 header
6867 * (plus the offset of the link-layer header, if it's
6868 * a variable-length header), in bytes.
6870 * XXX - are there any cases where we want
6872 * XXX - we should, if we're built with
6873 * IPv6 support, generate code to load either
6874 * IPv4, IPv6, or both, as appropriate.
6876 s = gen_loadx_iphdrlen();
6879 * The X register now contains the sum of the length
6880 * of any variable-length header preceding the link-layer
6881 * header, any variable-length link-layer header, and the
6882 * length of the network-layer header.
6884 * Load into the A register the offset relative to
6885 * the beginning of the transport layer header,
6886 * add the X register to that, move that to the
6887 * X register, and load with an offset from the
6888 * X register equal to the offset of the network
6889 * layer header relative to the beginning of
6890 * the MAC-layer payload plus the fixed-length
6891 * portion of the offset of the MAC-layer payload
6892 * from the beginning of the raw packet data.
6894 sappend(s, xfer_to_a(inst));
6895 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6896 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6897 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6898 tmp->s.k = off_macpl + off_nl;
6899 sappend(inst->s, s);
6902 * Do the computation only if the packet contains
6903 * the protocol in question - which is true only
6904 * if this is an IP datagram and is the first or
6905 * only fragment of that datagram.
6907 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6909 gen_and(inst->b, b);
6911 gen_and(gen_proto_abbrev(Q_IP), b);
6917 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6921 inst->regno = regno;
6922 s = new_stmt(BPF_ST);
6924 sappend(inst->s, s);
6930 gen_relation(code, a0, a1, reversed)
6932 struct arth *a0, *a1;
6935 struct slist *s0, *s1, *s2;
6936 struct block *b, *tmp;
6940 if (code == BPF_JEQ) {
6941 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6942 b = new_block(JMP(code));
6946 b = new_block(BPF_JMP|code|BPF_X);
6952 sappend(a0->s, a1->s);
6956 free_reg(a0->regno);
6957 free_reg(a1->regno);
6959 /* 'and' together protocol checks */
6962 gen_and(a0->b, tmp = a1->b);
6978 int regno = alloc_reg();
6979 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6982 s = new_stmt(BPF_LD|BPF_LEN);
6983 s->next = new_stmt(BPF_ST);
6984 s->next->s.k = regno;
6999 a = (struct arth *)newchunk(sizeof(*a));
7003 s = new_stmt(BPF_LD|BPF_IMM);
7005 s->next = new_stmt(BPF_ST);
7021 s = new_stmt(BPF_ALU|BPF_NEG);
7024 s = new_stmt(BPF_ST);
7032 gen_arth(code, a0, a1)
7034 struct arth *a0, *a1;
7036 struct slist *s0, *s1, *s2;
7040 s2 = new_stmt(BPF_ALU|BPF_X|code);
7045 sappend(a0->s, a1->s);
7047 free_reg(a0->regno);
7048 free_reg(a1->regno);
7050 s0 = new_stmt(BPF_ST);
7051 a0->regno = s0->s.k = alloc_reg();
7058 * Here we handle simple allocation of the scratch registers.
7059 * If too many registers are alloc'd, the allocator punts.
7061 static int regused[BPF_MEMWORDS];
7065 * Initialize the table of used registers and the current register.
7071 memset(regused, 0, sizeof regused);
7075 * Return the next free register.
7080 int n = BPF_MEMWORDS;
7083 if (regused[curreg])
7084 curreg = (curreg + 1) % BPF_MEMWORDS;
7086 regused[curreg] = 1;
7090 bpf_error("too many registers needed to evaluate expression");
7096 * Return a register to the table so it can
7106 static struct block *
7113 s = new_stmt(BPF_LD|BPF_LEN);
7114 b = new_block(JMP(jmp));
7125 return gen_len(BPF_JGE, n);
7129 * Actually, this is less than or equal.
7137 b = gen_len(BPF_JGT, n);
7144 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7145 * the beginning of the link-layer header.
7146 * XXX - that means you can't test values in the radiotap header, but
7147 * as that header is difficult if not impossible to parse generally
7148 * without a loop, that might not be a severe problem. A new keyword
7149 * "radio" could be added for that, although what you'd really want
7150 * would be a way of testing particular radio header values, which
7151 * would generate code appropriate to the radio header in question.
7154 gen_byteop(op, idx, val)
7165 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7168 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7172 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7176 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7180 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7184 b = new_block(JMP(BPF_JEQ));
7191 static u_char abroadcast[] = { 0x0 };
7194 gen_broadcast(proto)
7197 bpf_u_int32 hostmask;
7198 struct block *b0, *b1, *b2;
7199 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7207 case DLT_ARCNET_LINUX:
7208 return gen_ahostop(abroadcast, Q_DST);
7210 case DLT_NETANALYZER:
7211 case DLT_NETANALYZER_TRANSPARENT:
7212 return gen_ehostop(ebroadcast, Q_DST);
7214 return gen_fhostop(ebroadcast, Q_DST);
7216 return gen_thostop(ebroadcast, Q_DST);
7217 case DLT_IEEE802_11:
7218 case DLT_PRISM_HEADER:
7219 case DLT_IEEE802_11_RADIO_AVS:
7220 case DLT_IEEE802_11_RADIO:
7222 return gen_wlanhostop(ebroadcast, Q_DST);
7223 case DLT_IP_OVER_FC:
7224 return gen_ipfchostop(ebroadcast, Q_DST);
7228 * Check that the packet doesn't begin with an
7229 * LE Control marker. (We've already generated
7232 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7237 * Now check the MAC address.
7239 b0 = gen_ehostop(ebroadcast, Q_DST);
7245 bpf_error("not a broadcast link");
7251 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7252 * as an indication that we don't know the netmask, and fail
7255 if (netmask == PCAP_NETMASK_UNKNOWN)
7256 bpf_error("netmask not known, so 'ip broadcast' not supported");
7257 b0 = gen_linktype(ETHERTYPE_IP);
7258 hostmask = ~netmask;
7259 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7260 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7261 (bpf_int32)(~0 & hostmask), hostmask);
7266 bpf_error("only link-layer/IP broadcast filters supported");
7272 * Generate code to test the low-order bit of a MAC address (that's
7273 * the bottom bit of the *first* byte).
7275 static struct block *
7276 gen_mac_multicast(offset)
7279 register struct block *b0;
7280 register struct slist *s;
7282 /* link[offset] & 1 != 0 */
7283 s = gen_load_a(OR_LINK, offset, BPF_B);
7284 b0 = new_block(JMP(BPF_JSET));
7291 gen_multicast(proto)
7294 register struct block *b0, *b1, *b2;
7295 register struct slist *s;
7303 case DLT_ARCNET_LINUX:
7304 /* all ARCnet multicasts use the same address */
7305 return gen_ahostop(abroadcast, Q_DST);
7307 case DLT_NETANALYZER:
7308 case DLT_NETANALYZER_TRANSPARENT:
7309 /* ether[0] & 1 != 0 */
7310 return gen_mac_multicast(0);
7313 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7315 * XXX - was that referring to bit-order issues?
7317 /* fddi[1] & 1 != 0 */
7318 return gen_mac_multicast(1);
7320 /* tr[2] & 1 != 0 */
7321 return gen_mac_multicast(2);
7322 case DLT_IEEE802_11:
7323 case DLT_PRISM_HEADER:
7324 case DLT_IEEE802_11_RADIO_AVS:
7325 case DLT_IEEE802_11_RADIO:
7330 * For control frames, there is no DA.
7332 * For management frames, DA is at an
7333 * offset of 4 from the beginning of
7336 * For data frames, DA is at an offset
7337 * of 4 from the beginning of the packet
7338 * if To DS is clear and at an offset of
7339 * 16 from the beginning of the packet
7344 * Generate the tests to be done for data frames.
7346 * First, check for To DS set, i.e. "link[1] & 0x01".
7348 s = gen_load_a(OR_LINK, 1, BPF_B);
7349 b1 = new_block(JMP(BPF_JSET));
7350 b1->s.k = 0x01; /* To DS */
7354 * If To DS is set, the DA is at 16.
7356 b0 = gen_mac_multicast(16);
7360 * Now, check for To DS not set, i.e. check
7361 * "!(link[1] & 0x01)".
7363 s = gen_load_a(OR_LINK, 1, BPF_B);
7364 b2 = new_block(JMP(BPF_JSET));
7365 b2->s.k = 0x01; /* To DS */
7370 * If To DS is not set, the DA is at 4.
7372 b1 = gen_mac_multicast(4);
7376 * Now OR together the last two checks. That gives
7377 * the complete set of checks for data frames.
7382 * Now check for a data frame.
7383 * I.e, check "link[0] & 0x08".
7385 s = gen_load_a(OR_LINK, 0, BPF_B);
7386 b1 = new_block(JMP(BPF_JSET));
7391 * AND that with the checks done for data frames.
7396 * If the high-order bit of the type value is 0, this
7397 * is a management frame.
7398 * I.e, check "!(link[0] & 0x08)".
7400 s = gen_load_a(OR_LINK, 0, BPF_B);
7401 b2 = new_block(JMP(BPF_JSET));
7407 * For management frames, the DA is at 4.
7409 b1 = gen_mac_multicast(4);
7413 * OR that with the checks done for data frames.
7414 * That gives the checks done for management and
7420 * If the low-order bit of the type value is 1,
7421 * this is either a control frame or a frame
7422 * with a reserved type, and thus not a
7425 * I.e., check "!(link[0] & 0x04)".
7427 s = gen_load_a(OR_LINK, 0, BPF_B);
7428 b1 = new_block(JMP(BPF_JSET));
7434 * AND that with the checks for data and management
7439 case DLT_IP_OVER_FC:
7440 b0 = gen_mac_multicast(2);
7445 * Check that the packet doesn't begin with an
7446 * LE Control marker. (We've already generated
7449 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7453 /* ether[off_mac] & 1 != 0 */
7454 b0 = gen_mac_multicast(off_mac);
7462 /* Link not known to support multicasts */
7466 b0 = gen_linktype(ETHERTYPE_IP);
7467 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7473 b0 = gen_linktype(ETHERTYPE_IPV6);
7474 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7479 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7485 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7486 * Outbound traffic is sent by this machine, while inbound traffic is
7487 * sent by a remote machine (and may include packets destined for a
7488 * unicast or multicast link-layer address we are not subscribing to).
7489 * These are the same definitions implemented by pcap_setdirection().
7490 * Capturing only unicast traffic destined for this host is probably
7491 * better accomplished using a higher-layer filter.
7497 register struct block *b0;
7500 * Only some data link types support inbound/outbound qualifiers.
7504 b0 = gen_relation(BPF_JEQ,
7505 gen_load(Q_LINK, gen_loadi(0), 1),
7512 /* match outgoing packets */
7513 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7515 /* match incoming packets */
7516 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7521 /* match outgoing packets */
7522 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7524 /* to filter on inbound traffic, invert the match */
7529 #ifdef HAVE_NET_PFVAR_H
7531 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7532 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7538 /* match outgoing packets */
7539 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7541 /* match incoming packets */
7542 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7546 case DLT_JUNIPER_MFR:
7547 case DLT_JUNIPER_MLFR:
7548 case DLT_JUNIPER_MLPPP:
7549 case DLT_JUNIPER_ATM1:
7550 case DLT_JUNIPER_ATM2:
7551 case DLT_JUNIPER_PPPOE:
7552 case DLT_JUNIPER_PPPOE_ATM:
7553 case DLT_JUNIPER_GGSN:
7554 case DLT_JUNIPER_ES:
7555 case DLT_JUNIPER_MONITOR:
7556 case DLT_JUNIPER_SERVICES:
7557 case DLT_JUNIPER_ETHER:
7558 case DLT_JUNIPER_PPP:
7559 case DLT_JUNIPER_FRELAY:
7560 case DLT_JUNIPER_CHDLC:
7561 case DLT_JUNIPER_VP:
7562 case DLT_JUNIPER_ST:
7563 case DLT_JUNIPER_ISM:
7564 case DLT_JUNIPER_VS:
7565 case DLT_JUNIPER_SRX_E2E:
7566 case DLT_JUNIPER_FIBRECHANNEL:
7567 case DLT_JUNIPER_ATM_CEMIC:
7569 /* juniper flags (including direction) are stored
7570 * the byte after the 3-byte magic number */
7572 /* match outgoing packets */
7573 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7575 /* match incoming packets */
7576 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7582 * If we have packet meta-data indicating a direction,
7583 * check it, otherwise give up as this link-layer type
7584 * has nothing in the packet data.
7586 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7588 * We infer that this is Linux with PF_PACKET support.
7589 * If this is a *live* capture, we can look at
7590 * special meta-data in the filter expression;
7591 * if it's a savefile, we can't.
7593 if (bpf_pcap->sf.rfile != NULL) {
7594 /* We have a FILE *, so this is a savefile */
7595 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7600 /* match outgoing packets */
7601 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7604 /* to filter on inbound traffic, invert the match */
7607 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7608 bpf_error("inbound/outbound not supported on linktype %d",
7612 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7617 #ifdef HAVE_NET_PFVAR_H
7618 /* PF firewall log matched interface */
7620 gen_pf_ifname(const char *ifname)
7625 if (linktype != DLT_PFLOG) {
7626 bpf_error("ifname supported only on PF linktype");
7629 len = sizeof(((struct pfloghdr *)0)->ifname);
7630 off = offsetof(struct pfloghdr, ifname);
7631 if (strlen(ifname) >= len) {
7632 bpf_error("ifname interface names can only be %d characters",
7636 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7640 /* PF firewall log ruleset name */
7642 gen_pf_ruleset(char *ruleset)
7646 if (linktype != DLT_PFLOG) {
7647 bpf_error("ruleset supported only on PF linktype");
7651 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7652 bpf_error("ruleset names can only be %ld characters",
7653 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7657 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7658 strlen(ruleset), (const u_char *)ruleset);
7662 /* PF firewall log rule number */
7668 if (linktype != DLT_PFLOG) {
7669 bpf_error("rnr supported only on PF linktype");
7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7678 /* PF firewall log sub-rule number */
7680 gen_pf_srnr(int srnr)
7684 if (linktype != DLT_PFLOG) {
7685 bpf_error("srnr supported only on PF linktype");
7689 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7694 /* PF firewall log reason code */
7696 gen_pf_reason(int reason)
7700 if (linktype != DLT_PFLOG) {
7701 bpf_error("reason supported only on PF linktype");
7705 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7710 /* PF firewall log action */
7712 gen_pf_action(int action)
7716 if (linktype != DLT_PFLOG) {
7717 bpf_error("action supported only on PF linktype");
7721 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7725 #else /* !HAVE_NET_PFVAR_H */
7727 gen_pf_ifname(const char *ifname)
7729 bpf_error("libpcap was compiled without pf support");
7735 gen_pf_ruleset(char *ruleset)
7737 bpf_error("libpcap was compiled on a machine without pf support");
7745 bpf_error("libpcap was compiled on a machine without pf support");
7751 gen_pf_srnr(int srnr)
7753 bpf_error("libpcap was compiled on a machine without pf support");
7759 gen_pf_reason(int reason)
7761 bpf_error("libpcap was compiled on a machine without pf support");
7767 gen_pf_action(int action)
7769 bpf_error("libpcap was compiled on a machine without pf support");
7773 #endif /* HAVE_NET_PFVAR_H */
7775 /* IEEE 802.11 wireless header */
7777 gen_p80211_type(int type, int mask)
7783 case DLT_IEEE802_11:
7784 case DLT_PRISM_HEADER:
7785 case DLT_IEEE802_11_RADIO_AVS:
7786 case DLT_IEEE802_11_RADIO:
7787 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7792 bpf_error("802.11 link-layer types supported only on 802.11");
7800 gen_p80211_fcdir(int fcdir)
7806 case DLT_IEEE802_11:
7807 case DLT_PRISM_HEADER:
7808 case DLT_IEEE802_11_RADIO_AVS:
7809 case DLT_IEEE802_11_RADIO:
7813 bpf_error("frame direction supported only with 802.11 headers");
7817 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7818 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7825 register const u_char *eaddr;
7831 case DLT_ARCNET_LINUX:
7832 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7834 return (gen_ahostop(eaddr, (int)q.dir));
7836 bpf_error("ARCnet address used in non-arc expression");
7842 bpf_error("aid supported only on ARCnet");
7845 bpf_error("ARCnet address used in non-arc expression");
7850 static struct block *
7851 gen_ahostop(eaddr, dir)
7852 register const u_char *eaddr;
7855 register struct block *b0, *b1;
7858 /* src comes first, different from Ethernet */
7860 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7863 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7866 b0 = gen_ahostop(eaddr, Q_SRC);
7867 b1 = gen_ahostop(eaddr, Q_DST);
7873 b0 = gen_ahostop(eaddr, Q_SRC);
7874 b1 = gen_ahostop(eaddr, Q_DST);
7879 bpf_error("'addr1' is only supported on 802.11");
7883 bpf_error("'addr2' is only supported on 802.11");
7887 bpf_error("'addr3' is only supported on 802.11");
7891 bpf_error("'addr4' is only supported on 802.11");
7895 bpf_error("'ra' is only supported on 802.11");
7899 bpf_error("'ta' is only supported on 802.11");
7907 * support IEEE 802.1Q VLAN trunk over ethernet
7913 struct block *b0, *b1;
7915 /* can't check for VLAN-encapsulated packets inside MPLS */
7916 if (label_stack_depth > 0)
7917 bpf_error("no VLAN match after MPLS");
7920 * Check for a VLAN packet, and then change the offsets to point
7921 * to the type and data fields within the VLAN packet. Just
7922 * increment the offsets, so that we can support a hierarchy, e.g.
7923 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7926 * XXX - this is a bit of a kludge. If we were to split the
7927 * compiler into a parser that parses an expression and
7928 * generates an expression tree, and a code generator that
7929 * takes an expression tree (which could come from our
7930 * parser or from some other parser) and generates BPF code,
7931 * we could perhaps make the offsets parameters of routines
7932 * and, in the handler for an "AND" node, pass to subnodes
7933 * other than the VLAN node the adjusted offsets.
7935 * This would mean that "vlan" would, instead of changing the
7936 * behavior of *all* tests after it, change only the behavior
7937 * of tests ANDed with it. That would change the documented
7938 * semantics of "vlan", which might break some expressions.
7939 * However, it would mean that "(vlan and ip) or ip" would check
7940 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7941 * checking only for VLAN-encapsulated IP, so that could still
7942 * be considered worth doing; it wouldn't break expressions
7943 * that are of the form "vlan and ..." or "vlan N and ...",
7944 * which I suspect are the most common expressions involving
7945 * "vlan". "vlan or ..." doesn't necessarily do what the user
7946 * would really want, now, as all the "or ..." tests would
7947 * be done assuming a VLAN, even though the "or" could be viewed
7948 * as meaning "or, if this isn't a VLAN packet...".
7955 case DLT_NETANALYZER:
7956 case DLT_NETANALYZER_TRANSPARENT:
7957 /* check for VLAN, including QinQ */
7958 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7959 (bpf_int32)ETHERTYPE_8021Q);
7960 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7961 (bpf_int32)ETHERTYPE_8021QINQ);
7965 /* If a specific VLAN is requested, check VLAN id */
7966 if (vlan_num >= 0) {
7967 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7968 (bpf_int32)vlan_num, 0x0fff);
7982 bpf_error("no VLAN support for data link type %d",
7997 struct block *b0,*b1;
8000 * Change the offsets to point to the type and data fields within
8001 * the MPLS packet. Just increment the offsets, so that we
8002 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8003 * capture packets with an outer label of 100000 and an inner
8006 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8010 if (label_stack_depth > 0) {
8011 /* just match the bottom-of-stack bit clear */
8012 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
8015 * Indicate that we're checking MPLS-encapsulated headers,
8016 * to make sure higher level code generators don't try to
8017 * match against IP-related protocols such as Q_ARP, Q_RARP
8022 case DLT_C_HDLC: /* fall through */
8024 case DLT_NETANALYZER:
8025 case DLT_NETANALYZER_TRANSPARENT:
8026 b0 = gen_linktype(ETHERTYPE_MPLS);
8030 b0 = gen_linktype(PPP_MPLS_UCAST);
8033 /* FIXME add other DLT_s ...
8034 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8035 * leave it for now */
8038 bpf_error("no MPLS support for data link type %d",
8046 /* If a specific MPLS label is requested, check it */
8047 if (label_num >= 0) {
8048 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8049 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8050 0xfffff000); /* only compare the first 20 bits */
8057 label_stack_depth++;
8062 * Support PPPOE discovery and session.
8067 /* check for PPPoE discovery */
8068 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8077 * Test against the PPPoE session link-layer type.
8079 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8082 * Change the offsets to point to the type and data fields within
8083 * the PPP packet, and note that this is PPPoE rather than
8086 * XXX - this is a bit of a kludge. If we were to split the
8087 * compiler into a parser that parses an expression and
8088 * generates an expression tree, and a code generator that
8089 * takes an expression tree (which could come from our
8090 * parser or from some other parser) and generates BPF code,
8091 * we could perhaps make the offsets parameters of routines
8092 * and, in the handler for an "AND" node, pass to subnodes
8093 * other than the PPPoE node the adjusted offsets.
8095 * This would mean that "pppoes" would, instead of changing the
8096 * behavior of *all* tests after it, change only the behavior
8097 * of tests ANDed with it. That would change the documented
8098 * semantics of "pppoes", which might break some expressions.
8099 * However, it would mean that "(pppoes and ip) or ip" would check
8100 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8101 * checking only for VLAN-encapsulated IP, so that could still
8102 * be considered worth doing; it wouldn't break expressions
8103 * that are of the form "pppoes and ..." which I suspect are the
8104 * most common expressions involving "pppoes". "pppoes or ..."
8105 * doesn't necessarily do what the user would really want, now,
8106 * as all the "or ..." tests would be done assuming PPPoE, even
8107 * though the "or" could be viewed as meaning "or, if this isn't
8108 * a PPPoE packet...".
8110 orig_linktype = off_linktype; /* save original values */
8115 * The "network-layer" protocol is PPPoE, which has a 6-byte
8116 * PPPoE header, followed by a PPP packet.
8118 * There is no HDLC encapsulation for the PPP packet (it's
8119 * encapsulated in PPPoES instead), so the link-layer type
8120 * starts at the first byte of the PPP packet. For PPPoE,
8121 * that offset is relative to the beginning of the total
8122 * link-layer payload, including any 802.2 LLC header, so
8123 * it's 6 bytes past off_nl.
8125 off_linktype = off_nl + 6;
8128 * The network-layer offsets are relative to the beginning
8129 * of the MAC-layer payload; that's past the 6-byte
8130 * PPPoE header and the 2-byte PPP header.
8133 off_nl_nosnap = 6+2;
8139 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8151 bpf_error("'vpi' supported only on raw ATM");
8152 if (off_vpi == (u_int)-1)
8154 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8160 bpf_error("'vci' supported only on raw ATM");
8161 if (off_vci == (u_int)-1)
8163 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8168 if (off_proto == (u_int)-1)
8169 abort(); /* XXX - this isn't on FreeBSD */
8170 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8175 if (off_payload == (u_int)-1)
8177 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8178 0xffffffff, jtype, reverse, jvalue);
8183 bpf_error("'callref' supported only on raw ATM");
8184 if (off_proto == (u_int)-1)
8186 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8187 jtype, reverse, jvalue);
8197 gen_atmtype_abbrev(type)
8200 struct block *b0, *b1;
8205 /* Get all packets in Meta signalling Circuit */
8207 bpf_error("'metac' supported only on raw ATM");
8208 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8209 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8214 /* Get all packets in Broadcast Circuit*/
8216 bpf_error("'bcc' supported only on raw ATM");
8217 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8218 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8223 /* Get all cells in Segment OAM F4 circuit*/
8225 bpf_error("'oam4sc' supported only on raw ATM");
8226 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8227 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8232 /* Get all cells in End-to-End OAM F4 Circuit*/
8234 bpf_error("'oam4ec' supported only on raw ATM");
8235 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8236 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8241 /* Get all packets in connection Signalling Circuit */
8243 bpf_error("'sc' supported only on raw ATM");
8244 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8245 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8250 /* Get all packets in ILMI Circuit */
8252 bpf_error("'ilmic' supported only on raw ATM");
8253 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8254 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8259 /* Get all LANE packets */
8261 bpf_error("'lane' supported only on raw ATM");
8262 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8265 * Arrange that all subsequent tests assume LANE
8266 * rather than LLC-encapsulated packets, and set
8267 * the offsets appropriately for LANE-encapsulated
8270 * "off_mac" is the offset of the Ethernet header,
8271 * which is 2 bytes past the ATM pseudo-header
8272 * (skipping the pseudo-header and 2-byte LE Client
8273 * field). The other offsets are Ethernet offsets
8274 * relative to "off_mac".
8277 off_mac = off_payload + 2; /* MAC header */
8278 off_linktype = off_mac + 12;
8279 off_macpl = off_mac + 14; /* Ethernet */
8280 off_nl = 0; /* Ethernet II */
8281 off_nl_nosnap = 3; /* 802.3+802.2 */
8285 /* Get all LLC-encapsulated packets */
8287 bpf_error("'llc' supported only on raw ATM");
8288 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8299 * Filtering for MTP2 messages based on li value
8300 * FISU, length is null
8301 * LSSU, length is 1 or 2
8302 * MSU, length is 3 or more
8305 gen_mtp2type_abbrev(type)
8308 struct block *b0, *b1;
8313 if ( (linktype != DLT_MTP2) &&
8314 (linktype != DLT_ERF) &&
8315 (linktype != DLT_MTP2_WITH_PHDR) )
8316 bpf_error("'fisu' supported only on MTP2");
8317 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8318 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8322 if ( (linktype != DLT_MTP2) &&
8323 (linktype != DLT_ERF) &&
8324 (linktype != DLT_MTP2_WITH_PHDR) )
8325 bpf_error("'lssu' supported only on MTP2");
8326 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8327 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8332 if ( (linktype != DLT_MTP2) &&
8333 (linktype != DLT_ERF) &&
8334 (linktype != DLT_MTP2_WITH_PHDR) )
8335 bpf_error("'msu' supported only on MTP2");
8336 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8346 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8353 bpf_u_int32 val1 , val2 , val3;
8355 switch (mtp3field) {
8358 if (off_sio == (u_int)-1)
8359 bpf_error("'sio' supported only on SS7");
8360 /* sio coded on 1 byte so max value 255 */
8362 bpf_error("sio value %u too big; max value = 255",
8364 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8365 (u_int)jtype, reverse, (u_int)jvalue);
8369 if (off_opc == (u_int)-1)
8370 bpf_error("'opc' supported only on SS7");
8371 /* opc coded on 14 bits so max value 16383 */
8373 bpf_error("opc value %u too big; max value = 16383",
8375 /* the following instructions are made to convert jvalue
8376 * to the form used to write opc in an ss7 message*/
8377 val1 = jvalue & 0x00003c00;
8379 val2 = jvalue & 0x000003fc;
8381 val3 = jvalue & 0x00000003;
8383 jvalue = val1 + val2 + val3;
8384 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8385 (u_int)jtype, reverse, (u_int)jvalue);
8389 if (off_dpc == (u_int)-1)
8390 bpf_error("'dpc' supported only on SS7");
8391 /* dpc coded on 14 bits so max value 16383 */
8393 bpf_error("dpc value %u too big; max value = 16383",
8395 /* the following instructions are made to convert jvalue
8396 * to the forme used to write dpc in an ss7 message*/
8397 val1 = jvalue & 0x000000ff;
8399 val2 = jvalue & 0x00003f00;
8401 jvalue = val1 + val2;
8402 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8403 (u_int)jtype, reverse, (u_int)jvalue);
8407 if (off_sls == (u_int)-1)
8408 bpf_error("'sls' supported only on SS7");
8409 /* sls coded on 4 bits so max value 15 */
8411 bpf_error("sls value %u too big; max value = 15",
8413 /* the following instruction is made to convert jvalue
8414 * to the forme used to write sls in an ss7 message*/
8415 jvalue = jvalue << 4;
8416 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8417 (u_int)jtype,reverse, (u_int)jvalue);
8426 static struct block *
8427 gen_msg_abbrev(type)
8433 * Q.2931 signalling protocol messages for handling virtual circuits
8434 * establishment and teardown
8439 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8443 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8447 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8451 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8455 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8458 case A_RELEASE_DONE:
8459 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8469 gen_atmmulti_abbrev(type)
8472 struct block *b0, *b1;
8478 bpf_error("'oam' supported only on raw ATM");
8479 b1 = gen_atmmulti_abbrev(A_OAMF4);
8484 bpf_error("'oamf4' supported only on raw ATM");
8486 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8487 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8489 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8495 * Get Q.2931 signalling messages for switched
8496 * virtual connection
8499 bpf_error("'connectmsg' supported only on raw ATM");
8500 b0 = gen_msg_abbrev(A_SETUP);
8501 b1 = gen_msg_abbrev(A_CALLPROCEED);
8503 b0 = gen_msg_abbrev(A_CONNECT);
8505 b0 = gen_msg_abbrev(A_CONNECTACK);
8507 b0 = gen_msg_abbrev(A_RELEASE);
8509 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8511 b0 = gen_atmtype_abbrev(A_SC);
8517 bpf_error("'metaconnect' supported only on raw ATM");
8518 b0 = gen_msg_abbrev(A_SETUP);
8519 b1 = gen_msg_abbrev(A_CALLPROCEED);
8521 b0 = gen_msg_abbrev(A_CONNECT);
8523 b0 = gen_msg_abbrev(A_RELEASE);
8525 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8527 b0 = gen_atmtype_abbrev(A_METAC);
tuxillo's projects / dragonfly.git / blob