/* bpf-engine.h
 * ------------
 * The BPF engine used for offline ("display") filters in wiretap.
 * The code is taken from the Linux Socket Filter, and only slightly
 * modified for use in wiretap.
 *
 * Gilbert Ramirez <gram@verdict.uthscsa.edu>
 */
/*
 * Linux Socket Filter - Kernel level socket filtering
 *
 * Author:
 *     Jay Schulist <Jay.Schulist@spacs.k12.wi.us>
 *
 * Based on the design of:
 *     - The Berkeley Packet Filter
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */
/*
 * Linux Socket Filter Data Structures
 */
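/*
 * Current version of the filter code architecture.
 *
 * Nothing else in this header reads these two values; they only label the
 * revision of the instruction encoding described below.
 */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1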
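/*
 * One BPF instruction.  Each BPF instruction is a block of 8 bytes
 * (2 + 1 + 1 + 4 with the field widths below).
 *
 * The code field is what the BPF_CLASS(), BPF_SIZE(), BPF_MODE(), BPF_OP(),
 * BPF_SRC(), BPF_RVAL() and BPF_MISCOP() macros in this header take apart.
 *
 * NOTE(review): every field is plain data filled in by whoever built the
 * filter program, so nothing in this type constrains the opcode, the jump
 * fields or k.  Presumably bpf_chk_filter() is the place where they are
 * validated before bpf_run_filter() interprets them - confirm in the
 * implementation.
 */
struct bpf_instruction {
	guint16 code;	/* Actual filter code */
	guint8  jt;	/* Jump true */
	guint8  jf;	/* Jump false */
	guint32 k;	/* Generic multiuse field */
};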
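/*
 * An instruction paired with an integer line label.
 *
 * NOTE(review): nothing in this header uses line_label; presumably it lets
 * the code that builds a filter refer to instructions by label - confirm
 * against the users of this struct.
 */
struct bpf_code_unit {
	int line_label;			/* label attached to this instruction */
	struct bpf_instruction bpf;	/* the encoded instruction itself */
};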
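/*
 * Run the filter program (flen instructions at filter) over the len bytes
 * at data.  The meaning of the return value is defined by the
 * implementation and is not visible in this header.
 *
 * NOTE(review): len and flen are signed ints, so negative or oversized
 * values are representable.  Callers should pass the real length of the
 * data buffer and an instruction count between 1 and BPF_MAXINSNS.
 * Presumably a program has to pass bpf_chk_filter() before it is run -
 * confirm in the implementation.
 */
int bpf_run_filter(unsigned char *data, int len, struct bpf_instruction *filter, int flen);

/*
 * Check a filter program of flen instructions.
 *
 * NOTE(review): which properties are verified (known opcodes, jump targets
 * inside the program, scratch-memory indices below BPF_MEMWORDS, a final
 * return instruction) and the return convention are not visible here -
 * confirm them before treating this call as the only gate for a filter
 * that comes from untrusted input.
 */
int bpf_chk_filter(struct bpf_instruction *filter, int flen);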
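/*
 * Instruction classes
 *
 * The class is the low three bits of the instruction code, so the eight
 * values below cover every possible result of BPF_CLASS().
 */
#define BPF_CLASS(code)	((code) & 0x07)
#define		BPF_LD		0x00
#define		BPF_LDX		0x01
#define		BPF_ST		0x02
#define		BPF_STX		0x03
#define		BPF_ALU		0x04
#define		BPF_JMP		0x05
#define		BPF_RET		0x06
#define		BPF_MISC	0x07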
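/*
 * ld/ldx fields
 *
 * BPF_SIZE() keeps bits 3-4 of the code and BPF_MODE() keeps bits 5-7.
 * Both masks admit values that have no name here (size 0x18, modes 0xc0
 * and 0xe0), so an instruction can carry a size or mode this header does
 * not define.
 *
 * NOTE(review): presumably BPF_ABS/BPF_IND/BPF_MSH read from the packet at
 * an offset derived from k and BPF_MEM reads a scratch word; if so the
 * engine has to bound each access by the data length (or by BPF_MEMWORDS)
 * and reject the unnamed encodings - confirm in the implementation.
 */
#define BPF_SIZE(code)	((code) & 0x18)
#define		BPF_W		0x00
#define		BPF_H		0x08
#define		BPF_B		0x10
#define BPF_MODE(code)	((code) & 0xe0)
#define		BPF_IMM		0x00
#define		BPF_ABS		0x20
#define		BPF_IND		0x40
#define		BPF_MEM		0x60
#define		BPF_LEN		0x80
#define		BPF_MSH		0xa0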
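/*
 * alu/jmp fields
 *
 * BPF_OP() keeps the high nibble of the low byte of the code and BPF_SRC()
 * keeps bit 3.  The ALU names (BPF_ADD .. BPF_NEG) and the jump names
 * (BPF_JA .. BPF_JSET) reuse the same numeric values, so which set applies
 * depends on the instruction class.  The mask also admits values with no
 * name here (0x90-0xf0 for ALU, 0x50-0xf0 for jumps).
 *
 * NOTE(review): BPF_DIV with a zero divisor and BPF_LSH/BPF_RSH with a
 * count of 32 or more are undefined in C if passed straight through to
 * the operators; confirm the engine guards both, and that it rejects the
 * unnamed encodings.
 */
#define BPF_OP(code)	((code) & 0xf0)
#define		BPF_ADD		0x00
#define		BPF_SUB		0x10
#define		BPF_MUL		0x20
#define		BPF_DIV		0x30
#define		BPF_OR		0x40
#define		BPF_AND		0x50
#define		BPF_LSH		0x60
#define		BPF_RSH		0x70
#define		BPF_NEG		0x80
#define		BPF_JA		0x00
#define		BPF_JEQ		0x10
#define		BPF_JGT		0x20
#define		BPF_JGE		0x30
#define		BPF_JSET	0x40
#define BPF_SRC(code)	((code) & 0x08)
#define		BPF_K		0x00
#define		BPF_X		0x08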
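/*
 * ret - BPF_K and BPF_X also apply
 *
 * BPF_RVAL() keeps bits 3-4 of the code, the same mask as BPF_SIZE().
 * Three of its four possible values have names (BPF_K 0x00, BPF_X 0x08,
 * BPF_A 0x10); 0x18 has none.
 */
#define BPF_RVAL(code)	((code) & 0x18)
#define		BPF_A		0x10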
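/*
 * misc
 *
 * BPF_MISCOP() keeps bits 3-7 of the code; only two of the resulting
 * values have names here.
 */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define		BPF_TAX		0x00
#define		BPF_TXA		0x80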
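/*
 * NOTE(review): presumably the largest instruction count a filter program
 * may have.  Nothing in this header enforces it; confirm that
 * bpf_chk_filter() rejects an flen that is not in 1..BPF_MAXINSNS.
 */
#define BPF_MAXINSNS 512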
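/*
 * Macros for filter block array initializers.
 *
 * Each expands to a brace initializer in the field order of
 * struct bpf_instruction: code, jt, jf, k.  Note that BPF_JUMP takes its
 * arguments as (code, k, jt, jf), not in field order.  BPF_STMT sets both
 * jump fields to 0.  The code argument is truncated to unsigned short by
 * the cast; jt, jf and k are passed through unchanged.
 */
#define BPF_STMT(code, k) { (unsigned short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k }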
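/*
 * Number of scratch memory words for: BPF_ST and BPF_STX
 *
 * NOTE(review): presumably the k field of a BPF_ST/BPF_STX instruction (and
 * of a BPF_MEM load) selects the scratch word.  If so, k must be below
 * BPF_MEMWORDS before the engine indexes its scratch array with it -
 * confirm that the filter check or the interpreter enforces this.
 */
#define BPF_MEMWORDS 16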