1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221 2005/03/27 22:10:23 guy Exp $ (LBL)";
34 #include <pcap-stdinc.h>
36 #include <sys/types.h>
37 #include <sys/socket.h>
41 * XXX - why was this included even on UNIX?
50 #include <sys/param.h>
53 #include <netinet/in.h>
69 #include "ethertype.h"
74 #include "sunatmpos.h"
80 #define offsetof(s, e) ((size_t)&((s *)0)->e)
84 #include <netdb.h> /* for "struct addrinfo" */
87 #include <pcap-namedb.h>
93 #define IPPROTO_SCTP 132
96 #ifdef HAVE_OS_PROTO_H
100 #define JMP(c) ((c)|BPF_JMP|BPF_K)
103 static jmp_buf top_ctx;
104 static pcap_t *bpf_pcap;
106 /* Hack for updating VLAN, MPLS offsets. */
107 static u_int orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
111 static int pcap_fddipad;
116 bpf_error(const char *fmt, ...)
122 if (bpf_pcap != NULL)
123 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
130 static void init_linktype(pcap_t *);
132 static int alloc_reg(void);
133 static void free_reg(int);
135 static struct block *root;
138 * We divy out chunks of memory rather than call malloc each time so
139 * we don't have to worry about leaking memory. It's probably
140 * not a big deal if all this memory was wasted but if this ever
141 * goes into a library that would probably not be a good idea.
143 * XXX - this *is* in a library....
146 #define CHUNK0SIZE 1024
152 static struct chunk chunks[NCHUNKS];
153 static int cur_chunk;
155 static void *newchunk(u_int);
156 static void freechunks(void);
157 static inline struct block *new_block(int);
158 static inline struct slist *new_stmt(int);
159 static struct block *gen_retblk(int);
160 static inline void syntax(void);
162 static void backpatch(struct block *, struct block *);
163 static void merge(struct block *, struct block *);
164 static struct block *gen_cmp(u_int, u_int, bpf_int32);
165 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
166 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
167 static struct block *gen_bcmp(u_int, u_int, const u_char *);
168 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
169 bpf_u_int32, bpf_u_int32, int);
170 static struct block *gen_uncond(int);
171 static inline struct block *gen_true(void);
172 static inline struct block *gen_false(void);
173 static struct block *gen_ether_linktype(int);
174 static struct block *gen_linux_sll_linktype(int);
175 static struct block *gen_linktype(int);
176 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
177 static struct block *gen_llc(int);
178 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
180 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
182 static struct block *gen_ahostop(const u_char *, int);
183 static struct block *gen_ehostop(const u_char *, int);
184 static struct block *gen_fhostop(const u_char *, int);
185 static struct block *gen_thostop(const u_char *, int);
186 static struct block *gen_wlanhostop(const u_char *, int);
187 static struct block *gen_ipfchostop(const u_char *, int);
188 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
189 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
191 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
194 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
196 static struct block *gen_ipfrag(void);
197 static struct block *gen_portatom(int, bpf_int32);
199 static struct block *gen_portatom6(int, bpf_int32);
201 struct block *gen_portop(int, int, int);
202 static struct block *gen_port(int, int, int);
204 struct block *gen_portop6(int, int, int);
205 static struct block *gen_port6(int, int, int);
207 static int lookup_proto(const char *, int);
208 static struct block *gen_protochain(int, int, int);
209 static struct block *gen_proto(int, int, int);
210 static struct slist *xfer_to_x(struct arth *);
211 static struct slist *xfer_to_a(struct arth *);
212 static struct block *gen_mac_multicast(int);
213 static struct block *gen_len(int, int);
215 static struct block *gen_msg_abbrev(int type);
226 /* XXX Round up to nearest long. */
227 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
229 /* XXX Round up to structure boundary. */
233 cp = &chunks[cur_chunk];
234 if (n > cp->n_left) {
235 ++cp, k = ++cur_chunk;
237 bpf_error("out of memory");
238 size = CHUNK0SIZE << k;
239 cp->m = (void *)malloc(size);
241 bpf_error("out of memory");
242 memset((char *)cp->m, 0, size);
245 bpf_error("out of memory");
248 return (void *)((char *)cp->m + cp->n_left);
257 for (i = 0; i < NCHUNKS; ++i)
258 if (chunks[i].m != NULL) {
265 * A strdup whose allocations are freed after code generation is over.
269 register const char *s;
271 int n = strlen(s) + 1;
272 char *cp = newchunk(n);
278 static inline struct block *
284 p = (struct block *)newchunk(sizeof(*p));
291 static inline struct slist *
297 p = (struct slist *)newchunk(sizeof(*p));
303 static struct block *
307 struct block *b = new_block(BPF_RET|BPF_K);
316 bpf_error("syntax error in filter expression");
319 static bpf_u_int32 netmask;
324 pcap_compile(pcap_t *p, struct bpf_program *program,
325 char *buf, int optimize, bpf_u_int32 mask)
334 if (setjmp(top_ctx)) {
342 snaplen = pcap_snapshot(p);
344 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
345 "snaplen of 0 rejects all packets");
349 lex_init(buf ? buf : "");
357 root = gen_retblk(snaplen);
359 if (optimize && !no_optimize) {
362 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
363 bpf_error("expression rejects all packets");
365 program->bf_insns = icode_to_fcode(root, &len);
366 program->bf_len = len;
374 * entry point for using the compiler with no pcap open
375 * pass in all the stuff that is needed explicitly instead.
378 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
379 struct bpf_program *program,
380 char *buf, int optimize, bpf_u_int32 mask)
385 p = pcap_open_dead(linktype_arg, snaplen_arg);
388 ret = pcap_compile(p, program, buf, optimize, mask);
394 * Clean up a "struct bpf_program" by freeing all the memory allocated
398 pcap_freecode(struct bpf_program *program)
401 if (program->bf_insns != NULL) {
402 free((char *)program->bf_insns);
403 program->bf_insns = NULL;
408 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
409 * which of the jt and jf fields has been resolved and which is a pointer
410 * back to another unresolved block (or nil). At least one of the fields
411 * in each block is already resolved.
414 backpatch(list, target)
415 struct block *list, *target;
432 * Merge the lists in b0 and b1, using the 'sense' field to indicate
433 * which of jt and jf is the link.
437 struct block *b0, *b1;
439 register struct block **p = &b0;
441 /* Find end of list. */
443 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
445 /* Concatenate the lists. */
453 backpatch(p, gen_retblk(snaplen));
454 p->sense = !p->sense;
455 backpatch(p, gen_retblk(0));
461 struct block *b0, *b1;
463 backpatch(b0, b1->head);
464 b0->sense = !b0->sense;
465 b1->sense = !b1->sense;
467 b1->sense = !b1->sense;
473 struct block *b0, *b1;
475 b0->sense = !b0->sense;
476 backpatch(b0, b1->head);
477 b0->sense = !b0->sense;
486 b->sense = !b->sense;
489 static struct block *
490 gen_cmp(offset, size, v)
497 s = new_stmt(BPF_LD|BPF_ABS|size);
500 b = new_block(JMP(BPF_JEQ));
507 static struct block *
508 gen_cmp_gt(offset, size, v)
515 s = new_stmt(BPF_LD|BPF_ABS|size);
518 b = new_block(JMP(BPF_JGT));
525 static struct block *
526 gen_mcmp(offset, size, v, mask)
531 struct block *b = gen_cmp(offset, size, v);
534 if (mask != 0xffffffff) {
535 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
542 static struct block *
543 gen_bcmp(offset, size, v)
544 register u_int offset, size;
545 register const u_char *v;
547 register struct block *b, *tmp;
551 register const u_char *p = &v[size - 4];
552 bpf_int32 w = ((bpf_int32)p[0] << 24) |
553 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
555 tmp = gen_cmp(offset + size - 4, BPF_W, w);
562 register const u_char *p = &v[size - 2];
563 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
565 tmp = gen_cmp(offset + size - 2, BPF_H, w);
572 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
580 static struct block *
581 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
582 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
588 s = new_stmt(BPF_LD|datasize|BPF_ABS);
591 if (mask != 0xffffffff) {
592 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
596 b = new_block(JMP(jtype));
599 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
605 * Various code constructs need to know the layout of the data link
606 * layer. These variables give the necessary offsets.
610 * This is the offset of the beginning of the MAC-layer header.
611 * It's usually 0, except for ATM LANE.
613 static u_int off_mac;
616 * "off_linktype" is the offset to information in the link-layer header
617 * giving the packet type.
619 * For Ethernet, it's the offset of the Ethernet type field.
621 * For link-layer types that always use 802.2 headers, it's the
622 * offset of the LLC header.
624 * For PPP, it's the offset of the PPP type field.
626 * For Cisco HDLC, it's the offset of the CHDLC type field.
628 * For BSD loopback, it's the offset of the AF_ value.
630 * For Linux cooked sockets, it's the offset of the type field.
632 * It's set to -1 for no encapsulation, in which case, IP is assumed.
634 static u_int off_linktype;
637 * TRUE if the link layer includes an ATM pseudo-header.
639 static int is_atm = 0;
642 * TRUE if "lane" appeared in the filter; it causes us to generate
643 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
645 static int is_lane = 0;
648 * These are offsets for the ATM pseudo-header.
650 static u_int off_vpi;
651 static u_int off_vci;
652 static u_int off_proto;
655 * This is the offset of the first byte after the ATM pseudo_header,
656 * or -1 if there is no ATM pseudo-header.
658 static u_int off_payload;
661 * These are offsets to the beginning of the network-layer header.
663 * If the link layer never uses 802.2 LLC:
665 * "off_nl" and "off_nl_nosnap" are the same.
667 * If the link layer always uses 802.2 LLC:
669 * "off_nl" is the offset if there's a SNAP header following
672 * "off_nl_nosnap" is the offset if there's no SNAP header.
674 * If the link layer is Ethernet:
676 * "off_nl" is the offset if the packet is an Ethernet II packet
677 * (we assume no 802.3+802.2+SNAP);
679 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
680 * with an 802.2 header following it.
683 static u_int off_nl_nosnap;
691 linktype = pcap_datalink(p);
693 pcap_fddipad = p->fddipad;
697 * Assume it's not raw ATM with a pseudo-header, for now.
715 off_nl = 6; /* XXX in reality, variable! */
716 off_nl_nosnap = 6; /* no 802.2 LLC */
719 case DLT_ARCNET_LINUX:
721 off_nl = 8; /* XXX in reality, variable! */
722 off_nl_nosnap = 8; /* no 802.2 LLC */
727 off_nl = 14; /* Ethernet II */
728 off_nl_nosnap = 17; /* 802.3+802.2 */
733 * SLIP doesn't have a link level type. The 16 byte
734 * header is hacked into our SLIP driver.
738 off_nl_nosnap = 16; /* no 802.2 LLC */
742 /* XXX this may be the same as the DLT_PPP_BSDOS case */
746 off_nl_nosnap = 24; /* no 802.2 LLC */
753 off_nl_nosnap = 4; /* no 802.2 LLC */
759 off_nl_nosnap = 12; /* no 802.2 LLC */
764 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
765 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
768 off_nl_nosnap = 4; /* no 802.2 LLC */
773 * This does no include the Ethernet header, and
774 * only covers session state.
778 off_nl_nosnap = 8; /* no 802.2 LLC */
784 off_nl_nosnap = 24; /* no 802.2 LLC */
789 * FDDI doesn't really have a link-level type field.
790 * We set "off_linktype" to the offset of the LLC header.
792 * To check for Ethernet types, we assume that SSAP = SNAP
793 * is being used and pick out the encapsulated Ethernet type.
794 * XXX - should we generate code to check for SNAP?
798 off_linktype += pcap_fddipad;
800 off_nl = 21; /* FDDI+802.2+SNAP */
801 off_nl_nosnap = 16; /* FDDI+802.2 */
803 off_nl += pcap_fddipad;
804 off_nl_nosnap += pcap_fddipad;
810 * Token Ring doesn't really have a link-level type field.
811 * We set "off_linktype" to the offset of the LLC header.
813 * To check for Ethernet types, we assume that SSAP = SNAP
814 * is being used and pick out the encapsulated Ethernet type.
815 * XXX - should we generate code to check for SNAP?
817 * XXX - the header is actually variable-length.
818 * Some various Linux patched versions gave 38
819 * as "off_linktype" and 40 as "off_nl"; however,
820 * if a token ring packet has *no* routing
821 * information, i.e. is not source-routed, the correct
822 * values are 20 and 22, as they are in the vanilla code.
824 * A packet is source-routed iff the uppermost bit
825 * of the first byte of the source address, at an
826 * offset of 8, has the uppermost bit set. If the
827 * packet is source-routed, the total number of bytes
828 * of routing information is 2 plus bits 0x1F00 of
829 * the 16-bit value at an offset of 14 (shifted right
830 * 8 - figure out which byte that is).
833 off_nl = 22; /* Token Ring+802.2+SNAP */
834 off_nl_nosnap = 17; /* Token Ring+802.2 */
839 * 802.11 doesn't really have a link-level type field.
840 * We set "off_linktype" to the offset of the LLC header.
842 * To check for Ethernet types, we assume that SSAP = SNAP
843 * is being used and pick out the encapsulated Ethernet type.
844 * XXX - should we generate code to check for SNAP?
846 * XXX - the header is actually variable-length. We
847 * assume a 24-byte link-layer header, as appears in
848 * data frames in networks with no bridges. If the
849 * fromds and tods 802.11 header bits are both set,
850 * it's actually supposed to be 30 bytes.
853 off_nl = 32; /* 802.11+802.2+SNAP */
854 off_nl_nosnap = 27; /* 802.11+802.2 */
857 case DLT_PRISM_HEADER:
859 * Same as 802.11, but with an additional header before
860 * the 802.11 header, containing a bunch of additional
861 * information including radio-level information.
863 * The header is 144 bytes long.
865 * XXX - same variable-length header problem; at least
866 * the Prism header is fixed-length.
868 off_linktype = 144+24;
869 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
870 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
873 case DLT_IEEE802_11_RADIO_AVS:
875 * Same as 802.11, but with an additional header before
876 * the 802.11 header, containing a bunch of additional
877 * information including radio-level information.
879 * The header is 64 bytes long, at least in its
880 * current incarnation.
882 * XXX - same variable-length header problem, only
883 * more so; this header is also variable-length,
884 * with the length being the 32-bit big-endian
885 * number at an offset of 4 from the beginning
886 * of the radio header.
888 off_linktype = 64+24;
889 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
890 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
893 case DLT_IEEE802_11_RADIO:
895 * Same as 802.11, but with an additional header before
896 * the 802.11 header, containing a bunch of additional
897 * information including radio-level information.
899 * XXX - same variable-length header problem, only
900 * even *more* so; this header is also variable-length,
901 * with the length being the 16-bit number at an offset
902 * of 2 from the beginning of the radio header, and it's
903 * device-dependent (different devices might supply
904 * different amounts of information), so we can't even
905 * assume a fixed length for the current version of the
908 * Therefore, currently, only raw "link[N:M]" filtering is
916 case DLT_ATM_RFC1483:
917 case DLT_ATM_CLIP: /* Linux ATM defines this */
919 * assume routed, non-ISO PDUs
920 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
923 off_nl = 8; /* 802.2+SNAP */
924 off_nl_nosnap = 3; /* 802.2 */
929 * Full Frontal ATM; you get AALn PDUs with an ATM
933 off_vpi = SUNATM_VPI_POS;
934 off_vci = SUNATM_VCI_POS;
935 off_proto = PROTO_POS;
936 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
937 off_payload = SUNATM_PKT_BEGIN_POS;
938 off_linktype = off_payload;
939 off_nl = off_payload+8; /* 802.2+SNAP */
940 off_nl_nosnap = off_payload+3; /* 802.2 */
946 off_nl_nosnap = 0; /* no 802.2 LLC */
949 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
952 off_nl_nosnap = 16; /* no 802.2 LLC */
957 * LocalTalk does have a 1-byte type field in the LLAP header,
958 * but really it just indicates whether there is a "short" or
959 * "long" DDP packet following.
963 off_nl_nosnap = 0; /* no 802.2 LLC */
968 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
969 * link-level type field. We set "off_linktype" to the
970 * offset of the LLC header.
972 * To check for Ethernet types, we assume that SSAP = SNAP
973 * is being used and pick out the encapsulated Ethernet type.
974 * XXX - should we generate code to check for SNAP? RFC
975 * 2625 says SNAP should be used.
978 off_nl = 24; /* IPFC+802.2+SNAP */
979 off_nl_nosnap = 19; /* IPFC+802.2 */
984 * XXX - we should set this to handle SNAP-encapsulated
985 * frames (NLPID of 0x80).
989 off_nl_nosnap = 0; /* no 802.2 LLC */
992 case DLT_APPLE_IP_OVER_IEEE1394:
995 off_nl_nosnap = 0; /* no 802.2 LLC */
1000 * Currently, only raw "link[N:M]" filtering is supported.
1009 * Currently, only raw "link[N:M]" filtering is supported.
1016 case DLT_SYMANTEC_FIREWALL:
1018 off_nl = 44; /* Ethernet II */
1019 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1024 /* XXX read from header? */
1025 off_nl = PFLOG_HDRLEN;
1026 off_nl_nosnap = PFLOG_HDRLEN;
1029 case DLT_JUNIPER_MLFR:
1030 case DLT_JUNIPER_MLPPP:
1036 case DLT_JUNIPER_ATM1:
1037 off_linktype = 4; /* in reality variable between 4-8 */
1042 case DLT_JUNIPER_ATM2:
1043 off_linktype = 8; /* in reality variable between 8-12 */
1056 bpf_error("unknown data link type %d", linktype);
1060 static struct block *
1067 s = new_stmt(BPF_LD|BPF_IMM);
1069 b = new_block(JMP(BPF_JEQ));
1075 static inline struct block *
1078 return gen_uncond(1);
1081 static inline struct block *
1084 return gen_uncond(0);
1088 * Byte-swap a 32-bit number.
1089 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1090 * big-endian platforms.)
1092 #define SWAPLONG(y) \
1093 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1095 static struct block *
1096 gen_ether_linktype(proto)
1099 struct block *b0, *b1;
1105 * OSI protocols always use 802.2 encapsulation.
1106 * XXX - should we check both the DSAP and the
1107 * SSAP, like this, or should we check just the
1110 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1112 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1113 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1118 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1120 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1121 ((LLCSAP_IP << 8) | LLCSAP_IP));
1125 case LLCSAP_NETBEUI:
1127 * NetBEUI always uses 802.2 encapsulation.
1128 * XXX - should we check both the DSAP and the
1129 * SSAP, like this, or should we check just the
1132 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1134 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1135 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1143 * Ethernet_II frames, which are Ethernet
1144 * frames with a frame type of ETHERTYPE_IPX;
1146 * Ethernet_802.3 frames, which are 802.3
1147 * frames (i.e., the type/length field is
1148 * a length field, <= ETHERMTU, rather than
1149 * a type field) with the first two bytes
1150 * after the Ethernet/802.3 header being
1153 * Ethernet_802.2 frames, which are 802.3
1154 * frames with an 802.2 LLC header and
1155 * with the IPX LSAP as the DSAP in the LLC
1158 * Ethernet_SNAP frames, which are 802.3
1159 * frames with an LLC header and a SNAP
1160 * header and with an OUI of 0x000000
1161 * (encapsulated Ethernet) and a protocol
1162 * ID of ETHERTYPE_IPX in the SNAP header.
1164 * XXX - should we generate the same code both
1165 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1169 * This generates code to check both for the
1170 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1172 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1173 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1177 * Now we add code to check for SNAP frames with
1178 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1180 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1184 * Now we generate code to check for 802.3
1185 * frames in general.
1187 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1191 * Now add the check for 802.3 frames before the
1192 * check for Ethernet_802.2 and Ethernet_802.3,
1193 * as those checks should only be done on 802.3
1194 * frames, not on Ethernet frames.
1199 * Now add the check for Ethernet_II frames, and
1200 * do that before checking for the other frame
1203 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1207 case ETHERTYPE_ATALK:
1208 case ETHERTYPE_AARP:
1210 * EtherTalk (AppleTalk protocols on Ethernet link
1211 * layer) may use 802.2 encapsulation.
1215 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1216 * we check for an Ethernet type field less than
1217 * 1500, which means it's an 802.3 length field.
1219 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1223 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1224 * SNAP packets with an organization code of
1225 * 0x080007 (Apple, for Appletalk) and a protocol
1226 * type of ETHERTYPE_ATALK (Appletalk).
1228 * 802.2-encapsulated ETHERTYPE_AARP packets are
1229 * SNAP packets with an organization code of
1230 * 0x000000 (encapsulated Ethernet) and a protocol
1231 * type of ETHERTYPE_AARP (Appletalk ARP).
1233 if (proto == ETHERTYPE_ATALK)
1234 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1235 else /* proto == ETHERTYPE_AARP */
1236 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1240 * Check for Ethernet encapsulation (Ethertalk
1241 * phase 1?); we just check for the Ethernet
1244 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1250 if (proto <= ETHERMTU) {
1252 * This is an LLC SAP value, so the frames
1253 * that match would be 802.2 frames.
1254 * Check that the frame is an 802.2 frame
1255 * (i.e., that the length/type field is
1256 * a length field, <= ETHERMTU) and
1257 * then check the DSAP.
1259 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1261 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1266 * This is an Ethernet type, so compare
1267 * the length/type field with it (if
1268 * the frame is an 802.2 frame, the length
1269 * field will be <= ETHERMTU, and, as
1270 * "proto" is > ETHERMTU, this test
1271 * will fail and the frame won't match,
1272 * which is what we want).
1274 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1279 static struct block *
1280 gen_linux_sll_linktype(proto)
1283 struct block *b0, *b1;
1288 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1289 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1290 ((LLCSAP_IP << 8) | LLCSAP_IP));
1296 * OSI protocols always use 802.2 encapsulation.
1297 * XXX - should we check both the DSAP and the
1298 * SSAP, like this, or should we check just the
1301 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1302 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1303 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1307 case LLCSAP_NETBEUI:
1309 * NetBEUI always uses 802.2 encapsulation.
1310 * XXX - should we check both the DSAP and the
1311 * LSAP, like this, or should we check just the
1314 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1315 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1316 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1322 * Ethernet_II frames, which are Ethernet
1323 * frames with a frame type of ETHERTYPE_IPX;
1325 * Ethernet_802.3 frames, which have a frame
1326 * type of LINUX_SLL_P_802_3;
1328 * Ethernet_802.2 frames, which are 802.3
1329 * frames with an 802.2 LLC header (i.e, have
1330 * a frame type of LINUX_SLL_P_802_2) and
1331 * with the IPX LSAP as the DSAP in the LLC
1334 * Ethernet_SNAP frames, which are 802.3
1335 * frames with an LLC header and a SNAP
1336 * header and with an OUI of 0x000000
1337 * (encapsulated Ethernet) and a protocol
1338 * ID of ETHERTYPE_IPX in the SNAP header.
1340 * First, do the checks on LINUX_SLL_P_802_2
1341 * frames; generate the check for either
1342 * Ethernet_802.2 or Ethernet_SNAP frames, and
1343 * then put a check for LINUX_SLL_P_802_2 frames
1346 b0 = gen_cmp(off_linktype + 2, BPF_B,
1347 (bpf_int32)LLCSAP_IPX);
1348 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1351 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1355 * Now check for 802.3 frames and OR that with
1356 * the previous test.
1358 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1362 * Now add the check for Ethernet_II frames, and
1363 * do that before checking for the other frame
1366 b0 = gen_cmp(off_linktype, BPF_H,
1367 (bpf_int32)ETHERTYPE_IPX);
1371 case ETHERTYPE_ATALK:
1372 case ETHERTYPE_AARP:
1374 * EtherTalk (AppleTalk protocols on Ethernet link
1375 * layer) may use 802.2 encapsulation.
1379 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1380 * we check for the 802.2 protocol type in the
1381 * "Ethernet type" field.
1383 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1386 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1387 * SNAP packets with an organization code of
1388 * 0x080007 (Apple, for Appletalk) and a protocol
1389 * type of ETHERTYPE_ATALK (Appletalk).
1391 * 802.2-encapsulated ETHERTYPE_AARP packets are
1392 * SNAP packets with an organization code of
1393 * 0x000000 (encapsulated Ethernet) and a protocol
1394 * type of ETHERTYPE_AARP (Appletalk ARP).
1396 if (proto == ETHERTYPE_ATALK)
1397 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1399 else /* proto == ETHERTYPE_AARP */
1400 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1405 * Check for Ethernet encapsulation (Ethertalk
1406 * phase 1?); we just check for the Ethernet
1409 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1415 if (proto <= ETHERMTU) {
1417 * This is an LLC SAP value, so the frames
1418 * that match would be 802.2 frames.
1419 * Check for the 802.2 protocol type
1420 * in the "Ethernet type" field, and
1421 * then check the DSAP.
1423 b0 = gen_cmp(off_linktype, BPF_H,
1425 b1 = gen_cmp(off_linktype + 2, BPF_B,
1431 * This is an Ethernet type, so compare
1432 * the length/type field with it (if
1433 * the frame is an 802.2 frame, the length
1434 * field will be <= ETHERMTU, and, as
1435 * "proto" is > ETHERMTU, this test
1436 * will fail and the frame won't match,
1437 * which is what we want).
1439 return gen_cmp(off_linktype, BPF_H,
1445 static struct block *
1449 struct block *b0, *b1, *b2;
1454 return gen_ether_linktype(proto);
1462 proto = (proto << 8 | LLCSAP_ISONS);
1466 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1472 case DLT_IEEE802_11:
1473 case DLT_PRISM_HEADER:
1474 case DLT_IEEE802_11_RADIO:
1477 case DLT_ATM_RFC1483:
1479 case DLT_IP_OVER_FC:
1480 return gen_llc(proto);
1486 * If "is_lane" is set, check for a LANE-encapsulated
1487 * version of this protocol, otherwise check for an
1488 * LLC-encapsulated version of this protocol.
1490 * We assume LANE means Ethernet, not Token Ring.
1494 * Check that the packet doesn't begin with an
1495 * LE Control marker. (We've already generated
1498 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1502 * Now generate an Ethernet test.
1504 b1 = gen_ether_linktype(proto);
1509 * Check for LLC encapsulation and then check the
1512 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1513 b1 = gen_llc(proto);
1519 return gen_linux_sll_linktype(proto);
1524 case DLT_SLIP_BSDOS:
1527 * These types don't provide any type field; packets
1530 * XXX - for IPv4, check for a version number of 4, and,
1531 * for IPv6, check for a version number of 6?
1537 case ETHERTYPE_IPV6:
1539 return gen_true(); /* always true */
1542 return gen_false(); /* always false */
1549 case DLT_PPP_SERIAL:
1552 * We use Ethernet protocol types inside libpcap;
1553 * map them to the corresponding PPP protocol types.
1562 case ETHERTYPE_IPV6:
1571 case ETHERTYPE_ATALK:
1585 * I'm assuming the "Bridging PDU"s that go
1586 * over PPP are Spanning Tree Protocol
1600 * We use Ethernet protocol types inside libpcap;
1601 * map them to the corresponding PPP protocol types.
1606 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1607 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1609 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1614 case ETHERTYPE_IPV6:
1624 case ETHERTYPE_ATALK:
1638 * I'm assuming the "Bridging PDU"s that go
1639 * over PPP are Spanning Tree Protocol
1655 * For DLT_NULL, the link-layer header is a 32-bit
1656 * word containing an AF_ value in *host* byte order,
1657 * and for DLT_ENC, the link-layer header begins
1658 * with a 32-bit work containing an AF_ value in
1661 * In addition, if we're reading a saved capture file,
1662 * the host byte order in the capture may not be the
1663 * same as the host byte order on this machine.
1665 * For DLT_LOOP, the link-layer header is a 32-bit
1666 * word containing an AF_ value in *network* byte order.
1668 * XXX - AF_ values may, unfortunately, be platform-
1669 * dependent; for example, FreeBSD's AF_INET6 is 24
1670 * whilst NetBSD's and OpenBSD's is 26.
1672 * This means that, when reading a capture file, just
1673 * checking for our AF_INET6 value won't work if the
1674 * capture file came from another OS.
1683 case ETHERTYPE_IPV6:
1690 * Not a type on which we support filtering.
1691 * XXX - support those that have AF_ values
1692 * #defined on this platform, at least?
1697 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1699 * The AF_ value is in host byte order, but
1700 * the BPF interpreter will convert it to
1701 * network byte order.
1703 * If this is a save file, and it's from a
1704 * machine with the opposite byte order to
1705 * ours, we byte-swap the AF_ value.
1707 * Then we run it through "htonl()", and
1708 * generate code to compare against the result.
1710 if (bpf_pcap->sf.rfile != NULL &&
1711 bpf_pcap->sf.swapped)
1712 proto = SWAPLONG(proto);
1713 proto = htonl(proto);
1715 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1719 * af field is host byte order in contrast to the rest of
1722 if (proto == ETHERTYPE_IP)
1723 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1724 (bpf_int32)AF_INET));
1726 else if (proto == ETHERTYPE_IPV6)
1727 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1728 (bpf_int32)AF_INET6));
1736 case DLT_ARCNET_LINUX:
1738 * XXX should we check for first fragment if the protocol
1747 case ETHERTYPE_IPV6:
1748 return (gen_cmp(off_linktype, BPF_B,
1749 (bpf_int32)ARCTYPE_INET6));
1753 b0 = gen_cmp(off_linktype, BPF_B,
1754 (bpf_int32)ARCTYPE_IP);
1755 b1 = gen_cmp(off_linktype, BPF_B,
1756 (bpf_int32)ARCTYPE_IP_OLD);
1761 b0 = gen_cmp(off_linktype, BPF_B,
1762 (bpf_int32)ARCTYPE_ARP);
1763 b1 = gen_cmp(off_linktype, BPF_B,
1764 (bpf_int32)ARCTYPE_ARP_OLD);
1768 case ETHERTYPE_REVARP:
1769 return (gen_cmp(off_linktype, BPF_B,
1770 (bpf_int32)ARCTYPE_REVARP));
1772 case ETHERTYPE_ATALK:
1773 return (gen_cmp(off_linktype, BPF_B,
1774 (bpf_int32)ARCTYPE_ATALK));
1781 case ETHERTYPE_ATALK:
1791 * XXX - assumes a 2-byte Frame Relay header with
1792 * DLCI and flags. What if the address is longer?
1798 * Check for the special NLPID for IP.
1800 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1803 case ETHERTYPE_IPV6:
1805 * Check for the special NLPID for IPv6.
1807 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1812 * Check for several OSI protocols.
1814 * Frame Relay packets typically have an OSI
1815 * NLPID at the beginning; we check for each
1818 * What we check for is the NLPID and a frame
1819 * control field of UI, i.e. 0x03 followed
1822 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1823 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1824 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1835 case DLT_JUNIPER_MLFR:
1836 case DLT_JUNIPER_MLPPP:
1837 case DLT_JUNIPER_ATM1:
1838 case DLT_JUNIPER_ATM2:
1839 /* just lets verify the magic number for now -
1840 * on ATM we may have up to 6 different encapsulations on the wire
1841 * and need a lot of heuristics to figure out that the payload
1844 * FIXME encapsulation specific BPF_ filters
1846 return gen_mcmp(0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
1848 case DLT_LINUX_IRDA:
1849 bpf_error("IrDA link-layer type filtering not implemented");
1852 bpf_error("DOCSIS link-layer type filtering not implemented");
1856 * All the types that have no encapsulation should either be
1857 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1858 * all packets are IP packets, or should be handled in some
1859 * special case, if none of them are (if some are and some
1860 * aren't, the lack of encapsulation is a problem, as we'd
1861 * have to find some other way of determining the packet type).
1863 * Therefore, if "off_linktype" is -1, there's an error.
1865 if (off_linktype == (u_int)-1)
1869 * Any type not handled above should always have an Ethernet
1870 * type at an offset of "off_linktype". (PPP is partially
1871 * handled above - the protocol type is mapped from the
1872 * Ethernet and LLC types we use internally to the corresponding
1873 * PPP type - but the PPP type is always specified by a value
1874 * at "off_linktype", so we don't have to do the code generation
1877 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1881 * Check for an LLC SNAP packet with a given organization code and
1882 * protocol type; we check the entire contents of the 802.2 LLC and
1883 * snap headers, checking for DSAP and SSAP of SNAP and a control
1884 * field of 0x03 in the LLC header, and for the specified organization
1885 * code and protocol type in the SNAP header.
1887 static struct block *
1888 gen_snap(orgcode, ptype, offset)
1889 bpf_u_int32 orgcode;
1893 u_char snapblock[8];
1895 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1896 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1897 snapblock[2] = 0x03; /* control = UI */
1898 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1899 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1900 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1901 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1902 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1903 return gen_bcmp(offset, 8, snapblock);
1907 * Check for a given protocol value assuming an 802.2 LLC header.
1909 static struct block *
1914 * XXX - handle token-ring variable-length header.
1919 return gen_cmp(off_linktype, BPF_H, (long)
1920 ((LLCSAP_IP << 8) | LLCSAP_IP));
1923 return gen_cmp(off_linktype, BPF_H, (long)
1924 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1926 case LLCSAP_NETBEUI:
1927 return gen_cmp(off_linktype, BPF_H, (long)
1928 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1932 * XXX - are there ever SNAP frames for IPX on
1933 * non-Ethernet 802.x networks?
1935 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1937 case ETHERTYPE_ATALK:
1939 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1940 * SNAP packets with an organization code of
1941 * 0x080007 (Apple, for Appletalk) and a protocol
1942 * type of ETHERTYPE_ATALK (Appletalk).
1944 * XXX - check for an organization code of
1945 * encapsulated Ethernet as well?
1947 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1951 * XXX - we don't have to check for IPX 802.3
1952 * here, but should we check for the IPX Ethertype?
1954 if (proto <= ETHERMTU) {
1956 * This is an LLC SAP value, so check
1959 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1962 * This is an Ethernet type; we assume that it's
1963 * unlikely that it'll appear in the right place
1964 * at random, and therefore check only the
1965 * location that would hold the Ethernet type
1966 * in a SNAP frame with an organization code of
1967 * 0x000000 (encapsulated Ethernet).
1969 * XXX - if we were to check for the SNAP DSAP and
1970 * LSAP, as per XXX, and were also to check for an
1971 * organization code of 0x000000 (encapsulated
1972 * Ethernet), we'd do
1974 * return gen_snap(0x000000, proto,
1977 * here; for now, we don't, as per the above.
1978 * I don't know whether it's worth the extra CPU
1979 * time to do the right check or not.
1981 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1986 static struct block *
1987 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1991 u_int src_off, dst_off;
1993 struct block *b0, *b1;
2007 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2008 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2014 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2015 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2022 b0 = gen_linktype(proto);
2023 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
2029 static struct block *
2030 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2031 struct in6_addr *addr;
2032 struct in6_addr *mask;
2034 u_int src_off, dst_off;
2036 struct block *b0, *b1;
2051 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2052 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2058 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2059 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2066 /* this order is important */
2067 a = (u_int32_t *)addr;
2068 m = (u_int32_t *)mask;
2069 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2070 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2072 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2074 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2076 b0 = gen_linktype(proto);
2082 static struct block *
2083 gen_ehostop(eaddr, dir)
2084 register const u_char *eaddr;
2087 register struct block *b0, *b1;
2091 return gen_bcmp(off_mac + 6, 6, eaddr);
2094 return gen_bcmp(off_mac + 0, 6, eaddr);
2097 b0 = gen_ehostop(eaddr, Q_SRC);
2098 b1 = gen_ehostop(eaddr, Q_DST);
2104 b0 = gen_ehostop(eaddr, Q_SRC);
2105 b1 = gen_ehostop(eaddr, Q_DST);
2114 * Like gen_ehostop, but for DLT_FDDI
2116 static struct block *
2117 gen_fhostop(eaddr, dir)
2118 register const u_char *eaddr;
2121 struct block *b0, *b1;
2126 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2128 return gen_bcmp(6 + 1, 6, eaddr);
2133 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2135 return gen_bcmp(0 + 1, 6, eaddr);
2139 b0 = gen_fhostop(eaddr, Q_SRC);
2140 b1 = gen_fhostop(eaddr, Q_DST);
2146 b0 = gen_fhostop(eaddr, Q_SRC);
2147 b1 = gen_fhostop(eaddr, Q_DST);
2156 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2158 static struct block *
2159 gen_thostop(eaddr, dir)
2160 register const u_char *eaddr;
2163 register struct block *b0, *b1;
2167 return gen_bcmp(8, 6, eaddr);
2170 return gen_bcmp(2, 6, eaddr);
2173 b0 = gen_thostop(eaddr, Q_SRC);
2174 b1 = gen_thostop(eaddr, Q_DST);
2180 b0 = gen_thostop(eaddr, Q_SRC);
2181 b1 = gen_thostop(eaddr, Q_DST);
2190 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2192 static struct block *
2193 gen_wlanhostop(eaddr, dir)
2194 register const u_char *eaddr;
2197 register struct block *b0, *b1, *b2;
2198 register struct slist *s;
2205 * For control frames, there is no SA.
2207 * For management frames, SA is at an
2208 * offset of 10 from the beginning of
2211 * For data frames, SA is at an offset
2212 * of 10 from the beginning of the packet
2213 * if From DS is clear, at an offset of
2214 * 16 from the beginning of the packet
2215 * if From DS is set and To DS is clear,
2216 * and an offset of 24 from the beginning
2217 * of the packet if From DS is set and To DS
2222 * Generate the tests to be done for data frames
2225 * First, check for To DS set, i.e. check "link[1] & 0x01".
2227 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2229 b1 = new_block(JMP(BPF_JSET));
2230 b1->s.k = 0x01; /* To DS */
2234 * If To DS is set, the SA is at 24.
2236 b0 = gen_bcmp(24, 6, eaddr);
2240 * Now, check for To DS not set, i.e. check
2241 * "!(link[1] & 0x01)".
2243 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2245 b2 = new_block(JMP(BPF_JSET));
2246 b2->s.k = 0x01; /* To DS */
2251 * If To DS is not set, the SA is at 16.
2253 b1 = gen_bcmp(16, 6, eaddr);
2257 * Now OR together the last two checks. That gives
2258 * the complete set of checks for data frames with
2264 * Now check for From DS being set, and AND that with
2265 * the ORed-together checks.
2267 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2269 b1 = new_block(JMP(BPF_JSET));
2270 b1->s.k = 0x02; /* From DS */
2275 * Now check for data frames with From DS not set.
2277 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2279 b2 = new_block(JMP(BPF_JSET));
2280 b2->s.k = 0x02; /* From DS */
2285 * If From DS isn't set, the SA is at 10.
2287 b1 = gen_bcmp(10, 6, eaddr);
2291 * Now OR together the checks for data frames with
2292 * From DS not set and for data frames with From DS
2293 * set; that gives the checks done for data frames.
2298 * Now check for a data frame.
2299 * I.e, check "link[0] & 0x08".
2301 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2303 b1 = new_block(JMP(BPF_JSET));
2308 * AND that with the checks done for data frames.
2313 * If the high-order bit of the type value is 0, this
2314 * is a management frame.
2315 * I.e, check "!(link[0] & 0x08)".
2317 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2319 b2 = new_block(JMP(BPF_JSET));
2325 * For management frames, the SA is at 10.
2327 b1 = gen_bcmp(10, 6, eaddr);
2331 * OR that with the checks done for data frames.
2332 * That gives the checks done for management and
2338 * If the low-order bit of the type value is 1,
2339 * this is either a control frame or a frame
2340 * with a reserved type, and thus not a
2343 * I.e., check "!(link[0] & 0x04)".
2345 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2347 b1 = new_block(JMP(BPF_JSET));
2353 * AND that with the checks for data and management
2363 * For control frames, there is no DA.
2365 * For management frames, DA is at an
2366 * offset of 4 from the beginning of
2369 * For data frames, DA is at an offset
2370 * of 4 from the beginning of the packet
2371 * if To DS is clear and at an offset of
2372 * 16 from the beginning of the packet
2377 * Generate the tests to be done for data frames.
2379 * First, check for To DS set, i.e. "link[1] & 0x01".
2381 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2383 b1 = new_block(JMP(BPF_JSET));
2384 b1->s.k = 0x01; /* To DS */
2388 * If To DS is set, the DA is at 16.
2390 b0 = gen_bcmp(16, 6, eaddr);
2394 * Now, check for To DS not set, i.e. check
2395 * "!(link[1] & 0x01)".
2397 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2399 b2 = new_block(JMP(BPF_JSET));
2400 b2->s.k = 0x01; /* To DS */
2405 * If To DS is not set, the DA is at 4.
2407 b1 = gen_bcmp(4, 6, eaddr);
2411 * Now OR together the last two checks. That gives
2412 * the complete set of checks for data frames.
2417 * Now check for a data frame.
2418 * I.e, check "link[0] & 0x08".
2420 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2422 b1 = new_block(JMP(BPF_JSET));
2427 * AND that with the checks done for data frames.
2432 * If the high-order bit of the type value is 0, this
2433 * is a management frame.
2434 * I.e, check "!(link[0] & 0x08)".
2436 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2438 b2 = new_block(JMP(BPF_JSET));
2444 * For management frames, the DA is at 4.
2446 b1 = gen_bcmp(4, 6, eaddr);
2450 * OR that with the checks done for data frames.
2451 * That gives the checks done for management and
2457 * If the low-order bit of the type value is 1,
2458 * this is either a control frame or a frame
2459 * with a reserved type, and thus not a
2462 * I.e., check "!(link[0] & 0x04)".
2464 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2466 b1 = new_block(JMP(BPF_JSET));
2472 * AND that with the checks for data and management
2479 b0 = gen_wlanhostop(eaddr, Q_SRC);
2480 b1 = gen_wlanhostop(eaddr, Q_DST);
2486 b0 = gen_wlanhostop(eaddr, Q_SRC);
2487 b1 = gen_wlanhostop(eaddr, Q_DST);
2496 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2497 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2498 * as the RFC states.)
2500 static struct block *
2501 gen_ipfchostop(eaddr, dir)
2502 register const u_char *eaddr;
2505 register struct block *b0, *b1;
2509 return gen_bcmp(10, 6, eaddr);
2512 return gen_bcmp(2, 6, eaddr);
2515 b0 = gen_ipfchostop(eaddr, Q_SRC);
2516 b1 = gen_ipfchostop(eaddr, Q_DST);
2522 b0 = gen_ipfchostop(eaddr, Q_SRC);
2523 b1 = gen_ipfchostop(eaddr, Q_DST);
2532 * This is quite tricky because there may be pad bytes in front of the
2533 * DECNET header, and then there are two possible data packet formats that
2534 * carry both src and dst addresses, plus 5 packet types in a format that
2535 * carries only the src node, plus 2 types that use a different format and
2536 * also carry just the src node.
2540 * Instead of doing those all right, we just look for data packets with
2541 * 0 or 1 bytes of padding. If you want to look at other packets, that
2542 * will require a lot more hacking.
2544 * To add support for filtering on DECNET "areas" (network numbers)
2545 * one would want to add a "mask" argument to this routine. That would
2546 * make the filter even more inefficient, although one could be clever
2547 * and not generate masking instructions if the mask is 0xFFFF.
2549 static struct block *
2550 gen_dnhostop(addr, dir, base_off)
2555 struct block *b0, *b1, *b2, *tmp;
2556 u_int offset_lh; /* offset if long header is received */
2557 u_int offset_sh; /* offset if short header is received */
2562 offset_sh = 1; /* follows flags */
2563 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2567 offset_sh = 3; /* follows flags, dstnode */
2568 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2572 /* Inefficient because we do our Calvinball dance twice */
2573 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2574 b1 = gen_dnhostop(addr, Q_DST, base_off);
2580 /* Inefficient because we do our Calvinball dance twice */
2581 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2582 b1 = gen_dnhostop(addr, Q_DST, base_off);
2587 bpf_error("ISO host filtering not implemented");
2592 b0 = gen_linktype(ETHERTYPE_DN);
2593 /* Check for pad = 1, long header case */
2594 tmp = gen_mcmp(base_off + 2, BPF_H,
2595 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2596 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2597 BPF_H, (bpf_int32)ntohs(addr));
2599 /* Check for pad = 0, long header case */
2600 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2601 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2604 /* Check for pad = 1, short header case */
2605 tmp = gen_mcmp(base_off + 2, BPF_H,
2606 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2607 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2608 BPF_H, (bpf_int32)ntohs(addr));
2611 /* Check for pad = 0, short header case */
2612 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2613 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2617 /* Combine with test for linktype */
2622 static struct block *
2623 gen_host(addr, mask, proto, dir)
2629 struct block *b0, *b1;
2634 b0 = gen_host(addr, mask, Q_IP, dir);
2635 if (off_linktype != (u_int)-1) {
2636 b1 = gen_host(addr, mask, Q_ARP, dir);
2638 b0 = gen_host(addr, mask, Q_RARP, dir);
2644 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2645 off_nl + 12, off_nl + 16);
2648 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2649 off_nl + 14, off_nl + 24);
2652 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2653 off_nl + 14, off_nl + 24);
2656 bpf_error("'tcp' modifier applied to host");
2659 bpf_error("'sctp' modifier applied to host");
2662 bpf_error("'udp' modifier applied to host");
2665 bpf_error("'icmp' modifier applied to host");
2668 bpf_error("'igmp' modifier applied to host");
2671 bpf_error("'igrp' modifier applied to host");
2674 bpf_error("'pim' modifier applied to host");
2677 bpf_error("'vrrp' modifier applied to host");
2680 bpf_error("ATALK host filtering not implemented");
2683 bpf_error("AARP host filtering not implemented");
2686 return gen_dnhostop(addr, dir, off_nl);
2689 bpf_error("SCA host filtering not implemented");
2692 bpf_error("LAT host filtering not implemented");
2695 bpf_error("MOPDL host filtering not implemented");
2698 bpf_error("MOPRC host filtering not implemented");
2702 bpf_error("'ip6' modifier applied to ip host");
2705 bpf_error("'icmp6' modifier applied to host");
2709 bpf_error("'ah' modifier applied to host");
2712 bpf_error("'esp' modifier applied to host");
2715 bpf_error("ISO host filtering not implemented");
2718 bpf_error("'esis' modifier applied to host");
2721 bpf_error("'isis' modifier applied to host");
2724 bpf_error("'clnp' modifier applied to host");
2727 bpf_error("'stp' modifier applied to host");
2730 bpf_error("IPX host filtering not implemented");
2733 bpf_error("'netbeui' modifier applied to host");
2742 static struct block *
2743 gen_host6(addr, mask, proto, dir)
2744 struct in6_addr *addr;
2745 struct in6_addr *mask;
2752 return gen_host6(addr, mask, Q_IPV6, dir);
2755 bpf_error("'ip' modifier applied to ip6 host");
2758 bpf_error("'rarp' modifier applied to ip6 host");
2761 bpf_error("'arp' modifier applied to ip6 host");
2764 bpf_error("'sctp' modifier applied to host");
2767 bpf_error("'tcp' modifier applied to host");
2770 bpf_error("'udp' modifier applied to host");
2773 bpf_error("'icmp' modifier applied to host");
2776 bpf_error("'igmp' modifier applied to host");
2779 bpf_error("'igrp' modifier applied to host");
2782 bpf_error("'pim' modifier applied to host");
2785 bpf_error("'vrrp' modifier applied to host");
2788 bpf_error("ATALK host filtering not implemented");
2791 bpf_error("AARP host filtering not implemented");
2794 bpf_error("'decnet' modifier applied to ip6 host");
2797 bpf_error("SCA host filtering not implemented");
2800 bpf_error("LAT host filtering not implemented");
2803 bpf_error("MOPDL host filtering not implemented");
2806 bpf_error("MOPRC host filtering not implemented");
2809 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2810 off_nl + 8, off_nl + 24);
2813 bpf_error("'icmp6' modifier applied to host");
2816 bpf_error("'ah' modifier applied to host");
2819 bpf_error("'esp' modifier applied to host");
2822 bpf_error("ISO host filtering not implemented");
2825 bpf_error("'esis' modifier applied to host");
2828 bpf_error("'isis' modifier applied to host");
2831 bpf_error("'clnp' modifier applied to host");
2834 bpf_error("'stp' modifier applied to host");
2837 bpf_error("IPX host filtering not implemented");
2840 bpf_error("'netbeui' modifier applied to host");
2850 static struct block *
2851 gen_gateway(eaddr, alist, proto, dir)
2852 const u_char *eaddr;
2853 bpf_u_int32 **alist;
2857 struct block *b0, *b1, *tmp;
2860 bpf_error("direction applied to 'gateway'");
2867 if (linktype == DLT_EN10MB)
2868 b0 = gen_ehostop(eaddr, Q_OR);
2869 else if (linktype == DLT_FDDI)
2870 b0 = gen_fhostop(eaddr, Q_OR);
2871 else if (linktype == DLT_IEEE802)
2872 b0 = gen_thostop(eaddr, Q_OR);
2873 else if (linktype == DLT_IEEE802_11)
2874 b0 = gen_wlanhostop(eaddr, Q_OR);
2875 else if (linktype == DLT_SUNATM && is_lane) {
2877 * Check that the packet doesn't begin with an
2878 * LE Control marker. (We've already generated
2881 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2885 * Now check the MAC address.
2887 b0 = gen_ehostop(eaddr, Q_OR);
2889 } else if (linktype == DLT_IP_OVER_FC)
2890 b0 = gen_ipfchostop(eaddr, Q_OR);
2893 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2895 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2897 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2905 bpf_error("illegal modifier of 'gateway'");
2911 gen_proto_abbrev(proto)
2920 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2922 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2928 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2930 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2936 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2938 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2944 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2947 #ifndef IPPROTO_IGMP
2948 #define IPPROTO_IGMP 2
2952 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2955 #ifndef IPPROTO_IGRP
2956 #define IPPROTO_IGRP 9
2959 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2963 #define IPPROTO_PIM 103
2967 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2969 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2974 #ifndef IPPROTO_VRRP
2975 #define IPPROTO_VRRP 112
2979 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2983 b1 = gen_linktype(ETHERTYPE_IP);
2987 b1 = gen_linktype(ETHERTYPE_ARP);
2991 b1 = gen_linktype(ETHERTYPE_REVARP);
2995 bpf_error("link layer applied in wrong context");
2998 b1 = gen_linktype(ETHERTYPE_ATALK);
3002 b1 = gen_linktype(ETHERTYPE_AARP);
3006 b1 = gen_linktype(ETHERTYPE_DN);
3010 b1 = gen_linktype(ETHERTYPE_SCA);
3014 b1 = gen_linktype(ETHERTYPE_LAT);
3018 b1 = gen_linktype(ETHERTYPE_MOPDL);
3022 b1 = gen_linktype(ETHERTYPE_MOPRC);
3027 b1 = gen_linktype(ETHERTYPE_IPV6);
3030 #ifndef IPPROTO_ICMPV6
3031 #define IPPROTO_ICMPV6 58
3034 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3039 #define IPPROTO_AH 51
3042 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3044 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3050 #define IPPROTO_ESP 50
3053 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3055 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3061 b1 = gen_linktype(LLCSAP_ISONS);
3065 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3069 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3072 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3073 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3074 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3076 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3078 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3080 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3084 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3085 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3086 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3088 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3090 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3092 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3096 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3097 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3098 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3100 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3105 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3106 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3111 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3112 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3114 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3116 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3121 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3122 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3127 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3128 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3133 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3137 b1 = gen_linktype(LLCSAP_8021D);
3141 b1 = gen_linktype(LLCSAP_IPX);
3145 b1 = gen_linktype(LLCSAP_NETBEUI);
3154 static struct block *
3161 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3162 s->s.k = off_nl + 6;
3163 b = new_block(JMP(BPF_JSET));
3171 static struct block *
3172 gen_portatom(off, v)
3179 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3182 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3183 s->next->s.k = off_nl + off;
3185 b = new_block(JMP(BPF_JEQ));
3193 static struct block *
3194 gen_portatom6(off, v)
3198 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3203 gen_portop(port, proto, dir)
3204 int port, proto, dir;
3206 struct block *b0, *b1, *tmp;
3208 /* ip proto 'proto' */
3209 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3215 b1 = gen_portatom(0, (bpf_int32)port);
3219 b1 = gen_portatom(2, (bpf_int32)port);
3224 tmp = gen_portatom(0, (bpf_int32)port);
3225 b1 = gen_portatom(2, (bpf_int32)port);
3230 tmp = gen_portatom(0, (bpf_int32)port);
3231 b1 = gen_portatom(2, (bpf_int32)port);
3243 static struct block *
3244 gen_port(port, ip_proto, dir)
3249 struct block *b0, *b1, *tmp;
3254 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3255 * not LLC encapsulation with LLCSAP_IP.
3257 * For IEEE 802 networks - which includes 802.5 token ring
3258 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3259 * says that SNAP encapsulation is used, not LLC encapsulation
3262 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3263 * RFC 2225 say that SNAP encapsulation is used, not LLC
3264 * encapsulation with LLCSAP_IP.
3266 * So we always check for ETHERTYPE_IP.
3268 b0 = gen_linktype(ETHERTYPE_IP);
3274 b1 = gen_portop(port, ip_proto, dir);
3278 tmp = gen_portop(port, IPPROTO_TCP, dir);
3279 b1 = gen_portop(port, IPPROTO_UDP, dir);
3281 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3294 gen_portop6(port, proto, dir)
3295 int port, proto, dir;
3297 struct block *b0, *b1, *tmp;
3299 /* ip proto 'proto' */
3300 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3304 b1 = gen_portatom6(0, (bpf_int32)port);
3308 b1 = gen_portatom6(2, (bpf_int32)port);
3313 tmp = gen_portatom6(0, (bpf_int32)port);
3314 b1 = gen_portatom6(2, (bpf_int32)port);
3319 tmp = gen_portatom6(0, (bpf_int32)port);
3320 b1 = gen_portatom6(2, (bpf_int32)port);
3332 static struct block *
3333 gen_port6(port, ip_proto, dir)
3338 struct block *b0, *b1, *tmp;
3340 /* ether proto ip */
3341 b0 = gen_linktype(ETHERTYPE_IPV6);
3347 b1 = gen_portop6(port, ip_proto, dir);
3351 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3352 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3354 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3367 lookup_proto(name, proto)
3368 register const char *name;
3378 v = pcap_nametoproto(name);
3379 if (v == PROTO_UNDEF)
3380 bpf_error("unknown ip proto '%s'", name);
3384 /* XXX should look up h/w protocol type based on linktype */
3385 v = pcap_nametoeproto(name);
3386 if (v == PROTO_UNDEF) {
3387 v = pcap_nametollc(name);
3388 if (v == PROTO_UNDEF)
3389 bpf_error("unknown ether proto '%s'", name);
3394 if (strcmp(name, "esis") == 0)
3396 else if (strcmp(name, "isis") == 0)
3398 else if (strcmp(name, "clnp") == 0)
3401 bpf_error("unknown osi proto '%s'", name);
3421 static struct block *
3422 gen_protochain(v, proto, dir)
3427 #ifdef NO_PROTOCHAIN
3428 return gen_proto(v, proto, dir);
3430 struct block *b0, *b;
3431 struct slist *s[100];
3432 int fix2, fix3, fix4, fix5;
3433 int ahcheck, again, end;
3435 int reg2 = alloc_reg();
3437 memset(s, 0, sizeof(s));
3438 fix2 = fix3 = fix4 = fix5 = 0;
3445 b0 = gen_protochain(v, Q_IP, dir);
3446 b = gen_protochain(v, Q_IPV6, dir);
3450 bpf_error("bad protocol applied for 'protochain'");
3454 no_optimize = 1; /*this code is not compatible with optimzer yet */
3457 * s[0] is a dummy entry to protect other BPF insn from damaged
3458 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3459 * hard to find interdependency made by jump table fixup.
3462 s[i] = new_stmt(0); /*dummy*/
3467 b0 = gen_linktype(ETHERTYPE_IP);
3470 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3471 s[i]->s.k = off_nl + 9;
3473 /* X = ip->ip_hl << 2 */
3474 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3480 b0 = gen_linktype(ETHERTYPE_IPV6);
3482 /* A = ip6->ip_nxt */
3483 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3484 s[i]->s.k = off_nl + 6;
3486 /* X = sizeof(struct ip6_hdr) */
3487 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3493 bpf_error("unsupported proto to gen_protochain");
3497 /* again: if (A == v) goto end; else fall through; */
3499 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3501 s[i]->s.jt = NULL; /*later*/
3502 s[i]->s.jf = NULL; /*update in next stmt*/
3506 #ifndef IPPROTO_NONE
3507 #define IPPROTO_NONE 59
3509 /* if (A == IPPROTO_NONE) goto end */
3510 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3511 s[i]->s.jt = NULL; /*later*/
3512 s[i]->s.jf = NULL; /*update in next stmt*/
3513 s[i]->s.k = IPPROTO_NONE;
3514 s[fix5]->s.jf = s[i];
3519 if (proto == Q_IPV6) {
3520 int v6start, v6end, v6advance, j;
3523 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3524 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3525 s[i]->s.jt = NULL; /*later*/
3526 s[i]->s.jf = NULL; /*update in next stmt*/
3527 s[i]->s.k = IPPROTO_HOPOPTS;
3528 s[fix2]->s.jf = s[i];
3530 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3531 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3532 s[i]->s.jt = NULL; /*later*/
3533 s[i]->s.jf = NULL; /*update in next stmt*/
3534 s[i]->s.k = IPPROTO_DSTOPTS;
3536 /* if (A == IPPROTO_ROUTING) goto v6advance */
3537 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3538 s[i]->s.jt = NULL; /*later*/
3539 s[i]->s.jf = NULL; /*update in next stmt*/
3540 s[i]->s.k = IPPROTO_ROUTING;
3542 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3543 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3544 s[i]->s.jt = NULL; /*later*/
3545 s[i]->s.jf = NULL; /*later*/
3546 s[i]->s.k = IPPROTO_FRAGMENT;
3557 * X = X + (P[X + 1] + 1) * 8;
3560 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3562 /* A = P[X + packet head] */
3563 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3567 s[i] = new_stmt(BPF_ST);
3571 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3574 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3578 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3580 /* A = P[X + packet head]; */
3581 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3585 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3589 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3593 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3596 s[i] = new_stmt(BPF_LD|BPF_MEM);
3600 /* goto again; (must use BPF_JA for backward jump) */
3601 s[i] = new_stmt(BPF_JMP|BPF_JA);
3602 s[i]->s.k = again - i - 1;
3603 s[i - 1]->s.jf = s[i];
3607 for (j = v6start; j <= v6end; j++)
3608 s[j]->s.jt = s[v6advance];
3613 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3615 s[fix2]->s.jf = s[i];
3621 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3622 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3623 s[i]->s.jt = NULL; /*later*/
3624 s[i]->s.jf = NULL; /*later*/
3625 s[i]->s.k = IPPROTO_AH;
3627 s[fix3]->s.jf = s[ahcheck];
3634 * X = X + (P[X + 1] + 2) * 4;
3637 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3639 /* A = P[X + packet head]; */
3640 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3644 s[i] = new_stmt(BPF_ST);
3648 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3651 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3655 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3657 /* A = P[X + packet head] */
3658 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3662 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3666 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3670 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3673 s[i] = new_stmt(BPF_LD|BPF_MEM);
3677 /* goto again; (must use BPF_JA for backward jump) */
3678 s[i] = new_stmt(BPF_JMP|BPF_JA);
3679 s[i]->s.k = again - i - 1;
3684 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3686 s[fix2]->s.jt = s[end];
3687 s[fix4]->s.jf = s[end];
3688 s[fix5]->s.jt = s[end];
3695 for (i = 0; i < max - 1; i++)
3696 s[i]->next = s[i + 1];
3697 s[max - 1]->next = NULL;
3702 b = new_block(JMP(BPF_JEQ));
3703 b->stmts = s[1]; /*remember, s[0] is dummy*/
3713 static struct block *
3714 gen_proto(v, proto, dir)
3719 struct block *b0, *b1;
3721 if (dir != Q_DEFAULT)
3722 bpf_error("direction applied to 'proto'");
3727 b0 = gen_proto(v, Q_IP, dir);
3728 b1 = gen_proto(v, Q_IPV6, dir);
3736 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3737 * not LLC encapsulation with LLCSAP_IP.
3739 * For IEEE 802 networks - which includes 802.5 token ring
3740 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3741 * says that SNAP encapsulation is used, not LLC encapsulation
3744 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3745 * RFC 2225 say that SNAP encapsulation is used, not LLC
3746 * encapsulation with LLCSAP_IP.
3748 * So we always check for ETHERTYPE_IP.
3750 b0 = gen_linktype(ETHERTYPE_IP);
3752 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3754 b1 = gen_protochain(v, Q_IP);
3764 * Frame Relay packets typically have an OSI
3765 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3766 * generates code to check for all the OSI
3767 * NLPIDs, so calling it and then adding a check
3768 * for the particular NLPID for which we're
3769 * looking is bogus, as we can just check for
3772 * What we check for is the NLPID and a frame
3773 * control field value of UI, i.e. 0x03 followed
3776 * XXX - assumes a 2-byte Frame Relay header with
3777 * DLCI and flags. What if the address is longer?
3779 * XXX - what about SNAP-encapsulated frames?
3781 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3787 * Cisco uses an Ethertype lookalike - for OSI,
3790 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3791 /* OSI in C-HDLC is stuffed with a fudge byte */
3792 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3797 b0 = gen_linktype(LLCSAP_ISONS);
3798 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3804 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3806 * 4 is the offset of the PDU type relative to the IS-IS
3809 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3814 bpf_error("arp does not encapsulate another protocol");
3818 bpf_error("rarp does not encapsulate another protocol");
3822 bpf_error("atalk encapsulation is not specifiable");
3826 bpf_error("decnet encapsulation is not specifiable");
3830 bpf_error("sca does not encapsulate another protocol");
3834 bpf_error("lat does not encapsulate another protocol");
3838 bpf_error("moprc does not encapsulate another protocol");
3842 bpf_error("mopdl does not encapsulate another protocol");
3846 return gen_linktype(v);
3849 bpf_error("'udp proto' is bogus");
3853 bpf_error("'tcp proto' is bogus");
3857 bpf_error("'sctp proto' is bogus");
3861 bpf_error("'icmp proto' is bogus");
3865 bpf_error("'igmp proto' is bogus");
3869 bpf_error("'igrp proto' is bogus");
3873 bpf_error("'pim proto' is bogus");
3877 bpf_error("'vrrp proto' is bogus");
3882 b0 = gen_linktype(ETHERTYPE_IPV6);
3884 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3886 b1 = gen_protochain(v, Q_IPV6);
3892 bpf_error("'icmp6 proto' is bogus");
3896 bpf_error("'ah proto' is bogus");
3899 bpf_error("'ah proto' is bogus");
3902 bpf_error("'stp proto' is bogus");
3905 bpf_error("'ipx proto' is bogus");
3908 bpf_error("'netbeui proto' is bogus");
3919 register const char *name;
3922 int proto = q.proto;
3926 bpf_u_int32 mask, addr;
3928 bpf_u_int32 **alist;
3931 struct sockaddr_in *sin;
3932 struct sockaddr_in6 *sin6;
3933 struct addrinfo *res, *res0;
3934 struct in6_addr mask128;
3936 struct block *b, *tmp;
3937 int port, real_proto;
3942 addr = pcap_nametonetaddr(name);
3944 bpf_error("unknown network '%s'", name);
3945 /* Left justify network addr and calculate its network mask */
3947 while (addr && (addr & 0xff000000) == 0) {
3951 return gen_host(addr, mask, proto, dir);
3955 if (proto == Q_LINK) {
3959 eaddr = pcap_ether_hostton(name);
3962 "unknown ether host '%s'", name);
3963 b = gen_ehostop(eaddr, dir);
3968 eaddr = pcap_ether_hostton(name);
3971 "unknown FDDI host '%s'", name);
3972 b = gen_fhostop(eaddr, dir);
3977 eaddr = pcap_ether_hostton(name);
3980 "unknown token ring host '%s'", name);
3981 b = gen_thostop(eaddr, dir);
3985 case DLT_IEEE802_11:
3986 eaddr = pcap_ether_hostton(name);
3989 "unknown 802.11 host '%s'", name);
3990 b = gen_wlanhostop(eaddr, dir);
3994 case DLT_IP_OVER_FC:
3995 eaddr = pcap_ether_hostton(name);
3998 "unknown Fibre Channel host '%s'", name);
3999 b = gen_ipfchostop(eaddr, dir);
4008 * Check that the packet doesn't begin
4009 * with an LE Control marker. (We've
4010 * already generated a test for LANE.)
4012 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
4016 eaddr = pcap_ether_hostton(name);
4019 "unknown ether host '%s'", name);
4020 b = gen_ehostop(eaddr, dir);
4026 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4027 } else if (proto == Q_DECNET) {
4028 unsigned short dn_addr = __pcap_nametodnaddr(name);
4030 * I don't think DECNET hosts can be multihomed, so
4031 * there is no need to build up a list of addresses
4033 return (gen_host(dn_addr, 0, proto, dir));
4036 alist = pcap_nametoaddr(name);
4037 if (alist == NULL || *alist == NULL)
4038 bpf_error("unknown host '%s'", name);
4040 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4042 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4044 tmp = gen_host(**alist++, 0xffffffff,
4051 memset(&mask128, 0xff, sizeof(mask128));
4052 res0 = res = pcap_nametoaddrinfo(name);
4054 bpf_error("unknown host '%s'", name);
4056 tproto = tproto6 = proto;
4057 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4061 for (res = res0; res; res = res->ai_next) {
4062 switch (res->ai_family) {
4064 if (tproto == Q_IPV6)
4067 sin = (struct sockaddr_in *)
4069 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4070 0xffffffff, tproto, dir);
4073 if (tproto6 == Q_IP)
4076 sin6 = (struct sockaddr_in6 *)
4078 tmp = gen_host6(&sin6->sin6_addr,
4079 &mask128, tproto6, dir);
4090 bpf_error("unknown host '%s'%s", name,
4091 (proto == Q_DEFAULT)
4093 : " for specified address family");
4100 if (proto != Q_DEFAULT &&
4101 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4102 bpf_error("illegal qualifier of 'port'");
4103 if (pcap_nametoport(name, &port, &real_proto) == 0)
4104 bpf_error("unknown port '%s'", name);
4105 if (proto == Q_UDP) {
4106 if (real_proto == IPPROTO_TCP)
4107 bpf_error("port '%s' is tcp", name);
4108 else if (real_proto == IPPROTO_SCTP)
4109 bpf_error("port '%s' is sctp", name);
4111 /* override PROTO_UNDEF */
4112 real_proto = IPPROTO_UDP;
4114 if (proto == Q_TCP) {
4115 if (real_proto == IPPROTO_UDP)
4116 bpf_error("port '%s' is udp", name);
4118 else if (real_proto == IPPROTO_SCTP)
4119 bpf_error("port '%s' is sctp", name);
4121 /* override PROTO_UNDEF */
4122 real_proto = IPPROTO_TCP;
4124 if (proto == Q_SCTP) {
4125 if (real_proto == IPPROTO_UDP)
4126 bpf_error("port '%s' is udp", name);
4128 else if (real_proto == IPPROTO_TCP)
4129 bpf_error("port '%s' is tcp", name);
4131 /* override PROTO_UNDEF */
4132 real_proto = IPPROTO_SCTP;
4135 return gen_port(port, real_proto, dir);
4139 b = gen_port(port, real_proto, dir);
4140 gen_or(gen_port6(port, real_proto, dir), b);
4147 eaddr = pcap_ether_hostton(name);
4149 bpf_error("unknown ether host: %s", name);
4151 alist = pcap_nametoaddr(name);
4152 if (alist == NULL || *alist == NULL)
4153 bpf_error("unknown host '%s'", name);
4154 b = gen_gateway(eaddr, alist, proto, dir);
4158 bpf_error("'gateway' not supported in this configuration");
4162 real_proto = lookup_proto(name, proto);
4163 if (real_proto >= 0)
4164 return gen_proto(real_proto, proto, dir);
4166 bpf_error("unknown protocol: %s", name);
4169 real_proto = lookup_proto(name, proto);
4170 if (real_proto >= 0)
4171 return gen_protochain(real_proto, proto, dir);
4173 bpf_error("unknown protocol: %s", name);
4185 gen_mcode(s1, s2, masklen, q)
4186 register const char *s1, *s2;
4187 register int masklen;
4190 register int nlen, mlen;
4193 nlen = __pcap_atoin(s1, &n);
4194 /* Promote short ipaddr */
4198 mlen = __pcap_atoin(s2, &m);
4199 /* Promote short ipaddr */
4202 bpf_error("non-network bits set in \"%s mask %s\"",
4205 /* Convert mask len to mask */
4207 bpf_error("mask length must be <= 32");
4208 m = 0xffffffff << (32 - masklen);
4210 bpf_error("non-network bits set in \"%s/%d\"",
4217 return gen_host(n, m, q.proto, q.dir);
4220 bpf_error("Mask syntax for networks only");
4228 register const char *s;
4233 int proto = q.proto;
4239 else if (q.proto == Q_DECNET)
4240 vlen = __pcap_atodn(s, &v);
4242 vlen = __pcap_atoin(s, &v);
4249 if (proto == Q_DECNET)
4250 return gen_host(v, 0, proto, dir);
4251 else if (proto == Q_LINK) {
4252 bpf_error("illegal link layer address");
4255 if (s == NULL && q.addr == Q_NET) {
4256 /* Promote short net number */
4257 while (v && (v & 0xff000000) == 0) {
4262 /* Promote short ipaddr */
4266 return gen_host(v, mask, proto, dir);
4271 proto = IPPROTO_UDP;
4272 else if (proto == Q_TCP)
4273 proto = IPPROTO_TCP;
4274 else if (proto == Q_SCTP)
4275 proto = IPPROTO_SCTP;
4276 else if (proto == Q_DEFAULT)
4277 proto = PROTO_UNDEF;
4279 bpf_error("illegal qualifier of 'port'");
4282 return gen_port((int)v, proto, dir);
4286 b = gen_port((int)v, proto, dir);
4287 gen_or(gen_port6((int)v, proto, dir), b);
4293 bpf_error("'gateway' requires a name");
4297 return gen_proto((int)v, proto, dir);
4300 return gen_protochain((int)v, proto, dir);
4315 gen_mcode6(s1, s2, masklen, q)
4316 register const char *s1, *s2;
4317 register int masklen;
4320 struct addrinfo *res;
4321 struct in6_addr *addr;
4322 struct in6_addr mask;
4327 bpf_error("no mask %s supported", s2);
4329 res = pcap_nametoaddrinfo(s1);
4331 bpf_error("invalid ip6 address %s", s1);
4333 bpf_error("%s resolved to multiple address", s1);
4334 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4336 if (sizeof(mask) * 8 < masklen)
4337 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4338 memset(&mask, 0, sizeof(mask));
4339 memset(&mask, 0xff, masklen / 8);
4341 mask.s6_addr[masklen / 8] =
4342 (0xff << (8 - masklen % 8)) & 0xff;
4345 a = (u_int32_t *)addr;
4346 m = (u_int32_t *)&mask;
4347 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4348 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4349 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4357 bpf_error("Mask syntax for networks only");
4361 b = gen_host6(addr, &mask, q.proto, q.dir);
4366 bpf_error("invalid qualifier against IPv6 address");
4374 register const u_char *eaddr;
4377 struct block *b, *tmp;
4379 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4380 if (linktype == DLT_EN10MB)
4381 return gen_ehostop(eaddr, (int)q.dir);
4382 if (linktype == DLT_FDDI)
4383 return gen_fhostop(eaddr, (int)q.dir);
4384 if (linktype == DLT_IEEE802)
4385 return gen_thostop(eaddr, (int)q.dir);
4386 if (linktype == DLT_IEEE802_11)
4387 return gen_wlanhostop(eaddr, (int)q.dir);
4388 if (linktype == DLT_SUNATM && is_lane) {
4390 * Check that the packet doesn't begin with an
4391 * LE Control marker. (We've already generated
4394 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4398 * Now check the MAC address.
4400 b = gen_ehostop(eaddr, (int)q.dir);
4404 if (linktype == DLT_IP_OVER_FC)
4405 return gen_ipfchostop(eaddr, (int)q.dir);
4406 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4408 bpf_error("ethernet address used in non-ether expression");
4414 struct slist *s0, *s1;
4417 * This is definitely not the best way to do this, but the
4418 * lists will rarely get long.
4425 static struct slist *
4431 s = new_stmt(BPF_LDX|BPF_MEM);
4436 static struct slist *
4442 s = new_stmt(BPF_LD|BPF_MEM);
4448 gen_load(proto, index, size)
4453 struct slist *s, *tmp;
4455 int regno = alloc_reg();
4457 free_reg(index->regno);
4461 bpf_error("data size must be 1, 2, or 4");
4477 bpf_error("unsupported index operation");
4481 * XXX - what about ATM LANE? Should the index be
4482 * relative to the beginning of the AAL5 frame, so
4483 * that 0 refers to the beginning of the LE Control
4484 * field, or relative to the beginning of the LAN
4485 * frame, so that 0 refers, for Ethernet LANE, to
4486 * the beginning of the destination address?
4488 s = xfer_to_x(index);
4489 tmp = new_stmt(BPF_LD|BPF_IND|size);
4491 sappend(index->s, s);
4506 /* XXX Note that we assume a fixed link header here. */
4507 s = xfer_to_x(index);
4508 tmp = new_stmt(BPF_LD|BPF_IND|size);
4511 sappend(index->s, s);
4513 b = gen_proto_abbrev(proto);
4515 gen_and(index->b, b);
4527 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4529 sappend(s, xfer_to_a(index));
4530 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4531 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4532 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4534 sappend(index->s, s);
4536 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4538 gen_and(index->b, b);
4540 gen_and(gen_proto_abbrev(Q_IP), b);
4546 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4550 index->regno = regno;
4551 s = new_stmt(BPF_ST);
4553 sappend(index->s, s);
4559 gen_relation(code, a0, a1, reversed)
4561 struct arth *a0, *a1;
4564 struct slist *s0, *s1, *s2;
4565 struct block *b, *tmp;
4569 if (code == BPF_JEQ) {
4570 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4571 b = new_block(JMP(code));
4575 b = new_block(BPF_JMP|code|BPF_X);
4581 sappend(a0->s, a1->s);
4585 free_reg(a0->regno);
4586 free_reg(a1->regno);
4588 /* 'and' together protocol checks */
4591 gen_and(a0->b, tmp = a1->b);
4607 int regno = alloc_reg();
4608 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4611 s = new_stmt(BPF_LD|BPF_LEN);
4612 s->next = new_stmt(BPF_ST);
4613 s->next->s.k = regno;
4628 a = (struct arth *)newchunk(sizeof(*a));
4632 s = new_stmt(BPF_LD|BPF_IMM);
4634 s->next = new_stmt(BPF_ST);
4650 s = new_stmt(BPF_ALU|BPF_NEG);
4653 s = new_stmt(BPF_ST);
4661 gen_arth(code, a0, a1)
4663 struct arth *a0, *a1;
4665 struct slist *s0, *s1, *s2;
4669 s2 = new_stmt(BPF_ALU|BPF_X|code);
4674 sappend(a0->s, a1->s);
4676 free_reg(a0->regno);
4677 free_reg(a1->regno);
4679 s0 = new_stmt(BPF_ST);
4680 a0->regno = s0->s.k = alloc_reg();
4687 * Here we handle simple allocation of the scratch registers.
4688 * If too many registers are alloc'd, the allocator punts.
4690 static int regused[BPF_MEMWORDS];
4694 * Return the next free register.
4699 int n = BPF_MEMWORDS;
4702 if (regused[curreg])
4703 curreg = (curreg + 1) % BPF_MEMWORDS;
4705 regused[curreg] = 1;
4709 bpf_error("too many registers needed to evaluate expression");
4714 * Return a register to the table so it can
4724 static struct block *
4731 s = new_stmt(BPF_LD|BPF_LEN);
4732 b = new_block(JMP(jmp));
4743 return gen_len(BPF_JGE, n);
4747 * Actually, this is less than or equal.
4755 b = gen_len(BPF_JGT, n);
4762 gen_byteop(op, idx, val)
4773 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4776 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4777 b->s.code = JMP(BPF_JGE);
4782 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4783 b->s.code = JMP(BPF_JGT);
4787 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4791 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4795 b = new_block(JMP(BPF_JEQ));
4802 static u_char abroadcast[] = { 0x0 };
4805 gen_broadcast(proto)
4808 bpf_u_int32 hostmask;
4809 struct block *b0, *b1, *b2;
4810 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4816 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4817 return gen_ahostop(abroadcast, Q_DST);
4818 if (linktype == DLT_EN10MB)
4819 return gen_ehostop(ebroadcast, Q_DST);
4820 if (linktype == DLT_FDDI)
4821 return gen_fhostop(ebroadcast, Q_DST);
4822 if (linktype == DLT_IEEE802)
4823 return gen_thostop(ebroadcast, Q_DST);
4824 if (linktype == DLT_IEEE802_11)
4825 return gen_wlanhostop(ebroadcast, Q_DST);
4826 if (linktype == DLT_IP_OVER_FC)
4827 return gen_ipfchostop(ebroadcast, Q_DST);
4828 if (linktype == DLT_SUNATM && is_lane) {
4830 * Check that the packet doesn't begin with an
4831 * LE Control marker. (We've already generated
4834 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4838 * Now check the MAC address.
4840 b0 = gen_ehostop(ebroadcast, Q_DST);
4844 bpf_error("not a broadcast link");
4848 b0 = gen_linktype(ETHERTYPE_IP);
4849 hostmask = ~netmask;
4850 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4851 b2 = gen_mcmp(off_nl + 16, BPF_W,
4852 (bpf_int32)(~0 & hostmask), hostmask);
4857 bpf_error("only link-layer/IP broadcast filters supported");
4862 * Generate code to test the low-order bit of a MAC address (that's
4863 * the bottom bit of the *first* byte).
4865 static struct block *
4866 gen_mac_multicast(offset)
4869 register struct block *b0;
4870 register struct slist *s;
4872 /* link[offset] & 1 != 0 */
4873 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4875 b0 = new_block(JMP(BPF_JSET));
4882 gen_multicast(proto)
4885 register struct block *b0, *b1, *b2;
4886 register struct slist *s;
4892 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4893 /* all ARCnet multicasts use the same address */
4894 return gen_ahostop(abroadcast, Q_DST);
4896 if (linktype == DLT_EN10MB) {
4897 /* ether[0] & 1 != 0 */
4898 return gen_mac_multicast(0);
4901 if (linktype == DLT_FDDI) {
4903 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4905 * XXX - was that referring to bit-order issues?
4907 /* fddi[1] & 1 != 0 */
4908 return gen_mac_multicast(1);
4911 if (linktype == DLT_IEEE802) {
4912 /* tr[2] & 1 != 0 */
4913 return gen_mac_multicast(2);
4916 if (linktype == DLT_IEEE802_11) {
4920 * For control frames, there is no DA.
4922 * For management frames, DA is at an
4923 * offset of 4 from the beginning of
4926 * For data frames, DA is at an offset
4927 * of 4 from the beginning of the packet
4928 * if To DS is clear and at an offset of
4929 * 16 from the beginning of the packet
4934 * Generate the tests to be done for data frames.
4936 * First, check for To DS set, i.e. "link[1] & 0x01".
4938 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4940 b1 = new_block(JMP(BPF_JSET));
4941 b1->s.k = 0x01; /* To DS */
4945 * If To DS is set, the DA is at 16.
4947 b0 = gen_mac_multicast(16);
4951 * Now, check for To DS not set, i.e. check
4952 * "!(link[1] & 0x01)".
4954 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4956 b2 = new_block(JMP(BPF_JSET));
4957 b2->s.k = 0x01; /* To DS */
4962 * If To DS is not set, the DA is at 4.
4964 b1 = gen_mac_multicast(4);
4968 * Now OR together the last two checks. That gives
4969 * the complete set of checks for data frames.
4974 * Now check for a data frame.
4975 * I.e, check "link[0] & 0x08".
4977 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4979 b1 = new_block(JMP(BPF_JSET));
4984 * AND that with the checks done for data frames.
4989 * If the high-order bit of the type value is 0, this
4990 * is a management frame.
4991 * I.e, check "!(link[0] & 0x08)".
4993 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4995 b2 = new_block(JMP(BPF_JSET));
5001 * For management frames, the DA is at 4.
5003 b1 = gen_mac_multicast(4);
5007 * OR that with the checks done for data frames.
5008 * That gives the checks done for management and
5014 * If the low-order bit of the type value is 1,
5015 * this is either a control frame or a frame
5016 * with a reserved type, and thus not a
5019 * I.e., check "!(link[0] & 0x04)".
5021 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
5023 b1 = new_block(JMP(BPF_JSET));
5029 * AND that with the checks for data and management
5036 if (linktype == DLT_IP_OVER_FC) {
5037 b0 = gen_mac_multicast(2);
5041 if (linktype == DLT_SUNATM && is_lane) {
5043 * Check that the packet doesn't begin with an
5044 * LE Control marker. (We've already generated
5047 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
5050 /* ether[off_mac] & 1 != 0 */
5051 b0 = gen_mac_multicast(off_mac);
5056 /* Link not known to support multicasts */
5060 b0 = gen_linktype(ETHERTYPE_IP);
5061 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
5062 b1->s.code = JMP(BPF_JGE);
5068 b0 = gen_linktype(ETHERTYPE_IPV6);
5069 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
5074 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5079 * generate command for inbound/outbound. It's here so we can
5080 * make it link-type specific. 'dir' = 0 implies "inbound",
5081 * = 1 implies "outbound".
5087 register struct block *b0;
5090 * Only some data link types support inbound/outbound qualifiers.
5094 b0 = gen_relation(BPF_JEQ,
5095 gen_load(Q_LINK, gen_loadi(0), 1),
5103 * Match packets sent by this machine.
5105 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5108 * Match packets sent to this machine.
5109 * (No broadcast or multicast packets, or
5110 * packets sent to some other machine and
5111 * received promiscuously.)
5113 * XXX - packets sent to other machines probably
5114 * shouldn't be matched, but what about broadcast
5115 * or multicast packets we received?
5117 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5122 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5123 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5128 /* match outgoing packets */
5129 b0 = gen_cmp(0, BPF_B, PPP_PPPD_OUT);
5131 /* match incoming packets */
5132 b0 = gen_cmp(0, BPF_B, PPP_PPPD_IN);
5136 case DLT_JUNIPER_MLFR:
5137 case DLT_JUNIPER_MLPPP:
5138 case DLT_JUNIPER_ATM1:
5139 case DLT_JUNIPER_ATM2:
5140 /* juniper flags (including direction) are stored
5141 * the byte after the 3-byte magic number */
5143 /* match outgoing packets */
5144 b0 = gen_mcmp(3, BPF_B, 0, 0x01);
5146 /* match incoming packets */
5147 b0 = gen_mcmp(3, BPF_B, 1, 0x01);
5152 bpf_error("inbound/outbound not supported on linktype %d",
5160 /* PF firewall log matched interface */
5162 gen_pf_ifname(const char *ifname)
5167 if (linktype == DLT_PFLOG) {
5168 len = sizeof(((struct pfloghdr *)0)->ifname);
5169 off = offsetof(struct pfloghdr, ifname);
5171 bpf_error("ifname not supported on linktype 0x%x", linktype);
5174 if (strlen(ifname) >= len) {
5175 bpf_error("ifname interface names can only be %d characters",
5179 b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
5183 /* PF firewall log matched interface */
5185 gen_pf_ruleset(char *ruleset)
5189 if (linktype != DLT_PFLOG) {
5190 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5193 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5194 bpf_error("ruleset names can only be %ld characters",
5195 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5198 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5199 strlen(ruleset), (const u_char *)ruleset);
5203 /* PF firewall log rule number */
5209 if (linktype == DLT_PFLOG) {
5210 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5213 bpf_error("rnr not supported on linktype 0x%x", linktype);
5220 /* PF firewall log sub-rule number */
5222 gen_pf_srnr(int srnr)
5226 if (linktype != DLT_PFLOG) {
5227 bpf_error("srnr not supported on linktype 0x%x", linktype);
5231 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5236 /* PF firewall log reason code */
5238 gen_pf_reason(int reason)
5242 if (linktype == DLT_PFLOG) {
5243 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5246 bpf_error("reason not supported on linktype 0x%x", linktype);
5253 /* PF firewall log action */
5255 gen_pf_action(int action)
5259 if (linktype == DLT_PFLOG) {
5260 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5263 bpf_error("action not supported on linktype 0x%x", linktype);
5272 register const u_char *eaddr;
5275 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5276 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5277 return gen_ahostop(eaddr, (int)q.dir);
5279 bpf_error("ARCnet address used in non-arc expression");
5283 static struct block *
5284 gen_ahostop(eaddr, dir)
5285 register const u_char *eaddr;
5288 register struct block *b0, *b1;
5291 /* src comes first, different from Ethernet */
5293 return gen_bcmp(0, 1, eaddr);
5296 return gen_bcmp(1, 1, eaddr);
5299 b0 = gen_ahostop(eaddr, Q_SRC);
5300 b1 = gen_ahostop(eaddr, Q_DST);
5306 b0 = gen_ahostop(eaddr, Q_SRC);
5307 b1 = gen_ahostop(eaddr, Q_DST);
5316 * support IEEE 802.1Q VLAN trunk over ethernet
5325 * Change the offsets to point to the type and data fields within
5326 * the VLAN packet. This is somewhat of a kludge.
5328 if (orig_nl == (u_int)-1) {
5329 orig_linktype = off_linktype; /* save original values */
5331 orig_nl_nosnap = off_nl_nosnap;
5342 bpf_error("no VLAN support for data link type %d",
5348 /* check for VLAN */
5349 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5351 /* If a specific VLAN is requested, check VLAN id */
5352 if (vlan_num >= 0) {
5355 b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)vlan_num, 0x0fff);
5373 * Change the offsets to point to the type and data fields within
5374 * the MPLS packet. This is somewhat of a kludge.
5376 if (orig_nl == (u_int)-1) {
5377 orig_linktype = off_linktype; /* save original values */
5379 orig_nl_nosnap = off_nl_nosnap;
5388 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5396 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
5404 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5407 /* FIXME add other DLT_s ...
5408 * for Frame-Relay/and ATM this may get messy due to SNAP headers
5409 * leave it for now */
5412 bpf_error("no MPLS support for data link type %d",
5418 bpf_error("'mpls' can't be combined with 'vlan' or another 'mpls'");
5423 /* If a specific MPLS label is requested, check it */
5424 if (label_num >= 0) {
5427 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
5428 b1 = gen_mcmp(orig_nl, BPF_W, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
5437 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5449 bpf_error("'vpi' supported only on raw ATM");
5450 if (off_vpi == (u_int)-1)
5452 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5453 (u_int)jvalue, reverse);
5458 bpf_error("'vci' supported only on raw ATM");
5459 if (off_vci == (u_int)-1)
5461 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5462 (u_int)jvalue, reverse);
5466 if (off_proto == (u_int)-1)
5467 abort(); /* XXX - this isn't on FreeBSD */
5468 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5469 (u_int)jvalue, reverse);
5473 if (off_payload == (u_int)-1)
5475 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5476 (u_int)jtype, (u_int)jvalue, reverse);
5481 bpf_error("'callref' supported only on raw ATM");
5482 if (off_proto == (u_int)-1)
5484 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5485 (u_int)jvalue, reverse);
5495 gen_atmtype_abbrev(type)
5498 struct block *b0, *b1;
5503 /* Get all packets in Meta signalling Circuit */
5505 bpf_error("'metac' supported only on raw ATM");
5506 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5507 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5512 /* Get all packets in Broadcast Circuit*/
5514 bpf_error("'bcc' supported only on raw ATM");
5515 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5516 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5521 /* Get all cells in Segment OAM F4 circuit*/
5523 bpf_error("'oam4sc' supported only on raw ATM");
5524 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5525 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5530 /* Get all cells in End-to-End OAM F4 Circuit*/
5532 bpf_error("'oam4ec' supported only on raw ATM");
5533 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5534 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5539 /* Get all packets in connection Signalling Circuit */
5541 bpf_error("'sc' supported only on raw ATM");
5542 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5543 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5548 /* Get all packets in ILMI Circuit */
5550 bpf_error("'ilmic' supported only on raw ATM");
5551 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5552 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5557 /* Get all LANE packets */
5559 bpf_error("'lane' supported only on raw ATM");
5560 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5563 * Arrange that all subsequent tests assume LANE
5564 * rather than LLC-encapsulated packets, and set
5565 * the offsets appropriately for LANE-encapsulated
5568 * "off_mac" is the offset of the Ethernet header,
5569 * which is 2 bytes past the ATM pseudo-header
5570 * (skipping the pseudo-header and 2-byte LE Client
5571 * field). The other offsets are Ethernet offsets
5572 * relative to "off_mac".
5575 off_mac = off_payload + 2; /* MAC header */
5576 off_linktype = off_mac + 12;
5577 off_nl = off_mac + 14; /* Ethernet II */
5578 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5582 /* Get all LLC-encapsulated packets */
5584 bpf_error("'llc' supported only on raw ATM");
5585 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5596 static struct block *
5597 gen_msg_abbrev(type)
5603 * Q.2931 signalling protocol messages for handling virtual circuits
5604 * establishment and teardown
5609 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5613 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5617 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5621 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5625 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5628 case A_RELEASE_DONE:
5629 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5639 gen_atmmulti_abbrev(type)
5642 struct block *b0, *b1;
5648 bpf_error("'oam' supported only on raw ATM");
5649 b1 = gen_atmmulti_abbrev(A_OAMF4);
5654 bpf_error("'oamf4' supported only on raw ATM");
5656 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5657 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5659 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5665 * Get Q.2931 signalling messages for switched
5666 * virtual connection
5669 bpf_error("'connectmsg' supported only on raw ATM");
5670 b0 = gen_msg_abbrev(A_SETUP);
5671 b1 = gen_msg_abbrev(A_CALLPROCEED);
5673 b0 = gen_msg_abbrev(A_CONNECT);
5675 b0 = gen_msg_abbrev(A_CONNECTACK);
5677 b0 = gen_msg_abbrev(A_RELEASE);
5679 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5681 b0 = gen_atmtype_abbrev(A_SC);
5687 bpf_error("'metaconnect' supported only on raw ATM");
5688 b0 = gen_msg_abbrev(A_SETUP);
5689 b1 = gen_msg_abbrev(A_CALLPROCEED);
5691 b0 = gen_msg_abbrev(A_CONNECT);
5693 b0 = gen_msg_abbrev(A_RELEASE);
5695 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5697 b0 = gen_atmtype_abbrev(A_METAC);
projects / FreeBSD / FreeBSD.git / blob