1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
30 #include <pcap-stdinc.h>
37 #ifdef HAVE_SYS_BITYPES_H
38 #include <sys/bitypes.h>
40 #include <sys/types.h>
41 #include <sys/socket.h>
45 * XXX - why was this included even on UNIX?
54 #include <sys/param.h>
57 #include <netinet/in.h>
58 #include <arpa/inet.h>
74 #include "ethertype.h"
78 #include "ieee80211.h"
80 #include "sunatmpos.h"
83 #include "pcap/ipnet.h"
85 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
86 #include <linux/types.h>
87 #include <linux/if_packet.h>
88 #include <linux/filter.h>
90 #ifdef HAVE_NET_PFVAR_H
91 #include <sys/socket.h>
93 #include <net/pfvar.h>
94 #include <net/if_pflog.h>
97 #define offsetof(s, e) ((size_t)&((s *)0)->e)
101 #include <netdb.h> /* for "struct addrinfo" */
104 #include <pcap/namedb.h>
106 #define ETHERMTU 1500
108 #ifndef IPPROTO_HOPOPTS
109 #define IPPROTO_HOPOPTS 0
111 #ifndef IPPROTO_ROUTING
112 #define IPPROTO_ROUTING 43
114 #ifndef IPPROTO_FRAGMENT
115 #define IPPROTO_FRAGMENT 44
117 #ifndef IPPROTO_DSTOPTS
118 #define IPPROTO_DSTOPTS 60
121 #define IPPROTO_SCTP 132
124 #ifdef HAVE_OS_PROTO_H
125 #include "os-proto.h"
128 #define JMP(c) ((c)|BPF_JMP|BPF_K)
131 static jmp_buf top_ctx;
132 static pcap_t *bpf_pcap;
134 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
136 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
138 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
142 static int pcap_fddipad;
146 bpf_error(const char *fmt, ...)
151 if (bpf_pcap != NULL)
152 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
159 static void init_linktype(pcap_t *);
161 static void init_regs(void);
162 static int alloc_reg(void);
163 static void free_reg(int);
165 static struct block *root;
168 * Value passed to gen_load_a() to indicate what the offset argument
172 OR_PACKET, /* relative to the beginning of the packet */
173 OR_LINK, /* relative to the beginning of the link-layer header */
174 OR_MACPL, /* relative to the end of the MAC-layer header */
175 OR_NET, /* relative to the network-layer header */
176 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
177 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
178 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
183 * As errors are handled by a longjmp, anything allocated must be freed
184 * in the longjmp handler, so it must be reachable from that handler.
185 * One thing that's allocated is the result of pcap_nametoaddrinfo();
186 * it must be freed with freeaddrinfo(). This variable points to any
187 * addrinfo structure that would need to be freed.
189 static struct addrinfo *ai;
193 * We divy out chunks of memory rather than call malloc each time so
194 * we don't have to worry about leaking memory. It's probably
195 * not a big deal if all this memory was wasted but if this ever
196 * goes into a library that would probably not be a good idea.
198 * XXX - this *is* in a library....
201 #define CHUNK0SIZE 1024
207 static struct chunk chunks[NCHUNKS];
208 static int cur_chunk;
210 static void *newchunk(u_int);
211 static void freechunks(void);
212 static inline struct block *new_block(int);
213 static inline struct slist *new_stmt(int);
214 static struct block *gen_retblk(int);
215 static inline void syntax(void);
217 static void backpatch(struct block *, struct block *);
218 static void merge(struct block *, struct block *);
219 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
220 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
221 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
222 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
223 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
224 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
226 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
227 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
228 bpf_u_int32, bpf_u_int32, int, bpf_int32);
229 static struct slist *gen_load_llrel(u_int, u_int);
230 static struct slist *gen_load_macplrel(u_int, u_int);
231 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
232 static struct slist *gen_loadx_iphdrlen(void);
233 static struct block *gen_uncond(int);
234 static inline struct block *gen_true(void);
235 static inline struct block *gen_false(void);
236 static struct block *gen_ether_linktype(int);
237 static struct block *gen_ipnet_linktype(int);
238 static struct block *gen_linux_sll_linktype(int);
239 static struct slist *gen_load_prism_llprefixlen(void);
240 static struct slist *gen_load_avs_llprefixlen(void);
241 static struct slist *gen_load_radiotap_llprefixlen(void);
242 static struct slist *gen_load_ppi_llprefixlen(void);
243 static void insert_compute_vloffsets(struct block *);
244 static struct slist *gen_llprefixlen(void);
245 static struct slist *gen_off_macpl(void);
246 static int ethertype_to_ppptype(int);
247 static struct block *gen_linktype(int);
248 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
249 static struct block *gen_llc_linktype(int);
250 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
252 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
254 static struct block *gen_ahostop(const u_char *, int);
255 static struct block *gen_ehostop(const u_char *, int);
256 static struct block *gen_fhostop(const u_char *, int);
257 static struct block *gen_thostop(const u_char *, int);
258 static struct block *gen_wlanhostop(const u_char *, int);
259 static struct block *gen_ipfchostop(const u_char *, int);
260 static struct block *gen_dnhostop(bpf_u_int32, int);
261 static struct block *gen_mpls_linktype(int);
262 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
264 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
267 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
269 static struct block *gen_ipfrag(void);
270 static struct block *gen_portatom(int, bpf_int32);
271 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
272 static struct block *gen_portatom6(int, bpf_int32);
273 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
274 struct block *gen_portop(int, int, int);
275 static struct block *gen_port(int, int, int);
276 struct block *gen_portrangeop(int, int, int, int);
277 static struct block *gen_portrange(int, int, int, int);
278 struct block *gen_portop6(int, int, int);
279 static struct block *gen_port6(int, int, int);
280 struct block *gen_portrangeop6(int, int, int, int);
281 static struct block *gen_portrange6(int, int, int, int);
282 static int lookup_proto(const char *, int);
283 static struct block *gen_protochain(int, int, int);
284 static struct block *gen_proto(int, int, int);
285 static struct slist *xfer_to_x(struct arth *);
286 static struct slist *xfer_to_a(struct arth *);
287 static struct block *gen_mac_multicast(int);
288 static struct block *gen_len(int, int);
289 static struct block *gen_check_802_11_data_frame(void);
291 static struct block *gen_ppi_dlt_check(void);
292 static struct block *gen_msg_abbrev(int type);
303 /* XXX Round up to nearest long. */
304 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
306 /* XXX Round up to structure boundary. */
310 cp = &chunks[cur_chunk];
311 if (n > cp->n_left) {
312 ++cp, k = ++cur_chunk;
314 bpf_error("out of memory");
315 size = CHUNK0SIZE << k;
316 cp->m = (void *)malloc(size);
318 bpf_error("out of memory");
319 memset((char *)cp->m, 0, size);
322 bpf_error("out of memory");
325 return (void *)((char *)cp->m + cp->n_left);
334 for (i = 0; i < NCHUNKS; ++i)
335 if (chunks[i].m != NULL) {
342 * A strdup whose allocations are freed after code generation is over.
346 register const char *s;
348 int n = strlen(s) + 1;
349 char *cp = newchunk(n);
355 static inline struct block *
361 p = (struct block *)newchunk(sizeof(*p));
368 static inline struct slist *
374 p = (struct slist *)newchunk(sizeof(*p));
380 static struct block *
384 struct block *b = new_block(BPF_RET|BPF_K);
393 bpf_error("syntax error in filter expression");
396 static bpf_u_int32 netmask;
401 pcap_compile(pcap_t *p, struct bpf_program *program,
402 const char *buf, int optimize, bpf_u_int32 mask)
405 const char * volatile xbuf = buf;
410 * XXX - single-thread this code path with pthread calls on
411 * UN*X, if the platform supports pthreads? If that requires
412 * a separate -lpthread, we might not want to do that.
415 extern int wsockinit (void);
421 EnterCriticalSection(&g_PcapCompileCriticalSection);
425 * If this pcap_t hasn't been activated, it doesn't have a
426 * link-layer type, so we can't use it.
429 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
430 "not-yet-activated pcap_t passed to pcap_compile");
440 if (setjmp(top_ctx)) {
455 snaplen = pcap_snapshot(p);
457 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
458 "snaplen of 0 rejects all packets");
463 lex_init(xbuf ? xbuf : "");
471 root = gen_retblk(snaplen);
473 if (optimize && !no_optimize) {
476 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
477 bpf_error("expression rejects all packets");
479 program->bf_insns = icode_to_fcode(root, &len);
480 program->bf_len = len;
485 rc = 0; /* We're all okay */
490 LeaveCriticalSection(&g_PcapCompileCriticalSection);
497 * entry point for using the compiler with no pcap open
498 * pass in all the stuff that is needed explicitly instead.
501 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
502 struct bpf_program *program,
503 const char *buf, int optimize, bpf_u_int32 mask)
508 p = pcap_open_dead(linktype_arg, snaplen_arg);
511 ret = pcap_compile(p, program, buf, optimize, mask);
517 * Clean up a "struct bpf_program" by freeing all the memory allocated
521 pcap_freecode(struct bpf_program *program)
524 if (program->bf_insns != NULL) {
525 free((char *)program->bf_insns);
526 program->bf_insns = NULL;
531 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
532 * which of the jt and jf fields has been resolved and which is a pointer
533 * back to another unresolved block (or nil). At least one of the fields
534 * in each block is already resolved.
537 backpatch(list, target)
538 struct block *list, *target;
555 * Merge the lists in b0 and b1, using the 'sense' field to indicate
556 * which of jt and jf is the link.
560 struct block *b0, *b1;
562 register struct block **p = &b0;
564 /* Find end of list. */
566 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
568 /* Concatenate the lists. */
576 struct block *ppi_dlt_check;
579 * Insert before the statements of the first (root) block any
580 * statements needed to load the lengths of any variable-length
581 * headers into registers.
583 * XXX - a fancier strategy would be to insert those before the
584 * statements of all blocks that use those lengths and that
585 * have no predecessors that use them, so that we only compute
586 * the lengths if we need them. There might be even better
587 * approaches than that.
589 * However, those strategies would be more complicated, and
590 * as we don't generate code to compute a length if the
591 * program has no tests that use the length, and as most
592 * tests will probably use those lengths, we would just
593 * postpone computing the lengths so that it's not done
594 * for tests that fail early, and it's not clear that's
597 insert_compute_vloffsets(p->head);
600 * For DLT_PPI captures, generate a check of the per-packet
601 * DLT value to make sure it's DLT_IEEE802_11.
603 ppi_dlt_check = gen_ppi_dlt_check();
604 if (ppi_dlt_check != NULL)
605 gen_and(ppi_dlt_check, p);
607 backpatch(p, gen_retblk(snaplen));
608 p->sense = !p->sense;
609 backpatch(p, gen_retblk(0));
615 struct block *b0, *b1;
617 backpatch(b0, b1->head);
618 b0->sense = !b0->sense;
619 b1->sense = !b1->sense;
621 b1->sense = !b1->sense;
627 struct block *b0, *b1;
629 b0->sense = !b0->sense;
630 backpatch(b0, b1->head);
631 b0->sense = !b0->sense;
640 b->sense = !b->sense;
643 static struct block *
644 gen_cmp(offrel, offset, size, v)
645 enum e_offrel offrel;
649 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
652 static struct block *
653 gen_cmp_gt(offrel, offset, size, v)
654 enum e_offrel offrel;
658 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
661 static struct block *
662 gen_cmp_ge(offrel, offset, size, v)
663 enum e_offrel offrel;
667 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
670 static struct block *
671 gen_cmp_lt(offrel, offset, size, v)
672 enum e_offrel offrel;
676 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
679 static struct block *
680 gen_cmp_le(offrel, offset, size, v)
681 enum e_offrel offrel;
685 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
688 static struct block *
689 gen_mcmp(offrel, offset, size, v, mask)
690 enum e_offrel offrel;
695 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
698 static struct block *
699 gen_bcmp(offrel, offset, size, v)
700 enum e_offrel offrel;
701 register u_int offset, size;
702 register const u_char *v;
704 register struct block *b, *tmp;
708 register const u_char *p = &v[size - 4];
709 bpf_int32 w = ((bpf_int32)p[0] << 24) |
710 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
712 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
719 register const u_char *p = &v[size - 2];
720 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
722 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
729 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
738 * AND the field of size "size" at offset "offset" relative to the header
739 * specified by "offrel" with "mask", and compare it with the value "v"
740 * with the test specified by "jtype"; if "reverse" is true, the test
741 * should test the opposite of "jtype".
743 static struct block *
744 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
745 enum e_offrel offrel;
747 bpf_u_int32 offset, size, mask, jtype;
750 struct slist *s, *s2;
753 s = gen_load_a(offrel, offset, size);
755 if (mask != 0xffffffff) {
756 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
761 b = new_block(JMP(jtype));
764 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
770 * Various code constructs need to know the layout of the data link
771 * layer. These variables give the necessary offsets from the beginning
772 * of the packet data.
776 * This is the offset of the beginning of the link-layer header from
777 * the beginning of the raw packet data.
779 * It's usually 0, except for 802.11 with a fixed-length radio header.
780 * (For 802.11 with a variable-length radio header, we have to generate
781 * code to compute that offset; off_ll is 0 in that case.)
786 * If there's a variable-length header preceding the link-layer header,
787 * "reg_off_ll" is the register number for a register containing the
788 * length of that header, and therefore the offset of the link-layer
789 * header from the beginning of the raw packet data. Otherwise,
790 * "reg_off_ll" is -1.
792 static int reg_off_ll;
795 * This is the offset of the beginning of the MAC-layer header from
796 * the beginning of the link-layer header.
797 * It's usually 0, except for ATM LANE, where it's the offset, relative
798 * to the beginning of the raw packet data, of the Ethernet header, and
799 * for Ethernet with various additional information.
801 static u_int off_mac;
804 * This is the offset of the beginning of the MAC-layer payload,
805 * from the beginning of the raw packet data.
807 * I.e., it's the sum of the length of the link-layer header (without,
808 * for example, any 802.2 LLC header, so it's the MAC-layer
809 * portion of that header), plus any prefix preceding the
812 static u_int off_macpl;
815 * This is 1 if the offset of the beginning of the MAC-layer payload
816 * from the beginning of the link-layer header is variable-length.
818 static int off_macpl_is_variable;
821 * If the link layer has variable_length headers, "reg_off_macpl"
822 * is the register number for a register containing the length of the
823 * link-layer header plus the length of any variable-length header
824 * preceding the link-layer header. Otherwise, "reg_off_macpl"
827 static int reg_off_macpl;
830 * "off_linktype" is the offset to information in the link-layer header
831 * giving the packet type. This offset is relative to the beginning
832 * of the link-layer header (i.e., it doesn't include off_ll).
834 * For Ethernet, it's the offset of the Ethernet type field.
836 * For link-layer types that always use 802.2 headers, it's the
837 * offset of the LLC header.
839 * For PPP, it's the offset of the PPP type field.
841 * For Cisco HDLC, it's the offset of the CHDLC type field.
843 * For BSD loopback, it's the offset of the AF_ value.
845 * For Linux cooked sockets, it's the offset of the type field.
847 * It's set to -1 for no encapsulation, in which case, IP is assumed.
849 static u_int off_linktype;
852 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
853 * checks to check the PPP header, assumed to follow a LAN-style link-
854 * layer header and a PPPoE session header.
856 static int is_pppoes = 0;
859 * TRUE if the link layer includes an ATM pseudo-header.
861 static int is_atm = 0;
864 * TRUE if "lane" appeared in the filter; it causes us to generate
865 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
867 static int is_lane = 0;
870 * These are offsets for the ATM pseudo-header.
872 static u_int off_vpi;
873 static u_int off_vci;
874 static u_int off_proto;
877 * These are offsets for the MTP2 fields.
880 static u_int off_li_hsl;
883 * These are offsets for the MTP3 fields.
885 static u_int off_sio;
886 static u_int off_opc;
887 static u_int off_dpc;
888 static u_int off_sls;
891 * This is the offset of the first byte after the ATM pseudo_header,
892 * or -1 if there is no ATM pseudo-header.
894 static u_int off_payload;
897 * These are offsets to the beginning of the network-layer header.
898 * They are relative to the beginning of the MAC-layer payload (i.e.,
899 * they don't include off_ll or off_macpl).
901 * If the link layer never uses 802.2 LLC:
903 * "off_nl" and "off_nl_nosnap" are the same.
905 * If the link layer always uses 802.2 LLC:
907 * "off_nl" is the offset if there's a SNAP header following
910 * "off_nl_nosnap" is the offset if there's no SNAP header.
912 * If the link layer is Ethernet:
914 * "off_nl" is the offset if the packet is an Ethernet II packet
915 * (we assume no 802.3+802.2+SNAP);
917 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
918 * with an 802.2 header following it.
921 static u_int off_nl_nosnap;
929 linktype = pcap_datalink(p);
930 pcap_fddipad = p->fddipad;
933 * Assume it's not raw ATM with a pseudo-header, for now.
944 * And that we're not doing PPPoE.
949 * And assume we're not doing SS7.
959 * Also assume it's not 802.11.
963 off_macpl_is_variable = 0;
967 label_stack_depth = 0;
977 off_nl = 0; /* XXX in reality, variable! */
978 off_nl_nosnap = 0; /* no 802.2 LLC */
981 case DLT_ARCNET_LINUX:
984 off_nl = 0; /* XXX in reality, variable! */
985 off_nl_nosnap = 0; /* no 802.2 LLC */
990 off_macpl = 14; /* Ethernet header length */
991 off_nl = 0; /* Ethernet II */
992 off_nl_nosnap = 3; /* 802.3+802.2 */
997 * SLIP doesn't have a link level type. The 16 byte
998 * header is hacked into our SLIP driver.
1003 off_nl_nosnap = 0; /* no 802.2 LLC */
1006 case DLT_SLIP_BSDOS:
1007 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1012 off_nl_nosnap = 0; /* no 802.2 LLC */
1020 off_nl_nosnap = 0; /* no 802.2 LLC */
1027 off_nl_nosnap = 0; /* no 802.2 LLC */
1032 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1033 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1037 off_nl_nosnap = 0; /* no 802.2 LLC */
1042 * This does no include the Ethernet header, and
1043 * only covers session state.
1048 off_nl_nosnap = 0; /* no 802.2 LLC */
1055 off_nl_nosnap = 0; /* no 802.2 LLC */
1060 * FDDI doesn't really have a link-level type field.
1061 * We set "off_linktype" to the offset of the LLC header.
1063 * To check for Ethernet types, we assume that SSAP = SNAP
1064 * is being used and pick out the encapsulated Ethernet type.
1065 * XXX - should we generate code to check for SNAP?
1068 off_linktype += pcap_fddipad;
1069 off_macpl = 13; /* FDDI MAC header length */
1070 off_macpl += pcap_fddipad;
1071 off_nl = 8; /* 802.2+SNAP */
1072 off_nl_nosnap = 3; /* 802.2 */
1077 * Token Ring doesn't really have a link-level type field.
1078 * We set "off_linktype" to the offset of the LLC header.
1080 * To check for Ethernet types, we assume that SSAP = SNAP
1081 * is being used and pick out the encapsulated Ethernet type.
1082 * XXX - should we generate code to check for SNAP?
1084 * XXX - the header is actually variable-length.
1085 * Some various Linux patched versions gave 38
1086 * as "off_linktype" and 40 as "off_nl"; however,
1087 * if a token ring packet has *no* routing
1088 * information, i.e. is not source-routed, the correct
1089 * values are 20 and 22, as they are in the vanilla code.
1091 * A packet is source-routed iff the uppermost bit
1092 * of the first byte of the source address, at an
1093 * offset of 8, has the uppermost bit set. If the
1094 * packet is source-routed, the total number of bytes
1095 * of routing information is 2 plus bits 0x1F00 of
1096 * the 16-bit value at an offset of 14 (shifted right
1097 * 8 - figure out which byte that is).
1100 off_macpl = 14; /* Token Ring MAC header length */
1101 off_nl = 8; /* 802.2+SNAP */
1102 off_nl_nosnap = 3; /* 802.2 */
1105 case DLT_IEEE802_11:
1106 case DLT_PRISM_HEADER:
1107 case DLT_IEEE802_11_RADIO_AVS:
1108 case DLT_IEEE802_11_RADIO:
1110 * 802.11 doesn't really have a link-level type field.
1111 * We set "off_linktype" to the offset of the LLC header.
1113 * To check for Ethernet types, we assume that SSAP = SNAP
1114 * is being used and pick out the encapsulated Ethernet type.
1115 * XXX - should we generate code to check for SNAP?
1117 * We also handle variable-length radio headers here.
1118 * The Prism header is in theory variable-length, but in
1119 * practice it's always 144 bytes long. However, some
1120 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1121 * sometimes or always supply an AVS header, so we
1122 * have to check whether the radio header is a Prism
1123 * header or an AVS header, so, in practice, it's
1127 off_macpl = 0; /* link-layer header is variable-length */
1128 off_macpl_is_variable = 1;
1129 off_nl = 8; /* 802.2+SNAP */
1130 off_nl_nosnap = 3; /* 802.2 */
1135 * At the moment we treat PPI the same way that we treat
1136 * normal Radiotap encoded packets. The difference is in
1137 * the function that generates the code at the beginning
1138 * to compute the header length. Since this code generator
1139 * of PPI supports bare 802.11 encapsulation only (i.e.
1140 * the encapsulated DLT should be DLT_IEEE802_11) we
1141 * generate code to check for this too.
1144 off_macpl = 0; /* link-layer header is variable-length */
1145 off_macpl_is_variable = 1;
1146 off_nl = 8; /* 802.2+SNAP */
1147 off_nl_nosnap = 3; /* 802.2 */
1150 case DLT_ATM_RFC1483:
1151 case DLT_ATM_CLIP: /* Linux ATM defines this */
1153 * assume routed, non-ISO PDUs
1154 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1156 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1157 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1158 * latter would presumably be treated the way PPPoE
1159 * should be, so you can do "pppoe and udp port 2049"
1160 * or "pppoa and tcp port 80" and have it check for
1161 * PPPo{A,E} and a PPP protocol of IP and....
1164 off_macpl = 0; /* packet begins with LLC header */
1165 off_nl = 8; /* 802.2+SNAP */
1166 off_nl_nosnap = 3; /* 802.2 */
1171 * Full Frontal ATM; you get AALn PDUs with an ATM
1175 off_vpi = SUNATM_VPI_POS;
1176 off_vci = SUNATM_VCI_POS;
1177 off_proto = PROTO_POS;
1178 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1179 off_payload = SUNATM_PKT_BEGIN_POS;
1180 off_linktype = off_payload;
1181 off_macpl = off_payload; /* if LLC-encapsulated */
1182 off_nl = 8; /* 802.2+SNAP */
1183 off_nl_nosnap = 3; /* 802.2 */
1192 off_nl_nosnap = 0; /* no 802.2 LLC */
1195 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1199 off_nl_nosnap = 0; /* no 802.2 LLC */
1204 * LocalTalk does have a 1-byte type field in the LLAP header,
1205 * but really it just indicates whether there is a "short" or
1206 * "long" DDP packet following.
1211 off_nl_nosnap = 0; /* no 802.2 LLC */
1214 case DLT_IP_OVER_FC:
1216 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1217 * link-level type field. We set "off_linktype" to the
1218 * offset of the LLC header.
1220 * To check for Ethernet types, we assume that SSAP = SNAP
1221 * is being used and pick out the encapsulated Ethernet type.
1222 * XXX - should we generate code to check for SNAP? RFC
1223 * 2625 says SNAP should be used.
1227 off_nl = 8; /* 802.2+SNAP */
1228 off_nl_nosnap = 3; /* 802.2 */
1233 * XXX - we should set this to handle SNAP-encapsulated
1234 * frames (NLPID of 0x80).
1239 off_nl_nosnap = 0; /* no 802.2 LLC */
1243 * the only BPF-interesting FRF.16 frames are non-control frames;
1244 * Frame Relay has a variable length link-layer
1245 * so lets start with offset 4 for now and increments later on (FIXME);
1251 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1254 case DLT_APPLE_IP_OVER_IEEE1394:
1258 off_nl_nosnap = 0; /* no 802.2 LLC */
1261 case DLT_SYMANTEC_FIREWALL:
1264 off_nl = 0; /* Ethernet II */
1265 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1268 #ifdef HAVE_NET_PFVAR_H
1271 off_macpl = PFLOG_HDRLEN;
1273 off_nl_nosnap = 0; /* no 802.2 LLC */
1277 case DLT_JUNIPER_MFR:
1278 case DLT_JUNIPER_MLFR:
1279 case DLT_JUNIPER_MLPPP:
1280 case DLT_JUNIPER_PPP:
1281 case DLT_JUNIPER_CHDLC:
1282 case DLT_JUNIPER_FRELAY:
1286 off_nl_nosnap = -1; /* no 802.2 LLC */
1289 case DLT_JUNIPER_ATM1:
1290 off_linktype = 4; /* in reality variable between 4-8 */
1291 off_macpl = 4; /* in reality variable between 4-8 */
1296 case DLT_JUNIPER_ATM2:
1297 off_linktype = 8; /* in reality variable between 8-12 */
1298 off_macpl = 8; /* in reality variable between 8-12 */
1303 /* frames captured on a Juniper PPPoE service PIC
1304 * contain raw ethernet frames */
1305 case DLT_JUNIPER_PPPOE:
1306 case DLT_JUNIPER_ETHER:
1309 off_nl = 18; /* Ethernet II */
1310 off_nl_nosnap = 21; /* 802.3+802.2 */
1313 case DLT_JUNIPER_PPPOE_ATM:
1317 off_nl_nosnap = -1; /* no 802.2 LLC */
1320 case DLT_JUNIPER_GGSN:
1324 off_nl_nosnap = -1; /* no 802.2 LLC */
1327 case DLT_JUNIPER_ES:
1329 off_macpl = -1; /* not really a network layer but raw IP addresses */
1330 off_nl = -1; /* not really a network layer but raw IP addresses */
1331 off_nl_nosnap = -1; /* no 802.2 LLC */
1334 case DLT_JUNIPER_MONITOR:
1337 off_nl = 0; /* raw IP/IP6 header */
1338 off_nl_nosnap = -1; /* no 802.2 LLC */
1341 case DLT_BACNET_MS_TP:
1348 case DLT_JUNIPER_SERVICES:
1350 off_macpl = -1; /* L3 proto location dep. on cookie type */
1351 off_nl = -1; /* L3 proto location dep. on cookie type */
1352 off_nl_nosnap = -1; /* no 802.2 LLC */
1355 case DLT_JUNIPER_VP:
1362 case DLT_JUNIPER_ST:
1369 case DLT_JUNIPER_ISM:
1376 case DLT_JUNIPER_VS:
1377 case DLT_JUNIPER_SRX_E2E:
1378 case DLT_JUNIPER_FIBRECHANNEL:
1379 case DLT_JUNIPER_ATM_CEMIC:
1399 case DLT_MTP2_WITH_PHDR:
1434 * Currently, only raw "link[N:M]" filtering is supported.
1436 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1438 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1439 off_nl_nosnap = -1; /* no 802.2 LLC */
1440 off_mac = 1; /* step over the kiss length byte */
1445 off_macpl = 24; /* ipnet header length */
1450 case DLT_NETANALYZER:
1451 off_mac = 4; /* MAC header is past 4-byte pseudo-header */
1452 off_linktype = 16; /* includes 4-byte pseudo-header */
1453 off_macpl = 18; /* pseudo-header+Ethernet header length */
1454 off_nl = 0; /* Ethernet II */
1455 off_nl_nosnap = 3; /* 802.3+802.2 */
1458 case DLT_NETANALYZER_TRANSPARENT:
1459 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1460 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */
1461 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */
1462 off_nl = 0; /* Ethernet II */
1463 off_nl_nosnap = 3; /* 802.3+802.2 */
1468 * For values in the range in which we've assigned new
1469 * DLT_ values, only raw "link[N:M]" filtering is supported.
1471 if (linktype >= DLT_MATCHING_MIN &&
1472 linktype <= DLT_MATCHING_MAX) {
1481 bpf_error("unknown data link type %d", linktype);
1486 * Load a value relative to the beginning of the link-layer header.
1487 * The link-layer header doesn't necessarily begin at the beginning
1488 * of the packet data; there might be a variable-length prefix containing
1489 * radio information.
1491 static struct slist *
1492 gen_load_llrel(offset, size)
1495 struct slist *s, *s2;
1497 s = gen_llprefixlen();
1500 * If "s" is non-null, it has code to arrange that the X register
1501 * contains the length of the prefix preceding the link-layer
1504 * Otherwise, the length of the prefix preceding the link-layer
1505 * header is "off_ll".
1509 * There's a variable-length prefix preceding the
1510 * link-layer header. "s" points to a list of statements
1511 * that put the length of that prefix into the X register.
1512 * do an indirect load, to use the X register as an offset.
1514 s2 = new_stmt(BPF_LD|BPF_IND|size);
1519 * There is no variable-length header preceding the
1520 * link-layer header; add in off_ll, which, if there's
1521 * a fixed-length header preceding the link-layer header,
1522 * is the length of that header.
1524 s = new_stmt(BPF_LD|BPF_ABS|size);
1525 s->s.k = offset + off_ll;
1531 * Load a value relative to the beginning of the MAC-layer payload.
1533 static struct slist *
1534 gen_load_macplrel(offset, size)
1537 struct slist *s, *s2;
1539 s = gen_off_macpl();
1542 * If s is non-null, the offset of the MAC-layer payload is
1543 * variable, and s points to a list of instructions that
1544 * arrange that the X register contains that offset.
1546 * Otherwise, the offset of the MAC-layer payload is constant,
1547 * and is in off_macpl.
1551 * The offset of the MAC-layer payload is in the X
1552 * register. Do an indirect load, to use the X register
1555 s2 = new_stmt(BPF_LD|BPF_IND|size);
1560 * The offset of the MAC-layer payload is constant,
1561 * and is in off_macpl; load the value at that offset
1562 * plus the specified offset.
1564 s = new_stmt(BPF_LD|BPF_ABS|size);
1565 s->s.k = off_macpl + offset;
1571 * Load a value relative to the beginning of the specified header.
1573 static struct slist *
1574 gen_load_a(offrel, offset, size)
1575 enum e_offrel offrel;
1578 struct slist *s, *s2;
1583 s = new_stmt(BPF_LD|BPF_ABS|size);
1588 s = gen_load_llrel(offset, size);
1592 s = gen_load_macplrel(offset, size);
1596 s = gen_load_macplrel(off_nl + offset, size);
1600 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1605 * Load the X register with the length of the IPv4 header
1606 * (plus the offset of the link-layer header, if it's
1607 * preceded by a variable-length header such as a radio
1608 * header), in bytes.
1610 s = gen_loadx_iphdrlen();
1613 * Load the item at {offset of the MAC-layer payload} +
1614 * {offset, relative to the start of the MAC-layer
1615 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1616 * {specified offset}.
1618 * (If the offset of the MAC-layer payload is variable,
1619 * it's included in the value in the X register, and
1622 s2 = new_stmt(BPF_LD|BPF_IND|size);
1623 s2->s.k = off_macpl + off_nl + offset;
1628 s = gen_load_macplrel(off_nl + 40 + offset, size);
1639 * Generate code to load into the X register the sum of the length of
1640 * the IPv4 header and any variable-length header preceding the link-layer
1643 static struct slist *
1644 gen_loadx_iphdrlen()
1646 struct slist *s, *s2;
1648 s = gen_off_macpl();
1651 * There's a variable-length prefix preceding the
1652 * link-layer header, or the link-layer header is itself
1653 * variable-length. "s" points to a list of statements
1654 * that put the offset of the MAC-layer payload into
1657 * The 4*([k]&0xf) addressing mode can't be used, as we
1658 * don't have a constant offset, so we have to load the
1659 * value in question into the A register and add to it
1660 * the value from the X register.
1662 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1665 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1668 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1673 * The A register now contains the length of the
1674 * IP header. We need to add to it the offset of
1675 * the MAC-layer payload, which is still in the X
1676 * register, and move the result into the X register.
1678 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1679 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1682 * There is no variable-length header preceding the
1683 * link-layer header, and the link-layer header is
1684 * fixed-length; load the length of the IPv4 header,
1685 * which is at an offset of off_nl from the beginning
1686 * of the MAC-layer payload, and thus at an offset
1687 * of off_mac_pl + off_nl from the beginning of the
1690 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1691 s->s.k = off_macpl + off_nl;
1696 static struct block *
1703 s = new_stmt(BPF_LD|BPF_IMM);
1705 b = new_block(JMP(BPF_JEQ));
1711 static inline struct block *
1714 return gen_uncond(1);
1717 static inline struct block *
1720 return gen_uncond(0);
1724 * Byte-swap a 32-bit number.
1725 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1726 * big-endian platforms.)
1728 #define SWAPLONG(y) \
1729 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1732 * Generate code to match a particular packet type.
1734 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1735 * value, if <= ETHERMTU. We use that to determine whether to
1736 * match the type/length field or to check the type/length field for
1737 * a value <= ETHERMTU to see whether it's a type field and then do
1738 * the appropriate test.
1740 static struct block *
1741 gen_ether_linktype(proto)
1744 struct block *b0, *b1;
1750 case LLCSAP_NETBEUI:
1752 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1753 * so we check the DSAP and SSAP.
1755 * LLCSAP_IP checks for IP-over-802.2, rather
1756 * than IP-over-Ethernet or IP-over-SNAP.
1758 * XXX - should we check both the DSAP and the
1759 * SSAP, like this, or should we check just the
1760 * DSAP, as we do for other types <= ETHERMTU
1761 * (i.e., other SAP values)?
1763 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1765 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1766 ((proto << 8) | proto));
1774 * Ethernet_II frames, which are Ethernet
1775 * frames with a frame type of ETHERTYPE_IPX;
1777 * Ethernet_802.3 frames, which are 802.3
1778 * frames (i.e., the type/length field is
1779 * a length field, <= ETHERMTU, rather than
1780 * a type field) with the first two bytes
1781 * after the Ethernet/802.3 header being
1784 * Ethernet_802.2 frames, which are 802.3
1785 * frames with an 802.2 LLC header and
1786 * with the IPX LSAP as the DSAP in the LLC
1789 * Ethernet_SNAP frames, which are 802.3
1790 * frames with an LLC header and a SNAP
1791 * header and with an OUI of 0x000000
1792 * (encapsulated Ethernet) and a protocol
1793 * ID of ETHERTYPE_IPX in the SNAP header.
1795 * XXX - should we generate the same code both
1796 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1800 * This generates code to check both for the
1801 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1803 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1804 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1808 * Now we add code to check for SNAP frames with
1809 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1811 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1815 * Now we generate code to check for 802.3
1816 * frames in general.
1818 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1822 * Now add the check for 802.3 frames before the
1823 * check for Ethernet_802.2 and Ethernet_802.3,
1824 * as those checks should only be done on 802.3
1825 * frames, not on Ethernet frames.
1830 * Now add the check for Ethernet_II frames, and
1831 * do that before checking for the other frame
1834 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1835 (bpf_int32)ETHERTYPE_IPX);
1839 case ETHERTYPE_ATALK:
1840 case ETHERTYPE_AARP:
1842 * EtherTalk (AppleTalk protocols on Ethernet link
1843 * layer) may use 802.2 encapsulation.
1847 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1848 * we check for an Ethernet type field less than
1849 * 1500, which means it's an 802.3 length field.
1851 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1855 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1856 * SNAP packets with an organization code of
1857 * 0x080007 (Apple, for Appletalk) and a protocol
1858 * type of ETHERTYPE_ATALK (Appletalk).
1860 * 802.2-encapsulated ETHERTYPE_AARP packets are
1861 * SNAP packets with an organization code of
1862 * 0x000000 (encapsulated Ethernet) and a protocol
1863 * type of ETHERTYPE_AARP (Appletalk ARP).
1865 if (proto == ETHERTYPE_ATALK)
1866 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1867 else /* proto == ETHERTYPE_AARP */
1868 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1872 * Check for Ethernet encapsulation (Ethertalk
1873 * phase 1?); we just check for the Ethernet
1876 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1882 if (proto <= ETHERMTU) {
1884 * This is an LLC SAP value, so the frames
1885 * that match would be 802.2 frames.
1886 * Check that the frame is an 802.2 frame
1887 * (i.e., that the length/type field is
1888 * a length field, <= ETHERMTU) and
1889 * then check the DSAP.
1891 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1893 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1899 * This is an Ethernet type, so compare
1900 * the length/type field with it (if
1901 * the frame is an 802.2 frame, the length
1902 * field will be <= ETHERMTU, and, as
1903 * "proto" is > ETHERMTU, this test
1904 * will fail and the frame won't match,
1905 * which is what we want).
1907 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1914 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1915 * or IPv6 then we have an error.
1917 static struct block *
1918 gen_ipnet_linktype(proto)
1924 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1925 (bpf_int32)IPH_AF_INET);
1928 case ETHERTYPE_IPV6:
1929 return gen_cmp(OR_LINK, off_linktype, BPF_B,
1930 (bpf_int32)IPH_AF_INET6);
1941 * Generate code to match a particular packet type.
1943 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1944 * value, if <= ETHERMTU. We use that to determine whether to
1945 * match the type field or to check the type field for the special
1946 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1948 static struct block *
1949 gen_linux_sll_linktype(proto)
1952 struct block *b0, *b1;
1958 case LLCSAP_NETBEUI:
1960 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1961 * so we check the DSAP and SSAP.
1963 * LLCSAP_IP checks for IP-over-802.2, rather
1964 * than IP-over-Ethernet or IP-over-SNAP.
1966 * XXX - should we check both the DSAP and the
1967 * SSAP, like this, or should we check just the
1968 * DSAP, as we do for other types <= ETHERMTU
1969 * (i.e., other SAP values)?
1971 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1972 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1973 ((proto << 8) | proto));
1979 * Ethernet_II frames, which are Ethernet
1980 * frames with a frame type of ETHERTYPE_IPX;
1982 * Ethernet_802.3 frames, which have a frame
1983 * type of LINUX_SLL_P_802_3;
1985 * Ethernet_802.2 frames, which are 802.3
1986 * frames with an 802.2 LLC header (i.e, have
1987 * a frame type of LINUX_SLL_P_802_2) and
1988 * with the IPX LSAP as the DSAP in the LLC
1991 * Ethernet_SNAP frames, which are 802.3
1992 * frames with an LLC header and a SNAP
1993 * header and with an OUI of 0x000000
1994 * (encapsulated Ethernet) and a protocol
1995 * ID of ETHERTYPE_IPX in the SNAP header.
1997 * First, do the checks on LINUX_SLL_P_802_2
1998 * frames; generate the check for either
1999 * Ethernet_802.2 or Ethernet_SNAP frames, and
2000 * then put a check for LINUX_SLL_P_802_2 frames
2003 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2004 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2006 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2010 * Now check for 802.3 frames and OR that with
2011 * the previous test.
2013 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2017 * Now add the check for Ethernet_II frames, and
2018 * do that before checking for the other frame
2021 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2022 (bpf_int32)ETHERTYPE_IPX);
2026 case ETHERTYPE_ATALK:
2027 case ETHERTYPE_AARP:
2029 * EtherTalk (AppleTalk protocols on Ethernet link
2030 * layer) may use 802.2 encapsulation.
2034 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2035 * we check for the 802.2 protocol type in the
2036 * "Ethernet type" field.
2038 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2041 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2042 * SNAP packets with an organization code of
2043 * 0x080007 (Apple, for Appletalk) and a protocol
2044 * type of ETHERTYPE_ATALK (Appletalk).
2046 * 802.2-encapsulated ETHERTYPE_AARP packets are
2047 * SNAP packets with an organization code of
2048 * 0x000000 (encapsulated Ethernet) and a protocol
2049 * type of ETHERTYPE_AARP (Appletalk ARP).
2051 if (proto == ETHERTYPE_ATALK)
2052 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2053 else /* proto == ETHERTYPE_AARP */
2054 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2058 * Check for Ethernet encapsulation (Ethertalk
2059 * phase 1?); we just check for the Ethernet
2062 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2068 if (proto <= ETHERMTU) {
2070 * This is an LLC SAP value, so the frames
2071 * that match would be 802.2 frames.
2072 * Check for the 802.2 protocol type
2073 * in the "Ethernet type" field, and
2074 * then check the DSAP.
2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2078 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2084 * This is an Ethernet type, so compare
2085 * the length/type field with it (if
2086 * the frame is an 802.2 frame, the length
2087 * field will be <= ETHERMTU, and, as
2088 * "proto" is > ETHERMTU, this test
2089 * will fail and the frame won't match,
2090 * which is what we want).
2092 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2098 static struct slist *
2099 gen_load_prism_llprefixlen()
2101 struct slist *s1, *s2;
2102 struct slist *sjeq_avs_cookie;
2103 struct slist *sjcommon;
2106 * This code is not compatible with the optimizer, as
2107 * we are generating jmp instructions within a normal
2108 * slist of instructions
2113 * Generate code to load the length of the radio header into
2114 * the register assigned to hold that length, if one has been
2115 * assigned. (If one hasn't been assigned, no code we've
2116 * generated uses that prefix, so we don't need to generate any
2119 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2120 * or always use the AVS header rather than the Prism header.
2121 * We load a 4-byte big-endian value at the beginning of the
2122 * raw packet data, and see whether, when masked with 0xFFFFF000,
2123 * it's equal to 0x80211000. If so, that indicates that it's
2124 * an AVS header (the masked-out bits are the version number).
2125 * Otherwise, it's a Prism header.
2127 * XXX - the Prism header is also, in theory, variable-length,
2128 * but no known software generates headers that aren't 144
2131 if (reg_off_ll != -1) {
2135 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2139 * AND it with 0xFFFFF000.
2141 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2142 s2->s.k = 0xFFFFF000;
2146 * Compare with 0x80211000.
2148 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2149 sjeq_avs_cookie->s.k = 0x80211000;
2150 sappend(s1, sjeq_avs_cookie);
2155 * The 4 bytes at an offset of 4 from the beginning of
2156 * the AVS header are the length of the AVS header.
2157 * That field is big-endian.
2159 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2162 sjeq_avs_cookie->s.jt = s2;
2165 * Now jump to the code to allocate a register
2166 * into which to save the header length and
2167 * store the length there. (The "jump always"
2168 * instruction needs to have the k field set;
2169 * it's added to the PC, so, as we're jumping
2170 * over a single instruction, it should be 1.)
2172 sjcommon = new_stmt(JMP(BPF_JA));
2174 sappend(s1, sjcommon);
2177 * Now for the code that handles the Prism header.
2178 * Just load the length of the Prism header (144)
2179 * into the A register. Have the test for an AVS
2180 * header branch here if we don't have an AVS header.
2182 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2185 sjeq_avs_cookie->s.jf = s2;
2188 * Now allocate a register to hold that value and store
2189 * it. The code for the AVS header will jump here after
2190 * loading the length of the AVS header.
2192 s2 = new_stmt(BPF_ST);
2193 s2->s.k = reg_off_ll;
2195 sjcommon->s.jf = s2;
2198 * Now move it into the X register.
2200 s2 = new_stmt(BPF_MISC|BPF_TAX);
2208 static struct slist *
2209 gen_load_avs_llprefixlen()
2211 struct slist *s1, *s2;
2214 * Generate code to load the length of the AVS header into
2215 * the register assigned to hold that length, if one has been
2216 * assigned. (If one hasn't been assigned, no code we've
2217 * generated uses that prefix, so we don't need to generate any
2220 if (reg_off_ll != -1) {
2222 * The 4 bytes at an offset of 4 from the beginning of
2223 * the AVS header are the length of the AVS header.
2224 * That field is big-endian.
2226 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2230 * Now allocate a register to hold that value and store
2233 s2 = new_stmt(BPF_ST);
2234 s2->s.k = reg_off_ll;
2238 * Now move it into the X register.
2240 s2 = new_stmt(BPF_MISC|BPF_TAX);
2248 static struct slist *
2249 gen_load_radiotap_llprefixlen()
2251 struct slist *s1, *s2;
2254 * Generate code to load the length of the radiotap header into
2255 * the register assigned to hold that length, if one has been
2256 * assigned. (If one hasn't been assigned, no code we've
2257 * generated uses that prefix, so we don't need to generate any
2260 if (reg_off_ll != -1) {
2262 * The 2 bytes at offsets of 2 and 3 from the beginning
2263 * of the radiotap header are the length of the radiotap
2264 * header; unfortunately, it's little-endian, so we have
2265 * to load it a byte at a time and construct the value.
2269 * Load the high-order byte, at an offset of 3, shift it
2270 * left a byte, and put the result in the X register.
2272 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2274 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2277 s2 = new_stmt(BPF_MISC|BPF_TAX);
2281 * Load the next byte, at an offset of 2, and OR the
2282 * value from the X register into it.
2284 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2287 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2291 * Now allocate a register to hold that value and store
2294 s2 = new_stmt(BPF_ST);
2295 s2->s.k = reg_off_ll;
2299 * Now move it into the X register.
2301 s2 = new_stmt(BPF_MISC|BPF_TAX);
2310 * At the moment we treat PPI as normal Radiotap encoded
2311 * packets. The difference is in the function that generates
2312 * the code at the beginning to compute the header length.
2313 * Since this code generator of PPI supports bare 802.11
2314 * encapsulation only (i.e. the encapsulated DLT should be
2315 * DLT_IEEE802_11) we generate code to check for this too;
2316 * that's done in finish_parse().
2318 static struct slist *
2319 gen_load_ppi_llprefixlen()
2321 struct slist *s1, *s2;
2324 * Generate code to load the length of the radiotap header
2325 * into the register assigned to hold that length, if one has
2328 if (reg_off_ll != -1) {
2330 * The 2 bytes at offsets of 2 and 3 from the beginning
2331 * of the radiotap header are the length of the radiotap
2332 * header; unfortunately, it's little-endian, so we have
2333 * to load it a byte at a time and construct the value.
2337 * Load the high-order byte, at an offset of 3, shift it
2338 * left a byte, and put the result in the X register.
2340 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2342 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2345 s2 = new_stmt(BPF_MISC|BPF_TAX);
2349 * Load the next byte, at an offset of 2, and OR the
2350 * value from the X register into it.
2352 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2355 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2359 * Now allocate a register to hold that value and store
2362 s2 = new_stmt(BPF_ST);
2363 s2->s.k = reg_off_ll;
2367 * Now move it into the X register.
2369 s2 = new_stmt(BPF_MISC|BPF_TAX);
2378 * Load a value relative to the beginning of the link-layer header after the 802.11
2379 * header, i.e. LLC_SNAP.
2380 * The link-layer header doesn't necessarily begin at the beginning
2381 * of the packet data; there might be a variable-length prefix containing
2382 * radio information.
2384 static struct slist *
2385 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2388 struct slist *sjset_data_frame_1;
2389 struct slist *sjset_data_frame_2;
2390 struct slist *sjset_qos;
2391 struct slist *sjset_radiotap_flags;
2392 struct slist *sjset_radiotap_tsft;
2393 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2394 struct slist *s_roundup;
2396 if (reg_off_macpl == -1) {
2398 * No register has been assigned to the offset of
2399 * the MAC-layer payload, which means nobody needs
2400 * it; don't bother computing it - just return
2401 * what we already have.
2407 * This code is not compatible with the optimizer, as
2408 * we are generating jmp instructions within a normal
2409 * slist of instructions
2414 * If "s" is non-null, it has code to arrange that the X register
2415 * contains the length of the prefix preceding the link-layer
2418 * Otherwise, the length of the prefix preceding the link-layer
2419 * header is "off_ll".
2423 * There is no variable-length header preceding the
2424 * link-layer header.
2426 * Load the length of the fixed-length prefix preceding
2427 * the link-layer header (if any) into the X register,
2428 * and store it in the reg_off_macpl register.
2429 * That length is off_ll.
2431 s = new_stmt(BPF_LDX|BPF_IMM);
2436 * The X register contains the offset of the beginning of the
2437 * link-layer header; add 24, which is the minimum length
2438 * of the MAC header for a data frame, to that, and store it
2439 * in reg_off_macpl, and then load the Frame Control field,
2440 * which is at the offset in the X register, with an indexed load.
2442 s2 = new_stmt(BPF_MISC|BPF_TXA);
2444 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2447 s2 = new_stmt(BPF_ST);
2448 s2->s.k = reg_off_macpl;
2451 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2456 * Check the Frame Control field to see if this is a data frame;
2457 * a data frame has the 0x08 bit (b3) in that field set and the
2458 * 0x04 bit (b2) clear.
2460 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2461 sjset_data_frame_1->s.k = 0x08;
2462 sappend(s, sjset_data_frame_1);
2465 * If b3 is set, test b2, otherwise go to the first statement of
2466 * the rest of the program.
2468 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2469 sjset_data_frame_2->s.k = 0x04;
2470 sappend(s, sjset_data_frame_2);
2471 sjset_data_frame_1->s.jf = snext;
2474 * If b2 is not set, this is a data frame; test the QoS bit.
2475 * Otherwise, go to the first statement of the rest of the
2478 sjset_data_frame_2->s.jt = snext;
2479 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2480 sjset_qos->s.k = 0x80; /* QoS bit */
2481 sappend(s, sjset_qos);
2484 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2486 * Otherwise, go to the first statement of the rest of the
2489 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2490 s2->s.k = reg_off_macpl;
2492 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2495 s2 = new_stmt(BPF_ST);
2496 s2->s.k = reg_off_macpl;
2500 * If we have a radiotap header, look at it to see whether
2501 * there's Atheros padding between the MAC-layer header
2504 * Note: all of the fields in the radiotap header are
2505 * little-endian, so we byte-swap all of the values
2506 * we test against, as they will be loaded as big-endian
2509 if (linktype == DLT_IEEE802_11_RADIO) {
2511 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2512 * in the presence flag?
2514 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2518 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2519 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2520 sappend(s, sjset_radiotap_flags);
2523 * If not, skip all of this.
2525 sjset_radiotap_flags->s.jf = snext;
2528 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2530 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2531 new_stmt(JMP(BPF_JSET));
2532 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2533 sappend(s, sjset_radiotap_tsft);
2536 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2537 * at an offset of 16 from the beginning of the raw packet
2538 * data (8 bytes for the radiotap header and 8 bytes for
2541 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2544 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2548 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2549 sjset_tsft_datapad->s.k = 0x20;
2550 sappend(s, sjset_tsft_datapad);
2553 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2554 * at an offset of 8 from the beginning of the raw packet
2555 * data (8 bytes for the radiotap header).
2557 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2560 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2564 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2565 sjset_notsft_datapad->s.k = 0x20;
2566 sappend(s, sjset_notsft_datapad);
2569 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2570 * set, round the length of the 802.11 header to
2571 * a multiple of 4. Do that by adding 3 and then
2572 * dividing by and multiplying by 4, which we do by
2575 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2576 s_roundup->s.k = reg_off_macpl;
2577 sappend(s, s_roundup);
2578 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2581 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2584 s2 = new_stmt(BPF_ST);
2585 s2->s.k = reg_off_macpl;
2588 sjset_tsft_datapad->s.jt = s_roundup;
2589 sjset_tsft_datapad->s.jf = snext;
2590 sjset_notsft_datapad->s.jt = s_roundup;
2591 sjset_notsft_datapad->s.jf = snext;
2593 sjset_qos->s.jf = snext;
2599 insert_compute_vloffsets(b)
2605 * For link-layer types that have a variable-length header
2606 * preceding the link-layer header, generate code to load
2607 * the offset of the link-layer header into the register
2608 * assigned to that offset, if any.
2612 case DLT_PRISM_HEADER:
2613 s = gen_load_prism_llprefixlen();
2616 case DLT_IEEE802_11_RADIO_AVS:
2617 s = gen_load_avs_llprefixlen();
2620 case DLT_IEEE802_11_RADIO:
2621 s = gen_load_radiotap_llprefixlen();
2625 s = gen_load_ppi_llprefixlen();
2634 * For link-layer types that have a variable-length link-layer
2635 * header, generate code to load the offset of the MAC-layer
2636 * payload into the register assigned to that offset, if any.
2640 case DLT_IEEE802_11:
2641 case DLT_PRISM_HEADER:
2642 case DLT_IEEE802_11_RADIO_AVS:
2643 case DLT_IEEE802_11_RADIO:
2645 s = gen_load_802_11_header_len(s, b->stmts);
2650 * If we have any offset-loading code, append all the
2651 * existing statements in the block to those statements,
2652 * and make the resulting list the list of statements
2656 sappend(s, b->stmts);
2661 static struct block *
2662 gen_ppi_dlt_check(void)
2664 struct slist *s_load_dlt;
2667 if (linktype == DLT_PPI)
2669 /* Create the statements that check for the DLT
2671 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2672 s_load_dlt->s.k = 4;
2674 b = new_block(JMP(BPF_JEQ));
2676 b->stmts = s_load_dlt;
2677 b->s.k = SWAPLONG(DLT_IEEE802_11);
2687 static struct slist *
2688 gen_prism_llprefixlen(void)
2692 if (reg_off_ll == -1) {
2694 * We haven't yet assigned a register for the length
2695 * of the radio header; allocate one.
2697 reg_off_ll = alloc_reg();
2701 * Load the register containing the radio length
2702 * into the X register.
2704 s = new_stmt(BPF_LDX|BPF_MEM);
2705 s->s.k = reg_off_ll;
2709 static struct slist *
2710 gen_avs_llprefixlen(void)
2714 if (reg_off_ll == -1) {
2716 * We haven't yet assigned a register for the length
2717 * of the AVS header; allocate one.
2719 reg_off_ll = alloc_reg();
2723 * Load the register containing the AVS length
2724 * into the X register.
2726 s = new_stmt(BPF_LDX|BPF_MEM);
2727 s->s.k = reg_off_ll;
2731 static struct slist *
2732 gen_radiotap_llprefixlen(void)
2736 if (reg_off_ll == -1) {
2738 * We haven't yet assigned a register for the length
2739 * of the radiotap header; allocate one.
2741 reg_off_ll = alloc_reg();
2745 * Load the register containing the radiotap length
2746 * into the X register.
2748 s = new_stmt(BPF_LDX|BPF_MEM);
2749 s->s.k = reg_off_ll;
2754 * At the moment we treat PPI as normal Radiotap encoded
2755 * packets. The difference is in the function that generates
2756 * the code at the beginning to compute the header length.
2757 * Since this code generator of PPI supports bare 802.11
2758 * encapsulation only (i.e. the encapsulated DLT should be
2759 * DLT_IEEE802_11) we generate code to check for this too.
2761 static struct slist *
2762 gen_ppi_llprefixlen(void)
2766 if (reg_off_ll == -1) {
2768 * We haven't yet assigned a register for the length
2769 * of the radiotap header; allocate one.
2771 reg_off_ll = alloc_reg();
2775 * Load the register containing the PPI length
2776 * into the X register.
2778 s = new_stmt(BPF_LDX|BPF_MEM);
2779 s->s.k = reg_off_ll;
2784 * Generate code to compute the link-layer header length, if necessary,
2785 * putting it into the X register, and to return either a pointer to a
2786 * "struct slist" for the list of statements in that code, or NULL if
2787 * no code is necessary.
2789 static struct slist *
2790 gen_llprefixlen(void)
2794 case DLT_PRISM_HEADER:
2795 return gen_prism_llprefixlen();
2797 case DLT_IEEE802_11_RADIO_AVS:
2798 return gen_avs_llprefixlen();
2800 case DLT_IEEE802_11_RADIO:
2801 return gen_radiotap_llprefixlen();
2804 return gen_ppi_llprefixlen();
2812 * Generate code to load the register containing the offset of the
2813 * MAC-layer payload into the X register; if no register for that offset
2814 * has been allocated, allocate it first.
2816 static struct slist *
2821 if (off_macpl_is_variable) {
2822 if (reg_off_macpl == -1) {
2824 * We haven't yet assigned a register for the offset
2825 * of the MAC-layer payload; allocate one.
2827 reg_off_macpl = alloc_reg();
2831 * Load the register containing the offset of the MAC-layer
2832 * payload into the X register.
2834 s = new_stmt(BPF_LDX|BPF_MEM);
2835 s->s.k = reg_off_macpl;
2839 * That offset isn't variable, so we don't need to
2840 * generate any code.
2847 * Map an Ethernet type to the equivalent PPP type.
2850 ethertype_to_ppptype(proto)
2859 case ETHERTYPE_IPV6:
2867 case ETHERTYPE_ATALK:
2881 * I'm assuming the "Bridging PDU"s that go
2882 * over PPP are Spanning Tree Protocol
2896 * Generate code to match a particular packet type by matching the
2897 * link-layer type field or fields in the 802.2 LLC header.
2899 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2900 * value, if <= ETHERMTU.
2902 static struct block *
2906 struct block *b0, *b1, *b2;
2907 const char *description;
2909 /* are we checking MPLS-encapsulated packets? */
2910 if (label_stack_depth > 0) {
2914 /* FIXME add other L3 proto IDs */
2915 return gen_mpls_linktype(Q_IP);
2917 case ETHERTYPE_IPV6:
2919 /* FIXME add other L3 proto IDs */
2920 return gen_mpls_linktype(Q_IPV6);
2923 bpf_error("unsupported protocol over mpls");
2929 * Are we testing PPPoE packets?
2933 * The PPPoE session header is part of the
2934 * MAC-layer payload, so all references
2935 * should be relative to the beginning of
2940 * We use Ethernet protocol types inside libpcap;
2941 * map them to the corresponding PPP protocol types.
2943 proto = ethertype_to_ppptype(proto);
2944 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
2950 case DLT_NETANALYZER:
2951 case DLT_NETANALYZER_TRANSPARENT:
2952 return gen_ether_linktype(proto);
2960 proto = (proto << 8 | LLCSAP_ISONS);
2964 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2971 case DLT_IEEE802_11:
2972 case DLT_PRISM_HEADER:
2973 case DLT_IEEE802_11_RADIO_AVS:
2974 case DLT_IEEE802_11_RADIO:
2977 * Check that we have a data frame.
2979 b0 = gen_check_802_11_data_frame();
2982 * Now check for the specified link-layer type.
2984 b1 = gen_llc_linktype(proto);
2992 * XXX - check for LLC frames.
2994 return gen_llc_linktype(proto);
3000 * XXX - check for LLC PDUs, as per IEEE 802.5.
3002 return gen_llc_linktype(proto);
3006 case DLT_ATM_RFC1483:
3008 case DLT_IP_OVER_FC:
3009 return gen_llc_linktype(proto);
3015 * If "is_lane" is set, check for a LANE-encapsulated
3016 * version of this protocol, otherwise check for an
3017 * LLC-encapsulated version of this protocol.
3019 * We assume LANE means Ethernet, not Token Ring.
3023 * Check that the packet doesn't begin with an
3024 * LE Control marker. (We've already generated
3027 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3032 * Now generate an Ethernet test.
3034 b1 = gen_ether_linktype(proto);
3039 * Check for LLC encapsulation and then check the
3042 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3043 b1 = gen_llc_linktype(proto);
3051 return gen_linux_sll_linktype(proto);
3056 case DLT_SLIP_BSDOS:
3059 * These types don't provide any type field; packets
3060 * are always IPv4 or IPv6.
3062 * XXX - for IPv4, check for a version number of 4, and,
3063 * for IPv6, check for a version number of 6?
3068 /* Check for a version number of 4. */
3069 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3071 case ETHERTYPE_IPV6:
3072 /* Check for a version number of 6. */
3073 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3076 return gen_false(); /* always false */
3083 * Raw IPv4, so no type field.
3085 if (proto == ETHERTYPE_IP)
3086 return gen_true(); /* always true */
3088 /* Checking for something other than IPv4; always false */
3095 * Raw IPv6, so no type field.
3097 if (proto == ETHERTYPE_IPV6)
3098 return gen_true(); /* always true */
3100 /* Checking for something other than IPv6; always false */
3107 case DLT_PPP_SERIAL:
3110 * We use Ethernet protocol types inside libpcap;
3111 * map them to the corresponding PPP protocol types.
3113 proto = ethertype_to_ppptype(proto);
3114 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3120 * We use Ethernet protocol types inside libpcap;
3121 * map them to the corresponding PPP protocol types.
3127 * Also check for Van Jacobson-compressed IP.
3128 * XXX - do this for other forms of PPP?
3130 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3131 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3133 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3138 proto = ethertype_to_ppptype(proto);
3139 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3149 * For DLT_NULL, the link-layer header is a 32-bit
3150 * word containing an AF_ value in *host* byte order,
3151 * and for DLT_ENC, the link-layer header begins
3152 * with a 32-bit work containing an AF_ value in
3155 * In addition, if we're reading a saved capture file,
3156 * the host byte order in the capture may not be the
3157 * same as the host byte order on this machine.
3159 * For DLT_LOOP, the link-layer header is a 32-bit
3160 * word containing an AF_ value in *network* byte order.
3162 * XXX - AF_ values may, unfortunately, be platform-
3163 * dependent; for example, FreeBSD's AF_INET6 is 24
3164 * whilst NetBSD's and OpenBSD's is 26.
3166 * This means that, when reading a capture file, just
3167 * checking for our AF_INET6 value won't work if the
3168 * capture file came from another OS.
3177 case ETHERTYPE_IPV6:
3184 * Not a type on which we support filtering.
3185 * XXX - support those that have AF_ values
3186 * #defined on this platform, at least?
3191 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3193 * The AF_ value is in host byte order, but
3194 * the BPF interpreter will convert it to
3195 * network byte order.
3197 * If this is a save file, and it's from a
3198 * machine with the opposite byte order to
3199 * ours, we byte-swap the AF_ value.
3201 * Then we run it through "htonl()", and
3202 * generate code to compare against the result.
3204 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped)
3205 proto = SWAPLONG(proto);
3206 proto = htonl(proto);
3208 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3210 #ifdef HAVE_NET_PFVAR_H
3213 * af field is host byte order in contrast to the rest of
3216 if (proto == ETHERTYPE_IP)
3217 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3218 BPF_B, (bpf_int32)AF_INET));
3219 else if (proto == ETHERTYPE_IPV6)
3220 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3221 BPF_B, (bpf_int32)AF_INET6));
3226 #endif /* HAVE_NET_PFVAR_H */
3229 case DLT_ARCNET_LINUX:
3231 * XXX should we check for first fragment if the protocol
3239 case ETHERTYPE_IPV6:
3240 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3241 (bpf_int32)ARCTYPE_INET6));
3244 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3245 (bpf_int32)ARCTYPE_IP);
3246 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3247 (bpf_int32)ARCTYPE_IP_OLD);
3252 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3253 (bpf_int32)ARCTYPE_ARP);
3254 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3255 (bpf_int32)ARCTYPE_ARP_OLD);
3259 case ETHERTYPE_REVARP:
3260 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3261 (bpf_int32)ARCTYPE_REVARP));
3263 case ETHERTYPE_ATALK:
3264 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3265 (bpf_int32)ARCTYPE_ATALK));
3272 case ETHERTYPE_ATALK:
3282 * XXX - assumes a 2-byte Frame Relay header with
3283 * DLCI and flags. What if the address is longer?
3289 * Check for the special NLPID for IP.
3291 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3293 case ETHERTYPE_IPV6:
3295 * Check for the special NLPID for IPv6.
3297 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3301 * Check for several OSI protocols.
3303 * Frame Relay packets typically have an OSI
3304 * NLPID at the beginning; we check for each
3307 * What we check for is the NLPID and a frame
3308 * control field of UI, i.e. 0x03 followed
3311 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3312 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3313 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3325 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3327 case DLT_JUNIPER_MFR:
3328 case DLT_JUNIPER_MLFR:
3329 case DLT_JUNIPER_MLPPP:
3330 case DLT_JUNIPER_ATM1:
3331 case DLT_JUNIPER_ATM2:
3332 case DLT_JUNIPER_PPPOE:
3333 case DLT_JUNIPER_PPPOE_ATM:
3334 case DLT_JUNIPER_GGSN:
3335 case DLT_JUNIPER_ES:
3336 case DLT_JUNIPER_MONITOR:
3337 case DLT_JUNIPER_SERVICES:
3338 case DLT_JUNIPER_ETHER:
3339 case DLT_JUNIPER_PPP:
3340 case DLT_JUNIPER_FRELAY:
3341 case DLT_JUNIPER_CHDLC:
3342 case DLT_JUNIPER_VP:
3343 case DLT_JUNIPER_ST:
3344 case DLT_JUNIPER_ISM:
3345 case DLT_JUNIPER_VS:
3346 case DLT_JUNIPER_SRX_E2E:
3347 case DLT_JUNIPER_FIBRECHANNEL:
3348 case DLT_JUNIPER_ATM_CEMIC:
3350 /* just lets verify the magic number for now -
3351 * on ATM we may have up to 6 different encapsulations on the wire
3352 * and need a lot of heuristics to figure out that the payload
3355 * FIXME encapsulation specific BPF_ filters
3357 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3359 case DLT_BACNET_MS_TP:
3360 return gen_mcmp(OR_LINK, 0, BPF_W, 0x55FF0000, 0xffff0000);
3363 return gen_ipnet_linktype(proto);
3365 case DLT_LINUX_IRDA:
3366 bpf_error("IrDA link-layer type filtering not implemented");
3369 bpf_error("DOCSIS link-layer type filtering not implemented");
3372 case DLT_MTP2_WITH_PHDR:
3373 bpf_error("MTP2 link-layer type filtering not implemented");
3376 bpf_error("ERF link-layer type filtering not implemented");
3379 bpf_error("PFSYNC link-layer type filtering not implemented");
3381 case DLT_LINUX_LAPD:
3382 bpf_error("LAPD link-layer type filtering not implemented");
3386 case DLT_USB_LINUX_MMAPPED:
3387 bpf_error("USB link-layer type filtering not implemented");
3389 case DLT_BLUETOOTH_HCI_H4:
3390 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3391 bpf_error("Bluetooth link-layer type filtering not implemented");
3394 case DLT_CAN_SOCKETCAN:
3395 bpf_error("CAN link-layer type filtering not implemented");
3397 case DLT_IEEE802_15_4:
3398 case DLT_IEEE802_15_4_LINUX:
3399 case DLT_IEEE802_15_4_NONASK_PHY:
3400 case DLT_IEEE802_15_4_NOFCS:
3401 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3403 case DLT_IEEE802_16_MAC_CPS_RADIO:
3404 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3407 bpf_error("SITA link-layer type filtering not implemented");
3410 bpf_error("RAIF1 link-layer type filtering not implemented");
3413 bpf_error("IPMB link-layer type filtering not implemented");
3416 bpf_error("AX.25 link-layer type filtering not implemented");
3419 /* Using the fixed-size NFLOG header it is possible to tell only
3420 * the address family of the packet, other meaningful data is
3421 * either missing or behind TLVs.
3423 bpf_error("NFLOG link-layer type filtering not implemented");
3427 * Does this link-layer header type have a field
3428 * indicating the type of the next protocol? If
3429 * so, off_linktype will be the offset of that
3430 * field in the packet; if not, it will be -1.
3432 if (off_linktype != (u_int)-1) {
3434 * Yes; assume it's an Ethernet type. (If
3435 * it's not, it needs to be handled specially
3438 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3441 * No; report an error.
3443 description = pcap_datalink_val_to_description(linktype);
3444 if (description != NULL) {
3445 bpf_error("%s link-layer type filtering not implemented",
3448 bpf_error("DLT %u link-layer type filtering not implemented",
3457 * Check for an LLC SNAP packet with a given organization code and
3458 * protocol type; we check the entire contents of the 802.2 LLC and
3459 * snap headers, checking for DSAP and SSAP of SNAP and a control
3460 * field of 0x03 in the LLC header, and for the specified organization
3461 * code and protocol type in the SNAP header.
3463 static struct block *
3464 gen_snap(orgcode, ptype)
3465 bpf_u_int32 orgcode;
3468 u_char snapblock[8];
3470 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3471 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3472 snapblock[2] = 0x03; /* control = UI */
3473 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3474 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3475 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3476 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3477 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3478 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3482 * Generate code to match frames with an LLC header.
3487 struct block *b0, *b1;
3493 * We check for an Ethernet type field less than
3494 * 1500, which means it's an 802.3 length field.
3496 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
3500 * Now check for the purported DSAP and SSAP not being
3501 * 0xFF, to rule out NetWare-over-802.3.
3503 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
3510 * We check for LLC traffic.
3512 b0 = gen_atmtype_abbrev(A_LLC);
3515 case DLT_IEEE802: /* Token Ring */
3517 * XXX - check for LLC frames.
3523 * XXX - check for LLC frames.
3527 case DLT_ATM_RFC1483:
3529 * For LLC encapsulation, these are defined to have an
3532 * For VC encapsulation, they don't, but there's no
3533 * way to check for that; the protocol used on the VC
3534 * is negotiated out of band.
3538 case DLT_IEEE802_11:
3539 case DLT_PRISM_HEADER:
3540 case DLT_IEEE802_11_RADIO:
3541 case DLT_IEEE802_11_RADIO_AVS:
3544 * Check that we have a data frame.
3546 b0 = gen_check_802_11_data_frame();
3550 bpf_error("'llc' not supported for linktype %d", linktype);
3558 struct block *b0, *b1;
3562 * Check whether this is an LLC frame.
3567 * Load the control byte and test the low-order bit; it must
3568 * be clear for I frames.
3570 s = gen_load_a(OR_MACPL, 2, BPF_B);
3571 b1 = new_block(JMP(BPF_JSET));
3582 struct block *b0, *b1;
3585 * Check whether this is an LLC frame.
3590 * Now compare the low-order 2 bit of the control byte against
3591 * the appropriate value for S frames.
3593 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, LLC_S_FMT, 0x03);
3601 struct block *b0, *b1;
3604 * Check whether this is an LLC frame.
3609 * Now compare the low-order 2 bit of the control byte against
3610 * the appropriate value for U frames.
3612 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, LLC_U_FMT, 0x03);
3618 gen_llc_s_subtype(bpf_u_int32 subtype)
3620 struct block *b0, *b1;
3623 * Check whether this is an LLC frame.
3628 * Now check for an S frame with the appropriate type.
3630 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3636 gen_llc_u_subtype(bpf_u_int32 subtype)
3638 struct block *b0, *b1;
3641 * Check whether this is an LLC frame.
3646 * Now check for a U frame with the appropriate type.
3648 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3654 * Generate code to match a particular packet type, for link-layer types
3655 * using 802.2 LLC headers.
3657 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3658 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3660 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3661 * value, if <= ETHERMTU. We use that to determine whether to
3662 * match the DSAP or both DSAP and LSAP or to check the OUI and
3663 * protocol ID in a SNAP header.
3665 static struct block *
3666 gen_llc_linktype(proto)
3670 * XXX - handle token-ring variable-length header.
3676 case LLCSAP_NETBEUI:
3678 * XXX - should we check both the DSAP and the
3679 * SSAP, like this, or should we check just the
3680 * DSAP, as we do for other types <= ETHERMTU
3681 * (i.e., other SAP values)?
3683 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3684 ((proto << 8) | proto));
3688 * XXX - are there ever SNAP frames for IPX on
3689 * non-Ethernet 802.x networks?
3691 return gen_cmp(OR_MACPL, 0, BPF_B,
3692 (bpf_int32)LLCSAP_IPX);
3694 case ETHERTYPE_ATALK:
3696 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3697 * SNAP packets with an organization code of
3698 * 0x080007 (Apple, for Appletalk) and a protocol
3699 * type of ETHERTYPE_ATALK (Appletalk).
3701 * XXX - check for an organization code of
3702 * encapsulated Ethernet as well?
3704 return gen_snap(0x080007, ETHERTYPE_ATALK);
3708 * XXX - we don't have to check for IPX 802.3
3709 * here, but should we check for the IPX Ethertype?
3711 if (proto <= ETHERMTU) {
3713 * This is an LLC SAP value, so check
3716 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3719 * This is an Ethernet type; we assume that it's
3720 * unlikely that it'll appear in the right place
3721 * at random, and therefore check only the
3722 * location that would hold the Ethernet type
3723 * in a SNAP frame with an organization code of
3724 * 0x000000 (encapsulated Ethernet).
3726 * XXX - if we were to check for the SNAP DSAP and
3727 * LSAP, as per XXX, and were also to check for an
3728 * organization code of 0x000000 (encapsulated
3729 * Ethernet), we'd do
3731 * return gen_snap(0x000000, proto);
3733 * here; for now, we don't, as per the above.
3734 * I don't know whether it's worth the extra CPU
3735 * time to do the right check or not.
3737 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3742 static struct block *
3743 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3747 u_int src_off, dst_off;
3749 struct block *b0, *b1;
3763 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3764 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3770 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3771 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3778 b0 = gen_linktype(proto);
3779 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3785 static struct block *
3786 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3787 struct in6_addr *addr;
3788 struct in6_addr *mask;
3790 u_int src_off, dst_off;
3792 struct block *b0, *b1;
3807 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3808 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3814 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3815 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3822 /* this order is important */
3823 a = (u_int32_t *)addr;
3824 m = (u_int32_t *)mask;
3825 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3826 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3828 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3830 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3832 b0 = gen_linktype(proto);
3838 static struct block *
3839 gen_ehostop(eaddr, dir)
3840 register const u_char *eaddr;
3843 register struct block *b0, *b1;
3847 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3850 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3853 b0 = gen_ehostop(eaddr, Q_SRC);
3854 b1 = gen_ehostop(eaddr, Q_DST);
3860 b0 = gen_ehostop(eaddr, Q_SRC);
3861 b1 = gen_ehostop(eaddr, Q_DST);
3866 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3870 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3874 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3878 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3882 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3886 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3894 * Like gen_ehostop, but for DLT_FDDI
3896 static struct block *
3897 gen_fhostop(eaddr, dir)
3898 register const u_char *eaddr;
3901 struct block *b0, *b1;
3905 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3908 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3911 b0 = gen_fhostop(eaddr, Q_SRC);
3912 b1 = gen_fhostop(eaddr, Q_DST);
3918 b0 = gen_fhostop(eaddr, Q_SRC);
3919 b1 = gen_fhostop(eaddr, Q_DST);
3924 bpf_error("'addr1' is only supported on 802.11");
3928 bpf_error("'addr2' is only supported on 802.11");
3932 bpf_error("'addr3' is only supported on 802.11");
3936 bpf_error("'addr4' is only supported on 802.11");
3940 bpf_error("'ra' is only supported on 802.11");
3944 bpf_error("'ta' is only supported on 802.11");
3952 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3954 static struct block *
3955 gen_thostop(eaddr, dir)
3956 register const u_char *eaddr;
3959 register struct block *b0, *b1;
3963 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3966 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3969 b0 = gen_thostop(eaddr, Q_SRC);
3970 b1 = gen_thostop(eaddr, Q_DST);
3976 b0 = gen_thostop(eaddr, Q_SRC);
3977 b1 = gen_thostop(eaddr, Q_DST);
3982 bpf_error("'addr1' is only supported on 802.11");
3986 bpf_error("'addr2' is only supported on 802.11");
3990 bpf_error("'addr3' is only supported on 802.11");
3994 bpf_error("'addr4' is only supported on 802.11");
3998 bpf_error("'ra' is only supported on 802.11");
4002 bpf_error("'ta' is only supported on 802.11");
4010 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4011 * various 802.11 + radio headers.
4013 static struct block *
4014 gen_wlanhostop(eaddr, dir)
4015 register const u_char *eaddr;
4018 register struct block *b0, *b1, *b2;
4019 register struct slist *s;
4021 #ifdef ENABLE_WLAN_FILTERING_PATCH
4024 * We need to disable the optimizer because the optimizer is buggy
4025 * and wipes out some LD instructions generated by the below
4026 * code to validate the Frame Control bits
4029 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4036 * For control frames, there is no SA.
4038 * For management frames, SA is at an
4039 * offset of 10 from the beginning of
4042 * For data frames, SA is at an offset
4043 * of 10 from the beginning of the packet
4044 * if From DS is clear, at an offset of
4045 * 16 from the beginning of the packet
4046 * if From DS is set and To DS is clear,
4047 * and an offset of 24 from the beginning
4048 * of the packet if From DS is set and To DS
4053 * Generate the tests to be done for data frames
4056 * First, check for To DS set, i.e. check "link[1] & 0x01".
4058 s = gen_load_a(OR_LINK, 1, BPF_B);
4059 b1 = new_block(JMP(BPF_JSET));
4060 b1->s.k = 0x01; /* To DS */
4064 * If To DS is set, the SA is at 24.
4066 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4070 * Now, check for To DS not set, i.e. check
4071 * "!(link[1] & 0x01)".
4073 s = gen_load_a(OR_LINK, 1, BPF_B);
4074 b2 = new_block(JMP(BPF_JSET));
4075 b2->s.k = 0x01; /* To DS */
4080 * If To DS is not set, the SA is at 16.
4082 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4086 * Now OR together the last two checks. That gives
4087 * the complete set of checks for data frames with
4093 * Now check for From DS being set, and AND that with
4094 * the ORed-together checks.
4096 s = gen_load_a(OR_LINK, 1, BPF_B);
4097 b1 = new_block(JMP(BPF_JSET));
4098 b1->s.k = 0x02; /* From DS */
4103 * Now check for data frames with From DS not set.
4105 s = gen_load_a(OR_LINK, 1, BPF_B);
4106 b2 = new_block(JMP(BPF_JSET));
4107 b2->s.k = 0x02; /* From DS */
4112 * If From DS isn't set, the SA is at 10.
4114 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4118 * Now OR together the checks for data frames with
4119 * From DS not set and for data frames with From DS
4120 * set; that gives the checks done for data frames.
4125 * Now check for a data frame.
4126 * I.e, check "link[0] & 0x08".
4128 s = gen_load_a(OR_LINK, 0, BPF_B);
4129 b1 = new_block(JMP(BPF_JSET));
4134 * AND that with the checks done for data frames.
4139 * If the high-order bit of the type value is 0, this
4140 * is a management frame.
4141 * I.e, check "!(link[0] & 0x08)".
4143 s = gen_load_a(OR_LINK, 0, BPF_B);
4144 b2 = new_block(JMP(BPF_JSET));
4150 * For management frames, the SA is at 10.
4152 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4156 * OR that with the checks done for data frames.
4157 * That gives the checks done for management and
4163 * If the low-order bit of the type value is 1,
4164 * this is either a control frame or a frame
4165 * with a reserved type, and thus not a
4168 * I.e., check "!(link[0] & 0x04)".
4170 s = gen_load_a(OR_LINK, 0, BPF_B);
4171 b1 = new_block(JMP(BPF_JSET));
4177 * AND that with the checks for data and management
4187 * For control frames, there is no DA.
4189 * For management frames, DA is at an
4190 * offset of 4 from the beginning of
4193 * For data frames, DA is at an offset
4194 * of 4 from the beginning of the packet
4195 * if To DS is clear and at an offset of
4196 * 16 from the beginning of the packet
4201 * Generate the tests to be done for data frames.
4203 * First, check for To DS set, i.e. "link[1] & 0x01".
4205 s = gen_load_a(OR_LINK, 1, BPF_B);
4206 b1 = new_block(JMP(BPF_JSET));
4207 b1->s.k = 0x01; /* To DS */
4211 * If To DS is set, the DA is at 16.
4213 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4217 * Now, check for To DS not set, i.e. check
4218 * "!(link[1] & 0x01)".
4220 s = gen_load_a(OR_LINK, 1, BPF_B);
4221 b2 = new_block(JMP(BPF_JSET));
4222 b2->s.k = 0x01; /* To DS */
4227 * If To DS is not set, the DA is at 4.
4229 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4233 * Now OR together the last two checks. That gives
4234 * the complete set of checks for data frames.
4239 * Now check for a data frame.
4240 * I.e, check "link[0] & 0x08".
4242 s = gen_load_a(OR_LINK, 0, BPF_B);
4243 b1 = new_block(JMP(BPF_JSET));
4248 * AND that with the checks done for data frames.
4253 * If the high-order bit of the type value is 0, this
4254 * is a management frame.
4255 * I.e, check "!(link[0] & 0x08)".
4257 s = gen_load_a(OR_LINK, 0, BPF_B);
4258 b2 = new_block(JMP(BPF_JSET));
4264 * For management frames, the DA is at 4.
4266 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4270 * OR that with the checks done for data frames.
4271 * That gives the checks done for management and
4277 * If the low-order bit of the type value is 1,
4278 * this is either a control frame or a frame
4279 * with a reserved type, and thus not a
4282 * I.e., check "!(link[0] & 0x04)".
4284 s = gen_load_a(OR_LINK, 0, BPF_B);
4285 b1 = new_block(JMP(BPF_JSET));
4291 * AND that with the checks for data and management
4299 * Not present in management frames; addr1 in other
4304 * If the high-order bit of the type value is 0, this
4305 * is a management frame.
4306 * I.e, check "(link[0] & 0x08)".
4308 s = gen_load_a(OR_LINK, 0, BPF_B);
4309 b1 = new_block(JMP(BPF_JSET));
4316 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4319 * AND that with the check of addr1.
4326 * Not present in management frames; addr2, if present,
4331 * Not present in CTS or ACK control frames.
4333 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4334 IEEE80211_FC0_TYPE_MASK);
4336 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4337 IEEE80211_FC0_SUBTYPE_MASK);
4339 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4340 IEEE80211_FC0_SUBTYPE_MASK);
4346 * If the high-order bit of the type value is 0, this
4347 * is a management frame.
4348 * I.e, check "(link[0] & 0x08)".
4350 s = gen_load_a(OR_LINK, 0, BPF_B);
4351 b1 = new_block(JMP(BPF_JSET));
4356 * AND that with the check for frames other than
4357 * CTS and ACK frames.
4364 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4369 * XXX - add BSSID keyword?
4372 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4376 * Not present in CTS or ACK control frames.
4378 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4379 IEEE80211_FC0_TYPE_MASK);
4381 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4382 IEEE80211_FC0_SUBTYPE_MASK);
4384 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4385 IEEE80211_FC0_SUBTYPE_MASK);
4389 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4395 * Not present in control frames.
4397 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4398 IEEE80211_FC0_TYPE_MASK);
4400 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4406 * Present only if the direction mask has both "From DS"
4407 * and "To DS" set. Neither control frames nor management
4408 * frames should have both of those set, so we don't
4409 * check the frame type.
4411 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4412 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4413 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4418 b0 = gen_wlanhostop(eaddr, Q_SRC);
4419 b1 = gen_wlanhostop(eaddr, Q_DST);
4425 b0 = gen_wlanhostop(eaddr, Q_SRC);
4426 b1 = gen_wlanhostop(eaddr, Q_DST);
4435 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4436 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4437 * as the RFC states.)
4439 static struct block *
4440 gen_ipfchostop(eaddr, dir)
4441 register const u_char *eaddr;
4444 register struct block *b0, *b1;
4448 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4451 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4454 b0 = gen_ipfchostop(eaddr, Q_SRC);
4455 b1 = gen_ipfchostop(eaddr, Q_DST);
4461 b0 = gen_ipfchostop(eaddr, Q_SRC);
4462 b1 = gen_ipfchostop(eaddr, Q_DST);
4467 bpf_error("'addr1' is only supported on 802.11");
4471 bpf_error("'addr2' is only supported on 802.11");
4475 bpf_error("'addr3' is only supported on 802.11");
4479 bpf_error("'addr4' is only supported on 802.11");
4483 bpf_error("'ra' is only supported on 802.11");
4487 bpf_error("'ta' is only supported on 802.11");
4495 * This is quite tricky because there may be pad bytes in front of the
4496 * DECNET header, and then there are two possible data packet formats that
4497 * carry both src and dst addresses, plus 5 packet types in a format that
4498 * carries only the src node, plus 2 types that use a different format and
4499 * also carry just the src node.
4503 * Instead of doing those all right, we just look for data packets with
4504 * 0 or 1 bytes of padding. If you want to look at other packets, that
4505 * will require a lot more hacking.
4507 * To add support for filtering on DECNET "areas" (network numbers)
4508 * one would want to add a "mask" argument to this routine. That would
4509 * make the filter even more inefficient, although one could be clever
4510 * and not generate masking instructions if the mask is 0xFFFF.
4512 static struct block *
4513 gen_dnhostop(addr, dir)
4517 struct block *b0, *b1, *b2, *tmp;
4518 u_int offset_lh; /* offset if long header is received */
4519 u_int offset_sh; /* offset if short header is received */
4524 offset_sh = 1; /* follows flags */
4525 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4529 offset_sh = 3; /* follows flags, dstnode */
4530 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4534 /* Inefficient because we do our Calvinball dance twice */
4535 b0 = gen_dnhostop(addr, Q_SRC);
4536 b1 = gen_dnhostop(addr, Q_DST);
4542 /* Inefficient because we do our Calvinball dance twice */
4543 b0 = gen_dnhostop(addr, Q_SRC);
4544 b1 = gen_dnhostop(addr, Q_DST);
4549 bpf_error("ISO host filtering not implemented");
4554 b0 = gen_linktype(ETHERTYPE_DN);
4555 /* Check for pad = 1, long header case */
4556 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4557 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4558 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4559 BPF_H, (bpf_int32)ntohs((u_short)addr));
4561 /* Check for pad = 0, long header case */
4562 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4563 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4566 /* Check for pad = 1, short header case */
4567 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4568 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4569 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4572 /* Check for pad = 0, short header case */
4573 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4574 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4578 /* Combine with test for linktype */
4584 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4585 * test the bottom-of-stack bit, and then check the version number
4586 * field in the IP header.
4588 static struct block *
4589 gen_mpls_linktype(proto)
4592 struct block *b0, *b1;
4597 /* match the bottom-of-stack bit */
4598 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4599 /* match the IPv4 version number */
4600 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4605 /* match the bottom-of-stack bit */
4606 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4607 /* match the IPv4 version number */
4608 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4617 static struct block *
4618 gen_host(addr, mask, proto, dir, type)
4625 struct block *b0, *b1;
4626 const char *typestr;
4636 b0 = gen_host(addr, mask, Q_IP, dir, type);
4638 * Only check for non-IPv4 addresses if we're not
4639 * checking MPLS-encapsulated packets.
4641 if (label_stack_depth == 0) {
4642 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4644 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4650 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4653 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4656 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4659 bpf_error("'tcp' modifier applied to %s", typestr);
4662 bpf_error("'sctp' modifier applied to %s", typestr);
4665 bpf_error("'udp' modifier applied to %s", typestr);
4668 bpf_error("'icmp' modifier applied to %s", typestr);
4671 bpf_error("'igmp' modifier applied to %s", typestr);
4674 bpf_error("'igrp' modifier applied to %s", typestr);
4677 bpf_error("'pim' modifier applied to %s", typestr);
4680 bpf_error("'vrrp' modifier applied to %s", typestr);
4683 bpf_error("'carp' modifier applied to %s", typestr);
4686 bpf_error("ATALK host filtering not implemented");
4689 bpf_error("AARP host filtering not implemented");
4692 return gen_dnhostop(addr, dir);
4695 bpf_error("SCA host filtering not implemented");
4698 bpf_error("LAT host filtering not implemented");
4701 bpf_error("MOPDL host filtering not implemented");
4704 bpf_error("MOPRC host filtering not implemented");
4707 bpf_error("'ip6' modifier applied to ip host");
4710 bpf_error("'icmp6' modifier applied to %s", typestr);
4713 bpf_error("'ah' modifier applied to %s", typestr);
4716 bpf_error("'esp' modifier applied to %s", typestr);
4719 bpf_error("ISO host filtering not implemented");
4722 bpf_error("'esis' modifier applied to %s", typestr);
4725 bpf_error("'isis' modifier applied to %s", typestr);
4728 bpf_error("'clnp' modifier applied to %s", typestr);
4731 bpf_error("'stp' modifier applied to %s", typestr);
4734 bpf_error("IPX host filtering not implemented");
4737 bpf_error("'netbeui' modifier applied to %s", typestr);
4740 bpf_error("'radio' modifier applied to %s", typestr);
4749 static struct block *
4750 gen_host6(addr, mask, proto, dir, type)
4751 struct in6_addr *addr;
4752 struct in6_addr *mask;
4757 const char *typestr;
4767 return gen_host6(addr, mask, Q_IPV6, dir, type);
4770 bpf_error("link-layer modifier applied to ip6 %s", typestr);
4773 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4776 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4779 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4782 bpf_error("'sctp' modifier applied to %s", typestr);
4785 bpf_error("'tcp' modifier applied to %s", typestr);
4788 bpf_error("'udp' modifier applied to %s", typestr);
4791 bpf_error("'icmp' modifier applied to %s", typestr);
4794 bpf_error("'igmp' modifier applied to %s", typestr);
4797 bpf_error("'igrp' modifier applied to %s", typestr);
4800 bpf_error("'pim' modifier applied to %s", typestr);
4803 bpf_error("'vrrp' modifier applied to %s", typestr);
4806 bpf_error("'carp' modifier applied to %s", typestr);
4809 bpf_error("ATALK host filtering not implemented");
4812 bpf_error("AARP host filtering not implemented");
4815 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4818 bpf_error("SCA host filtering not implemented");
4821 bpf_error("LAT host filtering not implemented");
4824 bpf_error("MOPDL host filtering not implemented");
4827 bpf_error("MOPRC host filtering not implemented");
4830 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4833 bpf_error("'icmp6' modifier applied to %s", typestr);
4836 bpf_error("'ah' modifier applied to %s", typestr);
4839 bpf_error("'esp' modifier applied to %s", typestr);
4842 bpf_error("ISO host filtering not implemented");
4845 bpf_error("'esis' modifier applied to %s", typestr);
4848 bpf_error("'isis' modifier applied to %s", typestr);
4851 bpf_error("'clnp' modifier applied to %s", typestr);
4854 bpf_error("'stp' modifier applied to %s", typestr);
4857 bpf_error("IPX host filtering not implemented");
4860 bpf_error("'netbeui' modifier applied to %s", typestr);
4863 bpf_error("'radio' modifier applied to %s", typestr);
4873 static struct block *
4874 gen_gateway(eaddr, alist, proto, dir)
4875 const u_char *eaddr;
4876 bpf_u_int32 **alist;
4880 struct block *b0, *b1, *tmp;
4883 bpf_error("direction applied to 'gateway'");
4892 case DLT_NETANALYZER:
4893 case DLT_NETANALYZER_TRANSPARENT:
4894 b0 = gen_ehostop(eaddr, Q_OR);
4897 b0 = gen_fhostop(eaddr, Q_OR);
4900 b0 = gen_thostop(eaddr, Q_OR);
4902 case DLT_IEEE802_11:
4903 case DLT_PRISM_HEADER:
4904 case DLT_IEEE802_11_RADIO_AVS:
4905 case DLT_IEEE802_11_RADIO:
4907 b0 = gen_wlanhostop(eaddr, Q_OR);
4912 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4914 * Check that the packet doesn't begin with an
4915 * LE Control marker. (We've already generated
4918 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4923 * Now check the MAC address.
4925 b0 = gen_ehostop(eaddr, Q_OR);
4928 case DLT_IP_OVER_FC:
4929 b0 = gen_ipfchostop(eaddr, Q_OR);
4933 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4935 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4937 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4946 bpf_error("illegal modifier of 'gateway'");
4952 gen_proto_abbrev(proto)
4961 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4962 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4967 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4968 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4973 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4974 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4979 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4982 #ifndef IPPROTO_IGMP
4983 #define IPPROTO_IGMP 2
4987 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4990 #ifndef IPPROTO_IGRP
4991 #define IPPROTO_IGRP 9
4994 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4998 #define IPPROTO_PIM 103
5002 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
5003 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5007 #ifndef IPPROTO_VRRP
5008 #define IPPROTO_VRRP 112
5012 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5015 #ifndef IPPROTO_CARP
5016 #define IPPROTO_CARP 112
5020 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
5024 b1 = gen_linktype(ETHERTYPE_IP);
5028 b1 = gen_linktype(ETHERTYPE_ARP);
5032 b1 = gen_linktype(ETHERTYPE_REVARP);
5036 bpf_error("link layer applied in wrong context");
5039 b1 = gen_linktype(ETHERTYPE_ATALK);
5043 b1 = gen_linktype(ETHERTYPE_AARP);
5047 b1 = gen_linktype(ETHERTYPE_DN);
5051 b1 = gen_linktype(ETHERTYPE_SCA);
5055 b1 = gen_linktype(ETHERTYPE_LAT);
5059 b1 = gen_linktype(ETHERTYPE_MOPDL);
5063 b1 = gen_linktype(ETHERTYPE_MOPRC);
5067 b1 = gen_linktype(ETHERTYPE_IPV6);
5070 #ifndef IPPROTO_ICMPV6
5071 #define IPPROTO_ICMPV6 58
5074 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5078 #define IPPROTO_AH 51
5081 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
5082 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5087 #define IPPROTO_ESP 50
5090 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
5091 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5096 b1 = gen_linktype(LLCSAP_ISONS);
5100 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5104 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5107 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5108 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5109 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5111 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5113 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5115 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5119 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5120 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5121 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5123 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5125 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5127 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5131 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5132 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5133 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5135 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5140 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5141 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5146 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5147 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5149 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5151 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5156 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5157 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5162 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5163 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5168 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5172 b1 = gen_linktype(LLCSAP_8021D);
5176 b1 = gen_linktype(LLCSAP_IPX);
5180 b1 = gen_linktype(LLCSAP_NETBEUI);
5184 bpf_error("'radio' is not a valid protocol type");
5192 static struct block *
5198 /* not IPv4 frag other than the first frag */
5199 s = gen_load_a(OR_NET, 6, BPF_H);
5200 b = new_block(JMP(BPF_JSET));
5209 * Generate a comparison to a port value in the transport-layer header
5210 * at the specified offset from the beginning of that header.
5212 * XXX - this handles a variable-length prefix preceding the link-layer
5213 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5214 * variable-length link-layer headers (such as Token Ring or 802.11
5217 static struct block *
5218 gen_portatom(off, v)
5222 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5225 static struct block *
5226 gen_portatom6(off, v)
5230 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5234 gen_portop(port, proto, dir)
5235 int port, proto, dir;
5237 struct block *b0, *b1, *tmp;
5239 /* ip proto 'proto' and not a fragment other than the first fragment */
5240 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5246 b1 = gen_portatom(0, (bpf_int32)port);
5250 b1 = gen_portatom(2, (bpf_int32)port);
5255 tmp = gen_portatom(0, (bpf_int32)port);
5256 b1 = gen_portatom(2, (bpf_int32)port);
5261 tmp = gen_portatom(0, (bpf_int32)port);
5262 b1 = gen_portatom(2, (bpf_int32)port);
5274 static struct block *
5275 gen_port(port, ip_proto, dir)
5280 struct block *b0, *b1, *tmp;
5285 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5286 * not LLC encapsulation with LLCSAP_IP.
5288 * For IEEE 802 networks - which includes 802.5 token ring
5289 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5290 * says that SNAP encapsulation is used, not LLC encapsulation
5293 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5294 * RFC 2225 say that SNAP encapsulation is used, not LLC
5295 * encapsulation with LLCSAP_IP.
5297 * So we always check for ETHERTYPE_IP.
5299 b0 = gen_linktype(ETHERTYPE_IP);
5305 b1 = gen_portop(port, ip_proto, dir);
5309 tmp = gen_portop(port, IPPROTO_TCP, dir);
5310 b1 = gen_portop(port, IPPROTO_UDP, dir);
5312 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5324 gen_portop6(port, proto, dir)
5325 int port, proto, dir;
5327 struct block *b0, *b1, *tmp;
5329 /* ip6 proto 'proto' */
5330 /* XXX - catch the first fragment of a fragmented packet? */
5331 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5335 b1 = gen_portatom6(0, (bpf_int32)port);
5339 b1 = gen_portatom6(2, (bpf_int32)port);
5344 tmp = gen_portatom6(0, (bpf_int32)port);
5345 b1 = gen_portatom6(2, (bpf_int32)port);
5350 tmp = gen_portatom6(0, (bpf_int32)port);
5351 b1 = gen_portatom6(2, (bpf_int32)port);
5363 static struct block *
5364 gen_port6(port, ip_proto, dir)
5369 struct block *b0, *b1, *tmp;
5371 /* link proto ip6 */
5372 b0 = gen_linktype(ETHERTYPE_IPV6);
5378 b1 = gen_portop6(port, ip_proto, dir);
5382 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5383 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5385 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5396 /* gen_portrange code */
5397 static struct block *
5398 gen_portrangeatom(off, v1, v2)
5402 struct block *b1, *b2;
5406 * Reverse the order of the ports, so v1 is the lower one.
5415 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5416 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5424 gen_portrangeop(port1, port2, proto, dir)
5429 struct block *b0, *b1, *tmp;
5431 /* ip proto 'proto' and not a fragment other than the first fragment */
5432 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5438 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5442 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5447 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5448 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5453 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5454 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5466 static struct block *
5467 gen_portrange(port1, port2, ip_proto, dir)
5472 struct block *b0, *b1, *tmp;
5475 b0 = gen_linktype(ETHERTYPE_IP);
5481 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5485 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5486 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5488 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5499 static struct block *
5500 gen_portrangeatom6(off, v1, v2)
5504 struct block *b1, *b2;
5508 * Reverse the order of the ports, so v1 is the lower one.
5517 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5518 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5526 gen_portrangeop6(port1, port2, proto, dir)
5531 struct block *b0, *b1, *tmp;
5533 /* ip6 proto 'proto' */
5534 /* XXX - catch the first fragment of a fragmented packet? */
5535 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5539 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5543 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5548 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5549 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5554 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5555 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5567 static struct block *
5568 gen_portrange6(port1, port2, ip_proto, dir)
5573 struct block *b0, *b1, *tmp;
5575 /* link proto ip6 */
5576 b0 = gen_linktype(ETHERTYPE_IPV6);
5582 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5586 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5587 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5589 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5601 lookup_proto(name, proto)
5602 register const char *name;
5612 v = pcap_nametoproto(name);
5613 if (v == PROTO_UNDEF)
5614 bpf_error("unknown ip proto '%s'", name);
5618 /* XXX should look up h/w protocol type based on linktype */
5619 v = pcap_nametoeproto(name);
5620 if (v == PROTO_UNDEF) {
5621 v = pcap_nametollc(name);
5622 if (v == PROTO_UNDEF)
5623 bpf_error("unknown ether proto '%s'", name);
5628 if (strcmp(name, "esis") == 0)
5630 else if (strcmp(name, "isis") == 0)
5632 else if (strcmp(name, "clnp") == 0)
5635 bpf_error("unknown osi proto '%s'", name);
5655 static struct block *
5656 gen_protochain(v, proto, dir)
5661 #ifdef NO_PROTOCHAIN
5662 return gen_proto(v, proto, dir);
5664 struct block *b0, *b;
5665 struct slist *s[100];
5666 int fix2, fix3, fix4, fix5;
5667 int ahcheck, again, end;
5669 int reg2 = alloc_reg();
5671 memset(s, 0, sizeof(s));
5672 fix2 = fix3 = fix4 = fix5 = 0;
5679 b0 = gen_protochain(v, Q_IP, dir);
5680 b = gen_protochain(v, Q_IPV6, dir);
5684 bpf_error("bad protocol applied for 'protochain'");
5689 * We don't handle variable-length prefixes before the link-layer
5690 * header, or variable-length link-layer headers, here yet.
5691 * We might want to add BPF instructions to do the protochain
5692 * work, to simplify that and, on platforms that have a BPF
5693 * interpreter with the new instructions, let the filtering
5694 * be done in the kernel. (We already require a modified BPF
5695 * engine to do the protochain stuff, to support backward
5696 * branches, and backward branch support is unlikely to appear
5697 * in kernel BPF engines.)
5701 case DLT_IEEE802_11:
5702 case DLT_PRISM_HEADER:
5703 case DLT_IEEE802_11_RADIO_AVS:
5704 case DLT_IEEE802_11_RADIO:
5706 bpf_error("'protochain' not supported with 802.11");
5709 no_optimize = 1; /*this code is not compatible with optimzer yet */
5712 * s[0] is a dummy entry to protect other BPF insn from damage
5713 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5714 * hard to find interdependency made by jump table fixup.
5717 s[i] = new_stmt(0); /*dummy*/
5722 b0 = gen_linktype(ETHERTYPE_IP);
5725 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5726 s[i]->s.k = off_macpl + off_nl + 9;
5728 /* X = ip->ip_hl << 2 */
5729 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5730 s[i]->s.k = off_macpl + off_nl;
5735 b0 = gen_linktype(ETHERTYPE_IPV6);
5737 /* A = ip6->ip_nxt */
5738 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5739 s[i]->s.k = off_macpl + off_nl + 6;
5741 /* X = sizeof(struct ip6_hdr) */
5742 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5748 bpf_error("unsupported proto to gen_protochain");
5752 /* again: if (A == v) goto end; else fall through; */
5754 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5756 s[i]->s.jt = NULL; /*later*/
5757 s[i]->s.jf = NULL; /*update in next stmt*/
5761 #ifndef IPPROTO_NONE
5762 #define IPPROTO_NONE 59
5764 /* if (A == IPPROTO_NONE) goto end */
5765 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5766 s[i]->s.jt = NULL; /*later*/
5767 s[i]->s.jf = NULL; /*update in next stmt*/
5768 s[i]->s.k = IPPROTO_NONE;
5769 s[fix5]->s.jf = s[i];
5773 if (proto == Q_IPV6) {
5774 int v6start, v6end, v6advance, j;
5777 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5778 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5779 s[i]->s.jt = NULL; /*later*/
5780 s[i]->s.jf = NULL; /*update in next stmt*/
5781 s[i]->s.k = IPPROTO_HOPOPTS;
5782 s[fix2]->s.jf = s[i];
5784 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5785 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5786 s[i]->s.jt = NULL; /*later*/
5787 s[i]->s.jf = NULL; /*update in next stmt*/
5788 s[i]->s.k = IPPROTO_DSTOPTS;
5790 /* if (A == IPPROTO_ROUTING) goto v6advance */
5791 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5792 s[i]->s.jt = NULL; /*later*/
5793 s[i]->s.jf = NULL; /*update in next stmt*/
5794 s[i]->s.k = IPPROTO_ROUTING;
5796 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5797 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5798 s[i]->s.jt = NULL; /*later*/
5799 s[i]->s.jf = NULL; /*later*/
5800 s[i]->s.k = IPPROTO_FRAGMENT;
5810 * A = P[X + packet head];
5811 * X = X + (P[X + packet head + 1] + 1) * 8;
5813 /* A = P[X + packet head] */
5814 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5815 s[i]->s.k = off_macpl + off_nl;
5818 s[i] = new_stmt(BPF_ST);
5821 /* A = P[X + packet head + 1]; */
5822 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5823 s[i]->s.k = off_macpl + off_nl + 1;
5826 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5830 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5834 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5838 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5841 s[i] = new_stmt(BPF_LD|BPF_MEM);
5845 /* goto again; (must use BPF_JA for backward jump) */
5846 s[i] = new_stmt(BPF_JMP|BPF_JA);
5847 s[i]->s.k = again - i - 1;
5848 s[i - 1]->s.jf = s[i];
5852 for (j = v6start; j <= v6end; j++)
5853 s[j]->s.jt = s[v6advance];
5856 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5858 s[fix2]->s.jf = s[i];
5864 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5865 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5866 s[i]->s.jt = NULL; /*later*/
5867 s[i]->s.jf = NULL; /*later*/
5868 s[i]->s.k = IPPROTO_AH;
5870 s[fix3]->s.jf = s[ahcheck];
5877 * X = X + (P[X + 1] + 2) * 4;
5880 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5882 /* A = P[X + packet head]; */
5883 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5884 s[i]->s.k = off_macpl + off_nl;
5887 s[i] = new_stmt(BPF_ST);
5891 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5894 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5898 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5900 /* A = P[X + packet head] */
5901 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5902 s[i]->s.k = off_macpl + off_nl;
5905 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5909 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5913 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5916 s[i] = new_stmt(BPF_LD|BPF_MEM);
5920 /* goto again; (must use BPF_JA for backward jump) */
5921 s[i] = new_stmt(BPF_JMP|BPF_JA);
5922 s[i]->s.k = again - i - 1;
5927 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5929 s[fix2]->s.jt = s[end];
5930 s[fix4]->s.jf = s[end];
5931 s[fix5]->s.jt = s[end];
5938 for (i = 0; i < max - 1; i++)
5939 s[i]->next = s[i + 1];
5940 s[max - 1]->next = NULL;
5945 b = new_block(JMP(BPF_JEQ));
5946 b->stmts = s[1]; /*remember, s[0] is dummy*/
5956 static struct block *
5957 gen_check_802_11_data_frame()
5960 struct block *b0, *b1;
5963 * A data frame has the 0x08 bit (b3) in the frame control field set
5964 * and the 0x04 bit (b2) clear.
5966 s = gen_load_a(OR_LINK, 0, BPF_B);
5967 b0 = new_block(JMP(BPF_JSET));
5971 s = gen_load_a(OR_LINK, 0, BPF_B);
5972 b1 = new_block(JMP(BPF_JSET));
5983 * Generate code that checks whether the packet is a packet for protocol
5984 * <proto> and whether the type field in that protocol's header has
5985 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5986 * IP packet and checks the protocol number in the IP header against <v>.
5988 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5989 * against Q_IP and Q_IPV6.
5991 static struct block *
5992 gen_proto(v, proto, dir)
5997 struct block *b0, *b1;
6002 if (dir != Q_DEFAULT)
6003 bpf_error("direction applied to 'proto'");
6007 b0 = gen_proto(v, Q_IP, dir);
6008 b1 = gen_proto(v, Q_IPV6, dir);
6014 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6015 * not LLC encapsulation with LLCSAP_IP.
6017 * For IEEE 802 networks - which includes 802.5 token ring
6018 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6019 * says that SNAP encapsulation is used, not LLC encapsulation
6022 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6023 * RFC 2225 say that SNAP encapsulation is used, not LLC
6024 * encapsulation with LLCSAP_IP.
6026 * So we always check for ETHERTYPE_IP.
6028 b0 = gen_linktype(ETHERTYPE_IP);
6030 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
6032 b1 = gen_protochain(v, Q_IP);
6042 * Frame Relay packets typically have an OSI
6043 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
6044 * generates code to check for all the OSI
6045 * NLPIDs, so calling it and then adding a check
6046 * for the particular NLPID for which we're
6047 * looking is bogus, as we can just check for
6050 * What we check for is the NLPID and a frame
6051 * control field value of UI, i.e. 0x03 followed
6054 * XXX - assumes a 2-byte Frame Relay header with
6055 * DLCI and flags. What if the address is longer?
6057 * XXX - what about SNAP-encapsulated frames?
6059 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
6065 * Cisco uses an Ethertype lookalike - for OSI,
6068 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6069 /* OSI in C-HDLC is stuffed with a fudge byte */
6070 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
6075 b0 = gen_linktype(LLCSAP_ISONS);
6076 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
6082 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6084 * 4 is the offset of the PDU type relative to the IS-IS
6087 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
6092 bpf_error("arp does not encapsulate another protocol");
6096 bpf_error("rarp does not encapsulate another protocol");
6100 bpf_error("atalk encapsulation is not specifiable");
6104 bpf_error("decnet encapsulation is not specifiable");
6108 bpf_error("sca does not encapsulate another protocol");
6112 bpf_error("lat does not encapsulate another protocol");
6116 bpf_error("moprc does not encapsulate another protocol");
6120 bpf_error("mopdl does not encapsulate another protocol");
6124 return gen_linktype(v);
6127 bpf_error("'udp proto' is bogus");
6131 bpf_error("'tcp proto' is bogus");
6135 bpf_error("'sctp proto' is bogus");
6139 bpf_error("'icmp proto' is bogus");
6143 bpf_error("'igmp proto' is bogus");
6147 bpf_error("'igrp proto' is bogus");
6151 bpf_error("'pim proto' is bogus");
6155 bpf_error("'vrrp proto' is bogus");
6159 bpf_error("'carp proto' is bogus");
6163 b0 = gen_linktype(ETHERTYPE_IPV6);
6166 * Also check for a fragment header before the final
6169 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
6170 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
6172 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
6175 b1 = gen_protochain(v, Q_IPV6);
6181 bpf_error("'icmp6 proto' is bogus");
6184 bpf_error("'ah proto' is bogus");
6187 bpf_error("'ah proto' is bogus");
6190 bpf_error("'stp proto' is bogus");
6193 bpf_error("'ipx proto' is bogus");
6196 bpf_error("'netbeui proto' is bogus");
6199 bpf_error("'radio proto' is bogus");
6210 register const char *name;
6213 int proto = q.proto;
6217 bpf_u_int32 mask, addr;
6219 bpf_u_int32 **alist;
6222 struct sockaddr_in *sin4;
6223 struct sockaddr_in6 *sin6;
6224 struct addrinfo *res, *res0;
6225 struct in6_addr mask128;
6227 struct block *b, *tmp;
6228 int port, real_proto;
6234 addr = pcap_nametonetaddr(name);
6236 bpf_error("unknown network '%s'", name);
6237 /* Left justify network addr and calculate its network mask */
6239 while (addr && (addr & 0xff000000) == 0) {
6243 return gen_host(addr, mask, proto, dir, q.addr);
6247 if (proto == Q_LINK) {
6251 case DLT_NETANALYZER:
6252 case DLT_NETANALYZER_TRANSPARENT:
6253 eaddr = pcap_ether_hostton(name);
6256 "unknown ether host '%s'", name);
6257 b = gen_ehostop(eaddr, dir);
6262 eaddr = pcap_ether_hostton(name);
6265 "unknown FDDI host '%s'", name);
6266 b = gen_fhostop(eaddr, dir);
6271 eaddr = pcap_ether_hostton(name);
6274 "unknown token ring host '%s'", name);
6275 b = gen_thostop(eaddr, dir);
6279 case DLT_IEEE802_11:
6280 case DLT_PRISM_HEADER:
6281 case DLT_IEEE802_11_RADIO_AVS:
6282 case DLT_IEEE802_11_RADIO:
6284 eaddr = pcap_ether_hostton(name);
6287 "unknown 802.11 host '%s'", name);
6288 b = gen_wlanhostop(eaddr, dir);
6292 case DLT_IP_OVER_FC:
6293 eaddr = pcap_ether_hostton(name);
6296 "unknown Fibre Channel host '%s'", name);
6297 b = gen_ipfchostop(eaddr, dir);
6306 * Check that the packet doesn't begin
6307 * with an LE Control marker. (We've
6308 * already generated a test for LANE.)
6310 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6314 eaddr = pcap_ether_hostton(name);
6317 "unknown ether host '%s'", name);
6318 b = gen_ehostop(eaddr, dir);
6324 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6325 } else if (proto == Q_DECNET) {
6326 unsigned short dn_addr = __pcap_nametodnaddr(name);
6328 * I don't think DECNET hosts can be multihomed, so
6329 * there is no need to build up a list of addresses
6331 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6334 alist = pcap_nametoaddr(name);
6335 if (alist == NULL || *alist == NULL)
6336 bpf_error("unknown host '%s'", name);
6338 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6340 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6342 tmp = gen_host(**alist++, 0xffffffff,
6343 tproto, dir, q.addr);
6349 memset(&mask128, 0xff, sizeof(mask128));
6350 res0 = res = pcap_nametoaddrinfo(name);
6352 bpf_error("unknown host '%s'", name);
6355 tproto = tproto6 = proto;
6356 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6360 for (res = res0; res; res = res->ai_next) {
6361 switch (res->ai_family) {
6363 if (tproto == Q_IPV6)
6366 sin4 = (struct sockaddr_in *)
6368 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6369 0xffffffff, tproto, dir, q.addr);
6372 if (tproto6 == Q_IP)
6375 sin6 = (struct sockaddr_in6 *)
6377 tmp = gen_host6(&sin6->sin6_addr,
6378 &mask128, tproto6, dir, q.addr);
6390 bpf_error("unknown host '%s'%s", name,
6391 (proto == Q_DEFAULT)
6393 : " for specified address family");
6400 if (proto != Q_DEFAULT &&
6401 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6402 bpf_error("illegal qualifier of 'port'");
6403 if (pcap_nametoport(name, &port, &real_proto) == 0)
6404 bpf_error("unknown port '%s'", name);
6405 if (proto == Q_UDP) {
6406 if (real_proto == IPPROTO_TCP)
6407 bpf_error("port '%s' is tcp", name);
6408 else if (real_proto == IPPROTO_SCTP)
6409 bpf_error("port '%s' is sctp", name);
6411 /* override PROTO_UNDEF */
6412 real_proto = IPPROTO_UDP;
6414 if (proto == Q_TCP) {
6415 if (real_proto == IPPROTO_UDP)
6416 bpf_error("port '%s' is udp", name);
6418 else if (real_proto == IPPROTO_SCTP)
6419 bpf_error("port '%s' is sctp", name);
6421 /* override PROTO_UNDEF */
6422 real_proto = IPPROTO_TCP;
6424 if (proto == Q_SCTP) {
6425 if (real_proto == IPPROTO_UDP)
6426 bpf_error("port '%s' is udp", name);
6428 else if (real_proto == IPPROTO_TCP)
6429 bpf_error("port '%s' is tcp", name);
6431 /* override PROTO_UNDEF */
6432 real_proto = IPPROTO_SCTP;
6435 bpf_error("illegal port number %d < 0", port);
6437 bpf_error("illegal port number %d > 65535", port);
6438 b = gen_port(port, real_proto, dir);
6439 gen_or(gen_port6(port, real_proto, dir), b);
6443 if (proto != Q_DEFAULT &&
6444 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6445 bpf_error("illegal qualifier of 'portrange'");
6446 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6447 bpf_error("unknown port in range '%s'", name);
6448 if (proto == Q_UDP) {
6449 if (real_proto == IPPROTO_TCP)
6450 bpf_error("port in range '%s' is tcp", name);
6451 else if (real_proto == IPPROTO_SCTP)
6452 bpf_error("port in range '%s' is sctp", name);
6454 /* override PROTO_UNDEF */
6455 real_proto = IPPROTO_UDP;
6457 if (proto == Q_TCP) {
6458 if (real_proto == IPPROTO_UDP)
6459 bpf_error("port in range '%s' is udp", name);
6460 else if (real_proto == IPPROTO_SCTP)
6461 bpf_error("port in range '%s' is sctp", name);
6463 /* override PROTO_UNDEF */
6464 real_proto = IPPROTO_TCP;
6466 if (proto == Q_SCTP) {
6467 if (real_proto == IPPROTO_UDP)
6468 bpf_error("port in range '%s' is udp", name);
6469 else if (real_proto == IPPROTO_TCP)
6470 bpf_error("port in range '%s' is tcp", name);
6472 /* override PROTO_UNDEF */
6473 real_proto = IPPROTO_SCTP;
6476 bpf_error("illegal port number %d < 0", port1);
6478 bpf_error("illegal port number %d > 65535", port1);
6480 bpf_error("illegal port number %d < 0", port2);
6482 bpf_error("illegal port number %d > 65535", port2);
6484 b = gen_portrange(port1, port2, real_proto, dir);
6485 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6490 eaddr = pcap_ether_hostton(name);
6492 bpf_error("unknown ether host: %s", name);
6494 alist = pcap_nametoaddr(name);
6495 if (alist == NULL || *alist == NULL)
6496 bpf_error("unknown host '%s'", name);
6497 b = gen_gateway(eaddr, alist, proto, dir);
6501 bpf_error("'gateway' not supported in this configuration");
6505 real_proto = lookup_proto(name, proto);
6506 if (real_proto >= 0)
6507 return gen_proto(real_proto, proto, dir);
6509 bpf_error("unknown protocol: %s", name);
6512 real_proto = lookup_proto(name, proto);
6513 if (real_proto >= 0)
6514 return gen_protochain(real_proto, proto, dir);
6516 bpf_error("unknown protocol: %s", name);
6527 gen_mcode(s1, s2, masklen, q)
6528 register const char *s1, *s2;
6529 register int masklen;
6532 register int nlen, mlen;
6535 nlen = __pcap_atoin(s1, &n);
6536 /* Promote short ipaddr */
6540 mlen = __pcap_atoin(s2, &m);
6541 /* Promote short ipaddr */
6544 bpf_error("non-network bits set in \"%s mask %s\"",
6547 /* Convert mask len to mask */
6549 bpf_error("mask length must be <= 32");
6552 * X << 32 is not guaranteed by C to be 0; it's
6557 m = 0xffffffff << (32 - masklen);
6559 bpf_error("non-network bits set in \"%s/%d\"",
6566 return gen_host(n, m, q.proto, q.dir, q.addr);
6569 bpf_error("Mask syntax for networks only");
6578 register const char *s;
6583 int proto = q.proto;
6589 else if (q.proto == Q_DECNET)
6590 vlen = __pcap_atodn(s, &v);
6592 vlen = __pcap_atoin(s, &v);
6599 if (proto == Q_DECNET)
6600 return gen_host(v, 0, proto, dir, q.addr);
6601 else if (proto == Q_LINK) {
6602 bpf_error("illegal link layer address");
6605 if (s == NULL && q.addr == Q_NET) {
6606 /* Promote short net number */
6607 while (v && (v & 0xff000000) == 0) {
6612 /* Promote short ipaddr */
6616 return gen_host(v, mask, proto, dir, q.addr);
6621 proto = IPPROTO_UDP;
6622 else if (proto == Q_TCP)
6623 proto = IPPROTO_TCP;
6624 else if (proto == Q_SCTP)
6625 proto = IPPROTO_SCTP;
6626 else if (proto == Q_DEFAULT)
6627 proto = PROTO_UNDEF;
6629 bpf_error("illegal qualifier of 'port'");
6632 bpf_error("illegal port number %u > 65535", v);
6636 b = gen_port((int)v, proto, dir);
6637 gen_or(gen_port6((int)v, proto, dir), b);
6643 proto = IPPROTO_UDP;
6644 else if (proto == Q_TCP)
6645 proto = IPPROTO_TCP;
6646 else if (proto == Q_SCTP)
6647 proto = IPPROTO_SCTP;
6648 else if (proto == Q_DEFAULT)
6649 proto = PROTO_UNDEF;
6651 bpf_error("illegal qualifier of 'portrange'");
6654 bpf_error("illegal port number %u > 65535", v);
6658 b = gen_portrange((int)v, (int)v, proto, dir);
6659 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6664 bpf_error("'gateway' requires a name");
6668 return gen_proto((int)v, proto, dir);
6671 return gen_protochain((int)v, proto, dir);
6686 gen_mcode6(s1, s2, masklen, q)
6687 register const char *s1, *s2;
6688 register int masklen;
6691 struct addrinfo *res;
6692 struct in6_addr *addr;
6693 struct in6_addr mask;
6698 bpf_error("no mask %s supported", s2);
6700 res = pcap_nametoaddrinfo(s1);
6702 bpf_error("invalid ip6 address %s", s1);
6705 bpf_error("%s resolved to multiple address", s1);
6706 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6708 if (sizeof(mask) * 8 < masklen)
6709 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6710 memset(&mask, 0, sizeof(mask));
6711 memset(&mask, 0xff, masklen / 8);
6713 mask.s6_addr[masklen / 8] =
6714 (0xff << (8 - masklen % 8)) & 0xff;
6717 a = (u_int32_t *)addr;
6718 m = (u_int32_t *)&mask;
6719 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6720 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6721 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6729 bpf_error("Mask syntax for networks only");
6733 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6739 bpf_error("invalid qualifier against IPv6 address");
6748 register const u_char *eaddr;
6751 struct block *b, *tmp;
6753 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6756 case DLT_NETANALYZER:
6757 case DLT_NETANALYZER_TRANSPARENT:
6758 return gen_ehostop(eaddr, (int)q.dir);
6760 return gen_fhostop(eaddr, (int)q.dir);
6762 return gen_thostop(eaddr, (int)q.dir);
6763 case DLT_IEEE802_11:
6764 case DLT_PRISM_HEADER:
6765 case DLT_IEEE802_11_RADIO_AVS:
6766 case DLT_IEEE802_11_RADIO:
6768 return gen_wlanhostop(eaddr, (int)q.dir);
6772 * Check that the packet doesn't begin with an
6773 * LE Control marker. (We've already generated
6776 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6781 * Now check the MAC address.
6783 b = gen_ehostop(eaddr, (int)q.dir);
6788 case DLT_IP_OVER_FC:
6789 return gen_ipfchostop(eaddr, (int)q.dir);
6791 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6795 bpf_error("ethernet address used in non-ether expression");
6802 struct slist *s0, *s1;
6805 * This is definitely not the best way to do this, but the
6806 * lists will rarely get long.
6813 static struct slist *
6819 s = new_stmt(BPF_LDX|BPF_MEM);
6824 static struct slist *
6830 s = new_stmt(BPF_LD|BPF_MEM);
6836 * Modify "index" to use the value stored into its register as an
6837 * offset relative to the beginning of the header for the protocol
6838 * "proto", and allocate a register and put an item "size" bytes long
6839 * (1, 2, or 4) at that offset into that register, making it the register
6843 gen_load(proto, inst, size)
6848 struct slist *s, *tmp;
6850 int regno = alloc_reg();
6852 free_reg(inst->regno);
6856 bpf_error("data size must be 1, 2, or 4");
6872 bpf_error("unsupported index operation");
6876 * The offset is relative to the beginning of the packet
6877 * data, if we have a radio header. (If we don't, this
6880 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6881 linktype != DLT_IEEE802_11_RADIO &&
6882 linktype != DLT_PRISM_HEADER)
6883 bpf_error("radio information not present in capture");
6886 * Load into the X register the offset computed into the
6887 * register specified by "index".
6889 s = xfer_to_x(inst);
6892 * Load the item at that offset.
6894 tmp = new_stmt(BPF_LD|BPF_IND|size);
6896 sappend(inst->s, s);
6901 * The offset is relative to the beginning of
6902 * the link-layer header.
6904 * XXX - what about ATM LANE? Should the index be
6905 * relative to the beginning of the AAL5 frame, so
6906 * that 0 refers to the beginning of the LE Control
6907 * field, or relative to the beginning of the LAN
6908 * frame, so that 0 refers, for Ethernet LANE, to
6909 * the beginning of the destination address?
6911 s = gen_llprefixlen();
6914 * If "s" is non-null, it has code to arrange that the
6915 * X register contains the length of the prefix preceding
6916 * the link-layer header. Add to it the offset computed
6917 * into the register specified by "index", and move that
6918 * into the X register. Otherwise, just load into the X
6919 * register the offset computed into the register specified
6923 sappend(s, xfer_to_a(inst));
6924 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6925 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6927 s = xfer_to_x(inst);
6930 * Load the item at the sum of the offset we've put in the
6931 * X register and the offset of the start of the link
6932 * layer header (which is 0 if the radio header is
6933 * variable-length; that header length is what we put
6934 * into the X register and then added to the index).
6936 tmp = new_stmt(BPF_LD|BPF_IND|size);
6939 sappend(inst->s, s);
6953 * The offset is relative to the beginning of
6954 * the network-layer header.
6955 * XXX - are there any cases where we want
6958 s = gen_off_macpl();
6961 * If "s" is non-null, it has code to arrange that the
6962 * X register contains the offset of the MAC-layer
6963 * payload. Add to it the offset computed into the
6964 * register specified by "index", and move that into
6965 * the X register. Otherwise, just load into the X
6966 * register the offset computed into the register specified
6970 sappend(s, xfer_to_a(inst));
6971 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6972 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6974 s = xfer_to_x(inst);
6977 * Load the item at the sum of the offset we've put in the
6978 * X register, the offset of the start of the network
6979 * layer header from the beginning of the MAC-layer
6980 * payload, and the purported offset of the start of the
6981 * MAC-layer payload (which might be 0 if there's a
6982 * variable-length prefix before the link-layer header
6983 * or the link-layer header itself is variable-length;
6984 * the variable-length offset of the start of the
6985 * MAC-layer payload is what we put into the X register
6986 * and then added to the index).
6988 tmp = new_stmt(BPF_LD|BPF_IND|size);
6989 tmp->s.k = off_macpl + off_nl;
6991 sappend(inst->s, s);
6994 * Do the computation only if the packet contains
6995 * the protocol in question.
6997 b = gen_proto_abbrev(proto);
6999 gen_and(inst->b, b);
7013 * The offset is relative to the beginning of
7014 * the transport-layer header.
7016 * Load the X register with the length of the IPv4 header
7017 * (plus the offset of the link-layer header, if it's
7018 * a variable-length header), in bytes.
7020 * XXX - are there any cases where we want
7022 * XXX - we should, if we're built with
7023 * IPv6 support, generate code to load either
7024 * IPv4, IPv6, or both, as appropriate.
7026 s = gen_loadx_iphdrlen();
7029 * The X register now contains the sum of the length
7030 * of any variable-length header preceding the link-layer
7031 * header, any variable-length link-layer header, and the
7032 * length of the network-layer header.
7034 * Load into the A register the offset relative to
7035 * the beginning of the transport layer header,
7036 * add the X register to that, move that to the
7037 * X register, and load with an offset from the
7038 * X register equal to the offset of the network
7039 * layer header relative to the beginning of
7040 * the MAC-layer payload plus the fixed-length
7041 * portion of the offset of the MAC-layer payload
7042 * from the beginning of the raw packet data.
7044 sappend(s, xfer_to_a(inst));
7045 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
7046 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
7047 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
7048 tmp->s.k = off_macpl + off_nl;
7049 sappend(inst->s, s);
7052 * Do the computation only if the packet contains
7053 * the protocol in question - which is true only
7054 * if this is an IP datagram and is the first or
7055 * only fragment of that datagram.
7057 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
7059 gen_and(inst->b, b);
7060 gen_and(gen_proto_abbrev(Q_IP), b);
7064 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
7067 inst->regno = regno;
7068 s = new_stmt(BPF_ST);
7070 sappend(inst->s, s);
7076 gen_relation(code, a0, a1, reversed)
7078 struct arth *a0, *a1;
7081 struct slist *s0, *s1, *s2;
7082 struct block *b, *tmp;
7086 if (code == BPF_JEQ) {
7087 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
7088 b = new_block(JMP(code));
7092 b = new_block(BPF_JMP|code|BPF_X);
7098 sappend(a0->s, a1->s);
7102 free_reg(a0->regno);
7103 free_reg(a1->regno);
7105 /* 'and' together protocol checks */
7108 gen_and(a0->b, tmp = a1->b);
7124 int regno = alloc_reg();
7125 struct arth *a = (struct arth *)newchunk(sizeof(*a));
7128 s = new_stmt(BPF_LD|BPF_LEN);
7129 s->next = new_stmt(BPF_ST);
7130 s->next->s.k = regno;
7145 a = (struct arth *)newchunk(sizeof(*a));
7149 s = new_stmt(BPF_LD|BPF_IMM);
7151 s->next = new_stmt(BPF_ST);
7167 s = new_stmt(BPF_ALU|BPF_NEG);
7170 s = new_stmt(BPF_ST);
7178 gen_arth(code, a0, a1)
7180 struct arth *a0, *a1;
7182 struct slist *s0, *s1, *s2;
7186 s2 = new_stmt(BPF_ALU|BPF_X|code);
7191 sappend(a0->s, a1->s);
7193 free_reg(a0->regno);
7194 free_reg(a1->regno);
7196 s0 = new_stmt(BPF_ST);
7197 a0->regno = s0->s.k = alloc_reg();
7204 * Here we handle simple allocation of the scratch registers.
7205 * If too many registers are alloc'd, the allocator punts.
7207 static int regused[BPF_MEMWORDS];
7211 * Initialize the table of used registers and the current register.
7217 memset(regused, 0, sizeof regused);
7221 * Return the next free register.
7226 int n = BPF_MEMWORDS;
7229 if (regused[curreg])
7230 curreg = (curreg + 1) % BPF_MEMWORDS;
7232 regused[curreg] = 1;
7236 bpf_error("too many registers needed to evaluate expression");
7242 * Return a register to the table so it can
7252 static struct block *
7259 s = new_stmt(BPF_LD|BPF_LEN);
7260 b = new_block(JMP(jmp));
7271 return gen_len(BPF_JGE, n);
7275 * Actually, this is less than or equal.
7283 b = gen_len(BPF_JGT, n);
7290 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7291 * the beginning of the link-layer header.
7292 * XXX - that means you can't test values in the radiotap header, but
7293 * as that header is difficult if not impossible to parse generally
7294 * without a loop, that might not be a severe problem. A new keyword
7295 * "radio" could be added for that, although what you'd really want
7296 * would be a way of testing particular radio header values, which
7297 * would generate code appropriate to the radio header in question.
7300 gen_byteop(op, idx, val)
7311 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7314 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7318 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7322 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7326 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7330 b = new_block(JMP(BPF_JEQ));
7337 static u_char abroadcast[] = { 0x0 };
7340 gen_broadcast(proto)
7343 bpf_u_int32 hostmask;
7344 struct block *b0, *b1, *b2;
7345 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7353 case DLT_ARCNET_LINUX:
7354 return gen_ahostop(abroadcast, Q_DST);
7356 case DLT_NETANALYZER:
7357 case DLT_NETANALYZER_TRANSPARENT:
7358 return gen_ehostop(ebroadcast, Q_DST);
7360 return gen_fhostop(ebroadcast, Q_DST);
7362 return gen_thostop(ebroadcast, Q_DST);
7363 case DLT_IEEE802_11:
7364 case DLT_PRISM_HEADER:
7365 case DLT_IEEE802_11_RADIO_AVS:
7366 case DLT_IEEE802_11_RADIO:
7368 return gen_wlanhostop(ebroadcast, Q_DST);
7369 case DLT_IP_OVER_FC:
7370 return gen_ipfchostop(ebroadcast, Q_DST);
7374 * Check that the packet doesn't begin with an
7375 * LE Control marker. (We've already generated
7378 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7383 * Now check the MAC address.
7385 b0 = gen_ehostop(ebroadcast, Q_DST);
7391 bpf_error("not a broadcast link");
7397 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7398 * as an indication that we don't know the netmask, and fail
7401 if (netmask == PCAP_NETMASK_UNKNOWN)
7402 bpf_error("netmask not known, so 'ip broadcast' not supported");
7403 b0 = gen_linktype(ETHERTYPE_IP);
7404 hostmask = ~netmask;
7405 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7406 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7407 (bpf_int32)(~0 & hostmask), hostmask);
7412 bpf_error("only link-layer/IP broadcast filters supported");
7418 * Generate code to test the low-order bit of a MAC address (that's
7419 * the bottom bit of the *first* byte).
7421 static struct block *
7422 gen_mac_multicast(offset)
7425 register struct block *b0;
7426 register struct slist *s;
7428 /* link[offset] & 1 != 0 */
7429 s = gen_load_a(OR_LINK, offset, BPF_B);
7430 b0 = new_block(JMP(BPF_JSET));
7437 gen_multicast(proto)
7440 register struct block *b0, *b1, *b2;
7441 register struct slist *s;
7449 case DLT_ARCNET_LINUX:
7450 /* all ARCnet multicasts use the same address */
7451 return gen_ahostop(abroadcast, Q_DST);
7453 case DLT_NETANALYZER:
7454 case DLT_NETANALYZER_TRANSPARENT:
7455 /* ether[0] & 1 != 0 */
7456 return gen_mac_multicast(0);
7459 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7461 * XXX - was that referring to bit-order issues?
7463 /* fddi[1] & 1 != 0 */
7464 return gen_mac_multicast(1);
7466 /* tr[2] & 1 != 0 */
7467 return gen_mac_multicast(2);
7468 case DLT_IEEE802_11:
7469 case DLT_PRISM_HEADER:
7470 case DLT_IEEE802_11_RADIO_AVS:
7471 case DLT_IEEE802_11_RADIO:
7476 * For control frames, there is no DA.
7478 * For management frames, DA is at an
7479 * offset of 4 from the beginning of
7482 * For data frames, DA is at an offset
7483 * of 4 from the beginning of the packet
7484 * if To DS is clear and at an offset of
7485 * 16 from the beginning of the packet
7490 * Generate the tests to be done for data frames.
7492 * First, check for To DS set, i.e. "link[1] & 0x01".
7494 s = gen_load_a(OR_LINK, 1, BPF_B);
7495 b1 = new_block(JMP(BPF_JSET));
7496 b1->s.k = 0x01; /* To DS */
7500 * If To DS is set, the DA is at 16.
7502 b0 = gen_mac_multicast(16);
7506 * Now, check for To DS not set, i.e. check
7507 * "!(link[1] & 0x01)".
7509 s = gen_load_a(OR_LINK, 1, BPF_B);
7510 b2 = new_block(JMP(BPF_JSET));
7511 b2->s.k = 0x01; /* To DS */
7516 * If To DS is not set, the DA is at 4.
7518 b1 = gen_mac_multicast(4);
7522 * Now OR together the last two checks. That gives
7523 * the complete set of checks for data frames.
7528 * Now check for a data frame.
7529 * I.e, check "link[0] & 0x08".
7531 s = gen_load_a(OR_LINK, 0, BPF_B);
7532 b1 = new_block(JMP(BPF_JSET));
7537 * AND that with the checks done for data frames.
7542 * If the high-order bit of the type value is 0, this
7543 * is a management frame.
7544 * I.e, check "!(link[0] & 0x08)".
7546 s = gen_load_a(OR_LINK, 0, BPF_B);
7547 b2 = new_block(JMP(BPF_JSET));
7553 * For management frames, the DA is at 4.
7555 b1 = gen_mac_multicast(4);
7559 * OR that with the checks done for data frames.
7560 * That gives the checks done for management and
7566 * If the low-order bit of the type value is 1,
7567 * this is either a control frame or a frame
7568 * with a reserved type, and thus not a
7571 * I.e., check "!(link[0] & 0x04)".
7573 s = gen_load_a(OR_LINK, 0, BPF_B);
7574 b1 = new_block(JMP(BPF_JSET));
7580 * AND that with the checks for data and management
7585 case DLT_IP_OVER_FC:
7586 b0 = gen_mac_multicast(2);
7591 * Check that the packet doesn't begin with an
7592 * LE Control marker. (We've already generated
7595 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7599 /* ether[off_mac] & 1 != 0 */
7600 b0 = gen_mac_multicast(off_mac);
7608 /* Link not known to support multicasts */
7612 b0 = gen_linktype(ETHERTYPE_IP);
7613 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7618 b0 = gen_linktype(ETHERTYPE_IPV6);
7619 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7623 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7629 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7630 * Outbound traffic is sent by this machine, while inbound traffic is
7631 * sent by a remote machine (and may include packets destined for a
7632 * unicast or multicast link-layer address we are not subscribing to).
7633 * These are the same definitions implemented by pcap_setdirection().
7634 * Capturing only unicast traffic destined for this host is probably
7635 * better accomplished using a higher-layer filter.
7641 register struct block *b0;
7644 * Only some data link types support inbound/outbound qualifiers.
7648 b0 = gen_relation(BPF_JEQ,
7649 gen_load(Q_LINK, gen_loadi(0), 1),
7656 /* match outgoing packets */
7657 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7659 /* match incoming packets */
7660 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7665 /* match outgoing packets */
7666 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7668 /* to filter on inbound traffic, invert the match */
7673 #ifdef HAVE_NET_PFVAR_H
7675 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7676 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7682 /* match outgoing packets */
7683 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7685 /* match incoming packets */
7686 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7690 case DLT_JUNIPER_MFR:
7691 case DLT_JUNIPER_MLFR:
7692 case DLT_JUNIPER_MLPPP:
7693 case DLT_JUNIPER_ATM1:
7694 case DLT_JUNIPER_ATM2:
7695 case DLT_JUNIPER_PPPOE:
7696 case DLT_JUNIPER_PPPOE_ATM:
7697 case DLT_JUNIPER_GGSN:
7698 case DLT_JUNIPER_ES:
7699 case DLT_JUNIPER_MONITOR:
7700 case DLT_JUNIPER_SERVICES:
7701 case DLT_JUNIPER_ETHER:
7702 case DLT_JUNIPER_PPP:
7703 case DLT_JUNIPER_FRELAY:
7704 case DLT_JUNIPER_CHDLC:
7705 case DLT_JUNIPER_VP:
7706 case DLT_JUNIPER_ST:
7707 case DLT_JUNIPER_ISM:
7708 case DLT_JUNIPER_VS:
7709 case DLT_JUNIPER_SRX_E2E:
7710 case DLT_JUNIPER_FIBRECHANNEL:
7711 case DLT_JUNIPER_ATM_CEMIC:
7713 /* juniper flags (including direction) are stored
7714 * the byte after the 3-byte magic number */
7716 /* match outgoing packets */
7717 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7719 /* match incoming packets */
7720 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7726 * If we have packet meta-data indicating a direction,
7727 * check it, otherwise give up as this link-layer type
7728 * has nothing in the packet data.
7730 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7732 * This is Linux with PF_PACKET support.
7733 * If this is a *live* capture, we can look at
7734 * special meta-data in the filter expression;
7735 * if it's a savefile, we can't.
7737 if (bpf_pcap->rfile != NULL) {
7738 /* We have a FILE *, so this is a savefile */
7739 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7744 /* match outgoing packets */
7745 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7748 /* to filter on inbound traffic, invert the match */
7751 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7752 bpf_error("inbound/outbound not supported on linktype %d",
7756 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7761 #ifdef HAVE_NET_PFVAR_H
7762 /* PF firewall log matched interface */
7764 gen_pf_ifname(const char *ifname)
7769 if (linktype != DLT_PFLOG) {
7770 bpf_error("ifname supported only on PF linktype");
7773 len = sizeof(((struct pfloghdr *)0)->ifname);
7774 off = offsetof(struct pfloghdr, ifname);
7775 if (strlen(ifname) >= len) {
7776 bpf_error("ifname interface names can only be %d characters",
7780 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7784 /* PF firewall log ruleset name */
7786 gen_pf_ruleset(char *ruleset)
7790 if (linktype != DLT_PFLOG) {
7791 bpf_error("ruleset supported only on PF linktype");
7795 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7796 bpf_error("ruleset names can only be %ld characters",
7797 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7801 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7802 strlen(ruleset), (const u_char *)ruleset);
7806 /* PF firewall log rule number */
7812 if (linktype != DLT_PFLOG) {
7813 bpf_error("rnr supported only on PF linktype");
7817 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7822 /* PF firewall log sub-rule number */
7824 gen_pf_srnr(int srnr)
7828 if (linktype != DLT_PFLOG) {
7829 bpf_error("srnr supported only on PF linktype");
7833 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7838 /* PF firewall log reason code */
7840 gen_pf_reason(int reason)
7844 if (linktype != DLT_PFLOG) {
7845 bpf_error("reason supported only on PF linktype");
7849 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7854 /* PF firewall log action */
7856 gen_pf_action(int action)
7860 if (linktype != DLT_PFLOG) {
7861 bpf_error("action supported only on PF linktype");
7865 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7869 #else /* !HAVE_NET_PFVAR_H */
7871 gen_pf_ifname(const char *ifname)
7873 bpf_error("libpcap was compiled without pf support");
7879 gen_pf_ruleset(char *ruleset)
7881 bpf_error("libpcap was compiled on a machine without pf support");
7889 bpf_error("libpcap was compiled on a machine without pf support");
7895 gen_pf_srnr(int srnr)
7897 bpf_error("libpcap was compiled on a machine without pf support");
7903 gen_pf_reason(int reason)
7905 bpf_error("libpcap was compiled on a machine without pf support");
7911 gen_pf_action(int action)
7913 bpf_error("libpcap was compiled on a machine without pf support");
7917 #endif /* HAVE_NET_PFVAR_H */
7919 /* IEEE 802.11 wireless header */
7921 gen_p80211_type(int type, int mask)
7927 case DLT_IEEE802_11:
7928 case DLT_PRISM_HEADER:
7929 case DLT_IEEE802_11_RADIO_AVS:
7930 case DLT_IEEE802_11_RADIO:
7931 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7936 bpf_error("802.11 link-layer types supported only on 802.11");
7944 gen_p80211_fcdir(int fcdir)
7950 case DLT_IEEE802_11:
7951 case DLT_PRISM_HEADER:
7952 case DLT_IEEE802_11_RADIO_AVS:
7953 case DLT_IEEE802_11_RADIO:
7957 bpf_error("frame direction supported only with 802.11 headers");
7961 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7962 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7969 register const u_char *eaddr;
7975 case DLT_ARCNET_LINUX:
7976 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7978 return (gen_ahostop(eaddr, (int)q.dir));
7980 bpf_error("ARCnet address used in non-arc expression");
7986 bpf_error("aid supported only on ARCnet");
7989 bpf_error("ARCnet address used in non-arc expression");
7994 static struct block *
7995 gen_ahostop(eaddr, dir)
7996 register const u_char *eaddr;
7999 register struct block *b0, *b1;
8002 /* src comes first, different from Ethernet */
8004 return gen_bcmp(OR_LINK, 0, 1, eaddr);
8007 return gen_bcmp(OR_LINK, 1, 1, eaddr);
8010 b0 = gen_ahostop(eaddr, Q_SRC);
8011 b1 = gen_ahostop(eaddr, Q_DST);
8017 b0 = gen_ahostop(eaddr, Q_SRC);
8018 b1 = gen_ahostop(eaddr, Q_DST);
8023 bpf_error("'addr1' is only supported on 802.11");
8027 bpf_error("'addr2' is only supported on 802.11");
8031 bpf_error("'addr3' is only supported on 802.11");
8035 bpf_error("'addr4' is only supported on 802.11");
8039 bpf_error("'ra' is only supported on 802.11");
8043 bpf_error("'ta' is only supported on 802.11");
8051 * support IEEE 802.1Q VLAN trunk over ethernet
8057 struct block *b0, *b1;
8059 /* can't check for VLAN-encapsulated packets inside MPLS */
8060 if (label_stack_depth > 0)
8061 bpf_error("no VLAN match after MPLS");
8064 * Check for a VLAN packet, and then change the offsets to point
8065 * to the type and data fields within the VLAN packet. Just
8066 * increment the offsets, so that we can support a hierarchy, e.g.
8067 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8070 * XXX - this is a bit of a kludge. If we were to split the
8071 * compiler into a parser that parses an expression and
8072 * generates an expression tree, and a code generator that
8073 * takes an expression tree (which could come from our
8074 * parser or from some other parser) and generates BPF code,
8075 * we could perhaps make the offsets parameters of routines
8076 * and, in the handler for an "AND" node, pass to subnodes
8077 * other than the VLAN node the adjusted offsets.
8079 * This would mean that "vlan" would, instead of changing the
8080 * behavior of *all* tests after it, change only the behavior
8081 * of tests ANDed with it. That would change the documented
8082 * semantics of "vlan", which might break some expressions.
8083 * However, it would mean that "(vlan and ip) or ip" would check
8084 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8085 * checking only for VLAN-encapsulated IP, so that could still
8086 * be considered worth doing; it wouldn't break expressions
8087 * that are of the form "vlan and ..." or "vlan N and ...",
8088 * which I suspect are the most common expressions involving
8089 * "vlan". "vlan or ..." doesn't necessarily do what the user
8090 * would really want, now, as all the "or ..." tests would
8091 * be done assuming a VLAN, even though the "or" could be viewed
8092 * as meaning "or, if this isn't a VLAN packet...".
8099 case DLT_NETANALYZER:
8100 case DLT_NETANALYZER_TRANSPARENT:
8101 /* check for VLAN, including QinQ */
8102 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
8103 (bpf_int32)ETHERTYPE_8021Q);
8104 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H,
8105 (bpf_int32)ETHERTYPE_8021QINQ);
8109 /* If a specific VLAN is requested, check VLAN id */
8110 if (vlan_num >= 0) {
8111 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
8112 (bpf_int32)vlan_num, 0x0fff);
8126 bpf_error("no VLAN support for data link type %d",
8141 struct block *b0,*b1;
8144 * Change the offsets to point to the type and data fields within
8145 * the MPLS packet. Just increment the offsets, so that we
8146 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8147 * capture packets with an outer label of 100000 and an inner
8150 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8154 if (label_stack_depth > 0) {
8155 /* just match the bottom-of-stack bit clear */
8156 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
8159 * Indicate that we're checking MPLS-encapsulated headers,
8160 * to make sure higher level code generators don't try to
8161 * match against IP-related protocols such as Q_ARP, Q_RARP
8166 case DLT_C_HDLC: /* fall through */
8168 case DLT_NETANALYZER:
8169 case DLT_NETANALYZER_TRANSPARENT:
8170 b0 = gen_linktype(ETHERTYPE_MPLS);
8174 b0 = gen_linktype(PPP_MPLS_UCAST);
8177 /* FIXME add other DLT_s ...
8178 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8179 * leave it for now */
8182 bpf_error("no MPLS support for data link type %d",
8190 /* If a specific MPLS label is requested, check it */
8191 if (label_num >= 0) {
8192 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8193 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
8194 0xfffff000); /* only compare the first 20 bits */
8201 label_stack_depth++;
8206 * Support PPPOE discovery and session.
8211 /* check for PPPoE discovery */
8212 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8216 gen_pppoes(sess_num)
8219 struct block *b0, *b1;
8222 * Test against the PPPoE session link-layer type.
8224 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8227 * Change the offsets to point to the type and data fields within
8228 * the PPP packet, and note that this is PPPoE rather than
8231 * XXX - this is a bit of a kludge. If we were to split the
8232 * compiler into a parser that parses an expression and
8233 * generates an expression tree, and a code generator that
8234 * takes an expression tree (which could come from our
8235 * parser or from some other parser) and generates BPF code,
8236 * we could perhaps make the offsets parameters of routines
8237 * and, in the handler for an "AND" node, pass to subnodes
8238 * other than the PPPoE node the adjusted offsets.
8240 * This would mean that "pppoes" would, instead of changing the
8241 * behavior of *all* tests after it, change only the behavior
8242 * of tests ANDed with it. That would change the documented
8243 * semantics of "pppoes", which might break some expressions.
8244 * However, it would mean that "(pppoes and ip) or ip" would check
8245 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8246 * checking only for VLAN-encapsulated IP, so that could still
8247 * be considered worth doing; it wouldn't break expressions
8248 * that are of the form "pppoes and ..." which I suspect are the
8249 * most common expressions involving "pppoes". "pppoes or ..."
8250 * doesn't necessarily do what the user would really want, now,
8251 * as all the "or ..." tests would be done assuming PPPoE, even
8252 * though the "or" could be viewed as meaning "or, if this isn't
8253 * a PPPoE packet...".
8255 orig_linktype = off_linktype; /* save original values */
8259 /* If a specific session is requested, check PPPoE session id */
8260 if (sess_num >= 0) {
8261 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W,
8262 (bpf_int32)sess_num, 0x0000ffff);
8268 * The "network-layer" protocol is PPPoE, which has a 6-byte
8269 * PPPoE header, followed by a PPP packet.
8271 * There is no HDLC encapsulation for the PPP packet (it's
8272 * encapsulated in PPPoES instead), so the link-layer type
8273 * starts at the first byte of the PPP packet. For PPPoE,
8274 * that offset is relative to the beginning of the total
8275 * link-layer payload, including any 802.2 LLC header, so
8276 * it's 6 bytes past off_nl.
8278 off_linktype = off_nl + 6;
8281 * The network-layer offsets are relative to the beginning
8282 * of the MAC-layer payload; that's past the 6-byte
8283 * PPPoE header and the 2-byte PPP header.
8286 off_nl_nosnap = 6+2;
8292 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8304 bpf_error("'vpi' supported only on raw ATM");
8305 if (off_vpi == (u_int)-1)
8307 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8313 bpf_error("'vci' supported only on raw ATM");
8314 if (off_vci == (u_int)-1)
8316 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8321 if (off_proto == (u_int)-1)
8322 abort(); /* XXX - this isn't on FreeBSD */
8323 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8328 if (off_payload == (u_int)-1)
8330 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8331 0xffffffff, jtype, reverse, jvalue);
8336 bpf_error("'callref' supported only on raw ATM");
8337 if (off_proto == (u_int)-1)
8339 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8340 jtype, reverse, jvalue);
8350 gen_atmtype_abbrev(type)
8353 struct block *b0, *b1;
8358 /* Get all packets in Meta signalling Circuit */
8360 bpf_error("'metac' supported only on raw ATM");
8361 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8362 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8367 /* Get all packets in Broadcast Circuit*/
8369 bpf_error("'bcc' supported only on raw ATM");
8370 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8371 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8376 /* Get all cells in Segment OAM F4 circuit*/
8378 bpf_error("'oam4sc' supported only on raw ATM");
8379 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8380 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8385 /* Get all cells in End-to-End OAM F4 Circuit*/
8387 bpf_error("'oam4ec' supported only on raw ATM");
8388 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8389 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8394 /* Get all packets in connection Signalling Circuit */
8396 bpf_error("'sc' supported only on raw ATM");
8397 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8398 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8403 /* Get all packets in ILMI Circuit */
8405 bpf_error("'ilmic' supported only on raw ATM");
8406 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8407 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8412 /* Get all LANE packets */
8414 bpf_error("'lane' supported only on raw ATM");
8415 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8418 * Arrange that all subsequent tests assume LANE
8419 * rather than LLC-encapsulated packets, and set
8420 * the offsets appropriately for LANE-encapsulated
8423 * "off_mac" is the offset of the Ethernet header,
8424 * which is 2 bytes past the ATM pseudo-header
8425 * (skipping the pseudo-header and 2-byte LE Client
8426 * field). The other offsets are Ethernet offsets
8427 * relative to "off_mac".
8430 off_mac = off_payload + 2; /* MAC header */
8431 off_linktype = off_mac + 12;
8432 off_macpl = off_mac + 14; /* Ethernet */
8433 off_nl = 0; /* Ethernet II */
8434 off_nl_nosnap = 3; /* 802.3+802.2 */
8438 /* Get all LLC-encapsulated packets */
8440 bpf_error("'llc' supported only on raw ATM");
8441 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8452 * Filtering for MTP2 messages based on li value
8453 * FISU, length is null
8454 * LSSU, length is 1 or 2
8455 * MSU, length is 3 or more
8456 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8459 gen_mtp2type_abbrev(type)
8462 struct block *b0, *b1;
8467 if ( (linktype != DLT_MTP2) &&
8468 (linktype != DLT_ERF) &&
8469 (linktype != DLT_MTP2_WITH_PHDR) )
8470 bpf_error("'fisu' supported only on MTP2");
8471 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8472 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8476 if ( (linktype != DLT_MTP2) &&
8477 (linktype != DLT_ERF) &&
8478 (linktype != DLT_MTP2_WITH_PHDR) )
8479 bpf_error("'lssu' supported only on MTP2");
8480 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8481 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8486 if ( (linktype != DLT_MTP2) &&
8487 (linktype != DLT_ERF) &&
8488 (linktype != DLT_MTP2_WITH_PHDR) )
8489 bpf_error("'msu' supported only on MTP2");
8490 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8494 if ( (linktype != DLT_MTP2) &&
8495 (linktype != DLT_ERF) &&
8496 (linktype != DLT_MTP2_WITH_PHDR) )
8497 bpf_error("'hfisu' supported only on MTP2_HSL");
8498 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8499 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
8503 if ( (linktype != DLT_MTP2) &&
8504 (linktype != DLT_ERF) &&
8505 (linktype != DLT_MTP2_WITH_PHDR) )
8506 bpf_error("'hlssu' supported only on MTP2_HSL");
8507 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
8508 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
8513 if ( (linktype != DLT_MTP2) &&
8514 (linktype != DLT_ERF) &&
8515 (linktype != DLT_MTP2_WITH_PHDR) )
8516 bpf_error("'hmsu' supported only on MTP2_HSL");
8517 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
8527 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8534 bpf_u_int32 val1 , val2 , val3;
8535 u_int newoff_sio=off_sio;
8536 u_int newoff_opc=off_opc;
8537 u_int newoff_dpc=off_dpc;
8538 u_int newoff_sls=off_sls;
8540 switch (mtp3field) {
8543 newoff_sio += 3; /* offset for MTP2_HSL */
8547 if (off_sio == (u_int)-1)
8548 bpf_error("'sio' supported only on SS7");
8549 /* sio coded on 1 byte so max value 255 */
8551 bpf_error("sio value %u too big; max value = 255",
8553 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
8554 (u_int)jtype, reverse, (u_int)jvalue);
8560 if (off_opc == (u_int)-1)
8561 bpf_error("'opc' supported only on SS7");
8562 /* opc coded on 14 bits so max value 16383 */
8564 bpf_error("opc value %u too big; max value = 16383",
8566 /* the following instructions are made to convert jvalue
8567 * to the form used to write opc in an ss7 message*/
8568 val1 = jvalue & 0x00003c00;
8570 val2 = jvalue & 0x000003fc;
8572 val3 = jvalue & 0x00000003;
8574 jvalue = val1 + val2 + val3;
8575 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
8576 (u_int)jtype, reverse, (u_int)jvalue);
8584 if (off_dpc == (u_int)-1)
8585 bpf_error("'dpc' supported only on SS7");
8586 /* dpc coded on 14 bits so max value 16383 */
8588 bpf_error("dpc value %u too big; max value = 16383",
8590 /* the following instructions are made to convert jvalue
8591 * to the forme used to write dpc in an ss7 message*/
8592 val1 = jvalue & 0x000000ff;
8594 val2 = jvalue & 0x00003f00;
8596 jvalue = val1 + val2;
8597 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
8598 (u_int)jtype, reverse, (u_int)jvalue);
8604 if (off_sls == (u_int)-1)
8605 bpf_error("'sls' supported only on SS7");
8606 /* sls coded on 4 bits so max value 15 */
8608 bpf_error("sls value %u too big; max value = 15",
8610 /* the following instruction is made to convert jvalue
8611 * to the forme used to write sls in an ss7 message*/
8612 jvalue = jvalue << 4;
8613 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0,
8614 (u_int)jtype,reverse, (u_int)jvalue);
8623 static struct block *
8624 gen_msg_abbrev(type)
8630 * Q.2931 signalling protocol messages for handling virtual circuits
8631 * establishment and teardown
8636 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8640 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8644 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8648 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8652 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8655 case A_RELEASE_DONE:
8656 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8666 gen_atmmulti_abbrev(type)
8669 struct block *b0, *b1;
8675 bpf_error("'oam' supported only on raw ATM");
8676 b1 = gen_atmmulti_abbrev(A_OAMF4);
8681 bpf_error("'oamf4' supported only on raw ATM");
8683 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8684 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8686 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8692 * Get Q.2931 signalling messages for switched
8693 * virtual connection
8696 bpf_error("'connectmsg' supported only on raw ATM");
8697 b0 = gen_msg_abbrev(A_SETUP);
8698 b1 = gen_msg_abbrev(A_CALLPROCEED);
8700 b0 = gen_msg_abbrev(A_CONNECT);
8702 b0 = gen_msg_abbrev(A_CONNECTACK);
8704 b0 = gen_msg_abbrev(A_RELEASE);
8706 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8708 b0 = gen_atmtype_abbrev(A_SC);
8714 bpf_error("'metaconnect' supported only on raw ATM");
8715 b0 = gen_msg_abbrev(A_SETUP);
8716 b1 = gen_msg_abbrev(A_CALLPROCEED);
8718 b0 = gen_msg_abbrev(A_CONNECT);
8720 b0 = gen_msg_abbrev(A_RELEASE);
8722 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8724 b0 = gen_atmtype_abbrev(A_METAC);