1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.53 2007/09/12 19:17:24 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #include <sys/types.h> 35 #include <sys/socket.h> 36 #endif /* WIN32 */ 37 38 /* 39 * XXX - why was this included even on UNIX? 40 */ 41 #ifdef __MINGW32__ 42 #include "IP6_misc.h" 43 #endif 44 45 #ifndef WIN32 46 47 #ifdef __NetBSD__ 48 #include <sys/param.h> 49 #endif 50 51 #include <netinet/in.h> 52 53 #endif /* WIN32 */ 54 55 #include <stdlib.h> 56 #include <string.h> 57 #include <memory.h> 58 #include <setjmp.h> 59 #include <stdarg.h> 60 61 #ifdef MSDOS 62 #include "pcap-dos.h" 63 #endif 64 65 #include "pcap-int.h" 66 67 #include "ethertype.h" 68 #include "nlpid.h" 69 #include "llc.h" 70 #include "gencode.h" 71 #include "atmuni31.h" 72 #include "sunatmpos.h" 73 #include "ppp.h" 74 #include "sll.h" 75 #include "arcnet.h" 76 #ifdef HAVE_NET_PFVAR_H 77 #include <sys/socket.h> 78 #include <net/if.h> 79 #include <net/if_var.h> 80 #include <net/pf/pfvar.h> 81 #include <net/pf/if_pflog.h> 82 #endif 83 #ifndef offsetof 84 #define offsetof(s, e) ((size_t)&((s *)0)->e) 85 #endif 86 #ifdef INET6 87 #ifndef WIN32 88 #include <netdb.h> /* for "struct addrinfo" */ 89 #endif /* WIN32 */ 90 #endif /*INET6*/ 91 #include <pcap-namedb.h> 92 93 #include <netproto/802_11/ieee80211.h> 94 #include <netproto/802_11/ieee80211_radiotap.h> 95 96 #define ETHERMTU 1500 97 98 #ifndef IPPROTO_SCTP 99 #define IPPROTO_SCTP 132 100 #endif 101 102 #ifdef HAVE_OS_PROTO_H 103 #include "os-proto.h" 104 #endif 105 106 #define JMP(c) ((c)|BPF_JMP|BPF_K) 107 108 /* Locals */ 109 static jmp_buf top_ctx; 110 static pcap_t *bpf_pcap; 111 112 #ifdef WIN32 113 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 114 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 115 #else 116 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 117 #endif 118 119 /* XXX */ 120 #ifdef PCAP_FDDIPAD 121 static int pcap_fddipad; 122 #endif 123 124 /* VARARGS */ 125 void 126 bpf_error(const char *fmt, ...) 127 { 128 va_list ap; 129 130 va_start(ap, fmt); 131 if (bpf_pcap != NULL) 132 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 133 fmt, ap); 134 va_end(ap); 135 longjmp(top_ctx, 1); 136 /* NOTREACHED */ 137 } 138 139 static void init_linktype(pcap_t *); 140 141 static int alloc_reg(void); 142 static void free_reg(int); 143 144 static struct block *root; 145 146 /* 147 * Value passed to gen_load_a() to indicate what the offset argument 148 * is relative to. 149 */ 150 enum e_offrel { 151 OR_PACKET, /* relative to the beginning of the packet */ 152 OR_LINK, /* relative to the link-layer header */ 153 OR_NET, /* relative to the network-layer header */ 154 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 155 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 156 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 157 }; 158 159 /* 160 * We divy out chunks of memory rather than call malloc each time so 161 * we don't have to worry about leaking memory. It's probably 162 * not a big deal if all this memory was wasted but if this ever 163 * goes into a library that would probably not be a good idea. 164 * 165 * XXX - this *is* in a library.... 166 */ 167 #define NCHUNKS 16 168 #define CHUNK0SIZE 1024 169 struct chunk { 170 u_int n_left; 171 void *m; 172 }; 173 174 static struct chunk chunks[NCHUNKS]; 175 static int cur_chunk; 176 177 static void *newchunk(u_int); 178 static void freechunks(void); 179 static inline struct block *new_block(int); 180 static inline struct slist *new_stmt(int); 181 static struct block *gen_retblk(int); 182 static inline void syntax(void); 183 184 static void backpatch(struct block *, struct block *); 185 static void merge(struct block *, struct block *); 186 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 187 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 188 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 189 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 190 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 191 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 192 bpf_u_int32); 193 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 194 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 195 bpf_u_int32, bpf_u_int32, int, bpf_int32); 196 static struct slist *gen_load_llrel(u_int, u_int); 197 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 198 static struct slist *gen_loadx_iphdrlen(void); 199 static struct block *gen_uncond(int); 200 static inline struct block *gen_true(void); 201 static inline struct block *gen_false(void); 202 static struct block *gen_ether_linktype(int); 203 static struct block *gen_linux_sll_linktype(int); 204 static void insert_radiotap_load_llprefixlen(struct block *); 205 static void insert_ppi_load_llprefixlen(struct block *); 206 static void insert_load_llprefixlen(struct block *); 207 static struct slist *gen_llprefixlen(void); 208 static struct block *gen_linktype(int); 209 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int); 210 static struct block *gen_llc_linktype(int); 211 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 212 #ifdef INET6 213 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 214 #endif 215 static struct block *gen_ahostop(const u_char *, int); 216 static struct block *gen_ehostop(const u_char *, int); 217 static struct block *gen_fhostop(const u_char *, int); 218 static struct block *gen_thostop(const u_char *, int); 219 static struct block *gen_wlanhostop(const u_char *, int); 220 static struct block *gen_ipfchostop(const u_char *, int); 221 static struct block *gen_dnhostop(bpf_u_int32, int); 222 static struct block *gen_mpls_linktype(int); 223 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 224 #ifdef INET6 225 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 226 #endif 227 #ifndef INET6 228 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 229 #endif 230 static struct block *gen_ipfrag(void); 231 static struct block *gen_portatom(int, bpf_int32); 232 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 233 #ifdef INET6 234 static struct block *gen_portatom6(int, bpf_int32); 235 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 236 #endif 237 struct block *gen_portop(int, int, int); 238 static struct block *gen_port(int, int, int); 239 struct block *gen_portrangeop(int, int, int, int); 240 static struct block *gen_portrange(int, int, int, int); 241 #ifdef INET6 242 struct block *gen_portop6(int, int, int); 243 static struct block *gen_port6(int, int, int); 244 struct block *gen_portrangeop6(int, int, int, int); 245 static struct block *gen_portrange6(int, int, int, int); 246 #endif 247 static int lookup_proto(const char *, int); 248 static struct block *gen_protochain(int, int, int); 249 static struct block *gen_proto(int, int, int); 250 static struct slist *xfer_to_x(struct arth *); 251 static struct slist *xfer_to_a(struct arth *); 252 static struct block *gen_mac_multicast(int); 253 static struct block *gen_len(int, int); 254 255 static struct block *gen_ppi_dlt_check(void); 256 static struct block *gen_msg_abbrev(int type); 257 258 static void * 259 newchunk(n) 260 u_int n; 261 { 262 struct chunk *cp; 263 int k; 264 size_t size; 265 266 #ifndef __NetBSD__ 267 /* XXX Round up to nearest long. */ 268 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 269 #else 270 /* XXX Round up to structure boundary. */ 271 n = ALIGN(n); 272 #endif 273 274 cp = &chunks[cur_chunk]; 275 if (n > cp->n_left) { 276 ++cp, k = ++cur_chunk; 277 if (k >= NCHUNKS) 278 bpf_error("out of memory"); 279 size = CHUNK0SIZE << k; 280 cp->m = (void *)malloc(size); 281 if (cp->m == NULL) 282 bpf_error("out of memory"); 283 memset((char *)cp->m, 0, size); 284 cp->n_left = size; 285 if (n > size) 286 bpf_error("out of memory"); 287 } 288 cp->n_left -= n; 289 return (void *)((char *)cp->m + cp->n_left); 290 } 291 292 static void 293 freechunks() 294 { 295 int i; 296 297 cur_chunk = 0; 298 for (i = 0; i < NCHUNKS; ++i) 299 if (chunks[i].m != NULL) { 300 free(chunks[i].m); 301 chunks[i].m = NULL; 302 } 303 } 304 305 /* 306 * A strdup whose allocations are freed after code generation is over. 307 */ 308 char * 309 sdup(s) 310 register const char *s; 311 { 312 int n = strlen(s) + 1; 313 char *cp = newchunk(n); 314 315 strlcpy(cp, s, n); 316 return (cp); 317 } 318 319 static inline struct block * 320 new_block(code) 321 int code; 322 { 323 struct block *p; 324 325 p = (struct block *)newchunk(sizeof(*p)); 326 p->s.code = code; 327 p->head = p; 328 329 return p; 330 } 331 332 static inline struct slist * 333 new_stmt(code) 334 int code; 335 { 336 struct slist *p; 337 338 p = (struct slist *)newchunk(sizeof(*p)); 339 p->s.code = code; 340 341 return p; 342 } 343 344 static struct block * 345 gen_retblk(v) 346 int v; 347 { 348 struct block *b = new_block(BPF_RET|BPF_K); 349 350 b->s.k = v; 351 return b; 352 } 353 354 static inline void 355 syntax() 356 { 357 bpf_error("syntax error in filter expression"); 358 } 359 360 static bpf_u_int32 netmask; 361 static int snaplen; 362 int no_optimize; 363 364 int 365 pcap_compile(pcap_t *p, struct bpf_program *program, 366 const char *buf, int optimize, bpf_u_int32 mask) 367 { 368 extern int n_errors; 369 const char * volatile xbuf = buf; 370 int len; 371 372 no_optimize = 0; 373 n_errors = 0; 374 root = NULL; 375 bpf_pcap = p; 376 if (setjmp(top_ctx)) { 377 lex_cleanup(); 378 freechunks(); 379 return (-1); 380 } 381 382 netmask = mask; 383 384 snaplen = pcap_snapshot(p); 385 if (snaplen == 0) { 386 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 387 "snaplen of 0 rejects all packets"); 388 return -1; 389 } 390 391 lex_init(xbuf ? xbuf : ""); 392 init_linktype(p); 393 (void)pcap_parse(); 394 395 if (n_errors) 396 syntax(); 397 398 if (root == NULL) 399 root = gen_retblk(snaplen); 400 401 if (optimize && !no_optimize) { 402 bpf_optimize(&root); 403 if (root == NULL || 404 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 405 bpf_error("expression rejects all packets"); 406 } 407 program->bf_insns = icode_to_fcode(root, &len); 408 program->bf_len = len; 409 410 lex_cleanup(); 411 freechunks(); 412 return (0); 413 } 414 415 /* 416 * entry point for using the compiler with no pcap open 417 * pass in all the stuff that is needed explicitly instead. 418 */ 419 int 420 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 421 struct bpf_program *program, 422 const char *buf, int optimize, bpf_u_int32 mask) 423 { 424 pcap_t *p; 425 int ret; 426 427 p = pcap_open_dead(linktype_arg, snaplen_arg); 428 if (p == NULL) 429 return (-1); 430 ret = pcap_compile(p, program, buf, optimize, mask); 431 pcap_close(p); 432 return (ret); 433 } 434 435 /* 436 * Clean up a "struct bpf_program" by freeing all the memory allocated 437 * in it. 438 */ 439 void 440 pcap_freecode(struct bpf_program *program) 441 { 442 program->bf_len = 0; 443 if (program->bf_insns != NULL) { 444 free((char *)program->bf_insns); 445 program->bf_insns = NULL; 446 } 447 } 448 449 /* 450 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 451 * which of the jt and jf fields has been resolved and which is a pointer 452 * back to another unresolved block (or nil). At least one of the fields 453 * in each block is already resolved. 454 */ 455 static void 456 backpatch(list, target) 457 struct block *list, *target; 458 { 459 struct block *next; 460 461 while (list) { 462 if (!list->sense) { 463 next = JT(list); 464 JT(list) = target; 465 } else { 466 next = JF(list); 467 JF(list) = target; 468 } 469 list = next; 470 } 471 } 472 473 /* 474 * Merge the lists in b0 and b1, using the 'sense' field to indicate 475 * which of jt and jf is the link. 476 */ 477 static void 478 merge(b0, b1) 479 struct block *b0, *b1; 480 { 481 register struct block **p = &b0; 482 483 /* Find end of list. */ 484 while (*p) 485 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 486 487 /* Concatenate the lists. */ 488 *p = b1; 489 } 490 491 492 void 493 finish_parse(p) 494 struct block *p; 495 { 496 struct block *ppi_dlt_check; 497 498 ppi_dlt_check = gen_ppi_dlt_check(); 499 500 if (ppi_dlt_check != NULL) 501 { 502 gen_and(ppi_dlt_check, p); 503 } 504 505 backpatch(p, gen_retblk(snaplen)); 506 p->sense = !p->sense; 507 backpatch(p, gen_retblk(0)); 508 root = p->head; 509 510 /* 511 * Insert before the statements of the first (root) block any 512 * statements needed to load the lengths of any variable-length 513 * headers into registers. 514 * 515 * XXX - a fancier strategy would be to insert those before the 516 * statements of all blocks that use those lengths and that 517 * have no predecessors that use them, so that we only compute 518 * the lengths if we need them. There might be even better 519 * approaches than that. However, as we're currently only 520 * handling variable-length radiotap headers, and as all 521 * filtering expressions other than raw link[M:N] tests 522 * require the length of that header, doing more for that 523 * header length isn't really worth the effort. 524 */ 525 526 insert_load_llprefixlen(root); 527 } 528 529 void 530 gen_and(b0, b1) 531 struct block *b0, *b1; 532 { 533 backpatch(b0, b1->head); 534 b0->sense = !b0->sense; 535 b1->sense = !b1->sense; 536 merge(b1, b0); 537 b1->sense = !b1->sense; 538 b1->head = b0->head; 539 } 540 541 void 542 gen_or(b0, b1) 543 struct block *b0, *b1; 544 { 545 b0->sense = !b0->sense; 546 backpatch(b0, b1->head); 547 b0->sense = !b0->sense; 548 merge(b1, b0); 549 b1->head = b0->head; 550 } 551 552 void 553 gen_not(b) 554 struct block *b; 555 { 556 b->sense = !b->sense; 557 } 558 559 static struct block * 560 gen_cmp(offrel, offset, size, v) 561 enum e_offrel offrel; 562 u_int offset, size; 563 bpf_int32 v; 564 { 565 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 566 } 567 568 static struct block * 569 gen_cmp_gt(offrel, offset, size, v) 570 enum e_offrel offrel; 571 u_int offset, size; 572 bpf_int32 v; 573 { 574 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 575 } 576 577 static struct block * 578 gen_cmp_ge(offrel, offset, size, v) 579 enum e_offrel offrel; 580 u_int offset, size; 581 bpf_int32 v; 582 { 583 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 584 } 585 586 static struct block * 587 gen_cmp_lt(offrel, offset, size, v) 588 enum e_offrel offrel; 589 u_int offset, size; 590 bpf_int32 v; 591 { 592 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 593 } 594 595 static struct block * 596 gen_cmp_le(offrel, offset, size, v) 597 enum e_offrel offrel; 598 u_int offset, size; 599 bpf_int32 v; 600 { 601 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 602 } 603 604 static struct block * 605 gen_mcmp(offrel, offset, size, v, mask) 606 enum e_offrel offrel; 607 u_int offset, size; 608 bpf_int32 v; 609 bpf_u_int32 mask; 610 { 611 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 612 } 613 614 static struct block * 615 gen_bcmp(offrel, offset, size, v) 616 enum e_offrel offrel; 617 register u_int offset, size; 618 register const u_char *v; 619 { 620 register struct block *b, *tmp; 621 622 b = NULL; 623 while (size >= 4) { 624 register const u_char *p = &v[size - 4]; 625 bpf_int32 w = ((bpf_int32)p[0] << 24) | 626 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 627 628 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 629 if (b != NULL) 630 gen_and(b, tmp); 631 b = tmp; 632 size -= 4; 633 } 634 while (size >= 2) { 635 register const u_char *p = &v[size - 2]; 636 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 637 638 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 639 if (b != NULL) 640 gen_and(b, tmp); 641 b = tmp; 642 size -= 2; 643 } 644 if (size > 0) { 645 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 646 if (b != NULL) 647 gen_and(b, tmp); 648 b = tmp; 649 } 650 return b; 651 } 652 653 /* 654 * AND the field of size "size" at offset "offset" relative to the header 655 * specified by "offrel" with "mask", and compare it with the value "v" 656 * with the test specified by "jtype"; if "reverse" is true, the test 657 * should test the opposite of "jtype". 658 */ 659 static struct block * 660 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 661 enum e_offrel offrel; 662 bpf_int32 v; 663 bpf_u_int32 offset, size, mask, jtype; 664 int reverse; 665 { 666 struct slist *s, *s2; 667 struct block *b; 668 669 s = gen_load_a(offrel, offset, size); 670 671 if (mask != 0xffffffff) { 672 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 673 s2->s.k = mask; 674 sappend(s, s2); 675 } 676 677 b = new_block(JMP(jtype)); 678 b->stmts = s; 679 b->s.k = v; 680 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 681 gen_not(b); 682 return b; 683 } 684 685 /* 686 * Various code constructs need to know the layout of the data link 687 * layer. These variables give the necessary offsets from the beginning 688 * of the packet data. 689 * 690 * If the link layer has variable_length headers, the offsets are offsets 691 * from the end of the link-link-layer header, and "reg_ll_size" is 692 * the register number for a register containing the length of the 693 * link-layer header. Otherwise, "reg_ll_size" is -1. 694 */ 695 static int reg_ll_size; 696 697 /* 698 * This is the offset of the beginning of the link-layer header from 699 * the beginning of the raw packet data. 700 * 701 * It's usually 0, except for 802.11 with a fixed-length radio header. 702 * (For 802.11 with a variable-length radio header, we have to generate 703 * code to compute that offset; off_ll is 0 in that case.) 704 */ 705 static u_int off_ll; 706 707 /* 708 * This is the offset of the beginning of the MAC-layer header. 709 * It's usually 0, except for ATM LANE, where it's the offset, relative 710 * to the beginning of the raw packet data, of the Ethernet header. 711 */ 712 static u_int off_mac; 713 714 /* 715 * "off_linktype" is the offset to information in the link-layer header 716 * giving the packet type. This offset is relative to the beginning 717 * of the link-layer header (i.e., it doesn't include off_ll). 718 * 719 * For Ethernet, it's the offset of the Ethernet type field. 720 * 721 * For link-layer types that always use 802.2 headers, it's the 722 * offset of the LLC header. 723 * 724 * For PPP, it's the offset of the PPP type field. 725 * 726 * For Cisco HDLC, it's the offset of the CHDLC type field. 727 * 728 * For BSD loopback, it's the offset of the AF_ value. 729 * 730 * For Linux cooked sockets, it's the offset of the type field. 731 * 732 * It's set to -1 for no encapsulation, in which case, IP is assumed. 733 */ 734 static u_int off_linktype; 735 736 /* 737 * TRUE if the link layer includes an ATM pseudo-header. 738 */ 739 static int is_atm = 0; 740 741 /* 742 * TRUE if "lane" appeared in the filter; it causes us to generate 743 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 744 */ 745 static int is_lane = 0; 746 747 /* 748 * These are offsets for the ATM pseudo-header. 749 */ 750 static u_int off_vpi; 751 static u_int off_vci; 752 static u_int off_proto; 753 754 /* 755 * These are offsets for the MTP2 fields. 756 */ 757 static u_int off_li; 758 759 /* 760 * These are offsets for the MTP3 fields. 761 */ 762 static u_int off_sio; 763 static u_int off_opc; 764 static u_int off_dpc; 765 static u_int off_sls; 766 767 /* 768 * This is the offset of the first byte after the ATM pseudo_header, 769 * or -1 if there is no ATM pseudo-header. 770 */ 771 static u_int off_payload; 772 773 /* 774 * These are offsets to the beginning of the network-layer header. 775 * They are relative to the beginning of the link-layer header (i.e., 776 * they don't include off_ll). 777 * 778 * If the link layer never uses 802.2 LLC: 779 * 780 * "off_nl" and "off_nl_nosnap" are the same. 781 * 782 * If the link layer always uses 802.2 LLC: 783 * 784 * "off_nl" is the offset if there's a SNAP header following 785 * the 802.2 header; 786 * 787 * "off_nl_nosnap" is the offset if there's no SNAP header. 788 * 789 * If the link layer is Ethernet: 790 * 791 * "off_nl" is the offset if the packet is an Ethernet II packet 792 * (we assume no 802.3+802.2+SNAP); 793 * 794 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 795 * with an 802.2 header following it. 796 */ 797 static u_int off_nl; 798 static u_int off_nl_nosnap; 799 800 static int linktype; 801 802 static void 803 init_linktype(p) 804 pcap_t *p; 805 { 806 linktype = pcap_datalink(p); 807 #ifdef PCAP_FDDIPAD 808 pcap_fddipad = p->fddipad; 809 #endif 810 811 /* 812 * Assume it's not raw ATM with a pseudo-header, for now. 813 */ 814 off_mac = 0; 815 is_atm = 0; 816 is_lane = 0; 817 off_vpi = -1; 818 off_vci = -1; 819 off_proto = -1; 820 off_payload = -1; 821 822 /* 823 * And assume we're not doing SS7. 824 */ 825 off_li = -1; 826 off_sio = -1; 827 off_opc = -1; 828 off_dpc = -1; 829 off_sls = -1; 830 831 /* 832 * Also assume it's not 802.11 with a fixed-length radio header. 833 */ 834 off_ll = 0; 835 836 orig_linktype = -1; 837 orig_nl = -1; 838 label_stack_depth = 0; 839 840 reg_ll_size = -1; 841 842 switch (linktype) { 843 844 case DLT_ARCNET: 845 off_linktype = 2; 846 off_nl = 6; /* XXX in reality, variable! */ 847 off_nl_nosnap = 6; /* no 802.2 LLC */ 848 return; 849 850 case DLT_ARCNET_LINUX: 851 off_linktype = 4; 852 off_nl = 8; /* XXX in reality, variable! */ 853 off_nl_nosnap = 8; /* no 802.2 LLC */ 854 return; 855 856 case DLT_EN10MB: 857 off_linktype = 12; 858 off_nl = 14; /* Ethernet II */ 859 off_nl_nosnap = 17; /* 802.3+802.2 */ 860 return; 861 862 case DLT_SLIP: 863 /* 864 * SLIP doesn't have a link level type. The 16 byte 865 * header is hacked into our SLIP driver. 866 */ 867 off_linktype = -1; 868 off_nl = 16; 869 off_nl_nosnap = 16; /* no 802.2 LLC */ 870 return; 871 872 case DLT_SLIP_BSDOS: 873 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 874 off_linktype = -1; 875 /* XXX end */ 876 off_nl = 24; 877 off_nl_nosnap = 24; /* no 802.2 LLC */ 878 return; 879 880 case DLT_NULL: 881 case DLT_LOOP: 882 off_linktype = 0; 883 off_nl = 4; 884 off_nl_nosnap = 4; /* no 802.2 LLC */ 885 return; 886 887 case DLT_ENC: 888 off_linktype = 0; 889 off_nl = 12; 890 off_nl_nosnap = 12; /* no 802.2 LLC */ 891 return; 892 893 case DLT_PPP: 894 case DLT_PPP_PPPD: 895 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 896 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 897 off_linktype = 2; 898 off_nl = 4; 899 off_nl_nosnap = 4; /* no 802.2 LLC */ 900 return; 901 902 case DLT_PPP_ETHER: 903 /* 904 * This does no include the Ethernet header, and 905 * only covers session state. 906 */ 907 off_linktype = 6; 908 off_nl = 8; 909 off_nl_nosnap = 8; /* no 802.2 LLC */ 910 return; 911 912 case DLT_PPP_BSDOS: 913 off_linktype = 5; 914 off_nl = 24; 915 off_nl_nosnap = 24; /* no 802.2 LLC */ 916 return; 917 918 case DLT_FDDI: 919 /* 920 * FDDI doesn't really have a link-level type field. 921 * We set "off_linktype" to the offset of the LLC header. 922 * 923 * To check for Ethernet types, we assume that SSAP = SNAP 924 * is being used and pick out the encapsulated Ethernet type. 925 * XXX - should we generate code to check for SNAP? 926 */ 927 off_linktype = 13; 928 #ifdef PCAP_FDDIPAD 929 off_linktype += pcap_fddipad; 930 #endif 931 off_nl = 21; /* FDDI+802.2+SNAP */ 932 off_nl_nosnap = 16; /* FDDI+802.2 */ 933 #ifdef PCAP_FDDIPAD 934 off_nl += pcap_fddipad; 935 off_nl_nosnap += pcap_fddipad; 936 #endif 937 return; 938 939 case DLT_IEEE802: 940 /* 941 * Token Ring doesn't really have a link-level type field. 942 * We set "off_linktype" to the offset of the LLC header. 943 * 944 * To check for Ethernet types, we assume that SSAP = SNAP 945 * is being used and pick out the encapsulated Ethernet type. 946 * XXX - should we generate code to check for SNAP? 947 * 948 * XXX - the header is actually variable-length. 949 * Some various Linux patched versions gave 38 950 * as "off_linktype" and 40 as "off_nl"; however, 951 * if a token ring packet has *no* routing 952 * information, i.e. is not source-routed, the correct 953 * values are 20 and 22, as they are in the vanilla code. 954 * 955 * A packet is source-routed iff the uppermost bit 956 * of the first byte of the source address, at an 957 * offset of 8, has the uppermost bit set. If the 958 * packet is source-routed, the total number of bytes 959 * of routing information is 2 plus bits 0x1F00 of 960 * the 16-bit value at an offset of 14 (shifted right 961 * 8 - figure out which byte that is). 962 */ 963 off_linktype = 14; 964 off_nl = 22; /* Token Ring+802.2+SNAP */ 965 off_nl_nosnap = 17; /* Token Ring+802.2 */ 966 return; 967 968 case DLT_IEEE802_11: 969 /* 970 * 802.11 doesn't really have a link-level type field. 971 * We set "off_linktype" to the offset of the LLC header. 972 * 973 * To check for Ethernet types, we assume that SSAP = SNAP 974 * is being used and pick out the encapsulated Ethernet type. 975 * XXX - should we generate code to check for SNAP? 976 * 977 * XXX - the header is actually variable-length. We 978 * assume a 24-byte link-layer header, as appears in 979 * data frames in networks with no bridges. If the 980 * fromds and tods 802.11 header bits are both set, 981 * it's actually supposed to be 30 bytes. 982 */ 983 off_linktype = 24; 984 off_nl = 32; /* 802.11+802.2+SNAP */ 985 off_nl_nosnap = 27; /* 802.11+802.2 */ 986 return; 987 988 case DLT_PRISM_HEADER: 989 /* 990 * Same as 802.11, but with an additional header before 991 * the 802.11 header, containing a bunch of additional 992 * information including radio-level information. 993 * 994 * The header is 144 bytes long. 995 * 996 * XXX - same variable-length header problem; at least 997 * the Prism header is fixed-length. 998 */ 999 off_ll = 144; 1000 off_linktype = 24; 1001 off_nl = 32; /* Prism+802.11+802.2+SNAP */ 1002 off_nl_nosnap = 27; /* Prism+802.11+802.2 */ 1003 return; 1004 1005 case DLT_IEEE802_11_RADIO_AVS: 1006 /* 1007 * Same as 802.11, but with an additional header before 1008 * the 802.11 header, containing a bunch of additional 1009 * information including radio-level information. 1010 * 1011 * The header is 64 bytes long, at least in its 1012 * current incarnation. 1013 * 1014 * XXX - same variable-length header problem, only 1015 * more so; this header is also variable-length, 1016 * with the length being the 32-bit big-endian 1017 * number at an offset of 4 from the beginning 1018 * of the radio header. We should handle that the 1019 * same way we handle the length at the beginning 1020 * of the radiotap header. 1021 * 1022 * XXX - in Linux, do any drivers that supply an AVS 1023 * header supply a link-layer type other than 1024 * ARPHRD_IEEE80211_PRISM? If so, we should map that 1025 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are 1026 * any drivers that supply an AVS header but supply 1027 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll 1028 * have to check the header in the generated code to 1029 * determine whether it's Prism or AVS. 1030 */ 1031 off_ll = 64; 1032 off_linktype = 24; 1033 off_nl = 32; /* Radio+802.11+802.2+SNAP */ 1034 off_nl_nosnap = 27; /* Radio+802.11+802.2 */ 1035 return; 1036 1037 1038 /* 1039 * At the moment we treat PPI as normal Radiotap encoded 1040 * packets. The difference is in the function that generates 1041 * the code at the beginning to compute the header length. 1042 * Since this code generator of PPI supports bare 802.11 1043 * encapsulation only (i.e. the encapsulated DLT should be 1044 * DLT_IEEE802_11) we generate code to check for this too. 1045 */ 1046 case DLT_PPI: 1047 case DLT_IEEE802_11_RADIO: 1048 /* 1049 * Same as 802.11, but with an additional header before 1050 * the 802.11 header, containing a bunch of additional 1051 * information including radio-level information. 1052 * 1053 * The radiotap header is variable length, and we 1054 * generate code to compute its length and store it 1055 * in a register. These offsets are relative to the 1056 * beginning of the 802.11 header. 1057 */ 1058 off_linktype = 24; 1059 off_nl = 32; /* 802.11+802.2+SNAP */ 1060 off_nl_nosnap = 27; /* 802.11+802.2 */ 1061 return; 1062 1063 case DLT_ATM_RFC1483: 1064 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1065 /* 1066 * assume routed, non-ISO PDUs 1067 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1068 * 1069 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1070 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1071 * latter would presumably be treated the way PPPoE 1072 * should be, so you can do "pppoe and udp port 2049" 1073 * or "pppoa and tcp port 80" and have it check for 1074 * PPPo{A,E} and a PPP protocol of IP and.... 1075 */ 1076 off_linktype = 0; 1077 off_nl = 8; /* 802.2+SNAP */ 1078 off_nl_nosnap = 3; /* 802.2 */ 1079 return; 1080 1081 case DLT_SUNATM: 1082 /* 1083 * Full Frontal ATM; you get AALn PDUs with an ATM 1084 * pseudo-header. 1085 */ 1086 is_atm = 1; 1087 off_vpi = SUNATM_VPI_POS; 1088 off_vci = SUNATM_VCI_POS; 1089 off_proto = PROTO_POS; 1090 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */ 1091 off_payload = SUNATM_PKT_BEGIN_POS; 1092 off_linktype = off_payload; 1093 off_nl = off_payload+8; /* 802.2+SNAP */ 1094 off_nl_nosnap = off_payload+3; /* 802.2 */ 1095 return; 1096 1097 case DLT_RAW: 1098 off_linktype = -1; 1099 off_nl = 0; 1100 off_nl_nosnap = 0; /* no 802.2 LLC */ 1101 return; 1102 1103 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1104 off_linktype = 14; 1105 off_nl = 16; 1106 off_nl_nosnap = 16; /* no 802.2 LLC */ 1107 return; 1108 1109 case DLT_LTALK: 1110 /* 1111 * LocalTalk does have a 1-byte type field in the LLAP header, 1112 * but really it just indicates whether there is a "short" or 1113 * "long" DDP packet following. 1114 */ 1115 off_linktype = -1; 1116 off_nl = 0; 1117 off_nl_nosnap = 0; /* no 802.2 LLC */ 1118 return; 1119 1120 case DLT_IP_OVER_FC: 1121 /* 1122 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1123 * link-level type field. We set "off_linktype" to the 1124 * offset of the LLC header. 1125 * 1126 * To check for Ethernet types, we assume that SSAP = SNAP 1127 * is being used and pick out the encapsulated Ethernet type. 1128 * XXX - should we generate code to check for SNAP? RFC 1129 * 2625 says SNAP should be used. 1130 */ 1131 off_linktype = 16; 1132 off_nl = 24; /* IPFC+802.2+SNAP */ 1133 off_nl_nosnap = 19; /* IPFC+802.2 */ 1134 return; 1135 1136 case DLT_FRELAY: 1137 /* 1138 * XXX - we should set this to handle SNAP-encapsulated 1139 * frames (NLPID of 0x80). 1140 */ 1141 off_linktype = -1; 1142 off_nl = 0; 1143 off_nl_nosnap = 0; /* no 802.2 LLC */ 1144 return; 1145 1146 /* 1147 * the only BPF-interesting FRF.16 frames are non-control frames; 1148 * Frame Relay has a variable length link-layer 1149 * so lets start with offset 4 for now and increments later on (FIXME); 1150 */ 1151 case DLT_MFR: 1152 off_linktype = -1; 1153 off_nl = 4; 1154 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1155 return; 1156 1157 case DLT_APPLE_IP_OVER_IEEE1394: 1158 off_linktype = 16; 1159 off_nl = 18; 1160 off_nl_nosnap = 18; /* no 802.2 LLC */ 1161 return; 1162 1163 case DLT_LINUX_IRDA: 1164 /* 1165 * Currently, only raw "link[N:M]" filtering is supported. 1166 */ 1167 off_linktype = -1; 1168 off_nl = -1; 1169 off_nl_nosnap = -1; 1170 return; 1171 1172 case DLT_DOCSIS: 1173 /* 1174 * Currently, only raw "link[N:M]" filtering is supported. 1175 */ 1176 off_linktype = -1; 1177 off_nl = -1; 1178 off_nl_nosnap = -1; 1179 return; 1180 1181 case DLT_SYMANTEC_FIREWALL: 1182 off_linktype = 6; 1183 off_nl = 44; /* Ethernet II */ 1184 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */ 1185 return; 1186 1187 #ifdef HAVE_NET_PFVAR_H 1188 case DLT_PFLOG: 1189 off_linktype = 0; 1190 off_nl = PFLOG_HDRLEN; 1191 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */ 1192 return; 1193 #endif 1194 1195 case DLT_JUNIPER_MFR: 1196 case DLT_JUNIPER_MLFR: 1197 case DLT_JUNIPER_MLPPP: 1198 case DLT_JUNIPER_PPP: 1199 case DLT_JUNIPER_CHDLC: 1200 case DLT_JUNIPER_FRELAY: 1201 off_linktype = 4; 1202 off_nl = 4; 1203 off_nl_nosnap = -1; /* no 802.2 LLC */ 1204 return; 1205 1206 case DLT_JUNIPER_ATM1: 1207 off_linktype = 4; /* in reality variable between 4-8 */ 1208 off_nl = 4; 1209 off_nl_nosnap = 14; 1210 return; 1211 1212 case DLT_JUNIPER_ATM2: 1213 off_linktype = 8; /* in reality variable between 8-12 */ 1214 off_nl = 8; 1215 off_nl_nosnap = 18; 1216 return; 1217 1218 /* frames captured on a Juniper PPPoE service PIC 1219 * contain raw ethernet frames */ 1220 case DLT_JUNIPER_PPPOE: 1221 case DLT_JUNIPER_ETHER: 1222 off_linktype = 16; 1223 off_nl = 18; /* Ethernet II */ 1224 off_nl_nosnap = 21; /* 802.3+802.2 */ 1225 return; 1226 1227 case DLT_JUNIPER_PPPOE_ATM: 1228 off_linktype = 4; 1229 off_nl = 6; 1230 off_nl_nosnap = -1; /* no 802.2 LLC */ 1231 return; 1232 1233 case DLT_JUNIPER_GGSN: 1234 off_linktype = 6; 1235 off_nl = 12; 1236 off_nl_nosnap = -1; /* no 802.2 LLC */ 1237 return; 1238 1239 case DLT_JUNIPER_ES: 1240 off_linktype = 6; 1241 off_nl = -1; /* not really a network layer but raw IP adresses */ 1242 off_nl_nosnap = -1; /* no 802.2 LLC */ 1243 return; 1244 1245 case DLT_JUNIPER_MONITOR: 1246 off_linktype = 12; 1247 off_nl = 12; /* raw IP/IP6 header */ 1248 off_nl_nosnap = -1; /* no 802.2 LLC */ 1249 return; 1250 1251 case DLT_JUNIPER_SERVICES: 1252 off_linktype = 12; 1253 off_nl = -1; /* L3 proto location dep. on cookie type */ 1254 off_nl_nosnap = -1; /* no 802.2 LLC */ 1255 return; 1256 1257 case DLT_JUNIPER_VP: 1258 off_linktype = 18; 1259 off_nl = -1; 1260 off_nl_nosnap = -1; 1261 return; 1262 1263 case DLT_MTP2: 1264 off_li = 2; 1265 off_sio = 3; 1266 off_opc = 4; 1267 off_dpc = 4; 1268 off_sls = 7; 1269 off_linktype = -1; 1270 off_nl = -1; 1271 off_nl_nosnap = -1; 1272 return; 1273 1274 case DLT_MTP2_WITH_PHDR: 1275 off_li = 6; 1276 off_sio = 7; 1277 off_opc = 8; 1278 off_dpc = 8; 1279 off_sls = 11; 1280 off_linktype = -1; 1281 off_nl = -1; 1282 off_nl_nosnap = -1; 1283 return; 1284 1285 #ifdef DLT_PFSYNC 1286 case DLT_PFSYNC: 1287 off_linktype = -1; 1288 off_nl = 4; 1289 off_nl_nosnap = 4; 1290 return; 1291 #endif 1292 1293 case DLT_LINUX_LAPD: 1294 /* 1295 * Currently, only raw "link[N:M]" filtering is supported. 1296 */ 1297 off_linktype = -1; 1298 off_nl = -1; 1299 off_nl_nosnap = -1; 1300 return; 1301 1302 case DLT_USB: 1303 /* 1304 * Currently, only raw "link[N:M]" filtering is supported. 1305 */ 1306 off_linktype = -1; 1307 off_nl = -1; 1308 off_nl_nosnap = -1; 1309 return; 1310 1311 case DLT_BLUETOOTH_HCI_H4: 1312 /* 1313 * Currently, only raw "link[N:M]" filtering is supported. 1314 */ 1315 off_linktype = -1; 1316 off_nl = -1; 1317 off_nl_nosnap = -1; 1318 return; 1319 } 1320 bpf_error("unknown data link type %d", linktype); 1321 /* NOTREACHED */ 1322 } 1323 1324 /* 1325 * Load a value relative to the beginning of the link-layer header. 1326 * The link-layer header doesn't necessarily begin at the beginning 1327 * of the packet data; there might be a variable-length prefix containing 1328 * radio information. 1329 */ 1330 static struct slist * 1331 gen_load_llrel(offset, size) 1332 u_int offset, size; 1333 { 1334 struct slist *s, *s2; 1335 1336 s = gen_llprefixlen(); 1337 1338 /* 1339 * If "s" is non-null, it has code to arrange that the X register 1340 * contains the length of the prefix preceding the link-layer 1341 * header. 1342 * 1343 * Otherwise, the length of the prefix preceding the link-layer 1344 * header is "off_ll". 1345 */ 1346 if (s != NULL) { 1347 /* 1348 * There's a variable-length prefix preceding the 1349 * link-layer header. "s" points to a list of statements 1350 * that put the length of that prefix into the X register. 1351 * do an indirect load, to use the X register as an offset. 1352 */ 1353 s2 = new_stmt(BPF_LD|BPF_IND|size); 1354 s2->s.k = offset; 1355 sappend(s, s2); 1356 } else { 1357 /* 1358 * There is no variable-length header preceding the 1359 * link-layer header; add in off_ll, which, if there's 1360 * a fixed-length header preceding the link-layer header, 1361 * is the length of that header. 1362 */ 1363 s = new_stmt(BPF_LD|BPF_ABS|size); 1364 s->s.k = offset + off_ll; 1365 } 1366 return s; 1367 } 1368 1369 1370 /* 1371 * Load a value relative to the beginning of the specified header. 1372 */ 1373 static struct slist * 1374 gen_load_a(offrel, offset, size) 1375 enum e_offrel offrel; 1376 u_int offset, size; 1377 { 1378 struct slist *s, *s2; 1379 1380 switch (offrel) { 1381 1382 case OR_PACKET: 1383 s = new_stmt(BPF_LD|BPF_ABS|size); 1384 s->s.k = offset; 1385 break; 1386 1387 case OR_LINK: 1388 s = gen_load_llrel(offset, size); 1389 break; 1390 1391 case OR_NET: 1392 s = gen_load_llrel(off_nl + offset, size); 1393 break; 1394 1395 case OR_NET_NOSNAP: 1396 s = gen_load_llrel(off_nl_nosnap + offset, size); 1397 break; 1398 1399 case OR_TRAN_IPV4: 1400 /* 1401 * Load the X register with the length of the IPv4 header 1402 * (plus the offset of the link-layer header, if it's 1403 * preceded by a variable-length header such as a radio 1404 * header), in bytes. 1405 */ 1406 s = gen_loadx_iphdrlen(); 1407 1408 /* 1409 * Load the item at {offset of the link-layer header} + 1410 * {offset, relative to the start of the link-layer 1411 * header, of the IPv4 header} + {length of the IPv4 header} + 1412 * {specified offset}. 1413 * 1414 * (If the link-layer is variable-length, it's included 1415 * in the value in the X register, and off_ll is 0.) 1416 */ 1417 s2 = new_stmt(BPF_LD|BPF_IND|size); 1418 s2->s.k = off_ll + off_nl + offset; 1419 sappend(s, s2); 1420 break; 1421 1422 case OR_TRAN_IPV6: 1423 s = gen_load_llrel(off_nl + 40 + offset, size); 1424 break; 1425 1426 default: 1427 abort(); 1428 return NULL; 1429 } 1430 return s; 1431 } 1432 1433 /* 1434 * Generate code to load into the X register the sum of the length of 1435 * the IPv4 header and any variable-length header preceding the link-layer 1436 * header. 1437 */ 1438 static struct slist * 1439 gen_loadx_iphdrlen() 1440 { 1441 struct slist *s, *s2; 1442 1443 s = gen_llprefixlen(); 1444 if (s != NULL) { 1445 /* 1446 * There's a variable-length prefix preceding the 1447 * link-layer header. "s" points to a list of statements 1448 * that put the length of that prefix into the X register. 1449 * The 4*([k]&0xf) addressing mode can't be used, as we 1450 * don't have a constant offset, so we have to load the 1451 * value in question into the A register and add to it 1452 * the value from the X register. 1453 */ 1454 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1455 s2->s.k = off_nl; 1456 sappend(s, s2); 1457 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1458 s2->s.k = 0xf; 1459 sappend(s, s2); 1460 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1461 s2->s.k = 2; 1462 sappend(s, s2); 1463 1464 /* 1465 * The A register now contains the length of the 1466 * IP header. We need to add to it the length 1467 * of the prefix preceding the link-layer 1468 * header, which is still in the X register, and 1469 * move the result into the X register. 1470 */ 1471 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1472 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1473 } else { 1474 /* 1475 * There is no variable-length header preceding the 1476 * link-layer header; add in off_ll, which, if there's 1477 * a fixed-length header preceding the link-layer header, 1478 * is the length of that header. 1479 */ 1480 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1481 s->s.k = off_ll + off_nl; 1482 } 1483 return s; 1484 } 1485 1486 static struct block * 1487 gen_uncond(rsense) 1488 int rsense; 1489 { 1490 struct block *b; 1491 struct slist *s; 1492 1493 s = new_stmt(BPF_LD|BPF_IMM); 1494 s->s.k = !rsense; 1495 b = new_block(JMP(BPF_JEQ)); 1496 b->stmts = s; 1497 1498 return b; 1499 } 1500 1501 static inline struct block * 1502 gen_true() 1503 { 1504 return gen_uncond(1); 1505 } 1506 1507 static inline struct block * 1508 gen_false() 1509 { 1510 return gen_uncond(0); 1511 } 1512 1513 /* 1514 * Byte-swap a 32-bit number. 1515 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1516 * big-endian platforms.) 1517 */ 1518 #define SWAPLONG(y) \ 1519 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1520 1521 /* 1522 * Generate code to match a particular packet type. 1523 * 1524 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1525 * value, if <= ETHERMTU. We use that to determine whether to 1526 * match the type/length field or to check the type/length field for 1527 * a value <= ETHERMTU to see whether it's a type field and then do 1528 * the appropriate test. 1529 */ 1530 static struct block * 1531 gen_ether_linktype(proto) 1532 register int proto; 1533 { 1534 struct block *b0, *b1; 1535 1536 switch (proto) { 1537 1538 case LLCSAP_ISONS: 1539 case LLCSAP_IP: 1540 case LLCSAP_NETBEUI: 1541 /* 1542 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1543 * so we check the DSAP and SSAP. 1544 * 1545 * LLCSAP_IP checks for IP-over-802.2, rather 1546 * than IP-over-Ethernet or IP-over-SNAP. 1547 * 1548 * XXX - should we check both the DSAP and the 1549 * SSAP, like this, or should we check just the 1550 * DSAP, as we do for other types <= ETHERMTU 1551 * (i.e., other SAP values)? 1552 */ 1553 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1554 gen_not(b0); 1555 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1556 ((proto << 8) | proto)); 1557 gen_and(b0, b1); 1558 return b1; 1559 1560 case LLCSAP_IPX: 1561 /* 1562 * Check for; 1563 * 1564 * Ethernet_II frames, which are Ethernet 1565 * frames with a frame type of ETHERTYPE_IPX; 1566 * 1567 * Ethernet_802.3 frames, which are 802.3 1568 * frames (i.e., the type/length field is 1569 * a length field, <= ETHERMTU, rather than 1570 * a type field) with the first two bytes 1571 * after the Ethernet/802.3 header being 1572 * 0xFFFF; 1573 * 1574 * Ethernet_802.2 frames, which are 802.3 1575 * frames with an 802.2 LLC header and 1576 * with the IPX LSAP as the DSAP in the LLC 1577 * header; 1578 * 1579 * Ethernet_SNAP frames, which are 802.3 1580 * frames with an LLC header and a SNAP 1581 * header and with an OUI of 0x000000 1582 * (encapsulated Ethernet) and a protocol 1583 * ID of ETHERTYPE_IPX in the SNAP header. 1584 * 1585 * XXX - should we generate the same code both 1586 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1587 */ 1588 1589 /* 1590 * This generates code to check both for the 1591 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1592 */ 1593 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1594 (bpf_int32)LLCSAP_IPX); 1595 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, 1596 (bpf_int32)0xFFFF); 1597 gen_or(b0, b1); 1598 1599 /* 1600 * Now we add code to check for SNAP frames with 1601 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1602 */ 1603 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14); 1604 gen_or(b0, b1); 1605 1606 /* 1607 * Now we generate code to check for 802.3 1608 * frames in general. 1609 */ 1610 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1611 gen_not(b0); 1612 1613 /* 1614 * Now add the check for 802.3 frames before the 1615 * check for Ethernet_802.2 and Ethernet_802.3, 1616 * as those checks should only be done on 802.3 1617 * frames, not on Ethernet frames. 1618 */ 1619 gen_and(b0, b1); 1620 1621 /* 1622 * Now add the check for Ethernet_II frames, and 1623 * do that before checking for the other frame 1624 * types. 1625 */ 1626 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1627 (bpf_int32)ETHERTYPE_IPX); 1628 gen_or(b0, b1); 1629 return b1; 1630 1631 case ETHERTYPE_ATALK: 1632 case ETHERTYPE_AARP: 1633 /* 1634 * EtherTalk (AppleTalk protocols on Ethernet link 1635 * layer) may use 802.2 encapsulation. 1636 */ 1637 1638 /* 1639 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1640 * we check for an Ethernet type field less than 1641 * 1500, which means it's an 802.3 length field. 1642 */ 1643 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1644 gen_not(b0); 1645 1646 /* 1647 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1648 * SNAP packets with an organization code of 1649 * 0x080007 (Apple, for Appletalk) and a protocol 1650 * type of ETHERTYPE_ATALK (Appletalk). 1651 * 1652 * 802.2-encapsulated ETHERTYPE_AARP packets are 1653 * SNAP packets with an organization code of 1654 * 0x000000 (encapsulated Ethernet) and a protocol 1655 * type of ETHERTYPE_AARP (Appletalk ARP). 1656 */ 1657 if (proto == ETHERTYPE_ATALK) 1658 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14); 1659 else /* proto == ETHERTYPE_AARP */ 1660 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14); 1661 gen_and(b0, b1); 1662 1663 /* 1664 * Check for Ethernet encapsulation (Ethertalk 1665 * phase 1?); we just check for the Ethernet 1666 * protocol type. 1667 */ 1668 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1669 1670 gen_or(b0, b1); 1671 return b1; 1672 1673 default: 1674 if (proto <= ETHERMTU) { 1675 /* 1676 * This is an LLC SAP value, so the frames 1677 * that match would be 802.2 frames. 1678 * Check that the frame is an 802.2 frame 1679 * (i.e., that the length/type field is 1680 * a length field, <= ETHERMTU) and 1681 * then check the DSAP. 1682 */ 1683 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1684 gen_not(b0); 1685 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1686 (bpf_int32)proto); 1687 gen_and(b0, b1); 1688 return b1; 1689 } else { 1690 /* 1691 * This is an Ethernet type, so compare 1692 * the length/type field with it (if 1693 * the frame is an 802.2 frame, the length 1694 * field will be <= ETHERMTU, and, as 1695 * "proto" is > ETHERMTU, this test 1696 * will fail and the frame won't match, 1697 * which is what we want). 1698 */ 1699 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1700 (bpf_int32)proto); 1701 } 1702 } 1703 } 1704 1705 /* 1706 * Generate code to match a particular packet type. 1707 * 1708 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1709 * value, if <= ETHERMTU. We use that to determine whether to 1710 * match the type field or to check the type field for the special 1711 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1712 */ 1713 static struct block * 1714 gen_linux_sll_linktype(proto) 1715 register int proto; 1716 { 1717 struct block *b0, *b1; 1718 1719 switch (proto) { 1720 1721 case LLCSAP_ISONS: 1722 case LLCSAP_IP: 1723 case LLCSAP_NETBEUI: 1724 /* 1725 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1726 * so we check the DSAP and SSAP. 1727 * 1728 * LLCSAP_IP checks for IP-over-802.2, rather 1729 * than IP-over-Ethernet or IP-over-SNAP. 1730 * 1731 * XXX - should we check both the DSAP and the 1732 * SSAP, like this, or should we check just the 1733 * DSAP, as we do for other types <= ETHERMTU 1734 * (i.e., other SAP values)? 1735 */ 1736 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1737 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1738 ((proto << 8) | proto)); 1739 gen_and(b0, b1); 1740 return b1; 1741 1742 case LLCSAP_IPX: 1743 /* 1744 * Ethernet_II frames, which are Ethernet 1745 * frames with a frame type of ETHERTYPE_IPX; 1746 * 1747 * Ethernet_802.3 frames, which have a frame 1748 * type of LINUX_SLL_P_802_3; 1749 * 1750 * Ethernet_802.2 frames, which are 802.3 1751 * frames with an 802.2 LLC header (i.e, have 1752 * a frame type of LINUX_SLL_P_802_2) and 1753 * with the IPX LSAP as the DSAP in the LLC 1754 * header; 1755 * 1756 * Ethernet_SNAP frames, which are 802.3 1757 * frames with an LLC header and a SNAP 1758 * header and with an OUI of 0x000000 1759 * (encapsulated Ethernet) and a protocol 1760 * ID of ETHERTYPE_IPX in the SNAP header. 1761 * 1762 * First, do the checks on LINUX_SLL_P_802_2 1763 * frames; generate the check for either 1764 * Ethernet_802.2 or Ethernet_SNAP frames, and 1765 * then put a check for LINUX_SLL_P_802_2 frames 1766 * before it. 1767 */ 1768 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1769 (bpf_int32)LLCSAP_IPX); 1770 b1 = gen_snap(0x000000, ETHERTYPE_IPX, 1771 off_linktype + 2); 1772 gen_or(b0, b1); 1773 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1774 gen_and(b0, b1); 1775 1776 /* 1777 * Now check for 802.3 frames and OR that with 1778 * the previous test. 1779 */ 1780 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1781 gen_or(b0, b1); 1782 1783 /* 1784 * Now add the check for Ethernet_II frames, and 1785 * do that before checking for the other frame 1786 * types. 1787 */ 1788 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1789 (bpf_int32)ETHERTYPE_IPX); 1790 gen_or(b0, b1); 1791 return b1; 1792 1793 case ETHERTYPE_ATALK: 1794 case ETHERTYPE_AARP: 1795 /* 1796 * EtherTalk (AppleTalk protocols on Ethernet link 1797 * layer) may use 802.2 encapsulation. 1798 */ 1799 1800 /* 1801 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1802 * we check for the 802.2 protocol type in the 1803 * "Ethernet type" field. 1804 */ 1805 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1806 1807 /* 1808 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1809 * SNAP packets with an organization code of 1810 * 0x080007 (Apple, for Appletalk) and a protocol 1811 * type of ETHERTYPE_ATALK (Appletalk). 1812 * 1813 * 802.2-encapsulated ETHERTYPE_AARP packets are 1814 * SNAP packets with an organization code of 1815 * 0x000000 (encapsulated Ethernet) and a protocol 1816 * type of ETHERTYPE_AARP (Appletalk ARP). 1817 */ 1818 if (proto == ETHERTYPE_ATALK) 1819 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 1820 off_linktype + 2); 1821 else /* proto == ETHERTYPE_AARP */ 1822 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 1823 off_linktype + 2); 1824 gen_and(b0, b1); 1825 1826 /* 1827 * Check for Ethernet encapsulation (Ethertalk 1828 * phase 1?); we just check for the Ethernet 1829 * protocol type. 1830 */ 1831 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1832 1833 gen_or(b0, b1); 1834 return b1; 1835 1836 default: 1837 if (proto <= ETHERMTU) { 1838 /* 1839 * This is an LLC SAP value, so the frames 1840 * that match would be 802.2 frames. 1841 * Check for the 802.2 protocol type 1842 * in the "Ethernet type" field, and 1843 * then check the DSAP. 1844 */ 1845 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1846 LINUX_SLL_P_802_2); 1847 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1848 (bpf_int32)proto); 1849 gen_and(b0, b1); 1850 return b1; 1851 } else { 1852 /* 1853 * This is an Ethernet type, so compare 1854 * the length/type field with it (if 1855 * the frame is an 802.2 frame, the length 1856 * field will be <= ETHERMTU, and, as 1857 * "proto" is > ETHERMTU, this test 1858 * will fail and the frame won't match, 1859 * which is what we want). 1860 */ 1861 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1862 (bpf_int32)proto); 1863 } 1864 } 1865 } 1866 1867 static void 1868 insert_radiotap_load_llprefixlen(b) 1869 struct block *b; 1870 { 1871 struct slist *s1, *s2; 1872 1873 /* 1874 * Prepend to the statements in this block code to load the 1875 * length of the radiotap header into the register assigned 1876 * to hold that length, if one has been assigned. 1877 */ 1878 if (reg_ll_size != -1) { 1879 /* 1880 * The 2 bytes at offsets of 2 and 3 from the beginning 1881 * of the radiotap header are the length of the radiotap 1882 * header; unfortunately, it's little-endian, so we have 1883 * to load it a byte at a time and construct the value. 1884 */ 1885 1886 /* 1887 * Load the high-order byte, at an offset of 3, shift it 1888 * left a byte, and put the result in the X register. 1889 */ 1890 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1891 s1->s.k = 3; 1892 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1893 sappend(s1, s2); 1894 s2->s.k = 8; 1895 s2 = new_stmt(BPF_MISC|BPF_TAX); 1896 sappend(s1, s2); 1897 1898 /* 1899 * Load the next byte, at an offset of 2, and OR the 1900 * value from the X register into it. 1901 */ 1902 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1903 sappend(s1, s2); 1904 s2->s.k = 2; 1905 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1906 sappend(s1, s2); 1907 1908 /* 1909 * Now allocate a register to hold that value and store 1910 * it. 1911 */ 1912 s2 = new_stmt(BPF_ST); 1913 s2->s.k = reg_ll_size; 1914 sappend(s1, s2); 1915 1916 /* 1917 * Now move it into the X register. 1918 */ 1919 s2 = new_stmt(BPF_MISC|BPF_TAX); 1920 sappend(s1, s2); 1921 1922 /* 1923 * Now append all the existing statements in this 1924 * block to these statements. 1925 */ 1926 sappend(s1, b->stmts); 1927 b->stmts = s1; 1928 } 1929 } 1930 1931 /* 1932 * At the moment we treat PPI as normal Radiotap encoded 1933 * packets. The difference is in the function that generates 1934 * the code at the beginning to compute the header length. 1935 * Since this code generator of PPI supports bare 802.11 1936 * encapsulation only (i.e. the encapsulated DLT should be 1937 * DLT_IEEE802_11) we generate code to check for this too. 1938 */ 1939 static void 1940 insert_ppi_load_llprefixlen(b) 1941 struct block *b; 1942 { 1943 struct slist *s1, *s2; 1944 1945 /* 1946 * Prepend to the statements in this block code to load the 1947 * length of the radiotap header into the register assigned 1948 * to hold that length, if one has been assigned. 1949 */ 1950 if (reg_ll_size != -1) { 1951 /* 1952 * The 2 bytes at offsets of 2 and 3 from the beginning 1953 * of the radiotap header are the length of the radiotap 1954 * header; unfortunately, it's little-endian, so we have 1955 * to load it a byte at a time and construct the value. 1956 */ 1957 1958 /* 1959 * Load the high-order byte, at an offset of 3, shift it 1960 * left a byte, and put the result in the X register. 1961 */ 1962 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1963 s1->s.k = 3; 1964 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1965 sappend(s1, s2); 1966 s2->s.k = 8; 1967 s2 = new_stmt(BPF_MISC|BPF_TAX); 1968 sappend(s1, s2); 1969 1970 /* 1971 * Load the next byte, at an offset of 2, and OR the 1972 * value from the X register into it. 1973 */ 1974 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1975 sappend(s1, s2); 1976 s2->s.k = 2; 1977 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1978 sappend(s1, s2); 1979 1980 /* 1981 * Now allocate a register to hold that value and store 1982 * it. 1983 */ 1984 s2 = new_stmt(BPF_ST); 1985 s2->s.k = reg_ll_size; 1986 sappend(s1, s2); 1987 1988 /* 1989 * Now move it into the X register. 1990 */ 1991 s2 = new_stmt(BPF_MISC|BPF_TAX); 1992 sappend(s1, s2); 1993 1994 /* 1995 * Now append all the existing statements in this 1996 * block to these statements. 1997 */ 1998 sappend(s1, b->stmts); 1999 b->stmts = s1; 2000 2001 } 2002 } 2003 2004 static struct block * 2005 gen_ppi_dlt_check(void) 2006 { 2007 struct slist *s_load_dlt; 2008 struct block *b; 2009 2010 if (linktype == DLT_PPI) 2011 { 2012 /* Create the statements that check for the DLT 2013 */ 2014 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2015 s_load_dlt->s.k = 4; 2016 2017 b = new_block(JMP(BPF_JEQ)); 2018 2019 b->stmts = s_load_dlt; 2020 b->s.k = SWAPLONG(DLT_IEEE802_11); 2021 } 2022 else 2023 { 2024 b = NULL; 2025 } 2026 2027 return b; 2028 } 2029 2030 static void 2031 insert_load_llprefixlen(b) 2032 struct block *b; 2033 { 2034 switch (linktype) { 2035 2036 /* 2037 * At the moment we treat PPI as normal Radiotap encoded 2038 * packets. The difference is in the function that generates 2039 * the code at the beginning to compute the header length. 2040 * Since this code generator of PPI supports bare 802.11 2041 * encapsulation only (i.e. the encapsulated DLT should be 2042 * DLT_IEEE802_11) we generate code to check for this too. 2043 */ 2044 case DLT_PPI: 2045 insert_ppi_load_llprefixlen(b); 2046 break; 2047 2048 case DLT_IEEE802_11_RADIO: 2049 insert_radiotap_load_llprefixlen(b); 2050 break; 2051 } 2052 } 2053 2054 2055 static struct slist * 2056 gen_radiotap_llprefixlen(void) 2057 { 2058 struct slist *s; 2059 2060 if (reg_ll_size == -1) { 2061 /* 2062 * We haven't yet assigned a register for the length 2063 * of the radiotap header; allocate one. 2064 */ 2065 reg_ll_size = alloc_reg(); 2066 } 2067 2068 /* 2069 * Load the register containing the radiotap length 2070 * into the X register. 2071 */ 2072 s = new_stmt(BPF_LDX|BPF_MEM); 2073 s->s.k = reg_ll_size; 2074 return s; 2075 } 2076 2077 /* 2078 * At the moment we treat PPI as normal Radiotap encoded 2079 * packets. The difference is in the function that generates 2080 * the code at the beginning to compute the header length. 2081 * Since this code generator of PPI supports bare 802.11 2082 * encapsulation only (i.e. the encapsulated DLT should be 2083 * DLT_IEEE802_11) we generate code to check for this too. 2084 */ 2085 static struct slist * 2086 gen_ppi_llprefixlen(void) 2087 { 2088 struct slist *s; 2089 2090 if (reg_ll_size == -1) { 2091 /* 2092 * We haven't yet assigned a register for the length 2093 * of the radiotap header; allocate one. 2094 */ 2095 reg_ll_size = alloc_reg(); 2096 } 2097 2098 /* 2099 * Load the register containing the radiotap length 2100 * into the X register. 2101 */ 2102 s = new_stmt(BPF_LDX|BPF_MEM); 2103 s->s.k = reg_ll_size; 2104 return s; 2105 } 2106 2107 2108 2109 /* 2110 * Generate code to compute the link-layer header length, if necessary, 2111 * putting it into the X register, and to return either a pointer to a 2112 * "struct slist" for the list of statements in that code, or NULL if 2113 * no code is necessary. 2114 */ 2115 static struct slist * 2116 gen_llprefixlen(void) 2117 { 2118 switch (linktype) { 2119 2120 case DLT_PPI: 2121 return gen_ppi_llprefixlen(); 2122 2123 2124 case DLT_IEEE802_11_RADIO: 2125 return gen_radiotap_llprefixlen(); 2126 2127 default: 2128 return NULL; 2129 } 2130 } 2131 2132 /* 2133 * Generate code to match a particular packet type by matching the 2134 * link-layer type field or fields in the 802.2 LLC header. 2135 * 2136 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2137 * value, if <= ETHERMTU. 2138 */ 2139 static struct block * 2140 gen_linktype(proto) 2141 register int proto; 2142 { 2143 struct block *b0, *b1, *b2; 2144 2145 /* are we checking MPLS-encapsulated packets? */ 2146 if (label_stack_depth > 0) { 2147 switch (proto) { 2148 case ETHERTYPE_IP: 2149 case PPP_IP: 2150 /* FIXME add other L3 proto IDs */ 2151 return gen_mpls_linktype(Q_IP); 2152 2153 case ETHERTYPE_IPV6: 2154 case PPP_IPV6: 2155 /* FIXME add other L3 proto IDs */ 2156 return gen_mpls_linktype(Q_IPV6); 2157 2158 default: 2159 bpf_error("unsupported protocol over mpls"); 2160 /* NOTREACHED */ 2161 } 2162 } 2163 2164 switch (linktype) { 2165 2166 case DLT_EN10MB: 2167 return gen_ether_linktype(proto); 2168 /*NOTREACHED*/ 2169 break; 2170 2171 case DLT_C_HDLC: 2172 switch (proto) { 2173 2174 case LLCSAP_ISONS: 2175 proto = (proto << 8 | LLCSAP_ISONS); 2176 /* fall through */ 2177 2178 default: 2179 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2180 (bpf_int32)proto); 2181 /*NOTREACHED*/ 2182 break; 2183 } 2184 break; 2185 2186 case DLT_PPI: 2187 case DLT_FDDI: 2188 case DLT_IEEE802: 2189 case DLT_IEEE802_11: 2190 case DLT_IEEE802_11_RADIO_AVS: 2191 case DLT_IEEE802_11_RADIO: 2192 case DLT_PRISM_HEADER: 2193 case DLT_ATM_RFC1483: 2194 case DLT_ATM_CLIP: 2195 case DLT_IP_OVER_FC: 2196 return gen_llc_linktype(proto); 2197 /*NOTREACHED*/ 2198 break; 2199 2200 case DLT_SUNATM: 2201 /* 2202 * If "is_lane" is set, check for a LANE-encapsulated 2203 * version of this protocol, otherwise check for an 2204 * LLC-encapsulated version of this protocol. 2205 * 2206 * We assume LANE means Ethernet, not Token Ring. 2207 */ 2208 if (is_lane) { 2209 /* 2210 * Check that the packet doesn't begin with an 2211 * LE Control marker. (We've already generated 2212 * a test for LANE.) 2213 */ 2214 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 2215 0xFF00); 2216 gen_not(b0); 2217 2218 /* 2219 * Now generate an Ethernet test. 2220 */ 2221 b1 = gen_ether_linktype(proto); 2222 gen_and(b0, b1); 2223 return b1; 2224 } else { 2225 /* 2226 * Check for LLC encapsulation and then check the 2227 * protocol. 2228 */ 2229 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 2230 b1 = gen_llc_linktype(proto); 2231 gen_and(b0, b1); 2232 return b1; 2233 } 2234 /*NOTREACHED*/ 2235 break; 2236 2237 case DLT_LINUX_SLL: 2238 return gen_linux_sll_linktype(proto); 2239 /*NOTREACHED*/ 2240 break; 2241 2242 case DLT_SLIP: 2243 case DLT_SLIP_BSDOS: 2244 case DLT_RAW: 2245 /* 2246 * These types don't provide any type field; packets 2247 * are always IPv4 or IPv6. 2248 * 2249 * XXX - for IPv4, check for a version number of 4, and, 2250 * for IPv6, check for a version number of 6? 2251 */ 2252 switch (proto) { 2253 2254 case ETHERTYPE_IP: 2255 /* Check for a version number of 4. */ 2256 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 2257 #ifdef INET6 2258 case ETHERTYPE_IPV6: 2259 /* Check for a version number of 6. */ 2260 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 2261 #endif 2262 2263 default: 2264 return gen_false(); /* always false */ 2265 } 2266 /*NOTREACHED*/ 2267 break; 2268 2269 case DLT_PPP: 2270 case DLT_PPP_PPPD: 2271 case DLT_PPP_SERIAL: 2272 case DLT_PPP_ETHER: 2273 /* 2274 * We use Ethernet protocol types inside libpcap; 2275 * map them to the corresponding PPP protocol types. 2276 */ 2277 switch (proto) { 2278 2279 case ETHERTYPE_IP: 2280 proto = PPP_IP; 2281 break; 2282 2283 #ifdef INET6 2284 case ETHERTYPE_IPV6: 2285 proto = PPP_IPV6; 2286 break; 2287 #endif 2288 2289 case ETHERTYPE_DN: 2290 proto = PPP_DECNET; 2291 break; 2292 2293 case ETHERTYPE_ATALK: 2294 proto = PPP_APPLE; 2295 break; 2296 2297 case ETHERTYPE_NS: 2298 proto = PPP_NS; 2299 break; 2300 2301 case LLCSAP_ISONS: 2302 proto = PPP_OSI; 2303 break; 2304 2305 case LLCSAP_8021D: 2306 /* 2307 * I'm assuming the "Bridging PDU"s that go 2308 * over PPP are Spanning Tree Protocol 2309 * Bridging PDUs. 2310 */ 2311 proto = PPP_BRPDU; 2312 break; 2313 2314 case LLCSAP_IPX: 2315 proto = PPP_IPX; 2316 break; 2317 } 2318 break; 2319 2320 case DLT_PPP_BSDOS: 2321 /* 2322 * We use Ethernet protocol types inside libpcap; 2323 * map them to the corresponding PPP protocol types. 2324 */ 2325 switch (proto) { 2326 2327 case ETHERTYPE_IP: 2328 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 2329 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 2330 gen_or(b0, b1); 2331 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 2332 gen_or(b1, b0); 2333 return b0; 2334 2335 #ifdef INET6 2336 case ETHERTYPE_IPV6: 2337 proto = PPP_IPV6; 2338 /* more to go? */ 2339 break; 2340 #endif 2341 2342 case ETHERTYPE_DN: 2343 proto = PPP_DECNET; 2344 break; 2345 2346 case ETHERTYPE_ATALK: 2347 proto = PPP_APPLE; 2348 break; 2349 2350 case ETHERTYPE_NS: 2351 proto = PPP_NS; 2352 break; 2353 2354 case LLCSAP_ISONS: 2355 proto = PPP_OSI; 2356 break; 2357 2358 case LLCSAP_8021D: 2359 /* 2360 * I'm assuming the "Bridging PDU"s that go 2361 * over PPP are Spanning Tree Protocol 2362 * Bridging PDUs. 2363 */ 2364 proto = PPP_BRPDU; 2365 break; 2366 2367 case LLCSAP_IPX: 2368 proto = PPP_IPX; 2369 break; 2370 } 2371 break; 2372 2373 case DLT_NULL: 2374 case DLT_LOOP: 2375 case DLT_ENC: 2376 /* 2377 * For DLT_NULL, the link-layer header is a 32-bit 2378 * word containing an AF_ value in *host* byte order, 2379 * and for DLT_ENC, the link-layer header begins 2380 * with a 32-bit work containing an AF_ value in 2381 * host byte order. 2382 * 2383 * In addition, if we're reading a saved capture file, 2384 * the host byte order in the capture may not be the 2385 * same as the host byte order on this machine. 2386 * 2387 * For DLT_LOOP, the link-layer header is a 32-bit 2388 * word containing an AF_ value in *network* byte order. 2389 * 2390 * XXX - AF_ values may, unfortunately, be platform- 2391 * dependent; for example, FreeBSD's AF_INET6 is 24 2392 * whilst NetBSD's and OpenBSD's is 26. 2393 * 2394 * This means that, when reading a capture file, just 2395 * checking for our AF_INET6 value won't work if the 2396 * capture file came from another OS. 2397 */ 2398 switch (proto) { 2399 2400 case ETHERTYPE_IP: 2401 proto = AF_INET; 2402 break; 2403 2404 #ifdef INET6 2405 case ETHERTYPE_IPV6: 2406 proto = AF_INET6; 2407 break; 2408 #endif 2409 2410 default: 2411 /* 2412 * Not a type on which we support filtering. 2413 * XXX - support those that have AF_ values 2414 * #defined on this platform, at least? 2415 */ 2416 return gen_false(); 2417 } 2418 2419 if (linktype == DLT_NULL || linktype == DLT_ENC) { 2420 /* 2421 * The AF_ value is in host byte order, but 2422 * the BPF interpreter will convert it to 2423 * network byte order. 2424 * 2425 * If this is a save file, and it's from a 2426 * machine with the opposite byte order to 2427 * ours, we byte-swap the AF_ value. 2428 * 2429 * Then we run it through "htonl()", and 2430 * generate code to compare against the result. 2431 */ 2432 if (bpf_pcap->sf.rfile != NULL && 2433 bpf_pcap->sf.swapped) 2434 proto = SWAPLONG(proto); 2435 proto = htonl(proto); 2436 } 2437 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 2438 2439 #ifdef HAVE_NET_PFVAR_H 2440 case DLT_PFLOG: 2441 /* 2442 * af field is host byte order in contrast to the rest of 2443 * the packet. 2444 */ 2445 if (proto == ETHERTYPE_IP) 2446 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2447 BPF_B, (bpf_int32)AF_INET)); 2448 #ifdef INET6 2449 else if (proto == ETHERTYPE_IPV6) 2450 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2451 BPF_B, (bpf_int32)AF_INET6)); 2452 #endif /* INET6 */ 2453 else 2454 return gen_false(); 2455 /*NOTREACHED*/ 2456 break; 2457 #endif /* HAVE_NET_PFVAR_H */ 2458 2459 case DLT_ARCNET: 2460 case DLT_ARCNET_LINUX: 2461 /* 2462 * XXX should we check for first fragment if the protocol 2463 * uses PHDS? 2464 */ 2465 switch (proto) { 2466 2467 default: 2468 return gen_false(); 2469 2470 #ifdef INET6 2471 case ETHERTYPE_IPV6: 2472 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2473 (bpf_int32)ARCTYPE_INET6)); 2474 #endif /* INET6 */ 2475 2476 case ETHERTYPE_IP: 2477 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2478 (bpf_int32)ARCTYPE_IP); 2479 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2480 (bpf_int32)ARCTYPE_IP_OLD); 2481 gen_or(b0, b1); 2482 return (b1); 2483 2484 case ETHERTYPE_ARP: 2485 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2486 (bpf_int32)ARCTYPE_ARP); 2487 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2488 (bpf_int32)ARCTYPE_ARP_OLD); 2489 gen_or(b0, b1); 2490 return (b1); 2491 2492 case ETHERTYPE_REVARP: 2493 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2494 (bpf_int32)ARCTYPE_REVARP)); 2495 2496 case ETHERTYPE_ATALK: 2497 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2498 (bpf_int32)ARCTYPE_ATALK)); 2499 } 2500 /*NOTREACHED*/ 2501 break; 2502 2503 case DLT_LTALK: 2504 switch (proto) { 2505 case ETHERTYPE_ATALK: 2506 return gen_true(); 2507 default: 2508 return gen_false(); 2509 } 2510 /*NOTREACHED*/ 2511 break; 2512 2513 case DLT_FRELAY: 2514 /* 2515 * XXX - assumes a 2-byte Frame Relay header with 2516 * DLCI and flags. What if the address is longer? 2517 */ 2518 switch (proto) { 2519 2520 case ETHERTYPE_IP: 2521 /* 2522 * Check for the special NLPID for IP. 2523 */ 2524 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 2525 2526 #ifdef INET6 2527 case ETHERTYPE_IPV6: 2528 /* 2529 * Check for the special NLPID for IPv6. 2530 */ 2531 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 2532 #endif 2533 2534 case LLCSAP_ISONS: 2535 /* 2536 * Check for several OSI protocols. 2537 * 2538 * Frame Relay packets typically have an OSI 2539 * NLPID at the beginning; we check for each 2540 * of them. 2541 * 2542 * What we check for is the NLPID and a frame 2543 * control field of UI, i.e. 0x03 followed 2544 * by the NLPID. 2545 */ 2546 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 2547 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 2548 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 2549 gen_or(b1, b2); 2550 gen_or(b0, b2); 2551 return b2; 2552 2553 default: 2554 return gen_false(); 2555 } 2556 /*NOTREACHED*/ 2557 break; 2558 2559 case DLT_JUNIPER_MFR: 2560 case DLT_JUNIPER_MLFR: 2561 case DLT_JUNIPER_MLPPP: 2562 case DLT_JUNIPER_ATM1: 2563 case DLT_JUNIPER_ATM2: 2564 case DLT_JUNIPER_PPPOE: 2565 case DLT_JUNIPER_PPPOE_ATM: 2566 case DLT_JUNIPER_GGSN: 2567 case DLT_JUNIPER_ES: 2568 case DLT_JUNIPER_MONITOR: 2569 case DLT_JUNIPER_SERVICES: 2570 case DLT_JUNIPER_ETHER: 2571 case DLT_JUNIPER_PPP: 2572 case DLT_JUNIPER_FRELAY: 2573 case DLT_JUNIPER_CHDLC: 2574 case DLT_JUNIPER_VP: 2575 /* just lets verify the magic number for now - 2576 * on ATM we may have up to 6 different encapsulations on the wire 2577 * and need a lot of heuristics to figure out that the payload 2578 * might be; 2579 * 2580 * FIXME encapsulation specific BPF_ filters 2581 */ 2582 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 2583 2584 case DLT_LINUX_IRDA: 2585 bpf_error("IrDA link-layer type filtering not implemented"); 2586 2587 case DLT_DOCSIS: 2588 bpf_error("DOCSIS link-layer type filtering not implemented"); 2589 2590 case DLT_LINUX_LAPD: 2591 bpf_error("LAPD link-layer type filtering not implemented"); 2592 } 2593 2594 /* 2595 * All the types that have no encapsulation should either be 2596 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 2597 * all packets are IP packets, or should be handled in some 2598 * special case, if none of them are (if some are and some 2599 * aren't, the lack of encapsulation is a problem, as we'd 2600 * have to find some other way of determining the packet type). 2601 * 2602 * Therefore, if "off_linktype" is -1, there's an error. 2603 */ 2604 if (off_linktype == (u_int)-1) 2605 abort(); 2606 2607 /* 2608 * Any type not handled above should always have an Ethernet 2609 * type at an offset of "off_linktype". (PPP is partially 2610 * handled above - the protocol type is mapped from the 2611 * Ethernet and LLC types we use internally to the corresponding 2612 * PPP type - but the PPP type is always specified by a value 2613 * at "off_linktype", so we don't have to do the code generation 2614 * above.) 2615 */ 2616 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2617 } 2618 2619 /* 2620 * Check for an LLC SNAP packet with a given organization code and 2621 * protocol type; we check the entire contents of the 802.2 LLC and 2622 * snap headers, checking for DSAP and SSAP of SNAP and a control 2623 * field of 0x03 in the LLC header, and for the specified organization 2624 * code and protocol type in the SNAP header. 2625 */ 2626 static struct block * 2627 gen_snap(orgcode, ptype, offset) 2628 bpf_u_int32 orgcode; 2629 bpf_u_int32 ptype; 2630 u_int offset; 2631 { 2632 u_char snapblock[8]; 2633 2634 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 2635 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 2636 snapblock[2] = 0x03; /* control = UI */ 2637 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 2638 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 2639 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 2640 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 2641 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 2642 return gen_bcmp(OR_LINK, offset, 8, snapblock); 2643 } 2644 2645 /* 2646 * Generate code to match a particular packet type, for link-layer types 2647 * using 802.2 LLC headers. 2648 * 2649 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 2650 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 2651 * 2652 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2653 * value, if <= ETHERMTU. We use that to determine whether to 2654 * match the DSAP or both DSAP and LSAP or to check the OUI and 2655 * protocol ID in a SNAP header. 2656 */ 2657 static struct block * 2658 gen_llc_linktype(proto) 2659 int proto; 2660 { 2661 /* 2662 * XXX - handle token-ring variable-length header. 2663 */ 2664 switch (proto) { 2665 2666 case LLCSAP_IP: 2667 case LLCSAP_ISONS: 2668 case LLCSAP_NETBEUI: 2669 /* 2670 * XXX - should we check both the DSAP and the 2671 * SSAP, like this, or should we check just the 2672 * DSAP, as we do for other types <= ETHERMTU 2673 * (i.e., other SAP values)? 2674 */ 2675 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32) 2676 ((proto << 8) | proto)); 2677 2678 case LLCSAP_IPX: 2679 /* 2680 * XXX - are there ever SNAP frames for IPX on 2681 * non-Ethernet 802.x networks? 2682 */ 2683 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2684 (bpf_int32)LLCSAP_IPX); 2685 2686 case ETHERTYPE_ATALK: 2687 /* 2688 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2689 * SNAP packets with an organization code of 2690 * 0x080007 (Apple, for Appletalk) and a protocol 2691 * type of ETHERTYPE_ATALK (Appletalk). 2692 * 2693 * XXX - check for an organization code of 2694 * encapsulated Ethernet as well? 2695 */ 2696 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype); 2697 2698 default: 2699 /* 2700 * XXX - we don't have to check for IPX 802.3 2701 * here, but should we check for the IPX Ethertype? 2702 */ 2703 if (proto <= ETHERMTU) { 2704 /* 2705 * This is an LLC SAP value, so check 2706 * the DSAP. 2707 */ 2708 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2709 (bpf_int32)proto); 2710 } else { 2711 /* 2712 * This is an Ethernet type; we assume that it's 2713 * unlikely that it'll appear in the right place 2714 * at random, and therefore check only the 2715 * location that would hold the Ethernet type 2716 * in a SNAP frame with an organization code of 2717 * 0x000000 (encapsulated Ethernet). 2718 * 2719 * XXX - if we were to check for the SNAP DSAP and 2720 * LSAP, as per XXX, and were also to check for an 2721 * organization code of 0x000000 (encapsulated 2722 * Ethernet), we'd do 2723 * 2724 * return gen_snap(0x000000, proto, 2725 * off_linktype); 2726 * 2727 * here; for now, we don't, as per the above. 2728 * I don't know whether it's worth the extra CPU 2729 * time to do the right check or not. 2730 */ 2731 return gen_cmp(OR_LINK, off_linktype+6, BPF_H, 2732 (bpf_int32)proto); 2733 } 2734 } 2735 } 2736 2737 static struct block * 2738 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 2739 bpf_u_int32 addr; 2740 bpf_u_int32 mask; 2741 int dir, proto; 2742 u_int src_off, dst_off; 2743 { 2744 struct block *b0, *b1; 2745 u_int offset; 2746 2747 switch (dir) { 2748 2749 case Q_SRC: 2750 offset = src_off; 2751 break; 2752 2753 case Q_DST: 2754 offset = dst_off; 2755 break; 2756 2757 case Q_AND: 2758 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2759 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2760 gen_and(b0, b1); 2761 return b1; 2762 2763 case Q_OR: 2764 case Q_DEFAULT: 2765 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2766 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2767 gen_or(b0, b1); 2768 return b1; 2769 2770 default: 2771 abort(); 2772 } 2773 b0 = gen_linktype(proto); 2774 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 2775 gen_and(b0, b1); 2776 return b1; 2777 } 2778 2779 #ifdef INET6 2780 static struct block * 2781 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 2782 struct in6_addr *addr; 2783 struct in6_addr *mask; 2784 int dir, proto; 2785 u_int src_off, dst_off; 2786 { 2787 struct block *b0, *b1; 2788 u_int offset; 2789 u_int32_t *a, *m; 2790 2791 switch (dir) { 2792 2793 case Q_SRC: 2794 offset = src_off; 2795 break; 2796 2797 case Q_DST: 2798 offset = dst_off; 2799 break; 2800 2801 case Q_AND: 2802 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2803 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2804 gen_and(b0, b1); 2805 return b1; 2806 2807 case Q_OR: 2808 case Q_DEFAULT: 2809 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2810 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2811 gen_or(b0, b1); 2812 return b1; 2813 2814 default: 2815 abort(); 2816 } 2817 /* this order is important */ 2818 a = (u_int32_t *)addr; 2819 m = (u_int32_t *)mask; 2820 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 2821 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 2822 gen_and(b0, b1); 2823 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 2824 gen_and(b0, b1); 2825 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 2826 gen_and(b0, b1); 2827 b0 = gen_linktype(proto); 2828 gen_and(b0, b1); 2829 return b1; 2830 } 2831 #endif /*INET6*/ 2832 2833 static struct block * 2834 gen_ehostop(eaddr, dir) 2835 register const u_char *eaddr; 2836 register int dir; 2837 { 2838 register struct block *b0, *b1; 2839 2840 switch (dir) { 2841 case Q_SRC: 2842 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 2843 2844 case Q_DST: 2845 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 2846 2847 case Q_AND: 2848 b0 = gen_ehostop(eaddr, Q_SRC); 2849 b1 = gen_ehostop(eaddr, Q_DST); 2850 gen_and(b0, b1); 2851 return b1; 2852 2853 case Q_DEFAULT: 2854 case Q_OR: 2855 b0 = gen_ehostop(eaddr, Q_SRC); 2856 b1 = gen_ehostop(eaddr, Q_DST); 2857 gen_or(b0, b1); 2858 return b1; 2859 } 2860 abort(); 2861 /* NOTREACHED */ 2862 } 2863 2864 /* 2865 * Like gen_ehostop, but for DLT_FDDI 2866 */ 2867 static struct block * 2868 gen_fhostop(eaddr, dir) 2869 register const u_char *eaddr; 2870 register int dir; 2871 { 2872 struct block *b0, *b1; 2873 2874 switch (dir) { 2875 case Q_SRC: 2876 #ifdef PCAP_FDDIPAD 2877 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 2878 #else 2879 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 2880 #endif 2881 2882 case Q_DST: 2883 #ifdef PCAP_FDDIPAD 2884 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 2885 #else 2886 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 2887 #endif 2888 2889 case Q_AND: 2890 b0 = gen_fhostop(eaddr, Q_SRC); 2891 b1 = gen_fhostop(eaddr, Q_DST); 2892 gen_and(b0, b1); 2893 return b1; 2894 2895 case Q_DEFAULT: 2896 case Q_OR: 2897 b0 = gen_fhostop(eaddr, Q_SRC); 2898 b1 = gen_fhostop(eaddr, Q_DST); 2899 gen_or(b0, b1); 2900 return b1; 2901 } 2902 abort(); 2903 /* NOTREACHED */ 2904 } 2905 2906 /* 2907 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 2908 */ 2909 static struct block * 2910 gen_thostop(eaddr, dir) 2911 register const u_char *eaddr; 2912 register int dir; 2913 { 2914 register struct block *b0, *b1; 2915 2916 switch (dir) { 2917 case Q_SRC: 2918 return gen_bcmp(OR_LINK, 8, 6, eaddr); 2919 2920 case Q_DST: 2921 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2922 2923 case Q_AND: 2924 b0 = gen_thostop(eaddr, Q_SRC); 2925 b1 = gen_thostop(eaddr, Q_DST); 2926 gen_and(b0, b1); 2927 return b1; 2928 2929 case Q_DEFAULT: 2930 case Q_OR: 2931 b0 = gen_thostop(eaddr, Q_SRC); 2932 b1 = gen_thostop(eaddr, Q_DST); 2933 gen_or(b0, b1); 2934 return b1; 2935 } 2936 abort(); 2937 /* NOTREACHED */ 2938 } 2939 2940 /* 2941 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) 2942 */ 2943 static struct block * 2944 gen_wlanhostop(eaddr, dir) 2945 register const u_char *eaddr; 2946 register int dir; 2947 { 2948 register struct block *b0, *b1, *b2; 2949 register struct slist *s; 2950 2951 switch (dir) { 2952 case Q_SRC: 2953 /* 2954 * Oh, yuk. 2955 * 2956 * For control frames, there is no SA. 2957 * 2958 * For management frames, SA is at an 2959 * offset of 10 from the beginning of 2960 * the packet. 2961 * 2962 * For data frames, SA is at an offset 2963 * of 10 from the beginning of the packet 2964 * if From DS is clear, at an offset of 2965 * 16 from the beginning of the packet 2966 * if From DS is set and To DS is clear, 2967 * and an offset of 24 from the beginning 2968 * of the packet if From DS is set and To DS 2969 * is set. 2970 */ 2971 2972 /* 2973 * Generate the tests to be done for data frames 2974 * with From DS set. 2975 * 2976 * First, check for To DS set, i.e. check "link[1] & 0x01". 2977 */ 2978 s = gen_load_a(OR_LINK, 1, BPF_B); 2979 b1 = new_block(JMP(BPF_JSET)); 2980 b1->s.k = 0x01; /* To DS */ 2981 b1->stmts = s; 2982 2983 /* 2984 * If To DS is set, the SA is at 24. 2985 */ 2986 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 2987 gen_and(b1, b0); 2988 2989 /* 2990 * Now, check for To DS not set, i.e. check 2991 * "!(link[1] & 0x01)". 2992 */ 2993 s = gen_load_a(OR_LINK, 1, BPF_B); 2994 b2 = new_block(JMP(BPF_JSET)); 2995 b2->s.k = 0x01; /* To DS */ 2996 b2->stmts = s; 2997 gen_not(b2); 2998 2999 /* 3000 * If To DS is not set, the SA is at 16. 3001 */ 3002 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3003 gen_and(b2, b1); 3004 3005 /* 3006 * Now OR together the last two checks. That gives 3007 * the complete set of checks for data frames with 3008 * From DS set. 3009 */ 3010 gen_or(b1, b0); 3011 3012 /* 3013 * Now check for From DS being set, and AND that with 3014 * the ORed-together checks. 3015 */ 3016 s = gen_load_a(OR_LINK, 1, BPF_B); 3017 b1 = new_block(JMP(BPF_JSET)); 3018 b1->s.k = 0x02; /* From DS */ 3019 b1->stmts = s; 3020 gen_and(b1, b0); 3021 3022 /* 3023 * Now check for data frames with From DS not set. 3024 */ 3025 s = gen_load_a(OR_LINK, 1, BPF_B); 3026 b2 = new_block(JMP(BPF_JSET)); 3027 b2->s.k = 0x02; /* From DS */ 3028 b2->stmts = s; 3029 gen_not(b2); 3030 3031 /* 3032 * If From DS isn't set, the SA is at 10. 3033 */ 3034 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3035 gen_and(b2, b1); 3036 3037 /* 3038 * Now OR together the checks for data frames with 3039 * From DS not set and for data frames with From DS 3040 * set; that gives the checks done for data frames. 3041 */ 3042 gen_or(b1, b0); 3043 3044 /* 3045 * Now check for a data frame. 3046 * I.e, check "link[0] & 0x08". 3047 */ 3048 gen_load_a(OR_LINK, 0, BPF_B); 3049 b1 = new_block(JMP(BPF_JSET)); 3050 b1->s.k = 0x08; 3051 b1->stmts = s; 3052 3053 /* 3054 * AND that with the checks done for data frames. 3055 */ 3056 gen_and(b1, b0); 3057 3058 /* 3059 * If the high-order bit of the type value is 0, this 3060 * is a management frame. 3061 * I.e, check "!(link[0] & 0x08)". 3062 */ 3063 s = gen_load_a(OR_LINK, 0, BPF_B); 3064 b2 = new_block(JMP(BPF_JSET)); 3065 b2->s.k = 0x08; 3066 b2->stmts = s; 3067 gen_not(b2); 3068 3069 /* 3070 * For management frames, the SA is at 10. 3071 */ 3072 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3073 gen_and(b2, b1); 3074 3075 /* 3076 * OR that with the checks done for data frames. 3077 * That gives the checks done for management and 3078 * data frames. 3079 */ 3080 gen_or(b1, b0); 3081 3082 /* 3083 * If the low-order bit of the type value is 1, 3084 * this is either a control frame or a frame 3085 * with a reserved type, and thus not a 3086 * frame with an SA. 3087 * 3088 * I.e., check "!(link[0] & 0x04)". 3089 */ 3090 s = gen_load_a(OR_LINK, 0, BPF_B); 3091 b1 = new_block(JMP(BPF_JSET)); 3092 b1->s.k = 0x04; 3093 b1->stmts = s; 3094 gen_not(b1); 3095 3096 /* 3097 * AND that with the checks for data and management 3098 * frames. 3099 */ 3100 gen_and(b1, b0); 3101 return b0; 3102 3103 case Q_DST: 3104 /* 3105 * Oh, yuk. 3106 * 3107 * For control frames, there is no DA. 3108 * 3109 * For management frames, DA is at an 3110 * offset of 4 from the beginning of 3111 * the packet. 3112 * 3113 * For data frames, DA is at an offset 3114 * of 4 from the beginning of the packet 3115 * if To DS is clear and at an offset of 3116 * 16 from the beginning of the packet 3117 * if To DS is set. 3118 */ 3119 3120 /* 3121 * Generate the tests to be done for data frames. 3122 * 3123 * First, check for To DS set, i.e. "link[1] & 0x01". 3124 */ 3125 s = gen_load_a(OR_LINK, 1, BPF_B); 3126 b1 = new_block(JMP(BPF_JSET)); 3127 b1->s.k = 0x01; /* To DS */ 3128 b1->stmts = s; 3129 3130 /* 3131 * If To DS is set, the DA is at 16. 3132 */ 3133 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3134 gen_and(b1, b0); 3135 3136 /* 3137 * Now, check for To DS not set, i.e. check 3138 * "!(link[1] & 0x01)". 3139 */ 3140 s = gen_load_a(OR_LINK, 1, BPF_B); 3141 b2 = new_block(JMP(BPF_JSET)); 3142 b2->s.k = 0x01; /* To DS */ 3143 b2->stmts = s; 3144 gen_not(b2); 3145 3146 /* 3147 * If To DS is not set, the DA is at 4. 3148 */ 3149 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3150 gen_and(b2, b1); 3151 3152 /* 3153 * Now OR together the last two checks. That gives 3154 * the complete set of checks for data frames. 3155 */ 3156 gen_or(b1, b0); 3157 3158 /* 3159 * Now check for a data frame. 3160 * I.e, check "link[0] & 0x08". 3161 */ 3162 s = gen_load_a(OR_LINK, 0, BPF_B); 3163 b1 = new_block(JMP(BPF_JSET)); 3164 b1->s.k = 0x08; 3165 b1->stmts = s; 3166 3167 /* 3168 * AND that with the checks done for data frames. 3169 */ 3170 gen_and(b1, b0); 3171 3172 /* 3173 * If the high-order bit of the type value is 0, this 3174 * is a management frame. 3175 * I.e, check "!(link[0] & 0x08)". 3176 */ 3177 s = gen_load_a(OR_LINK, 0, BPF_B); 3178 b2 = new_block(JMP(BPF_JSET)); 3179 b2->s.k = 0x08; 3180 b2->stmts = s; 3181 gen_not(b2); 3182 3183 /* 3184 * For management frames, the DA is at 4. 3185 */ 3186 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3187 gen_and(b2, b1); 3188 3189 /* 3190 * OR that with the checks done for data frames. 3191 * That gives the checks done for management and 3192 * data frames. 3193 */ 3194 gen_or(b1, b0); 3195 3196 /* 3197 * If the low-order bit of the type value is 1, 3198 * this is either a control frame or a frame 3199 * with a reserved type, and thus not a 3200 * frame with an SA. 3201 * 3202 * I.e., check "!(link[0] & 0x04)". 3203 */ 3204 s = gen_load_a(OR_LINK, 0, BPF_B); 3205 b1 = new_block(JMP(BPF_JSET)); 3206 b1->s.k = 0x04; 3207 b1->stmts = s; 3208 gen_not(b1); 3209 3210 /* 3211 * AND that with the checks for data and management 3212 * frames. 3213 */ 3214 gen_and(b1, b0); 3215 return b0; 3216 3217 case Q_AND: 3218 b0 = gen_wlanhostop(eaddr, Q_SRC); 3219 b1 = gen_wlanhostop(eaddr, Q_DST); 3220 gen_and(b0, b1); 3221 return b1; 3222 3223 case Q_DEFAULT: 3224 case Q_OR: 3225 b0 = gen_wlanhostop(eaddr, Q_SRC); 3226 b1 = gen_wlanhostop(eaddr, Q_DST); 3227 gen_or(b0, b1); 3228 return b1; 3229 } 3230 abort(); 3231 /* NOTREACHED */ 3232 } 3233 3234 /* 3235 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 3236 * (We assume that the addresses are IEEE 48-bit MAC addresses, 3237 * as the RFC states.) 3238 */ 3239 static struct block * 3240 gen_ipfchostop(eaddr, dir) 3241 register const u_char *eaddr; 3242 register int dir; 3243 { 3244 register struct block *b0, *b1; 3245 3246 switch (dir) { 3247 case Q_SRC: 3248 return gen_bcmp(OR_LINK, 10, 6, eaddr); 3249 3250 case Q_DST: 3251 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3252 3253 case Q_AND: 3254 b0 = gen_ipfchostop(eaddr, Q_SRC); 3255 b1 = gen_ipfchostop(eaddr, Q_DST); 3256 gen_and(b0, b1); 3257 return b1; 3258 3259 case Q_DEFAULT: 3260 case Q_OR: 3261 b0 = gen_ipfchostop(eaddr, Q_SRC); 3262 b1 = gen_ipfchostop(eaddr, Q_DST); 3263 gen_or(b0, b1); 3264 return b1; 3265 } 3266 abort(); 3267 /* NOTREACHED */ 3268 } 3269 3270 /* 3271 * This is quite tricky because there may be pad bytes in front of the 3272 * DECNET header, and then there are two possible data packet formats that 3273 * carry both src and dst addresses, plus 5 packet types in a format that 3274 * carries only the src node, plus 2 types that use a different format and 3275 * also carry just the src node. 3276 * 3277 * Yuck. 3278 * 3279 * Instead of doing those all right, we just look for data packets with 3280 * 0 or 1 bytes of padding. If you want to look at other packets, that 3281 * will require a lot more hacking. 3282 * 3283 * To add support for filtering on DECNET "areas" (network numbers) 3284 * one would want to add a "mask" argument to this routine. That would 3285 * make the filter even more inefficient, although one could be clever 3286 * and not generate masking instructions if the mask is 0xFFFF. 3287 */ 3288 static struct block * 3289 gen_dnhostop(addr, dir) 3290 bpf_u_int32 addr; 3291 int dir; 3292 { 3293 struct block *b0, *b1, *b2, *tmp; 3294 u_int offset_lh; /* offset if long header is received */ 3295 u_int offset_sh; /* offset if short header is received */ 3296 3297 switch (dir) { 3298 3299 case Q_DST: 3300 offset_sh = 1; /* follows flags */ 3301 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 3302 break; 3303 3304 case Q_SRC: 3305 offset_sh = 3; /* follows flags, dstnode */ 3306 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 3307 break; 3308 3309 case Q_AND: 3310 /* Inefficient because we do our Calvinball dance twice */ 3311 b0 = gen_dnhostop(addr, Q_SRC); 3312 b1 = gen_dnhostop(addr, Q_DST); 3313 gen_and(b0, b1); 3314 return b1; 3315 3316 case Q_OR: 3317 case Q_DEFAULT: 3318 /* Inefficient because we do our Calvinball dance twice */ 3319 b0 = gen_dnhostop(addr, Q_SRC); 3320 b1 = gen_dnhostop(addr, Q_DST); 3321 gen_or(b0, b1); 3322 return b1; 3323 3324 case Q_ISO: 3325 bpf_error("ISO host filtering not implemented"); 3326 3327 default: 3328 abort(); 3329 } 3330 b0 = gen_linktype(ETHERTYPE_DN); 3331 /* Check for pad = 1, long header case */ 3332 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3333 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 3334 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 3335 BPF_H, (bpf_int32)ntohs((u_short)addr)); 3336 gen_and(tmp, b1); 3337 /* Check for pad = 0, long header case */ 3338 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 3339 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3340 gen_and(tmp, b2); 3341 gen_or(b2, b1); 3342 /* Check for pad = 1, short header case */ 3343 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3344 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 3345 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3346 gen_and(tmp, b2); 3347 gen_or(b2, b1); 3348 /* Check for pad = 0, short header case */ 3349 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 3350 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3351 gen_and(tmp, b2); 3352 gen_or(b2, b1); 3353 3354 /* Combine with test for linktype */ 3355 gen_and(b0, b1); 3356 return b1; 3357 } 3358 3359 /* 3360 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 3361 * test the bottom-of-stack bit, and then check the version number 3362 * field in the IP header. 3363 */ 3364 static struct block * 3365 gen_mpls_linktype(proto) 3366 int proto; 3367 { 3368 struct block *b0, *b1; 3369 3370 switch (proto) { 3371 3372 case Q_IP: 3373 /* match the bottom-of-stack bit */ 3374 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3375 /* match the IPv4 version number */ 3376 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 3377 gen_and(b0, b1); 3378 return b1; 3379 3380 case Q_IPV6: 3381 /* match the bottom-of-stack bit */ 3382 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3383 /* match the IPv4 version number */ 3384 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 3385 gen_and(b0, b1); 3386 return b1; 3387 3388 default: 3389 abort(); 3390 } 3391 } 3392 3393 static struct block * 3394 gen_host(addr, mask, proto, dir, type) 3395 bpf_u_int32 addr; 3396 bpf_u_int32 mask; 3397 int proto; 3398 int dir; 3399 int type; 3400 { 3401 struct block *b0, *b1; 3402 const char *typestr; 3403 3404 if (type == Q_NET) 3405 typestr = "net"; 3406 else 3407 typestr = "host"; 3408 3409 switch (proto) { 3410 3411 case Q_DEFAULT: 3412 b0 = gen_host(addr, mask, Q_IP, dir, type); 3413 /* 3414 * Only check for non-IPv4 addresses if we're not 3415 * checking MPLS-encapsulated packets. 3416 */ 3417 if (label_stack_depth == 0) { 3418 b1 = gen_host(addr, mask, Q_ARP, dir, type); 3419 gen_or(b0, b1); 3420 b0 = gen_host(addr, mask, Q_RARP, dir, type); 3421 gen_or(b1, b0); 3422 } 3423 return b0; 3424 3425 case Q_IP: 3426 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 3427 3428 case Q_RARP: 3429 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 3430 3431 case Q_ARP: 3432 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 3433 3434 case Q_TCP: 3435 bpf_error("'tcp' modifier applied to %s", typestr); 3436 3437 case Q_SCTP: 3438 bpf_error("'sctp' modifier applied to %s", typestr); 3439 3440 case Q_UDP: 3441 bpf_error("'udp' modifier applied to %s", typestr); 3442 3443 case Q_ICMP: 3444 bpf_error("'icmp' modifier applied to %s", typestr); 3445 3446 case Q_IGMP: 3447 bpf_error("'igmp' modifier applied to %s", typestr); 3448 3449 case Q_IGRP: 3450 bpf_error("'igrp' modifier applied to %s", typestr); 3451 3452 case Q_PIM: 3453 bpf_error("'pim' modifier applied to %s", typestr); 3454 3455 case Q_VRRP: 3456 bpf_error("'vrrp' modifier applied to %s", typestr); 3457 3458 case Q_ATALK: 3459 bpf_error("ATALK host filtering not implemented"); 3460 3461 case Q_AARP: 3462 bpf_error("AARP host filtering not implemented"); 3463 3464 case Q_DECNET: 3465 return gen_dnhostop(addr, dir); 3466 3467 case Q_SCA: 3468 bpf_error("SCA host filtering not implemented"); 3469 3470 case Q_LAT: 3471 bpf_error("LAT host filtering not implemented"); 3472 3473 case Q_MOPDL: 3474 bpf_error("MOPDL host filtering not implemented"); 3475 3476 case Q_MOPRC: 3477 bpf_error("MOPRC host filtering not implemented"); 3478 3479 #ifdef INET6 3480 case Q_IPV6: 3481 bpf_error("'ip6' modifier applied to ip host"); 3482 3483 case Q_ICMPV6: 3484 bpf_error("'icmp6' modifier applied to %s", typestr); 3485 #endif /* INET6 */ 3486 3487 case Q_AH: 3488 bpf_error("'ah' modifier applied to %s", typestr); 3489 3490 case Q_ESP: 3491 bpf_error("'esp' modifier applied to %s", typestr); 3492 3493 case Q_ISO: 3494 bpf_error("ISO host filtering not implemented"); 3495 3496 case Q_ESIS: 3497 bpf_error("'esis' modifier applied to %s", typestr); 3498 3499 case Q_ISIS: 3500 bpf_error("'isis' modifier applied to %s", typestr); 3501 3502 case Q_CLNP: 3503 bpf_error("'clnp' modifier applied to %s", typestr); 3504 3505 case Q_STP: 3506 bpf_error("'stp' modifier applied to %s", typestr); 3507 3508 case Q_IPX: 3509 bpf_error("IPX host filtering not implemented"); 3510 3511 case Q_NETBEUI: 3512 bpf_error("'netbeui' modifier applied to %s", typestr); 3513 3514 case Q_RADIO: 3515 bpf_error("'radio' modifier applied to %s", typestr); 3516 3517 default: 3518 abort(); 3519 } 3520 /* NOTREACHED */ 3521 } 3522 3523 #ifdef INET6 3524 static struct block * 3525 gen_host6(addr, mask, proto, dir, type) 3526 struct in6_addr *addr; 3527 struct in6_addr *mask; 3528 int proto; 3529 int dir; 3530 int type; 3531 { 3532 const char *typestr; 3533 3534 if (type == Q_NET) 3535 typestr = "net"; 3536 else 3537 typestr = "host"; 3538 3539 switch (proto) { 3540 3541 case Q_DEFAULT: 3542 return gen_host6(addr, mask, Q_IPV6, dir, type); 3543 3544 case Q_IP: 3545 bpf_error("'ip' modifier applied to ip6 %s", typestr); 3546 3547 case Q_RARP: 3548 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 3549 3550 case Q_ARP: 3551 bpf_error("'arp' modifier applied to ip6 %s", typestr); 3552 3553 case Q_SCTP: 3554 bpf_error("'sctp' modifier applied to %s", typestr); 3555 3556 case Q_TCP: 3557 bpf_error("'tcp' modifier applied to %s", typestr); 3558 3559 case Q_UDP: 3560 bpf_error("'udp' modifier applied to %s", typestr); 3561 3562 case Q_ICMP: 3563 bpf_error("'icmp' modifier applied to %s", typestr); 3564 3565 case Q_IGMP: 3566 bpf_error("'igmp' modifier applied to %s", typestr); 3567 3568 case Q_IGRP: 3569 bpf_error("'igrp' modifier applied to %s", typestr); 3570 3571 case Q_PIM: 3572 bpf_error("'pim' modifier applied to %s", typestr); 3573 3574 case Q_VRRP: 3575 bpf_error("'vrrp' modifier applied to %s", typestr); 3576 3577 case Q_ATALK: 3578 bpf_error("ATALK host filtering not implemented"); 3579 3580 case Q_AARP: 3581 bpf_error("AARP host filtering not implemented"); 3582 3583 case Q_DECNET: 3584 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 3585 3586 case Q_SCA: 3587 bpf_error("SCA host filtering not implemented"); 3588 3589 case Q_LAT: 3590 bpf_error("LAT host filtering not implemented"); 3591 3592 case Q_MOPDL: 3593 bpf_error("MOPDL host filtering not implemented"); 3594 3595 case Q_MOPRC: 3596 bpf_error("MOPRC host filtering not implemented"); 3597 3598 case Q_IPV6: 3599 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 3600 3601 case Q_ICMPV6: 3602 bpf_error("'icmp6' modifier applied to %s", typestr); 3603 3604 case Q_AH: 3605 bpf_error("'ah' modifier applied to %s", typestr); 3606 3607 case Q_ESP: 3608 bpf_error("'esp' modifier applied to %s", typestr); 3609 3610 case Q_ISO: 3611 bpf_error("ISO host filtering not implemented"); 3612 3613 case Q_ESIS: 3614 bpf_error("'esis' modifier applied to %s", typestr); 3615 3616 case Q_ISIS: 3617 bpf_error("'isis' modifier applied to %s", typestr); 3618 3619 case Q_CLNP: 3620 bpf_error("'clnp' modifier applied to %s", typestr); 3621 3622 case Q_STP: 3623 bpf_error("'stp' modifier applied to %s", typestr); 3624 3625 case Q_IPX: 3626 bpf_error("IPX host filtering not implemented"); 3627 3628 case Q_NETBEUI: 3629 bpf_error("'netbeui' modifier applied to %s", typestr); 3630 3631 case Q_RADIO: 3632 bpf_error("'radio' modifier applied to %s", typestr); 3633 3634 default: 3635 abort(); 3636 } 3637 /* NOTREACHED */ 3638 } 3639 #endif /*INET6*/ 3640 3641 #ifndef INET6 3642 static struct block * 3643 gen_gateway(eaddr, alist, proto, dir) 3644 const u_char *eaddr; 3645 bpf_u_int32 **alist; 3646 int proto; 3647 int dir; 3648 { 3649 struct block *b0, *b1, *tmp; 3650 3651 if (dir != 0) 3652 bpf_error("direction applied to 'gateway'"); 3653 3654 switch (proto) { 3655 case Q_DEFAULT: 3656 case Q_IP: 3657 case Q_ARP: 3658 case Q_RARP: 3659 switch (linktype) { 3660 case DLT_EN10MB: 3661 b0 = gen_ehostop(eaddr, Q_OR); 3662 break; 3663 case DLT_FDDI: 3664 b0 = gen_fhostop(eaddr, Q_OR); 3665 break; 3666 case DLT_IEEE802: 3667 b0 = gen_thostop(eaddr, Q_OR); 3668 break; 3669 case DLT_IEEE802_11: 3670 case DLT_IEEE802_11_RADIO_AVS: 3671 case DLT_PPI: 3672 case DLT_IEEE802_11_RADIO: 3673 case DLT_PRISM_HEADER: 3674 b0 = gen_wlanhostop(eaddr, Q_OR); 3675 break; 3676 case DLT_SUNATM: 3677 if (is_lane) { 3678 /* 3679 * Check that the packet doesn't begin with an 3680 * LE Control marker. (We've already generated 3681 * a test for LANE.) 3682 */ 3683 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3684 0xFF00); 3685 gen_not(b1); 3686 3687 /* 3688 * Now check the MAC address. 3689 */ 3690 b0 = gen_ehostop(eaddr, Q_OR); 3691 gen_and(b1, b0); 3692 } 3693 break; 3694 case DLT_IP_OVER_FC: 3695 b0 = gen_ipfchostop(eaddr, Q_OR); 3696 break; 3697 default: 3698 bpf_error( 3699 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 3700 } 3701 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 3702 while (*alist) { 3703 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 3704 Q_HOST); 3705 gen_or(b1, tmp); 3706 b1 = tmp; 3707 } 3708 gen_not(b1); 3709 gen_and(b0, b1); 3710 return b1; 3711 } 3712 bpf_error("illegal modifier of 'gateway'"); 3713 /* NOTREACHED */ 3714 } 3715 #endif 3716 3717 struct block * 3718 gen_proto_abbrev(proto) 3719 int proto; 3720 { 3721 struct block *b0; 3722 struct block *b1; 3723 3724 switch (proto) { 3725 3726 case Q_SCTP: 3727 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 3728 #ifdef INET6 3729 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 3730 gen_or(b0, b1); 3731 #endif 3732 break; 3733 3734 case Q_TCP: 3735 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 3736 #ifdef INET6 3737 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 3738 gen_or(b0, b1); 3739 #endif 3740 break; 3741 3742 case Q_UDP: 3743 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 3744 #ifdef INET6 3745 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 3746 gen_or(b0, b1); 3747 #endif 3748 break; 3749 3750 case Q_ICMP: 3751 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 3752 break; 3753 3754 #ifndef IPPROTO_IGMP 3755 #define IPPROTO_IGMP 2 3756 #endif 3757 3758 case Q_IGMP: 3759 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 3760 break; 3761 3762 #ifndef IPPROTO_IGRP 3763 #define IPPROTO_IGRP 9 3764 #endif 3765 case Q_IGRP: 3766 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 3767 break; 3768 3769 #ifndef IPPROTO_PIM 3770 #define IPPROTO_PIM 103 3771 #endif 3772 3773 case Q_PIM: 3774 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 3775 #ifdef INET6 3776 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 3777 gen_or(b0, b1); 3778 #endif 3779 break; 3780 3781 #ifndef IPPROTO_VRRP 3782 #define IPPROTO_VRRP 112 3783 #endif 3784 3785 case Q_VRRP: 3786 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 3787 break; 3788 3789 case Q_IP: 3790 b1 = gen_linktype(ETHERTYPE_IP); 3791 break; 3792 3793 case Q_ARP: 3794 b1 = gen_linktype(ETHERTYPE_ARP); 3795 break; 3796 3797 case Q_RARP: 3798 b1 = gen_linktype(ETHERTYPE_REVARP); 3799 break; 3800 3801 case Q_LINK: 3802 bpf_error("link layer applied in wrong context"); 3803 3804 case Q_ATALK: 3805 b1 = gen_linktype(ETHERTYPE_ATALK); 3806 break; 3807 3808 case Q_AARP: 3809 b1 = gen_linktype(ETHERTYPE_AARP); 3810 break; 3811 3812 case Q_DECNET: 3813 b1 = gen_linktype(ETHERTYPE_DN); 3814 break; 3815 3816 case Q_SCA: 3817 b1 = gen_linktype(ETHERTYPE_SCA); 3818 break; 3819 3820 case Q_LAT: 3821 b1 = gen_linktype(ETHERTYPE_LAT); 3822 break; 3823 3824 case Q_MOPDL: 3825 b1 = gen_linktype(ETHERTYPE_MOPDL); 3826 break; 3827 3828 case Q_MOPRC: 3829 b1 = gen_linktype(ETHERTYPE_MOPRC); 3830 break; 3831 3832 #ifdef INET6 3833 case Q_IPV6: 3834 b1 = gen_linktype(ETHERTYPE_IPV6); 3835 break; 3836 3837 #ifndef IPPROTO_ICMPV6 3838 #define IPPROTO_ICMPV6 58 3839 #endif 3840 case Q_ICMPV6: 3841 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 3842 break; 3843 #endif /* INET6 */ 3844 3845 #ifndef IPPROTO_AH 3846 #define IPPROTO_AH 51 3847 #endif 3848 case Q_AH: 3849 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 3850 #ifdef INET6 3851 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 3852 gen_or(b0, b1); 3853 #endif 3854 break; 3855 3856 #ifndef IPPROTO_ESP 3857 #define IPPROTO_ESP 50 3858 #endif 3859 case Q_ESP: 3860 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 3861 #ifdef INET6 3862 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 3863 gen_or(b0, b1); 3864 #endif 3865 break; 3866 3867 case Q_ISO: 3868 b1 = gen_linktype(LLCSAP_ISONS); 3869 break; 3870 3871 case Q_ESIS: 3872 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 3873 break; 3874 3875 case Q_ISIS: 3876 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 3877 break; 3878 3879 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 3880 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3881 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3882 gen_or(b0, b1); 3883 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3884 gen_or(b0, b1); 3885 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3886 gen_or(b0, b1); 3887 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3888 gen_or(b0, b1); 3889 break; 3890 3891 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 3892 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3893 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3894 gen_or(b0, b1); 3895 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3896 gen_or(b0, b1); 3897 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3898 gen_or(b0, b1); 3899 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3900 gen_or(b0, b1); 3901 break; 3902 3903 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 3904 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3905 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3906 gen_or(b0, b1); 3907 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 3908 gen_or(b0, b1); 3909 break; 3910 3911 case Q_ISIS_LSP: 3912 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3913 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3914 gen_or(b0, b1); 3915 break; 3916 3917 case Q_ISIS_SNP: 3918 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3919 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3920 gen_or(b0, b1); 3921 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3922 gen_or(b0, b1); 3923 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3924 gen_or(b0, b1); 3925 break; 3926 3927 case Q_ISIS_CSNP: 3928 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3929 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3930 gen_or(b0, b1); 3931 break; 3932 3933 case Q_ISIS_PSNP: 3934 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3935 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3936 gen_or(b0, b1); 3937 break; 3938 3939 case Q_CLNP: 3940 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 3941 break; 3942 3943 case Q_STP: 3944 b1 = gen_linktype(LLCSAP_8021D); 3945 break; 3946 3947 case Q_IPX: 3948 b1 = gen_linktype(LLCSAP_IPX); 3949 break; 3950 3951 case Q_NETBEUI: 3952 b1 = gen_linktype(LLCSAP_NETBEUI); 3953 break; 3954 3955 case Q_RADIO: 3956 bpf_error("'radio' is not a valid protocol type"); 3957 3958 default: 3959 abort(); 3960 } 3961 return b1; 3962 } 3963 3964 static struct block * 3965 gen_ipfrag() 3966 { 3967 struct slist *s; 3968 struct block *b; 3969 3970 /* not ip frag */ 3971 s = gen_load_a(OR_NET, 6, BPF_H); 3972 b = new_block(JMP(BPF_JSET)); 3973 b->s.k = 0x1fff; 3974 b->stmts = s; 3975 gen_not(b); 3976 3977 return b; 3978 } 3979 3980 /* 3981 * Generate a comparison to a port value in the transport-layer header 3982 * at the specified offset from the beginning of that header. 3983 * 3984 * XXX - this handles a variable-length prefix preceding the link-layer 3985 * header, such as the radiotap or AVS radio prefix, but doesn't handle 3986 * variable-length link-layer headers (such as Token Ring or 802.11 3987 * headers). 3988 */ 3989 static struct block * 3990 gen_portatom(off, v) 3991 int off; 3992 bpf_int32 v; 3993 { 3994 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 3995 } 3996 3997 #ifdef INET6 3998 static struct block * 3999 gen_portatom6(off, v) 4000 int off; 4001 bpf_int32 v; 4002 { 4003 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4004 } 4005 #endif/*INET6*/ 4006 4007 struct block * 4008 gen_portop(port, proto, dir) 4009 int port, proto, dir; 4010 { 4011 struct block *b0, *b1, *tmp; 4012 4013 /* ip proto 'proto' */ 4014 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4015 b0 = gen_ipfrag(); 4016 gen_and(tmp, b0); 4017 4018 switch (dir) { 4019 case Q_SRC: 4020 b1 = gen_portatom(0, (bpf_int32)port); 4021 break; 4022 4023 case Q_DST: 4024 b1 = gen_portatom(2, (bpf_int32)port); 4025 break; 4026 4027 case Q_OR: 4028 case Q_DEFAULT: 4029 tmp = gen_portatom(0, (bpf_int32)port); 4030 b1 = gen_portatom(2, (bpf_int32)port); 4031 gen_or(tmp, b1); 4032 break; 4033 4034 case Q_AND: 4035 tmp = gen_portatom(0, (bpf_int32)port); 4036 b1 = gen_portatom(2, (bpf_int32)port); 4037 gen_and(tmp, b1); 4038 break; 4039 4040 default: 4041 abort(); 4042 } 4043 gen_and(b0, b1); 4044 4045 return b1; 4046 } 4047 4048 static struct block * 4049 gen_port(port, ip_proto, dir) 4050 int port; 4051 int ip_proto; 4052 int dir; 4053 { 4054 struct block *b0, *b1, *tmp; 4055 4056 /* 4057 * ether proto ip 4058 * 4059 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4060 * not LLC encapsulation with LLCSAP_IP. 4061 * 4062 * For IEEE 802 networks - which includes 802.5 token ring 4063 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4064 * says that SNAP encapsulation is used, not LLC encapsulation 4065 * with LLCSAP_IP. 4066 * 4067 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4068 * RFC 2225 say that SNAP encapsulation is used, not LLC 4069 * encapsulation with LLCSAP_IP. 4070 * 4071 * So we always check for ETHERTYPE_IP. 4072 */ 4073 b0 = gen_linktype(ETHERTYPE_IP); 4074 4075 switch (ip_proto) { 4076 case IPPROTO_UDP: 4077 case IPPROTO_TCP: 4078 case IPPROTO_SCTP: 4079 b1 = gen_portop(port, ip_proto, dir); 4080 break; 4081 4082 case PROTO_UNDEF: 4083 tmp = gen_portop(port, IPPROTO_TCP, dir); 4084 b1 = gen_portop(port, IPPROTO_UDP, dir); 4085 gen_or(tmp, b1); 4086 tmp = gen_portop(port, IPPROTO_SCTP, dir); 4087 gen_or(tmp, b1); 4088 break; 4089 4090 default: 4091 abort(); 4092 } 4093 gen_and(b0, b1); 4094 return b1; 4095 } 4096 4097 #ifdef INET6 4098 struct block * 4099 gen_portop6(port, proto, dir) 4100 int port, proto, dir; 4101 { 4102 struct block *b0, *b1, *tmp; 4103 4104 /* ip6 proto 'proto' */ 4105 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4106 4107 switch (dir) { 4108 case Q_SRC: 4109 b1 = gen_portatom6(0, (bpf_int32)port); 4110 break; 4111 4112 case Q_DST: 4113 b1 = gen_portatom6(2, (bpf_int32)port); 4114 break; 4115 4116 case Q_OR: 4117 case Q_DEFAULT: 4118 tmp = gen_portatom6(0, (bpf_int32)port); 4119 b1 = gen_portatom6(2, (bpf_int32)port); 4120 gen_or(tmp, b1); 4121 break; 4122 4123 case Q_AND: 4124 tmp = gen_portatom6(0, (bpf_int32)port); 4125 b1 = gen_portatom6(2, (bpf_int32)port); 4126 gen_and(tmp, b1); 4127 break; 4128 4129 default: 4130 abort(); 4131 } 4132 gen_and(b0, b1); 4133 4134 return b1; 4135 } 4136 4137 static struct block * 4138 gen_port6(port, ip_proto, dir) 4139 int port; 4140 int ip_proto; 4141 int dir; 4142 { 4143 struct block *b0, *b1, *tmp; 4144 4145 /* link proto ip6 */ 4146 b0 = gen_linktype(ETHERTYPE_IPV6); 4147 4148 switch (ip_proto) { 4149 case IPPROTO_UDP: 4150 case IPPROTO_TCP: 4151 case IPPROTO_SCTP: 4152 b1 = gen_portop6(port, ip_proto, dir); 4153 break; 4154 4155 case PROTO_UNDEF: 4156 tmp = gen_portop6(port, IPPROTO_TCP, dir); 4157 b1 = gen_portop6(port, IPPROTO_UDP, dir); 4158 gen_or(tmp, b1); 4159 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 4160 gen_or(tmp, b1); 4161 break; 4162 4163 default: 4164 abort(); 4165 } 4166 gen_and(b0, b1); 4167 return b1; 4168 } 4169 #endif /* INET6 */ 4170 4171 /* gen_portrange code */ 4172 static struct block * 4173 gen_portrangeatom(off, v1, v2) 4174 int off; 4175 bpf_int32 v1, v2; 4176 { 4177 struct block *b1, *b2; 4178 4179 if (v1 > v2) { 4180 /* 4181 * Reverse the order of the ports, so v1 is the lower one. 4182 */ 4183 bpf_int32 vtemp; 4184 4185 vtemp = v1; 4186 v1 = v2; 4187 v2 = vtemp; 4188 } 4189 4190 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 4191 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 4192 4193 gen_and(b1, b2); 4194 4195 return b2; 4196 } 4197 4198 struct block * 4199 gen_portrangeop(port1, port2, proto, dir) 4200 int port1, port2; 4201 int proto; 4202 int dir; 4203 { 4204 struct block *b0, *b1, *tmp; 4205 4206 /* ip proto 'proto' */ 4207 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4208 b0 = gen_ipfrag(); 4209 gen_and(tmp, b0); 4210 4211 switch (dir) { 4212 case Q_SRC: 4213 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4214 break; 4215 4216 case Q_DST: 4217 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4218 break; 4219 4220 case Q_OR: 4221 case Q_DEFAULT: 4222 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4223 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4224 gen_or(tmp, b1); 4225 break; 4226 4227 case Q_AND: 4228 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4229 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4230 gen_and(tmp, b1); 4231 break; 4232 4233 default: 4234 abort(); 4235 } 4236 gen_and(b0, b1); 4237 4238 return b1; 4239 } 4240 4241 static struct block * 4242 gen_portrange(port1, port2, ip_proto, dir) 4243 int port1, port2; 4244 int ip_proto; 4245 int dir; 4246 { 4247 struct block *b0, *b1, *tmp; 4248 4249 /* link proto ip */ 4250 b0 = gen_linktype(ETHERTYPE_IP); 4251 4252 switch (ip_proto) { 4253 case IPPROTO_UDP: 4254 case IPPROTO_TCP: 4255 case IPPROTO_SCTP: 4256 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 4257 break; 4258 4259 case PROTO_UNDEF: 4260 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 4261 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 4262 gen_or(tmp, b1); 4263 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 4264 gen_or(tmp, b1); 4265 break; 4266 4267 default: 4268 abort(); 4269 } 4270 gen_and(b0, b1); 4271 return b1; 4272 } 4273 4274 #ifdef INET6 4275 static struct block * 4276 gen_portrangeatom6(off, v1, v2) 4277 int off; 4278 bpf_int32 v1, v2; 4279 { 4280 struct block *b1, *b2; 4281 4282 if (v1 > v2) { 4283 /* 4284 * Reverse the order of the ports, so v1 is the lower one. 4285 */ 4286 bpf_int32 vtemp; 4287 4288 vtemp = v1; 4289 v1 = v2; 4290 v2 = vtemp; 4291 } 4292 4293 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 4294 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 4295 4296 gen_and(b1, b2); 4297 4298 return b2; 4299 } 4300 4301 struct block * 4302 gen_portrangeop6(port1, port2, proto, dir) 4303 int port1, port2; 4304 int proto; 4305 int dir; 4306 { 4307 struct block *b0, *b1, *tmp; 4308 4309 /* ip6 proto 'proto' */ 4310 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4311 4312 switch (dir) { 4313 case Q_SRC: 4314 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4315 break; 4316 4317 case Q_DST: 4318 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4319 break; 4320 4321 case Q_OR: 4322 case Q_DEFAULT: 4323 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4324 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4325 gen_or(tmp, b1); 4326 break; 4327 4328 case Q_AND: 4329 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4330 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4331 gen_and(tmp, b1); 4332 break; 4333 4334 default: 4335 abort(); 4336 } 4337 gen_and(b0, b1); 4338 4339 return b1; 4340 } 4341 4342 static struct block * 4343 gen_portrange6(port1, port2, ip_proto, dir) 4344 int port1, port2; 4345 int ip_proto; 4346 int dir; 4347 { 4348 struct block *b0, *b1, *tmp; 4349 4350 /* link proto ip6 */ 4351 b0 = gen_linktype(ETHERTYPE_IPV6); 4352 4353 switch (ip_proto) { 4354 case IPPROTO_UDP: 4355 case IPPROTO_TCP: 4356 case IPPROTO_SCTP: 4357 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 4358 break; 4359 4360 case PROTO_UNDEF: 4361 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 4362 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 4363 gen_or(tmp, b1); 4364 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 4365 gen_or(tmp, b1); 4366 break; 4367 4368 default: 4369 abort(); 4370 } 4371 gen_and(b0, b1); 4372 return b1; 4373 } 4374 #endif /* INET6 */ 4375 4376 static int 4377 lookup_proto(name, proto) 4378 register const char *name; 4379 register int proto; 4380 { 4381 register int v; 4382 4383 switch (proto) { 4384 4385 case Q_DEFAULT: 4386 case Q_IP: 4387 case Q_IPV6: 4388 v = pcap_nametoproto(name); 4389 if (v == PROTO_UNDEF) 4390 bpf_error("unknown ip proto '%s'", name); 4391 break; 4392 4393 case Q_LINK: 4394 /* XXX should look up h/w protocol type based on linktype */ 4395 v = pcap_nametoeproto(name); 4396 if (v == PROTO_UNDEF) { 4397 v = pcap_nametollc(name); 4398 if (v == PROTO_UNDEF) 4399 bpf_error("unknown ether proto '%s'", name); 4400 } 4401 break; 4402 4403 case Q_ISO: 4404 if (strcmp(name, "esis") == 0) 4405 v = ISO9542_ESIS; 4406 else if (strcmp(name, "isis") == 0) 4407 v = ISO10589_ISIS; 4408 else if (strcmp(name, "clnp") == 0) 4409 v = ISO8473_CLNP; 4410 else 4411 bpf_error("unknown osi proto '%s'", name); 4412 break; 4413 4414 default: 4415 v = PROTO_UNDEF; 4416 break; 4417 } 4418 return v; 4419 } 4420 4421 #if 0 4422 struct stmt * 4423 gen_joinsp(s, n) 4424 struct stmt **s; 4425 int n; 4426 { 4427 return NULL; 4428 } 4429 #endif 4430 4431 static struct block * 4432 gen_protochain(v, proto, dir) 4433 int v; 4434 int proto; 4435 int dir; 4436 { 4437 #ifdef NO_PROTOCHAIN 4438 return gen_proto(v, proto, dir); 4439 #else 4440 struct block *b0, *b; 4441 struct slist *s[100]; 4442 int fix2, fix3, fix4, fix5; 4443 int ahcheck, again, end; 4444 int i, max; 4445 int reg2 = alloc_reg(); 4446 4447 memset(s, 0, sizeof(s)); 4448 fix2 = fix3 = fix4 = fix5 = 0; 4449 4450 switch (proto) { 4451 case Q_IP: 4452 case Q_IPV6: 4453 break; 4454 case Q_DEFAULT: 4455 b0 = gen_protochain(v, Q_IP, dir); 4456 b = gen_protochain(v, Q_IPV6, dir); 4457 gen_or(b0, b); 4458 return b; 4459 default: 4460 bpf_error("bad protocol applied for 'protochain'"); 4461 /*NOTREACHED*/ 4462 } 4463 4464 /* 4465 * We don't handle variable-length radiotap here headers yet. 4466 * We might want to add BPF instructions to do the protochain 4467 * work, to simplify that and, on platforms that have a BPF 4468 * interpreter with the new instructions, let the filtering 4469 * be done in the kernel. (We already require a modified BPF 4470 * engine to do the protochain stuff, to support backward 4471 * branches, and backward branch support is unlikely to appear 4472 * in kernel BPF engines.) 4473 */ 4474 if (linktype == DLT_IEEE802_11_RADIO) 4475 bpf_error("'protochain' not supported with radiotap headers"); 4476 4477 if (linktype == DLT_PPI) 4478 bpf_error("'protochain' not supported with PPI headers"); 4479 4480 no_optimize = 1; /*this code is not compatible with optimzer yet */ 4481 4482 /* 4483 * s[0] is a dummy entry to protect other BPF insn from damage 4484 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 4485 * hard to find interdependency made by jump table fixup. 4486 */ 4487 i = 0; 4488 s[i] = new_stmt(0); /*dummy*/ 4489 i++; 4490 4491 switch (proto) { 4492 case Q_IP: 4493 b0 = gen_linktype(ETHERTYPE_IP); 4494 4495 /* A = ip->ip_p */ 4496 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4497 s[i]->s.k = off_ll + off_nl + 9; 4498 i++; 4499 /* X = ip->ip_hl << 2 */ 4500 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 4501 s[i]->s.k = off_ll + off_nl; 4502 i++; 4503 break; 4504 #ifdef INET6 4505 case Q_IPV6: 4506 b0 = gen_linktype(ETHERTYPE_IPV6); 4507 4508 /* A = ip6->ip_nxt */ 4509 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4510 s[i]->s.k = off_ll + off_nl + 6; 4511 i++; 4512 /* X = sizeof(struct ip6_hdr) */ 4513 s[i] = new_stmt(BPF_LDX|BPF_IMM); 4514 s[i]->s.k = 40; 4515 i++; 4516 break; 4517 #endif 4518 default: 4519 bpf_error("unsupported proto to gen_protochain"); 4520 /*NOTREACHED*/ 4521 } 4522 4523 /* again: if (A == v) goto end; else fall through; */ 4524 again = i; 4525 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4526 s[i]->s.k = v; 4527 s[i]->s.jt = NULL; /*later*/ 4528 s[i]->s.jf = NULL; /*update in next stmt*/ 4529 fix5 = i; 4530 i++; 4531 4532 #ifndef IPPROTO_NONE 4533 #define IPPROTO_NONE 59 4534 #endif 4535 /* if (A == IPPROTO_NONE) goto end */ 4536 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4537 s[i]->s.jt = NULL; /*later*/ 4538 s[i]->s.jf = NULL; /*update in next stmt*/ 4539 s[i]->s.k = IPPROTO_NONE; 4540 s[fix5]->s.jf = s[i]; 4541 fix2 = i; 4542 i++; 4543 4544 #ifdef INET6 4545 if (proto == Q_IPV6) { 4546 int v6start, v6end, v6advance, j; 4547 4548 v6start = i; 4549 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 4550 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4551 s[i]->s.jt = NULL; /*later*/ 4552 s[i]->s.jf = NULL; /*update in next stmt*/ 4553 s[i]->s.k = IPPROTO_HOPOPTS; 4554 s[fix2]->s.jf = s[i]; 4555 i++; 4556 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 4557 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4558 s[i]->s.jt = NULL; /*later*/ 4559 s[i]->s.jf = NULL; /*update in next stmt*/ 4560 s[i]->s.k = IPPROTO_DSTOPTS; 4561 i++; 4562 /* if (A == IPPROTO_ROUTING) goto v6advance */ 4563 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4564 s[i]->s.jt = NULL; /*later*/ 4565 s[i]->s.jf = NULL; /*update in next stmt*/ 4566 s[i]->s.k = IPPROTO_ROUTING; 4567 i++; 4568 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 4569 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4570 s[i]->s.jt = NULL; /*later*/ 4571 s[i]->s.jf = NULL; /*later*/ 4572 s[i]->s.k = IPPROTO_FRAGMENT; 4573 fix3 = i; 4574 v6end = i; 4575 i++; 4576 4577 /* v6advance: */ 4578 v6advance = i; 4579 4580 /* 4581 * in short, 4582 * A = P[X]; 4583 * X = X + (P[X + 1] + 1) * 8; 4584 */ 4585 /* A = X */ 4586 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4587 i++; 4588 /* A = P[X + packet head] */ 4589 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4590 s[i]->s.k = off_ll + off_nl; 4591 i++; 4592 /* MEM[reg2] = A */ 4593 s[i] = new_stmt(BPF_ST); 4594 s[i]->s.k = reg2; 4595 i++; 4596 /* A = X */ 4597 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4598 i++; 4599 /* A += 1 */ 4600 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4601 s[i]->s.k = 1; 4602 i++; 4603 /* X = A */ 4604 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4605 i++; 4606 /* A = P[X + packet head]; */ 4607 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4608 s[i]->s.k = off_ll + off_nl; 4609 i++; 4610 /* A += 1 */ 4611 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4612 s[i]->s.k = 1; 4613 i++; 4614 /* A *= 8 */ 4615 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4616 s[i]->s.k = 8; 4617 i++; 4618 /* X = A; */ 4619 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4620 i++; 4621 /* A = MEM[reg2] */ 4622 s[i] = new_stmt(BPF_LD|BPF_MEM); 4623 s[i]->s.k = reg2; 4624 i++; 4625 4626 /* goto again; (must use BPF_JA for backward jump) */ 4627 s[i] = new_stmt(BPF_JMP|BPF_JA); 4628 s[i]->s.k = again - i - 1; 4629 s[i - 1]->s.jf = s[i]; 4630 i++; 4631 4632 /* fixup */ 4633 for (j = v6start; j <= v6end; j++) 4634 s[j]->s.jt = s[v6advance]; 4635 } else 4636 #endif 4637 { 4638 /* nop */ 4639 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4640 s[i]->s.k = 0; 4641 s[fix2]->s.jf = s[i]; 4642 i++; 4643 } 4644 4645 /* ahcheck: */ 4646 ahcheck = i; 4647 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 4648 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4649 s[i]->s.jt = NULL; /*later*/ 4650 s[i]->s.jf = NULL; /*later*/ 4651 s[i]->s.k = IPPROTO_AH; 4652 if (fix3) 4653 s[fix3]->s.jf = s[ahcheck]; 4654 fix4 = i; 4655 i++; 4656 4657 /* 4658 * in short, 4659 * A = P[X]; 4660 * X = X + (P[X + 1] + 2) * 4; 4661 */ 4662 /* A = X */ 4663 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4664 i++; 4665 /* A = P[X + packet head]; */ 4666 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4667 s[i]->s.k = off_ll + off_nl; 4668 i++; 4669 /* MEM[reg2] = A */ 4670 s[i] = new_stmt(BPF_ST); 4671 s[i]->s.k = reg2; 4672 i++; 4673 /* A = X */ 4674 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4675 i++; 4676 /* A += 1 */ 4677 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4678 s[i]->s.k = 1; 4679 i++; 4680 /* X = A */ 4681 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4682 i++; 4683 /* A = P[X + packet head] */ 4684 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4685 s[i]->s.k = off_ll + off_nl; 4686 i++; 4687 /* A += 2 */ 4688 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4689 s[i]->s.k = 2; 4690 i++; 4691 /* A *= 4 */ 4692 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4693 s[i]->s.k = 4; 4694 i++; 4695 /* X = A; */ 4696 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4697 i++; 4698 /* A = MEM[reg2] */ 4699 s[i] = new_stmt(BPF_LD|BPF_MEM); 4700 s[i]->s.k = reg2; 4701 i++; 4702 4703 /* goto again; (must use BPF_JA for backward jump) */ 4704 s[i] = new_stmt(BPF_JMP|BPF_JA); 4705 s[i]->s.k = again - i - 1; 4706 i++; 4707 4708 /* end: nop */ 4709 end = i; 4710 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4711 s[i]->s.k = 0; 4712 s[fix2]->s.jt = s[end]; 4713 s[fix4]->s.jf = s[end]; 4714 s[fix5]->s.jt = s[end]; 4715 i++; 4716 4717 /* 4718 * make slist chain 4719 */ 4720 max = i; 4721 for (i = 0; i < max - 1; i++) 4722 s[i]->next = s[i + 1]; 4723 s[max - 1]->next = NULL; 4724 4725 /* 4726 * emit final check 4727 */ 4728 b = new_block(JMP(BPF_JEQ)); 4729 b->stmts = s[1]; /*remember, s[0] is dummy*/ 4730 b->s.k = v; 4731 4732 free_reg(reg2); 4733 4734 gen_and(b0, b); 4735 return b; 4736 #endif 4737 } 4738 4739 4740 /* 4741 * Generate code that checks whether the packet is a packet for protocol 4742 * <proto> and whether the type field in that protocol's header has 4743 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 4744 * IP packet and checks the protocol number in the IP header against <v>. 4745 * 4746 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 4747 * against Q_IP and Q_IPV6. 4748 */ 4749 static struct block * 4750 gen_proto(v, proto, dir) 4751 int v; 4752 int proto; 4753 int dir; 4754 { 4755 struct block *b0, *b1; 4756 4757 if (dir != Q_DEFAULT) 4758 bpf_error("direction applied to 'proto'"); 4759 4760 switch (proto) { 4761 case Q_DEFAULT: 4762 #ifdef INET6 4763 b0 = gen_proto(v, Q_IP, dir); 4764 b1 = gen_proto(v, Q_IPV6, dir); 4765 gen_or(b0, b1); 4766 return b1; 4767 #else 4768 /*FALLTHROUGH*/ 4769 #endif 4770 case Q_IP: 4771 /* 4772 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4773 * not LLC encapsulation with LLCSAP_IP. 4774 * 4775 * For IEEE 802 networks - which includes 802.5 token ring 4776 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4777 * says that SNAP encapsulation is used, not LLC encapsulation 4778 * with LLCSAP_IP. 4779 * 4780 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4781 * RFC 2225 say that SNAP encapsulation is used, not LLC 4782 * encapsulation with LLCSAP_IP. 4783 * 4784 * So we always check for ETHERTYPE_IP. 4785 */ 4786 b0 = gen_linktype(ETHERTYPE_IP); 4787 #ifndef CHASE_CHAIN 4788 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 4789 #else 4790 b1 = gen_protochain(v, Q_IP); 4791 #endif 4792 gen_and(b0, b1); 4793 return b1; 4794 4795 case Q_ISO: 4796 switch (linktype) { 4797 4798 case DLT_FRELAY: 4799 /* 4800 * Frame Relay packets typically have an OSI 4801 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 4802 * generates code to check for all the OSI 4803 * NLPIDs, so calling it and then adding a check 4804 * for the particular NLPID for which we're 4805 * looking is bogus, as we can just check for 4806 * the NLPID. 4807 * 4808 * What we check for is the NLPID and a frame 4809 * control field value of UI, i.e. 0x03 followed 4810 * by the NLPID. 4811 * 4812 * XXX - assumes a 2-byte Frame Relay header with 4813 * DLCI and flags. What if the address is longer? 4814 * 4815 * XXX - what about SNAP-encapsulated frames? 4816 */ 4817 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 4818 /*NOTREACHED*/ 4819 break; 4820 4821 case DLT_C_HDLC: 4822 /* 4823 * Cisco uses an Ethertype lookalike - for OSI, 4824 * it's 0xfefe. 4825 */ 4826 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 4827 /* OSI in C-HDLC is stuffed with a fudge byte */ 4828 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 4829 gen_and(b0, b1); 4830 return b1; 4831 4832 default: 4833 b0 = gen_linktype(LLCSAP_ISONS); 4834 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 4835 gen_and(b0, b1); 4836 return b1; 4837 } 4838 4839 case Q_ISIS: 4840 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4841 /* 4842 * 4 is the offset of the PDU type relative to the IS-IS 4843 * header. 4844 */ 4845 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 4846 gen_and(b0, b1); 4847 return b1; 4848 4849 case Q_ARP: 4850 bpf_error("arp does not encapsulate another protocol"); 4851 /* NOTREACHED */ 4852 4853 case Q_RARP: 4854 bpf_error("rarp does not encapsulate another protocol"); 4855 /* NOTREACHED */ 4856 4857 case Q_ATALK: 4858 bpf_error("atalk encapsulation is not specifiable"); 4859 /* NOTREACHED */ 4860 4861 case Q_DECNET: 4862 bpf_error("decnet encapsulation is not specifiable"); 4863 /* NOTREACHED */ 4864 4865 case Q_SCA: 4866 bpf_error("sca does not encapsulate another protocol"); 4867 /* NOTREACHED */ 4868 4869 case Q_LAT: 4870 bpf_error("lat does not encapsulate another protocol"); 4871 /* NOTREACHED */ 4872 4873 case Q_MOPRC: 4874 bpf_error("moprc does not encapsulate another protocol"); 4875 /* NOTREACHED */ 4876 4877 case Q_MOPDL: 4878 bpf_error("mopdl does not encapsulate another protocol"); 4879 /* NOTREACHED */ 4880 4881 case Q_LINK: 4882 return gen_linktype(v); 4883 4884 case Q_UDP: 4885 bpf_error("'udp proto' is bogus"); 4886 /* NOTREACHED */ 4887 4888 case Q_TCP: 4889 bpf_error("'tcp proto' is bogus"); 4890 /* NOTREACHED */ 4891 4892 case Q_SCTP: 4893 bpf_error("'sctp proto' is bogus"); 4894 /* NOTREACHED */ 4895 4896 case Q_ICMP: 4897 bpf_error("'icmp proto' is bogus"); 4898 /* NOTREACHED */ 4899 4900 case Q_IGMP: 4901 bpf_error("'igmp proto' is bogus"); 4902 /* NOTREACHED */ 4903 4904 case Q_IGRP: 4905 bpf_error("'igrp proto' is bogus"); 4906 /* NOTREACHED */ 4907 4908 case Q_PIM: 4909 bpf_error("'pim proto' is bogus"); 4910 /* NOTREACHED */ 4911 4912 case Q_VRRP: 4913 bpf_error("'vrrp proto' is bogus"); 4914 /* NOTREACHED */ 4915 4916 #ifdef INET6 4917 case Q_IPV6: 4918 b0 = gen_linktype(ETHERTYPE_IPV6); 4919 #ifndef CHASE_CHAIN 4920 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 4921 #else 4922 b1 = gen_protochain(v, Q_IPV6); 4923 #endif 4924 gen_and(b0, b1); 4925 return b1; 4926 4927 case Q_ICMPV6: 4928 bpf_error("'icmp6 proto' is bogus"); 4929 #endif /* INET6 */ 4930 4931 case Q_AH: 4932 bpf_error("'ah proto' is bogus"); 4933 4934 case Q_ESP: 4935 bpf_error("'ah proto' is bogus"); 4936 4937 case Q_STP: 4938 bpf_error("'stp proto' is bogus"); 4939 4940 case Q_IPX: 4941 bpf_error("'ipx proto' is bogus"); 4942 4943 case Q_NETBEUI: 4944 bpf_error("'netbeui proto' is bogus"); 4945 4946 case Q_RADIO: 4947 bpf_error("'radio proto' is bogus"); 4948 4949 default: 4950 abort(); 4951 /* NOTREACHED */ 4952 } 4953 /* NOTREACHED */ 4954 } 4955 4956 struct block * 4957 gen_scode(name, q) 4958 register const char *name; 4959 struct qual q; 4960 { 4961 int proto = q.proto; 4962 int dir = q.dir; 4963 int tproto; 4964 u_char *eaddr; 4965 bpf_u_int32 mask, addr; 4966 #ifndef INET6 4967 bpf_u_int32 **alist; 4968 #else 4969 int tproto6; 4970 struct sockaddr_in *sin4; 4971 struct sockaddr_in6 *sin6; 4972 struct addrinfo *res, *res0; 4973 struct in6_addr mask128; 4974 #endif /*INET6*/ 4975 struct block *b, *tmp; 4976 int port, real_proto; 4977 int port1, port2; 4978 4979 switch (q.addr) { 4980 4981 case Q_NET: 4982 addr = pcap_nametonetaddr(name); 4983 if (addr == 0) 4984 bpf_error("unknown network '%s'", name); 4985 /* Left justify network addr and calculate its network mask */ 4986 mask = 0xffffffff; 4987 while (addr && (addr & 0xff000000) == 0) { 4988 addr <<= 8; 4989 mask <<= 8; 4990 } 4991 return gen_host(addr, mask, proto, dir, q.addr); 4992 4993 case Q_DEFAULT: 4994 case Q_HOST: 4995 if (proto == Q_LINK) { 4996 switch (linktype) { 4997 4998 case DLT_EN10MB: 4999 eaddr = pcap_ether_hostton(name); 5000 if (eaddr == NULL) 5001 bpf_error( 5002 "unknown ether host '%s'", name); 5003 b = gen_ehostop(eaddr, dir); 5004 free(eaddr); 5005 return b; 5006 5007 case DLT_FDDI: 5008 eaddr = pcap_ether_hostton(name); 5009 if (eaddr == NULL) 5010 bpf_error( 5011 "unknown FDDI host '%s'", name); 5012 b = gen_fhostop(eaddr, dir); 5013 free(eaddr); 5014 return b; 5015 5016 case DLT_IEEE802: 5017 eaddr = pcap_ether_hostton(name); 5018 if (eaddr == NULL) 5019 bpf_error( 5020 "unknown token ring host '%s'", name); 5021 b = gen_thostop(eaddr, dir); 5022 free(eaddr); 5023 return b; 5024 5025 case DLT_IEEE802_11: 5026 case DLT_IEEE802_11_RADIO_AVS: 5027 case DLT_IEEE802_11_RADIO: 5028 case DLT_PRISM_HEADER: 5029 case DLT_PPI: 5030 eaddr = pcap_ether_hostton(name); 5031 if (eaddr == NULL) 5032 bpf_error( 5033 "unknown 802.11 host '%s'", name); 5034 b = gen_wlanhostop(eaddr, dir); 5035 free(eaddr); 5036 return b; 5037 5038 case DLT_IP_OVER_FC: 5039 eaddr = pcap_ether_hostton(name); 5040 if (eaddr == NULL) 5041 bpf_error( 5042 "unknown Fibre Channel host '%s'", name); 5043 b = gen_ipfchostop(eaddr, dir); 5044 free(eaddr); 5045 return b; 5046 5047 case DLT_SUNATM: 5048 if (!is_lane) 5049 break; 5050 5051 /* 5052 * Check that the packet doesn't begin 5053 * with an LE Control marker. (We've 5054 * already generated a test for LANE.) 5055 */ 5056 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 5057 BPF_H, 0xFF00); 5058 gen_not(tmp); 5059 5060 eaddr = pcap_ether_hostton(name); 5061 if (eaddr == NULL) 5062 bpf_error( 5063 "unknown ether host '%s'", name); 5064 b = gen_ehostop(eaddr, dir); 5065 gen_and(tmp, b); 5066 free(eaddr); 5067 return b; 5068 } 5069 5070 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 5071 } else if (proto == Q_DECNET) { 5072 unsigned short dn_addr = __pcap_nametodnaddr(name); 5073 /* 5074 * I don't think DECNET hosts can be multihomed, so 5075 * there is no need to build up a list of addresses 5076 */ 5077 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 5078 } else { 5079 #ifndef INET6 5080 alist = pcap_nametoaddr(name); 5081 if (alist == NULL || *alist == NULL) 5082 bpf_error("unknown host '%s'", name); 5083 tproto = proto; 5084 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 5085 tproto = Q_IP; 5086 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 5087 while (*alist) { 5088 tmp = gen_host(**alist++, 0xffffffff, 5089 tproto, dir, q.addr); 5090 gen_or(b, tmp); 5091 b = tmp; 5092 } 5093 return b; 5094 #else 5095 memset(&mask128, 0xff, sizeof(mask128)); 5096 res0 = res = pcap_nametoaddrinfo(name); 5097 if (res == NULL) 5098 bpf_error("unknown host '%s'", name); 5099 b = tmp = NULL; 5100 tproto = tproto6 = proto; 5101 if (off_linktype == -1 && tproto == Q_DEFAULT) { 5102 tproto = Q_IP; 5103 tproto6 = Q_IPV6; 5104 } 5105 for (res = res0; res; res = res->ai_next) { 5106 switch (res->ai_family) { 5107 case AF_INET: 5108 if (tproto == Q_IPV6) 5109 continue; 5110 5111 sin4 = (struct sockaddr_in *) 5112 res->ai_addr; 5113 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 5114 0xffffffff, tproto, dir, q.addr); 5115 break; 5116 case AF_INET6: 5117 if (tproto6 == Q_IP) 5118 continue; 5119 5120 sin6 = (struct sockaddr_in6 *) 5121 res->ai_addr; 5122 tmp = gen_host6(&sin6->sin6_addr, 5123 &mask128, tproto6, dir, q.addr); 5124 break; 5125 default: 5126 continue; 5127 } 5128 if (b) 5129 gen_or(b, tmp); 5130 b = tmp; 5131 } 5132 freeaddrinfo(res0); 5133 if (b == NULL) { 5134 bpf_error("unknown host '%s'%s", name, 5135 (proto == Q_DEFAULT) 5136 ? "" 5137 : " for specified address family"); 5138 } 5139 return b; 5140 #endif /*INET6*/ 5141 } 5142 5143 case Q_PORT: 5144 if (proto != Q_DEFAULT && 5145 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5146 bpf_error("illegal qualifier of 'port'"); 5147 if (pcap_nametoport(name, &port, &real_proto) == 0) 5148 bpf_error("unknown port '%s'", name); 5149 if (proto == Q_UDP) { 5150 if (real_proto == IPPROTO_TCP) 5151 bpf_error("port '%s' is tcp", name); 5152 else if (real_proto == IPPROTO_SCTP) 5153 bpf_error("port '%s' is sctp", name); 5154 else 5155 /* override PROTO_UNDEF */ 5156 real_proto = IPPROTO_UDP; 5157 } 5158 if (proto == Q_TCP) { 5159 if (real_proto == IPPROTO_UDP) 5160 bpf_error("port '%s' is udp", name); 5161 5162 else if (real_proto == IPPROTO_SCTP) 5163 bpf_error("port '%s' is sctp", name); 5164 else 5165 /* override PROTO_UNDEF */ 5166 real_proto = IPPROTO_TCP; 5167 } 5168 if (proto == Q_SCTP) { 5169 if (real_proto == IPPROTO_UDP) 5170 bpf_error("port '%s' is udp", name); 5171 5172 else if (real_proto == IPPROTO_TCP) 5173 bpf_error("port '%s' is tcp", name); 5174 else 5175 /* override PROTO_UNDEF */ 5176 real_proto = IPPROTO_SCTP; 5177 } 5178 #ifndef INET6 5179 return gen_port(port, real_proto, dir); 5180 #else 5181 b = gen_port(port, real_proto, dir); 5182 gen_or(gen_port6(port, real_proto, dir), b); 5183 return b; 5184 #endif /* INET6 */ 5185 5186 case Q_PORTRANGE: 5187 if (proto != Q_DEFAULT && 5188 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5189 bpf_error("illegal qualifier of 'portrange'"); 5190 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 5191 bpf_error("unknown port in range '%s'", name); 5192 if (proto == Q_UDP) { 5193 if (real_proto == IPPROTO_TCP) 5194 bpf_error("port in range '%s' is tcp", name); 5195 else if (real_proto == IPPROTO_SCTP) 5196 bpf_error("port in range '%s' is sctp", name); 5197 else 5198 /* override PROTO_UNDEF */ 5199 real_proto = IPPROTO_UDP; 5200 } 5201 if (proto == Q_TCP) { 5202 if (real_proto == IPPROTO_UDP) 5203 bpf_error("port in range '%s' is udp", name); 5204 else if (real_proto == IPPROTO_SCTP) 5205 bpf_error("port in range '%s' is sctp", name); 5206 else 5207 /* override PROTO_UNDEF */ 5208 real_proto = IPPROTO_TCP; 5209 } 5210 if (proto == Q_SCTP) { 5211 if (real_proto == IPPROTO_UDP) 5212 bpf_error("port in range '%s' is udp", name); 5213 else if (real_proto == IPPROTO_TCP) 5214 bpf_error("port in range '%s' is tcp", name); 5215 else 5216 /* override PROTO_UNDEF */ 5217 real_proto = IPPROTO_SCTP; 5218 } 5219 #ifndef INET6 5220 return gen_portrange(port1, port2, real_proto, dir); 5221 #else 5222 b = gen_portrange(port1, port2, real_proto, dir); 5223 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 5224 return b; 5225 #endif /* INET6 */ 5226 5227 case Q_GATEWAY: 5228 #ifndef INET6 5229 eaddr = pcap_ether_hostton(name); 5230 if (eaddr == NULL) 5231 bpf_error("unknown ether host: %s", name); 5232 5233 alist = pcap_nametoaddr(name); 5234 if (alist == NULL || *alist == NULL) 5235 bpf_error("unknown host '%s'", name); 5236 b = gen_gateway(eaddr, alist, proto, dir); 5237 free(eaddr); 5238 return b; 5239 #else 5240 bpf_error("'gateway' not supported in this configuration"); 5241 #endif /*INET6*/ 5242 5243 case Q_PROTO: 5244 real_proto = lookup_proto(name, proto); 5245 if (real_proto >= 0) 5246 return gen_proto(real_proto, proto, dir); 5247 else 5248 bpf_error("unknown protocol: %s", name); 5249 5250 case Q_PROTOCHAIN: 5251 real_proto = lookup_proto(name, proto); 5252 if (real_proto >= 0) 5253 return gen_protochain(real_proto, proto, dir); 5254 else 5255 bpf_error("unknown protocol: %s", name); 5256 5257 5258 case Q_UNDEF: 5259 syntax(); 5260 /* NOTREACHED */ 5261 } 5262 abort(); 5263 /* NOTREACHED */ 5264 } 5265 5266 struct block * 5267 gen_mcode(s1, s2, masklen, q) 5268 register const char *s1, *s2; 5269 register int masklen; 5270 struct qual q; 5271 { 5272 register int nlen, mlen; 5273 bpf_u_int32 n, m; 5274 5275 nlen = __pcap_atoin(s1, &n); 5276 /* Promote short ipaddr */ 5277 n <<= 32 - nlen; 5278 5279 if (s2 != NULL) { 5280 mlen = __pcap_atoin(s2, &m); 5281 /* Promote short ipaddr */ 5282 m <<= 32 - mlen; 5283 if ((n & ~m) != 0) 5284 bpf_error("non-network bits set in \"%s mask %s\"", 5285 s1, s2); 5286 } else { 5287 /* Convert mask len to mask */ 5288 if (masklen > 32) 5289 bpf_error("mask length must be <= 32"); 5290 if (masklen == 0) { 5291 /* 5292 * X << 32 is not guaranteed by C to be 0; it's 5293 * undefined. 5294 */ 5295 m = 0; 5296 } else 5297 m = 0xffffffff << (32 - masklen); 5298 if ((n & ~m) != 0) 5299 bpf_error("non-network bits set in \"%s/%d\"", 5300 s1, masklen); 5301 } 5302 5303 switch (q.addr) { 5304 5305 case Q_NET: 5306 return gen_host(n, m, q.proto, q.dir, q.addr); 5307 5308 default: 5309 bpf_error("Mask syntax for networks only"); 5310 /* NOTREACHED */ 5311 } 5312 /* NOTREACHED */ 5313 return NULL; 5314 } 5315 5316 struct block * 5317 gen_ncode(s, v, q) 5318 register const char *s; 5319 bpf_u_int32 v; 5320 struct qual q; 5321 { 5322 bpf_u_int32 mask; 5323 int proto = q.proto; 5324 int dir = q.dir; 5325 register int vlen; 5326 5327 if (s == NULL) 5328 vlen = 32; 5329 else if (q.proto == Q_DECNET) 5330 vlen = __pcap_atodn(s, &v); 5331 else 5332 vlen = __pcap_atoin(s, &v); 5333 5334 switch (q.addr) { 5335 5336 case Q_DEFAULT: 5337 case Q_HOST: 5338 case Q_NET: 5339 if (proto == Q_DECNET) 5340 return gen_host(v, 0, proto, dir, q.addr); 5341 else if (proto == Q_LINK) { 5342 bpf_error("illegal link layer address"); 5343 } else { 5344 mask = 0xffffffff; 5345 if (s == NULL && q.addr == Q_NET) { 5346 /* Promote short net number */ 5347 while (v && (v & 0xff000000) == 0) { 5348 v <<= 8; 5349 mask <<= 8; 5350 } 5351 } else { 5352 /* Promote short ipaddr */ 5353 v <<= 32 - vlen; 5354 mask <<= 32 - vlen; 5355 } 5356 return gen_host(v, mask, proto, dir, q.addr); 5357 } 5358 5359 case Q_PORT: 5360 if (proto == Q_UDP) 5361 proto = IPPROTO_UDP; 5362 else if (proto == Q_TCP) 5363 proto = IPPROTO_TCP; 5364 else if (proto == Q_SCTP) 5365 proto = IPPROTO_SCTP; 5366 else if (proto == Q_DEFAULT) 5367 proto = PROTO_UNDEF; 5368 else 5369 bpf_error("illegal qualifier of 'port'"); 5370 5371 #ifndef INET6 5372 return gen_port((int)v, proto, dir); 5373 #else 5374 { 5375 struct block *b; 5376 b = gen_port((int)v, proto, dir); 5377 gen_or(gen_port6((int)v, proto, dir), b); 5378 return b; 5379 } 5380 #endif /* INET6 */ 5381 5382 case Q_PORTRANGE: 5383 if (proto == Q_UDP) 5384 proto = IPPROTO_UDP; 5385 else if (proto == Q_TCP) 5386 proto = IPPROTO_TCP; 5387 else if (proto == Q_SCTP) 5388 proto = IPPROTO_SCTP; 5389 else if (proto == Q_DEFAULT) 5390 proto = PROTO_UNDEF; 5391 else 5392 bpf_error("illegal qualifier of 'portrange'"); 5393 5394 #ifndef INET6 5395 return gen_portrange((int)v, (int)v, proto, dir); 5396 #else 5397 { 5398 struct block *b; 5399 b = gen_portrange((int)v, (int)v, proto, dir); 5400 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 5401 return b; 5402 } 5403 #endif /* INET6 */ 5404 5405 case Q_GATEWAY: 5406 bpf_error("'gateway' requires a name"); 5407 /* NOTREACHED */ 5408 5409 case Q_PROTO: 5410 return gen_proto((int)v, proto, dir); 5411 5412 case Q_PROTOCHAIN: 5413 return gen_protochain((int)v, proto, dir); 5414 5415 case Q_UNDEF: 5416 syntax(); 5417 /* NOTREACHED */ 5418 5419 default: 5420 abort(); 5421 /* NOTREACHED */ 5422 } 5423 /* NOTREACHED */ 5424 } 5425 5426 #ifdef INET6 5427 struct block * 5428 gen_mcode6(s1, s2, masklen, q) 5429 register const char *s1, *s2; 5430 register int masklen; 5431 struct qual q; 5432 { 5433 struct addrinfo *res; 5434 struct in6_addr *addr; 5435 struct in6_addr mask; 5436 struct block *b; 5437 u_int32_t *a, *m; 5438 5439 if (s2) 5440 bpf_error("no mask %s supported", s2); 5441 5442 res = pcap_nametoaddrinfo(s1); 5443 if (!res) 5444 bpf_error("invalid ip6 address %s", s1); 5445 if (res->ai_next) 5446 bpf_error("%s resolved to multiple address", s1); 5447 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 5448 5449 if (sizeof(mask) * 8 < masklen) 5450 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 5451 memset(&mask, 0, sizeof(mask)); 5452 memset(&mask, 0xff, masklen / 8); 5453 if (masklen % 8) { 5454 mask.s6_addr[masklen / 8] = 5455 (0xff << (8 - masklen % 8)) & 0xff; 5456 } 5457 5458 a = (u_int32_t *)addr; 5459 m = (u_int32_t *)&mask; 5460 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 5461 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 5462 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 5463 } 5464 5465 switch (q.addr) { 5466 5467 case Q_DEFAULT: 5468 case Q_HOST: 5469 if (masklen != 128) 5470 bpf_error("Mask syntax for networks only"); 5471 /* FALLTHROUGH */ 5472 5473 case Q_NET: 5474 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 5475 freeaddrinfo(res); 5476 return b; 5477 5478 default: 5479 bpf_error("invalid qualifier against IPv6 address"); 5480 /* NOTREACHED */ 5481 } 5482 return NULL; 5483 } 5484 #endif /*INET6*/ 5485 5486 struct block * 5487 gen_ecode(eaddr, q) 5488 register const u_char *eaddr; 5489 struct qual q; 5490 { 5491 struct block *b, *tmp; 5492 5493 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 5494 switch (linktype) { 5495 case DLT_EN10MB: 5496 return gen_ehostop(eaddr, (int)q.dir); 5497 case DLT_FDDI: 5498 return gen_fhostop(eaddr, (int)q.dir); 5499 case DLT_IEEE802: 5500 return gen_thostop(eaddr, (int)q.dir); 5501 case DLT_IEEE802_11: 5502 case DLT_IEEE802_11_RADIO_AVS: 5503 case DLT_IEEE802_11_RADIO: 5504 case DLT_PRISM_HEADER: 5505 case DLT_PPI: 5506 return gen_wlanhostop(eaddr, (int)q.dir); 5507 case DLT_SUNATM: 5508 if (is_lane) { 5509 /* 5510 * Check that the packet doesn't begin with an 5511 * LE Control marker. (We've already generated 5512 * a test for LANE.) 5513 */ 5514 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5515 0xFF00); 5516 gen_not(tmp); 5517 5518 /* 5519 * Now check the MAC address. 5520 */ 5521 b = gen_ehostop(eaddr, (int)q.dir); 5522 gen_and(tmp, b); 5523 return b; 5524 } 5525 break; 5526 case DLT_IP_OVER_FC: 5527 return gen_ipfchostop(eaddr, (int)q.dir); 5528 default: 5529 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5530 break; 5531 } 5532 } 5533 bpf_error("ethernet address used in non-ether expression"); 5534 /* NOTREACHED */ 5535 return NULL; 5536 } 5537 5538 void 5539 sappend(s0, s1) 5540 struct slist *s0, *s1; 5541 { 5542 /* 5543 * This is definitely not the best way to do this, but the 5544 * lists will rarely get long. 5545 */ 5546 while (s0->next) 5547 s0 = s0->next; 5548 s0->next = s1; 5549 } 5550 5551 static struct slist * 5552 xfer_to_x(a) 5553 struct arth *a; 5554 { 5555 struct slist *s; 5556 5557 s = new_stmt(BPF_LDX|BPF_MEM); 5558 s->s.k = a->regno; 5559 return s; 5560 } 5561 5562 static struct slist * 5563 xfer_to_a(a) 5564 struct arth *a; 5565 { 5566 struct slist *s; 5567 5568 s = new_stmt(BPF_LD|BPF_MEM); 5569 s->s.k = a->regno; 5570 return s; 5571 } 5572 5573 /* 5574 * Modify "index" to use the value stored into its register as an 5575 * offset relative to the beginning of the header for the protocol 5576 * "proto", and allocate a register and put an item "size" bytes long 5577 * (1, 2, or 4) at that offset into that register, making it the register 5578 * for "index". 5579 */ 5580 struct arth * 5581 gen_load(proto, inst, size) 5582 int proto; 5583 struct arth *inst; 5584 int size; 5585 { 5586 struct slist *s, *tmp; 5587 struct block *b; 5588 int regno = alloc_reg(); 5589 5590 free_reg(inst->regno); 5591 switch (size) { 5592 5593 default: 5594 bpf_error("data size must be 1, 2, or 4"); 5595 5596 case 1: 5597 size = BPF_B; 5598 break; 5599 5600 case 2: 5601 size = BPF_H; 5602 break; 5603 5604 case 4: 5605 size = BPF_W; 5606 break; 5607 } 5608 switch (proto) { 5609 default: 5610 bpf_error("unsupported index operation"); 5611 5612 case Q_RADIO: 5613 /* 5614 * The offset is relative to the beginning of the packet 5615 * data, if we have a radio header. (If we don't, this 5616 * is an error.) 5617 */ 5618 if (linktype != DLT_IEEE802_11_RADIO_AVS && 5619 linktype != DLT_IEEE802_11_RADIO && 5620 linktype != DLT_PRISM_HEADER) 5621 bpf_error("radio information not present in capture"); 5622 5623 /* 5624 * Load into the X register the offset computed into the 5625 * register specifed by "index". 5626 */ 5627 s = xfer_to_x(inst); 5628 5629 /* 5630 * Load the item at that offset. 5631 */ 5632 tmp = new_stmt(BPF_LD|BPF_IND|size); 5633 sappend(s, tmp); 5634 sappend(inst->s, s); 5635 break; 5636 5637 case Q_LINK: 5638 /* 5639 * The offset is relative to the beginning of 5640 * the link-layer header. 5641 * 5642 * XXX - what about ATM LANE? Should the index be 5643 * relative to the beginning of the AAL5 frame, so 5644 * that 0 refers to the beginning of the LE Control 5645 * field, or relative to the beginning of the LAN 5646 * frame, so that 0 refers, for Ethernet LANE, to 5647 * the beginning of the destination address? 5648 */ 5649 s = gen_llprefixlen(); 5650 5651 /* 5652 * If "s" is non-null, it has code to arrange that the 5653 * X register contains the length of the prefix preceding 5654 * the link-layer header. Add to it the offset computed 5655 * into the register specified by "index", and move that 5656 * into the X register. Otherwise, just load into the X 5657 * register the offset computed into the register specifed 5658 * by "index". 5659 */ 5660 if (s != NULL) { 5661 sappend(s, xfer_to_a(inst)); 5662 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5663 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5664 } else 5665 s = xfer_to_x(inst); 5666 5667 /* 5668 * Load the item at the sum of the offset we've put in the 5669 * X register and the offset of the start of the link 5670 * layer header (which is 0 if the radio header is 5671 * variable-length; that header length is what we put 5672 * into the X register and then added to the index). 5673 */ 5674 tmp = new_stmt(BPF_LD|BPF_IND|size); 5675 tmp->s.k = off_ll; 5676 sappend(s, tmp); 5677 sappend(inst->s, s); 5678 break; 5679 5680 case Q_IP: 5681 case Q_ARP: 5682 case Q_RARP: 5683 case Q_ATALK: 5684 case Q_DECNET: 5685 case Q_SCA: 5686 case Q_LAT: 5687 case Q_MOPRC: 5688 case Q_MOPDL: 5689 #ifdef INET6 5690 case Q_IPV6: 5691 #endif 5692 /* 5693 * The offset is relative to the beginning of 5694 * the network-layer header. 5695 * XXX - are there any cases where we want 5696 * off_nl_nosnap? 5697 */ 5698 s = gen_llprefixlen(); 5699 5700 /* 5701 * If "s" is non-null, it has code to arrange that the 5702 * X register contains the length of the prefix preceding 5703 * the link-layer header. Add to it the offset computed 5704 * into the register specified by "index", and move that 5705 * into the X register. Otherwise, just load into the X 5706 * register the offset computed into the register specifed 5707 * by "index". 5708 */ 5709 if (s != NULL) { 5710 sappend(s, xfer_to_a(inst)); 5711 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5712 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5713 } else 5714 s = xfer_to_x(inst); 5715 5716 /* 5717 * Load the item at the sum of the offset we've put in the 5718 * X register, the offset of the start of the network 5719 * layer header, and the offset of the start of the link 5720 * layer header (which is 0 if the radio header is 5721 * variable-length; that header length is what we put 5722 * into the X register and then added to the index). 5723 */ 5724 tmp = new_stmt(BPF_LD|BPF_IND|size); 5725 tmp->s.k = off_ll + off_nl; 5726 sappend(s, tmp); 5727 sappend(inst->s, s); 5728 5729 /* 5730 * Do the computation only if the packet contains 5731 * the protocol in question. 5732 */ 5733 b = gen_proto_abbrev(proto); 5734 if (inst->b) 5735 gen_and(inst->b, b); 5736 inst->b = b; 5737 break; 5738 5739 case Q_SCTP: 5740 case Q_TCP: 5741 case Q_UDP: 5742 case Q_ICMP: 5743 case Q_IGMP: 5744 case Q_IGRP: 5745 case Q_PIM: 5746 case Q_VRRP: 5747 /* 5748 * The offset is relative to the beginning of 5749 * the transport-layer header. 5750 * 5751 * Load the X register with the length of the IPv4 header 5752 * (plus the offset of the link-layer header, if it's 5753 * a variable-length header), in bytes. 5754 * 5755 * XXX - are there any cases where we want 5756 * off_nl_nosnap? 5757 * XXX - we should, if we're built with 5758 * IPv6 support, generate code to load either 5759 * IPv4, IPv6, or both, as appropriate. 5760 */ 5761 s = gen_loadx_iphdrlen(); 5762 5763 /* 5764 * The X register now contains the sum of the length 5765 * of any variable-length header preceding the link-layer 5766 * header and the length of the network-layer header. 5767 * Load into the A register the offset relative to 5768 * the beginning of the transport layer header, 5769 * add the X register to that, move that to the 5770 * X register, and load with an offset from the 5771 * X register equal to the offset of the network 5772 * layer header relative to the beginning of 5773 * the link-layer header plus the length of any 5774 * fixed-length header preceding the link-layer 5775 * header. 5776 */ 5777 sappend(s, xfer_to_a(inst)); 5778 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5779 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5780 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 5781 tmp->s.k = off_ll + off_nl; 5782 sappend(inst->s, s); 5783 5784 /* 5785 * Do the computation only if the packet contains 5786 * the protocol in question - which is true only 5787 * if this is an IP datagram and is the first or 5788 * only fragment of that datagram. 5789 */ 5790 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 5791 if (inst->b) 5792 gen_and(inst->b, b); 5793 #ifdef INET6 5794 gen_and(gen_proto_abbrev(Q_IP), b); 5795 #endif 5796 inst->b = b; 5797 break; 5798 #ifdef INET6 5799 case Q_ICMPV6: 5800 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 5801 /*NOTREACHED*/ 5802 #endif 5803 } 5804 inst->regno = regno; 5805 s = new_stmt(BPF_ST); 5806 s->s.k = regno; 5807 sappend(inst->s, s); 5808 5809 return inst; 5810 } 5811 5812 struct block * 5813 gen_relation(code, a0, a1, reversed) 5814 int code; 5815 struct arth *a0, *a1; 5816 int reversed; 5817 { 5818 struct slist *s0, *s1, *s2; 5819 struct block *b, *tmp; 5820 5821 s0 = xfer_to_x(a1); 5822 s1 = xfer_to_a(a0); 5823 if (code == BPF_JEQ) { 5824 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 5825 b = new_block(JMP(code)); 5826 sappend(s1, s2); 5827 } 5828 else 5829 b = new_block(BPF_JMP|code|BPF_X); 5830 if (reversed) 5831 gen_not(b); 5832 5833 sappend(s0, s1); 5834 sappend(a1->s, s0); 5835 sappend(a0->s, a1->s); 5836 5837 b->stmts = a0->s; 5838 5839 free_reg(a0->regno); 5840 free_reg(a1->regno); 5841 5842 /* 'and' together protocol checks */ 5843 if (a0->b) { 5844 if (a1->b) { 5845 gen_and(a0->b, tmp = a1->b); 5846 } 5847 else 5848 tmp = a0->b; 5849 } else 5850 tmp = a1->b; 5851 5852 if (tmp) 5853 gen_and(tmp, b); 5854 5855 return b; 5856 } 5857 5858 struct arth * 5859 gen_loadlen() 5860 { 5861 int regno = alloc_reg(); 5862 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 5863 struct slist *s; 5864 5865 s = new_stmt(BPF_LD|BPF_LEN); 5866 s->next = new_stmt(BPF_ST); 5867 s->next->s.k = regno; 5868 a->s = s; 5869 a->regno = regno; 5870 5871 return a; 5872 } 5873 5874 struct arth * 5875 gen_loadi(val) 5876 int val; 5877 { 5878 struct arth *a; 5879 struct slist *s; 5880 int reg; 5881 5882 a = (struct arth *)newchunk(sizeof(*a)); 5883 5884 reg = alloc_reg(); 5885 5886 s = new_stmt(BPF_LD|BPF_IMM); 5887 s->s.k = val; 5888 s->next = new_stmt(BPF_ST); 5889 s->next->s.k = reg; 5890 a->s = s; 5891 a->regno = reg; 5892 5893 return a; 5894 } 5895 5896 struct arth * 5897 gen_neg(a) 5898 struct arth *a; 5899 { 5900 struct slist *s; 5901 5902 s = xfer_to_a(a); 5903 sappend(a->s, s); 5904 s = new_stmt(BPF_ALU|BPF_NEG); 5905 s->s.k = 0; 5906 sappend(a->s, s); 5907 s = new_stmt(BPF_ST); 5908 s->s.k = a->regno; 5909 sappend(a->s, s); 5910 5911 return a; 5912 } 5913 5914 struct arth * 5915 gen_arth(code, a0, a1) 5916 int code; 5917 struct arth *a0, *a1; 5918 { 5919 struct slist *s0, *s1, *s2; 5920 5921 s0 = xfer_to_x(a1); 5922 s1 = xfer_to_a(a0); 5923 s2 = new_stmt(BPF_ALU|BPF_X|code); 5924 5925 sappend(s1, s2); 5926 sappend(s0, s1); 5927 sappend(a1->s, s0); 5928 sappend(a0->s, a1->s); 5929 5930 free_reg(a0->regno); 5931 free_reg(a1->regno); 5932 5933 s0 = new_stmt(BPF_ST); 5934 a0->regno = s0->s.k = alloc_reg(); 5935 sappend(a0->s, s0); 5936 5937 return a0; 5938 } 5939 5940 /* 5941 * Here we handle simple allocation of the scratch registers. 5942 * If too many registers are alloc'd, the allocator punts. 5943 */ 5944 static int regused[BPF_MEMWORDS]; 5945 static int curreg; 5946 5947 /* 5948 * Return the next free register. 5949 */ 5950 static int 5951 alloc_reg() 5952 { 5953 int n = BPF_MEMWORDS; 5954 5955 while (--n >= 0) { 5956 if (regused[curreg]) 5957 curreg = (curreg + 1) % BPF_MEMWORDS; 5958 else { 5959 regused[curreg] = 1; 5960 return curreg; 5961 } 5962 } 5963 bpf_error("too many registers needed to evaluate expression"); 5964 /* NOTREACHED */ 5965 return 0; 5966 } 5967 5968 /* 5969 * Return a register to the table so it can 5970 * be used later. 5971 */ 5972 static void 5973 free_reg(n) 5974 int n; 5975 { 5976 regused[n] = 0; 5977 } 5978 5979 static struct block * 5980 gen_len(jmp, n) 5981 int jmp, n; 5982 { 5983 struct slist *s; 5984 struct block *b; 5985 5986 s = new_stmt(BPF_LD|BPF_LEN); 5987 b = new_block(JMP(jmp)); 5988 b->stmts = s; 5989 b->s.k = n; 5990 5991 return b; 5992 } 5993 5994 struct block * 5995 gen_greater(n) 5996 int n; 5997 { 5998 return gen_len(BPF_JGE, n); 5999 } 6000 6001 /* 6002 * Actually, this is less than or equal. 6003 */ 6004 struct block * 6005 gen_less(n) 6006 int n; 6007 { 6008 struct block *b; 6009 6010 b = gen_len(BPF_JGT, n); 6011 gen_not(b); 6012 6013 return b; 6014 } 6015 6016 /* 6017 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6018 * the beginning of the link-layer header. 6019 * XXX - that means you can't test values in the radiotap header, but 6020 * as that header is difficult if not impossible to parse generally 6021 * without a loop, that might not be a severe problem. A new keyword 6022 * "radio" could be added for that, although what you'd really want 6023 * would be a way of testing particular radio header values, which 6024 * would generate code appropriate to the radio header in question. 6025 */ 6026 struct block * 6027 gen_byteop(op, idx, val) 6028 int op, idx, val; 6029 { 6030 struct block *b; 6031 struct slist *s; 6032 6033 switch (op) { 6034 default: 6035 abort(); 6036 6037 case '=': 6038 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6039 6040 case '<': 6041 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6042 return b; 6043 6044 case '>': 6045 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6046 return b; 6047 6048 case '|': 6049 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 6050 break; 6051 6052 case '&': 6053 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 6054 break; 6055 } 6056 s->s.k = val; 6057 b = new_block(JMP(BPF_JEQ)); 6058 b->stmts = s; 6059 gen_not(b); 6060 6061 return b; 6062 } 6063 6064 static u_char abroadcast[] = { 0x0 }; 6065 6066 struct block * 6067 gen_broadcast(proto) 6068 int proto; 6069 { 6070 bpf_u_int32 hostmask; 6071 struct block *b0, *b1, *b2; 6072 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 6073 6074 switch (proto) { 6075 6076 case Q_DEFAULT: 6077 case Q_LINK: 6078 switch (linktype) { 6079 case DLT_ARCNET: 6080 case DLT_ARCNET_LINUX: 6081 return gen_ahostop(abroadcast, Q_DST); 6082 case DLT_EN10MB: 6083 return gen_ehostop(ebroadcast, Q_DST); 6084 case DLT_FDDI: 6085 return gen_fhostop(ebroadcast, Q_DST); 6086 case DLT_IEEE802: 6087 return gen_thostop(ebroadcast, Q_DST); 6088 case DLT_IEEE802_11: 6089 case DLT_IEEE802_11_RADIO_AVS: 6090 case DLT_IEEE802_11_RADIO: 6091 case DLT_PPI: 6092 case DLT_PRISM_HEADER: 6093 return gen_wlanhostop(ebroadcast, Q_DST); 6094 case DLT_IP_OVER_FC: 6095 return gen_ipfchostop(ebroadcast, Q_DST); 6096 case DLT_SUNATM: 6097 if (is_lane) { 6098 /* 6099 * Check that the packet doesn't begin with an 6100 * LE Control marker. (We've already generated 6101 * a test for LANE.) 6102 */ 6103 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6104 0xFF00); 6105 gen_not(b1); 6106 6107 /* 6108 * Now check the MAC address. 6109 */ 6110 b0 = gen_ehostop(ebroadcast, Q_DST); 6111 gen_and(b1, b0); 6112 return b0; 6113 } 6114 break; 6115 default: 6116 bpf_error("not a broadcast link"); 6117 } 6118 break; 6119 6120 case Q_IP: 6121 b0 = gen_linktype(ETHERTYPE_IP); 6122 hostmask = ~netmask; 6123 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 6124 b2 = gen_mcmp(OR_NET, 16, BPF_W, 6125 (bpf_int32)(~0 & hostmask), hostmask); 6126 gen_or(b1, b2); 6127 gen_and(b0, b2); 6128 return b2; 6129 } 6130 bpf_error("only link-layer/IP broadcast filters supported"); 6131 /* NOTREACHED */ 6132 return NULL; 6133 } 6134 6135 /* 6136 * Generate code to test the low-order bit of a MAC address (that's 6137 * the bottom bit of the *first* byte). 6138 */ 6139 static struct block * 6140 gen_mac_multicast(offset) 6141 int offset; 6142 { 6143 register struct block *b0; 6144 register struct slist *s; 6145 6146 /* link[offset] & 1 != 0 */ 6147 s = gen_load_a(OR_LINK, offset, BPF_B); 6148 b0 = new_block(JMP(BPF_JSET)); 6149 b0->s.k = 1; 6150 b0->stmts = s; 6151 return b0; 6152 } 6153 6154 struct block * 6155 gen_multicast(proto) 6156 int proto; 6157 { 6158 register struct block *b0, *b1, *b2; 6159 register struct slist *s; 6160 6161 switch (proto) { 6162 6163 case Q_DEFAULT: 6164 case Q_LINK: 6165 switch (linktype) { 6166 case DLT_ARCNET: 6167 case DLT_ARCNET_LINUX: 6168 /* all ARCnet multicasts use the same address */ 6169 return gen_ahostop(abroadcast, Q_DST); 6170 case DLT_EN10MB: 6171 /* ether[0] & 1 != 0 */ 6172 return gen_mac_multicast(0); 6173 case DLT_FDDI: 6174 /* 6175 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 6176 * 6177 * XXX - was that referring to bit-order issues? 6178 */ 6179 /* fddi[1] & 1 != 0 */ 6180 return gen_mac_multicast(1); 6181 case DLT_IEEE802: 6182 /* tr[2] & 1 != 0 */ 6183 return gen_mac_multicast(2); 6184 case DLT_IEEE802_11: 6185 case DLT_IEEE802_11_RADIO_AVS: 6186 case DLT_PPI: 6187 case DLT_IEEE802_11_RADIO: 6188 case DLT_PRISM_HEADER: 6189 /* 6190 * Oh, yuk. 6191 * 6192 * For control frames, there is no DA. 6193 * 6194 * For management frames, DA is at an 6195 * offset of 4 from the beginning of 6196 * the packet. 6197 * 6198 * For data frames, DA is at an offset 6199 * of 4 from the beginning of the packet 6200 * if To DS is clear and at an offset of 6201 * 16 from the beginning of the packet 6202 * if To DS is set. 6203 */ 6204 6205 /* 6206 * Generate the tests to be done for data frames. 6207 * 6208 * First, check for To DS set, i.e. "link[1] & 0x01". 6209 */ 6210 s = gen_load_a(OR_LINK, 1, BPF_B); 6211 b1 = new_block(JMP(BPF_JSET)); 6212 b1->s.k = 0x01; /* To DS */ 6213 b1->stmts = s; 6214 6215 /* 6216 * If To DS is set, the DA is at 16. 6217 */ 6218 b0 = gen_mac_multicast(16); 6219 gen_and(b1, b0); 6220 6221 /* 6222 * Now, check for To DS not set, i.e. check 6223 * "!(link[1] & 0x01)". 6224 */ 6225 s = gen_load_a(OR_LINK, 1, BPF_B); 6226 b2 = new_block(JMP(BPF_JSET)); 6227 b2->s.k = 0x01; /* To DS */ 6228 b2->stmts = s; 6229 gen_not(b2); 6230 6231 /* 6232 * If To DS is not set, the DA is at 4. 6233 */ 6234 b1 = gen_mac_multicast(4); 6235 gen_and(b2, b1); 6236 6237 /* 6238 * Now OR together the last two checks. That gives 6239 * the complete set of checks for data frames. 6240 */ 6241 gen_or(b1, b0); 6242 6243 /* 6244 * Now check for a data frame. 6245 * I.e, check "link[0] & 0x08". 6246 */ 6247 s = gen_load_a(OR_LINK, 0, BPF_B); 6248 b1 = new_block(JMP(BPF_JSET)); 6249 b1->s.k = 0x08; 6250 b1->stmts = s; 6251 6252 /* 6253 * AND that with the checks done for data frames. 6254 */ 6255 gen_and(b1, b0); 6256 6257 /* 6258 * If the high-order bit of the type value is 0, this 6259 * is a management frame. 6260 * I.e, check "!(link[0] & 0x08)". 6261 */ 6262 s = gen_load_a(OR_LINK, 0, BPF_B); 6263 b2 = new_block(JMP(BPF_JSET)); 6264 b2->s.k = 0x08; 6265 b2->stmts = s; 6266 gen_not(b2); 6267 6268 /* 6269 * For management frames, the DA is at 4. 6270 */ 6271 b1 = gen_mac_multicast(4); 6272 gen_and(b2, b1); 6273 6274 /* 6275 * OR that with the checks done for data frames. 6276 * That gives the checks done for management and 6277 * data frames. 6278 */ 6279 gen_or(b1, b0); 6280 6281 /* 6282 * If the low-order bit of the type value is 1, 6283 * this is either a control frame or a frame 6284 * with a reserved type, and thus not a 6285 * frame with an SA. 6286 * 6287 * I.e., check "!(link[0] & 0x04)". 6288 */ 6289 s = gen_load_a(OR_LINK, 0, BPF_B); 6290 b1 = new_block(JMP(BPF_JSET)); 6291 b1->s.k = 0x04; 6292 b1->stmts = s; 6293 gen_not(b1); 6294 6295 /* 6296 * AND that with the checks for data and management 6297 * frames. 6298 */ 6299 gen_and(b1, b0); 6300 return b0; 6301 case DLT_IP_OVER_FC: 6302 b0 = gen_mac_multicast(2); 6303 return b0; 6304 case DLT_SUNATM: 6305 if (is_lane) { 6306 /* 6307 * Check that the packet doesn't begin with an 6308 * LE Control marker. (We've already generated 6309 * a test for LANE.) 6310 */ 6311 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6312 0xFF00); 6313 gen_not(b1); 6314 6315 /* ether[off_mac] & 1 != 0 */ 6316 b0 = gen_mac_multicast(off_mac); 6317 gen_and(b1, b0); 6318 return b0; 6319 } 6320 break; 6321 default: 6322 break; 6323 } 6324 /* Link not known to support multicasts */ 6325 break; 6326 6327 case Q_IP: 6328 b0 = gen_linktype(ETHERTYPE_IP); 6329 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 6330 gen_and(b0, b1); 6331 return b1; 6332 6333 #ifdef INET6 6334 case Q_IPV6: 6335 b0 = gen_linktype(ETHERTYPE_IPV6); 6336 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 6337 gen_and(b0, b1); 6338 return b1; 6339 #endif /* INET6 */ 6340 } 6341 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 6342 /* NOTREACHED */ 6343 return NULL; 6344 } 6345 6346 /* 6347 * generate command for inbound/outbound. It's here so we can 6348 * make it link-type specific. 'dir' = 0 implies "inbound", 6349 * = 1 implies "outbound". 6350 */ 6351 struct block * 6352 gen_inbound(dir) 6353 int dir; 6354 { 6355 register struct block *b0; 6356 6357 /* 6358 * Only some data link types support inbound/outbound qualifiers. 6359 */ 6360 switch (linktype) { 6361 case DLT_SLIP: 6362 b0 = gen_relation(BPF_JEQ, 6363 gen_load(Q_LINK, gen_loadi(0), 1), 6364 gen_loadi(0), 6365 dir); 6366 break; 6367 6368 case DLT_LINUX_SLL: 6369 if (dir) { 6370 /* 6371 * Match packets sent by this machine. 6372 */ 6373 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 6374 } else { 6375 /* 6376 * Match packets sent to this machine. 6377 * (No broadcast or multicast packets, or 6378 * packets sent to some other machine and 6379 * received promiscuously.) 6380 * 6381 * XXX - packets sent to other machines probably 6382 * shouldn't be matched, but what about broadcast 6383 * or multicast packets we received? 6384 */ 6385 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 6386 } 6387 break; 6388 6389 #ifdef HAVE_NET_PFVAR_H 6390 case DLT_PFLOG: 6391 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 6392 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 6393 break; 6394 #endif 6395 6396 case DLT_PPP_PPPD: 6397 if (dir) { 6398 /* match outgoing packets */ 6399 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 6400 } else { 6401 /* match incoming packets */ 6402 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 6403 } 6404 break; 6405 6406 case DLT_JUNIPER_MFR: 6407 case DLT_JUNIPER_MLFR: 6408 case DLT_JUNIPER_MLPPP: 6409 case DLT_JUNIPER_ATM1: 6410 case DLT_JUNIPER_ATM2: 6411 case DLT_JUNIPER_PPPOE: 6412 case DLT_JUNIPER_PPPOE_ATM: 6413 case DLT_JUNIPER_GGSN: 6414 case DLT_JUNIPER_ES: 6415 case DLT_JUNIPER_MONITOR: 6416 case DLT_JUNIPER_SERVICES: 6417 case DLT_JUNIPER_ETHER: 6418 case DLT_JUNIPER_PPP: 6419 case DLT_JUNIPER_FRELAY: 6420 case DLT_JUNIPER_CHDLC: 6421 case DLT_JUNIPER_VP: 6422 /* juniper flags (including direction) are stored 6423 * the byte after the 3-byte magic number */ 6424 if (dir) { 6425 /* match outgoing packets */ 6426 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 6427 } else { 6428 /* match incoming packets */ 6429 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 6430 } 6431 break; 6432 6433 default: 6434 bpf_error("inbound/outbound not supported on linktype %d", 6435 linktype); 6436 b0 = NULL; 6437 /* NOTREACHED */ 6438 } 6439 return (b0); 6440 } 6441 6442 #ifdef HAVE_NET_PFVAR_H 6443 /* PF firewall log matched interface */ 6444 struct block * 6445 gen_pf_ifname(const char *ifname) 6446 { 6447 struct block *b0; 6448 u_int len, off; 6449 6450 if (linktype == DLT_PFLOG) { 6451 len = sizeof(((struct pfloghdr *)0)->ifname); 6452 off = offsetof(struct pfloghdr, ifname); 6453 } else { 6454 bpf_error("ifname not supported on linktype 0x%x", linktype); 6455 /* NOTREACHED */ 6456 } 6457 if (strlen(ifname) >= len) { 6458 bpf_error("ifname interface names can only be %d characters", 6459 len-1); 6460 /* NOTREACHED */ 6461 } 6462 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 6463 return (b0); 6464 } 6465 6466 /* PF firewall log ruleset name */ 6467 struct block * 6468 gen_pf_ruleset(char *ruleset) 6469 { 6470 struct block *b0; 6471 6472 if (linktype != DLT_PFLOG) { 6473 bpf_error("ruleset not supported on linktype 0x%x", linktype); 6474 /* NOTREACHED */ 6475 } 6476 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 6477 bpf_error("ruleset names can only be %ld characters", 6478 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 6479 /* NOTREACHED */ 6480 } 6481 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 6482 strlen(ruleset), (const u_char *)ruleset); 6483 return (b0); 6484 } 6485 6486 /* PF firewall log rule number */ 6487 struct block * 6488 gen_pf_rnr(int rnr) 6489 { 6490 struct block *b0; 6491 6492 if (linktype == DLT_PFLOG) { 6493 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 6494 (bpf_int32)rnr); 6495 } else { 6496 bpf_error("rnr not supported on linktype 0x%x", linktype); 6497 /* NOTREACHED */ 6498 } 6499 6500 return (b0); 6501 } 6502 6503 /* PF firewall log sub-rule number */ 6504 struct block * 6505 gen_pf_srnr(int srnr) 6506 { 6507 struct block *b0; 6508 6509 if (linktype != DLT_PFLOG) { 6510 bpf_error("srnr not supported on linktype 0x%x", linktype); 6511 /* NOTREACHED */ 6512 } 6513 6514 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 6515 (bpf_int32)srnr); 6516 return (b0); 6517 } 6518 6519 /* PF firewall log reason code */ 6520 struct block * 6521 gen_pf_reason(int reason) 6522 { 6523 struct block *b0; 6524 6525 if (linktype == DLT_PFLOG) { 6526 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 6527 (bpf_int32)reason); 6528 } else { 6529 bpf_error("reason not supported on linktype 0x%x", linktype); 6530 /* NOTREACHED */ 6531 } 6532 6533 return (b0); 6534 } 6535 6536 /* PF firewall log action */ 6537 struct block * 6538 gen_pf_action(int action) 6539 { 6540 struct block *b0; 6541 6542 if (linktype == DLT_PFLOG) { 6543 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 6544 (bpf_int32)action); 6545 } else { 6546 bpf_error("action not supported on linktype 0x%x", linktype); 6547 /* NOTREACHED */ 6548 } 6549 6550 return (b0); 6551 } 6552 #else /* !HAVE_NET_PFVAR_H */ 6553 struct block * 6554 gen_pf_ifname(const char *ifname) 6555 { 6556 bpf_error("libpcap was compiled without pf support"); 6557 /* NOTREACHED */ 6558 return (NULL); 6559 } 6560 6561 struct block * 6562 gen_pf_ruleset(char *ruleset) 6563 { 6564 bpf_error("libpcap was compiled on a machine without pf support"); 6565 /* NOTREACHED */ 6566 return (NULL); 6567 } 6568 6569 struct block * 6570 gen_pf_rnr(int rnr) 6571 { 6572 bpf_error("libpcap was compiled on a machine without pf support"); 6573 /* NOTREACHED */ 6574 return (NULL); 6575 } 6576 6577 struct block * 6578 gen_pf_srnr(int srnr) 6579 { 6580 bpf_error("libpcap was compiled on a machine without pf support"); 6581 /* NOTREACHED */ 6582 return (NULL); 6583 } 6584 6585 struct block * 6586 gen_pf_reason(int reason) 6587 { 6588 bpf_error("libpcap was compiled on a machine without pf support"); 6589 /* NOTREACHED */ 6590 return (NULL); 6591 } 6592 6593 struct block * 6594 gen_pf_action(int action) 6595 { 6596 bpf_error("libpcap was compiled on a machine without pf support"); 6597 /* NOTREACHED */ 6598 return (NULL); 6599 } 6600 #endif /* HAVE_NET_PFVAR_H */ 6601 6602 /* IEEE 802.11 wireless header */ 6603 struct block * 6604 gen_p80211_type(int type, int mask) 6605 { 6606 struct block *b0; 6607 6608 if (linktype != DLT_IEEE802_11 && linktype != DLT_IEEE802_11_RADIO) { 6609 bpf_error("action not supported on linktype 0x%x\n", linktype); 6610 /* NOTREACHED */ 6611 } 6612 b0 = gen_mcmp(OR_LINK, offsetof(struct ieee80211_frame, i_fc[0]), 6613 BPF_B, (bpf_int32)type, (bpf_int32)mask); 6614 return (b0); 6615 } 6616 6617 struct block * 6618 gen_acode(eaddr, q) 6619 register const u_char *eaddr; 6620 struct qual q; 6621 { 6622 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6623 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 6624 return gen_ahostop(eaddr, (int)q.dir); 6625 } 6626 bpf_error("ARCnet address used in non-arc expression"); 6627 /* NOTREACHED */ 6628 return NULL; 6629 } 6630 6631 static struct block * 6632 gen_ahostop(eaddr, dir) 6633 register const u_char *eaddr; 6634 register int dir; 6635 { 6636 register struct block *b0, *b1; 6637 6638 switch (dir) { 6639 /* src comes first, different from Ethernet */ 6640 case Q_SRC: 6641 return gen_bcmp(OR_LINK, 0, 1, eaddr); 6642 6643 case Q_DST: 6644 return gen_bcmp(OR_LINK, 1, 1, eaddr); 6645 6646 case Q_AND: 6647 b0 = gen_ahostop(eaddr, Q_SRC); 6648 b1 = gen_ahostop(eaddr, Q_DST); 6649 gen_and(b0, b1); 6650 return b1; 6651 6652 case Q_DEFAULT: 6653 case Q_OR: 6654 b0 = gen_ahostop(eaddr, Q_SRC); 6655 b1 = gen_ahostop(eaddr, Q_DST); 6656 gen_or(b0, b1); 6657 return b1; 6658 } 6659 abort(); 6660 /* NOTREACHED */ 6661 } 6662 6663 /* 6664 * support IEEE 802.1Q VLAN trunk over ethernet 6665 */ 6666 struct block * 6667 gen_vlan(vlan_num) 6668 int vlan_num; 6669 { 6670 struct block *b0, *b1; 6671 6672 /* can't check for VLAN-encapsulated packets inside MPLS */ 6673 if (label_stack_depth > 0) 6674 bpf_error("no VLAN match after MPLS"); 6675 6676 /* 6677 * Change the offsets to point to the type and data fields within 6678 * the VLAN packet. Just increment the offsets, so that we 6679 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to 6680 * capture VLAN 200 encapsulated within VLAN 100. 6681 * 6682 * XXX - this is a bit of a kludge. If we were to split the 6683 * compiler into a parser that parses an expression and 6684 * generates an expression tree, and a code generator that 6685 * takes an expression tree (which could come from our 6686 * parser or from some other parser) and generates BPF code, 6687 * we could perhaps make the offsets parameters of routines 6688 * and, in the handler for an "AND" node, pass to subnodes 6689 * other than the VLAN node the adjusted offsets. 6690 * 6691 * This would mean that "vlan" would, instead of changing the 6692 * behavior of *all* tests after it, change only the behavior 6693 * of tests ANDed with it. That would change the documented 6694 * semantics of "vlan", which might break some expressions. 6695 * However, it would mean that "(vlan and ip) or ip" would check 6696 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6697 * checking only for VLAN-encapsulated IP, so that could still 6698 * be considered worth doing; it wouldn't break expressions 6699 * that are of the form "vlan and ..." or "vlan N and ...", 6700 * which I suspect are the most common expressions involving 6701 * "vlan". "vlan or ..." doesn't necessarily do what the user 6702 * would really want, now, as all the "or ..." tests would 6703 * be done assuming a VLAN, even though the "or" could be viewed 6704 * as meaning "or, if this isn't a VLAN packet...". 6705 */ 6706 orig_linktype = off_linktype; /* save original values */ 6707 orig_nl = off_nl; 6708 6709 switch (linktype) { 6710 6711 case DLT_EN10MB: 6712 off_linktype += 4; 6713 off_nl_nosnap += 4; 6714 off_nl += 4; 6715 break; 6716 6717 default: 6718 bpf_error("no VLAN support for data link type %d", 6719 linktype); 6720 /*NOTREACHED*/ 6721 } 6722 6723 /* check for VLAN */ 6724 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q); 6725 6726 /* If a specific VLAN is requested, check VLAN id */ 6727 if (vlan_num >= 0) { 6728 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num, 6729 0x0fff); 6730 gen_and(b0, b1); 6731 b0 = b1; 6732 } 6733 6734 return (b0); 6735 } 6736 6737 /* 6738 * support for MPLS 6739 */ 6740 struct block * 6741 gen_mpls(label_num) 6742 int label_num; 6743 { 6744 struct block *b0,*b1; 6745 6746 /* 6747 * Change the offsets to point to the type and data fields within 6748 * the MPLS packet. Just increment the offsets, so that we 6749 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 6750 * capture packets with an outer label of 100000 and an inner 6751 * label of 1024. 6752 * 6753 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 6754 */ 6755 orig_nl = off_nl; 6756 6757 if (label_stack_depth > 0) { 6758 /* just match the bottom-of-stack bit clear */ 6759 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01); 6760 } else { 6761 /* 6762 * Indicate that we're checking MPLS-encapsulated headers, 6763 * to make sure higher level code generators don't try to 6764 * match against IP-related protocols such as Q_ARP, Q_RARP 6765 * etc. 6766 */ 6767 switch (linktype) { 6768 6769 case DLT_C_HDLC: /* fall through */ 6770 case DLT_EN10MB: 6771 b0 = gen_linktype(ETHERTYPE_MPLS); 6772 break; 6773 6774 case DLT_PPP: 6775 b0 = gen_linktype(PPP_MPLS_UCAST); 6776 break; 6777 6778 /* FIXME add other DLT_s ... 6779 * for Frame-Relay/and ATM this may get messy due to SNAP headers 6780 * leave it for now */ 6781 6782 default: 6783 bpf_error("no MPLS support for data link type %d", 6784 linktype); 6785 b0 = NULL; 6786 /*NOTREACHED*/ 6787 break; 6788 } 6789 } 6790 6791 /* If a specific MPLS label is requested, check it */ 6792 if (label_num >= 0) { 6793 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 6794 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num, 6795 0xfffff000); /* only compare the first 20 bits */ 6796 gen_and(b0, b1); 6797 b0 = b1; 6798 } 6799 6800 off_nl_nosnap += 4; 6801 off_nl += 4; 6802 label_stack_depth++; 6803 return (b0); 6804 } 6805 6806 /* 6807 * Support PPPOE discovery and session. 6808 */ 6809 struct block * 6810 gen_pppoed() 6811 { 6812 /* check for PPPoE discovery */ 6813 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 6814 } 6815 6816 struct block * 6817 gen_pppoes() 6818 { 6819 struct block *b0; 6820 6821 /* 6822 * Test against the PPPoE session link-layer type. 6823 */ 6824 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 6825 6826 /* 6827 * Change the offsets to point to the type and data fields within 6828 * the PPP packet. 6829 * 6830 * XXX - this is a bit of a kludge. If we were to split the 6831 * compiler into a parser that parses an expression and 6832 * generates an expression tree, and a code generator that 6833 * takes an expression tree (which could come from our 6834 * parser or from some other parser) and generates BPF code, 6835 * we could perhaps make the offsets parameters of routines 6836 * and, in the handler for an "AND" node, pass to subnodes 6837 * other than the PPPoE node the adjusted offsets. 6838 * 6839 * This would mean that "pppoes" would, instead of changing the 6840 * behavior of *all* tests after it, change only the behavior 6841 * of tests ANDed with it. That would change the documented 6842 * semantics of "pppoes", which might break some expressions. 6843 * However, it would mean that "(pppoes and ip) or ip" would check 6844 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6845 * checking only for VLAN-encapsulated IP, so that could still 6846 * be considered worth doing; it wouldn't break expressions 6847 * that are of the form "pppoes and ..." which I suspect are the 6848 * most common expressions involving "pppoes". "pppoes or ..." 6849 * doesn't necessarily do what the user would really want, now, 6850 * as all the "or ..." tests would be done assuming PPPoE, even 6851 * though the "or" could be viewed as meaning "or, if this isn't 6852 * a PPPoE packet...". 6853 */ 6854 orig_linktype = off_linktype; /* save original values */ 6855 orig_nl = off_nl; 6856 6857 /* 6858 * The "network-layer" protocol is PPPoE, which has a 6-byte 6859 * PPPoE header, followed by PPP payload, so we set the 6860 * offsets to the network layer offset plus 6 bytes for 6861 * the PPPoE header plus the values appropriate for PPP when 6862 * encapsulated in Ethernet (which means there's no HDLC 6863 * encapsulation). 6864 */ 6865 off_linktype = orig_nl + 6; 6866 off_nl = orig_nl + 6 + 2; 6867 off_nl_nosnap = orig_nl + 6 + 2; 6868 6869 /* 6870 * Set the link-layer type to PPP, as all subsequent tests will 6871 * be on the encapsulated PPP header. 6872 */ 6873 linktype = DLT_PPP; 6874 6875 return b0; 6876 } 6877 6878 struct block * 6879 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 6880 int atmfield; 6881 bpf_int32 jvalue; 6882 bpf_u_int32 jtype; 6883 int reverse; 6884 { 6885 struct block *b0; 6886 6887 switch (atmfield) { 6888 6889 case A_VPI: 6890 if (!is_atm) 6891 bpf_error("'vpi' supported only on raw ATM"); 6892 if (off_vpi == (u_int)-1) 6893 abort(); 6894 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 6895 reverse, jvalue); 6896 break; 6897 6898 case A_VCI: 6899 if (!is_atm) 6900 bpf_error("'vci' supported only on raw ATM"); 6901 if (off_vci == (u_int)-1) 6902 abort(); 6903 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 6904 reverse, jvalue); 6905 break; 6906 6907 case A_PROTOTYPE: 6908 if (off_proto == (u_int)-1) 6909 abort(); /* XXX - this isn't on FreeBSD */ 6910 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 6911 reverse, jvalue); 6912 break; 6913 6914 case A_MSGTYPE: 6915 if (off_payload == (u_int)-1) 6916 abort(); 6917 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 6918 0xffffffff, jtype, reverse, jvalue); 6919 break; 6920 6921 case A_CALLREFTYPE: 6922 if (!is_atm) 6923 bpf_error("'callref' supported only on raw ATM"); 6924 if (off_proto == (u_int)-1) 6925 abort(); 6926 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 6927 jtype, reverse, jvalue); 6928 break; 6929 6930 default: 6931 abort(); 6932 } 6933 return b0; 6934 } 6935 6936 struct block * 6937 gen_atmtype_abbrev(type) 6938 int type; 6939 { 6940 struct block *b0, *b1; 6941 6942 switch (type) { 6943 6944 case A_METAC: 6945 /* Get all packets in Meta signalling Circuit */ 6946 if (!is_atm) 6947 bpf_error("'metac' supported only on raw ATM"); 6948 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6949 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 6950 gen_and(b0, b1); 6951 break; 6952 6953 case A_BCC: 6954 /* Get all packets in Broadcast Circuit*/ 6955 if (!is_atm) 6956 bpf_error("'bcc' supported only on raw ATM"); 6957 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6958 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 6959 gen_and(b0, b1); 6960 break; 6961 6962 case A_OAMF4SC: 6963 /* Get all cells in Segment OAM F4 circuit*/ 6964 if (!is_atm) 6965 bpf_error("'oam4sc' supported only on raw ATM"); 6966 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6967 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6968 gen_and(b0, b1); 6969 break; 6970 6971 case A_OAMF4EC: 6972 /* Get all cells in End-to-End OAM F4 Circuit*/ 6973 if (!is_atm) 6974 bpf_error("'oam4ec' supported only on raw ATM"); 6975 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6976 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6977 gen_and(b0, b1); 6978 break; 6979 6980 case A_SC: 6981 /* Get all packets in connection Signalling Circuit */ 6982 if (!is_atm) 6983 bpf_error("'sc' supported only on raw ATM"); 6984 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6985 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 6986 gen_and(b0, b1); 6987 break; 6988 6989 case A_ILMIC: 6990 /* Get all packets in ILMI Circuit */ 6991 if (!is_atm) 6992 bpf_error("'ilmic' supported only on raw ATM"); 6993 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6994 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 6995 gen_and(b0, b1); 6996 break; 6997 6998 case A_LANE: 6999 /* Get all LANE packets */ 7000 if (!is_atm) 7001 bpf_error("'lane' supported only on raw ATM"); 7002 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 7003 7004 /* 7005 * Arrange that all subsequent tests assume LANE 7006 * rather than LLC-encapsulated packets, and set 7007 * the offsets appropriately for LANE-encapsulated 7008 * Ethernet. 7009 * 7010 * "off_mac" is the offset of the Ethernet header, 7011 * which is 2 bytes past the ATM pseudo-header 7012 * (skipping the pseudo-header and 2-byte LE Client 7013 * field). The other offsets are Ethernet offsets 7014 * relative to "off_mac". 7015 */ 7016 is_lane = 1; 7017 off_mac = off_payload + 2; /* MAC header */ 7018 off_linktype = off_mac + 12; 7019 off_nl = off_mac + 14; /* Ethernet II */ 7020 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */ 7021 break; 7022 7023 case A_LLC: 7024 /* Get all LLC-encapsulated packets */ 7025 if (!is_atm) 7026 bpf_error("'llc' supported only on raw ATM"); 7027 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 7028 is_lane = 0; 7029 break; 7030 7031 default: 7032 abort(); 7033 } 7034 return b1; 7035 } 7036 7037 /* 7038 * Filtering for MTP2 messages based on li value 7039 * FISU, length is null 7040 * LSSU, length is 1 or 2 7041 * MSU, length is 3 or more 7042 */ 7043 struct block * 7044 gen_mtp2type_abbrev(type) 7045 int type; 7046 { 7047 struct block *b0, *b1; 7048 7049 switch (type) { 7050 7051 case M_FISU: 7052 if ( (linktype != DLT_MTP2) && 7053 (linktype != DLT_MTP2_WITH_PHDR) ) 7054 bpf_error("'fisu' supported only on MTP2"); 7055 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 7056 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 7057 break; 7058 7059 case M_LSSU: 7060 if ( (linktype != DLT_MTP2) && 7061 (linktype != DLT_MTP2_WITH_PHDR) ) 7062 bpf_error("'lssu' supported only on MTP2"); 7063 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 7064 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 7065 gen_and(b1, b0); 7066 break; 7067 7068 case M_MSU: 7069 if ( (linktype != DLT_MTP2) && 7070 (linktype != DLT_MTP2_WITH_PHDR) ) 7071 bpf_error("'msu' supported only on MTP2"); 7072 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 7073 break; 7074 7075 default: 7076 abort(); 7077 } 7078 return b0; 7079 } 7080 7081 struct block * 7082 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 7083 int mtp3field; 7084 bpf_u_int32 jvalue; 7085 bpf_u_int32 jtype; 7086 int reverse; 7087 { 7088 struct block *b0; 7089 bpf_u_int32 val1 , val2 , val3; 7090 7091 switch (mtp3field) { 7092 7093 case M_SIO: 7094 if (off_sio == (u_int)-1) 7095 bpf_error("'sio' supported only on SS7"); 7096 /* sio coded on 1 byte so max value 255 */ 7097 if(jvalue > 255) 7098 bpf_error("sio value %u too big; max value = 255", 7099 jvalue); 7100 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 7101 (u_int)jtype, reverse, (u_int)jvalue); 7102 break; 7103 7104 case M_OPC: 7105 if (off_opc == (u_int)-1) 7106 bpf_error("'opc' supported only on SS7"); 7107 /* opc coded on 14 bits so max value 16383 */ 7108 if (jvalue > 16383) 7109 bpf_error("opc value %u too big; max value = 16383", 7110 jvalue); 7111 /* the following instructions are made to convert jvalue 7112 * to the form used to write opc in an ss7 message*/ 7113 val1 = jvalue & 0x00003c00; 7114 val1 = val1 >>10; 7115 val2 = jvalue & 0x000003fc; 7116 val2 = val2 <<6; 7117 val3 = jvalue & 0x00000003; 7118 val3 = val3 <<22; 7119 jvalue = val1 + val2 + val3; 7120 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 7121 (u_int)jtype, reverse, (u_int)jvalue); 7122 break; 7123 7124 case M_DPC: 7125 if (off_dpc == (u_int)-1) 7126 bpf_error("'dpc' supported only on SS7"); 7127 /* dpc coded on 14 bits so max value 16383 */ 7128 if (jvalue > 16383) 7129 bpf_error("dpc value %u too big; max value = 16383", 7130 jvalue); 7131 /* the following instructions are made to convert jvalue 7132 * to the forme used to write dpc in an ss7 message*/ 7133 val1 = jvalue & 0x000000ff; 7134 val1 = val1 << 24; 7135 val2 = jvalue & 0x00003f00; 7136 val2 = val2 << 8; 7137 jvalue = val1 + val2; 7138 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 7139 (u_int)jtype, reverse, (u_int)jvalue); 7140 break; 7141 7142 case M_SLS: 7143 if (off_sls == (u_int)-1) 7144 bpf_error("'sls' supported only on SS7"); 7145 /* sls coded on 4 bits so max value 15 */ 7146 if (jvalue > 15) 7147 bpf_error("sls value %u too big; max value = 15", 7148 jvalue); 7149 /* the following instruction is made to convert jvalue 7150 * to the forme used to write sls in an ss7 message*/ 7151 jvalue = jvalue << 4; 7152 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 7153 (u_int)jtype,reverse, (u_int)jvalue); 7154 break; 7155 7156 default: 7157 abort(); 7158 } 7159 return b0; 7160 } 7161 7162 static struct block * 7163 gen_msg_abbrev(type) 7164 int type; 7165 { 7166 struct block *b1; 7167 7168 /* 7169 * Q.2931 signalling protocol messages for handling virtual circuits 7170 * establishment and teardown 7171 */ 7172 switch (type) { 7173 7174 case A_SETUP: 7175 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 7176 break; 7177 7178 case A_CALLPROCEED: 7179 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 7180 break; 7181 7182 case A_CONNECT: 7183 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 7184 break; 7185 7186 case A_CONNECTACK: 7187 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 7188 break; 7189 7190 case A_RELEASE: 7191 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 7192 break; 7193 7194 case A_RELEASE_DONE: 7195 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 7196 break; 7197 7198 default: 7199 abort(); 7200 } 7201 return b1; 7202 } 7203 7204 struct block * 7205 gen_atmmulti_abbrev(type) 7206 int type; 7207 { 7208 struct block *b0, *b1; 7209 7210 switch (type) { 7211 7212 case A_OAM: 7213 if (!is_atm) 7214 bpf_error("'oam' supported only on raw ATM"); 7215 b1 = gen_atmmulti_abbrev(A_OAMF4); 7216 break; 7217 7218 case A_OAMF4: 7219 if (!is_atm) 7220 bpf_error("'oamf4' supported only on raw ATM"); 7221 /* OAM F4 type */ 7222 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7223 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 7224 gen_or(b0, b1); 7225 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7226 gen_and(b0, b1); 7227 break; 7228 7229 case A_CONNECTMSG: 7230 /* 7231 * Get Q.2931 signalling messages for switched 7232 * virtual connection 7233 */ 7234 if (!is_atm) 7235 bpf_error("'connectmsg' supported only on raw ATM"); 7236 b0 = gen_msg_abbrev(A_SETUP); 7237 b1 = gen_msg_abbrev(A_CALLPROCEED); 7238 gen_or(b0, b1); 7239 b0 = gen_msg_abbrev(A_CONNECT); 7240 gen_or(b0, b1); 7241 b0 = gen_msg_abbrev(A_CONNECTACK); 7242 gen_or(b0, b1); 7243 b0 = gen_msg_abbrev(A_RELEASE); 7244 gen_or(b0, b1); 7245 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7246 gen_or(b0, b1); 7247 b0 = gen_atmtype_abbrev(A_SC); 7248 gen_and(b0, b1); 7249 break; 7250 7251 case A_METACONNECT: 7252 if (!is_atm) 7253 bpf_error("'metaconnect' supported only on raw ATM"); 7254 b0 = gen_msg_abbrev(A_SETUP); 7255 b1 = gen_msg_abbrev(A_CALLPROCEED); 7256 gen_or(b0, b1); 7257 b0 = gen_msg_abbrev(A_CONNECT); 7258 gen_or(b0, b1); 7259 b0 = gen_msg_abbrev(A_RELEASE); 7260 gen_or(b0, b1); 7261 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7262 gen_or(b0, b1); 7263 b0 = gen_atmtype_abbrev(A_METAC); 7264 gen_and(b0, b1); 7265 break; 7266 7267 default: 7268 abort(); 7269 } 7270 return b1; 7271 } 7272