1 /*-
2  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from the Stanford/CMU enet packet filter,
6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8  * Berkeley Laboratory.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. All advertising materials mentioning features or use of this software
19  *    must display the following acknowledgement:
20  *      This product includes software developed by the University of
21  *      California, Berkeley and its contributors.
22  * 4. Neither the name of the University nor the names of its contributors
23  *    may be used to endorse or promote products derived from this software
24  *    without specific prior written permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  *
38  *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
39  *
40  * @(#) $Header: /usr/cvsroot_private/winpcap/packetNtx/driver/win_bpf.h,v 1.2.2.1 2005/12/02 22:12:58 gianlucav Exp $ (LBL)
41  */
42 
43 #ifndef BPF_MAJOR_VERSION	/* include guard: BPF_MAJOR_VERSION is defined further down in this header */
44 
45 /* BSD style release date */
46 #define BPF_RELEASE 199606
47 
48 #ifdef WIN_NT_DRIVER
49 #include <ndis.h>	/* included only when WIN_NT_DRIVER is defined */
50 #endif
51 
52 
53 #include "tme.h"	/* presumably declares PMEM_TYPE and PTME_CORE used by the prototypes below - TODO confirm */
54 #include "time_calls.h"	/* presumably declares struct time_conv used by the prototypes below - TODO confirm */
55 
56 typedef	UCHAR u_char;	/* BSD-style names mapped onto the Windows base types */
57 typedef	USHORT u_short;
58 
59 #ifdef WIN_NT_DRIVER
60 typedef	ULONG u_int;	/* defined here only when WIN_NT_DRIVER is set; other builds must get u_int from elsewhere */
61 #endif
62 
63 typedef	LONG bpf_int32;
64 typedef	ULONG bpf_u_int32;
65 typedef	ULONG u_int32;
66 
67 #define BPF_MAXINSNS 512	/* presumably the largest instruction count accepted in a filter program; NOTE(review): confirm it is enforced on bpf_program.bf_len before the program is validated */
68 #define BPF_MAXBUFSIZE 0x8000	/* 32768; presumably a size in bytes - TODO confirm which buffer it bounds */
69 #define BPF_MINBUFSIZE 32	/* presumably the matching lower bound - TODO confirm */
70 
71 /*
72  * The instruction data structure: one filter instruction, in the field order produced by the BPF_STMT()/BPF_JUMP() initializer macros.
73  */
74 struct bpf_insn {
75 	u_short	code;	/* opcode; its fields are extracted with BPF_CLASS(), BPF_SIZE(), BPF_MODE(), BPF_OP(), BPF_SRC(), BPF_RVAL() and BPF_MISCOP() */
76 	u_char 	jt;	/* BPF_JUMP() argument jt; presumably the jump offset taken when the test is true - TODO confirm */
77 	u_char 	jf;	/* BPF_JUMP() argument jf; presumably the jump offset taken when the test is false - TODO confirm */
78 	bpf_u_int32 k;	/* generic operand field (argument k of BPF_STMT()/BPF_JUMP()) */
79 };
80 
81 /*
82  *  Structure for BIOCSETF: describes a filter program as an instruction count plus a pointer to the instructions.
83  */
84 struct bpf_program {
85 	u_int bf_len;	/* presumably the number of bpf_insn entries at bf_insns; NOTE(review): a caller-supplied count, so it should be bounded (cf. BPF_MAXINSNS) before it is used - confirm */
86 	struct bpf_insn *bf_insns;	/* the instructions; NOTE(review): a program arriving from user level is expected to pass bpf_validate() before it is executed */
87 };
88 
89 /*
90  * Struct returned by BIOCGSTATS: capture counters kept by the driver.
91  */
92 struct bpf_stat {
93 	UINT bs_recv;		///< Number of packets that the driver received from the network adapter
94 						///< from the beginning of the current capture. This value includes the packets
95 						///< lost by the driver.
96 	UINT bs_drop;		///< Number of packets that the driver lost from the beginning of a capture.
97 						///< Basically, a packet is lost when the buffer of the driver is full.
98 						///< In this situation the packet cannot be stored and the driver rejects it.
99 	UINT ps_ifdrop;		///< Drops by interface. XXX not yet supported. (Note the ps_ prefix; the other members use bs_.)
100 	UINT bs_capt;		///< Number of packets that pass the filter, find place in the kernel buffer and
101 						///< thus reach the application.
102 };
103 
104 /*
105  * Struct returned by BIOCVERSION.  This represents the version number of
106  * the filter language described by the instruction encodings below.
107  * bpf understands a program iff kernel_major == filter_major &&
108  * kernel_minor >= filter_minor, that is, if the value returned by the
109  * running kernel has the same major number and a minor number equal
110  * to or less than the filter being downloaded.  Otherwise, the
111  * results are undefined, meaning an error may be returned or packets
112  * may be accepted haphazardly.
113  * It has nothing to do with the source code version.  NOTE(review): the expression requires kernel_minor >= filter_minor while the sentence says "equal to or less than"; the two disagree, presumably the expression is the intended rule - confirm.
114  */
115 struct bpf_version {
116 	u_short bv_major;	/* major number; must match exactly according to the rule above */
117 	u_short bv_minor;	/* minor number; compared as described in the rule above */
118 };
119 /* Current version number of filter architecture. */
120 #define BPF_MAJOR_VERSION 1	/* also the macro tested by the #ifndef that opens this header */
121 #define BPF_MINOR_VERSION 1
122 
123 
124 /*
125  * Structure prepended to each packet.  NOTE(review): code that walks a buffer of these records should check bh_hdrlen and bh_caplen against the bytes remaining in the buffer before following them.
126  */
127 struct bpf_hdr {
128 	struct timeval	bh_tstamp;	/* time stamp */
129 	bpf_u_int32	bh_caplen;	/* length of captured portion; presumably never larger than bh_datalen - TODO confirm */
130 	bpf_u_int32	bh_datalen;	/* original length of packet */
131 	u_short		bh_hdrlen;	/* length of bpf header (this struct
132 					   plus alignment padding) */
133 };
134 
135 /*
136  * Data-link level type codes.  The values defined in this header are not contiguous: 13, 14, 17 and 18, for example, have no definition here.
137  */
138 
139 /*
140  * These are the types that are the same on all platforms; on other
141  * platforms, a <net/bpf.h> should be supplied that defines the additional
142  * DLT_* codes appropriately for that platform (the BSDs, for example,
143  * should not just pick up this version of "bpf.h"; they should also define
144  * the additional DLT_* codes used by their kernels, as well as the values
145  * defined here - and, if the values they use for particular DLT_ types
146  * differ from those here, they should use their values, not the ones
147  * here).
148  */
149 #define DLT_NULL	0	/* no link-layer encapsulation */
150 #define DLT_EN10MB	1	/* Ethernet (10Mb) */
151 #define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
152 #define DLT_AX25	3	/* Amateur Radio AX.25 */
153 #define DLT_PRONET	4	/* Proteon ProNET Token Ring */
154 #define DLT_CHAOS	5	/* Chaos */
155 #define DLT_IEEE802	6	/* IEEE 802 Networks */
156 #define DLT_ARCNET	7	/* ARCNET */
157 #define DLT_SLIP	8	/* Serial Line IP */
158 #define DLT_PPP		9	/* Point-to-point Protocol */
159 #define DLT_FDDI	10	/* FDDI */
160 
161 /*
162  * These are values from the traditional libpcap "bpf.h".
163  * Ports of this to particular platforms should replace these definitions
164  * with the ones appropriate to that platform, if the values are
165  * different on that platform.
166  */
167 #define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated ATM */
168 #define DLT_RAW		12	/* raw IP */
169 
170 /*
171  * These are values from BSD/OS's "bpf.h".
172  * These are not the same as the values from the traditional libpcap
173  * "bpf.h"; however, these values shouldn't be generated by any
174  * OS other than BSD/OS, so the correct values to use here are the
175  * BSD/OS values.
176  *
177  * Platforms that have already assigned these values to other
178  * DLT_ codes, however, should give these codes the values
179  * from that platform, so that programs that use these codes will
180  * continue to compile - even though they won't correctly read
181  * files of these types.
182  */
183 #define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
184 #define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
185 
186 #define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */
187 
188 /*
189  * This value is defined by NetBSD; other platforms should refrain from
190  * using it for other purposes, so that NetBSD savefiles with a link
191  * type of 50 can be read as this type on all platforms.
192  */
193 #define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
194 
195 /*
196  * This value was defined by libpcap 0.5; platforms that have defined
197  * it with a different value should define it here with that value -
198  * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
199  * whatever value that happens to be, so programs will correctly
200  * handle files with that link type regardless of the value of
201  * DLT_C_HDLC.
202  *
203  * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
204  * compatibility with programs written for BSD/OS.
205  *
206  * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
207  * for source compatibility with programs written for libpcap 0.5.
208  */
209 #define DLT_C_HDLC	104	/* Cisco HDLC */
210 #define DLT_CHDLC	DLT_C_HDLC	/* alias kept for libpcap 0.5 source compatibility */
211 
212 /*
213  * Reserved for future use.
214  * Do not pick another numerical value for these unless you have also
215  * picked up the tcpdump.org top-of-CVS-tree version of "savefile.c",
216  * which will arrange that capture files for these DLT_ types have
217  * the same "network" value on all platforms, regardless of what
218  * value is chosen for their DLT_ type (thus allowing captures made
219  * on one platform to be read on other platforms, even if the two
220  * platforms don't use the same numerical values for all DLT_ types).
221  */
222 #define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */
223 
224 /*
225  * Values from 106 to 107 are used in capture file headers as
226  * link-layer types corresponding to DLT_ types that might differ
227  * between platforms; don't use those values for new DLT_ types.
228  */
229 
230 /*
231  * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
232  * that the AF_ type in the link-layer header is in network byte order.
233  *
234  * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
235  * define it as 108 here.  If OpenBSD picks up this file, it should
236  * define DLT_LOOP as 12 in its version, as per the comment above -
237  * and should not use 108 for any purpose.
238  */
239 #define DLT_LOOP	108	/* OpenBSD loopback, AF_ type in network byte order */
240 
241 /*
242  * Values from 109 to 112 are used in capture file headers as
243  * link-layer types corresponding to DLT_ types that might differ
244  * between platforms; don't use those values for new DLT_ types.
245  */
246 
247 /*
248  * This is for Linux cooked sockets.
249  */
250 #define DLT_LINUX_SLL	113	/* Linux cooked sockets */
251 
252 /*
253  * The instruction encodings.  Each accessor macro below masks one field out of bpf_insn.code; the indented constants after it are the values that field can take.
254  */
255 /* instruction classes: the low three bits of the opcode (mask 0x07) */
256 #define BPF_CLASS(code) ((code) & 0x07)
257 #define		BPF_LD		0x00
258 #define		BPF_LDX		0x01
259 #define		BPF_ST		0x02
260 #define		BPF_STX		0x03
261 #define		BPF_ALU		0x04
262 #define		BPF_JMP		0x05
263 #define		BPF_RET		0x06
264 #define		BPF_MISC	0x07
265 
266 /* ld/ldx fields: BPF_SIZE is bits 3-4 (mask 0x18), BPF_MODE is bits 5-7 (mask 0xe0) */
267 #define BPF_SIZE(code)	((code) & 0x18)
268 #define		BPF_W		0x00
269 #define		BPF_H		0x08
270 #define		BPF_B		0x10
271 #define BPF_MODE(code)	((code) & 0xe0)
272 #define		BPF_IMM 	0x00
273 #define		BPF_ABS		0x20
274 #define		BPF_IND		0x40
275 #define		BPF_MEM		0x60
276 #define		BPF_LEN		0x80
277 #define		BPF_MSH		0xa0
278 
279 /* alu/jmp fields: BPF_OP is bits 4-7 (mask 0xf0), BPF_SRC is bit 3 (mask 0x08); the ALU and jump operation values share one numeric range (0x00 is both BPF_ADD and BPF_JA) */
280 #define BPF_OP(code)	((code) & 0xf0)
281 #define		BPF_ADD		0x00
282 #define		BPF_SUB		0x10
283 #define		BPF_MUL		0x20
284 #define		BPF_DIV		0x30
285 #define		BPF_OR		0x40
286 #define		BPF_AND		0x50
287 #define		BPF_LSH		0x60
288 #define		BPF_RSH		0x70
289 #define		BPF_NEG		0x80
290 #define		BPF_JA		0x00
291 #define		BPF_JEQ		0x10
292 #define		BPF_JGT		0x20
293 #define		BPF_JGE		0x30
294 #define		BPF_JSET	0x40
295 #define BPF_SRC(code)	((code) & 0x08)
296 #define		BPF_K		0x00
297 #define		BPF_X		0x08
298 
299 /* ret - BPF_K and BPF_X also apply; BPF_RVAL uses the same mask as BPF_SIZE (0x18) */
300 #define BPF_RVAL(code)	((code) & 0x18)
301 #define		BPF_A		0x10
302 
303 /* misc: BPF_MISCOP keeps every bit except the class bits (mask 0xf8) */
304 #define BPF_MISCOP(code) ((code) & 0xf8)
305 #define		BPF_TAX		0x00
306 #define		BPF_TXA		0x80
307 
308 /* TME instructions.  Several values in this group coincide numerically with encodings defined above (0x08 is also BPF_H and BPF_X; 0x80 is also BPF_LEN, BPF_NEG and BPF_TXA); how they are told apart is not visible in this header, presumably by instruction class - TODO confirm.  NOTE(review): a program arriving from user level can carry these opcodes too, so confirm that bpf_validate() covers them. */
309 #define		BPF_TME					0x08
310 
311 #define		BPF_LOOKUP				0x90
312 #define		BPF_EXECUTE				0xa0
313 #define		BPF_INIT				0xb0
314 #define		BPF_VALIDATE			0xc0
315 #define		BPF_SET_ACTIVE			0xd0
316 #define		BPF_RESET				0xe0
317 #define		BPF_SET_MEMORY			0x80
318 #define		BPF_GET_REGISTER_VALUE	0x70
319 #define		BPF_SET_REGISTER_VALUE	0x60
320 #define		BPF_SET_WORKING			0x50
321 #define		BPF_SET_ACTIVE_READ		0x40
322 #define		BPF_SET_AUTODELETION	0x30
323 #define		BPF_SEPARATION			0xff
324 
325 #define		BPF_MEM_EX_IMM	0xc0	/* extended-memory addressing; bpf_validate() takes mem_ex_size to validate LD/ST to that memory */
326 #define		BPF_MEM_EX_IND	0xe0
327 /* used for ST; same value as BPF_MEM_EX_IMM (and as BPF_VALIDATE above) */
328 #define		BPF_MEM_EX		0xc0
329 
330 
331 /*
332  * Macros for insn array initializers.  Each expands to a brace initializer in struct bpf_insn field order (code, jt, jf, k): BPF_STMT zeroes jt and jf, and BPF_JUMP takes k as its second argument although k is stored last.  Only code is cast (to u_short); k, jt and jf are inserted as written.
333  */
334 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
335 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
336 
337 /*
338  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).  NOTE(review): a scratch-memory index taken from a user-supplied instruction has to stay below BPF_MEMWORDS; confirm that bpf_validate() rejects larger values.
339  */
340 #define BPF_MEMWORDS 16
341 
342 #ifdef __cplusplus
343 extern "C"
344 {
345 #endif
346 
347 /*!
348   \brief Validates a filtering program arriving from the user-level app.
349   \param f The filter.
350   \param len Its length, in pseudo instructions.  NOTE(review): declared as a signed int32; how zero or negative values are treated is not stated here - confirm in the implementation.
351   \param mem_ex_size The length of the extended memory, used to validate LD/ST to that memory
352   \return true (presumably any non-zero value, as the return type is int32) if f is a valid filter program.
353 
354   The kernel needs to be able to verify an application's filter code. Otherwise, a bogus program could easily
355   crash the system.
356   This function returns true if f is a valid filter program. The constraints are that each jump be forward and
357   to a valid code.  The code must terminate with either an accept or reject.  NOTE(review): this text does not say whether scratch-memory indices are checked against BPF_MEMWORDS or whether BPF_DIV by a constant zero is rejected - confirm both in the implementation.
358 */
359 int32 bpf_validate(struct bpf_insn *f,int32 len, uint32 mem_ex_size);
360 
361 /*!
362   \brief The filtering pseudo-machine interpreter.
363   \param pc The filter.  No program length is passed to this function; NOTE(review): it presumably relies on the program having been accepted by bpf_validate() beforehand - confirm at every call site.
364   \param p Pointer to a memory buffer containing the packet on which the filter will be executed.
365   \param wirelen Original length of the packet.
366   \param buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM
367   has not yet finished), bpf_filter can be executed on a portion of the packet.
368   \param mem_ex The extended memory.
369   \param tme The virtualization of the TME co-processor
370   \param time_ref Data structure needed by the TME co-processor to timestamp data
371   \return The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that
372    the whole packet must be kept.  As the return type is the unsigned u_int, -1 is seen by the caller as (u_int)-1, i.e. all bits set.
373 
374   \note this function is not used in normal situations, because the jitter creates a native filtering function
375   that is faster than the interpreter.
376 */
377 u_int bpf_filter(register struct bpf_insn *pc,
378 				register UCHAR *p,
379 				u_int wirelen,
380 				register u_int buflen ,
381 				PMEM_TYPE mem_ex,
382 				PTME_CORE tme ,
383 				struct time_conv *time_ref);
384 
385 /*!
386   \brief The filtering pseudo-machine interpreter with two buffers. This function is slower than bpf_filter(),
387   but also works correctly if the MAC header and the data of the packet are in two different buffers.
388   \param pc The filter.  As with bpf_filter(), no program length is passed; NOTE(review): presumably the program must already have been accepted by bpf_validate() - confirm.
389   \param p Pointer to a memory buffer containing the MAC header of the packet.
390   \param pd Pointer to a memory buffer containing the data of the packet.
   \param headersize Not described in the original documentation; presumably the number of bytes in the header buffer p. It is declared as a signed int - TODO confirm its meaning and valid range.
391   \param wirelen Original length of the packet.
392   \param buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM
393   has not yet finished), bpf_filter can be executed on a portion of the packet.
394   \param mem_ex The extended memory.
395   \param tme The virtualization of the TME co-processor
396   \param time_ref Data structure needed by the TME co-processor to timestamp data
397   \return The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that
398    the whole packet must be kept.  As the return type is the unsigned u_int, -1 is seen by the caller as (u_int)-1, i.e. all bits set.
399 
400   This function is used when NDIS passes the packet to NPF_tap() in two buffers rather than in a single one.
401 */
402 u_int bpf_filter_with_2_buffers(register struct bpf_insn *pc,
403 							   register u_char *p,
404 							   register u_char *pd,
405 							   register int headersize,
406 							   u_int wirelen,
407 							   register u_int buflen,
408 							   PMEM_TYPE mem_ex,
409 				               PTME_CORE tme,
410 							   struct time_conv *time_ref);
411 
412 #ifdef __cplusplus
413 }
414 #endif
415 
416 
417 #endif	/* BPF_MAJOR_VERSION (include guard) */
418