1 /*#define CHASE_CHAIN*/
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
34 #include <pcap-stdinc.h>
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
44 #include <sys/types.h>
45 #include <sys/socket.h>
49 * XXX - why was this included even on UNIX?
58 #include <sys/param.h>
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
78 #include "ethertype.h"
82 #include "ieee80211.h"
84 #include "sunatmpos.h"
87 #include "pcap/ipnet.h"
89 #ifdef HAVE_NET_PFVAR_H
90 #include <sys/socket.h>
92 #include <net/pfvar.h>
93 #include <net/if_pflog.h>
96 #define offsetof(s, e) ((size_t)&((s *)0)->e)
100 #include <netdb.h> /* for "struct addrinfo" */
103 #include <pcap/namedb.h>
105 #define ETHERMTU 1500
108 #define IPPROTO_SCTP 132
111 #ifdef HAVE_OS_PROTO_H
112 #include "os-proto.h"
115 #define JMP(c) ((c)|BPF_JMP|BPF_K)
118 static jmp_buf top_ctx;
119 static pcap_t *bpf_pcap;
121 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
123 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
125 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
130 static int pcap_fddipad;
135 bpf_error(const char *fmt, ...)
140 if (bpf_pcap != NULL)
141 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
148 static void init_linktype(pcap_t *);
150 static void init_regs(void);
151 static int alloc_reg(void);
152 static void free_reg(int);
154 static struct block *root;
157 * Value passed to gen_load_a() to indicate what the offset argument
161 OR_PACKET, /* relative to the beginning of the packet */
162 OR_LINK, /* relative to the beginning of the link-layer header */
163 OR_MACPL, /* relative to the end of the MAC-layer header */
164 OR_NET, /* relative to the network-layer header */
165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
172 * As errors are handled by a longjmp, anything allocated must be freed
173 * in the longjmp handler, so it must be reachable from that handler.
174 * One thing that's allocated is the result of pcap_nametoaddrinfo();
175 * it must be freed with freeaddrinfo(). This variable points to any
176 * addrinfo structure that would need to be freed.
178 static struct addrinfo *ai;
182 * We divy out chunks of memory rather than call malloc each time so
183 * we don't have to worry about leaking memory. It's probably
184 * not a big deal if all this memory was wasted but if this ever
185 * goes into a library that would probably not be a good idea.
187 * XXX - this *is* in a library....
190 #define CHUNK0SIZE 1024
196 static struct chunk chunks[NCHUNKS];
197 static int cur_chunk;
199 static void *newchunk(u_int);
200 static void freechunks(void);
201 static inline struct block *new_block(int);
202 static inline struct slist *new_stmt(int);
203 static struct block *gen_retblk(int);
204 static inline void syntax(void);
206 static void backpatch(struct block *, struct block *);
207 static void merge(struct block *, struct block *);
208 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
209 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
210 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
211 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
212 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
213 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
217 bpf_u_int32, bpf_u_int32, int, bpf_int32);
218 static struct slist *gen_load_llrel(u_int, u_int);
219 static struct slist *gen_load_macplrel(u_int, u_int);
220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
221 static struct slist *gen_loadx_iphdrlen(void);
222 static struct block *gen_uncond(int);
223 static inline struct block *gen_true(void);
224 static inline struct block *gen_false(void);
225 static struct block *gen_ether_linktype(int);
226 static struct block *gen_ipnet_linktype(int);
227 static struct block *gen_linux_sll_linktype(int);
228 static struct slist *gen_load_prism_llprefixlen(void);
229 static struct slist *gen_load_avs_llprefixlen(void);
230 static struct slist *gen_load_radiotap_llprefixlen(void);
231 static struct slist *gen_load_ppi_llprefixlen(void);
232 static void insert_compute_vloffsets(struct block *);
233 static struct slist *gen_llprefixlen(void);
234 static struct slist *gen_off_macpl(void);
235 static int ethertype_to_ppptype(int);
236 static struct block *gen_linktype(int);
237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
238 static struct block *gen_llc_linktype(int);
239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
243 static struct block *gen_ahostop(const u_char *, int);
244 static struct block *gen_ehostop(const u_char *, int);
245 static struct block *gen_fhostop(const u_char *, int);
246 static struct block *gen_thostop(const u_char *, int);
247 static struct block *gen_wlanhostop(const u_char *, int);
248 static struct block *gen_ipfchostop(const u_char *, int);
249 static struct block *gen_dnhostop(bpf_u_int32, int);
250 static struct block *gen_mpls_linktype(int);
251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
258 static struct block *gen_ipfrag(void);
259 static struct block *gen_portatom(int, bpf_int32);
260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
262 static struct block *gen_portatom6(int, bpf_int32);
263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
265 struct block *gen_portop(int, int, int);
266 static struct block *gen_port(int, int, int);
267 struct block *gen_portrangeop(int, int, int, int);
268 static struct block *gen_portrange(int, int, int, int);
270 struct block *gen_portop6(int, int, int);
271 static struct block *gen_port6(int, int, int);
272 struct block *gen_portrangeop6(int, int, int, int);
273 static struct block *gen_portrange6(int, int, int, int);
275 static int lookup_proto(const char *, int);
276 static struct block *gen_protochain(int, int, int);
277 static struct block *gen_proto(int, int, int);
278 static struct slist *xfer_to_x(struct arth *);
279 static struct slist *xfer_to_a(struct arth *);
280 static struct block *gen_mac_multicast(int);
281 static struct block *gen_len(int, int);
282 static struct block *gen_check_802_11_data_frame(void);
284 static struct block *gen_ppi_dlt_check(void);
285 static struct block *gen_msg_abbrev(int type);
296 /* XXX Round up to nearest long. */
297 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
299 /* XXX Round up to structure boundary. */
303 cp = &chunks[cur_chunk];
304 if (n > cp->n_left) {
305 ++cp, k = ++cur_chunk;
307 bpf_error("out of memory");
308 size = CHUNK0SIZE << k;
309 cp->m = (void *)malloc(size);
311 bpf_error("out of memory");
312 memset((char *)cp->m, 0, size);
315 bpf_error("out of memory");
318 return (void *)((char *)cp->m + cp->n_left);
327 for (i = 0; i < NCHUNKS; ++i)
328 if (chunks[i].m != NULL) {
335 * A strdup whose allocations are freed after code generation is over.
339 register const char *s;
341 int n = strlen(s) + 1;
342 char *cp = newchunk(n);
348 static inline struct block *
354 p = (struct block *)newchunk(sizeof(*p));
361 static inline struct slist *
367 p = (struct slist *)newchunk(sizeof(*p));
373 static struct block *
377 struct block *b = new_block(BPF_RET|BPF_K);
386 bpf_error("syntax error in filter expression");
389 static bpf_u_int32 netmask;
394 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
395 const char *buf, int optimize, bpf_u_int32 mask);
398 pcap_compile(pcap_t *p, struct bpf_program *program,
399 const char *buf, int optimize, bpf_u_int32 mask)
403 EnterCriticalSection(&g_PcapCompileCriticalSection);
405 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
407 LeaveCriticalSection(&g_PcapCompileCriticalSection);
413 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
414 const char *buf, int optimize, bpf_u_int32 mask)
417 pcap_compile(pcap_t *p, struct bpf_program *program,
418 const char *buf, int optimize, bpf_u_int32 mask)
422 const char * volatile xbuf = buf;
430 if (setjmp(top_ctx)) {
444 snaplen = pcap_snapshot(p);
446 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
447 "snaplen of 0 rejects all packets");
451 lex_init(xbuf ? xbuf : "");
459 root = gen_retblk(snaplen);
461 if (optimize && !no_optimize) {
464 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
465 bpf_error("expression rejects all packets");
467 program->bf_insns = icode_to_fcode(root, &len);
468 program->bf_len = len;
476 * entry point for using the compiler with no pcap open
477 * pass in all the stuff that is needed explicitly instead.
480 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
481 struct bpf_program *program,
482 const char *buf, int optimize, bpf_u_int32 mask)
487 p = pcap_open_dead(linktype_arg, snaplen_arg);
490 ret = pcap_compile(p, program, buf, optimize, mask);
496 * Clean up a "struct bpf_program" by freeing all the memory allocated
500 pcap_freecode(struct bpf_program *program)
503 if (program->bf_insns != NULL) {
504 free((char *)program->bf_insns);
505 program->bf_insns = NULL;
510 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
511 * which of the jt and jf fields has been resolved and which is a pointer
512 * back to another unresolved block (or nil). At least one of the fields
513 * in each block is already resolved.
516 backpatch(list, target)
517 struct block *list, *target;
534 * Merge the lists in b0 and b1, using the 'sense' field to indicate
535 * which of jt and jf is the link.
539 struct block *b0, *b1;
541 register struct block **p = &b0;
543 /* Find end of list. */
545 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
547 /* Concatenate the lists. */
555 struct block *ppi_dlt_check;
558 * Insert before the statements of the first (root) block any
559 * statements needed to load the lengths of any variable-length
560 * headers into registers.
562 * XXX - a fancier strategy would be to insert those before the
563 * statements of all blocks that use those lengths and that
564 * have no predecessors that use them, so that we only compute
565 * the lengths if we need them. There might be even better
566 * approaches than that.
568 * However, those strategies would be more complicated, and
569 * as we don't generate code to compute a length if the
570 * program has no tests that use the length, and as most
571 * tests will probably use those lengths, we would just
572 * postpone computing the lengths so that it's not done
573 * for tests that fail early, and it's not clear that's
576 insert_compute_vloffsets(p->head);
579 * For DLT_PPI captures, generate a check of the per-packet
580 * DLT value to make sure it's DLT_IEEE802_11.
582 ppi_dlt_check = gen_ppi_dlt_check();
583 if (ppi_dlt_check != NULL)
584 gen_and(ppi_dlt_check, p);
586 backpatch(p, gen_retblk(snaplen));
587 p->sense = !p->sense;
588 backpatch(p, gen_retblk(0));
594 struct block *b0, *b1;
596 backpatch(b0, b1->head);
597 b0->sense = !b0->sense;
598 b1->sense = !b1->sense;
600 b1->sense = !b1->sense;
606 struct block *b0, *b1;
608 b0->sense = !b0->sense;
609 backpatch(b0, b1->head);
610 b0->sense = !b0->sense;
619 b->sense = !b->sense;
622 static struct block *
623 gen_cmp(offrel, offset, size, v)
624 enum e_offrel offrel;
628 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
631 static struct block *
632 gen_cmp_gt(offrel, offset, size, v)
633 enum e_offrel offrel;
637 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
640 static struct block *
641 gen_cmp_ge(offrel, offset, size, v)
642 enum e_offrel offrel;
646 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
649 static struct block *
650 gen_cmp_lt(offrel, offset, size, v)
651 enum e_offrel offrel;
655 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
658 static struct block *
659 gen_cmp_le(offrel, offset, size, v)
660 enum e_offrel offrel;
664 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
667 static struct block *
668 gen_mcmp(offrel, offset, size, v, mask)
669 enum e_offrel offrel;
674 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
677 static struct block *
678 gen_bcmp(offrel, offset, size, v)
679 enum e_offrel offrel;
680 register u_int offset, size;
681 register const u_char *v;
683 register struct block *b, *tmp;
687 register const u_char *p = &v[size - 4];
688 bpf_int32 w = ((bpf_int32)p[0] << 24) |
689 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
691 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
698 register const u_char *p = &v[size - 2];
699 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
701 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
708 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
717 * AND the field of size "size" at offset "offset" relative to the header
718 * specified by "offrel" with "mask", and compare it with the value "v"
719 * with the test specified by "jtype"; if "reverse" is true, the test
720 * should test the opposite of "jtype".
722 static struct block *
723 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
724 enum e_offrel offrel;
726 bpf_u_int32 offset, size, mask, jtype;
729 struct slist *s, *s2;
732 s = gen_load_a(offrel, offset, size);
734 if (mask != 0xffffffff) {
735 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
740 b = new_block(JMP(jtype));
743 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
749 * Various code constructs need to know the layout of the data link
750 * layer. These variables give the necessary offsets from the beginning
751 * of the packet data.
755 * This is the offset of the beginning of the link-layer header from
756 * the beginning of the raw packet data.
758 * It's usually 0, except for 802.11 with a fixed-length radio header.
759 * (For 802.11 with a variable-length radio header, we have to generate
760 * code to compute that offset; off_ll is 0 in that case.)
765 * If there's a variable-length header preceding the link-layer header,
766 * "reg_off_ll" is the register number for a register containing the
767 * length of that header, and therefore the offset of the link-layer
768 * header from the beginning of the raw packet data. Otherwise,
769 * "reg_off_ll" is -1.
771 static int reg_off_ll;
774 * This is the offset of the beginning of the MAC-layer header from
775 * the beginning of the link-layer header.
776 * It's usually 0, except for ATM LANE, where it's the offset, relative
777 * to the beginning of the raw packet data, of the Ethernet header.
779 static u_int off_mac;
782 * This is the offset of the beginning of the MAC-layer payload,
783 * from the beginning of the raw packet data.
785 * I.e., it's the sum of the length of the link-layer header (without,
786 * for example, any 802.2 LLC header, so it's the MAC-layer
787 * portion of that header), plus any prefix preceding the
790 static u_int off_macpl;
793 * This is 1 if the offset of the beginning of the MAC-layer payload
794 * from the beginning of the link-layer header is variable-length.
796 static int off_macpl_is_variable;
799 * If the link layer has variable_length headers, "reg_off_macpl"
800 * is the register number for a register containing the length of the
801 * link-layer header plus the length of any variable-length header
802 * preceding the link-layer header. Otherwise, "reg_off_macpl"
805 static int reg_off_macpl;
808 * "off_linktype" is the offset to information in the link-layer header
809 * giving the packet type. This offset is relative to the beginning
810 * of the link-layer header (i.e., it doesn't include off_ll).
812 * For Ethernet, it's the offset of the Ethernet type field.
814 * For link-layer types that always use 802.2 headers, it's the
815 * offset of the LLC header.
817 * For PPP, it's the offset of the PPP type field.
819 * For Cisco HDLC, it's the offset of the CHDLC type field.
821 * For BSD loopback, it's the offset of the AF_ value.
823 * For Linux cooked sockets, it's the offset of the type field.
825 * It's set to -1 for no encapsulation, in which case, IP is assumed.
827 static u_int off_linktype;
830 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
831 * checks to check the PPP header, assumed to follow a LAN-style link-
832 * layer header and a PPPoE session header.
834 static int is_pppoes = 0;
837 * TRUE if the link layer includes an ATM pseudo-header.
839 static int is_atm = 0;
842 * TRUE if "lane" appeared in the filter; it causes us to generate
843 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
845 static int is_lane = 0;
848 * These are offsets for the ATM pseudo-header.
850 static u_int off_vpi;
851 static u_int off_vci;
852 static u_int off_proto;
855 * These are offsets for the MTP2 fields.
860 * These are offsets for the MTP3 fields.
862 static u_int off_sio;
863 static u_int off_opc;
864 static u_int off_dpc;
865 static u_int off_sls;
868 * This is the offset of the first byte after the ATM pseudo_header,
869 * or -1 if there is no ATM pseudo-header.
871 static u_int off_payload;
874 * These are offsets to the beginning of the network-layer header.
875 * They are relative to the beginning of the MAC-layer payload (i.e.,
876 * they don't include off_ll or off_macpl).
878 * If the link layer never uses 802.2 LLC:
880 * "off_nl" and "off_nl_nosnap" are the same.
882 * If the link layer always uses 802.2 LLC:
884 * "off_nl" is the offset if there's a SNAP header following
887 * "off_nl_nosnap" is the offset if there's no SNAP header.
889 * If the link layer is Ethernet:
891 * "off_nl" is the offset if the packet is an Ethernet II packet
892 * (we assume no 802.3+802.2+SNAP);
894 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
895 * with an 802.2 header following it.
898 static u_int off_nl_nosnap;
906 linktype = pcap_datalink(p);
908 pcap_fddipad = p->fddipad;
912 * Assume it's not raw ATM with a pseudo-header, for now.
923 * And that we're not doing PPPoE.
928 * And assume we're not doing SS7.
937 * Also assume it's not 802.11.
941 off_macpl_is_variable = 0;
945 label_stack_depth = 0;
955 off_nl = 0; /* XXX in reality, variable! */
956 off_nl_nosnap = 0; /* no 802.2 LLC */
959 case DLT_ARCNET_LINUX:
962 off_nl = 0; /* XXX in reality, variable! */
963 off_nl_nosnap = 0; /* no 802.2 LLC */
968 off_macpl = 14; /* Ethernet header length */
969 off_nl = 0; /* Ethernet II */
970 off_nl_nosnap = 3; /* 802.3+802.2 */
975 * SLIP doesn't have a link level type. The 16 byte
976 * header is hacked into our SLIP driver.
981 off_nl_nosnap = 0; /* no 802.2 LLC */
985 /* XXX this may be the same as the DLT_PPP_BSDOS case */
990 off_nl_nosnap = 0; /* no 802.2 LLC */
998 off_nl_nosnap = 0; /* no 802.2 LLC */
1005 off_nl_nosnap = 0; /* no 802.2 LLC */
1010 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1011 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1015 off_nl_nosnap = 0; /* no 802.2 LLC */
1020 * This does no include the Ethernet header, and
1021 * only covers session state.
1026 off_nl_nosnap = 0; /* no 802.2 LLC */
1033 off_nl_nosnap = 0; /* no 802.2 LLC */
1038 * FDDI doesn't really have a link-level type field.
1039 * We set "off_linktype" to the offset of the LLC header.
1041 * To check for Ethernet types, we assume that SSAP = SNAP
1042 * is being used and pick out the encapsulated Ethernet type.
1043 * XXX - should we generate code to check for SNAP?
1047 off_linktype += pcap_fddipad;
1049 off_macpl = 13; /* FDDI MAC header length */
1051 off_macpl += pcap_fddipad;
1053 off_nl = 8; /* 802.2+SNAP */
1054 off_nl_nosnap = 3; /* 802.2 */
1059 * Token Ring doesn't really have a link-level type field.
1060 * We set "off_linktype" to the offset of the LLC header.
1062 * To check for Ethernet types, we assume that SSAP = SNAP
1063 * is being used and pick out the encapsulated Ethernet type.
1064 * XXX - should we generate code to check for SNAP?
1066 * XXX - the header is actually variable-length.
1067 * Some various Linux patched versions gave 38
1068 * as "off_linktype" and 40 as "off_nl"; however,
1069 * if a token ring packet has *no* routing
1070 * information, i.e. is not source-routed, the correct
1071 * values are 20 and 22, as they are in the vanilla code.
1073 * A packet is source-routed iff the uppermost bit
1074 * of the first byte of the source address, at an
1075 * offset of 8, has the uppermost bit set. If the
1076 * packet is source-routed, the total number of bytes
1077 * of routing information is 2 plus bits 0x1F00 of
1078 * the 16-bit value at an offset of 14 (shifted right
1079 * 8 - figure out which byte that is).
1082 off_macpl = 14; /* Token Ring MAC header length */
1083 off_nl = 8; /* 802.2+SNAP */
1084 off_nl_nosnap = 3; /* 802.2 */
1087 case DLT_IEEE802_11:
1088 case DLT_PRISM_HEADER:
1089 case DLT_IEEE802_11_RADIO_AVS:
1090 case DLT_IEEE802_11_RADIO:
1092 * 802.11 doesn't really have a link-level type field.
1093 * We set "off_linktype" to the offset of the LLC header.
1095 * To check for Ethernet types, we assume that SSAP = SNAP
1096 * is being used and pick out the encapsulated Ethernet type.
1097 * XXX - should we generate code to check for SNAP?
1099 * We also handle variable-length radio headers here.
1100 * The Prism header is in theory variable-length, but in
1101 * practice it's always 144 bytes long. However, some
1102 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1103 * sometimes or always supply an AVS header, so we
1104 * have to check whether the radio header is a Prism
1105 * header or an AVS header, so, in practice, it's
1109 off_macpl = 0; /* link-layer header is variable-length */
1110 off_macpl_is_variable = 1;
1111 off_nl = 8; /* 802.2+SNAP */
1112 off_nl_nosnap = 3; /* 802.2 */
1117 * At the moment we treat PPI the same way that we treat
1118 * normal Radiotap encoded packets. The difference is in
1119 * the function that generates the code at the beginning
1120 * to compute the header length. Since this code generator
1121 * of PPI supports bare 802.11 encapsulation only (i.e.
1122 * the encapsulated DLT should be DLT_IEEE802_11) we
1123 * generate code to check for this too.
1126 off_macpl = 0; /* link-layer header is variable-length */
1127 off_macpl_is_variable = 1;
1128 off_nl = 8; /* 802.2+SNAP */
1129 off_nl_nosnap = 3; /* 802.2 */
1132 case DLT_ATM_RFC1483:
1133 case DLT_ATM_CLIP: /* Linux ATM defines this */
1135 * assume routed, non-ISO PDUs
1136 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1138 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1139 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1140 * latter would presumably be treated the way PPPoE
1141 * should be, so you can do "pppoe and udp port 2049"
1142 * or "pppoa and tcp port 80" and have it check for
1143 * PPPo{A,E} and a PPP protocol of IP and....
1146 off_macpl = 0; /* packet begins with LLC header */
1147 off_nl = 8; /* 802.2+SNAP */
1148 off_nl_nosnap = 3; /* 802.2 */
1153 * Full Frontal ATM; you get AALn PDUs with an ATM
1157 off_vpi = SUNATM_VPI_POS;
1158 off_vci = SUNATM_VCI_POS;
1159 off_proto = PROTO_POS;
1160 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1161 off_payload = SUNATM_PKT_BEGIN_POS;
1162 off_linktype = off_payload;
1163 off_macpl = off_payload; /* if LLC-encapsulated */
1164 off_nl = 8; /* 802.2+SNAP */
1165 off_nl_nosnap = 3; /* 802.2 */
1174 off_nl_nosnap = 0; /* no 802.2 LLC */
1177 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1181 off_nl_nosnap = 0; /* no 802.2 LLC */
1186 * LocalTalk does have a 1-byte type field in the LLAP header,
1187 * but really it just indicates whether there is a "short" or
1188 * "long" DDP packet following.
1193 off_nl_nosnap = 0; /* no 802.2 LLC */
1196 case DLT_IP_OVER_FC:
1198 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1199 * link-level type field. We set "off_linktype" to the
1200 * offset of the LLC header.
1202 * To check for Ethernet types, we assume that SSAP = SNAP
1203 * is being used and pick out the encapsulated Ethernet type.
1204 * XXX - should we generate code to check for SNAP? RFC
1205 * 2625 says SNAP should be used.
1209 off_nl = 8; /* 802.2+SNAP */
1210 off_nl_nosnap = 3; /* 802.2 */
1215 * XXX - we should set this to handle SNAP-encapsulated
1216 * frames (NLPID of 0x80).
1221 off_nl_nosnap = 0; /* no 802.2 LLC */
1225 * the only BPF-interesting FRF.16 frames are non-control frames;
1226 * Frame Relay has a variable length link-layer
1227 * so lets start with offset 4 for now and increments later on (FIXME);
1233 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1236 case DLT_APPLE_IP_OVER_IEEE1394:
1240 off_nl_nosnap = 0; /* no 802.2 LLC */
1243 case DLT_LINUX_IRDA:
1245 * Currently, only raw "link[N:M]" filtering is supported.
1255 * Currently, only raw "link[N:M]" filtering is supported.
1263 case DLT_SYMANTEC_FIREWALL:
1266 off_nl = 0; /* Ethernet II */
1267 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1270 #ifdef HAVE_NET_PFVAR_H
1273 off_macpl = PFLOG_HDRLEN;
1275 off_nl_nosnap = 0; /* no 802.2 LLC */
1279 case DLT_JUNIPER_MFR:
1280 case DLT_JUNIPER_MLFR:
1281 case DLT_JUNIPER_MLPPP:
1282 case DLT_JUNIPER_PPP:
1283 case DLT_JUNIPER_CHDLC:
1284 case DLT_JUNIPER_FRELAY:
1288 off_nl_nosnap = -1; /* no 802.2 LLC */
1291 case DLT_JUNIPER_ATM1:
1292 off_linktype = 4; /* in reality variable between 4-8 */
1293 off_macpl = 4; /* in reality variable between 4-8 */
1298 case DLT_JUNIPER_ATM2:
1299 off_linktype = 8; /* in reality variable between 8-12 */
1300 off_macpl = 8; /* in reality variable between 8-12 */
1305 /* frames captured on a Juniper PPPoE service PIC
1306 * contain raw ethernet frames */
1307 case DLT_JUNIPER_PPPOE:
1308 case DLT_JUNIPER_ETHER:
1311 off_nl = 18; /* Ethernet II */
1312 off_nl_nosnap = 21; /* 802.3+802.2 */
1315 case DLT_JUNIPER_PPPOE_ATM:
1319 off_nl_nosnap = -1; /* no 802.2 LLC */
1322 case DLT_JUNIPER_GGSN:
1326 off_nl_nosnap = -1; /* no 802.2 LLC */
1329 case DLT_JUNIPER_ES:
1331 off_macpl = -1; /* not really a network layer but raw IP addresses */
1332 off_nl = -1; /* not really a network layer but raw IP addresses */
1333 off_nl_nosnap = -1; /* no 802.2 LLC */
1336 case DLT_JUNIPER_MONITOR:
1339 off_nl = 0; /* raw IP/IP6 header */
1340 off_nl_nosnap = -1; /* no 802.2 LLC */
1343 case DLT_JUNIPER_SERVICES:
1345 off_macpl = -1; /* L3 proto location dep. on cookie type */
1346 off_nl = -1; /* L3 proto location dep. on cookie type */
1347 off_nl_nosnap = -1; /* no 802.2 LLC */
1350 case DLT_JUNIPER_VP:
1357 case DLT_JUNIPER_ST:
1364 case DLT_JUNIPER_ISM:
1383 case DLT_MTP2_WITH_PHDR:
1416 case DLT_LINUX_LAPD:
1418 * Currently, only raw "link[N:M]" filtering is supported.
1428 * Currently, only raw "link[N:M]" filtering is supported.
1436 case DLT_BLUETOOTH_HCI_H4:
1438 * Currently, only raw "link[N:M]" filtering is supported.
1448 * Currently, only raw "link[N:M]" filtering is supported.
1458 * Currently, only raw "link[N:M]" filtering is supported.
1466 case DLT_IEEE802_15_4_LINUX:
1468 * Currently, only raw "link[N:M]" filtering is supported.
1476 case DLT_IEEE802_16_MAC_CPS_RADIO:
1478 * Currently, only raw "link[N:M]" filtering is supported.
1486 case DLT_IEEE802_15_4:
1488 * Currently, only raw "link[N:M]" filtering is supported.
1498 * Currently, only raw "link[N:M]" filtering is supported.
1508 * Currently, only raw "link[N:M]" filtering is supported.
1518 * Currently, only raw "link[N:M]" filtering is supported.
1526 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1528 * Currently, only raw "link[N:M]" filtering is supported.
1538 * Currently, only raw "link[N:M]" filtering is supported.
1540 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1542 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1543 off_nl_nosnap = -1; /* no 802.2 LLC */
1544 off_mac = 1; /* step over the kiss length byte */
1547 case DLT_IEEE802_15_4_NONASK_PHY:
1549 * Currently, only raw "link[N:M]" filtering is supported.
1559 * Currently, only raw "link[N:M]" filtering is supported.
1567 case DLT_USB_LINUX_MMAPPED:
1569 * Currently, only raw "link[N:M]" filtering is supported.
1577 case DLT_CAN_SOCKETCAN:
1579 * Currently, only raw "link[N:M]" filtering is supported.
1589 off_macpl = 24; /* ipnet header length */
1594 bpf_error("unknown data link type %d", linktype);
1599 * Load a value relative to the beginning of the link-layer header.
1600 * The link-layer header doesn't necessarily begin at the beginning
1601 * of the packet data; there might be a variable-length prefix containing
1602 * radio information.
1604 static struct slist *
1605 gen_load_llrel(offset, size)
1608 struct slist *s, *s2;
1610 s = gen_llprefixlen();
1613 * If "s" is non-null, it has code to arrange that the X register
1614 * contains the length of the prefix preceding the link-layer
1617 * Otherwise, the length of the prefix preceding the link-layer
1618 * header is "off_ll".
1622 * There's a variable-length prefix preceding the
1623 * link-layer header. "s" points to a list of statements
1624 * that put the length of that prefix into the X register.
1625 * do an indirect load, to use the X register as an offset.
1627 s2 = new_stmt(BPF_LD|BPF_IND|size);
1632 * There is no variable-length header preceding the
1633 * link-layer header; add in off_ll, which, if there's
1634 * a fixed-length header preceding the link-layer header,
1635 * is the length of that header.
1637 s = new_stmt(BPF_LD|BPF_ABS|size);
1638 s->s.k = offset + off_ll;
1644 * Load a value relative to the beginning of the MAC-layer payload.
1646 static struct slist *
1647 gen_load_macplrel(offset, size)
1650 struct slist *s, *s2;
1652 s = gen_off_macpl();
1655 * If s is non-null, the offset of the MAC-layer payload is
1656 * variable, and s points to a list of instructions that
1657 * arrange that the X register contains that offset.
1659 * Otherwise, the offset of the MAC-layer payload is constant,
1660 * and is in off_macpl.
1664 * The offset of the MAC-layer payload is in the X
1665 * register. Do an indirect load, to use the X register
1668 s2 = new_stmt(BPF_LD|BPF_IND|size);
1673 * The offset of the MAC-layer payload is constant,
1674 * and is in off_macpl; load the value at that offset
1675 * plus the specified offset.
1677 s = new_stmt(BPF_LD|BPF_ABS|size);
1678 s->s.k = off_macpl + offset;
1684 * Load a value relative to the beginning of the specified header.
1686 static struct slist *
1687 gen_load_a(offrel, offset, size)
1688 enum e_offrel offrel;
1691 struct slist *s, *s2;
1696 s = new_stmt(BPF_LD|BPF_ABS|size);
1701 s = gen_load_llrel(offset, size);
1705 s = gen_load_macplrel(offset, size);
1709 s = gen_load_macplrel(off_nl + offset, size);
1713 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1718 * Load the X register with the length of the IPv4 header
1719 * (plus the offset of the link-layer header, if it's
1720 * preceded by a variable-length header such as a radio
1721 * header), in bytes.
1723 s = gen_loadx_iphdrlen();
1726 * Load the item at {offset of the MAC-layer payload} +
1727 * {offset, relative to the start of the MAC-layer
1728 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1729 * {specified offset}.
1731 * (If the offset of the MAC-layer payload is variable,
1732 * it's included in the value in the X register, and
1735 s2 = new_stmt(BPF_LD|BPF_IND|size);
1736 s2->s.k = off_macpl + off_nl + offset;
1741 s = gen_load_macplrel(off_nl + 40 + offset, size);
1752 * Generate code to load into the X register the sum of the length of
1753 * the IPv4 header and any variable-length header preceding the link-layer
1756 static struct slist *
1757 gen_loadx_iphdrlen()
1759 struct slist *s, *s2;
1761 s = gen_off_macpl();
1764 * There's a variable-length prefix preceding the
1765 * link-layer header, or the link-layer header is itself
1766 * variable-length. "s" points to a list of statements
1767 * that put the offset of the MAC-layer payload into
1770 * The 4*([k]&0xf) addressing mode can't be used, as we
1771 * don't have a constant offset, so we have to load the
1772 * value in question into the A register and add to it
1773 * the value from the X register.
1775 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1778 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1781 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1786 * The A register now contains the length of the
1787 * IP header. We need to add to it the offset of
1788 * the MAC-layer payload, which is still in the X
1789 * register, and move the result into the X register.
1791 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1792 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1795 * There is no variable-length header preceding the
1796 * link-layer header, and the link-layer header is
1797 * fixed-length; load the length of the IPv4 header,
1798 * which is at an offset of off_nl from the beginning
1799 * of the MAC-layer payload, and thus at an offset
1800 * of off_mac_pl + off_nl from the beginning of the
1803 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1804 s->s.k = off_macpl + off_nl;
1809 static struct block *
1816 s = new_stmt(BPF_LD|BPF_IMM);
1818 b = new_block(JMP(BPF_JEQ));
1824 static inline struct block *
1827 return gen_uncond(1);
1830 static inline struct block *
1833 return gen_uncond(0);
1837 * Byte-swap a 32-bit number.
1838 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1839 * big-endian platforms.)
1841 #define SWAPLONG(y) \
1842 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1845 * Generate code to match a particular packet type.
1847 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1848 * value, if <= ETHERMTU. We use that to determine whether to
1849 * match the type/length field or to check the type/length field for
1850 * a value <= ETHERMTU to see whether it's a type field and then do
1851 * the appropriate test.
1853 static struct block *
1854 gen_ether_linktype(proto)
1857 struct block *b0, *b1;
1863 case LLCSAP_NETBEUI:
1865 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1866 * so we check the DSAP and SSAP.
1868 * LLCSAP_IP checks for IP-over-802.2, rather
1869 * than IP-over-Ethernet or IP-over-SNAP.
1871 * XXX - should we check both the DSAP and the
1872 * SSAP, like this, or should we check just the
1873 * DSAP, as we do for other types <= ETHERMTU
1874 * (i.e., other SAP values)?
1876 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1878 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1879 ((proto << 8) | proto));
1887 * Ethernet_II frames, which are Ethernet
1888 * frames with a frame type of ETHERTYPE_IPX;
1890 * Ethernet_802.3 frames, which are 802.3
1891 * frames (i.e., the type/length field is
1892 * a length field, <= ETHERMTU, rather than
1893 * a type field) with the first two bytes
1894 * after the Ethernet/802.3 header being
1897 * Ethernet_802.2 frames, which are 802.3
1898 * frames with an 802.2 LLC header and
1899 * with the IPX LSAP as the DSAP in the LLC
1902 * Ethernet_SNAP frames, which are 802.3
1903 * frames with an LLC header and a SNAP
1904 * header and with an OUI of 0x000000
1905 * (encapsulated Ethernet) and a protocol
1906 * ID of ETHERTYPE_IPX in the SNAP header.
1908 * XXX - should we generate the same code both
1909 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1913 * This generates code to check both for the
1914 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1916 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1917 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1921 * Now we add code to check for SNAP frames with
1922 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1924 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1928 * Now we generate code to check for 802.3
1929 * frames in general.
1931 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1935 * Now add the check for 802.3 frames before the
1936 * check for Ethernet_802.2 and Ethernet_802.3,
1937 * as those checks should only be done on 802.3
1938 * frames, not on Ethernet frames.
1943 * Now add the check for Ethernet_II frames, and
1944 * do that before checking for the other frame
1947 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1948 (bpf_int32)ETHERTYPE_IPX);
1952 case ETHERTYPE_ATALK:
1953 case ETHERTYPE_AARP:
1955 * EtherTalk (AppleTalk protocols on Ethernet link
1956 * layer) may use 802.2 encapsulation.
1960 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1961 * we check for an Ethernet type field less than
1962 * 1500, which means it's an 802.3 length field.
1964 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1968 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1969 * SNAP packets with an organization code of
1970 * 0x080007 (Apple, for Appletalk) and a protocol
1971 * type of ETHERTYPE_ATALK (Appletalk).
1973 * 802.2-encapsulated ETHERTYPE_AARP packets are
1974 * SNAP packets with an organization code of
1975 * 0x000000 (encapsulated Ethernet) and a protocol
1976 * type of ETHERTYPE_AARP (Appletalk ARP).
1978 if (proto == ETHERTYPE_ATALK)
1979 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1980 else /* proto == ETHERTYPE_AARP */
1981 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1985 * Check for Ethernet encapsulation (Ethertalk
1986 * phase 1?); we just check for the Ethernet
1989 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1995 if (proto <= ETHERMTU) {
1997 * This is an LLC SAP value, so the frames
1998 * that match would be 802.2 frames.
1999 * Check that the frame is an 802.2 frame
2000 * (i.e., that the length/type field is
2001 * a length field, <= ETHERMTU) and
2002 * then check the DSAP.
2004 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
2006 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
2012 * This is an Ethernet type, so compare
2013 * the length/type field with it (if
2014 * the frame is an 802.2 frame, the length
2015 * field will be <= ETHERMTU, and, as
2016 * "proto" is > ETHERMTU, this test
2017 * will fail and the frame won't match,
2018 * which is what we want).
2020 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2027 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2028 * or IPv6 then we have an error.
2030 static struct block *
2031 gen_ipnet_linktype(proto)
2037 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2038 (bpf_int32)IPH_AF_INET);
2041 case ETHERTYPE_IPV6:
2042 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2043 (bpf_int32)IPH_AF_INET6);
2054 * Generate code to match a particular packet type.
2056 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2057 * value, if <= ETHERMTU. We use that to determine whether to
2058 * match the type field or to check the type field for the special
2059 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2061 static struct block *
2062 gen_linux_sll_linktype(proto)
2065 struct block *b0, *b1;
2071 case LLCSAP_NETBEUI:
2073 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2074 * so we check the DSAP and SSAP.
2076 * LLCSAP_IP checks for IP-over-802.2, rather
2077 * than IP-over-Ethernet or IP-over-SNAP.
2079 * XXX - should we check both the DSAP and the
2080 * SSAP, like this, or should we check just the
2081 * DSAP, as we do for other types <= ETHERMTU
2082 * (i.e., other SAP values)?
2084 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2085 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
2086 ((proto << 8) | proto));
2092 * Ethernet_II frames, which are Ethernet
2093 * frames with a frame type of ETHERTYPE_IPX;
2095 * Ethernet_802.3 frames, which have a frame
2096 * type of LINUX_SLL_P_802_3;
2098 * Ethernet_802.2 frames, which are 802.3
2099 * frames with an 802.2 LLC header (i.e, have
2100 * a frame type of LINUX_SLL_P_802_2) and
2101 * with the IPX LSAP as the DSAP in the LLC
2104 * Ethernet_SNAP frames, which are 802.3
2105 * frames with an LLC header and a SNAP
2106 * header and with an OUI of 0x000000
2107 * (encapsulated Ethernet) and a protocol
2108 * ID of ETHERTYPE_IPX in the SNAP header.
2110 * First, do the checks on LINUX_SLL_P_802_2
2111 * frames; generate the check for either
2112 * Ethernet_802.2 or Ethernet_SNAP frames, and
2113 * then put a check for LINUX_SLL_P_802_2 frames
2116 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2117 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2119 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2123 * Now check for 802.3 frames and OR that with
2124 * the previous test.
2126 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2130 * Now add the check for Ethernet_II frames, and
2131 * do that before checking for the other frame
2134 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2135 (bpf_int32)ETHERTYPE_IPX);
2139 case ETHERTYPE_ATALK:
2140 case ETHERTYPE_AARP:
2142 * EtherTalk (AppleTalk protocols on Ethernet link
2143 * layer) may use 802.2 encapsulation.
2147 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2148 * we check for the 802.2 protocol type in the
2149 * "Ethernet type" field.
2151 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2154 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2155 * SNAP packets with an organization code of
2156 * 0x080007 (Apple, for Appletalk) and a protocol
2157 * type of ETHERTYPE_ATALK (Appletalk).
2159 * 802.2-encapsulated ETHERTYPE_AARP packets are
2160 * SNAP packets with an organization code of
2161 * 0x000000 (encapsulated Ethernet) and a protocol
2162 * type of ETHERTYPE_AARP (Appletalk ARP).
2164 if (proto == ETHERTYPE_ATALK)
2165 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2166 else /* proto == ETHERTYPE_AARP */
2167 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2171 * Check for Ethernet encapsulation (Ethertalk
2172 * phase 1?); we just check for the Ethernet
2175 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2181 if (proto <= ETHERMTU) {
2183 * This is an LLC SAP value, so the frames
2184 * that match would be 802.2 frames.
2185 * Check for the 802.2 protocol type
2186 * in the "Ethernet type" field, and
2187 * then check the DSAP.
2189 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2191 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2197 * This is an Ethernet type, so compare
2198 * the length/type field with it (if
2199 * the frame is an 802.2 frame, the length
2200 * field will be <= ETHERMTU, and, as
2201 * "proto" is > ETHERMTU, this test
2202 * will fail and the frame won't match,
2203 * which is what we want).
2205 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2211 static struct slist *
2212 gen_load_prism_llprefixlen()
2214 struct slist *s1, *s2;
2215 struct slist *sjeq_avs_cookie;
2216 struct slist *sjcommon;
2219 * This code is not compatible with the optimizer, as
2220 * we are generating jmp instructions within a normal
2221 * slist of instructions
2226 * Generate code to load the length of the radio header into
2227 * the register assigned to hold that length, if one has been
2228 * assigned. (If one hasn't been assigned, no code we've
2229 * generated uses that prefix, so we don't need to generate any
2232 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2233 * or always use the AVS header rather than the Prism header.
2234 * We load a 4-byte big-endian value at the beginning of the
2235 * raw packet data, and see whether, when masked with 0xFFFFF000,
2236 * it's equal to 0x80211000. If so, that indicates that it's
2237 * an AVS header (the masked-out bits are the version number).
2238 * Otherwise, it's a Prism header.
2240 * XXX - the Prism header is also, in theory, variable-length,
2241 * but no known software generates headers that aren't 144
2244 if (reg_off_ll != -1) {
2248 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2252 * AND it with 0xFFFFF000.
2254 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2255 s2->s.k = 0xFFFFF000;
2259 * Compare with 0x80211000.
2261 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2262 sjeq_avs_cookie->s.k = 0x80211000;
2263 sappend(s1, sjeq_avs_cookie);
2268 * The 4 bytes at an offset of 4 from the beginning of
2269 * the AVS header are the length of the AVS header.
2270 * That field is big-endian.
2272 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2275 sjeq_avs_cookie->s.jt = s2;
2278 * Now jump to the code to allocate a register
2279 * into which to save the header length and
2280 * store the length there. (The "jump always"
2281 * instruction needs to have the k field set;
2282 * it's added to the PC, so, as we're jumping
2283 * over a single instruction, it should be 1.)
2285 sjcommon = new_stmt(JMP(BPF_JA));
2287 sappend(s1, sjcommon);
2290 * Now for the code that handles the Prism header.
2291 * Just load the length of the Prism header (144)
2292 * into the A register. Have the test for an AVS
2293 * header branch here if we don't have an AVS header.
2295 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2298 sjeq_avs_cookie->s.jf = s2;
2301 * Now allocate a register to hold that value and store
2302 * it. The code for the AVS header will jump here after
2303 * loading the length of the AVS header.
2305 s2 = new_stmt(BPF_ST);
2306 s2->s.k = reg_off_ll;
2308 sjcommon->s.jf = s2;
2311 * Now move it into the X register.
2313 s2 = new_stmt(BPF_MISC|BPF_TAX);
2321 static struct slist *
2322 gen_load_avs_llprefixlen()
2324 struct slist *s1, *s2;
2327 * Generate code to load the length of the AVS header into
2328 * the register assigned to hold that length, if one has been
2329 * assigned. (If one hasn't been assigned, no code we've
2330 * generated uses that prefix, so we don't need to generate any
2333 if (reg_off_ll != -1) {
2335 * The 4 bytes at an offset of 4 from the beginning of
2336 * the AVS header are the length of the AVS header.
2337 * That field is big-endian.
2339 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2343 * Now allocate a register to hold that value and store
2346 s2 = new_stmt(BPF_ST);
2347 s2->s.k = reg_off_ll;
2351 * Now move it into the X register.
2353 s2 = new_stmt(BPF_MISC|BPF_TAX);
2361 static struct slist *
2362 gen_load_radiotap_llprefixlen()
2364 struct slist *s1, *s2;
2367 * Generate code to load the length of the radiotap header into
2368 * the register assigned to hold that length, if one has been
2369 * assigned. (If one hasn't been assigned, no code we've
2370 * generated uses that prefix, so we don't need to generate any
2373 if (reg_off_ll != -1) {
2375 * The 2 bytes at offsets of 2 and 3 from the beginning
2376 * of the radiotap header are the length of the radiotap
2377 * header; unfortunately, it's little-endian, so we have
2378 * to load it a byte at a time and construct the value.
2382 * Load the high-order byte, at an offset of 3, shift it
2383 * left a byte, and put the result in the X register.
2385 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2387 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2390 s2 = new_stmt(BPF_MISC|BPF_TAX);
2394 * Load the next byte, at an offset of 2, and OR the
2395 * value from the X register into it.
2397 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2400 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2404 * Now allocate a register to hold that value and store
2407 s2 = new_stmt(BPF_ST);
2408 s2->s.k = reg_off_ll;
2412 * Now move it into the X register.
2414 s2 = new_stmt(BPF_MISC|BPF_TAX);
2423 * At the moment we treat PPI as normal Radiotap encoded
2424 * packets. The difference is in the function that generates
2425 * the code at the beginning to compute the header length.
2426 * Since this code generator of PPI supports bare 802.11
2427 * encapsulation only (i.e. the encapsulated DLT should be
2428 * DLT_IEEE802_11) we generate code to check for this too;
2429 * that's done in finish_parse().
2431 static struct slist *
2432 gen_load_ppi_llprefixlen()
2434 struct slist *s1, *s2;
2437 * Generate code to load the length of the radiotap header
2438 * into the register assigned to hold that length, if one has
2441 if (reg_off_ll != -1) {
2443 * The 2 bytes at offsets of 2 and 3 from the beginning
2444 * of the radiotap header are the length of the radiotap
2445 * header; unfortunately, it's little-endian, so we have
2446 * to load it a byte at a time and construct the value.
2450 * Load the high-order byte, at an offset of 3, shift it
2451 * left a byte, and put the result in the X register.
2453 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2455 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2458 s2 = new_stmt(BPF_MISC|BPF_TAX);
2462 * Load the next byte, at an offset of 2, and OR the
2463 * value from the X register into it.
2465 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2468 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2472 * Now allocate a register to hold that value and store
2475 s2 = new_stmt(BPF_ST);
2476 s2->s.k = reg_off_ll;
2480 * Now move it into the X register.
2482 s2 = new_stmt(BPF_MISC|BPF_TAX);
2491 * Load a value relative to the beginning of the link-layer header after the 802.11
2492 * header, i.e. LLC_SNAP.
2493 * The link-layer header doesn't necessarily begin at the beginning
2494 * of the packet data; there might be a variable-length prefix containing
2495 * radio information.
2497 static struct slist *
2498 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2501 struct slist *sjset_data_frame_1;
2502 struct slist *sjset_data_frame_2;
2503 struct slist *sjset_qos;
2504 struct slist *sjset_radiotap_flags;
2505 struct slist *sjset_radiotap_tsft;
2506 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2507 struct slist *s_roundup;
2509 if (reg_off_macpl == -1) {
2511 * No register has been assigned to the offset of
2512 * the MAC-layer payload, which means nobody needs
2513 * it; don't bother computing it - just return
2514 * what we already have.
2520 * This code is not compatible with the optimizer, as
2521 * we are generating jmp instructions within a normal
2522 * slist of instructions
2527 * If "s" is non-null, it has code to arrange that the X register
2528 * contains the length of the prefix preceding the link-layer
2531 * Otherwise, the length of the prefix preceding the link-layer
2532 * header is "off_ll".
2536 * There is no variable-length header preceding the
2537 * link-layer header.
2539 * Load the length of the fixed-length prefix preceding
2540 * the link-layer header (if any) into the X register,
2541 * and store it in the reg_off_macpl register.
2542 * That length is off_ll.
2544 s = new_stmt(BPF_LDX|BPF_IMM);
2549 * The X register contains the offset of the beginning of the
2550 * link-layer header; add 24, which is the minimum length
2551 * of the MAC header for a data frame, to that, and store it
2552 * in reg_off_macpl, and then load the Frame Control field,
2553 * which is at the offset in the X register, with an indexed load.
2555 s2 = new_stmt(BPF_MISC|BPF_TXA);
2557 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2560 s2 = new_stmt(BPF_ST);
2561 s2->s.k = reg_off_macpl;
2564 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2569 * Check the Frame Control field to see if this is a data frame;
2570 * a data frame has the 0x08 bit (b3) in that field set and the
2571 * 0x04 bit (b2) clear.
2573 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2574 sjset_data_frame_1->s.k = 0x08;
2575 sappend(s, sjset_data_frame_1);
2578 * If b3 is set, test b2, otherwise go to the first statement of
2579 * the rest of the program.
2581 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2582 sjset_data_frame_2->s.k = 0x04;
2583 sappend(s, sjset_data_frame_2);
2584 sjset_data_frame_1->s.jf = snext;
2587 * If b2 is not set, this is a data frame; test the QoS bit.
2588 * Otherwise, go to the first statement of the rest of the
2591 sjset_data_frame_2->s.jt = snext;
2592 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2593 sjset_qos->s.k = 0x80; /* QoS bit */
2594 sappend(s, sjset_qos);
2597 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2599 * Otherwise, go to the first statement of the rest of the
2602 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2603 s2->s.k = reg_off_macpl;
2605 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2608 s2 = new_stmt(BPF_ST);
2609 s2->s.k = reg_off_macpl;
2613 * If we have a radiotap header, look at it to see whether
2614 * there's Atheros padding between the MAC-layer header
2617 * Note: all of the fields in the radiotap header are
2618 * little-endian, so we byte-swap all of the values
2619 * we test against, as they will be loaded as big-endian
2622 if (linktype == DLT_IEEE802_11_RADIO) {
2624 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2625 * in the presence flag?
2627 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2631 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2632 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2633 sappend(s, sjset_radiotap_flags);
2636 * If not, skip all of this.
2638 sjset_radiotap_flags->s.jf = snext;
2641 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2643 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2644 new_stmt(JMP(BPF_JSET));
2645 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2646 sappend(s, sjset_radiotap_tsft);
2649 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2650 * at an offset of 16 from the beginning of the raw packet
2651 * data (8 bytes for the radiotap header and 8 bytes for
2654 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2657 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2661 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2662 sjset_tsft_datapad->s.k = 0x20;
2663 sappend(s, sjset_tsft_datapad);
2666 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2667 * at an offset of 8 from the beginning of the raw packet
2668 * data (8 bytes for the radiotap header).
2670 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2673 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2677 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2678 sjset_notsft_datapad->s.k = 0x20;
2679 sappend(s, sjset_notsft_datapad);
2682 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2683 * set, round the length of the 802.11 header to
2684 * a multiple of 4. Do that by adding 3 and then
2685 * dividing by and multiplying by 4, which we do by
2688 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2689 s_roundup->s.k = reg_off_macpl;
2690 sappend(s, s_roundup);
2691 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2694 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2697 s2 = new_stmt(BPF_ST);
2698 s2->s.k = reg_off_macpl;
2701 sjset_tsft_datapad->s.jt = s_roundup;
2702 sjset_tsft_datapad->s.jf = snext;
2703 sjset_notsft_datapad->s.jt = s_roundup;
2704 sjset_notsft_datapad->s.jf = snext;
2706 sjset_qos->s.jf = snext;
2712 insert_compute_vloffsets(b)
2718 * For link-layer types that have a variable-length header
2719 * preceding the link-layer header, generate code to load
2720 * the offset of the link-layer header into the register
2721 * assigned to that offset, if any.
2725 case DLT_PRISM_HEADER:
2726 s = gen_load_prism_llprefixlen();
2729 case DLT_IEEE802_11_RADIO_AVS:
2730 s = gen_load_avs_llprefixlen();
2733 case DLT_IEEE802_11_RADIO:
2734 s = gen_load_radiotap_llprefixlen();
2738 s = gen_load_ppi_llprefixlen();
2747 * For link-layer types that have a variable-length link-layer
2748 * header, generate code to load the offset of the MAC-layer
2749 * payload into the register assigned to that offset, if any.
2753 case DLT_IEEE802_11:
2754 case DLT_PRISM_HEADER:
2755 case DLT_IEEE802_11_RADIO_AVS:
2756 case DLT_IEEE802_11_RADIO:
2758 s = gen_load_802_11_header_len(s, b->stmts);
2763 * If we have any offset-loading code, append all the
2764 * existing statements in the block to those statements,
2765 * and make the resulting list the list of statements
2769 sappend(s, b->stmts);
2774 static struct block *
2775 gen_ppi_dlt_check(void)
2777 struct slist *s_load_dlt;
2780 if (linktype == DLT_PPI)
2782 /* Create the statements that check for the DLT
2784 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2785 s_load_dlt->s.k = 4;
2787 b = new_block(JMP(BPF_JEQ));
2789 b->stmts = s_load_dlt;
2790 b->s.k = SWAPLONG(DLT_IEEE802_11);
2800 static struct slist *
2801 gen_prism_llprefixlen(void)
2805 if (reg_off_ll == -1) {
2807 * We haven't yet assigned a register for the length
2808 * of the radio header; allocate one.
2810 reg_off_ll = alloc_reg();
2814 * Load the register containing the radio length
2815 * into the X register.
2817 s = new_stmt(BPF_LDX|BPF_MEM);
2818 s->s.k = reg_off_ll;
2822 static struct slist *
2823 gen_avs_llprefixlen(void)
2827 if (reg_off_ll == -1) {
2829 * We haven't yet assigned a register for the length
2830 * of the AVS header; allocate one.
2832 reg_off_ll = alloc_reg();
2836 * Load the register containing the AVS length
2837 * into the X register.
2839 s = new_stmt(BPF_LDX|BPF_MEM);
2840 s->s.k = reg_off_ll;
2844 static struct slist *
2845 gen_radiotap_llprefixlen(void)
2849 if (reg_off_ll == -1) {
2851 * We haven't yet assigned a register for the length
2852 * of the radiotap header; allocate one.
2854 reg_off_ll = alloc_reg();
2858 * Load the register containing the radiotap length
2859 * into the X register.
2861 s = new_stmt(BPF_LDX|BPF_MEM);
2862 s->s.k = reg_off_ll;
2867 * At the moment we treat PPI as normal Radiotap encoded
2868 * packets. The difference is in the function that generates
2869 * the code at the beginning to compute the header length.
2870 * Since this code generator of PPI supports bare 802.11
2871 * encapsulation only (i.e. the encapsulated DLT should be
2872 * DLT_IEEE802_11) we generate code to check for this too.
2874 static struct slist *
2875 gen_ppi_llprefixlen(void)
2879 if (reg_off_ll == -1) {
2881 * We haven't yet assigned a register for the length
2882 * of the radiotap header; allocate one.
2884 reg_off_ll = alloc_reg();
2888 * Load the register containing the PPI length
2889 * into the X register.
2891 s = new_stmt(BPF_LDX|BPF_MEM);
2892 s->s.k = reg_off_ll;
2897 * Generate code to compute the link-layer header length, if necessary,
2898 * putting it into the X register, and to return either a pointer to a
2899 * "struct slist" for the list of statements in that code, or NULL if
2900 * no code is necessary.
2902 static struct slist *
2903 gen_llprefixlen(void)
2907 case DLT_PRISM_HEADER:
2908 return gen_prism_llprefixlen();
2910 case DLT_IEEE802_11_RADIO_AVS:
2911 return gen_avs_llprefixlen();
2913 case DLT_IEEE802_11_RADIO:
2914 return gen_radiotap_llprefixlen();
2917 return gen_ppi_llprefixlen();
2925 * Generate code to load the register containing the offset of the
2926 * MAC-layer payload into the X register; if no register for that offset
2927 * has been allocated, allocate it first.
2929 static struct slist *
2934 if (off_macpl_is_variable) {
2935 if (reg_off_macpl == -1) {
2937 * We haven't yet assigned a register for the offset
2938 * of the MAC-layer payload; allocate one.
2940 reg_off_macpl = alloc_reg();
2944 * Load the register containing the offset of the MAC-layer
2945 * payload into the X register.
2947 s = new_stmt(BPF_LDX|BPF_MEM);
2948 s->s.k = reg_off_macpl;
2952 * That offset isn't variable, so we don't need to
2953 * generate any code.
2960 * Map an Ethernet type to the equivalent PPP type.
2963 ethertype_to_ppptype(proto)
2973 case ETHERTYPE_IPV6:
2982 case ETHERTYPE_ATALK:
2996 * I'm assuming the "Bridging PDU"s that go
2997 * over PPP are Spanning Tree Protocol
3011 * Generate code to match a particular packet type by matching the
3012 * link-layer type field or fields in the 802.2 LLC header.
3014 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3015 * value, if <= ETHERMTU.
3017 static struct block *
3021 struct block *b0, *b1, *b2;
3023 /* are we checking MPLS-encapsulated packets? */
3024 if (label_stack_depth > 0) {
3028 /* FIXME add other L3 proto IDs */
3029 return gen_mpls_linktype(Q_IP);
3031 case ETHERTYPE_IPV6:
3033 /* FIXME add other L3 proto IDs */
3034 return gen_mpls_linktype(Q_IPV6);
3037 bpf_error("unsupported protocol over mpls");
3043 * Are we testing PPPoE packets?
3047 * The PPPoE session header is part of the
3048 * MAC-layer payload, so all references
3049 * should be relative to the beginning of
3054 * We use Ethernet protocol types inside libpcap;
3055 * map them to the corresponding PPP protocol types.
3057 proto = ethertype_to_ppptype(proto);
3058 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
3064 return gen_ether_linktype(proto);
3072 proto = (proto << 8 | LLCSAP_ISONS);
3076 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3083 case DLT_IEEE802_11:
3084 case DLT_PRISM_HEADER:
3085 case DLT_IEEE802_11_RADIO_AVS:
3086 case DLT_IEEE802_11_RADIO:
3089 * Check that we have a data frame.
3091 b0 = gen_check_802_11_data_frame();
3094 * Now check for the specified link-layer type.
3096 b1 = gen_llc_linktype(proto);
3104 * XXX - check for asynchronous frames, as per RFC 1103.
3106 return gen_llc_linktype(proto);
3112 * XXX - check for LLC PDUs, as per IEEE 802.5.
3114 return gen_llc_linktype(proto);
3118 case DLT_ATM_RFC1483:
3120 case DLT_IP_OVER_FC:
3121 return gen_llc_linktype(proto);
3127 * If "is_lane" is set, check for a LANE-encapsulated
3128 * version of this protocol, otherwise check for an
3129 * LLC-encapsulated version of this protocol.
3131 * We assume LANE means Ethernet, not Token Ring.
3135 * Check that the packet doesn't begin with an
3136 * LE Control marker. (We've already generated
3139 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3144 * Now generate an Ethernet test.
3146 b1 = gen_ether_linktype(proto);
3151 * Check for LLC encapsulation and then check the
3154 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3155 b1 = gen_llc_linktype(proto);
3163 return gen_linux_sll_linktype(proto);
3168 case DLT_SLIP_BSDOS:
3171 * These types don't provide any type field; packets
3172 * are always IPv4 or IPv6.
3174 * XXX - for IPv4, check for a version number of 4, and,
3175 * for IPv6, check for a version number of 6?
3180 /* Check for a version number of 4. */
3181 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3183 case ETHERTYPE_IPV6:
3184 /* Check for a version number of 6. */
3185 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3189 return gen_false(); /* always false */
3196 * Raw IPv4, so no type field.
3198 if (proto == ETHERTYPE_IP)
3199 return gen_true(); /* always true */
3201 /* Checking for something other than IPv4; always false */
3208 * Raw IPv6, so no type field.
3211 if (proto == ETHERTYPE_IPV6)
3212 return gen_true(); /* always true */
3215 /* Checking for something other than IPv6; always false */
3222 case DLT_PPP_SERIAL:
3225 * We use Ethernet protocol types inside libpcap;
3226 * map them to the corresponding PPP protocol types.
3228 proto = ethertype_to_ppptype(proto);
3229 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3235 * We use Ethernet protocol types inside libpcap;
3236 * map them to the corresponding PPP protocol types.
3242 * Also check for Van Jacobson-compressed IP.
3243 * XXX - do this for other forms of PPP?
3245 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3246 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3248 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3253 proto = ethertype_to_ppptype(proto);
3254 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3264 * For DLT_NULL, the link-layer header is a 32-bit
3265 * word containing an AF_ value in *host* byte order,
3266 * and for DLT_ENC, the link-layer header begins
3267 * with a 32-bit work containing an AF_ value in
3270 * In addition, if we're reading a saved capture file,
3271 * the host byte order in the capture may not be the
3272 * same as the host byte order on this machine.
3274 * For DLT_LOOP, the link-layer header is a 32-bit
3275 * word containing an AF_ value in *network* byte order.
3277 * XXX - AF_ values may, unfortunately, be platform-
3278 * dependent; for example, FreeBSD's AF_INET6 is 24
3279 * whilst NetBSD's and OpenBSD's is 26.
3281 * This means that, when reading a capture file, just
3282 * checking for our AF_INET6 value won't work if the
3283 * capture file came from another OS.
3292 case ETHERTYPE_IPV6:
3299 * Not a type on which we support filtering.
3300 * XXX - support those that have AF_ values
3301 * #defined on this platform, at least?
3306 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3308 * The AF_ value is in host byte order, but
3309 * the BPF interpreter will convert it to
3310 * network byte order.
3312 * If this is a save file, and it's from a
3313 * machine with the opposite byte order to
3314 * ours, we byte-swap the AF_ value.
3316 * Then we run it through "htonl()", and
3317 * generate code to compare against the result.
3319 if (bpf_pcap->sf.rfile != NULL &&
3320 bpf_pcap->sf.swapped)
3321 proto = SWAPLONG(proto);
3322 proto = htonl(proto);
3324 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3326 #ifdef HAVE_NET_PFVAR_H
3329 * af field is host byte order in contrast to the rest of
3332 if (proto == ETHERTYPE_IP)
3333 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3334 BPF_B, (bpf_int32)AF_INET));
3336 else if (proto == ETHERTYPE_IPV6)
3337 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3338 BPF_B, (bpf_int32)AF_INET6));
3344 #endif /* HAVE_NET_PFVAR_H */
3347 case DLT_ARCNET_LINUX:
3349 * XXX should we check for first fragment if the protocol
3358 case ETHERTYPE_IPV6:
3359 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3360 (bpf_int32)ARCTYPE_INET6));
3364 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3365 (bpf_int32)ARCTYPE_IP);
3366 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3367 (bpf_int32)ARCTYPE_IP_OLD);
3372 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3373 (bpf_int32)ARCTYPE_ARP);
3374 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3375 (bpf_int32)ARCTYPE_ARP_OLD);
3379 case ETHERTYPE_REVARP:
3380 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3381 (bpf_int32)ARCTYPE_REVARP));
3383 case ETHERTYPE_ATALK:
3384 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3385 (bpf_int32)ARCTYPE_ATALK));
3392 case ETHERTYPE_ATALK:
3402 * XXX - assumes a 2-byte Frame Relay header with
3403 * DLCI and flags. What if the address is longer?
3409 * Check for the special NLPID for IP.
3411 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3414 case ETHERTYPE_IPV6:
3416 * Check for the special NLPID for IPv6.
3418 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3423 * Check for several OSI protocols.
3425 * Frame Relay packets typically have an OSI
3426 * NLPID at the beginning; we check for each
3429 * What we check for is the NLPID and a frame
3430 * control field of UI, i.e. 0x03 followed
3433 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3434 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3435 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3447 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3449 case DLT_JUNIPER_MFR:
3450 case DLT_JUNIPER_MLFR:
3451 case DLT_JUNIPER_MLPPP:
3452 case DLT_JUNIPER_ATM1:
3453 case DLT_JUNIPER_ATM2:
3454 case DLT_JUNIPER_PPPOE:
3455 case DLT_JUNIPER_PPPOE_ATM:
3456 case DLT_JUNIPER_GGSN:
3457 case DLT_JUNIPER_ES:
3458 case DLT_JUNIPER_MONITOR:
3459 case DLT_JUNIPER_SERVICES:
3460 case DLT_JUNIPER_ETHER:
3461 case DLT_JUNIPER_PPP:
3462 case DLT_JUNIPER_FRELAY:
3463 case DLT_JUNIPER_CHDLC:
3464 case DLT_JUNIPER_VP:
3465 case DLT_JUNIPER_ST:
3466 case DLT_JUNIPER_ISM:
3467 /* just lets verify the magic number for now -
3468 * on ATM we may have up to 6 different encapsulations on the wire
3469 * and need a lot of heuristics to figure out that the payload
3472 * FIXME encapsulation specific BPF_ filters
3474 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3477 return gen_ipnet_linktype(proto);
3479 case DLT_LINUX_IRDA:
3480 bpf_error("IrDA link-layer type filtering not implemented");
3483 bpf_error("DOCSIS link-layer type filtering not implemented");
3486 case DLT_MTP2_WITH_PHDR:
3487 bpf_error("MTP2 link-layer type filtering not implemented");
3490 bpf_error("ERF link-layer type filtering not implemented");
3494 bpf_error("PFSYNC link-layer type filtering not implemented");
3497 case DLT_LINUX_LAPD:
3498 bpf_error("LAPD link-layer type filtering not implemented");
3502 case DLT_USB_LINUX_MMAPPED:
3503 bpf_error("USB link-layer type filtering not implemented");
3505 case DLT_BLUETOOTH_HCI_H4:
3506 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3507 bpf_error("Bluetooth link-layer type filtering not implemented");
3510 case DLT_CAN_SOCKETCAN:
3511 bpf_error("CAN link-layer type filtering not implemented");
3513 case DLT_IEEE802_15_4:
3514 case DLT_IEEE802_15_4_LINUX:
3515 case DLT_IEEE802_15_4_NONASK_PHY:
3516 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3518 case DLT_IEEE802_16_MAC_CPS_RADIO:
3519 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3522 bpf_error("SITA link-layer type filtering not implemented");
3525 bpf_error("RAIF1 link-layer type filtering not implemented");
3528 bpf_error("IPMB link-layer type filtering not implemented");
3531 bpf_error("AX.25 link-layer type filtering not implemented");
3535 * All the types that have no encapsulation should either be
3536 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3537 * all packets are IP packets, or should be handled in some
3538 * special case, if none of them are (if some are and some
3539 * aren't, the lack of encapsulation is a problem, as we'd
3540 * have to find some other way of determining the packet type).
3542 * Therefore, if "off_linktype" is -1, there's an error.
3544 if (off_linktype == (u_int)-1)
3548 * Any type not handled above should always have an Ethernet
3549 * type at an offset of "off_linktype".
3551 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3555 * Check for an LLC SNAP packet with a given organization code and
3556 * protocol type; we check the entire contents of the 802.2 LLC and
3557 * snap headers, checking for DSAP and SSAP of SNAP and a control
3558 * field of 0x03 in the LLC header, and for the specified organization
3559 * code and protocol type in the SNAP header.
3561 static struct block *
3562 gen_snap(orgcode, ptype)
3563 bpf_u_int32 orgcode;
3566 u_char snapblock[8];
3568 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3569 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3570 snapblock[2] = 0x03; /* control = UI */
3571 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3572 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3573 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3574 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3575 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3576 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3580 * Generate code to match a particular packet type, for link-layer types
3581 * using 802.2 LLC headers.
3583 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3584 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3586 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3587 * value, if <= ETHERMTU. We use that to determine whether to
3588 * match the DSAP or both DSAP and LSAP or to check the OUI and
3589 * protocol ID in a SNAP header.
3591 static struct block *
3592 gen_llc_linktype(proto)
3596 * XXX - handle token-ring variable-length header.
3602 case LLCSAP_NETBEUI:
3604 * XXX - should we check both the DSAP and the
3605 * SSAP, like this, or should we check just the
3606 * DSAP, as we do for other types <= ETHERMTU
3607 * (i.e., other SAP values)?
3609 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3610 ((proto << 8) | proto));
3614 * XXX - are there ever SNAP frames for IPX on
3615 * non-Ethernet 802.x networks?
3617 return gen_cmp(OR_MACPL, 0, BPF_B,
3618 (bpf_int32)LLCSAP_IPX);
3620 case ETHERTYPE_ATALK:
3622 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3623 * SNAP packets with an organization code of
3624 * 0x080007 (Apple, for Appletalk) and a protocol
3625 * type of ETHERTYPE_ATALK (Appletalk).
3627 * XXX - check for an organization code of
3628 * encapsulated Ethernet as well?
3630 return gen_snap(0x080007, ETHERTYPE_ATALK);
3634 * XXX - we don't have to check for IPX 802.3
3635 * here, but should we check for the IPX Ethertype?
3637 if (proto <= ETHERMTU) {
3639 * This is an LLC SAP value, so check
3642 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3645 * This is an Ethernet type; we assume that it's
3646 * unlikely that it'll appear in the right place
3647 * at random, and therefore check only the
3648 * location that would hold the Ethernet type
3649 * in a SNAP frame with an organization code of
3650 * 0x000000 (encapsulated Ethernet).
3652 * XXX - if we were to check for the SNAP DSAP and
3653 * LSAP, as per XXX, and were also to check for an
3654 * organization code of 0x000000 (encapsulated
3655 * Ethernet), we'd do
3657 * return gen_snap(0x000000, proto);
3659 * here; for now, we don't, as per the above.
3660 * I don't know whether it's worth the extra CPU
3661 * time to do the right check or not.
3663 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3668 static struct block *
3669 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3673 u_int src_off, dst_off;
3675 struct block *b0, *b1;
3689 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3690 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3696 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3697 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3704 b0 = gen_linktype(proto);
3705 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3711 static struct block *
3712 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3713 struct in6_addr *addr;
3714 struct in6_addr *mask;
3716 u_int src_off, dst_off;
3718 struct block *b0, *b1;
3733 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3734 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3740 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3741 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3748 /* this order is important */
3749 a = (u_int32_t *)addr;
3750 m = (u_int32_t *)mask;
3751 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3752 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3754 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3756 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3758 b0 = gen_linktype(proto);
3764 static struct block *
3765 gen_ehostop(eaddr, dir)
3766 register const u_char *eaddr;
3769 register struct block *b0, *b1;
3773 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3776 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3779 b0 = gen_ehostop(eaddr, Q_SRC);
3780 b1 = gen_ehostop(eaddr, Q_DST);
3786 b0 = gen_ehostop(eaddr, Q_SRC);
3787 b1 = gen_ehostop(eaddr, Q_DST);
3796 * Like gen_ehostop, but for DLT_FDDI
3798 static struct block *
3799 gen_fhostop(eaddr, dir)
3800 register const u_char *eaddr;
3803 struct block *b0, *b1;
3808 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3810 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3815 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3817 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3821 b0 = gen_fhostop(eaddr, Q_SRC);
3822 b1 = gen_fhostop(eaddr, Q_DST);
3828 b0 = gen_fhostop(eaddr, Q_SRC);
3829 b1 = gen_fhostop(eaddr, Q_DST);
3838 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3840 static struct block *
3841 gen_thostop(eaddr, dir)
3842 register const u_char *eaddr;
3845 register struct block *b0, *b1;
3849 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3852 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3855 b0 = gen_thostop(eaddr, Q_SRC);
3856 b1 = gen_thostop(eaddr, Q_DST);
3862 b0 = gen_thostop(eaddr, Q_SRC);
3863 b1 = gen_thostop(eaddr, Q_DST);
3872 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3873 * various 802.11 + radio headers.
3875 static struct block *
3876 gen_wlanhostop(eaddr, dir)
3877 register const u_char *eaddr;
3880 register struct block *b0, *b1, *b2;
3881 register struct slist *s;
3883 #ifdef ENABLE_WLAN_FILTERING_PATCH
3886 * We need to disable the optimizer because the optimizer is buggy
3887 * and wipes out some LD instructions generated by the below
3888 * code to validate the Frame Control bits
3891 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3898 * For control frames, there is no SA.
3900 * For management frames, SA is at an
3901 * offset of 10 from the beginning of
3904 * For data frames, SA is at an offset
3905 * of 10 from the beginning of the packet
3906 * if From DS is clear, at an offset of
3907 * 16 from the beginning of the packet
3908 * if From DS is set and To DS is clear,
3909 * and an offset of 24 from the beginning
3910 * of the packet if From DS is set and To DS
3915 * Generate the tests to be done for data frames
3918 * First, check for To DS set, i.e. check "link[1] & 0x01".
3920 s = gen_load_a(OR_LINK, 1, BPF_B);
3921 b1 = new_block(JMP(BPF_JSET));
3922 b1->s.k = 0x01; /* To DS */
3926 * If To DS is set, the SA is at 24.
3928 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3932 * Now, check for To DS not set, i.e. check
3933 * "!(link[1] & 0x01)".
3935 s = gen_load_a(OR_LINK, 1, BPF_B);
3936 b2 = new_block(JMP(BPF_JSET));
3937 b2->s.k = 0x01; /* To DS */
3942 * If To DS is not set, the SA is at 16.
3944 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3948 * Now OR together the last two checks. That gives
3949 * the complete set of checks for data frames with
3955 * Now check for From DS being set, and AND that with
3956 * the ORed-together checks.
3958 s = gen_load_a(OR_LINK, 1, BPF_B);
3959 b1 = new_block(JMP(BPF_JSET));
3960 b1->s.k = 0x02; /* From DS */
3965 * Now check for data frames with From DS not set.
3967 s = gen_load_a(OR_LINK, 1, BPF_B);
3968 b2 = new_block(JMP(BPF_JSET));
3969 b2->s.k = 0x02; /* From DS */
3974 * If From DS isn't set, the SA is at 10.
3976 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3980 * Now OR together the checks for data frames with
3981 * From DS not set and for data frames with From DS
3982 * set; that gives the checks done for data frames.
3987 * Now check for a data frame.
3988 * I.e, check "link[0] & 0x08".
3990 s = gen_load_a(OR_LINK, 0, BPF_B);
3991 b1 = new_block(JMP(BPF_JSET));
3996 * AND that with the checks done for data frames.
4001 * If the high-order bit of the type value is 0, this
4002 * is a management frame.
4003 * I.e, check "!(link[0] & 0x08)".
4005 s = gen_load_a(OR_LINK, 0, BPF_B);
4006 b2 = new_block(JMP(BPF_JSET));
4012 * For management frames, the SA is at 10.
4014 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4018 * OR that with the checks done for data frames.
4019 * That gives the checks done for management and
4025 * If the low-order bit of the type value is 1,
4026 * this is either a control frame or a frame
4027 * with a reserved type, and thus not a
4030 * I.e., check "!(link[0] & 0x04)".
4032 s = gen_load_a(OR_LINK, 0, BPF_B);
4033 b1 = new_block(JMP(BPF_JSET));
4039 * AND that with the checks for data and management
4049 * For control frames, there is no DA.
4051 * For management frames, DA is at an
4052 * offset of 4 from the beginning of
4055 * For data frames, DA is at an offset
4056 * of 4 from the beginning of the packet
4057 * if To DS is clear and at an offset of
4058 * 16 from the beginning of the packet
4063 * Generate the tests to be done for data frames.
4065 * First, check for To DS set, i.e. "link[1] & 0x01".
4067 s = gen_load_a(OR_LINK, 1, BPF_B);
4068 b1 = new_block(JMP(BPF_JSET));
4069 b1->s.k = 0x01; /* To DS */
4073 * If To DS is set, the DA is at 16.
4075 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4079 * Now, check for To DS not set, i.e. check
4080 * "!(link[1] & 0x01)".
4082 s = gen_load_a(OR_LINK, 1, BPF_B);
4083 b2 = new_block(JMP(BPF_JSET));
4084 b2->s.k = 0x01; /* To DS */
4089 * If To DS is not set, the DA is at 4.
4091 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4095 * Now OR together the last two checks. That gives
4096 * the complete set of checks for data frames.
4101 * Now check for a data frame.
4102 * I.e, check "link[0] & 0x08".
4104 s = gen_load_a(OR_LINK, 0, BPF_B);
4105 b1 = new_block(JMP(BPF_JSET));
4110 * AND that with the checks done for data frames.
4115 * If the high-order bit of the type value is 0, this
4116 * is a management frame.
4117 * I.e, check "!(link[0] & 0x08)".
4119 s = gen_load_a(OR_LINK, 0, BPF_B);
4120 b2 = new_block(JMP(BPF_JSET));
4126 * For management frames, the DA is at 4.
4128 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4132 * OR that with the checks done for data frames.
4133 * That gives the checks done for management and
4139 * If the low-order bit of the type value is 1,
4140 * this is either a control frame or a frame
4141 * with a reserved type, and thus not a
4144 * I.e., check "!(link[0] & 0x04)".
4146 s = gen_load_a(OR_LINK, 0, BPF_B);
4147 b1 = new_block(JMP(BPF_JSET));
4153 * AND that with the checks for data and management
4160 * XXX - add RA, TA, and BSSID keywords?
4163 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4167 * Not present in CTS or ACK control frames.
4169 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4170 IEEE80211_FC0_TYPE_MASK);
4172 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4173 IEEE80211_FC0_SUBTYPE_MASK);
4175 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4176 IEEE80211_FC0_SUBTYPE_MASK);
4180 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4186 * Not present in control frames.
4188 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4189 IEEE80211_FC0_TYPE_MASK);
4191 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4197 * Present only if the direction mask has both "From DS"
4198 * and "To DS" set. Neither control frames nor management
4199 * frames should have both of those set, so we don't
4200 * check the frame type.
4202 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4203 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4204 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4209 b0 = gen_wlanhostop(eaddr, Q_SRC);
4210 b1 = gen_wlanhostop(eaddr, Q_DST);
4216 b0 = gen_wlanhostop(eaddr, Q_SRC);
4217 b1 = gen_wlanhostop(eaddr, Q_DST);
4226 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4227 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4228 * as the RFC states.)
4230 static struct block *
4231 gen_ipfchostop(eaddr, dir)
4232 register const u_char *eaddr;
4235 register struct block *b0, *b1;
4239 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4242 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4245 b0 = gen_ipfchostop(eaddr, Q_SRC);
4246 b1 = gen_ipfchostop(eaddr, Q_DST);
4252 b0 = gen_ipfchostop(eaddr, Q_SRC);
4253 b1 = gen_ipfchostop(eaddr, Q_DST);
4262 * This is quite tricky because there may be pad bytes in front of the
4263 * DECNET header, and then there are two possible data packet formats that
4264 * carry both src and dst addresses, plus 5 packet types in a format that
4265 * carries only the src node, plus 2 types that use a different format and
4266 * also carry just the src node.
4270 * Instead of doing those all right, we just look for data packets with
4271 * 0 or 1 bytes of padding. If you want to look at other packets, that
4272 * will require a lot more hacking.
4274 * To add support for filtering on DECNET "areas" (network numbers)
4275 * one would want to add a "mask" argument to this routine. That would
4276 * make the filter even more inefficient, although one could be clever
4277 * and not generate masking instructions if the mask is 0xFFFF.
4279 static struct block *
4280 gen_dnhostop(addr, dir)
4284 struct block *b0, *b1, *b2, *tmp;
4285 u_int offset_lh; /* offset if long header is received */
4286 u_int offset_sh; /* offset if short header is received */
4291 offset_sh = 1; /* follows flags */
4292 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4296 offset_sh = 3; /* follows flags, dstnode */
4297 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4301 /* Inefficient because we do our Calvinball dance twice */
4302 b0 = gen_dnhostop(addr, Q_SRC);
4303 b1 = gen_dnhostop(addr, Q_DST);
4309 /* Inefficient because we do our Calvinball dance twice */
4310 b0 = gen_dnhostop(addr, Q_SRC);
4311 b1 = gen_dnhostop(addr, Q_DST);
4316 bpf_error("ISO host filtering not implemented");
4321 b0 = gen_linktype(ETHERTYPE_DN);
4322 /* Check for pad = 1, long header case */
4323 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4324 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4325 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4326 BPF_H, (bpf_int32)ntohs((u_short)addr));
4328 /* Check for pad = 0, long header case */
4329 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4330 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4333 /* Check for pad = 1, short header case */
4334 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4335 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4336 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4339 /* Check for pad = 0, short header case */
4340 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4341 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4345 /* Combine with test for linktype */
4351 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4352 * test the bottom-of-stack bit, and then check the version number
4353 * field in the IP header.
4355 static struct block *
4356 gen_mpls_linktype(proto)
4359 struct block *b0, *b1;
4364 /* match the bottom-of-stack bit */
4365 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4366 /* match the IPv4 version number */
4367 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4372 /* match the bottom-of-stack bit */
4373 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4374 /* match the IPv4 version number */
4375 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4384 static struct block *
4385 gen_host(addr, mask, proto, dir, type)
4392 struct block *b0, *b1;
4393 const char *typestr;
4403 b0 = gen_host(addr, mask, Q_IP, dir, type);
4405 * Only check for non-IPv4 addresses if we're not
4406 * checking MPLS-encapsulated packets.
4408 if (label_stack_depth == 0) {
4409 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4411 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4417 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4420 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4423 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4426 bpf_error("'tcp' modifier applied to %s", typestr);
4429 bpf_error("'sctp' modifier applied to %s", typestr);
4432 bpf_error("'udp' modifier applied to %s", typestr);
4435 bpf_error("'icmp' modifier applied to %s", typestr);
4438 bpf_error("'igmp' modifier applied to %s", typestr);
4441 bpf_error("'igrp' modifier applied to %s", typestr);
4444 bpf_error("'pim' modifier applied to %s", typestr);
4447 bpf_error("'vrrp' modifier applied to %s", typestr);
4450 bpf_error("ATALK host filtering not implemented");
4453 bpf_error("AARP host filtering not implemented");
4456 return gen_dnhostop(addr, dir);
4459 bpf_error("SCA host filtering not implemented");
4462 bpf_error("LAT host filtering not implemented");
4465 bpf_error("MOPDL host filtering not implemented");
4468 bpf_error("MOPRC host filtering not implemented");
4472 bpf_error("'ip6' modifier applied to ip host");
4475 bpf_error("'icmp6' modifier applied to %s", typestr);
4479 bpf_error("'ah' modifier applied to %s", typestr);
4482 bpf_error("'esp' modifier applied to %s", typestr);
4485 bpf_error("ISO host filtering not implemented");
4488 bpf_error("'esis' modifier applied to %s", typestr);
4491 bpf_error("'isis' modifier applied to %s", typestr);
4494 bpf_error("'clnp' modifier applied to %s", typestr);
4497 bpf_error("'stp' modifier applied to %s", typestr);
4500 bpf_error("IPX host filtering not implemented");
4503 bpf_error("'netbeui' modifier applied to %s", typestr);
4506 bpf_error("'radio' modifier applied to %s", typestr);
4515 static struct block *
4516 gen_host6(addr, mask, proto, dir, type)
4517 struct in6_addr *addr;
4518 struct in6_addr *mask;
4523 const char *typestr;
4533 return gen_host6(addr, mask, Q_IPV6, dir, type);
4536 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4539 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4542 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4545 bpf_error("'sctp' modifier applied to %s", typestr);
4548 bpf_error("'tcp' modifier applied to %s", typestr);
4551 bpf_error("'udp' modifier applied to %s", typestr);
4554 bpf_error("'icmp' modifier applied to %s", typestr);
4557 bpf_error("'igmp' modifier applied to %s", typestr);
4560 bpf_error("'igrp' modifier applied to %s", typestr);
4563 bpf_error("'pim' modifier applied to %s", typestr);
4566 bpf_error("'vrrp' modifier applied to %s", typestr);
4569 bpf_error("ATALK host filtering not implemented");
4572 bpf_error("AARP host filtering not implemented");
4575 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4578 bpf_error("SCA host filtering not implemented");
4581 bpf_error("LAT host filtering not implemented");
4584 bpf_error("MOPDL host filtering not implemented");
4587 bpf_error("MOPRC host filtering not implemented");
4590 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4593 bpf_error("'icmp6' modifier applied to %s", typestr);
4596 bpf_error("'ah' modifier applied to %s", typestr);
4599 bpf_error("'esp' modifier applied to %s", typestr);
4602 bpf_error("ISO host filtering not implemented");
4605 bpf_error("'esis' modifier applied to %s", typestr);
4608 bpf_error("'isis' modifier applied to %s", typestr);
4611 bpf_error("'clnp' modifier applied to %s", typestr);
4614 bpf_error("'stp' modifier applied to %s", typestr);
4617 bpf_error("IPX host filtering not implemented");
4620 bpf_error("'netbeui' modifier applied to %s", typestr);
4623 bpf_error("'radio' modifier applied to %s", typestr);
4633 static struct block *
4634 gen_gateway(eaddr, alist, proto, dir)
4635 const u_char *eaddr;
4636 bpf_u_int32 **alist;
4640 struct block *b0, *b1, *tmp;
4643 bpf_error("direction applied to 'gateway'");
4652 b0 = gen_ehostop(eaddr, Q_OR);
4655 b0 = gen_fhostop(eaddr, Q_OR);
4658 b0 = gen_thostop(eaddr, Q_OR);
4660 case DLT_IEEE802_11:
4661 case DLT_PRISM_HEADER:
4662 case DLT_IEEE802_11_RADIO_AVS:
4663 case DLT_IEEE802_11_RADIO:
4665 b0 = gen_wlanhostop(eaddr, Q_OR);
4670 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4672 * Check that the packet doesn't begin with an
4673 * LE Control marker. (We've already generated
4676 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4681 * Now check the MAC address.
4683 b0 = gen_ehostop(eaddr, Q_OR);
4686 case DLT_IP_OVER_FC:
4687 b0 = gen_ipfchostop(eaddr, Q_OR);
4691 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4693 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4695 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4704 bpf_error("illegal modifier of 'gateway'");
4710 gen_proto_abbrev(proto)
4719 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4721 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4727 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4729 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4735 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4737 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4743 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4746 #ifndef IPPROTO_IGMP
4747 #define IPPROTO_IGMP 2
4751 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4754 #ifndef IPPROTO_IGRP
4755 #define IPPROTO_IGRP 9
4758 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4762 #define IPPROTO_PIM 103
4766 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4768 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4773 #ifndef IPPROTO_VRRP
4774 #define IPPROTO_VRRP 112
4778 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4782 b1 = gen_linktype(ETHERTYPE_IP);
4786 b1 = gen_linktype(ETHERTYPE_ARP);
4790 b1 = gen_linktype(ETHERTYPE_REVARP);
4794 bpf_error("link layer applied in wrong context");
4797 b1 = gen_linktype(ETHERTYPE_ATALK);
4801 b1 = gen_linktype(ETHERTYPE_AARP);
4805 b1 = gen_linktype(ETHERTYPE_DN);
4809 b1 = gen_linktype(ETHERTYPE_SCA);
4813 b1 = gen_linktype(ETHERTYPE_LAT);
4817 b1 = gen_linktype(ETHERTYPE_MOPDL);
4821 b1 = gen_linktype(ETHERTYPE_MOPRC);
4826 b1 = gen_linktype(ETHERTYPE_IPV6);
4829 #ifndef IPPROTO_ICMPV6
4830 #define IPPROTO_ICMPV6 58
4833 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4838 #define IPPROTO_AH 51
4841 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4843 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4849 #define IPPROTO_ESP 50
4852 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4854 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4860 b1 = gen_linktype(LLCSAP_ISONS);
4864 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4868 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4871 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4872 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4873 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4875 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4877 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4879 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4883 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4884 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4885 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4887 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4889 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4891 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4895 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4896 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4897 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4899 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4904 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4905 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4910 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4911 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4913 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4915 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4920 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4921 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4926 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4927 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4932 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4936 b1 = gen_linktype(LLCSAP_8021D);
4940 b1 = gen_linktype(LLCSAP_IPX);
4944 b1 = gen_linktype(LLCSAP_NETBEUI);
4948 bpf_error("'radio' is not a valid protocol type");
4956 static struct block *
4963 s = gen_load_a(OR_NET, 6, BPF_H);
4964 b = new_block(JMP(BPF_JSET));
4973 * Generate a comparison to a port value in the transport-layer header
4974 * at the specified offset from the beginning of that header.
4976 * XXX - this handles a variable-length prefix preceding the link-layer
4977 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4978 * variable-length link-layer headers (such as Token Ring or 802.11
4981 static struct block *
4982 gen_portatom(off, v)
4986 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4990 static struct block *
4991 gen_portatom6(off, v)
4995 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5000 gen_portop(port, proto, dir)
5001 int port, proto, dir;
5003 struct block *b0, *b1, *tmp;
5005 /* ip proto 'proto' */
5006 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5012 b1 = gen_portatom(0, (bpf_int32)port);
5016 b1 = gen_portatom(2, (bpf_int32)port);
5021 tmp = gen_portatom(0, (bpf_int32)port);
5022 b1 = gen_portatom(2, (bpf_int32)port);
5027 tmp = gen_portatom(0, (bpf_int32)port);
5028 b1 = gen_portatom(2, (bpf_int32)port);
5040 static struct block *
5041 gen_port(port, ip_proto, dir)
5046 struct block *b0, *b1, *tmp;
5051 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5052 * not LLC encapsulation with LLCSAP_IP.
5054 * For IEEE 802 networks - which includes 802.5 token ring
5055 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5056 * says that SNAP encapsulation is used, not LLC encapsulation
5059 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5060 * RFC 2225 say that SNAP encapsulation is used, not LLC
5061 * encapsulation with LLCSAP_IP.
5063 * So we always check for ETHERTYPE_IP.
5065 b0 = gen_linktype(ETHERTYPE_IP);
5071 b1 = gen_portop(port, ip_proto, dir);
5075 tmp = gen_portop(port, IPPROTO_TCP, dir);
5076 b1 = gen_portop(port, IPPROTO_UDP, dir);
5078 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5091 gen_portop6(port, proto, dir)
5092 int port, proto, dir;
5094 struct block *b0, *b1, *tmp;
5096 /* ip6 proto 'proto' */
5097 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5101 b1 = gen_portatom6(0, (bpf_int32)port);
5105 b1 = gen_portatom6(2, (bpf_int32)port);
5110 tmp = gen_portatom6(0, (bpf_int32)port);
5111 b1 = gen_portatom6(2, (bpf_int32)port);
5116 tmp = gen_portatom6(0, (bpf_int32)port);
5117 b1 = gen_portatom6(2, (bpf_int32)port);
5129 static struct block *
5130 gen_port6(port, ip_proto, dir)
5135 struct block *b0, *b1, *tmp;
5137 /* link proto ip6 */
5138 b0 = gen_linktype(ETHERTYPE_IPV6);
5144 b1 = gen_portop6(port, ip_proto, dir);
5148 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5149 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5151 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5163 /* gen_portrange code */
5164 static struct block *
5165 gen_portrangeatom(off, v1, v2)
5169 struct block *b1, *b2;
5173 * Reverse the order of the ports, so v1 is the lower one.
5182 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5183 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5191 gen_portrangeop(port1, port2, proto, dir)
5196 struct block *b0, *b1, *tmp;
5198 /* ip proto 'proto' */
5199 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5205 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5209 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5214 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5215 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5220 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5221 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5233 static struct block *
5234 gen_portrange(port1, port2, ip_proto, dir)
5239 struct block *b0, *b1, *tmp;
5242 b0 = gen_linktype(ETHERTYPE_IP);
5248 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5252 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5253 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5255 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5267 static struct block *
5268 gen_portrangeatom6(off, v1, v2)
5272 struct block *b1, *b2;
5276 * Reverse the order of the ports, so v1 is the lower one.
5285 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5286 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5294 gen_portrangeop6(port1, port2, proto, dir)
5299 struct block *b0, *b1, *tmp;
5301 /* ip6 proto 'proto' */
5302 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5306 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5310 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5315 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5316 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5321 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5322 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5334 static struct block *
5335 gen_portrange6(port1, port2, ip_proto, dir)
5340 struct block *b0, *b1, *tmp;
5342 /* link proto ip6 */
5343 b0 = gen_linktype(ETHERTYPE_IPV6);
5349 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5353 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5354 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5356 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5369 lookup_proto(name, proto)
5370 register const char *name;
5380 v = pcap_nametoproto(name);
5381 if (v == PROTO_UNDEF)
5382 bpf_error("unknown ip proto '%s'", name);
5386 /* XXX should look up h/w protocol type based on linktype */
5387 v = pcap_nametoeproto(name);
5388 if (v == PROTO_UNDEF) {
5389 v = pcap_nametollc(name);
5390 if (v == PROTO_UNDEF)
5391 bpf_error("unknown ether proto '%s'", name);
5396 if (strcmp(name, "esis") == 0)
5398 else if (strcmp(name, "isis") == 0)
5400 else if (strcmp(name, "clnp") == 0)
5403 bpf_error("unknown osi proto '%s'", name);
5423 static struct block *
5424 gen_protochain(v, proto, dir)
5429 #ifdef NO_PROTOCHAIN
5430 return gen_proto(v, proto, dir);
5432 struct block *b0, *b;
5433 struct slist *s[100];
5434 int fix2, fix3, fix4, fix5;
5435 int ahcheck, again, end;
5437 int reg2 = alloc_reg();
5439 memset(s, 0, sizeof(s));
5440 fix2 = fix3 = fix4 = fix5 = 0;
5447 b0 = gen_protochain(v, Q_IP, dir);
5448 b = gen_protochain(v, Q_IPV6, dir);
5452 bpf_error("bad protocol applied for 'protochain'");
5457 * We don't handle variable-length prefixes before the link-layer
5458 * header, or variable-length link-layer headers, here yet.
5459 * We might want to add BPF instructions to do the protochain
5460 * work, to simplify that and, on platforms that have a BPF
5461 * interpreter with the new instructions, let the filtering
5462 * be done in the kernel. (We already require a modified BPF
5463 * engine to do the protochain stuff, to support backward
5464 * branches, and backward branch support is unlikely to appear
5465 * in kernel BPF engines.)
5469 case DLT_IEEE802_11:
5470 case DLT_PRISM_HEADER:
5471 case DLT_IEEE802_11_RADIO_AVS:
5472 case DLT_IEEE802_11_RADIO:
5474 bpf_error("'protochain' not supported with 802.11");
5477 no_optimize = 1; /*this code is not compatible with optimzer yet */
5480 * s[0] is a dummy entry to protect other BPF insn from damage
5481 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5482 * hard to find interdependency made by jump table fixup.
5485 s[i] = new_stmt(0); /*dummy*/
5490 b0 = gen_linktype(ETHERTYPE_IP);
5493 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5494 s[i]->s.k = off_macpl + off_nl + 9;
5496 /* X = ip->ip_hl << 2 */
5497 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5498 s[i]->s.k = off_macpl + off_nl;
5503 b0 = gen_linktype(ETHERTYPE_IPV6);
5505 /* A = ip6->ip_nxt */
5506 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5507 s[i]->s.k = off_macpl + off_nl + 6;
5509 /* X = sizeof(struct ip6_hdr) */
5510 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5516 bpf_error("unsupported proto to gen_protochain");
5520 /* again: if (A == v) goto end; else fall through; */
5522 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5524 s[i]->s.jt = NULL; /*later*/
5525 s[i]->s.jf = NULL; /*update in next stmt*/
5529 #ifndef IPPROTO_NONE
5530 #define IPPROTO_NONE 59
5532 /* if (A == IPPROTO_NONE) goto end */
5533 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5534 s[i]->s.jt = NULL; /*later*/
5535 s[i]->s.jf = NULL; /*update in next stmt*/
5536 s[i]->s.k = IPPROTO_NONE;
5537 s[fix5]->s.jf = s[i];
5542 if (proto == Q_IPV6) {
5543 int v6start, v6end, v6advance, j;
5546 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5547 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5548 s[i]->s.jt = NULL; /*later*/
5549 s[i]->s.jf = NULL; /*update in next stmt*/
5550 s[i]->s.k = IPPROTO_HOPOPTS;
5551 s[fix2]->s.jf = s[i];
5553 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5554 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5555 s[i]->s.jt = NULL; /*later*/
5556 s[i]->s.jf = NULL; /*update in next stmt*/
5557 s[i]->s.k = IPPROTO_DSTOPTS;
5559 /* if (A == IPPROTO_ROUTING) goto v6advance */
5560 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5561 s[i]->s.jt = NULL; /*later*/
5562 s[i]->s.jf = NULL; /*update in next stmt*/
5563 s[i]->s.k = IPPROTO_ROUTING;
5565 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5566 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5567 s[i]->s.jt = NULL; /*later*/
5568 s[i]->s.jf = NULL; /*later*/
5569 s[i]->s.k = IPPROTO_FRAGMENT;
5580 * X = X + (P[X + 1] + 1) * 8;
5583 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5585 /* A = P[X + packet head] */
5586 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5587 s[i]->s.k = off_macpl + off_nl;
5590 s[i] = new_stmt(BPF_ST);
5594 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5597 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5601 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5603 /* A = P[X + packet head]; */
5604 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5605 s[i]->s.k = off_macpl + off_nl;
5608 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5612 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5616 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5619 s[i] = new_stmt(BPF_LD|BPF_MEM);
5623 /* goto again; (must use BPF_JA for backward jump) */
5624 s[i] = new_stmt(BPF_JMP|BPF_JA);
5625 s[i]->s.k = again - i - 1;
5626 s[i - 1]->s.jf = s[i];
5630 for (j = v6start; j <= v6end; j++)
5631 s[j]->s.jt = s[v6advance];
5636 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5638 s[fix2]->s.jf = s[i];
5644 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5645 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5646 s[i]->s.jt = NULL; /*later*/
5647 s[i]->s.jf = NULL; /*later*/
5648 s[i]->s.k = IPPROTO_AH;
5650 s[fix3]->s.jf = s[ahcheck];
5657 * X = X + (P[X + 1] + 2) * 4;
5660 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5662 /* A = P[X + packet head]; */
5663 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5664 s[i]->s.k = off_macpl + off_nl;
5667 s[i] = new_stmt(BPF_ST);
5671 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5674 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5678 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5680 /* A = P[X + packet head] */
5681 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5682 s[i]->s.k = off_macpl + off_nl;
5685 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5689 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5693 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5696 s[i] = new_stmt(BPF_LD|BPF_MEM);
5700 /* goto again; (must use BPF_JA for backward jump) */
5701 s[i] = new_stmt(BPF_JMP|BPF_JA);
5702 s[i]->s.k = again - i - 1;
5707 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5709 s[fix2]->s.jt = s[end];
5710 s[fix4]->s.jf = s[end];
5711 s[fix5]->s.jt = s[end];
5718 for (i = 0; i < max - 1; i++)
5719 s[i]->next = s[i + 1];
5720 s[max - 1]->next = NULL;
5725 b = new_block(JMP(BPF_JEQ));
5726 b->stmts = s[1]; /*remember, s[0] is dummy*/
5736 static struct block *
5737 gen_check_802_11_data_frame()
5740 struct block *b0, *b1;
5743 * A data frame has the 0x08 bit (b3) in the frame control field set
5744 * and the 0x04 bit (b2) clear.
5746 s = gen_load_a(OR_LINK, 0, BPF_B);
5747 b0 = new_block(JMP(BPF_JSET));
5751 s = gen_load_a(OR_LINK, 0, BPF_B);
5752 b1 = new_block(JMP(BPF_JSET));
5763 * Generate code that checks whether the packet is a packet for protocol
5764 * <proto> and whether the type field in that protocol's header has
5765 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5766 * IP packet and checks the protocol number in the IP header against <v>.
5768 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5769 * against Q_IP and Q_IPV6.
5771 static struct block *
5772 gen_proto(v, proto, dir)
5777 struct block *b0, *b1;
5779 if (dir != Q_DEFAULT)
5780 bpf_error("direction applied to 'proto'");
5785 b0 = gen_proto(v, Q_IP, dir);
5786 b1 = gen_proto(v, Q_IPV6, dir);
5794 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5795 * not LLC encapsulation with LLCSAP_IP.
5797 * For IEEE 802 networks - which includes 802.5 token ring
5798 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5799 * says that SNAP encapsulation is used, not LLC encapsulation
5802 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5803 * RFC 2225 say that SNAP encapsulation is used, not LLC
5804 * encapsulation with LLCSAP_IP.
5806 * So we always check for ETHERTYPE_IP.
5808 b0 = gen_linktype(ETHERTYPE_IP);
5810 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5812 b1 = gen_protochain(v, Q_IP);
5822 * Frame Relay packets typically have an OSI
5823 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5824 * generates code to check for all the OSI
5825 * NLPIDs, so calling it and then adding a check
5826 * for the particular NLPID for which we're
5827 * looking is bogus, as we can just check for
5830 * What we check for is the NLPID and a frame
5831 * control field value of UI, i.e. 0x03 followed
5834 * XXX - assumes a 2-byte Frame Relay header with
5835 * DLCI and flags. What if the address is longer?
5837 * XXX - what about SNAP-encapsulated frames?
5839 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5845 * Cisco uses an Ethertype lookalike - for OSI,
5848 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5849 /* OSI in C-HDLC is stuffed with a fudge byte */
5850 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5855 b0 = gen_linktype(LLCSAP_ISONS);
5856 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5862 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5864 * 4 is the offset of the PDU type relative to the IS-IS
5867 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5872 bpf_error("arp does not encapsulate another protocol");
5876 bpf_error("rarp does not encapsulate another protocol");
5880 bpf_error("atalk encapsulation is not specifiable");
5884 bpf_error("decnet encapsulation is not specifiable");
5888 bpf_error("sca does not encapsulate another protocol");
5892 bpf_error("lat does not encapsulate another protocol");
5896 bpf_error("moprc does not encapsulate another protocol");
5900 bpf_error("mopdl does not encapsulate another protocol");
5904 return gen_linktype(v);
5907 bpf_error("'udp proto' is bogus");
5911 bpf_error("'tcp proto' is bogus");
5915 bpf_error("'sctp proto' is bogus");
5919 bpf_error("'icmp proto' is bogus");
5923 bpf_error("'igmp proto' is bogus");
5927 bpf_error("'igrp proto' is bogus");
5931 bpf_error("'pim proto' is bogus");
5935 bpf_error("'vrrp proto' is bogus");
5940 b0 = gen_linktype(ETHERTYPE_IPV6);
5942 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5944 b1 = gen_protochain(v, Q_IPV6);
5950 bpf_error("'icmp6 proto' is bogus");
5954 bpf_error("'ah proto' is bogus");
5957 bpf_error("'ah proto' is bogus");
5960 bpf_error("'stp proto' is bogus");
5963 bpf_error("'ipx proto' is bogus");
5966 bpf_error("'netbeui proto' is bogus");
5969 bpf_error("'radio proto' is bogus");
5980 register const char *name;
5983 int proto = q.proto;
5987 bpf_u_int32 mask, addr;
5989 bpf_u_int32 **alist;
5992 struct sockaddr_in *sin4;
5993 struct sockaddr_in6 *sin6;
5994 struct addrinfo *res, *res0;
5995 struct in6_addr mask128;
5997 struct block *b, *tmp;
5998 int port, real_proto;
6004 addr = pcap_nametonetaddr(name);
6006 bpf_error("unknown network '%s'", name);
6007 /* Left justify network addr and calculate its network mask */
6009 while (addr && (addr & 0xff000000) == 0) {
6013 return gen_host(addr, mask, proto, dir, q.addr);
6017 if (proto == Q_LINK) {
6021 eaddr = pcap_ether_hostton(name);
6024 "unknown ether host '%s'", name);
6025 b = gen_ehostop(eaddr, dir);
6030 eaddr = pcap_ether_hostton(name);
6033 "unknown FDDI host '%s'", name);
6034 b = gen_fhostop(eaddr, dir);
6039 eaddr = pcap_ether_hostton(name);
6042 "unknown token ring host '%s'", name);
6043 b = gen_thostop(eaddr, dir);
6047 case DLT_IEEE802_11:
6048 case DLT_PRISM_HEADER:
6049 case DLT_IEEE802_11_RADIO_AVS:
6050 case DLT_IEEE802_11_RADIO:
6052 eaddr = pcap_ether_hostton(name);
6055 "unknown 802.11 host '%s'", name);
6056 b = gen_wlanhostop(eaddr, dir);
6060 case DLT_IP_OVER_FC:
6061 eaddr = pcap_ether_hostton(name);
6064 "unknown Fibre Channel host '%s'", name);
6065 b = gen_ipfchostop(eaddr, dir);
6074 * Check that the packet doesn't begin
6075 * with an LE Control marker. (We've
6076 * already generated a test for LANE.)
6078 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6082 eaddr = pcap_ether_hostton(name);
6085 "unknown ether host '%s'", name);
6086 b = gen_ehostop(eaddr, dir);
6092 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6093 } else if (proto == Q_DECNET) {
6094 unsigned short dn_addr = __pcap_nametodnaddr(name);
6096 * I don't think DECNET hosts can be multihomed, so
6097 * there is no need to build up a list of addresses
6099 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6102 alist = pcap_nametoaddr(name);
6103 if (alist == NULL || *alist == NULL)
6104 bpf_error("unknown host '%s'", name);
6106 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6108 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6110 tmp = gen_host(**alist++, 0xffffffff,
6111 tproto, dir, q.addr);
6117 memset(&mask128, 0xff, sizeof(mask128));
6118 res0 = res = pcap_nametoaddrinfo(name);
6120 bpf_error("unknown host '%s'", name);
6123 tproto = tproto6 = proto;
6124 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6128 for (res = res0; res; res = res->ai_next) {
6129 switch (res->ai_family) {
6131 if (tproto == Q_IPV6)
6134 sin4 = (struct sockaddr_in *)
6136 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6137 0xffffffff, tproto, dir, q.addr);
6140 if (tproto6 == Q_IP)
6143 sin6 = (struct sockaddr_in6 *)
6145 tmp = gen_host6(&sin6->sin6_addr,
6146 &mask128, tproto6, dir, q.addr);
6158 bpf_error("unknown host '%s'%s", name,
6159 (proto == Q_DEFAULT)
6161 : " for specified address family");
6168 if (proto != Q_DEFAULT &&
6169 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6170 bpf_error("illegal qualifier of 'port'");
6171 if (pcap_nametoport(name, &port, &real_proto) == 0)
6172 bpf_error("unknown port '%s'", name);
6173 if (proto == Q_UDP) {
6174 if (real_proto == IPPROTO_TCP)
6175 bpf_error("port '%s' is tcp", name);
6176 else if (real_proto == IPPROTO_SCTP)
6177 bpf_error("port '%s' is sctp", name);
6179 /* override PROTO_UNDEF */
6180 real_proto = IPPROTO_UDP;
6182 if (proto == Q_TCP) {
6183 if (real_proto == IPPROTO_UDP)
6184 bpf_error("port '%s' is udp", name);
6186 else if (real_proto == IPPROTO_SCTP)
6187 bpf_error("port '%s' is sctp", name);
6189 /* override PROTO_UNDEF */
6190 real_proto = IPPROTO_TCP;
6192 if (proto == Q_SCTP) {
6193 if (real_proto == IPPROTO_UDP)
6194 bpf_error("port '%s' is udp", name);
6196 else if (real_proto == IPPROTO_TCP)
6197 bpf_error("port '%s' is tcp", name);
6199 /* override PROTO_UNDEF */
6200 real_proto = IPPROTO_SCTP;
6203 return gen_port(port, real_proto, dir);
6205 b = gen_port(port, real_proto, dir);
6206 gen_or(gen_port6(port, real_proto, dir), b);
6211 if (proto != Q_DEFAULT &&
6212 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6213 bpf_error("illegal qualifier of 'portrange'");
6214 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6215 bpf_error("unknown port in range '%s'", name);
6216 if (proto == Q_UDP) {
6217 if (real_proto == IPPROTO_TCP)
6218 bpf_error("port in range '%s' is tcp", name);
6219 else if (real_proto == IPPROTO_SCTP)
6220 bpf_error("port in range '%s' is sctp", name);
6222 /* override PROTO_UNDEF */
6223 real_proto = IPPROTO_UDP;
6225 if (proto == Q_TCP) {
6226 if (real_proto == IPPROTO_UDP)
6227 bpf_error("port in range '%s' is udp", name);
6228 else if (real_proto == IPPROTO_SCTP)
6229 bpf_error("port in range '%s' is sctp", name);
6231 /* override PROTO_UNDEF */
6232 real_proto = IPPROTO_TCP;
6234 if (proto == Q_SCTP) {
6235 if (real_proto == IPPROTO_UDP)
6236 bpf_error("port in range '%s' is udp", name);
6237 else if (real_proto == IPPROTO_TCP)
6238 bpf_error("port in range '%s' is tcp", name);
6240 /* override PROTO_UNDEF */
6241 real_proto = IPPROTO_SCTP;
6244 return gen_portrange(port1, port2, real_proto, dir);
6246 b = gen_portrange(port1, port2, real_proto, dir);
6247 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6253 eaddr = pcap_ether_hostton(name);
6255 bpf_error("unknown ether host: %s", name);
6257 alist = pcap_nametoaddr(name);
6258 if (alist == NULL || *alist == NULL)
6259 bpf_error("unknown host '%s'", name);
6260 b = gen_gateway(eaddr, alist, proto, dir);
6264 bpf_error("'gateway' not supported in this configuration");
6268 real_proto = lookup_proto(name, proto);
6269 if (real_proto >= 0)
6270 return gen_proto(real_proto, proto, dir);
6272 bpf_error("unknown protocol: %s", name);
6275 real_proto = lookup_proto(name, proto);
6276 if (real_proto >= 0)
6277 return gen_protochain(real_proto, proto, dir);
6279 bpf_error("unknown protocol: %s", name);
6290 gen_mcode(s1, s2, masklen, q)
6291 register const char *s1, *s2;
6292 register int masklen;
6295 register int nlen, mlen;
6298 nlen = __pcap_atoin(s1, &n);
6299 /* Promote short ipaddr */
6303 mlen = __pcap_atoin(s2, &m);
6304 /* Promote short ipaddr */
6307 bpf_error("non-network bits set in \"%s mask %s\"",
6310 /* Convert mask len to mask */
6312 bpf_error("mask length must be <= 32");
6315 * X << 32 is not guaranteed by C to be 0; it's
6320 m = 0xffffffff << (32 - masklen);
6322 bpf_error("non-network bits set in \"%s/%d\"",
6329 return gen_host(n, m, q.proto, q.dir, q.addr);
6332 bpf_error("Mask syntax for networks only");
6341 register const char *s;
6346 int proto = q.proto;
6352 else if (q.proto == Q_DECNET)
6353 vlen = __pcap_atodn(s, &v);
6355 vlen = __pcap_atoin(s, &v);
6362 if (proto == Q_DECNET)
6363 return gen_host(v, 0, proto, dir, q.addr);
6364 else if (proto == Q_LINK) {
6365 bpf_error("illegal link layer address");
6368 if (s == NULL && q.addr == Q_NET) {
6369 /* Promote short net number */
6370 while (v && (v & 0xff000000) == 0) {
6375 /* Promote short ipaddr */
6379 return gen_host(v, mask, proto, dir, q.addr);
6384 proto = IPPROTO_UDP;
6385 else if (proto == Q_TCP)
6386 proto = IPPROTO_TCP;
6387 else if (proto == Q_SCTP)
6388 proto = IPPROTO_SCTP;
6389 else if (proto == Q_DEFAULT)
6390 proto = PROTO_UNDEF;
6392 bpf_error("illegal qualifier of 'port'");
6395 return gen_port((int)v, proto, dir);
6399 b = gen_port((int)v, proto, dir);
6400 gen_or(gen_port6((int)v, proto, dir), b);
6407 proto = IPPROTO_UDP;
6408 else if (proto == Q_TCP)
6409 proto = IPPROTO_TCP;
6410 else if (proto == Q_SCTP)
6411 proto = IPPROTO_SCTP;
6412 else if (proto == Q_DEFAULT)
6413 proto = PROTO_UNDEF;
6415 bpf_error("illegal qualifier of 'portrange'");
6418 return gen_portrange((int)v, (int)v, proto, dir);
6422 b = gen_portrange((int)v, (int)v, proto, dir);
6423 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6429 bpf_error("'gateway' requires a name");
6433 return gen_proto((int)v, proto, dir);
6436 return gen_protochain((int)v, proto, dir);
6451 gen_mcode6(s1, s2, masklen, q)
6452 register const char *s1, *s2;
6453 register int masklen;
6456 struct addrinfo *res;
6457 struct in6_addr *addr;
6458 struct in6_addr mask;
6463 bpf_error("no mask %s supported", s2);
6465 res = pcap_nametoaddrinfo(s1);
6467 bpf_error("invalid ip6 address %s", s1);
6470 bpf_error("%s resolved to multiple address", s1);
6471 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6473 if (sizeof(mask) * 8 < masklen)
6474 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6475 memset(&mask, 0, sizeof(mask));
6476 memset(&mask, 0xff, masklen / 8);
6478 mask.s6_addr[masklen / 8] =
6479 (0xff << (8 - masklen % 8)) & 0xff;
6482 a = (u_int32_t *)addr;
6483 m = (u_int32_t *)&mask;
6484 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6485 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6486 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6494 bpf_error("Mask syntax for networks only");
6498 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6504 bpf_error("invalid qualifier against IPv6 address");
6513 register const u_char *eaddr;
6516 struct block *b, *tmp;
6518 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6521 return gen_ehostop(eaddr, (int)q.dir);
6523 return gen_fhostop(eaddr, (int)q.dir);
6525 return gen_thostop(eaddr, (int)q.dir);
6526 case DLT_IEEE802_11:
6527 case DLT_PRISM_HEADER:
6528 case DLT_IEEE802_11_RADIO_AVS:
6529 case DLT_IEEE802_11_RADIO:
6531 return gen_wlanhostop(eaddr, (int)q.dir);
6535 * Check that the packet doesn't begin with an
6536 * LE Control marker. (We've already generated
6539 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6544 * Now check the MAC address.
6546 b = gen_ehostop(eaddr, (int)q.dir);
6551 case DLT_IP_OVER_FC:
6552 return gen_ipfchostop(eaddr, (int)q.dir);
6554 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6558 bpf_error("ethernet address used in non-ether expression");
6565 struct slist *s0, *s1;
6568 * This is definitely not the best way to do this, but the
6569 * lists will rarely get long.
6576 static struct slist *
6582 s = new_stmt(BPF_LDX|BPF_MEM);
6587 static struct slist *
6593 s = new_stmt(BPF_LD|BPF_MEM);
6599 * Modify "index" to use the value stored into its register as an
6600 * offset relative to the beginning of the header for the protocol
6601 * "proto", and allocate a register and put an item "size" bytes long
6602 * (1, 2, or 4) at that offset into that register, making it the register
6606 gen_load(proto, inst, size)
6611 struct slist *s, *tmp;
6613 int regno = alloc_reg();
6615 free_reg(inst->regno);
6619 bpf_error("data size must be 1, 2, or 4");
6635 bpf_error("unsupported index operation");
6639 * The offset is relative to the beginning of the packet
6640 * data, if we have a radio header. (If we don't, this
6643 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6644 linktype != DLT_IEEE802_11_RADIO &&
6645 linktype != DLT_PRISM_HEADER)
6646 bpf_error("radio information not present in capture");
6649 * Load into the X register the offset computed into the
6650 * register specifed by "index".
6652 s = xfer_to_x(inst);
6655 * Load the item at that offset.
6657 tmp = new_stmt(BPF_LD|BPF_IND|size);
6659 sappend(inst->s, s);
6664 * The offset is relative to the beginning of
6665 * the link-layer header.
6667 * XXX - what about ATM LANE? Should the index be
6668 * relative to the beginning of the AAL5 frame, so
6669 * that 0 refers to the beginning of the LE Control
6670 * field, or relative to the beginning of the LAN
6671 * frame, so that 0 refers, for Ethernet LANE, to
6672 * the beginning of the destination address?
6674 s = gen_llprefixlen();
6677 * If "s" is non-null, it has code to arrange that the
6678 * X register contains the length of the prefix preceding
6679 * the link-layer header. Add to it the offset computed
6680 * into the register specified by "index", and move that
6681 * into the X register. Otherwise, just load into the X
6682 * register the offset computed into the register specifed
6686 sappend(s, xfer_to_a(inst));
6687 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6688 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6690 s = xfer_to_x(inst);
6693 * Load the item at the sum of the offset we've put in the
6694 * X register and the offset of the start of the link
6695 * layer header (which is 0 if the radio header is
6696 * variable-length; that header length is what we put
6697 * into the X register and then added to the index).
6699 tmp = new_stmt(BPF_LD|BPF_IND|size);
6702 sappend(inst->s, s);
6718 * The offset is relative to the beginning of
6719 * the network-layer header.
6720 * XXX - are there any cases where we want
6723 s = gen_off_macpl();
6726 * If "s" is non-null, it has code to arrange that the
6727 * X register contains the offset of the MAC-layer
6728 * payload. Add to it the offset computed into the
6729 * register specified by "index", and move that into
6730 * the X register. Otherwise, just load into the X
6731 * register the offset computed into the register specifed
6735 sappend(s, xfer_to_a(inst));
6736 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6737 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6739 s = xfer_to_x(inst);
6742 * Load the item at the sum of the offset we've put in the
6743 * X register, the offset of the start of the network
6744 * layer header from the beginning of the MAC-layer
6745 * payload, and the purported offset of the start of the
6746 * MAC-layer payload (which might be 0 if there's a
6747 * variable-length prefix before the link-layer header
6748 * or the link-layer header itself is variable-length;
6749 * the variable-length offset of the start of the
6750 * MAC-layer payload is what we put into the X register
6751 * and then added to the index).
6753 tmp = new_stmt(BPF_LD|BPF_IND|size);
6754 tmp->s.k = off_macpl + off_nl;
6756 sappend(inst->s, s);
6759 * Do the computation only if the packet contains
6760 * the protocol in question.
6762 b = gen_proto_abbrev(proto);
6764 gen_and(inst->b, b);
6777 * The offset is relative to the beginning of
6778 * the transport-layer header.
6780 * Load the X register with the length of the IPv4 header
6781 * (plus the offset of the link-layer header, if it's
6782 * a variable-length header), in bytes.
6784 * XXX - are there any cases where we want
6786 * XXX - we should, if we're built with
6787 * IPv6 support, generate code to load either
6788 * IPv4, IPv6, or both, as appropriate.
6790 s = gen_loadx_iphdrlen();
6793 * The X register now contains the sum of the length
6794 * of any variable-length header preceding the link-layer
6795 * header, any variable-length link-layer header, and the
6796 * length of the network-layer header.
6798 * Load into the A register the offset relative to
6799 * the beginning of the transport layer header,
6800 * add the X register to that, move that to the
6801 * X register, and load with an offset from the
6802 * X register equal to the offset of the network
6803 * layer header relative to the beginning of
6804 * the MAC-layer payload plus the fixed-length
6805 * portion of the offset of the MAC-layer payload
6806 * from the beginning of the raw packet data.
6808 sappend(s, xfer_to_a(inst));
6809 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6810 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6811 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6812 tmp->s.k = off_macpl + off_nl;
6813 sappend(inst->s, s);
6816 * Do the computation only if the packet contains
6817 * the protocol in question - which is true only
6818 * if this is an IP datagram and is the first or
6819 * only fragment of that datagram.
6821 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6823 gen_and(inst->b, b);
6825 gen_and(gen_proto_abbrev(Q_IP), b);
6831 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6835 inst->regno = regno;
6836 s = new_stmt(BPF_ST);
6838 sappend(inst->s, s);
6844 gen_relation(code, a0, a1, reversed)
6846 struct arth *a0, *a1;
6849 struct slist *s0, *s1, *s2;
6850 struct block *b, *tmp;
6854 if (code == BPF_JEQ) {
6855 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6856 b = new_block(JMP(code));
6860 b = new_block(BPF_JMP|code|BPF_X);
6866 sappend(a0->s, a1->s);
6870 free_reg(a0->regno);
6871 free_reg(a1->regno);
6873 /* 'and' together protocol checks */
6876 gen_and(a0->b, tmp = a1->b);
6892 int regno = alloc_reg();
6893 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6896 s = new_stmt(BPF_LD|BPF_LEN);
6897 s->next = new_stmt(BPF_ST);
6898 s->next->s.k = regno;
6913 a = (struct arth *)newchunk(sizeof(*a));
6917 s = new_stmt(BPF_LD|BPF_IMM);
6919 s->next = new_stmt(BPF_ST);
6935 s = new_stmt(BPF_ALU|BPF_NEG);
6938 s = new_stmt(BPF_ST);
6946 gen_arth(code, a0, a1)
6948 struct arth *a0, *a1;
6950 struct slist *s0, *s1, *s2;
6954 s2 = new_stmt(BPF_ALU|BPF_X|code);
6959 sappend(a0->s, a1->s);
6961 free_reg(a0->regno);
6962 free_reg(a1->regno);
6964 s0 = new_stmt(BPF_ST);
6965 a0->regno = s0->s.k = alloc_reg();
6972 * Here we handle simple allocation of the scratch registers.
6973 * If too many registers are alloc'd, the allocator punts.
6975 static int regused[BPF_MEMWORDS];
6979 * Initialize the table of used registers and the current register.
6985 memset(regused, 0, sizeof regused);
6989 * Return the next free register.
6994 int n = BPF_MEMWORDS;
6997 if (regused[curreg])
6998 curreg = (curreg + 1) % BPF_MEMWORDS;
7000 regused[curreg] = 1;
7004 bpf_error("too many registers needed to evaluate expression");
7010 * Return a register to the table so it can
7020 static struct block *
7027 s = new_stmt(BPF_LD|BPF_LEN);
7028 b = new_block(JMP(jmp));
7039 return gen_len(BPF_JGE, n);
7043 * Actually, this is less than or equal.
7051 b = gen_len(BPF_JGT, n);
7058 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7059 * the beginning of the link-layer header.
7060 * XXX - that means you can't test values in the radiotap header, but
7061 * as that header is difficult if not impossible to parse generally
7062 * without a loop, that might not be a severe problem. A new keyword
7063 * "radio" could be added for that, although what you'd really want
7064 * would be a way of testing particular radio header values, which
7065 * would generate code appropriate to the radio header in question.
7068 gen_byteop(op, idx, val)
7079 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7082 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7086 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7090 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7094 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7098 b = new_block(JMP(BPF_JEQ));
7105 static u_char abroadcast[] = { 0x0 };
7108 gen_broadcast(proto)
7111 bpf_u_int32 hostmask;
7112 struct block *b0, *b1, *b2;
7113 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7121 case DLT_ARCNET_LINUX:
7122 return gen_ahostop(abroadcast, Q_DST);
7124 return gen_ehostop(ebroadcast, Q_DST);
7126 return gen_fhostop(ebroadcast, Q_DST);
7128 return gen_thostop(ebroadcast, Q_DST);
7129 case DLT_IEEE802_11:
7130 case DLT_PRISM_HEADER:
7131 case DLT_IEEE802_11_RADIO_AVS:
7132 case DLT_IEEE802_11_RADIO:
7134 return gen_wlanhostop(ebroadcast, Q_DST);
7135 case DLT_IP_OVER_FC:
7136 return gen_ipfchostop(ebroadcast, Q_DST);
7140 * Check that the packet doesn't begin with an
7141 * LE Control marker. (We've already generated
7144 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7149 * Now check the MAC address.
7151 b0 = gen_ehostop(ebroadcast, Q_DST);
7157 bpf_error("not a broadcast link");
7163 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7164 * as an indication that we don't know the netmask, and fail
7167 if (netmask == PCAP_NETMASK_UNKNOWN)
7168 bpf_error("netmask not known, so 'ip broadcast' not supported");
7169 b0 = gen_linktype(ETHERTYPE_IP);
7170 hostmask = ~netmask;
7171 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7172 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7173 (bpf_int32)(~0 & hostmask), hostmask);
7178 bpf_error("only link-layer/IP broadcast filters supported");
7184 * Generate code to test the low-order bit of a MAC address (that's
7185 * the bottom bit of the *first* byte).
7187 static struct block *
7188 gen_mac_multicast(offset)
7191 register struct block *b0;
7192 register struct slist *s;
7194 /* link[offset] & 1 != 0 */
7195 s = gen_load_a(OR_LINK, offset, BPF_B);
7196 b0 = new_block(JMP(BPF_JSET));
7203 gen_multicast(proto)
7206 register struct block *b0, *b1, *b2;
7207 register struct slist *s;
7215 case DLT_ARCNET_LINUX:
7216 /* all ARCnet multicasts use the same address */
7217 return gen_ahostop(abroadcast, Q_DST);
7219 /* ether[0] & 1 != 0 */
7220 return gen_mac_multicast(0);
7223 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7225 * XXX - was that referring to bit-order issues?
7227 /* fddi[1] & 1 != 0 */
7228 return gen_mac_multicast(1);
7230 /* tr[2] & 1 != 0 */
7231 return gen_mac_multicast(2);
7232 case DLT_IEEE802_11:
7233 case DLT_PRISM_HEADER:
7234 case DLT_IEEE802_11_RADIO_AVS:
7235 case DLT_IEEE802_11_RADIO:
7240 * For control frames, there is no DA.
7242 * For management frames, DA is at an
7243 * offset of 4 from the beginning of
7246 * For data frames, DA is at an offset
7247 * of 4 from the beginning of the packet
7248 * if To DS is clear and at an offset of
7249 * 16 from the beginning of the packet
7254 * Generate the tests to be done for data frames.
7256 * First, check for To DS set, i.e. "link[1] & 0x01".
7258 s = gen_load_a(OR_LINK, 1, BPF_B);
7259 b1 = new_block(JMP(BPF_JSET));
7260 b1->s.k = 0x01; /* To DS */
7264 * If To DS is set, the DA is at 16.
7266 b0 = gen_mac_multicast(16);
7270 * Now, check for To DS not set, i.e. check
7271 * "!(link[1] & 0x01)".
7273 s = gen_load_a(OR_LINK, 1, BPF_B);
7274 b2 = new_block(JMP(BPF_JSET));
7275 b2->s.k = 0x01; /* To DS */
7280 * If To DS is not set, the DA is at 4.
7282 b1 = gen_mac_multicast(4);
7286 * Now OR together the last two checks. That gives
7287 * the complete set of checks for data frames.
7292 * Now check for a data frame.
7293 * I.e, check "link[0] & 0x08".
7295 s = gen_load_a(OR_LINK, 0, BPF_B);
7296 b1 = new_block(JMP(BPF_JSET));
7301 * AND that with the checks done for data frames.
7306 * If the high-order bit of the type value is 0, this
7307 * is a management frame.
7308 * I.e, check "!(link[0] & 0x08)".
7310 s = gen_load_a(OR_LINK, 0, BPF_B);
7311 b2 = new_block(JMP(BPF_JSET));
7317 * For management frames, the DA is at 4.
7319 b1 = gen_mac_multicast(4);
7323 * OR that with the checks done for data frames.
7324 * That gives the checks done for management and
7330 * If the low-order bit of the type value is 1,
7331 * this is either a control frame or a frame
7332 * with a reserved type, and thus not a
7335 * I.e., check "!(link[0] & 0x04)".
7337 s = gen_load_a(OR_LINK, 0, BPF_B);
7338 b1 = new_block(JMP(BPF_JSET));
7344 * AND that with the checks for data and management
7349 case DLT_IP_OVER_FC:
7350 b0 = gen_mac_multicast(2);
7355 * Check that the packet doesn't begin with an
7356 * LE Control marker. (We've already generated
7359 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7363 /* ether[off_mac] & 1 != 0 */
7364 b0 = gen_mac_multicast(off_mac);
7372 /* Link not known to support multicasts */
7376 b0 = gen_linktype(ETHERTYPE_IP);
7377 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7383 b0 = gen_linktype(ETHERTYPE_IPV6);
7384 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7389 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7395 * generate command for inbound/outbound. It's here so we can
7396 * make it link-type specific. 'dir' = 0 implies "inbound",
7397 * = 1 implies "outbound".
7403 register struct block *b0;
7406 * Only some data link types support inbound/outbound qualifiers.
7410 b0 = gen_relation(BPF_JEQ,
7411 gen_load(Q_LINK, gen_loadi(0), 1),
7418 /* match outgoing packets */
7419 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7421 /* match incoming packets */
7422 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7429 * Match packets sent by this machine.
7431 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7434 * Match packets sent to this machine.
7435 * (No broadcast or multicast packets, or
7436 * packets sent to some other machine and
7437 * received promiscuously.)
7439 * XXX - packets sent to other machines probably
7440 * shouldn't be matched, but what about broadcast
7441 * or multicast packets we received?
7443 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7447 #ifdef HAVE_NET_PFVAR_H
7449 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7450 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7456 /* match outgoing packets */
7457 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7459 /* match incoming packets */
7460 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7464 case DLT_JUNIPER_MFR:
7465 case DLT_JUNIPER_MLFR:
7466 case DLT_JUNIPER_MLPPP:
7467 case DLT_JUNIPER_ATM1:
7468 case DLT_JUNIPER_ATM2:
7469 case DLT_JUNIPER_PPPOE:
7470 case DLT_JUNIPER_PPPOE_ATM:
7471 case DLT_JUNIPER_GGSN:
7472 case DLT_JUNIPER_ES:
7473 case DLT_JUNIPER_MONITOR:
7474 case DLT_JUNIPER_SERVICES:
7475 case DLT_JUNIPER_ETHER:
7476 case DLT_JUNIPER_PPP:
7477 case DLT_JUNIPER_FRELAY:
7478 case DLT_JUNIPER_CHDLC:
7479 case DLT_JUNIPER_VP:
7480 case DLT_JUNIPER_ST:
7481 case DLT_JUNIPER_ISM:
7482 /* juniper flags (including direction) are stored
7483 * the byte after the 3-byte magic number */
7485 /* match outgoing packets */
7486 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7488 /* match incoming packets */
7489 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7494 bpf_error("inbound/outbound not supported on linktype %d",
7502 #ifdef HAVE_NET_PFVAR_H
7503 /* PF firewall log matched interface */
7505 gen_pf_ifname(const char *ifname)
7510 if (linktype != DLT_PFLOG) {
7511 bpf_error("ifname supported only on PF linktype");
7514 len = sizeof(((struct pfloghdr *)0)->ifname);
7515 off = offsetof(struct pfloghdr, ifname);
7516 if (strlen(ifname) >= len) {
7517 bpf_error("ifname interface names can only be %d characters",
7521 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7525 /* PF firewall log ruleset name */
7527 gen_pf_ruleset(char *ruleset)
7531 if (linktype != DLT_PFLOG) {
7532 bpf_error("ruleset supported only on PF linktype");
7536 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7537 bpf_error("ruleset names can only be %ld characters",
7538 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7542 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7543 strlen(ruleset), (const u_char *)ruleset);
7547 /* PF firewall log rule number */
7553 if (linktype != DLT_PFLOG) {
7554 bpf_error("rnr supported only on PF linktype");
7558 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7563 /* PF firewall log sub-rule number */
7565 gen_pf_srnr(int srnr)
7569 if (linktype != DLT_PFLOG) {
7570 bpf_error("srnr supported only on PF linktype");
7574 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7579 /* PF firewall log reason code */
7581 gen_pf_reason(int reason)
7585 if (linktype != DLT_PFLOG) {
7586 bpf_error("reason supported only on PF linktype");
7590 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7595 /* PF firewall log action */
7597 gen_pf_action(int action)
7601 if (linktype != DLT_PFLOG) {
7602 bpf_error("action supported only on PF linktype");
7606 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7610 #else /* !HAVE_NET_PFVAR_H */
7612 gen_pf_ifname(const char *ifname)
7614 bpf_error("libpcap was compiled without pf support");
7620 gen_pf_ruleset(char *ruleset)
7622 bpf_error("libpcap was compiled on a machine without pf support");
7630 bpf_error("libpcap was compiled on a machine without pf support");
7636 gen_pf_srnr(int srnr)
7638 bpf_error("libpcap was compiled on a machine without pf support");
7644 gen_pf_reason(int reason)
7646 bpf_error("libpcap was compiled on a machine without pf support");
7652 gen_pf_action(int action)
7654 bpf_error("libpcap was compiled on a machine without pf support");
7658 #endif /* HAVE_NET_PFVAR_H */
7660 /* IEEE 802.11 wireless header */
7662 gen_p80211_type(int type, int mask)
7668 case DLT_IEEE802_11:
7669 case DLT_PRISM_HEADER:
7670 case DLT_IEEE802_11_RADIO_AVS:
7671 case DLT_IEEE802_11_RADIO:
7672 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7677 bpf_error("802.11 link-layer types supported only on 802.11");
7685 gen_p80211_fcdir(int fcdir)
7691 case DLT_IEEE802_11:
7692 case DLT_PRISM_HEADER:
7693 case DLT_IEEE802_11_RADIO_AVS:
7694 case DLT_IEEE802_11_RADIO:
7698 bpf_error("frame direction supported only with 802.11 headers");
7702 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7703 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7710 register const u_char *eaddr;
7716 case DLT_ARCNET_LINUX:
7717 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7719 return (gen_ahostop(eaddr, (int)q.dir));
7721 bpf_error("ARCnet address used in non-arc expression");
7727 bpf_error("aid supported only on ARCnet");
7730 bpf_error("ARCnet address used in non-arc expression");
7735 static struct block *
7736 gen_ahostop(eaddr, dir)
7737 register const u_char *eaddr;
7740 register struct block *b0, *b1;
7743 /* src comes first, different from Ethernet */
7745 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7748 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7751 b0 = gen_ahostop(eaddr, Q_SRC);
7752 b1 = gen_ahostop(eaddr, Q_DST);
7758 b0 = gen_ahostop(eaddr, Q_SRC);
7759 b1 = gen_ahostop(eaddr, Q_DST);
7768 * support IEEE 802.1Q VLAN trunk over ethernet
7774 struct block *b0, *b1;
7776 /* can't check for VLAN-encapsulated packets inside MPLS */
7777 if (label_stack_depth > 0)
7778 bpf_error("no VLAN match after MPLS");
7781 * Check for a VLAN packet, and then change the offsets to point
7782 * to the type and data fields within the VLAN packet. Just
7783 * increment the offsets, so that we can support a hierarchy, e.g.
7784 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7787 * XXX - this is a bit of a kludge. If we were to split the
7788 * compiler into a parser that parses an expression and
7789 * generates an expression tree, and a code generator that
7790 * takes an expression tree (which could come from our
7791 * parser or from some other parser) and generates BPF code,
7792 * we could perhaps make the offsets parameters of routines
7793 * and, in the handler for an "AND" node, pass to subnodes
7794 * other than the VLAN node the adjusted offsets.
7796 * This would mean that "vlan" would, instead of changing the
7797 * behavior of *all* tests after it, change only the behavior
7798 * of tests ANDed with it. That would change the documented
7799 * semantics of "vlan", which might break some expressions.
7800 * However, it would mean that "(vlan and ip) or ip" would check
7801 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7802 * checking only for VLAN-encapsulated IP, so that could still
7803 * be considered worth doing; it wouldn't break expressions
7804 * that are of the form "vlan and ..." or "vlan N and ...",
7805 * which I suspect are the most common expressions involving
7806 * "vlan". "vlan or ..." doesn't necessarily do what the user
7807 * would really want, now, as all the "or ..." tests would
7808 * be done assuming a VLAN, even though the "or" could be viewed
7809 * as meaning "or, if this isn't a VLAN packet...".
7816 /* check for VLAN */
7817 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7818 (bpf_int32)ETHERTYPE_8021Q);
7820 /* If a specific VLAN is requested, check VLAN id */
7821 if (vlan_num >= 0) {
7822 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7823 (bpf_int32)vlan_num, 0x0fff);
7837 bpf_error("no VLAN support for data link type %d",
7852 struct block *b0,*b1;
7855 * Change the offsets to point to the type and data fields within
7856 * the MPLS packet. Just increment the offsets, so that we
7857 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7858 * capture packets with an outer label of 100000 and an inner
7861 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7865 if (label_stack_depth > 0) {
7866 /* just match the bottom-of-stack bit clear */
7867 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7870 * Indicate that we're checking MPLS-encapsulated headers,
7871 * to make sure higher level code generators don't try to
7872 * match against IP-related protocols such as Q_ARP, Q_RARP
7877 case DLT_C_HDLC: /* fall through */
7879 b0 = gen_linktype(ETHERTYPE_MPLS);
7883 b0 = gen_linktype(PPP_MPLS_UCAST);
7886 /* FIXME add other DLT_s ...
7887 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7888 * leave it for now */
7891 bpf_error("no MPLS support for data link type %d",
7899 /* If a specific MPLS label is requested, check it */
7900 if (label_num >= 0) {
7901 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7902 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
7903 0xfffff000); /* only compare the first 20 bits */
7910 label_stack_depth++;
7915 * Support PPPOE discovery and session.
7920 /* check for PPPoE discovery */
7921 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
7930 * Test against the PPPoE session link-layer type.
7932 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
7935 * Change the offsets to point to the type and data fields within
7936 * the PPP packet, and note that this is PPPoE rather than
7939 * XXX - this is a bit of a kludge. If we were to split the
7940 * compiler into a parser that parses an expression and
7941 * generates an expression tree, and a code generator that
7942 * takes an expression tree (which could come from our
7943 * parser or from some other parser) and generates BPF code,
7944 * we could perhaps make the offsets parameters of routines
7945 * and, in the handler for an "AND" node, pass to subnodes
7946 * other than the PPPoE node the adjusted offsets.
7948 * This would mean that "pppoes" would, instead of changing the
7949 * behavior of *all* tests after it, change only the behavior
7950 * of tests ANDed with it. That would change the documented
7951 * semantics of "pppoes", which might break some expressions.
7952 * However, it would mean that "(pppoes and ip) or ip" would check
7953 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7954 * checking only for VLAN-encapsulated IP, so that could still
7955 * be considered worth doing; it wouldn't break expressions
7956 * that are of the form "pppoes and ..." which I suspect are the
7957 * most common expressions involving "pppoes". "pppoes or ..."
7958 * doesn't necessarily do what the user would really want, now,
7959 * as all the "or ..." tests would be done assuming PPPoE, even
7960 * though the "or" could be viewed as meaning "or, if this isn't
7961 * a PPPoE packet...".
7963 orig_linktype = off_linktype; /* save original values */
7968 * The "network-layer" protocol is PPPoE, which has a 6-byte
7969 * PPPoE header, followed by a PPP packet.
7971 * There is no HDLC encapsulation for the PPP packet (it's
7972 * encapsulated in PPPoES instead), so the link-layer type
7973 * starts at the first byte of the PPP packet. For PPPoE,
7974 * that offset is relative to the beginning of the total
7975 * link-layer payload, including any 802.2 LLC header, so
7976 * it's 6 bytes past off_nl.
7978 off_linktype = off_nl + 6;
7981 * The network-layer offsets are relative to the beginning
7982 * of the MAC-layer payload; that's past the 6-byte
7983 * PPPoE header and the 2-byte PPP header.
7986 off_nl_nosnap = 6+2;
7992 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8004 bpf_error("'vpi' supported only on raw ATM");
8005 if (off_vpi == (u_int)-1)
8007 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
8013 bpf_error("'vci' supported only on raw ATM");
8014 if (off_vci == (u_int)-1)
8016 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
8021 if (off_proto == (u_int)-1)
8022 abort(); /* XXX - this isn't on FreeBSD */
8023 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
8028 if (off_payload == (u_int)-1)
8030 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
8031 0xffffffff, jtype, reverse, jvalue);
8036 bpf_error("'callref' supported only on raw ATM");
8037 if (off_proto == (u_int)-1)
8039 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
8040 jtype, reverse, jvalue);
8050 gen_atmtype_abbrev(type)
8053 struct block *b0, *b1;
8058 /* Get all packets in Meta signalling Circuit */
8060 bpf_error("'metac' supported only on raw ATM");
8061 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8062 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8067 /* Get all packets in Broadcast Circuit*/
8069 bpf_error("'bcc' supported only on raw ATM");
8070 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8071 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8076 /* Get all cells in Segment OAM F4 circuit*/
8078 bpf_error("'oam4sc' supported only on raw ATM");
8079 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8080 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8085 /* Get all cells in End-to-End OAM F4 Circuit*/
8087 bpf_error("'oam4ec' supported only on raw ATM");
8088 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8089 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8094 /* Get all packets in connection Signalling Circuit */
8096 bpf_error("'sc' supported only on raw ATM");
8097 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8098 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8103 /* Get all packets in ILMI Circuit */
8105 bpf_error("'ilmic' supported only on raw ATM");
8106 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8107 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8112 /* Get all LANE packets */
8114 bpf_error("'lane' supported only on raw ATM");
8115 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8118 * Arrange that all subsequent tests assume LANE
8119 * rather than LLC-encapsulated packets, and set
8120 * the offsets appropriately for LANE-encapsulated
8123 * "off_mac" is the offset of the Ethernet header,
8124 * which is 2 bytes past the ATM pseudo-header
8125 * (skipping the pseudo-header and 2-byte LE Client
8126 * field). The other offsets are Ethernet offsets
8127 * relative to "off_mac".
8130 off_mac = off_payload + 2; /* MAC header */
8131 off_linktype = off_mac + 12;
8132 off_macpl = off_mac + 14; /* Ethernet */
8133 off_nl = 0; /* Ethernet II */
8134 off_nl_nosnap = 3; /* 802.3+802.2 */
8138 /* Get all LLC-encapsulated packets */
8140 bpf_error("'llc' supported only on raw ATM");
8141 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8152 * Filtering for MTP2 messages based on li value
8153 * FISU, length is null
8154 * LSSU, length is 1 or 2
8155 * MSU, length is 3 or more
8158 gen_mtp2type_abbrev(type)
8161 struct block *b0, *b1;
8166 if ( (linktype != DLT_MTP2) &&
8167 (linktype != DLT_ERF) &&
8168 (linktype != DLT_MTP2_WITH_PHDR) )
8169 bpf_error("'fisu' supported only on MTP2");
8170 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8171 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8175 if ( (linktype != DLT_MTP2) &&
8176 (linktype != DLT_ERF) &&
8177 (linktype != DLT_MTP2_WITH_PHDR) )
8178 bpf_error("'lssu' supported only on MTP2");
8179 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8180 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8185 if ( (linktype != DLT_MTP2) &&
8186 (linktype != DLT_ERF) &&
8187 (linktype != DLT_MTP2_WITH_PHDR) )
8188 bpf_error("'msu' supported only on MTP2");
8189 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8199 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8206 bpf_u_int32 val1 , val2 , val3;
8208 switch (mtp3field) {
8211 if (off_sio == (u_int)-1)
8212 bpf_error("'sio' supported only on SS7");
8213 /* sio coded on 1 byte so max value 255 */
8215 bpf_error("sio value %u too big; max value = 255",
8217 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8218 (u_int)jtype, reverse, (u_int)jvalue);
8222 if (off_opc == (u_int)-1)
8223 bpf_error("'opc' supported only on SS7");
8224 /* opc coded on 14 bits so max value 16383 */
8226 bpf_error("opc value %u too big; max value = 16383",
8228 /* the following instructions are made to convert jvalue
8229 * to the form used to write opc in an ss7 message*/
8230 val1 = jvalue & 0x00003c00;
8232 val2 = jvalue & 0x000003fc;
8234 val3 = jvalue & 0x00000003;
8236 jvalue = val1 + val2 + val3;
8237 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8238 (u_int)jtype, reverse, (u_int)jvalue);
8242 if (off_dpc == (u_int)-1)
8243 bpf_error("'dpc' supported only on SS7");
8244 /* dpc coded on 14 bits so max value 16383 */
8246 bpf_error("dpc value %u too big; max value = 16383",
8248 /* the following instructions are made to convert jvalue
8249 * to the forme used to write dpc in an ss7 message*/
8250 val1 = jvalue & 0x000000ff;
8252 val2 = jvalue & 0x00003f00;
8254 jvalue = val1 + val2;
8255 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8256 (u_int)jtype, reverse, (u_int)jvalue);
8260 if (off_sls == (u_int)-1)
8261 bpf_error("'sls' supported only on SS7");
8262 /* sls coded on 4 bits so max value 15 */
8264 bpf_error("sls value %u too big; max value = 15",
8266 /* the following instruction is made to convert jvalue
8267 * to the forme used to write sls in an ss7 message*/
8268 jvalue = jvalue << 4;
8269 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8270 (u_int)jtype,reverse, (u_int)jvalue);
8279 static struct block *
8280 gen_msg_abbrev(type)
8286 * Q.2931 signalling protocol messages for handling virtual circuits
8287 * establishment and teardown
8292 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8296 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8300 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8304 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8308 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8311 case A_RELEASE_DONE:
8312 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8322 gen_atmmulti_abbrev(type)
8325 struct block *b0, *b1;
8331 bpf_error("'oam' supported only on raw ATM");
8332 b1 = gen_atmmulti_abbrev(A_OAMF4);
8337 bpf_error("'oamf4' supported only on raw ATM");
8339 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8340 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8342 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8348 * Get Q.2931 signalling messages for switched
8349 * virtual connection
8352 bpf_error("'connectmsg' supported only on raw ATM");
8353 b0 = gen_msg_abbrev(A_SETUP);
8354 b1 = gen_msg_abbrev(A_CALLPROCEED);
8356 b0 = gen_msg_abbrev(A_CONNECT);
8358 b0 = gen_msg_abbrev(A_CONNECTACK);
8360 b0 = gen_msg_abbrev(A_RELEASE);
8362 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8364 b0 = gen_atmtype_abbrev(A_SC);
8370 bpf_error("'metaconnect' supported only on raw ATM");
8371 b0 = gen_msg_abbrev(A_SETUP);
8372 b1 = gen_msg_abbrev(A_CALLPROCEED);
8374 b0 = gen_msg_abbrev(A_CONNECT);
8376 b0 = gen_msg_abbrev(A_RELEASE);
8378 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8380 b0 = gen_atmtype_abbrev(A_METAC);
projects / FreeBSD / releng / 9.0.git / blob