1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
30 #include <pcap-stdinc.h>
37 #ifdef HAVE_SYS_BITYPES_H
38 #include <sys/bitypes.h>
40 #include <sys/types.h>
41 #include <sys/socket.h>
47 #include <sys/param.h>
50 #include <netinet/in.h>
51 #include <arpa/inet.h>
67 #include "ethertype.h"
71 #include "ieee80211.h"
73 #include "sunatmpos.h"
76 #include "pcap/ipnet.h"
82 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
83 #include <linux/types.h>
84 #include <linux/if_packet.h>
85 #include <linux/filter.h>
88 #ifdef HAVE_NET_PFVAR_H
89 #include <sys/socket.h>
91 #include <net/pfvar.h>
92 #include <net/if_pflog.h>
96 #define offsetof(s, e) ((size_t)&((s *)0)->e)
101 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
107 u_int8_t u6_addr8[16];
108 u_int16_t u6_addr16[8];
109 u_int32_t u6_addr32[4];
111 #define s6_addr in6_u.u6_addr8
112 #define s6_addr16 in6_u.u6_addr16
113 #define s6_addr32 in6_u.u6_addr32
114 #define s6_addr64 in6_u.u6_addr64
117 typedef unsigned short sa_family_t;
119 #define __SOCKADDR_COMMON(sa_prefix) \
120 sa_family_t sa_prefix##family
122 /* Ditto, for IPv6. */
125 __SOCKADDR_COMMON (sin6_);
126 u_int16_t sin6_port; /* Transport layer port # */
127 u_int32_t sin6_flowinfo; /* IPv6 flow information */
128 struct in6_addr sin6_addr; /* IPv6 address */
131 #ifndef EAI_ADDRFAMILY
133 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
134 int ai_family; /* PF_xxx */
135 int ai_socktype; /* SOCK_xxx */
136 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
137 size_t ai_addrlen; /* length of ai_addr */
138 char *ai_canonname; /* canonical name for hostname */
139 struct sockaddr *ai_addr; /* binary address */
140 struct addrinfo *ai_next; /* next structure in linked list */
142 #endif /* EAI_ADDRFAMILY */
143 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
145 #include <netdb.h> /* for "struct addrinfo" */
148 #include <pcap/namedb.h>
150 #include "nametoaddr.h"
152 #define ETHERMTU 1500
154 #ifndef ETHERTYPE_TEB
155 #define ETHERTYPE_TEB 0x6558
158 #ifndef IPPROTO_HOPOPTS
159 #define IPPROTO_HOPOPTS 0
161 #ifndef IPPROTO_ROUTING
162 #define IPPROTO_ROUTING 43
164 #ifndef IPPROTO_FRAGMENT
165 #define IPPROTO_FRAGMENT 44
167 #ifndef IPPROTO_DSTOPTS
168 #define IPPROTO_DSTOPTS 60
171 #define IPPROTO_SCTP 132
174 #define GENEVE_PORT 6081
176 #ifdef HAVE_OS_PROTO_H
177 #include "os-proto.h"
180 #define JMP(c) ((c)|BPF_JMP|BPF_K)
183 * "Push" the current value of the link-layer header type and link-layer
184 * header offset onto a "stack", and set a new value. (It's not a
185 * full-blown stack; we keep only the top two items.)
187 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
189 (cs)->prevlinktype = (cs)->linktype; \
190 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
191 (cs)->linktype = (new_linktype); \
192 (cs)->off_linkhdr.is_variable = (new_is_variable); \
193 (cs)->off_linkhdr.constant_part = (new_constant_part); \
194 (cs)->off_linkhdr.reg = (new_reg); \
195 (cs)->is_geneve = 0; \
199 * Offset "not set" value.
201 #define OFFSET_NOT_SET 0xffffffffU
204 * Absolute offsets, which are offsets from the beginning of the raw
205 * packet data, are, in the general case, the sum of a variable value
206 * and a constant value; the variable value may be absent, in which
207 * case the offset is only the constant value, and the constant value
208 * may be zero, in which case the offset is only the variable value.
210 * bpf_abs_offset is a structure containing all that information:
212 * is_variable is 1 if there's a variable part.
214 * constant_part is the constant part of the value, possibly zero;
216 * if is_variable is 1, reg is the register number for a register
217 * containing the variable value if the register has been assigned,
227 * Value passed to gen_load_a() to indicate what the offset argument
228 * is relative to the beginning of.
231 OR_PACKET, /* full packet data */
232 OR_LINKHDR, /* link-layer header */
233 OR_PREVLINKHDR, /* previous link-layer header */
234 OR_LLC, /* 802.2 LLC header */
235 OR_PREVMPLSHDR, /* previous MPLS header */
236 OR_LINKTYPE, /* link-layer type */
237 OR_LINKPL, /* link-layer payload */
238 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
239 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
240 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
244 * We divy out chunks of memory rather than call malloc each time so
245 * we don't have to worry about leaking memory. It's probably
246 * not a big deal if all this memory was wasted but if this ever
247 * goes into a library that would probably not be a good idea.
249 * XXX - this *is* in a library....
252 #define CHUNK0SIZE 1024
258 /* Code generator state */
260 struct _compiler_state {
270 int outermostlinktype;
275 /* Hack for handling VLAN and MPLS stacks. */
276 u_int label_stack_depth;
277 u_int vlan_stack_depth;
284 * As errors are handled by a longjmp, anything allocated must
285 * be freed in the longjmp handler, so it must be reachable
288 * One thing that's allocated is the result of pcap_nametoaddrinfo();
289 * it must be freed with freeaddrinfo(). This variable points to
290 * any addrinfo structure that would need to be freed.
296 * Various code constructs need to know the layout of the packet.
297 * These values give the necessary offsets from the beginning
298 * of the packet data.
302 * Absolute offset of the beginning of the link-layer header.
304 bpf_abs_offset off_linkhdr;
307 * If we're checking a link-layer header for a packet encapsulated
308 * in another protocol layer, this is the equivalent information
309 * for the previous layers' link-layer header from the beginning
310 * of the raw packet data.
312 bpf_abs_offset off_prevlinkhdr;
315 * This is the equivalent information for the outermost layers'
318 bpf_abs_offset off_outermostlinkhdr;
321 * Absolute offset of the beginning of the link-layer payload.
323 bpf_abs_offset off_linkpl;
326 * "off_linktype" is the offset to information in the link-layer
327 * header giving the packet type. This is an absolute offset
328 * from the beginning of the packet.
330 * For Ethernet, it's the offset of the Ethernet type field; this
331 * means that it must have a value that skips VLAN tags.
333 * For link-layer types that always use 802.2 headers, it's the
334 * offset of the LLC header; this means that it must have a value
335 * that skips VLAN tags.
337 * For PPP, it's the offset of the PPP type field.
339 * For Cisco HDLC, it's the offset of the CHDLC type field.
341 * For BSD loopback, it's the offset of the AF_ value.
343 * For Linux cooked sockets, it's the offset of the type field.
345 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
346 * encapsulation, in which case, IP is assumed.
348 bpf_abs_offset off_linktype;
351 * TRUE if the link layer includes an ATM pseudo-header.
356 * TRUE if "geneve" appeared in the filter; it causes us to
357 * generate code that checks for a Geneve header and assume
358 * that later filters apply to the encapsulated payload.
363 * These are offsets for the ATM pseudo-header.
370 * These are offsets for the MTP2 fields.
376 * These are offsets for the MTP3 fields.
384 * This is the offset of the first byte after the ATM pseudo_header,
385 * or -1 if there is no ATM pseudo-header.
390 * These are offsets to the beginning of the network-layer header.
391 * They are relative to the beginning of the link-layer payload
392 * (i.e., they don't include off_linkhdr.constant_part or
393 * off_linkpl.constant_part).
395 * If the link layer never uses 802.2 LLC:
397 * "off_nl" and "off_nl_nosnap" are the same.
399 * If the link layer always uses 802.2 LLC:
401 * "off_nl" is the offset if there's a SNAP header following
404 * "off_nl_nosnap" is the offset if there's no SNAP header.
406 * If the link layer is Ethernet:
408 * "off_nl" is the offset if the packet is an Ethernet II packet
409 * (we assume no 802.3+802.2+SNAP);
411 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
412 * with an 802.2 header following it.
418 * Here we handle simple allocation of the scratch registers.
419 * If too many registers are alloc'd, the allocator punts.
421 int regused[BPF_MEMWORDS];
427 struct chunk chunks[NCHUNKS];
432 bpf_syntax_error(compiler_state_t *cstate, const char *msg)
434 bpf_error(cstate, "syntax error in filter expression: %s", msg);
440 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
445 if (cstate->bpf_pcap != NULL)
446 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap),
447 PCAP_ERRBUF_SIZE, fmt, ap);
449 longjmp(cstate->top_ctx, 1);
453 static void init_linktype(compiler_state_t *, pcap_t *);
455 static void init_regs(compiler_state_t *);
456 static int alloc_reg(compiler_state_t *);
457 static void free_reg(compiler_state_t *, int);
459 static void initchunks(compiler_state_t *cstate);
460 static void *newchunk(compiler_state_t *cstate, size_t);
461 static void freechunks(compiler_state_t *cstate);
462 static inline struct block *new_block(compiler_state_t *cstate, int);
463 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
464 static struct block *gen_retblk(compiler_state_t *cstate, int);
465 static inline void syntax(compiler_state_t *cstate);
467 static void backpatch(struct block *, struct block *);
468 static void merge(struct block *, struct block *);
469 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
471 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
473 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
475 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
477 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
479 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
480 u_int, bpf_int32, bpf_u_int32);
481 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
482 u_int, const u_char *);
483 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32,
484 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32);
485 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
487 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
489 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
490 static struct block *gen_uncond(compiler_state_t *, int);
491 static inline struct block *gen_true(compiler_state_t *);
492 static inline struct block *gen_false(compiler_state_t *);
493 static struct block *gen_ether_linktype(compiler_state_t *, int);
494 static struct block *gen_ipnet_linktype(compiler_state_t *, int);
495 static struct block *gen_linux_sll_linktype(compiler_state_t *, int);
496 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
497 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
498 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
499 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
500 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
501 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
503 static int ethertype_to_ppptype(int);
504 static struct block *gen_linktype(compiler_state_t *, int);
505 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
506 static struct block *gen_llc_linktype(compiler_state_t *, int);
507 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
508 int, int, u_int, u_int);
510 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
511 struct in6_addr *, int, int, u_int, u_int);
513 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
514 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
515 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
516 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
517 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
518 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
519 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
520 static struct block *gen_mpls_linktype(compiler_state_t *, int);
521 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
524 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
525 struct in6_addr *, int, int, int);
528 static struct block *gen_gateway(compiler_state_t *, const u_char *,
529 bpf_u_int32 **, int, int);
531 static struct block *gen_ipfrag(compiler_state_t *);
532 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
533 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32,
535 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32);
536 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32,
538 struct block *gen_portop(compiler_state_t *, int, int, int);
539 static struct block *gen_port(compiler_state_t *, int, int, int);
540 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int);
541 static struct block *gen_portrange(compiler_state_t *, int, int, int, int);
542 struct block *gen_portop6(compiler_state_t *, int, int, int);
543 static struct block *gen_port6(compiler_state_t *, int, int, int);
544 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int);
545 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int);
546 static int lookup_proto(compiler_state_t *, const char *, int);
547 static struct block *gen_protochain(compiler_state_t *, int, int, int);
548 static struct block *gen_proto(compiler_state_t *, int, int, int);
549 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
550 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
551 static struct block *gen_mac_multicast(compiler_state_t *, int);
552 static struct block *gen_len(compiler_state_t *, int, int);
553 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
554 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
556 static struct block *gen_ppi_dlt_check(compiler_state_t *);
557 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
560 initchunks(compiler_state_t *cstate)
564 for (i = 0; i < NCHUNKS; i++) {
565 cstate->chunks[i].n_left = 0;
566 cstate->chunks[i].m = NULL;
568 cstate->cur_chunk = 0;
572 newchunk(compiler_state_t *cstate, size_t n)
579 /* XXX Round up to nearest long. */
580 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
582 /* XXX Round up to structure boundary. */
586 cp = &cstate->chunks[cstate->cur_chunk];
587 if (n > cp->n_left) {
588 ++cp, k = ++cstate->cur_chunk;
590 bpf_error(cstate, "out of memory");
591 size = CHUNK0SIZE << k;
592 cp->m = (void *)malloc(size);
594 bpf_error(cstate, "out of memory");
595 memset((char *)cp->m, 0, size);
598 bpf_error(cstate, "out of memory");
601 return (void *)((char *)cp->m + cp->n_left);
605 freechunks(compiler_state_t *cstate)
609 for (i = 0; i < NCHUNKS; ++i)
610 if (cstate->chunks[i].m != NULL)
611 free(cstate->chunks[i].m);
615 * A strdup whose allocations are freed after code generation is over.
618 sdup(compiler_state_t *cstate, const char *s)
620 size_t n = strlen(s) + 1;
621 char *cp = newchunk(cstate, n);
627 static inline struct block *
628 new_block(compiler_state_t *cstate, int code)
632 p = (struct block *)newchunk(cstate, sizeof(*p));
639 static inline struct slist *
640 new_stmt(compiler_state_t *cstate, int code)
644 p = (struct slist *)newchunk(cstate, sizeof(*p));
650 static struct block *
651 gen_retblk(compiler_state_t *cstate, int v)
653 struct block *b = new_block(cstate, BPF_RET|BPF_K);
660 syntax(compiler_state_t *cstate)
662 bpf_error(cstate, "syntax error in filter expression");
666 pcap_compile(pcap_t *p, struct bpf_program *program,
667 const char *buf, int optimize, bpf_u_int32 mask)
669 compiler_state_t cstate;
670 const char * volatile xbuf = buf;
671 yyscan_t scanner = NULL;
672 YY_BUFFER_STATE in_buffer = NULL;
685 * If this pcap_t hasn't been activated, it doesn't have a
686 * link-layer type, so we can't use it.
689 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
690 "not-yet-activated pcap_t passed to pcap_compile");
695 cstate.no_optimize = 0;
699 cstate.ic.root = NULL;
700 cstate.ic.cur_mark = 0;
704 if (setjmp(cstate.top_ctx)) {
706 if (cstate.ai != NULL)
707 freeaddrinfo(cstate.ai);
713 cstate.netmask = mask;
715 cstate.snaplen = pcap_snapshot(p);
716 if (cstate.snaplen == 0) {
717 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
718 "snaplen of 0 rejects all packets");
723 if (pcap_lex_init(&scanner) != 0)
724 bpf_error(&cstate, "can't initialize scanner: %s", pcap_strerror(errno));
725 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
728 * Associate the compiler state with the lexical analyzer
731 pcap_set_extra(&cstate, scanner);
733 init_linktype(&cstate, p);
734 (void)pcap_parse(scanner, &cstate);
736 if (cstate.ic.root == NULL)
737 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
739 if (optimize && !cstate.no_optimize) {
740 bpf_optimize(&cstate, &cstate.ic);
741 if (cstate.ic.root == NULL ||
742 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0))
743 bpf_error(&cstate, "expression rejects all packets");
745 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len);
746 program->bf_len = len;
748 rc = 0; /* We're all okay */
752 * Clean up everything for the lexical analyzer.
754 if (in_buffer != NULL)
755 pcap__delete_buffer(in_buffer, scanner);
757 pcap_lex_destroy(scanner);
760 * Clean up our own allocated memory.
768 * entry point for using the compiler with no pcap open
769 * pass in all the stuff that is needed explicitly instead.
772 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
773 struct bpf_program *program,
774 const char *buf, int optimize, bpf_u_int32 mask)
779 p = pcap_open_dead(linktype_arg, snaplen_arg);
782 ret = pcap_compile(p, program, buf, optimize, mask);
788 * Clean up a "struct bpf_program" by freeing all the memory allocated
792 pcap_freecode(struct bpf_program *program)
795 if (program->bf_insns != NULL) {
796 free((char *)program->bf_insns);
797 program->bf_insns = NULL;
802 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
803 * which of the jt and jf fields has been resolved and which is a pointer
804 * back to another unresolved block (or nil). At least one of the fields
805 * in each block is already resolved.
808 backpatch(list, target)
809 struct block *list, *target;
826 * Merge the lists in b0 and b1, using the 'sense' field to indicate
827 * which of jt and jf is the link.
831 struct block *b0, *b1;
833 register struct block **p = &b0;
835 /* Find end of list. */
837 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
839 /* Concatenate the lists. */
844 finish_parse(compiler_state_t *cstate, struct block *p)
846 struct block *ppi_dlt_check;
849 * Insert before the statements of the first (root) block any
850 * statements needed to load the lengths of any variable-length
851 * headers into registers.
853 * XXX - a fancier strategy would be to insert those before the
854 * statements of all blocks that use those lengths and that
855 * have no predecessors that use them, so that we only compute
856 * the lengths if we need them. There might be even better
857 * approaches than that.
859 * However, those strategies would be more complicated, and
860 * as we don't generate code to compute a length if the
861 * program has no tests that use the length, and as most
862 * tests will probably use those lengths, we would just
863 * postpone computing the lengths so that it's not done
864 * for tests that fail early, and it's not clear that's
867 insert_compute_vloffsets(cstate, p->head);
870 * For DLT_PPI captures, generate a check of the per-packet
871 * DLT value to make sure it's DLT_IEEE802_11.
873 * XXX - TurboCap cards use DLT_PPI for Ethernet.
874 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
875 * with appropriate Ethernet information and use that rather
876 * than using something such as DLT_PPI where you don't know
877 * the link-layer header type until runtime, which, in the
878 * general case, would force us to generate both Ethernet *and*
879 * 802.11 code (*and* anything else for which PPI is used)
880 * and choose between them early in the BPF program?
882 ppi_dlt_check = gen_ppi_dlt_check(cstate);
883 if (ppi_dlt_check != NULL)
884 gen_and(ppi_dlt_check, p);
886 backpatch(p, gen_retblk(cstate, cstate->snaplen));
887 p->sense = !p->sense;
888 backpatch(p, gen_retblk(cstate, 0));
889 cstate->ic.root = p->head;
894 struct block *b0, *b1;
896 backpatch(b0, b1->head);
897 b0->sense = !b0->sense;
898 b1->sense = !b1->sense;
900 b1->sense = !b1->sense;
906 struct block *b0, *b1;
908 b0->sense = !b0->sense;
909 backpatch(b0, b1->head);
910 b0->sense = !b0->sense;
919 b->sense = !b->sense;
922 static struct block *
923 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
924 u_int size, bpf_int32 v)
926 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
929 static struct block *
930 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
931 u_int size, bpf_int32 v)
933 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
936 static struct block *
937 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
938 u_int size, bpf_int32 v)
940 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
943 static struct block *
944 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
945 u_int size, bpf_int32 v)
947 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
950 static struct block *
951 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
952 u_int size, bpf_int32 v)
954 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
957 static struct block *
958 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
959 u_int size, bpf_int32 v, bpf_u_int32 mask)
961 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
964 static struct block *
965 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
966 u_int size, const u_char *v)
968 register struct block *b, *tmp;
972 register const u_char *p = &v[size - 4];
973 bpf_int32 w = ((bpf_int32)p[0] << 24) |
974 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
976 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w);
983 register const u_char *p = &v[size - 2];
984 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
986 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w);
993 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]);
1002 * AND the field of size "size" at offset "offset" relative to the header
1003 * specified by "offrel" with "mask", and compare it with the value "v"
1004 * with the test specified by "jtype"; if "reverse" is true, the test
1005 * should test the opposite of "jtype".
1007 static struct block *
1008 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset,
1009 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse,
1012 struct slist *s, *s2;
1015 s = gen_load_a(cstate, offrel, offset, size);
1017 if (mask != 0xffffffff) {
1018 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1023 b = new_block(cstate, JMP(jtype));
1026 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1032 init_linktype(compiler_state_t *cstate, pcap_t *p)
1034 cstate->pcap_fddipad = p->fddipad;
1037 * We start out with only one link-layer header.
1039 cstate->outermostlinktype = pcap_datalink(p);
1040 cstate->off_outermostlinkhdr.constant_part = 0;
1041 cstate->off_outermostlinkhdr.is_variable = 0;
1042 cstate->off_outermostlinkhdr.reg = -1;
1044 cstate->prevlinktype = cstate->outermostlinktype;
1045 cstate->off_prevlinkhdr.constant_part = 0;
1046 cstate->off_prevlinkhdr.is_variable = 0;
1047 cstate->off_prevlinkhdr.reg = -1;
1049 cstate->linktype = cstate->outermostlinktype;
1050 cstate->off_linkhdr.constant_part = 0;
1051 cstate->off_linkhdr.is_variable = 0;
1052 cstate->off_linkhdr.reg = -1;
1057 cstate->off_linkpl.constant_part = 0;
1058 cstate->off_linkpl.is_variable = 0;
1059 cstate->off_linkpl.reg = -1;
1061 cstate->off_linktype.constant_part = 0;
1062 cstate->off_linktype.is_variable = 0;
1063 cstate->off_linktype.reg = -1;
1066 * Assume it's not raw ATM with a pseudo-header, for now.
1069 cstate->off_vpi = -1;
1070 cstate->off_vci = -1;
1071 cstate->off_proto = -1;
1072 cstate->off_payload = -1;
1077 cstate->is_geneve = 0;
1080 * And assume we're not doing SS7.
1082 cstate->off_li = -1;
1083 cstate->off_li_hsl = -1;
1084 cstate->off_sio = -1;
1085 cstate->off_opc = -1;
1086 cstate->off_dpc = -1;
1087 cstate->off_sls = -1;
1089 cstate->label_stack_depth = 0;
1090 cstate->vlan_stack_depth = 0;
1092 switch (cstate->linktype) {
1095 cstate->off_linktype.constant_part = 2;
1096 cstate->off_linkpl.constant_part = 6;
1097 cstate->off_nl = 0; /* XXX in reality, variable! */
1098 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1101 case DLT_ARCNET_LINUX:
1102 cstate->off_linktype.constant_part = 4;
1103 cstate->off_linkpl.constant_part = 8;
1104 cstate->off_nl = 0; /* XXX in reality, variable! */
1105 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1109 cstate->off_linktype.constant_part = 12;
1110 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1111 cstate->off_nl = 0; /* Ethernet II */
1112 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1117 * SLIP doesn't have a link level type. The 16 byte
1118 * header is hacked into our SLIP driver.
1120 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1121 cstate->off_linkpl.constant_part = 16;
1123 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1126 case DLT_SLIP_BSDOS:
1127 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1128 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1130 cstate->off_linkpl.constant_part = 24;
1132 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1137 cstate->off_linktype.constant_part = 0;
1138 cstate->off_linkpl.constant_part = 4;
1140 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1144 cstate->off_linktype.constant_part = 0;
1145 cstate->off_linkpl.constant_part = 12;
1147 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1152 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1153 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1154 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1155 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1157 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1162 * This does no include the Ethernet header, and
1163 * only covers session state.
1165 cstate->off_linktype.constant_part = 6;
1166 cstate->off_linkpl.constant_part = 8;
1168 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1172 cstate->off_linktype.constant_part = 5;
1173 cstate->off_linkpl.constant_part = 24;
1175 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1180 * FDDI doesn't really have a link-level type field.
1181 * We set "off_linktype" to the offset of the LLC header.
1183 * To check for Ethernet types, we assume that SSAP = SNAP
1184 * is being used and pick out the encapsulated Ethernet type.
1185 * XXX - should we generate code to check for SNAP?
1187 cstate->off_linktype.constant_part = 13;
1188 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1189 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1190 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1191 cstate->off_nl = 8; /* 802.2+SNAP */
1192 cstate->off_nl_nosnap = 3; /* 802.2 */
1197 * Token Ring doesn't really have a link-level type field.
1198 * We set "off_linktype" to the offset of the LLC header.
1200 * To check for Ethernet types, we assume that SSAP = SNAP
1201 * is being used and pick out the encapsulated Ethernet type.
1202 * XXX - should we generate code to check for SNAP?
1204 * XXX - the header is actually variable-length.
1205 * Some various Linux patched versions gave 38
1206 * as "off_linktype" and 40 as "off_nl"; however,
1207 * if a token ring packet has *no* routing
1208 * information, i.e. is not source-routed, the correct
1209 * values are 20 and 22, as they are in the vanilla code.
1211 * A packet is source-routed iff the uppermost bit
1212 * of the first byte of the source address, at an
1213 * offset of 8, has the uppermost bit set. If the
1214 * packet is source-routed, the total number of bytes
1215 * of routing information is 2 plus bits 0x1F00 of
1216 * the 16-bit value at an offset of 14 (shifted right
1217 * 8 - figure out which byte that is).
1219 cstate->off_linktype.constant_part = 14;
1220 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1221 cstate->off_nl = 8; /* 802.2+SNAP */
1222 cstate->off_nl_nosnap = 3; /* 802.2 */
1225 case DLT_PRISM_HEADER:
1226 case DLT_IEEE802_11_RADIO_AVS:
1227 case DLT_IEEE802_11_RADIO:
1228 cstate->off_linkhdr.is_variable = 1;
1229 /* Fall through, 802.11 doesn't have a variable link
1230 * prefix but is otherwise the same. */
1232 case DLT_IEEE802_11:
1234 * 802.11 doesn't really have a link-level type field.
1235 * We set "off_linktype.constant_part" to the offset of
1238 * To check for Ethernet types, we assume that SSAP = SNAP
1239 * is being used and pick out the encapsulated Ethernet type.
1240 * XXX - should we generate code to check for SNAP?
1242 * We also handle variable-length radio headers here.
1243 * The Prism header is in theory variable-length, but in
1244 * practice it's always 144 bytes long. However, some
1245 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1246 * sometimes or always supply an AVS header, so we
1247 * have to check whether the radio header is a Prism
1248 * header or an AVS header, so, in practice, it's
1251 cstate->off_linktype.constant_part = 24;
1252 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1253 cstate->off_linkpl.is_variable = 1;
1254 cstate->off_nl = 8; /* 802.2+SNAP */
1255 cstate->off_nl_nosnap = 3; /* 802.2 */
1260 * At the moment we treat PPI the same way that we treat
1261 * normal Radiotap encoded packets. The difference is in
1262 * the function that generates the code at the beginning
1263 * to compute the header length. Since this code generator
1264 * of PPI supports bare 802.11 encapsulation only (i.e.
1265 * the encapsulated DLT should be DLT_IEEE802_11) we
1266 * generate code to check for this too.
1268 cstate->off_linktype.constant_part = 24;
1269 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1270 cstate->off_linkpl.is_variable = 1;
1271 cstate->off_linkhdr.is_variable = 1;
1272 cstate->off_nl = 8; /* 802.2+SNAP */
1273 cstate->off_nl_nosnap = 3; /* 802.2 */
1276 case DLT_ATM_RFC1483:
1277 case DLT_ATM_CLIP: /* Linux ATM defines this */
1279 * assume routed, non-ISO PDUs
1280 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1282 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1283 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1284 * latter would presumably be treated the way PPPoE
1285 * should be, so you can do "pppoe and udp port 2049"
1286 * or "pppoa and tcp port 80" and have it check for
1287 * PPPo{A,E} and a PPP protocol of IP and....
1289 cstate->off_linktype.constant_part = 0;
1290 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1291 cstate->off_nl = 8; /* 802.2+SNAP */
1292 cstate->off_nl_nosnap = 3; /* 802.2 */
1297 * Full Frontal ATM; you get AALn PDUs with an ATM
1301 cstate->off_vpi = SUNATM_VPI_POS;
1302 cstate->off_vci = SUNATM_VCI_POS;
1303 cstate->off_proto = PROTO_POS;
1304 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1305 cstate->off_linktype.constant_part = cstate->off_payload;
1306 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1307 cstate->off_nl = 8; /* 802.2+SNAP */
1308 cstate->off_nl_nosnap = 3; /* 802.2 */
1314 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1315 cstate->off_linkpl.constant_part = 0;
1317 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1320 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1321 cstate->off_linktype.constant_part = 14;
1322 cstate->off_linkpl.constant_part = 16;
1324 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1329 * LocalTalk does have a 1-byte type field in the LLAP header,
1330 * but really it just indicates whether there is a "short" or
1331 * "long" DDP packet following.
1333 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1334 cstate->off_linkpl.constant_part = 0;
1336 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1339 case DLT_IP_OVER_FC:
1341 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1342 * link-level type field. We set "off_linktype" to the
1343 * offset of the LLC header.
1345 * To check for Ethernet types, we assume that SSAP = SNAP
1346 * is being used and pick out the encapsulated Ethernet type.
1347 * XXX - should we generate code to check for SNAP? RFC
1348 * 2625 says SNAP should be used.
1350 cstate->off_linktype.constant_part = 16;
1351 cstate->off_linkpl.constant_part = 16;
1352 cstate->off_nl = 8; /* 802.2+SNAP */
1353 cstate->off_nl_nosnap = 3; /* 802.2 */
1358 * XXX - we should set this to handle SNAP-encapsulated
1359 * frames (NLPID of 0x80).
1361 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1362 cstate->off_linkpl.constant_part = 0;
1364 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1368 * the only BPF-interesting FRF.16 frames are non-control frames;
1369 * Frame Relay has a variable length link-layer
1370 * so lets start with offset 4 for now and increments later on (FIXME);
1373 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1374 cstate->off_linkpl.constant_part = 0;
1376 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1379 case DLT_APPLE_IP_OVER_IEEE1394:
1380 cstate->off_linktype.constant_part = 16;
1381 cstate->off_linkpl.constant_part = 18;
1383 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1386 case DLT_SYMANTEC_FIREWALL:
1387 cstate->off_linktype.constant_part = 6;
1388 cstate->off_linkpl.constant_part = 44;
1389 cstate->off_nl = 0; /* Ethernet II */
1390 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1393 #ifdef HAVE_NET_PFVAR_H
1395 cstate->off_linktype.constant_part = 0;
1396 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1398 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1402 case DLT_JUNIPER_MFR:
1403 case DLT_JUNIPER_MLFR:
1404 case DLT_JUNIPER_MLPPP:
1405 case DLT_JUNIPER_PPP:
1406 case DLT_JUNIPER_CHDLC:
1407 case DLT_JUNIPER_FRELAY:
1408 cstate->off_linktype.constant_part = 4;
1409 cstate->off_linkpl.constant_part = 4;
1411 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1414 case DLT_JUNIPER_ATM1:
1415 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1416 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1418 cstate->off_nl_nosnap = 10;
1421 case DLT_JUNIPER_ATM2:
1422 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1423 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1425 cstate->off_nl_nosnap = 10;
1428 /* frames captured on a Juniper PPPoE service PIC
1429 * contain raw ethernet frames */
1430 case DLT_JUNIPER_PPPOE:
1431 case DLT_JUNIPER_ETHER:
1432 cstate->off_linkpl.constant_part = 14;
1433 cstate->off_linktype.constant_part = 16;
1434 cstate->off_nl = 18; /* Ethernet II */
1435 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1438 case DLT_JUNIPER_PPPOE_ATM:
1439 cstate->off_linktype.constant_part = 4;
1440 cstate->off_linkpl.constant_part = 6;
1442 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1445 case DLT_JUNIPER_GGSN:
1446 cstate->off_linktype.constant_part = 6;
1447 cstate->off_linkpl.constant_part = 12;
1449 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1452 case DLT_JUNIPER_ES:
1453 cstate->off_linktype.constant_part = 6;
1454 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1455 cstate->off_nl = -1; /* not really a network layer but raw IP addresses */
1456 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1459 case DLT_JUNIPER_MONITOR:
1460 cstate->off_linktype.constant_part = 12;
1461 cstate->off_linkpl.constant_part = 12;
1462 cstate->off_nl = 0; /* raw IP/IP6 header */
1463 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1466 case DLT_BACNET_MS_TP:
1467 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1468 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1469 cstate->off_nl = -1;
1470 cstate->off_nl_nosnap = -1;
1473 case DLT_JUNIPER_SERVICES:
1474 cstate->off_linktype.constant_part = 12;
1475 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1476 cstate->off_nl = -1; /* L3 proto location dep. on cookie type */
1477 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1480 case DLT_JUNIPER_VP:
1481 cstate->off_linktype.constant_part = 18;
1482 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1483 cstate->off_nl = -1;
1484 cstate->off_nl_nosnap = -1;
1487 case DLT_JUNIPER_ST:
1488 cstate->off_linktype.constant_part = 18;
1489 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1490 cstate->off_nl = -1;
1491 cstate->off_nl_nosnap = -1;
1494 case DLT_JUNIPER_ISM:
1495 cstate->off_linktype.constant_part = 8;
1496 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1497 cstate->off_nl = -1;
1498 cstate->off_nl_nosnap = -1;
1501 case DLT_JUNIPER_VS:
1502 case DLT_JUNIPER_SRX_E2E:
1503 case DLT_JUNIPER_FIBRECHANNEL:
1504 case DLT_JUNIPER_ATM_CEMIC:
1505 cstate->off_linktype.constant_part = 8;
1506 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1507 cstate->off_nl = -1;
1508 cstate->off_nl_nosnap = -1;
1513 cstate->off_li_hsl = 4;
1514 cstate->off_sio = 3;
1515 cstate->off_opc = 4;
1516 cstate->off_dpc = 4;
1517 cstate->off_sls = 7;
1518 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1519 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1520 cstate->off_nl = -1;
1521 cstate->off_nl_nosnap = -1;
1524 case DLT_MTP2_WITH_PHDR:
1526 cstate->off_li_hsl = 8;
1527 cstate->off_sio = 7;
1528 cstate->off_opc = 8;
1529 cstate->off_dpc = 8;
1530 cstate->off_sls = 11;
1531 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1532 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1533 cstate->off_nl = -1;
1534 cstate->off_nl_nosnap = -1;
1538 cstate->off_li = 22;
1539 cstate->off_li_hsl = 24;
1540 cstate->off_sio = 23;
1541 cstate->off_opc = 24;
1542 cstate->off_dpc = 24;
1543 cstate->off_sls = 27;
1544 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1545 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1546 cstate->off_nl = -1;
1547 cstate->off_nl_nosnap = -1;
1551 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1552 cstate->off_linkpl.constant_part = 4;
1554 cstate->off_nl_nosnap = 0;
1559 * Currently, only raw "link[N:M]" filtering is supported.
1561 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1562 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1563 cstate->off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1564 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1568 cstate->off_linktype.constant_part = 1;
1569 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1571 cstate->off_nl_nosnap = -1;
1574 case DLT_NETANALYZER:
1575 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1576 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1577 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1578 cstate->off_nl = 0; /* Ethernet II */
1579 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1582 case DLT_NETANALYZER_TRANSPARENT:
1583 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1584 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1585 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1586 cstate->off_nl = 0; /* Ethernet II */
1587 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1592 * For values in the range in which we've assigned new
1593 * DLT_ values, only raw "link[N:M]" filtering is supported.
1595 if (cstate->linktype >= DLT_MATCHING_MIN &&
1596 cstate->linktype <= DLT_MATCHING_MAX) {
1597 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1598 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1599 cstate->off_nl = -1;
1600 cstate->off_nl_nosnap = -1;
1602 bpf_error(cstate, "unknown data link type %d", cstate->linktype);
1607 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1611 * Load a value relative to the specified absolute offset.
1613 static struct slist *
1614 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1615 u_int offset, u_int size)
1617 struct slist *s, *s2;
1619 s = gen_abs_offset_varpart(cstate, abs_offset);
1622 * If "s" is non-null, it has code to arrange that the X register
1623 * contains the variable part of the absolute offset, so we
1624 * generate a load relative to that, with an offset of
1625 * abs_offset->constant_part + offset.
1627 * Otherwise, we can do an absolute load with an offset of
1628 * abs_offset->constant_part + offset.
1632 * "s" points to a list of statements that puts the
1633 * variable part of the absolute offset into the X register.
1634 * Do an indirect load, to use the X register as an offset.
1636 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1637 s2->s.k = abs_offset->constant_part + offset;
1641 * There is no variable part of the absolute offset, so
1642 * just do an absolute load.
1644 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1645 s->s.k = abs_offset->constant_part + offset;
1651 * Load a value relative to the beginning of the specified header.
1653 static struct slist *
1654 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1657 struct slist *s, *s2;
1662 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1667 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1670 case OR_PREVLINKHDR:
1671 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1675 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1678 case OR_PREVMPLSHDR:
1679 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1683 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1686 case OR_LINKPL_NOSNAP:
1687 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1691 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1696 * Load the X register with the length of the IPv4 header
1697 * (plus the offset of the link-layer header, if it's
1698 * preceded by a variable-length header such as a radio
1699 * header), in bytes.
1701 s = gen_loadx_iphdrlen(cstate);
1704 * Load the item at {offset of the link-layer payload} +
1705 * {offset, relative to the start of the link-layer
1706 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1707 * {specified offset}.
1709 * If the offset of the link-layer payload is variable,
1710 * the variable part of that offset is included in the
1711 * value in the X register, and we include the constant
1712 * part in the offset of the load.
1714 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1715 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1720 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1731 * Generate code to load into the X register the sum of the length of
1732 * the IPv4 header and the variable part of the offset of the link-layer
1735 static struct slist *
1736 gen_loadx_iphdrlen(compiler_state_t *cstate)
1738 struct slist *s, *s2;
1740 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1743 * The offset of the link-layer payload has a variable
1744 * part. "s" points to a list of statements that put
1745 * the variable part of that offset into the X register.
1747 * The 4*([k]&0xf) addressing mode can't be used, as we
1748 * don't have a constant offset, so we have to load the
1749 * value in question into the A register and add to it
1750 * the value from the X register.
1752 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1753 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1755 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1758 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1763 * The A register now contains the length of the IP header.
1764 * We need to add to it the variable part of the offset of
1765 * the link-layer payload, which is still in the X
1766 * register, and move the result into the X register.
1768 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1769 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1772 * The offset of the link-layer payload is a constant,
1773 * so no code was generated to load the (non-existent)
1774 * variable part of that offset.
1776 * This means we can use the 4*([k]&0xf) addressing
1777 * mode. Load the length of the IPv4 header, which
1778 * is at an offset of cstate->off_nl from the beginning of
1779 * the link-layer payload, and thus at an offset of
1780 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1781 * of the raw packet data, using that addressing mode.
1783 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1784 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1789 static struct block *
1790 gen_uncond(compiler_state_t *cstate, int rsense)
1795 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1797 b = new_block(cstate, JMP(BPF_JEQ));
1803 static inline struct block *
1804 gen_true(compiler_state_t *cstate)
1806 return gen_uncond(cstate, 1);
1809 static inline struct block *
1810 gen_false(compiler_state_t *cstate)
1812 return gen_uncond(cstate, 0);
1816 * Byte-swap a 32-bit number.
1817 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1818 * big-endian platforms.)
1820 #define SWAPLONG(y) \
1821 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1824 * Generate code to match a particular packet type.
1826 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1827 * value, if <= ETHERMTU. We use that to determine whether to
1828 * match the type/length field or to check the type/length field for
1829 * a value <= ETHERMTU to see whether it's a type field and then do
1830 * the appropriate test.
1832 static struct block *
1833 gen_ether_linktype(compiler_state_t *cstate, int proto)
1835 struct block *b0, *b1;
1841 case LLCSAP_NETBEUI:
1843 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1844 * so we check the DSAP and SSAP.
1846 * LLCSAP_IP checks for IP-over-802.2, rather
1847 * than IP-over-Ethernet or IP-over-SNAP.
1849 * XXX - should we check both the DSAP and the
1850 * SSAP, like this, or should we check just the
1851 * DSAP, as we do for other types <= ETHERMTU
1852 * (i.e., other SAP values)?
1854 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1856 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
1857 ((proto << 8) | proto));
1865 * Ethernet_II frames, which are Ethernet
1866 * frames with a frame type of ETHERTYPE_IPX;
1868 * Ethernet_802.3 frames, which are 802.3
1869 * frames (i.e., the type/length field is
1870 * a length field, <= ETHERMTU, rather than
1871 * a type field) with the first two bytes
1872 * after the Ethernet/802.3 header being
1875 * Ethernet_802.2 frames, which are 802.3
1876 * frames with an 802.2 LLC header and
1877 * with the IPX LSAP as the DSAP in the LLC
1880 * Ethernet_SNAP frames, which are 802.3
1881 * frames with an LLC header and a SNAP
1882 * header and with an OUI of 0x000000
1883 * (encapsulated Ethernet) and a protocol
1884 * ID of ETHERTYPE_IPX in the SNAP header.
1886 * XXX - should we generate the same code both
1887 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1891 * This generates code to check both for the
1892 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1894 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1895 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
1899 * Now we add code to check for SNAP frames with
1900 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1902 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
1906 * Now we generate code to check for 802.3
1907 * frames in general.
1909 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1913 * Now add the check for 802.3 frames before the
1914 * check for Ethernet_802.2 and Ethernet_802.3,
1915 * as those checks should only be done on 802.3
1916 * frames, not on Ethernet frames.
1921 * Now add the check for Ethernet_II frames, and
1922 * do that before checking for the other frame
1925 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1929 case ETHERTYPE_ATALK:
1930 case ETHERTYPE_AARP:
1932 * EtherTalk (AppleTalk protocols on Ethernet link
1933 * layer) may use 802.2 encapsulation.
1937 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1938 * we check for an Ethernet type field less than
1939 * 1500, which means it's an 802.3 length field.
1941 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1945 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1946 * SNAP packets with an organization code of
1947 * 0x080007 (Apple, for Appletalk) and a protocol
1948 * type of ETHERTYPE_ATALK (Appletalk).
1950 * 802.2-encapsulated ETHERTYPE_AARP packets are
1951 * SNAP packets with an organization code of
1952 * 0x000000 (encapsulated Ethernet) and a protocol
1953 * type of ETHERTYPE_AARP (Appletalk ARP).
1955 if (proto == ETHERTYPE_ATALK)
1956 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
1957 else /* proto == ETHERTYPE_AARP */
1958 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
1962 * Check for Ethernet encapsulation (Ethertalk
1963 * phase 1?); we just check for the Ethernet
1966 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
1972 if (proto <= ETHERMTU) {
1974 * This is an LLC SAP value, so the frames
1975 * that match would be 802.2 frames.
1976 * Check that the frame is an 802.2 frame
1977 * (i.e., that the length/type field is
1978 * a length field, <= ETHERMTU) and
1979 * then check the DSAP.
1981 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1983 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
1988 * This is an Ethernet type, so compare
1989 * the length/type field with it (if
1990 * the frame is an 802.2 frame, the length
1991 * field will be <= ETHERMTU, and, as
1992 * "proto" is > ETHERMTU, this test
1993 * will fail and the frame won't match,
1994 * which is what we want).
1996 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
2002 static struct block *
2003 gen_loopback_linktype(compiler_state_t *cstate, int proto)
2006 * For DLT_NULL, the link-layer header is a 32-bit word
2007 * containing an AF_ value in *host* byte order, and for
2008 * DLT_ENC, the link-layer header begins with a 32-bit
2009 * word containing an AF_ value in host byte order.
2011 * In addition, if we're reading a saved capture file,
2012 * the host byte order in the capture may not be the
2013 * same as the host byte order on this machine.
2015 * For DLT_LOOP, the link-layer header is a 32-bit
2016 * word containing an AF_ value in *network* byte order.
2018 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2020 * The AF_ value is in host byte order, but the BPF
2021 * interpreter will convert it to network byte order.
2023 * If this is a save file, and it's from a machine
2024 * with the opposite byte order to ours, we byte-swap
2027 * Then we run it through "htonl()", and generate
2028 * code to compare against the result.
2030 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2031 proto = SWAPLONG(proto);
2032 proto = htonl(proto);
2034 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
2038 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2039 * or IPv6 then we have an error.
2041 static struct block *
2042 gen_ipnet_linktype(compiler_state_t *cstate, int proto)
2047 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
2050 case ETHERTYPE_IPV6:
2051 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
2052 (bpf_int32)IPH_AF_INET6);
2059 return gen_false(cstate);
2063 * Generate code to match a particular packet type.
2065 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2066 * value, if <= ETHERMTU. We use that to determine whether to
2067 * match the type field or to check the type field for the special
2068 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2070 static struct block *
2071 gen_linux_sll_linktype(compiler_state_t *cstate, int proto)
2073 struct block *b0, *b1;
2079 case LLCSAP_NETBEUI:
2081 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2082 * so we check the DSAP and SSAP.
2084 * LLCSAP_IP checks for IP-over-802.2, rather
2085 * than IP-over-Ethernet or IP-over-SNAP.
2087 * XXX - should we check both the DSAP and the
2088 * SSAP, like this, or should we check just the
2089 * DSAP, as we do for other types <= ETHERMTU
2090 * (i.e., other SAP values)?
2092 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2093 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
2094 ((proto << 8) | proto));
2100 * Ethernet_II frames, which are Ethernet
2101 * frames with a frame type of ETHERTYPE_IPX;
2103 * Ethernet_802.3 frames, which have a frame
2104 * type of LINUX_SLL_P_802_3;
2106 * Ethernet_802.2 frames, which are 802.3
2107 * frames with an 802.2 LLC header (i.e, have
2108 * a frame type of LINUX_SLL_P_802_2) and
2109 * with the IPX LSAP as the DSAP in the LLC
2112 * Ethernet_SNAP frames, which are 802.3
2113 * frames with an LLC header and a SNAP
2114 * header and with an OUI of 0x000000
2115 * (encapsulated Ethernet) and a protocol
2116 * ID of ETHERTYPE_IPX in the SNAP header.
2118 * First, do the checks on LINUX_SLL_P_802_2
2119 * frames; generate the check for either
2120 * Ethernet_802.2 or Ethernet_SNAP frames, and
2121 * then put a check for LINUX_SLL_P_802_2 frames
2124 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2125 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2127 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2131 * Now check for 802.3 frames and OR that with
2132 * the previous test.
2134 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2138 * Now add the check for Ethernet_II frames, and
2139 * do that before checking for the other frame
2142 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2146 case ETHERTYPE_ATALK:
2147 case ETHERTYPE_AARP:
2149 * EtherTalk (AppleTalk protocols on Ethernet link
2150 * layer) may use 802.2 encapsulation.
2154 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2155 * we check for the 802.2 protocol type in the
2156 * "Ethernet type" field.
2158 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2161 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2162 * SNAP packets with an organization code of
2163 * 0x080007 (Apple, for Appletalk) and a protocol
2164 * type of ETHERTYPE_ATALK (Appletalk).
2166 * 802.2-encapsulated ETHERTYPE_AARP packets are
2167 * SNAP packets with an organization code of
2168 * 0x000000 (encapsulated Ethernet) and a protocol
2169 * type of ETHERTYPE_AARP (Appletalk ARP).
2171 if (proto == ETHERTYPE_ATALK)
2172 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2173 else /* proto == ETHERTYPE_AARP */
2174 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2178 * Check for Ethernet encapsulation (Ethertalk
2179 * phase 1?); we just check for the Ethernet
2182 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2188 if (proto <= ETHERMTU) {
2190 * This is an LLC SAP value, so the frames
2191 * that match would be 802.2 frames.
2192 * Check for the 802.2 protocol type
2193 * in the "Ethernet type" field, and
2194 * then check the DSAP.
2196 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2197 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2203 * This is an Ethernet type, so compare
2204 * the length/type field with it (if
2205 * the frame is an 802.2 frame, the length
2206 * field will be <= ETHERMTU, and, as
2207 * "proto" is > ETHERMTU, this test
2208 * will fail and the frame won't match,
2209 * which is what we want).
2211 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2216 static struct slist *
2217 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2219 struct slist *s1, *s2;
2220 struct slist *sjeq_avs_cookie;
2221 struct slist *sjcommon;
2224 * This code is not compatible with the optimizer, as
2225 * we are generating jmp instructions within a normal
2226 * slist of instructions
2228 cstate->no_optimize = 1;
2231 * Generate code to load the length of the radio header into
2232 * the register assigned to hold that length, if one has been
2233 * assigned. (If one hasn't been assigned, no code we've
2234 * generated uses that prefix, so we don't need to generate any
2237 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2238 * or always use the AVS header rather than the Prism header.
2239 * We load a 4-byte big-endian value at the beginning of the
2240 * raw packet data, and see whether, when masked with 0xFFFFF000,
2241 * it's equal to 0x80211000. If so, that indicates that it's
2242 * an AVS header (the masked-out bits are the version number).
2243 * Otherwise, it's a Prism header.
2245 * XXX - the Prism header is also, in theory, variable-length,
2246 * but no known software generates headers that aren't 144
2249 if (cstate->off_linkhdr.reg != -1) {
2253 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2257 * AND it with 0xFFFFF000.
2259 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2260 s2->s.k = 0xFFFFF000;
2264 * Compare with 0x80211000.
2266 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2267 sjeq_avs_cookie->s.k = 0x80211000;
2268 sappend(s1, sjeq_avs_cookie);
2273 * The 4 bytes at an offset of 4 from the beginning of
2274 * the AVS header are the length of the AVS header.
2275 * That field is big-endian.
2277 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2280 sjeq_avs_cookie->s.jt = s2;
2283 * Now jump to the code to allocate a register
2284 * into which to save the header length and
2285 * store the length there. (The "jump always"
2286 * instruction needs to have the k field set;
2287 * it's added to the PC, so, as we're jumping
2288 * over a single instruction, it should be 1.)
2290 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2292 sappend(s1, sjcommon);
2295 * Now for the code that handles the Prism header.
2296 * Just load the length of the Prism header (144)
2297 * into the A register. Have the test for an AVS
2298 * header branch here if we don't have an AVS header.
2300 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2303 sjeq_avs_cookie->s.jf = s2;
2306 * Now allocate a register to hold that value and store
2307 * it. The code for the AVS header will jump here after
2308 * loading the length of the AVS header.
2310 s2 = new_stmt(cstate, BPF_ST);
2311 s2->s.k = cstate->off_linkhdr.reg;
2313 sjcommon->s.jf = s2;
2316 * Now move it into the X register.
2318 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2326 static struct slist *
2327 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2329 struct slist *s1, *s2;
2332 * Generate code to load the length of the AVS header into
2333 * the register assigned to hold that length, if one has been
2334 * assigned. (If one hasn't been assigned, no code we've
2335 * generated uses that prefix, so we don't need to generate any
2338 if (cstate->off_linkhdr.reg != -1) {
2340 * The 4 bytes at an offset of 4 from the beginning of
2341 * the AVS header are the length of the AVS header.
2342 * That field is big-endian.
2344 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2348 * Now allocate a register to hold that value and store
2351 s2 = new_stmt(cstate, BPF_ST);
2352 s2->s.k = cstate->off_linkhdr.reg;
2356 * Now move it into the X register.
2358 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2366 static struct slist *
2367 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2369 struct slist *s1, *s2;
2372 * Generate code to load the length of the radiotap header into
2373 * the register assigned to hold that length, if one has been
2374 * assigned. (If one hasn't been assigned, no code we've
2375 * generated uses that prefix, so we don't need to generate any
2378 if (cstate->off_linkhdr.reg != -1) {
2380 * The 2 bytes at offsets of 2 and 3 from the beginning
2381 * of the radiotap header are the length of the radiotap
2382 * header; unfortunately, it's little-endian, so we have
2383 * to load it a byte at a time and construct the value.
2387 * Load the high-order byte, at an offset of 3, shift it
2388 * left a byte, and put the result in the X register.
2390 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2392 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2395 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2399 * Load the next byte, at an offset of 2, and OR the
2400 * value from the X register into it.
2402 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2405 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2409 * Now allocate a register to hold that value and store
2412 s2 = new_stmt(cstate, BPF_ST);
2413 s2->s.k = cstate->off_linkhdr.reg;
2417 * Now move it into the X register.
2419 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2428 * At the moment we treat PPI as normal Radiotap encoded
2429 * packets. The difference is in the function that generates
2430 * the code at the beginning to compute the header length.
2431 * Since this code generator of PPI supports bare 802.11
2432 * encapsulation only (i.e. the encapsulated DLT should be
2433 * DLT_IEEE802_11) we generate code to check for this too;
2434 * that's done in finish_parse().
2436 static struct slist *
2437 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2439 struct slist *s1, *s2;
2442 * Generate code to load the length of the radiotap header
2443 * into the register assigned to hold that length, if one has
2446 if (cstate->off_linkhdr.reg != -1) {
2448 * The 2 bytes at offsets of 2 and 3 from the beginning
2449 * of the radiotap header are the length of the radiotap
2450 * header; unfortunately, it's little-endian, so we have
2451 * to load it a byte at a time and construct the value.
2455 * Load the high-order byte, at an offset of 3, shift it
2456 * left a byte, and put the result in the X register.
2458 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2460 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2463 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2467 * Load the next byte, at an offset of 2, and OR the
2468 * value from the X register into it.
2470 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2473 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2477 * Now allocate a register to hold that value and store
2480 s2 = new_stmt(cstate, BPF_ST);
2481 s2->s.k = cstate->off_linkhdr.reg;
2485 * Now move it into the X register.
2487 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2496 * Load a value relative to the beginning of the link-layer header after the 802.11
2497 * header, i.e. LLC_SNAP.
2498 * The link-layer header doesn't necessarily begin at the beginning
2499 * of the packet data; there might be a variable-length prefix containing
2500 * radio information.
2502 static struct slist *
2503 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2506 struct slist *sjset_data_frame_1;
2507 struct slist *sjset_data_frame_2;
2508 struct slist *sjset_qos;
2509 struct slist *sjset_radiotap_flags_present;
2510 struct slist *sjset_radiotap_ext_present;
2511 struct slist *sjset_radiotap_tsft_present;
2512 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2513 struct slist *s_roundup;
2515 if (cstate->off_linkpl.reg == -1) {
2517 * No register has been assigned to the offset of
2518 * the link-layer payload, which means nobody needs
2519 * it; don't bother computing it - just return
2520 * what we already have.
2526 * This code is not compatible with the optimizer, as
2527 * we are generating jmp instructions within a normal
2528 * slist of instructions
2530 cstate->no_optimize = 1;
2533 * If "s" is non-null, it has code to arrange that the X register
2534 * contains the length of the prefix preceding the link-layer
2537 * Otherwise, the length of the prefix preceding the link-layer
2538 * header is "off_outermostlinkhdr.constant_part".
2542 * There is no variable-length header preceding the
2543 * link-layer header.
2545 * Load the length of the fixed-length prefix preceding
2546 * the link-layer header (if any) into the X register,
2547 * and store it in the cstate->off_linkpl.reg register.
2548 * That length is off_outermostlinkhdr.constant_part.
2550 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2551 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2555 * The X register contains the offset of the beginning of the
2556 * link-layer header; add 24, which is the minimum length
2557 * of the MAC header for a data frame, to that, and store it
2558 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2559 * which is at the offset in the X register, with an indexed load.
2561 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2563 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2566 s2 = new_stmt(cstate, BPF_ST);
2567 s2->s.k = cstate->off_linkpl.reg;
2570 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2575 * Check the Frame Control field to see if this is a data frame;
2576 * a data frame has the 0x08 bit (b3) in that field set and the
2577 * 0x04 bit (b2) clear.
2579 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2580 sjset_data_frame_1->s.k = 0x08;
2581 sappend(s, sjset_data_frame_1);
2584 * If b3 is set, test b2, otherwise go to the first statement of
2585 * the rest of the program.
2587 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2588 sjset_data_frame_2->s.k = 0x04;
2589 sappend(s, sjset_data_frame_2);
2590 sjset_data_frame_1->s.jf = snext;
2593 * If b2 is not set, this is a data frame; test the QoS bit.
2594 * Otherwise, go to the first statement of the rest of the
2597 sjset_data_frame_2->s.jt = snext;
2598 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2599 sjset_qos->s.k = 0x80; /* QoS bit */
2600 sappend(s, sjset_qos);
2603 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2605 * Otherwise, go to the first statement of the rest of the
2608 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2609 s2->s.k = cstate->off_linkpl.reg;
2611 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2614 s2 = new_stmt(cstate, BPF_ST);
2615 s2->s.k = cstate->off_linkpl.reg;
2619 * If we have a radiotap header, look at it to see whether
2620 * there's Atheros padding between the MAC-layer header
2623 * Note: all of the fields in the radiotap header are
2624 * little-endian, so we byte-swap all of the values
2625 * we test against, as they will be loaded as big-endian
2628 * XXX - in the general case, we would have to scan through
2629 * *all* the presence bits, if there's more than one word of
2630 * presence bits. That would require a loop, meaning that
2631 * we wouldn't be able to run the filter in the kernel.
2633 * We assume here that the Atheros adapters that insert the
2634 * annoying padding don't have multiple antennae and therefore
2635 * do not generate radiotap headers with multiple presence words.
2637 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2639 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2640 * in the first presence flag word?
2642 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2646 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2647 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2648 sappend(s, sjset_radiotap_flags_present);
2651 * If not, skip all of this.
2653 sjset_radiotap_flags_present->s.jf = snext;
2656 * Otherwise, is the "extension" bit set in that word?
2658 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2659 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2660 sappend(s, sjset_radiotap_ext_present);
2661 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2664 * If so, skip all of this.
2666 sjset_radiotap_ext_present->s.jt = snext;
2669 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2671 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2672 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2673 sappend(s, sjset_radiotap_tsft_present);
2674 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2677 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2678 * at an offset of 16 from the beginning of the raw packet
2679 * data (8 bytes for the radiotap header and 8 bytes for
2682 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2685 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2688 sjset_radiotap_tsft_present->s.jt = s2;
2690 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2691 sjset_tsft_datapad->s.k = 0x20;
2692 sappend(s, sjset_tsft_datapad);
2695 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2696 * at an offset of 8 from the beginning of the raw packet
2697 * data (8 bytes for the radiotap header).
2699 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2702 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2705 sjset_radiotap_tsft_present->s.jf = s2;
2707 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2708 sjset_notsft_datapad->s.k = 0x20;
2709 sappend(s, sjset_notsft_datapad);
2712 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2713 * set, round the length of the 802.11 header to
2714 * a multiple of 4. Do that by adding 3 and then
2715 * dividing by and multiplying by 4, which we do by
2718 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2719 s_roundup->s.k = cstate->off_linkpl.reg;
2720 sappend(s, s_roundup);
2721 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2724 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2727 s2 = new_stmt(cstate, BPF_ST);
2728 s2->s.k = cstate->off_linkpl.reg;
2731 sjset_tsft_datapad->s.jt = s_roundup;
2732 sjset_tsft_datapad->s.jf = snext;
2733 sjset_notsft_datapad->s.jt = s_roundup;
2734 sjset_notsft_datapad->s.jf = snext;
2736 sjset_qos->s.jf = snext;
2742 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2746 /* There is an implicit dependency between the link
2747 * payload and link header since the payload computation
2748 * includes the variable part of the header. Therefore,
2749 * if nobody else has allocated a register for the link
2750 * header and we need it, do it now. */
2751 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2752 cstate->off_linkhdr.reg == -1)
2753 cstate->off_linkhdr.reg = alloc_reg(cstate);
2756 * For link-layer types that have a variable-length header
2757 * preceding the link-layer header, generate code to load
2758 * the offset of the link-layer header into the register
2759 * assigned to that offset, if any.
2761 * XXX - this, and the next switch statement, won't handle
2762 * encapsulation of 802.11 or 802.11+radio information in
2763 * some other protocol stack. That's significantly more
2766 switch (cstate->outermostlinktype) {
2768 case DLT_PRISM_HEADER:
2769 s = gen_load_prism_llprefixlen(cstate);
2772 case DLT_IEEE802_11_RADIO_AVS:
2773 s = gen_load_avs_llprefixlen(cstate);
2776 case DLT_IEEE802_11_RADIO:
2777 s = gen_load_radiotap_llprefixlen(cstate);
2781 s = gen_load_ppi_llprefixlen(cstate);
2790 * For link-layer types that have a variable-length link-layer
2791 * header, generate code to load the offset of the link-layer
2792 * payload into the register assigned to that offset, if any.
2794 switch (cstate->outermostlinktype) {
2796 case DLT_IEEE802_11:
2797 case DLT_PRISM_HEADER:
2798 case DLT_IEEE802_11_RADIO_AVS:
2799 case DLT_IEEE802_11_RADIO:
2801 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2806 * If we have any offset-loading code, append all the
2807 * existing statements in the block to those statements,
2808 * and make the resulting list the list of statements
2812 sappend(s, b->stmts);
2817 static struct block *
2818 gen_ppi_dlt_check(compiler_state_t *cstate)
2820 struct slist *s_load_dlt;
2823 if (cstate->linktype == DLT_PPI)
2825 /* Create the statements that check for the DLT
2827 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2828 s_load_dlt->s.k = 4;
2830 b = new_block(cstate, JMP(BPF_JEQ));
2832 b->stmts = s_load_dlt;
2833 b->s.k = SWAPLONG(DLT_IEEE802_11);
2844 * Take an absolute offset, and:
2846 * if it has no variable part, return NULL;
2848 * if it has a variable part, generate code to load the register
2849 * containing that variable part into the X register, returning
2850 * a pointer to that code - if no register for that offset has
2851 * been allocated, allocate it first.
2853 * (The code to set that register will be generated later, but will
2854 * be placed earlier in the code sequence.)
2856 static struct slist *
2857 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
2861 if (off->is_variable) {
2862 if (off->reg == -1) {
2864 * We haven't yet assigned a register for the
2865 * variable part of the offset of the link-layer
2866 * header; allocate one.
2868 off->reg = alloc_reg(cstate);
2872 * Load the register containing the variable part of the
2873 * offset of the link-layer header into the X register.
2875 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
2880 * That offset isn't variable, there's no variable part,
2881 * so we don't need to generate any code.
2888 * Map an Ethernet type to the equivalent PPP type.
2891 ethertype_to_ppptype(proto)
2900 case ETHERTYPE_IPV6:
2908 case ETHERTYPE_ATALK:
2922 * I'm assuming the "Bridging PDU"s that go
2923 * over PPP are Spanning Tree Protocol
2937 * Generate any tests that, for encapsulation of a link-layer packet
2938 * inside another protocol stack, need to be done to check for those
2939 * link-layer packets (and that haven't already been done by a check
2940 * for that encapsulation).
2942 static struct block *
2943 gen_prevlinkhdr_check(compiler_state_t *cstate)
2947 if (cstate->is_geneve)
2948 return gen_geneve_ll_check(cstate);
2950 switch (cstate->prevlinktype) {
2954 * This is LANE-encapsulated Ethernet; check that the LANE
2955 * packet doesn't begin with an LE Control marker, i.e.
2956 * that it's data, not a control message.
2958 * (We've already generated a test for LANE.)
2960 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2966 * No such tests are necessary.
2974 * The three different values we should check for when checking for an
2975 * IPv6 packet with DLT_NULL.
2977 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
2978 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
2979 #define BSD_AFNUM_INET6_DARWIN 30 /* OS X, iOS, other Darwin-based OSes */
2982 * Generate code to match a particular packet type by matching the
2983 * link-layer type field or fields in the 802.2 LLC header.
2985 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2986 * value, if <= ETHERMTU.
2988 static struct block *
2989 gen_linktype(compiler_state_t *cstate, int proto)
2991 struct block *b0, *b1, *b2;
2992 const char *description;
2994 /* are we checking MPLS-encapsulated packets? */
2995 if (cstate->label_stack_depth > 0) {
2999 /* FIXME add other L3 proto IDs */
3000 return gen_mpls_linktype(cstate, Q_IP);
3002 case ETHERTYPE_IPV6:
3004 /* FIXME add other L3 proto IDs */
3005 return gen_mpls_linktype(cstate, Q_IPV6);
3008 bpf_error(cstate, "unsupported protocol over mpls");
3013 switch (cstate->linktype) {
3016 case DLT_NETANALYZER:
3017 case DLT_NETANALYZER_TRANSPARENT:
3018 /* Geneve has an EtherType regardless of whether there is an
3020 if (!cstate->is_geneve)
3021 b0 = gen_prevlinkhdr_check(cstate);
3025 b1 = gen_ether_linktype(cstate, proto);
3036 proto = (proto << 8 | LLCSAP_ISONS);
3040 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3046 case DLT_IEEE802_11:
3047 case DLT_PRISM_HEADER:
3048 case DLT_IEEE802_11_RADIO_AVS:
3049 case DLT_IEEE802_11_RADIO:
3052 * Check that we have a data frame.
3054 b0 = gen_check_802_11_data_frame(cstate);
3057 * Now check for the specified link-layer type.
3059 b1 = gen_llc_linktype(cstate, proto);
3067 * XXX - check for LLC frames.
3069 return gen_llc_linktype(cstate, proto);
3075 * XXX - check for LLC PDUs, as per IEEE 802.5.
3077 return gen_llc_linktype(cstate, proto);
3081 case DLT_ATM_RFC1483:
3083 case DLT_IP_OVER_FC:
3084 return gen_llc_linktype(cstate, proto);
3090 * Check for an LLC-encapsulated version of this protocol;
3091 * if we were checking for LANE, linktype would no longer
3094 * Check for LLC encapsulation and then check the protocol.
3096 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3097 b1 = gen_llc_linktype(cstate, proto);
3104 return gen_linux_sll_linktype(cstate, proto);
3109 case DLT_SLIP_BSDOS:
3112 * These types don't provide any type field; packets
3113 * are always IPv4 or IPv6.
3115 * XXX - for IPv4, check for a version number of 4, and,
3116 * for IPv6, check for a version number of 6?
3121 /* Check for a version number of 4. */
3122 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3124 case ETHERTYPE_IPV6:
3125 /* Check for a version number of 6. */
3126 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3129 return gen_false(cstate); /* always false */
3136 * Raw IPv4, so no type field.
3138 if (proto == ETHERTYPE_IP)
3139 return gen_true(cstate); /* always true */
3141 /* Checking for something other than IPv4; always false */
3142 return gen_false(cstate);
3148 * Raw IPv6, so no type field.
3150 if (proto == ETHERTYPE_IPV6)
3151 return gen_true(cstate); /* always true */
3153 /* Checking for something other than IPv6; always false */
3154 return gen_false(cstate);
3160 case DLT_PPP_SERIAL:
3163 * We use Ethernet protocol types inside libpcap;
3164 * map them to the corresponding PPP protocol types.
3166 proto = ethertype_to_ppptype(proto);
3167 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3173 * We use Ethernet protocol types inside libpcap;
3174 * map them to the corresponding PPP protocol types.
3180 * Also check for Van Jacobson-compressed IP.
3181 * XXX - do this for other forms of PPP?
3183 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3184 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3186 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3191 proto = ethertype_to_ppptype(proto);
3192 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3204 return (gen_loopback_linktype(cstate, AF_INET));
3206 case ETHERTYPE_IPV6:
3208 * AF_ values may, unfortunately, be platform-
3209 * dependent; AF_INET isn't, because everybody
3210 * used 4.2BSD's value, but AF_INET6 is, because
3211 * 4.2BSD didn't have a value for it (given that
3212 * IPv6 didn't exist back in the early 1980's),
3213 * and they all picked their own values.
3215 * This means that, if we're reading from a
3216 * savefile, we need to check for all the
3219 * If we're doing a live capture, we only need
3220 * to check for this platform's value; however,
3221 * Npcap uses 24, which isn't Windows's AF_INET6
3222 * value. (Given the multiple different values,
3223 * programs that read pcap files shouldn't be
3224 * checking for their platform's AF_INET6 value
3225 * anyway, they should check for all of the
3226 * possible values. and they might as well do
3227 * that even for live captures.)
3229 if (cstate->bpf_pcap->rfile != NULL) {
3231 * Savefile - check for all three
3232 * possible IPv6 values.
3234 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3235 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3237 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3242 * Live capture, so we only need to
3243 * check for the value used on this
3248 * Npcap doesn't use Windows's AF_INET6,
3249 * as that collides with AF_IPX on
3250 * some BSDs (both have the value 23).
3251 * Instead, it uses 24.
3253 return (gen_loopback_linktype(cstate, 24));
3256 return (gen_loopback_linktype(cstate, AF_INET6));
3257 #else /* AF_INET6 */
3259 * I guess this platform doesn't support
3260 * IPv6, so we just reject all packets.
3262 return gen_false(cstate);
3263 #endif /* AF_INET6 */
3269 * Not a type on which we support filtering.
3270 * XXX - support those that have AF_ values
3271 * #defined on this platform, at least?
3273 return gen_false(cstate);
3276 #ifdef HAVE_NET_PFVAR_H
3279 * af field is host byte order in contrast to the rest of
3282 if (proto == ETHERTYPE_IP)
3283 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3284 BPF_B, (bpf_int32)AF_INET));
3285 else if (proto == ETHERTYPE_IPV6)
3286 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3287 BPF_B, (bpf_int32)AF_INET6));
3289 return gen_false(cstate);
3292 #endif /* HAVE_NET_PFVAR_H */
3295 case DLT_ARCNET_LINUX:
3297 * XXX should we check for first fragment if the protocol
3303 return gen_false(cstate);
3305 case ETHERTYPE_IPV6:
3306 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3307 (bpf_int32)ARCTYPE_INET6));
3310 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3311 (bpf_int32)ARCTYPE_IP);
3312 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3313 (bpf_int32)ARCTYPE_IP_OLD);
3318 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3319 (bpf_int32)ARCTYPE_ARP);
3320 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3321 (bpf_int32)ARCTYPE_ARP_OLD);
3325 case ETHERTYPE_REVARP:
3326 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3327 (bpf_int32)ARCTYPE_REVARP));
3329 case ETHERTYPE_ATALK:
3330 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3331 (bpf_int32)ARCTYPE_ATALK));
3338 case ETHERTYPE_ATALK:
3339 return gen_true(cstate);
3341 return gen_false(cstate);
3348 * XXX - assumes a 2-byte Frame Relay header with
3349 * DLCI and flags. What if the address is longer?
3355 * Check for the special NLPID for IP.
3357 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3359 case ETHERTYPE_IPV6:
3361 * Check for the special NLPID for IPv6.
3363 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3367 * Check for several OSI protocols.
3369 * Frame Relay packets typically have an OSI
3370 * NLPID at the beginning; we check for each
3373 * What we check for is the NLPID and a frame
3374 * control field of UI, i.e. 0x03 followed
3377 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3378 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3379 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3385 return gen_false(cstate);
3391 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3393 case DLT_JUNIPER_MFR:
3394 case DLT_JUNIPER_MLFR:
3395 case DLT_JUNIPER_MLPPP:
3396 case DLT_JUNIPER_ATM1:
3397 case DLT_JUNIPER_ATM2:
3398 case DLT_JUNIPER_PPPOE:
3399 case DLT_JUNIPER_PPPOE_ATM:
3400 case DLT_JUNIPER_GGSN:
3401 case DLT_JUNIPER_ES:
3402 case DLT_JUNIPER_MONITOR:
3403 case DLT_JUNIPER_SERVICES:
3404 case DLT_JUNIPER_ETHER:
3405 case DLT_JUNIPER_PPP:
3406 case DLT_JUNIPER_FRELAY:
3407 case DLT_JUNIPER_CHDLC:
3408 case DLT_JUNIPER_VP:
3409 case DLT_JUNIPER_ST:
3410 case DLT_JUNIPER_ISM:
3411 case DLT_JUNIPER_VS:
3412 case DLT_JUNIPER_SRX_E2E:
3413 case DLT_JUNIPER_FIBRECHANNEL:
3414 case DLT_JUNIPER_ATM_CEMIC:
3416 /* just lets verify the magic number for now -
3417 * on ATM we may have up to 6 different encapsulations on the wire
3418 * and need a lot of heuristics to figure out that the payload
3421 * FIXME encapsulation specific BPF_ filters
3423 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3425 case DLT_BACNET_MS_TP:
3426 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3429 return gen_ipnet_linktype(cstate, proto);
3431 case DLT_LINUX_IRDA:
3432 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3435 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3438 case DLT_MTP2_WITH_PHDR:
3439 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3442 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3445 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3447 case DLT_LINUX_LAPD:
3448 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3450 case DLT_USB_FREEBSD:
3452 case DLT_USB_LINUX_MMAPPED:
3454 bpf_error(cstate, "USB link-layer type filtering not implemented");
3456 case DLT_BLUETOOTH_HCI_H4:
3457 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3458 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3461 case DLT_CAN_SOCKETCAN:
3462 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3464 case DLT_IEEE802_15_4:
3465 case DLT_IEEE802_15_4_LINUX:
3466 case DLT_IEEE802_15_4_NONASK_PHY:
3467 case DLT_IEEE802_15_4_NOFCS:
3468 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3470 case DLT_IEEE802_16_MAC_CPS_RADIO:
3471 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3474 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3477 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3480 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3483 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3486 /* Using the fixed-size NFLOG header it is possible to tell only
3487 * the address family of the packet, other meaningful data is
3488 * either missing or behind TLVs.
3490 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3494 * Does this link-layer header type have a field
3495 * indicating the type of the next protocol? If
3496 * so, off_linktype.constant_part will be the offset of that
3497 * field in the packet; if not, it will be OFFSET_NOT_SET.
3499 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3501 * Yes; assume it's an Ethernet type. (If
3502 * it's not, it needs to be handled specially
3505 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3508 * No; report an error.
3510 description = pcap_datalink_val_to_description(cstate->linktype);
3511 if (description != NULL) {
3512 bpf_error(cstate, "%s link-layer type filtering not implemented",
3515 bpf_error(cstate, "DLT %u link-layer type filtering not implemented",
3524 * Check for an LLC SNAP packet with a given organization code and
3525 * protocol type; we check the entire contents of the 802.2 LLC and
3526 * snap headers, checking for DSAP and SSAP of SNAP and a control
3527 * field of 0x03 in the LLC header, and for the specified organization
3528 * code and protocol type in the SNAP header.
3530 static struct block *
3531 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3533 u_char snapblock[8];
3535 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3536 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3537 snapblock[2] = 0x03; /* control = UI */
3538 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3539 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3540 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3541 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3542 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3543 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3547 * Generate code to match frames with an LLC header.
3550 gen_llc(compiler_state_t *cstate)
3552 struct block *b0, *b1;
3554 switch (cstate->linktype) {
3558 * We check for an Ethernet type field less than
3559 * 1500, which means it's an 802.3 length field.
3561 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3565 * Now check for the purported DSAP and SSAP not being
3566 * 0xFF, to rule out NetWare-over-802.3.
3568 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3575 * We check for LLC traffic.
3577 b0 = gen_atmtype_abbrev(cstate, A_LLC);
3580 case DLT_IEEE802: /* Token Ring */
3582 * XXX - check for LLC frames.
3584 return gen_true(cstate);
3588 * XXX - check for LLC frames.
3590 return gen_true(cstate);
3592 case DLT_ATM_RFC1483:
3594 * For LLC encapsulation, these are defined to have an
3597 * For VC encapsulation, they don't, but there's no
3598 * way to check for that; the protocol used on the VC
3599 * is negotiated out of band.
3601 return gen_true(cstate);
3603 case DLT_IEEE802_11:
3604 case DLT_PRISM_HEADER:
3605 case DLT_IEEE802_11_RADIO:
3606 case DLT_IEEE802_11_RADIO_AVS:
3609 * Check that we have a data frame.
3611 b0 = gen_check_802_11_data_frame(cstate);
3615 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype);
3621 gen_llc_i(compiler_state_t *cstate)
3623 struct block *b0, *b1;
3627 * Check whether this is an LLC frame.
3629 b0 = gen_llc(cstate);
3632 * Load the control byte and test the low-order bit; it must
3633 * be clear for I frames.
3635 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3636 b1 = new_block(cstate, JMP(BPF_JSET));
3645 gen_llc_s(compiler_state_t *cstate)
3647 struct block *b0, *b1;
3650 * Check whether this is an LLC frame.
3652 b0 = gen_llc(cstate);
3655 * Now compare the low-order 2 bit of the control byte against
3656 * the appropriate value for S frames.
3658 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3664 gen_llc_u(compiler_state_t *cstate)
3666 struct block *b0, *b1;
3669 * Check whether this is an LLC frame.
3671 b0 = gen_llc(cstate);
3674 * Now compare the low-order 2 bit of the control byte against
3675 * the appropriate value for U frames.
3677 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3683 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3685 struct block *b0, *b1;
3688 * Check whether this is an LLC frame.
3690 b0 = gen_llc(cstate);
3693 * Now check for an S frame with the appropriate type.
3695 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3701 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3703 struct block *b0, *b1;
3706 * Check whether this is an LLC frame.
3708 b0 = gen_llc(cstate);
3711 * Now check for a U frame with the appropriate type.
3713 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3719 * Generate code to match a particular packet type, for link-layer types
3720 * using 802.2 LLC headers.
3722 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3723 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3725 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3726 * value, if <= ETHERMTU. We use that to determine whether to
3727 * match the DSAP or both DSAP and LSAP or to check the OUI and
3728 * protocol ID in a SNAP header.
3730 static struct block *
3731 gen_llc_linktype(compiler_state_t *cstate, int proto)
3734 * XXX - handle token-ring variable-length header.
3740 case LLCSAP_NETBEUI:
3742 * XXX - should we check both the DSAP and the
3743 * SSAP, like this, or should we check just the
3744 * DSAP, as we do for other SAP values?
3746 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3747 ((proto << 8) | proto));
3751 * XXX - are there ever SNAP frames for IPX on
3752 * non-Ethernet 802.x networks?
3754 return gen_cmp(cstate, OR_LLC, 0, BPF_B,
3755 (bpf_int32)LLCSAP_IPX);
3757 case ETHERTYPE_ATALK:
3759 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3760 * SNAP packets with an organization code of
3761 * 0x080007 (Apple, for Appletalk) and a protocol
3762 * type of ETHERTYPE_ATALK (Appletalk).
3764 * XXX - check for an organization code of
3765 * encapsulated Ethernet as well?
3767 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3771 * XXX - we don't have to check for IPX 802.3
3772 * here, but should we check for the IPX Ethertype?
3774 if (proto <= ETHERMTU) {
3776 * This is an LLC SAP value, so check
3779 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto);
3782 * This is an Ethernet type; we assume that it's
3783 * unlikely that it'll appear in the right place
3784 * at random, and therefore check only the
3785 * location that would hold the Ethernet type
3786 * in a SNAP frame with an organization code of
3787 * 0x000000 (encapsulated Ethernet).
3789 * XXX - if we were to check for the SNAP DSAP and
3790 * LSAP, as per XXX, and were also to check for an
3791 * organization code of 0x000000 (encapsulated
3792 * Ethernet), we'd do
3794 * return gen_snap(cstate, 0x000000, proto);
3796 * here; for now, we don't, as per the above.
3797 * I don't know whether it's worth the extra CPU
3798 * time to do the right check or not.
3800 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto);
3805 static struct block *
3806 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3807 int dir, int proto, u_int src_off, u_int dst_off)
3809 struct block *b0, *b1;
3823 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3824 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3830 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3831 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3838 b0 = gen_linktype(cstate, proto);
3839 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
3845 static struct block *
3846 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
3847 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off)
3849 struct block *b0, *b1;
3864 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3865 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3871 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3872 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3879 /* this order is important */
3880 a = (u_int32_t *)addr;
3881 m = (u_int32_t *)mask;
3882 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3883 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3885 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3887 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3889 b0 = gen_linktype(cstate, proto);
3895 static struct block *
3896 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
3898 register struct block *b0, *b1;
3902 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
3905 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
3908 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3909 b1 = gen_ehostop(cstate, eaddr, Q_DST);
3915 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3916 b1 = gen_ehostop(cstate, eaddr, Q_DST);
3921 bpf_error(cstate, "'addr1' is only supported on 802.11 with 802.11 headers");
3925 bpf_error(cstate, "'addr2' is only supported on 802.11 with 802.11 headers");
3929 bpf_error(cstate, "'addr3' is only supported on 802.11 with 802.11 headers");
3933 bpf_error(cstate, "'addr4' is only supported on 802.11 with 802.11 headers");
3937 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
3941 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
3949 * Like gen_ehostop, but for DLT_FDDI
3951 static struct block *
3952 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
3954 struct block *b0, *b1;
3958 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
3961 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
3964 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
3965 b1 = gen_fhostop(cstate, eaddr, Q_DST);
3971 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
3972 b1 = gen_fhostop(cstate, eaddr, Q_DST);
3977 bpf_error(cstate, "'addr1' is only supported on 802.11");
3981 bpf_error(cstate, "'addr2' is only supported on 802.11");
3985 bpf_error(cstate, "'addr3' is only supported on 802.11");
3989 bpf_error(cstate, "'addr4' is only supported on 802.11");
3993 bpf_error(cstate, "'ra' is only supported on 802.11");
3997 bpf_error(cstate, "'ta' is only supported on 802.11");
4005 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4007 static struct block *
4008 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4010 register struct block *b0, *b1;
4014 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4017 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4020 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4021 b1 = gen_thostop(cstate, eaddr, Q_DST);
4027 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4028 b1 = gen_thostop(cstate, eaddr, Q_DST);
4033 bpf_error(cstate, "'addr1' is only supported on 802.11");
4037 bpf_error(cstate, "'addr2' is only supported on 802.11");
4041 bpf_error(cstate, "'addr3' is only supported on 802.11");
4045 bpf_error(cstate, "'addr4' is only supported on 802.11");
4049 bpf_error(cstate, "'ra' is only supported on 802.11");
4053 bpf_error(cstate, "'ta' is only supported on 802.11");
4061 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4062 * various 802.11 + radio headers.
4064 static struct block *
4065 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4067 register struct block *b0, *b1, *b2;
4068 register struct slist *s;
4070 #ifdef ENABLE_WLAN_FILTERING_PATCH
4073 * We need to disable the optimizer because the optimizer is buggy
4074 * and wipes out some LD instructions generated by the below
4075 * code to validate the Frame Control bits
4077 cstate->no_optimize = 1;
4078 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4085 * For control frames, there is no SA.
4087 * For management frames, SA is at an
4088 * offset of 10 from the beginning of
4091 * For data frames, SA is at an offset
4092 * of 10 from the beginning of the packet
4093 * if From DS is clear, at an offset of
4094 * 16 from the beginning of the packet
4095 * if From DS is set and To DS is clear,
4096 * and an offset of 24 from the beginning
4097 * of the packet if From DS is set and To DS
4102 * Generate the tests to be done for data frames
4105 * First, check for To DS set, i.e. check "link[1] & 0x01".
4107 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4108 b1 = new_block(cstate, JMP(BPF_JSET));
4109 b1->s.k = 0x01; /* To DS */
4113 * If To DS is set, the SA is at 24.
4115 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4119 * Now, check for To DS not set, i.e. check
4120 * "!(link[1] & 0x01)".
4122 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4123 b2 = new_block(cstate, JMP(BPF_JSET));
4124 b2->s.k = 0x01; /* To DS */
4129 * If To DS is not set, the SA is at 16.
4131 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4135 * Now OR together the last two checks. That gives
4136 * the complete set of checks for data frames with
4142 * Now check for From DS being set, and AND that with
4143 * the ORed-together checks.
4145 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4146 b1 = new_block(cstate, JMP(BPF_JSET));
4147 b1->s.k = 0x02; /* From DS */
4152 * Now check for data frames with From DS not set.
4154 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4155 b2 = new_block(cstate, JMP(BPF_JSET));
4156 b2->s.k = 0x02; /* From DS */
4161 * If From DS isn't set, the SA is at 10.
4163 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4167 * Now OR together the checks for data frames with
4168 * From DS not set and for data frames with From DS
4169 * set; that gives the checks done for data frames.
4174 * Now check for a data frame.
4175 * I.e, check "link[0] & 0x08".
4177 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4178 b1 = new_block(cstate, JMP(BPF_JSET));
4183 * AND that with the checks done for data frames.
4188 * If the high-order bit of the type value is 0, this
4189 * is a management frame.
4190 * I.e, check "!(link[0] & 0x08)".
4192 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4193 b2 = new_block(cstate, JMP(BPF_JSET));
4199 * For management frames, the SA is at 10.
4201 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4205 * OR that with the checks done for data frames.
4206 * That gives the checks done for management and
4212 * If the low-order bit of the type value is 1,
4213 * this is either a control frame or a frame
4214 * with a reserved type, and thus not a
4217 * I.e., check "!(link[0] & 0x04)".
4219 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4220 b1 = new_block(cstate, JMP(BPF_JSET));
4226 * AND that with the checks for data and management
4236 * For control frames, there is no DA.
4238 * For management frames, DA is at an
4239 * offset of 4 from the beginning of
4242 * For data frames, DA is at an offset
4243 * of 4 from the beginning of the packet
4244 * if To DS is clear and at an offset of
4245 * 16 from the beginning of the packet
4250 * Generate the tests to be done for data frames.
4252 * First, check for To DS set, i.e. "link[1] & 0x01".
4254 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4255 b1 = new_block(cstate, JMP(BPF_JSET));
4256 b1->s.k = 0x01; /* To DS */
4260 * If To DS is set, the DA is at 16.
4262 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4266 * Now, check for To DS not set, i.e. check
4267 * "!(link[1] & 0x01)".
4269 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4270 b2 = new_block(cstate, JMP(BPF_JSET));
4271 b2->s.k = 0x01; /* To DS */
4276 * If To DS is not set, the DA is at 4.
4278 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4282 * Now OR together the last two checks. That gives
4283 * the complete set of checks for data frames.
4288 * Now check for a data frame.
4289 * I.e, check "link[0] & 0x08".
4291 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4292 b1 = new_block(cstate, JMP(BPF_JSET));
4297 * AND that with the checks done for data frames.
4302 * If the high-order bit of the type value is 0, this
4303 * is a management frame.
4304 * I.e, check "!(link[0] & 0x08)".
4306 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4307 b2 = new_block(cstate, JMP(BPF_JSET));
4313 * For management frames, the DA is at 4.
4315 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4319 * OR that with the checks done for data frames.
4320 * That gives the checks done for management and
4326 * If the low-order bit of the type value is 1,
4327 * this is either a control frame or a frame
4328 * with a reserved type, and thus not a
4331 * I.e., check "!(link[0] & 0x04)".
4333 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4334 b1 = new_block(cstate, JMP(BPF_JSET));
4340 * AND that with the checks for data and management
4348 * Not present in management frames; addr1 in other
4353 * If the high-order bit of the type value is 0, this
4354 * is a management frame.
4355 * I.e, check "(link[0] & 0x08)".
4357 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4358 b1 = new_block(cstate, JMP(BPF_JSET));
4365 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4368 * AND that with the check of addr1.
4375 * Not present in management frames; addr2, if present,
4380 * Not present in CTS or ACK control frames.
4382 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4383 IEEE80211_FC0_TYPE_MASK);
4385 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4386 IEEE80211_FC0_SUBTYPE_MASK);
4388 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4389 IEEE80211_FC0_SUBTYPE_MASK);
4395 * If the high-order bit of the type value is 0, this
4396 * is a management frame.
4397 * I.e, check "(link[0] & 0x08)".
4399 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4400 b1 = new_block(cstate, JMP(BPF_JSET));
4405 * AND that with the check for frames other than
4406 * CTS and ACK frames.
4413 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4418 * XXX - add BSSID keyword?
4421 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4425 * Not present in CTS or ACK control frames.
4427 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4428 IEEE80211_FC0_TYPE_MASK);
4430 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4431 IEEE80211_FC0_SUBTYPE_MASK);
4433 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4434 IEEE80211_FC0_SUBTYPE_MASK);
4438 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4444 * Not present in control frames.
4446 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4447 IEEE80211_FC0_TYPE_MASK);
4449 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4455 * Present only if the direction mask has both "From DS"
4456 * and "To DS" set. Neither control frames nor management
4457 * frames should have both of those set, so we don't
4458 * check the frame type.
4460 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4461 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4462 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4467 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4468 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4474 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4475 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4484 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4485 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4486 * as the RFC states.)
4488 static struct block *
4489 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4491 register struct block *b0, *b1;
4495 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4498 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4501 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4502 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4508 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4509 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4514 bpf_error(cstate, "'addr1' is only supported on 802.11");
4518 bpf_error(cstate, "'addr2' is only supported on 802.11");
4522 bpf_error(cstate, "'addr3' is only supported on 802.11");
4526 bpf_error(cstate, "'addr4' is only supported on 802.11");
4530 bpf_error(cstate, "'ra' is only supported on 802.11");
4534 bpf_error(cstate, "'ta' is only supported on 802.11");
4542 * This is quite tricky because there may be pad bytes in front of the
4543 * DECNET header, and then there are two possible data packet formats that
4544 * carry both src and dst addresses, plus 5 packet types in a format that
4545 * carries only the src node, plus 2 types that use a different format and
4546 * also carry just the src node.
4550 * Instead of doing those all right, we just look for data packets with
4551 * 0 or 1 bytes of padding. If you want to look at other packets, that
4552 * will require a lot more hacking.
4554 * To add support for filtering on DECNET "areas" (network numbers)
4555 * one would want to add a "mask" argument to this routine. That would
4556 * make the filter even more inefficient, although one could be clever
4557 * and not generate masking instructions if the mask is 0xFFFF.
4559 static struct block *
4560 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4562 struct block *b0, *b1, *b2, *tmp;
4563 u_int offset_lh; /* offset if long header is received */
4564 u_int offset_sh; /* offset if short header is received */
4569 offset_sh = 1; /* follows flags */
4570 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4574 offset_sh = 3; /* follows flags, dstnode */
4575 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4579 /* Inefficient because we do our Calvinball dance twice */
4580 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4581 b1 = gen_dnhostop(cstate, addr, Q_DST);
4587 /* Inefficient because we do our Calvinball dance twice */
4588 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4589 b1 = gen_dnhostop(cstate, addr, Q_DST);
4594 bpf_error(cstate, "ISO host filtering not implemented");
4599 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4600 /* Check for pad = 1, long header case */
4601 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4602 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4603 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4604 BPF_H, (bpf_int32)ntohs((u_short)addr));
4606 /* Check for pad = 0, long header case */
4607 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4608 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4611 /* Check for pad = 1, short header case */
4612 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4613 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4614 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4617 /* Check for pad = 0, short header case */
4618 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4619 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4623 /* Combine with test for cstate->linktype */
4629 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4630 * test the bottom-of-stack bit, and then check the version number
4631 * field in the IP header.
4633 static struct block *
4634 gen_mpls_linktype(compiler_state_t *cstate, int proto)
4636 struct block *b0, *b1;
4641 /* match the bottom-of-stack bit */
4642 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4643 /* match the IPv4 version number */
4644 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4649 /* match the bottom-of-stack bit */
4650 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4651 /* match the IPv4 version number */
4652 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4661 static struct block *
4662 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4663 int proto, int dir, int type)
4665 struct block *b0, *b1;
4666 const char *typestr;
4676 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4678 * Only check for non-IPv4 addresses if we're not
4679 * checking MPLS-encapsulated packets.
4681 if (cstate->label_stack_depth == 0) {
4682 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4684 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4690 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4693 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4696 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4699 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4702 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4705 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4708 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4711 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4714 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4717 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4720 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4723 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4726 bpf_error(cstate, "ATALK host filtering not implemented");
4729 bpf_error(cstate, "AARP host filtering not implemented");
4732 return gen_dnhostop(cstate, addr, dir);
4735 bpf_error(cstate, "SCA host filtering not implemented");
4738 bpf_error(cstate, "LAT host filtering not implemented");
4741 bpf_error(cstate, "MOPDL host filtering not implemented");
4744 bpf_error(cstate, "MOPRC host filtering not implemented");
4747 bpf_error(cstate, "'ip6' modifier applied to ip host");
4750 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4753 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4756 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4759 bpf_error(cstate, "ISO host filtering not implemented");
4762 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4765 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4768 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4771 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4774 bpf_error(cstate, "IPX host filtering not implemented");
4777 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4780 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4789 static struct block *
4790 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
4791 struct in6_addr *mask, int proto, int dir, int type)
4793 const char *typestr;
4803 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
4806 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
4809 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
4812 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
4815 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
4818 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4821 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4824 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4827 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4830 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4833 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4836 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4839 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4842 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4845 bpf_error(cstate, "ATALK host filtering not implemented");
4848 bpf_error(cstate, "AARP host filtering not implemented");
4851 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
4854 bpf_error(cstate, "SCA host filtering not implemented");
4857 bpf_error(cstate, "LAT host filtering not implemented");
4860 bpf_error(cstate, "MOPDL host filtering not implemented");
4863 bpf_error(cstate, "MOPRC host filtering not implemented");
4866 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4869 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4872 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4875 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4878 bpf_error(cstate, "ISO host filtering not implemented");
4881 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4884 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4887 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4890 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4893 bpf_error(cstate, "IPX host filtering not implemented");
4896 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4899 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4909 static struct block *
4910 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, bpf_u_int32 **alist,
4913 struct block *b0, *b1, *tmp;
4916 bpf_error(cstate, "direction applied to 'gateway'");
4923 switch (cstate->linktype) {
4925 case DLT_NETANALYZER:
4926 case DLT_NETANALYZER_TRANSPARENT:
4927 b1 = gen_prevlinkhdr_check(cstate);
4928 b0 = gen_ehostop(cstate, eaddr, Q_OR);
4933 b0 = gen_fhostop(cstate, eaddr, Q_OR);
4936 b0 = gen_thostop(cstate, eaddr, Q_OR);
4938 case DLT_IEEE802_11:
4939 case DLT_PRISM_HEADER:
4940 case DLT_IEEE802_11_RADIO_AVS:
4941 case DLT_IEEE802_11_RADIO:
4943 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
4947 * This is LLC-multiplexed traffic; if it were
4948 * LANE, cstate->linktype would have been set to
4952 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4954 case DLT_IP_OVER_FC:
4955 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
4959 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4961 b1 = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4963 tmp = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR,
4972 bpf_error(cstate, "illegal modifier of 'gateway'");
4978 gen_proto_abbrev(compiler_state_t *cstate, int proto)
4986 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4987 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4992 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
4993 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4998 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
4999 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5004 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5007 #ifndef IPPROTO_IGMP
5008 #define IPPROTO_IGMP 2
5012 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5015 #ifndef IPPROTO_IGRP
5016 #define IPPROTO_IGRP 9
5019 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5023 #define IPPROTO_PIM 103
5027 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5028 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5032 #ifndef IPPROTO_VRRP
5033 #define IPPROTO_VRRP 112
5037 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5040 #ifndef IPPROTO_CARP
5041 #define IPPROTO_CARP 112
5045 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5049 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5053 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5057 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5061 bpf_error(cstate, "link layer applied in wrong context");
5064 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5068 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5072 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5076 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5080 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5084 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5088 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5092 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5095 #ifndef IPPROTO_ICMPV6
5096 #define IPPROTO_ICMPV6 58
5099 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5103 #define IPPROTO_AH 51
5106 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5107 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5112 #define IPPROTO_ESP 50
5115 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5116 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5121 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5125 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5129 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5132 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5133 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5134 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5136 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5138 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5140 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5144 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5145 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5146 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5148 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5150 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5152 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5156 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5157 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5158 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5160 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5165 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5166 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5171 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5172 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5174 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5176 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5181 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5182 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5187 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5188 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5193 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5197 b1 = gen_linktype(cstate, LLCSAP_8021D);
5201 b1 = gen_linktype(cstate, LLCSAP_IPX);
5205 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5209 bpf_error(cstate, "'radio' is not a valid protocol type");
5217 static struct block *
5218 gen_ipfrag(compiler_state_t *cstate)
5223 /* not IPv4 frag other than the first frag */
5224 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5225 b = new_block(cstate, JMP(BPF_JSET));
5234 * Generate a comparison to a port value in the transport-layer header
5235 * at the specified offset from the beginning of that header.
5237 * XXX - this handles a variable-length prefix preceding the link-layer
5238 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5239 * variable-length link-layer headers (such as Token Ring or 802.11
5242 static struct block *
5243 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v)
5245 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5248 static struct block *
5249 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v)
5251 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5255 gen_portop(compiler_state_t *cstate, int port, int proto, int dir)
5257 struct block *b0, *b1, *tmp;
5259 /* ip proto 'proto' and not a fragment other than the first fragment */
5260 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5261 b0 = gen_ipfrag(cstate);
5266 b1 = gen_portatom(cstate, 0, (bpf_int32)port);
5270 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5275 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5276 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5281 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5282 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5294 static struct block *
5295 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir)
5297 struct block *b0, *b1, *tmp;
5302 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5303 * not LLC encapsulation with LLCSAP_IP.
5305 * For IEEE 802 networks - which includes 802.5 token ring
5306 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5307 * says that SNAP encapsulation is used, not LLC encapsulation
5310 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5311 * RFC 2225 say that SNAP encapsulation is used, not LLC
5312 * encapsulation with LLCSAP_IP.
5314 * So we always check for ETHERTYPE_IP.
5316 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5322 b1 = gen_portop(cstate, port, ip_proto, dir);
5326 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5327 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5329 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5341 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir)
5343 struct block *b0, *b1, *tmp;
5345 /* ip6 proto 'proto' */
5346 /* XXX - catch the first fragment of a fragmented packet? */
5347 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5351 b1 = gen_portatom6(cstate, 0, (bpf_int32)port);
5355 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5360 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5361 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5366 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5367 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5379 static struct block *
5380 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir)
5382 struct block *b0, *b1, *tmp;
5384 /* link proto ip6 */
5385 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5391 b1 = gen_portop6(cstate, port, ip_proto, dir);
5395 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5396 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5398 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5409 /* gen_portrange code */
5410 static struct block *
5411 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1,
5414 struct block *b1, *b2;
5418 * Reverse the order of the ports, so v1 is the lower one.
5427 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5428 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5436 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto,
5439 struct block *b0, *b1, *tmp;
5441 /* ip proto 'proto' and not a fragment other than the first fragment */
5442 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5443 b0 = gen_ipfrag(cstate);
5448 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5452 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5457 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5458 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5463 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5464 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5476 static struct block *
5477 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5480 struct block *b0, *b1, *tmp;
5483 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5489 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir);
5493 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5494 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5496 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5507 static struct block *
5508 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1,
5511 struct block *b1, *b2;
5515 * Reverse the order of the ports, so v1 is the lower one.
5524 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5525 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5533 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto,
5536 struct block *b0, *b1, *tmp;
5538 /* ip6 proto 'proto' */
5539 /* XXX - catch the first fragment of a fragmented packet? */
5540 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5544 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5548 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5553 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5554 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5559 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5560 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5572 static struct block *
5573 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5576 struct block *b0, *b1, *tmp;
5578 /* link proto ip6 */
5579 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5585 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir);
5589 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5590 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5592 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5604 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5613 v = pcap_nametoproto(name);
5614 if (v == PROTO_UNDEF)
5615 bpf_error(cstate, "unknown ip proto '%s'", name);
5619 /* XXX should look up h/w protocol type based on cstate->linktype */
5620 v = pcap_nametoeproto(name);
5621 if (v == PROTO_UNDEF) {
5622 v = pcap_nametollc(name);
5623 if (v == PROTO_UNDEF)
5624 bpf_error(cstate, "unknown ether proto '%s'", name);
5629 if (strcmp(name, "esis") == 0)
5631 else if (strcmp(name, "isis") == 0)
5633 else if (strcmp(name, "clnp") == 0)
5636 bpf_error(cstate, "unknown osi proto '%s'", name);
5656 static struct block *
5657 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir)
5659 #ifdef NO_PROTOCHAIN
5660 return gen_proto(cstate, v, proto, dir);
5662 struct block *b0, *b;
5663 struct slist *s[100];
5664 int fix2, fix3, fix4, fix5;
5665 int ahcheck, again, end;
5667 int reg2 = alloc_reg(cstate);
5669 memset(s, 0, sizeof(s));
5670 fix3 = fix4 = fix5 = 0;
5677 b0 = gen_protochain(cstate, v, Q_IP, dir);
5678 b = gen_protochain(cstate, v, Q_IPV6, dir);
5682 bpf_error(cstate, "bad protocol applied for 'protochain'");
5687 * We don't handle variable-length prefixes before the link-layer
5688 * header, or variable-length link-layer headers, here yet.
5689 * We might want to add BPF instructions to do the protochain
5690 * work, to simplify that and, on platforms that have a BPF
5691 * interpreter with the new instructions, let the filtering
5692 * be done in the kernel. (We already require a modified BPF
5693 * engine to do the protochain stuff, to support backward
5694 * branches, and backward branch support is unlikely to appear
5695 * in kernel BPF engines.)
5697 if (cstate->off_linkpl.is_variable)
5698 bpf_error(cstate, "'protochain' not supported with variable length headers");
5700 cstate->no_optimize = 1; /*this code is not compatible with optimzer yet */
5703 * s[0] is a dummy entry to protect other BPF insn from damage
5704 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5705 * hard to find interdependency made by jump table fixup.
5708 s[i] = new_stmt(cstate, 0); /*dummy*/
5713 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5716 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5717 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
5719 /* X = ip->ip_hl << 2 */
5720 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
5721 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5726 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5728 /* A = ip6->ip_nxt */
5729 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5730 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
5732 /* X = sizeof(struct ip6_hdr) */
5733 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
5739 bpf_error(cstate, "unsupported proto to gen_protochain");
5743 /* again: if (A == v) goto end; else fall through; */
5745 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5747 s[i]->s.jt = NULL; /*later*/
5748 s[i]->s.jf = NULL; /*update in next stmt*/
5752 #ifndef IPPROTO_NONE
5753 #define IPPROTO_NONE 59
5755 /* if (A == IPPROTO_NONE) goto end */
5756 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5757 s[i]->s.jt = NULL; /*later*/
5758 s[i]->s.jf = NULL; /*update in next stmt*/
5759 s[i]->s.k = IPPROTO_NONE;
5760 s[fix5]->s.jf = s[i];
5764 if (proto == Q_IPV6) {
5765 int v6start, v6end, v6advance, j;
5768 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5769 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5770 s[i]->s.jt = NULL; /*later*/
5771 s[i]->s.jf = NULL; /*update in next stmt*/
5772 s[i]->s.k = IPPROTO_HOPOPTS;
5773 s[fix2]->s.jf = s[i];
5775 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5776 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5777 s[i]->s.jt = NULL; /*later*/
5778 s[i]->s.jf = NULL; /*update in next stmt*/
5779 s[i]->s.k = IPPROTO_DSTOPTS;
5781 /* if (A == IPPROTO_ROUTING) goto v6advance */
5782 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5783 s[i]->s.jt = NULL; /*later*/
5784 s[i]->s.jf = NULL; /*update in next stmt*/
5785 s[i]->s.k = IPPROTO_ROUTING;
5787 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5788 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5789 s[i]->s.jt = NULL; /*later*/
5790 s[i]->s.jf = NULL; /*later*/
5791 s[i]->s.k = IPPROTO_FRAGMENT;
5801 * A = P[X + packet head];
5802 * X = X + (P[X + packet head + 1] + 1) * 8;
5804 /* A = P[X + packet head] */
5805 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5806 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5809 s[i] = new_stmt(cstate, BPF_ST);
5812 /* A = P[X + packet head + 1]; */
5813 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5814 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
5817 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5821 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
5825 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
5829 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5832 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
5836 /* goto again; (must use BPF_JA for backward jump) */
5837 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
5838 s[i]->s.k = again - i - 1;
5839 s[i - 1]->s.jf = s[i];
5843 for (j = v6start; j <= v6end; j++)
5844 s[j]->s.jt = s[v6advance];
5847 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5849 s[fix2]->s.jf = s[i];
5855 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5856 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5857 s[i]->s.jt = NULL; /*later*/
5858 s[i]->s.jf = NULL; /*later*/
5859 s[i]->s.k = IPPROTO_AH;
5861 s[fix3]->s.jf = s[ahcheck];
5868 * X = X + (P[X + 1] + 2) * 4;
5871 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
5873 /* A = P[X + packet head]; */
5874 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5875 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5878 s[i] = new_stmt(cstate, BPF_ST);
5882 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
5885 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5889 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5891 /* A = P[X + packet head] */
5892 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5893 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5896 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5900 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
5904 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5907 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
5911 /* goto again; (must use BPF_JA for backward jump) */
5912 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
5913 s[i]->s.k = again - i - 1;
5918 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5920 s[fix2]->s.jt = s[end];
5921 s[fix4]->s.jf = s[end];
5922 s[fix5]->s.jt = s[end];
5929 for (i = 0; i < max - 1; i++)
5930 s[i]->next = s[i + 1];
5931 s[max - 1]->next = NULL;
5936 b = new_block(cstate, JMP(BPF_JEQ));
5937 b->stmts = s[1]; /*remember, s[0] is dummy*/
5940 free_reg(cstate, reg2);
5947 static struct block *
5948 gen_check_802_11_data_frame(compiler_state_t *cstate)
5951 struct block *b0, *b1;
5954 * A data frame has the 0x08 bit (b3) in the frame control field set
5955 * and the 0x04 bit (b2) clear.
5957 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
5958 b0 = new_block(cstate, JMP(BPF_JSET));
5962 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
5963 b1 = new_block(cstate, JMP(BPF_JSET));
5974 * Generate code that checks whether the packet is a packet for protocol
5975 * <proto> and whether the type field in that protocol's header has
5976 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5977 * IP packet and checks the protocol number in the IP header against <v>.
5979 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5980 * against Q_IP and Q_IPV6.
5982 static struct block *
5983 gen_proto(compiler_state_t *cstate, int v, int proto, int dir)
5985 struct block *b0, *b1;
5990 if (dir != Q_DEFAULT)
5991 bpf_error(cstate, "direction applied to 'proto'");
5995 b0 = gen_proto(cstate, v, Q_IP, dir);
5996 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6002 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6003 * not LLC encapsulation with LLCSAP_IP.
6005 * For IEEE 802 networks - which includes 802.5 token ring
6006 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6007 * says that SNAP encapsulation is used, not LLC encapsulation
6010 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6011 * RFC 2225 say that SNAP encapsulation is used, not LLC
6012 * encapsulation with LLCSAP_IP.
6014 * So we always check for ETHERTYPE_IP.
6016 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6018 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v);
6020 b1 = gen_protochain(cstate, v, Q_IP);
6026 switch (cstate->linktype) {
6030 * Frame Relay packets typically have an OSI
6031 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6032 * generates code to check for all the OSI
6033 * NLPIDs, so calling it and then adding a check
6034 * for the particular NLPID for which we're
6035 * looking is bogus, as we can just check for
6038 * What we check for is the NLPID and a frame
6039 * control field value of UI, i.e. 0x03 followed
6042 * XXX - assumes a 2-byte Frame Relay header with
6043 * DLCI and flags. What if the address is longer?
6045 * XXX - what about SNAP-encapsulated frames?
6047 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6053 * Cisco uses an Ethertype lookalike - for OSI,
6056 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6057 /* OSI in C-HDLC is stuffed with a fudge byte */
6058 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6063 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6064 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6070 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6072 * 4 is the offset of the PDU type relative to the IS-IS
6075 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6080 bpf_error(cstate, "arp does not encapsulate another protocol");
6084 bpf_error(cstate, "rarp does not encapsulate another protocol");
6088 bpf_error(cstate, "atalk encapsulation is not specifiable");
6092 bpf_error(cstate, "decnet encapsulation is not specifiable");
6096 bpf_error(cstate, "sca does not encapsulate another protocol");
6100 bpf_error(cstate, "lat does not encapsulate another protocol");
6104 bpf_error(cstate, "moprc does not encapsulate another protocol");
6108 bpf_error(cstate, "mopdl does not encapsulate another protocol");
6112 return gen_linktype(cstate, v);
6115 bpf_error(cstate, "'udp proto' is bogus");
6119 bpf_error(cstate, "'tcp proto' is bogus");
6123 bpf_error(cstate, "'sctp proto' is bogus");
6127 bpf_error(cstate, "'icmp proto' is bogus");
6131 bpf_error(cstate, "'igmp proto' is bogus");
6135 bpf_error(cstate, "'igrp proto' is bogus");
6139 bpf_error(cstate, "'pim proto' is bogus");
6143 bpf_error(cstate, "'vrrp proto' is bogus");
6147 bpf_error(cstate, "'carp proto' is bogus");
6151 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6154 * Also check for a fragment header before the final
6157 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6158 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6160 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6163 b1 = gen_protochain(cstate, v, Q_IPV6);
6169 bpf_error(cstate, "'icmp6 proto' is bogus");
6172 bpf_error(cstate, "'ah proto' is bogus");
6175 bpf_error(cstate, "'ah proto' is bogus");
6178 bpf_error(cstate, "'stp proto' is bogus");
6181 bpf_error(cstate, "'ipx proto' is bogus");
6184 bpf_error(cstate, "'netbeui proto' is bogus");
6187 bpf_error(cstate, "'radio proto' is bogus");
6197 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6199 int proto = q.proto;
6203 bpf_u_int32 mask, addr;
6205 bpf_u_int32 **alist;
6208 struct sockaddr_in *sin4;
6209 struct sockaddr_in6 *sin6;
6210 struct addrinfo *res, *res0;
6211 struct in6_addr mask128;
6213 struct block *b, *tmp;
6214 int port, real_proto;
6220 addr = pcap_nametonetaddr(name);
6222 bpf_error(cstate, "unknown network '%s'", name);
6223 /* Left justify network addr and calculate its network mask */
6225 while (addr && (addr & 0xff000000) == 0) {
6229 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6233 if (proto == Q_LINK) {
6234 switch (cstate->linktype) {
6237 case DLT_NETANALYZER:
6238 case DLT_NETANALYZER_TRANSPARENT:
6239 eaddr = pcap_ether_hostton(name);
6242 "unknown ether host '%s'", name);
6243 tmp = gen_prevlinkhdr_check(cstate);
6244 b = gen_ehostop(cstate, eaddr, dir);
6251 eaddr = pcap_ether_hostton(name);
6254 "unknown FDDI host '%s'", name);
6255 b = gen_fhostop(cstate, eaddr, dir);
6260 eaddr = pcap_ether_hostton(name);
6263 "unknown token ring host '%s'", name);
6264 b = gen_thostop(cstate, eaddr, dir);
6268 case DLT_IEEE802_11:
6269 case DLT_PRISM_HEADER:
6270 case DLT_IEEE802_11_RADIO_AVS:
6271 case DLT_IEEE802_11_RADIO:
6273 eaddr = pcap_ether_hostton(name);
6276 "unknown 802.11 host '%s'", name);
6277 b = gen_wlanhostop(cstate, eaddr, dir);
6281 case DLT_IP_OVER_FC:
6282 eaddr = pcap_ether_hostton(name);
6285 "unknown Fibre Channel host '%s'", name);
6286 b = gen_ipfchostop(cstate, eaddr, dir);
6291 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6292 } else if (proto == Q_DECNET) {
6293 unsigned short dn_addr;
6295 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6297 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6299 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6304 * I don't think DECNET hosts can be multihomed, so
6305 * there is no need to build up a list of addresses
6307 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6310 alist = pcap_nametoaddr(name);
6311 if (alist == NULL || *alist == NULL)
6312 bpf_error(cstate, "unknown host '%s'", name);
6314 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6315 tproto == Q_DEFAULT)
6317 b = gen_host(cstate, **alist++, 0xffffffff, tproto, dir, q.addr);
6319 tmp = gen_host(cstate, **alist++, 0xffffffff,
6320 tproto, dir, q.addr);
6326 memset(&mask128, 0xff, sizeof(mask128));
6327 res0 = res = pcap_nametoaddrinfo(name);
6329 bpf_error(cstate, "unknown host '%s'", name);
6332 tproto = tproto6 = proto;
6333 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6334 tproto == Q_DEFAULT) {
6338 for (res = res0; res; res = res->ai_next) {
6339 switch (res->ai_family) {
6341 if (tproto == Q_IPV6)
6344 sin4 = (struct sockaddr_in *)
6346 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6347 0xffffffff, tproto, dir, q.addr);
6350 if (tproto6 == Q_IP)
6353 sin6 = (struct sockaddr_in6 *)
6355 tmp = gen_host6(cstate, &sin6->sin6_addr,
6356 &mask128, tproto6, dir, q.addr);
6368 bpf_error(cstate, "unknown host '%s'%s", name,
6369 (proto == Q_DEFAULT)
6371 : " for specified address family");
6378 if (proto != Q_DEFAULT &&
6379 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6380 bpf_error(cstate, "illegal qualifier of 'port'");
6381 if (pcap_nametoport(name, &port, &real_proto) == 0)
6382 bpf_error(cstate, "unknown port '%s'", name);
6383 if (proto == Q_UDP) {
6384 if (real_proto == IPPROTO_TCP)
6385 bpf_error(cstate, "port '%s' is tcp", name);
6386 else if (real_proto == IPPROTO_SCTP)
6387 bpf_error(cstate, "port '%s' is sctp", name);
6389 /* override PROTO_UNDEF */
6390 real_proto = IPPROTO_UDP;
6392 if (proto == Q_TCP) {
6393 if (real_proto == IPPROTO_UDP)
6394 bpf_error(cstate, "port '%s' is udp", name);
6396 else if (real_proto == IPPROTO_SCTP)
6397 bpf_error(cstate, "port '%s' is sctp", name);
6399 /* override PROTO_UNDEF */
6400 real_proto = IPPROTO_TCP;
6402 if (proto == Q_SCTP) {
6403 if (real_proto == IPPROTO_UDP)
6404 bpf_error(cstate, "port '%s' is udp", name);
6406 else if (real_proto == IPPROTO_TCP)
6407 bpf_error(cstate, "port '%s' is tcp", name);
6409 /* override PROTO_UNDEF */
6410 real_proto = IPPROTO_SCTP;
6413 bpf_error(cstate, "illegal port number %d < 0", port);
6415 bpf_error(cstate, "illegal port number %d > 65535", port);
6416 b = gen_port(cstate, port, real_proto, dir);
6417 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6421 if (proto != Q_DEFAULT &&
6422 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6423 bpf_error(cstate, "illegal qualifier of 'portrange'");
6424 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6425 bpf_error(cstate, "unknown port in range '%s'", name);
6426 if (proto == Q_UDP) {
6427 if (real_proto == IPPROTO_TCP)
6428 bpf_error(cstate, "port in range '%s' is tcp", name);
6429 else if (real_proto == IPPROTO_SCTP)
6430 bpf_error(cstate, "port in range '%s' is sctp", name);
6432 /* override PROTO_UNDEF */
6433 real_proto = IPPROTO_UDP;
6435 if (proto == Q_TCP) {
6436 if (real_proto == IPPROTO_UDP)
6437 bpf_error(cstate, "port in range '%s' is udp", name);
6438 else if (real_proto == IPPROTO_SCTP)
6439 bpf_error(cstate, "port in range '%s' is sctp", name);
6441 /* override PROTO_UNDEF */
6442 real_proto = IPPROTO_TCP;
6444 if (proto == Q_SCTP) {
6445 if (real_proto == IPPROTO_UDP)
6446 bpf_error(cstate, "port in range '%s' is udp", name);
6447 else if (real_proto == IPPROTO_TCP)
6448 bpf_error(cstate, "port in range '%s' is tcp", name);
6450 /* override PROTO_UNDEF */
6451 real_proto = IPPROTO_SCTP;
6454 bpf_error(cstate, "illegal port number %d < 0", port1);
6456 bpf_error(cstate, "illegal port number %d > 65535", port1);
6458 bpf_error(cstate, "illegal port number %d < 0", port2);
6460 bpf_error(cstate, "illegal port number %d > 65535", port2);
6462 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6463 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6468 eaddr = pcap_ether_hostton(name);
6470 bpf_error(cstate, "unknown ether host: %s", name);
6472 alist = pcap_nametoaddr(name);
6473 if (alist == NULL || *alist == NULL)
6474 bpf_error(cstate, "unknown host '%s'", name);
6475 b = gen_gateway(cstate, eaddr, alist, proto, dir);
6479 bpf_error(cstate, "'gateway' not supported in this configuration");
6483 real_proto = lookup_proto(cstate, name, proto);
6484 if (real_proto >= 0)
6485 return gen_proto(cstate, real_proto, proto, dir);
6487 bpf_error(cstate, "unknown protocol: %s", name);
6490 real_proto = lookup_proto(cstate, name, proto);
6491 if (real_proto >= 0)
6492 return gen_protochain(cstate, real_proto, proto, dir);
6494 bpf_error(cstate, "unknown protocol: %s", name);
6505 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6506 unsigned int masklen, struct qual q)
6508 register int nlen, mlen;
6511 nlen = __pcap_atoin(s1, &n);
6512 /* Promote short ipaddr */
6516 mlen = __pcap_atoin(s2, &m);
6517 /* Promote short ipaddr */
6520 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6523 /* Convert mask len to mask */
6525 bpf_error(cstate, "mask length must be <= 32");
6528 * X << 32 is not guaranteed by C to be 0; it's
6533 m = 0xffffffff << (32 - masklen);
6535 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6542 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6545 bpf_error(cstate, "Mask syntax for networks only");
6553 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
6556 int proto = q.proto;
6562 else if (q.proto == Q_DECNET) {
6563 vlen = __pcap_atodn(s, &v);
6565 bpf_error(cstate, "malformed decnet address '%s'", s);
6567 vlen = __pcap_atoin(s, &v);
6574 if (proto == Q_DECNET)
6575 return gen_host(cstate, v, 0, proto, dir, q.addr);
6576 else if (proto == Q_LINK) {
6577 bpf_error(cstate, "illegal link layer address");
6580 if (s == NULL && q.addr == Q_NET) {
6581 /* Promote short net number */
6582 while (v && (v & 0xff000000) == 0) {
6587 /* Promote short ipaddr */
6589 mask <<= 32 - vlen ;
6591 return gen_host(cstate, v, mask, proto, dir, q.addr);
6596 proto = IPPROTO_UDP;
6597 else if (proto == Q_TCP)
6598 proto = IPPROTO_TCP;
6599 else if (proto == Q_SCTP)
6600 proto = IPPROTO_SCTP;
6601 else if (proto == Q_DEFAULT)
6602 proto = PROTO_UNDEF;
6604 bpf_error(cstate, "illegal qualifier of 'port'");
6607 bpf_error(cstate, "illegal port number %u > 65535", v);
6611 b = gen_port(cstate, (int)v, proto, dir);
6612 gen_or(gen_port6(cstate, (int)v, proto, dir), b);
6618 proto = IPPROTO_UDP;
6619 else if (proto == Q_TCP)
6620 proto = IPPROTO_TCP;
6621 else if (proto == Q_SCTP)
6622 proto = IPPROTO_SCTP;
6623 else if (proto == Q_DEFAULT)
6624 proto = PROTO_UNDEF;
6626 bpf_error(cstate, "illegal qualifier of 'portrange'");
6629 bpf_error(cstate, "illegal port number %u > 65535", v);
6633 b = gen_portrange(cstate, (int)v, (int)v, proto, dir);
6634 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b);
6639 bpf_error(cstate, "'gateway' requires a name");
6643 return gen_proto(cstate, (int)v, proto, dir);
6646 return gen_protochain(cstate, (int)v, proto, dir);
6661 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
6662 unsigned int masklen, struct qual q)
6664 struct addrinfo *res;
6665 struct in6_addr *addr;
6666 struct in6_addr mask;
6671 bpf_error(cstate, "no mask %s supported", s2);
6673 res = pcap_nametoaddrinfo(s1);
6675 bpf_error(cstate, "invalid ip6 address %s", s1);
6678 bpf_error(cstate, "%s resolved to multiple address", s1);
6679 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6681 if (sizeof(mask) * 8 < masklen)
6682 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6683 memset(&mask, 0, sizeof(mask));
6684 memset(&mask, 0xff, masklen / 8);
6686 mask.s6_addr[masklen / 8] =
6687 (0xff << (8 - masklen % 8)) & 0xff;
6690 a = (u_int32_t *)addr;
6691 m = (u_int32_t *)&mask;
6692 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6693 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6694 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
6702 bpf_error(cstate, "Mask syntax for networks only");
6706 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
6712 bpf_error(cstate, "invalid qualifier against IPv6 address");
6720 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
6722 struct block *b, *tmp;
6724 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6725 switch (cstate->linktype) {
6727 case DLT_NETANALYZER:
6728 case DLT_NETANALYZER_TRANSPARENT:
6729 tmp = gen_prevlinkhdr_check(cstate);
6730 b = gen_ehostop(cstate, eaddr, (int)q.dir);
6735 return gen_fhostop(cstate, eaddr, (int)q.dir);
6737 return gen_thostop(cstate, eaddr, (int)q.dir);
6738 case DLT_IEEE802_11:
6739 case DLT_PRISM_HEADER:
6740 case DLT_IEEE802_11_RADIO_AVS:
6741 case DLT_IEEE802_11_RADIO:
6743 return gen_wlanhostop(cstate, eaddr, (int)q.dir);
6744 case DLT_IP_OVER_FC:
6745 return gen_ipfchostop(cstate, eaddr, (int)q.dir);
6747 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6751 bpf_error(cstate, "ethernet address used in non-ether expression");
6758 struct slist *s0, *s1;
6761 * This is definitely not the best way to do this, but the
6762 * lists will rarely get long.
6769 static struct slist *
6770 xfer_to_x(compiler_state_t *cstate, struct arth *a)
6774 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
6779 static struct slist *
6780 xfer_to_a(compiler_state_t *cstate, struct arth *a)
6784 s = new_stmt(cstate, BPF_LD|BPF_MEM);
6790 * Modify "index" to use the value stored into its register as an
6791 * offset relative to the beginning of the header for the protocol
6792 * "proto", and allocate a register and put an item "size" bytes long
6793 * (1, 2, or 4) at that offset into that register, making it the register
6797 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size)
6799 struct slist *s, *tmp;
6801 int regno = alloc_reg(cstate);
6803 free_reg(cstate, inst->regno);
6807 bpf_error(cstate, "data size must be 1, 2, or 4");
6823 bpf_error(cstate, "unsupported index operation");
6827 * The offset is relative to the beginning of the packet
6828 * data, if we have a radio header. (If we don't, this
6831 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
6832 cstate->linktype != DLT_IEEE802_11_RADIO &&
6833 cstate->linktype != DLT_PRISM_HEADER)
6834 bpf_error(cstate, "radio information not present in capture");
6837 * Load into the X register the offset computed into the
6838 * register specified by "index".
6840 s = xfer_to_x(cstate, inst);
6843 * Load the item at that offset.
6845 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6847 sappend(inst->s, s);
6852 * The offset is relative to the beginning of
6853 * the link-layer header.
6855 * XXX - what about ATM LANE? Should the index be
6856 * relative to the beginning of the AAL5 frame, so
6857 * that 0 refers to the beginning of the LE Control
6858 * field, or relative to the beginning of the LAN
6859 * frame, so that 0 refers, for Ethernet LANE, to
6860 * the beginning of the destination address?
6862 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
6865 * If "s" is non-null, it has code to arrange that the
6866 * X register contains the length of the prefix preceding
6867 * the link-layer header. Add to it the offset computed
6868 * into the register specified by "index", and move that
6869 * into the X register. Otherwise, just load into the X
6870 * register the offset computed into the register specified
6874 sappend(s, xfer_to_a(cstate, inst));
6875 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6876 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6878 s = xfer_to_x(cstate, inst);
6881 * Load the item at the sum of the offset we've put in the
6882 * X register and the offset of the start of the link
6883 * layer header (which is 0 if the radio header is
6884 * variable-length; that header length is what we put
6885 * into the X register and then added to the index).
6887 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6888 tmp->s.k = cstate->off_linkhdr.constant_part;
6890 sappend(inst->s, s);
6904 * The offset is relative to the beginning of
6905 * the network-layer header.
6906 * XXX - are there any cases where we want
6907 * cstate->off_nl_nosnap?
6909 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
6912 * If "s" is non-null, it has code to arrange that the
6913 * X register contains the variable part of the offset
6914 * of the link-layer payload. Add to it the offset
6915 * computed into the register specified by "index",
6916 * and move that into the X register. Otherwise, just
6917 * load into the X register the offset computed into
6918 * the register specified by "index".
6921 sappend(s, xfer_to_a(cstate, inst));
6922 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6923 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6925 s = xfer_to_x(cstate, inst);
6928 * Load the item at the sum of the offset we've put in the
6929 * X register, the offset of the start of the network
6930 * layer header from the beginning of the link-layer
6931 * payload, and the constant part of the offset of the
6932 * start of the link-layer payload.
6934 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6935 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6937 sappend(inst->s, s);
6940 * Do the computation only if the packet contains
6941 * the protocol in question.
6943 b = gen_proto_abbrev(cstate, proto);
6945 gen_and(inst->b, b);
6959 * The offset is relative to the beginning of
6960 * the transport-layer header.
6962 * Load the X register with the length of the IPv4 header
6963 * (plus the offset of the link-layer header, if it's
6964 * a variable-length header), in bytes.
6966 * XXX - are there any cases where we want
6967 * cstate->off_nl_nosnap?
6968 * XXX - we should, if we're built with
6969 * IPv6 support, generate code to load either
6970 * IPv4, IPv6, or both, as appropriate.
6972 s = gen_loadx_iphdrlen(cstate);
6975 * The X register now contains the sum of the variable
6976 * part of the offset of the link-layer payload and the
6977 * length of the network-layer header.
6979 * Load into the A register the offset relative to
6980 * the beginning of the transport layer header,
6981 * add the X register to that, move that to the
6982 * X register, and load with an offset from the
6983 * X register equal to the sum of the constant part of
6984 * the offset of the link-layer payload and the offset,
6985 * relative to the beginning of the link-layer payload,
6986 * of the network-layer header.
6988 sappend(s, xfer_to_a(cstate, inst));
6989 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6990 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6991 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size));
6992 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6993 sappend(inst->s, s);
6996 * Do the computation only if the packet contains
6997 * the protocol in question - which is true only
6998 * if this is an IP datagram and is the first or
6999 * only fragment of that datagram.
7001 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate));
7003 gen_and(inst->b, b);
7004 gen_and(gen_proto_abbrev(cstate, Q_IP), b);
7008 bpf_error(cstate, "IPv6 upper-layer protocol is not supported by proto[x]");
7011 inst->regno = regno;
7012 s = new_stmt(cstate, BPF_ST);
7014 sappend(inst->s, s);
7020 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7021 struct arth *a1, int reversed)
7023 struct slist *s0, *s1, *s2;
7024 struct block *b, *tmp;
7026 s0 = xfer_to_x(cstate, a1);
7027 s1 = xfer_to_a(cstate, a0);
7028 if (code == BPF_JEQ) {
7029 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7030 b = new_block(cstate, JMP(code));
7034 b = new_block(cstate, BPF_JMP|code|BPF_X);
7040 sappend(a0->s, a1->s);
7044 free_reg(cstate, a0->regno);
7045 free_reg(cstate, a1->regno);
7047 /* 'and' together protocol checks */
7050 gen_and(a0->b, tmp = a1->b);
7064 gen_loadlen(compiler_state_t *cstate)
7066 int regno = alloc_reg(cstate);
7067 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a));
7070 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7071 s->next = new_stmt(cstate, BPF_ST);
7072 s->next->s.k = regno;
7080 gen_loadi(compiler_state_t *cstate, int val)
7086 a = (struct arth *)newchunk(cstate, sizeof(*a));
7088 reg = alloc_reg(cstate);
7090 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7092 s->next = new_stmt(cstate, BPF_ST);
7101 gen_neg(compiler_state_t *cstate, struct arth *a)
7105 s = xfer_to_a(cstate, a);
7107 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7110 s = new_stmt(cstate, BPF_ST);
7118 gen_arth(compiler_state_t *cstate, int code, struct arth *a0,
7121 struct slist *s0, *s1, *s2;
7124 * Disallow division by, or modulus by, zero; we do this here
7125 * so that it gets done even if the optimizer is disabled.
7127 if (code == BPF_DIV) {
7128 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7129 bpf_error(cstate, "division by zero");
7130 } else if (code == BPF_MOD) {
7131 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7132 bpf_error(cstate, "modulus by zero");
7134 s0 = xfer_to_x(cstate, a1);
7135 s1 = xfer_to_a(cstate, a0);
7136 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7141 sappend(a0->s, a1->s);
7143 free_reg(cstate, a0->regno);
7144 free_reg(cstate, a1->regno);
7146 s0 = new_stmt(cstate, BPF_ST);
7147 a0->regno = s0->s.k = alloc_reg(cstate);
7154 * Initialize the table of used registers and the current register.
7157 init_regs(compiler_state_t *cstate)
7160 memset(cstate->regused, 0, sizeof cstate->regused);
7164 * Return the next free register.
7167 alloc_reg(compiler_state_t *cstate)
7169 int n = BPF_MEMWORDS;
7172 if (cstate->regused[cstate->curreg])
7173 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7175 cstate->regused[cstate->curreg] = 1;
7176 return cstate->curreg;
7179 bpf_error(cstate, "too many registers needed to evaluate expression");
7185 * Return a register to the table so it can
7189 free_reg(compiler_state_t *cstate, int n)
7191 cstate->regused[n] = 0;
7194 static struct block *
7195 gen_len(compiler_state_t *cstate, int jmp, int n)
7200 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7201 b = new_block(cstate, JMP(jmp));
7209 gen_greater(compiler_state_t *cstate, int n)
7211 return gen_len(cstate, BPF_JGE, n);
7215 * Actually, this is less than or equal.
7218 gen_less(compiler_state_t *cstate, int n)
7222 b = gen_len(cstate, BPF_JGT, n);
7229 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7230 * the beginning of the link-layer header.
7231 * XXX - that means you can't test values in the radiotap header, but
7232 * as that header is difficult if not impossible to parse generally
7233 * without a loop, that might not be a severe problem. A new keyword
7234 * "radio" could be added for that, although what you'd really want
7235 * would be a way of testing particular radio header values, which
7236 * would generate code appropriate to the radio header in question.
7239 gen_byteop(compiler_state_t *cstate, int op, int idx, int val)
7249 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7252 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7256 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7260 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7264 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7268 b = new_block(cstate, JMP(BPF_JEQ));
7275 static const u_char abroadcast[] = { 0x0 };
7278 gen_broadcast(compiler_state_t *cstate, int proto)
7280 bpf_u_int32 hostmask;
7281 struct block *b0, *b1, *b2;
7282 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7288 switch (cstate->linktype) {
7290 case DLT_ARCNET_LINUX:
7291 return gen_ahostop(cstate, abroadcast, Q_DST);
7293 case DLT_NETANALYZER:
7294 case DLT_NETANALYZER_TRANSPARENT:
7295 b1 = gen_prevlinkhdr_check(cstate);
7296 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7301 return gen_fhostop(cstate, ebroadcast, Q_DST);
7303 return gen_thostop(cstate, ebroadcast, Q_DST);
7304 case DLT_IEEE802_11:
7305 case DLT_PRISM_HEADER:
7306 case DLT_IEEE802_11_RADIO_AVS:
7307 case DLT_IEEE802_11_RADIO:
7309 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7310 case DLT_IP_OVER_FC:
7311 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7313 bpf_error(cstate, "not a broadcast link");
7319 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7320 * as an indication that we don't know the netmask, and fail
7323 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7324 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7325 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7326 hostmask = ~cstate->netmask;
7327 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7328 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7329 (bpf_int32)(~0 & hostmask), hostmask);
7334 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7340 * Generate code to test the low-order bit of a MAC address (that's
7341 * the bottom bit of the *first* byte).
7343 static struct block *
7344 gen_mac_multicast(compiler_state_t *cstate, int offset)
7346 register struct block *b0;
7347 register struct slist *s;
7349 /* link[offset] & 1 != 0 */
7350 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
7351 b0 = new_block(cstate, JMP(BPF_JSET));
7358 gen_multicast(compiler_state_t *cstate, int proto)
7360 register struct block *b0, *b1, *b2;
7361 register struct slist *s;
7367 switch (cstate->linktype) {
7369 case DLT_ARCNET_LINUX:
7370 /* all ARCnet multicasts use the same address */
7371 return gen_ahostop(cstate, abroadcast, Q_DST);
7373 case DLT_NETANALYZER:
7374 case DLT_NETANALYZER_TRANSPARENT:
7375 b1 = gen_prevlinkhdr_check(cstate);
7376 /* ether[0] & 1 != 0 */
7377 b0 = gen_mac_multicast(cstate, 0);
7383 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7385 * XXX - was that referring to bit-order issues?
7387 /* fddi[1] & 1 != 0 */
7388 return gen_mac_multicast(cstate, 1);
7390 /* tr[2] & 1 != 0 */
7391 return gen_mac_multicast(cstate, 2);
7392 case DLT_IEEE802_11:
7393 case DLT_PRISM_HEADER:
7394 case DLT_IEEE802_11_RADIO_AVS:
7395 case DLT_IEEE802_11_RADIO:
7400 * For control frames, there is no DA.
7402 * For management frames, DA is at an
7403 * offset of 4 from the beginning of
7406 * For data frames, DA is at an offset
7407 * of 4 from the beginning of the packet
7408 * if To DS is clear and at an offset of
7409 * 16 from the beginning of the packet
7414 * Generate the tests to be done for data frames.
7416 * First, check for To DS set, i.e. "link[1] & 0x01".
7418 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7419 b1 = new_block(cstate, JMP(BPF_JSET));
7420 b1->s.k = 0x01; /* To DS */
7424 * If To DS is set, the DA is at 16.
7426 b0 = gen_mac_multicast(cstate, 16);
7430 * Now, check for To DS not set, i.e. check
7431 * "!(link[1] & 0x01)".
7433 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7434 b2 = new_block(cstate, JMP(BPF_JSET));
7435 b2->s.k = 0x01; /* To DS */
7440 * If To DS is not set, the DA is at 4.
7442 b1 = gen_mac_multicast(cstate, 4);
7446 * Now OR together the last two checks. That gives
7447 * the complete set of checks for data frames.
7452 * Now check for a data frame.
7453 * I.e, check "link[0] & 0x08".
7455 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7456 b1 = new_block(cstate, JMP(BPF_JSET));
7461 * AND that with the checks done for data frames.
7466 * If the high-order bit of the type value is 0, this
7467 * is a management frame.
7468 * I.e, check "!(link[0] & 0x08)".
7470 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7471 b2 = new_block(cstate, JMP(BPF_JSET));
7477 * For management frames, the DA is at 4.
7479 b1 = gen_mac_multicast(cstate, 4);
7483 * OR that with the checks done for data frames.
7484 * That gives the checks done for management and
7490 * If the low-order bit of the type value is 1,
7491 * this is either a control frame or a frame
7492 * with a reserved type, and thus not a
7495 * I.e., check "!(link[0] & 0x04)".
7497 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7498 b1 = new_block(cstate, JMP(BPF_JSET));
7504 * AND that with the checks for data and management
7509 case DLT_IP_OVER_FC:
7510 b0 = gen_mac_multicast(cstate, 2);
7515 /* Link not known to support multicasts */
7519 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7520 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224);
7525 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
7526 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255);
7530 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7536 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7537 * Outbound traffic is sent by this machine, while inbound traffic is
7538 * sent by a remote machine (and may include packets destined for a
7539 * unicast or multicast link-layer address we are not subscribing to).
7540 * These are the same definitions implemented by pcap_setdirection().
7541 * Capturing only unicast traffic destined for this host is probably
7542 * better accomplished using a higher-layer filter.
7545 gen_inbound(compiler_state_t *cstate, int dir)
7547 register struct block *b0;
7550 * Only some data link types support inbound/outbound qualifiers.
7552 switch (cstate->linktype) {
7554 b0 = gen_relation(cstate, BPF_JEQ,
7555 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1),
7556 gen_loadi(cstate, 0),
7562 /* match outgoing packets */
7563 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
7565 /* match incoming packets */
7566 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
7571 /* match outgoing packets */
7572 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
7574 /* to filter on inbound traffic, invert the match */
7579 #ifdef HAVE_NET_PFVAR_H
7581 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
7582 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7588 /* match outgoing packets */
7589 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
7591 /* match incoming packets */
7592 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
7596 case DLT_JUNIPER_MFR:
7597 case DLT_JUNIPER_MLFR:
7598 case DLT_JUNIPER_MLPPP:
7599 case DLT_JUNIPER_ATM1:
7600 case DLT_JUNIPER_ATM2:
7601 case DLT_JUNIPER_PPPOE:
7602 case DLT_JUNIPER_PPPOE_ATM:
7603 case DLT_JUNIPER_GGSN:
7604 case DLT_JUNIPER_ES:
7605 case DLT_JUNIPER_MONITOR:
7606 case DLT_JUNIPER_SERVICES:
7607 case DLT_JUNIPER_ETHER:
7608 case DLT_JUNIPER_PPP:
7609 case DLT_JUNIPER_FRELAY:
7610 case DLT_JUNIPER_CHDLC:
7611 case DLT_JUNIPER_VP:
7612 case DLT_JUNIPER_ST:
7613 case DLT_JUNIPER_ISM:
7614 case DLT_JUNIPER_VS:
7615 case DLT_JUNIPER_SRX_E2E:
7616 case DLT_JUNIPER_FIBRECHANNEL:
7617 case DLT_JUNIPER_ATM_CEMIC:
7619 /* juniper flags (including direction) are stored
7620 * the byte after the 3-byte magic number */
7622 /* match outgoing packets */
7623 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
7625 /* match incoming packets */
7626 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
7632 * If we have packet meta-data indicating a direction,
7633 * check it, otherwise give up as this link-layer type
7634 * has nothing in the packet data.
7636 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7638 * This is Linux with PF_PACKET support.
7639 * If this is a *live* capture, we can look at
7640 * special meta-data in the filter expression;
7641 * if it's a savefile, we can't.
7643 if (cstate->bpf_pcap->rfile != NULL) {
7644 /* We have a FILE *, so this is a savefile */
7645 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles",
7650 /* match outgoing packets */
7651 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7654 /* to filter on inbound traffic, invert the match */
7657 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7658 bpf_error(cstate, "inbound/outbound not supported on linktype %d",
7662 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7667 #ifdef HAVE_NET_PFVAR_H
7668 /* PF firewall log matched interface */
7670 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
7675 if (cstate->linktype != DLT_PFLOG) {
7676 bpf_error(cstate, "ifname supported only on PF linktype");
7679 len = sizeof(((struct pfloghdr *)0)->ifname);
7680 off = offsetof(struct pfloghdr, ifname);
7681 if (strlen(ifname) >= len) {
7682 bpf_error(cstate, "ifname interface names can only be %d characters",
7686 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname);
7690 /* PF firewall log ruleset name */
7692 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
7696 if (cstate->linktype != DLT_PFLOG) {
7697 bpf_error(cstate, "ruleset supported only on PF linktype");
7701 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7702 bpf_error(cstate, "ruleset names can only be %ld characters",
7703 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7707 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
7708 strlen(ruleset), (const u_char *)ruleset);
7712 /* PF firewall log rule number */
7714 gen_pf_rnr(compiler_state_t *cstate, int rnr)
7718 if (cstate->linktype != DLT_PFLOG) {
7719 bpf_error(cstate, "rnr supported only on PF linktype");
7723 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
7728 /* PF firewall log sub-rule number */
7730 gen_pf_srnr(compiler_state_t *cstate, int srnr)
7734 if (cstate->linktype != DLT_PFLOG) {
7735 bpf_error(cstate, "srnr supported only on PF linktype");
7739 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
7744 /* PF firewall log reason code */
7746 gen_pf_reason(compiler_state_t *cstate, int reason)
7750 if (cstate->linktype != DLT_PFLOG) {
7751 bpf_error(cstate, "reason supported only on PF linktype");
7755 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
7760 /* PF firewall log action */
7762 gen_pf_action(compiler_state_t *cstate, int action)
7766 if (cstate->linktype != DLT_PFLOG) {
7767 bpf_error(cstate, "action supported only on PF linktype");
7771 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
7775 #else /* !HAVE_NET_PFVAR_H */
7777 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
7779 bpf_error(cstate, "libpcap was compiled without pf support");
7785 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
7787 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7793 gen_pf_rnr(compiler_state_t *cstate, int rnr)
7795 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7801 gen_pf_srnr(compiler_state_t *cstate, int srnr)
7803 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7809 gen_pf_reason(compiler_state_t *cstate, int reason)
7811 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7817 gen_pf_action(compiler_state_t *cstate, int action)
7819 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7823 #endif /* HAVE_NET_PFVAR_H */
7825 /* IEEE 802.11 wireless header */
7827 gen_p80211_type(compiler_state_t *cstate, int type, int mask)
7831 switch (cstate->linktype) {
7833 case DLT_IEEE802_11:
7834 case DLT_PRISM_HEADER:
7835 case DLT_IEEE802_11_RADIO_AVS:
7836 case DLT_IEEE802_11_RADIO:
7837 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
7842 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
7850 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir)
7854 switch (cstate->linktype) {
7856 case DLT_IEEE802_11:
7857 case DLT_PRISM_HEADER:
7858 case DLT_IEEE802_11_RADIO_AVS:
7859 case DLT_IEEE802_11_RADIO:
7863 bpf_error(cstate, "frame direction supported only with 802.11 headers");
7867 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
7868 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7874 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
7876 switch (cstate->linktype) {
7879 case DLT_ARCNET_LINUX:
7880 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7882 return (gen_ahostop(cstate, eaddr, (int)q.dir));
7884 bpf_error(cstate, "ARCnet address used in non-arc expression");
7890 bpf_error(cstate, "aid supported only on ARCnet");
7893 bpf_error(cstate, "ARCnet address used in non-arc expression");
7898 static struct block *
7899 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
7901 register struct block *b0, *b1;
7904 /* src comes first, different from Ethernet */
7906 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
7909 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
7912 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
7913 b1 = gen_ahostop(cstate, eaddr, Q_DST);
7919 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
7920 b1 = gen_ahostop(cstate, eaddr, Q_DST);
7925 bpf_error(cstate, "'addr1' is only supported on 802.11");
7929 bpf_error(cstate, "'addr2' is only supported on 802.11");
7933 bpf_error(cstate, "'addr3' is only supported on 802.11");
7937 bpf_error(cstate, "'addr4' is only supported on 802.11");
7941 bpf_error(cstate, "'ra' is only supported on 802.11");
7945 bpf_error(cstate, "'ta' is only supported on 802.11");
7952 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
7953 static struct block *
7954 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num)
7956 struct block *b0, *b1;
7959 /* generate new filter code based on extracting packet
7961 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
7962 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
7964 b0 = new_block(cstate, JMP(BPF_JEQ));
7968 if (vlan_num >= 0) {
7969 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
7970 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
7972 b1 = new_block(cstate, JMP(BPF_JEQ));
7974 b1->s.k = (bpf_int32) vlan_num;
7984 static struct block *
7985 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num)
7987 struct block *b0, *b1;
7989 /* check for VLAN, including QinQ */
7990 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
7991 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
7994 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
7998 /* If a specific VLAN is requested, check VLAN id */
7999 if (vlan_num >= 0) {
8000 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_H,
8001 (bpf_int32)vlan_num, 0x0fff);
8007 * The payload follows the full header, including the
8008 * VLAN tags, so skip past this VLAN tag.
8010 cstate->off_linkpl.constant_part += 4;
8013 * The link-layer type information follows the VLAN tags, so
8014 * skip past this VLAN tag.
8016 cstate->off_linktype.constant_part += 4;
8022 * support IEEE 802.1Q VLAN trunk over ethernet
8025 gen_vlan(compiler_state_t *cstate, int vlan_num)
8029 /* can't check for VLAN-encapsulated packets inside MPLS */
8030 if (cstate->label_stack_depth > 0)
8031 bpf_error(cstate, "no VLAN match after MPLS");
8034 * Check for a VLAN packet, and then change the offsets to point
8035 * to the type and data fields within the VLAN packet. Just
8036 * increment the offsets, so that we can support a hierarchy, e.g.
8037 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8040 * XXX - this is a bit of a kludge. If we were to split the
8041 * compiler into a parser that parses an expression and
8042 * generates an expression tree, and a code generator that
8043 * takes an expression tree (which could come from our
8044 * parser or from some other parser) and generates BPF code,
8045 * we could perhaps make the offsets parameters of routines
8046 * and, in the handler for an "AND" node, pass to subnodes
8047 * other than the VLAN node the adjusted offsets.
8049 * This would mean that "vlan" would, instead of changing the
8050 * behavior of *all* tests after it, change only the behavior
8051 * of tests ANDed with it. That would change the documented
8052 * semantics of "vlan", which might break some expressions.
8053 * However, it would mean that "(vlan and ip) or ip" would check
8054 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8055 * checking only for VLAN-encapsulated IP, so that could still
8056 * be considered worth doing; it wouldn't break expressions
8057 * that are of the form "vlan and ..." or "vlan N and ...",
8058 * which I suspect are the most common expressions involving
8059 * "vlan". "vlan or ..." doesn't necessarily do what the user
8060 * would really want, now, as all the "or ..." tests would
8061 * be done assuming a VLAN, even though the "or" could be viewed
8062 * as meaning "or, if this isn't a VLAN packet...".
8064 switch (cstate->linktype) {
8067 case DLT_NETANALYZER:
8068 case DLT_NETANALYZER_TRANSPARENT:
8069 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
8070 /* Verify that this is the outer part of the packet and
8071 * not encapsulated somehow. */
8072 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8073 cstate->off_linkhdr.constant_part ==
8074 cstate->off_outermostlinkhdr.constant_part) {
8076 * Do we need special VLAN handling?
8078 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8079 b0 = gen_vlan_bpf_extensions(cstate, vlan_num);
8081 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8084 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8087 case DLT_IEEE802_11:
8088 case DLT_PRISM_HEADER:
8089 case DLT_IEEE802_11_RADIO_AVS:
8090 case DLT_IEEE802_11_RADIO:
8091 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8095 bpf_error(cstate, "no VLAN support for data link type %d",
8100 cstate->vlan_stack_depth++;
8109 gen_mpls(compiler_state_t *cstate, int label_num)
8111 struct block *b0, *b1;
8113 if (cstate->label_stack_depth > 0) {
8114 /* just match the bottom-of-stack bit clear */
8115 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
8118 * We're not in an MPLS stack yet, so check the link-layer
8119 * type against MPLS.
8121 switch (cstate->linktype) {
8123 case DLT_C_HDLC: /* fall through */
8125 case DLT_NETANALYZER:
8126 case DLT_NETANALYZER_TRANSPARENT:
8127 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
8131 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
8134 /* FIXME add other DLT_s ...
8135 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8136 * leave it for now */
8139 bpf_error(cstate, "no MPLS support for data link type %d",
8147 /* If a specific MPLS label is requested, check it */
8148 if (label_num >= 0) {
8149 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8150 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
8151 0xfffff000); /* only compare the first 20 bits */
8157 * Change the offsets to point to the type and data fields within
8158 * the MPLS packet. Just increment the offsets, so that we
8159 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8160 * capture packets with an outer label of 100000 and an inner
8163 * Increment the MPLS stack depth as well; this indicates that
8164 * we're checking MPLS-encapsulated headers, to make sure higher
8165 * level code generators don't try to match against IP-related
8166 * protocols such as Q_ARP, Q_RARP etc.
8168 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8170 cstate->off_nl_nosnap += 4;
8171 cstate->off_nl += 4;
8172 cstate->label_stack_depth++;
8177 * Support PPPOE discovery and session.
8180 gen_pppoed(compiler_state_t *cstate)
8182 /* check for PPPoE discovery */
8183 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED);
8187 gen_pppoes(compiler_state_t *cstate, int sess_num)
8189 struct block *b0, *b1;
8192 * Test against the PPPoE session link-layer type.
8194 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES);
8196 /* If a specific session is requested, check PPPoE session id */
8197 if (sess_num >= 0) {
8198 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W,
8199 (bpf_int32)sess_num, 0x0000ffff);
8205 * Change the offsets to point to the type and data fields within
8206 * the PPP packet, and note that this is PPPoE rather than
8209 * XXX - this is a bit of a kludge. If we were to split the
8210 * compiler into a parser that parses an expression and
8211 * generates an expression tree, and a code generator that
8212 * takes an expression tree (which could come from our
8213 * parser or from some other parser) and generates BPF code,
8214 * we could perhaps make the offsets parameters of routines
8215 * and, in the handler for an "AND" node, pass to subnodes
8216 * other than the PPPoE node the adjusted offsets.
8218 * This would mean that "pppoes" would, instead of changing the
8219 * behavior of *all* tests after it, change only the behavior
8220 * of tests ANDed with it. That would change the documented
8221 * semantics of "pppoes", which might break some expressions.
8222 * However, it would mean that "(pppoes and ip) or ip" would check
8223 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8224 * checking only for VLAN-encapsulated IP, so that could still
8225 * be considered worth doing; it wouldn't break expressions
8226 * that are of the form "pppoes and ..." which I suspect are the
8227 * most common expressions involving "pppoes". "pppoes or ..."
8228 * doesn't necessarily do what the user would really want, now,
8229 * as all the "or ..." tests would be done assuming PPPoE, even
8230 * though the "or" could be viewed as meaning "or, if this isn't
8231 * a PPPoE packet...".
8233 * The "network-layer" protocol is PPPoE, which has a 6-byte
8234 * PPPoE header, followed by a PPP packet.
8236 * There is no HDLC encapsulation for the PPP packet (it's
8237 * encapsulated in PPPoES instead), so the link-layer type
8238 * starts at the first byte of the PPP packet. For PPPoE,
8239 * that offset is relative to the beginning of the total
8240 * link-layer payload, including any 802.2 LLC header, so
8241 * it's 6 bytes past cstate->off_nl.
8243 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
8244 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
8245 cstate->off_linkpl.reg);
8247 cstate->off_linktype = cstate->off_linkhdr;
8248 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
8251 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
8256 /* Check that this is Geneve and the VNI is correct if
8257 * specified. Parameterized to handle both IPv4 and IPv6. */
8258 static struct block *
8259 gen_geneve_check(compiler_state_t *cstate,
8260 struct block *(*gen_portfn)(compiler_state_t *, int, int, int),
8261 enum e_offrel offrel, int vni)
8263 struct block *b0, *b1;
8265 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
8267 /* Check that we are operating on version 0. Otherwise, we
8268 * can't decode the rest of the fields. The version is 2 bits
8269 * in the first byte of the Geneve header. */
8270 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
8275 vni <<= 8; /* VNI is in the upper 3 bytes */
8276 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni,
8285 /* The IPv4 and IPv6 Geneve checks need to do two things:
8286 * - Verify that this actually is Geneve with the right VNI.
8287 * - Place the IP header length (plus variable link prefix if
8288 * needed) into register A to be used later to compute
8289 * the inner packet offsets. */
8290 static struct block *
8291 gen_geneve4(compiler_state_t *cstate, int vni)
8293 struct block *b0, *b1;
8294 struct slist *s, *s1;
8296 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni);
8298 /* Load the IP header length into A. */
8299 s = gen_loadx_iphdrlen(cstate);
8301 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8304 /* Forcibly append these statements to the true condition
8305 * of the protocol check by creating a new block that is
8306 * always true and ANDing them. */
8307 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8316 static struct block *
8317 gen_geneve6(compiler_state_t *cstate, int vni)
8319 struct block *b0, *b1;
8320 struct slist *s, *s1;
8322 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni);
8324 /* Load the IP header length. We need to account for a
8325 * variable length link prefix if there is one. */
8326 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
8328 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
8332 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8336 s = new_stmt(cstate, BPF_LD|BPF_IMM);
8340 /* Forcibly append these statements to the true condition
8341 * of the protocol check by creating a new block that is
8342 * always true and ANDing them. */
8343 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8346 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8355 /* We need to store three values based on the Geneve header::
8356 * - The offset of the linktype.
8357 * - The offset of the end of the Geneve header.
8358 * - The offset of the end of the encapsulated MAC header. */
8359 static struct slist *
8360 gen_geneve_offsets(compiler_state_t *cstate)
8362 struct slist *s, *s1, *s_proto;
8364 /* First we need to calculate the offset of the Geneve header
8365 * itself. This is composed of the IP header previously calculated
8366 * (include any variable link prefix) and stored in A plus the
8367 * fixed sized headers (fixed link prefix, MAC length, and UDP
8369 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8370 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
8372 /* Stash this in X since we'll need it later. */
8373 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8376 /* The EtherType in Geneve is 2 bytes in. Calculate this and
8378 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8382 cstate->off_linktype.reg = alloc_reg(cstate);
8383 cstate->off_linktype.is_variable = 1;
8384 cstate->off_linktype.constant_part = 0;
8386 s1 = new_stmt(cstate, BPF_ST);
8387 s1->s.k = cstate->off_linktype.reg;
8390 /* Load the Geneve option length and mask and shift to get the
8391 * number of bytes. It is stored in the first byte of the Geneve
8393 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
8397 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8401 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
8405 /* Add in the rest of the Geneve base header. */
8406 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8410 /* Add the Geneve header length to its offset and store. */
8411 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8415 /* Set the encapsulated type as Ethernet. Even though we may
8416 * not actually have Ethernet inside there are two reasons this
8418 * - The linktype field is always in EtherType format regardless
8419 * of whether it is in Geneve or an inner Ethernet frame.
8420 * - The only link layer that we have specific support for is
8421 * Ethernet. We will confirm that the packet actually is
8422 * Ethernet at runtime before executing these checks. */
8423 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
8425 s1 = new_stmt(cstate, BPF_ST);
8426 s1->s.k = cstate->off_linkhdr.reg;
8429 /* Calculate whether we have an Ethernet header or just raw IP/
8430 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
8431 * and linktype by 14 bytes so that the network header can be found
8432 * seamlessly. Otherwise, keep what we've calculated already. */
8434 /* We have a bare jmp so we can't use the optimizer. */
8435 cstate->no_optimize = 1;
8437 /* Load the EtherType in the Geneve header, 2 bytes in. */
8438 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
8442 /* Load X with the end of the Geneve header. */
8443 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8444 s1->s.k = cstate->off_linkhdr.reg;
8447 /* Check if the EtherType is Transparent Ethernet Bridging. At the
8448 * end of this check, we should have the total length in X. In
8449 * the non-Ethernet case, it's already there. */
8450 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
8451 s_proto->s.k = ETHERTYPE_TEB;
8452 sappend(s, s_proto);
8454 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8458 /* Since this is Ethernet, use the EtherType of the payload
8459 * directly as the linktype. Overwrite what we already have. */
8460 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8464 s1 = new_stmt(cstate, BPF_ST);
8465 s1->s.k = cstate->off_linktype.reg;
8468 /* Advance two bytes further to get the end of the Ethernet
8470 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8474 /* Move the result to X. */
8475 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8478 /* Store the final result of our linkpl calculation. */
8479 cstate->off_linkpl.reg = alloc_reg(cstate);
8480 cstate->off_linkpl.is_variable = 1;
8481 cstate->off_linkpl.constant_part = 0;
8483 s1 = new_stmt(cstate, BPF_STX);
8484 s1->s.k = cstate->off_linkpl.reg;
8493 /* Check to see if this is a Geneve packet. */
8495 gen_geneve(compiler_state_t *cstate, int vni)
8497 struct block *b0, *b1;
8500 b0 = gen_geneve4(cstate, vni);
8501 b1 = gen_geneve6(cstate, vni);
8506 /* Later filters should act on the payload of the Geneve frame,
8507 * update all of the header pointers. Attach this code so that
8508 * it gets executed in the event that the Geneve filter matches. */
8509 s = gen_geneve_offsets(cstate);
8511 b1 = gen_true(cstate);
8512 sappend(s, b1->stmts);
8517 cstate->is_geneve = 1;
8522 /* Check that the encapsulated frame has a link layer header
8523 * for Ethernet filters. */
8524 static struct block *
8525 gen_geneve_ll_check(compiler_state_t *cstate)
8528 struct slist *s, *s1;
8530 /* The easiest way to see if there is a link layer present
8531 * is to check if the link layer header and payload are not
8534 /* Geneve always generates pure variable offsets so we can
8535 * compare only the registers. */
8536 s = new_stmt(cstate, BPF_LD|BPF_MEM);
8537 s->s.k = cstate->off_linkhdr.reg;
8539 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8540 s1->s.k = cstate->off_linkpl.reg;
8543 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8552 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue,
8553 bpf_u_int32 jtype, int reverse)
8560 if (!cstate->is_atm)
8561 bpf_error(cstate, "'vpi' supported only on raw ATM");
8562 if (cstate->off_vpi == (u_int)-1)
8564 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype,
8569 if (!cstate->is_atm)
8570 bpf_error(cstate, "'vci' supported only on raw ATM");
8571 if (cstate->off_vci == (u_int)-1)
8573 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype,
8578 if (cstate->off_proto == (u_int)-1)
8579 abort(); /* XXX - this isn't on FreeBSD */
8580 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype,
8585 if (cstate->off_payload == (u_int)-1)
8587 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
8588 0xffffffff, jtype, reverse, jvalue);
8592 if (!cstate->is_atm)
8593 bpf_error(cstate, "'callref' supported only on raw ATM");
8594 if (cstate->off_proto == (u_int)-1)
8596 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff,
8597 jtype, reverse, jvalue);
8607 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
8609 struct block *b0, *b1;
8614 /* Get all packets in Meta signalling Circuit */
8615 if (!cstate->is_atm)
8616 bpf_error(cstate, "'metac' supported only on raw ATM");
8617 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8618 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0);
8623 /* Get all packets in Broadcast Circuit*/
8624 if (!cstate->is_atm)
8625 bpf_error(cstate, "'bcc' supported only on raw ATM");
8626 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8627 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0);
8632 /* Get all cells in Segment OAM F4 circuit*/
8633 if (!cstate->is_atm)
8634 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
8635 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8636 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
8641 /* Get all cells in End-to-End OAM F4 Circuit*/
8642 if (!cstate->is_atm)
8643 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
8644 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8645 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
8650 /* Get all packets in connection Signalling Circuit */
8651 if (!cstate->is_atm)
8652 bpf_error(cstate, "'sc' supported only on raw ATM");
8653 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8654 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0);
8659 /* Get all packets in ILMI Circuit */
8660 if (!cstate->is_atm)
8661 bpf_error(cstate, "'ilmic' supported only on raw ATM");
8662 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8663 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0);
8668 /* Get all LANE packets */
8669 if (!cstate->is_atm)
8670 bpf_error(cstate, "'lane' supported only on raw ATM");
8671 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8674 * Arrange that all subsequent tests assume LANE
8675 * rather than LLC-encapsulated packets, and set
8676 * the offsets appropriately for LANE-encapsulated
8679 * We assume LANE means Ethernet, not Token Ring.
8681 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
8682 cstate->off_payload + 2, /* Ethernet header */
8684 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
8685 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
8686 cstate->off_nl = 0; /* Ethernet II */
8687 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
8691 /* Get all LLC-encapsulated packets */
8692 if (!cstate->is_atm)
8693 bpf_error(cstate, "'llc' supported only on raw ATM");
8694 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8695 cstate->linktype = cstate->prevlinktype;
8705 * Filtering for MTP2 messages based on li value
8706 * FISU, length is null
8707 * LSSU, length is 1 or 2
8708 * MSU, length is 3 or more
8709 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8712 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
8714 struct block *b0, *b1;
8719 if ( (cstate->linktype != DLT_MTP2) &&
8720 (cstate->linktype != DLT_ERF) &&
8721 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8722 bpf_error(cstate, "'fisu' supported only on MTP2");
8723 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
8724 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8728 if ( (cstate->linktype != DLT_MTP2) &&
8729 (cstate->linktype != DLT_ERF) &&
8730 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8731 bpf_error(cstate, "'lssu' supported only on MTP2");
8732 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8733 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8738 if ( (cstate->linktype != DLT_MTP2) &&
8739 (cstate->linktype != DLT_ERF) &&
8740 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8741 bpf_error(cstate, "'msu' supported only on MTP2");
8742 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8746 if ( (cstate->linktype != DLT_MTP2) &&
8747 (cstate->linktype != DLT_ERF) &&
8748 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8749 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
8750 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
8751 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
8755 if ( (cstate->linktype != DLT_MTP2) &&
8756 (cstate->linktype != DLT_ERF) &&
8757 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8758 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
8759 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
8760 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
8765 if ( (cstate->linktype != DLT_MTP2) &&
8766 (cstate->linktype != DLT_ERF) &&
8767 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8768 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
8769 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
8779 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue,
8780 bpf_u_int32 jtype, int reverse)
8783 bpf_u_int32 val1 , val2 , val3;
8784 u_int newoff_sio = cstate->off_sio;
8785 u_int newoff_opc = cstate->off_opc;
8786 u_int newoff_dpc = cstate->off_dpc;
8787 u_int newoff_sls = cstate->off_sls;
8789 switch (mtp3field) {
8792 newoff_sio += 3; /* offset for MTP2_HSL */
8796 if (cstate->off_sio == (u_int)-1)
8797 bpf_error(cstate, "'sio' supported only on SS7");
8798 /* sio coded on 1 byte so max value 255 */
8800 bpf_error(cstate, "sio value %u too big; max value = 255",
8802 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
8803 (u_int)jtype, reverse, (u_int)jvalue);
8809 if (cstate->off_opc == (u_int)-1)
8810 bpf_error(cstate, "'opc' supported only on SS7");
8811 /* opc coded on 14 bits so max value 16383 */
8813 bpf_error(cstate, "opc value %u too big; max value = 16383",
8815 /* the following instructions are made to convert jvalue
8816 * to the form used to write opc in an ss7 message*/
8817 val1 = jvalue & 0x00003c00;
8819 val2 = jvalue & 0x000003fc;
8821 val3 = jvalue & 0x00000003;
8823 jvalue = val1 + val2 + val3;
8824 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
8825 (u_int)jtype, reverse, (u_int)jvalue);
8833 if (cstate->off_dpc == (u_int)-1)
8834 bpf_error(cstate, "'dpc' supported only on SS7");
8835 /* dpc coded on 14 bits so max value 16383 */
8837 bpf_error(cstate, "dpc value %u too big; max value = 16383",
8839 /* the following instructions are made to convert jvalue
8840 * to the forme used to write dpc in an ss7 message*/
8841 val1 = jvalue & 0x000000ff;
8843 val2 = jvalue & 0x00003f00;
8845 jvalue = val1 + val2;
8846 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
8847 (u_int)jtype, reverse, (u_int)jvalue);
8853 if (cstate->off_sls == (u_int)-1)
8854 bpf_error(cstate, "'sls' supported only on SS7");
8855 /* sls coded on 4 bits so max value 15 */
8857 bpf_error(cstate, "sls value %u too big; max value = 15",
8859 /* the following instruction is made to convert jvalue
8860 * to the forme used to write sls in an ss7 message*/
8861 jvalue = jvalue << 4;
8862 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0,
8863 (u_int)jtype,reverse, (u_int)jvalue);
8872 static struct block *
8873 gen_msg_abbrev(compiler_state_t *cstate, int type)
8878 * Q.2931 signalling protocol messages for handling virtual circuits
8879 * establishment and teardown
8884 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
8888 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8892 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8896 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8900 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8903 case A_RELEASE_DONE:
8904 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8914 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
8916 struct block *b0, *b1;
8921 if (!cstate->is_atm)
8922 bpf_error(cstate, "'oam' supported only on raw ATM");
8923 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4);
8927 if (!cstate->is_atm)
8928 bpf_error(cstate, "'oamf4' supported only on raw ATM");
8930 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
8931 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
8933 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8939 * Get Q.2931 signalling messages for switched
8940 * virtual connection
8942 if (!cstate->is_atm)
8943 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
8944 b0 = gen_msg_abbrev(cstate, A_SETUP);
8945 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
8947 b0 = gen_msg_abbrev(cstate, A_CONNECT);
8949 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
8951 b0 = gen_msg_abbrev(cstate, A_RELEASE);
8953 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
8955 b0 = gen_atmtype_abbrev(cstate, A_SC);
8960 if (!cstate->is_atm)
8961 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
8962 b0 = gen_msg_abbrev(cstate, A_SETUP);
8963 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
8965 b0 = gen_msg_abbrev(cstate, A_CONNECT);
8967 b0 = gen_msg_abbrev(cstate, A_RELEASE);
8969 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
8971 b0 = gen_atmtype_abbrev(cstate, A_METAC);
projects / FreeBSD / FreeBSD.git / blob