libpcap/pcap/bpf.h

a85e14b0SPeter Avalos/*-
a85e14b0SPeter Avalos * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
a85e14b0SPeter Avalos *	The Regents of the University of California.  All rights reserved.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * This code is derived from the Stanford/CMU enet packet filter,
a85e14b0SPeter Avalos * (net/enet.c) distributed as part of 4.3BSD, and code contributed
a85e14b0SPeter Avalos * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
a85e14b0SPeter Avalos * Berkeley Laboratory.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * Redistribution and use in source and binary forms, with or without
a85e14b0SPeter Avalos * modification, are permitted provided that the following conditions
a85e14b0SPeter Avalos * are met:
a85e14b0SPeter Avalos * 1. Redistributions of source code must retain the above copyright
a85e14b0SPeter Avalos *    notice, this list of conditions and the following disclaimer.
a85e14b0SPeter Avalos * 2. Redistributions in binary form must reproduce the above copyright
a85e14b0SPeter Avalos *    notice, this list of conditions and the following disclaimer in the
a85e14b0SPeter Avalos *    documentation and/or other materials provided with the distribution.
3a289941SAaron LI * 3. Neither the name of the University nor the names of its contributors
a85e14b0SPeter Avalos *    may be used to endorse or promote products derived from this software
a85e14b0SPeter Avalos *    without specific prior written permission.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
a85e14b0SPeter Avalos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
a85e14b0SPeter Avalos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
a85e14b0SPeter Avalos * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
a85e14b0SPeter Avalos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
a85e14b0SPeter Avalos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
a85e14b0SPeter Avalos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
a85e14b0SPeter Avalos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
a85e14b0SPeter Avalos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
a85e14b0SPeter Avalos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
a85e14b0SPeter Avalos * SUCH DAMAGE.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * This is libpcap's cut-down version of bpf.h; it includes only
a85e14b0SPeter Avalos * the stuff needed for the code generator and the userland BPF
a85e14b0SPeter Avalos * interpreter, and the libpcap APIs for setting filters, etc..
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * "pcap-bpf.c" will include the native OS version, as it deals with
a85e14b0SPeter Avalos * the OS's BPF implementation.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * At least two programs found by Google Code Search explicitly includes
a85e14b0SPeter Avalos * <pcap/bpf.h> (even though <pcap.h>/<pcap/pcap.h> includes it for you),
a85e14b0SPeter Avalos * so moving that stuff to <pcap/pcap.h> would break the build for some
a85e14b0SPeter Avalos * programs.
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * If we've already included <net/bpf.h>, don't re-define this stuff.
a85e14b0SPeter Avalos * We assume BSD-style multiple-include protection in <net/bpf.h>,
a85e14b0SPeter Avalos * which is true of all but the oldest versions of FreeBSD and NetBSD,
a85e14b0SPeter Avalos * or Tru64 UNIX-style multiple-include protection (or, at least,
a85e14b0SPeter Avalos * Tru64 UNIX 5.x-style; I don't have earlier versions available to check),
a85e14b0SPeter Avalos * or AIX-style multiple-include protection (or, at least, AIX 5.x-style;
97a9217aSAntonio Huete Jimenez * I don't have earlier versions available to check), or QNX-style
97a9217aSAntonio Huete Jimenez * multiple-include protection (as per GitHub pull request #394).
a85e14b0SPeter Avalos *
*ea16f64eSAntonio Huete Jimenez * We trust that they will define structures and macros and types in
*ea16f64eSAntonio Huete Jimenez * a fashion that's source-compatible and binary-compatible with our
*ea16f64eSAntonio Huete Jimenez * definitions.
*ea16f64eSAntonio Huete Jimenez *
a85e14b0SPeter Avalos * We do not check for BPF_MAJOR_VERSION, as that's defined by
a85e14b0SPeter Avalos * <linux/filter.h>, which is directly or indirectly included in some
a85e14b0SPeter Avalos * programs that also include pcap.h, and <linux/filter.h> doesn't
*ea16f64eSAntonio Huete Jimenez * define stuff we need.  We *do* protect against <linux/filter.h>
*ea16f64eSAntonio Huete Jimenez * defining various macros for BPF code itself; <linux/filter.h> says
*ea16f64eSAntonio Huete Jimenez *
*ea16f64eSAntonio Huete Jimenez *	Try and keep these values and structures similar to BSD, especially
*ea16f64eSAntonio Huete Jimenez *	the BPF code definitions which need to match so you can share filters
*ea16f64eSAntonio Huete Jimenez *
*ea16f64eSAntonio Huete Jimenez * so we trust that it will define them in a fashion that's source-compatible
*ea16f64eSAntonio Huete Jimenez * and binary-compatible with our definitions.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * This also provides our own multiple-include protection.
a85e14b0SPeter Avalos */
97a9217aSAntonio Huete Jimenez#if !defined(_NET_BPF_H_) && !defined(_NET_BPF_H_INCLUDED) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h)
a85e14b0SPeter Avalos#define lib_pcap_bpf_h
a85e14b0SPeter Avalos
3a289941SAaron LI#include <pcap/funcattrs.h>
97a9217aSAntonio Huete Jimenez
*ea16f64eSAntonio Huete Jimenez#include <pcap/dlt.h>
*ea16f64eSAntonio Huete Jimenez
a85e14b0SPeter Avalos#ifdef __cplusplus
a85e14b0SPeter Avalosextern "C" {
a85e14b0SPeter Avalos#endif
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/* BSD style release date */
a85e14b0SPeter Avalos#define BPF_RELEASE 199606
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos#ifdef MSDOS /* must be 32-bit */
a85e14b0SPeter Avalostypedef long          bpf_int32;
a85e14b0SPeter Avalostypedef unsigned long bpf_u_int32;
a85e14b0SPeter Avalos#else
a85e14b0SPeter Avalostypedef	int bpf_int32;
a85e14b0SPeter Avalostypedef	u_int bpf_u_int32;
a85e14b0SPeter Avalos#endif
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * Alignment macros.  BPF_WORDALIGN rounds up to the next
a85e14b0SPeter Avalos * even multiple of BPF_ALIGNMENT.
a85e14b0SPeter Avalos *
a85e14b0SPeter Avalos * Tcpdump's print-pflog.c uses this, so we define it here.
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalos#ifndef __NetBSD__
a85e14b0SPeter Avalos#define BPF_ALIGNMENT sizeof(bpf_int32)
a85e14b0SPeter Avalos#else
a85e14b0SPeter Avalos#define BPF_ALIGNMENT sizeof(long)
a85e14b0SPeter Avalos#endif
a85e14b0SPeter Avalos#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * Structure for "pcap_compile()", "pcap_setfilter()", etc..
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalosstruct bpf_program {
a85e14b0SPeter Avalos	u_int bf_len;
a85e14b0SPeter Avalos	struct bpf_insn *bf_insns;
a85e14b0SPeter Avalos};
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * The instruction encodings.
97a9217aSAntonio Huete Jimenez *
97a9217aSAntonio Huete Jimenez * Please inform tcpdump-workers@lists.tcpdump.org if you use any
97a9217aSAntonio Huete Jimenez * of the reserved values, so that we can note that they're used
97a9217aSAntonio Huete Jimenez * (and perhaps implement it in the reference BPF implementation
97a9217aSAntonio Huete Jimenez * and encourage its implementation elsewhere).
a85e14b0SPeter Avalos */
97a9217aSAntonio Huete Jimenez
97a9217aSAntonio Huete Jimenez/*
97a9217aSAntonio Huete Jimenez * The upper 8 bits of the opcode aren't used. BSD/OS used 0x8000.
97a9217aSAntonio Huete Jimenez */
97a9217aSAntonio Huete Jimenez
a85e14b0SPeter Avalos/* instruction classes */
a85e14b0SPeter Avalos#define BPF_CLASS(code) ((code) & 0x07)
a85e14b0SPeter Avalos#define		BPF_LD		0x00
a85e14b0SPeter Avalos#define		BPF_LDX		0x01
a85e14b0SPeter Avalos#define		BPF_ST		0x02
a85e14b0SPeter Avalos#define		BPF_STX		0x03
a85e14b0SPeter Avalos#define		BPF_ALU		0x04
a85e14b0SPeter Avalos#define		BPF_JMP		0x05
a85e14b0SPeter Avalos#define		BPF_RET		0x06
a85e14b0SPeter Avalos#define		BPF_MISC	0x07
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/* ld/ldx fields */
a85e14b0SPeter Avalos#define BPF_SIZE(code)	((code) & 0x18)
a85e14b0SPeter Avalos#define		BPF_W		0x00
a85e14b0SPeter Avalos#define		BPF_H		0x08
a85e14b0SPeter Avalos#define		BPF_B		0x10
97a9217aSAntonio Huete Jimenez/*				0x18	reserved; used by BSD/OS */
a85e14b0SPeter Avalos#define BPF_MODE(code)	((code) & 0xe0)
a85e14b0SPeter Avalos#define		BPF_IMM 	0x00
a85e14b0SPeter Avalos#define		BPF_ABS		0x20
a85e14b0SPeter Avalos#define		BPF_IND		0x40
a85e14b0SPeter Avalos#define		BPF_MEM		0x60
a85e14b0SPeter Avalos#define		BPF_LEN		0x80
a85e14b0SPeter Avalos#define		BPF_MSH		0xa0
97a9217aSAntonio Huete Jimenez/*				0xc0	reserved; used by BSD/OS */
97a9217aSAntonio Huete Jimenez/*				0xe0	reserved; used by BSD/OS */
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/* alu/jmp fields */
a85e14b0SPeter Avalos#define BPF_OP(code)	((code) & 0xf0)
a85e14b0SPeter Avalos#define		BPF_ADD		0x00
a85e14b0SPeter Avalos#define		BPF_SUB		0x10
a85e14b0SPeter Avalos#define		BPF_MUL		0x20
a85e14b0SPeter Avalos#define		BPF_DIV		0x30
a85e14b0SPeter Avalos#define		BPF_OR		0x40
a85e14b0SPeter Avalos#define		BPF_AND		0x50
a85e14b0SPeter Avalos#define		BPF_LSH		0x60
a85e14b0SPeter Avalos#define		BPF_RSH		0x70
a85e14b0SPeter Avalos#define		BPF_NEG		0x80
97a9217aSAntonio Huete Jimenez#define		BPF_MOD		0x90
97a9217aSAntonio Huete Jimenez#define		BPF_XOR		0xa0
97a9217aSAntonio Huete Jimenez/*				0xb0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xc0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xd0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xe0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xf0	reserved */
97a9217aSAntonio Huete Jimenez
a85e14b0SPeter Avalos#define		BPF_JA		0x00
a85e14b0SPeter Avalos#define		BPF_JEQ		0x10
a85e14b0SPeter Avalos#define		BPF_JGT		0x20
a85e14b0SPeter Avalos#define		BPF_JGE		0x30
a85e14b0SPeter Avalos#define		BPF_JSET	0x40
97a9217aSAntonio Huete Jimenez/*				0x50	reserved; used on BSD/OS */
97a9217aSAntonio Huete Jimenez/*				0x60	reserved */
97a9217aSAntonio Huete Jimenez/*				0x70	reserved */
97a9217aSAntonio Huete Jimenez/*				0x80	reserved */
97a9217aSAntonio Huete Jimenez/*				0x90	reserved */
97a9217aSAntonio Huete Jimenez/*				0xa0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xb0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xc0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xd0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xe0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xf0	reserved */
a85e14b0SPeter Avalos#define BPF_SRC(code)	((code) & 0x08)
a85e14b0SPeter Avalos#define		BPF_K		0x00
a85e14b0SPeter Avalos#define		BPF_X		0x08
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/* ret - BPF_K and BPF_X also apply */
a85e14b0SPeter Avalos#define BPF_RVAL(code)	((code) & 0x18)
a85e14b0SPeter Avalos#define		BPF_A		0x10
97a9217aSAntonio Huete Jimenez/*				0x18	reserved */
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/* misc */
a85e14b0SPeter Avalos#define BPF_MISCOP(code) ((code) & 0xf8)
a85e14b0SPeter Avalos#define		BPF_TAX		0x00
97a9217aSAntonio Huete Jimenez/*				0x08	reserved */
97a9217aSAntonio Huete Jimenez/*				0x10	reserved */
97a9217aSAntonio Huete Jimenez/*				0x18	reserved */
97a9217aSAntonio Huete Jimenez/* #define	BPF_COP		0x20	NetBSD "coprocessor" extensions */
97a9217aSAntonio Huete Jimenez/*				0x28	reserved */
97a9217aSAntonio Huete Jimenez/*				0x30	reserved */
97a9217aSAntonio Huete Jimenez/*				0x38	reserved */
97a9217aSAntonio Huete Jimenez/* #define	BPF_COPX	0x40	NetBSD "coprocessor" extensions */
97a9217aSAntonio Huete Jimenez/*					also used on BSD/OS */
97a9217aSAntonio Huete Jimenez/*				0x48	reserved */
97a9217aSAntonio Huete Jimenez/*				0x50	reserved */
97a9217aSAntonio Huete Jimenez/*				0x58	reserved */
97a9217aSAntonio Huete Jimenez/*				0x60	reserved */
97a9217aSAntonio Huete Jimenez/*				0x68	reserved */
97a9217aSAntonio Huete Jimenez/*				0x70	reserved */
97a9217aSAntonio Huete Jimenez/*				0x78	reserved */
a85e14b0SPeter Avalos#define		BPF_TXA		0x80
97a9217aSAntonio Huete Jimenez/*				0x88	reserved */
97a9217aSAntonio Huete Jimenez/*				0x90	reserved */
97a9217aSAntonio Huete Jimenez/*				0x98	reserved */
97a9217aSAntonio Huete Jimenez/*				0xa0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xa8	reserved */
97a9217aSAntonio Huete Jimenez/*				0xb0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xb8	reserved */
97a9217aSAntonio Huete Jimenez/*				0xc0	reserved; used on BSD/OS */
97a9217aSAntonio Huete Jimenez/*				0xc8	reserved */
97a9217aSAntonio Huete Jimenez/*				0xd0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xd8	reserved */
97a9217aSAntonio Huete Jimenez/*				0xe0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xe8	reserved */
97a9217aSAntonio Huete Jimenez/*				0xf0	reserved */
97a9217aSAntonio Huete Jimenez/*				0xf8	reserved */
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * The instruction data structure.
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalosstruct bpf_insn {
a85e14b0SPeter Avalos	u_short	code;
a85e14b0SPeter Avalos	u_char 	jt;
a85e14b0SPeter Avalos	u_char 	jf;
a85e14b0SPeter Avalos	bpf_u_int32 k;
a85e14b0SPeter Avalos};
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * Macros for insn array initializers.
*ea16f64eSAntonio Huete Jimenez *
*ea16f64eSAntonio Huete Jimenez * In case somebody's included <linux/filter.h>, or something else that
*ea16f64eSAntonio Huete Jimenez * gives the kernel's definitions of BPF statements, get rid of its
*ea16f64eSAntonio Huete Jimenez * definitions, so we can supply ours instead.  If some kernel's
*ea16f64eSAntonio Huete Jimenez * definitions aren't *binary-compatible* with what BPF has had
*ea16f64eSAntonio Huete Jimenez * since it first sprung from the brows of Van Jacobson and Steve
*ea16f64eSAntonio Huete Jimenez * McCanne, that kernel should be fixed.
a85e14b0SPeter Avalos */
*ea16f64eSAntonio Huete Jimenez#ifdef BPF_STMT
*ea16f64eSAntonio Huete Jimenez#undef BPF_STMT
*ea16f64eSAntonio Huete Jimenez#endif
a85e14b0SPeter Avalos#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
*ea16f64eSAntonio Huete Jimenez#ifdef BPF_JUMP
*ea16f64eSAntonio Huete Jimenez#undef BPF_JUMP
*ea16f64eSAntonio Huete Jimenez#endif
a85e14b0SPeter Avalos#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
a85e14b0SPeter Avalos
*ea16f64eSAntonio Huete JimenezPCAP_AVAILABLE_0_4
97a9217aSAntonio Huete JimenezPCAP_API u_int	bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
a85e14b0SPeter Avalos
*ea16f64eSAntonio Huete JimenezPCAP_AVAILABLE_0_6
*ea16f64eSAntonio Huete JimenezPCAP_API int	bpf_validate(const struct bpf_insn *f, int len);
*ea16f64eSAntonio Huete Jimenez
*ea16f64eSAntonio Huete JimenezPCAP_AVAILABLE_0_4
*ea16f64eSAntonio Huete JimenezPCAP_API char	*bpf_image(const struct bpf_insn *, int);
*ea16f64eSAntonio Huete Jimenez
*ea16f64eSAntonio Huete JimenezPCAP_AVAILABLE_0_6
*ea16f64eSAntonio Huete JimenezPCAP_API void	bpf_dump(const struct bpf_program *, int);
*ea16f64eSAntonio Huete Jimenez
a85e14b0SPeter Avalos/*
a85e14b0SPeter Avalos * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
a85e14b0SPeter Avalos */
a85e14b0SPeter Avalos#define BPF_MEMWORDS 16
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos#ifdef __cplusplus
a85e14b0SPeter Avalos}
a85e14b0SPeter Avalos#endif
a85e14b0SPeter Avalos
a85e14b0SPeter Avalos#endif /* !defined(_NET_BPF_H_) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h) */