1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.160 2001/11/30 07:25:48 guy Exp $ (LBL)";
33 #include <sys/types.h>
34 #include <sys/socket.h>
37 #include <sys/param.h>
44 #include <netinet/in.h>
54 #include "ethertype.h"
61 #include <pcap-namedb.h>
64 #include <sys/socket.h>
71 #define IPPROTO_SCTP 132
74 #ifdef HAVE_OS_PROTO_H
78 #define JMP(c) ((c)|BPF_JMP|BPF_K)
81 static jmp_buf top_ctx;
82 static pcap_t *bpf_pcap;
84 /* Hack for updating VLAN offsets. */
85 static u_int orig_linktype = -1, orig_nl = -1;
89 int pcap_fddipad = PCAP_FDDIPAD;
96 bpf_error(const char *fmt, ...)
102 if (bpf_pcap != NULL)
103 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
110 static void init_linktype(int);
112 static int alloc_reg(void);
113 static void free_reg(int);
115 static struct block *root;
118 * We divy out chunks of memory rather than call malloc each time so
119 * we don't have to worry about leaking memory. It's probably
120 * not a big deal if all this memory was wasted but it this ever
121 * goes into a library that would probably not be a good idea.
124 #define CHUNK0SIZE 1024
130 static struct chunk chunks[NCHUNKS];
131 static int cur_chunk;
133 static void *newchunk(u_int);
134 static void freechunks(void);
135 static inline struct block *new_block(int);
136 static inline struct slist *new_stmt(int);
137 static struct block *gen_retblk(int);
138 static inline void syntax(void);
140 static void backpatch(struct block *, struct block *);
141 static void merge(struct block *, struct block *);
142 static struct block *gen_cmp(u_int, u_int, bpf_int32);
143 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
144 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
145 static struct block *gen_bcmp(u_int, u_int, const u_char *);
146 static struct block *gen_uncond(int);
147 static inline struct block *gen_true(void);
148 static inline struct block *gen_false(void);
149 static struct block *gen_linktype(int);
150 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
151 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
153 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
155 static struct block *gen_ahostop(const u_char *, int);
156 static struct block *gen_ehostop(const u_char *, int);
157 static struct block *gen_fhostop(const u_char *, int);
158 static struct block *gen_thostop(const u_char *, int);
159 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
160 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
162 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
165 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
167 static struct block *gen_ipfrag(void);
168 static struct block *gen_portatom(int, bpf_int32);
170 static struct block *gen_portatom6(int, bpf_int32);
172 struct block *gen_portop(int, int, int);
173 static struct block *gen_port(int, int, int);
175 struct block *gen_portop6(int, int, int);
176 static struct block *gen_port6(int, int, int);
178 static int lookup_proto(const char *, int);
179 static struct block *gen_protochain(int, int, int);
180 static struct block *gen_proto(int, int, int);
181 static struct slist *xfer_to_x(struct arth *);
182 static struct slist *xfer_to_a(struct arth *);
183 static struct block *gen_len(int, int);
193 /* XXX Round up to nearest long. */
194 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
196 /* XXX Round up to structure boundary. */
200 cp = &chunks[cur_chunk];
201 if (n > cp->n_left) {
202 ++cp, k = ++cur_chunk;
204 bpf_error("out of memory");
205 size = CHUNK0SIZE << k;
206 cp->m = (void *)malloc(size);
207 memset((char *)cp->m, 0, size);
210 bpf_error("out of memory");
213 return (void *)((char *)cp->m + cp->n_left);
222 for (i = 0; i < NCHUNKS; ++i)
223 if (chunks[i].m != NULL) {
230 * A strdup whose allocations are freed after code generation is over.
234 register const char *s;
236 int n = strlen(s) + 1;
237 char *cp = newchunk(n);
243 static inline struct block *
249 p = (struct block *)newchunk(sizeof(*p));
256 static inline struct slist *
262 p = (struct slist *)newchunk(sizeof(*p));
268 static struct block *
272 struct block *b = new_block(BPF_RET|BPF_K);
281 bpf_error("syntax error in filter expression");
284 static bpf_u_int32 netmask;
289 pcap_compile(pcap_t *p, struct bpf_program *program,
290 char *buf, int optimize, bpf_u_int32 mask)
299 if (setjmp(top_ctx)) {
307 snaplen = pcap_snapshot(p);
309 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
310 "snaplen of 0 rejects all packets");
314 lex_init(buf ? buf : "");
315 init_linktype(pcap_datalink(p));
322 root = gen_retblk(snaplen);
324 if (optimize && !no_optimize) {
327 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
328 bpf_error("expression rejects all packets");
330 program->bf_insns = icode_to_fcode(root, &len);
331 program->bf_len = len;
339 * entry point for using the compiler with no pcap open
340 * pass in all the stuff that is needed explicitly instead.
343 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
344 struct bpf_program *program,
345 char *buf, int optimize, bpf_u_int32 mask)
350 p = pcap_open_dead(linktype_arg, snaplen_arg);
353 ret = pcap_compile(p, program, buf, optimize, mask);
359 * Clean up a "struct bpf_program" by freeing all the memory allocated
363 pcap_freecode(struct bpf_program *program)
366 if (program->bf_insns != NULL) {
367 free((char *)program->bf_insns);
368 program->bf_insns = NULL;
373 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
374 * which of the jt and jf fields has been resolved and which is a pointer
375 * back to another unresolved block (or nil). At least one of the fields
376 * in each block is already resolved.
379 backpatch(list, target)
380 struct block *list, *target;
397 * Merge the lists in b0 and b1, using the 'sense' field to indicate
398 * which of jt and jf is the link.
402 struct block *b0, *b1;
404 register struct block **p = &b0;
406 /* Find end of list. */
408 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
410 /* Concatenate the lists. */
418 backpatch(p, gen_retblk(snaplen));
419 p->sense = !p->sense;
420 backpatch(p, gen_retblk(0));
426 struct block *b0, *b1;
428 backpatch(b0, b1->head);
429 b0->sense = !b0->sense;
430 b1->sense = !b1->sense;
432 b1->sense = !b1->sense;
438 struct block *b0, *b1;
440 b0->sense = !b0->sense;
441 backpatch(b0, b1->head);
442 b0->sense = !b0->sense;
451 b->sense = !b->sense;
454 static struct block *
455 gen_cmp(offset, size, v)
462 s = new_stmt(BPF_LD|BPF_ABS|size);
465 b = new_block(JMP(BPF_JEQ));
472 static struct block *
473 gen_cmp_gt(offset, size, v)
480 s = new_stmt(BPF_LD|BPF_ABS|size);
483 b = new_block(JMP(BPF_JGT));
490 static struct block *
491 gen_mcmp(offset, size, v, mask)
496 struct block *b = gen_cmp(offset, size, v);
499 if (mask != 0xffffffff) {
500 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
507 static struct block *
508 gen_bcmp(offset, size, v)
509 register u_int offset, size;
510 register const u_char *v;
512 register struct block *b, *tmp;
516 register const u_char *p = &v[size - 4];
517 bpf_int32 w = ((bpf_int32)p[0] << 24) |
518 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
520 tmp = gen_cmp(offset + size - 4, BPF_W, w);
527 register const u_char *p = &v[size - 2];
528 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
530 tmp = gen_cmp(offset + size - 2, BPF_H, w);
537 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
546 * Various code constructs need to know the layout of the data link
547 * layer. These variables give the necessary offsets. off_linktype
548 * is set to -1 for no encapsulation, in which case, IP is assumed.
550 static u_int off_linktype;
567 off_nl = 6; /* XXX in reality, variable! */
571 off_linktype = 30; /* XXX variable */
582 * SLIP doesn't have a link level type. The 16 byte
583 * header is hacked into our SLIP driver.
590 /* XXX this may be the same as the DLT_PPP_BSDOS case */
603 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
604 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
611 * This does no include the Ethernet header, and
612 * only covers session state.
625 * FDDI doesn't really have a link-level type field.
626 * We set "off_linktype" to the offset of the LLC header.
628 * To check for Ethernet types, we assume that SSAP = SNAP
629 * is being used and pick out the encapsulated Ethernet type.
630 * XXX - should we generate code to check for SNAP?
634 off_linktype += pcap_fddipad;
638 off_nl += pcap_fddipad;
644 * Token Ring doesn't really have a link-level type field.
645 * We set "off_linktype" to the offset of the LLC header.
647 * To check for Ethernet types, we assume that SSAP = SNAP
648 * is being used and pick out the encapsulated Ethernet type.
649 * XXX - should we generate code to check for SNAP?
651 * XXX - the header is actually variable-length.
652 * Some various Linux patched versions gave 38
653 * as "off_linktype" and 40 as "off_nl"; however,
654 * if a token ring packet has *no* routing
655 * information, i.e. is not source-routed, the correct
656 * values are 20 and 22, as they are in the vanilla code.
658 * A packet is source-routed iff the uppermost bit
659 * of the first byte of the source address, at an
660 * offset of 8, has the uppermost bit set. If the
661 * packet is source-routed, the total number of bytes
662 * of routing information is 2 plus bits 0x1F00 of
663 * the 16-bit value at an offset of 14 (shifted right
664 * 8 - figure out which byte that is).
673 * 802.11 doesn't really have a link-level type field.
674 * We set "off_linktype" to the offset of the LLC header.
676 * To check for Ethernet types, we assume that SSAP = SNAP
677 * is being used and pick out the encapsulated Ethernet type.
678 * XXX - should we generate code to check for SNAP?
680 * XXX - the header is actually variable-length. We
681 * assume a 24-byte link-layer header, as appears in
682 * data frames in networks with no bridges.
689 case DLT_PRISM_HEADER:
691 * Same as 802.11, but with an additional header before
692 * the 802.11 header, containing a bunch of additional
693 * information including radio-level information.
695 * The header is 144 bytes long.
697 * XXX - same variable-length header problem; at least
698 * the Prism header is fixed-length.
700 off_linktype = 144+24;
704 case DLT_ATM_RFC1483:
706 * assume routed, non-ISO PDUs
707 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
718 case DLT_ATM_CLIP: /* Linux ATM defines this */
723 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
730 * LocalTalk does have a 1-byte type field in the LLAP header,
731 * but really it just indicates whether there is a "short" or
732 * "long" DDP packet following.
738 bpf_error("unknown data link type %d", linktype);
742 static struct block *
749 s = new_stmt(BPF_LD|BPF_IMM);
751 b = new_block(JMP(BPF_JEQ));
757 static inline struct block *
760 return gen_uncond(1);
763 static inline struct block *
766 return gen_uncond(0);
770 * Byte-swap a 32-bit number.
771 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
772 * big-endian platforms.)
774 #define SWAPLONG(y) \
775 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
777 static struct block *
781 struct block *b0, *b1;
790 * OSI protocols always use 802.2 encapsulation.
791 * XXX - should we check both the DSAP and the
792 * SSAP, like this, or should we check just the
795 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
797 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
798 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
804 * NetBEUI always uses 802.2 encapsulation.
805 * XXX - should we check both the DSAP and the
806 * SSAP, like this, or should we check just the
809 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
811 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
812 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
820 * Ethernet_II frames, which are Ethernet
821 * frames with a frame type of ETHERTYPE_IPX;
823 * Ethernet_802.3 frames, which are 802.3
824 * frames (i.e., the type/length field is
825 * a length field, <= ETHERMTU, rather than
826 * a type field) with the first two bytes
827 * after the Ethernet/802.3 header being
830 * Ethernet_802.2 frames, which are 802.3
831 * frames with an 802.2 LLC header and
832 * with the IPX LSAP as the DSAP in the LLC
835 * Ethernet_SNAP frames, which are 802.3
836 * frames with an LLC header and a SNAP
837 * header and with an OUI of 0x000000
838 * (encapsulated Ethernet) and a protocol
839 * ID of ETHERTYPE_IPX in the SNAP header.
841 * XXX - should we generate the same code both
842 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
846 * This generates code to check both for the
847 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
849 b0 = gen_cmp(off_linktype + 2, BPF_B,
850 (bpf_int32)LLCSAP_IPX);
851 b1 = gen_cmp(off_linktype + 2, BPF_H,
856 * Now we add code to check for SNAP frames with
857 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
859 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
863 * Now we generate code to check for 802.3
866 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
870 * Now add the check for 802.3 frames before the
871 * check for Ethernet_802.2 and Ethernet_802.3,
872 * as those checks should only be done on 802.3
873 * frames, not on Ethernet frames.
878 * Now add the check for Ethernet_II frames, and
879 * do that before checking for the other frame
882 b0 = gen_cmp(off_linktype, BPF_H,
883 (bpf_int32)ETHERTYPE_IPX);
887 case ETHERTYPE_ATALK:
890 * EtherTalk (AppleTalk protocols on Ethernet link
891 * layer) may use 802.2 encapsulation.
895 * Check for 802.2 encapsulation (EtherTalk phase 2?);
896 * we check for an Ethernet type field less than
897 * 1500, which means it's an 802.3 length field.
899 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
903 * 802.2-encapsulated ETHERTYPE_ATALK packets are
904 * SNAP packets with an organization code of
905 * 0x080007 (Apple, for Appletalk) and a protocol
906 * type of ETHERTYPE_ATALK (Appletalk).
908 * 802.2-encapsulated ETHERTYPE_AARP packets are
909 * SNAP packets with an organization code of
910 * 0x000000 (encapsulated Ethernet) and a protocol
911 * type of ETHERTYPE_AARP (Appletalk ARP).
913 if (proto == ETHERTYPE_ATALK)
914 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
915 else /* proto == ETHERTYPE_AARP */
916 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
920 * Check for Ethernet encapsulation (Ethertalk
921 * phase 1?); we just check for the Ethernet
924 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
930 if (proto <= ETHERMTU) {
932 * This is an LLC SAP value, so the frames
933 * that match would be 802.2 frames.
934 * Check that the frame is an 802.2 frame
935 * (i.e., that the length/type field is
936 * a length field, <= ETHERMTU) and
937 * then check the DSAP.
939 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
941 b1 = gen_cmp(off_linktype + 2, BPF_B,
947 * This is an Ethernet type, so compare
948 * the length/type field with it (if
949 * the frame is an 802.2 frame, the length
950 * field will be <= ETHERMTU, and, as
951 * "proto" is > ETHERMTU, this test
952 * will fail and the frame won't match,
953 * which is what we want).
955 return gen_cmp(off_linktype, BPF_H,
962 case DLT_PRISM_HEADER:
965 case DLT_ATM_RFC1483:
968 * XXX - handle token-ring variable-length header.
973 return gen_cmp(off_linktype, BPF_H, (long)
974 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
977 return gen_cmp(off_linktype, BPF_H, (long)
978 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
982 * XXX - are there ever SNAP frames for IPX on
983 * non-Ethernet 802.x networks?
985 return gen_cmp(off_linktype, BPF_B,
986 (bpf_int32)LLCSAP_IPX);
988 case ETHERTYPE_ATALK:
990 * 802.2-encapsulated ETHERTYPE_ATALK packets are
991 * SNAP packets with an organization code of
992 * 0x080007 (Apple, for Appletalk) and a protocol
993 * type of ETHERTYPE_ATALK (Appletalk).
995 * XXX - check for an organization code of
996 * encapsulated Ethernet as well?
998 return gen_snap(0x080007, ETHERTYPE_ATALK,
1004 * XXX - we don't have to check for IPX 802.3
1005 * here, but should we check for the IPX Ethertype?
1007 if (proto <= ETHERMTU) {
1009 * This is an LLC SAP value, so check
1012 return gen_cmp(off_linktype, BPF_B,
1016 * This is an Ethernet type; we assume
1017 * that it's unlikely that it'll
1018 * appear in the right place at random,
1019 * and therefore check only the
1020 * location that would hold the Ethernet
1021 * type in a SNAP frame with an organization
1022 * code of 0x000000 (encapsulated Ethernet).
1024 * XXX - if we were to check for the SNAP DSAP
1025 * and LSAP, as per XXX, and were also to check
1026 * for an organization code of 0x000000
1027 * (encapsulated Ethernet), we'd do
1029 * return gen_snap(0x000000, proto,
1032 * here; for now, we don't, as per the above.
1033 * I don't know whether it's worth the
1034 * extra CPU time to do the right check
1037 return gen_cmp(off_linktype+6, BPF_H,
1048 * OSI protocols always use 802.2 encapsulation.
1049 * XXX - should we check both the DSAP and the
1050 * LSAP, like this, or should we check just the
1053 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1054 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1055 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1059 case LLCSAP_NETBEUI:
1061 * NetBEUI always uses 802.2 encapsulation.
1062 * XXX - should we check both the DSAP and the
1063 * LSAP, like this, or should we check just the
1066 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1067 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1068 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1074 * Ethernet_II frames, which are Ethernet
1075 * frames with a frame type of ETHERTYPE_IPX;
1077 * Ethernet_802.3 frames, which have a frame
1078 * type of LINUX_SLL_P_802_3;
1080 * Ethernet_802.2 frames, which are 802.3
1081 * frames with an 802.2 LLC header (i.e, have
1082 * a frame type of LINUX_SLL_P_802_2) and
1083 * with the IPX LSAP as the DSAP in the LLC
1086 * Ethernet_SNAP frames, which are 802.3
1087 * frames with an LLC header and a SNAP
1088 * header and with an OUI of 0x000000
1089 * (encapsulated Ethernet) and a protocol
1090 * ID of ETHERTYPE_IPX in the SNAP header.
1092 * First, do the checks on LINUX_SLL_P_802_2
1093 * frames; generate the check for either
1094 * Ethernet_802.2 or Ethernet_SNAP frames, and
1095 * then put a check for LINUX_SLL_P_802_2 frames
1098 b0 = gen_cmp(off_linktype + 2, BPF_B,
1099 (bpf_int32)LLCSAP_IPX);
1100 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1103 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1107 * Now check for 802.3 frames and OR that with
1108 * the previous test.
1110 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1114 * Now add the check for Ethernet_II frames, and
1115 * do that before checking for the other frame
1118 b0 = gen_cmp(off_linktype, BPF_H,
1119 (bpf_int32)ETHERTYPE_IPX);
1123 case ETHERTYPE_ATALK:
1124 case ETHERTYPE_AARP:
1126 * EtherTalk (AppleTalk protocols on Ethernet link
1127 * layer) may use 802.2 encapsulation.
1131 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1132 * we check for the 802.2 protocol type in the
1133 * "Ethernet type" field.
1135 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1138 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1139 * SNAP packets with an organization code of
1140 * 0x080007 (Apple, for Appletalk) and a protocol
1141 * type of ETHERTYPE_ATALK (Appletalk).
1143 * 802.2-encapsulated ETHERTYPE_AARP packets are
1144 * SNAP packets with an organization code of
1145 * 0x000000 (encapsulated Ethernet) and a protocol
1146 * type of ETHERTYPE_AARP (Appletalk ARP).
1148 if (proto == ETHERTYPE_ATALK)
1149 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1151 else /* proto == ETHERTYPE_AARP */
1152 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1157 * Check for Ethernet encapsulation (Ethertalk
1158 * phase 1?); we just check for the Ethernet
1161 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1167 if (proto <= ETHERMTU) {
1169 * This is an LLC SAP value, so the frames
1170 * that match would be 802.2 frames.
1171 * Check for the 802.2 protocol type
1172 * in the "Ethernet type" field, and
1173 * then check the DSAP.
1175 b0 = gen_cmp(off_linktype, BPF_H,
1177 b1 = gen_cmp(off_linktype + 2, BPF_B,
1183 * This is an Ethernet type, so compare
1184 * the length/type field with it (if
1185 * the frame is an 802.2 frame, the length
1186 * field will be <= ETHERMTU, and, as
1187 * "proto" is > ETHERMTU, this test
1188 * will fail and the frame won't match,
1189 * which is what we want).
1191 return gen_cmp(off_linktype, BPF_H,
1198 case DLT_SLIP_BSDOS:
1201 * These types don't provide any type field; packets
1204 * XXX - for IPv4, check for a version number of 4, and,
1205 * for IPv6, check for a version number of 6?
1211 case ETHERTYPE_IPV6:
1213 return gen_true(); /* always true */
1216 return gen_false(); /* always false */
1221 case DLT_PPP_SERIAL:
1224 * We use Ethernet protocol types inside libpcap;
1225 * map them to the corresponding PPP protocol types.
1230 proto = PPP_IP; /* XXX was 0x21 */
1234 case ETHERTYPE_IPV6:
1243 case ETHERTYPE_ATALK:
1257 * I'm assuming the "Bridging PDU"s that go
1258 * over PPP are Spanning Tree Protocol
1272 * We use Ethernet protocol types inside libpcap;
1273 * map them to the corresponding PPP protocol types.
1278 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1279 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1281 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1286 case ETHERTYPE_IPV6:
1296 case ETHERTYPE_ATALK:
1310 * I'm assuming the "Bridging PDU"s that go
1311 * over PPP are Spanning Tree Protocol
1326 * For DLT_NULL, the link-layer header is a 32-bit
1327 * word containing an AF_ value in *host* byte order.
1329 * In addition, if we're reading a saved capture file,
1330 * the host byte order in the capture may not be the
1331 * same as the host byte order on this machine.
1333 * For DLT_LOOP, the link-layer header is a 32-bit
1334 * word containing an AF_ value in *network* byte order.
1336 * XXX - AF_ values may, unfortunately, be platform-
1337 * dependent; for example, FreeBSD's AF_INET6 is 24
1338 * whilst NetBSD's and OpenBSD's is 26.
1340 * This means that, when reading a capture file, just
1341 * checking for our AF_INET6 value won't work if the
1342 * capture file came from another OS.
1351 case ETHERTYPE_IPV6:
1358 * Not a type on which we support filtering.
1359 * XXX - support those that have AF_ values
1360 * #defined on this platform, at least?
1365 if (linktype == DLT_NULL) {
1367 * The AF_ value is in host byte order, but
1368 * the BPF interpreter will convert it to
1369 * network byte order.
1371 * If this is a save file, and it's from a
1372 * machine with the opposite byte order to
1373 * ours, we byte-swap the AF_ value.
1375 * Then we run it through "htonl()", and
1376 * generate code to compare against the result.
1378 if (bpf_pcap->sf.rfile != NULL &&
1379 bpf_pcap->sf.swapped)
1380 proto = SWAPLONG(proto);
1381 proto = htonl(proto);
1383 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1387 * XXX should we check for first fragment if the protocol
1394 case ETHERTYPE_IPV6:
1395 return(gen_cmp(2, BPF_B,
1396 (bpf_int32)htonl(ARCTYPE_INET6)));
1399 b0 = gen_cmp(2, BPF_B, (bpf_int32)htonl(ARCTYPE_IP));
1400 b1 = gen_cmp(2, BPF_B,
1401 (bpf_int32)htonl(ARCTYPE_IP_OLD));
1405 b0 = gen_cmp(2, BPF_B, (bpf_int32)htonl(ARCTYPE_ARP));
1406 b1 = gen_cmp(2, BPF_B,
1407 (bpf_int32)htonl(ARCTYPE_ARP_OLD));
1410 case ETHERTYPE_REVARP:
1411 return(gen_cmp(2, BPF_B,
1412 (bpf_int32)htonl(ARCTYPE_REVARP)));
1413 case ETHERTYPE_ATALK:
1414 return(gen_cmp(2, BPF_B,
1415 (bpf_int32)htonl(ARCTYPE_ATALK)));
1421 case ETHERTYPE_ATALK:
1430 * All the types that have no encapsulation should either be
1431 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1432 * all packets are IP packets, or should be handled in some
1433 * special case, if none of them are (if some are and some
1434 * aren't, the lack of encapsulation is a problem, as we'd
1435 * have to find some other way of determining the packet type).
1437 * Therefore, if "off_linktype" is -1, there's an error.
1439 if (off_linktype == -1)
1443 * Any type not handled above should always have an Ethernet
1444 * type at an offset of "off_linktype". (PPP is partially
1445 * handled above - the protocol type is mapped from the
1446 * Ethernet and LLC types we use internally to the corresponding
1447 * PPP type - but the PPP type is always specified by a value
1448 * at "off_linktype", so we don't have to do the code generation
1451 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1455 * Check for an LLC SNAP packet with a given organization code and
1456 * protocol type; we check the entire contents of the 802.2 LLC and
1457 * snap headers, checking for DSAP and SSAP of SNAP and a control
1458 * field of 0x03 in the LLC header, and for the specified organization
1459 * code and protocol type in the SNAP header.
1461 static struct block *
1462 gen_snap(orgcode, ptype, offset)
1463 bpf_u_int32 orgcode;
1467 u_char snapblock[8];
1469 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1470 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1471 snapblock[2] = 0x03; /* control = UI */
1472 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1473 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1474 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1475 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1476 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1477 return gen_bcmp(offset, 8, snapblock);
1480 static struct block *
1481 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1485 u_int src_off, dst_off;
1487 struct block *b0, *b1;
1501 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1502 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1508 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1509 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1516 b0 = gen_linktype(proto);
1517 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
1523 static struct block *
1524 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
1525 struct in6_addr *addr;
1526 struct in6_addr *mask;
1528 u_int src_off, dst_off;
1530 struct block *b0, *b1;
1545 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1546 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1552 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1553 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
1560 /* this order is important */
1561 a = (u_int32_t *)addr;
1562 m = (u_int32_t *)mask;
1563 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
1564 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
1566 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
1568 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
1570 b0 = gen_linktype(proto);
1576 static struct block *
1577 gen_ehostop(eaddr, dir)
1578 register const u_char *eaddr;
1581 register struct block *b0, *b1;
1585 return gen_bcmp(6, 6, eaddr);
1588 return gen_bcmp(0, 6, eaddr);
1591 b0 = gen_ehostop(eaddr, Q_SRC);
1592 b1 = gen_ehostop(eaddr, Q_DST);
1598 b0 = gen_ehostop(eaddr, Q_SRC);
1599 b1 = gen_ehostop(eaddr, Q_DST);
1608 * Like gen_ehostop, but for DLT_FDDI
1610 static struct block *
1611 gen_fhostop(eaddr, dir)
1612 register const u_char *eaddr;
1615 struct block *b0, *b1;
1620 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
1622 return gen_bcmp(6 + 1, 6, eaddr);
1627 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
1629 return gen_bcmp(0 + 1, 6, eaddr);
1633 b0 = gen_fhostop(eaddr, Q_SRC);
1634 b1 = gen_fhostop(eaddr, Q_DST);
1640 b0 = gen_fhostop(eaddr, Q_SRC);
1641 b1 = gen_fhostop(eaddr, Q_DST);
1650 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
1652 static struct block *
1653 gen_thostop(eaddr, dir)
1654 register const u_char *eaddr;
1657 register struct block *b0, *b1;
1661 return gen_bcmp(8, 6, eaddr);
1664 return gen_bcmp(2, 6, eaddr);
1667 b0 = gen_thostop(eaddr, Q_SRC);
1668 b1 = gen_thostop(eaddr, Q_DST);
1674 b0 = gen_thostop(eaddr, Q_SRC);
1675 b1 = gen_thostop(eaddr, Q_DST);
1684 * This is quite tricky because there may be pad bytes in front of the
1685 * DECNET header, and then there are two possible data packet formats that
1686 * carry both src and dst addresses, plus 5 packet types in a format that
1687 * carries only the src node, plus 2 types that use a different format and
1688 * also carry just the src node.
1692 * Instead of doing those all right, we just look for data packets with
1693 * 0 or 1 bytes of padding. If you want to look at other packets, that
1694 * will require a lot more hacking.
1696 * To add support for filtering on DECNET "areas" (network numbers)
1697 * one would want to add a "mask" argument to this routine. That would
1698 * make the filter even more inefficient, although one could be clever
1699 * and not generate masking instructions if the mask is 0xFFFF.
1701 static struct block *
1702 gen_dnhostop(addr, dir, base_off)
1707 struct block *b0, *b1, *b2, *tmp;
1708 u_int offset_lh; /* offset if long header is received */
1709 u_int offset_sh; /* offset if short header is received */
1714 offset_sh = 1; /* follows flags */
1715 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
1719 offset_sh = 3; /* follows flags, dstnode */
1720 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
1724 /* Inefficient because we do our Calvinball dance twice */
1725 b0 = gen_dnhostop(addr, Q_SRC, base_off);
1726 b1 = gen_dnhostop(addr, Q_DST, base_off);
1732 /* Inefficient because we do our Calvinball dance twice */
1733 b0 = gen_dnhostop(addr, Q_SRC, base_off);
1734 b1 = gen_dnhostop(addr, Q_DST, base_off);
1739 bpf_error("ISO host filtering not implemented");
1744 b0 = gen_linktype(ETHERTYPE_DN);
1745 /* Check for pad = 1, long header case */
1746 tmp = gen_mcmp(base_off + 2, BPF_H,
1747 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
1748 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
1749 BPF_H, (bpf_int32)ntohs(addr));
1751 /* Check for pad = 0, long header case */
1752 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
1753 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
1756 /* Check for pad = 1, short header case */
1757 tmp = gen_mcmp(base_off + 2, BPF_H,
1758 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
1759 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
1760 BPF_H, (bpf_int32)ntohs(addr));
1763 /* Check for pad = 0, short header case */
1764 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
1765 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
1769 /* Combine with test for linktype */
1774 static struct block *
1775 gen_host(addr, mask, proto, dir)
1781 struct block *b0, *b1;
1786 b0 = gen_host(addr, mask, Q_IP, dir);
1787 if (off_linktype != -1) {
1788 b1 = gen_host(addr, mask, Q_ARP, dir);
1790 b0 = gen_host(addr, mask, Q_RARP, dir);
1796 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
1797 off_nl + 12, off_nl + 16);
1800 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
1801 off_nl + 14, off_nl + 24);
1804 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
1805 off_nl + 14, off_nl + 24);
1808 bpf_error("'tcp' modifier applied to host");
1811 bpf_error("'sctp' modifier applied to host");
1814 bpf_error("'udp' modifier applied to host");
1817 bpf_error("'icmp' modifier applied to host");
1820 bpf_error("'igmp' modifier applied to host");
1823 bpf_error("'igrp' modifier applied to host");
1826 bpf_error("'pim' modifier applied to host");
1829 bpf_error("'vrrp' modifier applied to host");
1832 bpf_error("ATALK host filtering not implemented");
1835 bpf_error("AARP host filtering not implemented");
1838 return gen_dnhostop(addr, dir, off_nl);
1841 bpf_error("SCA host filtering not implemented");
1844 bpf_error("LAT host filtering not implemented");
1847 bpf_error("MOPDL host filtering not implemented");
1850 bpf_error("MOPRC host filtering not implemented");
1854 bpf_error("'ip6' modifier applied to ip host");
1857 bpf_error("'icmp6' modifier applied to host");
1861 bpf_error("'ah' modifier applied to host");
1864 bpf_error("'esp' modifier applied to host");
1867 bpf_error("ISO host filtering not implemented");
1870 bpf_error("'esis' modifier applied to host");
1873 bpf_error("'isis' modifier applied to host");
1876 bpf_error("'clnp' modifier applied to host");
1879 bpf_error("'stp' modifier applied to host");
1882 bpf_error("IPX host filtering not implemented");
1885 bpf_error("'netbeui' modifier applied to host");
1894 static struct block *
1895 gen_host6(addr, mask, proto, dir)
1896 struct in6_addr *addr;
1897 struct in6_addr *mask;
1904 return gen_host6(addr, mask, Q_IPV6, dir);
1907 bpf_error("'ip' modifier applied to ip6 host");
1910 bpf_error("'rarp' modifier applied to ip6 host");
1913 bpf_error("'arp' modifier applied to ip6 host");
1916 bpf_error("'sctp' modifier applied to host");
1919 bpf_error("'tcp' modifier applied to host");
1922 bpf_error("'udp' modifier applied to host");
1925 bpf_error("'icmp' modifier applied to host");
1928 bpf_error("'igmp' modifier applied to host");
1931 bpf_error("'igrp' modifier applied to host");
1934 bpf_error("'pim' modifier applied to host");
1937 bpf_error("'vrrp' modifier applied to host");
1940 bpf_error("ATALK host filtering not implemented");
1943 bpf_error("AARP host filtering not implemented");
1946 bpf_error("'decnet' modifier applied to ip6 host");
1949 bpf_error("SCA host filtering not implemented");
1952 bpf_error("LAT host filtering not implemented");
1955 bpf_error("MOPDL host filtering not implemented");
1958 bpf_error("MOPRC host filtering not implemented");
1961 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
1962 off_nl + 8, off_nl + 24);
1965 bpf_error("'icmp6' modifier applied to host");
1968 bpf_error("'ah' modifier applied to host");
1971 bpf_error("'esp' modifier applied to host");
1974 bpf_error("ISO host filtering not implemented");
1977 bpf_error("'esis' modifier applied to host");
1980 bpf_error("'isis' modifier applied to host");
1983 bpf_error("'clnp' modifier applied to host");
1986 bpf_error("'stp' modifier applied to host");
1989 bpf_error("IPX host filtering not implemented");
1992 bpf_error("'netbeui' modifier applied to host");
2002 static struct block *
2003 gen_gateway(eaddr, alist, proto, dir)
2004 const u_char *eaddr;
2005 bpf_u_int32 **alist;
2009 struct block *b0, *b1, *tmp;
2012 bpf_error("direction applied to 'gateway'");
2019 if (linktype == DLT_EN10MB)
2020 b0 = gen_ehostop(eaddr, Q_OR);
2021 else if (linktype == DLT_FDDI)
2022 b0 = gen_fhostop(eaddr, Q_OR);
2023 else if (linktype == DLT_IEEE802)
2024 b0 = gen_thostop(eaddr, Q_OR);
2027 "'gateway' supported only on ethernet, FDDI or token ring");
2029 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2031 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2039 bpf_error("illegal modifier of 'gateway'");
2045 gen_proto_abbrev(proto)
2056 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2058 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2064 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2066 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2072 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2074 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2080 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2083 #ifndef IPPROTO_IGMP
2084 #define IPPROTO_IGMP 2
2088 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2091 #ifndef IPPROTO_IGRP
2092 #define IPPROTO_IGRP 9
2095 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2099 #define IPPROTO_PIM 103
2103 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2105 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2110 #ifndef IPPROTO_VRRP
2111 #define IPPROTO_VRRP 112
2115 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2119 b1 = gen_linktype(ETHERTYPE_IP);
2123 b1 = gen_linktype(ETHERTYPE_ARP);
2127 b1 = gen_linktype(ETHERTYPE_REVARP);
2131 bpf_error("link layer applied in wrong context");
2134 b1 = gen_linktype(ETHERTYPE_ATALK);
2138 b1 = gen_linktype(ETHERTYPE_AARP);
2142 b1 = gen_linktype(ETHERTYPE_DN);
2146 b1 = gen_linktype(ETHERTYPE_SCA);
2150 b1 = gen_linktype(ETHERTYPE_LAT);
2154 b1 = gen_linktype(ETHERTYPE_MOPDL);
2158 b1 = gen_linktype(ETHERTYPE_MOPRC);
2163 b1 = gen_linktype(ETHERTYPE_IPV6);
2166 #ifndef IPPROTO_ICMPV6
2167 #define IPPROTO_ICMPV6 58
2170 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
2175 #define IPPROTO_AH 51
2178 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
2180 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
2186 #define IPPROTO_ESP 50
2189 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
2191 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
2197 b1 = gen_linktype(LLCSAP_ISONS);
2201 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
2205 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
2209 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
2213 b1 = gen_linktype(LLCSAP_8021D);
2217 b1 = gen_linktype(LLCSAP_IPX);
2221 b1 = gen_linktype(LLCSAP_NETBEUI);
2230 static struct block *
2237 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
2238 s->s.k = off_nl + 6;
2239 b = new_block(JMP(BPF_JSET));
2247 static struct block *
2248 gen_portatom(off, v)
2255 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
2258 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
2259 s->next->s.k = off_nl + off;
2261 b = new_block(JMP(BPF_JEQ));
2269 static struct block *
2270 gen_portatom6(off, v)
2274 return gen_cmp(off_nl + 40 + off, BPF_H, v);
2279 gen_portop(port, proto, dir)
2280 int port, proto, dir;
2282 struct block *b0, *b1, *tmp;
2284 /* ip proto 'proto' */
2285 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
2291 b1 = gen_portatom(0, (bpf_int32)port);
2295 b1 = gen_portatom(2, (bpf_int32)port);
2300 tmp = gen_portatom(0, (bpf_int32)port);
2301 b1 = gen_portatom(2, (bpf_int32)port);
2306 tmp = gen_portatom(0, (bpf_int32)port);
2307 b1 = gen_portatom(2, (bpf_int32)port);
2319 static struct block *
2320 gen_port(port, ip_proto, dir)
2325 struct block *b0, *b1, *tmp;
2327 /* ether proto ip */
2328 b0 = gen_linktype(ETHERTYPE_IP);
2334 b1 = gen_portop(port, ip_proto, dir);
2338 tmp = gen_portop(port, IPPROTO_TCP, dir);
2339 b1 = gen_portop(port, IPPROTO_UDP, dir);
2341 tmp = gen_portop(port, IPPROTO_SCTP, dir);
2354 gen_portop6(port, proto, dir)
2355 int port, proto, dir;
2357 struct block *b0, *b1, *tmp;
2359 /* ip proto 'proto' */
2360 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
2364 b1 = gen_portatom6(0, (bpf_int32)port);
2368 b1 = gen_portatom6(2, (bpf_int32)port);
2373 tmp = gen_portatom6(0, (bpf_int32)port);
2374 b1 = gen_portatom6(2, (bpf_int32)port);
2379 tmp = gen_portatom6(0, (bpf_int32)port);
2380 b1 = gen_portatom6(2, (bpf_int32)port);
2392 static struct block *
2393 gen_port6(port, ip_proto, dir)
2398 struct block *b0, *b1, *tmp;
2400 /* ether proto ip */
2401 b0 = gen_linktype(ETHERTYPE_IPV6);
2407 b1 = gen_portop6(port, ip_proto, dir);
2411 tmp = gen_portop6(port, IPPROTO_TCP, dir);
2412 b1 = gen_portop6(port, IPPROTO_UDP, dir);
2414 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
2427 lookup_proto(name, proto)
2428 register const char *name;
2438 v = pcap_nametoproto(name);
2439 if (v == PROTO_UNDEF)
2440 bpf_error("unknown ip proto '%s'", name);
2444 /* XXX should look up h/w protocol type based on linktype */
2445 v = pcap_nametoeproto(name);
2446 if (v == PROTO_UNDEF)
2447 bpf_error("unknown ether proto '%s'", name);
2451 if (strcmp(name, "esis") == 0)
2453 else if (strcmp(name, "isis") == 0)
2455 else if (strcmp(name, "clnp") == 0)
2458 bpf_error("unknown osi proto '%s'", name);
2478 static struct block *
2479 gen_protochain(v, proto, dir)
2484 #ifdef NO_PROTOCHAIN
2485 return gen_proto(v, proto, dir);
2487 struct block *b0, *b;
2488 struct slist *s[100];
2489 int fix2, fix3, fix4, fix5;
2490 int ahcheck, again, end;
2492 int reg2 = alloc_reg();
2494 memset(s, 0, sizeof(s));
2495 fix2 = fix3 = fix4 = fix5 = 0;
2502 b0 = gen_protochain(v, Q_IP, dir);
2503 b = gen_protochain(v, Q_IPV6, dir);
2507 bpf_error("bad protocol applied for 'protochain'");
2511 no_optimize = 1; /*this code is not compatible with optimzer yet */
2514 * s[0] is a dummy entry to protect other BPF insn from damaged
2515 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
2516 * hard to find interdependency made by jump table fixup.
2519 s[i] = new_stmt(0); /*dummy*/
2524 b0 = gen_linktype(ETHERTYPE_IP);
2527 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2528 s[i]->s.k = off_nl + 9;
2530 /* X = ip->ip_hl << 2 */
2531 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
2537 b0 = gen_linktype(ETHERTYPE_IPV6);
2539 /* A = ip6->ip_nxt */
2540 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2541 s[i]->s.k = off_nl + 6;
2543 /* X = sizeof(struct ip6_hdr) */
2544 s[i] = new_stmt(BPF_LDX|BPF_IMM);
2550 bpf_error("unsupported proto to gen_protochain");
2554 /* again: if (A == v) goto end; else fall through; */
2556 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2558 s[i]->s.jt = NULL; /*later*/
2559 s[i]->s.jf = NULL; /*update in next stmt*/
2563 #ifndef IPPROTO_NONE
2564 #define IPPROTO_NONE 59
2566 /* if (A == IPPROTO_NONE) goto end */
2567 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2568 s[i]->s.jt = NULL; /*later*/
2569 s[i]->s.jf = NULL; /*update in next stmt*/
2570 s[i]->s.k = IPPROTO_NONE;
2571 s[fix5]->s.jf = s[i];
2576 if (proto == Q_IPV6) {
2577 int v6start, v6end, v6advance, j;
2580 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
2581 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2582 s[i]->s.jt = NULL; /*later*/
2583 s[i]->s.jf = NULL; /*update in next stmt*/
2584 s[i]->s.k = IPPROTO_HOPOPTS;
2585 s[fix2]->s.jf = s[i];
2587 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
2588 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2589 s[i]->s.jt = NULL; /*later*/
2590 s[i]->s.jf = NULL; /*update in next stmt*/
2591 s[i]->s.k = IPPROTO_DSTOPTS;
2593 /* if (A == IPPROTO_ROUTING) goto v6advance */
2594 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2595 s[i]->s.jt = NULL; /*later*/
2596 s[i]->s.jf = NULL; /*update in next stmt*/
2597 s[i]->s.k = IPPROTO_ROUTING;
2599 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
2600 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2601 s[i]->s.jt = NULL; /*later*/
2602 s[i]->s.jf = NULL; /*later*/
2603 s[i]->s.k = IPPROTO_FRAGMENT;
2614 * X = X + (P[X + 1] + 1) * 8;
2617 s[i] = new_stmt(BPF_MISC|BPF_TXA);
2619 /* A = P[X + packet head] */
2620 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
2624 s[i] = new_stmt(BPF_ST);
2628 s[i] = new_stmt(BPF_MISC|BPF_TXA);
2631 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2635 s[i] = new_stmt(BPF_MISC|BPF_TAX);
2637 /* A = P[X + packet head]; */
2638 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
2642 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2646 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
2650 s[i] = new_stmt(BPF_MISC|BPF_TAX);
2653 s[i] = new_stmt(BPF_LD|BPF_MEM);
2657 /* goto again; (must use BPF_JA for backward jump) */
2658 s[i] = new_stmt(BPF_JMP|BPF_JA);
2659 s[i]->s.k = again - i - 1;
2660 s[i - 1]->s.jf = s[i];
2664 for (j = v6start; j <= v6end; j++)
2665 s[j]->s.jt = s[v6advance];
2670 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2672 s[fix2]->s.jf = s[i];
2678 /* if (A == IPPROTO_AH) then fall through; else goto end; */
2679 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
2680 s[i]->s.jt = NULL; /*later*/
2681 s[i]->s.jf = NULL; /*later*/
2682 s[i]->s.k = IPPROTO_AH;
2684 s[fix3]->s.jf = s[ahcheck];
2691 * X = X + (P[X + 1] + 2) * 4;
2694 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
2696 /* A = P[X + packet head]; */
2697 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
2701 s[i] = new_stmt(BPF_ST);
2705 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
2708 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2712 s[i] = new_stmt(BPF_MISC|BPF_TAX);
2714 /* A = P[X + packet head] */
2715 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
2719 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2723 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
2727 s[i] = new_stmt(BPF_MISC|BPF_TAX);
2730 s[i] = new_stmt(BPF_LD|BPF_MEM);
2734 /* goto again; (must use BPF_JA for backward jump) */
2735 s[i] = new_stmt(BPF_JMP|BPF_JA);
2736 s[i]->s.k = again - i - 1;
2741 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2743 s[fix2]->s.jt = s[end];
2744 s[fix4]->s.jf = s[end];
2745 s[fix5]->s.jt = s[end];
2752 for (i = 0; i < max - 1; i++)
2753 s[i]->next = s[i + 1];
2754 s[max - 1]->next = NULL;
2759 b = new_block(JMP(BPF_JEQ));
2760 b->stmts = s[1]; /*remember, s[0] is dummy*/
2770 static struct block *
2771 gen_proto(v, proto, dir)
2776 struct block *b0, *b1;
2778 if (dir != Q_DEFAULT)
2779 bpf_error("direction applied to 'proto'");
2784 b0 = gen_proto(v, Q_IP, dir);
2785 b1 = gen_proto(v, Q_IPV6, dir);
2792 b0 = gen_linktype(ETHERTYPE_IP);
2794 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
2796 b1 = gen_protochain(v, Q_IP);
2802 b0 = gen_linktype(LLCSAP_ISONS);
2803 b1 = gen_cmp(off_nl + 3, BPF_B, (long)v);
2808 bpf_error("arp does not encapsulate another protocol");
2812 bpf_error("rarp does not encapsulate another protocol");
2816 bpf_error("atalk encapsulation is not specifiable");
2820 bpf_error("decnet encapsulation is not specifiable");
2824 bpf_error("sca does not encapsulate another protocol");
2828 bpf_error("lat does not encapsulate another protocol");
2832 bpf_error("moprc does not encapsulate another protocol");
2836 bpf_error("mopdl does not encapsulate another protocol");
2840 return gen_linktype(v);
2843 bpf_error("'udp proto' is bogus");
2847 bpf_error("'tcp proto' is bogus");
2851 bpf_error("'sctp proto' is bogus");
2855 bpf_error("'icmp proto' is bogus");
2859 bpf_error("'igmp proto' is bogus");
2863 bpf_error("'igrp proto' is bogus");
2867 bpf_error("'pim proto' is bogus");
2871 bpf_error("'vrrp proto' is bogus");
2876 b0 = gen_linktype(ETHERTYPE_IPV6);
2878 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
2880 b1 = gen_protochain(v, Q_IPV6);
2886 bpf_error("'icmp6 proto' is bogus");
2890 bpf_error("'ah proto' is bogus");
2893 bpf_error("'ah proto' is bogus");
2896 bpf_error("'stp proto' is bogus");
2899 bpf_error("'ipx proto' is bogus");
2902 bpf_error("'netbeui proto' is bogus");
2913 register const char *name;
2916 int proto = q.proto;
2920 bpf_u_int32 mask, addr;
2922 bpf_u_int32 **alist;
2925 struct sockaddr_in *sin;
2926 struct sockaddr_in6 *sin6;
2927 struct addrinfo *res, *res0;
2928 struct in6_addr mask128;
2930 struct block *b, *tmp;
2931 int port, real_proto;
2936 addr = pcap_nametonetaddr(name);
2938 bpf_error("unknown network '%s'", name);
2939 /* Left justify network addr and calculate its network mask */
2941 while (addr && (addr & 0xff000000) == 0) {
2945 return gen_host(addr, mask, proto, dir);
2949 if (proto == Q_LINK) {
2953 eaddr = pcap_ether_hostton(name);
2956 "unknown ether host '%s'", name);
2957 b = gen_ehostop(eaddr, dir);
2962 eaddr = pcap_ether_hostton(name);
2965 "unknown FDDI host '%s'", name);
2966 b = gen_fhostop(eaddr, dir);
2971 eaddr = pcap_ether_hostton(name);
2974 "unknown token ring host '%s'", name);
2975 b = gen_thostop(eaddr, dir);
2981 "only ethernet/FDDI/token ring supports link-level host name");
2984 } else if (proto == Q_DECNET) {
2985 unsigned short dn_addr = __pcap_nametodnaddr(name);
2987 * I don't think DECNET hosts can be multihomed, so
2988 * there is no need to build up a list of addresses
2990 return (gen_host(dn_addr, 0, proto, dir));
2993 alist = pcap_nametoaddr(name);
2994 if (alist == NULL || *alist == NULL)
2995 bpf_error("unknown host '%s'", name);
2997 if (off_linktype == -1 && tproto == Q_DEFAULT)
2999 b = gen_host(**alist++, 0xffffffff, tproto, dir);
3001 tmp = gen_host(**alist++, 0xffffffff,
3008 memset(&mask128, 0xff, sizeof(mask128));
3009 res0 = res = pcap_nametoaddrinfo(name);
3011 bpf_error("unknown host '%s'", name);
3013 tproto = tproto6 = proto;
3014 if (off_linktype == -1 && tproto == Q_DEFAULT) {
3018 for (res = res0; res; res = res->ai_next) {
3019 switch (res->ai_family) {
3021 if (tproto == Q_IPV6)
3024 sin = (struct sockaddr_in *)
3026 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
3027 0xffffffff, tproto, dir);
3030 if (tproto6 == Q_IP)
3033 sin6 = (struct sockaddr_in6 *)
3035 tmp = gen_host6(&sin6->sin6_addr,
3036 &mask128, tproto6, dir);
3047 bpf_error("unknown host '%s'%s", name,
3048 (proto == Q_DEFAULT)
3050 : " for specified address family");
3057 if (proto != Q_DEFAULT &&
3058 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
3059 bpf_error("illegal qualifier of 'port'");
3060 if (pcap_nametoport(name, &port, &real_proto) == 0)
3061 bpf_error("unknown port '%s'", name);
3062 if (proto == Q_UDP) {
3063 if (real_proto == IPPROTO_TCP)
3064 bpf_error("port '%s' is tcp", name);
3065 else if (real_proto == IPPROTO_SCTP)
3066 bpf_error("port '%s' is sctp", name);
3068 /* override PROTO_UNDEF */
3069 real_proto = IPPROTO_UDP;
3071 if (proto == Q_TCP) {
3072 if (real_proto == IPPROTO_UDP)
3073 bpf_error("port '%s' is udp", name);
3075 else if (real_proto == IPPROTO_SCTP)
3076 bpf_error("port '%s' is sctp", name);
3078 /* override PROTO_UNDEF */
3079 real_proto = IPPROTO_TCP;
3081 if (proto == Q_SCTP) {
3082 if (real_proto == IPPROTO_UDP)
3083 bpf_error("port '%s' is udp", name);
3085 else if (real_proto == IPPROTO_TCP)
3086 bpf_error("port '%s' is tcp", name);
3088 /* override PROTO_UNDEF */
3089 real_proto = IPPROTO_SCTP;
3092 return gen_port(port, real_proto, dir);
3096 b = gen_port(port, real_proto, dir);
3097 gen_or(gen_port6(port, real_proto, dir), b);
3104 eaddr = pcap_ether_hostton(name);
3106 bpf_error("unknown ether host: %s", name);
3108 alist = pcap_nametoaddr(name);
3109 if (alist == NULL || *alist == NULL)
3110 bpf_error("unknown host '%s'", name);
3111 b = gen_gateway(eaddr, alist, proto, dir);
3115 bpf_error("'gateway' not supported in this configuration");
3119 real_proto = lookup_proto(name, proto);
3120 if (real_proto >= 0)
3121 return gen_proto(real_proto, proto, dir);
3123 bpf_error("unknown protocol: %s", name);
3126 real_proto = lookup_proto(name, proto);
3127 if (real_proto >= 0)
3128 return gen_protochain(real_proto, proto, dir);
3130 bpf_error("unknown protocol: %s", name);
3142 gen_mcode(s1, s2, masklen, q)
3143 register const char *s1, *s2;
3144 register int masklen;
3147 register int nlen, mlen;
3150 nlen = __pcap_atoin(s1, &n);
3151 /* Promote short ipaddr */
3155 mlen = __pcap_atoin(s2, &m);
3156 /* Promote short ipaddr */
3159 bpf_error("non-network bits set in \"%s mask %s\"",
3162 /* Convert mask len to mask */
3164 bpf_error("mask length must be <= 32");
3165 m = 0xffffffff << (32 - masklen);
3167 bpf_error("non-network bits set in \"%s/%d\"",
3174 return gen_host(n, m, q.proto, q.dir);
3177 bpf_error("Mask syntax for networks only");
3184 register const char *s;
3189 int proto = q.proto;
3195 else if (q.proto == Q_DECNET)
3196 vlen = __pcap_atodn(s, &v);
3198 vlen = __pcap_atoin(s, &v);
3205 if (proto == Q_DECNET)
3206 return gen_host(v, 0, proto, dir);
3207 else if (proto == Q_LINK) {
3208 bpf_error("illegal link layer address");
3211 if (s == NULL && q.addr == Q_NET) {
3212 /* Promote short net number */
3213 while (v && (v & 0xff000000) == 0) {
3218 /* Promote short ipaddr */
3222 return gen_host(v, mask, proto, dir);
3227 proto = IPPROTO_UDP;
3228 else if (proto == Q_TCP)
3229 proto = IPPROTO_TCP;
3230 else if (proto == Q_SCTP)
3231 proto = IPPROTO_SCTP;
3232 else if (proto == Q_DEFAULT)
3233 proto = PROTO_UNDEF;
3235 bpf_error("illegal qualifier of 'port'");
3238 return gen_port((int)v, proto, dir);
3242 b = gen_port((int)v, proto, dir);
3243 gen_or(gen_port6((int)v, proto, dir), b);
3249 bpf_error("'gateway' requires a name");
3253 return gen_proto((int)v, proto, dir);
3256 return gen_protochain((int)v, proto, dir);
3271 gen_mcode6(s1, s2, masklen, q)
3272 register const char *s1, *s2;
3273 register int masklen;
3276 struct addrinfo *res;
3277 struct in6_addr *addr;
3278 struct in6_addr mask;
3283 bpf_error("no mask %s supported", s2);
3285 res = pcap_nametoaddrinfo(s1);
3287 bpf_error("invalid ip6 address %s", s1);
3289 bpf_error("%s resolved to multiple address", s1);
3290 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
3292 if (sizeof(mask) * 8 < masklen)
3293 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
3294 memset(&mask, 0, sizeof(mask));
3295 memset(&mask, 0xff, masklen / 8);
3297 mask.s6_addr[masklen / 8] =
3298 (0xff << (8 - masklen % 8)) & 0xff;
3301 a = (u_int32_t *)addr;
3302 m = (u_int32_t *)&mask;
3303 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
3304 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
3305 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
3313 bpf_error("Mask syntax for networks only");
3317 b = gen_host6(addr, &mask, q.proto, q.dir);
3322 bpf_error("invalid qualifier against IPv6 address");
3330 register const u_char *eaddr;
3333 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
3334 if (linktype == DLT_EN10MB)
3335 return gen_ehostop(eaddr, (int)q.dir);
3336 if (linktype == DLT_FDDI)
3337 return gen_fhostop(eaddr, (int)q.dir);
3338 if (linktype == DLT_IEEE802)
3339 return gen_thostop(eaddr, (int)q.dir);
3340 bpf_error("ethernet addresses supported only on ethernet, FDDI or token ring");
3342 bpf_error("ethernet address used in non-ether expression");
3348 struct slist *s0, *s1;
3351 * This is definitely not the best way to do this, but the
3352 * lists will rarely get long.
3359 static struct slist *
3365 s = new_stmt(BPF_LDX|BPF_MEM);
3370 static struct slist *
3376 s = new_stmt(BPF_LD|BPF_MEM);
3382 gen_load(proto, index, size)
3387 struct slist *s, *tmp;
3389 int regno = alloc_reg();
3391 free_reg(index->regno);
3395 bpf_error("data size must be 1, 2, or 4");
3411 bpf_error("unsupported index operation");
3414 s = xfer_to_x(index);
3415 tmp = new_stmt(BPF_LD|BPF_IND|size);
3417 sappend(index->s, s);
3432 /* XXX Note that we assume a fixed link header here. */
3433 s = xfer_to_x(index);
3434 tmp = new_stmt(BPF_LD|BPF_IND|size);
3437 sappend(index->s, s);
3439 b = gen_proto_abbrev(proto);
3441 gen_and(index->b, b);
3453 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3455 sappend(s, xfer_to_a(index));
3456 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
3457 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
3458 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
3460 sappend(index->s, s);
3462 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
3464 gen_and(index->b, b);
3466 gen_and(gen_proto_abbrev(Q_IP), b);
3472 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
3476 index->regno = regno;
3477 s = new_stmt(BPF_ST);
3479 sappend(index->s, s);
3485 gen_relation(code, a0, a1, reversed)
3487 struct arth *a0, *a1;
3490 struct slist *s0, *s1, *s2;
3491 struct block *b, *tmp;
3495 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
3496 b = new_block(JMP(code));
3497 if (code == BPF_JGT || code == BPF_JGE) {
3498 reversed = !reversed;
3499 b->s.k = 0x80000000;
3507 sappend(a0->s, a1->s);
3511 free_reg(a0->regno);
3512 free_reg(a1->regno);
3514 /* 'and' together protocol checks */
3517 gen_and(a0->b, tmp = a1->b);
3533 int regno = alloc_reg();
3534 struct arth *a = (struct arth *)newchunk(sizeof(*a));
3537 s = new_stmt(BPF_LD|BPF_LEN);
3538 s->next = new_stmt(BPF_ST);
3539 s->next->s.k = regno;
3554 a = (struct arth *)newchunk(sizeof(*a));
3558 s = new_stmt(BPF_LD|BPF_IMM);
3560 s->next = new_stmt(BPF_ST);
3576 s = new_stmt(BPF_ALU|BPF_NEG);
3579 s = new_stmt(BPF_ST);
3587 gen_arth(code, a0, a1)
3589 struct arth *a0, *a1;
3591 struct slist *s0, *s1, *s2;
3595 s2 = new_stmt(BPF_ALU|BPF_X|code);
3600 sappend(a0->s, a1->s);
3602 free_reg(a1->regno);
3604 s0 = new_stmt(BPF_ST);
3605 a0->regno = s0->s.k = alloc_reg();
3612 * Here we handle simple allocation of the scratch registers.
3613 * If too many registers are alloc'd, the allocator punts.
3615 static int regused[BPF_MEMWORDS];
3619 * Return the next free register.
3624 int n = BPF_MEMWORDS;
3627 if (regused[curreg])
3628 curreg = (curreg + 1) % BPF_MEMWORDS;
3630 regused[curreg] = 1;
3634 bpf_error("too many registers needed to evaluate expression");
3639 * Return a register to the table so it can
3649 static struct block *
3656 s = new_stmt(BPF_LD|BPF_LEN);
3657 b = new_block(JMP(jmp));
3668 return gen_len(BPF_JGE, n);
3672 * Actually, this is less than or equal.
3680 b = gen_len(BPF_JGT, n);
3687 gen_byteop(op, idx, val)
3698 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
3701 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
3702 b->s.code = JMP(BPF_JGE);
3707 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
3708 b->s.code = JMP(BPF_JGT);
3712 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
3716 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
3720 b = new_block(JMP(BPF_JEQ));
3727 static u_char abroadcast[] = { 0x0 };
3730 gen_broadcast(proto)
3733 bpf_u_int32 hostmask;
3734 struct block *b0, *b1, *b2;
3735 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
3741 if (linktype == DLT_ARCNET)
3742 return gen_ahostop(abroadcast, Q_DST);
3743 if (linktype == DLT_EN10MB)
3744 return gen_ehostop(ebroadcast, Q_DST);
3745 if (linktype == DLT_FDDI)
3746 return gen_fhostop(ebroadcast, Q_DST);
3747 if (linktype == DLT_IEEE802)
3748 return gen_thostop(ebroadcast, Q_DST);
3749 bpf_error("not a broadcast link");
3753 b0 = gen_linktype(ETHERTYPE_IP);
3754 hostmask = ~netmask;
3755 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
3756 b2 = gen_mcmp(off_nl + 16, BPF_W,
3757 (bpf_int32)(~0 & hostmask), hostmask);
3762 bpf_error("only ether/ip broadcast filters supported");
3766 gen_multicast(proto)
3769 register struct block *b0, *b1;
3770 register struct slist *s;
3776 if (linktype == DLT_ARCNET)
3777 /* all ARCnet multicasts use the same address */
3778 return gen_ahostop(abroadcast, Q_DST);
3780 if (linktype == DLT_EN10MB) {
3781 /* ether[0] & 1 != 0 */
3782 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
3784 b0 = new_block(JMP(BPF_JSET));
3790 if (linktype == DLT_FDDI) {
3791 /* XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX */
3792 /* fddi[1] & 1 != 0 */
3793 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
3795 b0 = new_block(JMP(BPF_JSET));
3801 /* TODO - check how token ring handles multicast */
3802 /* if (linktype == DLT_IEEE802) ... */
3804 /* Link not known to support multicasts */
3808 b0 = gen_linktype(ETHERTYPE_IP);
3809 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
3810 b1->s.code = JMP(BPF_JGE);
3816 b0 = gen_linktype(ETHERTYPE_IPV6);
3817 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
3822 bpf_error("only IP multicast filters supported on ethernet/FDDI");
3826 * generate command for inbound/outbound. It's here so we can
3827 * make it link-type specific. 'dir' = 0 implies "inbound",
3828 * = 1 implies "outbound".
3834 register struct block *b0;
3837 * Only some data link types support inbound/outbound qualifiers.
3842 b0 = gen_relation(BPF_JEQ,
3843 gen_load(Q_LINK, gen_loadi(0), 1),
3849 bpf_error("inbound/outbound not supported on linktype %d\n",
3859 register const u_char *eaddr;
3862 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
3863 if (linktype == DLT_ARCNET)
3864 return gen_ahostop(eaddr, (int)q.dir);
3866 bpf_error("ARCnet address used in non-arc expression");
3870 static struct block *
3871 gen_ahostop(eaddr, dir)
3872 register const u_char *eaddr;
3875 register struct block *b0, *b1;
3878 /* src comes first, different from Ethernet */
3880 return gen_bcmp(0, 1, eaddr);
3883 return gen_bcmp(1, 1, eaddr);
3886 b0 = gen_ahostop(eaddr, Q_SRC);
3887 b1 = gen_ahostop(eaddr, Q_DST);
3893 b0 = gen_ahostop(eaddr, Q_SRC);
3894 b1 = gen_ahostop(eaddr, Q_DST);
3903 * support IEEE 802.1Q VLAN trunk over ethernet
3912 * Change the offsets to point to the type and data fields within
3913 * the VLAN packet. This is somewhat of a kludge.
3915 if (orig_nl == (u_int)-1) {
3916 orig_linktype = off_linktype; /* save original values */
3927 bpf_error("no VLAN support for data link type %d",
3933 /* check for VLAN */
3934 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
3936 /* If a specific VLAN is requested, check VLAN id */
3937 if (vlan_num >= 0) {
3940 b1 = gen_cmp(orig_nl, BPF_H, (bpf_int32)vlan_num);