1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
27 #include <pcap-types.h>
31 #include <sys/socket.h>
34 #include <sys/param.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
53 #include "ethertype.h"
57 #include "ieee80211.h"
59 #include "sunatmpos.h"
62 #include "pcap/ipnet.h"
68 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
69 #include <linux/types.h>
70 #include <linux/if_packet.h>
71 #include <linux/filter.h>
74 #ifdef HAVE_NET_PFVAR_H
75 #include <sys/socket.h>
77 #include <net/pfvar.h>
78 #include <net/if_pflog.h>
82 #define offsetof(s, e) ((size_t)&((s *)0)->e)
87 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
94 uint16_t u6_addr16[8];
95 uint32_t u6_addr32[4];
97 #define s6_addr in6_u.u6_addr8
98 #define s6_addr16 in6_u.u6_addr16
99 #define s6_addr32 in6_u.u6_addr32
100 #define s6_addr64 in6_u.u6_addr64
103 typedef unsigned short sa_family_t;
105 #define __SOCKADDR_COMMON(sa_prefix) \
106 sa_family_t sa_prefix##family
108 /* Ditto, for IPv6. */
111 __SOCKADDR_COMMON (sin6_);
112 uint16_t sin6_port; /* Transport layer port # */
113 uint32_t sin6_flowinfo; /* IPv6 flow information */
114 struct in6_addr sin6_addr; /* IPv6 address */
117 #ifndef EAI_ADDRFAMILY
119 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
120 int ai_family; /* PF_xxx */
121 int ai_socktype; /* SOCK_xxx */
122 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
123 size_t ai_addrlen; /* length of ai_addr */
124 char *ai_canonname; /* canonical name for hostname */
125 struct sockaddr *ai_addr; /* binary address */
126 struct addrinfo *ai_next; /* next structure in linked list */
128 #endif /* EAI_ADDRFAMILY */
129 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
132 #include <netdb.h> /* for "struct addrinfo" */
134 #include <pcap/namedb.h>
136 #include "nametoaddr.h"
138 #define ETHERMTU 1500
140 #ifndef ETHERTYPE_TEB
141 #define ETHERTYPE_TEB 0x6558
144 #ifndef IPPROTO_HOPOPTS
145 #define IPPROTO_HOPOPTS 0
147 #ifndef IPPROTO_ROUTING
148 #define IPPROTO_ROUTING 43
150 #ifndef IPPROTO_FRAGMENT
151 #define IPPROTO_FRAGMENT 44
153 #ifndef IPPROTO_DSTOPTS
154 #define IPPROTO_DSTOPTS 60
157 #define IPPROTO_SCTP 132
160 #define GENEVE_PORT 6081
162 #ifdef HAVE_OS_PROTO_H
163 #include "os-proto.h"
166 #define JMP(c) ((c)|BPF_JMP|BPF_K)
169 * "Push" the current value of the link-layer header type and link-layer
170 * header offset onto a "stack", and set a new value. (It's not a
171 * full-blown stack; we keep only the top two items.)
173 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
175 (cs)->prevlinktype = (cs)->linktype; \
176 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
177 (cs)->linktype = (new_linktype); \
178 (cs)->off_linkhdr.is_variable = (new_is_variable); \
179 (cs)->off_linkhdr.constant_part = (new_constant_part); \
180 (cs)->off_linkhdr.reg = (new_reg); \
181 (cs)->is_geneve = 0; \
185 * Offset "not set" value.
187 #define OFFSET_NOT_SET 0xffffffffU
190 * Absolute offsets, which are offsets from the beginning of the raw
191 * packet data, are, in the general case, the sum of a variable value
192 * and a constant value; the variable value may be absent, in which
193 * case the offset is only the constant value, and the constant value
194 * may be zero, in which case the offset is only the variable value.
196 * bpf_abs_offset is a structure containing all that information:
198 * is_variable is 1 if there's a variable part.
200 * constant_part is the constant part of the value, possibly zero;
202 * if is_variable is 1, reg is the register number for a register
203 * containing the variable value if the register has been assigned,
213 * Value passed to gen_load_a() to indicate what the offset argument
214 * is relative to the beginning of.
217 OR_PACKET, /* full packet data */
218 OR_LINKHDR, /* link-layer header */
219 OR_PREVLINKHDR, /* previous link-layer header */
220 OR_LLC, /* 802.2 LLC header */
221 OR_PREVMPLSHDR, /* previous MPLS header */
222 OR_LINKTYPE, /* link-layer type */
223 OR_LINKPL, /* link-layer payload */
224 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
225 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
226 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
230 * We divy out chunks of memory rather than call malloc each time so
231 * we don't have to worry about leaking memory. It's probably
232 * not a big deal if all this memory was wasted but if this ever
233 * goes into a library that would probably not be a good idea.
235 * XXX - this *is* in a library....
238 #define CHUNK0SIZE 1024
244 /* Code generator state */
246 struct _compiler_state {
256 int outermostlinktype;
261 /* Hack for handling VLAN and MPLS stacks. */
262 u_int label_stack_depth;
263 u_int vlan_stack_depth;
269 * As errors are handled by a longjmp, anything allocated must
270 * be freed in the longjmp handler, so it must be reachable
273 * One thing that's allocated is the result of pcap_nametoaddrinfo();
274 * it must be freed with freeaddrinfo(). This variable points to
275 * any addrinfo structure that would need to be freed.
280 * Various code constructs need to know the layout of the packet.
281 * These values give the necessary offsets from the beginning
282 * of the packet data.
286 * Absolute offset of the beginning of the link-layer header.
288 bpf_abs_offset off_linkhdr;
291 * If we're checking a link-layer header for a packet encapsulated
292 * in another protocol layer, this is the equivalent information
293 * for the previous layers' link-layer header from the beginning
294 * of the raw packet data.
296 bpf_abs_offset off_prevlinkhdr;
299 * This is the equivalent information for the outermost layers'
302 bpf_abs_offset off_outermostlinkhdr;
305 * Absolute offset of the beginning of the link-layer payload.
307 bpf_abs_offset off_linkpl;
310 * "off_linktype" is the offset to information in the link-layer
311 * header giving the packet type. This is an absolute offset
312 * from the beginning of the packet.
314 * For Ethernet, it's the offset of the Ethernet type field; this
315 * means that it must have a value that skips VLAN tags.
317 * For link-layer types that always use 802.2 headers, it's the
318 * offset of the LLC header; this means that it must have a value
319 * that skips VLAN tags.
321 * For PPP, it's the offset of the PPP type field.
323 * For Cisco HDLC, it's the offset of the CHDLC type field.
325 * For BSD loopback, it's the offset of the AF_ value.
327 * For Linux cooked sockets, it's the offset of the type field.
329 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
330 * encapsulation, in which case, IP is assumed.
332 bpf_abs_offset off_linktype;
335 * TRUE if the link layer includes an ATM pseudo-header.
340 * TRUE if "geneve" appeared in the filter; it causes us to
341 * generate code that checks for a Geneve header and assume
342 * that later filters apply to the encapsulated payload.
347 * TRUE if we need variable length part of VLAN offset
349 int is_vlan_vloffset;
352 * These are offsets for the ATM pseudo-header.
359 * These are offsets for the MTP2 fields.
365 * These are offsets for the MTP3 fields.
373 * This is the offset of the first byte after the ATM pseudo_header,
374 * or -1 if there is no ATM pseudo-header.
379 * These are offsets to the beginning of the network-layer header.
380 * They are relative to the beginning of the link-layer payload
381 * (i.e., they don't include off_linkhdr.constant_part or
382 * off_linkpl.constant_part).
384 * If the link layer never uses 802.2 LLC:
386 * "off_nl" and "off_nl_nosnap" are the same.
388 * If the link layer always uses 802.2 LLC:
390 * "off_nl" is the offset if there's a SNAP header following
393 * "off_nl_nosnap" is the offset if there's no SNAP header.
395 * If the link layer is Ethernet:
397 * "off_nl" is the offset if the packet is an Ethernet II packet
398 * (we assume no 802.3+802.2+SNAP);
400 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
401 * with an 802.2 header following it.
407 * Here we handle simple allocation of the scratch registers.
408 * If too many registers are alloc'd, the allocator punts.
410 int regused[BPF_MEMWORDS];
416 struct chunk chunks[NCHUNKS];
421 bpf_syntax_error(compiler_state_t *cstate, const char *msg)
423 bpf_error(cstate, "syntax error in filter expression: %s", msg);
429 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
434 if (cstate->bpf_pcap != NULL)
435 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap),
436 PCAP_ERRBUF_SIZE, fmt, ap);
438 longjmp(cstate->top_ctx, 1);
442 static void init_linktype(compiler_state_t *, pcap_t *);
444 static void init_regs(compiler_state_t *);
445 static int alloc_reg(compiler_state_t *);
446 static void free_reg(compiler_state_t *, int);
448 static void initchunks(compiler_state_t *cstate);
449 static void *newchunk(compiler_state_t *cstate, size_t);
450 static void freechunks(compiler_state_t *cstate);
451 static inline struct block *new_block(compiler_state_t *cstate, int);
452 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
453 static struct block *gen_retblk(compiler_state_t *cstate, int);
454 static inline void syntax(compiler_state_t *cstate);
456 static void backpatch(struct block *, struct block *);
457 static void merge(struct block *, struct block *);
458 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
460 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
462 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
464 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
466 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
468 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
469 u_int, bpf_int32, bpf_u_int32);
470 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
471 u_int, const u_char *);
472 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32,
473 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32);
474 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
476 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
478 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
479 static struct block *gen_uncond(compiler_state_t *, int);
480 static inline struct block *gen_true(compiler_state_t *);
481 static inline struct block *gen_false(compiler_state_t *);
482 static struct block *gen_ether_linktype(compiler_state_t *, int);
483 static struct block *gen_ipnet_linktype(compiler_state_t *, int);
484 static struct block *gen_linux_sll_linktype(compiler_state_t *, int);
485 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
486 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
487 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
488 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
489 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
490 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
492 static int ethertype_to_ppptype(int);
493 static struct block *gen_linktype(compiler_state_t *, int);
494 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
495 static struct block *gen_llc_linktype(compiler_state_t *, int);
496 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
497 int, int, u_int, u_int);
499 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
500 struct in6_addr *, int, int, u_int, u_int);
502 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
503 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
504 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
505 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
506 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
507 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
508 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
509 static struct block *gen_mpls_linktype(compiler_state_t *, int);
510 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
513 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
514 struct in6_addr *, int, int, int);
517 static struct block *gen_gateway(compiler_state_t *, const u_char *,
518 struct addrinfo *, int, int);
520 static struct block *gen_ipfrag(compiler_state_t *);
521 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
522 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32,
524 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32);
525 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32,
527 struct block *gen_portop(compiler_state_t *, int, int, int);
528 static struct block *gen_port(compiler_state_t *, int, int, int);
529 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int);
530 static struct block *gen_portrange(compiler_state_t *, int, int, int, int);
531 struct block *gen_portop6(compiler_state_t *, int, int, int);
532 static struct block *gen_port6(compiler_state_t *, int, int, int);
533 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int);
534 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int);
535 static int lookup_proto(compiler_state_t *, const char *, int);
536 static struct block *gen_protochain(compiler_state_t *, int, int, int);
537 static struct block *gen_proto(compiler_state_t *, int, int, int);
538 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
539 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
540 static struct block *gen_mac_multicast(compiler_state_t *, int);
541 static struct block *gen_len(compiler_state_t *, int, int);
542 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
543 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
545 static struct block *gen_ppi_dlt_check(compiler_state_t *);
546 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
549 initchunks(compiler_state_t *cstate)
553 for (i = 0; i < NCHUNKS; i++) {
554 cstate->chunks[i].n_left = 0;
555 cstate->chunks[i].m = NULL;
557 cstate->cur_chunk = 0;
561 newchunk(compiler_state_t *cstate, size_t n)
568 /* XXX Round up to nearest long. */
569 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
571 /* XXX Round up to structure boundary. */
575 cp = &cstate->chunks[cstate->cur_chunk];
576 if (n > cp->n_left) {
578 k = ++cstate->cur_chunk;
580 bpf_error(cstate, "out of memory");
581 size = CHUNK0SIZE << k;
582 cp->m = (void *)malloc(size);
584 bpf_error(cstate, "out of memory");
585 memset((char *)cp->m, 0, size);
588 bpf_error(cstate, "out of memory");
591 return (void *)((char *)cp->m + cp->n_left);
595 freechunks(compiler_state_t *cstate)
599 for (i = 0; i < NCHUNKS; ++i)
600 if (cstate->chunks[i].m != NULL)
601 free(cstate->chunks[i].m);
605 * A strdup whose allocations are freed after code generation is over.
608 sdup(compiler_state_t *cstate, const char *s)
610 size_t n = strlen(s) + 1;
611 char *cp = newchunk(cstate, n);
617 static inline struct block *
618 new_block(compiler_state_t *cstate, int code)
622 p = (struct block *)newchunk(cstate, sizeof(*p));
629 static inline struct slist *
630 new_stmt(compiler_state_t *cstate, int code)
634 p = (struct slist *)newchunk(cstate, sizeof(*p));
640 static struct block *
641 gen_retblk(compiler_state_t *cstate, int v)
643 struct block *b = new_block(cstate, BPF_RET|BPF_K);
649 static inline PCAP_NORETURN_DEF void
650 syntax(compiler_state_t *cstate)
652 bpf_error(cstate, "syntax error in filter expression");
656 pcap_compile(pcap_t *p, struct bpf_program *program,
657 const char *buf, int optimize, bpf_u_int32 mask)
662 compiler_state_t cstate;
663 const char * volatile xbuf = buf;
664 yyscan_t scanner = NULL;
665 YY_BUFFER_STATE in_buffer = NULL;
670 * If this pcap_t hasn't been activated, it doesn't have a
671 * link-layer type, so we can't use it.
674 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
675 "not-yet-activated pcap_t passed to pcap_compile");
687 * If the device on which we're capturing need to be notified
688 * that a new filter is being compiled, do so.
690 * This allows them to save a copy of it, in case, for example,
691 * they're implementing a form of remote packet capture, and
692 * want the remote machine to filter out the packets in which
693 * it's sending the packets it's captured.
695 * XXX - the fact that we happen to be compiling a filter
696 * doesn't necessarily mean we'll be installing it as the
697 * filter for this pcap_t; we might be running it from userland
698 * on captured packets to do packet classification. We really
699 * need a better way of handling this, but this is all that
700 * the WinPcap code did.
702 if (p->save_current_filter_op != NULL)
703 (p->save_current_filter_op)(p, buf);
707 cstate.no_optimize = 0;
711 cstate.ic.root = NULL;
712 cstate.ic.cur_mark = 0;
716 if (setjmp(cstate.top_ctx)) {
718 if (cstate.ai != NULL)
719 freeaddrinfo(cstate.ai);
725 cstate.netmask = mask;
727 cstate.snaplen = pcap_snapshot(p);
728 if (cstate.snaplen == 0) {
729 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
730 "snaplen of 0 rejects all packets");
735 if (pcap_lex_init(&scanner) != 0)
736 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
737 errno, "can't initialize scanner");
738 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
741 * Associate the compiler state with the lexical analyzer
744 pcap_set_extra(&cstate, scanner);
746 init_linktype(&cstate, p);
747 (void)pcap_parse(scanner, &cstate);
749 if (cstate.ic.root == NULL)
750 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
752 if (optimize && !cstate.no_optimize) {
753 bpf_optimize(&cstate, &cstate.ic);
754 if (cstate.ic.root == NULL ||
755 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0))
756 bpf_error(&cstate, "expression rejects all packets");
758 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len);
759 program->bf_len = len;
761 rc = 0; /* We're all okay */
765 * Clean up everything for the lexical analyzer.
767 if (in_buffer != NULL)
768 pcap__delete_buffer(in_buffer, scanner);
770 pcap_lex_destroy(scanner);
773 * Clean up our own allocated memory.
781 * entry point for using the compiler with no pcap open
782 * pass in all the stuff that is needed explicitly instead.
785 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
786 struct bpf_program *program,
787 const char *buf, int optimize, bpf_u_int32 mask)
792 p = pcap_open_dead(linktype_arg, snaplen_arg);
795 ret = pcap_compile(p, program, buf, optimize, mask);
801 * Clean up a "struct bpf_program" by freeing all the memory allocated
805 pcap_freecode(struct bpf_program *program)
808 if (program->bf_insns != NULL) {
809 free((char *)program->bf_insns);
810 program->bf_insns = NULL;
815 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
816 * which of the jt and jf fields has been resolved and which is a pointer
817 * back to another unresolved block (or nil). At least one of the fields
818 * in each block is already resolved.
821 backpatch(struct block *list, struct block *target)
838 * Merge the lists in b0 and b1, using the 'sense' field to indicate
839 * which of jt and jf is the link.
842 merge(struct block *b0, struct block *b1)
844 register struct block **p = &b0;
846 /* Find end of list. */
848 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
850 /* Concatenate the lists. */
855 finish_parse(compiler_state_t *cstate, struct block *p)
857 struct block *ppi_dlt_check;
860 * Insert before the statements of the first (root) block any
861 * statements needed to load the lengths of any variable-length
862 * headers into registers.
864 * XXX - a fancier strategy would be to insert those before the
865 * statements of all blocks that use those lengths and that
866 * have no predecessors that use them, so that we only compute
867 * the lengths if we need them. There might be even better
868 * approaches than that.
870 * However, those strategies would be more complicated, and
871 * as we don't generate code to compute a length if the
872 * program has no tests that use the length, and as most
873 * tests will probably use those lengths, we would just
874 * postpone computing the lengths so that it's not done
875 * for tests that fail early, and it's not clear that's
878 insert_compute_vloffsets(cstate, p->head);
881 * For DLT_PPI captures, generate a check of the per-packet
882 * DLT value to make sure it's DLT_IEEE802_11.
884 * XXX - TurboCap cards use DLT_PPI for Ethernet.
885 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
886 * with appropriate Ethernet information and use that rather
887 * than using something such as DLT_PPI where you don't know
888 * the link-layer header type until runtime, which, in the
889 * general case, would force us to generate both Ethernet *and*
890 * 802.11 code (*and* anything else for which PPI is used)
891 * and choose between them early in the BPF program?
893 ppi_dlt_check = gen_ppi_dlt_check(cstate);
894 if (ppi_dlt_check != NULL)
895 gen_and(ppi_dlt_check, p);
897 backpatch(p, gen_retblk(cstate, cstate->snaplen));
898 p->sense = !p->sense;
899 backpatch(p, gen_retblk(cstate, 0));
900 cstate->ic.root = p->head;
904 gen_and(struct block *b0, struct block *b1)
906 backpatch(b0, b1->head);
907 b0->sense = !b0->sense;
908 b1->sense = !b1->sense;
910 b1->sense = !b1->sense;
915 gen_or(struct block *b0, struct block *b1)
917 b0->sense = !b0->sense;
918 backpatch(b0, b1->head);
919 b0->sense = !b0->sense;
925 gen_not(struct block *b)
927 b->sense = !b->sense;
930 static struct block *
931 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
932 u_int size, bpf_int32 v)
934 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
937 static struct block *
938 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
939 u_int size, bpf_int32 v)
941 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
944 static struct block *
945 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
946 u_int size, bpf_int32 v)
948 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
951 static struct block *
952 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
953 u_int size, bpf_int32 v)
955 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
958 static struct block *
959 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
960 u_int size, bpf_int32 v)
962 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
965 static struct block *
966 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
967 u_int size, bpf_int32 v, bpf_u_int32 mask)
969 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
972 static struct block *
973 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
974 u_int size, const u_char *v)
976 register struct block *b, *tmp;
980 register const u_char *p = &v[size - 4];
981 bpf_int32 w = ((bpf_int32)p[0] << 24) |
982 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
984 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w);
991 register const u_char *p = &v[size - 2];
992 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
994 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w);
1001 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]);
1010 * AND the field of size "size" at offset "offset" relative to the header
1011 * specified by "offrel" with "mask", and compare it with the value "v"
1012 * with the test specified by "jtype"; if "reverse" is true, the test
1013 * should test the opposite of "jtype".
1015 static struct block *
1016 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset,
1017 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse,
1020 struct slist *s, *s2;
1023 s = gen_load_a(cstate, offrel, offset, size);
1025 if (mask != 0xffffffff) {
1026 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1031 b = new_block(cstate, JMP(jtype));
1034 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1040 init_linktype(compiler_state_t *cstate, pcap_t *p)
1042 cstate->pcap_fddipad = p->fddipad;
1045 * We start out with only one link-layer header.
1047 cstate->outermostlinktype = pcap_datalink(p);
1048 cstate->off_outermostlinkhdr.constant_part = 0;
1049 cstate->off_outermostlinkhdr.is_variable = 0;
1050 cstate->off_outermostlinkhdr.reg = -1;
1052 cstate->prevlinktype = cstate->outermostlinktype;
1053 cstate->off_prevlinkhdr.constant_part = 0;
1054 cstate->off_prevlinkhdr.is_variable = 0;
1055 cstate->off_prevlinkhdr.reg = -1;
1057 cstate->linktype = cstate->outermostlinktype;
1058 cstate->off_linkhdr.constant_part = 0;
1059 cstate->off_linkhdr.is_variable = 0;
1060 cstate->off_linkhdr.reg = -1;
1065 cstate->off_linkpl.constant_part = 0;
1066 cstate->off_linkpl.is_variable = 0;
1067 cstate->off_linkpl.reg = -1;
1069 cstate->off_linktype.constant_part = 0;
1070 cstate->off_linktype.is_variable = 0;
1071 cstate->off_linktype.reg = -1;
1074 * Assume it's not raw ATM with a pseudo-header, for now.
1077 cstate->off_vpi = OFFSET_NOT_SET;
1078 cstate->off_vci = OFFSET_NOT_SET;
1079 cstate->off_proto = OFFSET_NOT_SET;
1080 cstate->off_payload = OFFSET_NOT_SET;
1085 cstate->is_geneve = 0;
1088 * No variable length VLAN offset by default
1090 cstate->is_vlan_vloffset = 0;
1093 * And assume we're not doing SS7.
1095 cstate->off_li = OFFSET_NOT_SET;
1096 cstate->off_li_hsl = OFFSET_NOT_SET;
1097 cstate->off_sio = OFFSET_NOT_SET;
1098 cstate->off_opc = OFFSET_NOT_SET;
1099 cstate->off_dpc = OFFSET_NOT_SET;
1100 cstate->off_sls = OFFSET_NOT_SET;
1102 cstate->label_stack_depth = 0;
1103 cstate->vlan_stack_depth = 0;
1105 switch (cstate->linktype) {
1108 cstate->off_linktype.constant_part = 2;
1109 cstate->off_linkpl.constant_part = 6;
1110 cstate->off_nl = 0; /* XXX in reality, variable! */
1111 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1114 case DLT_ARCNET_LINUX:
1115 cstate->off_linktype.constant_part = 4;
1116 cstate->off_linkpl.constant_part = 8;
1117 cstate->off_nl = 0; /* XXX in reality, variable! */
1118 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1122 cstate->off_linktype.constant_part = 12;
1123 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1124 cstate->off_nl = 0; /* Ethernet II */
1125 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1130 * SLIP doesn't have a link level type. The 16 byte
1131 * header is hacked into our SLIP driver.
1133 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1134 cstate->off_linkpl.constant_part = 16;
1136 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1139 case DLT_SLIP_BSDOS:
1140 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1141 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1143 cstate->off_linkpl.constant_part = 24;
1145 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1150 cstate->off_linktype.constant_part = 0;
1151 cstate->off_linkpl.constant_part = 4;
1153 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1157 cstate->off_linktype.constant_part = 0;
1158 cstate->off_linkpl.constant_part = 12;
1160 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1165 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1166 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1167 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1168 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1170 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1175 * This does no include the Ethernet header, and
1176 * only covers session state.
1178 cstate->off_linktype.constant_part = 6;
1179 cstate->off_linkpl.constant_part = 8;
1181 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1185 cstate->off_linktype.constant_part = 5;
1186 cstate->off_linkpl.constant_part = 24;
1188 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1193 * FDDI doesn't really have a link-level type field.
1194 * We set "off_linktype" to the offset of the LLC header.
1196 * To check for Ethernet types, we assume that SSAP = SNAP
1197 * is being used and pick out the encapsulated Ethernet type.
1198 * XXX - should we generate code to check for SNAP?
1200 cstate->off_linktype.constant_part = 13;
1201 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1202 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1203 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1204 cstate->off_nl = 8; /* 802.2+SNAP */
1205 cstate->off_nl_nosnap = 3; /* 802.2 */
1210 * Token Ring doesn't really have a link-level type field.
1211 * We set "off_linktype" to the offset of the LLC header.
1213 * To check for Ethernet types, we assume that SSAP = SNAP
1214 * is being used and pick out the encapsulated Ethernet type.
1215 * XXX - should we generate code to check for SNAP?
1217 * XXX - the header is actually variable-length.
1218 * Some various Linux patched versions gave 38
1219 * as "off_linktype" and 40 as "off_nl"; however,
1220 * if a token ring packet has *no* routing
1221 * information, i.e. is not source-routed, the correct
1222 * values are 20 and 22, as they are in the vanilla code.
1224 * A packet is source-routed iff the uppermost bit
1225 * of the first byte of the source address, at an
1226 * offset of 8, has the uppermost bit set. If the
1227 * packet is source-routed, the total number of bytes
1228 * of routing information is 2 plus bits 0x1F00 of
1229 * the 16-bit value at an offset of 14 (shifted right
1230 * 8 - figure out which byte that is).
1232 cstate->off_linktype.constant_part = 14;
1233 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1234 cstate->off_nl = 8; /* 802.2+SNAP */
1235 cstate->off_nl_nosnap = 3; /* 802.2 */
1238 case DLT_PRISM_HEADER:
1239 case DLT_IEEE802_11_RADIO_AVS:
1240 case DLT_IEEE802_11_RADIO:
1241 cstate->off_linkhdr.is_variable = 1;
1242 /* Fall through, 802.11 doesn't have a variable link
1243 * prefix but is otherwise the same. */
1245 case DLT_IEEE802_11:
1247 * 802.11 doesn't really have a link-level type field.
1248 * We set "off_linktype.constant_part" to the offset of
1251 * To check for Ethernet types, we assume that SSAP = SNAP
1252 * is being used and pick out the encapsulated Ethernet type.
1253 * XXX - should we generate code to check for SNAP?
1255 * We also handle variable-length radio headers here.
1256 * The Prism header is in theory variable-length, but in
1257 * practice it's always 144 bytes long. However, some
1258 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1259 * sometimes or always supply an AVS header, so we
1260 * have to check whether the radio header is a Prism
1261 * header or an AVS header, so, in practice, it's
1264 cstate->off_linktype.constant_part = 24;
1265 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1266 cstate->off_linkpl.is_variable = 1;
1267 cstate->off_nl = 8; /* 802.2+SNAP */
1268 cstate->off_nl_nosnap = 3; /* 802.2 */
1273 * At the moment we treat PPI the same way that we treat
1274 * normal Radiotap encoded packets. The difference is in
1275 * the function that generates the code at the beginning
1276 * to compute the header length. Since this code generator
1277 * of PPI supports bare 802.11 encapsulation only (i.e.
1278 * the encapsulated DLT should be DLT_IEEE802_11) we
1279 * generate code to check for this too.
1281 cstate->off_linktype.constant_part = 24;
1282 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1283 cstate->off_linkpl.is_variable = 1;
1284 cstate->off_linkhdr.is_variable = 1;
1285 cstate->off_nl = 8; /* 802.2+SNAP */
1286 cstate->off_nl_nosnap = 3; /* 802.2 */
1289 case DLT_ATM_RFC1483:
1290 case DLT_ATM_CLIP: /* Linux ATM defines this */
1292 * assume routed, non-ISO PDUs
1293 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1295 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1296 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1297 * latter would presumably be treated the way PPPoE
1298 * should be, so you can do "pppoe and udp port 2049"
1299 * or "pppoa and tcp port 80" and have it check for
1300 * PPPo{A,E} and a PPP protocol of IP and....
1302 cstate->off_linktype.constant_part = 0;
1303 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1304 cstate->off_nl = 8; /* 802.2+SNAP */
1305 cstate->off_nl_nosnap = 3; /* 802.2 */
1310 * Full Frontal ATM; you get AALn PDUs with an ATM
1314 cstate->off_vpi = SUNATM_VPI_POS;
1315 cstate->off_vci = SUNATM_VCI_POS;
1316 cstate->off_proto = PROTO_POS;
1317 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1318 cstate->off_linktype.constant_part = cstate->off_payload;
1319 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1320 cstate->off_nl = 8; /* 802.2+SNAP */
1321 cstate->off_nl_nosnap = 3; /* 802.2 */
1327 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1328 cstate->off_linkpl.constant_part = 0;
1330 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1333 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1334 cstate->off_linktype.constant_part = 14;
1335 cstate->off_linkpl.constant_part = 16;
1337 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1342 * LocalTalk does have a 1-byte type field in the LLAP header,
1343 * but really it just indicates whether there is a "short" or
1344 * "long" DDP packet following.
1346 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1347 cstate->off_linkpl.constant_part = 0;
1349 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1352 case DLT_IP_OVER_FC:
1354 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1355 * link-level type field. We set "off_linktype" to the
1356 * offset of the LLC header.
1358 * To check for Ethernet types, we assume that SSAP = SNAP
1359 * is being used and pick out the encapsulated Ethernet type.
1360 * XXX - should we generate code to check for SNAP? RFC
1361 * 2625 says SNAP should be used.
1363 cstate->off_linktype.constant_part = 16;
1364 cstate->off_linkpl.constant_part = 16;
1365 cstate->off_nl = 8; /* 802.2+SNAP */
1366 cstate->off_nl_nosnap = 3; /* 802.2 */
1371 * XXX - we should set this to handle SNAP-encapsulated
1372 * frames (NLPID of 0x80).
1374 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1375 cstate->off_linkpl.constant_part = 0;
1377 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1381 * the only BPF-interesting FRF.16 frames are non-control frames;
1382 * Frame Relay has a variable length link-layer
1383 * so lets start with offset 4 for now and increments later on (FIXME);
1386 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1387 cstate->off_linkpl.constant_part = 0;
1389 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1392 case DLT_APPLE_IP_OVER_IEEE1394:
1393 cstate->off_linktype.constant_part = 16;
1394 cstate->off_linkpl.constant_part = 18;
1396 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1399 case DLT_SYMANTEC_FIREWALL:
1400 cstate->off_linktype.constant_part = 6;
1401 cstate->off_linkpl.constant_part = 44;
1402 cstate->off_nl = 0; /* Ethernet II */
1403 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1406 #ifdef HAVE_NET_PFVAR_H
1408 cstate->off_linktype.constant_part = 0;
1409 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1411 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1415 case DLT_JUNIPER_MFR:
1416 case DLT_JUNIPER_MLFR:
1417 case DLT_JUNIPER_MLPPP:
1418 case DLT_JUNIPER_PPP:
1419 case DLT_JUNIPER_CHDLC:
1420 case DLT_JUNIPER_FRELAY:
1421 cstate->off_linktype.constant_part = 4;
1422 cstate->off_linkpl.constant_part = 4;
1424 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1427 case DLT_JUNIPER_ATM1:
1428 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1429 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1431 cstate->off_nl_nosnap = 10;
1434 case DLT_JUNIPER_ATM2:
1435 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1436 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1438 cstate->off_nl_nosnap = 10;
1441 /* frames captured on a Juniper PPPoE service PIC
1442 * contain raw ethernet frames */
1443 case DLT_JUNIPER_PPPOE:
1444 case DLT_JUNIPER_ETHER:
1445 cstate->off_linkpl.constant_part = 14;
1446 cstate->off_linktype.constant_part = 16;
1447 cstate->off_nl = 18; /* Ethernet II */
1448 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1451 case DLT_JUNIPER_PPPOE_ATM:
1452 cstate->off_linktype.constant_part = 4;
1453 cstate->off_linkpl.constant_part = 6;
1455 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1458 case DLT_JUNIPER_GGSN:
1459 cstate->off_linktype.constant_part = 6;
1460 cstate->off_linkpl.constant_part = 12;
1462 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1465 case DLT_JUNIPER_ES:
1466 cstate->off_linktype.constant_part = 6;
1467 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1468 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1469 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1472 case DLT_JUNIPER_MONITOR:
1473 cstate->off_linktype.constant_part = 12;
1474 cstate->off_linkpl.constant_part = 12;
1475 cstate->off_nl = 0; /* raw IP/IP6 header */
1476 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1479 case DLT_BACNET_MS_TP:
1480 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1481 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1482 cstate->off_nl = OFFSET_NOT_SET;
1483 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1486 case DLT_JUNIPER_SERVICES:
1487 cstate->off_linktype.constant_part = 12;
1488 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1489 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1490 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1493 case DLT_JUNIPER_VP:
1494 cstate->off_linktype.constant_part = 18;
1495 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1496 cstate->off_nl = OFFSET_NOT_SET;
1497 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1500 case DLT_JUNIPER_ST:
1501 cstate->off_linktype.constant_part = 18;
1502 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1503 cstate->off_nl = OFFSET_NOT_SET;
1504 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1507 case DLT_JUNIPER_ISM:
1508 cstate->off_linktype.constant_part = 8;
1509 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1510 cstate->off_nl = OFFSET_NOT_SET;
1511 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1514 case DLT_JUNIPER_VS:
1515 case DLT_JUNIPER_SRX_E2E:
1516 case DLT_JUNIPER_FIBRECHANNEL:
1517 case DLT_JUNIPER_ATM_CEMIC:
1518 cstate->off_linktype.constant_part = 8;
1519 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1520 cstate->off_nl = OFFSET_NOT_SET;
1521 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1526 cstate->off_li_hsl = 4;
1527 cstate->off_sio = 3;
1528 cstate->off_opc = 4;
1529 cstate->off_dpc = 4;
1530 cstate->off_sls = 7;
1531 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1532 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1533 cstate->off_nl = OFFSET_NOT_SET;
1534 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1537 case DLT_MTP2_WITH_PHDR:
1539 cstate->off_li_hsl = 8;
1540 cstate->off_sio = 7;
1541 cstate->off_opc = 8;
1542 cstate->off_dpc = 8;
1543 cstate->off_sls = 11;
1544 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1545 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1546 cstate->off_nl = OFFSET_NOT_SET;
1547 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1551 cstate->off_li = 22;
1552 cstate->off_li_hsl = 24;
1553 cstate->off_sio = 23;
1554 cstate->off_opc = 24;
1555 cstate->off_dpc = 24;
1556 cstate->off_sls = 27;
1557 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1558 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1559 cstate->off_nl = OFFSET_NOT_SET;
1560 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1564 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1565 cstate->off_linkpl.constant_part = 4;
1567 cstate->off_nl_nosnap = 0;
1572 * Currently, only raw "link[N:M]" filtering is supported.
1574 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1575 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1576 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1577 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1581 cstate->off_linktype.constant_part = 1;
1582 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1584 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1587 case DLT_NETANALYZER:
1588 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1589 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1590 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1591 cstate->off_nl = 0; /* Ethernet II */
1592 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1595 case DLT_NETANALYZER_TRANSPARENT:
1596 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1597 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1598 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1599 cstate->off_nl = 0; /* Ethernet II */
1600 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1605 * For values in the range in which we've assigned new
1606 * DLT_ values, only raw "link[N:M]" filtering is supported.
1608 if (cstate->linktype >= DLT_MATCHING_MIN &&
1609 cstate->linktype <= DLT_MATCHING_MAX) {
1610 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1611 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1612 cstate->off_nl = OFFSET_NOT_SET;
1613 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1615 bpf_error(cstate, "unknown data link type %d", cstate->linktype);
1620 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1624 * Load a value relative to the specified absolute offset.
1626 static struct slist *
1627 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1628 u_int offset, u_int size)
1630 struct slist *s, *s2;
1632 s = gen_abs_offset_varpart(cstate, abs_offset);
1635 * If "s" is non-null, it has code to arrange that the X register
1636 * contains the variable part of the absolute offset, so we
1637 * generate a load relative to that, with an offset of
1638 * abs_offset->constant_part + offset.
1640 * Otherwise, we can do an absolute load with an offset of
1641 * abs_offset->constant_part + offset.
1645 * "s" points to a list of statements that puts the
1646 * variable part of the absolute offset into the X register.
1647 * Do an indirect load, to use the X register as an offset.
1649 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1650 s2->s.k = abs_offset->constant_part + offset;
1654 * There is no variable part of the absolute offset, so
1655 * just do an absolute load.
1657 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1658 s->s.k = abs_offset->constant_part + offset;
1664 * Load a value relative to the beginning of the specified header.
1666 static struct slist *
1667 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1670 struct slist *s, *s2;
1675 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1680 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1683 case OR_PREVLINKHDR:
1684 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1688 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1691 case OR_PREVMPLSHDR:
1692 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1696 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1699 case OR_LINKPL_NOSNAP:
1700 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1704 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1709 * Load the X register with the length of the IPv4 header
1710 * (plus the offset of the link-layer header, if it's
1711 * preceded by a variable-length header such as a radio
1712 * header), in bytes.
1714 s = gen_loadx_iphdrlen(cstate);
1717 * Load the item at {offset of the link-layer payload} +
1718 * {offset, relative to the start of the link-layer
1719 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1720 * {specified offset}.
1722 * If the offset of the link-layer payload is variable,
1723 * the variable part of that offset is included in the
1724 * value in the X register, and we include the constant
1725 * part in the offset of the load.
1727 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1728 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1733 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1744 * Generate code to load into the X register the sum of the length of
1745 * the IPv4 header and the variable part of the offset of the link-layer
1748 static struct slist *
1749 gen_loadx_iphdrlen(compiler_state_t *cstate)
1751 struct slist *s, *s2;
1753 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1756 * The offset of the link-layer payload has a variable
1757 * part. "s" points to a list of statements that put
1758 * the variable part of that offset into the X register.
1760 * The 4*([k]&0xf) addressing mode can't be used, as we
1761 * don't have a constant offset, so we have to load the
1762 * value in question into the A register and add to it
1763 * the value from the X register.
1765 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1766 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1768 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1771 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1776 * The A register now contains the length of the IP header.
1777 * We need to add to it the variable part of the offset of
1778 * the link-layer payload, which is still in the X
1779 * register, and move the result into the X register.
1781 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1782 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1785 * The offset of the link-layer payload is a constant,
1786 * so no code was generated to load the (non-existent)
1787 * variable part of that offset.
1789 * This means we can use the 4*([k]&0xf) addressing
1790 * mode. Load the length of the IPv4 header, which
1791 * is at an offset of cstate->off_nl from the beginning of
1792 * the link-layer payload, and thus at an offset of
1793 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1794 * of the raw packet data, using that addressing mode.
1796 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1797 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1803 static struct block *
1804 gen_uncond(compiler_state_t *cstate, int rsense)
1809 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1811 b = new_block(cstate, JMP(BPF_JEQ));
1817 static inline struct block *
1818 gen_true(compiler_state_t *cstate)
1820 return gen_uncond(cstate, 1);
1823 static inline struct block *
1824 gen_false(compiler_state_t *cstate)
1826 return gen_uncond(cstate, 0);
1830 * Byte-swap a 32-bit number.
1831 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1832 * big-endian platforms.)
1834 #define SWAPLONG(y) \
1835 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1838 * Generate code to match a particular packet type.
1840 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1841 * value, if <= ETHERMTU. We use that to determine whether to
1842 * match the type/length field or to check the type/length field for
1843 * a value <= ETHERMTU to see whether it's a type field and then do
1844 * the appropriate test.
1846 static struct block *
1847 gen_ether_linktype(compiler_state_t *cstate, int proto)
1849 struct block *b0, *b1;
1855 case LLCSAP_NETBEUI:
1857 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1858 * so we check the DSAP and SSAP.
1860 * LLCSAP_IP checks for IP-over-802.2, rather
1861 * than IP-over-Ethernet or IP-over-SNAP.
1863 * XXX - should we check both the DSAP and the
1864 * SSAP, like this, or should we check just the
1865 * DSAP, as we do for other types <= ETHERMTU
1866 * (i.e., other SAP values)?
1868 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1870 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
1871 ((proto << 8) | proto));
1879 * Ethernet_II frames, which are Ethernet
1880 * frames with a frame type of ETHERTYPE_IPX;
1882 * Ethernet_802.3 frames, which are 802.3
1883 * frames (i.e., the type/length field is
1884 * a length field, <= ETHERMTU, rather than
1885 * a type field) with the first two bytes
1886 * after the Ethernet/802.3 header being
1889 * Ethernet_802.2 frames, which are 802.3
1890 * frames with an 802.2 LLC header and
1891 * with the IPX LSAP as the DSAP in the LLC
1894 * Ethernet_SNAP frames, which are 802.3
1895 * frames with an LLC header and a SNAP
1896 * header and with an OUI of 0x000000
1897 * (encapsulated Ethernet) and a protocol
1898 * ID of ETHERTYPE_IPX in the SNAP header.
1900 * XXX - should we generate the same code both
1901 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1905 * This generates code to check both for the
1906 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1908 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1909 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
1913 * Now we add code to check for SNAP frames with
1914 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1916 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
1920 * Now we generate code to check for 802.3
1921 * frames in general.
1923 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1927 * Now add the check for 802.3 frames before the
1928 * check for Ethernet_802.2 and Ethernet_802.3,
1929 * as those checks should only be done on 802.3
1930 * frames, not on Ethernet frames.
1935 * Now add the check for Ethernet_II frames, and
1936 * do that before checking for the other frame
1939 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1943 case ETHERTYPE_ATALK:
1944 case ETHERTYPE_AARP:
1946 * EtherTalk (AppleTalk protocols on Ethernet link
1947 * layer) may use 802.2 encapsulation.
1951 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1952 * we check for an Ethernet type field less than
1953 * 1500, which means it's an 802.3 length field.
1955 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1959 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1960 * SNAP packets with an organization code of
1961 * 0x080007 (Apple, for Appletalk) and a protocol
1962 * type of ETHERTYPE_ATALK (Appletalk).
1964 * 802.2-encapsulated ETHERTYPE_AARP packets are
1965 * SNAP packets with an organization code of
1966 * 0x000000 (encapsulated Ethernet) and a protocol
1967 * type of ETHERTYPE_AARP (Appletalk ARP).
1969 if (proto == ETHERTYPE_ATALK)
1970 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
1971 else /* proto == ETHERTYPE_AARP */
1972 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
1976 * Check for Ethernet encapsulation (Ethertalk
1977 * phase 1?); we just check for the Ethernet
1980 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
1986 if (proto <= ETHERMTU) {
1988 * This is an LLC SAP value, so the frames
1989 * that match would be 802.2 frames.
1990 * Check that the frame is an 802.2 frame
1991 * (i.e., that the length/type field is
1992 * a length field, <= ETHERMTU) and
1993 * then check the DSAP.
1995 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1997 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
2002 * This is an Ethernet type, so compare
2003 * the length/type field with it (if
2004 * the frame is an 802.2 frame, the length
2005 * field will be <= ETHERMTU, and, as
2006 * "proto" is > ETHERMTU, this test
2007 * will fail and the frame won't match,
2008 * which is what we want).
2010 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
2016 static struct block *
2017 gen_loopback_linktype(compiler_state_t *cstate, int proto)
2020 * For DLT_NULL, the link-layer header is a 32-bit word
2021 * containing an AF_ value in *host* byte order, and for
2022 * DLT_ENC, the link-layer header begins with a 32-bit
2023 * word containing an AF_ value in host byte order.
2025 * In addition, if we're reading a saved capture file,
2026 * the host byte order in the capture may not be the
2027 * same as the host byte order on this machine.
2029 * For DLT_LOOP, the link-layer header is a 32-bit
2030 * word containing an AF_ value in *network* byte order.
2032 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2034 * The AF_ value is in host byte order, but the BPF
2035 * interpreter will convert it to network byte order.
2037 * If this is a save file, and it's from a machine
2038 * with the opposite byte order to ours, we byte-swap
2041 * Then we run it through "htonl()", and generate
2042 * code to compare against the result.
2044 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2045 proto = SWAPLONG(proto);
2046 proto = htonl(proto);
2048 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
2052 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2053 * or IPv6 then we have an error.
2055 static struct block *
2056 gen_ipnet_linktype(compiler_state_t *cstate, int proto)
2061 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
2064 case ETHERTYPE_IPV6:
2065 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
2066 (bpf_int32)IPH_AF_INET6);
2073 return gen_false(cstate);
2077 * Generate code to match a particular packet type.
2079 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2080 * value, if <= ETHERMTU. We use that to determine whether to
2081 * match the type field or to check the type field for the special
2082 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2084 static struct block *
2085 gen_linux_sll_linktype(compiler_state_t *cstate, int proto)
2087 struct block *b0, *b1;
2093 case LLCSAP_NETBEUI:
2095 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2096 * so we check the DSAP and SSAP.
2098 * LLCSAP_IP checks for IP-over-802.2, rather
2099 * than IP-over-Ethernet or IP-over-SNAP.
2101 * XXX - should we check both the DSAP and the
2102 * SSAP, like this, or should we check just the
2103 * DSAP, as we do for other types <= ETHERMTU
2104 * (i.e., other SAP values)?
2106 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2107 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
2108 ((proto << 8) | proto));
2114 * Ethernet_II frames, which are Ethernet
2115 * frames with a frame type of ETHERTYPE_IPX;
2117 * Ethernet_802.3 frames, which have a frame
2118 * type of LINUX_SLL_P_802_3;
2120 * Ethernet_802.2 frames, which are 802.3
2121 * frames with an 802.2 LLC header (i.e, have
2122 * a frame type of LINUX_SLL_P_802_2) and
2123 * with the IPX LSAP as the DSAP in the LLC
2126 * Ethernet_SNAP frames, which are 802.3
2127 * frames with an LLC header and a SNAP
2128 * header and with an OUI of 0x000000
2129 * (encapsulated Ethernet) and a protocol
2130 * ID of ETHERTYPE_IPX in the SNAP header.
2132 * First, do the checks on LINUX_SLL_P_802_2
2133 * frames; generate the check for either
2134 * Ethernet_802.2 or Ethernet_SNAP frames, and
2135 * then put a check for LINUX_SLL_P_802_2 frames
2138 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2139 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2141 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2145 * Now check for 802.3 frames and OR that with
2146 * the previous test.
2148 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2152 * Now add the check for Ethernet_II frames, and
2153 * do that before checking for the other frame
2156 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2160 case ETHERTYPE_ATALK:
2161 case ETHERTYPE_AARP:
2163 * EtherTalk (AppleTalk protocols on Ethernet link
2164 * layer) may use 802.2 encapsulation.
2168 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2169 * we check for the 802.2 protocol type in the
2170 * "Ethernet type" field.
2172 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2175 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2176 * SNAP packets with an organization code of
2177 * 0x080007 (Apple, for Appletalk) and a protocol
2178 * type of ETHERTYPE_ATALK (Appletalk).
2180 * 802.2-encapsulated ETHERTYPE_AARP packets are
2181 * SNAP packets with an organization code of
2182 * 0x000000 (encapsulated Ethernet) and a protocol
2183 * type of ETHERTYPE_AARP (Appletalk ARP).
2185 if (proto == ETHERTYPE_ATALK)
2186 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2187 else /* proto == ETHERTYPE_AARP */
2188 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2192 * Check for Ethernet encapsulation (Ethertalk
2193 * phase 1?); we just check for the Ethernet
2196 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2202 if (proto <= ETHERMTU) {
2204 * This is an LLC SAP value, so the frames
2205 * that match would be 802.2 frames.
2206 * Check for the 802.2 protocol type
2207 * in the "Ethernet type" field, and
2208 * then check the DSAP.
2210 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2211 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2217 * This is an Ethernet type, so compare
2218 * the length/type field with it (if
2219 * the frame is an 802.2 frame, the length
2220 * field will be <= ETHERMTU, and, as
2221 * "proto" is > ETHERMTU, this test
2222 * will fail and the frame won't match,
2223 * which is what we want).
2225 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2230 static struct slist *
2231 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2233 struct slist *s1, *s2;
2234 struct slist *sjeq_avs_cookie;
2235 struct slist *sjcommon;
2238 * This code is not compatible with the optimizer, as
2239 * we are generating jmp instructions within a normal
2240 * slist of instructions
2242 cstate->no_optimize = 1;
2245 * Generate code to load the length of the radio header into
2246 * the register assigned to hold that length, if one has been
2247 * assigned. (If one hasn't been assigned, no code we've
2248 * generated uses that prefix, so we don't need to generate any
2251 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2252 * or always use the AVS header rather than the Prism header.
2253 * We load a 4-byte big-endian value at the beginning of the
2254 * raw packet data, and see whether, when masked with 0xFFFFF000,
2255 * it's equal to 0x80211000. If so, that indicates that it's
2256 * an AVS header (the masked-out bits are the version number).
2257 * Otherwise, it's a Prism header.
2259 * XXX - the Prism header is also, in theory, variable-length,
2260 * but no known software generates headers that aren't 144
2263 if (cstate->off_linkhdr.reg != -1) {
2267 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2271 * AND it with 0xFFFFF000.
2273 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2274 s2->s.k = 0xFFFFF000;
2278 * Compare with 0x80211000.
2280 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2281 sjeq_avs_cookie->s.k = 0x80211000;
2282 sappend(s1, sjeq_avs_cookie);
2287 * The 4 bytes at an offset of 4 from the beginning of
2288 * the AVS header are the length of the AVS header.
2289 * That field is big-endian.
2291 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2294 sjeq_avs_cookie->s.jt = s2;
2297 * Now jump to the code to allocate a register
2298 * into which to save the header length and
2299 * store the length there. (The "jump always"
2300 * instruction needs to have the k field set;
2301 * it's added to the PC, so, as we're jumping
2302 * over a single instruction, it should be 1.)
2304 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2306 sappend(s1, sjcommon);
2309 * Now for the code that handles the Prism header.
2310 * Just load the length of the Prism header (144)
2311 * into the A register. Have the test for an AVS
2312 * header branch here if we don't have an AVS header.
2314 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2317 sjeq_avs_cookie->s.jf = s2;
2320 * Now allocate a register to hold that value and store
2321 * it. The code for the AVS header will jump here after
2322 * loading the length of the AVS header.
2324 s2 = new_stmt(cstate, BPF_ST);
2325 s2->s.k = cstate->off_linkhdr.reg;
2327 sjcommon->s.jf = s2;
2330 * Now move it into the X register.
2332 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2340 static struct slist *
2341 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2343 struct slist *s1, *s2;
2346 * Generate code to load the length of the AVS header into
2347 * the register assigned to hold that length, if one has been
2348 * assigned. (If one hasn't been assigned, no code we've
2349 * generated uses that prefix, so we don't need to generate any
2352 if (cstate->off_linkhdr.reg != -1) {
2354 * The 4 bytes at an offset of 4 from the beginning of
2355 * the AVS header are the length of the AVS header.
2356 * That field is big-endian.
2358 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2362 * Now allocate a register to hold that value and store
2365 s2 = new_stmt(cstate, BPF_ST);
2366 s2->s.k = cstate->off_linkhdr.reg;
2370 * Now move it into the X register.
2372 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2380 static struct slist *
2381 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2383 struct slist *s1, *s2;
2386 * Generate code to load the length of the radiotap header into
2387 * the register assigned to hold that length, if one has been
2388 * assigned. (If one hasn't been assigned, no code we've
2389 * generated uses that prefix, so we don't need to generate any
2392 if (cstate->off_linkhdr.reg != -1) {
2394 * The 2 bytes at offsets of 2 and 3 from the beginning
2395 * of the radiotap header are the length of the radiotap
2396 * header; unfortunately, it's little-endian, so we have
2397 * to load it a byte at a time and construct the value.
2401 * Load the high-order byte, at an offset of 3, shift it
2402 * left a byte, and put the result in the X register.
2404 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2406 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2409 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2413 * Load the next byte, at an offset of 2, and OR the
2414 * value from the X register into it.
2416 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2419 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2423 * Now allocate a register to hold that value and store
2426 s2 = new_stmt(cstate, BPF_ST);
2427 s2->s.k = cstate->off_linkhdr.reg;
2431 * Now move it into the X register.
2433 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2442 * At the moment we treat PPI as normal Radiotap encoded
2443 * packets. The difference is in the function that generates
2444 * the code at the beginning to compute the header length.
2445 * Since this code generator of PPI supports bare 802.11
2446 * encapsulation only (i.e. the encapsulated DLT should be
2447 * DLT_IEEE802_11) we generate code to check for this too;
2448 * that's done in finish_parse().
2450 static struct slist *
2451 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2453 struct slist *s1, *s2;
2456 * Generate code to load the length of the radiotap header
2457 * into the register assigned to hold that length, if one has
2460 if (cstate->off_linkhdr.reg != -1) {
2462 * The 2 bytes at offsets of 2 and 3 from the beginning
2463 * of the radiotap header are the length of the radiotap
2464 * header; unfortunately, it's little-endian, so we have
2465 * to load it a byte at a time and construct the value.
2469 * Load the high-order byte, at an offset of 3, shift it
2470 * left a byte, and put the result in the X register.
2472 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2474 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2477 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2481 * Load the next byte, at an offset of 2, and OR the
2482 * value from the X register into it.
2484 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2487 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2491 * Now allocate a register to hold that value and store
2494 s2 = new_stmt(cstate, BPF_ST);
2495 s2->s.k = cstate->off_linkhdr.reg;
2499 * Now move it into the X register.
2501 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2510 * Load a value relative to the beginning of the link-layer header after the 802.11
2511 * header, i.e. LLC_SNAP.
2512 * The link-layer header doesn't necessarily begin at the beginning
2513 * of the packet data; there might be a variable-length prefix containing
2514 * radio information.
2516 static struct slist *
2517 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2520 struct slist *sjset_data_frame_1;
2521 struct slist *sjset_data_frame_2;
2522 struct slist *sjset_qos;
2523 struct slist *sjset_radiotap_flags_present;
2524 struct slist *sjset_radiotap_ext_present;
2525 struct slist *sjset_radiotap_tsft_present;
2526 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2527 struct slist *s_roundup;
2529 if (cstate->off_linkpl.reg == -1) {
2531 * No register has been assigned to the offset of
2532 * the link-layer payload, which means nobody needs
2533 * it; don't bother computing it - just return
2534 * what we already have.
2540 * This code is not compatible with the optimizer, as
2541 * we are generating jmp instructions within a normal
2542 * slist of instructions
2544 cstate->no_optimize = 1;
2547 * If "s" is non-null, it has code to arrange that the X register
2548 * contains the length of the prefix preceding the link-layer
2551 * Otherwise, the length of the prefix preceding the link-layer
2552 * header is "off_outermostlinkhdr.constant_part".
2556 * There is no variable-length header preceding the
2557 * link-layer header.
2559 * Load the length of the fixed-length prefix preceding
2560 * the link-layer header (if any) into the X register,
2561 * and store it in the cstate->off_linkpl.reg register.
2562 * That length is off_outermostlinkhdr.constant_part.
2564 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2565 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2569 * The X register contains the offset of the beginning of the
2570 * link-layer header; add 24, which is the minimum length
2571 * of the MAC header for a data frame, to that, and store it
2572 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2573 * which is at the offset in the X register, with an indexed load.
2575 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2577 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2580 s2 = new_stmt(cstate, BPF_ST);
2581 s2->s.k = cstate->off_linkpl.reg;
2584 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2589 * Check the Frame Control field to see if this is a data frame;
2590 * a data frame has the 0x08 bit (b3) in that field set and the
2591 * 0x04 bit (b2) clear.
2593 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2594 sjset_data_frame_1->s.k = 0x08;
2595 sappend(s, sjset_data_frame_1);
2598 * If b3 is set, test b2, otherwise go to the first statement of
2599 * the rest of the program.
2601 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2602 sjset_data_frame_2->s.k = 0x04;
2603 sappend(s, sjset_data_frame_2);
2604 sjset_data_frame_1->s.jf = snext;
2607 * If b2 is not set, this is a data frame; test the QoS bit.
2608 * Otherwise, go to the first statement of the rest of the
2611 sjset_data_frame_2->s.jt = snext;
2612 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2613 sjset_qos->s.k = 0x80; /* QoS bit */
2614 sappend(s, sjset_qos);
2617 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2619 * Otherwise, go to the first statement of the rest of the
2622 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2623 s2->s.k = cstate->off_linkpl.reg;
2625 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2628 s2 = new_stmt(cstate, BPF_ST);
2629 s2->s.k = cstate->off_linkpl.reg;
2633 * If we have a radiotap header, look at it to see whether
2634 * there's Atheros padding between the MAC-layer header
2637 * Note: all of the fields in the radiotap header are
2638 * little-endian, so we byte-swap all of the values
2639 * we test against, as they will be loaded as big-endian
2642 * XXX - in the general case, we would have to scan through
2643 * *all* the presence bits, if there's more than one word of
2644 * presence bits. That would require a loop, meaning that
2645 * we wouldn't be able to run the filter in the kernel.
2647 * We assume here that the Atheros adapters that insert the
2648 * annoying padding don't have multiple antennae and therefore
2649 * do not generate radiotap headers with multiple presence words.
2651 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2653 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2654 * in the first presence flag word?
2656 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2660 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2661 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2662 sappend(s, sjset_radiotap_flags_present);
2665 * If not, skip all of this.
2667 sjset_radiotap_flags_present->s.jf = snext;
2670 * Otherwise, is the "extension" bit set in that word?
2672 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2673 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2674 sappend(s, sjset_radiotap_ext_present);
2675 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2678 * If so, skip all of this.
2680 sjset_radiotap_ext_present->s.jt = snext;
2683 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2685 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2686 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2687 sappend(s, sjset_radiotap_tsft_present);
2688 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2691 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2692 * at an offset of 16 from the beginning of the raw packet
2693 * data (8 bytes for the radiotap header and 8 bytes for
2696 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2699 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2702 sjset_radiotap_tsft_present->s.jt = s2;
2704 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2705 sjset_tsft_datapad->s.k = 0x20;
2706 sappend(s, sjset_tsft_datapad);
2709 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2710 * at an offset of 8 from the beginning of the raw packet
2711 * data (8 bytes for the radiotap header).
2713 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2716 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2719 sjset_radiotap_tsft_present->s.jf = s2;
2721 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2722 sjset_notsft_datapad->s.k = 0x20;
2723 sappend(s, sjset_notsft_datapad);
2726 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2727 * set, round the length of the 802.11 header to
2728 * a multiple of 4. Do that by adding 3 and then
2729 * dividing by and multiplying by 4, which we do by
2732 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2733 s_roundup->s.k = cstate->off_linkpl.reg;
2734 sappend(s, s_roundup);
2735 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2738 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2741 s2 = new_stmt(cstate, BPF_ST);
2742 s2->s.k = cstate->off_linkpl.reg;
2745 sjset_tsft_datapad->s.jt = s_roundup;
2746 sjset_tsft_datapad->s.jf = snext;
2747 sjset_notsft_datapad->s.jt = s_roundup;
2748 sjset_notsft_datapad->s.jf = snext;
2750 sjset_qos->s.jf = snext;
2756 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2760 /* There is an implicit dependency between the link
2761 * payload and link header since the payload computation
2762 * includes the variable part of the header. Therefore,
2763 * if nobody else has allocated a register for the link
2764 * header and we need it, do it now. */
2765 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2766 cstate->off_linkhdr.reg == -1)
2767 cstate->off_linkhdr.reg = alloc_reg(cstate);
2770 * For link-layer types that have a variable-length header
2771 * preceding the link-layer header, generate code to load
2772 * the offset of the link-layer header into the register
2773 * assigned to that offset, if any.
2775 * XXX - this, and the next switch statement, won't handle
2776 * encapsulation of 802.11 or 802.11+radio information in
2777 * some other protocol stack. That's significantly more
2780 switch (cstate->outermostlinktype) {
2782 case DLT_PRISM_HEADER:
2783 s = gen_load_prism_llprefixlen(cstate);
2786 case DLT_IEEE802_11_RADIO_AVS:
2787 s = gen_load_avs_llprefixlen(cstate);
2790 case DLT_IEEE802_11_RADIO:
2791 s = gen_load_radiotap_llprefixlen(cstate);
2795 s = gen_load_ppi_llprefixlen(cstate);
2804 * For link-layer types that have a variable-length link-layer
2805 * header, generate code to load the offset of the link-layer
2806 * payload into the register assigned to that offset, if any.
2808 switch (cstate->outermostlinktype) {
2810 case DLT_IEEE802_11:
2811 case DLT_PRISM_HEADER:
2812 case DLT_IEEE802_11_RADIO_AVS:
2813 case DLT_IEEE802_11_RADIO:
2815 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2820 * If there there is no initialization yet and we need variable
2821 * length offsets for VLAN, initialize them to zero
2823 if (s == NULL && cstate->is_vlan_vloffset) {
2826 if (cstate->off_linkpl.reg == -1)
2827 cstate->off_linkpl.reg = alloc_reg(cstate);
2828 if (cstate->off_linktype.reg == -1)
2829 cstate->off_linktype.reg = alloc_reg(cstate);
2831 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2833 s2 = new_stmt(cstate, BPF_ST);
2834 s2->s.k = cstate->off_linkpl.reg;
2836 s2 = new_stmt(cstate, BPF_ST);
2837 s2->s.k = cstate->off_linktype.reg;
2842 * If we have any offset-loading code, append all the
2843 * existing statements in the block to those statements,
2844 * and make the resulting list the list of statements
2848 sappend(s, b->stmts);
2853 static struct block *
2854 gen_ppi_dlt_check(compiler_state_t *cstate)
2856 struct slist *s_load_dlt;
2859 if (cstate->linktype == DLT_PPI)
2861 /* Create the statements that check for the DLT
2863 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2864 s_load_dlt->s.k = 4;
2866 b = new_block(cstate, JMP(BPF_JEQ));
2868 b->stmts = s_load_dlt;
2869 b->s.k = SWAPLONG(DLT_IEEE802_11);
2880 * Take an absolute offset, and:
2882 * if it has no variable part, return NULL;
2884 * if it has a variable part, generate code to load the register
2885 * containing that variable part into the X register, returning
2886 * a pointer to that code - if no register for that offset has
2887 * been allocated, allocate it first.
2889 * (The code to set that register will be generated later, but will
2890 * be placed earlier in the code sequence.)
2892 static struct slist *
2893 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
2897 if (off->is_variable) {
2898 if (off->reg == -1) {
2900 * We haven't yet assigned a register for the
2901 * variable part of the offset of the link-layer
2902 * header; allocate one.
2904 off->reg = alloc_reg(cstate);
2908 * Load the register containing the variable part of the
2909 * offset of the link-layer header into the X register.
2911 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
2916 * That offset isn't variable, there's no variable part,
2917 * so we don't need to generate any code.
2924 * Map an Ethernet type to the equivalent PPP type.
2927 ethertype_to_ppptype(int proto)
2935 case ETHERTYPE_IPV6:
2943 case ETHERTYPE_ATALK:
2957 * I'm assuming the "Bridging PDU"s that go
2958 * over PPP are Spanning Tree Protocol
2972 * Generate any tests that, for encapsulation of a link-layer packet
2973 * inside another protocol stack, need to be done to check for those
2974 * link-layer packets (and that haven't already been done by a check
2975 * for that encapsulation).
2977 static struct block *
2978 gen_prevlinkhdr_check(compiler_state_t *cstate)
2982 if (cstate->is_geneve)
2983 return gen_geneve_ll_check(cstate);
2985 switch (cstate->prevlinktype) {
2989 * This is LANE-encapsulated Ethernet; check that the LANE
2990 * packet doesn't begin with an LE Control marker, i.e.
2991 * that it's data, not a control message.
2993 * (We've already generated a test for LANE.)
2995 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3001 * No such tests are necessary.
3009 * The three different values we should check for when checking for an
3010 * IPv6 packet with DLT_NULL.
3012 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3013 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3014 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3017 * Generate code to match a particular packet type by matching the
3018 * link-layer type field or fields in the 802.2 LLC header.
3020 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3021 * value, if <= ETHERMTU.
3023 static struct block *
3024 gen_linktype(compiler_state_t *cstate, int proto)
3026 struct block *b0, *b1, *b2;
3027 const char *description;
3029 /* are we checking MPLS-encapsulated packets? */
3030 if (cstate->label_stack_depth > 0) {
3034 /* FIXME add other L3 proto IDs */
3035 return gen_mpls_linktype(cstate, Q_IP);
3037 case ETHERTYPE_IPV6:
3039 /* FIXME add other L3 proto IDs */
3040 return gen_mpls_linktype(cstate, Q_IPV6);
3043 bpf_error(cstate, "unsupported protocol over mpls");
3048 switch (cstate->linktype) {
3051 case DLT_NETANALYZER:
3052 case DLT_NETANALYZER_TRANSPARENT:
3053 /* Geneve has an EtherType regardless of whether there is an
3055 if (!cstate->is_geneve)
3056 b0 = gen_prevlinkhdr_check(cstate);
3060 b1 = gen_ether_linktype(cstate, proto);
3071 proto = (proto << 8 | LLCSAP_ISONS);
3075 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3081 case DLT_IEEE802_11:
3082 case DLT_PRISM_HEADER:
3083 case DLT_IEEE802_11_RADIO_AVS:
3084 case DLT_IEEE802_11_RADIO:
3087 * Check that we have a data frame.
3089 b0 = gen_check_802_11_data_frame(cstate);
3092 * Now check for the specified link-layer type.
3094 b1 = gen_llc_linktype(cstate, proto);
3102 * XXX - check for LLC frames.
3104 return gen_llc_linktype(cstate, proto);
3110 * XXX - check for LLC PDUs, as per IEEE 802.5.
3112 return gen_llc_linktype(cstate, proto);
3116 case DLT_ATM_RFC1483:
3118 case DLT_IP_OVER_FC:
3119 return gen_llc_linktype(cstate, proto);
3125 * Check for an LLC-encapsulated version of this protocol;
3126 * if we were checking for LANE, linktype would no longer
3129 * Check for LLC encapsulation and then check the protocol.
3131 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3132 b1 = gen_llc_linktype(cstate, proto);
3139 return gen_linux_sll_linktype(cstate, proto);
3144 case DLT_SLIP_BSDOS:
3147 * These types don't provide any type field; packets
3148 * are always IPv4 or IPv6.
3150 * XXX - for IPv4, check for a version number of 4, and,
3151 * for IPv6, check for a version number of 6?
3156 /* Check for a version number of 4. */
3157 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3159 case ETHERTYPE_IPV6:
3160 /* Check for a version number of 6. */
3161 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3164 return gen_false(cstate); /* always false */
3171 * Raw IPv4, so no type field.
3173 if (proto == ETHERTYPE_IP)
3174 return gen_true(cstate); /* always true */
3176 /* Checking for something other than IPv4; always false */
3177 return gen_false(cstate);
3183 * Raw IPv6, so no type field.
3185 if (proto == ETHERTYPE_IPV6)
3186 return gen_true(cstate); /* always true */
3188 /* Checking for something other than IPv6; always false */
3189 return gen_false(cstate);
3195 case DLT_PPP_SERIAL:
3198 * We use Ethernet protocol types inside libpcap;
3199 * map them to the corresponding PPP protocol types.
3201 proto = ethertype_to_ppptype(proto);
3202 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3208 * We use Ethernet protocol types inside libpcap;
3209 * map them to the corresponding PPP protocol types.
3215 * Also check for Van Jacobson-compressed IP.
3216 * XXX - do this for other forms of PPP?
3218 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3219 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3221 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3226 proto = ethertype_to_ppptype(proto);
3227 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3239 return (gen_loopback_linktype(cstate, AF_INET));
3241 case ETHERTYPE_IPV6:
3243 * AF_ values may, unfortunately, be platform-
3244 * dependent; AF_INET isn't, because everybody
3245 * used 4.2BSD's value, but AF_INET6 is, because
3246 * 4.2BSD didn't have a value for it (given that
3247 * IPv6 didn't exist back in the early 1980's),
3248 * and they all picked their own values.
3250 * This means that, if we're reading from a
3251 * savefile, we need to check for all the
3254 * If we're doing a live capture, we only need
3255 * to check for this platform's value; however,
3256 * Npcap uses 24, which isn't Windows's AF_INET6
3257 * value. (Given the multiple different values,
3258 * programs that read pcap files shouldn't be
3259 * checking for their platform's AF_INET6 value
3260 * anyway, they should check for all of the
3261 * possible values. and they might as well do
3262 * that even for live captures.)
3264 if (cstate->bpf_pcap->rfile != NULL) {
3266 * Savefile - check for all three
3267 * possible IPv6 values.
3269 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3270 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3272 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3277 * Live capture, so we only need to
3278 * check for the value used on this
3283 * Npcap doesn't use Windows's AF_INET6,
3284 * as that collides with AF_IPX on
3285 * some BSDs (both have the value 23).
3286 * Instead, it uses 24.
3288 return (gen_loopback_linktype(cstate, 24));
3291 return (gen_loopback_linktype(cstate, AF_INET6));
3292 #else /* AF_INET6 */
3294 * I guess this platform doesn't support
3295 * IPv6, so we just reject all packets.
3297 return gen_false(cstate);
3298 #endif /* AF_INET6 */
3304 * Not a type on which we support filtering.
3305 * XXX - support those that have AF_ values
3306 * #defined on this platform, at least?
3308 return gen_false(cstate);
3311 #ifdef HAVE_NET_PFVAR_H
3314 * af field is host byte order in contrast to the rest of
3317 if (proto == ETHERTYPE_IP)
3318 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3319 BPF_B, (bpf_int32)AF_INET));
3320 else if (proto == ETHERTYPE_IPV6)
3321 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3322 BPF_B, (bpf_int32)AF_INET6));
3324 return gen_false(cstate);
3327 #endif /* HAVE_NET_PFVAR_H */
3330 case DLT_ARCNET_LINUX:
3332 * XXX should we check for first fragment if the protocol
3338 return gen_false(cstate);
3340 case ETHERTYPE_IPV6:
3341 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3342 (bpf_int32)ARCTYPE_INET6));
3345 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3346 (bpf_int32)ARCTYPE_IP);
3347 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3348 (bpf_int32)ARCTYPE_IP_OLD);
3353 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3354 (bpf_int32)ARCTYPE_ARP);
3355 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3356 (bpf_int32)ARCTYPE_ARP_OLD);
3360 case ETHERTYPE_REVARP:
3361 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3362 (bpf_int32)ARCTYPE_REVARP));
3364 case ETHERTYPE_ATALK:
3365 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3366 (bpf_int32)ARCTYPE_ATALK));
3373 case ETHERTYPE_ATALK:
3374 return gen_true(cstate);
3376 return gen_false(cstate);
3383 * XXX - assumes a 2-byte Frame Relay header with
3384 * DLCI and flags. What if the address is longer?
3390 * Check for the special NLPID for IP.
3392 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3394 case ETHERTYPE_IPV6:
3396 * Check for the special NLPID for IPv6.
3398 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3402 * Check for several OSI protocols.
3404 * Frame Relay packets typically have an OSI
3405 * NLPID at the beginning; we check for each
3408 * What we check for is the NLPID and a frame
3409 * control field of UI, i.e. 0x03 followed
3412 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3413 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3414 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3420 return gen_false(cstate);
3426 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3428 case DLT_JUNIPER_MFR:
3429 case DLT_JUNIPER_MLFR:
3430 case DLT_JUNIPER_MLPPP:
3431 case DLT_JUNIPER_ATM1:
3432 case DLT_JUNIPER_ATM2:
3433 case DLT_JUNIPER_PPPOE:
3434 case DLT_JUNIPER_PPPOE_ATM:
3435 case DLT_JUNIPER_GGSN:
3436 case DLT_JUNIPER_ES:
3437 case DLT_JUNIPER_MONITOR:
3438 case DLT_JUNIPER_SERVICES:
3439 case DLT_JUNIPER_ETHER:
3440 case DLT_JUNIPER_PPP:
3441 case DLT_JUNIPER_FRELAY:
3442 case DLT_JUNIPER_CHDLC:
3443 case DLT_JUNIPER_VP:
3444 case DLT_JUNIPER_ST:
3445 case DLT_JUNIPER_ISM:
3446 case DLT_JUNIPER_VS:
3447 case DLT_JUNIPER_SRX_E2E:
3448 case DLT_JUNIPER_FIBRECHANNEL:
3449 case DLT_JUNIPER_ATM_CEMIC:
3451 /* just lets verify the magic number for now -
3452 * on ATM we may have up to 6 different encapsulations on the wire
3453 * and need a lot of heuristics to figure out that the payload
3456 * FIXME encapsulation specific BPF_ filters
3458 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3460 case DLT_BACNET_MS_TP:
3461 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3464 return gen_ipnet_linktype(cstate, proto);
3466 case DLT_LINUX_IRDA:
3467 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3470 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3473 case DLT_MTP2_WITH_PHDR:
3474 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3477 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3480 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3482 case DLT_LINUX_LAPD:
3483 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3485 case DLT_USB_FREEBSD:
3487 case DLT_USB_LINUX_MMAPPED:
3489 bpf_error(cstate, "USB link-layer type filtering not implemented");
3491 case DLT_BLUETOOTH_HCI_H4:
3492 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3493 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3496 case DLT_CAN_SOCKETCAN:
3497 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3499 case DLT_IEEE802_15_4:
3500 case DLT_IEEE802_15_4_LINUX:
3501 case DLT_IEEE802_15_4_NONASK_PHY:
3502 case DLT_IEEE802_15_4_NOFCS:
3503 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3505 case DLT_IEEE802_16_MAC_CPS_RADIO:
3506 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3509 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3512 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3515 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3518 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3521 /* Using the fixed-size NFLOG header it is possible to tell only
3522 * the address family of the packet, other meaningful data is
3523 * either missing or behind TLVs.
3525 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3529 * Does this link-layer header type have a field
3530 * indicating the type of the next protocol? If
3531 * so, off_linktype.constant_part will be the offset of that
3532 * field in the packet; if not, it will be OFFSET_NOT_SET.
3534 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3536 * Yes; assume it's an Ethernet type. (If
3537 * it's not, it needs to be handled specially
3540 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3543 * No; report an error.
3545 description = pcap_datalink_val_to_description(cstate->linktype);
3546 if (description != NULL) {
3547 bpf_error(cstate, "%s link-layer type filtering not implemented",
3550 bpf_error(cstate, "DLT %u link-layer type filtering not implemented",
3559 * Check for an LLC SNAP packet with a given organization code and
3560 * protocol type; we check the entire contents of the 802.2 LLC and
3561 * snap headers, checking for DSAP and SSAP of SNAP and a control
3562 * field of 0x03 in the LLC header, and for the specified organization
3563 * code and protocol type in the SNAP header.
3565 static struct block *
3566 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3568 u_char snapblock[8];
3570 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3571 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3572 snapblock[2] = 0x03; /* control = UI */
3573 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3574 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3575 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3576 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3577 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3578 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3582 * Generate code to match frames with an LLC header.
3585 gen_llc(compiler_state_t *cstate)
3587 struct block *b0, *b1;
3589 switch (cstate->linktype) {
3593 * We check for an Ethernet type field less than
3594 * 1500, which means it's an 802.3 length field.
3596 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3600 * Now check for the purported DSAP and SSAP not being
3601 * 0xFF, to rule out NetWare-over-802.3.
3603 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3610 * We check for LLC traffic.
3612 b0 = gen_atmtype_abbrev(cstate, A_LLC);
3615 case DLT_IEEE802: /* Token Ring */
3617 * XXX - check for LLC frames.
3619 return gen_true(cstate);
3623 * XXX - check for LLC frames.
3625 return gen_true(cstate);
3627 case DLT_ATM_RFC1483:
3629 * For LLC encapsulation, these are defined to have an
3632 * For VC encapsulation, they don't, but there's no
3633 * way to check for that; the protocol used on the VC
3634 * is negotiated out of band.
3636 return gen_true(cstate);
3638 case DLT_IEEE802_11:
3639 case DLT_PRISM_HEADER:
3640 case DLT_IEEE802_11_RADIO:
3641 case DLT_IEEE802_11_RADIO_AVS:
3644 * Check that we have a data frame.
3646 b0 = gen_check_802_11_data_frame(cstate);
3650 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype);
3656 gen_llc_i(compiler_state_t *cstate)
3658 struct block *b0, *b1;
3662 * Check whether this is an LLC frame.
3664 b0 = gen_llc(cstate);
3667 * Load the control byte and test the low-order bit; it must
3668 * be clear for I frames.
3670 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3671 b1 = new_block(cstate, JMP(BPF_JSET));
3680 gen_llc_s(compiler_state_t *cstate)
3682 struct block *b0, *b1;
3685 * Check whether this is an LLC frame.
3687 b0 = gen_llc(cstate);
3690 * Now compare the low-order 2 bit of the control byte against
3691 * the appropriate value for S frames.
3693 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3699 gen_llc_u(compiler_state_t *cstate)
3701 struct block *b0, *b1;
3704 * Check whether this is an LLC frame.
3706 b0 = gen_llc(cstate);
3709 * Now compare the low-order 2 bit of the control byte against
3710 * the appropriate value for U frames.
3712 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3718 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3720 struct block *b0, *b1;
3723 * Check whether this is an LLC frame.
3725 b0 = gen_llc(cstate);
3728 * Now check for an S frame with the appropriate type.
3730 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3736 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3738 struct block *b0, *b1;
3741 * Check whether this is an LLC frame.
3743 b0 = gen_llc(cstate);
3746 * Now check for a U frame with the appropriate type.
3748 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3754 * Generate code to match a particular packet type, for link-layer types
3755 * using 802.2 LLC headers.
3757 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3758 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3760 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3761 * value, if <= ETHERMTU. We use that to determine whether to
3762 * match the DSAP or both DSAP and LSAP or to check the OUI and
3763 * protocol ID in a SNAP header.
3765 static struct block *
3766 gen_llc_linktype(compiler_state_t *cstate, int proto)
3769 * XXX - handle token-ring variable-length header.
3775 case LLCSAP_NETBEUI:
3777 * XXX - should we check both the DSAP and the
3778 * SSAP, like this, or should we check just the
3779 * DSAP, as we do for other SAP values?
3781 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3782 ((proto << 8) | proto));
3786 * XXX - are there ever SNAP frames for IPX on
3787 * non-Ethernet 802.x networks?
3789 return gen_cmp(cstate, OR_LLC, 0, BPF_B,
3790 (bpf_int32)LLCSAP_IPX);
3792 case ETHERTYPE_ATALK:
3794 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3795 * SNAP packets with an organization code of
3796 * 0x080007 (Apple, for Appletalk) and a protocol
3797 * type of ETHERTYPE_ATALK (Appletalk).
3799 * XXX - check for an organization code of
3800 * encapsulated Ethernet as well?
3802 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3806 * XXX - we don't have to check for IPX 802.3
3807 * here, but should we check for the IPX Ethertype?
3809 if (proto <= ETHERMTU) {
3811 * This is an LLC SAP value, so check
3814 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto);
3817 * This is an Ethernet type; we assume that it's
3818 * unlikely that it'll appear in the right place
3819 * at random, and therefore check only the
3820 * location that would hold the Ethernet type
3821 * in a SNAP frame with an organization code of
3822 * 0x000000 (encapsulated Ethernet).
3824 * XXX - if we were to check for the SNAP DSAP and
3825 * LSAP, as per XXX, and were also to check for an
3826 * organization code of 0x000000 (encapsulated
3827 * Ethernet), we'd do
3829 * return gen_snap(cstate, 0x000000, proto);
3831 * here; for now, we don't, as per the above.
3832 * I don't know whether it's worth the extra CPU
3833 * time to do the right check or not.
3835 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto);
3840 static struct block *
3841 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3842 int dir, int proto, u_int src_off, u_int dst_off)
3844 struct block *b0, *b1;
3858 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3859 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3865 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3866 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3871 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3875 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3879 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3883 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3887 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
3891 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
3897 b0 = gen_linktype(cstate, proto);
3898 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
3904 static struct block *
3905 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
3906 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off)
3908 struct block *b0, *b1;
3923 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3924 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3930 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3931 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3936 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3940 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3944 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3948 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
3952 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
3956 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
3962 /* this order is important */
3963 a = (uint32_t *)addr;
3964 m = (uint32_t *)mask;
3965 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3966 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3968 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3970 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3972 b0 = gen_linktype(cstate, proto);
3978 static struct block *
3979 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
3981 register struct block *b0, *b1;
3985 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
3988 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
3991 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3992 b1 = gen_ehostop(cstate, eaddr, Q_DST);
3998 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3999 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4004 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4008 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4012 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4016 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4020 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4024 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4032 * Like gen_ehostop, but for DLT_FDDI
4034 static struct block *
4035 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4037 struct block *b0, *b1;
4041 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4044 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4047 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4048 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4054 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4055 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4060 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4064 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4068 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4072 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4076 bpf_error(cstate, "'ra' is only supported on 802.11");
4080 bpf_error(cstate, "'ta' is only supported on 802.11");
4088 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4090 static struct block *
4091 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4093 register struct block *b0, *b1;
4097 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4100 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4103 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4104 b1 = gen_thostop(cstate, eaddr, Q_DST);
4110 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4111 b1 = gen_thostop(cstate, eaddr, Q_DST);
4116 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4120 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4124 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4128 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4132 bpf_error(cstate, "'ra' is only supported on 802.11");
4136 bpf_error(cstate, "'ta' is only supported on 802.11");
4144 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4145 * various 802.11 + radio headers.
4147 static struct block *
4148 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4150 register struct block *b0, *b1, *b2;
4151 register struct slist *s;
4153 #ifdef ENABLE_WLAN_FILTERING_PATCH
4156 * We need to disable the optimizer because the optimizer is buggy
4157 * and wipes out some LD instructions generated by the below
4158 * code to validate the Frame Control bits
4160 cstate->no_optimize = 1;
4161 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4168 * For control frames, there is no SA.
4170 * For management frames, SA is at an
4171 * offset of 10 from the beginning of
4174 * For data frames, SA is at an offset
4175 * of 10 from the beginning of the packet
4176 * if From DS is clear, at an offset of
4177 * 16 from the beginning of the packet
4178 * if From DS is set and To DS is clear,
4179 * and an offset of 24 from the beginning
4180 * of the packet if From DS is set and To DS
4185 * Generate the tests to be done for data frames
4188 * First, check for To DS set, i.e. check "link[1] & 0x01".
4190 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4191 b1 = new_block(cstate, JMP(BPF_JSET));
4192 b1->s.k = 0x01; /* To DS */
4196 * If To DS is set, the SA is at 24.
4198 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4202 * Now, check for To DS not set, i.e. check
4203 * "!(link[1] & 0x01)".
4205 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4206 b2 = new_block(cstate, JMP(BPF_JSET));
4207 b2->s.k = 0x01; /* To DS */
4212 * If To DS is not set, the SA is at 16.
4214 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4218 * Now OR together the last two checks. That gives
4219 * the complete set of checks for data frames with
4225 * Now check for From DS being set, and AND that with
4226 * the ORed-together checks.
4228 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4229 b1 = new_block(cstate, JMP(BPF_JSET));
4230 b1->s.k = 0x02; /* From DS */
4235 * Now check for data frames with From DS not set.
4237 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4238 b2 = new_block(cstate, JMP(BPF_JSET));
4239 b2->s.k = 0x02; /* From DS */
4244 * If From DS isn't set, the SA is at 10.
4246 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4250 * Now OR together the checks for data frames with
4251 * From DS not set and for data frames with From DS
4252 * set; that gives the checks done for data frames.
4257 * Now check for a data frame.
4258 * I.e, check "link[0] & 0x08".
4260 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4261 b1 = new_block(cstate, JMP(BPF_JSET));
4266 * AND that with the checks done for data frames.
4271 * If the high-order bit of the type value is 0, this
4272 * is a management frame.
4273 * I.e, check "!(link[0] & 0x08)".
4275 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4276 b2 = new_block(cstate, JMP(BPF_JSET));
4282 * For management frames, the SA is at 10.
4284 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4288 * OR that with the checks done for data frames.
4289 * That gives the checks done for management and
4295 * If the low-order bit of the type value is 1,
4296 * this is either a control frame or a frame
4297 * with a reserved type, and thus not a
4300 * I.e., check "!(link[0] & 0x04)".
4302 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4303 b1 = new_block(cstate, JMP(BPF_JSET));
4309 * AND that with the checks for data and management
4319 * For control frames, there is no DA.
4321 * For management frames, DA is at an
4322 * offset of 4 from the beginning of
4325 * For data frames, DA is at an offset
4326 * of 4 from the beginning of the packet
4327 * if To DS is clear and at an offset of
4328 * 16 from the beginning of the packet
4333 * Generate the tests to be done for data frames.
4335 * First, check for To DS set, i.e. "link[1] & 0x01".
4337 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4338 b1 = new_block(cstate, JMP(BPF_JSET));
4339 b1->s.k = 0x01; /* To DS */
4343 * If To DS is set, the DA is at 16.
4345 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4349 * Now, check for To DS not set, i.e. check
4350 * "!(link[1] & 0x01)".
4352 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4353 b2 = new_block(cstate, JMP(BPF_JSET));
4354 b2->s.k = 0x01; /* To DS */
4359 * If To DS is not set, the DA is at 4.
4361 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4365 * Now OR together the last two checks. That gives
4366 * the complete set of checks for data frames.
4371 * Now check for a data frame.
4372 * I.e, check "link[0] & 0x08".
4374 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4375 b1 = new_block(cstate, JMP(BPF_JSET));
4380 * AND that with the checks done for data frames.
4385 * If the high-order bit of the type value is 0, this
4386 * is a management frame.
4387 * I.e, check "!(link[0] & 0x08)".
4389 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4390 b2 = new_block(cstate, JMP(BPF_JSET));
4396 * For management frames, the DA is at 4.
4398 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4402 * OR that with the checks done for data frames.
4403 * That gives the checks done for management and
4409 * If the low-order bit of the type value is 1,
4410 * this is either a control frame or a frame
4411 * with a reserved type, and thus not a
4414 * I.e., check "!(link[0] & 0x04)".
4416 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4417 b1 = new_block(cstate, JMP(BPF_JSET));
4423 * AND that with the checks for data and management
4431 * Not present in management frames; addr1 in other
4436 * If the high-order bit of the type value is 0, this
4437 * is a management frame.
4438 * I.e, check "(link[0] & 0x08)".
4440 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4441 b1 = new_block(cstate, JMP(BPF_JSET));
4448 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4451 * AND that with the check of addr1.
4458 * Not present in management frames; addr2, if present,
4463 * Not present in CTS or ACK control frames.
4465 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4466 IEEE80211_FC0_TYPE_MASK);
4468 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4469 IEEE80211_FC0_SUBTYPE_MASK);
4471 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4472 IEEE80211_FC0_SUBTYPE_MASK);
4478 * If the high-order bit of the type value is 0, this
4479 * is a management frame.
4480 * I.e, check "(link[0] & 0x08)".
4482 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4483 b1 = new_block(cstate, JMP(BPF_JSET));
4488 * AND that with the check for frames other than
4489 * CTS and ACK frames.
4496 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4501 * XXX - add BSSID keyword?
4504 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4508 * Not present in CTS or ACK control frames.
4510 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4511 IEEE80211_FC0_TYPE_MASK);
4513 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4514 IEEE80211_FC0_SUBTYPE_MASK);
4516 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4517 IEEE80211_FC0_SUBTYPE_MASK);
4521 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4527 * Not present in control frames.
4529 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4530 IEEE80211_FC0_TYPE_MASK);
4532 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4538 * Present only if the direction mask has both "From DS"
4539 * and "To DS" set. Neither control frames nor management
4540 * frames should have both of those set, so we don't
4541 * check the frame type.
4543 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4544 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4545 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4550 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4551 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4557 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4558 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4567 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4568 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4569 * as the RFC states.)
4571 static struct block *
4572 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4574 register struct block *b0, *b1;
4578 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4581 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4584 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4585 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4591 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4592 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4597 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4601 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4605 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4609 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4613 bpf_error(cstate, "'ra' is only supported on 802.11");
4617 bpf_error(cstate, "'ta' is only supported on 802.11");
4625 * This is quite tricky because there may be pad bytes in front of the
4626 * DECNET header, and then there are two possible data packet formats that
4627 * carry both src and dst addresses, plus 5 packet types in a format that
4628 * carries only the src node, plus 2 types that use a different format and
4629 * also carry just the src node.
4633 * Instead of doing those all right, we just look for data packets with
4634 * 0 or 1 bytes of padding. If you want to look at other packets, that
4635 * will require a lot more hacking.
4637 * To add support for filtering on DECNET "areas" (network numbers)
4638 * one would want to add a "mask" argument to this routine. That would
4639 * make the filter even more inefficient, although one could be clever
4640 * and not generate masking instructions if the mask is 0xFFFF.
4642 static struct block *
4643 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4645 struct block *b0, *b1, *b2, *tmp;
4646 u_int offset_lh; /* offset if long header is received */
4647 u_int offset_sh; /* offset if short header is received */
4652 offset_sh = 1; /* follows flags */
4653 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4657 offset_sh = 3; /* follows flags, dstnode */
4658 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4662 /* Inefficient because we do our Calvinball dance twice */
4663 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4664 b1 = gen_dnhostop(cstate, addr, Q_DST);
4670 /* Inefficient because we do our Calvinball dance twice */
4671 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4672 b1 = gen_dnhostop(cstate, addr, Q_DST);
4677 bpf_error(cstate, "ISO host filtering not implemented");
4682 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4683 /* Check for pad = 1, long header case */
4684 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4685 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4686 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4687 BPF_H, (bpf_int32)ntohs((u_short)addr));
4689 /* Check for pad = 0, long header case */
4690 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4691 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4694 /* Check for pad = 1, short header case */
4695 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4696 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4697 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4700 /* Check for pad = 0, short header case */
4701 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4702 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4706 /* Combine with test for cstate->linktype */
4712 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4713 * test the bottom-of-stack bit, and then check the version number
4714 * field in the IP header.
4716 static struct block *
4717 gen_mpls_linktype(compiler_state_t *cstate, int proto)
4719 struct block *b0, *b1;
4724 /* match the bottom-of-stack bit */
4725 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4726 /* match the IPv4 version number */
4727 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4732 /* match the bottom-of-stack bit */
4733 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4734 /* match the IPv4 version number */
4735 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4744 static struct block *
4745 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4746 int proto, int dir, int type)
4748 struct block *b0, *b1;
4749 const char *typestr;
4759 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4761 * Only check for non-IPv4 addresses if we're not
4762 * checking MPLS-encapsulated packets.
4764 if (cstate->label_stack_depth == 0) {
4765 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4767 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4773 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4776 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4779 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4782 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4785 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4788 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4791 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4794 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4797 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4800 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4803 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4806 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4809 bpf_error(cstate, "ATALK host filtering not implemented");
4812 bpf_error(cstate, "AARP host filtering not implemented");
4815 return gen_dnhostop(cstate, addr, dir);
4818 bpf_error(cstate, "SCA host filtering not implemented");
4821 bpf_error(cstate, "LAT host filtering not implemented");
4824 bpf_error(cstate, "MOPDL host filtering not implemented");
4827 bpf_error(cstate, "MOPRC host filtering not implemented");
4830 bpf_error(cstate, "'ip6' modifier applied to ip host");
4833 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4836 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4839 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4842 bpf_error(cstate, "ISO host filtering not implemented");
4845 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4848 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4851 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4854 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4857 bpf_error(cstate, "IPX host filtering not implemented");
4860 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4863 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4872 static struct block *
4873 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
4874 struct in6_addr *mask, int proto, int dir, int type)
4876 const char *typestr;
4886 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
4889 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
4892 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
4895 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
4898 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
4901 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4904 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4907 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4910 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4913 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4916 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4919 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4922 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4925 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4928 bpf_error(cstate, "ATALK host filtering not implemented");
4931 bpf_error(cstate, "AARP host filtering not implemented");
4934 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
4937 bpf_error(cstate, "SCA host filtering not implemented");
4940 bpf_error(cstate, "LAT host filtering not implemented");
4943 bpf_error(cstate, "MOPDL host filtering not implemented");
4946 bpf_error(cstate, "MOPRC host filtering not implemented");
4949 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4952 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4955 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4958 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4961 bpf_error(cstate, "ISO host filtering not implemented");
4964 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4967 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4970 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4973 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4976 bpf_error(cstate, "IPX host filtering not implemented");
4979 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4982 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4992 static struct block *
4993 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
4994 struct addrinfo *alist, int proto, int dir)
4996 struct block *b0, *b1, *tmp;
4997 struct addrinfo *ai;
4998 struct sockaddr_in *sin;
5001 bpf_error(cstate, "direction applied to 'gateway'");
5008 switch (cstate->linktype) {
5010 case DLT_NETANALYZER:
5011 case DLT_NETANALYZER_TRANSPARENT:
5012 b1 = gen_prevlinkhdr_check(cstate);
5013 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5018 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5021 b0 = gen_thostop(cstate, eaddr, Q_OR);
5023 case DLT_IEEE802_11:
5024 case DLT_PRISM_HEADER:
5025 case DLT_IEEE802_11_RADIO_AVS:
5026 case DLT_IEEE802_11_RADIO:
5028 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5032 * This is LLC-multiplexed traffic; if it were
5033 * LANE, cstate->linktype would have been set to
5037 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5039 case DLT_IP_OVER_FC:
5040 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5044 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5047 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5049 * Does it have an address?
5051 if (ai->ai_addr != NULL) {
5053 * Yes. Is it an IPv4 address?
5055 if (ai->ai_addr->sa_family == AF_INET) {
5057 * Generate an entry for it.
5059 sin = (struct sockaddr_in *)ai->ai_addr;
5060 tmp = gen_host(cstate,
5061 ntohl(sin->sin_addr.s_addr),
5062 0xffffffff, proto, Q_OR, Q_HOST);
5064 * Is it the *first* IPv4 address?
5068 * Yes, so start with it.
5073 * No, so OR it into the
5085 * No IPv4 addresses found.
5093 bpf_error(cstate, "illegal modifier of 'gateway'");
5099 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5107 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5108 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5113 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5114 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5119 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5120 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5125 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5128 #ifndef IPPROTO_IGMP
5129 #define IPPROTO_IGMP 2
5133 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5136 #ifndef IPPROTO_IGRP
5137 #define IPPROTO_IGRP 9
5140 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5144 #define IPPROTO_PIM 103
5148 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5149 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5153 #ifndef IPPROTO_VRRP
5154 #define IPPROTO_VRRP 112
5158 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5161 #ifndef IPPROTO_CARP
5162 #define IPPROTO_CARP 112
5166 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5170 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5174 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5178 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5182 bpf_error(cstate, "link layer applied in wrong context");
5185 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5189 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5193 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5197 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5201 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5205 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5209 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5213 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5216 #ifndef IPPROTO_ICMPV6
5217 #define IPPROTO_ICMPV6 58
5220 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5224 #define IPPROTO_AH 51
5227 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5228 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5233 #define IPPROTO_ESP 50
5236 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5237 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5242 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5246 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5250 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5253 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5254 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5255 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5257 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5259 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5261 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5265 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5266 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5267 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5269 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5271 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5273 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5277 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5278 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5279 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5281 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5286 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5287 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5292 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5293 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5295 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5297 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5302 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5303 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5308 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5309 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5314 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5318 b1 = gen_linktype(cstate, LLCSAP_8021D);
5322 b1 = gen_linktype(cstate, LLCSAP_IPX);
5326 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5330 bpf_error(cstate, "'radio' is not a valid protocol type");
5338 static struct block *
5339 gen_ipfrag(compiler_state_t *cstate)
5344 /* not IPv4 frag other than the first frag */
5345 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5346 b = new_block(cstate, JMP(BPF_JSET));
5355 * Generate a comparison to a port value in the transport-layer header
5356 * at the specified offset from the beginning of that header.
5358 * XXX - this handles a variable-length prefix preceding the link-layer
5359 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5360 * variable-length link-layer headers (such as Token Ring or 802.11
5363 static struct block *
5364 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v)
5366 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5369 static struct block *
5370 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v)
5372 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5376 gen_portop(compiler_state_t *cstate, int port, int proto, int dir)
5378 struct block *b0, *b1, *tmp;
5380 /* ip proto 'proto' and not a fragment other than the first fragment */
5381 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5382 b0 = gen_ipfrag(cstate);
5387 b1 = gen_portatom(cstate, 0, (bpf_int32)port);
5391 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5396 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5397 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5402 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5403 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5415 static struct block *
5416 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir)
5418 struct block *b0, *b1, *tmp;
5423 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5424 * not LLC encapsulation with LLCSAP_IP.
5426 * For IEEE 802 networks - which includes 802.5 token ring
5427 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5428 * says that SNAP encapsulation is used, not LLC encapsulation
5431 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5432 * RFC 2225 say that SNAP encapsulation is used, not LLC
5433 * encapsulation with LLCSAP_IP.
5435 * So we always check for ETHERTYPE_IP.
5437 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5443 b1 = gen_portop(cstate, port, ip_proto, dir);
5447 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5448 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5450 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5462 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir)
5464 struct block *b0, *b1, *tmp;
5466 /* ip6 proto 'proto' */
5467 /* XXX - catch the first fragment of a fragmented packet? */
5468 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5472 b1 = gen_portatom6(cstate, 0, (bpf_int32)port);
5476 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5481 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5482 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5487 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5488 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5500 static struct block *
5501 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir)
5503 struct block *b0, *b1, *tmp;
5505 /* link proto ip6 */
5506 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5512 b1 = gen_portop6(cstate, port, ip_proto, dir);
5516 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5517 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5519 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5530 /* gen_portrange code */
5531 static struct block *
5532 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1,
5535 struct block *b1, *b2;
5539 * Reverse the order of the ports, so v1 is the lower one.
5548 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5549 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5557 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto,
5560 struct block *b0, *b1, *tmp;
5562 /* ip proto 'proto' and not a fragment other than the first fragment */
5563 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5564 b0 = gen_ipfrag(cstate);
5569 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5573 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5578 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5579 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5584 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5585 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5597 static struct block *
5598 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5601 struct block *b0, *b1, *tmp;
5604 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5610 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir);
5614 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5615 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5617 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5628 static struct block *
5629 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1,
5632 struct block *b1, *b2;
5636 * Reverse the order of the ports, so v1 is the lower one.
5645 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5646 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5654 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto,
5657 struct block *b0, *b1, *tmp;
5659 /* ip6 proto 'proto' */
5660 /* XXX - catch the first fragment of a fragmented packet? */
5661 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5665 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5669 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5674 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5675 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5680 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5681 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5693 static struct block *
5694 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5697 struct block *b0, *b1, *tmp;
5699 /* link proto ip6 */
5700 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5706 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir);
5710 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5711 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5713 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5725 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5734 v = pcap_nametoproto(name);
5735 if (v == PROTO_UNDEF)
5736 bpf_error(cstate, "unknown ip proto '%s'", name);
5740 /* XXX should look up h/w protocol type based on cstate->linktype */
5741 v = pcap_nametoeproto(name);
5742 if (v == PROTO_UNDEF) {
5743 v = pcap_nametollc(name);
5744 if (v == PROTO_UNDEF)
5745 bpf_error(cstate, "unknown ether proto '%s'", name);
5750 if (strcmp(name, "esis") == 0)
5752 else if (strcmp(name, "isis") == 0)
5754 else if (strcmp(name, "clnp") == 0)
5757 bpf_error(cstate, "unknown osi proto '%s'", name);
5769 gen_joinsp(struct stmt **s, int n)
5775 static struct block *
5776 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir)
5778 #ifdef NO_PROTOCHAIN
5779 return gen_proto(cstate, v, proto, dir);
5781 struct block *b0, *b;
5782 struct slist *s[100];
5783 int fix2, fix3, fix4, fix5;
5784 int ahcheck, again, end;
5786 int reg2 = alloc_reg(cstate);
5788 memset(s, 0, sizeof(s));
5789 fix3 = fix4 = fix5 = 0;
5796 b0 = gen_protochain(cstate, v, Q_IP, dir);
5797 b = gen_protochain(cstate, v, Q_IPV6, dir);
5801 bpf_error(cstate, "bad protocol applied for 'protochain'");
5806 * We don't handle variable-length prefixes before the link-layer
5807 * header, or variable-length link-layer headers, here yet.
5808 * We might want to add BPF instructions to do the protochain
5809 * work, to simplify that and, on platforms that have a BPF
5810 * interpreter with the new instructions, let the filtering
5811 * be done in the kernel. (We already require a modified BPF
5812 * engine to do the protochain stuff, to support backward
5813 * branches, and backward branch support is unlikely to appear
5814 * in kernel BPF engines.)
5816 if (cstate->off_linkpl.is_variable)
5817 bpf_error(cstate, "'protochain' not supported with variable length headers");
5819 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */
5822 * s[0] is a dummy entry to protect other BPF insn from damage
5823 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5824 * hard to find interdependency made by jump table fixup.
5827 s[i] = new_stmt(cstate, 0); /*dummy*/
5832 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5835 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5836 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
5838 /* X = ip->ip_hl << 2 */
5839 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
5840 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5845 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5847 /* A = ip6->ip_nxt */
5848 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5849 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
5851 /* X = sizeof(struct ip6_hdr) */
5852 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
5858 bpf_error(cstate, "unsupported proto to gen_protochain");
5862 /* again: if (A == v) goto end; else fall through; */
5864 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5866 s[i]->s.jt = NULL; /*later*/
5867 s[i]->s.jf = NULL; /*update in next stmt*/
5871 #ifndef IPPROTO_NONE
5872 #define IPPROTO_NONE 59
5874 /* if (A == IPPROTO_NONE) goto end */
5875 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5876 s[i]->s.jt = NULL; /*later*/
5877 s[i]->s.jf = NULL; /*update in next stmt*/
5878 s[i]->s.k = IPPROTO_NONE;
5879 s[fix5]->s.jf = s[i];
5883 if (proto == Q_IPV6) {
5884 int v6start, v6end, v6advance, j;
5887 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5888 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5889 s[i]->s.jt = NULL; /*later*/
5890 s[i]->s.jf = NULL; /*update in next stmt*/
5891 s[i]->s.k = IPPROTO_HOPOPTS;
5892 s[fix2]->s.jf = s[i];
5894 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5895 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5896 s[i]->s.jt = NULL; /*later*/
5897 s[i]->s.jf = NULL; /*update in next stmt*/
5898 s[i]->s.k = IPPROTO_DSTOPTS;
5900 /* if (A == IPPROTO_ROUTING) goto v6advance */
5901 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5902 s[i]->s.jt = NULL; /*later*/
5903 s[i]->s.jf = NULL; /*update in next stmt*/
5904 s[i]->s.k = IPPROTO_ROUTING;
5906 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5907 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5908 s[i]->s.jt = NULL; /*later*/
5909 s[i]->s.jf = NULL; /*later*/
5910 s[i]->s.k = IPPROTO_FRAGMENT;
5920 * A = P[X + packet head];
5921 * X = X + (P[X + packet head + 1] + 1) * 8;
5923 /* A = P[X + packet head] */
5924 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5925 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5928 s[i] = new_stmt(cstate, BPF_ST);
5931 /* A = P[X + packet head + 1]; */
5932 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5933 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
5936 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5940 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
5944 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
5948 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5951 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
5955 /* goto again; (must use BPF_JA for backward jump) */
5956 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
5957 s[i]->s.k = again - i - 1;
5958 s[i - 1]->s.jf = s[i];
5962 for (j = v6start; j <= v6end; j++)
5963 s[j]->s.jt = s[v6advance];
5966 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5968 s[fix2]->s.jf = s[i];
5974 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5975 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5976 s[i]->s.jt = NULL; /*later*/
5977 s[i]->s.jf = NULL; /*later*/
5978 s[i]->s.k = IPPROTO_AH;
5980 s[fix3]->s.jf = s[ahcheck];
5987 * X = X + (P[X + 1] + 2) * 4;
5990 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
5992 /* A = P[X + packet head]; */
5993 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5994 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5997 s[i] = new_stmt(cstate, BPF_ST);
6001 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6004 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6008 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6010 /* A = P[X + packet head] */
6011 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6012 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6015 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6019 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6023 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6026 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6030 /* goto again; (must use BPF_JA for backward jump) */
6031 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6032 s[i]->s.k = again - i - 1;
6037 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6039 s[fix2]->s.jt = s[end];
6040 s[fix4]->s.jf = s[end];
6041 s[fix5]->s.jt = s[end];
6048 for (i = 0; i < max - 1; i++)
6049 s[i]->next = s[i + 1];
6050 s[max - 1]->next = NULL;
6055 b = new_block(cstate, JMP(BPF_JEQ));
6056 b->stmts = s[1]; /*remember, s[0] is dummy*/
6059 free_reg(cstate, reg2);
6066 static struct block *
6067 gen_check_802_11_data_frame(compiler_state_t *cstate)
6070 struct block *b0, *b1;
6073 * A data frame has the 0x08 bit (b3) in the frame control field set
6074 * and the 0x04 bit (b2) clear.
6076 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6077 b0 = new_block(cstate, JMP(BPF_JSET));
6081 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6082 b1 = new_block(cstate, JMP(BPF_JSET));
6093 * Generate code that checks whether the packet is a packet for protocol
6094 * <proto> and whether the type field in that protocol's header has
6095 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6096 * IP packet and checks the protocol number in the IP header against <v>.
6098 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6099 * against Q_IP and Q_IPV6.
6101 static struct block *
6102 gen_proto(compiler_state_t *cstate, int v, int proto, int dir)
6104 struct block *b0, *b1;
6109 if (dir != Q_DEFAULT)
6110 bpf_error(cstate, "direction applied to 'proto'");
6114 b0 = gen_proto(cstate, v, Q_IP, dir);
6115 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6121 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6122 * not LLC encapsulation with LLCSAP_IP.
6124 * For IEEE 802 networks - which includes 802.5 token ring
6125 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6126 * says that SNAP encapsulation is used, not LLC encapsulation
6129 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6130 * RFC 2225 say that SNAP encapsulation is used, not LLC
6131 * encapsulation with LLCSAP_IP.
6133 * So we always check for ETHERTYPE_IP.
6135 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6137 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v);
6139 b1 = gen_protochain(cstate, v, Q_IP);
6145 switch (cstate->linktype) {
6149 * Frame Relay packets typically have an OSI
6150 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6151 * generates code to check for all the OSI
6152 * NLPIDs, so calling it and then adding a check
6153 * for the particular NLPID for which we're
6154 * looking is bogus, as we can just check for
6157 * What we check for is the NLPID and a frame
6158 * control field value of UI, i.e. 0x03 followed
6161 * XXX - assumes a 2-byte Frame Relay header with
6162 * DLCI and flags. What if the address is longer?
6164 * XXX - what about SNAP-encapsulated frames?
6166 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6172 * Cisco uses an Ethertype lookalike - for OSI,
6175 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6176 /* OSI in C-HDLC is stuffed with a fudge byte */
6177 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6182 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6183 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6189 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6191 * 4 is the offset of the PDU type relative to the IS-IS
6194 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6199 bpf_error(cstate, "arp does not encapsulate another protocol");
6203 bpf_error(cstate, "rarp does not encapsulate another protocol");
6207 bpf_error(cstate, "atalk encapsulation is not specifiable");
6211 bpf_error(cstate, "decnet encapsulation is not specifiable");
6215 bpf_error(cstate, "sca does not encapsulate another protocol");
6219 bpf_error(cstate, "lat does not encapsulate another protocol");
6223 bpf_error(cstate, "moprc does not encapsulate another protocol");
6227 bpf_error(cstate, "mopdl does not encapsulate another protocol");
6231 return gen_linktype(cstate, v);
6234 bpf_error(cstate, "'udp proto' is bogus");
6238 bpf_error(cstate, "'tcp proto' is bogus");
6242 bpf_error(cstate, "'sctp proto' is bogus");
6246 bpf_error(cstate, "'icmp proto' is bogus");
6250 bpf_error(cstate, "'igmp proto' is bogus");
6254 bpf_error(cstate, "'igrp proto' is bogus");
6258 bpf_error(cstate, "'pim proto' is bogus");
6262 bpf_error(cstate, "'vrrp proto' is bogus");
6266 bpf_error(cstate, "'carp proto' is bogus");
6270 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6273 * Also check for a fragment header before the final
6276 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6277 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6279 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6282 b1 = gen_protochain(cstate, v, Q_IPV6);
6288 bpf_error(cstate, "'icmp6 proto' is bogus");
6291 bpf_error(cstate, "'ah proto' is bogus");
6294 bpf_error(cstate, "'ah proto' is bogus");
6297 bpf_error(cstate, "'stp proto' is bogus");
6300 bpf_error(cstate, "'ipx proto' is bogus");
6303 bpf_error(cstate, "'netbeui proto' is bogus");
6306 bpf_error(cstate, "'radio proto' is bogus");
6316 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6318 int proto = q.proto;
6322 bpf_u_int32 mask, addr;
6323 struct addrinfo *res, *res0;
6324 struct sockaddr_in *sin4;
6327 struct sockaddr_in6 *sin6;
6328 struct in6_addr mask128;
6330 struct block *b, *tmp;
6331 int port, real_proto;
6337 addr = pcap_nametonetaddr(name);
6339 bpf_error(cstate, "unknown network '%s'", name);
6340 /* Left justify network addr and calculate its network mask */
6342 while (addr && (addr & 0xff000000) == 0) {
6346 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6350 if (proto == Q_LINK) {
6351 switch (cstate->linktype) {
6354 case DLT_NETANALYZER:
6355 case DLT_NETANALYZER_TRANSPARENT:
6356 eaddr = pcap_ether_hostton(name);
6359 "unknown ether host '%s'", name);
6360 tmp = gen_prevlinkhdr_check(cstate);
6361 b = gen_ehostop(cstate, eaddr, dir);
6368 eaddr = pcap_ether_hostton(name);
6371 "unknown FDDI host '%s'", name);
6372 b = gen_fhostop(cstate, eaddr, dir);
6377 eaddr = pcap_ether_hostton(name);
6380 "unknown token ring host '%s'", name);
6381 b = gen_thostop(cstate, eaddr, dir);
6385 case DLT_IEEE802_11:
6386 case DLT_PRISM_HEADER:
6387 case DLT_IEEE802_11_RADIO_AVS:
6388 case DLT_IEEE802_11_RADIO:
6390 eaddr = pcap_ether_hostton(name);
6393 "unknown 802.11 host '%s'", name);
6394 b = gen_wlanhostop(cstate, eaddr, dir);
6398 case DLT_IP_OVER_FC:
6399 eaddr = pcap_ether_hostton(name);
6402 "unknown Fibre Channel host '%s'", name);
6403 b = gen_ipfchostop(cstate, eaddr, dir);
6408 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6409 } else if (proto == Q_DECNET) {
6410 unsigned short dn_addr;
6412 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6414 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6416 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6421 * I don't think DECNET hosts can be multihomed, so
6422 * there is no need to build up a list of addresses
6424 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6427 memset(&mask128, 0xff, sizeof(mask128));
6429 res0 = res = pcap_nametoaddrinfo(name);
6431 bpf_error(cstate, "unknown host '%s'", name);
6438 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6439 tproto == Q_DEFAULT) {
6445 for (res = res0; res; res = res->ai_next) {
6446 switch (res->ai_family) {
6449 if (tproto == Q_IPV6)
6453 sin4 = (struct sockaddr_in *)
6455 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6456 0xffffffff, tproto, dir, q.addr);
6460 if (tproto6 == Q_IP)
6463 sin6 = (struct sockaddr_in6 *)
6465 tmp = gen_host6(cstate, &sin6->sin6_addr,
6466 &mask128, tproto6, dir, q.addr);
6479 bpf_error(cstate, "unknown host '%s'%s", name,
6480 (proto == Q_DEFAULT)
6482 : " for specified address family");
6488 if (proto != Q_DEFAULT &&
6489 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6490 bpf_error(cstate, "illegal qualifier of 'port'");
6491 if (pcap_nametoport(name, &port, &real_proto) == 0)
6492 bpf_error(cstate, "unknown port '%s'", name);
6493 if (proto == Q_UDP) {
6494 if (real_proto == IPPROTO_TCP)
6495 bpf_error(cstate, "port '%s' is tcp", name);
6496 else if (real_proto == IPPROTO_SCTP)
6497 bpf_error(cstate, "port '%s' is sctp", name);
6499 /* override PROTO_UNDEF */
6500 real_proto = IPPROTO_UDP;
6502 if (proto == Q_TCP) {
6503 if (real_proto == IPPROTO_UDP)
6504 bpf_error(cstate, "port '%s' is udp", name);
6506 else if (real_proto == IPPROTO_SCTP)
6507 bpf_error(cstate, "port '%s' is sctp", name);
6509 /* override PROTO_UNDEF */
6510 real_proto = IPPROTO_TCP;
6512 if (proto == Q_SCTP) {
6513 if (real_proto == IPPROTO_UDP)
6514 bpf_error(cstate, "port '%s' is udp", name);
6516 else if (real_proto == IPPROTO_TCP)
6517 bpf_error(cstate, "port '%s' is tcp", name);
6519 /* override PROTO_UNDEF */
6520 real_proto = IPPROTO_SCTP;
6523 bpf_error(cstate, "illegal port number %d < 0", port);
6525 bpf_error(cstate, "illegal port number %d > 65535", port);
6526 b = gen_port(cstate, port, real_proto, dir);
6527 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6531 if (proto != Q_DEFAULT &&
6532 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6533 bpf_error(cstate, "illegal qualifier of 'portrange'");
6534 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6535 bpf_error(cstate, "unknown port in range '%s'", name);
6536 if (proto == Q_UDP) {
6537 if (real_proto == IPPROTO_TCP)
6538 bpf_error(cstate, "port in range '%s' is tcp", name);
6539 else if (real_proto == IPPROTO_SCTP)
6540 bpf_error(cstate, "port in range '%s' is sctp", name);
6542 /* override PROTO_UNDEF */
6543 real_proto = IPPROTO_UDP;
6545 if (proto == Q_TCP) {
6546 if (real_proto == IPPROTO_UDP)
6547 bpf_error(cstate, "port in range '%s' is udp", name);
6548 else if (real_proto == IPPROTO_SCTP)
6549 bpf_error(cstate, "port in range '%s' is sctp", name);
6551 /* override PROTO_UNDEF */
6552 real_proto = IPPROTO_TCP;
6554 if (proto == Q_SCTP) {
6555 if (real_proto == IPPROTO_UDP)
6556 bpf_error(cstate, "port in range '%s' is udp", name);
6557 else if (real_proto == IPPROTO_TCP)
6558 bpf_error(cstate, "port in range '%s' is tcp", name);
6560 /* override PROTO_UNDEF */
6561 real_proto = IPPROTO_SCTP;
6564 bpf_error(cstate, "illegal port number %d < 0", port1);
6566 bpf_error(cstate, "illegal port number %d > 65535", port1);
6568 bpf_error(cstate, "illegal port number %d < 0", port2);
6570 bpf_error(cstate, "illegal port number %d > 65535", port2);
6572 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6573 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6578 eaddr = pcap_ether_hostton(name);
6580 bpf_error(cstate, "unknown ether host: %s", name);
6582 res = pcap_nametoaddrinfo(name);
6585 bpf_error(cstate, "unknown host '%s'", name);
6586 b = gen_gateway(cstate, eaddr, res, proto, dir);
6590 bpf_error(cstate, "unknown host '%s'", name);
6593 bpf_error(cstate, "'gateway' not supported in this configuration");
6597 real_proto = lookup_proto(cstate, name, proto);
6598 if (real_proto >= 0)
6599 return gen_proto(cstate, real_proto, proto, dir);
6601 bpf_error(cstate, "unknown protocol: %s", name);
6604 real_proto = lookup_proto(cstate, name, proto);
6605 if (real_proto >= 0)
6606 return gen_protochain(cstate, real_proto, proto, dir);
6608 bpf_error(cstate, "unknown protocol: %s", name);
6619 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6620 unsigned int masklen, struct qual q)
6622 register int nlen, mlen;
6625 nlen = __pcap_atoin(s1, &n);
6626 /* Promote short ipaddr */
6630 mlen = __pcap_atoin(s2, &m);
6631 /* Promote short ipaddr */
6634 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6637 /* Convert mask len to mask */
6639 bpf_error(cstate, "mask length must be <= 32");
6642 * X << 32 is not guaranteed by C to be 0; it's
6647 m = 0xffffffff << (32 - masklen);
6649 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6656 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6659 bpf_error(cstate, "Mask syntax for networks only");
6666 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
6669 int proto = q.proto;
6675 else if (q.proto == Q_DECNET) {
6676 vlen = __pcap_atodn(s, &v);
6678 bpf_error(cstate, "malformed decnet address '%s'", s);
6680 vlen = __pcap_atoin(s, &v);
6687 if (proto == Q_DECNET)
6688 return gen_host(cstate, v, 0, proto, dir, q.addr);
6689 else if (proto == Q_LINK) {
6690 bpf_error(cstate, "illegal link layer address");
6693 if (s == NULL && q.addr == Q_NET) {
6694 /* Promote short net number */
6695 while (v && (v & 0xff000000) == 0) {
6700 /* Promote short ipaddr */
6702 mask <<= 32 - vlen ;
6704 return gen_host(cstate, v, mask, proto, dir, q.addr);
6709 proto = IPPROTO_UDP;
6710 else if (proto == Q_TCP)
6711 proto = IPPROTO_TCP;
6712 else if (proto == Q_SCTP)
6713 proto = IPPROTO_SCTP;
6714 else if (proto == Q_DEFAULT)
6715 proto = PROTO_UNDEF;
6717 bpf_error(cstate, "illegal qualifier of 'port'");
6720 bpf_error(cstate, "illegal port number %u > 65535", v);
6724 b = gen_port(cstate, (int)v, proto, dir);
6725 gen_or(gen_port6(cstate, (int)v, proto, dir), b);
6731 proto = IPPROTO_UDP;
6732 else if (proto == Q_TCP)
6733 proto = IPPROTO_TCP;
6734 else if (proto == Q_SCTP)
6735 proto = IPPROTO_SCTP;
6736 else if (proto == Q_DEFAULT)
6737 proto = PROTO_UNDEF;
6739 bpf_error(cstate, "illegal qualifier of 'portrange'");
6742 bpf_error(cstate, "illegal port number %u > 65535", v);
6746 b = gen_portrange(cstate, (int)v, (int)v, proto, dir);
6747 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b);
6752 bpf_error(cstate, "'gateway' requires a name");
6756 return gen_proto(cstate, (int)v, proto, dir);
6759 return gen_protochain(cstate, (int)v, proto, dir);
6774 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
6775 unsigned int masklen, struct qual q)
6777 struct addrinfo *res;
6778 struct in6_addr *addr;
6779 struct in6_addr mask;
6784 bpf_error(cstate, "no mask %s supported", s2);
6786 res = pcap_nametoaddrinfo(s1);
6788 bpf_error(cstate, "invalid ip6 address %s", s1);
6791 bpf_error(cstate, "%s resolved to multiple address", s1);
6792 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6794 if (sizeof(mask) * 8 < masklen)
6795 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6796 memset(&mask, 0, sizeof(mask));
6797 memset(&mask, 0xff, masklen / 8);
6799 mask.s6_addr[masklen / 8] =
6800 (0xff << (8 - masklen % 8)) & 0xff;
6803 a = (uint32_t *)addr;
6804 m = (uint32_t *)&mask;
6805 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6806 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6807 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
6815 bpf_error(cstate, "Mask syntax for networks only");
6819 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
6825 bpf_error(cstate, "invalid qualifier against IPv6 address");
6832 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
6834 struct block *b, *tmp;
6836 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6837 switch (cstate->linktype) {
6839 case DLT_NETANALYZER:
6840 case DLT_NETANALYZER_TRANSPARENT:
6841 tmp = gen_prevlinkhdr_check(cstate);
6842 b = gen_ehostop(cstate, eaddr, (int)q.dir);
6847 return gen_fhostop(cstate, eaddr, (int)q.dir);
6849 return gen_thostop(cstate, eaddr, (int)q.dir);
6850 case DLT_IEEE802_11:
6851 case DLT_PRISM_HEADER:
6852 case DLT_IEEE802_11_RADIO_AVS:
6853 case DLT_IEEE802_11_RADIO:
6855 return gen_wlanhostop(cstate, eaddr, (int)q.dir);
6856 case DLT_IP_OVER_FC:
6857 return gen_ipfchostop(cstate, eaddr, (int)q.dir);
6859 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6863 bpf_error(cstate, "ethernet address used in non-ether expression");
6868 sappend(struct slist *s0, struct slist *s1)
6871 * This is definitely not the best way to do this, but the
6872 * lists will rarely get long.
6879 static struct slist *
6880 xfer_to_x(compiler_state_t *cstate, struct arth *a)
6884 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
6889 static struct slist *
6890 xfer_to_a(compiler_state_t *cstate, struct arth *a)
6894 s = new_stmt(cstate, BPF_LD|BPF_MEM);
6900 * Modify "index" to use the value stored into its register as an
6901 * offset relative to the beginning of the header for the protocol
6902 * "proto", and allocate a register and put an item "size" bytes long
6903 * (1, 2, or 4) at that offset into that register, making it the register
6907 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size)
6909 struct slist *s, *tmp;
6911 int regno = alloc_reg(cstate);
6913 free_reg(cstate, inst->regno);
6917 bpf_error(cstate, "data size must be 1, 2, or 4");
6933 bpf_error(cstate, "unsupported index operation");
6937 * The offset is relative to the beginning of the packet
6938 * data, if we have a radio header. (If we don't, this
6941 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
6942 cstate->linktype != DLT_IEEE802_11_RADIO &&
6943 cstate->linktype != DLT_PRISM_HEADER)
6944 bpf_error(cstate, "radio information not present in capture");
6947 * Load into the X register the offset computed into the
6948 * register specified by "index".
6950 s = xfer_to_x(cstate, inst);
6953 * Load the item at that offset.
6955 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6957 sappend(inst->s, s);
6962 * The offset is relative to the beginning of
6963 * the link-layer header.
6965 * XXX - what about ATM LANE? Should the index be
6966 * relative to the beginning of the AAL5 frame, so
6967 * that 0 refers to the beginning of the LE Control
6968 * field, or relative to the beginning of the LAN
6969 * frame, so that 0 refers, for Ethernet LANE, to
6970 * the beginning of the destination address?
6972 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
6975 * If "s" is non-null, it has code to arrange that the
6976 * X register contains the length of the prefix preceding
6977 * the link-layer header. Add to it the offset computed
6978 * into the register specified by "index", and move that
6979 * into the X register. Otherwise, just load into the X
6980 * register the offset computed into the register specified
6984 sappend(s, xfer_to_a(cstate, inst));
6985 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6986 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6988 s = xfer_to_x(cstate, inst);
6991 * Load the item at the sum of the offset we've put in the
6992 * X register and the offset of the start of the link
6993 * layer header (which is 0 if the radio header is
6994 * variable-length; that header length is what we put
6995 * into the X register and then added to the index).
6997 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6998 tmp->s.k = cstate->off_linkhdr.constant_part;
7000 sappend(inst->s, s);
7014 * The offset is relative to the beginning of
7015 * the network-layer header.
7016 * XXX - are there any cases where we want
7017 * cstate->off_nl_nosnap?
7019 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7022 * If "s" is non-null, it has code to arrange that the
7023 * X register contains the variable part of the offset
7024 * of the link-layer payload. Add to it the offset
7025 * computed into the register specified by "index",
7026 * and move that into the X register. Otherwise, just
7027 * load into the X register the offset computed into
7028 * the register specified by "index".
7031 sappend(s, xfer_to_a(cstate, inst));
7032 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7033 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7035 s = xfer_to_x(cstate, inst);
7038 * Load the item at the sum of the offset we've put in the
7039 * X register, the offset of the start of the network
7040 * layer header from the beginning of the link-layer
7041 * payload, and the constant part of the offset of the
7042 * start of the link-layer payload.
7044 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7045 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7047 sappend(inst->s, s);
7050 * Do the computation only if the packet contains
7051 * the protocol in question.
7053 b = gen_proto_abbrev(cstate, proto);
7055 gen_and(inst->b, b);
7069 * The offset is relative to the beginning of
7070 * the transport-layer header.
7072 * Load the X register with the length of the IPv4 header
7073 * (plus the offset of the link-layer header, if it's
7074 * a variable-length header), in bytes.
7076 * XXX - are there any cases where we want
7077 * cstate->off_nl_nosnap?
7078 * XXX - we should, if we're built with
7079 * IPv6 support, generate code to load either
7080 * IPv4, IPv6, or both, as appropriate.
7082 s = gen_loadx_iphdrlen(cstate);
7085 * The X register now contains the sum of the variable
7086 * part of the offset of the link-layer payload and the
7087 * length of the network-layer header.
7089 * Load into the A register the offset relative to
7090 * the beginning of the transport layer header,
7091 * add the X register to that, move that to the
7092 * X register, and load with an offset from the
7093 * X register equal to the sum of the constant part of
7094 * the offset of the link-layer payload and the offset,
7095 * relative to the beginning of the link-layer payload,
7096 * of the network-layer header.
7098 sappend(s, xfer_to_a(cstate, inst));
7099 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7100 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7101 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size));
7102 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7103 sappend(inst->s, s);
7106 * Do the computation only if the packet contains
7107 * the protocol in question - which is true only
7108 * if this is an IP datagram and is the first or
7109 * only fragment of that datagram.
7111 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate));
7113 gen_and(inst->b, b);
7114 gen_and(gen_proto_abbrev(cstate, Q_IP), b);
7119 * Do the computation only if the packet contains
7120 * the protocol in question.
7122 b = gen_proto_abbrev(cstate, Q_IPV6);
7124 gen_and(inst->b, b);
7129 * Check if we have an icmp6 next header
7131 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7133 gen_and(inst->b, b);
7138 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7140 * If "s" is non-null, it has code to arrange that the
7141 * X register contains the variable part of the offset
7142 * of the link-layer payload. Add to it the offset
7143 * computed into the register specified by "index",
7144 * and move that into the X register. Otherwise, just
7145 * load into the X register the offset computed into
7146 * the register specified by "index".
7149 sappend(s, xfer_to_a(cstate, inst));
7150 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7151 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7153 s = xfer_to_x(cstate, inst);
7157 * Load the item at the sum of the offset we've put in the
7158 * X register, the offset of the start of the network
7159 * layer header from the beginning of the link-layer
7160 * payload, and the constant part of the offset of the
7161 * start of the link-layer payload.
7163 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
7164 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7167 sappend(inst->s, s);
7171 inst->regno = regno;
7172 s = new_stmt(cstate, BPF_ST);
7174 sappend(inst->s, s);
7180 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7181 struct arth *a1, int reversed)
7183 struct slist *s0, *s1, *s2;
7184 struct block *b, *tmp;
7186 s0 = xfer_to_x(cstate, a1);
7187 s1 = xfer_to_a(cstate, a0);
7188 if (code == BPF_JEQ) {
7189 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7190 b = new_block(cstate, JMP(code));
7194 b = new_block(cstate, BPF_JMP|code|BPF_X);
7200 sappend(a0->s, a1->s);
7204 free_reg(cstate, a0->regno);
7205 free_reg(cstate, a1->regno);
7207 /* 'and' together protocol checks */
7210 gen_and(a0->b, tmp = a1->b);
7224 gen_loadlen(compiler_state_t *cstate)
7226 int regno = alloc_reg(cstate);
7227 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a));
7230 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7231 s->next = new_stmt(cstate, BPF_ST);
7232 s->next->s.k = regno;
7240 gen_loadi(compiler_state_t *cstate, int val)
7246 a = (struct arth *)newchunk(cstate, sizeof(*a));
7248 reg = alloc_reg(cstate);
7250 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7252 s->next = new_stmt(cstate, BPF_ST);
7261 gen_neg(compiler_state_t *cstate, struct arth *a)
7265 s = xfer_to_a(cstate, a);
7267 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7270 s = new_stmt(cstate, BPF_ST);
7278 gen_arth(compiler_state_t *cstate, int code, struct arth *a0,
7281 struct slist *s0, *s1, *s2;
7284 * Disallow division by, or modulus by, zero; we do this here
7285 * so that it gets done even if the optimizer is disabled.
7287 if (code == BPF_DIV) {
7288 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7289 bpf_error(cstate, "division by zero");
7290 } else if (code == BPF_MOD) {
7291 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7292 bpf_error(cstate, "modulus by zero");
7294 s0 = xfer_to_x(cstate, a1);
7295 s1 = xfer_to_a(cstate, a0);
7296 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7301 sappend(a0->s, a1->s);
7303 free_reg(cstate, a0->regno);
7304 free_reg(cstate, a1->regno);
7306 s0 = new_stmt(cstate, BPF_ST);
7307 a0->regno = s0->s.k = alloc_reg(cstate);
7314 * Initialize the table of used registers and the current register.
7317 init_regs(compiler_state_t *cstate)
7320 memset(cstate->regused, 0, sizeof cstate->regused);
7324 * Return the next free register.
7327 alloc_reg(compiler_state_t *cstate)
7329 int n = BPF_MEMWORDS;
7332 if (cstate->regused[cstate->curreg])
7333 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7335 cstate->regused[cstate->curreg] = 1;
7336 return cstate->curreg;
7339 bpf_error(cstate, "too many registers needed to evaluate expression");
7344 * Return a register to the table so it can
7348 free_reg(compiler_state_t *cstate, int n)
7350 cstate->regused[n] = 0;
7353 static struct block *
7354 gen_len(compiler_state_t *cstate, int jmp, int n)
7359 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7360 b = new_block(cstate, JMP(jmp));
7368 gen_greater(compiler_state_t *cstate, int n)
7370 return gen_len(cstate, BPF_JGE, n);
7374 * Actually, this is less than or equal.
7377 gen_less(compiler_state_t *cstate, int n)
7381 b = gen_len(cstate, BPF_JGT, n);
7388 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7389 * the beginning of the link-layer header.
7390 * XXX - that means you can't test values in the radiotap header, but
7391 * as that header is difficult if not impossible to parse generally
7392 * without a loop, that might not be a severe problem. A new keyword
7393 * "radio" could be added for that, although what you'd really want
7394 * would be a way of testing particular radio header values, which
7395 * would generate code appropriate to the radio header in question.
7398 gen_byteop(compiler_state_t *cstate, int op, int idx, int val)
7408 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7411 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7415 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7419 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7423 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7427 b = new_block(cstate, JMP(BPF_JEQ));
7434 static const u_char abroadcast[] = { 0x0 };
7437 gen_broadcast(compiler_state_t *cstate, int proto)
7439 bpf_u_int32 hostmask;
7440 struct block *b0, *b1, *b2;
7441 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7447 switch (cstate->linktype) {
7449 case DLT_ARCNET_LINUX:
7450 return gen_ahostop(cstate, abroadcast, Q_DST);
7452 case DLT_NETANALYZER:
7453 case DLT_NETANALYZER_TRANSPARENT:
7454 b1 = gen_prevlinkhdr_check(cstate);
7455 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7460 return gen_fhostop(cstate, ebroadcast, Q_DST);
7462 return gen_thostop(cstate, ebroadcast, Q_DST);
7463 case DLT_IEEE802_11:
7464 case DLT_PRISM_HEADER:
7465 case DLT_IEEE802_11_RADIO_AVS:
7466 case DLT_IEEE802_11_RADIO:
7468 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7469 case DLT_IP_OVER_FC:
7470 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7472 bpf_error(cstate, "not a broadcast link");
7478 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7479 * as an indication that we don't know the netmask, and fail
7482 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7483 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7484 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7485 hostmask = ~cstate->netmask;
7486 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7487 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7488 (bpf_int32)(~0 & hostmask), hostmask);
7493 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7498 * Generate code to test the low-order bit of a MAC address (that's
7499 * the bottom bit of the *first* byte).
7501 static struct block *
7502 gen_mac_multicast(compiler_state_t *cstate, int offset)
7504 register struct block *b0;
7505 register struct slist *s;
7507 /* link[offset] & 1 != 0 */
7508 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
7509 b0 = new_block(cstate, JMP(BPF_JSET));
7516 gen_multicast(compiler_state_t *cstate, int proto)
7518 register struct block *b0, *b1, *b2;
7519 register struct slist *s;
7525 switch (cstate->linktype) {
7527 case DLT_ARCNET_LINUX:
7528 /* all ARCnet multicasts use the same address */
7529 return gen_ahostop(cstate, abroadcast, Q_DST);
7531 case DLT_NETANALYZER:
7532 case DLT_NETANALYZER_TRANSPARENT:
7533 b1 = gen_prevlinkhdr_check(cstate);
7534 /* ether[0] & 1 != 0 */
7535 b0 = gen_mac_multicast(cstate, 0);
7541 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7543 * XXX - was that referring to bit-order issues?
7545 /* fddi[1] & 1 != 0 */
7546 return gen_mac_multicast(cstate, 1);
7548 /* tr[2] & 1 != 0 */
7549 return gen_mac_multicast(cstate, 2);
7550 case DLT_IEEE802_11:
7551 case DLT_PRISM_HEADER:
7552 case DLT_IEEE802_11_RADIO_AVS:
7553 case DLT_IEEE802_11_RADIO:
7558 * For control frames, there is no DA.
7560 * For management frames, DA is at an
7561 * offset of 4 from the beginning of
7564 * For data frames, DA is at an offset
7565 * of 4 from the beginning of the packet
7566 * if To DS is clear and at an offset of
7567 * 16 from the beginning of the packet
7572 * Generate the tests to be done for data frames.
7574 * First, check for To DS set, i.e. "link[1] & 0x01".
7576 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7577 b1 = new_block(cstate, JMP(BPF_JSET));
7578 b1->s.k = 0x01; /* To DS */
7582 * If To DS is set, the DA is at 16.
7584 b0 = gen_mac_multicast(cstate, 16);
7588 * Now, check for To DS not set, i.e. check
7589 * "!(link[1] & 0x01)".
7591 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7592 b2 = new_block(cstate, JMP(BPF_JSET));
7593 b2->s.k = 0x01; /* To DS */
7598 * If To DS is not set, the DA is at 4.
7600 b1 = gen_mac_multicast(cstate, 4);
7604 * Now OR together the last two checks. That gives
7605 * the complete set of checks for data frames.
7610 * Now check for a data frame.
7611 * I.e, check "link[0] & 0x08".
7613 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7614 b1 = new_block(cstate, JMP(BPF_JSET));
7619 * AND that with the checks done for data frames.
7624 * If the high-order bit of the type value is 0, this
7625 * is a management frame.
7626 * I.e, check "!(link[0] & 0x08)".
7628 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7629 b2 = new_block(cstate, JMP(BPF_JSET));
7635 * For management frames, the DA is at 4.
7637 b1 = gen_mac_multicast(cstate, 4);
7641 * OR that with the checks done for data frames.
7642 * That gives the checks done for management and
7648 * If the low-order bit of the type value is 1,
7649 * this is either a control frame or a frame
7650 * with a reserved type, and thus not a
7653 * I.e., check "!(link[0] & 0x04)".
7655 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7656 b1 = new_block(cstate, JMP(BPF_JSET));
7662 * AND that with the checks for data and management
7667 case DLT_IP_OVER_FC:
7668 b0 = gen_mac_multicast(cstate, 2);
7673 /* Link not known to support multicasts */
7677 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7678 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224);
7683 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
7684 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255);
7688 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7693 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7694 * Outbound traffic is sent by this machine, while inbound traffic is
7695 * sent by a remote machine (and may include packets destined for a
7696 * unicast or multicast link-layer address we are not subscribing to).
7697 * These are the same definitions implemented by pcap_setdirection().
7698 * Capturing only unicast traffic destined for this host is probably
7699 * better accomplished using a higher-layer filter.
7702 gen_inbound(compiler_state_t *cstate, int dir)
7704 register struct block *b0;
7707 * Only some data link types support inbound/outbound qualifiers.
7709 switch (cstate->linktype) {
7711 b0 = gen_relation(cstate, BPF_JEQ,
7712 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1),
7713 gen_loadi(cstate, 0),
7719 /* match outgoing packets */
7720 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
7722 /* match incoming packets */
7723 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
7728 /* match outgoing packets */
7729 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
7731 /* to filter on inbound traffic, invert the match */
7736 #ifdef HAVE_NET_PFVAR_H
7738 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
7739 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7745 /* match outgoing packets */
7746 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
7748 /* match incoming packets */
7749 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
7753 case DLT_JUNIPER_MFR:
7754 case DLT_JUNIPER_MLFR:
7755 case DLT_JUNIPER_MLPPP:
7756 case DLT_JUNIPER_ATM1:
7757 case DLT_JUNIPER_ATM2:
7758 case DLT_JUNIPER_PPPOE:
7759 case DLT_JUNIPER_PPPOE_ATM:
7760 case DLT_JUNIPER_GGSN:
7761 case DLT_JUNIPER_ES:
7762 case DLT_JUNIPER_MONITOR:
7763 case DLT_JUNIPER_SERVICES:
7764 case DLT_JUNIPER_ETHER:
7765 case DLT_JUNIPER_PPP:
7766 case DLT_JUNIPER_FRELAY:
7767 case DLT_JUNIPER_CHDLC:
7768 case DLT_JUNIPER_VP:
7769 case DLT_JUNIPER_ST:
7770 case DLT_JUNIPER_ISM:
7771 case DLT_JUNIPER_VS:
7772 case DLT_JUNIPER_SRX_E2E:
7773 case DLT_JUNIPER_FIBRECHANNEL:
7774 case DLT_JUNIPER_ATM_CEMIC:
7776 /* juniper flags (including direction) are stored
7777 * the byte after the 3-byte magic number */
7779 /* match outgoing packets */
7780 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
7782 /* match incoming packets */
7783 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
7789 * If we have packet meta-data indicating a direction,
7790 * and that metadata can be checked by BPF code, check
7791 * it. Otherwise, give up, as this link-layer type has
7792 * nothing in the packet data.
7794 * Currently, the only platform where a BPF filter can
7795 * check that metadata is Linux with the in-kernel
7796 * BPF interpreter. If other packet capture mechanisms
7797 * and BPF filters also supported this, it would be
7798 * nice. It would be even better if they made that
7799 * metadata available so that we could provide it
7800 * with newer capture APIs, allowing it to be saved
7803 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7805 * This is Linux with PF_PACKET support.
7806 * If this is a *live* capture, we can look at
7807 * special meta-data in the filter expression;
7808 * if it's a savefile, we can't.
7810 if (cstate->bpf_pcap->rfile != NULL) {
7811 /* We have a FILE *, so this is a savefile */
7812 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles",
7817 /* match outgoing packets */
7818 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7821 /* to filter on inbound traffic, invert the match */
7824 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7825 bpf_error(cstate, "inbound/outbound not supported on linktype %d",
7828 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7833 #ifdef HAVE_NET_PFVAR_H
7834 /* PF firewall log matched interface */
7836 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
7841 if (cstate->linktype != DLT_PFLOG) {
7842 bpf_error(cstate, "ifname supported only on PF linktype");
7845 len = sizeof(((struct pfloghdr *)0)->ifname);
7846 off = offsetof(struct pfloghdr, ifname);
7847 if (strlen(ifname) >= len) {
7848 bpf_error(cstate, "ifname interface names can only be %d characters",
7852 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname);
7856 /* PF firewall log ruleset name */
7858 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
7862 if (cstate->linktype != DLT_PFLOG) {
7863 bpf_error(cstate, "ruleset supported only on PF linktype");
7867 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7868 bpf_error(cstate, "ruleset names can only be %ld characters",
7869 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7873 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
7874 strlen(ruleset), (const u_char *)ruleset);
7878 /* PF firewall log rule number */
7880 gen_pf_rnr(compiler_state_t *cstate, int rnr)
7884 if (cstate->linktype != DLT_PFLOG) {
7885 bpf_error(cstate, "rnr supported only on PF linktype");
7889 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
7894 /* PF firewall log sub-rule number */
7896 gen_pf_srnr(compiler_state_t *cstate, int srnr)
7900 if (cstate->linktype != DLT_PFLOG) {
7901 bpf_error(cstate, "srnr supported only on PF linktype");
7905 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
7910 /* PF firewall log reason code */
7912 gen_pf_reason(compiler_state_t *cstate, int reason)
7916 if (cstate->linktype != DLT_PFLOG) {
7917 bpf_error(cstate, "reason supported only on PF linktype");
7921 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
7926 /* PF firewall log action */
7928 gen_pf_action(compiler_state_t *cstate, int action)
7932 if (cstate->linktype != DLT_PFLOG) {
7933 bpf_error(cstate, "action supported only on PF linktype");
7937 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
7941 #else /* !HAVE_NET_PFVAR_H */
7943 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_)
7945 bpf_error(cstate, "libpcap was compiled without pf support");
7950 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_)
7952 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7957 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_)
7959 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7964 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_)
7966 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7971 gen_pf_reason(compiler_state_t *cstate, int reason _U_)
7973 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7978 gen_pf_action(compiler_state_t *cstate, int action _U_)
7980 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7983 #endif /* HAVE_NET_PFVAR_H */
7985 /* IEEE 802.11 wireless header */
7987 gen_p80211_type(compiler_state_t *cstate, int type, int mask)
7991 switch (cstate->linktype) {
7993 case DLT_IEEE802_11:
7994 case DLT_PRISM_HEADER:
7995 case DLT_IEEE802_11_RADIO_AVS:
7996 case DLT_IEEE802_11_RADIO:
7997 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
8002 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8010 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir)
8014 switch (cstate->linktype) {
8016 case DLT_IEEE802_11:
8017 case DLT_PRISM_HEADER:
8018 case DLT_IEEE802_11_RADIO_AVS:
8019 case DLT_IEEE802_11_RADIO:
8023 bpf_error(cstate, "frame direction supported only with 802.11 headers");
8027 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
8028 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
8034 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
8036 switch (cstate->linktype) {
8039 case DLT_ARCNET_LINUX:
8040 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8042 return (gen_ahostop(cstate, eaddr, (int)q.dir));
8044 bpf_error(cstate, "ARCnet address used in non-arc expression");
8050 bpf_error(cstate, "aid supported only on ARCnet");
8055 static struct block *
8056 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
8058 register struct block *b0, *b1;
8061 /* src comes first, different from Ethernet */
8063 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
8066 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
8069 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8070 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8076 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8077 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8082 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
8086 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
8090 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
8094 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
8098 bpf_error(cstate, "'ra' is only supported on 802.11");
8102 bpf_error(cstate, "'ta' is only supported on 802.11");
8109 static struct block *
8110 gen_vlan_tpid_test(compiler_state_t *cstate)
8112 struct block *b0, *b1;
8114 /* check for VLAN, including QinQ */
8115 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8116 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8119 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8125 static struct block *
8126 gen_vlan_vid_test(compiler_state_t *cstate, int vlan_num)
8128 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff);
8131 static struct block *
8132 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num)
8134 struct block *b0, *b1;
8136 b0 = gen_vlan_tpid_test(cstate);
8138 if (vlan_num >= 0) {
8139 b1 = gen_vlan_vid_test(cstate, vlan_num);
8145 * Both payload and link header type follow the VLAN tags so that
8146 * both need to be updated.
8148 cstate->off_linkpl.constant_part += 4;
8149 cstate->off_linktype.constant_part += 4;
8154 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8155 /* add v to variable part of off */
8157 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s)
8161 if (!off->is_variable)
8162 off->is_variable = 1;
8164 off->reg = alloc_reg(cstate);
8166 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8169 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8172 s2 = new_stmt(cstate, BPF_ST);
8178 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8179 * and link type offsets first
8182 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8186 /* offset determined at run time, shift variable part */
8188 cstate->is_vlan_vloffset = 1;
8189 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8190 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8192 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8193 sappend(s.next, b_tpid->head->stmts);
8194 b_tpid->head->stmts = s.next;
8198 * patch block b_vid (VLAN id test) to load VID value either from packet
8199 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8202 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8204 struct slist *s, *s2, *sjeq;
8207 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8208 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8210 /* true -> next instructions, false -> beginning of b_vid */
8211 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8213 sjeq->s.jf = b_vid->stmts;
8216 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8217 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8221 /* jump to the test in b_vid (bypass loading VID from packet data) */
8223 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8225 s2 = new_stmt(cstate, JMP(BPF_JA));
8229 /* insert our statements at the beginning of b_vid */
8230 sappend(s, b_vid->stmts);
8235 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8236 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8237 * tag can be either in metadata or in packet data; therefore if the
8238 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8239 * header for VLAN tag. As the decision is done at run time, we need
8240 * update variable part of the offsets
8242 static struct block *
8243 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num)
8245 struct block *b0, *b_tpid, *b_vid = NULL;
8248 /* generate new filter code based on extracting packet
8250 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8251 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8253 b0 = new_block(cstate, JMP(BPF_JEQ));
8258 * This is tricky. We need to insert the statements updating variable
8259 * parts of offsets before the the traditional TPID and VID tests so
8260 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8261 * we do not want this update to affect those checks. That's why we
8262 * generate both test blocks first and insert the statements updating
8263 * variable parts of both offsets after that. This wouldn't work if
8264 * there already were variable length link header when entering this
8265 * function but gen_vlan_bpf_extensions() isn't called in that case.
8267 b_tpid = gen_vlan_tpid_test(cstate);
8269 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8271 gen_vlan_patch_tpid_test(cstate, b_tpid);
8275 if (vlan_num >= 0) {
8276 gen_vlan_patch_vid_test(cstate, b_vid);
8286 * support IEEE 802.1Q VLAN trunk over ethernet
8289 gen_vlan(compiler_state_t *cstate, int vlan_num)
8293 /* can't check for VLAN-encapsulated packets inside MPLS */
8294 if (cstate->label_stack_depth > 0)
8295 bpf_error(cstate, "no VLAN match after MPLS");
8298 * Check for a VLAN packet, and then change the offsets to point
8299 * to the type and data fields within the VLAN packet. Just
8300 * increment the offsets, so that we can support a hierarchy, e.g.
8301 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8304 * XXX - this is a bit of a kludge. If we were to split the
8305 * compiler into a parser that parses an expression and
8306 * generates an expression tree, and a code generator that
8307 * takes an expression tree (which could come from our
8308 * parser or from some other parser) and generates BPF code,
8309 * we could perhaps make the offsets parameters of routines
8310 * and, in the handler for an "AND" node, pass to subnodes
8311 * other than the VLAN node the adjusted offsets.
8313 * This would mean that "vlan" would, instead of changing the
8314 * behavior of *all* tests after it, change only the behavior
8315 * of tests ANDed with it. That would change the documented
8316 * semantics of "vlan", which might break some expressions.
8317 * However, it would mean that "(vlan and ip) or ip" would check
8318 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8319 * checking only for VLAN-encapsulated IP, so that could still
8320 * be considered worth doing; it wouldn't break expressions
8321 * that are of the form "vlan and ..." or "vlan N and ...",
8322 * which I suspect are the most common expressions involving
8323 * "vlan". "vlan or ..." doesn't necessarily do what the user
8324 * would really want, now, as all the "or ..." tests would
8325 * be done assuming a VLAN, even though the "or" could be viewed
8326 * as meaning "or, if this isn't a VLAN packet...".
8328 switch (cstate->linktype) {
8331 case DLT_NETANALYZER:
8332 case DLT_NETANALYZER_TRANSPARENT:
8333 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8334 /* Verify that this is the outer part of the packet and
8335 * not encapsulated somehow. */
8336 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8337 cstate->off_linkhdr.constant_part ==
8338 cstate->off_outermostlinkhdr.constant_part) {
8340 * Do we need special VLAN handling?
8342 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8343 b0 = gen_vlan_bpf_extensions(cstate, vlan_num);
8345 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8348 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8351 case DLT_IEEE802_11:
8352 case DLT_PRISM_HEADER:
8353 case DLT_IEEE802_11_RADIO_AVS:
8354 case DLT_IEEE802_11_RADIO:
8355 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8359 bpf_error(cstate, "no VLAN support for data link type %d",
8364 cstate->vlan_stack_depth++;
8373 gen_mpls(compiler_state_t *cstate, int label_num)
8375 struct block *b0, *b1;
8377 if (cstate->label_stack_depth > 0) {
8378 /* just match the bottom-of-stack bit clear */
8379 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
8382 * We're not in an MPLS stack yet, so check the link-layer
8383 * type against MPLS.
8385 switch (cstate->linktype) {
8387 case DLT_C_HDLC: /* fall through */
8389 case DLT_NETANALYZER:
8390 case DLT_NETANALYZER_TRANSPARENT:
8391 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
8395 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
8398 /* FIXME add other DLT_s ...
8399 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8400 * leave it for now */
8403 bpf_error(cstate, "no MPLS support for data link type %d",
8410 /* If a specific MPLS label is requested, check it */
8411 if (label_num >= 0) {
8412 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8413 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
8414 0xfffff000); /* only compare the first 20 bits */
8420 * Change the offsets to point to the type and data fields within
8421 * the MPLS packet. Just increment the offsets, so that we
8422 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8423 * capture packets with an outer label of 100000 and an inner
8426 * Increment the MPLS stack depth as well; this indicates that
8427 * we're checking MPLS-encapsulated headers, to make sure higher
8428 * level code generators don't try to match against IP-related
8429 * protocols such as Q_ARP, Q_RARP etc.
8431 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8433 cstate->off_nl_nosnap += 4;
8434 cstate->off_nl += 4;
8435 cstate->label_stack_depth++;
8440 * Support PPPOE discovery and session.
8443 gen_pppoed(compiler_state_t *cstate)
8445 /* check for PPPoE discovery */
8446 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED);
8450 gen_pppoes(compiler_state_t *cstate, int sess_num)
8452 struct block *b0, *b1;
8455 * Test against the PPPoE session link-layer type.
8457 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES);
8459 /* If a specific session is requested, check PPPoE session id */
8460 if (sess_num >= 0) {
8461 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W,
8462 (bpf_int32)sess_num, 0x0000ffff);
8468 * Change the offsets to point to the type and data fields within
8469 * the PPP packet, and note that this is PPPoE rather than
8472 * XXX - this is a bit of a kludge. If we were to split the
8473 * compiler into a parser that parses an expression and
8474 * generates an expression tree, and a code generator that
8475 * takes an expression tree (which could come from our
8476 * parser or from some other parser) and generates BPF code,
8477 * we could perhaps make the offsets parameters of routines
8478 * and, in the handler for an "AND" node, pass to subnodes
8479 * other than the PPPoE node the adjusted offsets.
8481 * This would mean that "pppoes" would, instead of changing the
8482 * behavior of *all* tests after it, change only the behavior
8483 * of tests ANDed with it. That would change the documented
8484 * semantics of "pppoes", which might break some expressions.
8485 * However, it would mean that "(pppoes and ip) or ip" would check
8486 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8487 * checking only for VLAN-encapsulated IP, so that could still
8488 * be considered worth doing; it wouldn't break expressions
8489 * that are of the form "pppoes and ..." which I suspect are the
8490 * most common expressions involving "pppoes". "pppoes or ..."
8491 * doesn't necessarily do what the user would really want, now,
8492 * as all the "or ..." tests would be done assuming PPPoE, even
8493 * though the "or" could be viewed as meaning "or, if this isn't
8494 * a PPPoE packet...".
8496 * The "network-layer" protocol is PPPoE, which has a 6-byte
8497 * PPPoE header, followed by a PPP packet.
8499 * There is no HDLC encapsulation for the PPP packet (it's
8500 * encapsulated in PPPoES instead), so the link-layer type
8501 * starts at the first byte of the PPP packet. For PPPoE,
8502 * that offset is relative to the beginning of the total
8503 * link-layer payload, including any 802.2 LLC header, so
8504 * it's 6 bytes past cstate->off_nl.
8506 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
8507 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
8508 cstate->off_linkpl.reg);
8510 cstate->off_linktype = cstate->off_linkhdr;
8511 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
8514 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
8519 /* Check that this is Geneve and the VNI is correct if
8520 * specified. Parameterized to handle both IPv4 and IPv6. */
8521 static struct block *
8522 gen_geneve_check(compiler_state_t *cstate,
8523 struct block *(*gen_portfn)(compiler_state_t *, int, int, int),
8524 enum e_offrel offrel, int vni)
8526 struct block *b0, *b1;
8528 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
8530 /* Check that we are operating on version 0. Otherwise, we
8531 * can't decode the rest of the fields. The version is 2 bits
8532 * in the first byte of the Geneve header. */
8533 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
8538 vni <<= 8; /* VNI is in the upper 3 bytes */
8539 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni,
8548 /* The IPv4 and IPv6 Geneve checks need to do two things:
8549 * - Verify that this actually is Geneve with the right VNI.
8550 * - Place the IP header length (plus variable link prefix if
8551 * needed) into register A to be used later to compute
8552 * the inner packet offsets. */
8553 static struct block *
8554 gen_geneve4(compiler_state_t *cstate, int vni)
8556 struct block *b0, *b1;
8557 struct slist *s, *s1;
8559 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni);
8561 /* Load the IP header length into A. */
8562 s = gen_loadx_iphdrlen(cstate);
8564 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8567 /* Forcibly append these statements to the true condition
8568 * of the protocol check by creating a new block that is
8569 * always true and ANDing them. */
8570 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8579 static struct block *
8580 gen_geneve6(compiler_state_t *cstate, int vni)
8582 struct block *b0, *b1;
8583 struct slist *s, *s1;
8585 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni);
8587 /* Load the IP header length. We need to account for a
8588 * variable length link prefix if there is one. */
8589 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
8591 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
8595 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8599 s = new_stmt(cstate, BPF_LD|BPF_IMM);
8603 /* Forcibly append these statements to the true condition
8604 * of the protocol check by creating a new block that is
8605 * always true and ANDing them. */
8606 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8609 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8618 /* We need to store three values based on the Geneve header::
8619 * - The offset of the linktype.
8620 * - The offset of the end of the Geneve header.
8621 * - The offset of the end of the encapsulated MAC header. */
8622 static struct slist *
8623 gen_geneve_offsets(compiler_state_t *cstate)
8625 struct slist *s, *s1, *s_proto;
8627 /* First we need to calculate the offset of the Geneve header
8628 * itself. This is composed of the IP header previously calculated
8629 * (include any variable link prefix) and stored in A plus the
8630 * fixed sized headers (fixed link prefix, MAC length, and UDP
8632 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8633 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
8635 /* Stash this in X since we'll need it later. */
8636 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8639 /* The EtherType in Geneve is 2 bytes in. Calculate this and
8641 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8645 cstate->off_linktype.reg = alloc_reg(cstate);
8646 cstate->off_linktype.is_variable = 1;
8647 cstate->off_linktype.constant_part = 0;
8649 s1 = new_stmt(cstate, BPF_ST);
8650 s1->s.k = cstate->off_linktype.reg;
8653 /* Load the Geneve option length and mask and shift to get the
8654 * number of bytes. It is stored in the first byte of the Geneve
8656 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
8660 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8664 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
8668 /* Add in the rest of the Geneve base header. */
8669 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8673 /* Add the Geneve header length to its offset and store. */
8674 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8678 /* Set the encapsulated type as Ethernet. Even though we may
8679 * not actually have Ethernet inside there are two reasons this
8681 * - The linktype field is always in EtherType format regardless
8682 * of whether it is in Geneve or an inner Ethernet frame.
8683 * - The only link layer that we have specific support for is
8684 * Ethernet. We will confirm that the packet actually is
8685 * Ethernet at runtime before executing these checks. */
8686 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
8688 s1 = new_stmt(cstate, BPF_ST);
8689 s1->s.k = cstate->off_linkhdr.reg;
8692 /* Calculate whether we have an Ethernet header or just raw IP/
8693 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
8694 * and linktype by 14 bytes so that the network header can be found
8695 * seamlessly. Otherwise, keep what we've calculated already. */
8697 /* We have a bare jmp so we can't use the optimizer. */
8698 cstate->no_optimize = 1;
8700 /* Load the EtherType in the Geneve header, 2 bytes in. */
8701 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
8705 /* Load X with the end of the Geneve header. */
8706 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8707 s1->s.k = cstate->off_linkhdr.reg;
8710 /* Check if the EtherType is Transparent Ethernet Bridging. At the
8711 * end of this check, we should have the total length in X. In
8712 * the non-Ethernet case, it's already there. */
8713 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
8714 s_proto->s.k = ETHERTYPE_TEB;
8715 sappend(s, s_proto);
8717 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8721 /* Since this is Ethernet, use the EtherType of the payload
8722 * directly as the linktype. Overwrite what we already have. */
8723 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8727 s1 = new_stmt(cstate, BPF_ST);
8728 s1->s.k = cstate->off_linktype.reg;
8731 /* Advance two bytes further to get the end of the Ethernet
8733 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8737 /* Move the result to X. */
8738 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8741 /* Store the final result of our linkpl calculation. */
8742 cstate->off_linkpl.reg = alloc_reg(cstate);
8743 cstate->off_linkpl.is_variable = 1;
8744 cstate->off_linkpl.constant_part = 0;
8746 s1 = new_stmt(cstate, BPF_STX);
8747 s1->s.k = cstate->off_linkpl.reg;
8756 /* Check to see if this is a Geneve packet. */
8758 gen_geneve(compiler_state_t *cstate, int vni)
8760 struct block *b0, *b1;
8763 b0 = gen_geneve4(cstate, vni);
8764 b1 = gen_geneve6(cstate, vni);
8769 /* Later filters should act on the payload of the Geneve frame,
8770 * update all of the header pointers. Attach this code so that
8771 * it gets executed in the event that the Geneve filter matches. */
8772 s = gen_geneve_offsets(cstate);
8774 b1 = gen_true(cstate);
8775 sappend(s, b1->stmts);
8780 cstate->is_geneve = 1;
8785 /* Check that the encapsulated frame has a link layer header
8786 * for Ethernet filters. */
8787 static struct block *
8788 gen_geneve_ll_check(compiler_state_t *cstate)
8791 struct slist *s, *s1;
8793 /* The easiest way to see if there is a link layer present
8794 * is to check if the link layer header and payload are not
8797 /* Geneve always generates pure variable offsets so we can
8798 * compare only the registers. */
8799 s = new_stmt(cstate, BPF_LD|BPF_MEM);
8800 s->s.k = cstate->off_linkhdr.reg;
8802 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8803 s1->s.k = cstate->off_linkpl.reg;
8806 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8815 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue,
8816 bpf_u_int32 jtype, int reverse)
8823 if (!cstate->is_atm)
8824 bpf_error(cstate, "'vpi' supported only on raw ATM");
8825 if (cstate->off_vpi == OFFSET_NOT_SET)
8827 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype,
8832 if (!cstate->is_atm)
8833 bpf_error(cstate, "'vci' supported only on raw ATM");
8834 if (cstate->off_vci == OFFSET_NOT_SET)
8836 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype,
8841 if (cstate->off_proto == OFFSET_NOT_SET)
8842 abort(); /* XXX - this isn't on FreeBSD */
8843 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype,
8848 if (cstate->off_payload == OFFSET_NOT_SET)
8850 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
8851 0xffffffff, jtype, reverse, jvalue);
8855 if (!cstate->is_atm)
8856 bpf_error(cstate, "'callref' supported only on raw ATM");
8857 if (cstate->off_proto == OFFSET_NOT_SET)
8859 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff,
8860 jtype, reverse, jvalue);
8870 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
8872 struct block *b0, *b1;
8877 /* Get all packets in Meta signalling Circuit */
8878 if (!cstate->is_atm)
8879 bpf_error(cstate, "'metac' supported only on raw ATM");
8880 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8881 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0);
8886 /* Get all packets in Broadcast Circuit*/
8887 if (!cstate->is_atm)
8888 bpf_error(cstate, "'bcc' supported only on raw ATM");
8889 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8890 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0);
8895 /* Get all cells in Segment OAM F4 circuit*/
8896 if (!cstate->is_atm)
8897 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
8898 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8899 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
8904 /* Get all cells in End-to-End OAM F4 Circuit*/
8905 if (!cstate->is_atm)
8906 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
8907 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8908 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
8913 /* Get all packets in connection Signalling Circuit */
8914 if (!cstate->is_atm)
8915 bpf_error(cstate, "'sc' supported only on raw ATM");
8916 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8917 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0);
8922 /* Get all packets in ILMI Circuit */
8923 if (!cstate->is_atm)
8924 bpf_error(cstate, "'ilmic' supported only on raw ATM");
8925 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8926 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0);
8931 /* Get all LANE packets */
8932 if (!cstate->is_atm)
8933 bpf_error(cstate, "'lane' supported only on raw ATM");
8934 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8937 * Arrange that all subsequent tests assume LANE
8938 * rather than LLC-encapsulated packets, and set
8939 * the offsets appropriately for LANE-encapsulated
8942 * We assume LANE means Ethernet, not Token Ring.
8944 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
8945 cstate->off_payload + 2, /* Ethernet header */
8947 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
8948 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
8949 cstate->off_nl = 0; /* Ethernet II */
8950 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
8954 /* Get all LLC-encapsulated packets */
8955 if (!cstate->is_atm)
8956 bpf_error(cstate, "'llc' supported only on raw ATM");
8957 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8958 cstate->linktype = cstate->prevlinktype;
8968 * Filtering for MTP2 messages based on li value
8969 * FISU, length is null
8970 * LSSU, length is 1 or 2
8971 * MSU, length is 3 or more
8972 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8975 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
8977 struct block *b0, *b1;
8982 if ( (cstate->linktype != DLT_MTP2) &&
8983 (cstate->linktype != DLT_ERF) &&
8984 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8985 bpf_error(cstate, "'fisu' supported only on MTP2");
8986 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
8987 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8991 if ( (cstate->linktype != DLT_MTP2) &&
8992 (cstate->linktype != DLT_ERF) &&
8993 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8994 bpf_error(cstate, "'lssu' supported only on MTP2");
8995 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8996 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
9001 if ( (cstate->linktype != DLT_MTP2) &&
9002 (cstate->linktype != DLT_ERF) &&
9003 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9004 bpf_error(cstate, "'msu' supported only on MTP2");
9005 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
9009 if ( (cstate->linktype != DLT_MTP2) &&
9010 (cstate->linktype != DLT_ERF) &&
9011 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9012 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
9013 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9014 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
9018 if ( (cstate->linktype != DLT_MTP2) &&
9019 (cstate->linktype != DLT_ERF) &&
9020 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9021 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
9022 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
9023 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
9028 if ( (cstate->linktype != DLT_MTP2) &&
9029 (cstate->linktype != DLT_ERF) &&
9030 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9031 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
9032 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
9042 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue,
9043 bpf_u_int32 jtype, int reverse)
9046 bpf_u_int32 val1 , val2 , val3;
9047 u_int newoff_sio = cstate->off_sio;
9048 u_int newoff_opc = cstate->off_opc;
9049 u_int newoff_dpc = cstate->off_dpc;
9050 u_int newoff_sls = cstate->off_sls;
9052 switch (mtp3field) {
9055 newoff_sio += 3; /* offset for MTP2_HSL */
9059 if (cstate->off_sio == OFFSET_NOT_SET)
9060 bpf_error(cstate, "'sio' supported only on SS7");
9061 /* sio coded on 1 byte so max value 255 */
9063 bpf_error(cstate, "sio value %u too big; max value = 255",
9065 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
9066 (u_int)jtype, reverse, (u_int)jvalue);
9072 if (cstate->off_opc == OFFSET_NOT_SET)
9073 bpf_error(cstate, "'opc' supported only on SS7");
9074 /* opc coded on 14 bits so max value 16383 */
9076 bpf_error(cstate, "opc value %u too big; max value = 16383",
9078 /* the following instructions are made to convert jvalue
9079 * to the form used to write opc in an ss7 message*/
9080 val1 = jvalue & 0x00003c00;
9082 val2 = jvalue & 0x000003fc;
9084 val3 = jvalue & 0x00000003;
9086 jvalue = val1 + val2 + val3;
9087 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
9088 (u_int)jtype, reverse, (u_int)jvalue);
9096 if (cstate->off_dpc == OFFSET_NOT_SET)
9097 bpf_error(cstate, "'dpc' supported only on SS7");
9098 /* dpc coded on 14 bits so max value 16383 */
9100 bpf_error(cstate, "dpc value %u too big; max value = 16383",
9102 /* the following instructions are made to convert jvalue
9103 * to the forme used to write dpc in an ss7 message*/
9104 val1 = jvalue & 0x000000ff;
9106 val2 = jvalue & 0x00003f00;
9108 jvalue = val1 + val2;
9109 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
9110 (u_int)jtype, reverse, (u_int)jvalue);
9116 if (cstate->off_sls == OFFSET_NOT_SET)
9117 bpf_error(cstate, "'sls' supported only on SS7");
9118 /* sls coded on 4 bits so max value 15 */
9120 bpf_error(cstate, "sls value %u too big; max value = 15",
9122 /* the following instruction is made to convert jvalue
9123 * to the forme used to write sls in an ss7 message*/
9124 jvalue = jvalue << 4;
9125 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0,
9126 (u_int)jtype,reverse, (u_int)jvalue);
9135 static struct block *
9136 gen_msg_abbrev(compiler_state_t *cstate, int type)
9141 * Q.2931 signalling protocol messages for handling virtual circuits
9142 * establishment and teardown
9147 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9151 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9155 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9159 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9163 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9166 case A_RELEASE_DONE:
9167 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9177 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9179 struct block *b0, *b1;
9184 if (!cstate->is_atm)
9185 bpf_error(cstate, "'oam' supported only on raw ATM");
9186 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4);
9190 if (!cstate->is_atm)
9191 bpf_error(cstate, "'oamf4' supported only on raw ATM");
9193 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
9194 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
9196 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
9202 * Get Q.2931 signalling messages for switched
9203 * virtual connection
9205 if (!cstate->is_atm)
9206 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
9207 b0 = gen_msg_abbrev(cstate, A_SETUP);
9208 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9210 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9212 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
9214 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9216 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9218 b0 = gen_atmtype_abbrev(cstate, A_SC);
9223 if (!cstate->is_atm)
9224 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
9225 b0 = gen_msg_abbrev(cstate, A_SETUP);
9226 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9228 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9230 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9232 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9234 b0 = gen_atmtype_abbrev(cstate, A_METAC);
projects / FreeBSD / FreeBSD.git / blob