1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.193.2.8 2004/03/29 20:53:47 guy Exp $ (LBL)";
34 #include <pcap-stdinc.h>
36 #include <sys/types.h>
37 #include <sys/socket.h>
42 * XXX - why was this included even on UNIX?
51 #include <sys/param.h>
54 #include <netinet/in.h>
66 #include "ethertype.h"
71 #include "sunatmpos.h"
77 #define offsetof(s, e) ((size_t)&((s *)0)->e)
81 #include <netdb.h> /* for "struct addrinfo" */
84 #include <pcap-namedb.h>
90 #define IPPROTO_SCTP 132
93 #ifdef HAVE_OS_PROTO_H
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
103 /* Hack for updating VLAN offsets. */
104 static u_int orig_linktype = -1, orig_nl = -1, orig_nl_nosnap = -1;
108 int pcap_fddipad = PCAP_FDDIPAD;
115 bpf_error(const char *fmt, ...)
121 if (bpf_pcap != NULL)
122 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
129 static void init_linktype(int);
131 static int alloc_reg(void);
132 static void free_reg(int);
134 static struct block *root;
137 * We divy out chunks of memory rather than call malloc each time so
138 * we don't have to worry about leaking memory. It's probably
139 * not a big deal if all this memory was wasted but it this ever
140 * goes into a library that would probably not be a good idea.
143 #define CHUNK0SIZE 1024
149 static struct chunk chunks[NCHUNKS];
150 static int cur_chunk;
152 static void *newchunk(u_int);
153 static void freechunks(void);
154 static inline struct block *new_block(int);
155 static inline struct slist *new_stmt(int);
156 static struct block *gen_retblk(int);
157 static inline void syntax(void);
159 static void backpatch(struct block *, struct block *);
160 static void merge(struct block *, struct block *);
161 static struct block *gen_cmp(u_int, u_int, bpf_int32);
162 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
163 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
164 static struct block *gen_bcmp(u_int, u_int, const u_char *);
165 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
166 bpf_u_int32, bpf_u_int32, int);
167 static struct block *gen_uncond(int);
168 static inline struct block *gen_true(void);
169 static inline struct block *gen_false(void);
170 static struct block *gen_ether_linktype(int);
171 static struct block *gen_linktype(int);
172 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
173 static struct block *gen_llc(int);
174 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
176 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
178 static struct block *gen_ahostop(const u_char *, int);
179 static struct block *gen_ehostop(const u_char *, int);
180 static struct block *gen_fhostop(const u_char *, int);
181 static struct block *gen_thostop(const u_char *, int);
182 static struct block *gen_wlanhostop(const u_char *, int);
183 static struct block *gen_ipfchostop(const u_char *, int);
184 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
185 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
187 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
190 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
192 static struct block *gen_ipfrag(void);
193 static struct block *gen_portatom(int, bpf_int32);
195 static struct block *gen_portatom6(int, bpf_int32);
197 struct block *gen_portop(int, int, int);
198 static struct block *gen_port(int, int, int);
200 struct block *gen_portop6(int, int, int);
201 static struct block *gen_port6(int, int, int);
203 static int lookup_proto(const char *, int);
204 static struct block *gen_protochain(int, int, int);
205 static struct block *gen_proto(int, int, int);
206 static struct slist *xfer_to_x(struct arth *);
207 static struct slist *xfer_to_a(struct arth *);
208 static struct block *gen_mac_multicast(int);
209 static struct block *gen_len(int, int);
211 static struct block *gen_msg_abbrev(int type);
222 /* XXX Round up to nearest long. */
223 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
225 /* XXX Round up to structure boundary. */
229 cp = &chunks[cur_chunk];
230 if (n > cp->n_left) {
231 ++cp, k = ++cur_chunk;
233 bpf_error("out of memory");
234 size = CHUNK0SIZE << k;
235 cp->m = (void *)malloc(size);
237 bpf_error("out of memory");
238 memset((char *)cp->m, 0, size);
241 bpf_error("out of memory");
244 return (void *)((char *)cp->m + cp->n_left);
253 for (i = 0; i < NCHUNKS; ++i)
254 if (chunks[i].m != NULL) {
261 * A strdup whose allocations are freed after code generation is over.
265 register const char *s;
267 int n = strlen(s) + 1;
268 char *cp = newchunk(n);
274 static inline struct block *
280 p = (struct block *)newchunk(sizeof(*p));
287 static inline struct slist *
293 p = (struct slist *)newchunk(sizeof(*p));
299 static struct block *
303 struct block *b = new_block(BPF_RET|BPF_K);
312 bpf_error("syntax error in filter expression");
315 static bpf_u_int32 netmask;
320 pcap_compile(pcap_t *p, struct bpf_program *program,
321 char *buf, int optimize, bpf_u_int32 mask)
330 if (setjmp(top_ctx)) {
338 snaplen = pcap_snapshot(p);
340 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
341 "snaplen of 0 rejects all packets");
345 lex_init(buf ? buf : "");
346 init_linktype(pcap_datalink(p));
353 root = gen_retblk(snaplen);
355 if (optimize && !no_optimize) {
358 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
359 bpf_error("expression rejects all packets");
361 program->bf_insns = icode_to_fcode(root, &len);
362 program->bf_len = len;
370 * entry point for using the compiler with no pcap open
371 * pass in all the stuff that is needed explicitly instead.
374 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
375 struct bpf_program *program,
376 char *buf, int optimize, bpf_u_int32 mask)
381 p = pcap_open_dead(linktype_arg, snaplen_arg);
384 ret = pcap_compile(p, program, buf, optimize, mask);
390 * Clean up a "struct bpf_program" by freeing all the memory allocated
394 pcap_freecode(struct bpf_program *program)
397 if (program->bf_insns != NULL) {
398 free((char *)program->bf_insns);
399 program->bf_insns = NULL;
404 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
405 * which of the jt and jf fields has been resolved and which is a pointer
406 * back to another unresolved block (or nil). At least one of the fields
407 * in each block is already resolved.
410 backpatch(list, target)
411 struct block *list, *target;
428 * Merge the lists in b0 and b1, using the 'sense' field to indicate
429 * which of jt and jf is the link.
433 struct block *b0, *b1;
435 register struct block **p = &b0;
437 /* Find end of list. */
439 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
441 /* Concatenate the lists. */
449 backpatch(p, gen_retblk(snaplen));
450 p->sense = !p->sense;
451 backpatch(p, gen_retblk(0));
457 struct block *b0, *b1;
459 backpatch(b0, b1->head);
460 b0->sense = !b0->sense;
461 b1->sense = !b1->sense;
463 b1->sense = !b1->sense;
469 struct block *b0, *b1;
471 b0->sense = !b0->sense;
472 backpatch(b0, b1->head);
473 b0->sense = !b0->sense;
482 b->sense = !b->sense;
485 static struct block *
486 gen_cmp(offset, size, v)
493 s = new_stmt(BPF_LD|BPF_ABS|size);
496 b = new_block(JMP(BPF_JEQ));
503 static struct block *
504 gen_cmp_gt(offset, size, v)
511 s = new_stmt(BPF_LD|BPF_ABS|size);
514 b = new_block(JMP(BPF_JGT));
521 static struct block *
522 gen_mcmp(offset, size, v, mask)
527 struct block *b = gen_cmp(offset, size, v);
530 if (mask != 0xffffffff) {
531 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
538 static struct block *
539 gen_bcmp(offset, size, v)
540 register u_int offset, size;
541 register const u_char *v;
543 register struct block *b, *tmp;
547 register const u_char *p = &v[size - 4];
548 bpf_int32 w = ((bpf_int32)p[0] << 24) |
549 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
551 tmp = gen_cmp(offset + size - 4, BPF_W, w);
558 register const u_char *p = &v[size - 2];
559 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
561 tmp = gen_cmp(offset + size - 2, BPF_H, w);
568 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
576 static struct block *
577 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
578 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
584 s = new_stmt(BPF_LD|datasize|BPF_ABS);
587 if (mask != 0xffffffff) {
588 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
592 b = new_block(JMP(jtype));
595 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
601 * Various code constructs need to know the layout of the data link
602 * layer. These variables give the necessary offsets.
606 * This is the offset of the beginning of the MAC-layer header.
607 * It's usually 0, except for ATM LANE.
609 static u_int off_mac;
612 * "off_linktype" is the offset to information in the link-layer header
613 * giving the packet type.
615 * For Ethernet, it's the offset of the Ethernet type field.
617 * For link-layer types that always use 802.2 headers, it's the
618 * offset of the LLC header.
620 * For PPP, it's the offset of the PPP type field.
622 * For Cisco HDLC, it's the offset of the CHDLC type field.
624 * For BSD loopback, it's the offset of the AF_ value.
626 * For Linux cooked sockets, it's the offset of the type field.
628 * It's set to -1 for no encapsulation, in which case, IP is assumed.
630 static u_int off_linktype;
633 * TRUE if the link layer includes an ATM pseudo-header.
635 static int is_atm = 0;
638 * TRUE if "lane" appeared in the filter; it causes us to generate
639 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
641 static int is_lane = 0;
644 * These are offsets for the ATM pseudo-header.
646 static u_int off_vpi;
647 static u_int off_vci;
648 static u_int off_proto;
651 * This is the offset of the first byte after the ATM pseudo_header,
652 * or -1 if there is no ATM pseudo-header.
654 static u_int off_payload;
657 * These are offsets to the beginning of the network-layer header.
659 * If the link layer never uses 802.2 LLC:
661 * "off_nl" and "off_nl_nosnap" are the same.
663 * If the link layer always uses 802.2 LLC:
665 * "off_nl" is the offset if there's a SNAP header following
668 * "off_nl_nosnap" is the offset if there's no SNAP header.
670 * If the link layer is Ethernet:
672 * "off_nl" is the offset if the packet is an Ethernet II packet
673 * (we assume no 802.3+802.2+SNAP);
675 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
676 * with an 802.2 header following it.
679 static u_int off_nl_nosnap;
690 * Assume it's not raw ATM with a pseudo-header, for now.
708 off_nl = 6; /* XXX in reality, variable! */
709 off_nl_nosnap = 6; /* no 802.2 LLC */
712 case DLT_ARCNET_LINUX:
714 off_nl = 8; /* XXX in reality, variable! */
715 off_nl_nosnap = 8; /* no 802.2 LLC */
720 off_nl = 14; /* Ethernet II */
721 off_nl_nosnap = 17; /* 802.3+802.2 */
726 * SLIP doesn't have a link level type. The 16 byte
727 * header is hacked into our SLIP driver.
731 off_nl_nosnap = 16; /* no 802.2 LLC */
735 /* XXX this may be the same as the DLT_PPP_BSDOS case */
739 off_nl_nosnap = 24; /* no 802.2 LLC */
746 off_nl_nosnap = 4; /* no 802.2 LLC */
752 off_nl_nosnap = 12; /* no 802.2 LLC */
756 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
757 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
760 off_nl_nosnap = 4; /* no 802.2 LLC */
765 * This does no include the Ethernet header, and
766 * only covers session state.
770 off_nl_nosnap = 8; /* no 802.2 LLC */
776 off_nl_nosnap = 24; /* no 802.2 LLC */
781 * FDDI doesn't really have a link-level type field.
782 * We set "off_linktype" to the offset of the LLC header.
784 * To check for Ethernet types, we assume that SSAP = SNAP
785 * is being used and pick out the encapsulated Ethernet type.
786 * XXX - should we generate code to check for SNAP?
790 off_linktype += pcap_fddipad;
792 off_nl = 21; /* FDDI+802.2+SNAP */
793 off_nl_nosnap = 16; /* FDDI+802.2 */
795 off_nl += pcap_fddipad;
796 off_nl_nosnap += pcap_fddipad;
802 * Token Ring doesn't really have a link-level type field.
803 * We set "off_linktype" to the offset of the LLC header.
805 * To check for Ethernet types, we assume that SSAP = SNAP
806 * is being used and pick out the encapsulated Ethernet type.
807 * XXX - should we generate code to check for SNAP?
809 * XXX - the header is actually variable-length.
810 * Some various Linux patched versions gave 38
811 * as "off_linktype" and 40 as "off_nl"; however,
812 * if a token ring packet has *no* routing
813 * information, i.e. is not source-routed, the correct
814 * values are 20 and 22, as they are in the vanilla code.
816 * A packet is source-routed iff the uppermost bit
817 * of the first byte of the source address, at an
818 * offset of 8, has the uppermost bit set. If the
819 * packet is source-routed, the total number of bytes
820 * of routing information is 2 plus bits 0x1F00 of
821 * the 16-bit value at an offset of 14 (shifted right
822 * 8 - figure out which byte that is).
825 off_nl = 22; /* Token Ring+802.2+SNAP */
826 off_nl_nosnap = 17; /* Token Ring+802.2 */
831 * 802.11 doesn't really have a link-level type field.
832 * We set "off_linktype" to the offset of the LLC header.
834 * To check for Ethernet types, we assume that SSAP = SNAP
835 * is being used and pick out the encapsulated Ethernet type.
836 * XXX - should we generate code to check for SNAP?
838 * XXX - the header is actually variable-length. We
839 * assume a 24-byte link-layer header, as appears in
840 * data frames in networks with no bridges. If the
841 * fromds and tods 802.11 header bits are both set,
842 * it's actually supposed to be 30 bytes.
845 off_nl = 32; /* 802.11+802.2+SNAP */
846 off_nl_nosnap = 27; /* 802.11+802.2 */
849 case DLT_PRISM_HEADER:
851 * Same as 802.11, but with an additional header before
852 * the 802.11 header, containing a bunch of additional
853 * information including radio-level information.
855 * The header is 144 bytes long.
857 * XXX - same variable-length header problem; at least
858 * the Prism header is fixed-length.
860 off_linktype = 144+24;
861 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
862 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
865 case DLT_IEEE802_11_RADIO_AVS:
867 * Same as 802.11, but with an additional header before
868 * the 802.11 header, containing a bunch of additional
869 * information including radio-level information.
871 * The header is 64 bytes long, at least in its
872 * current incarnation.
874 * XXX - same variable-length header problem, only
875 * more so; this header is also variable-length,
876 * with the length being the 32-bit big-endian
877 * number at an offset of 4 from the beginning
878 * of the radio header.
880 off_linktype = 64+24;
881 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
882 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
885 case DLT_IEEE802_11_RADIO:
887 * Same as 802.11, but with an additional header before
888 * the 802.11 header, containing a bunch of additional
889 * information including radio-level information.
891 * XXX - same variable-length header problem, only
892 * even *more* so; this header is also variable-length,
893 * with the length being the 16-bit number at an offset
894 * of 2 from the beginning of the radio header, and it's
895 * device-dependent (different devices might supply
896 * different amounts of information), so we can't even
897 * assume a fixed length for the current version of the
900 * Therefore, currently, only raw "link[N:M]" filtering is
908 case DLT_ATM_RFC1483:
909 case DLT_ATM_CLIP: /* Linux ATM defines this */
911 * assume routed, non-ISO PDUs
912 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
915 off_nl = 8; /* 802.2+SNAP */
916 off_nl_nosnap = 3; /* 802.2 */
921 * Full Frontal ATM; you get AALn PDUs with an ATM
925 off_vpi = SUNATM_VPI_POS;
926 off_vci = SUNATM_VCI_POS;
927 off_proto = PROTO_POS;
928 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
929 off_payload = SUNATM_PKT_BEGIN_POS;
930 off_linktype = off_payload;
931 off_nl = off_payload+8; /* 802.2+SNAP */
932 off_nl_nosnap = off_payload+3; /* 802.2 */
938 off_nl_nosnap = 0; /* no 802.2 LLC */
941 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
944 off_nl_nosnap = 16; /* no 802.2 LLC */
949 * LocalTalk does have a 1-byte type field in the LLAP header,
950 * but really it just indicates whether there is a "short" or
951 * "long" DDP packet following.
955 off_nl_nosnap = 0; /* no 802.2 LLC */
960 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
961 * link-level type field. We set "off_linktype" to the
962 * offset of the LLC header.
964 * To check for Ethernet types, we assume that SSAP = SNAP
965 * is being used and pick out the encapsulated Ethernet type.
966 * XXX - should we generate code to check for SNAP? RFC
967 * 2625 says SNAP should be used.
970 off_nl = 24; /* IPFC+802.2+SNAP */
971 off_nl_nosnap = 19; /* IPFC+802.2 */
976 * XXX - we should set this to handle SNAP-encapsulated
977 * frames (NLPID of 0x80).
981 off_nl_nosnap = 0; /* no 802.2 LLC */
984 case DLT_APPLE_IP_OVER_IEEE1394:
987 off_nl_nosnap = 0; /* no 802.2 LLC */
992 * Currently, only raw "link[N:M]" filtering is supported.
1001 /* XXX read from header? */
1002 off_nl = PFLOG_HDRLEN;
1003 off_nl_nosnap = PFLOG_HDRLEN;
1014 bpf_error("unknown data link type %d", linktype);
1018 static struct block *
1025 s = new_stmt(BPF_LD|BPF_IMM);
1027 b = new_block(JMP(BPF_JEQ));
1033 static inline struct block *
1036 return gen_uncond(1);
1039 static inline struct block *
1042 return gen_uncond(0);
1046 * Byte-swap a 32-bit number.
1047 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1048 * big-endian platforms.)
1050 #define SWAPLONG(y) \
1051 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1053 static struct block *
1054 gen_ether_linktype(proto)
1057 struct block *b0, *b1;
1063 * OSI protocols always use 802.2 encapsulation.
1064 * XXX - should we check both the DSAP and the
1065 * SSAP, like this, or should we check just the
1068 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1070 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1071 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1076 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1078 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1079 ((LLCSAP_IP << 8) | LLCSAP_IP));
1083 case LLCSAP_NETBEUI:
1085 * NetBEUI always uses 802.2 encapsulation.
1086 * XXX - should we check both the DSAP and the
1087 * SSAP, like this, or should we check just the
1090 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1092 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1093 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1101 * Ethernet_II frames, which are Ethernet
1102 * frames with a frame type of ETHERTYPE_IPX;
1104 * Ethernet_802.3 frames, which are 802.3
1105 * frames (i.e., the type/length field is
1106 * a length field, <= ETHERMTU, rather than
1107 * a type field) with the first two bytes
1108 * after the Ethernet/802.3 header being
1111 * Ethernet_802.2 frames, which are 802.3
1112 * frames with an 802.2 LLC header and
1113 * with the IPX LSAP as the DSAP in the LLC
1116 * Ethernet_SNAP frames, which are 802.3
1117 * frames with an LLC header and a SNAP
1118 * header and with an OUI of 0x000000
1119 * (encapsulated Ethernet) and a protocol
1120 * ID of ETHERTYPE_IPX in the SNAP header.
1122 * XXX - should we generate the same code both
1123 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1127 * This generates code to check both for the
1128 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1130 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1131 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1135 * Now we add code to check for SNAP frames with
1136 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1138 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1142 * Now we generate code to check for 802.3
1143 * frames in general.
1145 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1149 * Now add the check for 802.3 frames before the
1150 * check for Ethernet_802.2 and Ethernet_802.3,
1151 * as those checks should only be done on 802.3
1152 * frames, not on Ethernet frames.
1157 * Now add the check for Ethernet_II frames, and
1158 * do that before checking for the other frame
1161 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1165 case ETHERTYPE_ATALK:
1166 case ETHERTYPE_AARP:
1168 * EtherTalk (AppleTalk protocols on Ethernet link
1169 * layer) may use 802.2 encapsulation.
1173 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1174 * we check for an Ethernet type field less than
1175 * 1500, which means it's an 802.3 length field.
1177 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1181 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1182 * SNAP packets with an organization code of
1183 * 0x080007 (Apple, for Appletalk) and a protocol
1184 * type of ETHERTYPE_ATALK (Appletalk).
1186 * 802.2-encapsulated ETHERTYPE_AARP packets are
1187 * SNAP packets with an organization code of
1188 * 0x000000 (encapsulated Ethernet) and a protocol
1189 * type of ETHERTYPE_AARP (Appletalk ARP).
1191 if (proto == ETHERTYPE_ATALK)
1192 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1193 else /* proto == ETHERTYPE_AARP */
1194 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1198 * Check for Ethernet encapsulation (Ethertalk
1199 * phase 1?); we just check for the Ethernet
1202 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1208 if (proto <= ETHERMTU) {
1210 * This is an LLC SAP value, so the frames
1211 * that match would be 802.2 frames.
1212 * Check that the frame is an 802.2 frame
1213 * (i.e., that the length/type field is
1214 * a length field, <= ETHERMTU) and
1215 * then check the DSAP.
1217 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1219 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1224 * This is an Ethernet type, so compare
1225 * the length/type field with it (if
1226 * the frame is an 802.2 frame, the length
1227 * field will be <= ETHERMTU, and, as
1228 * "proto" is > ETHERMTU, this test
1229 * will fail and the frame won't match,
1230 * which is what we want).
1232 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1237 static struct block *
1241 struct block *b0, *b1, *b2;
1246 return gen_ether_linktype(proto);
1253 proto = (proto << 8 | LLCSAP_ISONS);
1257 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1262 case DLT_IEEE802_11:
1263 case DLT_PRISM_HEADER:
1264 case DLT_IEEE802_11_RADIO:
1267 case DLT_ATM_RFC1483:
1269 case DLT_IP_OVER_FC:
1270 return gen_llc(proto);
1275 * If "is_lane" is set, check for a LANE-encapsulated
1276 * version of this protocol, otherwise check for an
1277 * LLC-encapsulated version of this protocol.
1279 * We assume LANE means Ethernet, not Token Ring.
1283 * Check that the packet doesn't begin with an
1284 * LE Control marker. (We've already generated
1287 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1291 * Now generate an Ethernet test.
1293 b1 = gen_ether_linktype(proto);
1298 * Check for LLC encapsulation and then check the
1301 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1302 b1 = gen_llc(proto);
1311 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1312 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1313 ((LLCSAP_IP << 8) | LLCSAP_IP));
1319 * OSI protocols always use 802.2 encapsulation.
1320 * XXX - should we check both the DSAP and the
1321 * LSAP, like this, or should we check just the
1324 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1325 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1326 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1330 case LLCSAP_NETBEUI:
1332 * NetBEUI always uses 802.2 encapsulation.
1333 * XXX - should we check both the DSAP and the
1334 * LSAP, like this, or should we check just the
1337 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1338 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1339 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1345 * Ethernet_II frames, which are Ethernet
1346 * frames with a frame type of ETHERTYPE_IPX;
1348 * Ethernet_802.3 frames, which have a frame
1349 * type of LINUX_SLL_P_802_3;
1351 * Ethernet_802.2 frames, which are 802.3
1352 * frames with an 802.2 LLC header (i.e, have
1353 * a frame type of LINUX_SLL_P_802_2) and
1354 * with the IPX LSAP as the DSAP in the LLC
1357 * Ethernet_SNAP frames, which are 802.3
1358 * frames with an LLC header and a SNAP
1359 * header and with an OUI of 0x000000
1360 * (encapsulated Ethernet) and a protocol
1361 * ID of ETHERTYPE_IPX in the SNAP header.
1363 * First, do the checks on LINUX_SLL_P_802_2
1364 * frames; generate the check for either
1365 * Ethernet_802.2 or Ethernet_SNAP frames, and
1366 * then put a check for LINUX_SLL_P_802_2 frames
1369 b0 = gen_cmp(off_linktype + 2, BPF_B,
1370 (bpf_int32)LLCSAP_IPX);
1371 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1374 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1378 * Now check for 802.3 frames and OR that with
1379 * the previous test.
1381 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1385 * Now add the check for Ethernet_II frames, and
1386 * do that before checking for the other frame
1389 b0 = gen_cmp(off_linktype, BPF_H,
1390 (bpf_int32)ETHERTYPE_IPX);
1394 case ETHERTYPE_ATALK:
1395 case ETHERTYPE_AARP:
1397 * EtherTalk (AppleTalk protocols on Ethernet link
1398 * layer) may use 802.2 encapsulation.
1402 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1403 * we check for the 802.2 protocol type in the
1404 * "Ethernet type" field.
1406 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1409 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1410 * SNAP packets with an organization code of
1411 * 0x080007 (Apple, for Appletalk) and a protocol
1412 * type of ETHERTYPE_ATALK (Appletalk).
1414 * 802.2-encapsulated ETHERTYPE_AARP packets are
1415 * SNAP packets with an organization code of
1416 * 0x000000 (encapsulated Ethernet) and a protocol
1417 * type of ETHERTYPE_AARP (Appletalk ARP).
1419 if (proto == ETHERTYPE_ATALK)
1420 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1422 else /* proto == ETHERTYPE_AARP */
1423 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1428 * Check for Ethernet encapsulation (Ethertalk
1429 * phase 1?); we just check for the Ethernet
1432 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1438 if (proto <= ETHERMTU) {
1440 * This is an LLC SAP value, so the frames
1441 * that match would be 802.2 frames.
1442 * Check for the 802.2 protocol type
1443 * in the "Ethernet type" field, and
1444 * then check the DSAP.
1446 b0 = gen_cmp(off_linktype, BPF_H,
1448 b1 = gen_cmp(off_linktype + 2, BPF_B,
1454 * This is an Ethernet type, so compare
1455 * the length/type field with it (if
1456 * the frame is an 802.2 frame, the length
1457 * field will be <= ETHERMTU, and, as
1458 * "proto" is > ETHERMTU, this test
1459 * will fail and the frame won't match,
1460 * which is what we want).
1462 return gen_cmp(off_linktype, BPF_H,
1469 case DLT_SLIP_BSDOS:
1472 * These types don't provide any type field; packets
1475 * XXX - for IPv4, check for a version number of 4, and,
1476 * for IPv6, check for a version number of 6?
1482 case ETHERTYPE_IPV6:
1484 return gen_true(); /* always true */
1487 return gen_false(); /* always false */
1492 case DLT_PPP_SERIAL:
1495 * We use Ethernet protocol types inside libpcap;
1496 * map them to the corresponding PPP protocol types.
1505 case ETHERTYPE_IPV6:
1514 case ETHERTYPE_ATALK:
1528 * I'm assuming the "Bridging PDU"s that go
1529 * over PPP are Spanning Tree Protocol
1543 * We use Ethernet protocol types inside libpcap;
1544 * map them to the corresponding PPP protocol types.
1549 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1550 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1552 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1557 case ETHERTYPE_IPV6:
1567 case ETHERTYPE_ATALK:
1581 * I'm assuming the "Bridging PDU"s that go
1582 * over PPP are Spanning Tree Protocol
1598 * For DLT_NULL, the link-layer header is a 32-bit
1599 * word containing an AF_ value in *host* byte order,
1600 * and for DLT_ENC, the link-layer header begins
1601 * with a 32-bit work containing an AF_ value in
1604 * In addition, if we're reading a saved capture file,
1605 * the host byte order in the capture may not be the
1606 * same as the host byte order on this machine.
1608 * For DLT_LOOP, the link-layer header is a 32-bit
1609 * word containing an AF_ value in *network* byte order.
1611 * XXX - AF_ values may, unfortunately, be platform-
1612 * dependent; for example, FreeBSD's AF_INET6 is 24
1613 * whilst NetBSD's and OpenBSD's is 26.
1615 * This means that, when reading a capture file, just
1616 * checking for our AF_INET6 value won't work if the
1617 * capture file came from another OS.
1626 case ETHERTYPE_IPV6:
1633 * Not a type on which we support filtering.
1634 * XXX - support those that have AF_ values
1635 * #defined on this platform, at least?
1640 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1642 * The AF_ value is in host byte order, but
1643 * the BPF interpreter will convert it to
1644 * network byte order.
1646 * If this is a save file, and it's from a
1647 * machine with the opposite byte order to
1648 * ours, we byte-swap the AF_ value.
1650 * Then we run it through "htonl()", and
1651 * generate code to compare against the result.
1653 if (bpf_pcap->sf.rfile != NULL &&
1654 bpf_pcap->sf.swapped)
1655 proto = SWAPLONG(proto);
1656 proto = htonl(proto);
1658 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1662 * af field is host byte order in contrast to the rest of
1665 if (proto == ETHERTYPE_IP)
1666 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1667 (bpf_int32)AF_INET));
1669 else if (proto == ETHERTYPE_IPV6)
1670 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1671 (bpf_int32)AF_INET6));
1678 case DLT_ARCNET_LINUX:
1680 * XXX should we check for first fragment if the protocol
1689 case ETHERTYPE_IPV6:
1690 return (gen_cmp(off_linktype, BPF_B,
1691 (bpf_int32)ARCTYPE_INET6));
1695 b0 = gen_cmp(off_linktype, BPF_B,
1696 (bpf_int32)ARCTYPE_IP);
1697 b1 = gen_cmp(off_linktype, BPF_B,
1698 (bpf_int32)ARCTYPE_IP_OLD);
1703 b0 = gen_cmp(off_linktype, BPF_B,
1704 (bpf_int32)ARCTYPE_ARP);
1705 b1 = gen_cmp(off_linktype, BPF_B,
1706 (bpf_int32)ARCTYPE_ARP_OLD);
1710 case ETHERTYPE_REVARP:
1711 return (gen_cmp(off_linktype, BPF_B,
1712 (bpf_int32)ARCTYPE_REVARP));
1714 case ETHERTYPE_ATALK:
1715 return (gen_cmp(off_linktype, BPF_B,
1716 (bpf_int32)ARCTYPE_ATALK));
1722 case ETHERTYPE_ATALK:
1731 * XXX - assumes a 2-byte Frame Relay header with
1732 * DLCI and flags. What if the address is longer?
1738 * Check for the special NLPID for IP.
1740 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1743 case ETHERTYPE_IPV6:
1745 * Check for the special NLPID for IPv6.
1747 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1752 * Check for several OSI protocols.
1754 * Frame Relay packets typically have an OSI
1755 * NLPID at the beginning; we check for each
1758 * What we check for is the NLPID and a frame
1759 * control field of UI, i.e. 0x03 followed
1762 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1763 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1764 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1774 case DLT_LINUX_IRDA:
1775 bpf_error("IrDA link-layer type filtering not implemented");
1779 * All the types that have no encapsulation should either be
1780 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1781 * all packets are IP packets, or should be handled in some
1782 * special case, if none of them are (if some are and some
1783 * aren't, the lack of encapsulation is a problem, as we'd
1784 * have to find some other way of determining the packet type).
1786 * Therefore, if "off_linktype" is -1, there's an error.
1788 if (off_linktype == (u_int)-1)
1792 * Any type not handled above should always have an Ethernet
1793 * type at an offset of "off_linktype". (PPP is partially
1794 * handled above - the protocol type is mapped from the
1795 * Ethernet and LLC types we use internally to the corresponding
1796 * PPP type - but the PPP type is always specified by a value
1797 * at "off_linktype", so we don't have to do the code generation
1800 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1804 * Check for an LLC SNAP packet with a given organization code and
1805 * protocol type; we check the entire contents of the 802.2 LLC and
1806 * snap headers, checking for DSAP and SSAP of SNAP and a control
1807 * field of 0x03 in the LLC header, and for the specified organization
1808 * code and protocol type in the SNAP header.
1810 static struct block *
1811 gen_snap(orgcode, ptype, offset)
1812 bpf_u_int32 orgcode;
1816 u_char snapblock[8];
1818 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1819 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1820 snapblock[2] = 0x03; /* control = UI */
1821 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1822 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1823 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1824 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1825 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1826 return gen_bcmp(offset, 8, snapblock);
1830 * Check for a given protocol value assuming an 802.2 LLC header.
1832 static struct block *
1837 * XXX - handle token-ring variable-length header.
1842 return gen_cmp(off_linktype, BPF_H, (long)
1843 ((LLCSAP_IP << 8) | LLCSAP_IP));
1846 return gen_cmp(off_linktype, BPF_H, (long)
1847 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1849 case LLCSAP_NETBEUI:
1850 return gen_cmp(off_linktype, BPF_H, (long)
1851 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1855 * XXX - are there ever SNAP frames for IPX on
1856 * non-Ethernet 802.x networks?
1858 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1860 case ETHERTYPE_ATALK:
1862 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1863 * SNAP packets with an organization code of
1864 * 0x080007 (Apple, for Appletalk) and a protocol
1865 * type of ETHERTYPE_ATALK (Appletalk).
1867 * XXX - check for an organization code of
1868 * encapsulated Ethernet as well?
1870 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1874 * XXX - we don't have to check for IPX 802.3
1875 * here, but should we check for the IPX Ethertype?
1877 if (proto <= ETHERMTU) {
1879 * This is an LLC SAP value, so check
1882 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1885 * This is an Ethernet type; we assume that it's
1886 * unlikely that it'll appear in the right place
1887 * at random, and therefore check only the
1888 * location that would hold the Ethernet type
1889 * in a SNAP frame with an organization code of
1890 * 0x000000 (encapsulated Ethernet).
1892 * XXX - if we were to check for the SNAP DSAP and
1893 * LSAP, as per XXX, and were also to check for an
1894 * organization code of 0x000000 (encapsulated
1895 * Ethernet), we'd do
1897 * return gen_snap(0x000000, proto,
1900 * here; for now, we don't, as per the above.
1901 * I don't know whether it's worth the extra CPU
1902 * time to do the right check or not.
1904 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1909 static struct block *
1910 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1914 u_int src_off, dst_off;
1916 struct block *b0, *b1;
1930 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1931 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1937 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1938 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1945 b0 = gen_linktype(proto);
1946 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
1952 static struct block *
1953 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
1954 struct in6_addr *addr;
1955 struct in6_addr *mask;
1957 u_int src_off, dst_off;
1959 struct block *b0, *b1;
1974 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1975 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1981 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1982 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1989 /* this order is important */
1990 a = (u_int32_t *)addr;
1991 m = (u_int32_t *)mask;
1992 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
1993 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
1995 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
1997 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
1999 b0 = gen_linktype(proto);
2005 static struct block *
2006 gen_ehostop(eaddr, dir)
2007 register const u_char *eaddr;
2010 register struct block *b0, *b1;
2014 return gen_bcmp(off_mac + 6, 6, eaddr);
2017 return gen_bcmp(off_mac + 0, 6, eaddr);
2020 b0 = gen_ehostop(eaddr, Q_SRC);
2021 b1 = gen_ehostop(eaddr, Q_DST);
2027 b0 = gen_ehostop(eaddr, Q_SRC);
2028 b1 = gen_ehostop(eaddr, Q_DST);
2037 * Like gen_ehostop, but for DLT_FDDI
2039 static struct block *
2040 gen_fhostop(eaddr, dir)
2041 register const u_char *eaddr;
2044 struct block *b0, *b1;
2049 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2051 return gen_bcmp(6 + 1, 6, eaddr);
2056 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2058 return gen_bcmp(0 + 1, 6, eaddr);
2062 b0 = gen_fhostop(eaddr, Q_SRC);
2063 b1 = gen_fhostop(eaddr, Q_DST);
2069 b0 = gen_fhostop(eaddr, Q_SRC);
2070 b1 = gen_fhostop(eaddr, Q_DST);
2079 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2081 static struct block *
2082 gen_thostop(eaddr, dir)
2083 register const u_char *eaddr;
2086 register struct block *b0, *b1;
2090 return gen_bcmp(8, 6, eaddr);
2093 return gen_bcmp(2, 6, eaddr);
2096 b0 = gen_thostop(eaddr, Q_SRC);
2097 b1 = gen_thostop(eaddr, Q_DST);
2103 b0 = gen_thostop(eaddr, Q_SRC);
2104 b1 = gen_thostop(eaddr, Q_DST);
2113 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2115 static struct block *
2116 gen_wlanhostop(eaddr, dir)
2117 register const u_char *eaddr;
2120 register struct block *b0, *b1, *b2;
2121 register struct slist *s;
2128 * For control frames, there is no SA.
2130 * For management frames, SA is at an
2131 * offset of 10 from the beginning of
2134 * For data frames, SA is at an offset
2135 * of 10 from the beginning of the packet
2136 * if From DS is clear, at an offset of
2137 * 16 from the beginning of the packet
2138 * if From DS is set and To DS is clear,
2139 * and an offset of 24 from the beginning
2140 * of the packet if From DS is set and To DS
2145 * Generate the tests to be done for data frames
2148 * First, check for To DS set, i.e. check "link[1] & 0x01".
2150 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2152 b1 = new_block(JMP(BPF_JSET));
2153 b1->s.k = 0x01; /* To DS */
2157 * If To DS is set, the SA is at 24.
2159 b0 = gen_bcmp(24, 6, eaddr);
2163 * Now, check for To DS not set, i.e. check
2164 * "!(link[1] & 0x01)".
2166 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2168 b2 = new_block(JMP(BPF_JSET));
2169 b2->s.k = 0x01; /* To DS */
2174 * If To DS is not set, the SA is at 16.
2176 b1 = gen_bcmp(16, 6, eaddr);
2180 * Now OR together the last two checks. That gives
2181 * the complete set of checks for data frames with
2187 * Now check for From DS being set, and AND that with
2188 * the ORed-together checks.
2190 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2192 b1 = new_block(JMP(BPF_JSET));
2193 b1->s.k = 0x02; /* From DS */
2198 * Now check for data frames with From DS not set.
2200 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2202 b2 = new_block(JMP(BPF_JSET));
2203 b2->s.k = 0x02; /* From DS */
2208 * If From DS isn't set, the SA is at 10.
2210 b1 = gen_bcmp(10, 6, eaddr);
2214 * Now OR together the checks for data frames with
2215 * From DS not set and for data frames with From DS
2216 * set; that gives the checks done for data frames.
2221 * Now check for a data frame.
2222 * I.e, check "link[0] & 0x08".
2224 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2226 b1 = new_block(JMP(BPF_JSET));
2231 * AND that with the checks done for data frames.
2236 * If the high-order bit of the type value is 0, this
2237 * is a management frame.
2238 * I.e, check "!(link[0] & 0x08)".
2240 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2242 b2 = new_block(JMP(BPF_JSET));
2248 * For management frames, the SA is at 10.
2250 b1 = gen_bcmp(10, 6, eaddr);
2254 * OR that with the checks done for data frames.
2255 * That gives the checks done for management and
2261 * If the low-order bit of the type value is 1,
2262 * this is either a control frame or a frame
2263 * with a reserved type, and thus not a
2266 * I.e., check "!(link[0] & 0x04)".
2268 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2270 b1 = new_block(JMP(BPF_JSET));
2276 * AND that with the checks for data and management
2286 * For control frames, there is no DA.
2288 * For management frames, DA is at an
2289 * offset of 4 from the beginning of
2292 * For data frames, DA is at an offset
2293 * of 4 from the beginning of the packet
2294 * if To DS is clear and at an offset of
2295 * 16 from the beginning of the packet
2300 * Generate the tests to be done for data frames.
2302 * First, check for To DS set, i.e. "link[1] & 0x01".
2304 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2306 b1 = new_block(JMP(BPF_JSET));
2307 b1->s.k = 0x01; /* To DS */
2311 * If To DS is set, the DA is at 16.
2313 b0 = gen_bcmp(16, 6, eaddr);
2317 * Now, check for To DS not set, i.e. check
2318 * "!(link[1] & 0x01)".
2320 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2322 b2 = new_block(JMP(BPF_JSET));
2323 b2->s.k = 0x01; /* To DS */
2328 * If To DS is not set, the DA is at 4.
2330 b1 = gen_bcmp(4, 6, eaddr);
2334 * Now OR together the last two checks. That gives
2335 * the complete set of checks for data frames.
2340 * Now check for a data frame.
2341 * I.e, check "link[0] & 0x08".
2343 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2345 b1 = new_block(JMP(BPF_JSET));
2350 * AND that with the checks done for data frames.
2355 * If the high-order bit of the type value is 0, this
2356 * is a management frame.
2357 * I.e, check "!(link[0] & 0x08)".
2359 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2361 b2 = new_block(JMP(BPF_JSET));
2367 * For management frames, the DA is at 4.
2369 b1 = gen_bcmp(4, 6, eaddr);
2373 * OR that with the checks done for data frames.
2374 * That gives the checks done for management and
2380 * If the low-order bit of the type value is 1,
2381 * this is either a control frame or a frame
2382 * with a reserved type, and thus not a
2385 * I.e., check "!(link[0] & 0x04)".
2387 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2389 b1 = new_block(JMP(BPF_JSET));
2395 * AND that with the checks for data and management
2402 b0 = gen_wlanhostop(eaddr, Q_SRC);
2403 b1 = gen_wlanhostop(eaddr, Q_DST);
2409 b0 = gen_wlanhostop(eaddr, Q_SRC);
2410 b1 = gen_wlanhostop(eaddr, Q_DST);
2419 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2420 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2421 * as the RFC states.)
2423 static struct block *
2424 gen_ipfchostop(eaddr, dir)
2425 register const u_char *eaddr;
2428 register struct block *b0, *b1;
2432 return gen_bcmp(10, 6, eaddr);
2435 return gen_bcmp(2, 6, eaddr);
2438 b0 = gen_ipfchostop(eaddr, Q_SRC);
2439 b1 = gen_ipfchostop(eaddr, Q_DST);
2445 b0 = gen_ipfchostop(eaddr, Q_SRC);
2446 b1 = gen_ipfchostop(eaddr, Q_DST);
2455 * This is quite tricky because there may be pad bytes in front of the
2456 * DECNET header, and then there are two possible data packet formats that
2457 * carry both src and dst addresses, plus 5 packet types in a format that
2458 * carries only the src node, plus 2 types that use a different format and
2459 * also carry just the src node.
2463 * Instead of doing those all right, we just look for data packets with
2464 * 0 or 1 bytes of padding. If you want to look at other packets, that
2465 * will require a lot more hacking.
2467 * To add support for filtering on DECNET "areas" (network numbers)
2468 * one would want to add a "mask" argument to this routine. That would
2469 * make the filter even more inefficient, although one could be clever
2470 * and not generate masking instructions if the mask is 0xFFFF.
2472 static struct block *
2473 gen_dnhostop(addr, dir, base_off)
2478 struct block *b0, *b1, *b2, *tmp;
2479 u_int offset_lh; /* offset if long header is received */
2480 u_int offset_sh; /* offset if short header is received */
2485 offset_sh = 1; /* follows flags */
2486 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2490 offset_sh = 3; /* follows flags, dstnode */
2491 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2495 /* Inefficient because we do our Calvinball dance twice */
2496 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2497 b1 = gen_dnhostop(addr, Q_DST, base_off);
2503 /* Inefficient because we do our Calvinball dance twice */
2504 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2505 b1 = gen_dnhostop(addr, Q_DST, base_off);
2510 bpf_error("ISO host filtering not implemented");
2515 b0 = gen_linktype(ETHERTYPE_DN);
2516 /* Check for pad = 1, long header case */
2517 tmp = gen_mcmp(base_off + 2, BPF_H,
2518 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2519 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2520 BPF_H, (bpf_int32)ntohs(addr));
2522 /* Check for pad = 0, long header case */
2523 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2524 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2527 /* Check for pad = 1, short header case */
2528 tmp = gen_mcmp(base_off + 2, BPF_H,
2529 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2530 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2531 BPF_H, (bpf_int32)ntohs(addr));
2534 /* Check for pad = 0, short header case */
2535 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2536 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2540 /* Combine with test for linktype */
2545 static struct block *
2546 gen_host(addr, mask, proto, dir)
2552 struct block *b0, *b1;
2557 b0 = gen_host(addr, mask, Q_IP, dir);
2558 if (off_linktype != (u_int)-1) {
2559 b1 = gen_host(addr, mask, Q_ARP, dir);
2561 b0 = gen_host(addr, mask, Q_RARP, dir);
2567 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2568 off_nl + 12, off_nl + 16);
2571 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2572 off_nl + 14, off_nl + 24);
2575 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2576 off_nl + 14, off_nl + 24);
2579 bpf_error("'tcp' modifier applied to host");
2582 bpf_error("'sctp' modifier applied to host");
2585 bpf_error("'udp' modifier applied to host");
2588 bpf_error("'icmp' modifier applied to host");
2591 bpf_error("'igmp' modifier applied to host");
2594 bpf_error("'igrp' modifier applied to host");
2597 bpf_error("'pim' modifier applied to host");
2600 bpf_error("'vrrp' modifier applied to host");
2603 bpf_error("ATALK host filtering not implemented");
2606 bpf_error("AARP host filtering not implemented");
2609 return gen_dnhostop(addr, dir, off_nl);
2612 bpf_error("SCA host filtering not implemented");
2615 bpf_error("LAT host filtering not implemented");
2618 bpf_error("MOPDL host filtering not implemented");
2621 bpf_error("MOPRC host filtering not implemented");
2625 bpf_error("'ip6' modifier applied to ip host");
2628 bpf_error("'icmp6' modifier applied to host");
2632 bpf_error("'ah' modifier applied to host");
2635 bpf_error("'esp' modifier applied to host");
2638 bpf_error("ISO host filtering not implemented");
2641 bpf_error("'esis' modifier applied to host");
2644 bpf_error("'isis' modifier applied to host");
2647 bpf_error("'clnp' modifier applied to host");
2650 bpf_error("'stp' modifier applied to host");
2653 bpf_error("IPX host filtering not implemented");
2656 bpf_error("'netbeui' modifier applied to host");
2665 static struct block *
2666 gen_host6(addr, mask, proto, dir)
2667 struct in6_addr *addr;
2668 struct in6_addr *mask;
2675 return gen_host6(addr, mask, Q_IPV6, dir);
2678 bpf_error("'ip' modifier applied to ip6 host");
2681 bpf_error("'rarp' modifier applied to ip6 host");
2684 bpf_error("'arp' modifier applied to ip6 host");
2687 bpf_error("'sctp' modifier applied to host");
2690 bpf_error("'tcp' modifier applied to host");
2693 bpf_error("'udp' modifier applied to host");
2696 bpf_error("'icmp' modifier applied to host");
2699 bpf_error("'igmp' modifier applied to host");
2702 bpf_error("'igrp' modifier applied to host");
2705 bpf_error("'pim' modifier applied to host");
2708 bpf_error("'vrrp' modifier applied to host");
2711 bpf_error("ATALK host filtering not implemented");
2714 bpf_error("AARP host filtering not implemented");
2717 bpf_error("'decnet' modifier applied to ip6 host");
2720 bpf_error("SCA host filtering not implemented");
2723 bpf_error("LAT host filtering not implemented");
2726 bpf_error("MOPDL host filtering not implemented");
2729 bpf_error("MOPRC host filtering not implemented");
2732 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2733 off_nl + 8, off_nl + 24);
2736 bpf_error("'icmp6' modifier applied to host");
2739 bpf_error("'ah' modifier applied to host");
2742 bpf_error("'esp' modifier applied to host");
2745 bpf_error("ISO host filtering not implemented");
2748 bpf_error("'esis' modifier applied to host");
2751 bpf_error("'isis' modifier applied to host");
2754 bpf_error("'clnp' modifier applied to host");
2757 bpf_error("'stp' modifier applied to host");
2760 bpf_error("IPX host filtering not implemented");
2763 bpf_error("'netbeui' modifier applied to host");
2773 static struct block *
2774 gen_gateway(eaddr, alist, proto, dir)
2775 const u_char *eaddr;
2776 bpf_u_int32 **alist;
2780 struct block *b0, *b1, *tmp;
2783 bpf_error("direction applied to 'gateway'");
2790 if (linktype == DLT_EN10MB)
2791 b0 = gen_ehostop(eaddr, Q_OR);
2792 else if (linktype == DLT_FDDI)
2793 b0 = gen_fhostop(eaddr, Q_OR);
2794 else if (linktype == DLT_IEEE802)
2795 b0 = gen_thostop(eaddr, Q_OR);
2796 else if (linktype == DLT_IEEE802_11)
2797 b0 = gen_wlanhostop(eaddr, Q_OR);
2798 else if (linktype == DLT_SUNATM && is_lane) {
2800 * Check that the packet doesn't begin with an
2801 * LE Control marker. (We've already generated
2804 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2808 * Now check the MAC address.
2810 b0 = gen_ehostop(eaddr, Q_OR);
2812 } else if (linktype == DLT_IP_OVER_FC)
2813 b0 = gen_ipfchostop(eaddr, Q_OR);
2816 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2818 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2820 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2828 bpf_error("illegal modifier of 'gateway'");
2834 gen_proto_abbrev(proto)
2843 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2845 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2851 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2853 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2859 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2861 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2867 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2870 #ifndef IPPROTO_IGMP
2871 #define IPPROTO_IGMP 2
2875 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2878 #ifndef IPPROTO_IGRP
2879 #define IPPROTO_IGRP 9
2882 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2886 #define IPPROTO_PIM 103
2890 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2892 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2897 #ifndef IPPROTO_VRRP
2898 #define IPPROTO_VRRP 112
2902 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2906 b1 = gen_linktype(ETHERTYPE_IP);
2910 b1 = gen_linktype(ETHERTYPE_ARP);
2914 b1 = gen_linktype(ETHERTYPE_REVARP);
2918 bpf_error("link layer applied in wrong context");
2921 b1 = gen_linktype(ETHERTYPE_ATALK);
2925 b1 = gen_linktype(ETHERTYPE_AARP);
2929 b1 = gen_linktype(ETHERTYPE_DN);
2933 b1 = gen_linktype(ETHERTYPE_SCA);
2937 b1 = gen_linktype(ETHERTYPE_LAT);
2941 b1 = gen_linktype(ETHERTYPE_MOPDL);
2945 b1 = gen_linktype(ETHERTYPE_MOPRC);
2950 b1 = gen_linktype(ETHERTYPE_IPV6);
2953 #ifndef IPPROTO_ICMPV6
2954 #define IPPROTO_ICMPV6 58
2957 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
2962 #define IPPROTO_AH 51
2965 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
2967 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
2973 #define IPPROTO_ESP 50
2976 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
2978 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
2984 b1 = gen_linktype(LLCSAP_ISONS);
2988 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
2992 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
2995 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
2996 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
2997 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
2999 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3001 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3003 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3007 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3008 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3009 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3011 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3013 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3015 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3019 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3020 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3021 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3023 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3028 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3029 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3034 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3035 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3037 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3039 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3044 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3045 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3050 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3051 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3056 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3060 b1 = gen_linktype(LLCSAP_8021D);
3064 b1 = gen_linktype(LLCSAP_IPX);
3068 b1 = gen_linktype(LLCSAP_NETBEUI);
3077 static struct block *
3084 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3085 s->s.k = off_nl + 6;
3086 b = new_block(JMP(BPF_JSET));
3094 static struct block *
3095 gen_portatom(off, v)
3102 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3105 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3106 s->next->s.k = off_nl + off;
3108 b = new_block(JMP(BPF_JEQ));
3116 static struct block *
3117 gen_portatom6(off, v)
3121 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3126 gen_portop(port, proto, dir)
3127 int port, proto, dir;
3129 struct block *b0, *b1, *tmp;
3131 /* ip proto 'proto' */
3132 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3138 b1 = gen_portatom(0, (bpf_int32)port);
3142 b1 = gen_portatom(2, (bpf_int32)port);
3147 tmp = gen_portatom(0, (bpf_int32)port);
3148 b1 = gen_portatom(2, (bpf_int32)port);
3153 tmp = gen_portatom(0, (bpf_int32)port);
3154 b1 = gen_portatom(2, (bpf_int32)port);
3166 static struct block *
3167 gen_port(port, ip_proto, dir)
3172 struct block *b0, *b1, *tmp;
3177 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3178 * not LLC encapsulation with LLCSAP_IP.
3180 * For IEEE 802 networks - which includes 802.5 token ring
3181 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3182 * says that SNAP encapsulation is used, not LLC encapsulation
3185 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3186 * RFC 2225 say that SNAP encapsulation is used, not LLC
3187 * encapsulation with LLCSAP_IP.
3189 * So we always check for ETHERTYPE_IP.
3191 b0 = gen_linktype(ETHERTYPE_IP);
3197 b1 = gen_portop(port, ip_proto, dir);
3201 tmp = gen_portop(port, IPPROTO_TCP, dir);
3202 b1 = gen_portop(port, IPPROTO_UDP, dir);
3204 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3217 gen_portop6(port, proto, dir)
3218 int port, proto, dir;
3220 struct block *b0, *b1, *tmp;
3222 /* ip proto 'proto' */
3223 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3227 b1 = gen_portatom6(0, (bpf_int32)port);
3231 b1 = gen_portatom6(2, (bpf_int32)port);
3236 tmp = gen_portatom6(0, (bpf_int32)port);
3237 b1 = gen_portatom6(2, (bpf_int32)port);
3242 tmp = gen_portatom6(0, (bpf_int32)port);
3243 b1 = gen_portatom6(2, (bpf_int32)port);
3255 static struct block *
3256 gen_port6(port, ip_proto, dir)
3261 struct block *b0, *b1, *tmp;
3263 /* ether proto ip */
3264 b0 = gen_linktype(ETHERTYPE_IPV6);
3270 b1 = gen_portop6(port, ip_proto, dir);
3274 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3275 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3277 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3290 lookup_proto(name, proto)
3291 register const char *name;
3301 v = pcap_nametoproto(name);
3302 if (v == PROTO_UNDEF)
3303 bpf_error("unknown ip proto '%s'", name);
3307 /* XXX should look up h/w protocol type based on linktype */
3308 v = pcap_nametoeproto(name);
3309 if (v == PROTO_UNDEF)
3310 bpf_error("unknown ether proto '%s'", name);
3314 if (strcmp(name, "esis") == 0)
3316 else if (strcmp(name, "isis") == 0)
3318 else if (strcmp(name, "clnp") == 0)
3321 bpf_error("unknown osi proto '%s'", name);
3341 static struct block *
3342 gen_protochain(v, proto, dir)
3347 #ifdef NO_PROTOCHAIN
3348 return gen_proto(v, proto, dir);
3350 struct block *b0, *b;
3351 struct slist *s[100];
3352 int fix2, fix3, fix4, fix5;
3353 int ahcheck, again, end;
3355 int reg2 = alloc_reg();
3357 memset(s, 0, sizeof(s));
3358 fix2 = fix3 = fix4 = fix5 = 0;
3365 b0 = gen_protochain(v, Q_IP, dir);
3366 b = gen_protochain(v, Q_IPV6, dir);
3370 bpf_error("bad protocol applied for 'protochain'");
3374 no_optimize = 1; /*this code is not compatible with optimzer yet */
3377 * s[0] is a dummy entry to protect other BPF insn from damaged
3378 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3379 * hard to find interdependency made by jump table fixup.
3382 s[i] = new_stmt(0); /*dummy*/
3387 b0 = gen_linktype(ETHERTYPE_IP);
3390 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3391 s[i]->s.k = off_nl + 9;
3393 /* X = ip->ip_hl << 2 */
3394 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3400 b0 = gen_linktype(ETHERTYPE_IPV6);
3402 /* A = ip6->ip_nxt */
3403 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3404 s[i]->s.k = off_nl + 6;
3406 /* X = sizeof(struct ip6_hdr) */
3407 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3413 bpf_error("unsupported proto to gen_protochain");
3417 /* again: if (A == v) goto end; else fall through; */
3419 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3421 s[i]->s.jt = NULL; /*later*/
3422 s[i]->s.jf = NULL; /*update in next stmt*/
3426 #ifndef IPPROTO_NONE
3427 #define IPPROTO_NONE 59
3429 /* if (A == IPPROTO_NONE) goto end */
3430 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3431 s[i]->s.jt = NULL; /*later*/
3432 s[i]->s.jf = NULL; /*update in next stmt*/
3433 s[i]->s.k = IPPROTO_NONE;
3434 s[fix5]->s.jf = s[i];
3439 if (proto == Q_IPV6) {
3440 int v6start, v6end, v6advance, j;
3443 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3444 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3445 s[i]->s.jt = NULL; /*later*/
3446 s[i]->s.jf = NULL; /*update in next stmt*/
3447 s[i]->s.k = IPPROTO_HOPOPTS;
3448 s[fix2]->s.jf = s[i];
3450 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3451 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3452 s[i]->s.jt = NULL; /*later*/
3453 s[i]->s.jf = NULL; /*update in next stmt*/
3454 s[i]->s.k = IPPROTO_DSTOPTS;
3456 /* if (A == IPPROTO_ROUTING) goto v6advance */
3457 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3458 s[i]->s.jt = NULL; /*later*/
3459 s[i]->s.jf = NULL; /*update in next stmt*/
3460 s[i]->s.k = IPPROTO_ROUTING;
3462 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3463 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3464 s[i]->s.jt = NULL; /*later*/
3465 s[i]->s.jf = NULL; /*later*/
3466 s[i]->s.k = IPPROTO_FRAGMENT;
3477 * X = X + (P[X + 1] + 1) * 8;
3480 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3482 /* A = P[X + packet head] */
3483 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3487 s[i] = new_stmt(BPF_ST);
3491 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3494 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3498 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3500 /* A = P[X + packet head]; */
3501 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3505 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3509 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3513 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3516 s[i] = new_stmt(BPF_LD|BPF_MEM);
3520 /* goto again; (must use BPF_JA for backward jump) */
3521 s[i] = new_stmt(BPF_JMP|BPF_JA);
3522 s[i]->s.k = again - i - 1;
3523 s[i - 1]->s.jf = s[i];
3527 for (j = v6start; j <= v6end; j++)
3528 s[j]->s.jt = s[v6advance];
3533 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3535 s[fix2]->s.jf = s[i];
3541 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3542 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3543 s[i]->s.jt = NULL; /*later*/
3544 s[i]->s.jf = NULL; /*later*/
3545 s[i]->s.k = IPPROTO_AH;
3547 s[fix3]->s.jf = s[ahcheck];
3554 * X = X + (P[X + 1] + 2) * 4;
3557 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3559 /* A = P[X + packet head]; */
3560 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3564 s[i] = new_stmt(BPF_ST);
3568 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3571 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3575 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3577 /* A = P[X + packet head] */
3578 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3582 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3586 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3590 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3593 s[i] = new_stmt(BPF_LD|BPF_MEM);
3597 /* goto again; (must use BPF_JA for backward jump) */
3598 s[i] = new_stmt(BPF_JMP|BPF_JA);
3599 s[i]->s.k = again - i - 1;
3604 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3606 s[fix2]->s.jt = s[end];
3607 s[fix4]->s.jf = s[end];
3608 s[fix5]->s.jt = s[end];
3615 for (i = 0; i < max - 1; i++)
3616 s[i]->next = s[i + 1];
3617 s[max - 1]->next = NULL;
3622 b = new_block(JMP(BPF_JEQ));
3623 b->stmts = s[1]; /*remember, s[0] is dummy*/
3633 static struct block *
3634 gen_proto(v, proto, dir)
3639 struct block *b0, *b1;
3641 if (dir != Q_DEFAULT)
3642 bpf_error("direction applied to 'proto'");
3647 b0 = gen_proto(v, Q_IP, dir);
3648 b1 = gen_proto(v, Q_IPV6, dir);
3656 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3657 * not LLC encapsulation with LLCSAP_IP.
3659 * For IEEE 802 networks - which includes 802.5 token ring
3660 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3661 * says that SNAP encapsulation is used, not LLC encapsulation
3664 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3665 * RFC 2225 say that SNAP encapsulation is used, not LLC
3666 * encapsulation with LLCSAP_IP.
3668 * So we always check for ETHERTYPE_IP.
3670 b0 = gen_linktype(ETHERTYPE_IP);
3672 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3674 b1 = gen_protochain(v, Q_IP);
3684 * Frame Relay packets typically have an OSI
3685 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3686 * generates code to check for all the OSI
3687 * NLPIDs, so calling it and then adding a check
3688 * for the particular NLPID for which we're
3689 * looking is bogus, as we can just check for
3692 * What we check for is the NLPID and a frame
3693 * control field value of UI, i.e. 0x03 followed
3696 * XXX - assumes a 2-byte Frame Relay header with
3697 * DLCI and flags. What if the address is longer?
3699 * XXX - what about SNAP-encapsulated frames?
3701 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3706 * Cisco uses an Ethertype lookalike - for OSI,
3709 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3710 /* OSI in C-HDLC is stuffed with a fudge byte */
3711 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3716 b0 = gen_linktype(LLCSAP_ISONS);
3717 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3723 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3725 * 4 is the offset of the PDU type relative to the IS-IS
3728 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3733 bpf_error("arp does not encapsulate another protocol");
3737 bpf_error("rarp does not encapsulate another protocol");
3741 bpf_error("atalk encapsulation is not specifiable");
3745 bpf_error("decnet encapsulation is not specifiable");
3749 bpf_error("sca does not encapsulate another protocol");
3753 bpf_error("lat does not encapsulate another protocol");
3757 bpf_error("moprc does not encapsulate another protocol");
3761 bpf_error("mopdl does not encapsulate another protocol");
3765 return gen_linktype(v);
3768 bpf_error("'udp proto' is bogus");
3772 bpf_error("'tcp proto' is bogus");
3776 bpf_error("'sctp proto' is bogus");
3780 bpf_error("'icmp proto' is bogus");
3784 bpf_error("'igmp proto' is bogus");
3788 bpf_error("'igrp proto' is bogus");
3792 bpf_error("'pim proto' is bogus");
3796 bpf_error("'vrrp proto' is bogus");
3801 b0 = gen_linktype(ETHERTYPE_IPV6);
3803 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3805 b1 = gen_protochain(v, Q_IPV6);
3811 bpf_error("'icmp6 proto' is bogus");
3815 bpf_error("'ah proto' is bogus");
3818 bpf_error("'ah proto' is bogus");
3821 bpf_error("'stp proto' is bogus");
3824 bpf_error("'ipx proto' is bogus");
3827 bpf_error("'netbeui proto' is bogus");
3838 register const char *name;
3841 int proto = q.proto;
3845 bpf_u_int32 mask, addr;
3847 bpf_u_int32 **alist;
3850 struct sockaddr_in *sin;
3851 struct sockaddr_in6 *sin6;
3852 struct addrinfo *res, *res0;
3853 struct in6_addr mask128;
3855 struct block *b, *tmp;
3856 int port, real_proto;
3861 addr = pcap_nametonetaddr(name);
3863 bpf_error("unknown network '%s'", name);
3864 /* Left justify network addr and calculate its network mask */
3866 while (addr && (addr & 0xff000000) == 0) {
3870 return gen_host(addr, mask, proto, dir);
3874 if (proto == Q_LINK) {
3878 eaddr = pcap_ether_hostton(name);
3881 "unknown ether host '%s'", name);
3882 b = gen_ehostop(eaddr, dir);
3887 eaddr = pcap_ether_hostton(name);
3890 "unknown FDDI host '%s'", name);
3891 b = gen_fhostop(eaddr, dir);
3896 eaddr = pcap_ether_hostton(name);
3899 "unknown token ring host '%s'", name);
3900 b = gen_thostop(eaddr, dir);
3904 case DLT_IEEE802_11:
3905 eaddr = pcap_ether_hostton(name);
3908 "unknown 802.11 host '%s'", name);
3909 b = gen_wlanhostop(eaddr, dir);
3913 case DLT_IP_OVER_FC:
3914 eaddr = pcap_ether_hostton(name);
3917 "unknown Fibre Channel host '%s'", name);
3918 b = gen_ipfchostop(eaddr, dir);
3927 * Check that the packet doesn't begin
3928 * with an LE Control marker. (We've
3929 * already generated a test for LANE.)
3931 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
3935 eaddr = pcap_ether_hostton(name);
3938 "unknown ether host '%s'", name);
3939 b = gen_ehostop(eaddr, dir);
3945 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
3946 } else if (proto == Q_DECNET) {
3947 unsigned short dn_addr = __pcap_nametodnaddr(name);
3949 * I don't think DECNET hosts can be multihomed, so
3950 * there is no need to build up a list of addresses
3952 return (gen_host(dn_addr, 0, proto, dir));
3955 alist = pcap_nametoaddr(name);
3956 if (alist == NULL || *alist == NULL)
3957 bpf_error("unknown host '%s'", name);
3959 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
3961 b = gen_host(**alist++, 0xffffffff, tproto, dir);
3963 tmp = gen_host(**alist++, 0xffffffff,
3970 memset(&mask128, 0xff, sizeof(mask128));
3971 res0 = res = pcap_nametoaddrinfo(name);
3973 bpf_error("unknown host '%s'", name);
3975 tproto = tproto6 = proto;
3976 if (off_linktype == -1 && tproto == Q_DEFAULT) {
3980 for (res = res0; res; res = res->ai_next) {
3981 switch (res->ai_family) {
3983 if (tproto == Q_IPV6)
3986 sin = (struct sockaddr_in *)
3988 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
3989 0xffffffff, tproto, dir);
3992 if (tproto6 == Q_IP)
3995 sin6 = (struct sockaddr_in6 *)
3997 tmp = gen_host6(&sin6->sin6_addr,
3998 &mask128, tproto6, dir);
4009 bpf_error("unknown host '%s'%s", name,
4010 (proto == Q_DEFAULT)
4012 : " for specified address family");
4019 if (proto != Q_DEFAULT &&
4020 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4021 bpf_error("illegal qualifier of 'port'");
4022 if (pcap_nametoport(name, &port, &real_proto) == 0)
4023 bpf_error("unknown port '%s'", name);
4024 if (proto == Q_UDP) {
4025 if (real_proto == IPPROTO_TCP)
4026 bpf_error("port '%s' is tcp", name);
4027 else if (real_proto == IPPROTO_SCTP)
4028 bpf_error("port '%s' is sctp", name);
4030 /* override PROTO_UNDEF */
4031 real_proto = IPPROTO_UDP;
4033 if (proto == Q_TCP) {
4034 if (real_proto == IPPROTO_UDP)
4035 bpf_error("port '%s' is udp", name);
4037 else if (real_proto == IPPROTO_SCTP)
4038 bpf_error("port '%s' is sctp", name);
4040 /* override PROTO_UNDEF */
4041 real_proto = IPPROTO_TCP;
4043 if (proto == Q_SCTP) {
4044 if (real_proto == IPPROTO_UDP)
4045 bpf_error("port '%s' is udp", name);
4047 else if (real_proto == IPPROTO_TCP)
4048 bpf_error("port '%s' is tcp", name);
4050 /* override PROTO_UNDEF */
4051 real_proto = IPPROTO_SCTP;
4054 return gen_port(port, real_proto, dir);
4058 b = gen_port(port, real_proto, dir);
4059 gen_or(gen_port6(port, real_proto, dir), b);
4066 eaddr = pcap_ether_hostton(name);
4068 bpf_error("unknown ether host: %s", name);
4070 alist = pcap_nametoaddr(name);
4071 if (alist == NULL || *alist == NULL)
4072 bpf_error("unknown host '%s'", name);
4073 b = gen_gateway(eaddr, alist, proto, dir);
4077 bpf_error("'gateway' not supported in this configuration");
4081 real_proto = lookup_proto(name, proto);
4082 if (real_proto >= 0)
4083 return gen_proto(real_proto, proto, dir);
4085 bpf_error("unknown protocol: %s", name);
4088 real_proto = lookup_proto(name, proto);
4089 if (real_proto >= 0)
4090 return gen_protochain(real_proto, proto, dir);
4092 bpf_error("unknown protocol: %s", name);
4104 gen_mcode(s1, s2, masklen, q)
4105 register const char *s1, *s2;
4106 register int masklen;
4109 register int nlen, mlen;
4112 nlen = __pcap_atoin(s1, &n);
4113 /* Promote short ipaddr */
4117 mlen = __pcap_atoin(s2, &m);
4118 /* Promote short ipaddr */
4121 bpf_error("non-network bits set in \"%s mask %s\"",
4124 /* Convert mask len to mask */
4126 bpf_error("mask length must be <= 32");
4127 m = 0xffffffff << (32 - masklen);
4129 bpf_error("non-network bits set in \"%s/%d\"",
4136 return gen_host(n, m, q.proto, q.dir);
4139 bpf_error("Mask syntax for networks only");
4146 register const char *s;
4151 int proto = q.proto;
4157 else if (q.proto == Q_DECNET)
4158 vlen = __pcap_atodn(s, &v);
4160 vlen = __pcap_atoin(s, &v);
4167 if (proto == Q_DECNET)
4168 return gen_host(v, 0, proto, dir);
4169 else if (proto == Q_LINK) {
4170 bpf_error("illegal link layer address");
4173 if (s == NULL && q.addr == Q_NET) {
4174 /* Promote short net number */
4175 while (v && (v & 0xff000000) == 0) {
4180 /* Promote short ipaddr */
4184 return gen_host(v, mask, proto, dir);
4189 proto = IPPROTO_UDP;
4190 else if (proto == Q_TCP)
4191 proto = IPPROTO_TCP;
4192 else if (proto == Q_SCTP)
4193 proto = IPPROTO_SCTP;
4194 else if (proto == Q_DEFAULT)
4195 proto = PROTO_UNDEF;
4197 bpf_error("illegal qualifier of 'port'");
4200 return gen_port((int)v, proto, dir);
4204 b = gen_port((int)v, proto, dir);
4205 gen_or(gen_port6((int)v, proto, dir), b);
4211 bpf_error("'gateway' requires a name");
4215 return gen_proto((int)v, proto, dir);
4218 return gen_protochain((int)v, proto, dir);
4233 gen_mcode6(s1, s2, masklen, q)
4234 register const char *s1, *s2;
4235 register int masklen;
4238 struct addrinfo *res;
4239 struct in6_addr *addr;
4240 struct in6_addr mask;
4245 bpf_error("no mask %s supported", s2);
4247 res = pcap_nametoaddrinfo(s1);
4249 bpf_error("invalid ip6 address %s", s1);
4251 bpf_error("%s resolved to multiple address", s1);
4252 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4254 if (sizeof(mask) * 8 < masklen)
4255 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4256 memset(&mask, 0, sizeof(mask));
4257 memset(&mask, 0xff, masklen / 8);
4259 mask.s6_addr[masklen / 8] =
4260 (0xff << (8 - masklen % 8)) & 0xff;
4263 a = (u_int32_t *)addr;
4264 m = (u_int32_t *)&mask;
4265 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4266 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4267 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4275 bpf_error("Mask syntax for networks only");
4279 b = gen_host6(addr, &mask, q.proto, q.dir);
4284 bpf_error("invalid qualifier against IPv6 address");
4292 register const u_char *eaddr;
4295 struct block *b, *tmp;
4297 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4298 if (linktype == DLT_EN10MB)
4299 return gen_ehostop(eaddr, (int)q.dir);
4300 if (linktype == DLT_FDDI)
4301 return gen_fhostop(eaddr, (int)q.dir);
4302 if (linktype == DLT_IEEE802)
4303 return gen_thostop(eaddr, (int)q.dir);
4304 if (linktype == DLT_IEEE802_11)
4305 return gen_wlanhostop(eaddr, (int)q.dir);
4306 if (linktype == DLT_SUNATM && is_lane) {
4308 * Check that the packet doesn't begin with an
4309 * LE Control marker. (We've already generated
4312 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4316 * Now check the MAC address.
4318 b = gen_ehostop(eaddr, (int)q.dir);
4322 if (linktype == DLT_IP_OVER_FC)
4323 return gen_ipfchostop(eaddr, (int)q.dir);
4324 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4326 bpf_error("ethernet address used in non-ether expression");
4332 struct slist *s0, *s1;
4335 * This is definitely not the best way to do this, but the
4336 * lists will rarely get long.
4343 static struct slist *
4349 s = new_stmt(BPF_LDX|BPF_MEM);
4354 static struct slist *
4360 s = new_stmt(BPF_LD|BPF_MEM);
4366 gen_load(proto, index, size)
4371 struct slist *s, *tmp;
4373 int regno = alloc_reg();
4375 free_reg(index->regno);
4379 bpf_error("data size must be 1, 2, or 4");
4395 bpf_error("unsupported index operation");
4399 * XXX - what about ATM LANE? Should the index be
4400 * relative to the beginning of the AAL5 frame, so
4401 * that 0 refers to the beginning of the LE Control
4402 * field, or relative to the beginning of the LAN
4403 * frame, so that 0 refers, for Ethernet LANE, to
4404 * the beginning of the destination address?
4406 s = xfer_to_x(index);
4407 tmp = new_stmt(BPF_LD|BPF_IND|size);
4409 sappend(index->s, s);
4424 /* XXX Note that we assume a fixed link header here. */
4425 s = xfer_to_x(index);
4426 tmp = new_stmt(BPF_LD|BPF_IND|size);
4429 sappend(index->s, s);
4431 b = gen_proto_abbrev(proto);
4433 gen_and(index->b, b);
4445 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4447 sappend(s, xfer_to_a(index));
4448 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4449 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4450 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4452 sappend(index->s, s);
4454 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4456 gen_and(index->b, b);
4458 gen_and(gen_proto_abbrev(Q_IP), b);
4464 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4468 index->regno = regno;
4469 s = new_stmt(BPF_ST);
4471 sappend(index->s, s);
4477 gen_relation(code, a0, a1, reversed)
4479 struct arth *a0, *a1;
4482 struct slist *s0, *s1, *s2;
4483 struct block *b, *tmp;
4487 if (code == BPF_JEQ) {
4488 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4489 b = new_block(JMP(code));
4493 b = new_block(BPF_JMP|code|BPF_X);
4499 sappend(a0->s, a1->s);
4503 free_reg(a0->regno);
4504 free_reg(a1->regno);
4506 /* 'and' together protocol checks */
4509 gen_and(a0->b, tmp = a1->b);
4525 int regno = alloc_reg();
4526 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4529 s = new_stmt(BPF_LD|BPF_LEN);
4530 s->next = new_stmt(BPF_ST);
4531 s->next->s.k = regno;
4546 a = (struct arth *)newchunk(sizeof(*a));
4550 s = new_stmt(BPF_LD|BPF_IMM);
4552 s->next = new_stmt(BPF_ST);
4568 s = new_stmt(BPF_ALU|BPF_NEG);
4571 s = new_stmt(BPF_ST);
4579 gen_arth(code, a0, a1)
4581 struct arth *a0, *a1;
4583 struct slist *s0, *s1, *s2;
4587 s2 = new_stmt(BPF_ALU|BPF_X|code);
4592 sappend(a0->s, a1->s);
4594 free_reg(a0->regno);
4595 free_reg(a1->regno);
4597 s0 = new_stmt(BPF_ST);
4598 a0->regno = s0->s.k = alloc_reg();
4605 * Here we handle simple allocation of the scratch registers.
4606 * If too many registers are alloc'd, the allocator punts.
4608 static int regused[BPF_MEMWORDS];
4612 * Return the next free register.
4617 int n = BPF_MEMWORDS;
4620 if (regused[curreg])
4621 curreg = (curreg + 1) % BPF_MEMWORDS;
4623 regused[curreg] = 1;
4627 bpf_error("too many registers needed to evaluate expression");
4632 * Return a register to the table so it can
4642 static struct block *
4649 s = new_stmt(BPF_LD|BPF_LEN);
4650 b = new_block(JMP(jmp));
4661 return gen_len(BPF_JGE, n);
4665 * Actually, this is less than or equal.
4673 b = gen_len(BPF_JGT, n);
4680 gen_byteop(op, idx, val)
4691 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4694 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4695 b->s.code = JMP(BPF_JGE);
4700 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4701 b->s.code = JMP(BPF_JGT);
4705 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4709 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4713 b = new_block(JMP(BPF_JEQ));
4720 static u_char abroadcast[] = { 0x0 };
4723 gen_broadcast(proto)
4726 bpf_u_int32 hostmask;
4727 struct block *b0, *b1, *b2;
4728 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4734 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4735 return gen_ahostop(abroadcast, Q_DST);
4736 if (linktype == DLT_EN10MB)
4737 return gen_ehostop(ebroadcast, Q_DST);
4738 if (linktype == DLT_FDDI)
4739 return gen_fhostop(ebroadcast, Q_DST);
4740 if (linktype == DLT_IEEE802)
4741 return gen_thostop(ebroadcast, Q_DST);
4742 if (linktype == DLT_IEEE802_11)
4743 return gen_wlanhostop(ebroadcast, Q_DST);
4744 if (linktype == DLT_IP_OVER_FC)
4745 return gen_ipfchostop(ebroadcast, Q_DST);
4746 if (linktype == DLT_SUNATM && is_lane) {
4748 * Check that the packet doesn't begin with an
4749 * LE Control marker. (We've already generated
4752 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4756 * Now check the MAC address.
4758 b0 = gen_ehostop(ebroadcast, Q_DST);
4762 bpf_error("not a broadcast link");
4766 b0 = gen_linktype(ETHERTYPE_IP);
4767 hostmask = ~netmask;
4768 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4769 b2 = gen_mcmp(off_nl + 16, BPF_W,
4770 (bpf_int32)(~0 & hostmask), hostmask);
4775 bpf_error("only link-layer/IP broadcast filters supported");
4779 * Generate code to test the low-order bit of a MAC address (that's
4780 * the bottom bit of the *first* byte).
4782 static struct block *
4783 gen_mac_multicast(offset)
4786 register struct block *b0;
4787 register struct slist *s;
4789 /* link[offset] & 1 != 0 */
4790 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4792 b0 = new_block(JMP(BPF_JSET));
4799 gen_multicast(proto)
4802 register struct block *b0, *b1, *b2;
4803 register struct slist *s;
4809 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4810 /* all ARCnet multicasts use the same address */
4811 return gen_ahostop(abroadcast, Q_DST);
4813 if (linktype == DLT_EN10MB) {
4814 /* ether[0] & 1 != 0 */
4815 return gen_mac_multicast(0);
4818 if (linktype == DLT_FDDI) {
4820 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4822 * XXX - was that referring to bit-order issues?
4824 /* fddi[1] & 1 != 0 */
4825 return gen_mac_multicast(1);
4828 if (linktype == DLT_IEEE802) {
4829 /* tr[2] & 1 != 0 */
4830 return gen_mac_multicast(2);
4833 if (linktype == DLT_IEEE802_11) {
4837 * For control frames, there is no DA.
4839 * For management frames, DA is at an
4840 * offset of 4 from the beginning of
4843 * For data frames, DA is at an offset
4844 * of 4 from the beginning of the packet
4845 * if To DS is clear and at an offset of
4846 * 16 from the beginning of the packet
4851 * Generate the tests to be done for data frames.
4853 * First, check for To DS set, i.e. "link[1] & 0x01".
4855 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4857 b1 = new_block(JMP(BPF_JSET));
4858 b1->s.k = 0x01; /* To DS */
4862 * If To DS is set, the DA is at 16.
4864 b0 = gen_mac_multicast(16);
4868 * Now, check for To DS not set, i.e. check
4869 * "!(link[1] & 0x01)".
4871 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4873 b2 = new_block(JMP(BPF_JSET));
4874 b2->s.k = 0x01; /* To DS */
4879 * If To DS is not set, the DA is at 4.
4881 b1 = gen_mac_multicast(4);
4885 * Now OR together the last two checks. That gives
4886 * the complete set of checks for data frames.
4891 * Now check for a data frame.
4892 * I.e, check "link[0] & 0x08".
4894 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4896 b1 = new_block(JMP(BPF_JSET));
4901 * AND that with the checks done for data frames.
4906 * If the high-order bit of the type value is 0, this
4907 * is a management frame.
4908 * I.e, check "!(link[0] & 0x08)".
4910 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4912 b2 = new_block(JMP(BPF_JSET));
4918 * For management frames, the DA is at 4.
4920 b1 = gen_mac_multicast(4);
4924 * OR that with the checks done for data frames.
4925 * That gives the checks done for management and
4931 * If the low-order bit of the type value is 1,
4932 * this is either a control frame or a frame
4933 * with a reserved type, and thus not a
4936 * I.e., check "!(link[0] & 0x04)".
4938 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4940 b1 = new_block(JMP(BPF_JSET));
4946 * AND that with the checks for data and management
4953 if (linktype == DLT_IP_OVER_FC) {
4954 b0 = gen_mac_multicast(2);
4958 if (linktype == DLT_SUNATM && is_lane) {
4960 * Check that the packet doesn't begin with an
4961 * LE Control marker. (We've already generated
4964 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4967 /* ether[off_mac] & 1 != 0 */
4968 b0 = gen_mac_multicast(off_mac);
4973 /* Link not known to support multicasts */
4977 b0 = gen_linktype(ETHERTYPE_IP);
4978 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
4979 b1->s.code = JMP(BPF_JGE);
4985 b0 = gen_linktype(ETHERTYPE_IPV6);
4986 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
4991 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
4995 * generate command for inbound/outbound. It's here so we can
4996 * make it link-type specific. 'dir' = 0 implies "inbound",
4997 * = 1 implies "outbound".
5003 register struct block *b0;
5006 * Only some data link types support inbound/outbound qualifiers.
5010 b0 = gen_relation(BPF_JEQ,
5011 gen_load(Q_LINK, gen_loadi(0), 1),
5019 * Match packets sent by this machine.
5021 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5024 * Match packets sent to this machine.
5025 * (No broadcast or multicast packets, or
5026 * packets sent to some other machine and
5027 * received promiscuously.)
5029 * XXX - packets sent to other machines probably
5030 * shouldn't be matched, but what about broadcast
5031 * or multicast packets we received?
5033 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5038 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5039 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5043 bpf_error("inbound/outbound not supported on linktype %d",
5051 /* PF firewall log matched interface */
5053 gen_pf_ifname(const char *ifname)
5058 if (linktype == DLT_PFLOG) {
5059 len = sizeof(((struct pfloghdr *)0)->ifname);
5060 off = offsetof(struct pfloghdr, ifname);
5062 bpf_error("ifname not supported on linktype 0x%x", linktype);
5065 if (strlen(ifname) >= len) {
5066 bpf_error("ifname interface names can only be %d characters",
5070 b0 = gen_bcmp(off, strlen(ifname), ifname);
5074 /* PF firewall log matched interface */
5076 gen_pf_ruleset(char *ruleset)
5080 if (linktype != DLT_PFLOG) {
5081 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5084 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5085 bpf_error("ruleset names can only be %ld characters",
5086 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5089 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5090 strlen(ruleset), ruleset);
5094 /* PF firewall log rule number */
5100 if (linktype == DLT_PFLOG) {
5101 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5104 bpf_error("rnr not supported on linktype 0x%x", linktype);
5111 /* PF firewall log sub-rule number */
5113 gen_pf_srnr(int srnr)
5117 if (linktype != DLT_PFLOG) {
5118 bpf_error("srnr not supported on linktype 0x%x", linktype);
5122 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5127 /* PF firewall log reason code */
5129 gen_pf_reason(int reason)
5133 if (linktype == DLT_PFLOG) {
5134 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5137 bpf_error("reason not supported on linktype 0x%x", linktype);
5144 /* PF firewall log action */
5146 gen_pf_action(int action)
5150 if (linktype == DLT_PFLOG) {
5151 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5154 bpf_error("action not supported on linktype 0x%x", linktype);
5163 register const u_char *eaddr;
5166 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5167 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5168 return gen_ahostop(eaddr, (int)q.dir);
5170 bpf_error("ARCnet address used in non-arc expression");
5174 static struct block *
5175 gen_ahostop(eaddr, dir)
5176 register const u_char *eaddr;
5179 register struct block *b0, *b1;
5182 /* src comes first, different from Ethernet */
5184 return gen_bcmp(0, 1, eaddr);
5187 return gen_bcmp(1, 1, eaddr);
5190 b0 = gen_ahostop(eaddr, Q_SRC);
5191 b1 = gen_ahostop(eaddr, Q_DST);
5197 b0 = gen_ahostop(eaddr, Q_SRC);
5198 b1 = gen_ahostop(eaddr, Q_DST);
5207 * support IEEE 802.1Q VLAN trunk over ethernet
5216 * Change the offsets to point to the type and data fields within
5217 * the VLAN packet. This is somewhat of a kludge.
5219 if (orig_nl == (u_int)-1) {
5220 orig_linktype = off_linktype; /* save original values */
5222 orig_nl_nosnap = off_nl_nosnap;
5233 bpf_error("no VLAN support for data link type %d",
5239 /* check for VLAN */
5240 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5242 /* If a specific VLAN is requested, check VLAN id */
5243 if (vlan_num >= 0) {
5246 b1 = gen_cmp(orig_nl, BPF_H, (bpf_int32)vlan_num);
5255 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5267 bpf_error("'vpi' supported only on raw ATM");
5268 if (off_vpi == (u_int)-1)
5270 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5271 (u_int)jvalue, reverse);
5276 bpf_error("'vci' supported only on raw ATM");
5277 if (off_vci == (u_int)-1)
5279 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5280 (u_int)jvalue, reverse);
5284 if (off_proto == (u_int)-1)
5285 abort(); /* XXX - this isn't on FreeBSD */
5286 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5287 (u_int)jvalue, reverse);
5291 if (off_payload == (u_int)-1)
5293 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5294 (u_int)jtype, (u_int)jvalue, reverse);
5299 bpf_error("'callref' supported only on raw ATM");
5300 if (off_proto == (u_int)-1)
5302 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5303 (u_int)jvalue, reverse);
5313 gen_atmtype_abbrev(type)
5316 struct block *b0, *b1;
5321 /* Get all packets in Meta signalling Circuit */
5323 bpf_error("'metac' supported only on raw ATM");
5324 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5325 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5330 /* Get all packets in Broadcast Circuit*/
5332 bpf_error("'bcc' supported only on raw ATM");
5333 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5334 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5339 /* Get all cells in Segment OAM F4 circuit*/
5341 bpf_error("'oam4sc' supported only on raw ATM");
5342 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5343 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5348 /* Get all cells in End-to-End OAM F4 Circuit*/
5350 bpf_error("'oam4ec' supported only on raw ATM");
5351 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5352 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5357 /* Get all packets in connection Signalling Circuit */
5359 bpf_error("'sc' supported only on raw ATM");
5360 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5361 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5366 /* Get all packets in ILMI Circuit */
5368 bpf_error("'ilmic' supported only on raw ATM");
5369 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5370 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5375 /* Get all LANE packets */
5377 bpf_error("'lane' supported only on raw ATM");
5378 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5381 * Arrange that all subsequent tests assume LANE
5382 * rather than LLC-encapsulated packets, and set
5383 * the offsets appropriately for LANE-encapsulated
5386 * "off_mac" is the offset of the Ethernet header,
5387 * which is 2 bytes past the ATM pseudo-header
5388 * (skipping the pseudo-header and 2-byte LE Client
5389 * field). The other offsets are Ethernet offsets
5390 * relative to "off_mac".
5393 off_mac = off_payload + 2; /* MAC header */
5394 off_linktype = off_mac + 12;
5395 off_nl = off_mac + 14; /* Ethernet II */
5396 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5400 /* Get all LLC-encapsulated packets */
5402 bpf_error("'llc' supported only on raw ATM");
5403 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5414 static struct block *
5415 gen_msg_abbrev(type)
5421 * Q.2931 signalling protocol messages for handling virtual circuits
5422 * establishment and teardown
5427 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5431 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5435 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5439 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5443 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5446 case A_RELEASE_DONE:
5447 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5457 gen_atmmulti_abbrev(type)
5460 struct block *b0, *b1;
5466 bpf_error("'oam' supported only on raw ATM");
5467 b1 = gen_atmmulti_abbrev(A_OAMF4);
5472 bpf_error("'oamf4' supported only on raw ATM");
5474 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5475 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5477 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5483 * Get Q.2931 signalling messages for switched
5484 * virtual connection
5487 bpf_error("'connectmsg' supported only on raw ATM");
5488 b0 = gen_msg_abbrev(A_SETUP);
5489 b1 = gen_msg_abbrev(A_CALLPROCEED);
5491 b0 = gen_msg_abbrev(A_CONNECT);
5493 b0 = gen_msg_abbrev(A_CONNECTACK);
5495 b0 = gen_msg_abbrev(A_RELEASE);
5497 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5499 b0 = gen_atmtype_abbrev(A_SC);
5505 bpf_error("'metaconnect' supported only on raw ATM");
5506 b0 = gen_msg_abbrev(A_SETUP);
5507 b1 = gen_msg_abbrev(A_CALLPROCEED);
5509 b0 = gen_msg_abbrev(A_CONNECT);
5511 b0 = gen_msg_abbrev(A_RELEASE);
5513 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5515 b0 = gen_atmtype_abbrev(A_METAC);