packets (based on the Ethernet type). "pppoes" has the side-effect that
subsequent filter expressions will test the PPP header and headers
in the PPP payload, not the link-layer header and headers in the
link-layer payload.
to -1, set a "we're doing MPLS" flag, and check that flag rather than
checking for an off_linktype of -1; off_linktype can be -1 for reasons
having nothing to do with MPLS (e.g., a DLT_ of DLT_RAW), and those
should be handled as they have traditionally been.
Rename "gen_null()" to "gen_mpls_linktype()" to make it clearer what it
does (it checks the MPLS stack as well as the IP header).
centralize the MPLS check into gen_linktype() and backout the
specific checks in gen_proto_abrev(), gen_proto(), gen_host()
this adds as a by-product support for IPv6
if we have a MPLS label stack deeper > 1 then generate a match
for a cleared bottom-of-stack-bit of the previous MPLS shim header
rather than just incrementing the offset;
if there is a compined expression of MPLS and IP like e.g.
"mpls && ip" | "mpls && ip host" | "mpls && ip src net"
then poison the linkoffset to make sure that other code generators
do not try to match link-layer protos like Q_ARP, Q_RARP etc.
introduce a new function gen_null() that matches against the first nibble
of the IP header and matches if the bottom-of-stack bit is set;
TODO: IPv6 stuff i.e. gen_host6() etc.
the mpls stack processing is broken:
for example "mpls 10000 && mpls 20000" does produce
reading from file ppp.pcap, link-type PPP (PPP)
(000) ldh [2]
(001) jeq #0x00000281 jt 2 jf 11
(002) ld [4]
(003) and #0xfffff000
(004) jeq #0x02710000 jt 5 jf 11
(005) ldh [6]
(006) jeq #0x00000281 jt 7 jf 11
(007) ld [8]
(008) and #0xfffff000
(009) jeq #0x04e20000 jt 10 jf 11
(010) ret #1514
(011) ret #0
the extra match for 0x281 at instruction #6 is broken and
a copy&paste artifact from the vlan code generator, which
in contrast does require the VLAN tag 0x8100 at every instance
inside a VLAN stack;
correct code should be:
(000) ldh [2]
(001) jeq #0x281 jt 2 jf 9
(002) ld [4]
(003) and #0xfffff000
(004) jeq #0x2710000 jt 5 jf 9
(005) ld [8]
(006) and #0xfffff000
(007) jeq #0x4e20000 jt 8 jf 9
(008) ret #1514
(009) ret #0
including those with fixed-length radio headers (it already refers to
the 802.11 header for radiotap).
Add a new "radio" keyword, to allow access to the radio header. In
theory, something to allow testing for specific signal strengths, etc.
might be useful, but radiotap makes that difficult as the code can't
loop through the header looking for the signal strength field, the loop
has to be unrolled, and some of the other headers might not have
standardized the meaning of some of the fields, so we require the user
to construct such a filter themselves, for now.
value arguments are to other routines. Do the same with the value
argument to "gen_atmfield_code()".
"gen_load_a()" can return more than one statement; append to the list of
statements it returns with "sappend()", rather than manually appending
to the first statement.
Fix the argument list to one "gen_ncmp()" call, and get rid of the casts
in the other calls, as the arguments already have the right types.
Fix the casts in calls to "gen_atmfield_code()".
takes an argument indicating what the offset is relative to.
Make the various comparison generators take an argument of that sort as
well.
Tweak the arguments to "gen_ncmp()" to match those of the other
comparison routines, and make all the other comparison routines just
call "gen_ncmp()".
of the link-layer, network-layer, and transport-layer (assuming the
network layer is IPv4) headers. This makes it a bit clearer what stuff
would be changed for variable-length link-layer headers or
variable-length pseudo-headers before the link-layer header.
don't have __attribute__ support in the compiler.
While we're at it, get rid of the declaration of bpf_error() in
gencode.c, as it's already declared in gencode.h.
What it does includes checking whether the packet is of the type
specified by the <proto> argument, so there's no need to add such a
check when checking whether the ISO protocol type field has a particular
value; remove the extra check against the ISO protocol.
Fix a typo in a comment.
"gen_ether_linktype()" and "gen_linux_sll_linktype()", as well as
"gen_linktype()".
Add comments for those routines to indicate how they handle the protocol
type argument.
In "gen_linux_sll_linktype()", merge together the handling of
LLCSAP_ISONS, LLCSAP_IP, and LLCSAP_NETBEUI, as was done in
"gen_ether_linktype()" and "gen_llc_linktype()".
Merge the code to handle the LLCSAP_ISONS, LLCSAP_IP, and
LLCSAP_NETBEUI.
"gen_ether_linktype()" already handles SAPs as protocol IDs; just use it
for Ethernet, rather than using "gen_llc()" (which isn't prepared to
handle Ethernet, with off_linktype pointing to the type/length field
rather than the DSAP).
That also means that "gen_linktype(LLCSAP_ISONS)" can be used to test
for OSI packets on Ethernet.
Expand some comments.
Fix a typo ("off_nl = +4" should've been "off_nl += 4").
by checking the proto against the ethermtu and bumping
the link-layer offset by two.
-add support for vlan and mpls hierarchies by not absolute
setting offsets but rather incrementing them;
example(s):
mpls 100000 && mpls 1024
=filters for outerlabel 100000 and inner label 1024
vlan 100 && vlan 200
=filters for vlan 200 encapsulated withing vlan 100
vlan 300 && mpls 17
=filters for mpls label 17 encapsulated in vlan 300
rename it again to DLT_PPP_PPPD, and rename other #defines to match.
Add backwards-compatibility #defines of DLT_PPP_WITH_DIRECTION and
DLT_LINUX_PPP_WITHDIRECTION for software that used them.
that require it, and make pcap_fddipad private to the code generator, as
that's the only place that needs it (ideally, all *its* state should be
local as well). This makes opening an FDDI device, on platforms where
the padding is supplied as part of the packet, and opening other types
of devices or opening savefiles in the same program work better, as you
don't have to be sure you compile the filter for a given pcap_t before
opening the next pcap_t.
hannes