1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 25 #endif 26 27 #define _KERNEL_STRUCTURES 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 90 #include <linux/types.h> 91 #include <linux/if_packet.h> 92 #include <linux/filter.h> 93 #endif 94 #ifdef HAVE_NET_PFVAR_H 95 #include <sys/socket.h> 96 #include <net/if.h> 97 #include <net/if_var.h> 98 #include <net/pf/pfvar.h> 99 #include <net/pf/if_pflog.h> 100 #endif 101 #ifndef offsetof 102 #define offsetof(s, e) ((size_t)&((s *)0)->e) 103 #endif 104 #ifdef INET6 105 #ifndef WIN32 106 #include <netdb.h> /* for "struct addrinfo" */ 107 #endif /* WIN32 */ 108 #endif /*INET6*/ 109 #include <pcap/namedb.h> 110 111 #define ETHERMTU 1500 112 113 #ifndef IPPROTO_HOPOPTS 114 #define IPPROTO_HOPOPTS 0 115 #endif 116 #ifndef IPPROTO_ROUTING 117 #define IPPROTO_ROUTING 43 118 #endif 119 #ifndef IPPROTO_FRAGMENT 120 #define IPPROTO_FRAGMENT 44 121 #endif 122 #ifndef IPPROTO_DSTOPTS 123 #define IPPROTO_DSTOPTS 60 124 #endif 125 #ifndef IPPROTO_SCTP 126 #define IPPROTO_SCTP 132 127 #endif 128 129 #ifdef HAVE_OS_PROTO_H 130 #include "os-proto.h" 131 #endif 132 133 #define JMP(c) ((c)|BPF_JMP|BPF_K) 134 135 /* Locals */ 136 static jmp_buf top_ctx; 137 static pcap_t *bpf_pcap; 138 139 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 140 #ifdef WIN32 141 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 142 #else 143 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 144 #endif 145 146 /* XXX */ 147 #ifdef PCAP_FDDIPAD 148 static int pcap_fddipad; 149 #endif 150 151 /* VARARGS */ 152 void 153 bpf_error(const char *fmt, ...) 154 { 155 va_list ap; 156 157 va_start(ap, fmt); 158 if (bpf_pcap != NULL) 159 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 160 fmt, ap); 161 va_end(ap); 162 longjmp(top_ctx, 1); 163 /* NOTREACHED */ 164 } 165 166 static void init_linktype(pcap_t *); 167 168 static void init_regs(void); 169 static int alloc_reg(void); 170 static void free_reg(int); 171 172 static struct block *root; 173 174 /* 175 * Value passed to gen_load_a() to indicate what the offset argument 176 * is relative to. 177 */ 178 enum e_offrel { 179 OR_PACKET, /* relative to the beginning of the packet */ 180 OR_LINK, /* relative to the beginning of the link-layer header */ 181 OR_MACPL, /* relative to the end of the MAC-layer header */ 182 OR_NET, /* relative to the network-layer header */ 183 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 184 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 185 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 186 }; 187 188 #ifdef INET6 189 /* 190 * As errors are handled by a longjmp, anything allocated must be freed 191 * in the longjmp handler, so it must be reachable from that handler. 192 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 193 * it must be freed with freeaddrinfo(). This variable points to any 194 * addrinfo structure that would need to be freed. 195 */ 196 static struct addrinfo *ai; 197 #endif 198 199 /* 200 * We divy out chunks of memory rather than call malloc each time so 201 * we don't have to worry about leaking memory. It's probably 202 * not a big deal if all this memory was wasted but if this ever 203 * goes into a library that would probably not be a good idea. 204 * 205 * XXX - this *is* in a library.... 206 */ 207 #define NCHUNKS 16 208 #define CHUNK0SIZE 1024 209 struct chunk { 210 u_int n_left; 211 void *m; 212 }; 213 214 static struct chunk chunks[NCHUNKS]; 215 static int cur_chunk; 216 217 static void *newchunk(u_int); 218 static void freechunks(void); 219 static inline struct block *new_block(int); 220 static inline struct slist *new_stmt(int); 221 static struct block *gen_retblk(int); 222 static inline void syntax(void); 223 224 static void backpatch(struct block *, struct block *); 225 static void merge(struct block *, struct block *); 226 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 227 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 228 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 229 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 230 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 231 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 232 bpf_u_int32); 233 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 234 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 235 bpf_u_int32, bpf_u_int32, int, bpf_int32); 236 static struct slist *gen_load_llrel(u_int, u_int); 237 static struct slist *gen_load_macplrel(u_int, u_int); 238 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 239 static struct slist *gen_loadx_iphdrlen(void); 240 static struct block *gen_uncond(int); 241 static inline struct block *gen_true(void); 242 static inline struct block *gen_false(void); 243 static struct block *gen_ether_linktype(int); 244 static struct block *gen_ipnet_linktype(int); 245 static struct block *gen_linux_sll_linktype(int); 246 static struct slist *gen_load_prism_llprefixlen(void); 247 static struct slist *gen_load_avs_llprefixlen(void); 248 static struct slist *gen_load_radiotap_llprefixlen(void); 249 static struct slist *gen_load_ppi_llprefixlen(void); 250 static void insert_compute_vloffsets(struct block *); 251 static struct slist *gen_llprefixlen(void); 252 static struct slist *gen_off_macpl(void); 253 static int ethertype_to_ppptype(int); 254 static struct block *gen_linktype(int); 255 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 256 static struct block *gen_llc_linktype(int); 257 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 258 #ifdef INET6 259 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 260 #endif 261 static struct block *gen_ahostop(const u_char *, int); 262 static struct block *gen_ehostop(const u_char *, int); 263 static struct block *gen_fhostop(const u_char *, int); 264 static struct block *gen_thostop(const u_char *, int); 265 static struct block *gen_wlanhostop(const u_char *, int); 266 static struct block *gen_ipfchostop(const u_char *, int); 267 static struct block *gen_dnhostop(bpf_u_int32, int); 268 static struct block *gen_mpls_linktype(int); 269 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 270 #ifdef INET6 271 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 272 #endif 273 #ifndef INET6 274 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 275 #endif 276 static struct block *gen_ipfrag(void); 277 static struct block *gen_portatom(int, bpf_int32); 278 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 279 static struct block *gen_portatom6(int, bpf_int32); 280 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 281 struct block *gen_portop(int, int, int); 282 static struct block *gen_port(int, int, int); 283 struct block *gen_portrangeop(int, int, int, int); 284 static struct block *gen_portrange(int, int, int, int); 285 struct block *gen_portop6(int, int, int); 286 static struct block *gen_port6(int, int, int); 287 struct block *gen_portrangeop6(int, int, int, int); 288 static struct block *gen_portrange6(int, int, int, int); 289 static int lookup_proto(const char *, int); 290 static struct block *gen_protochain(int, int, int); 291 static struct block *gen_proto(int, int, int); 292 static struct slist *xfer_to_x(struct arth *); 293 static struct slist *xfer_to_a(struct arth *); 294 static struct block *gen_mac_multicast(int); 295 static struct block *gen_len(int, int); 296 static struct block *gen_check_802_11_data_frame(void); 297 298 static struct block *gen_ppi_dlt_check(void); 299 static struct block *gen_msg_abbrev(int type); 300 301 static void * 302 newchunk(n) 303 u_int n; 304 { 305 struct chunk *cp; 306 int k; 307 size_t size; 308 309 #ifndef __NetBSD__ 310 /* XXX Round up to nearest long. */ 311 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 312 #else 313 /* XXX Round up to structure boundary. */ 314 n = ALIGN(n); 315 #endif 316 317 cp = &chunks[cur_chunk]; 318 if (n > cp->n_left) { 319 ++cp, k = ++cur_chunk; 320 if (k >= NCHUNKS) 321 bpf_error("out of memory"); 322 size = CHUNK0SIZE << k; 323 cp->m = (void *)malloc(size); 324 if (cp->m == NULL) 325 bpf_error("out of memory"); 326 memset((char *)cp->m, 0, size); 327 cp->n_left = size; 328 if (n > size) 329 bpf_error("out of memory"); 330 } 331 cp->n_left -= n; 332 return (void *)((char *)cp->m + cp->n_left); 333 } 334 335 static void 336 freechunks() 337 { 338 int i; 339 340 cur_chunk = 0; 341 for (i = 0; i < NCHUNKS; ++i) 342 if (chunks[i].m != NULL) { 343 free(chunks[i].m); 344 chunks[i].m = NULL; 345 } 346 } 347 348 /* 349 * A strdup whose allocations are freed after code generation is over. 350 */ 351 char * 352 sdup(s) 353 register const char *s; 354 { 355 int n = strlen(s) + 1; 356 char *cp = newchunk(n); 357 358 strlcpy(cp, s, n); 359 return (cp); 360 } 361 362 static inline struct block * 363 new_block(code) 364 int code; 365 { 366 struct block *p; 367 368 p = (struct block *)newchunk(sizeof(*p)); 369 p->s.code = code; 370 p->head = p; 371 372 return p; 373 } 374 375 static inline struct slist * 376 new_stmt(code) 377 int code; 378 { 379 struct slist *p; 380 381 p = (struct slist *)newchunk(sizeof(*p)); 382 p->s.code = code; 383 384 return p; 385 } 386 387 static struct block * 388 gen_retblk(v) 389 int v; 390 { 391 struct block *b = new_block(BPF_RET|BPF_K); 392 393 b->s.k = v; 394 return b; 395 } 396 397 static inline void 398 syntax() 399 { 400 bpf_error("syntax error in filter expression"); 401 } 402 403 static bpf_u_int32 netmask; 404 static int snaplen; 405 int no_optimize; 406 #ifdef WIN32 407 static int 408 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 409 const char *buf, int optimize, bpf_u_int32 mask); 410 411 int 412 pcap_compile(pcap_t *p, struct bpf_program *program, 413 const char *buf, int optimize, bpf_u_int32 mask) 414 { 415 int result; 416 417 EnterCriticalSection(&g_PcapCompileCriticalSection); 418 419 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 420 421 LeaveCriticalSection(&g_PcapCompileCriticalSection); 422 423 return result; 424 } 425 426 static int 427 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 428 const char *buf, int optimize, bpf_u_int32 mask) 429 #else /* WIN32 */ 430 int 431 pcap_compile(pcap_t *p, struct bpf_program *program, 432 const char *buf, int optimize, bpf_u_int32 mask) 433 #endif /* WIN32 */ 434 { 435 extern int n_errors; 436 const char * volatile xbuf = buf; 437 u_int len; 438 439 /* 440 * If this pcap_t hasn't been activated, it doesn't have a 441 * link-layer type, so we can't use it. 442 */ 443 if (!p->activated) { 444 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 445 "not-yet-activated pcap_t passed to pcap_compile"); 446 return (-1); 447 } 448 no_optimize = 0; 449 n_errors = 0; 450 root = NULL; 451 bpf_pcap = p; 452 init_regs(); 453 if (setjmp(top_ctx)) { 454 #ifdef INET6 455 if (ai != NULL) { 456 freeaddrinfo(ai); 457 ai = NULL; 458 } 459 #endif 460 lex_cleanup(); 461 freechunks(); 462 return (-1); 463 } 464 465 netmask = mask; 466 467 snaplen = pcap_snapshot(p); 468 if (snaplen == 0) { 469 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 470 "snaplen of 0 rejects all packets"); 471 return -1; 472 } 473 474 lex_init(xbuf ? xbuf : ""); 475 init_linktype(p); 476 (void)pcap_parse(); 477 478 if (n_errors) 479 syntax(); 480 481 if (root == NULL) 482 root = gen_retblk(snaplen); 483 484 if (optimize && !no_optimize) { 485 bpf_optimize(&root); 486 if (root == NULL || 487 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 488 bpf_error("expression rejects all packets"); 489 } 490 program->bf_insns = icode_to_fcode(root, &len); 491 program->bf_len = len; 492 493 lex_cleanup(); 494 freechunks(); 495 return (0); 496 } 497 498 /* 499 * entry point for using the compiler with no pcap open 500 * pass in all the stuff that is needed explicitly instead. 501 */ 502 int 503 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 504 struct bpf_program *program, 505 const char *buf, int optimize, bpf_u_int32 mask) 506 { 507 pcap_t *p; 508 int ret; 509 510 p = pcap_open_dead(linktype_arg, snaplen_arg); 511 if (p == NULL) 512 return (-1); 513 ret = pcap_compile(p, program, buf, optimize, mask); 514 pcap_close(p); 515 return (ret); 516 } 517 518 /* 519 * Clean up a "struct bpf_program" by freeing all the memory allocated 520 * in it. 521 */ 522 void 523 pcap_freecode(struct bpf_program *program) 524 { 525 program->bf_len = 0; 526 if (program->bf_insns != NULL) { 527 free((char *)program->bf_insns); 528 program->bf_insns = NULL; 529 } 530 } 531 532 /* 533 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 534 * which of the jt and jf fields has been resolved and which is a pointer 535 * back to another unresolved block (or nil). At least one of the fields 536 * in each block is already resolved. 537 */ 538 static void 539 backpatch(list, target) 540 struct block *list, *target; 541 { 542 struct block *next; 543 544 while (list) { 545 if (!list->sense) { 546 next = JT(list); 547 JT(list) = target; 548 } else { 549 next = JF(list); 550 JF(list) = target; 551 } 552 list = next; 553 } 554 } 555 556 /* 557 * Merge the lists in b0 and b1, using the 'sense' field to indicate 558 * which of jt and jf is the link. 559 */ 560 static void 561 merge(b0, b1) 562 struct block *b0, *b1; 563 { 564 register struct block **p = &b0; 565 566 /* Find end of list. */ 567 while (*p) 568 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 569 570 /* Concatenate the lists. */ 571 *p = b1; 572 } 573 574 void 575 finish_parse(p) 576 struct block *p; 577 { 578 struct block *ppi_dlt_check; 579 580 /* 581 * Insert before the statements of the first (root) block any 582 * statements needed to load the lengths of any variable-length 583 * headers into registers. 584 * 585 * XXX - a fancier strategy would be to insert those before the 586 * statements of all blocks that use those lengths and that 587 * have no predecessors that use them, so that we only compute 588 * the lengths if we need them. There might be even better 589 * approaches than that. 590 * 591 * However, those strategies would be more complicated, and 592 * as we don't generate code to compute a length if the 593 * program has no tests that use the length, and as most 594 * tests will probably use those lengths, we would just 595 * postpone computing the lengths so that it's not done 596 * for tests that fail early, and it's not clear that's 597 * worth the effort. 598 */ 599 insert_compute_vloffsets(p->head); 600 601 /* 602 * For DLT_PPI captures, generate a check of the per-packet 603 * DLT value to make sure it's DLT_IEEE802_11. 604 */ 605 ppi_dlt_check = gen_ppi_dlt_check(); 606 if (ppi_dlt_check != NULL) 607 gen_and(ppi_dlt_check, p); 608 609 backpatch(p, gen_retblk(snaplen)); 610 p->sense = !p->sense; 611 backpatch(p, gen_retblk(0)); 612 root = p->head; 613 } 614 615 void 616 gen_and(b0, b1) 617 struct block *b0, *b1; 618 { 619 backpatch(b0, b1->head); 620 b0->sense = !b0->sense; 621 b1->sense = !b1->sense; 622 merge(b1, b0); 623 b1->sense = !b1->sense; 624 b1->head = b0->head; 625 } 626 627 void 628 gen_or(b0, b1) 629 struct block *b0, *b1; 630 { 631 b0->sense = !b0->sense; 632 backpatch(b0, b1->head); 633 b0->sense = !b0->sense; 634 merge(b1, b0); 635 b1->head = b0->head; 636 } 637 638 void 639 gen_not(b) 640 struct block *b; 641 { 642 b->sense = !b->sense; 643 } 644 645 static struct block * 646 gen_cmp(offrel, offset, size, v) 647 enum e_offrel offrel; 648 u_int offset, size; 649 bpf_int32 v; 650 { 651 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 652 } 653 654 static struct block * 655 gen_cmp_gt(offrel, offset, size, v) 656 enum e_offrel offrel; 657 u_int offset, size; 658 bpf_int32 v; 659 { 660 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 661 } 662 663 static struct block * 664 gen_cmp_ge(offrel, offset, size, v) 665 enum e_offrel offrel; 666 u_int offset, size; 667 bpf_int32 v; 668 { 669 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 670 } 671 672 static struct block * 673 gen_cmp_lt(offrel, offset, size, v) 674 enum e_offrel offrel; 675 u_int offset, size; 676 bpf_int32 v; 677 { 678 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 679 } 680 681 static struct block * 682 gen_cmp_le(offrel, offset, size, v) 683 enum e_offrel offrel; 684 u_int offset, size; 685 bpf_int32 v; 686 { 687 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 688 } 689 690 static struct block * 691 gen_mcmp(offrel, offset, size, v, mask) 692 enum e_offrel offrel; 693 u_int offset, size; 694 bpf_int32 v; 695 bpf_u_int32 mask; 696 { 697 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 698 } 699 700 static struct block * 701 gen_bcmp(offrel, offset, size, v) 702 enum e_offrel offrel; 703 register u_int offset, size; 704 register const u_char *v; 705 { 706 register struct block *b, *tmp; 707 708 b = NULL; 709 while (size >= 4) { 710 register const u_char *p = &v[size - 4]; 711 bpf_int32 w = ((bpf_int32)p[0] << 24) | 712 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 713 714 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 715 if (b != NULL) 716 gen_and(b, tmp); 717 b = tmp; 718 size -= 4; 719 } 720 while (size >= 2) { 721 register const u_char *p = &v[size - 2]; 722 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 723 724 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 725 if (b != NULL) 726 gen_and(b, tmp); 727 b = tmp; 728 size -= 2; 729 } 730 if (size > 0) { 731 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 732 if (b != NULL) 733 gen_and(b, tmp); 734 b = tmp; 735 } 736 return b; 737 } 738 739 /* 740 * AND the field of size "size" at offset "offset" relative to the header 741 * specified by "offrel" with "mask", and compare it with the value "v" 742 * with the test specified by "jtype"; if "reverse" is true, the test 743 * should test the opposite of "jtype". 744 */ 745 static struct block * 746 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 747 enum e_offrel offrel; 748 bpf_int32 v; 749 bpf_u_int32 offset, size, mask, jtype; 750 int reverse; 751 { 752 struct slist *s, *s2; 753 struct block *b; 754 755 s = gen_load_a(offrel, offset, size); 756 757 if (mask != 0xffffffff) { 758 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 759 s2->s.k = mask; 760 sappend(s, s2); 761 } 762 763 b = new_block(JMP(jtype)); 764 b->stmts = s; 765 b->s.k = v; 766 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 767 gen_not(b); 768 return b; 769 } 770 771 /* 772 * Various code constructs need to know the layout of the data link 773 * layer. These variables give the necessary offsets from the beginning 774 * of the packet data. 775 */ 776 777 /* 778 * This is the offset of the beginning of the link-layer header from 779 * the beginning of the raw packet data. 780 * 781 * It's usually 0, except for 802.11 with a fixed-length radio header. 782 * (For 802.11 with a variable-length radio header, we have to generate 783 * code to compute that offset; off_ll is 0 in that case.) 784 */ 785 static u_int off_ll; 786 787 /* 788 * If there's a variable-length header preceding the link-layer header, 789 * "reg_off_ll" is the register number for a register containing the 790 * length of that header, and therefore the offset of the link-layer 791 * header from the beginning of the raw packet data. Otherwise, 792 * "reg_off_ll" is -1. 793 */ 794 static int reg_off_ll; 795 796 /* 797 * This is the offset of the beginning of the MAC-layer header from 798 * the beginning of the link-layer header. 799 * It's usually 0, except for ATM LANE, where it's the offset, relative 800 * to the beginning of the raw packet data, of the Ethernet header, and 801 * for Ethernet with various additional information. 802 */ 803 static u_int off_mac; 804 805 /* 806 * This is the offset of the beginning of the MAC-layer payload, 807 * from the beginning of the raw packet data. 808 * 809 * I.e., it's the sum of the length of the link-layer header (without, 810 * for example, any 802.2 LLC header, so it's the MAC-layer 811 * portion of that header), plus any prefix preceding the 812 * link-layer header. 813 */ 814 static u_int off_macpl; 815 816 /* 817 * This is 1 if the offset of the beginning of the MAC-layer payload 818 * from the beginning of the link-layer header is variable-length. 819 */ 820 static int off_macpl_is_variable; 821 822 /* 823 * If the link layer has variable_length headers, "reg_off_macpl" 824 * is the register number for a register containing the length of the 825 * link-layer header plus the length of any variable-length header 826 * preceding the link-layer header. Otherwise, "reg_off_macpl" 827 * is -1. 828 */ 829 static int reg_off_macpl; 830 831 /* 832 * "off_linktype" is the offset to information in the link-layer header 833 * giving the packet type. This offset is relative to the beginning 834 * of the link-layer header (i.e., it doesn't include off_ll). 835 * 836 * For Ethernet, it's the offset of the Ethernet type field. 837 * 838 * For link-layer types that always use 802.2 headers, it's the 839 * offset of the LLC header. 840 * 841 * For PPP, it's the offset of the PPP type field. 842 * 843 * For Cisco HDLC, it's the offset of the CHDLC type field. 844 * 845 * For BSD loopback, it's the offset of the AF_ value. 846 * 847 * For Linux cooked sockets, it's the offset of the type field. 848 * 849 * It's set to -1 for no encapsulation, in which case, IP is assumed. 850 */ 851 static u_int off_linktype; 852 853 /* 854 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 855 * checks to check the PPP header, assumed to follow a LAN-style link- 856 * layer header and a PPPoE session header. 857 */ 858 static int is_pppoes = 0; 859 860 /* 861 * TRUE if the link layer includes an ATM pseudo-header. 862 */ 863 static int is_atm = 0; 864 865 /* 866 * TRUE if "lane" appeared in the filter; it causes us to generate 867 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 868 */ 869 static int is_lane = 0; 870 871 /* 872 * These are offsets for the ATM pseudo-header. 873 */ 874 static u_int off_vpi; 875 static u_int off_vci; 876 static u_int off_proto; 877 878 /* 879 * These are offsets for the MTP2 fields. 880 */ 881 static u_int off_li; 882 883 /* 884 * These are offsets for the MTP3 fields. 885 */ 886 static u_int off_sio; 887 static u_int off_opc; 888 static u_int off_dpc; 889 static u_int off_sls; 890 891 /* 892 * This is the offset of the first byte after the ATM pseudo_header, 893 * or -1 if there is no ATM pseudo-header. 894 */ 895 static u_int off_payload; 896 897 /* 898 * These are offsets to the beginning of the network-layer header. 899 * They are relative to the beginning of the MAC-layer payload (i.e., 900 * they don't include off_ll or off_macpl). 901 * 902 * If the link layer never uses 802.2 LLC: 903 * 904 * "off_nl" and "off_nl_nosnap" are the same. 905 * 906 * If the link layer always uses 802.2 LLC: 907 * 908 * "off_nl" is the offset if there's a SNAP header following 909 * the 802.2 header; 910 * 911 * "off_nl_nosnap" is the offset if there's no SNAP header. 912 * 913 * If the link layer is Ethernet: 914 * 915 * "off_nl" is the offset if the packet is an Ethernet II packet 916 * (we assume no 802.3+802.2+SNAP); 917 * 918 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 919 * with an 802.2 header following it. 920 */ 921 static u_int off_nl; 922 static u_int off_nl_nosnap; 923 924 static int linktype; 925 926 static void 927 init_linktype(p) 928 pcap_t *p; 929 { 930 linktype = pcap_datalink(p); 931 #ifdef PCAP_FDDIPAD 932 pcap_fddipad = p->fddipad; 933 #endif 934 935 /* 936 * Assume it's not raw ATM with a pseudo-header, for now. 937 */ 938 off_mac = 0; 939 is_atm = 0; 940 is_lane = 0; 941 off_vpi = -1; 942 off_vci = -1; 943 off_proto = -1; 944 off_payload = -1; 945 946 /* 947 * And that we're not doing PPPoE. 948 */ 949 is_pppoes = 0; 950 951 /* 952 * And assume we're not doing SS7. 953 */ 954 off_li = -1; 955 off_sio = -1; 956 off_opc = -1; 957 off_dpc = -1; 958 off_sls = -1; 959 960 /* 961 * Also assume it's not 802.11. 962 */ 963 off_ll = 0; 964 off_macpl = 0; 965 off_macpl_is_variable = 0; 966 967 orig_linktype = -1; 968 orig_nl = -1; 969 label_stack_depth = 0; 970 971 reg_off_ll = -1; 972 reg_off_macpl = -1; 973 974 switch (linktype) { 975 976 case DLT_ARCNET: 977 off_linktype = 2; 978 off_macpl = 6; 979 off_nl = 0; /* XXX in reality, variable! */ 980 off_nl_nosnap = 0; /* no 802.2 LLC */ 981 return; 982 983 case DLT_ARCNET_LINUX: 984 off_linktype = 4; 985 off_macpl = 8; 986 off_nl = 0; /* XXX in reality, variable! */ 987 off_nl_nosnap = 0; /* no 802.2 LLC */ 988 return; 989 990 case DLT_EN10MB: 991 off_linktype = 12; 992 off_macpl = 14; /* Ethernet header length */ 993 off_nl = 0; /* Ethernet II */ 994 off_nl_nosnap = 3; /* 802.3+802.2 */ 995 return; 996 997 case DLT_SLIP: 998 /* 999 * SLIP doesn't have a link level type. The 16 byte 1000 * header is hacked into our SLIP driver. 1001 */ 1002 off_linktype = -1; 1003 off_macpl = 16; 1004 off_nl = 0; 1005 off_nl_nosnap = 0; /* no 802.2 LLC */ 1006 return; 1007 1008 case DLT_SLIP_BSDOS: 1009 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1010 off_linktype = -1; 1011 /* XXX end */ 1012 off_macpl = 24; 1013 off_nl = 0; 1014 off_nl_nosnap = 0; /* no 802.2 LLC */ 1015 return; 1016 1017 case DLT_NULL: 1018 case DLT_LOOP: 1019 off_linktype = 0; 1020 off_macpl = 4; 1021 off_nl = 0; 1022 off_nl_nosnap = 0; /* no 802.2 LLC */ 1023 return; 1024 1025 case DLT_ENC: 1026 off_linktype = 0; 1027 off_macpl = 12; 1028 off_nl = 0; 1029 off_nl_nosnap = 0; /* no 802.2 LLC */ 1030 return; 1031 1032 case DLT_PPP: 1033 case DLT_PPP_PPPD: 1034 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1035 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1036 off_linktype = 2; 1037 off_macpl = 4; 1038 off_nl = 0; 1039 off_nl_nosnap = 0; /* no 802.2 LLC */ 1040 return; 1041 1042 case DLT_PPP_ETHER: 1043 /* 1044 * This does no include the Ethernet header, and 1045 * only covers session state. 1046 */ 1047 off_linktype = 6; 1048 off_macpl = 8; 1049 off_nl = 0; 1050 off_nl_nosnap = 0; /* no 802.2 LLC */ 1051 return; 1052 1053 case DLT_PPP_BSDOS: 1054 off_linktype = 5; 1055 off_macpl = 24; 1056 off_nl = 0; 1057 off_nl_nosnap = 0; /* no 802.2 LLC */ 1058 return; 1059 1060 case DLT_FDDI: 1061 /* 1062 * FDDI doesn't really have a link-level type field. 1063 * We set "off_linktype" to the offset of the LLC header. 1064 * 1065 * To check for Ethernet types, we assume that SSAP = SNAP 1066 * is being used and pick out the encapsulated Ethernet type. 1067 * XXX - should we generate code to check for SNAP? 1068 */ 1069 off_linktype = 13; 1070 #ifdef PCAP_FDDIPAD 1071 off_linktype += pcap_fddipad; 1072 #endif 1073 off_macpl = 13; /* FDDI MAC header length */ 1074 #ifdef PCAP_FDDIPAD 1075 off_macpl += pcap_fddipad; 1076 #endif 1077 off_nl = 8; /* 802.2+SNAP */ 1078 off_nl_nosnap = 3; /* 802.2 */ 1079 return; 1080 1081 case DLT_IEEE802: 1082 /* 1083 * Token Ring doesn't really have a link-level type field. 1084 * We set "off_linktype" to the offset of the LLC header. 1085 * 1086 * To check for Ethernet types, we assume that SSAP = SNAP 1087 * is being used and pick out the encapsulated Ethernet type. 1088 * XXX - should we generate code to check for SNAP? 1089 * 1090 * XXX - the header is actually variable-length. 1091 * Some various Linux patched versions gave 38 1092 * as "off_linktype" and 40 as "off_nl"; however, 1093 * if a token ring packet has *no* routing 1094 * information, i.e. is not source-routed, the correct 1095 * values are 20 and 22, as they are in the vanilla code. 1096 * 1097 * A packet is source-routed iff the uppermost bit 1098 * of the first byte of the source address, at an 1099 * offset of 8, has the uppermost bit set. If the 1100 * packet is source-routed, the total number of bytes 1101 * of routing information is 2 plus bits 0x1F00 of 1102 * the 16-bit value at an offset of 14 (shifted right 1103 * 8 - figure out which byte that is). 1104 */ 1105 off_linktype = 14; 1106 off_macpl = 14; /* Token Ring MAC header length */ 1107 off_nl = 8; /* 802.2+SNAP */ 1108 off_nl_nosnap = 3; /* 802.2 */ 1109 return; 1110 1111 case DLT_IEEE802_11: 1112 case DLT_PRISM_HEADER: 1113 case DLT_IEEE802_11_RADIO_AVS: 1114 case DLT_IEEE802_11_RADIO: 1115 /* 1116 * 802.11 doesn't really have a link-level type field. 1117 * We set "off_linktype" to the offset of the LLC header. 1118 * 1119 * To check for Ethernet types, we assume that SSAP = SNAP 1120 * is being used and pick out the encapsulated Ethernet type. 1121 * XXX - should we generate code to check for SNAP? 1122 * 1123 * We also handle variable-length radio headers here. 1124 * The Prism header is in theory variable-length, but in 1125 * practice it's always 144 bytes long. However, some 1126 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1127 * sometimes or always supply an AVS header, so we 1128 * have to check whether the radio header is a Prism 1129 * header or an AVS header, so, in practice, it's 1130 * variable-length. 1131 */ 1132 off_linktype = 24; 1133 off_macpl = 0; /* link-layer header is variable-length */ 1134 off_macpl_is_variable = 1; 1135 off_nl = 8; /* 802.2+SNAP */ 1136 off_nl_nosnap = 3; /* 802.2 */ 1137 return; 1138 1139 case DLT_PPI: 1140 /* 1141 * At the moment we treat PPI the same way that we treat 1142 * normal Radiotap encoded packets. The difference is in 1143 * the function that generates the code at the beginning 1144 * to compute the header length. Since this code generator 1145 * of PPI supports bare 802.11 encapsulation only (i.e. 1146 * the encapsulated DLT should be DLT_IEEE802_11) we 1147 * generate code to check for this too. 1148 */ 1149 off_linktype = 24; 1150 off_macpl = 0; /* link-layer header is variable-length */ 1151 off_macpl_is_variable = 1; 1152 off_nl = 8; /* 802.2+SNAP */ 1153 off_nl_nosnap = 3; /* 802.2 */ 1154 return; 1155 1156 case DLT_ATM_RFC1483: 1157 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1158 /* 1159 * assume routed, non-ISO PDUs 1160 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1161 * 1162 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1163 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1164 * latter would presumably be treated the way PPPoE 1165 * should be, so you can do "pppoe and udp port 2049" 1166 * or "pppoa and tcp port 80" and have it check for 1167 * PPPo{A,E} and a PPP protocol of IP and.... 1168 */ 1169 off_linktype = 0; 1170 off_macpl = 0; /* packet begins with LLC header */ 1171 off_nl = 8; /* 802.2+SNAP */ 1172 off_nl_nosnap = 3; /* 802.2 */ 1173 return; 1174 1175 case DLT_SUNATM: 1176 /* 1177 * Full Frontal ATM; you get AALn PDUs with an ATM 1178 * pseudo-header. 1179 */ 1180 is_atm = 1; 1181 off_vpi = SUNATM_VPI_POS; 1182 off_vci = SUNATM_VCI_POS; 1183 off_proto = PROTO_POS; 1184 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1185 off_payload = SUNATM_PKT_BEGIN_POS; 1186 off_linktype = off_payload; 1187 off_macpl = off_payload; /* if LLC-encapsulated */ 1188 off_nl = 8; /* 802.2+SNAP */ 1189 off_nl_nosnap = 3; /* 802.2 */ 1190 return; 1191 1192 case DLT_RAW: 1193 case DLT_IPV4: 1194 case DLT_IPV6: 1195 off_linktype = -1; 1196 off_macpl = 0; 1197 off_nl = 0; 1198 off_nl_nosnap = 0; /* no 802.2 LLC */ 1199 return; 1200 1201 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1202 off_linktype = 14; 1203 off_macpl = 16; 1204 off_nl = 0; 1205 off_nl_nosnap = 0; /* no 802.2 LLC */ 1206 return; 1207 1208 case DLT_LTALK: 1209 /* 1210 * LocalTalk does have a 1-byte type field in the LLAP header, 1211 * but really it just indicates whether there is a "short" or 1212 * "long" DDP packet following. 1213 */ 1214 off_linktype = -1; 1215 off_macpl = 0; 1216 off_nl = 0; 1217 off_nl_nosnap = 0; /* no 802.2 LLC */ 1218 return; 1219 1220 case DLT_IP_OVER_FC: 1221 /* 1222 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1223 * link-level type field. We set "off_linktype" to the 1224 * offset of the LLC header. 1225 * 1226 * To check for Ethernet types, we assume that SSAP = SNAP 1227 * is being used and pick out the encapsulated Ethernet type. 1228 * XXX - should we generate code to check for SNAP? RFC 1229 * 2625 says SNAP should be used. 1230 */ 1231 off_linktype = 16; 1232 off_macpl = 16; 1233 off_nl = 8; /* 802.2+SNAP */ 1234 off_nl_nosnap = 3; /* 802.2 */ 1235 return; 1236 1237 case DLT_FRELAY: 1238 /* 1239 * XXX - we should set this to handle SNAP-encapsulated 1240 * frames (NLPID of 0x80). 1241 */ 1242 off_linktype = -1; 1243 off_macpl = 0; 1244 off_nl = 0; 1245 off_nl_nosnap = 0; /* no 802.2 LLC */ 1246 return; 1247 1248 /* 1249 * the only BPF-interesting FRF.16 frames are non-control frames; 1250 * Frame Relay has a variable length link-layer 1251 * so lets start with offset 4 for now and increments later on (FIXME); 1252 */ 1253 case DLT_MFR: 1254 off_linktype = -1; 1255 off_macpl = 0; 1256 off_nl = 4; 1257 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1258 return; 1259 1260 case DLT_APPLE_IP_OVER_IEEE1394: 1261 off_linktype = 16; 1262 off_macpl = 18; 1263 off_nl = 0; 1264 off_nl_nosnap = 0; /* no 802.2 LLC */ 1265 return; 1266 1267 case DLT_SYMANTEC_FIREWALL: 1268 off_linktype = 6; 1269 off_macpl = 44; 1270 off_nl = 0; /* Ethernet II */ 1271 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1272 return; 1273 1274 #ifdef HAVE_NET_PFVAR_H 1275 case DLT_PFLOG: 1276 off_linktype = 0; 1277 off_macpl = PFLOG_HDRLEN; 1278 off_nl = 0; 1279 off_nl_nosnap = 0; /* no 802.2 LLC */ 1280 return; 1281 #endif 1282 1283 case DLT_JUNIPER_MFR: 1284 case DLT_JUNIPER_MLFR: 1285 case DLT_JUNIPER_MLPPP: 1286 case DLT_JUNIPER_PPP: 1287 case DLT_JUNIPER_CHDLC: 1288 case DLT_JUNIPER_FRELAY: 1289 off_linktype = 4; 1290 off_macpl = 4; 1291 off_nl = 0; 1292 off_nl_nosnap = -1; /* no 802.2 LLC */ 1293 return; 1294 1295 case DLT_JUNIPER_ATM1: 1296 off_linktype = 4; /* in reality variable between 4-8 */ 1297 off_macpl = 4; /* in reality variable between 4-8 */ 1298 off_nl = 0; 1299 off_nl_nosnap = 10; 1300 return; 1301 1302 case DLT_JUNIPER_ATM2: 1303 off_linktype = 8; /* in reality variable between 8-12 */ 1304 off_macpl = 8; /* in reality variable between 8-12 */ 1305 off_nl = 0; 1306 off_nl_nosnap = 10; 1307 return; 1308 1309 /* frames captured on a Juniper PPPoE service PIC 1310 * contain raw ethernet frames */ 1311 case DLT_JUNIPER_PPPOE: 1312 case DLT_JUNIPER_ETHER: 1313 off_macpl = 14; 1314 off_linktype = 16; 1315 off_nl = 18; /* Ethernet II */ 1316 off_nl_nosnap = 21; /* 802.3+802.2 */ 1317 return; 1318 1319 case DLT_JUNIPER_PPPOE_ATM: 1320 off_linktype = 4; 1321 off_macpl = 6; 1322 off_nl = 0; 1323 off_nl_nosnap = -1; /* no 802.2 LLC */ 1324 return; 1325 1326 case DLT_JUNIPER_GGSN: 1327 off_linktype = 6; 1328 off_macpl = 12; 1329 off_nl = 0; 1330 off_nl_nosnap = -1; /* no 802.2 LLC */ 1331 return; 1332 1333 case DLT_JUNIPER_ES: 1334 off_linktype = 6; 1335 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1336 off_nl = -1; /* not really a network layer but raw IP addresses */ 1337 off_nl_nosnap = -1; /* no 802.2 LLC */ 1338 return; 1339 1340 case DLT_JUNIPER_MONITOR: 1341 off_linktype = 12; 1342 off_macpl = 12; 1343 off_nl = 0; /* raw IP/IP6 header */ 1344 off_nl_nosnap = -1; /* no 802.2 LLC */ 1345 return; 1346 1347 case DLT_JUNIPER_SERVICES: 1348 off_linktype = 12; 1349 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1350 off_nl = -1; /* L3 proto location dep. on cookie type */ 1351 off_nl_nosnap = -1; /* no 802.2 LLC */ 1352 return; 1353 1354 case DLT_JUNIPER_VP: 1355 off_linktype = 18; 1356 off_macpl = -1; 1357 off_nl = -1; 1358 off_nl_nosnap = -1; 1359 return; 1360 1361 case DLT_JUNIPER_ST: 1362 off_linktype = 18; 1363 off_macpl = -1; 1364 off_nl = -1; 1365 off_nl_nosnap = -1; 1366 return; 1367 1368 case DLT_JUNIPER_ISM: 1369 off_linktype = 8; 1370 off_macpl = -1; 1371 off_nl = -1; 1372 off_nl_nosnap = -1; 1373 return; 1374 1375 case DLT_JUNIPER_VS: 1376 case DLT_JUNIPER_SRX_E2E: 1377 case DLT_JUNIPER_FIBRECHANNEL: 1378 case DLT_JUNIPER_ATM_CEMIC: 1379 off_linktype = 8; 1380 off_macpl = -1; 1381 off_nl = -1; 1382 off_nl_nosnap = -1; 1383 return; 1384 1385 case DLT_MTP2: 1386 off_li = 2; 1387 off_sio = 3; 1388 off_opc = 4; 1389 off_dpc = 4; 1390 off_sls = 7; 1391 off_linktype = -1; 1392 off_macpl = -1; 1393 off_nl = -1; 1394 off_nl_nosnap = -1; 1395 return; 1396 1397 case DLT_MTP2_WITH_PHDR: 1398 off_li = 6; 1399 off_sio = 7; 1400 off_opc = 8; 1401 off_dpc = 8; 1402 off_sls = 11; 1403 off_linktype = -1; 1404 off_macpl = -1; 1405 off_nl = -1; 1406 off_nl_nosnap = -1; 1407 return; 1408 1409 case DLT_ERF: 1410 off_li = 22; 1411 off_sio = 23; 1412 off_opc = 24; 1413 off_dpc = 24; 1414 off_sls = 27; 1415 off_linktype = -1; 1416 off_macpl = -1; 1417 off_nl = -1; 1418 off_nl_nosnap = -1; 1419 return; 1420 1421 case DLT_PFSYNC: 1422 off_linktype = -1; 1423 off_macpl = 4; 1424 off_nl = 0; 1425 off_nl_nosnap = 0; 1426 return; 1427 1428 case DLT_AX25_KISS: 1429 /* 1430 * Currently, only raw "link[N:M]" filtering is supported. 1431 */ 1432 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1433 off_macpl = -1; 1434 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1435 off_nl_nosnap = -1; /* no 802.2 LLC */ 1436 off_mac = 1; /* step over the kiss length byte */ 1437 return; 1438 1439 case DLT_IPNET: 1440 off_linktype = 1; 1441 off_macpl = 24; /* ipnet header length */ 1442 off_nl = 0; 1443 off_nl_nosnap = -1; 1444 return; 1445 1446 case DLT_NETANALYZER: 1447 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1448 off_linktype = 16; /* includes 4-byte pseudo-header */ 1449 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1450 off_nl = 0; /* Ethernet II */ 1451 off_nl_nosnap = 3; /* 802.3+802.2 */ 1452 return; 1453 1454 case DLT_NETANALYZER_TRANSPARENT: 1455 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1456 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1457 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1458 off_nl = 0; /* Ethernet II */ 1459 off_nl_nosnap = 3; /* 802.3+802.2 */ 1460 return; 1461 1462 default: 1463 /* 1464 * For values in the range in which we've assigned new 1465 * DLT_ values, only raw "link[N:M]" filtering is supported. 1466 */ 1467 if (linktype >= DLT_MATCHING_MIN && 1468 linktype <= DLT_MATCHING_MAX) { 1469 off_linktype = -1; 1470 off_macpl = -1; 1471 off_nl = -1; 1472 off_nl_nosnap = -1; 1473 return; 1474 } 1475 1476 } 1477 bpf_error("unknown data link type %d", linktype); 1478 /* NOTREACHED */ 1479 } 1480 1481 /* 1482 * Load a value relative to the beginning of the link-layer header. 1483 * The link-layer header doesn't necessarily begin at the beginning 1484 * of the packet data; there might be a variable-length prefix containing 1485 * radio information. 1486 */ 1487 static struct slist * 1488 gen_load_llrel(offset, size) 1489 u_int offset, size; 1490 { 1491 struct slist *s, *s2; 1492 1493 s = gen_llprefixlen(); 1494 1495 /* 1496 * If "s" is non-null, it has code to arrange that the X register 1497 * contains the length of the prefix preceding the link-layer 1498 * header. 1499 * 1500 * Otherwise, the length of the prefix preceding the link-layer 1501 * header is "off_ll". 1502 */ 1503 if (s != NULL) { 1504 /* 1505 * There's a variable-length prefix preceding the 1506 * link-layer header. "s" points to a list of statements 1507 * that put the length of that prefix into the X register. 1508 * do an indirect load, to use the X register as an offset. 1509 */ 1510 s2 = new_stmt(BPF_LD|BPF_IND|size); 1511 s2->s.k = offset; 1512 sappend(s, s2); 1513 } else { 1514 /* 1515 * There is no variable-length header preceding the 1516 * link-layer header; add in off_ll, which, if there's 1517 * a fixed-length header preceding the link-layer header, 1518 * is the length of that header. 1519 */ 1520 s = new_stmt(BPF_LD|BPF_ABS|size); 1521 s->s.k = offset + off_ll; 1522 } 1523 return s; 1524 } 1525 1526 /* 1527 * Load a value relative to the beginning of the MAC-layer payload. 1528 */ 1529 static struct slist * 1530 gen_load_macplrel(offset, size) 1531 u_int offset, size; 1532 { 1533 struct slist *s, *s2; 1534 1535 s = gen_off_macpl(); 1536 1537 /* 1538 * If s is non-null, the offset of the MAC-layer payload is 1539 * variable, and s points to a list of instructions that 1540 * arrange that the X register contains that offset. 1541 * 1542 * Otherwise, the offset of the MAC-layer payload is constant, 1543 * and is in off_macpl. 1544 */ 1545 if (s != NULL) { 1546 /* 1547 * The offset of the MAC-layer payload is in the X 1548 * register. Do an indirect load, to use the X register 1549 * as an offset. 1550 */ 1551 s2 = new_stmt(BPF_LD|BPF_IND|size); 1552 s2->s.k = offset; 1553 sappend(s, s2); 1554 } else { 1555 /* 1556 * The offset of the MAC-layer payload is constant, 1557 * and is in off_macpl; load the value at that offset 1558 * plus the specified offset. 1559 */ 1560 s = new_stmt(BPF_LD|BPF_ABS|size); 1561 s->s.k = off_macpl + offset; 1562 } 1563 return s; 1564 } 1565 1566 /* 1567 * Load a value relative to the beginning of the specified header. 1568 */ 1569 static struct slist * 1570 gen_load_a(offrel, offset, size) 1571 enum e_offrel offrel; 1572 u_int offset, size; 1573 { 1574 struct slist *s, *s2; 1575 1576 switch (offrel) { 1577 1578 case OR_PACKET: 1579 s = new_stmt(BPF_LD|BPF_ABS|size); 1580 s->s.k = offset; 1581 break; 1582 1583 case OR_LINK: 1584 s = gen_load_llrel(offset, size); 1585 break; 1586 1587 case OR_MACPL: 1588 s = gen_load_macplrel(offset, size); 1589 break; 1590 1591 case OR_NET: 1592 s = gen_load_macplrel(off_nl + offset, size); 1593 break; 1594 1595 case OR_NET_NOSNAP: 1596 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1597 break; 1598 1599 case OR_TRAN_IPV4: 1600 /* 1601 * Load the X register with the length of the IPv4 header 1602 * (plus the offset of the link-layer header, if it's 1603 * preceded by a variable-length header such as a radio 1604 * header), in bytes. 1605 */ 1606 s = gen_loadx_iphdrlen(); 1607 1608 /* 1609 * Load the item at {offset of the MAC-layer payload} + 1610 * {offset, relative to the start of the MAC-layer 1611 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1612 * {specified offset}. 1613 * 1614 * (If the offset of the MAC-layer payload is variable, 1615 * it's included in the value in the X register, and 1616 * off_macpl is 0.) 1617 */ 1618 s2 = new_stmt(BPF_LD|BPF_IND|size); 1619 s2->s.k = off_macpl + off_nl + offset; 1620 sappend(s, s2); 1621 break; 1622 1623 case OR_TRAN_IPV6: 1624 s = gen_load_macplrel(off_nl + 40 + offset, size); 1625 break; 1626 1627 default: 1628 abort(); 1629 return NULL; 1630 } 1631 return s; 1632 } 1633 1634 /* 1635 * Generate code to load into the X register the sum of the length of 1636 * the IPv4 header and any variable-length header preceding the link-layer 1637 * header. 1638 */ 1639 static struct slist * 1640 gen_loadx_iphdrlen() 1641 { 1642 struct slist *s, *s2; 1643 1644 s = gen_off_macpl(); 1645 if (s != NULL) { 1646 /* 1647 * There's a variable-length prefix preceding the 1648 * link-layer header, or the link-layer header is itself 1649 * variable-length. "s" points to a list of statements 1650 * that put the offset of the MAC-layer payload into 1651 * the X register. 1652 * 1653 * The 4*([k]&0xf) addressing mode can't be used, as we 1654 * don't have a constant offset, so we have to load the 1655 * value in question into the A register and add to it 1656 * the value from the X register. 1657 */ 1658 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1659 s2->s.k = off_nl; 1660 sappend(s, s2); 1661 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1662 s2->s.k = 0xf; 1663 sappend(s, s2); 1664 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1665 s2->s.k = 2; 1666 sappend(s, s2); 1667 1668 /* 1669 * The A register now contains the length of the 1670 * IP header. We need to add to it the offset of 1671 * the MAC-layer payload, which is still in the X 1672 * register, and move the result into the X register. 1673 */ 1674 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1675 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1676 } else { 1677 /* 1678 * There is no variable-length header preceding the 1679 * link-layer header, and the link-layer header is 1680 * fixed-length; load the length of the IPv4 header, 1681 * which is at an offset of off_nl from the beginning 1682 * of the MAC-layer payload, and thus at an offset 1683 * of off_mac_pl + off_nl from the beginning of the 1684 * raw packet data. 1685 */ 1686 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1687 s->s.k = off_macpl + off_nl; 1688 } 1689 return s; 1690 } 1691 1692 static struct block * 1693 gen_uncond(rsense) 1694 int rsense; 1695 { 1696 struct block *b; 1697 struct slist *s; 1698 1699 s = new_stmt(BPF_LD|BPF_IMM); 1700 s->s.k = !rsense; 1701 b = new_block(JMP(BPF_JEQ)); 1702 b->stmts = s; 1703 1704 return b; 1705 } 1706 1707 static inline struct block * 1708 gen_true() 1709 { 1710 return gen_uncond(1); 1711 } 1712 1713 static inline struct block * 1714 gen_false() 1715 { 1716 return gen_uncond(0); 1717 } 1718 1719 /* 1720 * Byte-swap a 32-bit number. 1721 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1722 * big-endian platforms.) 1723 */ 1724 #define SWAPLONG(y) \ 1725 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1726 1727 /* 1728 * Generate code to match a particular packet type. 1729 * 1730 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1731 * value, if <= ETHERMTU. We use that to determine whether to 1732 * match the type/length field or to check the type/length field for 1733 * a value <= ETHERMTU to see whether it's a type field and then do 1734 * the appropriate test. 1735 */ 1736 static struct block * 1737 gen_ether_linktype(proto) 1738 register int proto; 1739 { 1740 struct block *b0, *b1; 1741 1742 switch (proto) { 1743 1744 case LLCSAP_ISONS: 1745 case LLCSAP_IP: 1746 case LLCSAP_NETBEUI: 1747 /* 1748 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1749 * so we check the DSAP and SSAP. 1750 * 1751 * LLCSAP_IP checks for IP-over-802.2, rather 1752 * than IP-over-Ethernet or IP-over-SNAP. 1753 * 1754 * XXX - should we check both the DSAP and the 1755 * SSAP, like this, or should we check just the 1756 * DSAP, as we do for other types <= ETHERMTU 1757 * (i.e., other SAP values)? 1758 */ 1759 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1760 gen_not(b0); 1761 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1762 ((proto << 8) | proto)); 1763 gen_and(b0, b1); 1764 return b1; 1765 1766 case LLCSAP_IPX: 1767 /* 1768 * Check for; 1769 * 1770 * Ethernet_II frames, which are Ethernet 1771 * frames with a frame type of ETHERTYPE_IPX; 1772 * 1773 * Ethernet_802.3 frames, which are 802.3 1774 * frames (i.e., the type/length field is 1775 * a length field, <= ETHERMTU, rather than 1776 * a type field) with the first two bytes 1777 * after the Ethernet/802.3 header being 1778 * 0xFFFF; 1779 * 1780 * Ethernet_802.2 frames, which are 802.3 1781 * frames with an 802.2 LLC header and 1782 * with the IPX LSAP as the DSAP in the LLC 1783 * header; 1784 * 1785 * Ethernet_SNAP frames, which are 802.3 1786 * frames with an LLC header and a SNAP 1787 * header and with an OUI of 0x000000 1788 * (encapsulated Ethernet) and a protocol 1789 * ID of ETHERTYPE_IPX in the SNAP header. 1790 * 1791 * XXX - should we generate the same code both 1792 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1793 */ 1794 1795 /* 1796 * This generates code to check both for the 1797 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1798 */ 1799 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1800 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1801 gen_or(b0, b1); 1802 1803 /* 1804 * Now we add code to check for SNAP frames with 1805 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1806 */ 1807 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1808 gen_or(b0, b1); 1809 1810 /* 1811 * Now we generate code to check for 802.3 1812 * frames in general. 1813 */ 1814 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1815 gen_not(b0); 1816 1817 /* 1818 * Now add the check for 802.3 frames before the 1819 * check for Ethernet_802.2 and Ethernet_802.3, 1820 * as those checks should only be done on 802.3 1821 * frames, not on Ethernet frames. 1822 */ 1823 gen_and(b0, b1); 1824 1825 /* 1826 * Now add the check for Ethernet_II frames, and 1827 * do that before checking for the other frame 1828 * types. 1829 */ 1830 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1831 (bpf_int32)ETHERTYPE_IPX); 1832 gen_or(b0, b1); 1833 return b1; 1834 1835 case ETHERTYPE_ATALK: 1836 case ETHERTYPE_AARP: 1837 /* 1838 * EtherTalk (AppleTalk protocols on Ethernet link 1839 * layer) may use 802.2 encapsulation. 1840 */ 1841 1842 /* 1843 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1844 * we check for an Ethernet type field less than 1845 * 1500, which means it's an 802.3 length field. 1846 */ 1847 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1848 gen_not(b0); 1849 1850 /* 1851 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1852 * SNAP packets with an organization code of 1853 * 0x080007 (Apple, for Appletalk) and a protocol 1854 * type of ETHERTYPE_ATALK (Appletalk). 1855 * 1856 * 802.2-encapsulated ETHERTYPE_AARP packets are 1857 * SNAP packets with an organization code of 1858 * 0x000000 (encapsulated Ethernet) and a protocol 1859 * type of ETHERTYPE_AARP (Appletalk ARP). 1860 */ 1861 if (proto == ETHERTYPE_ATALK) 1862 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1863 else /* proto == ETHERTYPE_AARP */ 1864 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1865 gen_and(b0, b1); 1866 1867 /* 1868 * Check for Ethernet encapsulation (Ethertalk 1869 * phase 1?); we just check for the Ethernet 1870 * protocol type. 1871 */ 1872 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1873 1874 gen_or(b0, b1); 1875 return b1; 1876 1877 default: 1878 if (proto <= ETHERMTU) { 1879 /* 1880 * This is an LLC SAP value, so the frames 1881 * that match would be 802.2 frames. 1882 * Check that the frame is an 802.2 frame 1883 * (i.e., that the length/type field is 1884 * a length field, <= ETHERMTU) and 1885 * then check the DSAP. 1886 */ 1887 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1888 gen_not(b0); 1889 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1890 (bpf_int32)proto); 1891 gen_and(b0, b1); 1892 return b1; 1893 } else { 1894 /* 1895 * This is an Ethernet type, so compare 1896 * the length/type field with it (if 1897 * the frame is an 802.2 frame, the length 1898 * field will be <= ETHERMTU, and, as 1899 * "proto" is > ETHERMTU, this test 1900 * will fail and the frame won't match, 1901 * which is what we want). 1902 */ 1903 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1904 (bpf_int32)proto); 1905 } 1906 } 1907 } 1908 1909 /* 1910 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1911 * or IPv6 then we have an error. 1912 */ 1913 static struct block * 1914 gen_ipnet_linktype(proto) 1915 register int proto; 1916 { 1917 switch (proto) { 1918 1919 case ETHERTYPE_IP: 1920 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1921 (bpf_int32)IPH_AF_INET); 1922 /* NOTREACHED */ 1923 1924 case ETHERTYPE_IPV6: 1925 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1926 (bpf_int32)IPH_AF_INET6); 1927 /* NOTREACHED */ 1928 1929 default: 1930 break; 1931 } 1932 1933 return gen_false(); 1934 } 1935 1936 /* 1937 * Generate code to match a particular packet type. 1938 * 1939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1940 * value, if <= ETHERMTU. We use that to determine whether to 1941 * match the type field or to check the type field for the special 1942 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1943 */ 1944 static struct block * 1945 gen_linux_sll_linktype(proto) 1946 register int proto; 1947 { 1948 struct block *b0, *b1; 1949 1950 switch (proto) { 1951 1952 case LLCSAP_ISONS: 1953 case LLCSAP_IP: 1954 case LLCSAP_NETBEUI: 1955 /* 1956 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1957 * so we check the DSAP and SSAP. 1958 * 1959 * LLCSAP_IP checks for IP-over-802.2, rather 1960 * than IP-over-Ethernet or IP-over-SNAP. 1961 * 1962 * XXX - should we check both the DSAP and the 1963 * SSAP, like this, or should we check just the 1964 * DSAP, as we do for other types <= ETHERMTU 1965 * (i.e., other SAP values)? 1966 */ 1967 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1968 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1969 ((proto << 8) | proto)); 1970 gen_and(b0, b1); 1971 return b1; 1972 1973 case LLCSAP_IPX: 1974 /* 1975 * Ethernet_II frames, which are Ethernet 1976 * frames with a frame type of ETHERTYPE_IPX; 1977 * 1978 * Ethernet_802.3 frames, which have a frame 1979 * type of LINUX_SLL_P_802_3; 1980 * 1981 * Ethernet_802.2 frames, which are 802.3 1982 * frames with an 802.2 LLC header (i.e, have 1983 * a frame type of LINUX_SLL_P_802_2) and 1984 * with the IPX LSAP as the DSAP in the LLC 1985 * header; 1986 * 1987 * Ethernet_SNAP frames, which are 802.3 1988 * frames with an LLC header and a SNAP 1989 * header and with an OUI of 0x000000 1990 * (encapsulated Ethernet) and a protocol 1991 * ID of ETHERTYPE_IPX in the SNAP header. 1992 * 1993 * First, do the checks on LINUX_SLL_P_802_2 1994 * frames; generate the check for either 1995 * Ethernet_802.2 or Ethernet_SNAP frames, and 1996 * then put a check for LINUX_SLL_P_802_2 frames 1997 * before it. 1998 */ 1999 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2000 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2001 gen_or(b0, b1); 2002 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2003 gen_and(b0, b1); 2004 2005 /* 2006 * Now check for 802.3 frames and OR that with 2007 * the previous test. 2008 */ 2009 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2010 gen_or(b0, b1); 2011 2012 /* 2013 * Now add the check for Ethernet_II frames, and 2014 * do that before checking for the other frame 2015 * types. 2016 */ 2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2018 (bpf_int32)ETHERTYPE_IPX); 2019 gen_or(b0, b1); 2020 return b1; 2021 2022 case ETHERTYPE_ATALK: 2023 case ETHERTYPE_AARP: 2024 /* 2025 * EtherTalk (AppleTalk protocols on Ethernet link 2026 * layer) may use 802.2 encapsulation. 2027 */ 2028 2029 /* 2030 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2031 * we check for the 802.2 protocol type in the 2032 * "Ethernet type" field. 2033 */ 2034 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2035 2036 /* 2037 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2038 * SNAP packets with an organization code of 2039 * 0x080007 (Apple, for Appletalk) and a protocol 2040 * type of ETHERTYPE_ATALK (Appletalk). 2041 * 2042 * 802.2-encapsulated ETHERTYPE_AARP packets are 2043 * SNAP packets with an organization code of 2044 * 0x000000 (encapsulated Ethernet) and a protocol 2045 * type of ETHERTYPE_AARP (Appletalk ARP). 2046 */ 2047 if (proto == ETHERTYPE_ATALK) 2048 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2049 else /* proto == ETHERTYPE_AARP */ 2050 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2051 gen_and(b0, b1); 2052 2053 /* 2054 * Check for Ethernet encapsulation (Ethertalk 2055 * phase 1?); we just check for the Ethernet 2056 * protocol type. 2057 */ 2058 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2059 2060 gen_or(b0, b1); 2061 return b1; 2062 2063 default: 2064 if (proto <= ETHERMTU) { 2065 /* 2066 * This is an LLC SAP value, so the frames 2067 * that match would be 802.2 frames. 2068 * Check for the 802.2 protocol type 2069 * in the "Ethernet type" field, and 2070 * then check the DSAP. 2071 */ 2072 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2073 LINUX_SLL_P_802_2); 2074 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2075 (bpf_int32)proto); 2076 gen_and(b0, b1); 2077 return b1; 2078 } else { 2079 /* 2080 * This is an Ethernet type, so compare 2081 * the length/type field with it (if 2082 * the frame is an 802.2 frame, the length 2083 * field will be <= ETHERMTU, and, as 2084 * "proto" is > ETHERMTU, this test 2085 * will fail and the frame won't match, 2086 * which is what we want). 2087 */ 2088 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2089 (bpf_int32)proto); 2090 } 2091 } 2092 } 2093 2094 static struct slist * 2095 gen_load_prism_llprefixlen() 2096 { 2097 struct slist *s1, *s2; 2098 struct slist *sjeq_avs_cookie; 2099 struct slist *sjcommon; 2100 2101 /* 2102 * This code is not compatible with the optimizer, as 2103 * we are generating jmp instructions within a normal 2104 * slist of instructions 2105 */ 2106 no_optimize = 1; 2107 2108 /* 2109 * Generate code to load the length of the radio header into 2110 * the register assigned to hold that length, if one has been 2111 * assigned. (If one hasn't been assigned, no code we've 2112 * generated uses that prefix, so we don't need to generate any 2113 * code to load it.) 2114 * 2115 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2116 * or always use the AVS header rather than the Prism header. 2117 * We load a 4-byte big-endian value at the beginning of the 2118 * raw packet data, and see whether, when masked with 0xFFFFF000, 2119 * it's equal to 0x80211000. If so, that indicates that it's 2120 * an AVS header (the masked-out bits are the version number). 2121 * Otherwise, it's a Prism header. 2122 * 2123 * XXX - the Prism header is also, in theory, variable-length, 2124 * but no known software generates headers that aren't 144 2125 * bytes long. 2126 */ 2127 if (reg_off_ll != -1) { 2128 /* 2129 * Load the cookie. 2130 */ 2131 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2132 s1->s.k = 0; 2133 2134 /* 2135 * AND it with 0xFFFFF000. 2136 */ 2137 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2138 s2->s.k = 0xFFFFF000; 2139 sappend(s1, s2); 2140 2141 /* 2142 * Compare with 0x80211000. 2143 */ 2144 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2145 sjeq_avs_cookie->s.k = 0x80211000; 2146 sappend(s1, sjeq_avs_cookie); 2147 2148 /* 2149 * If it's AVS: 2150 * 2151 * The 4 bytes at an offset of 4 from the beginning of 2152 * the AVS header are the length of the AVS header. 2153 * That field is big-endian. 2154 */ 2155 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2156 s2->s.k = 4; 2157 sappend(s1, s2); 2158 sjeq_avs_cookie->s.jt = s2; 2159 2160 /* 2161 * Now jump to the code to allocate a register 2162 * into which to save the header length and 2163 * store the length there. (The "jump always" 2164 * instruction needs to have the k field set; 2165 * it's added to the PC, so, as we're jumping 2166 * over a single instruction, it should be 1.) 2167 */ 2168 sjcommon = new_stmt(JMP(BPF_JA)); 2169 sjcommon->s.k = 1; 2170 sappend(s1, sjcommon); 2171 2172 /* 2173 * Now for the code that handles the Prism header. 2174 * Just load the length of the Prism header (144) 2175 * into the A register. Have the test for an AVS 2176 * header branch here if we don't have an AVS header. 2177 */ 2178 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2179 s2->s.k = 144; 2180 sappend(s1, s2); 2181 sjeq_avs_cookie->s.jf = s2; 2182 2183 /* 2184 * Now allocate a register to hold that value and store 2185 * it. The code for the AVS header will jump here after 2186 * loading the length of the AVS header. 2187 */ 2188 s2 = new_stmt(BPF_ST); 2189 s2->s.k = reg_off_ll; 2190 sappend(s1, s2); 2191 sjcommon->s.jf = s2; 2192 2193 /* 2194 * Now move it into the X register. 2195 */ 2196 s2 = new_stmt(BPF_MISC|BPF_TAX); 2197 sappend(s1, s2); 2198 2199 return (s1); 2200 } else 2201 return (NULL); 2202 } 2203 2204 static struct slist * 2205 gen_load_avs_llprefixlen() 2206 { 2207 struct slist *s1, *s2; 2208 2209 /* 2210 * Generate code to load the length of the AVS header into 2211 * the register assigned to hold that length, if one has been 2212 * assigned. (If one hasn't been assigned, no code we've 2213 * generated uses that prefix, so we don't need to generate any 2214 * code to load it.) 2215 */ 2216 if (reg_off_ll != -1) { 2217 /* 2218 * The 4 bytes at an offset of 4 from the beginning of 2219 * the AVS header are the length of the AVS header. 2220 * That field is big-endian. 2221 */ 2222 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2223 s1->s.k = 4; 2224 2225 /* 2226 * Now allocate a register to hold that value and store 2227 * it. 2228 */ 2229 s2 = new_stmt(BPF_ST); 2230 s2->s.k = reg_off_ll; 2231 sappend(s1, s2); 2232 2233 /* 2234 * Now move it into the X register. 2235 */ 2236 s2 = new_stmt(BPF_MISC|BPF_TAX); 2237 sappend(s1, s2); 2238 2239 return (s1); 2240 } else 2241 return (NULL); 2242 } 2243 2244 static struct slist * 2245 gen_load_radiotap_llprefixlen() 2246 { 2247 struct slist *s1, *s2; 2248 2249 /* 2250 * Generate code to load the length of the radiotap header into 2251 * the register assigned to hold that length, if one has been 2252 * assigned. (If one hasn't been assigned, no code we've 2253 * generated uses that prefix, so we don't need to generate any 2254 * code to load it.) 2255 */ 2256 if (reg_off_ll != -1) { 2257 /* 2258 * The 2 bytes at offsets of 2 and 3 from the beginning 2259 * of the radiotap header are the length of the radiotap 2260 * header; unfortunately, it's little-endian, so we have 2261 * to load it a byte at a time and construct the value. 2262 */ 2263 2264 /* 2265 * Load the high-order byte, at an offset of 3, shift it 2266 * left a byte, and put the result in the X register. 2267 */ 2268 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2269 s1->s.k = 3; 2270 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2271 sappend(s1, s2); 2272 s2->s.k = 8; 2273 s2 = new_stmt(BPF_MISC|BPF_TAX); 2274 sappend(s1, s2); 2275 2276 /* 2277 * Load the next byte, at an offset of 2, and OR the 2278 * value from the X register into it. 2279 */ 2280 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2281 sappend(s1, s2); 2282 s2->s.k = 2; 2283 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2284 sappend(s1, s2); 2285 2286 /* 2287 * Now allocate a register to hold that value and store 2288 * it. 2289 */ 2290 s2 = new_stmt(BPF_ST); 2291 s2->s.k = reg_off_ll; 2292 sappend(s1, s2); 2293 2294 /* 2295 * Now move it into the X register. 2296 */ 2297 s2 = new_stmt(BPF_MISC|BPF_TAX); 2298 sappend(s1, s2); 2299 2300 return (s1); 2301 } else 2302 return (NULL); 2303 } 2304 2305 /* 2306 * At the moment we treat PPI as normal Radiotap encoded 2307 * packets. The difference is in the function that generates 2308 * the code at the beginning to compute the header length. 2309 * Since this code generator of PPI supports bare 802.11 2310 * encapsulation only (i.e. the encapsulated DLT should be 2311 * DLT_IEEE802_11) we generate code to check for this too; 2312 * that's done in finish_parse(). 2313 */ 2314 static struct slist * 2315 gen_load_ppi_llprefixlen() 2316 { 2317 struct slist *s1, *s2; 2318 2319 /* 2320 * Generate code to load the length of the radiotap header 2321 * into the register assigned to hold that length, if one has 2322 * been assigned. 2323 */ 2324 if (reg_off_ll != -1) { 2325 /* 2326 * The 2 bytes at offsets of 2 and 3 from the beginning 2327 * of the radiotap header are the length of the radiotap 2328 * header; unfortunately, it's little-endian, so we have 2329 * to load it a byte at a time and construct the value. 2330 */ 2331 2332 /* 2333 * Load the high-order byte, at an offset of 3, shift it 2334 * left a byte, and put the result in the X register. 2335 */ 2336 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2337 s1->s.k = 3; 2338 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2339 sappend(s1, s2); 2340 s2->s.k = 8; 2341 s2 = new_stmt(BPF_MISC|BPF_TAX); 2342 sappend(s1, s2); 2343 2344 /* 2345 * Load the next byte, at an offset of 2, and OR the 2346 * value from the X register into it. 2347 */ 2348 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2349 sappend(s1, s2); 2350 s2->s.k = 2; 2351 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2352 sappend(s1, s2); 2353 2354 /* 2355 * Now allocate a register to hold that value and store 2356 * it. 2357 */ 2358 s2 = new_stmt(BPF_ST); 2359 s2->s.k = reg_off_ll; 2360 sappend(s1, s2); 2361 2362 /* 2363 * Now move it into the X register. 2364 */ 2365 s2 = new_stmt(BPF_MISC|BPF_TAX); 2366 sappend(s1, s2); 2367 2368 return (s1); 2369 } else 2370 return (NULL); 2371 } 2372 2373 /* 2374 * Load a value relative to the beginning of the link-layer header after the 802.11 2375 * header, i.e. LLC_SNAP. 2376 * The link-layer header doesn't necessarily begin at the beginning 2377 * of the packet data; there might be a variable-length prefix containing 2378 * radio information. 2379 */ 2380 static struct slist * 2381 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2382 { 2383 struct slist *s2; 2384 struct slist *sjset_data_frame_1; 2385 struct slist *sjset_data_frame_2; 2386 struct slist *sjset_qos; 2387 struct slist *sjset_radiotap_flags; 2388 struct slist *sjset_radiotap_tsft; 2389 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2390 struct slist *s_roundup; 2391 2392 if (reg_off_macpl == -1) { 2393 /* 2394 * No register has been assigned to the offset of 2395 * the MAC-layer payload, which means nobody needs 2396 * it; don't bother computing it - just return 2397 * what we already have. 2398 */ 2399 return (s); 2400 } 2401 2402 /* 2403 * This code is not compatible with the optimizer, as 2404 * we are generating jmp instructions within a normal 2405 * slist of instructions 2406 */ 2407 no_optimize = 1; 2408 2409 /* 2410 * If "s" is non-null, it has code to arrange that the X register 2411 * contains the length of the prefix preceding the link-layer 2412 * header. 2413 * 2414 * Otherwise, the length of the prefix preceding the link-layer 2415 * header is "off_ll". 2416 */ 2417 if (s == NULL) { 2418 /* 2419 * There is no variable-length header preceding the 2420 * link-layer header. 2421 * 2422 * Load the length of the fixed-length prefix preceding 2423 * the link-layer header (if any) into the X register, 2424 * and store it in the reg_off_macpl register. 2425 * That length is off_ll. 2426 */ 2427 s = new_stmt(BPF_LDX|BPF_IMM); 2428 s->s.k = off_ll; 2429 } 2430 2431 /* 2432 * The X register contains the offset of the beginning of the 2433 * link-layer header; add 24, which is the minimum length 2434 * of the MAC header for a data frame, to that, and store it 2435 * in reg_off_macpl, and then load the Frame Control field, 2436 * which is at the offset in the X register, with an indexed load. 2437 */ 2438 s2 = new_stmt(BPF_MISC|BPF_TXA); 2439 sappend(s, s2); 2440 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2441 s2->s.k = 24; 2442 sappend(s, s2); 2443 s2 = new_stmt(BPF_ST); 2444 s2->s.k = reg_off_macpl; 2445 sappend(s, s2); 2446 2447 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2448 s2->s.k = 0; 2449 sappend(s, s2); 2450 2451 /* 2452 * Check the Frame Control field to see if this is a data frame; 2453 * a data frame has the 0x08 bit (b3) in that field set and the 2454 * 0x04 bit (b2) clear. 2455 */ 2456 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2457 sjset_data_frame_1->s.k = 0x08; 2458 sappend(s, sjset_data_frame_1); 2459 2460 /* 2461 * If b3 is set, test b2, otherwise go to the first statement of 2462 * the rest of the program. 2463 */ 2464 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2465 sjset_data_frame_2->s.k = 0x04; 2466 sappend(s, sjset_data_frame_2); 2467 sjset_data_frame_1->s.jf = snext; 2468 2469 /* 2470 * If b2 is not set, this is a data frame; test the QoS bit. 2471 * Otherwise, go to the first statement of the rest of the 2472 * program. 2473 */ 2474 sjset_data_frame_2->s.jt = snext; 2475 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2476 sjset_qos->s.k = 0x80; /* QoS bit */ 2477 sappend(s, sjset_qos); 2478 2479 /* 2480 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2481 * field. 2482 * Otherwise, go to the first statement of the rest of the 2483 * program. 2484 */ 2485 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2486 s2->s.k = reg_off_macpl; 2487 sappend(s, s2); 2488 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2489 s2->s.k = 2; 2490 sappend(s, s2); 2491 s2 = new_stmt(BPF_ST); 2492 s2->s.k = reg_off_macpl; 2493 sappend(s, s2); 2494 2495 /* 2496 * If we have a radiotap header, look at it to see whether 2497 * there's Atheros padding between the MAC-layer header 2498 * and the payload. 2499 * 2500 * Note: all of the fields in the radiotap header are 2501 * little-endian, so we byte-swap all of the values 2502 * we test against, as they will be loaded as big-endian 2503 * values. 2504 */ 2505 if (linktype == DLT_IEEE802_11_RADIO) { 2506 /* 2507 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2508 * in the presence flag? 2509 */ 2510 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2511 s2->s.k = 4; 2512 sappend(s, s2); 2513 2514 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2515 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2516 sappend(s, sjset_radiotap_flags); 2517 2518 /* 2519 * If not, skip all of this. 2520 */ 2521 sjset_radiotap_flags->s.jf = snext; 2522 2523 /* 2524 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2525 */ 2526 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2527 new_stmt(JMP(BPF_JSET)); 2528 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2529 sappend(s, sjset_radiotap_tsft); 2530 2531 /* 2532 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2533 * at an offset of 16 from the beginning of the raw packet 2534 * data (8 bytes for the radiotap header and 8 bytes for 2535 * the TSFT field). 2536 * 2537 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2538 * is set. 2539 */ 2540 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2541 s2->s.k = 16; 2542 sappend(s, s2); 2543 2544 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2545 sjset_tsft_datapad->s.k = 0x20; 2546 sappend(s, sjset_tsft_datapad); 2547 2548 /* 2549 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2550 * at an offset of 8 from the beginning of the raw packet 2551 * data (8 bytes for the radiotap header). 2552 * 2553 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2554 * is set. 2555 */ 2556 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2557 s2->s.k = 8; 2558 sappend(s, s2); 2559 2560 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2561 sjset_notsft_datapad->s.k = 0x20; 2562 sappend(s, sjset_notsft_datapad); 2563 2564 /* 2565 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2566 * set, round the length of the 802.11 header to 2567 * a multiple of 4. Do that by adding 3 and then 2568 * dividing by and multiplying by 4, which we do by 2569 * ANDing with ~3. 2570 */ 2571 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2572 s_roundup->s.k = reg_off_macpl; 2573 sappend(s, s_roundup); 2574 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2575 s2->s.k = 3; 2576 sappend(s, s2); 2577 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2578 s2->s.k = ~3; 2579 sappend(s, s2); 2580 s2 = new_stmt(BPF_ST); 2581 s2->s.k = reg_off_macpl; 2582 sappend(s, s2); 2583 2584 sjset_tsft_datapad->s.jt = s_roundup; 2585 sjset_tsft_datapad->s.jf = snext; 2586 sjset_notsft_datapad->s.jt = s_roundup; 2587 sjset_notsft_datapad->s.jf = snext; 2588 } else 2589 sjset_qos->s.jf = snext; 2590 2591 return s; 2592 } 2593 2594 static void 2595 insert_compute_vloffsets(b) 2596 struct block *b; 2597 { 2598 struct slist *s; 2599 2600 /* 2601 * For link-layer types that have a variable-length header 2602 * preceding the link-layer header, generate code to load 2603 * the offset of the link-layer header into the register 2604 * assigned to that offset, if any. 2605 */ 2606 switch (linktype) { 2607 2608 case DLT_PRISM_HEADER: 2609 s = gen_load_prism_llprefixlen(); 2610 break; 2611 2612 case DLT_IEEE802_11_RADIO_AVS: 2613 s = gen_load_avs_llprefixlen(); 2614 break; 2615 2616 case DLT_IEEE802_11_RADIO: 2617 s = gen_load_radiotap_llprefixlen(); 2618 break; 2619 2620 case DLT_PPI: 2621 s = gen_load_ppi_llprefixlen(); 2622 break; 2623 2624 default: 2625 s = NULL; 2626 break; 2627 } 2628 2629 /* 2630 * For link-layer types that have a variable-length link-layer 2631 * header, generate code to load the offset of the MAC-layer 2632 * payload into the register assigned to that offset, if any. 2633 */ 2634 switch (linktype) { 2635 2636 case DLT_IEEE802_11: 2637 case DLT_PRISM_HEADER: 2638 case DLT_IEEE802_11_RADIO_AVS: 2639 case DLT_IEEE802_11_RADIO: 2640 case DLT_PPI: 2641 s = gen_load_802_11_header_len(s, b->stmts); 2642 break; 2643 } 2644 2645 /* 2646 * If we have any offset-loading code, append all the 2647 * existing statements in the block to those statements, 2648 * and make the resulting list the list of statements 2649 * for the block. 2650 */ 2651 if (s != NULL) { 2652 sappend(s, b->stmts); 2653 b->stmts = s; 2654 } 2655 } 2656 2657 static struct block * 2658 gen_ppi_dlt_check(void) 2659 { 2660 struct slist *s_load_dlt; 2661 struct block *b; 2662 2663 if (linktype == DLT_PPI) 2664 { 2665 /* Create the statements that check for the DLT 2666 */ 2667 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2668 s_load_dlt->s.k = 4; 2669 2670 b = new_block(JMP(BPF_JEQ)); 2671 2672 b->stmts = s_load_dlt; 2673 b->s.k = SWAPLONG(DLT_IEEE802_11); 2674 } 2675 else 2676 { 2677 b = NULL; 2678 } 2679 2680 return b; 2681 } 2682 2683 static struct slist * 2684 gen_prism_llprefixlen(void) 2685 { 2686 struct slist *s; 2687 2688 if (reg_off_ll == -1) { 2689 /* 2690 * We haven't yet assigned a register for the length 2691 * of the radio header; allocate one. 2692 */ 2693 reg_off_ll = alloc_reg(); 2694 } 2695 2696 /* 2697 * Load the register containing the radio length 2698 * into the X register. 2699 */ 2700 s = new_stmt(BPF_LDX|BPF_MEM); 2701 s->s.k = reg_off_ll; 2702 return s; 2703 } 2704 2705 static struct slist * 2706 gen_avs_llprefixlen(void) 2707 { 2708 struct slist *s; 2709 2710 if (reg_off_ll == -1) { 2711 /* 2712 * We haven't yet assigned a register for the length 2713 * of the AVS header; allocate one. 2714 */ 2715 reg_off_ll = alloc_reg(); 2716 } 2717 2718 /* 2719 * Load the register containing the AVS length 2720 * into the X register. 2721 */ 2722 s = new_stmt(BPF_LDX|BPF_MEM); 2723 s->s.k = reg_off_ll; 2724 return s; 2725 } 2726 2727 static struct slist * 2728 gen_radiotap_llprefixlen(void) 2729 { 2730 struct slist *s; 2731 2732 if (reg_off_ll == -1) { 2733 /* 2734 * We haven't yet assigned a register for the length 2735 * of the radiotap header; allocate one. 2736 */ 2737 reg_off_ll = alloc_reg(); 2738 } 2739 2740 /* 2741 * Load the register containing the radiotap length 2742 * into the X register. 2743 */ 2744 s = new_stmt(BPF_LDX|BPF_MEM); 2745 s->s.k = reg_off_ll; 2746 return s; 2747 } 2748 2749 /* 2750 * At the moment we treat PPI as normal Radiotap encoded 2751 * packets. The difference is in the function that generates 2752 * the code at the beginning to compute the header length. 2753 * Since this code generator of PPI supports bare 802.11 2754 * encapsulation only (i.e. the encapsulated DLT should be 2755 * DLT_IEEE802_11) we generate code to check for this too. 2756 */ 2757 static struct slist * 2758 gen_ppi_llprefixlen(void) 2759 { 2760 struct slist *s; 2761 2762 if (reg_off_ll == -1) { 2763 /* 2764 * We haven't yet assigned a register for the length 2765 * of the radiotap header; allocate one. 2766 */ 2767 reg_off_ll = alloc_reg(); 2768 } 2769 2770 /* 2771 * Load the register containing the PPI length 2772 * into the X register. 2773 */ 2774 s = new_stmt(BPF_LDX|BPF_MEM); 2775 s->s.k = reg_off_ll; 2776 return s; 2777 } 2778 2779 /* 2780 * Generate code to compute the link-layer header length, if necessary, 2781 * putting it into the X register, and to return either a pointer to a 2782 * "struct slist" for the list of statements in that code, or NULL if 2783 * no code is necessary. 2784 */ 2785 static struct slist * 2786 gen_llprefixlen(void) 2787 { 2788 switch (linktype) { 2789 2790 case DLT_PRISM_HEADER: 2791 return gen_prism_llprefixlen(); 2792 2793 case DLT_IEEE802_11_RADIO_AVS: 2794 return gen_avs_llprefixlen(); 2795 2796 case DLT_IEEE802_11_RADIO: 2797 return gen_radiotap_llprefixlen(); 2798 2799 case DLT_PPI: 2800 return gen_ppi_llprefixlen(); 2801 2802 default: 2803 return NULL; 2804 } 2805 } 2806 2807 /* 2808 * Generate code to load the register containing the offset of the 2809 * MAC-layer payload into the X register; if no register for that offset 2810 * has been allocated, allocate it first. 2811 */ 2812 static struct slist * 2813 gen_off_macpl(void) 2814 { 2815 struct slist *s; 2816 2817 if (off_macpl_is_variable) { 2818 if (reg_off_macpl == -1) { 2819 /* 2820 * We haven't yet assigned a register for the offset 2821 * of the MAC-layer payload; allocate one. 2822 */ 2823 reg_off_macpl = alloc_reg(); 2824 } 2825 2826 /* 2827 * Load the register containing the offset of the MAC-layer 2828 * payload into the X register. 2829 */ 2830 s = new_stmt(BPF_LDX|BPF_MEM); 2831 s->s.k = reg_off_macpl; 2832 return s; 2833 } else { 2834 /* 2835 * That offset isn't variable, so we don't need to 2836 * generate any code. 2837 */ 2838 return NULL; 2839 } 2840 } 2841 2842 /* 2843 * Map an Ethernet type to the equivalent PPP type. 2844 */ 2845 static int 2846 ethertype_to_ppptype(proto) 2847 int proto; 2848 { 2849 switch (proto) { 2850 2851 case ETHERTYPE_IP: 2852 proto = PPP_IP; 2853 break; 2854 2855 case ETHERTYPE_IPV6: 2856 proto = PPP_IPV6; 2857 break; 2858 2859 case ETHERTYPE_DN: 2860 proto = PPP_DECNET; 2861 break; 2862 2863 case ETHERTYPE_ATALK: 2864 proto = PPP_APPLE; 2865 break; 2866 2867 case ETHERTYPE_NS: 2868 proto = PPP_NS; 2869 break; 2870 2871 case LLCSAP_ISONS: 2872 proto = PPP_OSI; 2873 break; 2874 2875 case LLCSAP_8021D: 2876 /* 2877 * I'm assuming the "Bridging PDU"s that go 2878 * over PPP are Spanning Tree Protocol 2879 * Bridging PDUs. 2880 */ 2881 proto = PPP_BRPDU; 2882 break; 2883 2884 case LLCSAP_IPX: 2885 proto = PPP_IPX; 2886 break; 2887 } 2888 return (proto); 2889 } 2890 2891 /* 2892 * Generate code to match a particular packet type by matching the 2893 * link-layer type field or fields in the 802.2 LLC header. 2894 * 2895 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2896 * value, if <= ETHERMTU. 2897 */ 2898 static struct block * 2899 gen_linktype(proto) 2900 register int proto; 2901 { 2902 struct block *b0, *b1, *b2; 2903 2904 /* are we checking MPLS-encapsulated packets? */ 2905 if (label_stack_depth > 0) { 2906 switch (proto) { 2907 case ETHERTYPE_IP: 2908 case PPP_IP: 2909 /* FIXME add other L3 proto IDs */ 2910 return gen_mpls_linktype(Q_IP); 2911 2912 case ETHERTYPE_IPV6: 2913 case PPP_IPV6: 2914 /* FIXME add other L3 proto IDs */ 2915 return gen_mpls_linktype(Q_IPV6); 2916 2917 default: 2918 bpf_error("unsupported protocol over mpls"); 2919 /* NOTREACHED */ 2920 } 2921 } 2922 2923 /* 2924 * Are we testing PPPoE packets? 2925 */ 2926 if (is_pppoes) { 2927 /* 2928 * The PPPoE session header is part of the 2929 * MAC-layer payload, so all references 2930 * should be relative to the beginning of 2931 * that payload. 2932 */ 2933 2934 /* 2935 * We use Ethernet protocol types inside libpcap; 2936 * map them to the corresponding PPP protocol types. 2937 */ 2938 proto = ethertype_to_ppptype(proto); 2939 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2940 } 2941 2942 switch (linktype) { 2943 2944 case DLT_EN10MB: 2945 case DLT_NETANALYZER: 2946 case DLT_NETANALYZER_TRANSPARENT: 2947 return gen_ether_linktype(proto); 2948 /*NOTREACHED*/ 2949 break; 2950 2951 case DLT_C_HDLC: 2952 switch (proto) { 2953 2954 case LLCSAP_ISONS: 2955 proto = (proto << 8 | LLCSAP_ISONS); 2956 /* fall through */ 2957 2958 default: 2959 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2960 (bpf_int32)proto); 2961 /*NOTREACHED*/ 2962 break; 2963 } 2964 break; 2965 2966 case DLT_IEEE802_11: 2967 case DLT_PRISM_HEADER: 2968 case DLT_IEEE802_11_RADIO_AVS: 2969 case DLT_IEEE802_11_RADIO: 2970 case DLT_PPI: 2971 /* 2972 * Check that we have a data frame. 2973 */ 2974 b0 = gen_check_802_11_data_frame(); 2975 2976 /* 2977 * Now check for the specified link-layer type. 2978 */ 2979 b1 = gen_llc_linktype(proto); 2980 gen_and(b0, b1); 2981 return b1; 2982 /*NOTREACHED*/ 2983 break; 2984 2985 case DLT_FDDI: 2986 /* 2987 * XXX - check for asynchronous frames, as per RFC 1103. 2988 */ 2989 return gen_llc_linktype(proto); 2990 /*NOTREACHED*/ 2991 break; 2992 2993 case DLT_IEEE802: 2994 /* 2995 * XXX - check for LLC PDUs, as per IEEE 802.5. 2996 */ 2997 return gen_llc_linktype(proto); 2998 /*NOTREACHED*/ 2999 break; 3000 3001 case DLT_ATM_RFC1483: 3002 case DLT_ATM_CLIP: 3003 case DLT_IP_OVER_FC: 3004 return gen_llc_linktype(proto); 3005 /*NOTREACHED*/ 3006 break; 3007 3008 case DLT_SUNATM: 3009 /* 3010 * If "is_lane" is set, check for a LANE-encapsulated 3011 * version of this protocol, otherwise check for an 3012 * LLC-encapsulated version of this protocol. 3013 * 3014 * We assume LANE means Ethernet, not Token Ring. 3015 */ 3016 if (is_lane) { 3017 /* 3018 * Check that the packet doesn't begin with an 3019 * LE Control marker. (We've already generated 3020 * a test for LANE.) 3021 */ 3022 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3023 0xFF00); 3024 gen_not(b0); 3025 3026 /* 3027 * Now generate an Ethernet test. 3028 */ 3029 b1 = gen_ether_linktype(proto); 3030 gen_and(b0, b1); 3031 return b1; 3032 } else { 3033 /* 3034 * Check for LLC encapsulation and then check the 3035 * protocol. 3036 */ 3037 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3038 b1 = gen_llc_linktype(proto); 3039 gen_and(b0, b1); 3040 return b1; 3041 } 3042 /*NOTREACHED*/ 3043 break; 3044 3045 case DLT_LINUX_SLL: 3046 return gen_linux_sll_linktype(proto); 3047 /*NOTREACHED*/ 3048 break; 3049 3050 case DLT_SLIP: 3051 case DLT_SLIP_BSDOS: 3052 case DLT_RAW: 3053 /* 3054 * These types don't provide any type field; packets 3055 * are always IPv4 or IPv6. 3056 * 3057 * XXX - for IPv4, check for a version number of 4, and, 3058 * for IPv6, check for a version number of 6? 3059 */ 3060 switch (proto) { 3061 3062 case ETHERTYPE_IP: 3063 /* Check for a version number of 4. */ 3064 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3065 3066 case ETHERTYPE_IPV6: 3067 /* Check for a version number of 6. */ 3068 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3069 3070 default: 3071 return gen_false(); /* always false */ 3072 } 3073 /*NOTREACHED*/ 3074 break; 3075 3076 case DLT_IPV4: 3077 /* 3078 * Raw IPv4, so no type field. 3079 */ 3080 if (proto == ETHERTYPE_IP) 3081 return gen_true(); /* always true */ 3082 3083 /* Checking for something other than IPv4; always false */ 3084 return gen_false(); 3085 /*NOTREACHED*/ 3086 break; 3087 3088 case DLT_IPV6: 3089 /* 3090 * Raw IPv6, so no type field. 3091 */ 3092 if (proto == ETHERTYPE_IPV6) 3093 return gen_true(); /* always true */ 3094 3095 /* Checking for something other than IPv6; always false */ 3096 return gen_false(); 3097 /*NOTREACHED*/ 3098 break; 3099 3100 case DLT_PPP: 3101 case DLT_PPP_PPPD: 3102 case DLT_PPP_SERIAL: 3103 case DLT_PPP_ETHER: 3104 /* 3105 * We use Ethernet protocol types inside libpcap; 3106 * map them to the corresponding PPP protocol types. 3107 */ 3108 proto = ethertype_to_ppptype(proto); 3109 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3110 /*NOTREACHED*/ 3111 break; 3112 3113 case DLT_PPP_BSDOS: 3114 /* 3115 * We use Ethernet protocol types inside libpcap; 3116 * map them to the corresponding PPP protocol types. 3117 */ 3118 switch (proto) { 3119 3120 case ETHERTYPE_IP: 3121 /* 3122 * Also check for Van Jacobson-compressed IP. 3123 * XXX - do this for other forms of PPP? 3124 */ 3125 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3126 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3127 gen_or(b0, b1); 3128 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3129 gen_or(b1, b0); 3130 return b0; 3131 3132 default: 3133 proto = ethertype_to_ppptype(proto); 3134 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3135 (bpf_int32)proto); 3136 } 3137 /*NOTREACHED*/ 3138 break; 3139 3140 case DLT_NULL: 3141 case DLT_LOOP: 3142 case DLT_ENC: 3143 /* 3144 * For DLT_NULL, the link-layer header is a 32-bit 3145 * word containing an AF_ value in *host* byte order, 3146 * and for DLT_ENC, the link-layer header begins 3147 * with a 32-bit work containing an AF_ value in 3148 * host byte order. 3149 * 3150 * In addition, if we're reading a saved capture file, 3151 * the host byte order in the capture may not be the 3152 * same as the host byte order on this machine. 3153 * 3154 * For DLT_LOOP, the link-layer header is a 32-bit 3155 * word containing an AF_ value in *network* byte order. 3156 * 3157 * XXX - AF_ values may, unfortunately, be platform- 3158 * dependent; for example, FreeBSD's AF_INET6 is 24 3159 * whilst NetBSD's and OpenBSD's is 26. 3160 * 3161 * This means that, when reading a capture file, just 3162 * checking for our AF_INET6 value won't work if the 3163 * capture file came from another OS. 3164 */ 3165 switch (proto) { 3166 3167 case ETHERTYPE_IP: 3168 proto = AF_INET; 3169 break; 3170 3171 #ifdef INET6 3172 case ETHERTYPE_IPV6: 3173 proto = AF_INET6; 3174 break; 3175 #endif 3176 3177 default: 3178 /* 3179 * Not a type on which we support filtering. 3180 * XXX - support those that have AF_ values 3181 * #defined on this platform, at least? 3182 */ 3183 return gen_false(); 3184 } 3185 3186 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3187 /* 3188 * The AF_ value is in host byte order, but 3189 * the BPF interpreter will convert it to 3190 * network byte order. 3191 * 3192 * If this is a save file, and it's from a 3193 * machine with the opposite byte order to 3194 * ours, we byte-swap the AF_ value. 3195 * 3196 * Then we run it through "htonl()", and 3197 * generate code to compare against the result. 3198 */ 3199 if (bpf_pcap->sf.rfile != NULL && 3200 bpf_pcap->sf.swapped) 3201 proto = SWAPLONG(proto); 3202 proto = htonl(proto); 3203 } 3204 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3205 3206 #ifdef HAVE_NET_PFVAR_H 3207 case DLT_PFLOG: 3208 /* 3209 * af field is host byte order in contrast to the rest of 3210 * the packet. 3211 */ 3212 if (proto == ETHERTYPE_IP) 3213 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3214 BPF_B, (bpf_int32)AF_INET)); 3215 else if (proto == ETHERTYPE_IPV6) 3216 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3217 BPF_B, (bpf_int32)AF_INET6)); 3218 else 3219 return gen_false(); 3220 /*NOTREACHED*/ 3221 break; 3222 #endif /* HAVE_NET_PFVAR_H */ 3223 3224 case DLT_ARCNET: 3225 case DLT_ARCNET_LINUX: 3226 /* 3227 * XXX should we check for first fragment if the protocol 3228 * uses PHDS? 3229 */ 3230 switch (proto) { 3231 3232 default: 3233 return gen_false(); 3234 3235 case ETHERTYPE_IPV6: 3236 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3237 (bpf_int32)ARCTYPE_INET6)); 3238 3239 case ETHERTYPE_IP: 3240 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3241 (bpf_int32)ARCTYPE_IP); 3242 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3243 (bpf_int32)ARCTYPE_IP_OLD); 3244 gen_or(b0, b1); 3245 return (b1); 3246 3247 case ETHERTYPE_ARP: 3248 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3249 (bpf_int32)ARCTYPE_ARP); 3250 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3251 (bpf_int32)ARCTYPE_ARP_OLD); 3252 gen_or(b0, b1); 3253 return (b1); 3254 3255 case ETHERTYPE_REVARP: 3256 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3257 (bpf_int32)ARCTYPE_REVARP)); 3258 3259 case ETHERTYPE_ATALK: 3260 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3261 (bpf_int32)ARCTYPE_ATALK)); 3262 } 3263 /*NOTREACHED*/ 3264 break; 3265 3266 case DLT_LTALK: 3267 switch (proto) { 3268 case ETHERTYPE_ATALK: 3269 return gen_true(); 3270 default: 3271 return gen_false(); 3272 } 3273 /*NOTREACHED*/ 3274 break; 3275 3276 case DLT_FRELAY: 3277 /* 3278 * XXX - assumes a 2-byte Frame Relay header with 3279 * DLCI and flags. What if the address is longer? 3280 */ 3281 switch (proto) { 3282 3283 case ETHERTYPE_IP: 3284 /* 3285 * Check for the special NLPID for IP. 3286 */ 3287 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3288 3289 case ETHERTYPE_IPV6: 3290 /* 3291 * Check for the special NLPID for IPv6. 3292 */ 3293 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3294 3295 case LLCSAP_ISONS: 3296 /* 3297 * Check for several OSI protocols. 3298 * 3299 * Frame Relay packets typically have an OSI 3300 * NLPID at the beginning; we check for each 3301 * of them. 3302 * 3303 * What we check for is the NLPID and a frame 3304 * control field of UI, i.e. 0x03 followed 3305 * by the NLPID. 3306 */ 3307 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3308 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3309 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3310 gen_or(b1, b2); 3311 gen_or(b0, b2); 3312 return b2; 3313 3314 default: 3315 return gen_false(); 3316 } 3317 /*NOTREACHED*/ 3318 break; 3319 3320 case DLT_MFR: 3321 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3322 3323 case DLT_JUNIPER_MFR: 3324 case DLT_JUNIPER_MLFR: 3325 case DLT_JUNIPER_MLPPP: 3326 case DLT_JUNIPER_ATM1: 3327 case DLT_JUNIPER_ATM2: 3328 case DLT_JUNIPER_PPPOE: 3329 case DLT_JUNIPER_PPPOE_ATM: 3330 case DLT_JUNIPER_GGSN: 3331 case DLT_JUNIPER_ES: 3332 case DLT_JUNIPER_MONITOR: 3333 case DLT_JUNIPER_SERVICES: 3334 case DLT_JUNIPER_ETHER: 3335 case DLT_JUNIPER_PPP: 3336 case DLT_JUNIPER_FRELAY: 3337 case DLT_JUNIPER_CHDLC: 3338 case DLT_JUNIPER_VP: 3339 case DLT_JUNIPER_ST: 3340 case DLT_JUNIPER_ISM: 3341 case DLT_JUNIPER_VS: 3342 case DLT_JUNIPER_SRX_E2E: 3343 case DLT_JUNIPER_FIBRECHANNEL: 3344 case DLT_JUNIPER_ATM_CEMIC: 3345 3346 /* just lets verify the magic number for now - 3347 * on ATM we may have up to 6 different encapsulations on the wire 3348 * and need a lot of heuristics to figure out that the payload 3349 * might be; 3350 * 3351 * FIXME encapsulation specific BPF_ filters 3352 */ 3353 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3354 3355 case DLT_IPNET: 3356 return gen_ipnet_linktype(proto); 3357 3358 case DLT_LINUX_IRDA: 3359 bpf_error("IrDA link-layer type filtering not implemented"); 3360 3361 case DLT_DOCSIS: 3362 bpf_error("DOCSIS link-layer type filtering not implemented"); 3363 3364 case DLT_MTP2: 3365 case DLT_MTP2_WITH_PHDR: 3366 bpf_error("MTP2 link-layer type filtering not implemented"); 3367 3368 case DLT_ERF: 3369 bpf_error("ERF link-layer type filtering not implemented"); 3370 3371 case DLT_PFSYNC: 3372 bpf_error("PFSYNC link-layer type filtering not implemented"); 3373 3374 case DLT_LINUX_LAPD: 3375 bpf_error("LAPD link-layer type filtering not implemented"); 3376 3377 case DLT_USB: 3378 case DLT_USB_LINUX: 3379 case DLT_USB_LINUX_MMAPPED: 3380 bpf_error("USB link-layer type filtering not implemented"); 3381 3382 case DLT_BLUETOOTH_HCI_H4: 3383 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3384 bpf_error("Bluetooth link-layer type filtering not implemented"); 3385 3386 case DLT_CAN20B: 3387 case DLT_CAN_SOCKETCAN: 3388 bpf_error("CAN link-layer type filtering not implemented"); 3389 3390 case DLT_IEEE802_15_4: 3391 case DLT_IEEE802_15_4_LINUX: 3392 case DLT_IEEE802_15_4_NONASK_PHY: 3393 case DLT_IEEE802_15_4_NOFCS: 3394 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3395 3396 case DLT_IEEE802_16_MAC_CPS_RADIO: 3397 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3398 3399 case DLT_SITA: 3400 bpf_error("SITA link-layer type filtering not implemented"); 3401 3402 case DLT_RAIF1: 3403 bpf_error("RAIF1 link-layer type filtering not implemented"); 3404 3405 case DLT_IPMB: 3406 bpf_error("IPMB link-layer type filtering not implemented"); 3407 3408 case DLT_AX25_KISS: 3409 bpf_error("AX.25 link-layer type filtering not implemented"); 3410 } 3411 3412 /* 3413 * All the types that have no encapsulation should either be 3414 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3415 * all packets are IP packets, or should be handled in some 3416 * special case, if none of them are (if some are and some 3417 * aren't, the lack of encapsulation is a problem, as we'd 3418 * have to find some other way of determining the packet type). 3419 * 3420 * Therefore, if "off_linktype" is -1, there's an error. 3421 */ 3422 if (off_linktype == (u_int)-1) 3423 abort(); 3424 3425 /* 3426 * Any type not handled above should always have an Ethernet 3427 * type at an offset of "off_linktype". 3428 */ 3429 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3430 } 3431 3432 /* 3433 * Check for an LLC SNAP packet with a given organization code and 3434 * protocol type; we check the entire contents of the 802.2 LLC and 3435 * snap headers, checking for DSAP and SSAP of SNAP and a control 3436 * field of 0x03 in the LLC header, and for the specified organization 3437 * code and protocol type in the SNAP header. 3438 */ 3439 static struct block * 3440 gen_snap(orgcode, ptype) 3441 bpf_u_int32 orgcode; 3442 bpf_u_int32 ptype; 3443 { 3444 u_char snapblock[8]; 3445 3446 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3447 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3448 snapblock[2] = 0x03; /* control = UI */ 3449 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3450 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3451 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3452 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3453 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3454 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3455 } 3456 3457 /* 3458 * Generate code to match a particular packet type, for link-layer types 3459 * using 802.2 LLC headers. 3460 * 3461 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3462 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3463 * 3464 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3465 * value, if <= ETHERMTU. We use that to determine whether to 3466 * match the DSAP or both DSAP and LSAP or to check the OUI and 3467 * protocol ID in a SNAP header. 3468 */ 3469 static struct block * 3470 gen_llc_linktype(proto) 3471 int proto; 3472 { 3473 /* 3474 * XXX - handle token-ring variable-length header. 3475 */ 3476 switch (proto) { 3477 3478 case LLCSAP_IP: 3479 case LLCSAP_ISONS: 3480 case LLCSAP_NETBEUI: 3481 /* 3482 * XXX - should we check both the DSAP and the 3483 * SSAP, like this, or should we check just the 3484 * DSAP, as we do for other types <= ETHERMTU 3485 * (i.e., other SAP values)? 3486 */ 3487 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3488 ((proto << 8) | proto)); 3489 3490 case LLCSAP_IPX: 3491 /* 3492 * XXX - are there ever SNAP frames for IPX on 3493 * non-Ethernet 802.x networks? 3494 */ 3495 return gen_cmp(OR_MACPL, 0, BPF_B, 3496 (bpf_int32)LLCSAP_IPX); 3497 3498 case ETHERTYPE_ATALK: 3499 /* 3500 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3501 * SNAP packets with an organization code of 3502 * 0x080007 (Apple, for Appletalk) and a protocol 3503 * type of ETHERTYPE_ATALK (Appletalk). 3504 * 3505 * XXX - check for an organization code of 3506 * encapsulated Ethernet as well? 3507 */ 3508 return gen_snap(0x080007, ETHERTYPE_ATALK); 3509 3510 default: 3511 /* 3512 * XXX - we don't have to check for IPX 802.3 3513 * here, but should we check for the IPX Ethertype? 3514 */ 3515 if (proto <= ETHERMTU) { 3516 /* 3517 * This is an LLC SAP value, so check 3518 * the DSAP. 3519 */ 3520 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3521 } else { 3522 /* 3523 * This is an Ethernet type; we assume that it's 3524 * unlikely that it'll appear in the right place 3525 * at random, and therefore check only the 3526 * location that would hold the Ethernet type 3527 * in a SNAP frame with an organization code of 3528 * 0x000000 (encapsulated Ethernet). 3529 * 3530 * XXX - if we were to check for the SNAP DSAP and 3531 * LSAP, as per XXX, and were also to check for an 3532 * organization code of 0x000000 (encapsulated 3533 * Ethernet), we'd do 3534 * 3535 * return gen_snap(0x000000, proto); 3536 * 3537 * here; for now, we don't, as per the above. 3538 * I don't know whether it's worth the extra CPU 3539 * time to do the right check or not. 3540 */ 3541 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3542 } 3543 } 3544 } 3545 3546 static struct block * 3547 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3548 bpf_u_int32 addr; 3549 bpf_u_int32 mask; 3550 int dir, proto; 3551 u_int src_off, dst_off; 3552 { 3553 struct block *b0, *b1; 3554 u_int offset; 3555 3556 switch (dir) { 3557 3558 case Q_SRC: 3559 offset = src_off; 3560 break; 3561 3562 case Q_DST: 3563 offset = dst_off; 3564 break; 3565 3566 case Q_AND: 3567 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3568 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3569 gen_and(b0, b1); 3570 return b1; 3571 3572 case Q_OR: 3573 case Q_DEFAULT: 3574 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3575 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3576 gen_or(b0, b1); 3577 return b1; 3578 3579 default: 3580 abort(); 3581 } 3582 b0 = gen_linktype(proto); 3583 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3584 gen_and(b0, b1); 3585 return b1; 3586 } 3587 3588 #ifdef INET6 3589 static struct block * 3590 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3591 struct in6_addr *addr; 3592 struct in6_addr *mask; 3593 int dir, proto; 3594 u_int src_off, dst_off; 3595 { 3596 struct block *b0, *b1; 3597 u_int offset; 3598 u_int32_t *a, *m; 3599 3600 switch (dir) { 3601 3602 case Q_SRC: 3603 offset = src_off; 3604 break; 3605 3606 case Q_DST: 3607 offset = dst_off; 3608 break; 3609 3610 case Q_AND: 3611 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3612 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3613 gen_and(b0, b1); 3614 return b1; 3615 3616 case Q_OR: 3617 case Q_DEFAULT: 3618 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3619 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3620 gen_or(b0, b1); 3621 return b1; 3622 3623 default: 3624 abort(); 3625 } 3626 /* this order is important */ 3627 a = (u_int32_t *)addr; 3628 m = (u_int32_t *)mask; 3629 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3630 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3631 gen_and(b0, b1); 3632 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3633 gen_and(b0, b1); 3634 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3635 gen_and(b0, b1); 3636 b0 = gen_linktype(proto); 3637 gen_and(b0, b1); 3638 return b1; 3639 } 3640 #endif 3641 3642 static struct block * 3643 gen_ehostop(eaddr, dir) 3644 register const u_char *eaddr; 3645 register int dir; 3646 { 3647 register struct block *b0, *b1; 3648 3649 switch (dir) { 3650 case Q_SRC: 3651 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3652 3653 case Q_DST: 3654 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3655 3656 case Q_AND: 3657 b0 = gen_ehostop(eaddr, Q_SRC); 3658 b1 = gen_ehostop(eaddr, Q_DST); 3659 gen_and(b0, b1); 3660 return b1; 3661 3662 case Q_DEFAULT: 3663 case Q_OR: 3664 b0 = gen_ehostop(eaddr, Q_SRC); 3665 b1 = gen_ehostop(eaddr, Q_DST); 3666 gen_or(b0, b1); 3667 return b1; 3668 3669 case Q_ADDR1: 3670 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3671 break; 3672 3673 case Q_ADDR2: 3674 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3675 break; 3676 3677 case Q_ADDR3: 3678 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3679 break; 3680 3681 case Q_ADDR4: 3682 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3683 break; 3684 3685 case Q_RA: 3686 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3687 break; 3688 3689 case Q_TA: 3690 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3691 break; 3692 } 3693 abort(); 3694 /* NOTREACHED */ 3695 } 3696 3697 /* 3698 * Like gen_ehostop, but for DLT_FDDI 3699 */ 3700 static struct block * 3701 gen_fhostop(eaddr, dir) 3702 register const u_char *eaddr; 3703 register int dir; 3704 { 3705 struct block *b0, *b1; 3706 3707 switch (dir) { 3708 case Q_SRC: 3709 #ifdef PCAP_FDDIPAD 3710 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3711 #else 3712 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3713 #endif 3714 3715 case Q_DST: 3716 #ifdef PCAP_FDDIPAD 3717 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3718 #else 3719 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3720 #endif 3721 3722 case Q_AND: 3723 b0 = gen_fhostop(eaddr, Q_SRC); 3724 b1 = gen_fhostop(eaddr, Q_DST); 3725 gen_and(b0, b1); 3726 return b1; 3727 3728 case Q_DEFAULT: 3729 case Q_OR: 3730 b0 = gen_fhostop(eaddr, Q_SRC); 3731 b1 = gen_fhostop(eaddr, Q_DST); 3732 gen_or(b0, b1); 3733 return b1; 3734 3735 case Q_ADDR1: 3736 bpf_error("'addr1' is only supported on 802.11"); 3737 break; 3738 3739 case Q_ADDR2: 3740 bpf_error("'addr2' is only supported on 802.11"); 3741 break; 3742 3743 case Q_ADDR3: 3744 bpf_error("'addr3' is only supported on 802.11"); 3745 break; 3746 3747 case Q_ADDR4: 3748 bpf_error("'addr4' is only supported on 802.11"); 3749 break; 3750 3751 case Q_RA: 3752 bpf_error("'ra' is only supported on 802.11"); 3753 break; 3754 3755 case Q_TA: 3756 bpf_error("'ta' is only supported on 802.11"); 3757 break; 3758 } 3759 abort(); 3760 /* NOTREACHED */ 3761 } 3762 3763 /* 3764 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3765 */ 3766 static struct block * 3767 gen_thostop(eaddr, dir) 3768 register const u_char *eaddr; 3769 register int dir; 3770 { 3771 register struct block *b0, *b1; 3772 3773 switch (dir) { 3774 case Q_SRC: 3775 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3776 3777 case Q_DST: 3778 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3779 3780 case Q_AND: 3781 b0 = gen_thostop(eaddr, Q_SRC); 3782 b1 = gen_thostop(eaddr, Q_DST); 3783 gen_and(b0, b1); 3784 return b1; 3785 3786 case Q_DEFAULT: 3787 case Q_OR: 3788 b0 = gen_thostop(eaddr, Q_SRC); 3789 b1 = gen_thostop(eaddr, Q_DST); 3790 gen_or(b0, b1); 3791 return b1; 3792 3793 case Q_ADDR1: 3794 bpf_error("'addr1' is only supported on 802.11"); 3795 break; 3796 3797 case Q_ADDR2: 3798 bpf_error("'addr2' is only supported on 802.11"); 3799 break; 3800 3801 case Q_ADDR3: 3802 bpf_error("'addr3' is only supported on 802.11"); 3803 break; 3804 3805 case Q_ADDR4: 3806 bpf_error("'addr4' is only supported on 802.11"); 3807 break; 3808 3809 case Q_RA: 3810 bpf_error("'ra' is only supported on 802.11"); 3811 break; 3812 3813 case Q_TA: 3814 bpf_error("'ta' is only supported on 802.11"); 3815 break; 3816 } 3817 abort(); 3818 /* NOTREACHED */ 3819 } 3820 3821 /* 3822 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3823 * various 802.11 + radio headers. 3824 */ 3825 static struct block * 3826 gen_wlanhostop(eaddr, dir) 3827 register const u_char *eaddr; 3828 register int dir; 3829 { 3830 register struct block *b0, *b1, *b2; 3831 register struct slist *s; 3832 3833 #ifdef ENABLE_WLAN_FILTERING_PATCH 3834 /* 3835 * TODO GV 20070613 3836 * We need to disable the optimizer because the optimizer is buggy 3837 * and wipes out some LD instructions generated by the below 3838 * code to validate the Frame Control bits 3839 */ 3840 no_optimize = 1; 3841 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3842 3843 switch (dir) { 3844 case Q_SRC: 3845 /* 3846 * Oh, yuk. 3847 * 3848 * For control frames, there is no SA. 3849 * 3850 * For management frames, SA is at an 3851 * offset of 10 from the beginning of 3852 * the packet. 3853 * 3854 * For data frames, SA is at an offset 3855 * of 10 from the beginning of the packet 3856 * if From DS is clear, at an offset of 3857 * 16 from the beginning of the packet 3858 * if From DS is set and To DS is clear, 3859 * and an offset of 24 from the beginning 3860 * of the packet if From DS is set and To DS 3861 * is set. 3862 */ 3863 3864 /* 3865 * Generate the tests to be done for data frames 3866 * with From DS set. 3867 * 3868 * First, check for To DS set, i.e. check "link[1] & 0x01". 3869 */ 3870 s = gen_load_a(OR_LINK, 1, BPF_B); 3871 b1 = new_block(JMP(BPF_JSET)); 3872 b1->s.k = 0x01; /* To DS */ 3873 b1->stmts = s; 3874 3875 /* 3876 * If To DS is set, the SA is at 24. 3877 */ 3878 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3879 gen_and(b1, b0); 3880 3881 /* 3882 * Now, check for To DS not set, i.e. check 3883 * "!(link[1] & 0x01)". 3884 */ 3885 s = gen_load_a(OR_LINK, 1, BPF_B); 3886 b2 = new_block(JMP(BPF_JSET)); 3887 b2->s.k = 0x01; /* To DS */ 3888 b2->stmts = s; 3889 gen_not(b2); 3890 3891 /* 3892 * If To DS is not set, the SA is at 16. 3893 */ 3894 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3895 gen_and(b2, b1); 3896 3897 /* 3898 * Now OR together the last two checks. That gives 3899 * the complete set of checks for data frames with 3900 * From DS set. 3901 */ 3902 gen_or(b1, b0); 3903 3904 /* 3905 * Now check for From DS being set, and AND that with 3906 * the ORed-together checks. 3907 */ 3908 s = gen_load_a(OR_LINK, 1, BPF_B); 3909 b1 = new_block(JMP(BPF_JSET)); 3910 b1->s.k = 0x02; /* From DS */ 3911 b1->stmts = s; 3912 gen_and(b1, b0); 3913 3914 /* 3915 * Now check for data frames with From DS not set. 3916 */ 3917 s = gen_load_a(OR_LINK, 1, BPF_B); 3918 b2 = new_block(JMP(BPF_JSET)); 3919 b2->s.k = 0x02; /* From DS */ 3920 b2->stmts = s; 3921 gen_not(b2); 3922 3923 /* 3924 * If From DS isn't set, the SA is at 10. 3925 */ 3926 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3927 gen_and(b2, b1); 3928 3929 /* 3930 * Now OR together the checks for data frames with 3931 * From DS not set and for data frames with From DS 3932 * set; that gives the checks done for data frames. 3933 */ 3934 gen_or(b1, b0); 3935 3936 /* 3937 * Now check for a data frame. 3938 * I.e, check "link[0] & 0x08". 3939 */ 3940 s = gen_load_a(OR_LINK, 0, BPF_B); 3941 b1 = new_block(JMP(BPF_JSET)); 3942 b1->s.k = 0x08; 3943 b1->stmts = s; 3944 3945 /* 3946 * AND that with the checks done for data frames. 3947 */ 3948 gen_and(b1, b0); 3949 3950 /* 3951 * If the high-order bit of the type value is 0, this 3952 * is a management frame. 3953 * I.e, check "!(link[0] & 0x08)". 3954 */ 3955 s = gen_load_a(OR_LINK, 0, BPF_B); 3956 b2 = new_block(JMP(BPF_JSET)); 3957 b2->s.k = 0x08; 3958 b2->stmts = s; 3959 gen_not(b2); 3960 3961 /* 3962 * For management frames, the SA is at 10. 3963 */ 3964 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3965 gen_and(b2, b1); 3966 3967 /* 3968 * OR that with the checks done for data frames. 3969 * That gives the checks done for management and 3970 * data frames. 3971 */ 3972 gen_or(b1, b0); 3973 3974 /* 3975 * If the low-order bit of the type value is 1, 3976 * this is either a control frame or a frame 3977 * with a reserved type, and thus not a 3978 * frame with an SA. 3979 * 3980 * I.e., check "!(link[0] & 0x04)". 3981 */ 3982 s = gen_load_a(OR_LINK, 0, BPF_B); 3983 b1 = new_block(JMP(BPF_JSET)); 3984 b1->s.k = 0x04; 3985 b1->stmts = s; 3986 gen_not(b1); 3987 3988 /* 3989 * AND that with the checks for data and management 3990 * frames. 3991 */ 3992 gen_and(b1, b0); 3993 return b0; 3994 3995 case Q_DST: 3996 /* 3997 * Oh, yuk. 3998 * 3999 * For control frames, there is no DA. 4000 * 4001 * For management frames, DA is at an 4002 * offset of 4 from the beginning of 4003 * the packet. 4004 * 4005 * For data frames, DA is at an offset 4006 * of 4 from the beginning of the packet 4007 * if To DS is clear and at an offset of 4008 * 16 from the beginning of the packet 4009 * if To DS is set. 4010 */ 4011 4012 /* 4013 * Generate the tests to be done for data frames. 4014 * 4015 * First, check for To DS set, i.e. "link[1] & 0x01". 4016 */ 4017 s = gen_load_a(OR_LINK, 1, BPF_B); 4018 b1 = new_block(JMP(BPF_JSET)); 4019 b1->s.k = 0x01; /* To DS */ 4020 b1->stmts = s; 4021 4022 /* 4023 * If To DS is set, the DA is at 16. 4024 */ 4025 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4026 gen_and(b1, b0); 4027 4028 /* 4029 * Now, check for To DS not set, i.e. check 4030 * "!(link[1] & 0x01)". 4031 */ 4032 s = gen_load_a(OR_LINK, 1, BPF_B); 4033 b2 = new_block(JMP(BPF_JSET)); 4034 b2->s.k = 0x01; /* To DS */ 4035 b2->stmts = s; 4036 gen_not(b2); 4037 4038 /* 4039 * If To DS is not set, the DA is at 4. 4040 */ 4041 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4042 gen_and(b2, b1); 4043 4044 /* 4045 * Now OR together the last two checks. That gives 4046 * the complete set of checks for data frames. 4047 */ 4048 gen_or(b1, b0); 4049 4050 /* 4051 * Now check for a data frame. 4052 * I.e, check "link[0] & 0x08". 4053 */ 4054 s = gen_load_a(OR_LINK, 0, BPF_B); 4055 b1 = new_block(JMP(BPF_JSET)); 4056 b1->s.k = 0x08; 4057 b1->stmts = s; 4058 4059 /* 4060 * AND that with the checks done for data frames. 4061 */ 4062 gen_and(b1, b0); 4063 4064 /* 4065 * If the high-order bit of the type value is 0, this 4066 * is a management frame. 4067 * I.e, check "!(link[0] & 0x08)". 4068 */ 4069 s = gen_load_a(OR_LINK, 0, BPF_B); 4070 b2 = new_block(JMP(BPF_JSET)); 4071 b2->s.k = 0x08; 4072 b2->stmts = s; 4073 gen_not(b2); 4074 4075 /* 4076 * For management frames, the DA is at 4. 4077 */ 4078 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4079 gen_and(b2, b1); 4080 4081 /* 4082 * OR that with the checks done for data frames. 4083 * That gives the checks done for management and 4084 * data frames. 4085 */ 4086 gen_or(b1, b0); 4087 4088 /* 4089 * If the low-order bit of the type value is 1, 4090 * this is either a control frame or a frame 4091 * with a reserved type, and thus not a 4092 * frame with an SA. 4093 * 4094 * I.e., check "!(link[0] & 0x04)". 4095 */ 4096 s = gen_load_a(OR_LINK, 0, BPF_B); 4097 b1 = new_block(JMP(BPF_JSET)); 4098 b1->s.k = 0x04; 4099 b1->stmts = s; 4100 gen_not(b1); 4101 4102 /* 4103 * AND that with the checks for data and management 4104 * frames. 4105 */ 4106 gen_and(b1, b0); 4107 return b0; 4108 4109 case Q_RA: 4110 /* 4111 * Not present in management frames; addr1 in other 4112 * frames. 4113 */ 4114 4115 /* 4116 * If the high-order bit of the type value is 0, this 4117 * is a management frame. 4118 * I.e, check "(link[0] & 0x08)". 4119 */ 4120 s = gen_load_a(OR_LINK, 0, BPF_B); 4121 b1 = new_block(JMP(BPF_JSET)); 4122 b1->s.k = 0x08; 4123 b1->stmts = s; 4124 4125 /* 4126 * Check addr1. 4127 */ 4128 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4129 4130 /* 4131 * AND that with the check of addr1. 4132 */ 4133 gen_and(b1, b0); 4134 return (b0); 4135 4136 case Q_TA: 4137 /* 4138 * Not present in management frames; addr2, if present, 4139 * in other frames. 4140 */ 4141 4142 /* 4143 * Not present in CTS or ACK control frames. 4144 */ 4145 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4146 IEEE80211_FC0_TYPE_MASK); 4147 gen_not(b0); 4148 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4149 IEEE80211_FC0_SUBTYPE_MASK); 4150 gen_not(b1); 4151 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4152 IEEE80211_FC0_SUBTYPE_MASK); 4153 gen_not(b2); 4154 gen_and(b1, b2); 4155 gen_or(b0, b2); 4156 4157 /* 4158 * If the high-order bit of the type value is 0, this 4159 * is a management frame. 4160 * I.e, check "(link[0] & 0x08)". 4161 */ 4162 s = gen_load_a(OR_LINK, 0, BPF_B); 4163 b1 = new_block(JMP(BPF_JSET)); 4164 b1->s.k = 0x08; 4165 b1->stmts = s; 4166 4167 /* 4168 * AND that with the check for frames other than 4169 * CTS and ACK frames. 4170 */ 4171 gen_and(b1, b2); 4172 4173 /* 4174 * Check addr2. 4175 */ 4176 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4177 gen_and(b2, b1); 4178 return b1; 4179 4180 /* 4181 * XXX - add BSSID keyword? 4182 */ 4183 case Q_ADDR1: 4184 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4185 4186 case Q_ADDR2: 4187 /* 4188 * Not present in CTS or ACK control frames. 4189 */ 4190 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4191 IEEE80211_FC0_TYPE_MASK); 4192 gen_not(b0); 4193 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4194 IEEE80211_FC0_SUBTYPE_MASK); 4195 gen_not(b1); 4196 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4197 IEEE80211_FC0_SUBTYPE_MASK); 4198 gen_not(b2); 4199 gen_and(b1, b2); 4200 gen_or(b0, b2); 4201 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4202 gen_and(b2, b1); 4203 return b1; 4204 4205 case Q_ADDR3: 4206 /* 4207 * Not present in control frames. 4208 */ 4209 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4210 IEEE80211_FC0_TYPE_MASK); 4211 gen_not(b0); 4212 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4213 gen_and(b0, b1); 4214 return b1; 4215 4216 case Q_ADDR4: 4217 /* 4218 * Present only if the direction mask has both "From DS" 4219 * and "To DS" set. Neither control frames nor management 4220 * frames should have both of those set, so we don't 4221 * check the frame type. 4222 */ 4223 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4224 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4225 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4226 gen_and(b0, b1); 4227 return b1; 4228 4229 case Q_AND: 4230 b0 = gen_wlanhostop(eaddr, Q_SRC); 4231 b1 = gen_wlanhostop(eaddr, Q_DST); 4232 gen_and(b0, b1); 4233 return b1; 4234 4235 case Q_DEFAULT: 4236 case Q_OR: 4237 b0 = gen_wlanhostop(eaddr, Q_SRC); 4238 b1 = gen_wlanhostop(eaddr, Q_DST); 4239 gen_or(b0, b1); 4240 return b1; 4241 } 4242 abort(); 4243 /* NOTREACHED */ 4244 } 4245 4246 /* 4247 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4248 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4249 * as the RFC states.) 4250 */ 4251 static struct block * 4252 gen_ipfchostop(eaddr, dir) 4253 register const u_char *eaddr; 4254 register int dir; 4255 { 4256 register struct block *b0, *b1; 4257 4258 switch (dir) { 4259 case Q_SRC: 4260 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4261 4262 case Q_DST: 4263 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4264 4265 case Q_AND: 4266 b0 = gen_ipfchostop(eaddr, Q_SRC); 4267 b1 = gen_ipfchostop(eaddr, Q_DST); 4268 gen_and(b0, b1); 4269 return b1; 4270 4271 case Q_DEFAULT: 4272 case Q_OR: 4273 b0 = gen_ipfchostop(eaddr, Q_SRC); 4274 b1 = gen_ipfchostop(eaddr, Q_DST); 4275 gen_or(b0, b1); 4276 return b1; 4277 4278 case Q_ADDR1: 4279 bpf_error("'addr1' is only supported on 802.11"); 4280 break; 4281 4282 case Q_ADDR2: 4283 bpf_error("'addr2' is only supported on 802.11"); 4284 break; 4285 4286 case Q_ADDR3: 4287 bpf_error("'addr3' is only supported on 802.11"); 4288 break; 4289 4290 case Q_ADDR4: 4291 bpf_error("'addr4' is only supported on 802.11"); 4292 break; 4293 4294 case Q_RA: 4295 bpf_error("'ra' is only supported on 802.11"); 4296 break; 4297 4298 case Q_TA: 4299 bpf_error("'ta' is only supported on 802.11"); 4300 break; 4301 } 4302 abort(); 4303 /* NOTREACHED */ 4304 } 4305 4306 /* 4307 * This is quite tricky because there may be pad bytes in front of the 4308 * DECNET header, and then there are two possible data packet formats that 4309 * carry both src and dst addresses, plus 5 packet types in a format that 4310 * carries only the src node, plus 2 types that use a different format and 4311 * also carry just the src node. 4312 * 4313 * Yuck. 4314 * 4315 * Instead of doing those all right, we just look for data packets with 4316 * 0 or 1 bytes of padding. If you want to look at other packets, that 4317 * will require a lot more hacking. 4318 * 4319 * To add support for filtering on DECNET "areas" (network numbers) 4320 * one would want to add a "mask" argument to this routine. That would 4321 * make the filter even more inefficient, although one could be clever 4322 * and not generate masking instructions if the mask is 0xFFFF. 4323 */ 4324 static struct block * 4325 gen_dnhostop(addr, dir) 4326 bpf_u_int32 addr; 4327 int dir; 4328 { 4329 struct block *b0, *b1, *b2, *tmp; 4330 u_int offset_lh; /* offset if long header is received */ 4331 u_int offset_sh; /* offset if short header is received */ 4332 4333 switch (dir) { 4334 4335 case Q_DST: 4336 offset_sh = 1; /* follows flags */ 4337 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4338 break; 4339 4340 case Q_SRC: 4341 offset_sh = 3; /* follows flags, dstnode */ 4342 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4343 break; 4344 4345 case Q_AND: 4346 /* Inefficient because we do our Calvinball dance twice */ 4347 b0 = gen_dnhostop(addr, Q_SRC); 4348 b1 = gen_dnhostop(addr, Q_DST); 4349 gen_and(b0, b1); 4350 return b1; 4351 4352 case Q_OR: 4353 case Q_DEFAULT: 4354 /* Inefficient because we do our Calvinball dance twice */ 4355 b0 = gen_dnhostop(addr, Q_SRC); 4356 b1 = gen_dnhostop(addr, Q_DST); 4357 gen_or(b0, b1); 4358 return b1; 4359 4360 case Q_ISO: 4361 bpf_error("ISO host filtering not implemented"); 4362 4363 default: 4364 abort(); 4365 } 4366 b0 = gen_linktype(ETHERTYPE_DN); 4367 /* Check for pad = 1, long header case */ 4368 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4369 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4370 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4371 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4372 gen_and(tmp, b1); 4373 /* Check for pad = 0, long header case */ 4374 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4375 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4376 gen_and(tmp, b2); 4377 gen_or(b2, b1); 4378 /* Check for pad = 1, short header case */ 4379 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4380 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4381 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4382 gen_and(tmp, b2); 4383 gen_or(b2, b1); 4384 /* Check for pad = 0, short header case */ 4385 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4386 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4387 gen_and(tmp, b2); 4388 gen_or(b2, b1); 4389 4390 /* Combine with test for linktype */ 4391 gen_and(b0, b1); 4392 return b1; 4393 } 4394 4395 /* 4396 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4397 * test the bottom-of-stack bit, and then check the version number 4398 * field in the IP header. 4399 */ 4400 static struct block * 4401 gen_mpls_linktype(proto) 4402 int proto; 4403 { 4404 struct block *b0, *b1; 4405 4406 switch (proto) { 4407 4408 case Q_IP: 4409 /* match the bottom-of-stack bit */ 4410 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4411 /* match the IPv4 version number */ 4412 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4413 gen_and(b0, b1); 4414 return b1; 4415 4416 case Q_IPV6: 4417 /* match the bottom-of-stack bit */ 4418 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4419 /* match the IPv4 version number */ 4420 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4421 gen_and(b0, b1); 4422 return b1; 4423 4424 default: 4425 abort(); 4426 } 4427 } 4428 4429 static struct block * 4430 gen_host(addr, mask, proto, dir, type) 4431 bpf_u_int32 addr; 4432 bpf_u_int32 mask; 4433 int proto; 4434 int dir; 4435 int type; 4436 { 4437 struct block *b0, *b1; 4438 const char *typestr; 4439 4440 if (type == Q_NET) 4441 typestr = "net"; 4442 else 4443 typestr = "host"; 4444 4445 switch (proto) { 4446 4447 case Q_DEFAULT: 4448 b0 = gen_host(addr, mask, Q_IP, dir, type); 4449 /* 4450 * Only check for non-IPv4 addresses if we're not 4451 * checking MPLS-encapsulated packets. 4452 */ 4453 if (label_stack_depth == 0) { 4454 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4455 gen_or(b0, b1); 4456 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4457 gen_or(b1, b0); 4458 } 4459 return b0; 4460 4461 case Q_IP: 4462 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4463 4464 case Q_RARP: 4465 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4466 4467 case Q_ARP: 4468 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4469 4470 case Q_TCP: 4471 bpf_error("'tcp' modifier applied to %s", typestr); 4472 4473 case Q_SCTP: 4474 bpf_error("'sctp' modifier applied to %s", typestr); 4475 4476 case Q_UDP: 4477 bpf_error("'udp' modifier applied to %s", typestr); 4478 4479 case Q_ICMP: 4480 bpf_error("'icmp' modifier applied to %s", typestr); 4481 4482 case Q_IGMP: 4483 bpf_error("'igmp' modifier applied to %s", typestr); 4484 4485 case Q_IGRP: 4486 bpf_error("'igrp' modifier applied to %s", typestr); 4487 4488 case Q_PIM: 4489 bpf_error("'pim' modifier applied to %s", typestr); 4490 4491 case Q_VRRP: 4492 bpf_error("'vrrp' modifier applied to %s", typestr); 4493 4494 case Q_CARP: 4495 bpf_error("'carp' modifier applied to %s", typestr); 4496 4497 case Q_ATALK: 4498 bpf_error("ATALK host filtering not implemented"); 4499 4500 case Q_AARP: 4501 bpf_error("AARP host filtering not implemented"); 4502 4503 case Q_DECNET: 4504 return gen_dnhostop(addr, dir); 4505 4506 case Q_SCA: 4507 bpf_error("SCA host filtering not implemented"); 4508 4509 case Q_LAT: 4510 bpf_error("LAT host filtering not implemented"); 4511 4512 case Q_MOPDL: 4513 bpf_error("MOPDL host filtering not implemented"); 4514 4515 case Q_MOPRC: 4516 bpf_error("MOPRC host filtering not implemented"); 4517 4518 case Q_IPV6: 4519 bpf_error("'ip6' modifier applied to ip host"); 4520 4521 case Q_ICMPV6: 4522 bpf_error("'icmp6' modifier applied to %s", typestr); 4523 4524 case Q_AH: 4525 bpf_error("'ah' modifier applied to %s", typestr); 4526 4527 case Q_ESP: 4528 bpf_error("'esp' modifier applied to %s", typestr); 4529 4530 case Q_ISO: 4531 bpf_error("ISO host filtering not implemented"); 4532 4533 case Q_ESIS: 4534 bpf_error("'esis' modifier applied to %s", typestr); 4535 4536 case Q_ISIS: 4537 bpf_error("'isis' modifier applied to %s", typestr); 4538 4539 case Q_CLNP: 4540 bpf_error("'clnp' modifier applied to %s", typestr); 4541 4542 case Q_STP: 4543 bpf_error("'stp' modifier applied to %s", typestr); 4544 4545 case Q_IPX: 4546 bpf_error("IPX host filtering not implemented"); 4547 4548 case Q_NETBEUI: 4549 bpf_error("'netbeui' modifier applied to %s", typestr); 4550 4551 case Q_RADIO: 4552 bpf_error("'radio' modifier applied to %s", typestr); 4553 4554 default: 4555 abort(); 4556 } 4557 /* NOTREACHED */ 4558 } 4559 4560 #ifdef INET6 4561 static struct block * 4562 gen_host6(addr, mask, proto, dir, type) 4563 struct in6_addr *addr; 4564 struct in6_addr *mask; 4565 int proto; 4566 int dir; 4567 int type; 4568 { 4569 const char *typestr; 4570 4571 if (type == Q_NET) 4572 typestr = "net"; 4573 else 4574 typestr = "host"; 4575 4576 switch (proto) { 4577 4578 case Q_DEFAULT: 4579 return gen_host6(addr, mask, Q_IPV6, dir, type); 4580 4581 case Q_IP: 4582 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4583 4584 case Q_RARP: 4585 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4586 4587 case Q_ARP: 4588 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4589 4590 case Q_SCTP: 4591 bpf_error("'sctp' modifier applied to %s", typestr); 4592 4593 case Q_TCP: 4594 bpf_error("'tcp' modifier applied to %s", typestr); 4595 4596 case Q_UDP: 4597 bpf_error("'udp' modifier applied to %s", typestr); 4598 4599 case Q_ICMP: 4600 bpf_error("'icmp' modifier applied to %s", typestr); 4601 4602 case Q_IGMP: 4603 bpf_error("'igmp' modifier applied to %s", typestr); 4604 4605 case Q_IGRP: 4606 bpf_error("'igrp' modifier applied to %s", typestr); 4607 4608 case Q_PIM: 4609 bpf_error("'pim' modifier applied to %s", typestr); 4610 4611 case Q_VRRP: 4612 bpf_error("'vrrp' modifier applied to %s", typestr); 4613 4614 case Q_CARP: 4615 bpf_error("'carp' modifier applied to %s", typestr); 4616 4617 case Q_ATALK: 4618 bpf_error("ATALK host filtering not implemented"); 4619 4620 case Q_AARP: 4621 bpf_error("AARP host filtering not implemented"); 4622 4623 case Q_DECNET: 4624 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4625 4626 case Q_SCA: 4627 bpf_error("SCA host filtering not implemented"); 4628 4629 case Q_LAT: 4630 bpf_error("LAT host filtering not implemented"); 4631 4632 case Q_MOPDL: 4633 bpf_error("MOPDL host filtering not implemented"); 4634 4635 case Q_MOPRC: 4636 bpf_error("MOPRC host filtering not implemented"); 4637 4638 case Q_IPV6: 4639 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4640 4641 case Q_ICMPV6: 4642 bpf_error("'icmp6' modifier applied to %s", typestr); 4643 4644 case Q_AH: 4645 bpf_error("'ah' modifier applied to %s", typestr); 4646 4647 case Q_ESP: 4648 bpf_error("'esp' modifier applied to %s", typestr); 4649 4650 case Q_ISO: 4651 bpf_error("ISO host filtering not implemented"); 4652 4653 case Q_ESIS: 4654 bpf_error("'esis' modifier applied to %s", typestr); 4655 4656 case Q_ISIS: 4657 bpf_error("'isis' modifier applied to %s", typestr); 4658 4659 case Q_CLNP: 4660 bpf_error("'clnp' modifier applied to %s", typestr); 4661 4662 case Q_STP: 4663 bpf_error("'stp' modifier applied to %s", typestr); 4664 4665 case Q_IPX: 4666 bpf_error("IPX host filtering not implemented"); 4667 4668 case Q_NETBEUI: 4669 bpf_error("'netbeui' modifier applied to %s", typestr); 4670 4671 case Q_RADIO: 4672 bpf_error("'radio' modifier applied to %s", typestr); 4673 4674 default: 4675 abort(); 4676 } 4677 /* NOTREACHED */ 4678 } 4679 #endif 4680 4681 #ifndef INET6 4682 static struct block * 4683 gen_gateway(eaddr, alist, proto, dir) 4684 const u_char *eaddr; 4685 bpf_u_int32 **alist; 4686 int proto; 4687 int dir; 4688 { 4689 struct block *b0, *b1, *tmp; 4690 4691 if (dir != 0) 4692 bpf_error("direction applied to 'gateway'"); 4693 4694 switch (proto) { 4695 case Q_DEFAULT: 4696 case Q_IP: 4697 case Q_ARP: 4698 case Q_RARP: 4699 switch (linktype) { 4700 case DLT_EN10MB: 4701 case DLT_NETANALYZER: 4702 case DLT_NETANALYZER_TRANSPARENT: 4703 b0 = gen_ehostop(eaddr, Q_OR); 4704 break; 4705 case DLT_FDDI: 4706 b0 = gen_fhostop(eaddr, Q_OR); 4707 break; 4708 case DLT_IEEE802: 4709 b0 = gen_thostop(eaddr, Q_OR); 4710 break; 4711 case DLT_IEEE802_11: 4712 case DLT_PRISM_HEADER: 4713 case DLT_IEEE802_11_RADIO_AVS: 4714 case DLT_IEEE802_11_RADIO: 4715 case DLT_PPI: 4716 b0 = gen_wlanhostop(eaddr, Q_OR); 4717 break; 4718 case DLT_SUNATM: 4719 if (!is_lane) 4720 bpf_error( 4721 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4722 /* 4723 * Check that the packet doesn't begin with an 4724 * LE Control marker. (We've already generated 4725 * a test for LANE.) 4726 */ 4727 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4728 BPF_H, 0xFF00); 4729 gen_not(b1); 4730 4731 /* 4732 * Now check the MAC address. 4733 */ 4734 b0 = gen_ehostop(eaddr, Q_OR); 4735 gen_and(b1, b0); 4736 break; 4737 case DLT_IP_OVER_FC: 4738 b0 = gen_ipfchostop(eaddr, Q_OR); 4739 break; 4740 default: 4741 bpf_error( 4742 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4743 } 4744 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4745 while (*alist) { 4746 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4747 Q_HOST); 4748 gen_or(b1, tmp); 4749 b1 = tmp; 4750 } 4751 gen_not(b1); 4752 gen_and(b0, b1); 4753 return b1; 4754 } 4755 bpf_error("illegal modifier of 'gateway'"); 4756 /* NOTREACHED */ 4757 } 4758 #endif 4759 4760 struct block * 4761 gen_proto_abbrev(proto) 4762 int proto; 4763 { 4764 struct block *b0; 4765 struct block *b1; 4766 4767 switch (proto) { 4768 4769 case Q_SCTP: 4770 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4771 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4772 gen_or(b0, b1); 4773 break; 4774 4775 case Q_TCP: 4776 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4777 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4778 gen_or(b0, b1); 4779 break; 4780 4781 case Q_UDP: 4782 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4783 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4784 gen_or(b0, b1); 4785 break; 4786 4787 case Q_ICMP: 4788 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4789 break; 4790 4791 #ifndef IPPROTO_IGMP 4792 #define IPPROTO_IGMP 2 4793 #endif 4794 4795 case Q_IGMP: 4796 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4797 break; 4798 4799 #ifndef IPPROTO_IGRP 4800 #define IPPROTO_IGRP 9 4801 #endif 4802 case Q_IGRP: 4803 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4804 break; 4805 4806 #ifndef IPPROTO_PIM 4807 #define IPPROTO_PIM 103 4808 #endif 4809 4810 case Q_PIM: 4811 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4812 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4813 gen_or(b0, b1); 4814 break; 4815 4816 #ifndef IPPROTO_VRRP 4817 #define IPPROTO_VRRP 112 4818 #endif 4819 4820 case Q_VRRP: 4821 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4822 break; 4823 4824 #ifndef IPPROTO_CARP 4825 #define IPPROTO_CARP 112 4826 #endif 4827 4828 case Q_CARP: 4829 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4830 break; 4831 4832 case Q_IP: 4833 b1 = gen_linktype(ETHERTYPE_IP); 4834 break; 4835 4836 case Q_ARP: 4837 b1 = gen_linktype(ETHERTYPE_ARP); 4838 break; 4839 4840 case Q_RARP: 4841 b1 = gen_linktype(ETHERTYPE_REVARP); 4842 break; 4843 4844 case Q_LINK: 4845 bpf_error("link layer applied in wrong context"); 4846 4847 case Q_ATALK: 4848 b1 = gen_linktype(ETHERTYPE_ATALK); 4849 break; 4850 4851 case Q_AARP: 4852 b1 = gen_linktype(ETHERTYPE_AARP); 4853 break; 4854 4855 case Q_DECNET: 4856 b1 = gen_linktype(ETHERTYPE_DN); 4857 break; 4858 4859 case Q_SCA: 4860 b1 = gen_linktype(ETHERTYPE_SCA); 4861 break; 4862 4863 case Q_LAT: 4864 b1 = gen_linktype(ETHERTYPE_LAT); 4865 break; 4866 4867 case Q_MOPDL: 4868 b1 = gen_linktype(ETHERTYPE_MOPDL); 4869 break; 4870 4871 case Q_MOPRC: 4872 b1 = gen_linktype(ETHERTYPE_MOPRC); 4873 break; 4874 4875 case Q_IPV6: 4876 b1 = gen_linktype(ETHERTYPE_IPV6); 4877 break; 4878 4879 #ifndef IPPROTO_ICMPV6 4880 #define IPPROTO_ICMPV6 58 4881 #endif 4882 case Q_ICMPV6: 4883 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4884 break; 4885 4886 #ifndef IPPROTO_AH 4887 #define IPPROTO_AH 51 4888 #endif 4889 case Q_AH: 4890 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4891 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4892 gen_or(b0, b1); 4893 break; 4894 4895 #ifndef IPPROTO_ESP 4896 #define IPPROTO_ESP 50 4897 #endif 4898 case Q_ESP: 4899 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4900 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4901 gen_or(b0, b1); 4902 break; 4903 4904 case Q_ISO: 4905 b1 = gen_linktype(LLCSAP_ISONS); 4906 break; 4907 4908 case Q_ESIS: 4909 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4910 break; 4911 4912 case Q_ISIS: 4913 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4914 break; 4915 4916 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4917 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4918 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4919 gen_or(b0, b1); 4920 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4921 gen_or(b0, b1); 4922 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4923 gen_or(b0, b1); 4924 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4925 gen_or(b0, b1); 4926 break; 4927 4928 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4929 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4930 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4931 gen_or(b0, b1); 4932 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4933 gen_or(b0, b1); 4934 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4935 gen_or(b0, b1); 4936 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4937 gen_or(b0, b1); 4938 break; 4939 4940 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4941 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4942 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4943 gen_or(b0, b1); 4944 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4945 gen_or(b0, b1); 4946 break; 4947 4948 case Q_ISIS_LSP: 4949 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4950 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4951 gen_or(b0, b1); 4952 break; 4953 4954 case Q_ISIS_SNP: 4955 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4956 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4957 gen_or(b0, b1); 4958 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4959 gen_or(b0, b1); 4960 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4961 gen_or(b0, b1); 4962 break; 4963 4964 case Q_ISIS_CSNP: 4965 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4966 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4967 gen_or(b0, b1); 4968 break; 4969 4970 case Q_ISIS_PSNP: 4971 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4972 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4973 gen_or(b0, b1); 4974 break; 4975 4976 case Q_CLNP: 4977 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4978 break; 4979 4980 case Q_STP: 4981 b1 = gen_linktype(LLCSAP_8021D); 4982 break; 4983 4984 case Q_IPX: 4985 b1 = gen_linktype(LLCSAP_IPX); 4986 break; 4987 4988 case Q_NETBEUI: 4989 b1 = gen_linktype(LLCSAP_NETBEUI); 4990 break; 4991 4992 case Q_RADIO: 4993 bpf_error("'radio' is not a valid protocol type"); 4994 4995 default: 4996 abort(); 4997 } 4998 return b1; 4999 } 5000 5001 static struct block * 5002 gen_ipfrag() 5003 { 5004 struct slist *s; 5005 struct block *b; 5006 5007 /* not IPv4 frag other than the first frag */ 5008 s = gen_load_a(OR_NET, 6, BPF_H); 5009 b = new_block(JMP(BPF_JSET)); 5010 b->s.k = 0x1fff; 5011 b->stmts = s; 5012 gen_not(b); 5013 5014 return b; 5015 } 5016 5017 /* 5018 * Generate a comparison to a port value in the transport-layer header 5019 * at the specified offset from the beginning of that header. 5020 * 5021 * XXX - this handles a variable-length prefix preceding the link-layer 5022 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5023 * variable-length link-layer headers (such as Token Ring or 802.11 5024 * headers). 5025 */ 5026 static struct block * 5027 gen_portatom(off, v) 5028 int off; 5029 bpf_int32 v; 5030 { 5031 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5032 } 5033 5034 static struct block * 5035 gen_portatom6(off, v) 5036 int off; 5037 bpf_int32 v; 5038 { 5039 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5040 } 5041 5042 struct block * 5043 gen_portop(port, proto, dir) 5044 int port, proto, dir; 5045 { 5046 struct block *b0, *b1, *tmp; 5047 5048 /* ip proto 'proto' and not a fragment other than the first fragment */ 5049 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5050 b0 = gen_ipfrag(); 5051 gen_and(tmp, b0); 5052 5053 switch (dir) { 5054 case Q_SRC: 5055 b1 = gen_portatom(0, (bpf_int32)port); 5056 break; 5057 5058 case Q_DST: 5059 b1 = gen_portatom(2, (bpf_int32)port); 5060 break; 5061 5062 case Q_OR: 5063 case Q_DEFAULT: 5064 tmp = gen_portatom(0, (bpf_int32)port); 5065 b1 = gen_portatom(2, (bpf_int32)port); 5066 gen_or(tmp, b1); 5067 break; 5068 5069 case Q_AND: 5070 tmp = gen_portatom(0, (bpf_int32)port); 5071 b1 = gen_portatom(2, (bpf_int32)port); 5072 gen_and(tmp, b1); 5073 break; 5074 5075 default: 5076 abort(); 5077 } 5078 gen_and(b0, b1); 5079 5080 return b1; 5081 } 5082 5083 static struct block * 5084 gen_port(port, ip_proto, dir) 5085 int port; 5086 int ip_proto; 5087 int dir; 5088 { 5089 struct block *b0, *b1, *tmp; 5090 5091 /* 5092 * ether proto ip 5093 * 5094 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5095 * not LLC encapsulation with LLCSAP_IP. 5096 * 5097 * For IEEE 802 networks - which includes 802.5 token ring 5098 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5099 * says that SNAP encapsulation is used, not LLC encapsulation 5100 * with LLCSAP_IP. 5101 * 5102 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5103 * RFC 2225 say that SNAP encapsulation is used, not LLC 5104 * encapsulation with LLCSAP_IP. 5105 * 5106 * So we always check for ETHERTYPE_IP. 5107 */ 5108 b0 = gen_linktype(ETHERTYPE_IP); 5109 5110 switch (ip_proto) { 5111 case IPPROTO_UDP: 5112 case IPPROTO_TCP: 5113 case IPPROTO_SCTP: 5114 b1 = gen_portop(port, ip_proto, dir); 5115 break; 5116 5117 case PROTO_UNDEF: 5118 tmp = gen_portop(port, IPPROTO_TCP, dir); 5119 b1 = gen_portop(port, IPPROTO_UDP, dir); 5120 gen_or(tmp, b1); 5121 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5122 gen_or(tmp, b1); 5123 break; 5124 5125 default: 5126 abort(); 5127 } 5128 gen_and(b0, b1); 5129 return b1; 5130 } 5131 5132 struct block * 5133 gen_portop6(port, proto, dir) 5134 int port, proto, dir; 5135 { 5136 struct block *b0, *b1, *tmp; 5137 5138 /* ip6 proto 'proto' */ 5139 /* XXX - catch the first fragment of a fragmented packet? */ 5140 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5141 5142 switch (dir) { 5143 case Q_SRC: 5144 b1 = gen_portatom6(0, (bpf_int32)port); 5145 break; 5146 5147 case Q_DST: 5148 b1 = gen_portatom6(2, (bpf_int32)port); 5149 break; 5150 5151 case Q_OR: 5152 case Q_DEFAULT: 5153 tmp = gen_portatom6(0, (bpf_int32)port); 5154 b1 = gen_portatom6(2, (bpf_int32)port); 5155 gen_or(tmp, b1); 5156 break; 5157 5158 case Q_AND: 5159 tmp = gen_portatom6(0, (bpf_int32)port); 5160 b1 = gen_portatom6(2, (bpf_int32)port); 5161 gen_and(tmp, b1); 5162 break; 5163 5164 default: 5165 abort(); 5166 } 5167 gen_and(b0, b1); 5168 5169 return b1; 5170 } 5171 5172 static struct block * 5173 gen_port6(port, ip_proto, dir) 5174 int port; 5175 int ip_proto; 5176 int dir; 5177 { 5178 struct block *b0, *b1, *tmp; 5179 5180 /* link proto ip6 */ 5181 b0 = gen_linktype(ETHERTYPE_IPV6); 5182 5183 switch (ip_proto) { 5184 case IPPROTO_UDP: 5185 case IPPROTO_TCP: 5186 case IPPROTO_SCTP: 5187 b1 = gen_portop6(port, ip_proto, dir); 5188 break; 5189 5190 case PROTO_UNDEF: 5191 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5192 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5193 gen_or(tmp, b1); 5194 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5195 gen_or(tmp, b1); 5196 break; 5197 5198 default: 5199 abort(); 5200 } 5201 gen_and(b0, b1); 5202 return b1; 5203 } 5204 5205 /* gen_portrange code */ 5206 static struct block * 5207 gen_portrangeatom(off, v1, v2) 5208 int off; 5209 bpf_int32 v1, v2; 5210 { 5211 struct block *b1, *b2; 5212 5213 if (v1 > v2) { 5214 /* 5215 * Reverse the order of the ports, so v1 is the lower one. 5216 */ 5217 bpf_int32 vtemp; 5218 5219 vtemp = v1; 5220 v1 = v2; 5221 v2 = vtemp; 5222 } 5223 5224 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5225 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5226 5227 gen_and(b1, b2); 5228 5229 return b2; 5230 } 5231 5232 struct block * 5233 gen_portrangeop(port1, port2, proto, dir) 5234 int port1, port2; 5235 int proto; 5236 int dir; 5237 { 5238 struct block *b0, *b1, *tmp; 5239 5240 /* ip proto 'proto' and not a fragment other than the first fragment */ 5241 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5242 b0 = gen_ipfrag(); 5243 gen_and(tmp, b0); 5244 5245 switch (dir) { 5246 case Q_SRC: 5247 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5248 break; 5249 5250 case Q_DST: 5251 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5252 break; 5253 5254 case Q_OR: 5255 case Q_DEFAULT: 5256 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5257 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5258 gen_or(tmp, b1); 5259 break; 5260 5261 case Q_AND: 5262 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5263 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5264 gen_and(tmp, b1); 5265 break; 5266 5267 default: 5268 abort(); 5269 } 5270 gen_and(b0, b1); 5271 5272 return b1; 5273 } 5274 5275 static struct block * 5276 gen_portrange(port1, port2, ip_proto, dir) 5277 int port1, port2; 5278 int ip_proto; 5279 int dir; 5280 { 5281 struct block *b0, *b1, *tmp; 5282 5283 /* link proto ip */ 5284 b0 = gen_linktype(ETHERTYPE_IP); 5285 5286 switch (ip_proto) { 5287 case IPPROTO_UDP: 5288 case IPPROTO_TCP: 5289 case IPPROTO_SCTP: 5290 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5291 break; 5292 5293 case PROTO_UNDEF: 5294 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5295 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5296 gen_or(tmp, b1); 5297 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5298 gen_or(tmp, b1); 5299 break; 5300 5301 default: 5302 abort(); 5303 } 5304 gen_and(b0, b1); 5305 return b1; 5306 } 5307 5308 static struct block * 5309 gen_portrangeatom6(off, v1, v2) 5310 int off; 5311 bpf_int32 v1, v2; 5312 { 5313 struct block *b1, *b2; 5314 5315 if (v1 > v2) { 5316 /* 5317 * Reverse the order of the ports, so v1 is the lower one. 5318 */ 5319 bpf_int32 vtemp; 5320 5321 vtemp = v1; 5322 v1 = v2; 5323 v2 = vtemp; 5324 } 5325 5326 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5327 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5328 5329 gen_and(b1, b2); 5330 5331 return b2; 5332 } 5333 5334 struct block * 5335 gen_portrangeop6(port1, port2, proto, dir) 5336 int port1, port2; 5337 int proto; 5338 int dir; 5339 { 5340 struct block *b0, *b1, *tmp; 5341 5342 /* ip6 proto 'proto' */ 5343 /* XXX - catch the first fragment of a fragmented packet? */ 5344 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5345 5346 switch (dir) { 5347 case Q_SRC: 5348 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5349 break; 5350 5351 case Q_DST: 5352 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5353 break; 5354 5355 case Q_OR: 5356 case Q_DEFAULT: 5357 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5358 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5359 gen_or(tmp, b1); 5360 break; 5361 5362 case Q_AND: 5363 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5364 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5365 gen_and(tmp, b1); 5366 break; 5367 5368 default: 5369 abort(); 5370 } 5371 gen_and(b0, b1); 5372 5373 return b1; 5374 } 5375 5376 static struct block * 5377 gen_portrange6(port1, port2, ip_proto, dir) 5378 int port1, port2; 5379 int ip_proto; 5380 int dir; 5381 { 5382 struct block *b0, *b1, *tmp; 5383 5384 /* link proto ip6 */ 5385 b0 = gen_linktype(ETHERTYPE_IPV6); 5386 5387 switch (ip_proto) { 5388 case IPPROTO_UDP: 5389 case IPPROTO_TCP: 5390 case IPPROTO_SCTP: 5391 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5392 break; 5393 5394 case PROTO_UNDEF: 5395 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5396 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5397 gen_or(tmp, b1); 5398 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5399 gen_or(tmp, b1); 5400 break; 5401 5402 default: 5403 abort(); 5404 } 5405 gen_and(b0, b1); 5406 return b1; 5407 } 5408 5409 static int 5410 lookup_proto(name, proto) 5411 register const char *name; 5412 register int proto; 5413 { 5414 register int v; 5415 5416 switch (proto) { 5417 5418 case Q_DEFAULT: 5419 case Q_IP: 5420 case Q_IPV6: 5421 v = pcap_nametoproto(name); 5422 if (v == PROTO_UNDEF) 5423 bpf_error("unknown ip proto '%s'", name); 5424 break; 5425 5426 case Q_LINK: 5427 /* XXX should look up h/w protocol type based on linktype */ 5428 v = pcap_nametoeproto(name); 5429 if (v == PROTO_UNDEF) { 5430 v = pcap_nametollc(name); 5431 if (v == PROTO_UNDEF) 5432 bpf_error("unknown ether proto '%s'", name); 5433 } 5434 break; 5435 5436 case Q_ISO: 5437 if (strcmp(name, "esis") == 0) 5438 v = ISO9542_ESIS; 5439 else if (strcmp(name, "isis") == 0) 5440 v = ISO10589_ISIS; 5441 else if (strcmp(name, "clnp") == 0) 5442 v = ISO8473_CLNP; 5443 else 5444 bpf_error("unknown osi proto '%s'", name); 5445 break; 5446 5447 default: 5448 v = PROTO_UNDEF; 5449 break; 5450 } 5451 return v; 5452 } 5453 5454 #if 0 5455 struct stmt * 5456 gen_joinsp(s, n) 5457 struct stmt **s; 5458 int n; 5459 { 5460 return NULL; 5461 } 5462 #endif 5463 5464 static struct block * 5465 gen_protochain(v, proto, dir) 5466 int v; 5467 int proto; 5468 int dir; 5469 { 5470 #ifdef NO_PROTOCHAIN 5471 return gen_proto(v, proto, dir); 5472 #else 5473 struct block *b0, *b; 5474 struct slist *s[100]; 5475 int fix2, fix3, fix4, fix5; 5476 int ahcheck, again, end; 5477 int i, max; 5478 int reg2 = alloc_reg(); 5479 5480 memset(s, 0, sizeof(s)); 5481 fix2 = fix3 = fix4 = fix5 = 0; 5482 5483 switch (proto) { 5484 case Q_IP: 5485 case Q_IPV6: 5486 break; 5487 case Q_DEFAULT: 5488 b0 = gen_protochain(v, Q_IP, dir); 5489 b = gen_protochain(v, Q_IPV6, dir); 5490 gen_or(b0, b); 5491 return b; 5492 default: 5493 bpf_error("bad protocol applied for 'protochain'"); 5494 /*NOTREACHED*/ 5495 } 5496 5497 /* 5498 * We don't handle variable-length prefixes before the link-layer 5499 * header, or variable-length link-layer headers, here yet. 5500 * We might want to add BPF instructions to do the protochain 5501 * work, to simplify that and, on platforms that have a BPF 5502 * interpreter with the new instructions, let the filtering 5503 * be done in the kernel. (We already require a modified BPF 5504 * engine to do the protochain stuff, to support backward 5505 * branches, and backward branch support is unlikely to appear 5506 * in kernel BPF engines.) 5507 */ 5508 switch (linktype) { 5509 5510 case DLT_IEEE802_11: 5511 case DLT_PRISM_HEADER: 5512 case DLT_IEEE802_11_RADIO_AVS: 5513 case DLT_IEEE802_11_RADIO: 5514 case DLT_PPI: 5515 bpf_error("'protochain' not supported with 802.11"); 5516 } 5517 5518 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5519 5520 /* 5521 * s[0] is a dummy entry to protect other BPF insn from damage 5522 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5523 * hard to find interdependency made by jump table fixup. 5524 */ 5525 i = 0; 5526 s[i] = new_stmt(0); /*dummy*/ 5527 i++; 5528 5529 switch (proto) { 5530 case Q_IP: 5531 b0 = gen_linktype(ETHERTYPE_IP); 5532 5533 /* A = ip->ip_p */ 5534 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5535 s[i]->s.k = off_macpl + off_nl + 9; 5536 i++; 5537 /* X = ip->ip_hl << 2 */ 5538 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5539 s[i]->s.k = off_macpl + off_nl; 5540 i++; 5541 break; 5542 5543 case Q_IPV6: 5544 b0 = gen_linktype(ETHERTYPE_IPV6); 5545 5546 /* A = ip6->ip_nxt */ 5547 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5548 s[i]->s.k = off_macpl + off_nl + 6; 5549 i++; 5550 /* X = sizeof(struct ip6_hdr) */ 5551 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5552 s[i]->s.k = 40; 5553 i++; 5554 break; 5555 5556 default: 5557 bpf_error("unsupported proto to gen_protochain"); 5558 /*NOTREACHED*/ 5559 } 5560 5561 /* again: if (A == v) goto end; else fall through; */ 5562 again = i; 5563 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5564 s[i]->s.k = v; 5565 s[i]->s.jt = NULL; /*later*/ 5566 s[i]->s.jf = NULL; /*update in next stmt*/ 5567 fix5 = i; 5568 i++; 5569 5570 #ifndef IPPROTO_NONE 5571 #define IPPROTO_NONE 59 5572 #endif 5573 /* if (A == IPPROTO_NONE) goto end */ 5574 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5575 s[i]->s.jt = NULL; /*later*/ 5576 s[i]->s.jf = NULL; /*update in next stmt*/ 5577 s[i]->s.k = IPPROTO_NONE; 5578 s[fix5]->s.jf = s[i]; 5579 fix2 = i; 5580 i++; 5581 5582 if (proto == Q_IPV6) { 5583 int v6start, v6end, v6advance, j; 5584 5585 v6start = i; 5586 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5587 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5588 s[i]->s.jt = NULL; /*later*/ 5589 s[i]->s.jf = NULL; /*update in next stmt*/ 5590 s[i]->s.k = IPPROTO_HOPOPTS; 5591 s[fix2]->s.jf = s[i]; 5592 i++; 5593 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5594 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5595 s[i]->s.jt = NULL; /*later*/ 5596 s[i]->s.jf = NULL; /*update in next stmt*/ 5597 s[i]->s.k = IPPROTO_DSTOPTS; 5598 i++; 5599 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5600 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5601 s[i]->s.jt = NULL; /*later*/ 5602 s[i]->s.jf = NULL; /*update in next stmt*/ 5603 s[i]->s.k = IPPROTO_ROUTING; 5604 i++; 5605 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5606 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5607 s[i]->s.jt = NULL; /*later*/ 5608 s[i]->s.jf = NULL; /*later*/ 5609 s[i]->s.k = IPPROTO_FRAGMENT; 5610 fix3 = i; 5611 v6end = i; 5612 i++; 5613 5614 /* v6advance: */ 5615 v6advance = i; 5616 5617 /* 5618 * in short, 5619 * A = P[X + packet head]; 5620 * X = X + (P[X + packet head + 1] + 1) * 8; 5621 */ 5622 /* A = P[X + packet head] */ 5623 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5624 s[i]->s.k = off_macpl + off_nl; 5625 i++; 5626 /* MEM[reg2] = A */ 5627 s[i] = new_stmt(BPF_ST); 5628 s[i]->s.k = reg2; 5629 i++; 5630 /* A = P[X + packet head + 1]; */ 5631 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5632 s[i]->s.k = off_macpl + off_nl + 1; 5633 i++; 5634 /* A += 1 */ 5635 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5636 s[i]->s.k = 1; 5637 i++; 5638 /* A *= 8 */ 5639 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5640 s[i]->s.k = 8; 5641 i++; 5642 /* A += X */ 5643 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5644 s[i]->s.k = 0; 5645 i++; 5646 /* X = A; */ 5647 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5648 i++; 5649 /* A = MEM[reg2] */ 5650 s[i] = new_stmt(BPF_LD|BPF_MEM); 5651 s[i]->s.k = reg2; 5652 i++; 5653 5654 /* goto again; (must use BPF_JA for backward jump) */ 5655 s[i] = new_stmt(BPF_JMP|BPF_JA); 5656 s[i]->s.k = again - i - 1; 5657 s[i - 1]->s.jf = s[i]; 5658 i++; 5659 5660 /* fixup */ 5661 for (j = v6start; j <= v6end; j++) 5662 s[j]->s.jt = s[v6advance]; 5663 } else { 5664 /* nop */ 5665 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5666 s[i]->s.k = 0; 5667 s[fix2]->s.jf = s[i]; 5668 i++; 5669 } 5670 5671 /* ahcheck: */ 5672 ahcheck = i; 5673 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5674 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5675 s[i]->s.jt = NULL; /*later*/ 5676 s[i]->s.jf = NULL; /*later*/ 5677 s[i]->s.k = IPPROTO_AH; 5678 if (fix3) 5679 s[fix3]->s.jf = s[ahcheck]; 5680 fix4 = i; 5681 i++; 5682 5683 /* 5684 * in short, 5685 * A = P[X]; 5686 * X = X + (P[X + 1] + 2) * 4; 5687 */ 5688 /* A = X */ 5689 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5690 i++; 5691 /* A = P[X + packet head]; */ 5692 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5693 s[i]->s.k = off_macpl + off_nl; 5694 i++; 5695 /* MEM[reg2] = A */ 5696 s[i] = new_stmt(BPF_ST); 5697 s[i]->s.k = reg2; 5698 i++; 5699 /* A = X */ 5700 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5701 i++; 5702 /* A += 1 */ 5703 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5704 s[i]->s.k = 1; 5705 i++; 5706 /* X = A */ 5707 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5708 i++; 5709 /* A = P[X + packet head] */ 5710 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5711 s[i]->s.k = off_macpl + off_nl; 5712 i++; 5713 /* A += 2 */ 5714 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5715 s[i]->s.k = 2; 5716 i++; 5717 /* A *= 4 */ 5718 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5719 s[i]->s.k = 4; 5720 i++; 5721 /* X = A; */ 5722 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5723 i++; 5724 /* A = MEM[reg2] */ 5725 s[i] = new_stmt(BPF_LD|BPF_MEM); 5726 s[i]->s.k = reg2; 5727 i++; 5728 5729 /* goto again; (must use BPF_JA for backward jump) */ 5730 s[i] = new_stmt(BPF_JMP|BPF_JA); 5731 s[i]->s.k = again - i - 1; 5732 i++; 5733 5734 /* end: nop */ 5735 end = i; 5736 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5737 s[i]->s.k = 0; 5738 s[fix2]->s.jt = s[end]; 5739 s[fix4]->s.jf = s[end]; 5740 s[fix5]->s.jt = s[end]; 5741 i++; 5742 5743 /* 5744 * make slist chain 5745 */ 5746 max = i; 5747 for (i = 0; i < max - 1; i++) 5748 s[i]->next = s[i + 1]; 5749 s[max - 1]->next = NULL; 5750 5751 /* 5752 * emit final check 5753 */ 5754 b = new_block(JMP(BPF_JEQ)); 5755 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5756 b->s.k = v; 5757 5758 free_reg(reg2); 5759 5760 gen_and(b0, b); 5761 return b; 5762 #endif 5763 } 5764 5765 static struct block * 5766 gen_check_802_11_data_frame() 5767 { 5768 struct slist *s; 5769 struct block *b0, *b1; 5770 5771 /* 5772 * A data frame has the 0x08 bit (b3) in the frame control field set 5773 * and the 0x04 bit (b2) clear. 5774 */ 5775 s = gen_load_a(OR_LINK, 0, BPF_B); 5776 b0 = new_block(JMP(BPF_JSET)); 5777 b0->s.k = 0x08; 5778 b0->stmts = s; 5779 5780 s = gen_load_a(OR_LINK, 0, BPF_B); 5781 b1 = new_block(JMP(BPF_JSET)); 5782 b1->s.k = 0x04; 5783 b1->stmts = s; 5784 gen_not(b1); 5785 5786 gen_and(b1, b0); 5787 5788 return b0; 5789 } 5790 5791 /* 5792 * Generate code that checks whether the packet is a packet for protocol 5793 * <proto> and whether the type field in that protocol's header has 5794 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5795 * IP packet and checks the protocol number in the IP header against <v>. 5796 * 5797 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5798 * against Q_IP and Q_IPV6. 5799 */ 5800 static struct block * 5801 gen_proto(v, proto, dir) 5802 int v; 5803 int proto; 5804 int dir; 5805 { 5806 struct block *b0, *b1; 5807 #ifndef CHASE_CHAIN 5808 struct block *b2; 5809 #endif 5810 5811 if (dir != Q_DEFAULT) 5812 bpf_error("direction applied to 'proto'"); 5813 5814 switch (proto) { 5815 case Q_DEFAULT: 5816 b0 = gen_proto(v, Q_IP, dir); 5817 b1 = gen_proto(v, Q_IPV6, dir); 5818 gen_or(b0, b1); 5819 return b1; 5820 5821 case Q_IP: 5822 /* 5823 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5824 * not LLC encapsulation with LLCSAP_IP. 5825 * 5826 * For IEEE 802 networks - which includes 802.5 token ring 5827 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5828 * says that SNAP encapsulation is used, not LLC encapsulation 5829 * with LLCSAP_IP. 5830 * 5831 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5832 * RFC 2225 say that SNAP encapsulation is used, not LLC 5833 * encapsulation with LLCSAP_IP. 5834 * 5835 * So we always check for ETHERTYPE_IP. 5836 */ 5837 b0 = gen_linktype(ETHERTYPE_IP); 5838 #ifndef CHASE_CHAIN 5839 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5840 #else 5841 b1 = gen_protochain(v, Q_IP); 5842 #endif 5843 gen_and(b0, b1); 5844 return b1; 5845 5846 case Q_ISO: 5847 switch (linktype) { 5848 5849 case DLT_FRELAY: 5850 /* 5851 * Frame Relay packets typically have an OSI 5852 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5853 * generates code to check for all the OSI 5854 * NLPIDs, so calling it and then adding a check 5855 * for the particular NLPID for which we're 5856 * looking is bogus, as we can just check for 5857 * the NLPID. 5858 * 5859 * What we check for is the NLPID and a frame 5860 * control field value of UI, i.e. 0x03 followed 5861 * by the NLPID. 5862 * 5863 * XXX - assumes a 2-byte Frame Relay header with 5864 * DLCI and flags. What if the address is longer? 5865 * 5866 * XXX - what about SNAP-encapsulated frames? 5867 */ 5868 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5869 /*NOTREACHED*/ 5870 break; 5871 5872 case DLT_C_HDLC: 5873 /* 5874 * Cisco uses an Ethertype lookalike - for OSI, 5875 * it's 0xfefe. 5876 */ 5877 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5878 /* OSI in C-HDLC is stuffed with a fudge byte */ 5879 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5880 gen_and(b0, b1); 5881 return b1; 5882 5883 default: 5884 b0 = gen_linktype(LLCSAP_ISONS); 5885 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5886 gen_and(b0, b1); 5887 return b1; 5888 } 5889 5890 case Q_ISIS: 5891 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5892 /* 5893 * 4 is the offset of the PDU type relative to the IS-IS 5894 * header. 5895 */ 5896 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5897 gen_and(b0, b1); 5898 return b1; 5899 5900 case Q_ARP: 5901 bpf_error("arp does not encapsulate another protocol"); 5902 /* NOTREACHED */ 5903 5904 case Q_RARP: 5905 bpf_error("rarp does not encapsulate another protocol"); 5906 /* NOTREACHED */ 5907 5908 case Q_ATALK: 5909 bpf_error("atalk encapsulation is not specifiable"); 5910 /* NOTREACHED */ 5911 5912 case Q_DECNET: 5913 bpf_error("decnet encapsulation is not specifiable"); 5914 /* NOTREACHED */ 5915 5916 case Q_SCA: 5917 bpf_error("sca does not encapsulate another protocol"); 5918 /* NOTREACHED */ 5919 5920 case Q_LAT: 5921 bpf_error("lat does not encapsulate another protocol"); 5922 /* NOTREACHED */ 5923 5924 case Q_MOPRC: 5925 bpf_error("moprc does not encapsulate another protocol"); 5926 /* NOTREACHED */ 5927 5928 case Q_MOPDL: 5929 bpf_error("mopdl does not encapsulate another protocol"); 5930 /* NOTREACHED */ 5931 5932 case Q_LINK: 5933 return gen_linktype(v); 5934 5935 case Q_UDP: 5936 bpf_error("'udp proto' is bogus"); 5937 /* NOTREACHED */ 5938 5939 case Q_TCP: 5940 bpf_error("'tcp proto' is bogus"); 5941 /* NOTREACHED */ 5942 5943 case Q_SCTP: 5944 bpf_error("'sctp proto' is bogus"); 5945 /* NOTREACHED */ 5946 5947 case Q_ICMP: 5948 bpf_error("'icmp proto' is bogus"); 5949 /* NOTREACHED */ 5950 5951 case Q_IGMP: 5952 bpf_error("'igmp proto' is bogus"); 5953 /* NOTREACHED */ 5954 5955 case Q_IGRP: 5956 bpf_error("'igrp proto' is bogus"); 5957 /* NOTREACHED */ 5958 5959 case Q_PIM: 5960 bpf_error("'pim proto' is bogus"); 5961 /* NOTREACHED */ 5962 5963 case Q_VRRP: 5964 bpf_error("'vrrp proto' is bogus"); 5965 /* NOTREACHED */ 5966 5967 case Q_CARP: 5968 bpf_error("'carp proto' is bogus"); 5969 /* NOTREACHED */ 5970 5971 case Q_IPV6: 5972 b0 = gen_linktype(ETHERTYPE_IPV6); 5973 #ifndef CHASE_CHAIN 5974 /* 5975 * Also check for a fragment header before the final 5976 * header. 5977 */ 5978 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 5979 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 5980 gen_and(b2, b1); 5981 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5982 gen_or(b2, b1); 5983 #else 5984 b1 = gen_protochain(v, Q_IPV6); 5985 #endif 5986 gen_and(b0, b1); 5987 return b1; 5988 5989 case Q_ICMPV6: 5990 bpf_error("'icmp6 proto' is bogus"); 5991 5992 case Q_AH: 5993 bpf_error("'ah proto' is bogus"); 5994 5995 case Q_ESP: 5996 bpf_error("'ah proto' is bogus"); 5997 5998 case Q_STP: 5999 bpf_error("'stp proto' is bogus"); 6000 6001 case Q_IPX: 6002 bpf_error("'ipx proto' is bogus"); 6003 6004 case Q_NETBEUI: 6005 bpf_error("'netbeui proto' is bogus"); 6006 6007 case Q_RADIO: 6008 bpf_error("'radio proto' is bogus"); 6009 6010 default: 6011 abort(); 6012 /* NOTREACHED */ 6013 } 6014 /* NOTREACHED */ 6015 } 6016 6017 struct block * 6018 gen_scode(name, q) 6019 register const char *name; 6020 struct qual q; 6021 { 6022 int proto = q.proto; 6023 int dir = q.dir; 6024 int tproto; 6025 u_char *eaddr; 6026 bpf_u_int32 mask, addr; 6027 #ifndef INET6 6028 bpf_u_int32 **alist; 6029 #else 6030 int tproto6; 6031 struct sockaddr_in *sin4; 6032 struct sockaddr_in6 *sin6; 6033 struct addrinfo *res, *res0; 6034 struct in6_addr mask128; 6035 #endif /*INET6*/ 6036 struct block *b, *tmp; 6037 int port, real_proto; 6038 int port1, port2; 6039 6040 switch (q.addr) { 6041 6042 case Q_NET: 6043 addr = pcap_nametonetaddr(name); 6044 if (addr == 0) 6045 bpf_error("unknown network '%s'", name); 6046 /* Left justify network addr and calculate its network mask */ 6047 mask = 0xffffffff; 6048 while (addr && (addr & 0xff000000) == 0) { 6049 addr <<= 8; 6050 mask <<= 8; 6051 } 6052 return gen_host(addr, mask, proto, dir, q.addr); 6053 6054 case Q_DEFAULT: 6055 case Q_HOST: 6056 if (proto == Q_LINK) { 6057 switch (linktype) { 6058 6059 case DLT_EN10MB: 6060 case DLT_NETANALYZER: 6061 case DLT_NETANALYZER_TRANSPARENT: 6062 eaddr = pcap_ether_hostton(name); 6063 if (eaddr == NULL) 6064 bpf_error( 6065 "unknown ether host '%s'", name); 6066 b = gen_ehostop(eaddr, dir); 6067 free(eaddr); 6068 return b; 6069 6070 case DLT_FDDI: 6071 eaddr = pcap_ether_hostton(name); 6072 if (eaddr == NULL) 6073 bpf_error( 6074 "unknown FDDI host '%s'", name); 6075 b = gen_fhostop(eaddr, dir); 6076 free(eaddr); 6077 return b; 6078 6079 case DLT_IEEE802: 6080 eaddr = pcap_ether_hostton(name); 6081 if (eaddr == NULL) 6082 bpf_error( 6083 "unknown token ring host '%s'", name); 6084 b = gen_thostop(eaddr, dir); 6085 free(eaddr); 6086 return b; 6087 6088 case DLT_IEEE802_11: 6089 case DLT_PRISM_HEADER: 6090 case DLT_IEEE802_11_RADIO_AVS: 6091 case DLT_IEEE802_11_RADIO: 6092 case DLT_PPI: 6093 eaddr = pcap_ether_hostton(name); 6094 if (eaddr == NULL) 6095 bpf_error( 6096 "unknown 802.11 host '%s'", name); 6097 b = gen_wlanhostop(eaddr, dir); 6098 free(eaddr); 6099 return b; 6100 6101 case DLT_IP_OVER_FC: 6102 eaddr = pcap_ether_hostton(name); 6103 if (eaddr == NULL) 6104 bpf_error( 6105 "unknown Fibre Channel host '%s'", name); 6106 b = gen_ipfchostop(eaddr, dir); 6107 free(eaddr); 6108 return b; 6109 6110 case DLT_SUNATM: 6111 if (!is_lane) 6112 break; 6113 6114 /* 6115 * Check that the packet doesn't begin 6116 * with an LE Control marker. (We've 6117 * already generated a test for LANE.) 6118 */ 6119 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6120 BPF_H, 0xFF00); 6121 gen_not(tmp); 6122 6123 eaddr = pcap_ether_hostton(name); 6124 if (eaddr == NULL) 6125 bpf_error( 6126 "unknown ether host '%s'", name); 6127 b = gen_ehostop(eaddr, dir); 6128 gen_and(tmp, b); 6129 free(eaddr); 6130 return b; 6131 } 6132 6133 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6134 } else if (proto == Q_DECNET) { 6135 unsigned short dn_addr = __pcap_nametodnaddr(name); 6136 /* 6137 * I don't think DECNET hosts can be multihomed, so 6138 * there is no need to build up a list of addresses 6139 */ 6140 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6141 } else { 6142 #ifndef INET6 6143 alist = pcap_nametoaddr(name); 6144 if (alist == NULL || *alist == NULL) 6145 bpf_error("unknown host '%s'", name); 6146 tproto = proto; 6147 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6148 tproto = Q_IP; 6149 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6150 while (*alist) { 6151 tmp = gen_host(**alist++, 0xffffffff, 6152 tproto, dir, q.addr); 6153 gen_or(b, tmp); 6154 b = tmp; 6155 } 6156 return b; 6157 #else 6158 memset(&mask128, 0xff, sizeof(mask128)); 6159 res0 = res = pcap_nametoaddrinfo(name); 6160 if (res == NULL) 6161 bpf_error("unknown host '%s'", name); 6162 ai = res; 6163 b = tmp = NULL; 6164 tproto = tproto6 = proto; 6165 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6166 tproto = Q_IP; 6167 tproto6 = Q_IPV6; 6168 } 6169 for (res = res0; res; res = res->ai_next) { 6170 switch (res->ai_family) { 6171 case AF_INET: 6172 if (tproto == Q_IPV6) 6173 continue; 6174 6175 sin4 = (struct sockaddr_in *) 6176 res->ai_addr; 6177 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6178 0xffffffff, tproto, dir, q.addr); 6179 break; 6180 case AF_INET6: 6181 if (tproto6 == Q_IP) 6182 continue; 6183 6184 sin6 = (struct sockaddr_in6 *) 6185 res->ai_addr; 6186 tmp = gen_host6(&sin6->sin6_addr, 6187 &mask128, tproto6, dir, q.addr); 6188 break; 6189 default: 6190 continue; 6191 } 6192 if (b) 6193 gen_or(b, tmp); 6194 b = tmp; 6195 } 6196 ai = NULL; 6197 freeaddrinfo(res0); 6198 if (b == NULL) { 6199 bpf_error("unknown host '%s'%s", name, 6200 (proto == Q_DEFAULT) 6201 ? "" 6202 : " for specified address family"); 6203 } 6204 return b; 6205 #endif /*INET6*/ 6206 } 6207 6208 case Q_PORT: 6209 if (proto != Q_DEFAULT && 6210 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6211 bpf_error("illegal qualifier of 'port'"); 6212 if (pcap_nametoport(name, &port, &real_proto) == 0) 6213 bpf_error("unknown port '%s'", name); 6214 if (proto == Q_UDP) { 6215 if (real_proto == IPPROTO_TCP) 6216 bpf_error("port '%s' is tcp", name); 6217 else if (real_proto == IPPROTO_SCTP) 6218 bpf_error("port '%s' is sctp", name); 6219 else 6220 /* override PROTO_UNDEF */ 6221 real_proto = IPPROTO_UDP; 6222 } 6223 if (proto == Q_TCP) { 6224 if (real_proto == IPPROTO_UDP) 6225 bpf_error("port '%s' is udp", name); 6226 6227 else if (real_proto == IPPROTO_SCTP) 6228 bpf_error("port '%s' is sctp", name); 6229 else 6230 /* override PROTO_UNDEF */ 6231 real_proto = IPPROTO_TCP; 6232 } 6233 if (proto == Q_SCTP) { 6234 if (real_proto == IPPROTO_UDP) 6235 bpf_error("port '%s' is udp", name); 6236 6237 else if (real_proto == IPPROTO_TCP) 6238 bpf_error("port '%s' is tcp", name); 6239 else 6240 /* override PROTO_UNDEF */ 6241 real_proto = IPPROTO_SCTP; 6242 } 6243 if (port < 0) 6244 bpf_error("illegal port number %d < 0", port); 6245 if (port > 65535) 6246 bpf_error("illegal port number %d > 65535", port); 6247 b = gen_port(port, real_proto, dir); 6248 gen_or(gen_port6(port, real_proto, dir), b); 6249 return b; 6250 6251 case Q_PORTRANGE: 6252 if (proto != Q_DEFAULT && 6253 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6254 bpf_error("illegal qualifier of 'portrange'"); 6255 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6256 bpf_error("unknown port in range '%s'", name); 6257 if (proto == Q_UDP) { 6258 if (real_proto == IPPROTO_TCP) 6259 bpf_error("port in range '%s' is tcp", name); 6260 else if (real_proto == IPPROTO_SCTP) 6261 bpf_error("port in range '%s' is sctp", name); 6262 else 6263 /* override PROTO_UNDEF */ 6264 real_proto = IPPROTO_UDP; 6265 } 6266 if (proto == Q_TCP) { 6267 if (real_proto == IPPROTO_UDP) 6268 bpf_error("port in range '%s' is udp", name); 6269 else if (real_proto == IPPROTO_SCTP) 6270 bpf_error("port in range '%s' is sctp", name); 6271 else 6272 /* override PROTO_UNDEF */ 6273 real_proto = IPPROTO_TCP; 6274 } 6275 if (proto == Q_SCTP) { 6276 if (real_proto == IPPROTO_UDP) 6277 bpf_error("port in range '%s' is udp", name); 6278 else if (real_proto == IPPROTO_TCP) 6279 bpf_error("port in range '%s' is tcp", name); 6280 else 6281 /* override PROTO_UNDEF */ 6282 real_proto = IPPROTO_SCTP; 6283 } 6284 if (port1 < 0) 6285 bpf_error("illegal port number %d < 0", port1); 6286 if (port1 > 65535) 6287 bpf_error("illegal port number %d > 65535", port1); 6288 if (port2 < 0) 6289 bpf_error("illegal port number %d < 0", port2); 6290 if (port2 > 65535) 6291 bpf_error("illegal port number %d > 65535", port2); 6292 6293 b = gen_portrange(port1, port2, real_proto, dir); 6294 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6295 return b; 6296 6297 case Q_GATEWAY: 6298 #ifndef INET6 6299 eaddr = pcap_ether_hostton(name); 6300 if (eaddr == NULL) 6301 bpf_error("unknown ether host: %s", name); 6302 6303 alist = pcap_nametoaddr(name); 6304 if (alist == NULL || *alist == NULL) 6305 bpf_error("unknown host '%s'", name); 6306 b = gen_gateway(eaddr, alist, proto, dir); 6307 free(eaddr); 6308 return b; 6309 #else 6310 bpf_error("'gateway' not supported in this configuration"); 6311 #endif /*INET6*/ 6312 6313 case Q_PROTO: 6314 real_proto = lookup_proto(name, proto); 6315 if (real_proto >= 0) 6316 return gen_proto(real_proto, proto, dir); 6317 else 6318 bpf_error("unknown protocol: %s", name); 6319 6320 case Q_PROTOCHAIN: 6321 real_proto = lookup_proto(name, proto); 6322 if (real_proto >= 0) 6323 return gen_protochain(real_proto, proto, dir); 6324 else 6325 bpf_error("unknown protocol: %s", name); 6326 6327 case Q_UNDEF: 6328 syntax(); 6329 /* NOTREACHED */ 6330 } 6331 abort(); 6332 /* NOTREACHED */ 6333 } 6334 6335 struct block * 6336 gen_mcode(s1, s2, masklen, q) 6337 register const char *s1, *s2; 6338 register int masklen; 6339 struct qual q; 6340 { 6341 register int nlen, mlen; 6342 bpf_u_int32 n, m; 6343 6344 nlen = __pcap_atoin(s1, &n); 6345 /* Promote short ipaddr */ 6346 n <<= 32 - nlen; 6347 6348 if (s2 != NULL) { 6349 mlen = __pcap_atoin(s2, &m); 6350 /* Promote short ipaddr */ 6351 m <<= 32 - mlen; 6352 if ((n & ~m) != 0) 6353 bpf_error("non-network bits set in \"%s mask %s\"", 6354 s1, s2); 6355 } else { 6356 /* Convert mask len to mask */ 6357 if (masklen > 32) 6358 bpf_error("mask length must be <= 32"); 6359 if (masklen == 0) { 6360 /* 6361 * X << 32 is not guaranteed by C to be 0; it's 6362 * undefined. 6363 */ 6364 m = 0; 6365 } else 6366 m = 0xffffffff << (32 - masklen); 6367 if ((n & ~m) != 0) 6368 bpf_error("non-network bits set in \"%s/%d\"", 6369 s1, masklen); 6370 } 6371 6372 switch (q.addr) { 6373 6374 case Q_NET: 6375 return gen_host(n, m, q.proto, q.dir, q.addr); 6376 6377 default: 6378 bpf_error("Mask syntax for networks only"); 6379 /* NOTREACHED */ 6380 } 6381 /* NOTREACHED */ 6382 return NULL; 6383 } 6384 6385 struct block * 6386 gen_ncode(s, v, q) 6387 register const char *s; 6388 bpf_u_int32 v; 6389 struct qual q; 6390 { 6391 bpf_u_int32 mask; 6392 int proto = q.proto; 6393 int dir = q.dir; 6394 register int vlen; 6395 6396 if (s == NULL) 6397 vlen = 32; 6398 else if (q.proto == Q_DECNET) 6399 vlen = __pcap_atodn(s, &v); 6400 else 6401 vlen = __pcap_atoin(s, &v); 6402 6403 switch (q.addr) { 6404 6405 case Q_DEFAULT: 6406 case Q_HOST: 6407 case Q_NET: 6408 if (proto == Q_DECNET) 6409 return gen_host(v, 0, proto, dir, q.addr); 6410 else if (proto == Q_LINK) { 6411 bpf_error("illegal link layer address"); 6412 } else { 6413 mask = 0xffffffff; 6414 if (s == NULL && q.addr == Q_NET) { 6415 /* Promote short net number */ 6416 while (v && (v & 0xff000000) == 0) { 6417 v <<= 8; 6418 mask <<= 8; 6419 } 6420 } else { 6421 /* Promote short ipaddr */ 6422 v <<= 32 - vlen; 6423 mask <<= 32 - vlen; 6424 } 6425 return gen_host(v, mask, proto, dir, q.addr); 6426 } 6427 6428 case Q_PORT: 6429 if (proto == Q_UDP) 6430 proto = IPPROTO_UDP; 6431 else if (proto == Q_TCP) 6432 proto = IPPROTO_TCP; 6433 else if (proto == Q_SCTP) 6434 proto = IPPROTO_SCTP; 6435 else if (proto == Q_DEFAULT) 6436 proto = PROTO_UNDEF; 6437 else 6438 bpf_error("illegal qualifier of 'port'"); 6439 6440 if (v > 65535) 6441 bpf_error("illegal port number %u > 65535", v); 6442 6443 { 6444 struct block *b; 6445 b = gen_port((int)v, proto, dir); 6446 gen_or(gen_port6((int)v, proto, dir), b); 6447 return b; 6448 } 6449 6450 case Q_PORTRANGE: 6451 if (proto == Q_UDP) 6452 proto = IPPROTO_UDP; 6453 else if (proto == Q_TCP) 6454 proto = IPPROTO_TCP; 6455 else if (proto == Q_SCTP) 6456 proto = IPPROTO_SCTP; 6457 else if (proto == Q_DEFAULT) 6458 proto = PROTO_UNDEF; 6459 else 6460 bpf_error("illegal qualifier of 'portrange'"); 6461 6462 if (v > 65535) 6463 bpf_error("illegal port number %u > 65535", v); 6464 6465 { 6466 struct block *b; 6467 b = gen_portrange((int)v, (int)v, proto, dir); 6468 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6469 return b; 6470 } 6471 6472 case Q_GATEWAY: 6473 bpf_error("'gateway' requires a name"); 6474 /* NOTREACHED */ 6475 6476 case Q_PROTO: 6477 return gen_proto((int)v, proto, dir); 6478 6479 case Q_PROTOCHAIN: 6480 return gen_protochain((int)v, proto, dir); 6481 6482 case Q_UNDEF: 6483 syntax(); 6484 /* NOTREACHED */ 6485 6486 default: 6487 abort(); 6488 /* NOTREACHED */ 6489 } 6490 /* NOTREACHED */ 6491 } 6492 6493 #ifdef INET6 6494 struct block * 6495 gen_mcode6(s1, s2, masklen, q) 6496 register const char *s1, *s2; 6497 register int masklen; 6498 struct qual q; 6499 { 6500 struct addrinfo *res; 6501 struct in6_addr *addr; 6502 struct in6_addr mask; 6503 struct block *b; 6504 u_int32_t *a, *m; 6505 6506 if (s2) 6507 bpf_error("no mask %s supported", s2); 6508 6509 res = pcap_nametoaddrinfo(s1); 6510 if (!res) 6511 bpf_error("invalid ip6 address %s", s1); 6512 ai = res; 6513 if (res->ai_next) 6514 bpf_error("%s resolved to multiple address", s1); 6515 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6516 6517 if (sizeof(mask) * 8 < masklen) 6518 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6519 memset(&mask, 0, sizeof(mask)); 6520 memset(&mask, 0xff, masklen / 8); 6521 if (masklen % 8) { 6522 mask.s6_addr[masklen / 8] = 6523 (0xff << (8 - masklen % 8)) & 0xff; 6524 } 6525 6526 a = (u_int32_t *)addr; 6527 m = (u_int32_t *)&mask; 6528 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6529 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6530 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6531 } 6532 6533 switch (q.addr) { 6534 6535 case Q_DEFAULT: 6536 case Q_HOST: 6537 if (masklen != 128) 6538 bpf_error("Mask syntax for networks only"); 6539 /* FALLTHROUGH */ 6540 6541 case Q_NET: 6542 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6543 ai = NULL; 6544 freeaddrinfo(res); 6545 return b; 6546 6547 default: 6548 bpf_error("invalid qualifier against IPv6 address"); 6549 /* NOTREACHED */ 6550 } 6551 return NULL; 6552 } 6553 #endif /*INET6*/ 6554 6555 struct block * 6556 gen_ecode(eaddr, q) 6557 register const u_char *eaddr; 6558 struct qual q; 6559 { 6560 struct block *b, *tmp; 6561 6562 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6563 switch (linktype) { 6564 case DLT_EN10MB: 6565 case DLT_NETANALYZER: 6566 case DLT_NETANALYZER_TRANSPARENT: 6567 return gen_ehostop(eaddr, (int)q.dir); 6568 case DLT_FDDI: 6569 return gen_fhostop(eaddr, (int)q.dir); 6570 case DLT_IEEE802: 6571 return gen_thostop(eaddr, (int)q.dir); 6572 case DLT_IEEE802_11: 6573 case DLT_PRISM_HEADER: 6574 case DLT_IEEE802_11_RADIO_AVS: 6575 case DLT_IEEE802_11_RADIO: 6576 case DLT_PPI: 6577 return gen_wlanhostop(eaddr, (int)q.dir); 6578 case DLT_SUNATM: 6579 if (is_lane) { 6580 /* 6581 * Check that the packet doesn't begin with an 6582 * LE Control marker. (We've already generated 6583 * a test for LANE.) 6584 */ 6585 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6586 0xFF00); 6587 gen_not(tmp); 6588 6589 /* 6590 * Now check the MAC address. 6591 */ 6592 b = gen_ehostop(eaddr, (int)q.dir); 6593 gen_and(tmp, b); 6594 return b; 6595 } 6596 break; 6597 case DLT_IP_OVER_FC: 6598 return gen_ipfchostop(eaddr, (int)q.dir); 6599 default: 6600 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6601 break; 6602 } 6603 } 6604 bpf_error("ethernet address used in non-ether expression"); 6605 /* NOTREACHED */ 6606 return NULL; 6607 } 6608 6609 void 6610 sappend(s0, s1) 6611 struct slist *s0, *s1; 6612 { 6613 /* 6614 * This is definitely not the best way to do this, but the 6615 * lists will rarely get long. 6616 */ 6617 while (s0->next) 6618 s0 = s0->next; 6619 s0->next = s1; 6620 } 6621 6622 static struct slist * 6623 xfer_to_x(a) 6624 struct arth *a; 6625 { 6626 struct slist *s; 6627 6628 s = new_stmt(BPF_LDX|BPF_MEM); 6629 s->s.k = a->regno; 6630 return s; 6631 } 6632 6633 static struct slist * 6634 xfer_to_a(a) 6635 struct arth *a; 6636 { 6637 struct slist *s; 6638 6639 s = new_stmt(BPF_LD|BPF_MEM); 6640 s->s.k = a->regno; 6641 return s; 6642 } 6643 6644 /* 6645 * Modify "index" to use the value stored into its register as an 6646 * offset relative to the beginning of the header for the protocol 6647 * "proto", and allocate a register and put an item "size" bytes long 6648 * (1, 2, or 4) at that offset into that register, making it the register 6649 * for "index". 6650 */ 6651 struct arth * 6652 gen_load(proto, inst, size) 6653 int proto; 6654 struct arth *inst; 6655 int size; 6656 { 6657 struct slist *s, *tmp; 6658 struct block *b; 6659 int regno = alloc_reg(); 6660 6661 free_reg(inst->regno); 6662 switch (size) { 6663 6664 default: 6665 bpf_error("data size must be 1, 2, or 4"); 6666 6667 case 1: 6668 size = BPF_B; 6669 break; 6670 6671 case 2: 6672 size = BPF_H; 6673 break; 6674 6675 case 4: 6676 size = BPF_W; 6677 break; 6678 } 6679 switch (proto) { 6680 default: 6681 bpf_error("unsupported index operation"); 6682 6683 case Q_RADIO: 6684 /* 6685 * The offset is relative to the beginning of the packet 6686 * data, if we have a radio header. (If we don't, this 6687 * is an error.) 6688 */ 6689 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6690 linktype != DLT_IEEE802_11_RADIO && 6691 linktype != DLT_PRISM_HEADER) 6692 bpf_error("radio information not present in capture"); 6693 6694 /* 6695 * Load into the X register the offset computed into the 6696 * register specified by "index". 6697 */ 6698 s = xfer_to_x(inst); 6699 6700 /* 6701 * Load the item at that offset. 6702 */ 6703 tmp = new_stmt(BPF_LD|BPF_IND|size); 6704 sappend(s, tmp); 6705 sappend(inst->s, s); 6706 break; 6707 6708 case Q_LINK: 6709 /* 6710 * The offset is relative to the beginning of 6711 * the link-layer header. 6712 * 6713 * XXX - what about ATM LANE? Should the index be 6714 * relative to the beginning of the AAL5 frame, so 6715 * that 0 refers to the beginning of the LE Control 6716 * field, or relative to the beginning of the LAN 6717 * frame, so that 0 refers, for Ethernet LANE, to 6718 * the beginning of the destination address? 6719 */ 6720 s = gen_llprefixlen(); 6721 6722 /* 6723 * If "s" is non-null, it has code to arrange that the 6724 * X register contains the length of the prefix preceding 6725 * the link-layer header. Add to it the offset computed 6726 * into the register specified by "index", and move that 6727 * into the X register. Otherwise, just load into the X 6728 * register the offset computed into the register specified 6729 * by "index". 6730 */ 6731 if (s != NULL) { 6732 sappend(s, xfer_to_a(inst)); 6733 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6734 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6735 } else 6736 s = xfer_to_x(inst); 6737 6738 /* 6739 * Load the item at the sum of the offset we've put in the 6740 * X register and the offset of the start of the link 6741 * layer header (which is 0 if the radio header is 6742 * variable-length; that header length is what we put 6743 * into the X register and then added to the index). 6744 */ 6745 tmp = new_stmt(BPF_LD|BPF_IND|size); 6746 tmp->s.k = off_ll; 6747 sappend(s, tmp); 6748 sappend(inst->s, s); 6749 break; 6750 6751 case Q_IP: 6752 case Q_ARP: 6753 case Q_RARP: 6754 case Q_ATALK: 6755 case Q_DECNET: 6756 case Q_SCA: 6757 case Q_LAT: 6758 case Q_MOPRC: 6759 case Q_MOPDL: 6760 case Q_IPV6: 6761 /* 6762 * The offset is relative to the beginning of 6763 * the network-layer header. 6764 * XXX - are there any cases where we want 6765 * off_nl_nosnap? 6766 */ 6767 s = gen_off_macpl(); 6768 6769 /* 6770 * If "s" is non-null, it has code to arrange that the 6771 * X register contains the offset of the MAC-layer 6772 * payload. Add to it the offset computed into the 6773 * register specified by "index", and move that into 6774 * the X register. Otherwise, just load into the X 6775 * register the offset computed into the register specified 6776 * by "index". 6777 */ 6778 if (s != NULL) { 6779 sappend(s, xfer_to_a(inst)); 6780 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6781 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6782 } else 6783 s = xfer_to_x(inst); 6784 6785 /* 6786 * Load the item at the sum of the offset we've put in the 6787 * X register, the offset of the start of the network 6788 * layer header from the beginning of the MAC-layer 6789 * payload, and the purported offset of the start of the 6790 * MAC-layer payload (which might be 0 if there's a 6791 * variable-length prefix before the link-layer header 6792 * or the link-layer header itself is variable-length; 6793 * the variable-length offset of the start of the 6794 * MAC-layer payload is what we put into the X register 6795 * and then added to the index). 6796 */ 6797 tmp = new_stmt(BPF_LD|BPF_IND|size); 6798 tmp->s.k = off_macpl + off_nl; 6799 sappend(s, tmp); 6800 sappend(inst->s, s); 6801 6802 /* 6803 * Do the computation only if the packet contains 6804 * the protocol in question. 6805 */ 6806 b = gen_proto_abbrev(proto); 6807 if (inst->b) 6808 gen_and(inst->b, b); 6809 inst->b = b; 6810 break; 6811 6812 case Q_SCTP: 6813 case Q_TCP: 6814 case Q_UDP: 6815 case Q_ICMP: 6816 case Q_IGMP: 6817 case Q_IGRP: 6818 case Q_PIM: 6819 case Q_VRRP: 6820 case Q_CARP: 6821 /* 6822 * The offset is relative to the beginning of 6823 * the transport-layer header. 6824 * 6825 * Load the X register with the length of the IPv4 header 6826 * (plus the offset of the link-layer header, if it's 6827 * a variable-length header), in bytes. 6828 * 6829 * XXX - are there any cases where we want 6830 * off_nl_nosnap? 6831 * XXX - we should, if we're built with 6832 * IPv6 support, generate code to load either 6833 * IPv4, IPv6, or both, as appropriate. 6834 */ 6835 s = gen_loadx_iphdrlen(); 6836 6837 /* 6838 * The X register now contains the sum of the length 6839 * of any variable-length header preceding the link-layer 6840 * header, any variable-length link-layer header, and the 6841 * length of the network-layer header. 6842 * 6843 * Load into the A register the offset relative to 6844 * the beginning of the transport layer header, 6845 * add the X register to that, move that to the 6846 * X register, and load with an offset from the 6847 * X register equal to the offset of the network 6848 * layer header relative to the beginning of 6849 * the MAC-layer payload plus the fixed-length 6850 * portion of the offset of the MAC-layer payload 6851 * from the beginning of the raw packet data. 6852 */ 6853 sappend(s, xfer_to_a(inst)); 6854 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6855 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6856 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6857 tmp->s.k = off_macpl + off_nl; 6858 sappend(inst->s, s); 6859 6860 /* 6861 * Do the computation only if the packet contains 6862 * the protocol in question - which is true only 6863 * if this is an IP datagram and is the first or 6864 * only fragment of that datagram. 6865 */ 6866 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6867 if (inst->b) 6868 gen_and(inst->b, b); 6869 gen_and(gen_proto_abbrev(Q_IP), b); 6870 inst->b = b; 6871 break; 6872 case Q_ICMPV6: 6873 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6874 /*NOTREACHED*/ 6875 } 6876 inst->regno = regno; 6877 s = new_stmt(BPF_ST); 6878 s->s.k = regno; 6879 sappend(inst->s, s); 6880 6881 return inst; 6882 } 6883 6884 struct block * 6885 gen_relation(code, a0, a1, reversed) 6886 int code; 6887 struct arth *a0, *a1; 6888 int reversed; 6889 { 6890 struct slist *s0, *s1, *s2; 6891 struct block *b, *tmp; 6892 6893 s0 = xfer_to_x(a1); 6894 s1 = xfer_to_a(a0); 6895 if (code == BPF_JEQ) { 6896 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6897 b = new_block(JMP(code)); 6898 sappend(s1, s2); 6899 } 6900 else 6901 b = new_block(BPF_JMP|code|BPF_X); 6902 if (reversed) 6903 gen_not(b); 6904 6905 sappend(s0, s1); 6906 sappend(a1->s, s0); 6907 sappend(a0->s, a1->s); 6908 6909 b->stmts = a0->s; 6910 6911 free_reg(a0->regno); 6912 free_reg(a1->regno); 6913 6914 /* 'and' together protocol checks */ 6915 if (a0->b) { 6916 if (a1->b) { 6917 gen_and(a0->b, tmp = a1->b); 6918 } 6919 else 6920 tmp = a0->b; 6921 } else 6922 tmp = a1->b; 6923 6924 if (tmp) 6925 gen_and(tmp, b); 6926 6927 return b; 6928 } 6929 6930 struct arth * 6931 gen_loadlen() 6932 { 6933 int regno = alloc_reg(); 6934 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6935 struct slist *s; 6936 6937 s = new_stmt(BPF_LD|BPF_LEN); 6938 s->next = new_stmt(BPF_ST); 6939 s->next->s.k = regno; 6940 a->s = s; 6941 a->regno = regno; 6942 6943 return a; 6944 } 6945 6946 struct arth * 6947 gen_loadi(val) 6948 int val; 6949 { 6950 struct arth *a; 6951 struct slist *s; 6952 int reg; 6953 6954 a = (struct arth *)newchunk(sizeof(*a)); 6955 6956 reg = alloc_reg(); 6957 6958 s = new_stmt(BPF_LD|BPF_IMM); 6959 s->s.k = val; 6960 s->next = new_stmt(BPF_ST); 6961 s->next->s.k = reg; 6962 a->s = s; 6963 a->regno = reg; 6964 6965 return a; 6966 } 6967 6968 struct arth * 6969 gen_neg(a) 6970 struct arth *a; 6971 { 6972 struct slist *s; 6973 6974 s = xfer_to_a(a); 6975 sappend(a->s, s); 6976 s = new_stmt(BPF_ALU|BPF_NEG); 6977 s->s.k = 0; 6978 sappend(a->s, s); 6979 s = new_stmt(BPF_ST); 6980 s->s.k = a->regno; 6981 sappend(a->s, s); 6982 6983 return a; 6984 } 6985 6986 struct arth * 6987 gen_arth(code, a0, a1) 6988 int code; 6989 struct arth *a0, *a1; 6990 { 6991 struct slist *s0, *s1, *s2; 6992 6993 s0 = xfer_to_x(a1); 6994 s1 = xfer_to_a(a0); 6995 s2 = new_stmt(BPF_ALU|BPF_X|code); 6996 6997 sappend(s1, s2); 6998 sappend(s0, s1); 6999 sappend(a1->s, s0); 7000 sappend(a0->s, a1->s); 7001 7002 free_reg(a0->regno); 7003 free_reg(a1->regno); 7004 7005 s0 = new_stmt(BPF_ST); 7006 a0->regno = s0->s.k = alloc_reg(); 7007 sappend(a0->s, s0); 7008 7009 return a0; 7010 } 7011 7012 /* 7013 * Here we handle simple allocation of the scratch registers. 7014 * If too many registers are alloc'd, the allocator punts. 7015 */ 7016 static int regused[BPF_MEMWORDS]; 7017 static int curreg; 7018 7019 /* 7020 * Initialize the table of used registers and the current register. 7021 */ 7022 static void 7023 init_regs() 7024 { 7025 curreg = 0; 7026 memset(regused, 0, sizeof regused); 7027 } 7028 7029 /* 7030 * Return the next free register. 7031 */ 7032 static int 7033 alloc_reg() 7034 { 7035 int n = BPF_MEMWORDS; 7036 7037 while (--n >= 0) { 7038 if (regused[curreg]) 7039 curreg = (curreg + 1) % BPF_MEMWORDS; 7040 else { 7041 regused[curreg] = 1; 7042 return curreg; 7043 } 7044 } 7045 bpf_error("too many registers needed to evaluate expression"); 7046 /* NOTREACHED */ 7047 return 0; 7048 } 7049 7050 /* 7051 * Return a register to the table so it can 7052 * be used later. 7053 */ 7054 static void 7055 free_reg(n) 7056 int n; 7057 { 7058 regused[n] = 0; 7059 } 7060 7061 static struct block * 7062 gen_len(jmp, n) 7063 int jmp, n; 7064 { 7065 struct slist *s; 7066 struct block *b; 7067 7068 s = new_stmt(BPF_LD|BPF_LEN); 7069 b = new_block(JMP(jmp)); 7070 b->stmts = s; 7071 b->s.k = n; 7072 7073 return b; 7074 } 7075 7076 struct block * 7077 gen_greater(n) 7078 int n; 7079 { 7080 return gen_len(BPF_JGE, n); 7081 } 7082 7083 /* 7084 * Actually, this is less than or equal. 7085 */ 7086 struct block * 7087 gen_less(n) 7088 int n; 7089 { 7090 struct block *b; 7091 7092 b = gen_len(BPF_JGT, n); 7093 gen_not(b); 7094 7095 return b; 7096 } 7097 7098 /* 7099 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7100 * the beginning of the link-layer header. 7101 * XXX - that means you can't test values in the radiotap header, but 7102 * as that header is difficult if not impossible to parse generally 7103 * without a loop, that might not be a severe problem. A new keyword 7104 * "radio" could be added for that, although what you'd really want 7105 * would be a way of testing particular radio header values, which 7106 * would generate code appropriate to the radio header in question. 7107 */ 7108 struct block * 7109 gen_byteop(op, idx, val) 7110 int op, idx, val; 7111 { 7112 struct block *b; 7113 struct slist *s; 7114 7115 switch (op) { 7116 default: 7117 abort(); 7118 7119 case '=': 7120 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7121 7122 case '<': 7123 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7124 return b; 7125 7126 case '>': 7127 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7128 return b; 7129 7130 case '|': 7131 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7132 break; 7133 7134 case '&': 7135 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7136 break; 7137 } 7138 s->s.k = val; 7139 b = new_block(JMP(BPF_JEQ)); 7140 b->stmts = s; 7141 gen_not(b); 7142 7143 return b; 7144 } 7145 7146 static u_char abroadcast[] = { 0x0 }; 7147 7148 struct block * 7149 gen_broadcast(proto) 7150 int proto; 7151 { 7152 bpf_u_int32 hostmask; 7153 struct block *b0, *b1, *b2; 7154 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7155 7156 switch (proto) { 7157 7158 case Q_DEFAULT: 7159 case Q_LINK: 7160 switch (linktype) { 7161 case DLT_ARCNET: 7162 case DLT_ARCNET_LINUX: 7163 return gen_ahostop(abroadcast, Q_DST); 7164 case DLT_EN10MB: 7165 case DLT_NETANALYZER: 7166 case DLT_NETANALYZER_TRANSPARENT: 7167 return gen_ehostop(ebroadcast, Q_DST); 7168 case DLT_FDDI: 7169 return gen_fhostop(ebroadcast, Q_DST); 7170 case DLT_IEEE802: 7171 return gen_thostop(ebroadcast, Q_DST); 7172 case DLT_IEEE802_11: 7173 case DLT_PRISM_HEADER: 7174 case DLT_IEEE802_11_RADIO_AVS: 7175 case DLT_IEEE802_11_RADIO: 7176 case DLT_PPI: 7177 return gen_wlanhostop(ebroadcast, Q_DST); 7178 case DLT_IP_OVER_FC: 7179 return gen_ipfchostop(ebroadcast, Q_DST); 7180 case DLT_SUNATM: 7181 if (is_lane) { 7182 /* 7183 * Check that the packet doesn't begin with an 7184 * LE Control marker. (We've already generated 7185 * a test for LANE.) 7186 */ 7187 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7188 BPF_H, 0xFF00); 7189 gen_not(b1); 7190 7191 /* 7192 * Now check the MAC address. 7193 */ 7194 b0 = gen_ehostop(ebroadcast, Q_DST); 7195 gen_and(b1, b0); 7196 return b0; 7197 } 7198 break; 7199 default: 7200 bpf_error("not a broadcast link"); 7201 } 7202 break; 7203 7204 case Q_IP: 7205 /* 7206 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7207 * as an indication that we don't know the netmask, and fail 7208 * in that case. 7209 */ 7210 if (netmask == PCAP_NETMASK_UNKNOWN) 7211 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7212 b0 = gen_linktype(ETHERTYPE_IP); 7213 hostmask = ~netmask; 7214 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7215 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7216 (bpf_int32)(~0 & hostmask), hostmask); 7217 gen_or(b1, b2); 7218 gen_and(b0, b2); 7219 return b2; 7220 } 7221 bpf_error("only link-layer/IP broadcast filters supported"); 7222 /* NOTREACHED */ 7223 return NULL; 7224 } 7225 7226 /* 7227 * Generate code to test the low-order bit of a MAC address (that's 7228 * the bottom bit of the *first* byte). 7229 */ 7230 static struct block * 7231 gen_mac_multicast(offset) 7232 int offset; 7233 { 7234 register struct block *b0; 7235 register struct slist *s; 7236 7237 /* link[offset] & 1 != 0 */ 7238 s = gen_load_a(OR_LINK, offset, BPF_B); 7239 b0 = new_block(JMP(BPF_JSET)); 7240 b0->s.k = 1; 7241 b0->stmts = s; 7242 return b0; 7243 } 7244 7245 struct block * 7246 gen_multicast(proto) 7247 int proto; 7248 { 7249 register struct block *b0, *b1, *b2; 7250 register struct slist *s; 7251 7252 switch (proto) { 7253 7254 case Q_DEFAULT: 7255 case Q_LINK: 7256 switch (linktype) { 7257 case DLT_ARCNET: 7258 case DLT_ARCNET_LINUX: 7259 /* all ARCnet multicasts use the same address */ 7260 return gen_ahostop(abroadcast, Q_DST); 7261 case DLT_EN10MB: 7262 case DLT_NETANALYZER: 7263 case DLT_NETANALYZER_TRANSPARENT: 7264 /* ether[0] & 1 != 0 */ 7265 return gen_mac_multicast(0); 7266 case DLT_FDDI: 7267 /* 7268 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7269 * 7270 * XXX - was that referring to bit-order issues? 7271 */ 7272 /* fddi[1] & 1 != 0 */ 7273 return gen_mac_multicast(1); 7274 case DLT_IEEE802: 7275 /* tr[2] & 1 != 0 */ 7276 return gen_mac_multicast(2); 7277 case DLT_IEEE802_11: 7278 case DLT_PRISM_HEADER: 7279 case DLT_IEEE802_11_RADIO_AVS: 7280 case DLT_IEEE802_11_RADIO: 7281 case DLT_PPI: 7282 /* 7283 * Oh, yuk. 7284 * 7285 * For control frames, there is no DA. 7286 * 7287 * For management frames, DA is at an 7288 * offset of 4 from the beginning of 7289 * the packet. 7290 * 7291 * For data frames, DA is at an offset 7292 * of 4 from the beginning of the packet 7293 * if To DS is clear and at an offset of 7294 * 16 from the beginning of the packet 7295 * if To DS is set. 7296 */ 7297 7298 /* 7299 * Generate the tests to be done for data frames. 7300 * 7301 * First, check for To DS set, i.e. "link[1] & 0x01". 7302 */ 7303 s = gen_load_a(OR_LINK, 1, BPF_B); 7304 b1 = new_block(JMP(BPF_JSET)); 7305 b1->s.k = 0x01; /* To DS */ 7306 b1->stmts = s; 7307 7308 /* 7309 * If To DS is set, the DA is at 16. 7310 */ 7311 b0 = gen_mac_multicast(16); 7312 gen_and(b1, b0); 7313 7314 /* 7315 * Now, check for To DS not set, i.e. check 7316 * "!(link[1] & 0x01)". 7317 */ 7318 s = gen_load_a(OR_LINK, 1, BPF_B); 7319 b2 = new_block(JMP(BPF_JSET)); 7320 b2->s.k = 0x01; /* To DS */ 7321 b2->stmts = s; 7322 gen_not(b2); 7323 7324 /* 7325 * If To DS is not set, the DA is at 4. 7326 */ 7327 b1 = gen_mac_multicast(4); 7328 gen_and(b2, b1); 7329 7330 /* 7331 * Now OR together the last two checks. That gives 7332 * the complete set of checks for data frames. 7333 */ 7334 gen_or(b1, b0); 7335 7336 /* 7337 * Now check for a data frame. 7338 * I.e, check "link[0] & 0x08". 7339 */ 7340 s = gen_load_a(OR_LINK, 0, BPF_B); 7341 b1 = new_block(JMP(BPF_JSET)); 7342 b1->s.k = 0x08; 7343 b1->stmts = s; 7344 7345 /* 7346 * AND that with the checks done for data frames. 7347 */ 7348 gen_and(b1, b0); 7349 7350 /* 7351 * If the high-order bit of the type value is 0, this 7352 * is a management frame. 7353 * I.e, check "!(link[0] & 0x08)". 7354 */ 7355 s = gen_load_a(OR_LINK, 0, BPF_B); 7356 b2 = new_block(JMP(BPF_JSET)); 7357 b2->s.k = 0x08; 7358 b2->stmts = s; 7359 gen_not(b2); 7360 7361 /* 7362 * For management frames, the DA is at 4. 7363 */ 7364 b1 = gen_mac_multicast(4); 7365 gen_and(b2, b1); 7366 7367 /* 7368 * OR that with the checks done for data frames. 7369 * That gives the checks done for management and 7370 * data frames. 7371 */ 7372 gen_or(b1, b0); 7373 7374 /* 7375 * If the low-order bit of the type value is 1, 7376 * this is either a control frame or a frame 7377 * with a reserved type, and thus not a 7378 * frame with an SA. 7379 * 7380 * I.e., check "!(link[0] & 0x04)". 7381 */ 7382 s = gen_load_a(OR_LINK, 0, BPF_B); 7383 b1 = new_block(JMP(BPF_JSET)); 7384 b1->s.k = 0x04; 7385 b1->stmts = s; 7386 gen_not(b1); 7387 7388 /* 7389 * AND that with the checks for data and management 7390 * frames. 7391 */ 7392 gen_and(b1, b0); 7393 return b0; 7394 case DLT_IP_OVER_FC: 7395 b0 = gen_mac_multicast(2); 7396 return b0; 7397 case DLT_SUNATM: 7398 if (is_lane) { 7399 /* 7400 * Check that the packet doesn't begin with an 7401 * LE Control marker. (We've already generated 7402 * a test for LANE.) 7403 */ 7404 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7405 BPF_H, 0xFF00); 7406 gen_not(b1); 7407 7408 /* ether[off_mac] & 1 != 0 */ 7409 b0 = gen_mac_multicast(off_mac); 7410 gen_and(b1, b0); 7411 return b0; 7412 } 7413 break; 7414 default: 7415 break; 7416 } 7417 /* Link not known to support multicasts */ 7418 break; 7419 7420 case Q_IP: 7421 b0 = gen_linktype(ETHERTYPE_IP); 7422 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7423 gen_and(b0, b1); 7424 return b1; 7425 7426 case Q_IPV6: 7427 b0 = gen_linktype(ETHERTYPE_IPV6); 7428 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7429 gen_and(b0, b1); 7430 return b1; 7431 } 7432 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7433 /* NOTREACHED */ 7434 return NULL; 7435 } 7436 7437 /* 7438 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7439 * Outbound traffic is sent by this machine, while inbound traffic is 7440 * sent by a remote machine (and may include packets destined for a 7441 * unicast or multicast link-layer address we are not subscribing to). 7442 * These are the same definitions implemented by pcap_setdirection(). 7443 * Capturing only unicast traffic destined for this host is probably 7444 * better accomplished using a higher-layer filter. 7445 */ 7446 struct block * 7447 gen_inbound(dir) 7448 int dir; 7449 { 7450 register struct block *b0; 7451 7452 /* 7453 * Only some data link types support inbound/outbound qualifiers. 7454 */ 7455 switch (linktype) { 7456 case DLT_SLIP: 7457 b0 = gen_relation(BPF_JEQ, 7458 gen_load(Q_LINK, gen_loadi(0), 1), 7459 gen_loadi(0), 7460 dir); 7461 break; 7462 7463 case DLT_IPNET: 7464 if (dir) { 7465 /* match outgoing packets */ 7466 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7467 } else { 7468 /* match incoming packets */ 7469 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7470 } 7471 break; 7472 7473 case DLT_LINUX_SLL: 7474 /* match outgoing packets */ 7475 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7476 if (!dir) { 7477 /* to filter on inbound traffic, invert the match */ 7478 gen_not(b0); 7479 } 7480 break; 7481 7482 #ifdef HAVE_NET_PFVAR_H 7483 case DLT_PFLOG: 7484 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7485 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7486 break; 7487 #endif 7488 7489 case DLT_PPP_PPPD: 7490 if (dir) { 7491 /* match outgoing packets */ 7492 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7493 } else { 7494 /* match incoming packets */ 7495 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7496 } 7497 break; 7498 7499 case DLT_JUNIPER_MFR: 7500 case DLT_JUNIPER_MLFR: 7501 case DLT_JUNIPER_MLPPP: 7502 case DLT_JUNIPER_ATM1: 7503 case DLT_JUNIPER_ATM2: 7504 case DLT_JUNIPER_PPPOE: 7505 case DLT_JUNIPER_PPPOE_ATM: 7506 case DLT_JUNIPER_GGSN: 7507 case DLT_JUNIPER_ES: 7508 case DLT_JUNIPER_MONITOR: 7509 case DLT_JUNIPER_SERVICES: 7510 case DLT_JUNIPER_ETHER: 7511 case DLT_JUNIPER_PPP: 7512 case DLT_JUNIPER_FRELAY: 7513 case DLT_JUNIPER_CHDLC: 7514 case DLT_JUNIPER_VP: 7515 case DLT_JUNIPER_ST: 7516 case DLT_JUNIPER_ISM: 7517 case DLT_JUNIPER_VS: 7518 case DLT_JUNIPER_SRX_E2E: 7519 case DLT_JUNIPER_FIBRECHANNEL: 7520 case DLT_JUNIPER_ATM_CEMIC: 7521 7522 /* juniper flags (including direction) are stored 7523 * the byte after the 3-byte magic number */ 7524 if (dir) { 7525 /* match outgoing packets */ 7526 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7527 } else { 7528 /* match incoming packets */ 7529 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7530 } 7531 break; 7532 7533 default: 7534 /* 7535 * If we have packet meta-data indicating a direction, 7536 * check it, otherwise give up as this link-layer type 7537 * has nothing in the packet data. 7538 */ 7539 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7540 /* 7541 * We infer that this is Linux with PF_PACKET support. 7542 * If this is a *live* capture, we can look at 7543 * special meta-data in the filter expression; 7544 * if it's a savefile, we can't. 7545 */ 7546 if (bpf_pcap->sf.rfile != NULL) { 7547 /* We have a FILE *, so this is a savefile */ 7548 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7549 linktype); 7550 b0 = NULL; 7551 /* NOTREACHED */ 7552 } 7553 /* match outgoing packets */ 7554 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7555 PACKET_OUTGOING); 7556 if (!dir) { 7557 /* to filter on inbound traffic, invert the match */ 7558 gen_not(b0); 7559 } 7560 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7561 bpf_error("inbound/outbound not supported on linktype %d", 7562 linktype); 7563 b0 = NULL; 7564 /* NOTREACHED */ 7565 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7566 } 7567 return (b0); 7568 } 7569 7570 #ifdef HAVE_NET_PFVAR_H 7571 /* PF firewall log matched interface */ 7572 struct block * 7573 gen_pf_ifname(const char *ifname) 7574 { 7575 struct block *b0; 7576 u_int len, off; 7577 7578 if (linktype != DLT_PFLOG) { 7579 bpf_error("ifname supported only on PF linktype"); 7580 /* NOTREACHED */ 7581 } 7582 len = sizeof(((struct pfloghdr *)0)->ifname); 7583 off = offsetof(struct pfloghdr, ifname); 7584 if (strlen(ifname) >= len) { 7585 bpf_error("ifname interface names can only be %d characters", 7586 len-1); 7587 /* NOTREACHED */ 7588 } 7589 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7590 return (b0); 7591 } 7592 7593 /* PF firewall log ruleset name */ 7594 struct block * 7595 gen_pf_ruleset(char *ruleset) 7596 { 7597 struct block *b0; 7598 7599 if (linktype != DLT_PFLOG) { 7600 bpf_error("ruleset supported only on PF linktype"); 7601 /* NOTREACHED */ 7602 } 7603 7604 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7605 bpf_error("ruleset names can only be %ld characters", 7606 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7607 /* NOTREACHED */ 7608 } 7609 7610 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7611 strlen(ruleset), (const u_char *)ruleset); 7612 return (b0); 7613 } 7614 7615 /* PF firewall log rule number */ 7616 struct block * 7617 gen_pf_rnr(int rnr) 7618 { 7619 struct block *b0; 7620 7621 if (linktype != DLT_PFLOG) { 7622 bpf_error("rnr supported only on PF linktype"); 7623 /* NOTREACHED */ 7624 } 7625 7626 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7627 (bpf_int32)rnr); 7628 return (b0); 7629 } 7630 7631 /* PF firewall log sub-rule number */ 7632 struct block * 7633 gen_pf_srnr(int srnr) 7634 { 7635 struct block *b0; 7636 7637 if (linktype != DLT_PFLOG) { 7638 bpf_error("srnr supported only on PF linktype"); 7639 /* NOTREACHED */ 7640 } 7641 7642 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7643 (bpf_int32)srnr); 7644 return (b0); 7645 } 7646 7647 /* PF firewall log reason code */ 7648 struct block * 7649 gen_pf_reason(int reason) 7650 { 7651 struct block *b0; 7652 7653 if (linktype != DLT_PFLOG) { 7654 bpf_error("reason supported only on PF linktype"); 7655 /* NOTREACHED */ 7656 } 7657 7658 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7659 (bpf_int32)reason); 7660 return (b0); 7661 } 7662 7663 /* PF firewall log action */ 7664 struct block * 7665 gen_pf_action(int action) 7666 { 7667 struct block *b0; 7668 7669 if (linktype != DLT_PFLOG) { 7670 bpf_error("action supported only on PF linktype"); 7671 /* NOTREACHED */ 7672 } 7673 7674 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7675 (bpf_int32)action); 7676 return (b0); 7677 } 7678 #else /* !HAVE_NET_PFVAR_H */ 7679 struct block * 7680 gen_pf_ifname(const char *ifname) 7681 { 7682 bpf_error("libpcap was compiled without pf support"); 7683 /* NOTREACHED */ 7684 return (NULL); 7685 } 7686 7687 struct block * 7688 gen_pf_ruleset(char *ruleset) 7689 { 7690 bpf_error("libpcap was compiled on a machine without pf support"); 7691 /* NOTREACHED */ 7692 return (NULL); 7693 } 7694 7695 struct block * 7696 gen_pf_rnr(int rnr) 7697 { 7698 bpf_error("libpcap was compiled on a machine without pf support"); 7699 /* NOTREACHED */ 7700 return (NULL); 7701 } 7702 7703 struct block * 7704 gen_pf_srnr(int srnr) 7705 { 7706 bpf_error("libpcap was compiled on a machine without pf support"); 7707 /* NOTREACHED */ 7708 return (NULL); 7709 } 7710 7711 struct block * 7712 gen_pf_reason(int reason) 7713 { 7714 bpf_error("libpcap was compiled on a machine without pf support"); 7715 /* NOTREACHED */ 7716 return (NULL); 7717 } 7718 7719 struct block * 7720 gen_pf_action(int action) 7721 { 7722 bpf_error("libpcap was compiled on a machine without pf support"); 7723 /* NOTREACHED */ 7724 return (NULL); 7725 } 7726 #endif /* HAVE_NET_PFVAR_H */ 7727 7728 /* IEEE 802.11 wireless header */ 7729 struct block * 7730 gen_p80211_type(int type, int mask) 7731 { 7732 struct block *b0; 7733 7734 switch (linktype) { 7735 7736 case DLT_IEEE802_11: 7737 case DLT_PRISM_HEADER: 7738 case DLT_IEEE802_11_RADIO_AVS: 7739 case DLT_IEEE802_11_RADIO: 7740 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7741 (bpf_int32)mask); 7742 break; 7743 7744 default: 7745 bpf_error("802.11 link-layer types supported only on 802.11"); 7746 /* NOTREACHED */ 7747 } 7748 7749 return (b0); 7750 } 7751 7752 struct block * 7753 gen_p80211_fcdir(int fcdir) 7754 { 7755 struct block *b0; 7756 7757 switch (linktype) { 7758 7759 case DLT_IEEE802_11: 7760 case DLT_PRISM_HEADER: 7761 case DLT_IEEE802_11_RADIO_AVS: 7762 case DLT_IEEE802_11_RADIO: 7763 break; 7764 7765 default: 7766 bpf_error("frame direction supported only with 802.11 headers"); 7767 /* NOTREACHED */ 7768 } 7769 7770 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7771 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7772 7773 return (b0); 7774 } 7775 7776 struct block * 7777 gen_acode(eaddr, q) 7778 register const u_char *eaddr; 7779 struct qual q; 7780 { 7781 switch (linktype) { 7782 7783 case DLT_ARCNET: 7784 case DLT_ARCNET_LINUX: 7785 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7786 q.proto == Q_LINK) 7787 return (gen_ahostop(eaddr, (int)q.dir)); 7788 else { 7789 bpf_error("ARCnet address used in non-arc expression"); 7790 /* NOTREACHED */ 7791 } 7792 break; 7793 7794 default: 7795 bpf_error("aid supported only on ARCnet"); 7796 /* NOTREACHED */ 7797 } 7798 bpf_error("ARCnet address used in non-arc expression"); 7799 /* NOTREACHED */ 7800 return NULL; 7801 } 7802 7803 static struct block * 7804 gen_ahostop(eaddr, dir) 7805 register const u_char *eaddr; 7806 register int dir; 7807 { 7808 register struct block *b0, *b1; 7809 7810 switch (dir) { 7811 /* src comes first, different from Ethernet */ 7812 case Q_SRC: 7813 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7814 7815 case Q_DST: 7816 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7817 7818 case Q_AND: 7819 b0 = gen_ahostop(eaddr, Q_SRC); 7820 b1 = gen_ahostop(eaddr, Q_DST); 7821 gen_and(b0, b1); 7822 return b1; 7823 7824 case Q_DEFAULT: 7825 case Q_OR: 7826 b0 = gen_ahostop(eaddr, Q_SRC); 7827 b1 = gen_ahostop(eaddr, Q_DST); 7828 gen_or(b0, b1); 7829 return b1; 7830 7831 case Q_ADDR1: 7832 bpf_error("'addr1' is only supported on 802.11"); 7833 break; 7834 7835 case Q_ADDR2: 7836 bpf_error("'addr2' is only supported on 802.11"); 7837 break; 7838 7839 case Q_ADDR3: 7840 bpf_error("'addr3' is only supported on 802.11"); 7841 break; 7842 7843 case Q_ADDR4: 7844 bpf_error("'addr4' is only supported on 802.11"); 7845 break; 7846 7847 case Q_RA: 7848 bpf_error("'ra' is only supported on 802.11"); 7849 break; 7850 7851 case Q_TA: 7852 bpf_error("'ta' is only supported on 802.11"); 7853 break; 7854 } 7855 abort(); 7856 /* NOTREACHED */ 7857 } 7858 7859 /* 7860 * support IEEE 802.1Q VLAN trunk over ethernet 7861 */ 7862 struct block * 7863 gen_vlan(vlan_num) 7864 int vlan_num; 7865 { 7866 struct block *b0, *b1; 7867 7868 /* can't check for VLAN-encapsulated packets inside MPLS */ 7869 if (label_stack_depth > 0) 7870 bpf_error("no VLAN match after MPLS"); 7871 7872 /* 7873 * Check for a VLAN packet, and then change the offsets to point 7874 * to the type and data fields within the VLAN packet. Just 7875 * increment the offsets, so that we can support a hierarchy, e.g. 7876 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7877 * VLAN 100. 7878 * 7879 * XXX - this is a bit of a kludge. If we were to split the 7880 * compiler into a parser that parses an expression and 7881 * generates an expression tree, and a code generator that 7882 * takes an expression tree (which could come from our 7883 * parser or from some other parser) and generates BPF code, 7884 * we could perhaps make the offsets parameters of routines 7885 * and, in the handler for an "AND" node, pass to subnodes 7886 * other than the VLAN node the adjusted offsets. 7887 * 7888 * This would mean that "vlan" would, instead of changing the 7889 * behavior of *all* tests after it, change only the behavior 7890 * of tests ANDed with it. That would change the documented 7891 * semantics of "vlan", which might break some expressions. 7892 * However, it would mean that "(vlan and ip) or ip" would check 7893 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7894 * checking only for VLAN-encapsulated IP, so that could still 7895 * be considered worth doing; it wouldn't break expressions 7896 * that are of the form "vlan and ..." or "vlan N and ...", 7897 * which I suspect are the most common expressions involving 7898 * "vlan". "vlan or ..." doesn't necessarily do what the user 7899 * would really want, now, as all the "or ..." tests would 7900 * be done assuming a VLAN, even though the "or" could be viewed 7901 * as meaning "or, if this isn't a VLAN packet...". 7902 */ 7903 orig_nl = off_nl; 7904 7905 switch (linktype) { 7906 7907 case DLT_EN10MB: 7908 case DLT_NETANALYZER: 7909 case DLT_NETANALYZER_TRANSPARENT: 7910 /* check for VLAN, including QinQ */ 7911 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7912 (bpf_int32)ETHERTYPE_8021Q); 7913 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7914 (bpf_int32)ETHERTYPE_8021QINQ); 7915 gen_or(b0,b1); 7916 b0 = b1; 7917 7918 /* If a specific VLAN is requested, check VLAN id */ 7919 if (vlan_num >= 0) { 7920 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7921 (bpf_int32)vlan_num, 0x0fff); 7922 gen_and(b0, b1); 7923 b0 = b1; 7924 } 7925 7926 off_macpl += 4; 7927 off_linktype += 4; 7928 #if 0 7929 off_nl_nosnap += 4; 7930 off_nl += 4; 7931 #endif 7932 break; 7933 7934 default: 7935 bpf_error("no VLAN support for data link type %d", 7936 linktype); 7937 /*NOTREACHED*/ 7938 } 7939 7940 return (b0); 7941 } 7942 7943 /* 7944 * support for MPLS 7945 */ 7946 struct block * 7947 gen_mpls(label_num) 7948 int label_num; 7949 { 7950 struct block *b0,*b1; 7951 7952 /* 7953 * Change the offsets to point to the type and data fields within 7954 * the MPLS packet. Just increment the offsets, so that we 7955 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7956 * capture packets with an outer label of 100000 and an inner 7957 * label of 1024. 7958 * 7959 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7960 */ 7961 orig_nl = off_nl; 7962 7963 if (label_stack_depth > 0) { 7964 /* just match the bottom-of-stack bit clear */ 7965 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7966 } else { 7967 /* 7968 * Indicate that we're checking MPLS-encapsulated headers, 7969 * to make sure higher level code generators don't try to 7970 * match against IP-related protocols such as Q_ARP, Q_RARP 7971 * etc. 7972 */ 7973 switch (linktype) { 7974 7975 case DLT_C_HDLC: /* fall through */ 7976 case DLT_EN10MB: 7977 case DLT_NETANALYZER: 7978 case DLT_NETANALYZER_TRANSPARENT: 7979 b0 = gen_linktype(ETHERTYPE_MPLS); 7980 break; 7981 7982 case DLT_PPP: 7983 b0 = gen_linktype(PPP_MPLS_UCAST); 7984 break; 7985 7986 /* FIXME add other DLT_s ... 7987 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7988 * leave it for now */ 7989 7990 default: 7991 bpf_error("no MPLS support for data link type %d", 7992 linktype); 7993 b0 = NULL; 7994 /*NOTREACHED*/ 7995 break; 7996 } 7997 } 7998 7999 /* If a specific MPLS label is requested, check it */ 8000 if (label_num >= 0) { 8001 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8002 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8003 0xfffff000); /* only compare the first 20 bits */ 8004 gen_and(b0, b1); 8005 b0 = b1; 8006 } 8007 8008 off_nl_nosnap += 4; 8009 off_nl += 4; 8010 label_stack_depth++; 8011 return (b0); 8012 } 8013 8014 /* 8015 * Support PPPOE discovery and session. 8016 */ 8017 struct block * 8018 gen_pppoed() 8019 { 8020 /* check for PPPoE discovery */ 8021 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8022 } 8023 8024 struct block * 8025 gen_pppoes() 8026 { 8027 struct block *b0; 8028 8029 /* 8030 * Test against the PPPoE session link-layer type. 8031 */ 8032 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8033 8034 /* 8035 * Change the offsets to point to the type and data fields within 8036 * the PPP packet, and note that this is PPPoE rather than 8037 * raw PPP. 8038 * 8039 * XXX - this is a bit of a kludge. If we were to split the 8040 * compiler into a parser that parses an expression and 8041 * generates an expression tree, and a code generator that 8042 * takes an expression tree (which could come from our 8043 * parser or from some other parser) and generates BPF code, 8044 * we could perhaps make the offsets parameters of routines 8045 * and, in the handler for an "AND" node, pass to subnodes 8046 * other than the PPPoE node the adjusted offsets. 8047 * 8048 * This would mean that "pppoes" would, instead of changing the 8049 * behavior of *all* tests after it, change only the behavior 8050 * of tests ANDed with it. That would change the documented 8051 * semantics of "pppoes", which might break some expressions. 8052 * However, it would mean that "(pppoes and ip) or ip" would check 8053 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8054 * checking only for VLAN-encapsulated IP, so that could still 8055 * be considered worth doing; it wouldn't break expressions 8056 * that are of the form "pppoes and ..." which I suspect are the 8057 * most common expressions involving "pppoes". "pppoes or ..." 8058 * doesn't necessarily do what the user would really want, now, 8059 * as all the "or ..." tests would be done assuming PPPoE, even 8060 * though the "or" could be viewed as meaning "or, if this isn't 8061 * a PPPoE packet...". 8062 */ 8063 orig_linktype = off_linktype; /* save original values */ 8064 orig_nl = off_nl; 8065 is_pppoes = 1; 8066 8067 /* 8068 * The "network-layer" protocol is PPPoE, which has a 6-byte 8069 * PPPoE header, followed by a PPP packet. 8070 * 8071 * There is no HDLC encapsulation for the PPP packet (it's 8072 * encapsulated in PPPoES instead), so the link-layer type 8073 * starts at the first byte of the PPP packet. For PPPoE, 8074 * that offset is relative to the beginning of the total 8075 * link-layer payload, including any 802.2 LLC header, so 8076 * it's 6 bytes past off_nl. 8077 */ 8078 off_linktype = off_nl + 6; 8079 8080 /* 8081 * The network-layer offsets are relative to the beginning 8082 * of the MAC-layer payload; that's past the 6-byte 8083 * PPPoE header and the 2-byte PPP header. 8084 */ 8085 off_nl = 6+2; 8086 off_nl_nosnap = 6+2; 8087 8088 return b0; 8089 } 8090 8091 struct block * 8092 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8093 int atmfield; 8094 bpf_int32 jvalue; 8095 bpf_u_int32 jtype; 8096 int reverse; 8097 { 8098 struct block *b0; 8099 8100 switch (atmfield) { 8101 8102 case A_VPI: 8103 if (!is_atm) 8104 bpf_error("'vpi' supported only on raw ATM"); 8105 if (off_vpi == (u_int)-1) 8106 abort(); 8107 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8108 reverse, jvalue); 8109 break; 8110 8111 case A_VCI: 8112 if (!is_atm) 8113 bpf_error("'vci' supported only on raw ATM"); 8114 if (off_vci == (u_int)-1) 8115 abort(); 8116 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8117 reverse, jvalue); 8118 break; 8119 8120 case A_PROTOTYPE: 8121 if (off_proto == (u_int)-1) 8122 abort(); /* XXX - this isn't on FreeBSD */ 8123 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8124 reverse, jvalue); 8125 break; 8126 8127 case A_MSGTYPE: 8128 if (off_payload == (u_int)-1) 8129 abort(); 8130 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8131 0xffffffff, jtype, reverse, jvalue); 8132 break; 8133 8134 case A_CALLREFTYPE: 8135 if (!is_atm) 8136 bpf_error("'callref' supported only on raw ATM"); 8137 if (off_proto == (u_int)-1) 8138 abort(); 8139 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8140 jtype, reverse, jvalue); 8141 break; 8142 8143 default: 8144 abort(); 8145 } 8146 return b0; 8147 } 8148 8149 struct block * 8150 gen_atmtype_abbrev(type) 8151 int type; 8152 { 8153 struct block *b0, *b1; 8154 8155 switch (type) { 8156 8157 case A_METAC: 8158 /* Get all packets in Meta signalling Circuit */ 8159 if (!is_atm) 8160 bpf_error("'metac' supported only on raw ATM"); 8161 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8162 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8163 gen_and(b0, b1); 8164 break; 8165 8166 case A_BCC: 8167 /* Get all packets in Broadcast Circuit*/ 8168 if (!is_atm) 8169 bpf_error("'bcc' supported only on raw ATM"); 8170 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8171 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8172 gen_and(b0, b1); 8173 break; 8174 8175 case A_OAMF4SC: 8176 /* Get all cells in Segment OAM F4 circuit*/ 8177 if (!is_atm) 8178 bpf_error("'oam4sc' supported only on raw ATM"); 8179 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8180 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8181 gen_and(b0, b1); 8182 break; 8183 8184 case A_OAMF4EC: 8185 /* Get all cells in End-to-End OAM F4 Circuit*/ 8186 if (!is_atm) 8187 bpf_error("'oam4ec' supported only on raw ATM"); 8188 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8189 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8190 gen_and(b0, b1); 8191 break; 8192 8193 case A_SC: 8194 /* Get all packets in connection Signalling Circuit */ 8195 if (!is_atm) 8196 bpf_error("'sc' supported only on raw ATM"); 8197 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8198 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8199 gen_and(b0, b1); 8200 break; 8201 8202 case A_ILMIC: 8203 /* Get all packets in ILMI Circuit */ 8204 if (!is_atm) 8205 bpf_error("'ilmic' supported only on raw ATM"); 8206 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8207 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8208 gen_and(b0, b1); 8209 break; 8210 8211 case A_LANE: 8212 /* Get all LANE packets */ 8213 if (!is_atm) 8214 bpf_error("'lane' supported only on raw ATM"); 8215 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8216 8217 /* 8218 * Arrange that all subsequent tests assume LANE 8219 * rather than LLC-encapsulated packets, and set 8220 * the offsets appropriately for LANE-encapsulated 8221 * Ethernet. 8222 * 8223 * "off_mac" is the offset of the Ethernet header, 8224 * which is 2 bytes past the ATM pseudo-header 8225 * (skipping the pseudo-header and 2-byte LE Client 8226 * field). The other offsets are Ethernet offsets 8227 * relative to "off_mac". 8228 */ 8229 is_lane = 1; 8230 off_mac = off_payload + 2; /* MAC header */ 8231 off_linktype = off_mac + 12; 8232 off_macpl = off_mac + 14; /* Ethernet */ 8233 off_nl = 0; /* Ethernet II */ 8234 off_nl_nosnap = 3; /* 802.3+802.2 */ 8235 break; 8236 8237 case A_LLC: 8238 /* Get all LLC-encapsulated packets */ 8239 if (!is_atm) 8240 bpf_error("'llc' supported only on raw ATM"); 8241 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8242 is_lane = 0; 8243 break; 8244 8245 default: 8246 abort(); 8247 } 8248 return b1; 8249 } 8250 8251 /* 8252 * Filtering for MTP2 messages based on li value 8253 * FISU, length is null 8254 * LSSU, length is 1 or 2 8255 * MSU, length is 3 or more 8256 */ 8257 struct block * 8258 gen_mtp2type_abbrev(type) 8259 int type; 8260 { 8261 struct block *b0, *b1; 8262 8263 switch (type) { 8264 8265 case M_FISU: 8266 if ( (linktype != DLT_MTP2) && 8267 (linktype != DLT_ERF) && 8268 (linktype != DLT_MTP2_WITH_PHDR) ) 8269 bpf_error("'fisu' supported only on MTP2"); 8270 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8271 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8272 break; 8273 8274 case M_LSSU: 8275 if ( (linktype != DLT_MTP2) && 8276 (linktype != DLT_ERF) && 8277 (linktype != DLT_MTP2_WITH_PHDR) ) 8278 bpf_error("'lssu' supported only on MTP2"); 8279 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8280 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8281 gen_and(b1, b0); 8282 break; 8283 8284 case M_MSU: 8285 if ( (linktype != DLT_MTP2) && 8286 (linktype != DLT_ERF) && 8287 (linktype != DLT_MTP2_WITH_PHDR) ) 8288 bpf_error("'msu' supported only on MTP2"); 8289 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8290 break; 8291 8292 default: 8293 abort(); 8294 } 8295 return b0; 8296 } 8297 8298 struct block * 8299 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8300 int mtp3field; 8301 bpf_u_int32 jvalue; 8302 bpf_u_int32 jtype; 8303 int reverse; 8304 { 8305 struct block *b0; 8306 bpf_u_int32 val1 , val2 , val3; 8307 8308 switch (mtp3field) { 8309 8310 case M_SIO: 8311 if (off_sio == (u_int)-1) 8312 bpf_error("'sio' supported only on SS7"); 8313 /* sio coded on 1 byte so max value 255 */ 8314 if(jvalue > 255) 8315 bpf_error("sio value %u too big; max value = 255", 8316 jvalue); 8317 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8318 (u_int)jtype, reverse, (u_int)jvalue); 8319 break; 8320 8321 case M_OPC: 8322 if (off_opc == (u_int)-1) 8323 bpf_error("'opc' supported only on SS7"); 8324 /* opc coded on 14 bits so max value 16383 */ 8325 if (jvalue > 16383) 8326 bpf_error("opc value %u too big; max value = 16383", 8327 jvalue); 8328 /* the following instructions are made to convert jvalue 8329 * to the form used to write opc in an ss7 message*/ 8330 val1 = jvalue & 0x00003c00; 8331 val1 = val1 >>10; 8332 val2 = jvalue & 0x000003fc; 8333 val2 = val2 <<6; 8334 val3 = jvalue & 0x00000003; 8335 val3 = val3 <<22; 8336 jvalue = val1 + val2 + val3; 8337 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8338 (u_int)jtype, reverse, (u_int)jvalue); 8339 break; 8340 8341 case M_DPC: 8342 if (off_dpc == (u_int)-1) 8343 bpf_error("'dpc' supported only on SS7"); 8344 /* dpc coded on 14 bits so max value 16383 */ 8345 if (jvalue > 16383) 8346 bpf_error("dpc value %u too big; max value = 16383", 8347 jvalue); 8348 /* the following instructions are made to convert jvalue 8349 * to the forme used to write dpc in an ss7 message*/ 8350 val1 = jvalue & 0x000000ff; 8351 val1 = val1 << 24; 8352 val2 = jvalue & 0x00003f00; 8353 val2 = val2 << 8; 8354 jvalue = val1 + val2; 8355 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8356 (u_int)jtype, reverse, (u_int)jvalue); 8357 break; 8358 8359 case M_SLS: 8360 if (off_sls == (u_int)-1) 8361 bpf_error("'sls' supported only on SS7"); 8362 /* sls coded on 4 bits so max value 15 */ 8363 if (jvalue > 15) 8364 bpf_error("sls value %u too big; max value = 15", 8365 jvalue); 8366 /* the following instruction is made to convert jvalue 8367 * to the forme used to write sls in an ss7 message*/ 8368 jvalue = jvalue << 4; 8369 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8370 (u_int)jtype,reverse, (u_int)jvalue); 8371 break; 8372 8373 default: 8374 abort(); 8375 } 8376 return b0; 8377 } 8378 8379 static struct block * 8380 gen_msg_abbrev(type) 8381 int type; 8382 { 8383 struct block *b1; 8384 8385 /* 8386 * Q.2931 signalling protocol messages for handling virtual circuits 8387 * establishment and teardown 8388 */ 8389 switch (type) { 8390 8391 case A_SETUP: 8392 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8393 break; 8394 8395 case A_CALLPROCEED: 8396 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8397 break; 8398 8399 case A_CONNECT: 8400 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8401 break; 8402 8403 case A_CONNECTACK: 8404 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8405 break; 8406 8407 case A_RELEASE: 8408 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8409 break; 8410 8411 case A_RELEASE_DONE: 8412 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8413 break; 8414 8415 default: 8416 abort(); 8417 } 8418 return b1; 8419 } 8420 8421 struct block * 8422 gen_atmmulti_abbrev(type) 8423 int type; 8424 { 8425 struct block *b0, *b1; 8426 8427 switch (type) { 8428 8429 case A_OAM: 8430 if (!is_atm) 8431 bpf_error("'oam' supported only on raw ATM"); 8432 b1 = gen_atmmulti_abbrev(A_OAMF4); 8433 break; 8434 8435 case A_OAMF4: 8436 if (!is_atm) 8437 bpf_error("'oamf4' supported only on raw ATM"); 8438 /* OAM F4 type */ 8439 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8440 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8441 gen_or(b0, b1); 8442 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8443 gen_and(b0, b1); 8444 break; 8445 8446 case A_CONNECTMSG: 8447 /* 8448 * Get Q.2931 signalling messages for switched 8449 * virtual connection 8450 */ 8451 if (!is_atm) 8452 bpf_error("'connectmsg' supported only on raw ATM"); 8453 b0 = gen_msg_abbrev(A_SETUP); 8454 b1 = gen_msg_abbrev(A_CALLPROCEED); 8455 gen_or(b0, b1); 8456 b0 = gen_msg_abbrev(A_CONNECT); 8457 gen_or(b0, b1); 8458 b0 = gen_msg_abbrev(A_CONNECTACK); 8459 gen_or(b0, b1); 8460 b0 = gen_msg_abbrev(A_RELEASE); 8461 gen_or(b0, b1); 8462 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8463 gen_or(b0, b1); 8464 b0 = gen_atmtype_abbrev(A_SC); 8465 gen_and(b0, b1); 8466 break; 8467 8468 case A_METACONNECT: 8469 if (!is_atm) 8470 bpf_error("'metaconnect' supported only on raw ATM"); 8471 b0 = gen_msg_abbrev(A_SETUP); 8472 b1 = gen_msg_abbrev(A_CALLPROCEED); 8473 gen_or(b0, b1); 8474 b0 = gen_msg_abbrev(A_CONNECT); 8475 gen_or(b0, b1); 8476 b0 = gen_msg_abbrev(A_RELEASE); 8477 gen_or(b0, b1); 8478 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8479 gen_or(b0, b1); 8480 b0 = gen_atmtype_abbrev(A_METAC); 8481 gen_and(b0, b1); 8482 break; 8483 8484 default: 8485 abort(); 8486 } 8487 return b1; 8488 } 8489