Add support for filtering VNTag frames

Add a "vntag" keyword similar to the existing "vlan" and "mpls" keywords to filter on VNTag frames. VNTag was proposed as 802.1Qbh but has been replaced in the standards by 802.1Qbr although some vendors are still using VNTag.

Because VNTag is always followed by VLAN and the following VLAN has the next EtherType, both the VNTag and VLAN have to be present to match and both have to be skipped in processing. So, this commit also adds an optional `vlan [vlan_id]` after the `vntag` keyword to easily filter on the VLAN ID following the VNTag.

Fixes #770

Author: Stefan Baranoff

ethertype.h

@@ -115,6 +115,9 @@
 #ifndef ETHERTYPE_8021AD
 #define ETHERTYPE_8021AD	0x88a8
 #endif
+#ifndef ETHERTYPE_VNTAG
+#define ETHERTYPE_VNTAG		0x8926
+#endif
 #ifndef	ETHERTYPE_LOOPBACK
 #define ETHERTYPE_LOOPBACK	0x9000
 #endif

gencode.c

@@ -10715,3 +10715,60 @@ gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
 	}
 	return b1;
 }
+
+/*
+ * support IEEE 802.1Q VLAN trunk over ethernet
+ */
+struct block *
+gen_vntag(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
+{
+	struct block *b0, *b1;
+
+	/*
+	 * Catch errors reported by us and routines below us, and return NULL
+	 * on an error.
+	 */
+	if (setjmp(cstate->top_ctx))
+		return (NULL);
+
+	/*
+	 * Check for a VNTag packet, and then change the offsets to point
+	 * to the type and data fields within the VLAN after the VNTag packet.
+	 * VNTag always requires VLAN afterwards, and that likely won't be
+	 * offloaded so handle it just like inline VLAN. Apply the same rules
+	 * and restrictions as VLAN, too.
+	 */
+	if (cstate->label_stack_depth > 0)
+		bpf_error(cstate, "no VNTag match after MPLS");
+
+	/* Assume any of the EtherTypes that can have VLAN can also have
+	 * VNTag as well. With VNTag not being accepted as 802.1Qbh but
+	 * being replaced in the standads by 802.1Qbr there's not much to go on
+	 * other than a few vendor proprietary implementations. So, assume that
+	 * because VNTag is tied to VLAN and they're the same in this regard.
+	 */
+	switch (cstate->linktype) {
+	case DLT_EN10MB:
+	case DLT_NETANALYZER:
+	case DLT_NETANALYZER_TRANSPARENT:
+	case DLT_IEEE802_11:
+	case DLT_PRISM_HEADER:
+	case DLT_IEEE802_11_RADIO_AVS:
+	case DLT_IEEE802_11_RADIO:
+		/* Make sure we have a VNTag frame, then jump over it. */
+		b0 = gen_linktype(cstate, ETHERTYPE_VNTAG);
+		cstate->off_linkpl.constant_part += 6;
+		cstate->off_linktype.constant_part += 6;
+		/* There should always be VLAN after VNTag. */
+		b1 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
+		gen_and(b0, b1);
+		break;
+	default:
+		bpf_error(cstate, "no VNTag support for %s",
+		      pcap_datalink_val_to_description_or_dlt(cstate->linktype));
+		/*NOTREACHED*/
+	}
+
+	cstate->vlan_stack_depth++;
+	return (b1);
+}

gencode.h

@@ -352,6 +352,7 @@ struct block *gen_llc_u_subtype(compiler_state_t *, bpf_u_int32);
 
 struct block *gen_vlan(compiler_state_t *, bpf_u_int32, int);
 struct block *gen_mpls(compiler_state_t *, bpf_u_int32, int);
+struct block *gen_vntag(compiler_state_t *, bpf_u_int32, int);
 
 struct block *gen_pppoed(compiler_state_t *);
 struct block *gen_pppoes(compiler_state_t *, bpf_u_int32, int);

grammar.y.in

@@ -389,7 +389,7 @@ DIAG_OFF_BISON_BYACC
 %token	LSH RSH
 %token  LEN
 %token  IPV6 ICMPV6 AH ESP
-%token	VLAN MPLS
+%token	VLAN MPLS VNTAG
 %token	PPPOED PPPOES GENEVE VXLAN
 %token  ISO ESIS CLNP ISIS L1 L2 IIH LSP SNP CSNP PSNP
 %token  STP
@@ -682,6 +682,8 @@ other:	  pqual TK_BROADCAST	{ CHECK_PTR_VAL(($$ = gen_broadcast(cstate, $1))); }
 	| VLAN			{ CHECK_PTR_VAL(($$ = gen_vlan(cstate, 0, 0))); }
 	| MPLS pnum		{ CHECK_PTR_VAL(($$ = gen_mpls(cstate, $2, 1))); }
 	| MPLS			{ CHECK_PTR_VAL(($$ = gen_mpls(cstate, 0, 0))); }
+	| VNTAG VLAN pnum	{ CHECK_PTR_VAL(($$ = gen_vntag(cstate, $3, 1))); }
+	| VNTAG			{ CHECK_PTR_VAL(($$ = gen_vntag(cstate, 0, 0))); }
 	| PPPOED		{ CHECK_PTR_VAL(($$ = gen_pppoed(cstate))); }
 	| PPPOES pnum		{ CHECK_PTR_VAL(($$ = gen_pppoes(cstate, $2, 1))); }
 	| PPPOES		{ CHECK_PTR_VAL(($$ = gen_pppoes(cstate, 0, 0))); }

pcap-filter.manmisc.in

@@ -1012,6 +1012,36 @@ filters packets with an outer label of 100000 and an inner label of
 .in -.5i
 filters packets to or from 192.9.200.1 with an inner label of 1024 and
 any outer label.
+.IP "\fBvntag \fI[vlan vlan_id]\fR"
+True if the packet is a VNTag packet EtherType 0x8926 followed by an
+IEEE 802.1Q VLAN packet. As with VLAN, this moves the link layer offsets forward
+past the VNTag and following VLAN headers.
+If the optional \fIvlan vlan_id\fR is specified, this term only matches if the
+packet has the specified \fIvlan_id\fR following the VNTag header. Without the
+\fIvlan_id\fR specified, there is an implicit check for any VLAN after VNTag.
+Note that the \fBvntag\fR keyword changes the decoding offsets for the remainder
+of the expression on the assumption that the packet is a VNTag + VLAN packet.
+Each use of that keyword increments the filter offsets by 10 (6 VNTag + 4 VLAN).
+.IP
+For example:
+.in +.5i
+.nf
+\fBvntag\fR and \fBip src host\fR 192.0.2.0
+.fi
+.in -.5i
+filters on VNTag followed by any VLAN followed by an IPv4 packet from 192.0.2.0
+.in +.5i
+.nf
+\fBvntag vlan\fR 100
+.fi
+.in -.5i
+filters on VNTag followed by VLAN 100
+.in +.5i
+.nf
+\fBvntag && vlan \fR300 \fB&& ip\fR
+.fi
+.in -.5i
+filters IPv4 protocol encapsulated in VLAN 300 encapsulated within any VLAN within VNTag.
 .IP \fBpppoed\fP
 True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet
 type 0x8863).

scanner.l

@@ -339,6 +339,7 @@ pppoed		return PPPOED;
 pppoes		return PPPOES;
 geneve		return GENEVE;
 vxlan		return VXLAN;
+vntag		return VNTAG;
 
 lane		return LANE;
 llc		return LLC;

testprogs/TESTrun

@@ -9657,6 +9657,37 @@ my %accept_blocks = (
 			(020) ret      #0
 			',
 	}, # dst_portrange_degenerate
+	vntag_eth_vlan_nullary => {
+		DLT => 'EN10MB',
+		aliases => ['vntag'],
+		opt => '
+			(000) ldh      [12]
+			(001) jeq      #0x8926          jt 2	jf 7
+			(002) ldh      [18]
+			(003) jeq      #0x8100          jt 6	jf 4
+			(004) jeq      #0x88a8          jt 6	jf 5
+			(005) jeq      #0x9100          jt 6	jf 7
+			(006) ret      #262144
+			(007) ret      #0
+			',
+	}, # vntag_eth_vlan_nullary
+	vntag_eth_vlan_unary => {
+		DLT => 'EN10MB',
+		aliases => ['vntag vlan 4095'],
+		opt => '
+			(000) ldh      [12]
+			(001) jeq      #0x8926          jt 2	jf 10
+			(002) ldh      [18]
+			(003) jeq      #0x8100          jt 6	jf 4
+			(004) jeq      #0x88a8          jt 6	jf 5
+			(005) jeq      #0x9100          jt 6	jf 10
+			(006) ldh      [20]
+			(007) and      #0xfff
+			(008) jeq      #0xfff           jt 9	jf 10
+			(009) ret      #262144
+			(010) ret      #0
+			',
+	}, # vntag_eth_vlan_unary
 );
 
 # In apply_blocks the top-level keys are test block names.  Each test block
@@ -10067,6 +10098,21 @@ my %apply_blocks = (
 		expr => 'outbound',
 		results => [46],
 	},
+	vntag_simple => {
+		savefile => 'vntag.pcap',
+		expr => 'vntag',
+		results => [65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535],
+	},
+	vntag_with_vid => {
+		savefile => 'vntag.pcap',
+		expr => 'vntag vlan 100',
+		results => [65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535],
+	},
+	vntag_with_wrong_vid => {
+		savefile => 'vntag.pcap',
+		expr => 'vntag vlan 200',
+		results => [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+	},
 );
 
 # * DLT, expr, netmask and skip: same as in accept_blocks above
@@ -10658,6 +10704,26 @@ my %reject_tests = (
 		expr => "ip6 gateway eth-ipv4-ipv6.host123.libpcap.test",
 		errstr => 'illegal modifier of \'gateway\'',
 	},
+	vntag_not_supported => {
+		DLT => 'RAW',
+		expr => 'vntag',
+		errstr => 'no VNTag support',
+	},
+	vntag_vlan_too_big => {
+		DLT => 'EN10MB',
+		expr => 'vntag vlan 4096',
+		errstr => 'VLAN tag 4096 greater than maximum 4095',
+	},
+	vntag_vlan_no_tag => {
+		DLT => 'EN10MB',
+		expr => 'vntag vlan',
+		errstr => 'syntax error',
+	},
+	vntag_vlan_not_immediate => {
+		DLT => 'EN10MB',
+		expr => 'vntag vlan (eth[20:2] & 0xfff)',
+		errstr => 'syntax error',
+	},
 );
 
 sub accept_test_label {