2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
29 #include <sys/socket.h>
32 #include <sys/param.h>
35 #include <netinet/in.h>
36 #include <arpa/inet.h>
54 #include "ethertype.h"
58 #include "ieee80211.h"
60 #include "sunatmpos.h"
64 #include "pcap/ipnet.h"
66 #include "diag-control.h"
71 #include <linux/types.h>
72 #include <linux/if_packet.h>
73 #include <linux/filter.h>
77 #define offsetof(s, e) ((size_t)&((s *)0)->e)
82 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
89 uint16_t u6_addr16[8];
90 uint32_t u6_addr32[4];
92 #define s6_addr in6_u.u6_addr8
93 #define s6_addr16 in6_u.u6_addr16
94 #define s6_addr32 in6_u.u6_addr32
95 #define s6_addr64 in6_u.u6_addr64
98 typedef unsigned short sa_family_t;
100 #define __SOCKADDR_COMMON(sa_prefix) \
101 sa_family_t sa_prefix##family
103 /* Ditto, for IPv6. */
106 __SOCKADDR_COMMON (sin6_);
107 uint16_t sin6_port; /* Transport layer port # */
108 uint32_t sin6_flowinfo; /* IPv6 flow information */
109 struct in6_addr sin6_addr; /* IPv6 address */
112 #ifndef EAI_ADDRFAMILY
114 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
115 int ai_family; /* PF_xxx */
116 int ai_socktype; /* SOCK_xxx */
117 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
118 size_t ai_addrlen; /* length of ai_addr */
119 char *ai_canonname; /* canonical name for hostname */
120 struct sockaddr *ai_addr; /* binary address */
121 struct addrinfo *ai_next; /* next structure in linked list */
123 #endif /* EAI_ADDRFAMILY */
124 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
127 #include <netdb.h> /* for "struct addrinfo" */
129 #include <pcap/namedb.h>
131 #include "nametoaddr.h"
133 #define ETHERMTU 1500
135 #ifndef IPPROTO_HOPOPTS
136 #define IPPROTO_HOPOPTS 0
138 #ifndef IPPROTO_ROUTING
139 #define IPPROTO_ROUTING 43
141 #ifndef IPPROTO_FRAGMENT
142 #define IPPROTO_FRAGMENT 44
144 #ifndef IPPROTO_DSTOPTS
145 #define IPPROTO_DSTOPTS 60
148 #define IPPROTO_SCTP 132
151 #define GENEVE_PORT 6081
153 #ifdef HAVE_OS_PROTO_H
154 #include "os-proto.h"
157 #define JMP(c) ((c)|BPF_JMP|BPF_K)
160 * "Push" the current value of the link-layer header type and link-layer
161 * header offset onto a "stack", and set a new value. (It's not a
162 * full-blown stack; we keep only the top two items.)
164 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
166 (cs)->prevlinktype = (cs)->linktype; \
167 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
168 (cs)->linktype = (new_linktype); \
169 (cs)->off_linkhdr.is_variable = (new_is_variable); \
170 (cs)->off_linkhdr.constant_part = (new_constant_part); \
171 (cs)->off_linkhdr.reg = (new_reg); \
172 (cs)->is_geneve = 0; \
176 * Offset "not set" value.
178 #define OFFSET_NOT_SET 0xffffffffU
181 * Absolute offsets, which are offsets from the beginning of the raw
182 * packet data, are, in the general case, the sum of a variable value
183 * and a constant value; the variable value may be absent, in which
184 * case the offset is only the constant value, and the constant value
185 * may be zero, in which case the offset is only the variable value.
187 * bpf_abs_offset is a structure containing all that information:
189 * is_variable is 1 if there's a variable part.
191 * constant_part is the constant part of the value, possibly zero;
193 * if is_variable is 1, reg is the register number for a register
194 * containing the variable value if the register has been assigned,
204 * Value passed to gen_load_a() to indicate what the offset argument
205 * is relative to the beginning of.
208 OR_PACKET, /* full packet data */
209 OR_LINKHDR, /* link-layer header */
210 OR_PREVLINKHDR, /* previous link-layer header */
211 OR_LLC, /* 802.2 LLC header */
212 OR_PREVMPLSHDR, /* previous MPLS header */
213 OR_LINKTYPE, /* link-layer type */
214 OR_LINKPL, /* link-layer payload */
215 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
216 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
217 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
221 * We divy out chunks of memory rather than call malloc each time so
222 * we don't have to worry about leaking memory. It's probably
223 * not a big deal if all this memory was wasted but if this ever
224 * goes into a library that would probably not be a good idea.
226 * XXX - this *is* in a library....
229 #define CHUNK0SIZE 1024
235 /* Code generator state */
237 struct _compiler_state {
248 int outermostlinktype;
253 /* Hack for handling VLAN and MPLS stacks. */
254 u_int label_stack_depth;
255 u_int vlan_stack_depth;
261 * As errors are handled by a longjmp, anything allocated must
262 * be freed in the longjmp handler, so it must be reachable
265 * One thing that's allocated is the result of pcap_nametoaddrinfo();
266 * it must be freed with freeaddrinfo(). This variable points to
267 * any addrinfo structure that would need to be freed.
272 * Another thing that's allocated is the result of pcap_ether_aton();
273 * it must be freed with free(). This variable points to any
274 * address that would need to be freed.
279 * Various code constructs need to know the layout of the packet.
280 * These values give the necessary offsets from the beginning
281 * of the packet data.
285 * Absolute offset of the beginning of the link-layer header.
287 bpf_abs_offset off_linkhdr;
290 * If we're checking a link-layer header for a packet encapsulated
291 * in another protocol layer, this is the equivalent information
292 * for the previous layers' link-layer header from the beginning
293 * of the raw packet data.
295 bpf_abs_offset off_prevlinkhdr;
298 * This is the equivalent information for the outermost layers'
301 bpf_abs_offset off_outermostlinkhdr;
304 * Absolute offset of the beginning of the link-layer payload.
306 bpf_abs_offset off_linkpl;
309 * "off_linktype" is the offset to information in the link-layer
310 * header giving the packet type. This is an absolute offset
311 * from the beginning of the packet.
313 * For Ethernet, it's the offset of the Ethernet type field; this
314 * means that it must have a value that skips VLAN tags.
316 * For link-layer types that always use 802.2 headers, it's the
317 * offset of the LLC header; this means that it must have a value
318 * that skips VLAN tags.
320 * For PPP, it's the offset of the PPP type field.
322 * For Cisco HDLC, it's the offset of the CHDLC type field.
324 * For BSD loopback, it's the offset of the AF_ value.
326 * For Linux cooked sockets, it's the offset of the type field.
328 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
329 * encapsulation, in which case, IP is assumed.
331 bpf_abs_offset off_linktype;
334 * TRUE if the link layer includes an ATM pseudo-header.
339 * TRUE if "geneve" appeared in the filter; it causes us to
340 * generate code that checks for a Geneve header and assume
341 * that later filters apply to the encapsulated payload.
346 * TRUE if we need variable length part of VLAN offset
348 int is_vlan_vloffset;
351 * These are offsets for the ATM pseudo-header.
358 * These are offsets for the MTP2 fields.
364 * These are offsets for the MTP3 fields.
372 * This is the offset of the first byte after the ATM pseudo_header,
373 * or -1 if there is no ATM pseudo-header.
378 * These are offsets to the beginning of the network-layer header.
379 * They are relative to the beginning of the link-layer payload
380 * (i.e., they don't include off_linkhdr.constant_part or
381 * off_linkpl.constant_part).
383 * If the link layer never uses 802.2 LLC:
385 * "off_nl" and "off_nl_nosnap" are the same.
387 * If the link layer always uses 802.2 LLC:
389 * "off_nl" is the offset if there's a SNAP header following
392 * "off_nl_nosnap" is the offset if there's no SNAP header.
394 * If the link layer is Ethernet:
396 * "off_nl" is the offset if the packet is an Ethernet II packet
397 * (we assume no 802.3+802.2+SNAP);
399 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
400 * with an 802.2 header following it.
406 * Here we handle simple allocation of the scratch registers.
407 * If too many registers are alloc'd, the allocator punts.
409 int regused[BPF_MEMWORDS];
415 struct chunk chunks[NCHUNKS];
420 * For use by routines outside this file.
424 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
429 * If we've already set an error, don't override it.
430 * The lexical analyzer reports some errors by setting
431 * the error and then returning a LEX_ERROR token, which
432 * is not recognized by any grammar rule, and thus forces
433 * the parse to stop. We don't want the error reported
434 * by the lexical analyzer to be overwritten by the syntax
437 if (!cstate->error_set) {
439 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
442 cstate->error_set = 1;
447 * For use *ONLY* in routines in this file.
449 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
450 PCAP_PRINTFLIKE(2, 3);
453 static void PCAP_NORETURN
454 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
459 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
462 longjmp(cstate->top_ctx, 1);
469 static int init_linktype(compiler_state_t *, pcap_t *);
471 static void init_regs(compiler_state_t *);
472 static int alloc_reg(compiler_state_t *);
473 static void free_reg(compiler_state_t *, int);
475 static void initchunks(compiler_state_t *cstate);
476 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
477 static void *newchunk(compiler_state_t *cstate, size_t);
478 static void freechunks(compiler_state_t *cstate);
479 static inline struct block *new_block(compiler_state_t *cstate, int);
480 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
481 static struct block *gen_retblk(compiler_state_t *cstate, int);
482 static inline void syntax(compiler_state_t *cstate);
484 static void backpatch(struct block *, struct block *);
485 static void merge(struct block *, struct block *);
486 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
488 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
490 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
492 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
494 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
496 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
497 u_int, bpf_u_int32, bpf_u_int32);
498 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
499 u_int, const u_char *);
500 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
501 u_int, bpf_u_int32, int, int, bpf_u_int32);
502 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
504 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
506 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
507 static struct block *gen_uncond(compiler_state_t *, int);
508 static inline struct block *gen_true(compiler_state_t *);
509 static inline struct block *gen_false(compiler_state_t *);
510 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
511 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
512 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
513 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *);
514 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
515 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
516 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
517 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
518 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
519 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
521 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
522 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
523 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
524 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
525 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
526 int, bpf_u_int32, u_int, u_int);
528 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
529 struct in6_addr *, int, bpf_u_int32, u_int, u_int);
531 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
532 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
533 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
534 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
535 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
536 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
537 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
538 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
539 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
542 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
543 struct in6_addr *, int, int, int);
546 static struct block *gen_gateway(compiler_state_t *, const u_char *,
547 struct addrinfo *, int, int);
549 static struct block *gen_ipfrag(compiler_state_t *);
550 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
551 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
553 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
554 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
556 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
557 static struct block *gen_port(compiler_state_t *, u_int, int, int);
558 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
560 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
561 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
562 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
563 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
565 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
566 static int lookup_proto(compiler_state_t *, const char *, int);
567 #if !defined(NO_PROTOCHAIN)
568 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
569 #endif /* !defined(NO_PROTOCHAIN) */
570 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
571 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
572 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
573 static struct block *gen_mac_multicast(compiler_state_t *, int);
574 static struct block *gen_len(compiler_state_t *, int, int);
575 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
576 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
578 static struct block *gen_ppi_dlt_check(compiler_state_t *);
579 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
580 bpf_u_int32, int, int);
581 static struct block *gen_atmtype_llc(compiler_state_t *);
582 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
585 initchunks(compiler_state_t *cstate)
589 for (i = 0; i < NCHUNKS; i++) {
590 cstate->chunks[i].n_left = 0;
591 cstate->chunks[i].m = NULL;
593 cstate->cur_chunk = 0;
597 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
604 /* XXX Round up to nearest long. */
605 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
607 /* XXX Round up to structure boundary. */
611 cp = &cstate->chunks[cstate->cur_chunk];
612 if (n > cp->n_left) {
614 k = ++cstate->cur_chunk;
616 bpf_set_error(cstate, "out of memory");
619 size = CHUNK0SIZE << k;
620 cp->m = (void *)malloc(size);
622 bpf_set_error(cstate, "out of memory");
625 memset((char *)cp->m, 0, size);
628 bpf_set_error(cstate, "out of memory");
633 return (void *)((char *)cp->m + cp->n_left);
637 newchunk(compiler_state_t *cstate, size_t n)
641 p = newchunk_nolongjmp(cstate, n);
643 longjmp(cstate->top_ctx, 1);
650 freechunks(compiler_state_t *cstate)
654 for (i = 0; i < NCHUNKS; ++i)
655 if (cstate->chunks[i].m != NULL)
656 free(cstate->chunks[i].m);
660 * A strdup whose allocations are freed after code generation is over.
661 * This is used by the lexical analyzer, so it can't longjmp; it just
662 * returns NULL on an allocation error, and the callers must check
666 sdup(compiler_state_t *cstate, const char *s)
668 size_t n = strlen(s) + 1;
669 char *cp = newchunk_nolongjmp(cstate, n);
673 pcap_strlcpy(cp, s, n);
677 static inline struct block *
678 new_block(compiler_state_t *cstate, int code)
682 p = (struct block *)newchunk(cstate, sizeof(*p));
689 static inline struct slist *
690 new_stmt(compiler_state_t *cstate, int code)
694 p = (struct slist *)newchunk(cstate, sizeof(*p));
700 static struct block *
701 gen_retblk(compiler_state_t *cstate, int v)
703 struct block *b = new_block(cstate, BPF_RET|BPF_K);
709 static inline PCAP_NORETURN_DEF void
710 syntax(compiler_state_t *cstate)
712 bpf_error(cstate, "syntax error in filter expression");
716 pcap_compile(pcap_t *p, struct bpf_program *program,
717 const char *buf, int optimize, bpf_u_int32 mask)
722 compiler_state_t cstate;
723 const char * volatile xbuf = buf;
724 yyscan_t scanner = NULL;
725 volatile YY_BUFFER_STATE in_buffer = NULL;
730 * If this pcap_t hasn't been activated, it doesn't have a
731 * link-layer type, so we can't use it.
734 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
735 "not-yet-activated pcap_t passed to pcap_compile");
747 * If the device on which we're capturing need to be notified
748 * that a new filter is being compiled, do so.
750 * This allows them to save a copy of it, in case, for example,
751 * they're implementing a form of remote packet capture, and
752 * want the remote machine to filter out the packets in which
753 * it's sending the packets it's captured.
755 * XXX - the fact that we happen to be compiling a filter
756 * doesn't necessarily mean we'll be installing it as the
757 * filter for this pcap_t; we might be running it from userland
758 * on captured packets to do packet classification. We really
759 * need a better way of handling this, but this is all that
760 * the WinPcap remote capture code did.
762 if (p->save_current_filter_op != NULL)
763 (p->save_current_filter_op)(p, buf);
767 cstate.no_optimize = 0;
772 cstate.ic.root = NULL;
773 cstate.ic.cur_mark = 0;
775 cstate.error_set = 0;
778 cstate.netmask = mask;
780 cstate.snaplen = pcap_snapshot(p);
781 if (cstate.snaplen == 0) {
782 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
783 "snaplen of 0 rejects all packets");
788 if (pcap_lex_init(&scanner) != 0)
789 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
790 errno, "can't initialize scanner");
791 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
794 * Associate the compiler state with the lexical analyzer
797 pcap_set_extra(&cstate, scanner);
799 if (init_linktype(&cstate, p) == -1) {
803 if (pcap_parse(scanner, &cstate) != 0) {
805 if (cstate.ai != NULL)
806 freeaddrinfo(cstate.ai);
808 if (cstate.e != NULL)
814 if (cstate.ic.root == NULL) {
816 * Catch errors reported by gen_retblk().
818 if (setjmp(cstate.top_ctx)) {
822 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
825 if (optimize && !cstate.no_optimize) {
826 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
831 if (cstate.ic.root == NULL ||
832 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
833 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
834 "expression rejects all packets");
839 program->bf_insns = icode_to_fcode(&cstate.ic,
840 cstate.ic.root, &len, p->errbuf);
841 if (program->bf_insns == NULL) {
846 program->bf_len = len;
848 rc = 0; /* We're all okay */
852 * Clean up everything for the lexical analyzer.
854 if (in_buffer != NULL)
855 pcap__delete_buffer(in_buffer, scanner);
857 pcap_lex_destroy(scanner);
860 * Clean up our own allocated memory.
868 * entry point for using the compiler with no pcap open
869 * pass in all the stuff that is needed explicitly instead.
872 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
873 struct bpf_program *program,
874 const char *buf, int optimize, bpf_u_int32 mask)
879 p = pcap_open_dead(linktype_arg, snaplen_arg);
882 ret = pcap_compile(p, program, buf, optimize, mask);
888 * Clean up a "struct bpf_program" by freeing all the memory allocated
892 pcap_freecode(struct bpf_program *program)
895 if (program->bf_insns != NULL) {
896 free((char *)program->bf_insns);
897 program->bf_insns = NULL;
902 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
903 * which of the jt and jf fields has been resolved and which is a pointer
904 * back to another unresolved block (or nil). At least one of the fields
905 * in each block is already resolved.
908 backpatch(struct block *list, struct block *target)
925 * Merge the lists in b0 and b1, using the 'sense' field to indicate
926 * which of jt and jf is the link.
929 merge(struct block *b0, struct block *b1)
931 register struct block **p = &b0;
933 /* Find end of list. */
935 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
937 /* Concatenate the lists. */
942 finish_parse(compiler_state_t *cstate, struct block *p)
944 struct block *ppi_dlt_check;
947 * Catch errors reported by us and routines below us, and return -1
950 if (setjmp(cstate->top_ctx))
954 * Insert before the statements of the first (root) block any
955 * statements needed to load the lengths of any variable-length
956 * headers into registers.
958 * XXX - a fancier strategy would be to insert those before the
959 * statements of all blocks that use those lengths and that
960 * have no predecessors that use them, so that we only compute
961 * the lengths if we need them. There might be even better
962 * approaches than that.
964 * However, those strategies would be more complicated, and
965 * as we don't generate code to compute a length if the
966 * program has no tests that use the length, and as most
967 * tests will probably use those lengths, we would just
968 * postpone computing the lengths so that it's not done
969 * for tests that fail early, and it's not clear that's
972 insert_compute_vloffsets(cstate, p->head);
975 * For DLT_PPI captures, generate a check of the per-packet
976 * DLT value to make sure it's DLT_IEEE802_11.
978 * XXX - TurboCap cards use DLT_PPI for Ethernet.
979 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
980 * with appropriate Ethernet information and use that rather
981 * than using something such as DLT_PPI where you don't know
982 * the link-layer header type until runtime, which, in the
983 * general case, would force us to generate both Ethernet *and*
984 * 802.11 code (*and* anything else for which PPI is used)
985 * and choose between them early in the BPF program?
987 ppi_dlt_check = gen_ppi_dlt_check(cstate);
988 if (ppi_dlt_check != NULL)
989 gen_and(ppi_dlt_check, p);
991 backpatch(p, gen_retblk(cstate, cstate->snaplen));
992 p->sense = !p->sense;
993 backpatch(p, gen_retblk(cstate, 0));
994 cstate->ic.root = p->head;
999 gen_and(struct block *b0, struct block *b1)
1001 backpatch(b0, b1->head);
1002 b0->sense = !b0->sense;
1003 b1->sense = !b1->sense;
1005 b1->sense = !b1->sense;
1006 b1->head = b0->head;
1010 gen_or(struct block *b0, struct block *b1)
1012 b0->sense = !b0->sense;
1013 backpatch(b0, b1->head);
1014 b0->sense = !b0->sense;
1016 b1->head = b0->head;
1020 gen_not(struct block *b)
1022 b->sense = !b->sense;
1025 static struct block *
1026 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1027 u_int size, bpf_u_int32 v)
1029 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1032 static struct block *
1033 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1034 u_int size, bpf_u_int32 v)
1036 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1039 static struct block *
1040 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1041 u_int size, bpf_u_int32 v)
1043 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1046 static struct block *
1047 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1048 u_int size, bpf_u_int32 v)
1050 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1053 static struct block *
1054 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1055 u_int size, bpf_u_int32 v)
1057 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1060 static struct block *
1061 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1062 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1064 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1067 static struct block *
1068 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1069 u_int size, const u_char *v)
1071 register struct block *b, *tmp;
1075 register const u_char *p = &v[size - 4];
1077 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1085 register const u_char *p = &v[size - 2];
1087 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1095 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1104 * AND the field of size "size" at offset "offset" relative to the header
1105 * specified by "offrel" with "mask", and compare it with the value "v"
1106 * with the test specified by "jtype"; if "reverse" is true, the test
1107 * should test the opposite of "jtype".
1109 static struct block *
1110 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1111 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1114 struct slist *s, *s2;
1117 s = gen_load_a(cstate, offrel, offset, size);
1119 if (mask != 0xffffffff) {
1120 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1125 b = new_block(cstate, JMP(jtype));
1128 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1134 init_linktype(compiler_state_t *cstate, pcap_t *p)
1136 cstate->pcap_fddipad = p->fddipad;
1139 * We start out with only one link-layer header.
1141 cstate->outermostlinktype = pcap_datalink(p);
1142 cstate->off_outermostlinkhdr.constant_part = 0;
1143 cstate->off_outermostlinkhdr.is_variable = 0;
1144 cstate->off_outermostlinkhdr.reg = -1;
1146 cstate->prevlinktype = cstate->outermostlinktype;
1147 cstate->off_prevlinkhdr.constant_part = 0;
1148 cstate->off_prevlinkhdr.is_variable = 0;
1149 cstate->off_prevlinkhdr.reg = -1;
1151 cstate->linktype = cstate->outermostlinktype;
1152 cstate->off_linkhdr.constant_part = 0;
1153 cstate->off_linkhdr.is_variable = 0;
1154 cstate->off_linkhdr.reg = -1;
1159 cstate->off_linkpl.constant_part = 0;
1160 cstate->off_linkpl.is_variable = 0;
1161 cstate->off_linkpl.reg = -1;
1163 cstate->off_linktype.constant_part = 0;
1164 cstate->off_linktype.is_variable = 0;
1165 cstate->off_linktype.reg = -1;
1168 * Assume it's not raw ATM with a pseudo-header, for now.
1171 cstate->off_vpi = OFFSET_NOT_SET;
1172 cstate->off_vci = OFFSET_NOT_SET;
1173 cstate->off_proto = OFFSET_NOT_SET;
1174 cstate->off_payload = OFFSET_NOT_SET;
1179 cstate->is_geneve = 0;
1182 * No variable length VLAN offset by default
1184 cstate->is_vlan_vloffset = 0;
1187 * And assume we're not doing SS7.
1189 cstate->off_li = OFFSET_NOT_SET;
1190 cstate->off_li_hsl = OFFSET_NOT_SET;
1191 cstate->off_sio = OFFSET_NOT_SET;
1192 cstate->off_opc = OFFSET_NOT_SET;
1193 cstate->off_dpc = OFFSET_NOT_SET;
1194 cstate->off_sls = OFFSET_NOT_SET;
1196 cstate->label_stack_depth = 0;
1197 cstate->vlan_stack_depth = 0;
1199 switch (cstate->linktype) {
1202 cstate->off_linktype.constant_part = 2;
1203 cstate->off_linkpl.constant_part = 6;
1204 cstate->off_nl = 0; /* XXX in reality, variable! */
1205 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1208 case DLT_ARCNET_LINUX:
1209 cstate->off_linktype.constant_part = 4;
1210 cstate->off_linkpl.constant_part = 8;
1211 cstate->off_nl = 0; /* XXX in reality, variable! */
1212 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1216 cstate->off_linktype.constant_part = 12;
1217 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1218 cstate->off_nl = 0; /* Ethernet II */
1219 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1224 * SLIP doesn't have a link level type. The 16 byte
1225 * header is hacked into our SLIP driver.
1227 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1228 cstate->off_linkpl.constant_part = 16;
1230 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1233 case DLT_SLIP_BSDOS:
1234 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1235 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1237 cstate->off_linkpl.constant_part = 24;
1239 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1244 cstate->off_linktype.constant_part = 0;
1245 cstate->off_linkpl.constant_part = 4;
1247 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1251 cstate->off_linktype.constant_part = 0;
1252 cstate->off_linkpl.constant_part = 12;
1254 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1259 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1260 case DLT_HDLC: /* NetBSD (Cisco) HDLC */
1261 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1262 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1263 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1265 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1270 * This does no include the Ethernet header, and
1271 * only covers session state.
1273 cstate->off_linktype.constant_part = 6;
1274 cstate->off_linkpl.constant_part = 8;
1276 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1280 cstate->off_linktype.constant_part = 5;
1281 cstate->off_linkpl.constant_part = 24;
1283 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1288 * FDDI doesn't really have a link-level type field.
1289 * We set "off_linktype" to the offset of the LLC header.
1291 * To check for Ethernet types, we assume that SSAP = SNAP
1292 * is being used and pick out the encapsulated Ethernet type.
1293 * XXX - should we generate code to check for SNAP?
1295 cstate->off_linktype.constant_part = 13;
1296 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1297 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1298 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1299 cstate->off_nl = 8; /* 802.2+SNAP */
1300 cstate->off_nl_nosnap = 3; /* 802.2 */
1305 * Token Ring doesn't really have a link-level type field.
1306 * We set "off_linktype" to the offset of the LLC header.
1308 * To check for Ethernet types, we assume that SSAP = SNAP
1309 * is being used and pick out the encapsulated Ethernet type.
1310 * XXX - should we generate code to check for SNAP?
1312 * XXX - the header is actually variable-length.
1313 * Some various Linux patched versions gave 38
1314 * as "off_linktype" and 40 as "off_nl"; however,
1315 * if a token ring packet has *no* routing
1316 * information, i.e. is not source-routed, the correct
1317 * values are 20 and 22, as they are in the vanilla code.
1319 * A packet is source-routed iff the uppermost bit
1320 * of the first byte of the source address, at an
1321 * offset of 8, has the uppermost bit set. If the
1322 * packet is source-routed, the total number of bytes
1323 * of routing information is 2 plus bits 0x1F00 of
1324 * the 16-bit value at an offset of 14 (shifted right
1325 * 8 - figure out which byte that is).
1327 cstate->off_linktype.constant_part = 14;
1328 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1329 cstate->off_nl = 8; /* 802.2+SNAP */
1330 cstate->off_nl_nosnap = 3; /* 802.2 */
1333 case DLT_PRISM_HEADER:
1334 case DLT_IEEE802_11_RADIO_AVS:
1335 case DLT_IEEE802_11_RADIO:
1336 cstate->off_linkhdr.is_variable = 1;
1337 /* Fall through, 802.11 doesn't have a variable link
1338 * prefix but is otherwise the same. */
1341 case DLT_IEEE802_11:
1343 * 802.11 doesn't really have a link-level type field.
1344 * We set "off_linktype.constant_part" to the offset of
1347 * To check for Ethernet types, we assume that SSAP = SNAP
1348 * is being used and pick out the encapsulated Ethernet type.
1349 * XXX - should we generate code to check for SNAP?
1351 * We also handle variable-length radio headers here.
1352 * The Prism header is in theory variable-length, but in
1353 * practice it's always 144 bytes long. However, some
1354 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1355 * sometimes or always supply an AVS header, so we
1356 * have to check whether the radio header is a Prism
1357 * header or an AVS header, so, in practice, it's
1360 cstate->off_linktype.constant_part = 24;
1361 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1362 cstate->off_linkpl.is_variable = 1;
1363 cstate->off_nl = 8; /* 802.2+SNAP */
1364 cstate->off_nl_nosnap = 3; /* 802.2 */
1369 * At the moment we treat PPI the same way that we treat
1370 * normal Radiotap encoded packets. The difference is in
1371 * the function that generates the code at the beginning
1372 * to compute the header length. Since this code generator
1373 * of PPI supports bare 802.11 encapsulation only (i.e.
1374 * the encapsulated DLT should be DLT_IEEE802_11) we
1375 * generate code to check for this too.
1377 cstate->off_linktype.constant_part = 24;
1378 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1379 cstate->off_linkpl.is_variable = 1;
1380 cstate->off_linkhdr.is_variable = 1;
1381 cstate->off_nl = 8; /* 802.2+SNAP */
1382 cstate->off_nl_nosnap = 3; /* 802.2 */
1385 case DLT_ATM_RFC1483:
1386 case DLT_ATM_CLIP: /* Linux ATM defines this */
1388 * assume routed, non-ISO PDUs
1389 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1391 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1392 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1393 * latter would presumably be treated the way PPPoE
1394 * should be, so you can do "pppoe and udp port 2049"
1395 * or "pppoa and tcp port 80" and have it check for
1396 * PPPo{A,E} and a PPP protocol of IP and....
1398 cstate->off_linktype.constant_part = 0;
1399 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1400 cstate->off_nl = 8; /* 802.2+SNAP */
1401 cstate->off_nl_nosnap = 3; /* 802.2 */
1406 * Full Frontal ATM; you get AALn PDUs with an ATM
1410 cstate->off_vpi = SUNATM_VPI_POS;
1411 cstate->off_vci = SUNATM_VCI_POS;
1412 cstate->off_proto = PROTO_POS;
1413 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1414 cstate->off_linktype.constant_part = cstate->off_payload;
1415 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1416 cstate->off_nl = 8; /* 802.2+SNAP */
1417 cstate->off_nl_nosnap = 3; /* 802.2 */
1423 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1424 cstate->off_linkpl.constant_part = 0;
1426 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1429 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1430 cstate->off_linktype.constant_part = 14;
1431 cstate->off_linkpl.constant_part = 16;
1433 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1436 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1437 cstate->off_linktype.constant_part = 0;
1438 cstate->off_linkpl.constant_part = 20;
1440 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1445 * LocalTalk does have a 1-byte type field in the LLAP header,
1446 * but really it just indicates whether there is a "short" or
1447 * "long" DDP packet following.
1449 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1450 cstate->off_linkpl.constant_part = 0;
1452 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1455 case DLT_IP_OVER_FC:
1457 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1458 * link-level type field. We set "off_linktype" to the
1459 * offset of the LLC header.
1461 * To check for Ethernet types, we assume that SSAP = SNAP
1462 * is being used and pick out the encapsulated Ethernet type.
1463 * XXX - should we generate code to check for SNAP? RFC
1464 * 2625 says SNAP should be used.
1466 cstate->off_linktype.constant_part = 16;
1467 cstate->off_linkpl.constant_part = 16;
1468 cstate->off_nl = 8; /* 802.2+SNAP */
1469 cstate->off_nl_nosnap = 3; /* 802.2 */
1474 * XXX - we should set this to handle SNAP-encapsulated
1475 * frames (NLPID of 0x80).
1477 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1478 cstate->off_linkpl.constant_part = 0;
1480 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1484 * the only BPF-interesting FRF.16 frames are non-control frames;
1485 * Frame Relay has a variable length link-layer
1486 * so lets start with offset 4 for now and increments later on (FIXME);
1489 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1490 cstate->off_linkpl.constant_part = 0;
1492 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1495 case DLT_APPLE_IP_OVER_IEEE1394:
1496 cstate->off_linktype.constant_part = 16;
1497 cstate->off_linkpl.constant_part = 18;
1499 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1502 case DLT_SYMANTEC_FIREWALL:
1503 cstate->off_linktype.constant_part = 6;
1504 cstate->off_linkpl.constant_part = 44;
1505 cstate->off_nl = 0; /* Ethernet II */
1506 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1510 cstate->off_linktype.constant_part = 0;
1511 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1512 cstate->off_linkpl.is_variable = 1;
1514 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1517 case DLT_JUNIPER_MFR:
1518 case DLT_JUNIPER_MLFR:
1519 case DLT_JUNIPER_MLPPP:
1520 case DLT_JUNIPER_PPP:
1521 case DLT_JUNIPER_CHDLC:
1522 case DLT_JUNIPER_FRELAY:
1523 cstate->off_linktype.constant_part = 4;
1524 cstate->off_linkpl.constant_part = 4;
1526 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1529 case DLT_JUNIPER_ATM1:
1530 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1531 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1533 cstate->off_nl_nosnap = 10;
1536 case DLT_JUNIPER_ATM2:
1537 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1538 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1540 cstate->off_nl_nosnap = 10;
1543 /* frames captured on a Juniper PPPoE service PIC
1544 * contain raw ethernet frames */
1545 case DLT_JUNIPER_PPPOE:
1546 case DLT_JUNIPER_ETHER:
1547 cstate->off_linkpl.constant_part = 14;
1548 cstate->off_linktype.constant_part = 16;
1549 cstate->off_nl = 18; /* Ethernet II */
1550 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1553 case DLT_JUNIPER_PPPOE_ATM:
1554 cstate->off_linktype.constant_part = 4;
1555 cstate->off_linkpl.constant_part = 6;
1557 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1560 case DLT_JUNIPER_GGSN:
1561 cstate->off_linktype.constant_part = 6;
1562 cstate->off_linkpl.constant_part = 12;
1564 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1567 case DLT_JUNIPER_ES:
1568 cstate->off_linktype.constant_part = 6;
1569 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1570 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1571 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1574 case DLT_JUNIPER_MONITOR:
1575 cstate->off_linktype.constant_part = 12;
1576 cstate->off_linkpl.constant_part = 12;
1577 cstate->off_nl = 0; /* raw IP/IP6 header */
1578 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1581 case DLT_BACNET_MS_TP:
1582 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1583 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1584 cstate->off_nl = OFFSET_NOT_SET;
1585 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1588 case DLT_JUNIPER_SERVICES:
1589 cstate->off_linktype.constant_part = 12;
1590 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1591 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1592 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1595 case DLT_JUNIPER_VP:
1596 cstate->off_linktype.constant_part = 18;
1597 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1598 cstate->off_nl = OFFSET_NOT_SET;
1599 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1602 case DLT_JUNIPER_ST:
1603 cstate->off_linktype.constant_part = 18;
1604 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1605 cstate->off_nl = OFFSET_NOT_SET;
1606 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1609 case DLT_JUNIPER_ISM:
1610 cstate->off_linktype.constant_part = 8;
1611 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1612 cstate->off_nl = OFFSET_NOT_SET;
1613 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1616 case DLT_JUNIPER_VS:
1617 case DLT_JUNIPER_SRX_E2E:
1618 case DLT_JUNIPER_FIBRECHANNEL:
1619 case DLT_JUNIPER_ATM_CEMIC:
1620 cstate->off_linktype.constant_part = 8;
1621 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1622 cstate->off_nl = OFFSET_NOT_SET;
1623 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1628 cstate->off_li_hsl = 4;
1629 cstate->off_sio = 3;
1630 cstate->off_opc = 4;
1631 cstate->off_dpc = 4;
1632 cstate->off_sls = 7;
1633 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1634 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1635 cstate->off_nl = OFFSET_NOT_SET;
1636 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1639 case DLT_MTP2_WITH_PHDR:
1641 cstate->off_li_hsl = 8;
1642 cstate->off_sio = 7;
1643 cstate->off_opc = 8;
1644 cstate->off_dpc = 8;
1645 cstate->off_sls = 11;
1646 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1647 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1648 cstate->off_nl = OFFSET_NOT_SET;
1649 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1653 cstate->off_li = 22;
1654 cstate->off_li_hsl = 24;
1655 cstate->off_sio = 23;
1656 cstate->off_opc = 24;
1657 cstate->off_dpc = 24;
1658 cstate->off_sls = 27;
1659 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1660 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1661 cstate->off_nl = OFFSET_NOT_SET;
1662 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1666 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1667 cstate->off_linkpl.constant_part = 4;
1669 cstate->off_nl_nosnap = 0;
1674 * Currently, only raw "link[N:M]" filtering is supported.
1676 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1677 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1678 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1679 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1683 cstate->off_linktype.constant_part = 1;
1684 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1686 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1689 case DLT_NETANALYZER:
1690 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1691 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1692 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1693 cstate->off_nl = 0; /* Ethernet II */
1694 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1697 case DLT_NETANALYZER_TRANSPARENT:
1698 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1699 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1700 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1701 cstate->off_nl = 0; /* Ethernet II */
1702 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1707 * For values in the range in which we've assigned new
1708 * DLT_ values, only raw "link[N:M]" filtering is supported.
1710 if (cstate->linktype >= DLT_MATCHING_MIN &&
1711 cstate->linktype <= DLT_MATCHING_MAX) {
1712 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1713 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1714 cstate->off_nl = OFFSET_NOT_SET;
1715 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1717 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)",
1718 cstate->linktype, DLT_MATCHING_MIN, DLT_MATCHING_MAX);
1724 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1729 * Load a value relative to the specified absolute offset.
1731 static struct slist *
1732 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1733 u_int offset, u_int size)
1735 struct slist *s, *s2;
1737 s = gen_abs_offset_varpart(cstate, abs_offset);
1740 * If "s" is non-null, it has code to arrange that the X register
1741 * contains the variable part of the absolute offset, so we
1742 * generate a load relative to that, with an offset of
1743 * abs_offset->constant_part + offset.
1745 * Otherwise, we can do an absolute load with an offset of
1746 * abs_offset->constant_part + offset.
1750 * "s" points to a list of statements that puts the
1751 * variable part of the absolute offset into the X register.
1752 * Do an indirect load, to use the X register as an offset.
1754 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1755 s2->s.k = abs_offset->constant_part + offset;
1759 * There is no variable part of the absolute offset, so
1760 * just do an absolute load.
1762 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1763 s->s.k = abs_offset->constant_part + offset;
1769 * Load a value relative to the beginning of the specified header.
1771 static struct slist *
1772 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1775 struct slist *s, *s2;
1778 * Squelch warnings from compilers that *don't* assume that
1779 * offrel always has a valid enum value and therefore don't
1780 * assume that we'll always go through one of the case arms.
1782 * If we have a default case, compilers that *do* assume that
1783 * will then complain about the default case code being
1786 * Damned if you do, damned if you don't.
1793 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1798 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1801 case OR_PREVLINKHDR:
1802 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1806 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1809 case OR_PREVMPLSHDR:
1810 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1814 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1817 case OR_LINKPL_NOSNAP:
1818 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1822 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1827 * Load the X register with the length of the IPv4 header
1828 * (plus the offset of the link-layer header, if it's
1829 * preceded by a variable-length header such as a radio
1830 * header), in bytes.
1832 s = gen_loadx_iphdrlen(cstate);
1835 * Load the item at {offset of the link-layer payload} +
1836 * {offset, relative to the start of the link-layer
1837 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1838 * {specified offset}.
1840 * If the offset of the link-layer payload is variable,
1841 * the variable part of that offset is included in the
1842 * value in the X register, and we include the constant
1843 * part in the offset of the load.
1845 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1846 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1851 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1858 * Generate code to load into the X register the sum of the length of
1859 * the IPv4 header and the variable part of the offset of the link-layer
1862 static struct slist *
1863 gen_loadx_iphdrlen(compiler_state_t *cstate)
1865 struct slist *s, *s2;
1867 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1870 * The offset of the link-layer payload has a variable
1871 * part. "s" points to a list of statements that put
1872 * the variable part of that offset into the X register.
1874 * The 4*([k]&0xf) addressing mode can't be used, as we
1875 * don't have a constant offset, so we have to load the
1876 * value in question into the A register and add to it
1877 * the value from the X register.
1879 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1880 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1882 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1885 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1890 * The A register now contains the length of the IP header.
1891 * We need to add to it the variable part of the offset of
1892 * the link-layer payload, which is still in the X
1893 * register, and move the result into the X register.
1895 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1896 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1899 * The offset of the link-layer payload is a constant,
1900 * so no code was generated to load the (non-existent)
1901 * variable part of that offset.
1903 * This means we can use the 4*([k]&0xf) addressing
1904 * mode. Load the length of the IPv4 header, which
1905 * is at an offset of cstate->off_nl from the beginning of
1906 * the link-layer payload, and thus at an offset of
1907 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1908 * of the raw packet data, using that addressing mode.
1910 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1911 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1917 static struct block *
1918 gen_uncond(compiler_state_t *cstate, int rsense)
1923 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1925 b = new_block(cstate, JMP(BPF_JEQ));
1931 static inline struct block *
1932 gen_true(compiler_state_t *cstate)
1934 return gen_uncond(cstate, 1);
1937 static inline struct block *
1938 gen_false(compiler_state_t *cstate)
1940 return gen_uncond(cstate, 0);
1944 * Byte-swap a 32-bit number.
1945 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1946 * big-endian platforms.)
1948 #define SWAPLONG(y) \
1949 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1952 * Generate code to match a particular packet type.
1954 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1955 * value, if <= ETHERMTU. We use that to determine whether to
1956 * match the type/length field or to check the type/length field for
1957 * a value <= ETHERMTU to see whether it's a type field and then do
1958 * the appropriate test.
1960 static struct block *
1961 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
1963 struct block *b0, *b1;
1969 case LLCSAP_NETBEUI:
1971 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1972 * so we check the DSAP and SSAP.
1974 * LLCSAP_IP checks for IP-over-802.2, rather
1975 * than IP-over-Ethernet or IP-over-SNAP.
1977 * XXX - should we check both the DSAP and the
1978 * SSAP, like this, or should we check just the
1979 * DSAP, as we do for other types <= ETHERMTU
1980 * (i.e., other SAP values)?
1982 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1984 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
1992 * Ethernet_II frames, which are Ethernet
1993 * frames with a frame type of ETHERTYPE_IPX;
1995 * Ethernet_802.3 frames, which are 802.3
1996 * frames (i.e., the type/length field is
1997 * a length field, <= ETHERMTU, rather than
1998 * a type field) with the first two bytes
1999 * after the Ethernet/802.3 header being
2002 * Ethernet_802.2 frames, which are 802.3
2003 * frames with an 802.2 LLC header and
2004 * with the IPX LSAP as the DSAP in the LLC
2007 * Ethernet_SNAP frames, which are 802.3
2008 * frames with an LLC header and a SNAP
2009 * header and with an OUI of 0x000000
2010 * (encapsulated Ethernet) and a protocol
2011 * ID of ETHERTYPE_IPX in the SNAP header.
2013 * XXX - should we generate the same code both
2014 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2018 * This generates code to check both for the
2019 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2021 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2022 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2026 * Now we add code to check for SNAP frames with
2027 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2029 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2033 * Now we generate code to check for 802.3
2034 * frames in general.
2036 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2040 * Now add the check for 802.3 frames before the
2041 * check for Ethernet_802.2 and Ethernet_802.3,
2042 * as those checks should only be done on 802.3
2043 * frames, not on Ethernet frames.
2048 * Now add the check for Ethernet_II frames, and
2049 * do that before checking for the other frame
2052 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2056 case ETHERTYPE_ATALK:
2057 case ETHERTYPE_AARP:
2059 * EtherTalk (AppleTalk protocols on Ethernet link
2060 * layer) may use 802.2 encapsulation.
2064 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2065 * we check for an Ethernet type field less than
2066 * 1500, which means it's an 802.3 length field.
2068 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2072 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2073 * SNAP packets with an organization code of
2074 * 0x080007 (Apple, for Appletalk) and a protocol
2075 * type of ETHERTYPE_ATALK (Appletalk).
2077 * 802.2-encapsulated ETHERTYPE_AARP packets are
2078 * SNAP packets with an organization code of
2079 * 0x000000 (encapsulated Ethernet) and a protocol
2080 * type of ETHERTYPE_AARP (Appletalk ARP).
2082 if (ll_proto == ETHERTYPE_ATALK)
2083 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2084 else /* ll_proto == ETHERTYPE_AARP */
2085 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2089 * Check for Ethernet encapsulation (Ethertalk
2090 * phase 1?); we just check for the Ethernet
2093 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2099 if (ll_proto <= ETHERMTU) {
2101 * This is an LLC SAP value, so the frames
2102 * that match would be 802.2 frames.
2103 * Check that the frame is an 802.2 frame
2104 * (i.e., that the length/type field is
2105 * a length field, <= ETHERMTU) and
2106 * then check the DSAP.
2108 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2110 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2115 * This is an Ethernet type, so compare
2116 * the length/type field with it (if
2117 * the frame is an 802.2 frame, the length
2118 * field will be <= ETHERMTU, and, as
2119 * "ll_proto" is > ETHERMTU, this test
2120 * will fail and the frame won't match,
2121 * which is what we want).
2123 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2128 static struct block *
2129 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2132 * For DLT_NULL, the link-layer header is a 32-bit word
2133 * containing an AF_ value in *host* byte order, and for
2134 * DLT_ENC, the link-layer header begins with a 32-bit
2135 * word containing an AF_ value in host byte order.
2137 * In addition, if we're reading a saved capture file,
2138 * the host byte order in the capture may not be the
2139 * same as the host byte order on this machine.
2141 * For DLT_LOOP, the link-layer header is a 32-bit
2142 * word containing an AF_ value in *network* byte order.
2144 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2146 * The AF_ value is in host byte order, but the BPF
2147 * interpreter will convert it to network byte order.
2149 * If this is a save file, and it's from a machine
2150 * with the opposite byte order to ours, we byte-swap
2153 * Then we run it through "htonl()", and generate
2154 * code to compare against the result.
2156 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2157 ll_proto = SWAPLONG(ll_proto);
2158 ll_proto = htonl(ll_proto);
2160 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2165 * or IPv6 then we have an error.
2167 static struct block *
2168 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2173 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2176 case ETHERTYPE_IPV6:
2177 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2184 return gen_false(cstate);
2188 * Generate code to match a particular packet type.
2190 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2191 * value, if <= ETHERMTU. We use that to determine whether to
2192 * match the type field or to check the type field for the special
2193 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2195 static struct block *
2196 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2198 struct block *b0, *b1;
2204 case LLCSAP_NETBEUI:
2206 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2207 * so we check the DSAP and SSAP.
2209 * LLCSAP_IP checks for IP-over-802.2, rather
2210 * than IP-over-Ethernet or IP-over-SNAP.
2212 * XXX - should we check both the DSAP and the
2213 * SSAP, like this, or should we check just the
2214 * DSAP, as we do for other types <= ETHERMTU
2215 * (i.e., other SAP values)?
2217 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2218 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2224 * Ethernet_II frames, which are Ethernet
2225 * frames with a frame type of ETHERTYPE_IPX;
2227 * Ethernet_802.3 frames, which have a frame
2228 * type of LINUX_SLL_P_802_3;
2230 * Ethernet_802.2 frames, which are 802.3
2231 * frames with an 802.2 LLC header (i.e, have
2232 * a frame type of LINUX_SLL_P_802_2) and
2233 * with the IPX LSAP as the DSAP in the LLC
2236 * Ethernet_SNAP frames, which are 802.3
2237 * frames with an LLC header and a SNAP
2238 * header and with an OUI of 0x000000
2239 * (encapsulated Ethernet) and a protocol
2240 * ID of ETHERTYPE_IPX in the SNAP header.
2242 * First, do the checks on LINUX_SLL_P_802_2
2243 * frames; generate the check for either
2244 * Ethernet_802.2 or Ethernet_SNAP frames, and
2245 * then put a check for LINUX_SLL_P_802_2 frames
2248 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2249 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2251 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2255 * Now check for 802.3 frames and OR that with
2256 * the previous test.
2258 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2262 * Now add the check for Ethernet_II frames, and
2263 * do that before checking for the other frame
2266 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2270 case ETHERTYPE_ATALK:
2271 case ETHERTYPE_AARP:
2273 * EtherTalk (AppleTalk protocols on Ethernet link
2274 * layer) may use 802.2 encapsulation.
2278 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2279 * we check for the 802.2 protocol type in the
2280 * "Ethernet type" field.
2282 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2285 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2286 * SNAP packets with an organization code of
2287 * 0x080007 (Apple, for Appletalk) and a protocol
2288 * type of ETHERTYPE_ATALK (Appletalk).
2290 * 802.2-encapsulated ETHERTYPE_AARP packets are
2291 * SNAP packets with an organization code of
2292 * 0x000000 (encapsulated Ethernet) and a protocol
2293 * type of ETHERTYPE_AARP (Appletalk ARP).
2295 if (ll_proto == ETHERTYPE_ATALK)
2296 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2297 else /* ll_proto == ETHERTYPE_AARP */
2298 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2302 * Check for Ethernet encapsulation (Ethertalk
2303 * phase 1?); we just check for the Ethernet
2306 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2312 if (ll_proto <= ETHERMTU) {
2314 * This is an LLC SAP value, so the frames
2315 * that match would be 802.2 frames.
2316 * Check for the 802.2 protocol type
2317 * in the "Ethernet type" field, and
2318 * then check the DSAP.
2320 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2321 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2327 * This is an Ethernet type, so compare
2328 * the length/type field with it (if
2329 * the frame is an 802.2 frame, the length
2330 * field will be <= ETHERMTU, and, as
2331 * "ll_proto" is > ETHERMTU, this test
2332 * will fail and the frame won't match,
2333 * which is what we want).
2335 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2341 * Load a value relative to the beginning of the link-layer header after the
2344 static struct slist *
2345 gen_load_pflog_llprefixlen(compiler_state_t *cstate)
2347 struct slist *s1, *s2;
2350 * Generate code to load the length of the pflog header into
2351 * the register assigned to hold that length, if one has been
2352 * assigned. (If one hasn't been assigned, no code we've
2353 * generated uses that prefix, so we don't need to generate any
2356 if (cstate->off_linkpl.reg != -1) {
2358 * The length is in the first byte of the header.
2360 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2364 * Round it up to a multiple of 4.
2365 * Add 3, and clear the lower 2 bits.
2367 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2370 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2371 s2->s.k = 0xfffffffc;
2375 * Now allocate a register to hold that value and store
2378 s2 = new_stmt(cstate, BPF_ST);
2379 s2->s.k = cstate->off_linkpl.reg;
2383 * Now move it into the X register.
2385 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2393 static struct slist *
2394 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2396 struct slist *s1, *s2;
2397 struct slist *sjeq_avs_cookie;
2398 struct slist *sjcommon;
2401 * This code is not compatible with the optimizer, as
2402 * we are generating jmp instructions within a normal
2403 * slist of instructions
2405 cstate->no_optimize = 1;
2408 * Generate code to load the length of the radio header into
2409 * the register assigned to hold that length, if one has been
2410 * assigned. (If one hasn't been assigned, no code we've
2411 * generated uses that prefix, so we don't need to generate any
2414 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2415 * or always use the AVS header rather than the Prism header.
2416 * We load a 4-byte big-endian value at the beginning of the
2417 * raw packet data, and see whether, when masked with 0xFFFFF000,
2418 * it's equal to 0x80211000. If so, that indicates that it's
2419 * an AVS header (the masked-out bits are the version number).
2420 * Otherwise, it's a Prism header.
2422 * XXX - the Prism header is also, in theory, variable-length,
2423 * but no known software generates headers that aren't 144
2426 if (cstate->off_linkhdr.reg != -1) {
2430 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2434 * AND it with 0xFFFFF000.
2436 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2437 s2->s.k = 0xFFFFF000;
2441 * Compare with 0x80211000.
2443 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2444 sjeq_avs_cookie->s.k = 0x80211000;
2445 sappend(s1, sjeq_avs_cookie);
2450 * The 4 bytes at an offset of 4 from the beginning of
2451 * the AVS header are the length of the AVS header.
2452 * That field is big-endian.
2454 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2457 sjeq_avs_cookie->s.jt = s2;
2460 * Now jump to the code to allocate a register
2461 * into which to save the header length and
2462 * store the length there. (The "jump always"
2463 * instruction needs to have the k field set;
2464 * it's added to the PC, so, as we're jumping
2465 * over a single instruction, it should be 1.)
2467 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2469 sappend(s1, sjcommon);
2472 * Now for the code that handles the Prism header.
2473 * Just load the length of the Prism header (144)
2474 * into the A register. Have the test for an AVS
2475 * header branch here if we don't have an AVS header.
2477 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2480 sjeq_avs_cookie->s.jf = s2;
2483 * Now allocate a register to hold that value and store
2484 * it. The code for the AVS header will jump here after
2485 * loading the length of the AVS header.
2487 s2 = new_stmt(cstate, BPF_ST);
2488 s2->s.k = cstate->off_linkhdr.reg;
2490 sjcommon->s.jf = s2;
2493 * Now move it into the X register.
2495 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2503 static struct slist *
2504 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2506 struct slist *s1, *s2;
2509 * Generate code to load the length of the AVS header into
2510 * the register assigned to hold that length, if one has been
2511 * assigned. (If one hasn't been assigned, no code we've
2512 * generated uses that prefix, so we don't need to generate any
2515 if (cstate->off_linkhdr.reg != -1) {
2517 * The 4 bytes at an offset of 4 from the beginning of
2518 * the AVS header are the length of the AVS header.
2519 * That field is big-endian.
2521 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2525 * Now allocate a register to hold that value and store
2528 s2 = new_stmt(cstate, BPF_ST);
2529 s2->s.k = cstate->off_linkhdr.reg;
2533 * Now move it into the X register.
2535 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2543 static struct slist *
2544 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2546 struct slist *s1, *s2;
2549 * Generate code to load the length of the radiotap header into
2550 * the register assigned to hold that length, if one has been
2551 * assigned. (If one hasn't been assigned, no code we've
2552 * generated uses that prefix, so we don't need to generate any
2555 if (cstate->off_linkhdr.reg != -1) {
2557 * The 2 bytes at offsets of 2 and 3 from the beginning
2558 * of the radiotap header are the length of the radiotap
2559 * header; unfortunately, it's little-endian, so we have
2560 * to load it a byte at a time and construct the value.
2564 * Load the high-order byte, at an offset of 3, shift it
2565 * left a byte, and put the result in the X register.
2567 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2569 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2572 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2576 * Load the next byte, at an offset of 2, and OR the
2577 * value from the X register into it.
2579 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2582 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2586 * Now allocate a register to hold that value and store
2589 s2 = new_stmt(cstate, BPF_ST);
2590 s2->s.k = cstate->off_linkhdr.reg;
2594 * Now move it into the X register.
2596 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2605 * At the moment we treat PPI as normal Radiotap encoded
2606 * packets. The difference is in the function that generates
2607 * the code at the beginning to compute the header length.
2608 * Since this code generator of PPI supports bare 802.11
2609 * encapsulation only (i.e. the encapsulated DLT should be
2610 * DLT_IEEE802_11) we generate code to check for this too;
2611 * that's done in finish_parse().
2613 static struct slist *
2614 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2616 struct slist *s1, *s2;
2619 * Generate code to load the length of the radiotap header
2620 * into the register assigned to hold that length, if one has
2623 if (cstate->off_linkhdr.reg != -1) {
2625 * The 2 bytes at offsets of 2 and 3 from the beginning
2626 * of the radiotap header are the length of the radiotap
2627 * header; unfortunately, it's little-endian, so we have
2628 * to load it a byte at a time and construct the value.
2632 * Load the high-order byte, at an offset of 3, shift it
2633 * left a byte, and put the result in the X register.
2635 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2637 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2640 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2644 * Load the next byte, at an offset of 2, and OR the
2645 * value from the X register into it.
2647 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2650 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2654 * Now allocate a register to hold that value and store
2657 s2 = new_stmt(cstate, BPF_ST);
2658 s2->s.k = cstate->off_linkhdr.reg;
2662 * Now move it into the X register.
2664 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2673 * Load a value relative to the beginning of the link-layer header after the 802.11
2674 * header, i.e. LLC_SNAP.
2675 * The link-layer header doesn't necessarily begin at the beginning
2676 * of the packet data; there might be a variable-length prefix containing
2677 * radio information.
2679 static struct slist *
2680 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2683 struct slist *sjset_data_frame_1;
2684 struct slist *sjset_data_frame_2;
2685 struct slist *sjset_qos;
2686 struct slist *sjset_radiotap_flags_present;
2687 struct slist *sjset_radiotap_ext_present;
2688 struct slist *sjset_radiotap_tsft_present;
2689 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2690 struct slist *s_roundup;
2692 if (cstate->off_linkpl.reg == -1) {
2694 * No register has been assigned to the offset of
2695 * the link-layer payload, which means nobody needs
2696 * it; don't bother computing it - just return
2697 * what we already have.
2703 * This code is not compatible with the optimizer, as
2704 * we are generating jmp instructions within a normal
2705 * slist of instructions
2707 cstate->no_optimize = 1;
2710 * If "s" is non-null, it has code to arrange that the X register
2711 * contains the length of the prefix preceding the link-layer
2714 * Otherwise, the length of the prefix preceding the link-layer
2715 * header is "off_outermostlinkhdr.constant_part".
2719 * There is no variable-length header preceding the
2720 * link-layer header.
2722 * Load the length of the fixed-length prefix preceding
2723 * the link-layer header (if any) into the X register,
2724 * and store it in the cstate->off_linkpl.reg register.
2725 * That length is off_outermostlinkhdr.constant_part.
2727 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2728 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2732 * The X register contains the offset of the beginning of the
2733 * link-layer header; add 24, which is the minimum length
2734 * of the MAC header for a data frame, to that, and store it
2735 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2736 * which is at the offset in the X register, with an indexed load.
2738 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2740 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2743 s2 = new_stmt(cstate, BPF_ST);
2744 s2->s.k = cstate->off_linkpl.reg;
2747 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2752 * Check the Frame Control field to see if this is a data frame;
2753 * a data frame has the 0x08 bit (b3) in that field set and the
2754 * 0x04 bit (b2) clear.
2756 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2757 sjset_data_frame_1->s.k = 0x08;
2758 sappend(s, sjset_data_frame_1);
2761 * If b3 is set, test b2, otherwise go to the first statement of
2762 * the rest of the program.
2764 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2765 sjset_data_frame_2->s.k = 0x04;
2766 sappend(s, sjset_data_frame_2);
2767 sjset_data_frame_1->s.jf = snext;
2770 * If b2 is not set, this is a data frame; test the QoS bit.
2771 * Otherwise, go to the first statement of the rest of the
2774 sjset_data_frame_2->s.jt = snext;
2775 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2776 sjset_qos->s.k = 0x80; /* QoS bit */
2777 sappend(s, sjset_qos);
2780 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2782 * Otherwise, go to the first statement of the rest of the
2785 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2786 s2->s.k = cstate->off_linkpl.reg;
2788 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2791 s2 = new_stmt(cstate, BPF_ST);
2792 s2->s.k = cstate->off_linkpl.reg;
2796 * If we have a radiotap header, look at it to see whether
2797 * there's Atheros padding between the MAC-layer header
2800 * Note: all of the fields in the radiotap header are
2801 * little-endian, so we byte-swap all of the values
2802 * we test against, as they will be loaded as big-endian
2805 * XXX - in the general case, we would have to scan through
2806 * *all* the presence bits, if there's more than one word of
2807 * presence bits. That would require a loop, meaning that
2808 * we wouldn't be able to run the filter in the kernel.
2810 * We assume here that the Atheros adapters that insert the
2811 * annoying padding don't have multiple antennae and therefore
2812 * do not generate radiotap headers with multiple presence words.
2814 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2816 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2817 * in the first presence flag word?
2819 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2823 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2824 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2825 sappend(s, sjset_radiotap_flags_present);
2828 * If not, skip all of this.
2830 sjset_radiotap_flags_present->s.jf = snext;
2833 * Otherwise, is the "extension" bit set in that word?
2835 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2836 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2837 sappend(s, sjset_radiotap_ext_present);
2838 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2841 * If so, skip all of this.
2843 sjset_radiotap_ext_present->s.jt = snext;
2846 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2848 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2849 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2850 sappend(s, sjset_radiotap_tsft_present);
2851 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2854 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2855 * at an offset of 16 from the beginning of the raw packet
2856 * data (8 bytes for the radiotap header and 8 bytes for
2859 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2862 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2865 sjset_radiotap_tsft_present->s.jt = s2;
2867 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2868 sjset_tsft_datapad->s.k = 0x20;
2869 sappend(s, sjset_tsft_datapad);
2872 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2873 * at an offset of 8 from the beginning of the raw packet
2874 * data (8 bytes for the radiotap header).
2876 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2879 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2882 sjset_radiotap_tsft_present->s.jf = s2;
2884 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2885 sjset_notsft_datapad->s.k = 0x20;
2886 sappend(s, sjset_notsft_datapad);
2889 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2890 * set, round the length of the 802.11 header to
2891 * a multiple of 4. Do that by adding 3 and then
2892 * dividing by and multiplying by 4, which we do by
2895 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2896 s_roundup->s.k = cstate->off_linkpl.reg;
2897 sappend(s, s_roundup);
2898 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2901 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2902 s2->s.k = (bpf_u_int32)~3;
2904 s2 = new_stmt(cstate, BPF_ST);
2905 s2->s.k = cstate->off_linkpl.reg;
2908 sjset_tsft_datapad->s.jt = s_roundup;
2909 sjset_tsft_datapad->s.jf = snext;
2910 sjset_notsft_datapad->s.jt = s_roundup;
2911 sjset_notsft_datapad->s.jf = snext;
2913 sjset_qos->s.jf = snext;
2919 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2923 /* There is an implicit dependency between the link
2924 * payload and link header since the payload computation
2925 * includes the variable part of the header. Therefore,
2926 * if nobody else has allocated a register for the link
2927 * header and we need it, do it now. */
2928 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2929 cstate->off_linkhdr.reg == -1)
2930 cstate->off_linkhdr.reg = alloc_reg(cstate);
2933 * For link-layer types that have a variable-length header
2934 * preceding the link-layer header, generate code to load
2935 * the offset of the link-layer header into the register
2936 * assigned to that offset, if any.
2938 * XXX - this, and the next switch statement, won't handle
2939 * encapsulation of 802.11 or 802.11+radio information in
2940 * some other protocol stack. That's significantly more
2943 switch (cstate->outermostlinktype) {
2945 case DLT_PRISM_HEADER:
2946 s = gen_load_prism_llprefixlen(cstate);
2949 case DLT_IEEE802_11_RADIO_AVS:
2950 s = gen_load_avs_llprefixlen(cstate);
2953 case DLT_IEEE802_11_RADIO:
2954 s = gen_load_radiotap_llprefixlen(cstate);
2958 s = gen_load_ppi_llprefixlen(cstate);
2967 * For link-layer types that have a variable-length link-layer
2968 * header, generate code to load the offset of the link-layer
2969 * payload into the register assigned to that offset, if any.
2971 switch (cstate->outermostlinktype) {
2973 case DLT_IEEE802_11:
2974 case DLT_PRISM_HEADER:
2975 case DLT_IEEE802_11_RADIO_AVS:
2976 case DLT_IEEE802_11_RADIO:
2978 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2982 s = gen_load_pflog_llprefixlen(cstate);
2987 * If there is no initialization yet and we need variable
2988 * length offsets for VLAN, initialize them to zero
2990 if (s == NULL && cstate->is_vlan_vloffset) {
2993 if (cstate->off_linkpl.reg == -1)
2994 cstate->off_linkpl.reg = alloc_reg(cstate);
2995 if (cstate->off_linktype.reg == -1)
2996 cstate->off_linktype.reg = alloc_reg(cstate);
2998 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
3000 s2 = new_stmt(cstate, BPF_ST);
3001 s2->s.k = cstate->off_linkpl.reg;
3003 s2 = new_stmt(cstate, BPF_ST);
3004 s2->s.k = cstate->off_linktype.reg;
3009 * If we have any offset-loading code, append all the
3010 * existing statements in the block to those statements,
3011 * and make the resulting list the list of statements
3015 sappend(s, b->stmts);
3020 static struct block *
3021 gen_ppi_dlt_check(compiler_state_t *cstate)
3023 struct slist *s_load_dlt;
3026 if (cstate->linktype == DLT_PPI)
3028 /* Create the statements that check for the DLT
3030 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
3031 s_load_dlt->s.k = 4;
3033 b = new_block(cstate, JMP(BPF_JEQ));
3035 b->stmts = s_load_dlt;
3036 b->s.k = SWAPLONG(DLT_IEEE802_11);
3047 * Take an absolute offset, and:
3049 * if it has no variable part, return NULL;
3051 * if it has a variable part, generate code to load the register
3052 * containing that variable part into the X register, returning
3053 * a pointer to that code - if no register for that offset has
3054 * been allocated, allocate it first.
3056 * (The code to set that register will be generated later, but will
3057 * be placed earlier in the code sequence.)
3059 static struct slist *
3060 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3064 if (off->is_variable) {
3065 if (off->reg == -1) {
3067 * We haven't yet assigned a register for the
3068 * variable part of the offset of the link-layer
3069 * header; allocate one.
3071 off->reg = alloc_reg(cstate);
3075 * Load the register containing the variable part of the
3076 * offset of the link-layer header into the X register.
3078 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3083 * That offset isn't variable, there's no variable part,
3084 * so we don't need to generate any code.
3091 * Map an Ethernet type to the equivalent PPP type.
3094 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3102 case ETHERTYPE_IPV6:
3103 ll_proto = PPP_IPV6;
3107 ll_proto = PPP_DECNET;
3110 case ETHERTYPE_ATALK:
3111 ll_proto = PPP_APPLE;
3124 * I'm assuming the "Bridging PDU"s that go
3125 * over PPP are Spanning Tree Protocol
3128 ll_proto = PPP_BRPDU;
3139 * Generate any tests that, for encapsulation of a link-layer packet
3140 * inside another protocol stack, need to be done to check for those
3141 * link-layer packets (and that haven't already been done by a check
3142 * for that encapsulation).
3144 static struct block *
3145 gen_prevlinkhdr_check(compiler_state_t *cstate)
3149 if (cstate->is_geneve)
3150 return gen_geneve_ll_check(cstate);
3152 switch (cstate->prevlinktype) {
3156 * This is LANE-encapsulated Ethernet; check that the LANE
3157 * packet doesn't begin with an LE Control marker, i.e.
3158 * that it's data, not a control message.
3160 * (We've already generated a test for LANE.)
3162 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3168 * No such tests are necessary.
3176 * The three different values we should check for when checking for an
3177 * IPv6 packet with DLT_NULL.
3179 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3180 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3181 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3184 * Generate code to match a particular packet type by matching the
3185 * link-layer type field or fields in the 802.2 LLC header.
3187 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3188 * value, if <= ETHERMTU.
3190 static struct block *
3191 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3193 struct block *b0, *b1, *b2;
3194 const char *description;
3196 /* are we checking MPLS-encapsulated packets? */
3197 if (cstate->label_stack_depth > 0)
3198 return gen_mpls_linktype(cstate, ll_proto);
3200 switch (cstate->linktype) {
3203 case DLT_NETANALYZER:
3204 case DLT_NETANALYZER_TRANSPARENT:
3205 /* Geneve has an EtherType regardless of whether there is an
3207 if (!cstate->is_geneve)
3208 b0 = gen_prevlinkhdr_check(cstate);
3212 b1 = gen_ether_linktype(cstate, ll_proto);
3223 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3227 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3231 case DLT_IEEE802_11:
3232 case DLT_PRISM_HEADER:
3233 case DLT_IEEE802_11_RADIO_AVS:
3234 case DLT_IEEE802_11_RADIO:
3237 * Check that we have a data frame.
3239 b0 = gen_check_802_11_data_frame(cstate);
3242 * Now check for the specified link-layer type.
3244 b1 = gen_llc_linktype(cstate, ll_proto);
3251 * XXX - check for LLC frames.
3253 return gen_llc_linktype(cstate, ll_proto);
3258 * XXX - check for LLC PDUs, as per IEEE 802.5.
3260 return gen_llc_linktype(cstate, ll_proto);
3263 case DLT_ATM_RFC1483:
3265 case DLT_IP_OVER_FC:
3266 return gen_llc_linktype(cstate, ll_proto);
3271 * Check for an LLC-encapsulated version of this protocol;
3272 * if we were checking for LANE, linktype would no longer
3275 * Check for LLC encapsulation and then check the protocol.
3277 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3278 b1 = gen_llc_linktype(cstate, ll_proto);
3284 return gen_linux_sll_linktype(cstate, ll_proto);
3288 case DLT_SLIP_BSDOS:
3291 * These types don't provide any type field; packets
3292 * are always IPv4 or IPv6.
3294 * XXX - for IPv4, check for a version number of 4, and,
3295 * for IPv6, check for a version number of 6?
3300 /* Check for a version number of 4. */
3301 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3303 case ETHERTYPE_IPV6:
3304 /* Check for a version number of 6. */
3305 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3308 return gen_false(cstate); /* always false */
3314 * Raw IPv4, so no type field.
3316 if (ll_proto == ETHERTYPE_IP)
3317 return gen_true(cstate); /* always true */
3319 /* Checking for something other than IPv4; always false */
3320 return gen_false(cstate);
3325 * Raw IPv6, so no type field.
3327 if (ll_proto == ETHERTYPE_IPV6)
3328 return gen_true(cstate); /* always true */
3330 /* Checking for something other than IPv6; always false */
3331 return gen_false(cstate);
3336 case DLT_PPP_SERIAL:
3339 * We use Ethernet protocol types inside libpcap;
3340 * map them to the corresponding PPP protocol types.
3342 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3343 ethertype_to_ppptype(ll_proto));
3348 * We use Ethernet protocol types inside libpcap;
3349 * map them to the corresponding PPP protocol types.
3355 * Also check for Van Jacobson-compressed IP.
3356 * XXX - do this for other forms of PPP?
3358 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3359 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3361 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3366 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3367 ethertype_to_ppptype(ll_proto));
3377 return (gen_loopback_linktype(cstate, AF_INET));
3379 case ETHERTYPE_IPV6:
3381 * AF_ values may, unfortunately, be platform-
3382 * dependent; AF_INET isn't, because everybody
3383 * used 4.2BSD's value, but AF_INET6 is, because
3384 * 4.2BSD didn't have a value for it (given that
3385 * IPv6 didn't exist back in the early 1980's),
3386 * and they all picked their own values.
3388 * This means that, if we're reading from a
3389 * savefile, we need to check for all the
3392 * If we're doing a live capture, we only need
3393 * to check for this platform's value; however,
3394 * Npcap uses 24, which isn't Windows's AF_INET6
3395 * value. (Given the multiple different values,
3396 * programs that read pcap files shouldn't be
3397 * checking for their platform's AF_INET6 value
3398 * anyway, they should check for all of the
3399 * possible values. and they might as well do
3400 * that even for live captures.)
3402 if (cstate->bpf_pcap->rfile != NULL) {
3404 * Savefile - check for all three
3405 * possible IPv6 values.
3407 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3408 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3410 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3415 * Live capture, so we only need to
3416 * check for the value used on this
3421 * Npcap doesn't use Windows's AF_INET6,
3422 * as that collides with AF_IPX on
3423 * some BSDs (both have the value 23).
3424 * Instead, it uses 24.
3426 return (gen_loopback_linktype(cstate, 24));
3429 return (gen_loopback_linktype(cstate, AF_INET6));
3430 #else /* AF_INET6 */
3432 * I guess this platform doesn't support
3433 * IPv6, so we just reject all packets.
3435 return gen_false(cstate);
3436 #endif /* AF_INET6 */
3442 * Not a type on which we support filtering.
3443 * XXX - support those that have AF_ values
3444 * #defined on this platform, at least?
3446 return gen_false(cstate);
3451 * af field is host byte order in contrast to the rest of
3454 if (ll_proto == ETHERTYPE_IP)
3455 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3457 else if (ll_proto == ETHERTYPE_IPV6)
3458 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3461 return gen_false(cstate);
3465 case DLT_ARCNET_LINUX:
3467 * XXX should we check for first fragment if the protocol
3473 return gen_false(cstate);
3475 case ETHERTYPE_IPV6:
3476 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3480 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3482 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3488 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3490 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3495 case ETHERTYPE_REVARP:
3496 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3499 case ETHERTYPE_ATALK:
3500 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3507 case ETHERTYPE_ATALK:
3508 return gen_true(cstate);
3510 return gen_false(cstate);
3516 * XXX - assumes a 2-byte Frame Relay header with
3517 * DLCI and flags. What if the address is longer?
3523 * Check for the special NLPID for IP.
3525 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3527 case ETHERTYPE_IPV6:
3529 * Check for the special NLPID for IPv6.
3531 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3535 * Check for several OSI protocols.
3537 * Frame Relay packets typically have an OSI
3538 * NLPID at the beginning; we check for each
3541 * What we check for is the NLPID and a frame
3542 * control field of UI, i.e. 0x03 followed
3545 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3546 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3547 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3553 return gen_false(cstate);
3558 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3560 case DLT_JUNIPER_MFR:
3561 case DLT_JUNIPER_MLFR:
3562 case DLT_JUNIPER_MLPPP:
3563 case DLT_JUNIPER_ATM1:
3564 case DLT_JUNIPER_ATM2:
3565 case DLT_JUNIPER_PPPOE:
3566 case DLT_JUNIPER_PPPOE_ATM:
3567 case DLT_JUNIPER_GGSN:
3568 case DLT_JUNIPER_ES:
3569 case DLT_JUNIPER_MONITOR:
3570 case DLT_JUNIPER_SERVICES:
3571 case DLT_JUNIPER_ETHER:
3572 case DLT_JUNIPER_PPP:
3573 case DLT_JUNIPER_FRELAY:
3574 case DLT_JUNIPER_CHDLC:
3575 case DLT_JUNIPER_VP:
3576 case DLT_JUNIPER_ST:
3577 case DLT_JUNIPER_ISM:
3578 case DLT_JUNIPER_VS:
3579 case DLT_JUNIPER_SRX_E2E:
3580 case DLT_JUNIPER_FIBRECHANNEL:
3581 case DLT_JUNIPER_ATM_CEMIC:
3583 /* just lets verify the magic number for now -
3584 * on ATM we may have up to 6 different encapsulations on the wire
3585 * and need a lot of heuristics to figure out that the payload
3588 * FIXME encapsulation specific BPF_ filters
3590 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3592 case DLT_BACNET_MS_TP:
3593 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3596 return gen_ipnet_linktype(cstate, ll_proto);
3598 case DLT_LINUX_IRDA:
3599 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3602 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3605 case DLT_MTP2_WITH_PHDR:
3606 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3609 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3612 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3614 case DLT_LINUX_LAPD:
3615 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3617 case DLT_USB_FREEBSD:
3619 case DLT_USB_LINUX_MMAPPED:
3621 bpf_error(cstate, "USB link-layer type filtering not implemented");
3623 case DLT_BLUETOOTH_HCI_H4:
3624 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3625 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3628 case DLT_CAN_SOCKETCAN:
3629 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3631 case DLT_IEEE802_15_4:
3632 case DLT_IEEE802_15_4_LINUX:
3633 case DLT_IEEE802_15_4_NONASK_PHY:
3634 case DLT_IEEE802_15_4_NOFCS:
3635 case DLT_IEEE802_15_4_TAP:
3636 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3638 case DLT_IEEE802_16_MAC_CPS_RADIO:
3639 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3642 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3645 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3647 case DLT_IPMB_KONTRON:
3648 case DLT_IPMB_LINUX:
3649 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3652 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3655 /* Using the fixed-size NFLOG header it is possible to tell only
3656 * the address family of the packet, other meaningful data is
3657 * either missing or behind TLVs.
3659 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3663 * Does this link-layer header type have a field
3664 * indicating the type of the next protocol? If
3665 * so, off_linktype.constant_part will be the offset of that
3666 * field in the packet; if not, it will be OFFSET_NOT_SET.
3668 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3670 * Yes; assume it's an Ethernet type. (If
3671 * it's not, it needs to be handled specially
3674 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3678 * No; report an error.
3680 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3681 bpf_error(cstate, "%s link-layer type filtering not implemented",
3689 * Check for an LLC SNAP packet with a given organization code and
3690 * protocol type; we check the entire contents of the 802.2 LLC and
3691 * snap headers, checking for DSAP and SSAP of SNAP and a control
3692 * field of 0x03 in the LLC header, and for the specified organization
3693 * code and protocol type in the SNAP header.
3695 static struct block *
3696 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3698 u_char snapblock[8];
3700 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3701 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3702 snapblock[2] = 0x03; /* control = UI */
3703 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3704 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3705 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3706 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3707 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3708 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3712 * Generate code to match frames with an LLC header.
3714 static struct block *
3715 gen_llc_internal(compiler_state_t *cstate)
3717 struct block *b0, *b1;
3719 switch (cstate->linktype) {
3723 * We check for an Ethernet type field less than
3724 * 1500, which means it's an 802.3 length field.
3726 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3730 * Now check for the purported DSAP and SSAP not being
3731 * 0xFF, to rule out NetWare-over-802.3.
3733 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3740 * We check for LLC traffic.
3742 b0 = gen_atmtype_llc(cstate);
3745 case DLT_IEEE802: /* Token Ring */
3747 * XXX - check for LLC frames.
3749 return gen_true(cstate);
3753 * XXX - check for LLC frames.
3755 return gen_true(cstate);
3757 case DLT_ATM_RFC1483:
3759 * For LLC encapsulation, these are defined to have an
3762 * For VC encapsulation, they don't, but there's no
3763 * way to check for that; the protocol used on the VC
3764 * is negotiated out of band.
3766 return gen_true(cstate);
3768 case DLT_IEEE802_11:
3769 case DLT_PRISM_HEADER:
3770 case DLT_IEEE802_11_RADIO:
3771 case DLT_IEEE802_11_RADIO_AVS:
3774 * Check that we have a data frame.
3776 b0 = gen_check_802_11_data_frame(cstate);
3780 bpf_error(cstate, "'llc' not supported for %s",
3781 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3787 gen_llc(compiler_state_t *cstate)
3790 * Catch errors reported by us and routines below us, and return NULL
3793 if (setjmp(cstate->top_ctx))
3796 return gen_llc_internal(cstate);
3800 gen_llc_i(compiler_state_t *cstate)
3802 struct block *b0, *b1;
3806 * Catch errors reported by us and routines below us, and return NULL
3809 if (setjmp(cstate->top_ctx))
3813 * Check whether this is an LLC frame.
3815 b0 = gen_llc_internal(cstate);
3818 * Load the control byte and test the low-order bit; it must
3819 * be clear for I frames.
3821 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3822 b1 = new_block(cstate, JMP(BPF_JSET));
3831 gen_llc_s(compiler_state_t *cstate)
3833 struct block *b0, *b1;
3836 * Catch errors reported by us and routines below us, and return NULL
3839 if (setjmp(cstate->top_ctx))
3843 * Check whether this is an LLC frame.
3845 b0 = gen_llc_internal(cstate);
3848 * Now compare the low-order 2 bit of the control byte against
3849 * the appropriate value for S frames.
3851 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3857 gen_llc_u(compiler_state_t *cstate)
3859 struct block *b0, *b1;
3862 * Catch errors reported by us and routines below us, and return NULL
3865 if (setjmp(cstate->top_ctx))
3869 * Check whether this is an LLC frame.
3871 b0 = gen_llc_internal(cstate);
3874 * Now compare the low-order 2 bit of the control byte against
3875 * the appropriate value for U frames.
3877 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3883 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3885 struct block *b0, *b1;
3888 * Catch errors reported by us and routines below us, and return NULL
3891 if (setjmp(cstate->top_ctx))
3895 * Check whether this is an LLC frame.
3897 b0 = gen_llc_internal(cstate);
3900 * Now check for an S frame with the appropriate type.
3902 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3908 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3910 struct block *b0, *b1;
3913 * Catch errors reported by us and routines below us, and return NULL
3916 if (setjmp(cstate->top_ctx))
3920 * Check whether this is an LLC frame.
3922 b0 = gen_llc_internal(cstate);
3925 * Now check for a U frame with the appropriate type.
3927 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3933 * Generate code to match a particular packet type, for link-layer types
3934 * using 802.2 LLC headers.
3936 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3937 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3940 * value, if <= ETHERMTU. We use that to determine whether to
3941 * match the DSAP or both DSAP and LSAP or to check the OUI and
3942 * protocol ID in a SNAP header.
3944 static struct block *
3945 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3948 * XXX - handle token-ring variable-length header.
3954 case LLCSAP_NETBEUI:
3956 * XXX - should we check both the DSAP and the
3957 * SSAP, like this, or should we check just the
3958 * DSAP, as we do for other SAP values?
3960 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3961 ((ll_proto << 8) | ll_proto));
3965 * XXX - are there ever SNAP frames for IPX on
3966 * non-Ethernet 802.x networks?
3968 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
3970 case ETHERTYPE_ATALK:
3972 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3973 * SNAP packets with an organization code of
3974 * 0x080007 (Apple, for Appletalk) and a protocol
3975 * type of ETHERTYPE_ATALK (Appletalk).
3977 * XXX - check for an organization code of
3978 * encapsulated Ethernet as well?
3980 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3984 * XXX - we don't have to check for IPX 802.3
3985 * here, but should we check for the IPX Ethertype?
3987 if (ll_proto <= ETHERMTU) {
3989 * This is an LLC SAP value, so check
3992 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
3995 * This is an Ethernet type; we assume that it's
3996 * unlikely that it'll appear in the right place
3997 * at random, and therefore check only the
3998 * location that would hold the Ethernet type
3999 * in a SNAP frame with an organization code of
4000 * 0x000000 (encapsulated Ethernet).
4002 * XXX - if we were to check for the SNAP DSAP and
4003 * LSAP, as per XXX, and were also to check for an
4004 * organization code of 0x000000 (encapsulated
4005 * Ethernet), we'd do
4007 * return gen_snap(cstate, 0x000000, ll_proto);
4009 * here; for now, we don't, as per the above.
4010 * I don't know whether it's worth the extra CPU
4011 * time to do the right check or not.
4013 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
4018 static struct block *
4019 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4020 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off)
4022 struct block *b0, *b1;
4036 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4037 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4043 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4044 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4049 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4053 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4057 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4061 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4065 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4069 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4076 b0 = gen_linktype(cstate, ll_proto);
4077 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4083 static struct block *
4084 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4085 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off,
4088 struct block *b0, *b1;
4103 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4104 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4110 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4111 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4116 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4120 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4124 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4128 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4132 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4136 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4143 /* this order is important */
4144 a = (uint32_t *)addr;
4145 m = (uint32_t *)mask;
4146 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4147 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4149 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4151 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4153 b0 = gen_linktype(cstate, ll_proto);
4159 static struct block *
4160 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4162 register struct block *b0, *b1;
4166 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4169 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4172 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4173 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4179 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4180 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4185 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4189 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4193 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4197 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4201 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4205 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4213 * Like gen_ehostop, but for DLT_FDDI
4215 static struct block *
4216 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4218 struct block *b0, *b1;
4222 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4225 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4228 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4229 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4235 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4236 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4241 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4245 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4249 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4253 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4257 bpf_error(cstate, "'ra' is only supported on 802.11");
4261 bpf_error(cstate, "'ta' is only supported on 802.11");
4269 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4271 static struct block *
4272 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4274 register struct block *b0, *b1;
4278 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4281 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4284 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4285 b1 = gen_thostop(cstate, eaddr, Q_DST);
4291 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4292 b1 = gen_thostop(cstate, eaddr, Q_DST);
4297 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4301 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4305 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4309 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4313 bpf_error(cstate, "'ra' is only supported on 802.11");
4317 bpf_error(cstate, "'ta' is only supported on 802.11");
4325 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4326 * various 802.11 + radio headers.
4328 static struct block *
4329 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4331 register struct block *b0, *b1, *b2;
4332 register struct slist *s;
4334 #ifdef ENABLE_WLAN_FILTERING_PATCH
4337 * We need to disable the optimizer because the optimizer is buggy
4338 * and wipes out some LD instructions generated by the below
4339 * code to validate the Frame Control bits
4341 cstate->no_optimize = 1;
4342 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4349 * For control frames, there is no SA.
4351 * For management frames, SA is at an
4352 * offset of 10 from the beginning of
4355 * For data frames, SA is at an offset
4356 * of 10 from the beginning of the packet
4357 * if From DS is clear, at an offset of
4358 * 16 from the beginning of the packet
4359 * if From DS is set and To DS is clear,
4360 * and an offset of 24 from the beginning
4361 * of the packet if From DS is set and To DS
4366 * Generate the tests to be done for data frames
4369 * First, check for To DS set, i.e. check "link[1] & 0x01".
4371 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4372 b1 = new_block(cstate, JMP(BPF_JSET));
4373 b1->s.k = 0x01; /* To DS */
4377 * If To DS is set, the SA is at 24.
4379 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4383 * Now, check for To DS not set, i.e. check
4384 * "!(link[1] & 0x01)".
4386 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4387 b2 = new_block(cstate, JMP(BPF_JSET));
4388 b2->s.k = 0x01; /* To DS */
4393 * If To DS is not set, the SA is at 16.
4395 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4399 * Now OR together the last two checks. That gives
4400 * the complete set of checks for data frames with
4406 * Now check for From DS being set, and AND that with
4407 * the ORed-together checks.
4409 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4410 b1 = new_block(cstate, JMP(BPF_JSET));
4411 b1->s.k = 0x02; /* From DS */
4416 * Now check for data frames with From DS not set.
4418 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4419 b2 = new_block(cstate, JMP(BPF_JSET));
4420 b2->s.k = 0x02; /* From DS */
4425 * If From DS isn't set, the SA is at 10.
4427 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4431 * Now OR together the checks for data frames with
4432 * From DS not set and for data frames with From DS
4433 * set; that gives the checks done for data frames.
4438 * Now check for a data frame.
4439 * I.e, check "link[0] & 0x08".
4441 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4442 b1 = new_block(cstate, JMP(BPF_JSET));
4447 * AND that with the checks done for data frames.
4452 * If the high-order bit of the type value is 0, this
4453 * is a management frame.
4454 * I.e, check "!(link[0] & 0x08)".
4456 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4457 b2 = new_block(cstate, JMP(BPF_JSET));
4463 * For management frames, the SA is at 10.
4465 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4469 * OR that with the checks done for data frames.
4470 * That gives the checks done for management and
4476 * If the low-order bit of the type value is 1,
4477 * this is either a control frame or a frame
4478 * with a reserved type, and thus not a
4481 * I.e., check "!(link[0] & 0x04)".
4483 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4484 b1 = new_block(cstate, JMP(BPF_JSET));
4490 * AND that with the checks for data and management
4500 * For control frames, there is no DA.
4502 * For management frames, DA is at an
4503 * offset of 4 from the beginning of
4506 * For data frames, DA is at an offset
4507 * of 4 from the beginning of the packet
4508 * if To DS is clear and at an offset of
4509 * 16 from the beginning of the packet
4514 * Generate the tests to be done for data frames.
4516 * First, check for To DS set, i.e. "link[1] & 0x01".
4518 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4519 b1 = new_block(cstate, JMP(BPF_JSET));
4520 b1->s.k = 0x01; /* To DS */
4524 * If To DS is set, the DA is at 16.
4526 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4530 * Now, check for To DS not set, i.e. check
4531 * "!(link[1] & 0x01)".
4533 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4534 b2 = new_block(cstate, JMP(BPF_JSET));
4535 b2->s.k = 0x01; /* To DS */
4540 * If To DS is not set, the DA is at 4.
4542 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4546 * Now OR together the last two checks. That gives
4547 * the complete set of checks for data frames.
4552 * Now check for a data frame.
4553 * I.e, check "link[0] & 0x08".
4555 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4556 b1 = new_block(cstate, JMP(BPF_JSET));
4561 * AND that with the checks done for data frames.
4566 * If the high-order bit of the type value is 0, this
4567 * is a management frame.
4568 * I.e, check "!(link[0] & 0x08)".
4570 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4571 b2 = new_block(cstate, JMP(BPF_JSET));
4577 * For management frames, the DA is at 4.
4579 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4583 * OR that with the checks done for data frames.
4584 * That gives the checks done for management and
4590 * If the low-order bit of the type value is 1,
4591 * this is either a control frame or a frame
4592 * with a reserved type, and thus not a
4595 * I.e., check "!(link[0] & 0x04)".
4597 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4598 b1 = new_block(cstate, JMP(BPF_JSET));
4604 * AND that with the checks for data and management
4611 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4612 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4618 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4619 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4624 * XXX - add BSSID keyword?
4627 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4631 * Not present in CTS or ACK control frames.
4633 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4634 IEEE80211_FC0_TYPE_MASK);
4636 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4637 IEEE80211_FC0_SUBTYPE_MASK);
4639 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4640 IEEE80211_FC0_SUBTYPE_MASK);
4644 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4650 * Not present in control frames.
4652 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4653 IEEE80211_FC0_TYPE_MASK);
4655 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4661 * Present only if the direction mask has both "From DS"
4662 * and "To DS" set. Neither control frames nor management
4663 * frames should have both of those set, so we don't
4664 * check the frame type.
4666 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4667 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4668 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4674 * Not present in management frames; addr1 in other
4679 * If the high-order bit of the type value is 0, this
4680 * is a management frame.
4681 * I.e, check "(link[0] & 0x08)".
4683 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4684 b1 = new_block(cstate, JMP(BPF_JSET));
4691 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4694 * AND that with the check of addr1.
4701 * Not present in management frames; addr2, if present,
4706 * Not present in CTS or ACK control frames.
4708 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4709 IEEE80211_FC0_TYPE_MASK);
4711 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4712 IEEE80211_FC0_SUBTYPE_MASK);
4714 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4715 IEEE80211_FC0_SUBTYPE_MASK);
4721 * If the high-order bit of the type value is 0, this
4722 * is a management frame.
4723 * I.e, check "(link[0] & 0x08)".
4725 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4726 b1 = new_block(cstate, JMP(BPF_JSET));
4731 * AND that with the check for frames other than
4732 * CTS and ACK frames.
4739 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4748 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4749 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4750 * as the RFC states.)
4752 static struct block *
4753 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4755 register struct block *b0, *b1;
4759 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4762 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4765 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4766 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4772 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4773 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4778 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4782 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4786 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4790 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4794 bpf_error(cstate, "'ra' is only supported on 802.11");
4798 bpf_error(cstate, "'ta' is only supported on 802.11");
4806 * This is quite tricky because there may be pad bytes in front of the
4807 * DECNET header, and then there are two possible data packet formats that
4808 * carry both src and dst addresses, plus 5 packet types in a format that
4809 * carries only the src node, plus 2 types that use a different format and
4810 * also carry just the src node.
4814 * Instead of doing those all right, we just look for data packets with
4815 * 0 or 1 bytes of padding. If you want to look at other packets, that
4816 * will require a lot more hacking.
4818 * To add support for filtering on DECNET "areas" (network numbers)
4819 * one would want to add a "mask" argument to this routine. That would
4820 * make the filter even more inefficient, although one could be clever
4821 * and not generate masking instructions if the mask is 0xFFFF.
4823 static struct block *
4824 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4826 struct block *b0, *b1, *b2, *tmp;
4827 u_int offset_lh; /* offset if long header is received */
4828 u_int offset_sh; /* offset if short header is received */
4833 offset_sh = 1; /* follows flags */
4834 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4838 offset_sh = 3; /* follows flags, dstnode */
4839 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4843 /* Inefficient because we do our Calvinball dance twice */
4844 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4845 b1 = gen_dnhostop(cstate, addr, Q_DST);
4851 /* Inefficient because we do our Calvinball dance twice */
4852 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4853 b1 = gen_dnhostop(cstate, addr, Q_DST);
4858 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4862 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4866 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4870 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4874 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4878 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4885 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4886 /* Check for pad = 1, long header case */
4887 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4888 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF));
4889 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4890 BPF_H, (bpf_u_int32)ntohs((u_short)addr));
4892 /* Check for pad = 0, long header case */
4893 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06,
4895 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
4896 (bpf_u_int32)ntohs((u_short)addr));
4899 /* Check for pad = 1, short header case */
4900 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4901 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF));
4902 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
4903 (bpf_u_int32)ntohs((u_short)addr));
4906 /* Check for pad = 0, short header case */
4907 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02,
4909 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
4910 (bpf_u_int32)ntohs((u_short)addr));
4914 /* Combine with test for cstate->linktype */
4920 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4921 * test the bottom-of-stack bit, and then check the version number
4922 * field in the IP header.
4924 static struct block *
4925 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4927 struct block *b0, *b1;
4932 /* match the bottom-of-stack bit */
4933 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4934 /* match the IPv4 version number */
4935 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4939 case ETHERTYPE_IPV6:
4940 /* match the bottom-of-stack bit */
4941 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4942 /* match the IPv4 version number */
4943 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4948 /* FIXME add other L3 proto IDs */
4949 bpf_error(cstate, "unsupported protocol over mpls");
4954 static struct block *
4955 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4956 int proto, int dir, int type)
4958 struct block *b0, *b1;
4959 const char *typestr;
4969 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4971 * Only check for non-IPv4 addresses if we're not
4972 * checking MPLS-encapsulated packets.
4974 if (cstate->label_stack_depth == 0) {
4975 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4977 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4983 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4986 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4989 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4992 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4995 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4998 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
5001 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
5004 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
5007 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
5010 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
5013 bpf_error(cstate, "AppleTalk host filtering not implemented");
5016 return gen_dnhostop(cstate, addr, dir);
5019 bpf_error(cstate, "LAT host filtering not implemented");
5022 bpf_error(cstate, "SCA host filtering not implemented");
5025 bpf_error(cstate, "MOPRC host filtering not implemented");
5028 bpf_error(cstate, "MOPDL host filtering not implemented");
5031 bpf_error(cstate, "'ip6' modifier applied to ip host");
5034 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
5037 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
5040 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
5043 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
5046 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
5049 bpf_error(cstate, "AARP host filtering not implemented");
5052 bpf_error(cstate, "ISO host filtering not implemented");
5055 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5058 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5061 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5064 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5067 bpf_error(cstate, "IPX host filtering not implemented");
5070 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5073 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5076 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5079 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5082 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5085 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5088 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5091 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5094 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5097 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5106 static struct block *
5107 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5108 struct in6_addr *mask, int proto, int dir, int type)
5110 const char *typestr;
5120 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5123 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5126 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5129 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5132 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5135 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5138 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5141 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5144 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5147 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5150 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5153 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5156 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5159 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5162 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5165 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5168 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5171 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5174 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5177 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5180 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5183 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5186 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5189 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5192 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5195 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5198 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5201 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5204 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5207 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5210 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5213 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5216 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5219 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5222 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5225 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5228 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5231 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5234 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5237 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5247 static struct block *
5248 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5249 struct addrinfo *alist, int proto, int dir)
5251 struct block *b0, *b1, *tmp;
5252 struct addrinfo *ai;
5253 struct sockaddr_in *sin;
5256 bpf_error(cstate, "direction applied to 'gateway'");
5263 switch (cstate->linktype) {
5265 case DLT_NETANALYZER:
5266 case DLT_NETANALYZER_TRANSPARENT:
5267 b1 = gen_prevlinkhdr_check(cstate);
5268 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5273 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5276 b0 = gen_thostop(cstate, eaddr, Q_OR);
5278 case DLT_IEEE802_11:
5279 case DLT_PRISM_HEADER:
5280 case DLT_IEEE802_11_RADIO_AVS:
5281 case DLT_IEEE802_11_RADIO:
5283 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5287 * This is LLC-multiplexed traffic; if it were
5288 * LANE, cstate->linktype would have been set to
5292 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5294 case DLT_IP_OVER_FC:
5295 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5299 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5302 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5304 * Does it have an address?
5306 if (ai->ai_addr != NULL) {
5308 * Yes. Is it an IPv4 address?
5310 if (ai->ai_addr->sa_family == AF_INET) {
5312 * Generate an entry for it.
5314 sin = (struct sockaddr_in *)ai->ai_addr;
5315 tmp = gen_host(cstate,
5316 ntohl(sin->sin_addr.s_addr),
5317 0xffffffff, proto, Q_OR, Q_HOST);
5319 * Is it the *first* IPv4 address?
5323 * Yes, so start with it.
5328 * No, so OR it into the
5340 * No IPv4 addresses found.
5348 bpf_error(cstate, "illegal modifier of 'gateway'");
5353 static struct block *
5354 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5362 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT, Q_DEFAULT);
5366 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT, Q_DEFAULT);
5370 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT, Q_DEFAULT);
5374 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5377 #ifndef IPPROTO_IGMP
5378 #define IPPROTO_IGMP 2
5382 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5385 #ifndef IPPROTO_IGRP
5386 #define IPPROTO_IGRP 9
5389 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5393 #define IPPROTO_PIM 103
5397 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT, Q_DEFAULT);
5400 #ifndef IPPROTO_VRRP
5401 #define IPPROTO_VRRP 112
5405 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5408 #ifndef IPPROTO_CARP
5409 #define IPPROTO_CARP 112
5413 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5417 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5421 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5425 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5429 bpf_error(cstate, "link layer applied in wrong context");
5432 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5436 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5440 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5444 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5448 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5452 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5456 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5460 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5463 #ifndef IPPROTO_ICMPV6
5464 #define IPPROTO_ICMPV6 58
5467 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5471 #define IPPROTO_AH 51
5474 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT, Q_DEFAULT);
5478 #define IPPROTO_ESP 50
5481 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT, Q_DEFAULT);
5485 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5489 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5493 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5496 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5497 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5498 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5500 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5502 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5504 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5508 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5509 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5510 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5512 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5514 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5516 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5520 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5521 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5522 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5524 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5529 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5530 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5535 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5536 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5538 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5540 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5545 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5546 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5551 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5552 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5557 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5561 b1 = gen_linktype(cstate, LLCSAP_8021D);
5565 b1 = gen_linktype(cstate, LLCSAP_IPX);
5569 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5573 bpf_error(cstate, "'radio' is not a valid protocol type");
5582 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5585 * Catch errors reported by us and routines below us, and return NULL
5588 if (setjmp(cstate->top_ctx))
5591 return gen_proto_abbrev_internal(cstate, proto);
5594 static struct block *
5595 gen_ipfrag(compiler_state_t *cstate)
5600 /* not IPv4 frag other than the first frag */
5601 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5602 b = new_block(cstate, JMP(BPF_JSET));
5611 * Generate a comparison to a port value in the transport-layer header
5612 * at the specified offset from the beginning of that header.
5614 * XXX - this handles a variable-length prefix preceding the link-layer
5615 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5616 * variable-length link-layer headers (such as Token Ring or 802.11
5619 static struct block *
5620 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5622 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5625 static struct block *
5626 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5628 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5631 static struct block *
5632 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5634 struct block *b0, *b1, *tmp;
5636 /* ip proto 'proto' and not a fragment other than the first fragment */
5637 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5638 b0 = gen_ipfrag(cstate);
5643 b1 = gen_portatom(cstate, 0, port);
5647 b1 = gen_portatom(cstate, 2, port);
5651 tmp = gen_portatom(cstate, 0, port);
5652 b1 = gen_portatom(cstate, 2, port);
5658 tmp = gen_portatom(cstate, 0, port);
5659 b1 = gen_portatom(cstate, 2, port);
5664 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5668 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5672 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5676 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5680 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5684 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5696 static struct block *
5697 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5699 struct block *b0, *b1, *tmp;
5704 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5705 * not LLC encapsulation with LLCSAP_IP.
5707 * For IEEE 802 networks - which includes 802.5 token ring
5708 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5709 * says that SNAP encapsulation is used, not LLC encapsulation
5712 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5713 * RFC 2225 say that SNAP encapsulation is used, not LLC
5714 * encapsulation with LLCSAP_IP.
5716 * So we always check for ETHERTYPE_IP.
5718 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5724 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5728 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5729 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5731 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5743 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5745 struct block *b0, *b1, *tmp;
5747 /* ip6 proto 'proto' */
5748 /* XXX - catch the first fragment of a fragmented packet? */
5749 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5753 b1 = gen_portatom6(cstate, 0, port);
5757 b1 = gen_portatom6(cstate, 2, port);
5761 tmp = gen_portatom6(cstate, 0, port);
5762 b1 = gen_portatom6(cstate, 2, port);
5768 tmp = gen_portatom6(cstate, 0, port);
5769 b1 = gen_portatom6(cstate, 2, port);
5781 static struct block *
5782 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5784 struct block *b0, *b1, *tmp;
5786 /* link proto ip6 */
5787 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5793 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5797 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5798 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5800 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5811 /* gen_portrange code */
5812 static struct block *
5813 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5816 struct block *b1, *b2;
5820 * Reverse the order of the ports, so v1 is the lower one.
5829 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5830 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5837 static struct block *
5838 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5839 bpf_u_int32 proto, int dir)
5841 struct block *b0, *b1, *tmp;
5843 /* ip proto 'proto' and not a fragment other than the first fragment */
5844 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5845 b0 = gen_ipfrag(cstate);
5850 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5854 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5858 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5859 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5865 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5866 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5871 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5875 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5879 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5883 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5887 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
5891 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
5903 static struct block *
5904 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5907 struct block *b0, *b1, *tmp;
5910 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5916 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
5921 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5922 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5924 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5935 static struct block *
5936 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5939 struct block *b1, *b2;
5943 * Reverse the order of the ports, so v1 is the lower one.
5952 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5953 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5960 static struct block *
5961 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
5962 bpf_u_int32 proto, int dir)
5964 struct block *b0, *b1, *tmp;
5966 /* ip6 proto 'proto' */
5967 /* XXX - catch the first fragment of a fragmented packet? */
5968 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5972 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
5976 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5980 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5981 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5987 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5988 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6000 static struct block *
6001 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6004 struct block *b0, *b1, *tmp;
6006 /* link proto ip6 */
6007 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6013 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
6018 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
6019 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
6021 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
6033 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
6042 v = pcap_nametoproto(name);
6043 if (v == PROTO_UNDEF)
6044 bpf_error(cstate, "unknown ip proto '%s'", name);
6048 /* XXX should look up h/w protocol type based on cstate->linktype */
6049 v = pcap_nametoeproto(name);
6050 if (v == PROTO_UNDEF) {
6051 v = pcap_nametollc(name);
6052 if (v == PROTO_UNDEF)
6053 bpf_error(cstate, "unknown ether proto '%s'", name);
6058 if (strcmp(name, "esis") == 0)
6060 else if (strcmp(name, "isis") == 0)
6062 else if (strcmp(name, "clnp") == 0)
6065 bpf_error(cstate, "unknown osi proto '%s'", name);
6075 #if !defined(NO_PROTOCHAIN)
6076 static struct block *
6077 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6079 struct block *b0, *b;
6080 struct slist *s[100];
6081 int fix2, fix3, fix4, fix5;
6082 int ahcheck, again, end;
6084 int reg2 = alloc_reg(cstate);
6086 memset(s, 0, sizeof(s));
6087 fix3 = fix4 = fix5 = 0;
6094 b0 = gen_protochain(cstate, v, Q_IP);
6095 b = gen_protochain(cstate, v, Q_IPV6);
6099 bpf_error(cstate, "bad protocol applied for 'protochain'");
6104 * We don't handle variable-length prefixes before the link-layer
6105 * header, or variable-length link-layer headers, here yet.
6106 * We might want to add BPF instructions to do the protochain
6107 * work, to simplify that and, on platforms that have a BPF
6108 * interpreter with the new instructions, let the filtering
6109 * be done in the kernel. (We already require a modified BPF
6110 * engine to do the protochain stuff, to support backward
6111 * branches, and backward branch support is unlikely to appear
6112 * in kernel BPF engines.)
6114 if (cstate->off_linkpl.is_variable)
6115 bpf_error(cstate, "'protochain' not supported with variable length headers");
6118 * To quote a comment in optimize.c:
6120 * "These data structures are used in a Cocke and Shwarz style
6121 * value numbering scheme. Since the flowgraph is acyclic,
6122 * exit values can be propagated from a node's predecessors
6123 * provided it is uniquely defined."
6125 * "Acyclic" means "no backward branches", which means "no
6126 * loops", so we have to turn the optimizer off.
6128 cstate->no_optimize = 1;
6131 * s[0] is a dummy entry to protect other BPF insn from damage
6132 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6133 * hard to find interdependency made by jump table fixup.
6136 s[i] = new_stmt(cstate, 0); /*dummy*/
6141 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6144 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6145 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6147 /* X = ip->ip_hl << 2 */
6148 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6149 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6154 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6156 /* A = ip6->ip_nxt */
6157 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6158 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6160 /* X = sizeof(struct ip6_hdr) */
6161 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6167 bpf_error(cstate, "unsupported proto to gen_protochain");
6171 /* again: if (A == v) goto end; else fall through; */
6173 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6175 s[i]->s.jt = NULL; /*later*/
6176 s[i]->s.jf = NULL; /*update in next stmt*/
6180 #ifndef IPPROTO_NONE
6181 #define IPPROTO_NONE 59
6183 /* if (A == IPPROTO_NONE) goto end */
6184 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6185 s[i]->s.jt = NULL; /*later*/
6186 s[i]->s.jf = NULL; /*update in next stmt*/
6187 s[i]->s.k = IPPROTO_NONE;
6188 s[fix5]->s.jf = s[i];
6192 if (proto == Q_IPV6) {
6193 int v6start, v6end, v6advance, j;
6196 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6197 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6198 s[i]->s.jt = NULL; /*later*/
6199 s[i]->s.jf = NULL; /*update in next stmt*/
6200 s[i]->s.k = IPPROTO_HOPOPTS;
6201 s[fix2]->s.jf = s[i];
6203 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6204 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6205 s[i]->s.jt = NULL; /*later*/
6206 s[i]->s.jf = NULL; /*update in next stmt*/
6207 s[i]->s.k = IPPROTO_DSTOPTS;
6209 /* if (A == IPPROTO_ROUTING) goto v6advance */
6210 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6211 s[i]->s.jt = NULL; /*later*/
6212 s[i]->s.jf = NULL; /*update in next stmt*/
6213 s[i]->s.k = IPPROTO_ROUTING;
6215 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6216 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6217 s[i]->s.jt = NULL; /*later*/
6218 s[i]->s.jf = NULL; /*later*/
6219 s[i]->s.k = IPPROTO_FRAGMENT;
6229 * A = P[X + packet head];
6230 * X = X + (P[X + packet head + 1] + 1) * 8;
6232 /* A = P[X + packet head] */
6233 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6234 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6237 s[i] = new_stmt(cstate, BPF_ST);
6240 /* A = P[X + packet head + 1]; */
6241 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6242 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6245 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6249 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6253 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6257 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6260 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6264 /* goto again; (must use BPF_JA for backward jump) */
6265 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6266 s[i]->s.k = again - i - 1;
6267 s[i - 1]->s.jf = s[i];
6271 for (j = v6start; j <= v6end; j++)
6272 s[j]->s.jt = s[v6advance];
6275 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6277 s[fix2]->s.jf = s[i];
6283 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6284 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6285 s[i]->s.jt = NULL; /*later*/
6286 s[i]->s.jf = NULL; /*later*/
6287 s[i]->s.k = IPPROTO_AH;
6289 s[fix3]->s.jf = s[ahcheck];
6296 * X = X + (P[X + 1] + 2) * 4;
6299 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6301 /* A = P[X + packet head]; */
6302 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6303 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6306 s[i] = new_stmt(cstate, BPF_ST);
6310 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6313 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6317 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6319 /* A = P[X + packet head] */
6320 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6321 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6324 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6328 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6332 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6335 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6339 /* goto again; (must use BPF_JA for backward jump) */
6340 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6341 s[i]->s.k = again - i - 1;
6346 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6348 s[fix2]->s.jt = s[end];
6349 s[fix4]->s.jf = s[end];
6350 s[fix5]->s.jt = s[end];
6357 for (i = 0; i < max - 1; i++)
6358 s[i]->next = s[i + 1];
6359 s[max - 1]->next = NULL;
6364 b = new_block(cstate, JMP(BPF_JEQ));
6365 b->stmts = s[1]; /*remember, s[0] is dummy*/
6368 free_reg(cstate, reg2);
6373 #endif /* !defined(NO_PROTOCHAIN) */
6375 static struct block *
6376 gen_check_802_11_data_frame(compiler_state_t *cstate)
6379 struct block *b0, *b1;
6382 * A data frame has the 0x08 bit (b3) in the frame control field set
6383 * and the 0x04 bit (b2) clear.
6385 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6386 b0 = new_block(cstate, JMP(BPF_JSET));
6390 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6391 b1 = new_block(cstate, JMP(BPF_JSET));
6402 * Generate code that checks whether the packet is a packet for protocol
6403 * <proto> and whether the type field in that protocol's header has
6404 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6405 * IP packet and checks the protocol number in the IP header against <v>.
6407 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6408 * against Q_IP and Q_IPV6.
6410 static struct block *
6411 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir)
6413 struct block *b0, *b1;
6416 if (dir != Q_DEFAULT)
6417 bpf_error(cstate, "direction applied to 'proto'");
6421 b0 = gen_proto(cstate, v, Q_IP, dir);
6422 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6427 return gen_linktype(cstate, v);
6431 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6432 * not LLC encapsulation with LLCSAP_IP.
6434 * For IEEE 802 networks - which includes 802.5 token ring
6435 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6436 * says that SNAP encapsulation is used, not LLC encapsulation
6439 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6440 * RFC 2225 say that SNAP encapsulation is used, not LLC
6441 * encapsulation with LLCSAP_IP.
6443 * So we always check for ETHERTYPE_IP.
6445 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6446 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6451 bpf_error(cstate, "arp does not encapsulate another protocol");
6455 bpf_error(cstate, "rarp does not encapsulate another protocol");
6459 bpf_error(cstate, "'sctp proto' is bogus");
6463 bpf_error(cstate, "'tcp proto' is bogus");
6467 bpf_error(cstate, "'udp proto' is bogus");
6471 bpf_error(cstate, "'icmp proto' is bogus");
6475 bpf_error(cstate, "'igmp proto' is bogus");
6479 bpf_error(cstate, "'igrp proto' is bogus");
6483 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6487 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6491 bpf_error(cstate, "LAT does not encapsulate another protocol");
6495 bpf_error(cstate, "SCA does not encapsulate another protocol");
6499 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6503 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6507 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6509 * Also check for a fragment header before the final
6512 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6513 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6515 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6521 bpf_error(cstate, "'icmp6 proto' is bogus");
6525 bpf_error(cstate, "'ah proto' is bogus");
6529 bpf_error(cstate, "'esp proto' is bogus");
6533 bpf_error(cstate, "'pim proto' is bogus");
6537 bpf_error(cstate, "'vrrp proto' is bogus");
6541 bpf_error(cstate, "'aarp proto' is bogus");
6545 switch (cstate->linktype) {
6549 * Frame Relay packets typically have an OSI
6550 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6551 * generates code to check for all the OSI
6552 * NLPIDs, so calling it and then adding a check
6553 * for the particular NLPID for which we're
6554 * looking is bogus, as we can just check for
6557 * What we check for is the NLPID and a frame
6558 * control field value of UI, i.e. 0x03 followed
6561 * XXX - assumes a 2-byte Frame Relay header with
6562 * DLCI and flags. What if the address is longer?
6564 * XXX - what about SNAP-encapsulated frames?
6566 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6572 * Cisco uses an Ethertype lookalike - for OSI,
6575 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6576 /* OSI in C-HDLC is stuffed with a fudge byte */
6577 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6582 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6583 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6589 bpf_error(cstate, "'esis proto' is bogus");
6593 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6595 * 4 is the offset of the PDU type relative to the IS-IS
6598 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v);
6603 bpf_error(cstate, "'clnp proto' is not supported");
6607 bpf_error(cstate, "'stp proto' is bogus");
6611 bpf_error(cstate, "'ipx proto' is bogus");
6615 bpf_error(cstate, "'netbeui proto' is bogus");
6619 bpf_error(cstate, "'l1 proto' is bogus");
6623 bpf_error(cstate, "'l2 proto' is bogus");
6627 bpf_error(cstate, "'iih proto' is bogus");
6631 bpf_error(cstate, "'snp proto' is bogus");
6635 bpf_error(cstate, "'csnp proto' is bogus");
6639 bpf_error(cstate, "'psnp proto' is bogus");
6643 bpf_error(cstate, "'lsp proto' is bogus");
6647 bpf_error(cstate, "'radio proto' is bogus");
6651 bpf_error(cstate, "'carp proto' is bogus");
6662 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6664 int proto = q.proto;
6668 bpf_u_int32 mask, addr;
6669 struct addrinfo *res, *res0;
6670 struct sockaddr_in *sin4;
6673 struct sockaddr_in6 *sin6;
6674 struct in6_addr mask128;
6676 struct block *b, *tmp;
6677 int port, real_proto;
6681 * Catch errors reported by us and routines below us, and return NULL
6684 if (setjmp(cstate->top_ctx))
6690 addr = pcap_nametonetaddr(name);
6692 bpf_error(cstate, "unknown network '%s'", name);
6693 /* Left justify network addr and calculate its network mask */
6695 while (addr && (addr & 0xff000000) == 0) {
6699 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6703 if (proto == Q_LINK) {
6704 switch (cstate->linktype) {
6707 case DLT_NETANALYZER:
6708 case DLT_NETANALYZER_TRANSPARENT:
6709 eaddr = pcap_ether_hostton(name);
6712 "unknown ether host '%s'", name);
6713 tmp = gen_prevlinkhdr_check(cstate);
6714 b = gen_ehostop(cstate, eaddr, dir);
6721 eaddr = pcap_ether_hostton(name);
6724 "unknown FDDI host '%s'", name);
6725 b = gen_fhostop(cstate, eaddr, dir);
6730 eaddr = pcap_ether_hostton(name);
6733 "unknown token ring host '%s'", name);
6734 b = gen_thostop(cstate, eaddr, dir);
6738 case DLT_IEEE802_11:
6739 case DLT_PRISM_HEADER:
6740 case DLT_IEEE802_11_RADIO_AVS:
6741 case DLT_IEEE802_11_RADIO:
6743 eaddr = pcap_ether_hostton(name);
6746 "unknown 802.11 host '%s'", name);
6747 b = gen_wlanhostop(cstate, eaddr, dir);
6751 case DLT_IP_OVER_FC:
6752 eaddr = pcap_ether_hostton(name);
6755 "unknown Fibre Channel host '%s'", name);
6756 b = gen_ipfchostop(cstate, eaddr, dir);
6761 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6762 } else if (proto == Q_DECNET) {
6763 unsigned short dn_addr;
6765 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6767 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6769 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6774 * I don't think DECNET hosts can be multihomed, so
6775 * there is no need to build up a list of addresses
6777 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6780 memset(&mask128, 0xff, sizeof(mask128));
6782 res0 = res = pcap_nametoaddrinfo(name);
6784 bpf_error(cstate, "unknown host '%s'", name);
6791 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6792 tproto == Q_DEFAULT) {
6798 for (res = res0; res; res = res->ai_next) {
6799 switch (res->ai_family) {
6802 if (tproto == Q_IPV6)
6806 sin4 = (struct sockaddr_in *)
6808 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6809 0xffffffff, tproto, dir, q.addr);
6813 if (tproto6 == Q_IP)
6816 sin6 = (struct sockaddr_in6 *)
6818 tmp = gen_host6(cstate, &sin6->sin6_addr,
6819 &mask128, tproto6, dir, q.addr);
6832 bpf_error(cstate, "unknown host '%s'%s", name,
6833 (proto == Q_DEFAULT)
6835 : " for specified address family");
6841 if (proto != Q_DEFAULT &&
6842 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6843 bpf_error(cstate, "illegal qualifier of 'port'");
6844 if (pcap_nametoport(name, &port, &real_proto) == 0)
6845 bpf_error(cstate, "unknown port '%s'", name);
6846 if (proto == Q_UDP) {
6847 if (real_proto == IPPROTO_TCP)
6848 bpf_error(cstate, "port '%s' is tcp", name);
6849 else if (real_proto == IPPROTO_SCTP)
6850 bpf_error(cstate, "port '%s' is sctp", name);
6852 /* override PROTO_UNDEF */
6853 real_proto = IPPROTO_UDP;
6855 if (proto == Q_TCP) {
6856 if (real_proto == IPPROTO_UDP)
6857 bpf_error(cstate, "port '%s' is udp", name);
6859 else if (real_proto == IPPROTO_SCTP)
6860 bpf_error(cstate, "port '%s' is sctp", name);
6862 /* override PROTO_UNDEF */
6863 real_proto = IPPROTO_TCP;
6865 if (proto == Q_SCTP) {
6866 if (real_proto == IPPROTO_UDP)
6867 bpf_error(cstate, "port '%s' is udp", name);
6869 else if (real_proto == IPPROTO_TCP)
6870 bpf_error(cstate, "port '%s' is tcp", name);
6872 /* override PROTO_UNDEF */
6873 real_proto = IPPROTO_SCTP;
6876 bpf_error(cstate, "illegal port number %d < 0", port);
6878 bpf_error(cstate, "illegal port number %d > 65535", port);
6879 b = gen_port(cstate, port, real_proto, dir);
6880 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6884 if (proto != Q_DEFAULT &&
6885 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6886 bpf_error(cstate, "illegal qualifier of 'portrange'");
6887 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6888 bpf_error(cstate, "unknown port in range '%s'", name);
6889 if (proto == Q_UDP) {
6890 if (real_proto == IPPROTO_TCP)
6891 bpf_error(cstate, "port in range '%s' is tcp", name);
6892 else if (real_proto == IPPROTO_SCTP)
6893 bpf_error(cstate, "port in range '%s' is sctp", name);
6895 /* override PROTO_UNDEF */
6896 real_proto = IPPROTO_UDP;
6898 if (proto == Q_TCP) {
6899 if (real_proto == IPPROTO_UDP)
6900 bpf_error(cstate, "port in range '%s' is udp", name);
6901 else if (real_proto == IPPROTO_SCTP)
6902 bpf_error(cstate, "port in range '%s' is sctp", name);
6904 /* override PROTO_UNDEF */
6905 real_proto = IPPROTO_TCP;
6907 if (proto == Q_SCTP) {
6908 if (real_proto == IPPROTO_UDP)
6909 bpf_error(cstate, "port in range '%s' is udp", name);
6910 else if (real_proto == IPPROTO_TCP)
6911 bpf_error(cstate, "port in range '%s' is tcp", name);
6913 /* override PROTO_UNDEF */
6914 real_proto = IPPROTO_SCTP;
6917 bpf_error(cstate, "illegal port number %d < 0", port1);
6919 bpf_error(cstate, "illegal port number %d > 65535", port1);
6921 bpf_error(cstate, "illegal port number %d < 0", port2);
6923 bpf_error(cstate, "illegal port number %d > 65535", port2);
6925 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6926 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6931 eaddr = pcap_ether_hostton(name);
6933 bpf_error(cstate, "unknown ether host: %s", name);
6935 res = pcap_nametoaddrinfo(name);
6938 bpf_error(cstate, "unknown host '%s'", name);
6939 b = gen_gateway(cstate, eaddr, res, proto, dir);
6943 bpf_error(cstate, "unknown host '%s'", name);
6946 bpf_error(cstate, "'gateway' not supported in this configuration");
6950 real_proto = lookup_proto(cstate, name, proto);
6951 if (real_proto >= 0)
6952 return gen_proto(cstate, real_proto, proto, dir);
6954 bpf_error(cstate, "unknown protocol: %s", name);
6956 #if !defined(NO_PROTOCHAIN)
6958 real_proto = lookup_proto(cstate, name, proto);
6959 if (real_proto >= 0)
6960 return gen_protochain(cstate, real_proto, proto);
6962 bpf_error(cstate, "unknown protocol: %s", name);
6963 #endif /* !defined(NO_PROTOCHAIN) */
6974 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6975 bpf_u_int32 masklen, struct qual q)
6977 register int nlen, mlen;
6981 * Catch errors reported by us and routines below us, and return NULL
6984 if (setjmp(cstate->top_ctx))
6987 nlen = __pcap_atoin(s1, &n);
6989 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
6990 /* Promote short ipaddr */
6994 mlen = __pcap_atoin(s2, &m);
6996 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
6997 /* Promote short ipaddr */
7000 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
7003 /* Convert mask len to mask */
7005 bpf_error(cstate, "mask length must be <= 32");
7008 * X << 32 is not guaranteed by C to be 0; it's
7013 m = 0xffffffff << (32 - masklen);
7015 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
7022 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7025 bpf_error(cstate, "Mask syntax for networks only");
7032 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7040 * Catch errors reported by us and routines below us, and return NULL
7043 if (setjmp(cstate->top_ctx))
7050 else if (q.proto == Q_DECNET) {
7051 vlen = __pcap_atodn(s, &v);
7053 bpf_error(cstate, "malformed decnet address '%s'", s);
7055 vlen = __pcap_atoin(s, &v);
7057 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7065 if (proto == Q_DECNET)
7066 return gen_host(cstate, v, 0, proto, dir, q.addr);
7067 else if (proto == Q_LINK) {
7068 bpf_error(cstate, "illegal link layer address");
7071 if (s == NULL && q.addr == Q_NET) {
7072 /* Promote short net number */
7073 while (v && (v & 0xff000000) == 0) {
7078 /* Promote short ipaddr */
7080 mask <<= 32 - vlen ;
7082 return gen_host(cstate, v, mask, proto, dir, q.addr);
7087 proto = IPPROTO_UDP;
7088 else if (proto == Q_TCP)
7089 proto = IPPROTO_TCP;
7090 else if (proto == Q_SCTP)
7091 proto = IPPROTO_SCTP;
7092 else if (proto == Q_DEFAULT)
7093 proto = PROTO_UNDEF;
7095 bpf_error(cstate, "illegal qualifier of 'port'");
7098 bpf_error(cstate, "illegal port number %u > 65535", v);
7102 b = gen_port(cstate, v, proto, dir);
7103 gen_or(gen_port6(cstate, v, proto, dir), b);
7109 proto = IPPROTO_UDP;
7110 else if (proto == Q_TCP)
7111 proto = IPPROTO_TCP;
7112 else if (proto == Q_SCTP)
7113 proto = IPPROTO_SCTP;
7114 else if (proto == Q_DEFAULT)
7115 proto = PROTO_UNDEF;
7117 bpf_error(cstate, "illegal qualifier of 'portrange'");
7120 bpf_error(cstate, "illegal port number %u > 65535", v);
7124 b = gen_portrange(cstate, v, v, proto, dir);
7125 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7130 bpf_error(cstate, "'gateway' requires a name");
7134 return gen_proto(cstate, v, proto, dir);
7136 #if !defined(NO_PROTOCHAIN)
7138 return gen_protochain(cstate, v, proto);
7154 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
7155 bpf_u_int32 masklen, struct qual q)
7157 struct addrinfo *res;
7158 struct in6_addr *addr;
7159 struct in6_addr mask;
7164 * Catch errors reported by us and routines below us, and return NULL
7167 if (setjmp(cstate->top_ctx))
7171 bpf_error(cstate, "no mask %s supported", s2);
7173 res = pcap_nametoaddrinfo(s1);
7175 bpf_error(cstate, "invalid ip6 address %s", s1);
7178 bpf_error(cstate, "%s resolved to multiple address", s1);
7179 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7181 if (masklen > sizeof(mask.s6_addr) * 8)
7182 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8));
7183 memset(&mask, 0, sizeof(mask));
7184 memset(&mask.s6_addr, 0xff, masklen / 8);
7186 mask.s6_addr[masklen / 8] =
7187 (0xff << (8 - masklen % 8)) & 0xff;
7190 a = (uint32_t *)addr;
7191 m = (uint32_t *)&mask;
7192 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7193 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7194 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
7202 bpf_error(cstate, "Mask syntax for networks only");
7206 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7212 bpf_error(cstate, "invalid qualifier against IPv6 address");
7219 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7221 struct block *b, *tmp;
7224 * Catch errors reported by us and routines below us, and return NULL
7227 if (setjmp(cstate->top_ctx))
7230 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7231 cstate->e = pcap_ether_aton(s);
7232 if (cstate->e == NULL)
7233 bpf_error(cstate, "malloc");
7234 switch (cstate->linktype) {
7236 case DLT_NETANALYZER:
7237 case DLT_NETANALYZER_TRANSPARENT:
7238 tmp = gen_prevlinkhdr_check(cstate);
7239 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7244 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7247 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7249 case DLT_IEEE802_11:
7250 case DLT_PRISM_HEADER:
7251 case DLT_IEEE802_11_RADIO_AVS:
7252 case DLT_IEEE802_11_RADIO:
7254 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7256 case DLT_IP_OVER_FC:
7257 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7262 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7269 bpf_error(cstate, "ethernet address used in non-ether expression");
7274 sappend(struct slist *s0, struct slist *s1)
7277 * This is definitely not the best way to do this, but the
7278 * lists will rarely get long.
7285 static struct slist *
7286 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7290 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7295 static struct slist *
7296 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7300 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7306 * Modify "index" to use the value stored into its register as an
7307 * offset relative to the beginning of the header for the protocol
7308 * "proto", and allocate a register and put an item "size" bytes long
7309 * (1, 2, or 4) at that offset into that register, making it the register
7312 static struct arth *
7313 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7317 struct slist *s, *tmp;
7319 int regno = alloc_reg(cstate);
7321 free_reg(cstate, inst->regno);
7325 bpf_error(cstate, "data size must be 1, 2, or 4");
7342 bpf_error(cstate, "unsupported index operation");
7346 * The offset is relative to the beginning of the packet
7347 * data, if we have a radio header. (If we don't, this
7350 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7351 cstate->linktype != DLT_IEEE802_11_RADIO &&
7352 cstate->linktype != DLT_PRISM_HEADER)
7353 bpf_error(cstate, "radio information not present in capture");
7356 * Load into the X register the offset computed into the
7357 * register specified by "index".
7359 s = xfer_to_x(cstate, inst);
7362 * Load the item at that offset.
7364 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7366 sappend(inst->s, s);
7371 * The offset is relative to the beginning of
7372 * the link-layer header.
7374 * XXX - what about ATM LANE? Should the index be
7375 * relative to the beginning of the AAL5 frame, so
7376 * that 0 refers to the beginning of the LE Control
7377 * field, or relative to the beginning of the LAN
7378 * frame, so that 0 refers, for Ethernet LANE, to
7379 * the beginning of the destination address?
7381 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7384 * If "s" is non-null, it has code to arrange that the
7385 * X register contains the length of the prefix preceding
7386 * the link-layer header. Add to it the offset computed
7387 * into the register specified by "index", and move that
7388 * into the X register. Otherwise, just load into the X
7389 * register the offset computed into the register specified
7393 sappend(s, xfer_to_a(cstate, inst));
7394 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7395 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7397 s = xfer_to_x(cstate, inst);
7400 * Load the item at the sum of the offset we've put in the
7401 * X register and the offset of the start of the link
7402 * layer header (which is 0 if the radio header is
7403 * variable-length; that header length is what we put
7404 * into the X register and then added to the index).
7406 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7407 tmp->s.k = cstate->off_linkhdr.constant_part;
7409 sappend(inst->s, s);
7423 * The offset is relative to the beginning of
7424 * the network-layer header.
7425 * XXX - are there any cases where we want
7426 * cstate->off_nl_nosnap?
7428 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7431 * If "s" is non-null, it has code to arrange that the
7432 * X register contains the variable part of the offset
7433 * of the link-layer payload. Add to it the offset
7434 * computed into the register specified by "index",
7435 * and move that into the X register. Otherwise, just
7436 * load into the X register the offset computed into
7437 * the register specified by "index".
7440 sappend(s, xfer_to_a(cstate, inst));
7441 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7442 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7444 s = xfer_to_x(cstate, inst);
7447 * Load the item at the sum of the offset we've put in the
7448 * X register, the offset of the start of the network
7449 * layer header from the beginning of the link-layer
7450 * payload, and the constant part of the offset of the
7451 * start of the link-layer payload.
7453 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7454 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7456 sappend(inst->s, s);
7459 * Do the computation only if the packet contains
7460 * the protocol in question.
7462 b = gen_proto_abbrev_internal(cstate, proto);
7464 gen_and(inst->b, b);
7478 * The offset is relative to the beginning of
7479 * the transport-layer header.
7481 * Load the X register with the length of the IPv4 header
7482 * (plus the offset of the link-layer header, if it's
7483 * a variable-length header), in bytes.
7485 * XXX - are there any cases where we want
7486 * cstate->off_nl_nosnap?
7487 * XXX - we should, if we're built with
7488 * IPv6 support, generate code to load either
7489 * IPv4, IPv6, or both, as appropriate.
7491 s = gen_loadx_iphdrlen(cstate);
7494 * The X register now contains the sum of the variable
7495 * part of the offset of the link-layer payload and the
7496 * length of the network-layer header.
7498 * Load into the A register the offset relative to
7499 * the beginning of the transport layer header,
7500 * add the X register to that, move that to the
7501 * X register, and load with an offset from the
7502 * X register equal to the sum of the constant part of
7503 * the offset of the link-layer payload and the offset,
7504 * relative to the beginning of the link-layer payload,
7505 * of the network-layer header.
7507 sappend(s, xfer_to_a(cstate, inst));
7508 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7509 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7510 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7511 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7512 sappend(inst->s, s);
7515 * Do the computation only if the packet contains
7516 * the protocol in question - which is true only
7517 * if this is an IP datagram and is the first or
7518 * only fragment of that datagram.
7520 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7522 gen_and(inst->b, b);
7523 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7528 * Do the computation only if the packet contains
7529 * the protocol in question.
7531 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7533 gen_and(inst->b, b);
7538 * Check if we have an icmp6 next header
7540 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7542 gen_and(inst->b, b);
7547 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7549 * If "s" is non-null, it has code to arrange that the
7550 * X register contains the variable part of the offset
7551 * of the link-layer payload. Add to it the offset
7552 * computed into the register specified by "index",
7553 * and move that into the X register. Otherwise, just
7554 * load into the X register the offset computed into
7555 * the register specified by "index".
7558 sappend(s, xfer_to_a(cstate, inst));
7559 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7560 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7562 s = xfer_to_x(cstate, inst);
7566 * Load the item at the sum of the offset we've put in the
7567 * X register, the offset of the start of the network
7568 * layer header from the beginning of the link-layer
7569 * payload, and the constant part of the offset of the
7570 * start of the link-layer payload.
7572 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7573 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7576 sappend(inst->s, s);
7580 inst->regno = regno;
7581 s = new_stmt(cstate, BPF_ST);
7583 sappend(inst->s, s);
7589 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7593 * Catch errors reported by us and routines below us, and return NULL
7596 if (setjmp(cstate->top_ctx))
7599 return gen_load_internal(cstate, proto, inst, size);
7602 static struct block *
7603 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7604 struct arth *a1, int reversed)
7606 struct slist *s0, *s1, *s2;
7607 struct block *b, *tmp;
7609 s0 = xfer_to_x(cstate, a1);
7610 s1 = xfer_to_a(cstate, a0);
7611 if (code == BPF_JEQ) {
7612 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7613 b = new_block(cstate, JMP(code));
7617 b = new_block(cstate, BPF_JMP|code|BPF_X);
7623 sappend(a0->s, a1->s);
7627 free_reg(cstate, a0->regno);
7628 free_reg(cstate, a1->regno);
7630 /* 'and' together protocol checks */
7633 gen_and(a0->b, tmp = a1->b);
7647 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7648 struct arth *a1, int reversed)
7651 * Catch errors reported by us and routines below us, and return NULL
7654 if (setjmp(cstate->top_ctx))
7657 return gen_relation_internal(cstate, code, a0, a1, reversed);
7661 gen_loadlen(compiler_state_t *cstate)
7668 * Catch errors reported by us and routines below us, and return NULL
7671 if (setjmp(cstate->top_ctx))
7674 regno = alloc_reg(cstate);
7675 a = (struct arth *)newchunk(cstate, sizeof(*a));
7676 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7677 s->next = new_stmt(cstate, BPF_ST);
7678 s->next->s.k = regno;
7685 static struct arth *
7686 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
7692 a = (struct arth *)newchunk(cstate, sizeof(*a));
7694 reg = alloc_reg(cstate);
7696 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7698 s->next = new_stmt(cstate, BPF_ST);
7707 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
7710 * Catch errors reported by us and routines below us, and return NULL
7713 if (setjmp(cstate->top_ctx))
7716 return gen_loadi_internal(cstate, val);
7720 * The a_arg dance is to avoid annoying whining by compilers that
7721 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7722 * It's not *used* after setjmp returns.
7725 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7727 struct arth *a = a_arg;
7731 * Catch errors reported by us and routines below us, and return NULL
7734 if (setjmp(cstate->top_ctx))
7737 s = xfer_to_a(cstate, a);
7739 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7742 s = new_stmt(cstate, BPF_ST);
7750 * The a0_arg dance is to avoid annoying whining by compilers that
7751 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7752 * It's not *used* after setjmp returns.
7755 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7758 struct arth *a0 = a0_arg;
7759 struct slist *s0, *s1, *s2;
7762 * Catch errors reported by us and routines below us, and return NULL
7765 if (setjmp(cstate->top_ctx))
7769 * Disallow division by, or modulus by, zero; we do this here
7770 * so that it gets done even if the optimizer is disabled.
7772 * Also disallow shifts by a value greater than 31; we do this
7773 * here, for the same reason.
7775 if (code == BPF_DIV) {
7776 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7777 bpf_error(cstate, "division by zero");
7778 } else if (code == BPF_MOD) {
7779 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7780 bpf_error(cstate, "modulus by zero");
7781 } else if (code == BPF_LSH || code == BPF_RSH) {
7782 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
7783 bpf_error(cstate, "shift by more than 31 bits");
7785 s0 = xfer_to_x(cstate, a1);
7786 s1 = xfer_to_a(cstate, a0);
7787 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7792 sappend(a0->s, a1->s);
7794 free_reg(cstate, a0->regno);
7795 free_reg(cstate, a1->regno);
7797 s0 = new_stmt(cstate, BPF_ST);
7798 a0->regno = s0->s.k = alloc_reg(cstate);
7805 * Initialize the table of used registers and the current register.
7808 init_regs(compiler_state_t *cstate)
7811 memset(cstate->regused, 0, sizeof cstate->regused);
7815 * Return the next free register.
7818 alloc_reg(compiler_state_t *cstate)
7820 int n = BPF_MEMWORDS;
7823 if (cstate->regused[cstate->curreg])
7824 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7826 cstate->regused[cstate->curreg] = 1;
7827 return cstate->curreg;
7830 bpf_error(cstate, "too many registers needed to evaluate expression");
7835 * Return a register to the table so it can
7839 free_reg(compiler_state_t *cstate, int n)
7841 cstate->regused[n] = 0;
7844 static struct block *
7845 gen_len(compiler_state_t *cstate, int jmp, int n)
7850 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7851 b = new_block(cstate, JMP(jmp));
7859 gen_greater(compiler_state_t *cstate, int n)
7862 * Catch errors reported by us and routines below us, and return NULL
7865 if (setjmp(cstate->top_ctx))
7868 return gen_len(cstate, BPF_JGE, n);
7872 * Actually, this is less than or equal.
7875 gen_less(compiler_state_t *cstate, int n)
7880 * Catch errors reported by us and routines below us, and return NULL
7883 if (setjmp(cstate->top_ctx))
7886 b = gen_len(cstate, BPF_JGT, n);
7893 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7894 * the beginning of the link-layer header.
7895 * XXX - that means you can't test values in the radiotap header, but
7896 * as that header is difficult if not impossible to parse generally
7897 * without a loop, that might not be a severe problem. A new keyword
7898 * "radio" could be added for that, although what you'd really want
7899 * would be a way of testing particular radio header values, which
7900 * would generate code appropriate to the radio header in question.
7903 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
7909 * Catch errors reported by us and routines below us, and return NULL
7912 if (setjmp(cstate->top_ctx))
7920 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7923 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7927 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7931 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7935 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7939 b = new_block(cstate, JMP(BPF_JEQ));
7946 static const u_char abroadcast[] = { 0x0 };
7949 gen_broadcast(compiler_state_t *cstate, int proto)
7951 bpf_u_int32 hostmask;
7952 struct block *b0, *b1, *b2;
7953 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7956 * Catch errors reported by us and routines below us, and return NULL
7959 if (setjmp(cstate->top_ctx))
7966 switch (cstate->linktype) {
7968 case DLT_ARCNET_LINUX:
7969 return gen_ahostop(cstate, abroadcast, Q_DST);
7971 case DLT_NETANALYZER:
7972 case DLT_NETANALYZER_TRANSPARENT:
7973 b1 = gen_prevlinkhdr_check(cstate);
7974 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7979 return gen_fhostop(cstate, ebroadcast, Q_DST);
7981 return gen_thostop(cstate, ebroadcast, Q_DST);
7982 case DLT_IEEE802_11:
7983 case DLT_PRISM_HEADER:
7984 case DLT_IEEE802_11_RADIO_AVS:
7985 case DLT_IEEE802_11_RADIO:
7987 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7988 case DLT_IP_OVER_FC:
7989 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7991 bpf_error(cstate, "not a broadcast link");
7997 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7998 * as an indication that we don't know the netmask, and fail
8001 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
8002 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
8003 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8004 hostmask = ~cstate->netmask;
8005 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
8006 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
8007 ~0 & hostmask, hostmask);
8012 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
8017 * Generate code to test the low-order bit of a MAC address (that's
8018 * the bottom bit of the *first* byte).
8020 static struct block *
8021 gen_mac_multicast(compiler_state_t *cstate, int offset)
8023 register struct block *b0;
8024 register struct slist *s;
8026 /* link[offset] & 1 != 0 */
8027 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8028 b0 = new_block(cstate, JMP(BPF_JSET));
8035 gen_multicast(compiler_state_t *cstate, int proto)
8037 register struct block *b0, *b1, *b2;
8038 register struct slist *s;
8041 * Catch errors reported by us and routines below us, and return NULL
8044 if (setjmp(cstate->top_ctx))
8051 switch (cstate->linktype) {
8053 case DLT_ARCNET_LINUX:
8054 /* all ARCnet multicasts use the same address */
8055 return gen_ahostop(cstate, abroadcast, Q_DST);
8057 case DLT_NETANALYZER:
8058 case DLT_NETANALYZER_TRANSPARENT:
8059 b1 = gen_prevlinkhdr_check(cstate);
8060 /* ether[0] & 1 != 0 */
8061 b0 = gen_mac_multicast(cstate, 0);
8067 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8069 * XXX - was that referring to bit-order issues?
8071 /* fddi[1] & 1 != 0 */
8072 return gen_mac_multicast(cstate, 1);
8074 /* tr[2] & 1 != 0 */
8075 return gen_mac_multicast(cstate, 2);
8076 case DLT_IEEE802_11:
8077 case DLT_PRISM_HEADER:
8078 case DLT_IEEE802_11_RADIO_AVS:
8079 case DLT_IEEE802_11_RADIO:
8084 * For control frames, there is no DA.
8086 * For management frames, DA is at an
8087 * offset of 4 from the beginning of
8090 * For data frames, DA is at an offset
8091 * of 4 from the beginning of the packet
8092 * if To DS is clear and at an offset of
8093 * 16 from the beginning of the packet
8098 * Generate the tests to be done for data frames.
8100 * First, check for To DS set, i.e. "link[1] & 0x01".
8102 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8103 b1 = new_block(cstate, JMP(BPF_JSET));
8104 b1->s.k = 0x01; /* To DS */
8108 * If To DS is set, the DA is at 16.
8110 b0 = gen_mac_multicast(cstate, 16);
8114 * Now, check for To DS not set, i.e. check
8115 * "!(link[1] & 0x01)".
8117 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8118 b2 = new_block(cstate, JMP(BPF_JSET));
8119 b2->s.k = 0x01; /* To DS */
8124 * If To DS is not set, the DA is at 4.
8126 b1 = gen_mac_multicast(cstate, 4);
8130 * Now OR together the last two checks. That gives
8131 * the complete set of checks for data frames.
8136 * Now check for a data frame.
8137 * I.e, check "link[0] & 0x08".
8139 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8140 b1 = new_block(cstate, JMP(BPF_JSET));
8145 * AND that with the checks done for data frames.
8150 * If the high-order bit of the type value is 0, this
8151 * is a management frame.
8152 * I.e, check "!(link[0] & 0x08)".
8154 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8155 b2 = new_block(cstate, JMP(BPF_JSET));
8161 * For management frames, the DA is at 4.
8163 b1 = gen_mac_multicast(cstate, 4);
8167 * OR that with the checks done for data frames.
8168 * That gives the checks done for management and
8174 * If the low-order bit of the type value is 1,
8175 * this is either a control frame or a frame
8176 * with a reserved type, and thus not a
8179 * I.e., check "!(link[0] & 0x04)".
8181 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8182 b1 = new_block(cstate, JMP(BPF_JSET));
8188 * AND that with the checks for data and management
8193 case DLT_IP_OVER_FC:
8194 b0 = gen_mac_multicast(cstate, 2);
8199 /* Link not known to support multicasts */
8203 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8204 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8209 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8210 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8214 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8219 gen_ifindex(compiler_state_t *cstate, int ifindex)
8221 register struct block *b0;
8224 * Catch errors reported by us and routines below us, and return NULL
8227 if (setjmp(cstate->top_ctx))
8231 * Only some data link types support ifindex qualifiers.
8233 switch (cstate->linktype) {
8234 case DLT_LINUX_SLL2:
8235 /* match packets on this interface */
8236 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8241 * This is Linux; we require PF_PACKET support.
8242 * If this is a *live* capture, we can look at
8243 * special meta-data in the filter expression;
8244 * if it's a savefile, we can't.
8246 if (cstate->bpf_pcap->rfile != NULL) {
8247 /* We have a FILE *, so this is a savefile */
8248 bpf_error(cstate, "ifindex not supported on %s when reading savefiles",
8249 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8254 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8256 #else /* defined(linux) */
8257 bpf_error(cstate, "ifindex not supported on %s",
8258 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8260 #endif /* defined(linux) */
8266 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
8267 * Outbound traffic is sent by this machine, while inbound traffic is
8268 * sent by a remote machine (and may include packets destined for a
8269 * unicast or multicast link-layer address we are not subscribing to).
8270 * These are the same definitions implemented by pcap_setdirection().
8271 * Capturing only unicast traffic destined for this host is probably
8272 * better accomplished using a higher-layer filter.
8275 gen_inbound(compiler_state_t *cstate, int dir)
8277 register struct block *b0;
8280 * Catch errors reported by us and routines below us, and return NULL
8283 if (setjmp(cstate->top_ctx))
8287 * Only some data link types support inbound/outbound qualifiers.
8289 switch (cstate->linktype) {
8291 b0 = gen_relation_internal(cstate, BPF_JEQ,
8292 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1),
8293 gen_loadi_internal(cstate, 0),
8299 /* match outgoing packets */
8300 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
8302 /* match incoming packets */
8303 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
8308 /* match outgoing packets */
8309 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8311 /* to filter on inbound traffic, invert the match */
8316 case DLT_LINUX_SLL2:
8317 /* match outgoing packets */
8318 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8320 /* to filter on inbound traffic, invert the match */
8326 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8327 ((dir == 0) ? PF_IN : PF_OUT));
8332 /* match outgoing packets */
8333 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
8335 /* match incoming packets */
8336 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
8340 case DLT_JUNIPER_MFR:
8341 case DLT_JUNIPER_MLFR:
8342 case DLT_JUNIPER_MLPPP:
8343 case DLT_JUNIPER_ATM1:
8344 case DLT_JUNIPER_ATM2:
8345 case DLT_JUNIPER_PPPOE:
8346 case DLT_JUNIPER_PPPOE_ATM:
8347 case DLT_JUNIPER_GGSN:
8348 case DLT_JUNIPER_ES:
8349 case DLT_JUNIPER_MONITOR:
8350 case DLT_JUNIPER_SERVICES:
8351 case DLT_JUNIPER_ETHER:
8352 case DLT_JUNIPER_PPP:
8353 case DLT_JUNIPER_FRELAY:
8354 case DLT_JUNIPER_CHDLC:
8355 case DLT_JUNIPER_VP:
8356 case DLT_JUNIPER_ST:
8357 case DLT_JUNIPER_ISM:
8358 case DLT_JUNIPER_VS:
8359 case DLT_JUNIPER_SRX_E2E:
8360 case DLT_JUNIPER_FIBRECHANNEL:
8361 case DLT_JUNIPER_ATM_CEMIC:
8363 /* juniper flags (including direction) are stored
8364 * the byte after the 3-byte magic number */
8366 /* match outgoing packets */
8367 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
8369 /* match incoming packets */
8370 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
8376 * If we have packet meta-data indicating a direction,
8377 * and that metadata can be checked by BPF code, check
8378 * it. Otherwise, give up, as this link-layer type has
8379 * nothing in the packet data.
8381 * Currently, the only platform where a BPF filter can
8382 * check that metadata is Linux with the in-kernel
8383 * BPF interpreter. If other packet capture mechanisms
8384 * and BPF filters also supported this, it would be
8385 * nice. It would be even better if they made that
8386 * metadata available so that we could provide it
8387 * with newer capture APIs, allowing it to be saved
8392 * This is Linux; we require PF_PACKET support.
8393 * If this is a *live* capture, we can look at
8394 * special meta-data in the filter expression;
8395 * if it's a savefile, we can't.
8397 if (cstate->bpf_pcap->rfile != NULL) {
8398 /* We have a FILE *, so this is a savefile */
8399 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles",
8400 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8403 /* match outgoing packets */
8404 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8407 /* to filter on inbound traffic, invert the match */
8410 #else /* defined(linux) */
8411 bpf_error(cstate, "inbound/outbound not supported on %s",
8412 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8414 #endif /* defined(linux) */
8419 /* PF firewall log matched interface */
8421 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8427 * Catch errors reported by us and routines below us, and return NULL
8430 if (setjmp(cstate->top_ctx))
8433 if (cstate->linktype != DLT_PFLOG) {
8434 bpf_error(cstate, "ifname supported only on PF linktype");
8437 len = sizeof(((struct pfloghdr *)0)->ifname);
8438 off = offsetof(struct pfloghdr, ifname);
8439 if (strlen(ifname) >= len) {
8440 bpf_error(cstate, "ifname interface names can only be %d characters",
8444 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8445 (const u_char *)ifname);
8449 /* PF firewall log ruleset name */
8451 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8456 * Catch errors reported by us and routines below us, and return NULL
8459 if (setjmp(cstate->top_ctx))
8462 if (cstate->linktype != DLT_PFLOG) {
8463 bpf_error(cstate, "ruleset supported only on PF linktype");
8467 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8468 bpf_error(cstate, "ruleset names can only be %ld characters",
8469 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8473 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8474 (u_int)strlen(ruleset), (const u_char *)ruleset);
8478 /* PF firewall log rule number */
8480 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8485 * Catch errors reported by us and routines below us, and return NULL
8488 if (setjmp(cstate->top_ctx))
8491 if (cstate->linktype != DLT_PFLOG) {
8492 bpf_error(cstate, "rnr supported only on PF linktype");
8496 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8501 /* PF firewall log sub-rule number */
8503 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8508 * Catch errors reported by us and routines below us, and return NULL
8511 if (setjmp(cstate->top_ctx))
8514 if (cstate->linktype != DLT_PFLOG) {
8515 bpf_error(cstate, "srnr supported only on PF linktype");
8519 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8524 /* PF firewall log reason code */
8526 gen_pf_reason(compiler_state_t *cstate, int reason)
8531 * Catch errors reported by us and routines below us, and return NULL
8534 if (setjmp(cstate->top_ctx))
8537 if (cstate->linktype != DLT_PFLOG) {
8538 bpf_error(cstate, "reason supported only on PF linktype");
8542 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8543 (bpf_u_int32)reason);
8547 /* PF firewall log action */
8549 gen_pf_action(compiler_state_t *cstate, int action)
8554 * Catch errors reported by us and routines below us, and return NULL
8557 if (setjmp(cstate->top_ctx))
8560 if (cstate->linktype != DLT_PFLOG) {
8561 bpf_error(cstate, "action supported only on PF linktype");
8565 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8566 (bpf_u_int32)action);
8570 /* IEEE 802.11 wireless header */
8572 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8577 * Catch errors reported by us and routines below us, and return NULL
8580 if (setjmp(cstate->top_ctx))
8583 switch (cstate->linktype) {
8585 case DLT_IEEE802_11:
8586 case DLT_PRISM_HEADER:
8587 case DLT_IEEE802_11_RADIO_AVS:
8588 case DLT_IEEE802_11_RADIO:
8589 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8593 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8601 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8606 * Catch errors reported by us and routines below us, and return NULL
8609 if (setjmp(cstate->top_ctx))
8612 switch (cstate->linktype) {
8614 case DLT_IEEE802_11:
8615 case DLT_PRISM_HEADER:
8616 case DLT_IEEE802_11_RADIO_AVS:
8617 case DLT_IEEE802_11_RADIO:
8621 bpf_error(cstate, "frame direction supported only with 802.11 headers");
8625 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8626 IEEE80211_FC1_DIR_MASK);
8632 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8637 * Catch errors reported by us and routines below us, and return NULL
8640 if (setjmp(cstate->top_ctx))
8643 switch (cstate->linktype) {
8646 case DLT_ARCNET_LINUX:
8647 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8648 q.proto == Q_LINK) {
8649 cstate->e = pcap_ether_aton(s);
8650 if (cstate->e == NULL)
8651 bpf_error(cstate, "malloc");
8652 b = gen_ahostop(cstate, cstate->e, (int)q.dir);
8657 bpf_error(cstate, "ARCnet address used in non-arc expression");
8661 bpf_error(cstate, "aid supported only on ARCnet");
8666 static struct block *
8667 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
8669 register struct block *b0, *b1;
8672 /* src comes first, different from Ethernet */
8674 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
8677 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
8680 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8681 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8687 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8688 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8693 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
8697 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
8701 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
8705 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
8709 bpf_error(cstate, "'ra' is only supported on 802.11");
8713 bpf_error(cstate, "'ta' is only supported on 802.11");
8720 static struct block *
8721 gen_vlan_tpid_test(compiler_state_t *cstate)
8723 struct block *b0, *b1;
8725 /* check for VLAN, including 802.1ad and QinQ */
8726 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8727 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8730 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8736 static struct block *
8737 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8739 if (vlan_num > 0x0fff) {
8740 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
8743 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
8746 static struct block *
8747 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8750 struct block *b0, *b1;
8752 b0 = gen_vlan_tpid_test(cstate);
8755 b1 = gen_vlan_vid_test(cstate, vlan_num);
8761 * Both payload and link header type follow the VLAN tags so that
8762 * both need to be updated.
8764 cstate->off_linkpl.constant_part += 4;
8765 cstate->off_linktype.constant_part += 4;
8770 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8771 /* add v to variable part of off */
8773 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
8774 bpf_u_int32 v, struct slist *s)
8778 if (!off->is_variable)
8779 off->is_variable = 1;
8781 off->reg = alloc_reg(cstate);
8783 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8786 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8789 s2 = new_stmt(cstate, BPF_ST);
8795 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8796 * and link type offsets first
8799 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8803 /* offset determined at run time, shift variable part */
8805 cstate->is_vlan_vloffset = 1;
8806 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8807 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8809 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8810 sappend(s.next, b_tpid->head->stmts);
8811 b_tpid->head->stmts = s.next;
8815 * patch block b_vid (VLAN id test) to load VID value either from packet
8816 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8819 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8821 struct slist *s, *s2, *sjeq;
8824 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8825 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8827 /* true -> next instructions, false -> beginning of b_vid */
8828 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8830 sjeq->s.jf = b_vid->stmts;
8833 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8834 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8838 /* Jump to the test in b_vid. We need to jump one instruction before
8839 * the end of the b_vid block so that we only skip loading the TCI
8840 * from packet data and not the 'and' instruction extractging VID.
8843 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8845 s2 = new_stmt(cstate, JMP(BPF_JA));
8849 /* insert our statements at the beginning of b_vid */
8850 sappend(s, b_vid->stmts);
8855 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8856 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8857 * tag can be either in metadata or in packet data; therefore if the
8858 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8859 * header for VLAN tag. As the decision is done at run time, we need
8860 * update variable part of the offsets
8862 static struct block *
8863 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8866 struct block *b0, *b_tpid, *b_vid = NULL;
8869 /* generate new filter code based on extracting packet
8871 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8872 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8874 b0 = new_block(cstate, JMP(BPF_JEQ));
8879 * This is tricky. We need to insert the statements updating variable
8880 * parts of offsets before the traditional TPID and VID tests so
8881 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8882 * we do not want this update to affect those checks. That's why we
8883 * generate both test blocks first and insert the statements updating
8884 * variable parts of both offsets after that. This wouldn't work if
8885 * there already were variable length link header when entering this
8886 * function but gen_vlan_bpf_extensions() isn't called in that case.
8888 b_tpid = gen_vlan_tpid_test(cstate);
8890 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8892 gen_vlan_patch_tpid_test(cstate, b_tpid);
8897 gen_vlan_patch_vid_test(cstate, b_vid);
8907 * support IEEE 802.1Q VLAN trunk over ethernet
8910 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
8915 * Catch errors reported by us and routines below us, and return NULL
8918 if (setjmp(cstate->top_ctx))
8921 /* can't check for VLAN-encapsulated packets inside MPLS */
8922 if (cstate->label_stack_depth > 0)
8923 bpf_error(cstate, "no VLAN match after MPLS");
8926 * Check for a VLAN packet, and then change the offsets to point
8927 * to the type and data fields within the VLAN packet. Just
8928 * increment the offsets, so that we can support a hierarchy, e.g.
8929 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8932 * XXX - this is a bit of a kludge. If we were to split the
8933 * compiler into a parser that parses an expression and
8934 * generates an expression tree, and a code generator that
8935 * takes an expression tree (which could come from our
8936 * parser or from some other parser) and generates BPF code,
8937 * we could perhaps make the offsets parameters of routines
8938 * and, in the handler for an "AND" node, pass to subnodes
8939 * other than the VLAN node the adjusted offsets.
8941 * This would mean that "vlan" would, instead of changing the
8942 * behavior of *all* tests after it, change only the behavior
8943 * of tests ANDed with it. That would change the documented
8944 * semantics of "vlan", which might break some expressions.
8945 * However, it would mean that "(vlan and ip) or ip" would check
8946 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8947 * checking only for VLAN-encapsulated IP, so that could still
8948 * be considered worth doing; it wouldn't break expressions
8949 * that are of the form "vlan and ..." or "vlan N and ...",
8950 * which I suspect are the most common expressions involving
8951 * "vlan". "vlan or ..." doesn't necessarily do what the user
8952 * would really want, now, as all the "or ..." tests would
8953 * be done assuming a VLAN, even though the "or" could be viewed
8954 * as meaning "or, if this isn't a VLAN packet...".
8956 switch (cstate->linktype) {
8959 case DLT_NETANALYZER:
8960 case DLT_NETANALYZER_TRANSPARENT:
8961 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8962 /* Verify that this is the outer part of the packet and
8963 * not encapsulated somehow. */
8964 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8965 cstate->off_linkhdr.constant_part ==
8966 cstate->off_outermostlinkhdr.constant_part) {
8968 * Do we need special VLAN handling?
8970 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8971 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
8974 b0 = gen_vlan_no_bpf_extensions(cstate,
8975 vlan_num, has_vlan_tag);
8978 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
8982 case DLT_IEEE802_11:
8983 case DLT_PRISM_HEADER:
8984 case DLT_IEEE802_11_RADIO_AVS:
8985 case DLT_IEEE802_11_RADIO:
8986 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
8990 bpf_error(cstate, "no VLAN support for %s",
8991 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8995 cstate->vlan_stack_depth++;
9003 * The label_num_arg dance is to avoid annoying whining by compilers that
9004 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9005 * It's not *used* after setjmp returns.
9008 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg,
9011 volatile bpf_u_int32 label_num = label_num_arg;
9012 struct block *b0, *b1;
9015 * Catch errors reported by us and routines below us, and return NULL
9018 if (setjmp(cstate->top_ctx))
9021 if (cstate->label_stack_depth > 0) {
9022 /* just match the bottom-of-stack bit clear */
9023 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9026 * We're not in an MPLS stack yet, so check the link-layer
9027 * type against MPLS.
9029 switch (cstate->linktype) {
9031 case DLT_C_HDLC: /* fall through */
9034 case DLT_NETANALYZER:
9035 case DLT_NETANALYZER_TRANSPARENT:
9036 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9040 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9043 /* FIXME add other DLT_s ...
9044 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9045 * leave it for now */
9048 bpf_error(cstate, "no MPLS support for %s",
9049 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9054 /* If a specific MPLS label is requested, check it */
9055 if (has_label_num) {
9056 if (label_num > 0xFFFFF) {
9057 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9058 label_num, 0xFFFFF);
9060 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9061 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9062 0xfffff000); /* only compare the first 20 bits */
9068 * Change the offsets to point to the type and data fields within
9069 * the MPLS packet. Just increment the offsets, so that we
9070 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9071 * capture packets with an outer label of 100000 and an inner
9074 * Increment the MPLS stack depth as well; this indicates that
9075 * we're checking MPLS-encapsulated headers, to make sure higher
9076 * level code generators don't try to match against IP-related
9077 * protocols such as Q_ARP, Q_RARP etc.
9079 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9081 cstate->off_nl_nosnap += 4;
9082 cstate->off_nl += 4;
9083 cstate->label_stack_depth++;
9088 * Support PPPOE discovery and session.
9091 gen_pppoed(compiler_state_t *cstate)
9094 * Catch errors reported by us and routines below us, and return NULL
9097 if (setjmp(cstate->top_ctx))
9100 /* check for PPPoE discovery */
9101 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9105 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9107 struct block *b0, *b1;
9110 * Catch errors reported by us and routines below us, and return NULL
9113 if (setjmp(cstate->top_ctx))
9117 * Test against the PPPoE session link-layer type.
9119 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9121 /* If a specific session is requested, check PPPoE session id */
9123 if (sess_num > 0x0000ffff) {
9124 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9125 sess_num, 0x0000ffff);
9127 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff);
9133 * Change the offsets to point to the type and data fields within
9134 * the PPP packet, and note that this is PPPoE rather than
9137 * XXX - this is a bit of a kludge. See the comments in
9140 * The "network-layer" protocol is PPPoE, which has a 6-byte
9141 * PPPoE header, followed by a PPP packet.
9143 * There is no HDLC encapsulation for the PPP packet (it's
9144 * encapsulated in PPPoES instead), so the link-layer type
9145 * starts at the first byte of the PPP packet. For PPPoE,
9146 * that offset is relative to the beginning of the total
9147 * link-layer payload, including any 802.2 LLC header, so
9148 * it's 6 bytes past cstate->off_nl.
9150 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9151 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9152 cstate->off_linkpl.reg);
9154 cstate->off_linktype = cstate->off_linkhdr;
9155 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9158 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9163 /* Check that this is Geneve and the VNI is correct if
9164 * specified. Parameterized to handle both IPv4 and IPv6. */
9165 static struct block *
9166 gen_geneve_check(compiler_state_t *cstate,
9167 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9168 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9170 struct block *b0, *b1;
9172 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9174 /* Check that we are operating on version 0. Otherwise, we
9175 * can't decode the rest of the fields. The version is 2 bits
9176 * in the first byte of the Geneve header. */
9177 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9182 if (vni > 0xffffff) {
9183 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9186 vni <<= 8; /* VNI is in the upper 3 bytes */
9187 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9195 /* The IPv4 and IPv6 Geneve checks need to do two things:
9196 * - Verify that this actually is Geneve with the right VNI.
9197 * - Place the IP header length (plus variable link prefix if
9198 * needed) into register A to be used later to compute
9199 * the inner packet offsets. */
9200 static struct block *
9201 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9203 struct block *b0, *b1;
9204 struct slist *s, *s1;
9206 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9208 /* Load the IP header length into A. */
9209 s = gen_loadx_iphdrlen(cstate);
9211 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9214 /* Forcibly append these statements to the true condition
9215 * of the protocol check by creating a new block that is
9216 * always true and ANDing them. */
9217 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9226 static struct block *
9227 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9229 struct block *b0, *b1;
9230 struct slist *s, *s1;
9232 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9234 /* Load the IP header length. We need to account for a
9235 * variable length link prefix if there is one. */
9236 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9238 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9242 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9246 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9250 /* Forcibly append these statements to the true condition
9251 * of the protocol check by creating a new block that is
9252 * always true and ANDing them. */
9253 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9256 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9265 /* We need to store three values based on the Geneve header::
9266 * - The offset of the linktype.
9267 * - The offset of the end of the Geneve header.
9268 * - The offset of the end of the encapsulated MAC header. */
9269 static struct slist *
9270 gen_geneve_offsets(compiler_state_t *cstate)
9272 struct slist *s, *s1, *s_proto;
9274 /* First we need to calculate the offset of the Geneve header
9275 * itself. This is composed of the IP header previously calculated
9276 * (include any variable link prefix) and stored in A plus the
9277 * fixed sized headers (fixed link prefix, MAC length, and UDP
9279 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9280 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9282 /* Stash this in X since we'll need it later. */
9283 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9286 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9288 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9292 cstate->off_linktype.reg = alloc_reg(cstate);
9293 cstate->off_linktype.is_variable = 1;
9294 cstate->off_linktype.constant_part = 0;
9296 s1 = new_stmt(cstate, BPF_ST);
9297 s1->s.k = cstate->off_linktype.reg;
9300 /* Load the Geneve option length and mask and shift to get the
9301 * number of bytes. It is stored in the first byte of the Geneve
9303 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9307 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9311 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9315 /* Add in the rest of the Geneve base header. */
9316 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9320 /* Add the Geneve header length to its offset and store. */
9321 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9325 /* Set the encapsulated type as Ethernet. Even though we may
9326 * not actually have Ethernet inside there are two reasons this
9328 * - The linktype field is always in EtherType format regardless
9329 * of whether it is in Geneve or an inner Ethernet frame.
9330 * - The only link layer that we have specific support for is
9331 * Ethernet. We will confirm that the packet actually is
9332 * Ethernet at runtime before executing these checks. */
9333 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9335 s1 = new_stmt(cstate, BPF_ST);
9336 s1->s.k = cstate->off_linkhdr.reg;
9339 /* Calculate whether we have an Ethernet header or just raw IP/
9340 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9341 * and linktype by 14 bytes so that the network header can be found
9342 * seamlessly. Otherwise, keep what we've calculated already. */
9344 /* We have a bare jmp so we can't use the optimizer. */
9345 cstate->no_optimize = 1;
9347 /* Load the EtherType in the Geneve header, 2 bytes in. */
9348 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9352 /* Load X with the end of the Geneve header. */
9353 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9354 s1->s.k = cstate->off_linkhdr.reg;
9357 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9358 * end of this check, we should have the total length in X. In
9359 * the non-Ethernet case, it's already there. */
9360 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9361 s_proto->s.k = ETHERTYPE_TEB;
9362 sappend(s, s_proto);
9364 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9368 /* Since this is Ethernet, use the EtherType of the payload
9369 * directly as the linktype. Overwrite what we already have. */
9370 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9374 s1 = new_stmt(cstate, BPF_ST);
9375 s1->s.k = cstate->off_linktype.reg;
9378 /* Advance two bytes further to get the end of the Ethernet
9380 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9384 /* Move the result to X. */
9385 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9388 /* Store the final result of our linkpl calculation. */
9389 cstate->off_linkpl.reg = alloc_reg(cstate);
9390 cstate->off_linkpl.is_variable = 1;
9391 cstate->off_linkpl.constant_part = 0;
9393 s1 = new_stmt(cstate, BPF_STX);
9394 s1->s.k = cstate->off_linkpl.reg;
9403 /* Check to see if this is a Geneve packet. */
9405 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9407 struct block *b0, *b1;
9411 * Catch errors reported by us and routines below us, and return NULL
9414 if (setjmp(cstate->top_ctx))
9417 b0 = gen_geneve4(cstate, vni, has_vni);
9418 b1 = gen_geneve6(cstate, vni, has_vni);
9423 /* Later filters should act on the payload of the Geneve frame,
9424 * update all of the header pointers. Attach this code so that
9425 * it gets executed in the event that the Geneve filter matches. */
9426 s = gen_geneve_offsets(cstate);
9428 b1 = gen_true(cstate);
9429 sappend(s, b1->stmts);
9434 cstate->is_geneve = 1;
9439 /* Check that the encapsulated frame has a link layer header
9440 * for Ethernet filters. */
9441 static struct block *
9442 gen_geneve_ll_check(compiler_state_t *cstate)
9445 struct slist *s, *s1;
9447 /* The easiest way to see if there is a link layer present
9448 * is to check if the link layer header and payload are not
9451 /* Geneve always generates pure variable offsets so we can
9452 * compare only the registers. */
9453 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9454 s->s.k = cstate->off_linkhdr.reg;
9456 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9457 s1->s.k = cstate->off_linkpl.reg;
9460 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9468 static struct block *
9469 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9470 bpf_u_int32 jvalue, int jtype, int reverse)
9477 if (!cstate->is_atm)
9478 bpf_error(cstate, "'vpi' supported only on raw ATM");
9479 if (cstate->off_vpi == OFFSET_NOT_SET)
9481 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9482 0xffffffffU, jtype, reverse, jvalue);
9486 if (!cstate->is_atm)
9487 bpf_error(cstate, "'vci' supported only on raw ATM");
9488 if (cstate->off_vci == OFFSET_NOT_SET)
9490 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9491 0xffffffffU, jtype, reverse, jvalue);
9495 if (cstate->off_proto == OFFSET_NOT_SET)
9496 abort(); /* XXX - this isn't on FreeBSD */
9497 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9498 0x0fU, jtype, reverse, jvalue);
9502 if (cstate->off_payload == OFFSET_NOT_SET)
9504 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9505 0xffffffffU, jtype, reverse, jvalue);
9509 if (!cstate->is_atm)
9510 bpf_error(cstate, "'callref' supported only on raw ATM");
9511 if (cstate->off_proto == OFFSET_NOT_SET)
9513 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9514 0xffffffffU, jtype, reverse, jvalue);
9523 static struct block *
9524 gen_atmtype_metac(compiler_state_t *cstate)
9526 struct block *b0, *b1;
9528 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9529 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9534 static struct block *
9535 gen_atmtype_sc(compiler_state_t *cstate)
9537 struct block *b0, *b1;
9539 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9540 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9545 static struct block *
9546 gen_atmtype_llc(compiler_state_t *cstate)
9550 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9551 cstate->linktype = cstate->prevlinktype;
9556 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9557 bpf_u_int32 jvalue, int jtype, int reverse)
9560 * Catch errors reported by us and routines below us, and return NULL
9563 if (setjmp(cstate->top_ctx))
9566 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9571 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9573 struct block *b0, *b1;
9576 * Catch errors reported by us and routines below us, and return NULL
9579 if (setjmp(cstate->top_ctx))
9585 /* Get all packets in Meta signalling Circuit */
9586 if (!cstate->is_atm)
9587 bpf_error(cstate, "'metac' supported only on raw ATM");
9588 b1 = gen_atmtype_metac(cstate);
9592 /* Get all packets in Broadcast Circuit*/
9593 if (!cstate->is_atm)
9594 bpf_error(cstate, "'bcc' supported only on raw ATM");
9595 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9596 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9601 /* Get all cells in Segment OAM F4 circuit*/
9602 if (!cstate->is_atm)
9603 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
9604 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9605 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9610 /* Get all cells in End-to-End OAM F4 Circuit*/
9611 if (!cstate->is_atm)
9612 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
9613 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9614 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9619 /* Get all packets in connection Signalling Circuit */
9620 if (!cstate->is_atm)
9621 bpf_error(cstate, "'sc' supported only on raw ATM");
9622 b1 = gen_atmtype_sc(cstate);
9626 /* Get all packets in ILMI Circuit */
9627 if (!cstate->is_atm)
9628 bpf_error(cstate, "'ilmic' supported only on raw ATM");
9629 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9630 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9635 /* Get all LANE packets */
9636 if (!cstate->is_atm)
9637 bpf_error(cstate, "'lane' supported only on raw ATM");
9638 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
9641 * Arrange that all subsequent tests assume LANE
9642 * rather than LLC-encapsulated packets, and set
9643 * the offsets appropriately for LANE-encapsulated
9646 * We assume LANE means Ethernet, not Token Ring.
9648 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9649 cstate->off_payload + 2, /* Ethernet header */
9651 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
9652 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
9653 cstate->off_nl = 0; /* Ethernet II */
9654 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
9658 /* Get all LLC-encapsulated packets */
9659 if (!cstate->is_atm)
9660 bpf_error(cstate, "'llc' supported only on raw ATM");
9661 b1 = gen_atmtype_llc(cstate);
9671 * Filtering for MTP2 messages based on li value
9672 * FISU, length is null
9673 * LSSU, length is 1 or 2
9674 * MSU, length is 3 or more
9675 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
9678 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
9680 struct block *b0, *b1;
9683 * Catch errors reported by us and routines below us, and return NULL
9686 if (setjmp(cstate->top_ctx))
9692 if ( (cstate->linktype != DLT_MTP2) &&
9693 (cstate->linktype != DLT_ERF) &&
9694 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9695 bpf_error(cstate, "'fisu' supported only on MTP2");
9696 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9697 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9698 0x3fU, BPF_JEQ, 0, 0U);
9702 if ( (cstate->linktype != DLT_MTP2) &&
9703 (cstate->linktype != DLT_ERF) &&
9704 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9705 bpf_error(cstate, "'lssu' supported only on MTP2");
9706 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9707 0x3fU, BPF_JGT, 1, 2U);
9708 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9709 0x3fU, BPF_JGT, 0, 0U);
9714 if ( (cstate->linktype != DLT_MTP2) &&
9715 (cstate->linktype != DLT_ERF) &&
9716 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9717 bpf_error(cstate, "'msu' supported only on MTP2");
9718 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9719 0x3fU, BPF_JGT, 0, 2U);
9723 if ( (cstate->linktype != DLT_MTP2) &&
9724 (cstate->linktype != DLT_ERF) &&
9725 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9726 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
9727 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9728 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9729 0xff80U, BPF_JEQ, 0, 0U);
9733 if ( (cstate->linktype != DLT_MTP2) &&
9734 (cstate->linktype != DLT_ERF) &&
9735 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9736 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
9737 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9738 0xff80U, BPF_JGT, 1, 0x0100U);
9739 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9740 0xff80U, BPF_JGT, 0, 0U);
9745 if ( (cstate->linktype != DLT_MTP2) &&
9746 (cstate->linktype != DLT_ERF) &&
9747 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9748 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
9749 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9750 0xff80U, BPF_JGT, 0, 0x0100U);
9760 * The jvalue_arg dance is to avoid annoying whining by compilers that
9761 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9762 * It's not *used* after setjmp returns.
9765 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
9766 bpf_u_int32 jvalue_arg, int jtype, int reverse)
9768 volatile bpf_u_int32 jvalue = jvalue_arg;
9770 bpf_u_int32 val1 , val2 , val3;
9777 * Catch errors reported by us and routines below us, and return NULL
9780 if (setjmp(cstate->top_ctx))
9783 newoff_sio = cstate->off_sio;
9784 newoff_opc = cstate->off_opc;
9785 newoff_dpc = cstate->off_dpc;
9786 newoff_sls = cstate->off_sls;
9787 switch (mtp3field) {
9790 newoff_sio += 3; /* offset for MTP2_HSL */
9794 if (cstate->off_sio == OFFSET_NOT_SET)
9795 bpf_error(cstate, "'sio' supported only on SS7");
9796 /* sio coded on 1 byte so max value 255 */
9798 bpf_error(cstate, "sio value %u too big; max value = 255",
9800 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU,
9801 jtype, reverse, jvalue);
9809 if (cstate->off_opc == OFFSET_NOT_SET)
9810 bpf_error(cstate, "'opc' supported only on SS7");
9811 /* opc coded on 14 bits so max value 16383 */
9813 bpf_error(cstate, "opc value %u too big; max value = 16383",
9815 /* the following instructions are made to convert jvalue
9816 * to the form used to write opc in an ss7 message*/
9817 val1 = jvalue & 0x00003c00;
9819 val2 = jvalue & 0x000003fc;
9821 val3 = jvalue & 0x00000003;
9823 jvalue = val1 + val2 + val3;
9824 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU,
9825 jtype, reverse, jvalue);
9833 if (cstate->off_dpc == OFFSET_NOT_SET)
9834 bpf_error(cstate, "'dpc' supported only on SS7");
9835 /* dpc coded on 14 bits so max value 16383 */
9837 bpf_error(cstate, "dpc value %u too big; max value = 16383",
9839 /* the following instructions are made to convert jvalue
9840 * to the forme used to write dpc in an ss7 message*/
9841 val1 = jvalue & 0x000000ff;
9843 val2 = jvalue & 0x00003f00;
9845 jvalue = val1 + val2;
9846 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U,
9847 jtype, reverse, jvalue);
9855 if (cstate->off_sls == OFFSET_NOT_SET)
9856 bpf_error(cstate, "'sls' supported only on SS7");
9857 /* sls coded on 4 bits so max value 15 */
9859 bpf_error(cstate, "sls value %u too big; max value = 15",
9861 /* the following instruction is made to convert jvalue
9862 * to the forme used to write sls in an ss7 message*/
9863 jvalue = jvalue << 4;
9864 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U,
9865 jtype, reverse, jvalue);
9874 static struct block *
9875 gen_msg_abbrev(compiler_state_t *cstate, int type)
9880 * Q.2931 signalling protocol messages for handling virtual circuits
9881 * establishment and teardown
9886 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9890 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9894 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9898 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9902 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9905 case A_RELEASE_DONE:
9906 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9916 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9918 struct block *b0, *b1;
9921 * Catch errors reported by us and routines below us, and return NULL
9924 if (setjmp(cstate->top_ctx))
9930 if (!cstate->is_atm)
9931 bpf_error(cstate, "'oam' supported only on raw ATM");
9933 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9934 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9936 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9941 if (!cstate->is_atm)
9942 bpf_error(cstate, "'oamf4' supported only on raw ATM");
9944 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9945 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9947 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9953 * Get Q.2931 signalling messages for switched
9954 * virtual connection
9956 if (!cstate->is_atm)
9957 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
9958 b0 = gen_msg_abbrev(cstate, A_SETUP);
9959 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9961 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9963 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
9965 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9967 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9969 b0 = gen_atmtype_sc(cstate);
9974 if (!cstate->is_atm)
9975 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
9976 b0 = gen_msg_abbrev(cstate, A_SETUP);
9977 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9979 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9981 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9983 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9985 b0 = gen_atmtype_metac(cstate);
projects / FreeBSD / FreeBSD.git / blob