1 /* $NetBSD: gencode.c,v 1.12 2019/10/01 16:02:11 christos Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 25 #include <sys/cdefs.h> 26 __RCSID("$NetBSD: gencode.c,v 1.12 2019/10/01 16:02:11 christos Exp $"); 27 28 #ifdef HAVE_CONFIG_H 29 #include <config.h> 30 #endif 31 32 #include <pcap-types.h> 33 #ifdef _WIN32 34 #include <ws2tcpip.h> 35 #else 36 #include <sys/socket.h> 37 38 #ifdef __NetBSD__ 39 #include <sys/param.h> 40 #endif 41 42 #include <netinet/in.h> 43 #include <arpa/inet.h> 44 #endif /* _WIN32 */ 45 46 #include <stdlib.h> 47 #include <string.h> 48 #include <memory.h> 49 #include <setjmp.h> 50 #include <stdarg.h> 51 52 #ifdef MSDOS 53 #include "pcap-dos.h" 54 #endif 55 56 #include "pcap-int.h" 57 58 #include "extract.h" 59 60 #include "ethertype.h" 61 #include "nlpid.h" 62 #include "llc.h" 63 #include "gencode.h" 64 #include "ieee80211.h" 65 #include "atmuni31.h" 66 #include "sunatmpos.h" 67 #include "ppp.h" 68 #include "pcap/sll.h" 69 #include "pcap/ipnet.h" 70 #include "arcnet.h" 71 72 #include "grammar.h" 73 #include "scanner.h" 74 75 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 76 #include <linux/types.h> 77 #include <linux/if_packet.h> 78 #include <linux/filter.h> 79 #endif 80 81 #ifdef HAVE_NET_PFVAR_H 82 #include <sys/socket.h> 83 #include <net/if.h> 84 #include <net/pfvar.h> 85 #include <net/if_pflog.h> 86 #endif 87 88 #ifndef offsetof 89 #define offsetof(s, e) ((size_t)&((s *)0)->e) 90 #endif 91 92 #ifdef _WIN32 93 #ifdef INET6 94 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 95 /* IPv6 address */ 96 struct in6_addr 97 { 98 union 99 { 100 uint8_t u6_addr8[16]; 101 uint16_t u6_addr16[8]; 102 uint32_t u6_addr32[4]; 103 } in6_u; 104 #define s6_addr in6_u.u6_addr8 105 #define s6_addr16 in6_u.u6_addr16 106 #define s6_addr32 in6_u.u6_addr32 107 #define s6_addr64 in6_u.u6_addr64 108 }; 109 110 typedef unsigned short sa_family_t; 111 112 #define __SOCKADDR_COMMON(sa_prefix) \ 113 sa_family_t sa_prefix##family 114 115 /* Ditto, for IPv6. */ 116 struct sockaddr_in6 117 { 118 __SOCKADDR_COMMON (sin6_); 119 uint16_t sin6_port; /* Transport layer port # */ 120 uint32_t sin6_flowinfo; /* IPv6 flow information */ 121 struct in6_addr sin6_addr; /* IPv6 address */ 122 }; 123 124 #ifndef EAI_ADDRFAMILY 125 struct addrinfo { 126 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 127 int ai_family; /* PF_xxx */ 128 int ai_socktype; /* SOCK_xxx */ 129 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 130 size_t ai_addrlen; /* length of ai_addr */ 131 char *ai_canonname; /* canonical name for hostname */ 132 struct sockaddr *ai_addr; /* binary address */ 133 struct addrinfo *ai_next; /* next structure in linked list */ 134 }; 135 #endif /* EAI_ADDRFAMILY */ 136 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 137 #endif /* INET6 */ 138 #else /* _WIN32 */ 139 #include <netdb.h> /* for "struct addrinfo" */ 140 #endif /* _WIN32 */ 141 #include <pcap/namedb.h> 142 143 #include "nametoaddr.h" 144 145 #define ETHERMTU 1500 146 147 #ifndef ETHERTYPE_TEB 148 #define ETHERTYPE_TEB 0x6558 149 #endif 150 151 #ifndef IPPROTO_HOPOPTS 152 #define IPPROTO_HOPOPTS 0 153 #endif 154 #ifndef IPPROTO_ROUTING 155 #define IPPROTO_ROUTING 43 156 #endif 157 #ifndef IPPROTO_FRAGMENT 158 #define IPPROTO_FRAGMENT 44 159 #endif 160 #ifndef IPPROTO_DSTOPTS 161 #define IPPROTO_DSTOPTS 60 162 #endif 163 #ifndef IPPROTO_SCTP 164 #define IPPROTO_SCTP 132 165 #endif 166 167 #define GENEVE_PORT 6081 168 169 #ifdef HAVE_OS_PROTO_H 170 #include "os-proto.h" 171 #endif 172 173 #define JMP(c) ((c)|BPF_JMP|BPF_K) 174 175 /* 176 * "Push" the current value of the link-layer header type and link-layer 177 * header offset onto a "stack", and set a new value. (It's not a 178 * full-blown stack; we keep only the top two items.) 179 */ 180 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 181 { \ 182 (cs)->prevlinktype = (cs)->linktype; \ 183 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 184 (cs)->linktype = (new_linktype); \ 185 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 186 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 187 (cs)->off_linkhdr.reg = (new_reg); \ 188 (cs)->is_geneve = 0; \ 189 } 190 191 /* 192 * Offset "not set" value. 193 */ 194 #define OFFSET_NOT_SET 0xffffffffU 195 196 /* 197 * Absolute offsets, which are offsets from the beginning of the raw 198 * packet data, are, in the general case, the sum of a variable value 199 * and a constant value; the variable value may be absent, in which 200 * case the offset is only the constant value, and the constant value 201 * may be zero, in which case the offset is only the variable value. 202 * 203 * bpf_abs_offset is a structure containing all that information: 204 * 205 * is_variable is 1 if there's a variable part. 206 * 207 * constant_part is the constant part of the value, possibly zero; 208 * 209 * if is_variable is 1, reg is the register number for a register 210 * containing the variable value if the register has been assigned, 211 * and -1 otherwise. 212 */ 213 typedef struct { 214 int is_variable; 215 u_int constant_part; 216 int reg; 217 } bpf_abs_offset; 218 219 /* 220 * Value passed to gen_load_a() to indicate what the offset argument 221 * is relative to the beginning of. 222 */ 223 enum e_offrel { 224 OR_PACKET, /* full packet data */ 225 OR_LINKHDR, /* link-layer header */ 226 OR_PREVLINKHDR, /* previous link-layer header */ 227 OR_LLC, /* 802.2 LLC header */ 228 OR_PREVMPLSHDR, /* previous MPLS header */ 229 OR_LINKTYPE, /* link-layer type */ 230 OR_LINKPL, /* link-layer payload */ 231 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 232 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 233 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 234 }; 235 236 /* 237 * We divy out chunks of memory rather than call malloc each time so 238 * we don't have to worry about leaking memory. It's probably 239 * not a big deal if all this memory was wasted but if this ever 240 * goes into a library that would probably not be a good idea. 241 * 242 * XXX - this *is* in a library.... 243 */ 244 #define NCHUNKS 16 245 #define CHUNK0SIZE 1024 246 struct chunk { 247 size_t n_left; 248 void *m; 249 }; 250 251 /* Code generator state */ 252 253 struct _compiler_state { 254 jmp_buf top_ctx; 255 pcap_t *bpf_pcap; 256 257 struct icode ic; 258 259 int snaplen; 260 261 int linktype; 262 int prevlinktype; 263 int outermostlinktype; 264 265 bpf_u_int32 netmask; 266 int no_optimize; 267 268 /* Hack for handling VLAN and MPLS stacks. */ 269 u_int label_stack_depth; 270 u_int vlan_stack_depth; 271 272 /* XXX */ 273 u_int pcap_fddipad; 274 275 /* 276 * As errors are handled by a longjmp, anything allocated must 277 * be freed in the longjmp handler, so it must be reachable 278 * from that handler. 279 * 280 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 281 * it must be freed with freeaddrinfo(). This variable points to 282 * any addrinfo structure that would need to be freed. 283 */ 284 struct addrinfo *ai; 285 286 /* 287 * Another thing that's allocated is the result of pcap_ether_aton(); 288 * it must be freed with free(). This variable points to any 289 * address that would need to be freed. 290 */ 291 u_char *e; 292 293 /* 294 * Various code constructs need to know the layout of the packet. 295 * These values give the necessary offsets from the beginning 296 * of the packet data. 297 */ 298 299 /* 300 * Absolute offset of the beginning of the link-layer header. 301 */ 302 bpf_abs_offset off_linkhdr; 303 304 /* 305 * If we're checking a link-layer header for a packet encapsulated 306 * in another protocol layer, this is the equivalent information 307 * for the previous layers' link-layer header from the beginning 308 * of the raw packet data. 309 */ 310 bpf_abs_offset off_prevlinkhdr; 311 312 /* 313 * This is the equivalent information for the outermost layers' 314 * link-layer header. 315 */ 316 bpf_abs_offset off_outermostlinkhdr; 317 318 /* 319 * Absolute offset of the beginning of the link-layer payload. 320 */ 321 bpf_abs_offset off_linkpl; 322 323 /* 324 * "off_linktype" is the offset to information in the link-layer 325 * header giving the packet type. This is an absolute offset 326 * from the beginning of the packet. 327 * 328 * For Ethernet, it's the offset of the Ethernet type field; this 329 * means that it must have a value that skips VLAN tags. 330 * 331 * For link-layer types that always use 802.2 headers, it's the 332 * offset of the LLC header; this means that it must have a value 333 * that skips VLAN tags. 334 * 335 * For PPP, it's the offset of the PPP type field. 336 * 337 * For Cisco HDLC, it's the offset of the CHDLC type field. 338 * 339 * For BSD loopback, it's the offset of the AF_ value. 340 * 341 * For Linux cooked sockets, it's the offset of the type field. 342 * 343 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 344 * encapsulation, in which case, IP is assumed. 345 */ 346 bpf_abs_offset off_linktype; 347 348 /* 349 * TRUE if the link layer includes an ATM pseudo-header. 350 */ 351 int is_atm; 352 353 /* 354 * TRUE if "geneve" appeared in the filter; it causes us to 355 * generate code that checks for a Geneve header and assume 356 * that later filters apply to the encapsulated payload. 357 */ 358 int is_geneve; 359 360 /* 361 * TRUE if we need variable length part of VLAN offset 362 */ 363 int is_vlan_vloffset; 364 365 /* 366 * These are offsets for the ATM pseudo-header. 367 */ 368 u_int off_vpi; 369 u_int off_vci; 370 u_int off_proto; 371 372 /* 373 * These are offsets for the MTP2 fields. 374 */ 375 u_int off_li; 376 u_int off_li_hsl; 377 378 /* 379 * These are offsets for the MTP3 fields. 380 */ 381 u_int off_sio; 382 u_int off_opc; 383 u_int off_dpc; 384 u_int off_sls; 385 386 /* 387 * This is the offset of the first byte after the ATM pseudo_header, 388 * or -1 if there is no ATM pseudo-header. 389 */ 390 u_int off_payload; 391 392 /* 393 * These are offsets to the beginning of the network-layer header. 394 * They are relative to the beginning of the link-layer payload 395 * (i.e., they don't include off_linkhdr.constant_part or 396 * off_linkpl.constant_part). 397 * 398 * If the link layer never uses 802.2 LLC: 399 * 400 * "off_nl" and "off_nl_nosnap" are the same. 401 * 402 * If the link layer always uses 802.2 LLC: 403 * 404 * "off_nl" is the offset if there's a SNAP header following 405 * the 802.2 header; 406 * 407 * "off_nl_nosnap" is the offset if there's no SNAP header. 408 * 409 * If the link layer is Ethernet: 410 * 411 * "off_nl" is the offset if the packet is an Ethernet II packet 412 * (we assume no 802.3+802.2+SNAP); 413 * 414 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 415 * with an 802.2 header following it. 416 */ 417 u_int off_nl; 418 u_int off_nl_nosnap; 419 420 /* 421 * Here we handle simple allocation of the scratch registers. 422 * If too many registers are alloc'd, the allocator punts. 423 */ 424 int regused[BPF_MEMWORDS]; 425 int curreg; 426 427 /* 428 * Memory chunks. 429 */ 430 struct chunk chunks[NCHUNKS]; 431 int cur_chunk; 432 }; 433 434 /* 435 * For use by routines outside this file. 436 */ 437 /* VARARGS */ 438 void 439 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...) 440 { 441 va_list ap; 442 443 va_start(ap, fmt); 444 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 445 fmt, ap); 446 va_end(ap); 447 } 448 449 /* 450 * For use *ONLY* in routines in this file. 451 */ 452 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...) 453 PCAP_PRINTFLIKE(2, 3); 454 455 /* VARARGS */ 456 static void PCAP_NORETURN 457 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 458 { 459 va_list ap; 460 461 va_start(ap, fmt); 462 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 463 fmt, ap); 464 va_end(ap); 465 longjmp(cstate->top_ctx, 1); 466 /*NOTREACHED*/ 467 } 468 469 static int init_linktype(compiler_state_t *, pcap_t *); 470 471 static void init_regs(compiler_state_t *); 472 static int alloc_reg(compiler_state_t *); 473 static void free_reg(compiler_state_t *, int); 474 475 static void initchunks(compiler_state_t *cstate); 476 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t); 477 static void *newchunk(compiler_state_t *cstate, size_t); 478 static void freechunks(compiler_state_t *cstate); 479 static inline struct block *new_block(compiler_state_t *cstate, int); 480 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 481 static struct block *gen_retblk(compiler_state_t *cstate, int); 482 static inline void syntax(compiler_state_t *cstate); 483 484 static void backpatch(struct block *, struct block *); 485 static void merge(struct block *, struct block *); 486 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 487 u_int, bpf_int32); 488 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 489 u_int, bpf_int32); 490 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 491 u_int, bpf_int32); 492 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 493 u_int, bpf_int32); 494 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 495 u_int, bpf_int32); 496 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 497 u_int, bpf_int32, bpf_u_int32); 498 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 499 u_int, const u_char *); 500 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 501 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 502 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 503 u_int, u_int); 504 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 505 u_int); 506 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 507 static struct block *gen_uncond(compiler_state_t *, int); 508 static inline struct block *gen_true(compiler_state_t *); 509 static inline struct block *gen_false(compiler_state_t *); 510 static struct block *gen_ether_linktype(compiler_state_t *, int); 511 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 512 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 513 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 514 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 515 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 516 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 517 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 518 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 519 bpf_abs_offset *); 520 static int ethertype_to_ppptype(int); 521 static struct block *gen_linktype(compiler_state_t *, int); 522 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 523 static struct block *gen_llc_linktype(compiler_state_t *, int); 524 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 525 int, int, u_int, u_int); 526 #ifdef INET6 527 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 528 struct in6_addr *, int, int, u_int, u_int); 529 #endif 530 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 531 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 532 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 533 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 534 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 535 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 536 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 537 static struct block *gen_mpls_linktype(compiler_state_t *, int); 538 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 539 int, int, int); 540 #ifdef INET6 541 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 542 struct in6_addr *, int, int, int); 543 #endif 544 #ifndef INET6 545 static struct block *gen_gateway(compiler_state_t *, const u_char *, 546 struct addrinfo *, int, int); 547 #endif 548 static struct block *gen_ipfrag(compiler_state_t *); 549 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 550 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 551 bpf_int32); 552 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 553 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 554 bpf_int32); 555 struct block *gen_portop(compiler_state_t *, int, int, int); 556 static struct block *gen_port(compiler_state_t *, int, int, int); 557 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 558 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 559 struct block *gen_portop6(compiler_state_t *, int, int, int); 560 static struct block *gen_port6(compiler_state_t *, int, int, int); 561 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 562 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 563 static int lookup_proto(compiler_state_t *, const char *, int); 564 static struct block *gen_protochain(compiler_state_t *, int, int, int); 565 static struct block *gen_proto(compiler_state_t *, int, int, int); 566 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 567 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 568 static struct block *gen_mac_multicast(compiler_state_t *, int); 569 static struct block *gen_len(compiler_state_t *, int, int); 570 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 571 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 572 573 static struct block *gen_ppi_dlt_check(compiler_state_t *); 574 static struct block *gen_atmfield_code_internal(compiler_state_t *, int, 575 bpf_int32, bpf_u_int32, int); 576 static struct block *gen_atmtype_llc(compiler_state_t *); 577 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 578 579 static void 580 initchunks(compiler_state_t *cstate) 581 { 582 int i; 583 584 for (i = 0; i < NCHUNKS; i++) { 585 cstate->chunks[i].n_left = 0; 586 cstate->chunks[i].m = NULL; 587 } 588 cstate->cur_chunk = 0; 589 } 590 591 static void * 592 newchunk_nolongjmp(compiler_state_t *cstate, size_t n) 593 { 594 struct chunk *cp; 595 int k; 596 size_t size; 597 598 #ifndef __NetBSD__ 599 /* XXX Round up to nearest long. */ 600 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 601 #else 602 /* XXX Round up to structure boundary. */ 603 n = ALIGN(n); 604 #endif 605 606 cp = &cstate->chunks[cstate->cur_chunk]; 607 if (n > cp->n_left) { 608 ++cp; 609 k = ++cstate->cur_chunk; 610 if (k >= NCHUNKS) { 611 bpf_set_error(cstate, "out of memory"); 612 return (NULL); 613 } 614 size = CHUNK0SIZE << k; 615 cp->m = (void *)malloc(size); 616 if (cp->m == NULL) { 617 bpf_set_error(cstate, "out of memory"); 618 return (NULL); 619 } 620 memset((char *)cp->m, 0, size); 621 cp->n_left = size; 622 if (n > size) { 623 bpf_set_error(cstate, "out of memory"); 624 return (NULL); 625 } 626 } 627 cp->n_left -= n; 628 return (void *)((char *)cp->m + cp->n_left); 629 } 630 631 static void * 632 newchunk(compiler_state_t *cstate, size_t n) 633 { 634 void *p; 635 636 p = newchunk_nolongjmp(cstate, n); 637 if (p == NULL) { 638 longjmp(cstate->top_ctx, 1); 639 /*NOTREACHED*/ 640 } 641 return (p); 642 } 643 644 static void 645 freechunks(compiler_state_t *cstate) 646 { 647 int i; 648 649 for (i = 0; i < NCHUNKS; ++i) 650 if (cstate->chunks[i].m != NULL) 651 free(cstate->chunks[i].m); 652 } 653 654 /* 655 * A strdup whose allocations are freed after code generation is over. 656 * This is used by the lexical analyzer, so it can't longjmp; it just 657 * returns NULL on an allocation error, and the callers must check 658 * for it. 659 */ 660 char * 661 sdup(compiler_state_t *cstate, const char *s) 662 { 663 size_t n = strlen(s) + 1; 664 char *cp = newchunk_nolongjmp(cstate, n); 665 666 if (cp == NULL) 667 return (NULL); 668 pcap_strlcpy(cp, s, n); 669 return (cp); 670 } 671 672 static inline struct block * 673 new_block(compiler_state_t *cstate, int code) 674 { 675 struct block *p; 676 677 p = (struct block *)newchunk(cstate, sizeof(*p)); 678 p->s.code = code; 679 p->head = p; 680 681 return p; 682 } 683 684 static inline struct slist * 685 new_stmt(compiler_state_t *cstate, int code) 686 { 687 struct slist *p; 688 689 p = (struct slist *)newchunk(cstate, sizeof(*p)); 690 p->s.code = code; 691 692 return p; 693 } 694 695 static struct block * 696 gen_retblk(compiler_state_t *cstate, int v) 697 { 698 struct block *b = new_block(cstate, BPF_RET|BPF_K); 699 700 b->s.k = v; 701 return b; 702 } 703 704 static inline PCAP_NORETURN_DEF void 705 syntax(compiler_state_t *cstate) 706 { 707 bpf_error(cstate, "syntax error in filter expression"); 708 } 709 710 int 711 pcap_compile(pcap_t *p, struct bpf_program *program, 712 const char *buf, int optimize, bpf_u_int32 mask) 713 { 714 #ifdef _WIN32 715 static int done = 0; 716 #endif 717 compiler_state_t cstate; 718 const char * volatile xbuf = buf; 719 yyscan_t scanner = NULL; 720 volatile YY_BUFFER_STATE in_buffer = NULL; 721 u_int len; 722 int rc; 723 724 /* 725 * If this pcap_t hasn't been activated, it doesn't have a 726 * link-layer type, so we can't use it. 727 */ 728 if (!p->activated) { 729 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 730 "not-yet-activated pcap_t passed to pcap_compile"); 731 return (-1); 732 } 733 734 #ifdef _WIN32 735 if (!done) 736 pcap_wsockinit(); 737 done = 1; 738 #endif 739 740 #ifdef ENABLE_REMOTE 741 /* 742 * If the device on which we're capturing need to be notified 743 * that a new filter is being compiled, do so. 744 * 745 * This allows them to save a copy of it, in case, for example, 746 * they're implementing a form of remote packet capture, and 747 * want the remote machine to filter out the packets in which 748 * it's sending the packets it's captured. 749 * 750 * XXX - the fact that we happen to be compiling a filter 751 * doesn't necessarily mean we'll be installing it as the 752 * filter for this pcap_t; we might be running it from userland 753 * on captured packets to do packet classification. We really 754 * need a better way of handling this, but this is all that 755 * the WinPcap remote capture code did. 756 */ 757 if (p->save_current_filter_op != NULL) 758 (p->save_current_filter_op)(p, buf); 759 #endif 760 761 initchunks(&cstate); 762 cstate.no_optimize = 0; 763 #ifdef INET6 764 cstate.ai = NULL; 765 #endif 766 cstate.e = NULL; 767 cstate.ic.root = NULL; 768 cstate.ic.cur_mark = 0; 769 cstate.bpf_pcap = p; 770 init_regs(&cstate); 771 772 cstate.netmask = mask; 773 774 cstate.snaplen = pcap_snapshot(p); 775 if (cstate.snaplen == 0) { 776 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 777 "snaplen of 0 rejects all packets"); 778 rc = -1; 779 goto quit; 780 } 781 782 if (pcap_lex_init(&scanner) != 0) 783 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 784 errno, "can't initialize scanner"); 785 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 786 787 /* 788 * Associate the compiler state with the lexical analyzer 789 * state. 790 */ 791 pcap_set_extra(&cstate, scanner); 792 793 if (init_linktype(&cstate, p) == -1) { 794 rc = -1; 795 goto quit; 796 } 797 if (pcap_parse(scanner, &cstate) != 0) { 798 #ifdef INET6 799 if (cstate.ai != NULL) 800 freeaddrinfo(cstate.ai); 801 #endif 802 if (cstate.e != NULL) 803 free(cstate.e); 804 rc = -1; 805 goto quit; 806 } 807 808 if (cstate.ic.root == NULL) { 809 /* 810 * Catch errors reported by gen_retblk(). 811 */ 812 if (setjmp(cstate.top_ctx)) { 813 rc = -1; 814 goto quit; 815 } 816 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 817 } 818 819 if (optimize && !cstate.no_optimize) { 820 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) { 821 /* Failure */ 822 rc = -1; 823 goto quit; 824 } 825 if (cstate.ic.root == NULL || 826 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) { 827 (void)pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 828 "expression rejects all packets"); 829 rc = -1; 830 goto quit; 831 } 832 } 833 program->bf_insns = icode_to_fcode(&cstate.ic, 834 cstate.ic.root, &len, p->errbuf); 835 if (program->bf_insns == NULL) { 836 /* Failure */ 837 rc = -1; 838 goto quit; 839 } 840 program->bf_len = len; 841 842 rc = 0; /* We're all okay */ 843 844 quit: 845 /* 846 * Clean up everything for the lexical analyzer. 847 */ 848 if (in_buffer != NULL) 849 pcap__delete_buffer(in_buffer, scanner); 850 if (scanner != NULL) 851 pcap_lex_destroy(scanner); 852 853 /* 854 * Clean up our own allocated memory. 855 */ 856 freechunks(&cstate); 857 858 return (rc); 859 } 860 861 /* 862 * entry point for using the compiler with no pcap open 863 * pass in all the stuff that is needed explicitly instead. 864 */ 865 int 866 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 867 struct bpf_program *program, 868 const char *buf, int optimize, bpf_u_int32 mask) 869 { 870 pcap_t *p; 871 int ret; 872 873 p = pcap_open_dead(linktype_arg, snaplen_arg); 874 if (p == NULL) 875 return (-1); 876 ret = pcap_compile(p, program, buf, optimize, mask); 877 pcap_close(p); 878 return (ret); 879 } 880 881 /* 882 * Clean up a "struct bpf_program" by freeing all the memory allocated 883 * in it. 884 */ 885 void 886 pcap_freecode(struct bpf_program *program) 887 { 888 program->bf_len = 0; 889 if (program->bf_insns != NULL) { 890 free((char *)program->bf_insns); 891 program->bf_insns = NULL; 892 } 893 } 894 895 /* 896 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 897 * which of the jt and jf fields has been resolved and which is a pointer 898 * back to another unresolved block (or nil). At least one of the fields 899 * in each block is already resolved. 900 */ 901 static void 902 backpatch(struct block *list, struct block *target) 903 { 904 struct block *next; 905 906 while (list) { 907 if (!list->sense) { 908 next = JT(list); 909 JT(list) = target; 910 } else { 911 next = JF(list); 912 JF(list) = target; 913 } 914 list = next; 915 } 916 } 917 918 /* 919 * Merge the lists in b0 and b1, using the 'sense' field to indicate 920 * which of jt and jf is the link. 921 */ 922 static void 923 merge(struct block *b0, struct block *b1) 924 { 925 register struct block **p = &b0; 926 927 /* Find end of list. */ 928 while (*p) 929 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 930 931 /* Concatenate the lists. */ 932 *p = b1; 933 } 934 935 int 936 finish_parse(compiler_state_t *cstate, struct block *p) 937 { 938 struct block *ppi_dlt_check; 939 940 /* 941 * Catch errors reported by us and routines below us, and return -1 942 * on an error. 943 */ 944 if (setjmp(cstate->top_ctx)) 945 return (-1); 946 947 /* 948 * Insert before the statements of the first (root) block any 949 * statements needed to load the lengths of any variable-length 950 * headers into registers. 951 * 952 * XXX - a fancier strategy would be to insert those before the 953 * statements of all blocks that use those lengths and that 954 * have no predecessors that use them, so that we only compute 955 * the lengths if we need them. There might be even better 956 * approaches than that. 957 * 958 * However, those strategies would be more complicated, and 959 * as we don't generate code to compute a length if the 960 * program has no tests that use the length, and as most 961 * tests will probably use those lengths, we would just 962 * postpone computing the lengths so that it's not done 963 * for tests that fail early, and it's not clear that's 964 * worth the effort. 965 */ 966 insert_compute_vloffsets(cstate, p->head); 967 968 /* 969 * For DLT_PPI captures, generate a check of the per-packet 970 * DLT value to make sure it's DLT_IEEE802_11. 971 * 972 * XXX - TurboCap cards use DLT_PPI for Ethernet. 973 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 974 * with appropriate Ethernet information and use that rather 975 * than using something such as DLT_PPI where you don't know 976 * the link-layer header type until runtime, which, in the 977 * general case, would force us to generate both Ethernet *and* 978 * 802.11 code (*and* anything else for which PPI is used) 979 * and choose between them early in the BPF program? 980 */ 981 ppi_dlt_check = gen_ppi_dlt_check(cstate); 982 if (ppi_dlt_check != NULL) 983 gen_and(ppi_dlt_check, p); 984 985 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 986 p->sense = !p->sense; 987 backpatch(p, gen_retblk(cstate, 0)); 988 cstate->ic.root = p->head; 989 return (0); 990 } 991 992 void 993 gen_and(struct block *b0, struct block *b1) 994 { 995 backpatch(b0, b1->head); 996 b0->sense = !b0->sense; 997 b1->sense = !b1->sense; 998 merge(b1, b0); 999 b1->sense = !b1->sense; 1000 b1->head = b0->head; 1001 } 1002 1003 void 1004 gen_or(struct block *b0, struct block *b1) 1005 { 1006 b0->sense = !b0->sense; 1007 backpatch(b0, b1->head); 1008 b0->sense = !b0->sense; 1009 merge(b1, b0); 1010 b1->head = b0->head; 1011 } 1012 1013 void 1014 gen_not(struct block *b) 1015 { 1016 b->sense = !b->sense; 1017 } 1018 1019 static struct block * 1020 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1021 u_int size, bpf_int32 v) 1022 { 1023 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 1024 } 1025 1026 static struct block * 1027 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1028 u_int size, bpf_int32 v) 1029 { 1030 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 1031 } 1032 1033 static struct block * 1034 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1035 u_int size, bpf_int32 v) 1036 { 1037 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 1038 } 1039 1040 static struct block * 1041 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1042 u_int size, bpf_int32 v) 1043 { 1044 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 1045 } 1046 1047 static struct block * 1048 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1049 u_int size, bpf_int32 v) 1050 { 1051 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 1052 } 1053 1054 static struct block * 1055 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1056 u_int size, bpf_int32 v, bpf_u_int32 mask) 1057 { 1058 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 1059 } 1060 1061 static struct block * 1062 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1063 u_int size, const u_char *v) 1064 { 1065 register struct block *b, *tmp; 1066 1067 /* 1068 * XXX - the actual *instructions* do unsigned comparisons on 1069 * most platforms, and the load instructions don't do sign 1070 * extension, so gen_cmp() should really take an unsigned 1071 * value argument. 1072 * 1073 * As the load instructons also don't do sign-extension, we 1074 * fetch the values from the byte array as unsigned. We don't 1075 * want to use the signed versions of the extract calls. 1076 */ 1077 b = NULL; 1078 while (size >= 4) { 1079 register const u_char *p = &v[size - 4]; 1080 1081 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, 1082 (bpf_int32)EXTRACT_32BITS(p)); 1083 if (b != NULL) 1084 gen_and(b, tmp); 1085 b = tmp; 1086 size -= 4; 1087 } 1088 while (size >= 2) { 1089 register const u_char *p = &v[size - 2]; 1090 1091 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, 1092 (bpf_int32)EXTRACT_16BITS(p)); 1093 if (b != NULL) 1094 gen_and(b, tmp); 1095 b = tmp; 1096 size -= 2; 1097 } 1098 if (size > 0) { 1099 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 1100 if (b != NULL) 1101 gen_and(b, tmp); 1102 b = tmp; 1103 } 1104 return b; 1105 } 1106 1107 /* 1108 * AND the field of size "size" at offset "offset" relative to the header 1109 * specified by "offrel" with "mask", and compare it with the value "v" 1110 * with the test specified by "jtype"; if "reverse" is true, the test 1111 * should test the opposite of "jtype". 1112 */ 1113 static struct block * 1114 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1115 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1116 bpf_int32 v) 1117 { 1118 struct slist *s, *s2; 1119 struct block *b; 1120 1121 s = gen_load_a(cstate, offrel, offset, size); 1122 1123 if (mask != 0xffffffff) { 1124 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1125 s2->s.k = mask; 1126 sappend(s, s2); 1127 } 1128 1129 b = new_block(cstate, JMP(jtype)); 1130 b->stmts = s; 1131 b->s.k = v; 1132 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1133 gen_not(b); 1134 return b; 1135 } 1136 1137 static int 1138 init_linktype(compiler_state_t *cstate, pcap_t *p) 1139 { 1140 cstate->pcap_fddipad = p->fddipad; 1141 1142 /* 1143 * We start out with only one link-layer header. 1144 */ 1145 cstate->outermostlinktype = pcap_datalink(p); 1146 cstate->off_outermostlinkhdr.constant_part = 0; 1147 cstate->off_outermostlinkhdr.is_variable = 0; 1148 cstate->off_outermostlinkhdr.reg = -1; 1149 1150 cstate->prevlinktype = cstate->outermostlinktype; 1151 cstate->off_prevlinkhdr.constant_part = 0; 1152 cstate->off_prevlinkhdr.is_variable = 0; 1153 cstate->off_prevlinkhdr.reg = -1; 1154 1155 cstate->linktype = cstate->outermostlinktype; 1156 cstate->off_linkhdr.constant_part = 0; 1157 cstate->off_linkhdr.is_variable = 0; 1158 cstate->off_linkhdr.reg = -1; 1159 1160 /* 1161 * XXX 1162 */ 1163 cstate->off_linkpl.constant_part = 0; 1164 cstate->off_linkpl.is_variable = 0; 1165 cstate->off_linkpl.reg = -1; 1166 1167 cstate->off_linktype.constant_part = 0; 1168 cstate->off_linktype.is_variable = 0; 1169 cstate->off_linktype.reg = -1; 1170 1171 /* 1172 * Assume it's not raw ATM with a pseudo-header, for now. 1173 */ 1174 cstate->is_atm = 0; 1175 cstate->off_vpi = OFFSET_NOT_SET; 1176 cstate->off_vci = OFFSET_NOT_SET; 1177 cstate->off_proto = OFFSET_NOT_SET; 1178 cstate->off_payload = OFFSET_NOT_SET; 1179 1180 /* 1181 * And not Geneve. 1182 */ 1183 cstate->is_geneve = 0; 1184 1185 /* 1186 * No variable length VLAN offset by default 1187 */ 1188 cstate->is_vlan_vloffset = 0; 1189 1190 /* 1191 * And assume we're not doing SS7. 1192 */ 1193 cstate->off_li = OFFSET_NOT_SET; 1194 cstate->off_li_hsl = OFFSET_NOT_SET; 1195 cstate->off_sio = OFFSET_NOT_SET; 1196 cstate->off_opc = OFFSET_NOT_SET; 1197 cstate->off_dpc = OFFSET_NOT_SET; 1198 cstate->off_sls = OFFSET_NOT_SET; 1199 1200 cstate->label_stack_depth = 0; 1201 cstate->vlan_stack_depth = 0; 1202 1203 switch (cstate->linktype) { 1204 1205 case DLT_ARCNET: 1206 cstate->off_linktype.constant_part = 2; 1207 cstate->off_linkpl.constant_part = 6; 1208 cstate->off_nl = 0; /* XXX in reality, variable! */ 1209 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1210 break; 1211 1212 case DLT_ARCNET_LINUX: 1213 cstate->off_linktype.constant_part = 4; 1214 cstate->off_linkpl.constant_part = 8; 1215 cstate->off_nl = 0; /* XXX in reality, variable! */ 1216 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1217 break; 1218 1219 case DLT_EN10MB: 1220 cstate->off_linktype.constant_part = 12; 1221 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1222 cstate->off_nl = 0; /* Ethernet II */ 1223 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1224 break; 1225 1226 case DLT_SLIP: 1227 /* 1228 * SLIP doesn't have a link level type. The 16 byte 1229 * header is hacked into our SLIP driver. 1230 */ 1231 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1232 cstate->off_linkpl.constant_part = 16; 1233 cstate->off_nl = 0; 1234 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1235 break; 1236 1237 case DLT_SLIP_BSDOS: 1238 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1239 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1240 /* XXX end */ 1241 cstate->off_linkpl.constant_part = 24; 1242 cstate->off_nl = 0; 1243 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1244 break; 1245 1246 case DLT_NULL: 1247 case DLT_LOOP: 1248 cstate->off_linktype.constant_part = 0; 1249 cstate->off_linkpl.constant_part = 4; 1250 cstate->off_nl = 0; 1251 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1252 break; 1253 1254 case DLT_ENC: 1255 cstate->off_linktype.constant_part = 0; 1256 cstate->off_linkpl.constant_part = 12; 1257 cstate->off_nl = 0; 1258 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1259 break; 1260 1261 case DLT_PPP: 1262 case DLT_PPP_PPPD: 1263 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1264 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1265 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1266 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1267 cstate->off_nl = 0; 1268 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1269 break; 1270 1271 case DLT_PPP_ETHER: 1272 /* 1273 * This does no include the Ethernet header, and 1274 * only covers session state. 1275 */ 1276 cstate->off_linktype.constant_part = 6; 1277 cstate->off_linkpl.constant_part = 8; 1278 cstate->off_nl = 0; 1279 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1280 break; 1281 1282 case DLT_PPP_BSDOS: 1283 cstate->off_linktype.constant_part = 5; 1284 cstate->off_linkpl.constant_part = 24; 1285 cstate->off_nl = 0; 1286 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1287 break; 1288 1289 case DLT_FDDI: 1290 /* 1291 * FDDI doesn't really have a link-level type field. 1292 * We set "off_linktype" to the offset of the LLC header. 1293 * 1294 * To check for Ethernet types, we assume that SSAP = SNAP 1295 * is being used and pick out the encapsulated Ethernet type. 1296 * XXX - should we generate code to check for SNAP? 1297 */ 1298 cstate->off_linktype.constant_part = 13; 1299 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1300 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1301 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1302 cstate->off_nl = 8; /* 802.2+SNAP */ 1303 cstate->off_nl_nosnap = 3; /* 802.2 */ 1304 break; 1305 1306 case DLT_IEEE802: 1307 /* 1308 * Token Ring doesn't really have a link-level type field. 1309 * We set "off_linktype" to the offset of the LLC header. 1310 * 1311 * To check for Ethernet types, we assume that SSAP = SNAP 1312 * is being used and pick out the encapsulated Ethernet type. 1313 * XXX - should we generate code to check for SNAP? 1314 * 1315 * XXX - the header is actually variable-length. 1316 * Some various Linux patched versions gave 38 1317 * as "off_linktype" and 40 as "off_nl"; however, 1318 * if a token ring packet has *no* routing 1319 * information, i.e. is not source-routed, the correct 1320 * values are 20 and 22, as they are in the vanilla code. 1321 * 1322 * A packet is source-routed iff the uppermost bit 1323 * of the first byte of the source address, at an 1324 * offset of 8, has the uppermost bit set. If the 1325 * packet is source-routed, the total number of bytes 1326 * of routing information is 2 plus bits 0x1F00 of 1327 * the 16-bit value at an offset of 14 (shifted right 1328 * 8 - figure out which byte that is). 1329 */ 1330 cstate->off_linktype.constant_part = 14; 1331 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1332 cstate->off_nl = 8; /* 802.2+SNAP */ 1333 cstate->off_nl_nosnap = 3; /* 802.2 */ 1334 break; 1335 1336 case DLT_PRISM_HEADER: 1337 case DLT_IEEE802_11_RADIO_AVS: 1338 case DLT_IEEE802_11_RADIO: 1339 cstate->off_linkhdr.is_variable = 1; 1340 /* Fall through, 802.11 doesn't have a variable link 1341 * prefix but is otherwise the same. */ 1342 /* FALLTHROUGH */ 1343 1344 case DLT_IEEE802_11: 1345 /* 1346 * 802.11 doesn't really have a link-level type field. 1347 * We set "off_linktype.constant_part" to the offset of 1348 * the LLC header. 1349 * 1350 * To check for Ethernet types, we assume that SSAP = SNAP 1351 * is being used and pick out the encapsulated Ethernet type. 1352 * XXX - should we generate code to check for SNAP? 1353 * 1354 * We also handle variable-length radio headers here. 1355 * The Prism header is in theory variable-length, but in 1356 * practice it's always 144 bytes long. However, some 1357 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1358 * sometimes or always supply an AVS header, so we 1359 * have to check whether the radio header is a Prism 1360 * header or an AVS header, so, in practice, it's 1361 * variable-length. 1362 */ 1363 cstate->off_linktype.constant_part = 24; 1364 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1365 cstate->off_linkpl.is_variable = 1; 1366 cstate->off_nl = 8; /* 802.2+SNAP */ 1367 cstate->off_nl_nosnap = 3; /* 802.2 */ 1368 break; 1369 1370 case DLT_PPI: 1371 /* 1372 * At the moment we treat PPI the same way that we treat 1373 * normal Radiotap encoded packets. The difference is in 1374 * the function that generates the code at the beginning 1375 * to compute the header length. Since this code generator 1376 * of PPI supports bare 802.11 encapsulation only (i.e. 1377 * the encapsulated DLT should be DLT_IEEE802_11) we 1378 * generate code to check for this too. 1379 */ 1380 cstate->off_linktype.constant_part = 24; 1381 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1382 cstate->off_linkpl.is_variable = 1; 1383 cstate->off_linkhdr.is_variable = 1; 1384 cstate->off_nl = 8; /* 802.2+SNAP */ 1385 cstate->off_nl_nosnap = 3; /* 802.2 */ 1386 break; 1387 1388 case DLT_ATM_RFC1483: 1389 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1390 /* 1391 * assume routed, non-ISO PDUs 1392 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1393 * 1394 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1395 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1396 * latter would presumably be treated the way PPPoE 1397 * should be, so you can do "pppoe and udp port 2049" 1398 * or "pppoa and tcp port 80" and have it check for 1399 * PPPo{A,E} and a PPP protocol of IP and.... 1400 */ 1401 cstate->off_linktype.constant_part = 0; 1402 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1403 cstate->off_nl = 8; /* 802.2+SNAP */ 1404 cstate->off_nl_nosnap = 3; /* 802.2 */ 1405 break; 1406 1407 case DLT_SUNATM: 1408 /* 1409 * Full Frontal ATM; you get AALn PDUs with an ATM 1410 * pseudo-header. 1411 */ 1412 cstate->is_atm = 1; 1413 cstate->off_vpi = SUNATM_VPI_POS; 1414 cstate->off_vci = SUNATM_VCI_POS; 1415 cstate->off_proto = PROTO_POS; 1416 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1417 cstate->off_linktype.constant_part = cstate->off_payload; 1418 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1419 cstate->off_nl = 8; /* 802.2+SNAP */ 1420 cstate->off_nl_nosnap = 3; /* 802.2 */ 1421 break; 1422 1423 case DLT_RAW: 1424 case DLT_IPV4: 1425 case DLT_IPV6: 1426 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1427 cstate->off_linkpl.constant_part = 0; 1428 cstate->off_nl = 0; 1429 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1430 break; 1431 1432 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */ 1433 cstate->off_linktype.constant_part = 14; 1434 cstate->off_linkpl.constant_part = 16; 1435 cstate->off_nl = 0; 1436 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1437 break; 1438 1439 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */ 1440 cstate->off_linktype.constant_part = 0; 1441 cstate->off_linkpl.constant_part = 20; 1442 cstate->off_nl = 0; 1443 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1444 break; 1445 1446 case DLT_LTALK: 1447 /* 1448 * LocalTalk does have a 1-byte type field in the LLAP header, 1449 * but really it just indicates whether there is a "short" or 1450 * "long" DDP packet following. 1451 */ 1452 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1453 cstate->off_linkpl.constant_part = 0; 1454 cstate->off_nl = 0; 1455 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1456 break; 1457 1458 case DLT_IP_OVER_FC: 1459 /* 1460 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1461 * link-level type field. We set "off_linktype" to the 1462 * offset of the LLC header. 1463 * 1464 * To check for Ethernet types, we assume that SSAP = SNAP 1465 * is being used and pick out the encapsulated Ethernet type. 1466 * XXX - should we generate code to check for SNAP? RFC 1467 * 2625 says SNAP should be used. 1468 */ 1469 cstate->off_linktype.constant_part = 16; 1470 cstate->off_linkpl.constant_part = 16; 1471 cstate->off_nl = 8; /* 802.2+SNAP */ 1472 cstate->off_nl_nosnap = 3; /* 802.2 */ 1473 break; 1474 1475 case DLT_FRELAY: 1476 /* 1477 * XXX - we should set this to handle SNAP-encapsulated 1478 * frames (NLPID of 0x80). 1479 */ 1480 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1481 cstate->off_linkpl.constant_part = 0; 1482 cstate->off_nl = 0; 1483 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1484 break; 1485 1486 /* 1487 * the only BPF-interesting FRF.16 frames are non-control frames; 1488 * Frame Relay has a variable length link-layer 1489 * so lets start with offset 4 for now and increments later on (FIXME); 1490 */ 1491 case DLT_MFR: 1492 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1493 cstate->off_linkpl.constant_part = 0; 1494 cstate->off_nl = 4; 1495 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1496 break; 1497 1498 case DLT_APPLE_IP_OVER_IEEE1394: 1499 cstate->off_linktype.constant_part = 16; 1500 cstate->off_linkpl.constant_part = 18; 1501 cstate->off_nl = 0; 1502 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1503 break; 1504 1505 case DLT_SYMANTEC_FIREWALL: 1506 cstate->off_linktype.constant_part = 6; 1507 cstate->off_linkpl.constant_part = 44; 1508 cstate->off_nl = 0; /* Ethernet II */ 1509 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1510 break; 1511 1512 #ifdef HAVE_NET_PFVAR_H 1513 case DLT_PFLOG: 1514 cstate->off_linktype.constant_part = 0; 1515 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1516 cstate->off_nl = 0; 1517 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1518 break; 1519 #endif 1520 1521 case DLT_JUNIPER_MFR: 1522 case DLT_JUNIPER_MLFR: 1523 case DLT_JUNIPER_MLPPP: 1524 case DLT_JUNIPER_PPP: 1525 case DLT_JUNIPER_CHDLC: 1526 case DLT_JUNIPER_FRELAY: 1527 cstate->off_linktype.constant_part = 4; 1528 cstate->off_linkpl.constant_part = 4; 1529 cstate->off_nl = 0; 1530 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1531 break; 1532 1533 case DLT_JUNIPER_ATM1: 1534 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1535 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1536 cstate->off_nl = 0; 1537 cstate->off_nl_nosnap = 10; 1538 break; 1539 1540 case DLT_JUNIPER_ATM2: 1541 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1542 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1543 cstate->off_nl = 0; 1544 cstate->off_nl_nosnap = 10; 1545 break; 1546 1547 /* frames captured on a Juniper PPPoE service PIC 1548 * contain raw ethernet frames */ 1549 case DLT_JUNIPER_PPPOE: 1550 case DLT_JUNIPER_ETHER: 1551 cstate->off_linkpl.constant_part = 14; 1552 cstate->off_linktype.constant_part = 16; 1553 cstate->off_nl = 18; /* Ethernet II */ 1554 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1555 break; 1556 1557 case DLT_JUNIPER_PPPOE_ATM: 1558 cstate->off_linktype.constant_part = 4; 1559 cstate->off_linkpl.constant_part = 6; 1560 cstate->off_nl = 0; 1561 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1562 break; 1563 1564 case DLT_JUNIPER_GGSN: 1565 cstate->off_linktype.constant_part = 6; 1566 cstate->off_linkpl.constant_part = 12; 1567 cstate->off_nl = 0; 1568 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1569 break; 1570 1571 case DLT_JUNIPER_ES: 1572 cstate->off_linktype.constant_part = 6; 1573 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1574 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1575 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1576 break; 1577 1578 case DLT_JUNIPER_MONITOR: 1579 cstate->off_linktype.constant_part = 12; 1580 cstate->off_linkpl.constant_part = 12; 1581 cstate->off_nl = 0; /* raw IP/IP6 header */ 1582 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1583 break; 1584 1585 case DLT_BACNET_MS_TP: 1586 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1587 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1588 cstate->off_nl = OFFSET_NOT_SET; 1589 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1590 break; 1591 1592 case DLT_JUNIPER_SERVICES: 1593 cstate->off_linktype.constant_part = 12; 1594 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1595 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1596 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1597 break; 1598 1599 case DLT_JUNIPER_VP: 1600 cstate->off_linktype.constant_part = 18; 1601 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1602 cstate->off_nl = OFFSET_NOT_SET; 1603 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1604 break; 1605 1606 case DLT_JUNIPER_ST: 1607 cstate->off_linktype.constant_part = 18; 1608 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1609 cstate->off_nl = OFFSET_NOT_SET; 1610 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1611 break; 1612 1613 case DLT_JUNIPER_ISM: 1614 cstate->off_linktype.constant_part = 8; 1615 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1616 cstate->off_nl = OFFSET_NOT_SET; 1617 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1618 break; 1619 1620 case DLT_JUNIPER_VS: 1621 case DLT_JUNIPER_SRX_E2E: 1622 case DLT_JUNIPER_FIBRECHANNEL: 1623 case DLT_JUNIPER_ATM_CEMIC: 1624 cstate->off_linktype.constant_part = 8; 1625 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1626 cstate->off_nl = OFFSET_NOT_SET; 1627 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1628 break; 1629 1630 case DLT_MTP2: 1631 cstate->off_li = 2; 1632 cstate->off_li_hsl = 4; 1633 cstate->off_sio = 3; 1634 cstate->off_opc = 4; 1635 cstate->off_dpc = 4; 1636 cstate->off_sls = 7; 1637 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1638 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1639 cstate->off_nl = OFFSET_NOT_SET; 1640 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1641 break; 1642 1643 case DLT_MTP2_WITH_PHDR: 1644 cstate->off_li = 6; 1645 cstate->off_li_hsl = 8; 1646 cstate->off_sio = 7; 1647 cstate->off_opc = 8; 1648 cstate->off_dpc = 8; 1649 cstate->off_sls = 11; 1650 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1651 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1652 cstate->off_nl = OFFSET_NOT_SET; 1653 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1654 break; 1655 1656 case DLT_ERF: 1657 cstate->off_li = 22; 1658 cstate->off_li_hsl = 24; 1659 cstate->off_sio = 23; 1660 cstate->off_opc = 24; 1661 cstate->off_dpc = 24; 1662 cstate->off_sls = 27; 1663 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1664 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1665 cstate->off_nl = OFFSET_NOT_SET; 1666 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1667 break; 1668 1669 case DLT_PFSYNC: 1670 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1671 cstate->off_linkpl.constant_part = 4; 1672 cstate->off_nl = 0; 1673 cstate->off_nl_nosnap = 0; 1674 break; 1675 1676 case DLT_AX25_KISS: 1677 /* 1678 * Currently, only raw "link[N:M]" filtering is supported. 1679 */ 1680 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1681 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1682 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1683 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1684 break; 1685 1686 case DLT_IPNET: 1687 cstate->off_linktype.constant_part = 1; 1688 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1689 cstate->off_nl = 0; 1690 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1691 break; 1692 1693 case DLT_NETANALYZER: 1694 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1695 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1696 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1697 cstate->off_nl = 0; /* Ethernet II */ 1698 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1699 break; 1700 1701 case DLT_NETANALYZER_TRANSPARENT: 1702 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1703 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1704 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1705 cstate->off_nl = 0; /* Ethernet II */ 1706 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1707 break; 1708 1709 default: 1710 /* 1711 * For values in the range in which we've assigned new 1712 * DLT_ values, only raw "link[N:M]" filtering is supported. 1713 */ 1714 if (cstate->linktype >= DLT_MATCHING_MIN && 1715 cstate->linktype <= DLT_MATCHING_MAX) { 1716 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1717 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1718 cstate->off_nl = OFFSET_NOT_SET; 1719 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1720 } else { 1721 bpf_set_error(cstate, "unknown data link type %d", cstate->linktype); 1722 return (-1); 1723 } 1724 break; 1725 } 1726 1727 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1728 return (0); 1729 } 1730 1731 /* 1732 * Load a value relative to the specified absolute offset. 1733 */ 1734 static struct slist * 1735 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1736 u_int offset, u_int size) 1737 { 1738 struct slist *s, *s2; 1739 1740 s = gen_abs_offset_varpart(cstate, abs_offset); 1741 1742 /* 1743 * If "s" is non-null, it has code to arrange that the X register 1744 * contains the variable part of the absolute offset, so we 1745 * generate a load relative to that, with an offset of 1746 * abs_offset->constant_part + offset. 1747 * 1748 * Otherwise, we can do an absolute load with an offset of 1749 * abs_offset->constant_part + offset. 1750 */ 1751 if (s != NULL) { 1752 /* 1753 * "s" points to a list of statements that puts the 1754 * variable part of the absolute offset into the X register. 1755 * Do an indirect load, to use the X register as an offset. 1756 */ 1757 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1758 s2->s.k = abs_offset->constant_part + offset; 1759 sappend(s, s2); 1760 } else { 1761 /* 1762 * There is no variable part of the absolute offset, so 1763 * just do an absolute load. 1764 */ 1765 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1766 s->s.k = abs_offset->constant_part + offset; 1767 } 1768 return s; 1769 } 1770 1771 /* 1772 * Load a value relative to the beginning of the specified header. 1773 */ 1774 static struct slist * 1775 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1776 u_int size) 1777 { 1778 struct slist *s, *s2; 1779 1780 /* 1781 * Squelch warnings from compilers that *don't* assume that 1782 * offrel always has a valid enum value and therefore don't 1783 * assume that we'll always go through one of the case arms. 1784 * 1785 * If we have a default case, compilers that *do* assume that 1786 * will then complain about the default case code being 1787 * unreachable. 1788 * 1789 * Damned if you do, damned if you don't. 1790 */ 1791 s = NULL; 1792 1793 switch (offrel) { 1794 1795 case OR_PACKET: 1796 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1797 s->s.k = offset; 1798 break; 1799 1800 case OR_LINKHDR: 1801 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1802 break; 1803 1804 case OR_PREVLINKHDR: 1805 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1806 break; 1807 1808 case OR_LLC: 1809 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1810 break; 1811 1812 case OR_PREVMPLSHDR: 1813 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1814 break; 1815 1816 case OR_LINKPL: 1817 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1818 break; 1819 1820 case OR_LINKPL_NOSNAP: 1821 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1822 break; 1823 1824 case OR_LINKTYPE: 1825 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1826 break; 1827 1828 case OR_TRAN_IPV4: 1829 /* 1830 * Load the X register with the length of the IPv4 header 1831 * (plus the offset of the link-layer header, if it's 1832 * preceded by a variable-length header such as a radio 1833 * header), in bytes. 1834 */ 1835 s = gen_loadx_iphdrlen(cstate); 1836 1837 /* 1838 * Load the item at {offset of the link-layer payload} + 1839 * {offset, relative to the start of the link-layer 1840 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1841 * {specified offset}. 1842 * 1843 * If the offset of the link-layer payload is variable, 1844 * the variable part of that offset is included in the 1845 * value in the X register, and we include the constant 1846 * part in the offset of the load. 1847 */ 1848 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1849 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1850 sappend(s, s2); 1851 break; 1852 1853 case OR_TRAN_IPV6: 1854 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1855 break; 1856 } 1857 return s; 1858 } 1859 1860 /* 1861 * Generate code to load into the X register the sum of the length of 1862 * the IPv4 header and the variable part of the offset of the link-layer 1863 * payload. 1864 */ 1865 static struct slist * 1866 gen_loadx_iphdrlen(compiler_state_t *cstate) 1867 { 1868 struct slist *s, *s2; 1869 1870 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1871 if (s != NULL) { 1872 /* 1873 * The offset of the link-layer payload has a variable 1874 * part. "s" points to a list of statements that put 1875 * the variable part of that offset into the X register. 1876 * 1877 * The 4*([k]&0xf) addressing mode can't be used, as we 1878 * don't have a constant offset, so we have to load the 1879 * value in question into the A register and add to it 1880 * the value from the X register. 1881 */ 1882 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1883 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1884 sappend(s, s2); 1885 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1886 s2->s.k = 0xf; 1887 sappend(s, s2); 1888 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1889 s2->s.k = 2; 1890 sappend(s, s2); 1891 1892 /* 1893 * The A register now contains the length of the IP header. 1894 * We need to add to it the variable part of the offset of 1895 * the link-layer payload, which is still in the X 1896 * register, and move the result into the X register. 1897 */ 1898 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1899 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1900 } else { 1901 /* 1902 * The offset of the link-layer payload is a constant, 1903 * so no code was generated to load the (non-existent) 1904 * variable part of that offset. 1905 * 1906 * This means we can use the 4*([k]&0xf) addressing 1907 * mode. Load the length of the IPv4 header, which 1908 * is at an offset of cstate->off_nl from the beginning of 1909 * the link-layer payload, and thus at an offset of 1910 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1911 * of the raw packet data, using that addressing mode. 1912 */ 1913 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1914 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1915 } 1916 return s; 1917 } 1918 1919 1920 static struct block * 1921 gen_uncond(compiler_state_t *cstate, int rsense) 1922 { 1923 struct block *b; 1924 struct slist *s; 1925 1926 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1927 s->s.k = !rsense; 1928 b = new_block(cstate, JMP(BPF_JEQ)); 1929 b->stmts = s; 1930 1931 return b; 1932 } 1933 1934 static inline struct block * 1935 gen_true(compiler_state_t *cstate) 1936 { 1937 return gen_uncond(cstate, 1); 1938 } 1939 1940 static inline struct block * 1941 gen_false(compiler_state_t *cstate) 1942 { 1943 return gen_uncond(cstate, 0); 1944 } 1945 1946 /* 1947 * Byte-swap a 32-bit number. 1948 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1949 * big-endian platforms.) 1950 */ 1951 #define SWAPLONG(y) \ 1952 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1953 1954 /* 1955 * Generate code to match a particular packet type. 1956 * 1957 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1958 * value, if <= ETHERMTU. We use that to determine whether to 1959 * match the type/length field or to check the type/length field for 1960 * a value <= ETHERMTU to see whether it's a type field and then do 1961 * the appropriate test. 1962 */ 1963 static struct block * 1964 gen_ether_linktype(compiler_state_t *cstate, int proto) 1965 { 1966 struct block *b0, *b1; 1967 1968 switch (proto) { 1969 1970 case LLCSAP_ISONS: 1971 case LLCSAP_IP: 1972 case LLCSAP_NETBEUI: 1973 /* 1974 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1975 * so we check the DSAP and SSAP. 1976 * 1977 * LLCSAP_IP checks for IP-over-802.2, rather 1978 * than IP-over-Ethernet or IP-over-SNAP. 1979 * 1980 * XXX - should we check both the DSAP and the 1981 * SSAP, like this, or should we check just the 1982 * DSAP, as we do for other types <= ETHERMTU 1983 * (i.e., other SAP values)? 1984 */ 1985 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1986 gen_not(b0); 1987 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1988 ((proto << 8) | proto)); 1989 gen_and(b0, b1); 1990 return b1; 1991 1992 case LLCSAP_IPX: 1993 /* 1994 * Check for; 1995 * 1996 * Ethernet_II frames, which are Ethernet 1997 * frames with a frame type of ETHERTYPE_IPX; 1998 * 1999 * Ethernet_802.3 frames, which are 802.3 2000 * frames (i.e., the type/length field is 2001 * a length field, <= ETHERMTU, rather than 2002 * a type field) with the first two bytes 2003 * after the Ethernet/802.3 header being 2004 * 0xFFFF; 2005 * 2006 * Ethernet_802.2 frames, which are 802.3 2007 * frames with an 802.2 LLC header and 2008 * with the IPX LSAP as the DSAP in the LLC 2009 * header; 2010 * 2011 * Ethernet_SNAP frames, which are 802.3 2012 * frames with an LLC header and a SNAP 2013 * header and with an OUI of 0x000000 2014 * (encapsulated Ethernet) and a protocol 2015 * ID of ETHERTYPE_IPX in the SNAP header. 2016 * 2017 * XXX - should we generate the same code both 2018 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 2019 */ 2020 2021 /* 2022 * This generates code to check both for the 2023 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 2024 */ 2025 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2026 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 2027 gen_or(b0, b1); 2028 2029 /* 2030 * Now we add code to check for SNAP frames with 2031 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 2032 */ 2033 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2034 gen_or(b0, b1); 2035 2036 /* 2037 * Now we generate code to check for 802.3 2038 * frames in general. 2039 */ 2040 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2041 gen_not(b0); 2042 2043 /* 2044 * Now add the check for 802.3 frames before the 2045 * check for Ethernet_802.2 and Ethernet_802.3, 2046 * as those checks should only be done on 802.3 2047 * frames, not on Ethernet frames. 2048 */ 2049 gen_and(b0, b1); 2050 2051 /* 2052 * Now add the check for Ethernet_II frames, and 2053 * do that before checking for the other frame 2054 * types. 2055 */ 2056 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2057 gen_or(b0, b1); 2058 return b1; 2059 2060 case ETHERTYPE_ATALK: 2061 case ETHERTYPE_AARP: 2062 /* 2063 * EtherTalk (AppleTalk protocols on Ethernet link 2064 * layer) may use 802.2 encapsulation. 2065 */ 2066 2067 /* 2068 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2069 * we check for an Ethernet type field less than 2070 * 1500, which means it's an 802.3 length field. 2071 */ 2072 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2073 gen_not(b0); 2074 2075 /* 2076 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2077 * SNAP packets with an organization code of 2078 * 0x080007 (Apple, for Appletalk) and a protocol 2079 * type of ETHERTYPE_ATALK (Appletalk). 2080 * 2081 * 802.2-encapsulated ETHERTYPE_AARP packets are 2082 * SNAP packets with an organization code of 2083 * 0x000000 (encapsulated Ethernet) and a protocol 2084 * type of ETHERTYPE_AARP (Appletalk ARP). 2085 */ 2086 if (proto == ETHERTYPE_ATALK) 2087 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2088 else /* proto == ETHERTYPE_AARP */ 2089 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2090 gen_and(b0, b1); 2091 2092 /* 2093 * Check for Ethernet encapsulation (Ethertalk 2094 * phase 1?); we just check for the Ethernet 2095 * protocol type. 2096 */ 2097 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2098 2099 gen_or(b0, b1); 2100 return b1; 2101 2102 default: 2103 if (proto <= ETHERMTU) { 2104 /* 2105 * This is an LLC SAP value, so the frames 2106 * that match would be 802.2 frames. 2107 * Check that the frame is an 802.2 frame 2108 * (i.e., that the length/type field is 2109 * a length field, <= ETHERMTU) and 2110 * then check the DSAP. 2111 */ 2112 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2113 gen_not(b0); 2114 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 2115 gen_and(b0, b1); 2116 return b1; 2117 } else { 2118 /* 2119 * This is an Ethernet type, so compare 2120 * the length/type field with it (if 2121 * the frame is an 802.2 frame, the length 2122 * field will be <= ETHERMTU, and, as 2123 * "proto" is > ETHERMTU, this test 2124 * will fail and the frame won't match, 2125 * which is what we want). 2126 */ 2127 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 2128 (bpf_int32)proto); 2129 } 2130 } 2131 } 2132 2133 static struct block * 2134 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2135 { 2136 /* 2137 * For DLT_NULL, the link-layer header is a 32-bit word 2138 * containing an AF_ value in *host* byte order, and for 2139 * DLT_ENC, the link-layer header begins with a 32-bit 2140 * word containing an AF_ value in host byte order. 2141 * 2142 * In addition, if we're reading a saved capture file, 2143 * the host byte order in the capture may not be the 2144 * same as the host byte order on this machine. 2145 * 2146 * For DLT_LOOP, the link-layer header is a 32-bit 2147 * word containing an AF_ value in *network* byte order. 2148 */ 2149 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2150 /* 2151 * The AF_ value is in host byte order, but the BPF 2152 * interpreter will convert it to network byte order. 2153 * 2154 * If this is a save file, and it's from a machine 2155 * with the opposite byte order to ours, we byte-swap 2156 * the AF_ value. 2157 * 2158 * Then we run it through "htonl()", and generate 2159 * code to compare against the result. 2160 */ 2161 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2162 proto = SWAPLONG(proto); 2163 proto = htonl(proto); 2164 } 2165 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2166 } 2167 2168 /* 2169 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2170 * or IPv6 then we have an error. 2171 */ 2172 static struct block * 2173 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2174 { 2175 switch (proto) { 2176 2177 case ETHERTYPE_IP: 2178 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2179 /*NOTREACHED*/ 2180 2181 case ETHERTYPE_IPV6: 2182 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2183 (bpf_int32)IPH_AF_INET6); 2184 /*NOTREACHED*/ 2185 2186 default: 2187 break; 2188 } 2189 2190 return gen_false(cstate); 2191 } 2192 2193 /* 2194 * Generate code to match a particular packet type. 2195 * 2196 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2197 * value, if <= ETHERMTU. We use that to determine whether to 2198 * match the type field or to check the type field for the special 2199 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2200 */ 2201 static struct block * 2202 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2203 { 2204 struct block *b0, *b1; 2205 2206 switch (proto) { 2207 2208 case LLCSAP_ISONS: 2209 case LLCSAP_IP: 2210 case LLCSAP_NETBEUI: 2211 /* 2212 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2213 * so we check the DSAP and SSAP. 2214 * 2215 * LLCSAP_IP checks for IP-over-802.2, rather 2216 * than IP-over-Ethernet or IP-over-SNAP. 2217 * 2218 * XXX - should we check both the DSAP and the 2219 * SSAP, like this, or should we check just the 2220 * DSAP, as we do for other types <= ETHERMTU 2221 * (i.e., other SAP values)? 2222 */ 2223 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2224 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2225 ((proto << 8) | proto)); 2226 gen_and(b0, b1); 2227 return b1; 2228 2229 case LLCSAP_IPX: 2230 /* 2231 * Ethernet_II frames, which are Ethernet 2232 * frames with a frame type of ETHERTYPE_IPX; 2233 * 2234 * Ethernet_802.3 frames, which have a frame 2235 * type of LINUX_SLL_P_802_3; 2236 * 2237 * Ethernet_802.2 frames, which are 802.3 2238 * frames with an 802.2 LLC header (i.e, have 2239 * a frame type of LINUX_SLL_P_802_2) and 2240 * with the IPX LSAP as the DSAP in the LLC 2241 * header; 2242 * 2243 * Ethernet_SNAP frames, which are 802.3 2244 * frames with an LLC header and a SNAP 2245 * header and with an OUI of 0x000000 2246 * (encapsulated Ethernet) and a protocol 2247 * ID of ETHERTYPE_IPX in the SNAP header. 2248 * 2249 * First, do the checks on LINUX_SLL_P_802_2 2250 * frames; generate the check for either 2251 * Ethernet_802.2 or Ethernet_SNAP frames, and 2252 * then put a check for LINUX_SLL_P_802_2 frames 2253 * before it. 2254 */ 2255 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2256 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2257 gen_or(b0, b1); 2258 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2259 gen_and(b0, b1); 2260 2261 /* 2262 * Now check for 802.3 frames and OR that with 2263 * the previous test. 2264 */ 2265 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2266 gen_or(b0, b1); 2267 2268 /* 2269 * Now add the check for Ethernet_II frames, and 2270 * do that before checking for the other frame 2271 * types. 2272 */ 2273 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2274 gen_or(b0, b1); 2275 return b1; 2276 2277 case ETHERTYPE_ATALK: 2278 case ETHERTYPE_AARP: 2279 /* 2280 * EtherTalk (AppleTalk protocols on Ethernet link 2281 * layer) may use 802.2 encapsulation. 2282 */ 2283 2284 /* 2285 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2286 * we check for the 802.2 protocol type in the 2287 * "Ethernet type" field. 2288 */ 2289 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2290 2291 /* 2292 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2293 * SNAP packets with an organization code of 2294 * 0x080007 (Apple, for Appletalk) and a protocol 2295 * type of ETHERTYPE_ATALK (Appletalk). 2296 * 2297 * 802.2-encapsulated ETHERTYPE_AARP packets are 2298 * SNAP packets with an organization code of 2299 * 0x000000 (encapsulated Ethernet) and a protocol 2300 * type of ETHERTYPE_AARP (Appletalk ARP). 2301 */ 2302 if (proto == ETHERTYPE_ATALK) 2303 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2304 else /* proto == ETHERTYPE_AARP */ 2305 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2306 gen_and(b0, b1); 2307 2308 /* 2309 * Check for Ethernet encapsulation (Ethertalk 2310 * phase 1?); we just check for the Ethernet 2311 * protocol type. 2312 */ 2313 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2314 2315 gen_or(b0, b1); 2316 return b1; 2317 2318 default: 2319 if (proto <= ETHERMTU) { 2320 /* 2321 * This is an LLC SAP value, so the frames 2322 * that match would be 802.2 frames. 2323 * Check for the 802.2 protocol type 2324 * in the "Ethernet type" field, and 2325 * then check the DSAP. 2326 */ 2327 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2328 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2329 (bpf_int32)proto); 2330 gen_and(b0, b1); 2331 return b1; 2332 } else { 2333 /* 2334 * This is an Ethernet type, so compare 2335 * the length/type field with it (if 2336 * the frame is an 802.2 frame, the length 2337 * field will be <= ETHERMTU, and, as 2338 * "proto" is > ETHERMTU, this test 2339 * will fail and the frame won't match, 2340 * which is what we want). 2341 */ 2342 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2343 } 2344 } 2345 } 2346 2347 static struct slist * 2348 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2349 { 2350 struct slist *s1, *s2; 2351 struct slist *sjeq_avs_cookie; 2352 struct slist *sjcommon; 2353 2354 /* 2355 * This code is not compatible with the optimizer, as 2356 * we are generating jmp instructions within a normal 2357 * slist of instructions 2358 */ 2359 cstate->no_optimize = 1; 2360 2361 /* 2362 * Generate code to load the length of the radio header into 2363 * the register assigned to hold that length, if one has been 2364 * assigned. (If one hasn't been assigned, no code we've 2365 * generated uses that prefix, so we don't need to generate any 2366 * code to load it.) 2367 * 2368 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2369 * or always use the AVS header rather than the Prism header. 2370 * We load a 4-byte big-endian value at the beginning of the 2371 * raw packet data, and see whether, when masked with 0xFFFFF000, 2372 * it's equal to 0x80211000. If so, that indicates that it's 2373 * an AVS header (the masked-out bits are the version number). 2374 * Otherwise, it's a Prism header. 2375 * 2376 * XXX - the Prism header is also, in theory, variable-length, 2377 * but no known software generates headers that aren't 144 2378 * bytes long. 2379 */ 2380 if (cstate->off_linkhdr.reg != -1) { 2381 /* 2382 * Load the cookie. 2383 */ 2384 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2385 s1->s.k = 0; 2386 2387 /* 2388 * AND it with 0xFFFFF000. 2389 */ 2390 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2391 s2->s.k = 0xFFFFF000; 2392 sappend(s1, s2); 2393 2394 /* 2395 * Compare with 0x80211000. 2396 */ 2397 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2398 sjeq_avs_cookie->s.k = 0x80211000; 2399 sappend(s1, sjeq_avs_cookie); 2400 2401 /* 2402 * If it's AVS: 2403 * 2404 * The 4 bytes at an offset of 4 from the beginning of 2405 * the AVS header are the length of the AVS header. 2406 * That field is big-endian. 2407 */ 2408 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2409 s2->s.k = 4; 2410 sappend(s1, s2); 2411 sjeq_avs_cookie->s.jt = s2; 2412 2413 /* 2414 * Now jump to the code to allocate a register 2415 * into which to save the header length and 2416 * store the length there. (The "jump always" 2417 * instruction needs to have the k field set; 2418 * it's added to the PC, so, as we're jumping 2419 * over a single instruction, it should be 1.) 2420 */ 2421 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2422 sjcommon->s.k = 1; 2423 sappend(s1, sjcommon); 2424 2425 /* 2426 * Now for the code that handles the Prism header. 2427 * Just load the length of the Prism header (144) 2428 * into the A register. Have the test for an AVS 2429 * header branch here if we don't have an AVS header. 2430 */ 2431 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2432 s2->s.k = 144; 2433 sappend(s1, s2); 2434 sjeq_avs_cookie->s.jf = s2; 2435 2436 /* 2437 * Now allocate a register to hold that value and store 2438 * it. The code for the AVS header will jump here after 2439 * loading the length of the AVS header. 2440 */ 2441 s2 = new_stmt(cstate, BPF_ST); 2442 s2->s.k = cstate->off_linkhdr.reg; 2443 sappend(s1, s2); 2444 sjcommon->s.jf = s2; 2445 2446 /* 2447 * Now move it into the X register. 2448 */ 2449 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2450 sappend(s1, s2); 2451 2452 return (s1); 2453 } else 2454 return (NULL); 2455 } 2456 2457 static struct slist * 2458 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2459 { 2460 struct slist *s1, *s2; 2461 2462 /* 2463 * Generate code to load the length of the AVS header into 2464 * the register assigned to hold that length, if one has been 2465 * assigned. (If one hasn't been assigned, no code we've 2466 * generated uses that prefix, so we don't need to generate any 2467 * code to load it.) 2468 */ 2469 if (cstate->off_linkhdr.reg != -1) { 2470 /* 2471 * The 4 bytes at an offset of 4 from the beginning of 2472 * the AVS header are the length of the AVS header. 2473 * That field is big-endian. 2474 */ 2475 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2476 s1->s.k = 4; 2477 2478 /* 2479 * Now allocate a register to hold that value and store 2480 * it. 2481 */ 2482 s2 = new_stmt(cstate, BPF_ST); 2483 s2->s.k = cstate->off_linkhdr.reg; 2484 sappend(s1, s2); 2485 2486 /* 2487 * Now move it into the X register. 2488 */ 2489 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2490 sappend(s1, s2); 2491 2492 return (s1); 2493 } else 2494 return (NULL); 2495 } 2496 2497 static struct slist * 2498 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2499 { 2500 struct slist *s1, *s2; 2501 2502 /* 2503 * Generate code to load the length of the radiotap header into 2504 * the register assigned to hold that length, if one has been 2505 * assigned. (If one hasn't been assigned, no code we've 2506 * generated uses that prefix, so we don't need to generate any 2507 * code to load it.) 2508 */ 2509 if (cstate->off_linkhdr.reg != -1) { 2510 /* 2511 * The 2 bytes at offsets of 2 and 3 from the beginning 2512 * of the radiotap header are the length of the radiotap 2513 * header; unfortunately, it's little-endian, so we have 2514 * to load it a byte at a time and construct the value. 2515 */ 2516 2517 /* 2518 * Load the high-order byte, at an offset of 3, shift it 2519 * left a byte, and put the result in the X register. 2520 */ 2521 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2522 s1->s.k = 3; 2523 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2524 sappend(s1, s2); 2525 s2->s.k = 8; 2526 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2527 sappend(s1, s2); 2528 2529 /* 2530 * Load the next byte, at an offset of 2, and OR the 2531 * value from the X register into it. 2532 */ 2533 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2534 sappend(s1, s2); 2535 s2->s.k = 2; 2536 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2537 sappend(s1, s2); 2538 2539 /* 2540 * Now allocate a register to hold that value and store 2541 * it. 2542 */ 2543 s2 = new_stmt(cstate, BPF_ST); 2544 s2->s.k = cstate->off_linkhdr.reg; 2545 sappend(s1, s2); 2546 2547 /* 2548 * Now move it into the X register. 2549 */ 2550 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2551 sappend(s1, s2); 2552 2553 return (s1); 2554 } else 2555 return (NULL); 2556 } 2557 2558 /* 2559 * At the moment we treat PPI as normal Radiotap encoded 2560 * packets. The difference is in the function that generates 2561 * the code at the beginning to compute the header length. 2562 * Since this code generator of PPI supports bare 802.11 2563 * encapsulation only (i.e. the encapsulated DLT should be 2564 * DLT_IEEE802_11) we generate code to check for this too; 2565 * that's done in finish_parse(). 2566 */ 2567 static struct slist * 2568 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2569 { 2570 struct slist *s1, *s2; 2571 2572 /* 2573 * Generate code to load the length of the radiotap header 2574 * into the register assigned to hold that length, if one has 2575 * been assigned. 2576 */ 2577 if (cstate->off_linkhdr.reg != -1) { 2578 /* 2579 * The 2 bytes at offsets of 2 and 3 from the beginning 2580 * of the radiotap header are the length of the radiotap 2581 * header; unfortunately, it's little-endian, so we have 2582 * to load it a byte at a time and construct the value. 2583 */ 2584 2585 /* 2586 * Load the high-order byte, at an offset of 3, shift it 2587 * left a byte, and put the result in the X register. 2588 */ 2589 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2590 s1->s.k = 3; 2591 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2592 sappend(s1, s2); 2593 s2->s.k = 8; 2594 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2595 sappend(s1, s2); 2596 2597 /* 2598 * Load the next byte, at an offset of 2, and OR the 2599 * value from the X register into it. 2600 */ 2601 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2602 sappend(s1, s2); 2603 s2->s.k = 2; 2604 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2605 sappend(s1, s2); 2606 2607 /* 2608 * Now allocate a register to hold that value and store 2609 * it. 2610 */ 2611 s2 = new_stmt(cstate, BPF_ST); 2612 s2->s.k = cstate->off_linkhdr.reg; 2613 sappend(s1, s2); 2614 2615 /* 2616 * Now move it into the X register. 2617 */ 2618 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2619 sappend(s1, s2); 2620 2621 return (s1); 2622 } else 2623 return (NULL); 2624 } 2625 2626 /* 2627 * Load a value relative to the beginning of the link-layer header after the 802.11 2628 * header, i.e. LLC_SNAP. 2629 * The link-layer header doesn't necessarily begin at the beginning 2630 * of the packet data; there might be a variable-length prefix containing 2631 * radio information. 2632 */ 2633 static struct slist * 2634 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2635 { 2636 struct slist *s2; 2637 struct slist *sjset_data_frame_1; 2638 struct slist *sjset_data_frame_2; 2639 struct slist *sjset_qos; 2640 struct slist *sjset_radiotap_flags_present; 2641 struct slist *sjset_radiotap_ext_present; 2642 struct slist *sjset_radiotap_tsft_present; 2643 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2644 struct slist *s_roundup; 2645 2646 if (cstate->off_linkpl.reg == -1) { 2647 /* 2648 * No register has been assigned to the offset of 2649 * the link-layer payload, which means nobody needs 2650 * it; don't bother computing it - just return 2651 * what we already have. 2652 */ 2653 return (s); 2654 } 2655 2656 /* 2657 * This code is not compatible with the optimizer, as 2658 * we are generating jmp instructions within a normal 2659 * slist of instructions 2660 */ 2661 cstate->no_optimize = 1; 2662 2663 /* 2664 * If "s" is non-null, it has code to arrange that the X register 2665 * contains the length of the prefix preceding the link-layer 2666 * header. 2667 * 2668 * Otherwise, the length of the prefix preceding the link-layer 2669 * header is "off_outermostlinkhdr.constant_part". 2670 */ 2671 if (s == NULL) { 2672 /* 2673 * There is no variable-length header preceding the 2674 * link-layer header. 2675 * 2676 * Load the length of the fixed-length prefix preceding 2677 * the link-layer header (if any) into the X register, 2678 * and store it in the cstate->off_linkpl.reg register. 2679 * That length is off_outermostlinkhdr.constant_part. 2680 */ 2681 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2682 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2683 } 2684 2685 /* 2686 * The X register contains the offset of the beginning of the 2687 * link-layer header; add 24, which is the minimum length 2688 * of the MAC header for a data frame, to that, and store it 2689 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2690 * which is at the offset in the X register, with an indexed load. 2691 */ 2692 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2693 sappend(s, s2); 2694 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2695 s2->s.k = 24; 2696 sappend(s, s2); 2697 s2 = new_stmt(cstate, BPF_ST); 2698 s2->s.k = cstate->off_linkpl.reg; 2699 sappend(s, s2); 2700 2701 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2702 s2->s.k = 0; 2703 sappend(s, s2); 2704 2705 /* 2706 * Check the Frame Control field to see if this is a data frame; 2707 * a data frame has the 0x08 bit (b3) in that field set and the 2708 * 0x04 bit (b2) clear. 2709 */ 2710 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2711 sjset_data_frame_1->s.k = 0x08; 2712 sappend(s, sjset_data_frame_1); 2713 2714 /* 2715 * If b3 is set, test b2, otherwise go to the first statement of 2716 * the rest of the program. 2717 */ 2718 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2719 sjset_data_frame_2->s.k = 0x04; 2720 sappend(s, sjset_data_frame_2); 2721 sjset_data_frame_1->s.jf = snext; 2722 2723 /* 2724 * If b2 is not set, this is a data frame; test the QoS bit. 2725 * Otherwise, go to the first statement of the rest of the 2726 * program. 2727 */ 2728 sjset_data_frame_2->s.jt = snext; 2729 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2730 sjset_qos->s.k = 0x80; /* QoS bit */ 2731 sappend(s, sjset_qos); 2732 2733 /* 2734 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2735 * field. 2736 * Otherwise, go to the first statement of the rest of the 2737 * program. 2738 */ 2739 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2740 s2->s.k = cstate->off_linkpl.reg; 2741 sappend(s, s2); 2742 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2743 s2->s.k = 2; 2744 sappend(s, s2); 2745 s2 = new_stmt(cstate, BPF_ST); 2746 s2->s.k = cstate->off_linkpl.reg; 2747 sappend(s, s2); 2748 2749 /* 2750 * If we have a radiotap header, look at it to see whether 2751 * there's Atheros padding between the MAC-layer header 2752 * and the payload. 2753 * 2754 * Note: all of the fields in the radiotap header are 2755 * little-endian, so we byte-swap all of the values 2756 * we test against, as they will be loaded as big-endian 2757 * values. 2758 * 2759 * XXX - in the general case, we would have to scan through 2760 * *all* the presence bits, if there's more than one word of 2761 * presence bits. That would require a loop, meaning that 2762 * we wouldn't be able to run the filter in the kernel. 2763 * 2764 * We assume here that the Atheros adapters that insert the 2765 * annoying padding don't have multiple antennae and therefore 2766 * do not generate radiotap headers with multiple presence words. 2767 */ 2768 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2769 /* 2770 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2771 * in the first presence flag word? 2772 */ 2773 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2774 s2->s.k = 4; 2775 sappend(s, s2); 2776 2777 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2778 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2779 sappend(s, sjset_radiotap_flags_present); 2780 2781 /* 2782 * If not, skip all of this. 2783 */ 2784 sjset_radiotap_flags_present->s.jf = snext; 2785 2786 /* 2787 * Otherwise, is the "extension" bit set in that word? 2788 */ 2789 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2790 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2791 sappend(s, sjset_radiotap_ext_present); 2792 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2793 2794 /* 2795 * If so, skip all of this. 2796 */ 2797 sjset_radiotap_ext_present->s.jt = snext; 2798 2799 /* 2800 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2801 */ 2802 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2803 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2804 sappend(s, sjset_radiotap_tsft_present); 2805 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2806 2807 /* 2808 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2809 * at an offset of 16 from the beginning of the raw packet 2810 * data (8 bytes for the radiotap header and 8 bytes for 2811 * the TSFT field). 2812 * 2813 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2814 * is set. 2815 */ 2816 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2817 s2->s.k = 16; 2818 sappend(s, s2); 2819 sjset_radiotap_tsft_present->s.jt = s2; 2820 2821 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2822 sjset_tsft_datapad->s.k = 0x20; 2823 sappend(s, sjset_tsft_datapad); 2824 2825 /* 2826 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2827 * at an offset of 8 from the beginning of the raw packet 2828 * data (8 bytes for the radiotap header). 2829 * 2830 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2831 * is set. 2832 */ 2833 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2834 s2->s.k = 8; 2835 sappend(s, s2); 2836 sjset_radiotap_tsft_present->s.jf = s2; 2837 2838 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2839 sjset_notsft_datapad->s.k = 0x20; 2840 sappend(s, sjset_notsft_datapad); 2841 2842 /* 2843 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2844 * set, round the length of the 802.11 header to 2845 * a multiple of 4. Do that by adding 3 and then 2846 * dividing by and multiplying by 4, which we do by 2847 * ANDing with ~3. 2848 */ 2849 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2850 s_roundup->s.k = cstate->off_linkpl.reg; 2851 sappend(s, s_roundup); 2852 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2853 s2->s.k = 3; 2854 sappend(s, s2); 2855 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2856 s2->s.k = ~3; 2857 sappend(s, s2); 2858 s2 = new_stmt(cstate, BPF_ST); 2859 s2->s.k = cstate->off_linkpl.reg; 2860 sappend(s, s2); 2861 2862 sjset_tsft_datapad->s.jt = s_roundup; 2863 sjset_tsft_datapad->s.jf = snext; 2864 sjset_notsft_datapad->s.jt = s_roundup; 2865 sjset_notsft_datapad->s.jf = snext; 2866 } else 2867 sjset_qos->s.jf = snext; 2868 2869 return s; 2870 } 2871 2872 static void 2873 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2874 { 2875 struct slist *s; 2876 2877 /* There is an implicit dependency between the link 2878 * payload and link header since the payload computation 2879 * includes the variable part of the header. Therefore, 2880 * if nobody else has allocated a register for the link 2881 * header and we need it, do it now. */ 2882 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2883 cstate->off_linkhdr.reg == -1) 2884 cstate->off_linkhdr.reg = alloc_reg(cstate); 2885 2886 /* 2887 * For link-layer types that have a variable-length header 2888 * preceding the link-layer header, generate code to load 2889 * the offset of the link-layer header into the register 2890 * assigned to that offset, if any. 2891 * 2892 * XXX - this, and the next switch statement, won't handle 2893 * encapsulation of 802.11 or 802.11+radio information in 2894 * some other protocol stack. That's significantly more 2895 * complicated. 2896 */ 2897 switch (cstate->outermostlinktype) { 2898 2899 case DLT_PRISM_HEADER: 2900 s = gen_load_prism_llprefixlen(cstate); 2901 break; 2902 2903 case DLT_IEEE802_11_RADIO_AVS: 2904 s = gen_load_avs_llprefixlen(cstate); 2905 break; 2906 2907 case DLT_IEEE802_11_RADIO: 2908 s = gen_load_radiotap_llprefixlen(cstate); 2909 break; 2910 2911 case DLT_PPI: 2912 s = gen_load_ppi_llprefixlen(cstate); 2913 break; 2914 2915 default: 2916 s = NULL; 2917 break; 2918 } 2919 2920 /* 2921 * For link-layer types that have a variable-length link-layer 2922 * header, generate code to load the offset of the link-layer 2923 * payload into the register assigned to that offset, if any. 2924 */ 2925 switch (cstate->outermostlinktype) { 2926 2927 case DLT_IEEE802_11: 2928 case DLT_PRISM_HEADER: 2929 case DLT_IEEE802_11_RADIO_AVS: 2930 case DLT_IEEE802_11_RADIO: 2931 case DLT_PPI: 2932 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2933 break; 2934 } 2935 2936 /* 2937 * If there there is no initialization yet and we need variable 2938 * length offsets for VLAN, initialize them to zero 2939 */ 2940 if (s == NULL && cstate->is_vlan_vloffset) { 2941 struct slist *s2; 2942 2943 if (cstate->off_linkpl.reg == -1) 2944 cstate->off_linkpl.reg = alloc_reg(cstate); 2945 if (cstate->off_linktype.reg == -1) 2946 cstate->off_linktype.reg = alloc_reg(cstate); 2947 2948 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2949 s->s.k = 0; 2950 s2 = new_stmt(cstate, BPF_ST); 2951 s2->s.k = cstate->off_linkpl.reg; 2952 sappend(s, s2); 2953 s2 = new_stmt(cstate, BPF_ST); 2954 s2->s.k = cstate->off_linktype.reg; 2955 sappend(s, s2); 2956 } 2957 2958 /* 2959 * If we have any offset-loading code, append all the 2960 * existing statements in the block to those statements, 2961 * and make the resulting list the list of statements 2962 * for the block. 2963 */ 2964 if (s != NULL) { 2965 sappend(s, b->stmts); 2966 b->stmts = s; 2967 } 2968 } 2969 2970 static struct block * 2971 gen_ppi_dlt_check(compiler_state_t *cstate) 2972 { 2973 struct slist *s_load_dlt; 2974 struct block *b; 2975 2976 if (cstate->linktype == DLT_PPI) 2977 { 2978 /* Create the statements that check for the DLT 2979 */ 2980 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2981 s_load_dlt->s.k = 4; 2982 2983 b = new_block(cstate, JMP(BPF_JEQ)); 2984 2985 b->stmts = s_load_dlt; 2986 b->s.k = SWAPLONG(DLT_IEEE802_11); 2987 } 2988 else 2989 { 2990 b = NULL; 2991 } 2992 2993 return b; 2994 } 2995 2996 /* 2997 * Take an absolute offset, and: 2998 * 2999 * if it has no variable part, return NULL; 3000 * 3001 * if it has a variable part, generate code to load the register 3002 * containing that variable part into the X register, returning 3003 * a pointer to that code - if no register for that offset has 3004 * been allocated, allocate it first. 3005 * 3006 * (The code to set that register will be generated later, but will 3007 * be placed earlier in the code sequence.) 3008 */ 3009 static struct slist * 3010 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 3011 { 3012 struct slist *s; 3013 3014 if (off->is_variable) { 3015 if (off->reg == -1) { 3016 /* 3017 * We haven't yet assigned a register for the 3018 * variable part of the offset of the link-layer 3019 * header; allocate one. 3020 */ 3021 off->reg = alloc_reg(cstate); 3022 } 3023 3024 /* 3025 * Load the register containing the variable part of the 3026 * offset of the link-layer header into the X register. 3027 */ 3028 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 3029 s->s.k = off->reg; 3030 return s; 3031 } else { 3032 /* 3033 * That offset isn't variable, there's no variable part, 3034 * so we don't need to generate any code. 3035 */ 3036 return NULL; 3037 } 3038 } 3039 3040 /* 3041 * Map an Ethernet type to the equivalent PPP type. 3042 */ 3043 static int 3044 ethertype_to_ppptype(int proto) 3045 { 3046 switch (proto) { 3047 3048 case ETHERTYPE_IP: 3049 proto = PPP_IP; 3050 break; 3051 3052 case ETHERTYPE_IPV6: 3053 proto = PPP_IPV6; 3054 break; 3055 3056 case ETHERTYPE_DN: 3057 proto = PPP_DECNET; 3058 break; 3059 3060 case ETHERTYPE_ATALK: 3061 proto = PPP_APPLE; 3062 break; 3063 3064 case ETHERTYPE_NS: 3065 proto = PPP_NS; 3066 break; 3067 3068 case LLCSAP_ISONS: 3069 proto = PPP_OSI; 3070 break; 3071 3072 case LLCSAP_8021D: 3073 /* 3074 * I'm assuming the "Bridging PDU"s that go 3075 * over PPP are Spanning Tree Protocol 3076 * Bridging PDUs. 3077 */ 3078 proto = PPP_BRPDU; 3079 break; 3080 3081 case LLCSAP_IPX: 3082 proto = PPP_IPX; 3083 break; 3084 } 3085 return (proto); 3086 } 3087 3088 /* 3089 * Generate any tests that, for encapsulation of a link-layer packet 3090 * inside another protocol stack, need to be done to check for those 3091 * link-layer packets (and that haven't already been done by a check 3092 * for that encapsulation). 3093 */ 3094 static struct block * 3095 gen_prevlinkhdr_check(compiler_state_t *cstate) 3096 { 3097 struct block *b0; 3098 3099 if (cstate->is_geneve) 3100 return gen_geneve_ll_check(cstate); 3101 3102 switch (cstate->prevlinktype) { 3103 3104 case DLT_SUNATM: 3105 /* 3106 * This is LANE-encapsulated Ethernet; check that the LANE 3107 * packet doesn't begin with an LE Control marker, i.e. 3108 * that it's data, not a control message. 3109 * 3110 * (We've already generated a test for LANE.) 3111 */ 3112 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3113 gen_not(b0); 3114 return b0; 3115 3116 default: 3117 /* 3118 * No such tests are necessary. 3119 */ 3120 return NULL; 3121 } 3122 /*NOTREACHED*/ 3123 } 3124 3125 /* 3126 * The three different values we should check for when checking for an 3127 * IPv6 packet with DLT_NULL. 3128 */ 3129 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3130 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3131 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3132 3133 /* 3134 * Generate code to match a particular packet type by matching the 3135 * link-layer type field or fields in the 802.2 LLC header. 3136 * 3137 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3138 * value, if <= ETHERMTU. 3139 */ 3140 static struct block * 3141 gen_linktype(compiler_state_t *cstate, int proto) 3142 { 3143 struct block *b0, *b1, *b2; 3144 const char *description; 3145 3146 /* are we checking MPLS-encapsulated packets? */ 3147 if (cstate->label_stack_depth > 0) { 3148 switch (proto) { 3149 case ETHERTYPE_IP: 3150 case PPP_IP: 3151 /* FIXME add other L3 proto IDs */ 3152 return gen_mpls_linktype(cstate, Q_IP); 3153 3154 case ETHERTYPE_IPV6: 3155 case PPP_IPV6: 3156 /* FIXME add other L3 proto IDs */ 3157 return gen_mpls_linktype(cstate, Q_IPV6); 3158 3159 default: 3160 bpf_error(cstate, "unsupported protocol over mpls"); 3161 /*NOTREACHED*/ 3162 } 3163 } 3164 3165 switch (cstate->linktype) { 3166 3167 case DLT_EN10MB: 3168 case DLT_NETANALYZER: 3169 case DLT_NETANALYZER_TRANSPARENT: 3170 /* Geneve has an EtherType regardless of whether there is an 3171 * L2 header. */ 3172 if (!cstate->is_geneve) 3173 b0 = gen_prevlinkhdr_check(cstate); 3174 else 3175 b0 = NULL; 3176 3177 b1 = gen_ether_linktype(cstate, proto); 3178 if (b0 != NULL) 3179 gen_and(b0, b1); 3180 return b1; 3181 /*NOTREACHED*/ 3182 3183 case DLT_C_HDLC: 3184 switch (proto) { 3185 3186 case LLCSAP_ISONS: 3187 proto = (proto << 8 | LLCSAP_ISONS); 3188 /* fall through */ 3189 3190 default: 3191 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3192 /*NOTREACHED*/ 3193 } 3194 3195 case DLT_IEEE802_11: 3196 case DLT_PRISM_HEADER: 3197 case DLT_IEEE802_11_RADIO_AVS: 3198 case DLT_IEEE802_11_RADIO: 3199 case DLT_PPI: 3200 /* 3201 * Check that we have a data frame. 3202 */ 3203 b0 = gen_check_802_11_data_frame(cstate); 3204 3205 /* 3206 * Now check for the specified link-layer type. 3207 */ 3208 b1 = gen_llc_linktype(cstate, proto); 3209 gen_and(b0, b1); 3210 return b1; 3211 /*NOTREACHED*/ 3212 3213 case DLT_FDDI: 3214 /* 3215 * XXX - check for LLC frames. 3216 */ 3217 return gen_llc_linktype(cstate, proto); 3218 /*NOTREACHED*/ 3219 3220 case DLT_IEEE802: 3221 /* 3222 * XXX - check for LLC PDUs, as per IEEE 802.5. 3223 */ 3224 return gen_llc_linktype(cstate, proto); 3225 /*NOTREACHED*/ 3226 3227 case DLT_ATM_RFC1483: 3228 case DLT_ATM_CLIP: 3229 case DLT_IP_OVER_FC: 3230 return gen_llc_linktype(cstate, proto); 3231 /*NOTREACHED*/ 3232 3233 case DLT_SUNATM: 3234 /* 3235 * Check for an LLC-encapsulated version of this protocol; 3236 * if we were checking for LANE, linktype would no longer 3237 * be DLT_SUNATM. 3238 * 3239 * Check for LLC encapsulation and then check the protocol. 3240 */ 3241 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3242 b1 = gen_llc_linktype(cstate, proto); 3243 gen_and(b0, b1); 3244 return b1; 3245 /*NOTREACHED*/ 3246 3247 case DLT_LINUX_SLL: 3248 return gen_linux_sll_linktype(cstate, proto); 3249 /*NOTREACHED*/ 3250 3251 case DLT_SLIP: 3252 case DLT_SLIP_BSDOS: 3253 case DLT_RAW: 3254 /* 3255 * These types don't provide any type field; packets 3256 * are always IPv4 or IPv6. 3257 * 3258 * XXX - for IPv4, check for a version number of 4, and, 3259 * for IPv6, check for a version number of 6? 3260 */ 3261 switch (proto) { 3262 3263 case ETHERTYPE_IP: 3264 /* Check for a version number of 4. */ 3265 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3266 3267 case ETHERTYPE_IPV6: 3268 /* Check for a version number of 6. */ 3269 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3270 3271 default: 3272 return gen_false(cstate); /* always false */ 3273 } 3274 /*NOTREACHED*/ 3275 3276 case DLT_IPV4: 3277 /* 3278 * Raw IPv4, so no type field. 3279 */ 3280 if (proto == ETHERTYPE_IP) 3281 return gen_true(cstate); /* always true */ 3282 3283 /* Checking for something other than IPv4; always false */ 3284 return gen_false(cstate); 3285 /*NOTREACHED*/ 3286 3287 case DLT_IPV6: 3288 /* 3289 * Raw IPv6, so no type field. 3290 */ 3291 if (proto == ETHERTYPE_IPV6) 3292 return gen_true(cstate); /* always true */ 3293 3294 /* Checking for something other than IPv6; always false */ 3295 return gen_false(cstate); 3296 /*NOTREACHED*/ 3297 3298 case DLT_PPP: 3299 case DLT_PPP_PPPD: 3300 case DLT_PPP_SERIAL: 3301 case DLT_PPP_ETHER: 3302 /* 3303 * We use Ethernet protocol types inside libpcap; 3304 * map them to the corresponding PPP protocol types. 3305 */ 3306 proto = ethertype_to_ppptype(proto); 3307 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3308 /*NOTREACHED*/ 3309 3310 case DLT_PPP_BSDOS: 3311 /* 3312 * We use Ethernet protocol types inside libpcap; 3313 * map them to the corresponding PPP protocol types. 3314 */ 3315 switch (proto) { 3316 3317 case ETHERTYPE_IP: 3318 /* 3319 * Also check for Van Jacobson-compressed IP. 3320 * XXX - do this for other forms of PPP? 3321 */ 3322 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3323 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3324 gen_or(b0, b1); 3325 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3326 gen_or(b1, b0); 3327 return b0; 3328 3329 default: 3330 proto = ethertype_to_ppptype(proto); 3331 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3332 (bpf_int32)proto); 3333 } 3334 /*NOTREACHED*/ 3335 3336 case DLT_NULL: 3337 case DLT_LOOP: 3338 case DLT_ENC: 3339 switch (proto) { 3340 3341 case ETHERTYPE_IP: 3342 return (gen_loopback_linktype(cstate, AF_INET)); 3343 3344 case ETHERTYPE_IPV6: 3345 /* 3346 * AF_ values may, unfortunately, be platform- 3347 * dependent; AF_INET isn't, because everybody 3348 * used 4.2BSD's value, but AF_INET6 is, because 3349 * 4.2BSD didn't have a value for it (given that 3350 * IPv6 didn't exist back in the early 1980's), 3351 * and they all picked their own values. 3352 * 3353 * This means that, if we're reading from a 3354 * savefile, we need to check for all the 3355 * possible values. 3356 * 3357 * If we're doing a live capture, we only need 3358 * to check for this platform's value; however, 3359 * Npcap uses 24, which isn't Windows's AF_INET6 3360 * value. (Given the multiple different values, 3361 * programs that read pcap files shouldn't be 3362 * checking for their platform's AF_INET6 value 3363 * anyway, they should check for all of the 3364 * possible values. and they might as well do 3365 * that even for live captures.) 3366 */ 3367 if (cstate->bpf_pcap->rfile != NULL) { 3368 /* 3369 * Savefile - check for all three 3370 * possible IPv6 values. 3371 */ 3372 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3373 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3374 gen_or(b0, b1); 3375 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3376 gen_or(b0, b1); 3377 return (b1); 3378 } else { 3379 /* 3380 * Live capture, so we only need to 3381 * check for the value used on this 3382 * platform. 3383 */ 3384 #ifdef _WIN32 3385 /* 3386 * Npcap doesn't use Windows's AF_INET6, 3387 * as that collides with AF_IPX on 3388 * some BSDs (both have the value 23). 3389 * Instead, it uses 24. 3390 */ 3391 return (gen_loopback_linktype(cstate, 24)); 3392 #else /* _WIN32 */ 3393 #ifdef AF_INET6 3394 return (gen_loopback_linktype(cstate, AF_INET6)); 3395 #else /* AF_INET6 */ 3396 /* 3397 * I guess this platform doesn't support 3398 * IPv6, so we just reject all packets. 3399 */ 3400 return gen_false(cstate); 3401 #endif /* AF_INET6 */ 3402 #endif /* _WIN32 */ 3403 } 3404 3405 default: 3406 /* 3407 * Not a type on which we support filtering. 3408 * XXX - support those that have AF_ values 3409 * #defined on this platform, at least? 3410 */ 3411 return gen_false(cstate); 3412 } 3413 3414 #ifdef HAVE_NET_PFVAR_H 3415 case DLT_PFLOG: 3416 /* 3417 * af field is host byte order in contrast to the rest of 3418 * the packet. 3419 */ 3420 if (proto == ETHERTYPE_IP) 3421 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3422 BPF_B, (bpf_int32)AF_INET)); 3423 else if (proto == ETHERTYPE_IPV6) 3424 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3425 BPF_B, (bpf_int32)AF_INET6)); 3426 else 3427 return gen_false(cstate); 3428 /*NOTREACHED*/ 3429 #endif /* HAVE_NET_PFVAR_H */ 3430 3431 case DLT_ARCNET: 3432 case DLT_ARCNET_LINUX: 3433 /* 3434 * XXX should we check for first fragment if the protocol 3435 * uses PHDS? 3436 */ 3437 switch (proto) { 3438 3439 default: 3440 return gen_false(cstate); 3441 3442 case ETHERTYPE_IPV6: 3443 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3444 (bpf_int32)ARCTYPE_INET6)); 3445 3446 case ETHERTYPE_IP: 3447 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3448 (bpf_int32)ARCTYPE_IP); 3449 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3450 (bpf_int32)ARCTYPE_IP_OLD); 3451 gen_or(b0, b1); 3452 return (b1); 3453 3454 case ETHERTYPE_ARP: 3455 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3456 (bpf_int32)ARCTYPE_ARP); 3457 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3458 (bpf_int32)ARCTYPE_ARP_OLD); 3459 gen_or(b0, b1); 3460 return (b1); 3461 3462 case ETHERTYPE_REVARP: 3463 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3464 (bpf_int32)ARCTYPE_REVARP)); 3465 3466 case ETHERTYPE_ATALK: 3467 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3468 (bpf_int32)ARCTYPE_ATALK)); 3469 } 3470 /*NOTREACHED*/ 3471 3472 case DLT_LTALK: 3473 switch (proto) { 3474 case ETHERTYPE_ATALK: 3475 return gen_true(cstate); 3476 default: 3477 return gen_false(cstate); 3478 } 3479 /*NOTREACHED*/ 3480 3481 case DLT_FRELAY: 3482 /* 3483 * XXX - assumes a 2-byte Frame Relay header with 3484 * DLCI and flags. What if the address is longer? 3485 */ 3486 switch (proto) { 3487 3488 case ETHERTYPE_IP: 3489 /* 3490 * Check for the special NLPID for IP. 3491 */ 3492 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3493 3494 case ETHERTYPE_IPV6: 3495 /* 3496 * Check for the special NLPID for IPv6. 3497 */ 3498 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3499 3500 case LLCSAP_ISONS: 3501 /* 3502 * Check for several OSI protocols. 3503 * 3504 * Frame Relay packets typically have an OSI 3505 * NLPID at the beginning; we check for each 3506 * of them. 3507 * 3508 * What we check for is the NLPID and a frame 3509 * control field of UI, i.e. 0x03 followed 3510 * by the NLPID. 3511 */ 3512 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3513 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3514 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3515 gen_or(b1, b2); 3516 gen_or(b0, b2); 3517 return b2; 3518 3519 default: 3520 return gen_false(cstate); 3521 } 3522 /*NOTREACHED*/ 3523 3524 case DLT_MFR: 3525 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3526 3527 case DLT_JUNIPER_MFR: 3528 case DLT_JUNIPER_MLFR: 3529 case DLT_JUNIPER_MLPPP: 3530 case DLT_JUNIPER_ATM1: 3531 case DLT_JUNIPER_ATM2: 3532 case DLT_JUNIPER_PPPOE: 3533 case DLT_JUNIPER_PPPOE_ATM: 3534 case DLT_JUNIPER_GGSN: 3535 case DLT_JUNIPER_ES: 3536 case DLT_JUNIPER_MONITOR: 3537 case DLT_JUNIPER_SERVICES: 3538 case DLT_JUNIPER_ETHER: 3539 case DLT_JUNIPER_PPP: 3540 case DLT_JUNIPER_FRELAY: 3541 case DLT_JUNIPER_CHDLC: 3542 case DLT_JUNIPER_VP: 3543 case DLT_JUNIPER_ST: 3544 case DLT_JUNIPER_ISM: 3545 case DLT_JUNIPER_VS: 3546 case DLT_JUNIPER_SRX_E2E: 3547 case DLT_JUNIPER_FIBRECHANNEL: 3548 case DLT_JUNIPER_ATM_CEMIC: 3549 3550 /* just lets verify the magic number for now - 3551 * on ATM we may have up to 6 different encapsulations on the wire 3552 * and need a lot of heuristics to figure out that the payload 3553 * might be; 3554 * 3555 * FIXME encapsulation specific BPF_ filters 3556 */ 3557 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3558 3559 case DLT_BACNET_MS_TP: 3560 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3561 3562 case DLT_IPNET: 3563 return gen_ipnet_linktype(cstate, proto); 3564 3565 case DLT_LINUX_IRDA: 3566 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3567 3568 case DLT_DOCSIS: 3569 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3570 3571 case DLT_MTP2: 3572 case DLT_MTP2_WITH_PHDR: 3573 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3574 3575 case DLT_ERF: 3576 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3577 3578 case DLT_PFSYNC: 3579 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3580 3581 case DLT_LINUX_LAPD: 3582 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3583 3584 case DLT_USB_FREEBSD: 3585 case DLT_USB_LINUX: 3586 case DLT_USB_LINUX_MMAPPED: 3587 case DLT_USBPCAP: 3588 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3589 3590 case DLT_BLUETOOTH_HCI_H4: 3591 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3592 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3593 3594 case DLT_CAN20B: 3595 case DLT_CAN_SOCKETCAN: 3596 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3597 3598 case DLT_IEEE802_15_4: 3599 case DLT_IEEE802_15_4_LINUX: 3600 case DLT_IEEE802_15_4_NONASK_PHY: 3601 case DLT_IEEE802_15_4_NOFCS: 3602 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3603 3604 case DLT_IEEE802_16_MAC_CPS_RADIO: 3605 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3606 3607 case DLT_SITA: 3608 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3609 3610 case DLT_RAIF1: 3611 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3612 3613 case DLT_IPMB_KONTRON: 3614 case DLT_IPMB_LINUX: 3615 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3616 3617 case DLT_AX25_KISS: 3618 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3619 3620 case DLT_NFLOG: 3621 /* Using the fixed-size NFLOG header it is possible to tell only 3622 * the address family of the packet, other meaningful data is 3623 * either missing or behind TLVs. 3624 */ 3625 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3626 3627 default: 3628 /* 3629 * Does this link-layer header type have a field 3630 * indicating the type of the next protocol? If 3631 * so, off_linktype.constant_part will be the offset of that 3632 * field in the packet; if not, it will be OFFSET_NOT_SET. 3633 */ 3634 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3635 /* 3636 * Yes; assume it's an Ethernet type. (If 3637 * it's not, it needs to be handled specially 3638 * above.) 3639 */ 3640 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3641 /*NOTREACHED */ 3642 } else { 3643 /* 3644 * No; report an error. 3645 */ 3646 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype); 3647 bpf_error(cstate, "%s link-layer type filtering not implemented", 3648 description); 3649 /*NOTREACHED */ 3650 } 3651 } 3652 } 3653 3654 /* 3655 * Check for an LLC SNAP packet with a given organization code and 3656 * protocol type; we check the entire contents of the 802.2 LLC and 3657 * snap headers, checking for DSAP and SSAP of SNAP and a control 3658 * field of 0x03 in the LLC header, and for the specified organization 3659 * code and protocol type in the SNAP header. 3660 */ 3661 static struct block * 3662 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3663 { 3664 u_char snapblock[8]; 3665 3666 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3667 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3668 snapblock[2] = 0x03; /* control = UI */ 3669 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3670 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3671 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3672 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3673 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3674 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3675 } 3676 3677 /* 3678 * Generate code to match frames with an LLC header. 3679 */ 3680 static struct block * 3681 gen_llc_internal(compiler_state_t *cstate) 3682 { 3683 struct block *b0, *b1; 3684 3685 switch (cstate->linktype) { 3686 3687 case DLT_EN10MB: 3688 /* 3689 * We check for an Ethernet type field less than 3690 * 1500, which means it's an 802.3 length field. 3691 */ 3692 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3693 gen_not(b0); 3694 3695 /* 3696 * Now check for the purported DSAP and SSAP not being 3697 * 0xFF, to rule out NetWare-over-802.3. 3698 */ 3699 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3700 gen_not(b1); 3701 gen_and(b0, b1); 3702 return b1; 3703 3704 case DLT_SUNATM: 3705 /* 3706 * We check for LLC traffic. 3707 */ 3708 b0 = gen_atmtype_llc(cstate); 3709 return b0; 3710 3711 case DLT_IEEE802: /* Token Ring */ 3712 /* 3713 * XXX - check for LLC frames. 3714 */ 3715 return gen_true(cstate); 3716 3717 case DLT_FDDI: 3718 /* 3719 * XXX - check for LLC frames. 3720 */ 3721 return gen_true(cstate); 3722 3723 case DLT_ATM_RFC1483: 3724 /* 3725 * For LLC encapsulation, these are defined to have an 3726 * 802.2 LLC header. 3727 * 3728 * For VC encapsulation, they don't, but there's no 3729 * way to check for that; the protocol used on the VC 3730 * is negotiated out of band. 3731 */ 3732 return gen_true(cstate); 3733 3734 case DLT_IEEE802_11: 3735 case DLT_PRISM_HEADER: 3736 case DLT_IEEE802_11_RADIO: 3737 case DLT_IEEE802_11_RADIO_AVS: 3738 case DLT_PPI: 3739 /* 3740 * Check that we have a data frame. 3741 */ 3742 b0 = gen_check_802_11_data_frame(cstate); 3743 return b0; 3744 3745 default: 3746 bpf_error(cstate, "'llc' not supported for %s", 3747 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 3748 /*NOTREACHED*/ 3749 } 3750 } 3751 3752 struct block * 3753 gen_llc(compiler_state_t *cstate) 3754 { 3755 /* 3756 * Catch errors reported by us and routines below us, and return NULL 3757 * on an error. 3758 */ 3759 if (setjmp(cstate->top_ctx)) 3760 return (NULL); 3761 3762 return gen_llc_internal(cstate); 3763 } 3764 3765 struct block * 3766 gen_llc_i(compiler_state_t *cstate) 3767 { 3768 struct block *b0, *b1; 3769 struct slist *s; 3770 3771 /* 3772 * Catch errors reported by us and routines below us, and return NULL 3773 * on an error. 3774 */ 3775 if (setjmp(cstate->top_ctx)) 3776 return (NULL); 3777 3778 /* 3779 * Check whether this is an LLC frame. 3780 */ 3781 b0 = gen_llc_internal(cstate); 3782 3783 /* 3784 * Load the control byte and test the low-order bit; it must 3785 * be clear for I frames. 3786 */ 3787 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3788 b1 = new_block(cstate, JMP(BPF_JSET)); 3789 b1->s.k = 0x01; 3790 b1->stmts = s; 3791 gen_not(b1); 3792 gen_and(b0, b1); 3793 return b1; 3794 } 3795 3796 struct block * 3797 gen_llc_s(compiler_state_t *cstate) 3798 { 3799 struct block *b0, *b1; 3800 3801 /* 3802 * Catch errors reported by us and routines below us, and return NULL 3803 * on an error. 3804 */ 3805 if (setjmp(cstate->top_ctx)) 3806 return (NULL); 3807 3808 /* 3809 * Check whether this is an LLC frame. 3810 */ 3811 b0 = gen_llc_internal(cstate); 3812 3813 /* 3814 * Now compare the low-order 2 bit of the control byte against 3815 * the appropriate value for S frames. 3816 */ 3817 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3818 gen_and(b0, b1); 3819 return b1; 3820 } 3821 3822 struct block * 3823 gen_llc_u(compiler_state_t *cstate) 3824 { 3825 struct block *b0, *b1; 3826 3827 /* 3828 * Catch errors reported by us and routines below us, and return NULL 3829 * on an error. 3830 */ 3831 if (setjmp(cstate->top_ctx)) 3832 return (NULL); 3833 3834 /* 3835 * Check whether this is an LLC frame. 3836 */ 3837 b0 = gen_llc_internal(cstate); 3838 3839 /* 3840 * Now compare the low-order 2 bit of the control byte against 3841 * the appropriate value for U frames. 3842 */ 3843 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3844 gen_and(b0, b1); 3845 return b1; 3846 } 3847 3848 struct block * 3849 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3850 { 3851 struct block *b0, *b1; 3852 3853 /* 3854 * Catch errors reported by us and routines below us, and return NULL 3855 * on an error. 3856 */ 3857 if (setjmp(cstate->top_ctx)) 3858 return (NULL); 3859 3860 /* 3861 * Check whether this is an LLC frame. 3862 */ 3863 b0 = gen_llc_internal(cstate); 3864 3865 /* 3866 * Now check for an S frame with the appropriate type. 3867 */ 3868 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3869 gen_and(b0, b1); 3870 return b1; 3871 } 3872 3873 struct block * 3874 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3875 { 3876 struct block *b0, *b1; 3877 3878 /* 3879 * Catch errors reported by us and routines below us, and return NULL 3880 * on an error. 3881 */ 3882 if (setjmp(cstate->top_ctx)) 3883 return (NULL); 3884 3885 /* 3886 * Check whether this is an LLC frame. 3887 */ 3888 b0 = gen_llc_internal(cstate); 3889 3890 /* 3891 * Now check for a U frame with the appropriate type. 3892 */ 3893 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3894 gen_and(b0, b1); 3895 return b1; 3896 } 3897 3898 /* 3899 * Generate code to match a particular packet type, for link-layer types 3900 * using 802.2 LLC headers. 3901 * 3902 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3903 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3904 * 3905 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3906 * value, if <= ETHERMTU. We use that to determine whether to 3907 * match the DSAP or both DSAP and LSAP or to check the OUI and 3908 * protocol ID in a SNAP header. 3909 */ 3910 static struct block * 3911 gen_llc_linktype(compiler_state_t *cstate, int proto) 3912 { 3913 /* 3914 * XXX - handle token-ring variable-length header. 3915 */ 3916 switch (proto) { 3917 3918 case LLCSAP_IP: 3919 case LLCSAP_ISONS: 3920 case LLCSAP_NETBEUI: 3921 /* 3922 * XXX - should we check both the DSAP and the 3923 * SSAP, like this, or should we check just the 3924 * DSAP, as we do for other SAP values? 3925 */ 3926 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3927 ((proto << 8) | proto)); 3928 3929 case LLCSAP_IPX: 3930 /* 3931 * XXX - are there ever SNAP frames for IPX on 3932 * non-Ethernet 802.x networks? 3933 */ 3934 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3935 (bpf_int32)LLCSAP_IPX); 3936 3937 case ETHERTYPE_ATALK: 3938 /* 3939 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3940 * SNAP packets with an organization code of 3941 * 0x080007 (Apple, for Appletalk) and a protocol 3942 * type of ETHERTYPE_ATALK (Appletalk). 3943 * 3944 * XXX - check for an organization code of 3945 * encapsulated Ethernet as well? 3946 */ 3947 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3948 3949 default: 3950 /* 3951 * XXX - we don't have to check for IPX 802.3 3952 * here, but should we check for the IPX Ethertype? 3953 */ 3954 if (proto <= ETHERMTU) { 3955 /* 3956 * This is an LLC SAP value, so check 3957 * the DSAP. 3958 */ 3959 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3960 } else { 3961 /* 3962 * This is an Ethernet type; we assume that it's 3963 * unlikely that it'll appear in the right place 3964 * at random, and therefore check only the 3965 * location that would hold the Ethernet type 3966 * in a SNAP frame with an organization code of 3967 * 0x000000 (encapsulated Ethernet). 3968 * 3969 * XXX - if we were to check for the SNAP DSAP and 3970 * LSAP, as per XXX, and were also to check for an 3971 * organization code of 0x000000 (encapsulated 3972 * Ethernet), we'd do 3973 * 3974 * return gen_snap(cstate, 0x000000, proto); 3975 * 3976 * here; for now, we don't, as per the above. 3977 * I don't know whether it's worth the extra CPU 3978 * time to do the right check or not. 3979 */ 3980 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3981 } 3982 } 3983 } 3984 3985 static struct block * 3986 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3987 int dir, int proto, u_int src_off, u_int dst_off) 3988 { 3989 struct block *b0, *b1; 3990 u_int offset; 3991 3992 switch (dir) { 3993 3994 case Q_SRC: 3995 offset = src_off; 3996 break; 3997 3998 case Q_DST: 3999 offset = dst_off; 4000 break; 4001 4002 case Q_AND: 4003 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4004 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4005 gen_and(b0, b1); 4006 return b1; 4007 4008 case Q_DEFAULT: 4009 case Q_OR: 4010 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4011 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4012 gen_or(b0, b1); 4013 return b1; 4014 4015 case Q_ADDR1: 4016 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4017 /*NOTREACHED*/ 4018 4019 case Q_ADDR2: 4020 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4021 /*NOTREACHED*/ 4022 4023 case Q_ADDR3: 4024 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4025 /*NOTREACHED*/ 4026 4027 case Q_ADDR4: 4028 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4029 /*NOTREACHED*/ 4030 4031 case Q_RA: 4032 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4033 /*NOTREACHED*/ 4034 4035 case Q_TA: 4036 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4037 /*NOTREACHED*/ 4038 4039 default: 4040 abort(); 4041 /*NOTREACHED*/ 4042 } 4043 b0 = gen_linktype(cstate, proto); 4044 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 4045 gen_and(b0, b1); 4046 return b1; 4047 } 4048 4049 #ifdef INET6 4050 static struct block * 4051 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 4052 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 4053 { 4054 struct block *b0, *b1; 4055 u_int offset; 4056 uint32_t *a, *m; 4057 4058 switch (dir) { 4059 4060 case Q_SRC: 4061 offset = src_off; 4062 break; 4063 4064 case Q_DST: 4065 offset = dst_off; 4066 break; 4067 4068 case Q_AND: 4069 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4070 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4071 gen_and(b0, b1); 4072 return b1; 4073 4074 case Q_DEFAULT: 4075 case Q_OR: 4076 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4077 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4078 gen_or(b0, b1); 4079 return b1; 4080 4081 case Q_ADDR1: 4082 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4083 /*NOTREACHED*/ 4084 4085 case Q_ADDR2: 4086 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4087 /*NOTREACHED*/ 4088 4089 case Q_ADDR3: 4090 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4091 /*NOTREACHED*/ 4092 4093 case Q_ADDR4: 4094 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4095 /*NOTREACHED*/ 4096 4097 case Q_RA: 4098 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4099 /*NOTREACHED*/ 4100 4101 case Q_TA: 4102 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4103 /*NOTREACHED*/ 4104 4105 default: 4106 abort(); 4107 /*NOTREACHED*/ 4108 } 4109 /* this order is important */ 4110 a = (uint32_t *)addr; 4111 m = (uint32_t *)mask; 4112 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 4113 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 4114 gen_and(b0, b1); 4115 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 4116 gen_and(b0, b1); 4117 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 4118 gen_and(b0, b1); 4119 b0 = gen_linktype(cstate, proto); 4120 gen_and(b0, b1); 4121 return b1; 4122 } 4123 #endif 4124 4125 static struct block * 4126 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4127 { 4128 register struct block *b0, *b1; 4129 4130 switch (dir) { 4131 case Q_SRC: 4132 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 4133 4134 case Q_DST: 4135 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 4136 4137 case Q_AND: 4138 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4139 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4140 gen_and(b0, b1); 4141 return b1; 4142 4143 case Q_DEFAULT: 4144 case Q_OR: 4145 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4146 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4147 gen_or(b0, b1); 4148 return b1; 4149 4150 case Q_ADDR1: 4151 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4152 /*NOTREACHED*/ 4153 4154 case Q_ADDR2: 4155 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4156 /*NOTREACHED*/ 4157 4158 case Q_ADDR3: 4159 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4160 /*NOTREACHED*/ 4161 4162 case Q_ADDR4: 4163 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4164 /*NOTREACHED*/ 4165 4166 case Q_RA: 4167 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4168 /*NOTREACHED*/ 4169 4170 case Q_TA: 4171 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4172 /*NOTREACHED*/ 4173 } 4174 abort(); 4175 /*NOTREACHED*/ 4176 } 4177 4178 /* 4179 * Like gen_ehostop, but for DLT_FDDI 4180 */ 4181 static struct block * 4182 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4183 { 4184 struct block *b0, *b1; 4185 4186 switch (dir) { 4187 case Q_SRC: 4188 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4189 4190 case Q_DST: 4191 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4192 4193 case Q_AND: 4194 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4195 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4196 gen_and(b0, b1); 4197 return b1; 4198 4199 case Q_DEFAULT: 4200 case Q_OR: 4201 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4202 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4203 gen_or(b0, b1); 4204 return b1; 4205 4206 case Q_ADDR1: 4207 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4208 /*NOTREACHED*/ 4209 4210 case Q_ADDR2: 4211 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4212 /*NOTREACHED*/ 4213 4214 case Q_ADDR3: 4215 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4216 /*NOTREACHED*/ 4217 4218 case Q_ADDR4: 4219 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4220 /*NOTREACHED*/ 4221 4222 case Q_RA: 4223 bpf_error(cstate, "'ra' is only supported on 802.11"); 4224 /*NOTREACHED*/ 4225 4226 case Q_TA: 4227 bpf_error(cstate, "'ta' is only supported on 802.11"); 4228 /*NOTREACHED*/ 4229 } 4230 abort(); 4231 /*NOTREACHED*/ 4232 } 4233 4234 /* 4235 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4236 */ 4237 static struct block * 4238 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4239 { 4240 register struct block *b0, *b1; 4241 4242 switch (dir) { 4243 case Q_SRC: 4244 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4245 4246 case Q_DST: 4247 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4248 4249 case Q_AND: 4250 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4251 b1 = gen_thostop(cstate, eaddr, Q_DST); 4252 gen_and(b0, b1); 4253 return b1; 4254 4255 case Q_DEFAULT: 4256 case Q_OR: 4257 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4258 b1 = gen_thostop(cstate, eaddr, Q_DST); 4259 gen_or(b0, b1); 4260 return b1; 4261 4262 case Q_ADDR1: 4263 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4264 /*NOTREACHED*/ 4265 4266 case Q_ADDR2: 4267 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4268 /*NOTREACHED*/ 4269 4270 case Q_ADDR3: 4271 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4272 /*NOTREACHED*/ 4273 4274 case Q_ADDR4: 4275 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4276 /*NOTREACHED*/ 4277 4278 case Q_RA: 4279 bpf_error(cstate, "'ra' is only supported on 802.11"); 4280 /*NOTREACHED*/ 4281 4282 case Q_TA: 4283 bpf_error(cstate, "'ta' is only supported on 802.11"); 4284 /*NOTREACHED*/ 4285 } 4286 abort(); 4287 /*NOTREACHED*/ 4288 } 4289 4290 /* 4291 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4292 * various 802.11 + radio headers. 4293 */ 4294 static struct block * 4295 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4296 { 4297 register struct block *b0, *b1, *b2; 4298 register struct slist *s; 4299 4300 #ifdef ENABLE_WLAN_FILTERING_PATCH 4301 /* 4302 * TODO GV 20070613 4303 * We need to disable the optimizer because the optimizer is buggy 4304 * and wipes out some LD instructions generated by the below 4305 * code to validate the Frame Control bits 4306 */ 4307 cstate->no_optimize = 1; 4308 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4309 4310 switch (dir) { 4311 case Q_SRC: 4312 /* 4313 * Oh, yuk. 4314 * 4315 * For control frames, there is no SA. 4316 * 4317 * For management frames, SA is at an 4318 * offset of 10 from the beginning of 4319 * the packet. 4320 * 4321 * For data frames, SA is at an offset 4322 * of 10 from the beginning of the packet 4323 * if From DS is clear, at an offset of 4324 * 16 from the beginning of the packet 4325 * if From DS is set and To DS is clear, 4326 * and an offset of 24 from the beginning 4327 * of the packet if From DS is set and To DS 4328 * is set. 4329 */ 4330 4331 /* 4332 * Generate the tests to be done for data frames 4333 * with From DS set. 4334 * 4335 * First, check for To DS set, i.e. check "link[1] & 0x01". 4336 */ 4337 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4338 b1 = new_block(cstate, JMP(BPF_JSET)); 4339 b1->s.k = 0x01; /* To DS */ 4340 b1->stmts = s; 4341 4342 /* 4343 * If To DS is set, the SA is at 24. 4344 */ 4345 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4346 gen_and(b1, b0); 4347 4348 /* 4349 * Now, check for To DS not set, i.e. check 4350 * "!(link[1] & 0x01)". 4351 */ 4352 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4353 b2 = new_block(cstate, JMP(BPF_JSET)); 4354 b2->s.k = 0x01; /* To DS */ 4355 b2->stmts = s; 4356 gen_not(b2); 4357 4358 /* 4359 * If To DS is not set, the SA is at 16. 4360 */ 4361 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4362 gen_and(b2, b1); 4363 4364 /* 4365 * Now OR together the last two checks. That gives 4366 * the complete set of checks for data frames with 4367 * From DS set. 4368 */ 4369 gen_or(b1, b0); 4370 4371 /* 4372 * Now check for From DS being set, and AND that with 4373 * the ORed-together checks. 4374 */ 4375 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4376 b1 = new_block(cstate, JMP(BPF_JSET)); 4377 b1->s.k = 0x02; /* From DS */ 4378 b1->stmts = s; 4379 gen_and(b1, b0); 4380 4381 /* 4382 * Now check for data frames with From DS not set. 4383 */ 4384 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4385 b2 = new_block(cstate, JMP(BPF_JSET)); 4386 b2->s.k = 0x02; /* From DS */ 4387 b2->stmts = s; 4388 gen_not(b2); 4389 4390 /* 4391 * If From DS isn't set, the SA is at 10. 4392 */ 4393 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4394 gen_and(b2, b1); 4395 4396 /* 4397 * Now OR together the checks for data frames with 4398 * From DS not set and for data frames with From DS 4399 * set; that gives the checks done for data frames. 4400 */ 4401 gen_or(b1, b0); 4402 4403 /* 4404 * Now check for a data frame. 4405 * I.e, check "link[0] & 0x08". 4406 */ 4407 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4408 b1 = new_block(cstate, JMP(BPF_JSET)); 4409 b1->s.k = 0x08; 4410 b1->stmts = s; 4411 4412 /* 4413 * AND that with the checks done for data frames. 4414 */ 4415 gen_and(b1, b0); 4416 4417 /* 4418 * If the high-order bit of the type value is 0, this 4419 * is a management frame. 4420 * I.e, check "!(link[0] & 0x08)". 4421 */ 4422 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4423 b2 = new_block(cstate, JMP(BPF_JSET)); 4424 b2->s.k = 0x08; 4425 b2->stmts = s; 4426 gen_not(b2); 4427 4428 /* 4429 * For management frames, the SA is at 10. 4430 */ 4431 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4432 gen_and(b2, b1); 4433 4434 /* 4435 * OR that with the checks done for data frames. 4436 * That gives the checks done for management and 4437 * data frames. 4438 */ 4439 gen_or(b1, b0); 4440 4441 /* 4442 * If the low-order bit of the type value is 1, 4443 * this is either a control frame or a frame 4444 * with a reserved type, and thus not a 4445 * frame with an SA. 4446 * 4447 * I.e., check "!(link[0] & 0x04)". 4448 */ 4449 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4450 b1 = new_block(cstate, JMP(BPF_JSET)); 4451 b1->s.k = 0x04; 4452 b1->stmts = s; 4453 gen_not(b1); 4454 4455 /* 4456 * AND that with the checks for data and management 4457 * frames. 4458 */ 4459 gen_and(b1, b0); 4460 return b0; 4461 4462 case Q_DST: 4463 /* 4464 * Oh, yuk. 4465 * 4466 * For control frames, there is no DA. 4467 * 4468 * For management frames, DA is at an 4469 * offset of 4 from the beginning of 4470 * the packet. 4471 * 4472 * For data frames, DA is at an offset 4473 * of 4 from the beginning of the packet 4474 * if To DS is clear and at an offset of 4475 * 16 from the beginning of the packet 4476 * if To DS is set. 4477 */ 4478 4479 /* 4480 * Generate the tests to be done for data frames. 4481 * 4482 * First, check for To DS set, i.e. "link[1] & 0x01". 4483 */ 4484 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4485 b1 = new_block(cstate, JMP(BPF_JSET)); 4486 b1->s.k = 0x01; /* To DS */ 4487 b1->stmts = s; 4488 4489 /* 4490 * If To DS is set, the DA is at 16. 4491 */ 4492 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4493 gen_and(b1, b0); 4494 4495 /* 4496 * Now, check for To DS not set, i.e. check 4497 * "!(link[1] & 0x01)". 4498 */ 4499 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4500 b2 = new_block(cstate, JMP(BPF_JSET)); 4501 b2->s.k = 0x01; /* To DS */ 4502 b2->stmts = s; 4503 gen_not(b2); 4504 4505 /* 4506 * If To DS is not set, the DA is at 4. 4507 */ 4508 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4509 gen_and(b2, b1); 4510 4511 /* 4512 * Now OR together the last two checks. That gives 4513 * the complete set of checks for data frames. 4514 */ 4515 gen_or(b1, b0); 4516 4517 /* 4518 * Now check for a data frame. 4519 * I.e, check "link[0] & 0x08". 4520 */ 4521 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4522 b1 = new_block(cstate, JMP(BPF_JSET)); 4523 b1->s.k = 0x08; 4524 b1->stmts = s; 4525 4526 /* 4527 * AND that with the checks done for data frames. 4528 */ 4529 gen_and(b1, b0); 4530 4531 /* 4532 * If the high-order bit of the type value is 0, this 4533 * is a management frame. 4534 * I.e, check "!(link[0] & 0x08)". 4535 */ 4536 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4537 b2 = new_block(cstate, JMP(BPF_JSET)); 4538 b2->s.k = 0x08; 4539 b2->stmts = s; 4540 gen_not(b2); 4541 4542 /* 4543 * For management frames, the DA is at 4. 4544 */ 4545 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4546 gen_and(b2, b1); 4547 4548 /* 4549 * OR that with the checks done for data frames. 4550 * That gives the checks done for management and 4551 * data frames. 4552 */ 4553 gen_or(b1, b0); 4554 4555 /* 4556 * If the low-order bit of the type value is 1, 4557 * this is either a control frame or a frame 4558 * with a reserved type, and thus not a 4559 * frame with an SA. 4560 * 4561 * I.e., check "!(link[0] & 0x04)". 4562 */ 4563 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4564 b1 = new_block(cstate, JMP(BPF_JSET)); 4565 b1->s.k = 0x04; 4566 b1->stmts = s; 4567 gen_not(b1); 4568 4569 /* 4570 * AND that with the checks for data and management 4571 * frames. 4572 */ 4573 gen_and(b1, b0); 4574 return b0; 4575 4576 case Q_AND: 4577 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4578 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4579 gen_and(b0, b1); 4580 return b1; 4581 4582 case Q_DEFAULT: 4583 case Q_OR: 4584 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4585 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4586 gen_or(b0, b1); 4587 return b1; 4588 4589 /* 4590 * XXX - add BSSID keyword? 4591 */ 4592 case Q_ADDR1: 4593 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4594 4595 case Q_ADDR2: 4596 /* 4597 * Not present in CTS or ACK control frames. 4598 */ 4599 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4600 IEEE80211_FC0_TYPE_MASK); 4601 gen_not(b0); 4602 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4603 IEEE80211_FC0_SUBTYPE_MASK); 4604 gen_not(b1); 4605 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4606 IEEE80211_FC0_SUBTYPE_MASK); 4607 gen_not(b2); 4608 gen_and(b1, b2); 4609 gen_or(b0, b2); 4610 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4611 gen_and(b2, b1); 4612 return b1; 4613 4614 case Q_ADDR3: 4615 /* 4616 * Not present in control frames. 4617 */ 4618 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4619 IEEE80211_FC0_TYPE_MASK); 4620 gen_not(b0); 4621 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4622 gen_and(b0, b1); 4623 return b1; 4624 4625 case Q_ADDR4: 4626 /* 4627 * Present only if the direction mask has both "From DS" 4628 * and "To DS" set. Neither control frames nor management 4629 * frames should have both of those set, so we don't 4630 * check the frame type. 4631 */ 4632 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4633 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4634 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4635 gen_and(b0, b1); 4636 return b1; 4637 4638 case Q_RA: 4639 /* 4640 * Not present in management frames; addr1 in other 4641 * frames. 4642 */ 4643 4644 /* 4645 * If the high-order bit of the type value is 0, this 4646 * is a management frame. 4647 * I.e, check "(link[0] & 0x08)". 4648 */ 4649 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4650 b1 = new_block(cstate, JMP(BPF_JSET)); 4651 b1->s.k = 0x08; 4652 b1->stmts = s; 4653 4654 /* 4655 * Check addr1. 4656 */ 4657 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4658 4659 /* 4660 * AND that with the check of addr1. 4661 */ 4662 gen_and(b1, b0); 4663 return (b0); 4664 4665 case Q_TA: 4666 /* 4667 * Not present in management frames; addr2, if present, 4668 * in other frames. 4669 */ 4670 4671 /* 4672 * Not present in CTS or ACK control frames. 4673 */ 4674 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4675 IEEE80211_FC0_TYPE_MASK); 4676 gen_not(b0); 4677 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4678 IEEE80211_FC0_SUBTYPE_MASK); 4679 gen_not(b1); 4680 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4681 IEEE80211_FC0_SUBTYPE_MASK); 4682 gen_not(b2); 4683 gen_and(b1, b2); 4684 gen_or(b0, b2); 4685 4686 /* 4687 * If the high-order bit of the type value is 0, this 4688 * is a management frame. 4689 * I.e, check "(link[0] & 0x08)". 4690 */ 4691 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4692 b1 = new_block(cstate, JMP(BPF_JSET)); 4693 b1->s.k = 0x08; 4694 b1->stmts = s; 4695 4696 /* 4697 * AND that with the check for frames other than 4698 * CTS and ACK frames. 4699 */ 4700 gen_and(b1, b2); 4701 4702 /* 4703 * Check addr2. 4704 */ 4705 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4706 gen_and(b2, b1); 4707 return b1; 4708 } 4709 abort(); 4710 /*NOTREACHED*/ 4711 } 4712 4713 /* 4714 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4715 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4716 * as the RFC states.) 4717 */ 4718 static struct block * 4719 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4720 { 4721 register struct block *b0, *b1; 4722 4723 switch (dir) { 4724 case Q_SRC: 4725 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4726 4727 case Q_DST: 4728 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4729 4730 case Q_AND: 4731 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4732 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4733 gen_and(b0, b1); 4734 return b1; 4735 4736 case Q_DEFAULT: 4737 case Q_OR: 4738 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4739 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4740 gen_or(b0, b1); 4741 return b1; 4742 4743 case Q_ADDR1: 4744 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4745 /*NOTREACHED*/ 4746 4747 case Q_ADDR2: 4748 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4749 /*NOTREACHED*/ 4750 4751 case Q_ADDR3: 4752 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4753 /*NOTREACHED*/ 4754 4755 case Q_ADDR4: 4756 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4757 /*NOTREACHED*/ 4758 4759 case Q_RA: 4760 bpf_error(cstate, "'ra' is only supported on 802.11"); 4761 /*NOTREACHED*/ 4762 4763 case Q_TA: 4764 bpf_error(cstate, "'ta' is only supported on 802.11"); 4765 /*NOTREACHED*/ 4766 } 4767 abort(); 4768 /*NOTREACHED*/ 4769 } 4770 4771 /* 4772 * This is quite tricky because there may be pad bytes in front of the 4773 * DECNET header, and then there are two possible data packet formats that 4774 * carry both src and dst addresses, plus 5 packet types in a format that 4775 * carries only the src node, plus 2 types that use a different format and 4776 * also carry just the src node. 4777 * 4778 * Yuck. 4779 * 4780 * Instead of doing those all right, we just look for data packets with 4781 * 0 or 1 bytes of padding. If you want to look at other packets, that 4782 * will require a lot more hacking. 4783 * 4784 * To add support for filtering on DECNET "areas" (network numbers) 4785 * one would want to add a "mask" argument to this routine. That would 4786 * make the filter even more inefficient, although one could be clever 4787 * and not generate masking instructions if the mask is 0xFFFF. 4788 */ 4789 static struct block * 4790 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4791 { 4792 struct block *b0, *b1, *b2, *tmp; 4793 u_int offset_lh; /* offset if long header is received */ 4794 u_int offset_sh; /* offset if short header is received */ 4795 4796 switch (dir) { 4797 4798 case Q_DST: 4799 offset_sh = 1; /* follows flags */ 4800 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4801 break; 4802 4803 case Q_SRC: 4804 offset_sh = 3; /* follows flags, dstnode */ 4805 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4806 break; 4807 4808 case Q_AND: 4809 /* Inefficient because we do our Calvinball dance twice */ 4810 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4811 b1 = gen_dnhostop(cstate, addr, Q_DST); 4812 gen_and(b0, b1); 4813 return b1; 4814 4815 case Q_DEFAULT: 4816 case Q_OR: 4817 /* Inefficient because we do our Calvinball dance twice */ 4818 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4819 b1 = gen_dnhostop(cstate, addr, Q_DST); 4820 gen_or(b0, b1); 4821 return b1; 4822 4823 case Q_ADDR1: 4824 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4825 /*NOTREACHED*/ 4826 4827 case Q_ADDR2: 4828 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4829 /*NOTREACHED*/ 4830 4831 case Q_ADDR3: 4832 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4833 /*NOTREACHED*/ 4834 4835 case Q_ADDR4: 4836 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4837 /*NOTREACHED*/ 4838 4839 case Q_RA: 4840 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4841 /*NOTREACHED*/ 4842 4843 case Q_TA: 4844 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4845 /*NOTREACHED*/ 4846 4847 default: 4848 abort(); 4849 /*NOTREACHED*/ 4850 } 4851 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4852 /* Check for pad = 1, long header case */ 4853 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4854 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4855 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4856 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4857 gen_and(tmp, b1); 4858 /* Check for pad = 0, long header case */ 4859 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4860 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4861 gen_and(tmp, b2); 4862 gen_or(b2, b1); 4863 /* Check for pad = 1, short header case */ 4864 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4865 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4866 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4867 gen_and(tmp, b2); 4868 gen_or(b2, b1); 4869 /* Check for pad = 0, short header case */ 4870 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4871 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4872 gen_and(tmp, b2); 4873 gen_or(b2, b1); 4874 4875 /* Combine with test for cstate->linktype */ 4876 gen_and(b0, b1); 4877 return b1; 4878 } 4879 4880 /* 4881 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4882 * test the bottom-of-stack bit, and then check the version number 4883 * field in the IP header. 4884 */ 4885 static struct block * 4886 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4887 { 4888 struct block *b0, *b1; 4889 4890 switch (proto) { 4891 4892 case Q_IP: 4893 /* match the bottom-of-stack bit */ 4894 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4895 /* match the IPv4 version number */ 4896 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4897 gen_and(b0, b1); 4898 return b1; 4899 4900 case Q_IPV6: 4901 /* match the bottom-of-stack bit */ 4902 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4903 /* match the IPv4 version number */ 4904 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4905 gen_and(b0, b1); 4906 return b1; 4907 4908 default: 4909 abort(); 4910 } 4911 } 4912 4913 static struct block * 4914 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4915 int proto, int dir, int type) 4916 { 4917 struct block *b0, *b1; 4918 const char *typestr; 4919 4920 if (type == Q_NET) 4921 typestr = "net"; 4922 else 4923 typestr = "host"; 4924 4925 switch (proto) { 4926 4927 case Q_DEFAULT: 4928 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4929 /* 4930 * Only check for non-IPv4 addresses if we're not 4931 * checking MPLS-encapsulated packets. 4932 */ 4933 if (cstate->label_stack_depth == 0) { 4934 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4935 gen_or(b0, b1); 4936 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4937 gen_or(b1, b0); 4938 } 4939 return b0; 4940 4941 case Q_LINK: 4942 bpf_error(cstate, "link-layer modifier applied to %s", typestr); 4943 4944 case Q_IP: 4945 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4946 4947 case Q_RARP: 4948 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4949 4950 case Q_ARP: 4951 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4952 4953 case Q_SCTP: 4954 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4955 4956 case Q_TCP: 4957 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4958 4959 case Q_UDP: 4960 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4961 4962 case Q_ICMP: 4963 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4964 4965 case Q_IGMP: 4966 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4967 4968 case Q_IGRP: 4969 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4970 4971 case Q_ATALK: 4972 bpf_error(cstate, "AppleTalk host filtering not implemented"); 4973 4974 case Q_DECNET: 4975 return gen_dnhostop(cstate, addr, dir); 4976 4977 case Q_LAT: 4978 bpf_error(cstate, "LAT host filtering not implemented"); 4979 4980 case Q_SCA: 4981 bpf_error(cstate, "SCA host filtering not implemented"); 4982 4983 case Q_MOPRC: 4984 bpf_error(cstate, "MOPRC host filtering not implemented"); 4985 4986 case Q_MOPDL: 4987 bpf_error(cstate, "MOPDL host filtering not implemented"); 4988 4989 case Q_IPV6: 4990 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4991 4992 case Q_ICMPV6: 4993 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4994 4995 case Q_AH: 4996 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4997 4998 case Q_ESP: 4999 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 5000 5001 case Q_PIM: 5002 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 5003 5004 case Q_VRRP: 5005 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 5006 5007 case Q_AARP: 5008 bpf_error(cstate, "AARP host filtering not implemented"); 5009 5010 case Q_ISO: 5011 bpf_error(cstate, "ISO host filtering not implemented"); 5012 5013 case Q_ESIS: 5014 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 5015 5016 case Q_ISIS: 5017 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 5018 5019 case Q_CLNP: 5020 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 5021 5022 case Q_STP: 5023 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 5024 5025 case Q_IPX: 5026 bpf_error(cstate, "IPX host filtering not implemented"); 5027 5028 case Q_NETBEUI: 5029 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 5030 5031 case Q_ISIS_L1: 5032 bpf_error(cstate, "'l1' modifier applied to %s", typestr); 5033 5034 case Q_ISIS_L2: 5035 bpf_error(cstate, "'l2' modifier applied to %s", typestr); 5036 5037 case Q_ISIS_IIH: 5038 bpf_error(cstate, "'iih' modifier applied to %s", typestr); 5039 5040 case Q_ISIS_SNP: 5041 bpf_error(cstate, "'snp' modifier applied to %s", typestr); 5042 5043 case Q_ISIS_CSNP: 5044 bpf_error(cstate, "'csnp' modifier applied to %s", typestr); 5045 5046 case Q_ISIS_PSNP: 5047 bpf_error(cstate, "'psnp' modifier applied to %s", typestr); 5048 5049 case Q_ISIS_LSP: 5050 bpf_error(cstate, "'lsp' modifier applied to %s", typestr); 5051 5052 case Q_RADIO: 5053 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 5054 5055 case Q_CARP: 5056 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 5057 5058 default: 5059 abort(); 5060 } 5061 /*NOTREACHED*/ 5062 } 5063 5064 #ifdef INET6 5065 static struct block * 5066 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 5067 struct in6_addr *mask, int proto, int dir, int type) 5068 { 5069 const char *typestr; 5070 5071 if (type == Q_NET) 5072 typestr = "net"; 5073 else 5074 typestr = "host"; 5075 5076 switch (proto) { 5077 5078 case Q_DEFAULT: 5079 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 5080 5081 case Q_LINK: 5082 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 5083 5084 case Q_IP: 5085 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 5086 5087 case Q_RARP: 5088 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 5089 5090 case Q_ARP: 5091 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 5092 5093 case Q_SCTP: 5094 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr); 5095 5096 case Q_TCP: 5097 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr); 5098 5099 case Q_UDP: 5100 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr); 5101 5102 case Q_ICMP: 5103 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr); 5104 5105 case Q_IGMP: 5106 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr); 5107 5108 case Q_IGRP: 5109 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr); 5110 5111 case Q_ATALK: 5112 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr); 5113 5114 case Q_DECNET: 5115 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 5116 5117 case Q_LAT: 5118 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr); 5119 5120 case Q_SCA: 5121 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr); 5122 5123 case Q_MOPRC: 5124 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr); 5125 5126 case Q_MOPDL: 5127 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr); 5128 5129 case Q_IPV6: 5130 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 5131 5132 case Q_ICMPV6: 5133 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr); 5134 5135 case Q_AH: 5136 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr); 5137 5138 case Q_ESP: 5139 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr); 5140 5141 case Q_PIM: 5142 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr); 5143 5144 case Q_VRRP: 5145 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr); 5146 5147 case Q_AARP: 5148 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr); 5149 5150 case Q_ISO: 5151 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr); 5152 5153 case Q_ESIS: 5154 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr); 5155 5156 case Q_ISIS: 5157 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr); 5158 5159 case Q_CLNP: 5160 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr); 5161 5162 case Q_STP: 5163 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr); 5164 5165 case Q_IPX: 5166 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr); 5167 5168 case Q_NETBEUI: 5169 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr); 5170 5171 case Q_ISIS_L1: 5172 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr); 5173 5174 case Q_ISIS_L2: 5175 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr); 5176 5177 case Q_ISIS_IIH: 5178 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr); 5179 5180 case Q_ISIS_SNP: 5181 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr); 5182 5183 case Q_ISIS_CSNP: 5184 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr); 5185 5186 case Q_ISIS_PSNP: 5187 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr); 5188 5189 case Q_ISIS_LSP: 5190 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr); 5191 5192 case Q_RADIO: 5193 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr); 5194 5195 case Q_CARP: 5196 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr); 5197 5198 default: 5199 abort(); 5200 } 5201 /*NOTREACHED*/ 5202 } 5203 #endif 5204 5205 #ifndef INET6 5206 static struct block * 5207 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 5208 struct addrinfo *alist, int proto, int dir) 5209 { 5210 struct block *b0, *b1, *tmp; 5211 struct addrinfo *ai; 5212 struct sockaddr_in *sin; 5213 5214 if (dir != 0) 5215 bpf_error(cstate, "direction applied to 'gateway'"); 5216 5217 switch (proto) { 5218 case Q_DEFAULT: 5219 case Q_IP: 5220 case Q_ARP: 5221 case Q_RARP: 5222 switch (cstate->linktype) { 5223 case DLT_EN10MB: 5224 case DLT_NETANALYZER: 5225 case DLT_NETANALYZER_TRANSPARENT: 5226 b1 = gen_prevlinkhdr_check(cstate); 5227 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5228 if (b1 != NULL) 5229 gen_and(b1, b0); 5230 break; 5231 case DLT_FDDI: 5232 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5233 break; 5234 case DLT_IEEE802: 5235 b0 = gen_thostop(cstate, eaddr, Q_OR); 5236 break; 5237 case DLT_IEEE802_11: 5238 case DLT_PRISM_HEADER: 5239 case DLT_IEEE802_11_RADIO_AVS: 5240 case DLT_IEEE802_11_RADIO: 5241 case DLT_PPI: 5242 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5243 break; 5244 case DLT_SUNATM: 5245 /* 5246 * This is LLC-multiplexed traffic; if it were 5247 * LANE, cstate->linktype would have been set to 5248 * DLT_EN10MB. 5249 */ 5250 bpf_error(cstate, 5251 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5252 break; 5253 case DLT_IP_OVER_FC: 5254 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5255 break; 5256 default: 5257 bpf_error(cstate, 5258 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5259 } 5260 b1 = NULL; 5261 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5262 /* 5263 * Does it have an address? 5264 */ 5265 if (ai->ai_addr != NULL) { 5266 /* 5267 * Yes. Is it an IPv4 address? 5268 */ 5269 if (ai->ai_addr->sa_family == AF_INET) { 5270 /* 5271 * Generate an entry for it. 5272 */ 5273 sin = (struct sockaddr_in *)ai->ai_addr; 5274 tmp = gen_host(cstate, 5275 ntohl(sin->sin_addr.s_addr), 5276 0xffffffff, proto, Q_OR, Q_HOST); 5277 /* 5278 * Is it the *first* IPv4 address? 5279 */ 5280 if (b1 == NULL) { 5281 /* 5282 * Yes, so start with it. 5283 */ 5284 b1 = tmp; 5285 } else { 5286 /* 5287 * No, so OR it into the 5288 * existing set of 5289 * addresses. 5290 */ 5291 gen_or(b1, tmp); 5292 b1 = tmp; 5293 } 5294 } 5295 } 5296 } 5297 if (b1 == NULL) { 5298 /* 5299 * No IPv4 addresses found. 5300 */ 5301 return (NULL); 5302 } 5303 gen_not(b1); 5304 gen_and(b0, b1); 5305 return b1; 5306 } 5307 bpf_error(cstate, "illegal modifier of 'gateway'"); 5308 /*NOTREACHED*/ 5309 } 5310 #endif 5311 5312 static struct block * 5313 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto) 5314 { 5315 struct block *b0; 5316 struct block *b1; 5317 5318 switch (proto) { 5319 5320 case Q_SCTP: 5321 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 5322 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 5323 gen_or(b0, b1); 5324 break; 5325 5326 case Q_TCP: 5327 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 5328 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 5329 gen_or(b0, b1); 5330 break; 5331 5332 case Q_UDP: 5333 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 5334 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5335 gen_or(b0, b1); 5336 break; 5337 5338 case Q_ICMP: 5339 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5340 break; 5341 5342 #ifndef IPPROTO_IGMP 5343 #define IPPROTO_IGMP 2 5344 #endif 5345 5346 case Q_IGMP: 5347 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5348 break; 5349 5350 #ifndef IPPROTO_IGRP 5351 #define IPPROTO_IGRP 9 5352 #endif 5353 case Q_IGRP: 5354 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5355 break; 5356 5357 #ifndef IPPROTO_PIM 5358 #define IPPROTO_PIM 103 5359 #endif 5360 5361 case Q_PIM: 5362 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5363 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5364 gen_or(b0, b1); 5365 break; 5366 5367 #ifndef IPPROTO_VRRP 5368 #define IPPROTO_VRRP 112 5369 #endif 5370 5371 case Q_VRRP: 5372 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5373 break; 5374 5375 #ifndef IPPROTO_CARP 5376 #define IPPROTO_CARP 112 5377 #endif 5378 5379 case Q_CARP: 5380 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5381 break; 5382 5383 case Q_IP: 5384 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5385 break; 5386 5387 case Q_ARP: 5388 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5389 break; 5390 5391 case Q_RARP: 5392 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5393 break; 5394 5395 case Q_LINK: 5396 bpf_error(cstate, "link layer applied in wrong context"); 5397 5398 case Q_ATALK: 5399 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5400 break; 5401 5402 case Q_AARP: 5403 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5404 break; 5405 5406 case Q_DECNET: 5407 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5408 break; 5409 5410 case Q_SCA: 5411 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5412 break; 5413 5414 case Q_LAT: 5415 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5416 break; 5417 5418 case Q_MOPDL: 5419 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5420 break; 5421 5422 case Q_MOPRC: 5423 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5424 break; 5425 5426 case Q_IPV6: 5427 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5428 break; 5429 5430 #ifndef IPPROTO_ICMPV6 5431 #define IPPROTO_ICMPV6 58 5432 #endif 5433 case Q_ICMPV6: 5434 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5435 break; 5436 5437 #ifndef IPPROTO_AH 5438 #define IPPROTO_AH 51 5439 #endif 5440 case Q_AH: 5441 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5442 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5443 gen_or(b0, b1); 5444 break; 5445 5446 #ifndef IPPROTO_ESP 5447 #define IPPROTO_ESP 50 5448 #endif 5449 case Q_ESP: 5450 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5451 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5452 gen_or(b0, b1); 5453 break; 5454 5455 case Q_ISO: 5456 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5457 break; 5458 5459 case Q_ESIS: 5460 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5461 break; 5462 5463 case Q_ISIS: 5464 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5465 break; 5466 5467 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5468 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5469 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5470 gen_or(b0, b1); 5471 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5472 gen_or(b0, b1); 5473 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5474 gen_or(b0, b1); 5475 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5476 gen_or(b0, b1); 5477 break; 5478 5479 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5480 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5481 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5482 gen_or(b0, b1); 5483 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5484 gen_or(b0, b1); 5485 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5486 gen_or(b0, b1); 5487 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5488 gen_or(b0, b1); 5489 break; 5490 5491 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5492 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5493 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5494 gen_or(b0, b1); 5495 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5496 gen_or(b0, b1); 5497 break; 5498 5499 case Q_ISIS_LSP: 5500 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5501 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5502 gen_or(b0, b1); 5503 break; 5504 5505 case Q_ISIS_SNP: 5506 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5507 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5508 gen_or(b0, b1); 5509 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5510 gen_or(b0, b1); 5511 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5512 gen_or(b0, b1); 5513 break; 5514 5515 case Q_ISIS_CSNP: 5516 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5517 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5518 gen_or(b0, b1); 5519 break; 5520 5521 case Q_ISIS_PSNP: 5522 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5523 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5524 gen_or(b0, b1); 5525 break; 5526 5527 case Q_CLNP: 5528 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5529 break; 5530 5531 case Q_STP: 5532 b1 = gen_linktype(cstate, LLCSAP_8021D); 5533 break; 5534 5535 case Q_IPX: 5536 b1 = gen_linktype(cstate, LLCSAP_IPX); 5537 break; 5538 5539 case Q_NETBEUI: 5540 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5541 break; 5542 5543 case Q_RADIO: 5544 bpf_error(cstate, "'radio' is not a valid protocol type"); 5545 5546 default: 5547 abort(); 5548 } 5549 return b1; 5550 } 5551 5552 struct block * 5553 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5554 { 5555 /* 5556 * Catch errors reported by us and routines below us, and return NULL 5557 * on an error. 5558 */ 5559 if (setjmp(cstate->top_ctx)) 5560 return (NULL); 5561 5562 return gen_proto_abbrev_internal(cstate, proto); 5563 } 5564 5565 static struct block * 5566 gen_ipfrag(compiler_state_t *cstate) 5567 { 5568 struct slist *s; 5569 struct block *b; 5570 5571 /* not IPv4 frag other than the first frag */ 5572 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5573 b = new_block(cstate, JMP(BPF_JSET)); 5574 b->s.k = 0x1fff; 5575 b->stmts = s; 5576 gen_not(b); 5577 5578 return b; 5579 } 5580 5581 /* 5582 * Generate a comparison to a port value in the transport-layer header 5583 * at the specified offset from the beginning of that header. 5584 * 5585 * XXX - this handles a variable-length prefix preceding the link-layer 5586 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5587 * variable-length link-layer headers (such as Token Ring or 802.11 5588 * headers). 5589 */ 5590 static struct block * 5591 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5592 { 5593 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5594 } 5595 5596 static struct block * 5597 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5598 { 5599 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5600 } 5601 5602 struct block * 5603 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5604 { 5605 struct block *b0, *b1, *tmp; 5606 5607 /* ip proto 'proto' and not a fragment other than the first fragment */ 5608 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5609 b0 = gen_ipfrag(cstate); 5610 gen_and(tmp, b0); 5611 5612 switch (dir) { 5613 case Q_SRC: 5614 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5615 break; 5616 5617 case Q_DST: 5618 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5619 break; 5620 5621 case Q_AND: 5622 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5623 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5624 gen_and(tmp, b1); 5625 break; 5626 5627 case Q_DEFAULT: 5628 case Q_OR: 5629 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5630 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5631 gen_or(tmp, b1); 5632 break; 5633 5634 case Q_ADDR1: 5635 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports"); 5636 /*NOTREACHED*/ 5637 5638 case Q_ADDR2: 5639 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports"); 5640 /*NOTREACHED*/ 5641 5642 case Q_ADDR3: 5643 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports"); 5644 /*NOTREACHED*/ 5645 5646 case Q_ADDR4: 5647 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports"); 5648 /*NOTREACHED*/ 5649 5650 case Q_RA: 5651 bpf_error(cstate, "'ra' is not a valid qualifier for ports"); 5652 /*NOTREACHED*/ 5653 5654 case Q_TA: 5655 bpf_error(cstate, "'ta' is not a valid qualifier for ports"); 5656 /*NOTREACHED*/ 5657 5658 default: 5659 abort(); 5660 /*NOTREACHED*/ 5661 } 5662 gen_and(b0, b1); 5663 5664 return b1; 5665 } 5666 5667 static struct block * 5668 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5669 { 5670 struct block *b0, *b1, *tmp; 5671 5672 /* 5673 * ether proto ip 5674 * 5675 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5676 * not LLC encapsulation with LLCSAP_IP. 5677 * 5678 * For IEEE 802 networks - which includes 802.5 token ring 5679 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5680 * says that SNAP encapsulation is used, not LLC encapsulation 5681 * with LLCSAP_IP. 5682 * 5683 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5684 * RFC 2225 say that SNAP encapsulation is used, not LLC 5685 * encapsulation with LLCSAP_IP. 5686 * 5687 * So we always check for ETHERTYPE_IP. 5688 */ 5689 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5690 5691 switch (ip_proto) { 5692 case IPPROTO_UDP: 5693 case IPPROTO_TCP: 5694 case IPPROTO_SCTP: 5695 b1 = gen_portop(cstate, port, ip_proto, dir); 5696 break; 5697 5698 case PROTO_UNDEF: 5699 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5700 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5701 gen_or(tmp, b1); 5702 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5703 gen_or(tmp, b1); 5704 break; 5705 5706 default: 5707 abort(); 5708 } 5709 gen_and(b0, b1); 5710 return b1; 5711 } 5712 5713 struct block * 5714 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5715 { 5716 struct block *b0, *b1, *tmp; 5717 5718 /* ip6 proto 'proto' */ 5719 /* XXX - catch the first fragment of a fragmented packet? */ 5720 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5721 5722 switch (dir) { 5723 case Q_SRC: 5724 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5725 break; 5726 5727 case Q_DST: 5728 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5729 break; 5730 5731 case Q_AND: 5732 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5733 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5734 gen_and(tmp, b1); 5735 break; 5736 5737 case Q_DEFAULT: 5738 case Q_OR: 5739 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5740 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5741 gen_or(tmp, b1); 5742 break; 5743 5744 default: 5745 abort(); 5746 } 5747 gen_and(b0, b1); 5748 5749 return b1; 5750 } 5751 5752 static struct block * 5753 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5754 { 5755 struct block *b0, *b1, *tmp; 5756 5757 /* link proto ip6 */ 5758 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5759 5760 switch (ip_proto) { 5761 case IPPROTO_UDP: 5762 case IPPROTO_TCP: 5763 case IPPROTO_SCTP: 5764 b1 = gen_portop6(cstate, port, ip_proto, dir); 5765 break; 5766 5767 case PROTO_UNDEF: 5768 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5769 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5770 gen_or(tmp, b1); 5771 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5772 gen_or(tmp, b1); 5773 break; 5774 5775 default: 5776 abort(); 5777 } 5778 gen_and(b0, b1); 5779 return b1; 5780 } 5781 5782 /* gen_portrange code */ 5783 static struct block * 5784 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5785 bpf_int32 v2) 5786 { 5787 struct block *b1, *b2; 5788 5789 if (v1 > v2) { 5790 /* 5791 * Reverse the order of the ports, so v1 is the lower one. 5792 */ 5793 bpf_int32 vtemp; 5794 5795 vtemp = v1; 5796 v1 = v2; 5797 v2 = vtemp; 5798 } 5799 5800 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5801 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5802 5803 gen_and(b1, b2); 5804 5805 return b2; 5806 } 5807 5808 struct block * 5809 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5810 int dir) 5811 { 5812 struct block *b0, *b1, *tmp; 5813 5814 /* ip proto 'proto' and not a fragment other than the first fragment */ 5815 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5816 b0 = gen_ipfrag(cstate); 5817 gen_and(tmp, b0); 5818 5819 switch (dir) { 5820 case Q_SRC: 5821 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5822 break; 5823 5824 case Q_DST: 5825 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5826 break; 5827 5828 case Q_AND: 5829 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5830 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5831 gen_and(tmp, b1); 5832 break; 5833 5834 case Q_DEFAULT: 5835 case Q_OR: 5836 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5837 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5838 gen_or(tmp, b1); 5839 break; 5840 5841 case Q_ADDR1: 5842 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges"); 5843 /*NOTREACHED*/ 5844 5845 case Q_ADDR2: 5846 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges"); 5847 /*NOTREACHED*/ 5848 5849 case Q_ADDR3: 5850 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges"); 5851 /*NOTREACHED*/ 5852 5853 case Q_ADDR4: 5854 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges"); 5855 /*NOTREACHED*/ 5856 5857 case Q_RA: 5858 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges"); 5859 /*NOTREACHED*/ 5860 5861 case Q_TA: 5862 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges"); 5863 /*NOTREACHED*/ 5864 5865 default: 5866 abort(); 5867 /*NOTREACHED*/ 5868 } 5869 gen_and(b0, b1); 5870 5871 return b1; 5872 } 5873 5874 static struct block * 5875 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5876 int dir) 5877 { 5878 struct block *b0, *b1, *tmp; 5879 5880 /* link proto ip */ 5881 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5882 5883 switch (ip_proto) { 5884 case IPPROTO_UDP: 5885 case IPPROTO_TCP: 5886 case IPPROTO_SCTP: 5887 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5888 break; 5889 5890 case PROTO_UNDEF: 5891 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5892 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5893 gen_or(tmp, b1); 5894 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5895 gen_or(tmp, b1); 5896 break; 5897 5898 default: 5899 abort(); 5900 } 5901 gen_and(b0, b1); 5902 return b1; 5903 } 5904 5905 static struct block * 5906 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5907 bpf_int32 v2) 5908 { 5909 struct block *b1, *b2; 5910 5911 if (v1 > v2) { 5912 /* 5913 * Reverse the order of the ports, so v1 is the lower one. 5914 */ 5915 bpf_int32 vtemp; 5916 5917 vtemp = v1; 5918 v1 = v2; 5919 v2 = vtemp; 5920 } 5921 5922 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5923 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5924 5925 gen_and(b1, b2); 5926 5927 return b2; 5928 } 5929 5930 struct block * 5931 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5932 int dir) 5933 { 5934 struct block *b0, *b1, *tmp; 5935 5936 /* ip6 proto 'proto' */ 5937 /* XXX - catch the first fragment of a fragmented packet? */ 5938 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5939 5940 switch (dir) { 5941 case Q_SRC: 5942 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5943 break; 5944 5945 case Q_DST: 5946 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5947 break; 5948 5949 case Q_AND: 5950 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5951 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5952 gen_and(tmp, b1); 5953 break; 5954 5955 case Q_DEFAULT: 5956 case Q_OR: 5957 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5958 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5959 gen_or(tmp, b1); 5960 break; 5961 5962 default: 5963 abort(); 5964 } 5965 gen_and(b0, b1); 5966 5967 return b1; 5968 } 5969 5970 static struct block * 5971 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5972 int dir) 5973 { 5974 struct block *b0, *b1, *tmp; 5975 5976 /* link proto ip6 */ 5977 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5978 5979 switch (ip_proto) { 5980 case IPPROTO_UDP: 5981 case IPPROTO_TCP: 5982 case IPPROTO_SCTP: 5983 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5984 break; 5985 5986 case PROTO_UNDEF: 5987 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5988 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5989 gen_or(tmp, b1); 5990 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5991 gen_or(tmp, b1); 5992 break; 5993 5994 default: 5995 abort(); 5996 } 5997 gen_and(b0, b1); 5998 return b1; 5999 } 6000 6001 static int 6002 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 6003 { 6004 register int v; 6005 6006 switch (proto) { 6007 6008 case Q_DEFAULT: 6009 case Q_IP: 6010 case Q_IPV6: 6011 v = pcap_nametoproto(name); 6012 if (v == PROTO_UNDEF) 6013 bpf_error(cstate, "unknown ip proto '%s'", name); 6014 break; 6015 6016 case Q_LINK: 6017 /* XXX should look up h/w protocol type based on cstate->linktype */ 6018 v = pcap_nametoeproto(name); 6019 if (v == PROTO_UNDEF) { 6020 v = pcap_nametollc(name); 6021 if (v == PROTO_UNDEF) 6022 bpf_error(cstate, "unknown ether proto '%s'", name); 6023 } 6024 break; 6025 6026 case Q_ISO: 6027 if (strcmp(name, "esis") == 0) 6028 v = ISO9542_ESIS; 6029 else if (strcmp(name, "isis") == 0) 6030 v = ISO10589_ISIS; 6031 else if (strcmp(name, "clnp") == 0) 6032 v = ISO8473_CLNP; 6033 else 6034 bpf_error(cstate, "unknown osi proto '%s'", name); 6035 break; 6036 6037 default: 6038 v = PROTO_UNDEF; 6039 break; 6040 } 6041 return v; 6042 } 6043 6044 #if 0 6045 struct stmt * 6046 gen_joinsp(struct stmt **s, int n) 6047 { 6048 return NULL; 6049 } 6050 #endif 6051 6052 static struct block * 6053 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 6054 { 6055 #ifdef NO_PROTOCHAIN 6056 return gen_proto(cstate, v, proto, dir); 6057 #else 6058 struct block *b0, *b; 6059 struct slist *s[100]; 6060 int fix2, fix3, fix4, fix5; 6061 int ahcheck, again, end; 6062 int i, max; 6063 int reg2 = alloc_reg(cstate); 6064 6065 memset(s, 0, sizeof(s)); 6066 fix3 = fix4 = fix5 = 0; 6067 6068 switch (proto) { 6069 case Q_IP: 6070 case Q_IPV6: 6071 break; 6072 case Q_DEFAULT: 6073 b0 = gen_protochain(cstate, v, Q_IP, dir); 6074 b = gen_protochain(cstate, v, Q_IPV6, dir); 6075 gen_or(b0, b); 6076 return b; 6077 default: 6078 bpf_error(cstate, "bad protocol applied for 'protochain'"); 6079 /*NOTREACHED*/ 6080 } 6081 6082 /* 6083 * We don't handle variable-length prefixes before the link-layer 6084 * header, or variable-length link-layer headers, here yet. 6085 * We might want to add BPF instructions to do the protochain 6086 * work, to simplify that and, on platforms that have a BPF 6087 * interpreter with the new instructions, let the filtering 6088 * be done in the kernel. (We already require a modified BPF 6089 * engine to do the protochain stuff, to support backward 6090 * branches, and backward branch support is unlikely to appear 6091 * in kernel BPF engines.) 6092 */ 6093 if (cstate->off_linkpl.is_variable) 6094 bpf_error(cstate, "'protochain' not supported with variable length headers"); 6095 6096 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */ 6097 6098 /* 6099 * s[0] is a dummy entry to protect other BPF insn from damage 6100 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 6101 * hard to find interdependency made by jump table fixup. 6102 */ 6103 i = 0; 6104 s[i] = new_stmt(cstate, 0); /*dummy*/ 6105 i++; 6106 6107 switch (proto) { 6108 case Q_IP: 6109 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6110 6111 /* A = ip->ip_p */ 6112 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6113 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 6114 i++; 6115 /* X = ip->ip_hl << 2 */ 6116 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 6117 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6118 i++; 6119 break; 6120 6121 case Q_IPV6: 6122 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6123 6124 /* A = ip6->ip_nxt */ 6125 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6126 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 6127 i++; 6128 /* X = sizeof(struct ip6_hdr) */ 6129 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 6130 s[i]->s.k = 40; 6131 i++; 6132 break; 6133 6134 default: 6135 bpf_error(cstate, "unsupported proto to gen_protochain"); 6136 /*NOTREACHED*/ 6137 } 6138 6139 /* again: if (A == v) goto end; else fall through; */ 6140 again = i; 6141 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6142 s[i]->s.k = v; 6143 s[i]->s.jt = NULL; /*later*/ 6144 s[i]->s.jf = NULL; /*update in next stmt*/ 6145 fix5 = i; 6146 i++; 6147 6148 #ifndef IPPROTO_NONE 6149 #define IPPROTO_NONE 59 6150 #endif 6151 /* if (A == IPPROTO_NONE) goto end */ 6152 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6153 s[i]->s.jt = NULL; /*later*/ 6154 s[i]->s.jf = NULL; /*update in next stmt*/ 6155 s[i]->s.k = IPPROTO_NONE; 6156 s[fix5]->s.jf = s[i]; 6157 fix2 = i; 6158 i++; 6159 6160 if (proto == Q_IPV6) { 6161 int v6start, v6end, v6advance, j; 6162 6163 v6start = i; 6164 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 6165 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6166 s[i]->s.jt = NULL; /*later*/ 6167 s[i]->s.jf = NULL; /*update in next stmt*/ 6168 s[i]->s.k = IPPROTO_HOPOPTS; 6169 s[fix2]->s.jf = s[i]; 6170 i++; 6171 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 6172 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6173 s[i]->s.jt = NULL; /*later*/ 6174 s[i]->s.jf = NULL; /*update in next stmt*/ 6175 s[i]->s.k = IPPROTO_DSTOPTS; 6176 i++; 6177 /* if (A == IPPROTO_ROUTING) goto v6advance */ 6178 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6179 s[i]->s.jt = NULL; /*later*/ 6180 s[i]->s.jf = NULL; /*update in next stmt*/ 6181 s[i]->s.k = IPPROTO_ROUTING; 6182 i++; 6183 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 6184 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6185 s[i]->s.jt = NULL; /*later*/ 6186 s[i]->s.jf = NULL; /*later*/ 6187 s[i]->s.k = IPPROTO_FRAGMENT; 6188 fix3 = i; 6189 v6end = i; 6190 i++; 6191 6192 /* v6advance: */ 6193 v6advance = i; 6194 6195 /* 6196 * in short, 6197 * A = P[X + packet head]; 6198 * X = X + (P[X + packet head + 1] + 1) * 8; 6199 */ 6200 /* A = P[X + packet head] */ 6201 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6202 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6203 i++; 6204 /* MEM[reg2] = A */ 6205 s[i] = new_stmt(cstate, BPF_ST); 6206 s[i]->s.k = reg2; 6207 i++; 6208 /* A = P[X + packet head + 1]; */ 6209 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6210 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 6211 i++; 6212 /* A += 1 */ 6213 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6214 s[i]->s.k = 1; 6215 i++; 6216 /* A *= 8 */ 6217 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6218 s[i]->s.k = 8; 6219 i++; 6220 /* A += X */ 6221 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 6222 s[i]->s.k = 0; 6223 i++; 6224 /* X = A; */ 6225 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6226 i++; 6227 /* A = MEM[reg2] */ 6228 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6229 s[i]->s.k = reg2; 6230 i++; 6231 6232 /* goto again; (must use BPF_JA for backward jump) */ 6233 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6234 s[i]->s.k = again - i - 1; 6235 s[i - 1]->s.jf = s[i]; 6236 i++; 6237 6238 /* fixup */ 6239 for (j = v6start; j <= v6end; j++) 6240 s[j]->s.jt = s[v6advance]; 6241 } else { 6242 /* nop */ 6243 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6244 s[i]->s.k = 0; 6245 s[fix2]->s.jf = s[i]; 6246 i++; 6247 } 6248 6249 /* ahcheck: */ 6250 ahcheck = i; 6251 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 6252 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6253 s[i]->s.jt = NULL; /*later*/ 6254 s[i]->s.jf = NULL; /*later*/ 6255 s[i]->s.k = IPPROTO_AH; 6256 if (fix3) 6257 s[fix3]->s.jf = s[ahcheck]; 6258 fix4 = i; 6259 i++; 6260 6261 /* 6262 * in short, 6263 * A = P[X]; 6264 * X = X + (P[X + 1] + 2) * 4; 6265 */ 6266 /* A = X */ 6267 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6268 i++; 6269 /* A = P[X + packet head]; */ 6270 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6271 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6272 i++; 6273 /* MEM[reg2] = A */ 6274 s[i] = new_stmt(cstate, BPF_ST); 6275 s[i]->s.k = reg2; 6276 i++; 6277 /* A = X */ 6278 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6279 i++; 6280 /* A += 1 */ 6281 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6282 s[i]->s.k = 1; 6283 i++; 6284 /* X = A */ 6285 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6286 i++; 6287 /* A = P[X + packet head] */ 6288 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6289 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6290 i++; 6291 /* A += 2 */ 6292 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6293 s[i]->s.k = 2; 6294 i++; 6295 /* A *= 4 */ 6296 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6297 s[i]->s.k = 4; 6298 i++; 6299 /* X = A; */ 6300 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6301 i++; 6302 /* A = MEM[reg2] */ 6303 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6304 s[i]->s.k = reg2; 6305 i++; 6306 6307 /* goto again; (must use BPF_JA for backward jump) */ 6308 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6309 s[i]->s.k = again - i - 1; 6310 i++; 6311 6312 /* end: nop */ 6313 end = i; 6314 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6315 s[i]->s.k = 0; 6316 s[fix2]->s.jt = s[end]; 6317 s[fix4]->s.jf = s[end]; 6318 s[fix5]->s.jt = s[end]; 6319 i++; 6320 6321 /* 6322 * make slist chain 6323 */ 6324 max = i; 6325 for (i = 0; i < max - 1; i++) 6326 s[i]->next = s[i + 1]; 6327 s[max - 1]->next = NULL; 6328 6329 /* 6330 * emit final check 6331 */ 6332 b = new_block(cstate, JMP(BPF_JEQ)); 6333 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6334 b->s.k = v; 6335 6336 free_reg(cstate, reg2); 6337 6338 gen_and(b0, b); 6339 return b; 6340 #endif 6341 } 6342 6343 static struct block * 6344 gen_check_802_11_data_frame(compiler_state_t *cstate) 6345 { 6346 struct slist *s; 6347 struct block *b0, *b1; 6348 6349 /* 6350 * A data frame has the 0x08 bit (b3) in the frame control field set 6351 * and the 0x04 bit (b2) clear. 6352 */ 6353 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6354 b0 = new_block(cstate, JMP(BPF_JSET)); 6355 b0->s.k = 0x08; 6356 b0->stmts = s; 6357 6358 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6359 b1 = new_block(cstate, JMP(BPF_JSET)); 6360 b1->s.k = 0x04; 6361 b1->stmts = s; 6362 gen_not(b1); 6363 6364 gen_and(b1, b0); 6365 6366 return b0; 6367 } 6368 6369 /* 6370 * Generate code that checks whether the packet is a packet for protocol 6371 * <proto> and whether the type field in that protocol's header has 6372 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6373 * IP packet and checks the protocol number in the IP header against <v>. 6374 * 6375 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6376 * against Q_IP and Q_IPV6. 6377 */ 6378 static struct block * 6379 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 6380 { 6381 struct block *b0, *b1; 6382 #ifndef CHASE_CHAIN 6383 struct block *b2; 6384 #endif 6385 6386 if (dir != Q_DEFAULT) 6387 bpf_error(cstate, "direction applied to 'proto'"); 6388 6389 switch (proto) { 6390 case Q_DEFAULT: 6391 b0 = gen_proto(cstate, v, Q_IP, dir); 6392 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6393 gen_or(b0, b1); 6394 return b1; 6395 6396 case Q_LINK: 6397 return gen_linktype(cstate, v); 6398 6399 case Q_IP: 6400 /* 6401 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6402 * not LLC encapsulation with LLCSAP_IP. 6403 * 6404 * For IEEE 802 networks - which includes 802.5 token ring 6405 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6406 * says that SNAP encapsulation is used, not LLC encapsulation 6407 * with LLCSAP_IP. 6408 * 6409 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6410 * RFC 2225 say that SNAP encapsulation is used, not LLC 6411 * encapsulation with LLCSAP_IP. 6412 * 6413 * So we always check for ETHERTYPE_IP. 6414 */ 6415 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6416 #ifndef CHASE_CHAIN 6417 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6418 #else 6419 b1 = gen_protochain(cstate, v, Q_IP); 6420 #endif 6421 gen_and(b0, b1); 6422 return b1; 6423 6424 case Q_ARP: 6425 bpf_error(cstate, "arp does not encapsulate another protocol"); 6426 /*NOTREACHED*/ 6427 6428 case Q_RARP: 6429 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6430 /*NOTREACHED*/ 6431 6432 case Q_SCTP: 6433 bpf_error(cstate, "'sctp proto' is bogus"); 6434 /*NOTREACHED*/ 6435 6436 case Q_TCP: 6437 bpf_error(cstate, "'tcp proto' is bogus"); 6438 /*NOTREACHED*/ 6439 6440 case Q_UDP: 6441 bpf_error(cstate, "'udp proto' is bogus"); 6442 /*NOTREACHED*/ 6443 6444 case Q_ICMP: 6445 bpf_error(cstate, "'icmp proto' is bogus"); 6446 /*NOTREACHED*/ 6447 6448 case Q_IGMP: 6449 bpf_error(cstate, "'igmp proto' is bogus"); 6450 /*NOTREACHED*/ 6451 6452 case Q_IGRP: 6453 bpf_error(cstate, "'igrp proto' is bogus"); 6454 /*NOTREACHED*/ 6455 6456 case Q_ATALK: 6457 bpf_error(cstate, "AppleTalk encapsulation is not specifiable"); 6458 /*NOTREACHED*/ 6459 6460 case Q_DECNET: 6461 bpf_error(cstate, "DECNET encapsulation is not specifiable"); 6462 /*NOTREACHED*/ 6463 6464 case Q_LAT: 6465 bpf_error(cstate, "LAT does not encapsulate another protocol"); 6466 /*NOTREACHED*/ 6467 6468 case Q_SCA: 6469 bpf_error(cstate, "SCA does not encapsulate another protocol"); 6470 /*NOTREACHED*/ 6471 6472 case Q_MOPRC: 6473 bpf_error(cstate, "MOPRC does not encapsulate another protocol"); 6474 /*NOTREACHED*/ 6475 6476 case Q_MOPDL: 6477 bpf_error(cstate, "MOPDL does not encapsulate another protocol"); 6478 /*NOTREACHED*/ 6479 6480 case Q_IPV6: 6481 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6482 #ifndef CHASE_CHAIN 6483 /* 6484 * Also check for a fragment header before the final 6485 * header. 6486 */ 6487 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6488 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6489 gen_and(b2, b1); 6490 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6491 gen_or(b2, b1); 6492 #else 6493 b1 = gen_protochain(cstate, v, Q_IPV6); 6494 #endif 6495 gen_and(b0, b1); 6496 return b1; 6497 6498 case Q_ICMPV6: 6499 bpf_error(cstate, "'icmp6 proto' is bogus"); 6500 /*NOTREACHED*/ 6501 6502 case Q_AH: 6503 bpf_error(cstate, "'ah proto' is bogus"); 6504 /*NOTREACHED*/ 6505 6506 case Q_ESP: 6507 bpf_error(cstate, "'ah proto' is bogus"); 6508 /*NOTREACHED*/ 6509 6510 case Q_PIM: 6511 bpf_error(cstate, "'pim proto' is bogus"); 6512 /*NOTREACHED*/ 6513 6514 case Q_VRRP: 6515 bpf_error(cstate, "'vrrp proto' is bogus"); 6516 /*NOTREACHED*/ 6517 6518 case Q_AARP: 6519 bpf_error(cstate, "'aarp proto' is bogus"); 6520 /*NOTREACHED*/ 6521 6522 case Q_ISO: 6523 switch (cstate->linktype) { 6524 6525 case DLT_FRELAY: 6526 /* 6527 * Frame Relay packets typically have an OSI 6528 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6529 * generates code to check for all the OSI 6530 * NLPIDs, so calling it and then adding a check 6531 * for the particular NLPID for which we're 6532 * looking is bogus, as we can just check for 6533 * the NLPID. 6534 * 6535 * What we check for is the NLPID and a frame 6536 * control field value of UI, i.e. 0x03 followed 6537 * by the NLPID. 6538 * 6539 * XXX - assumes a 2-byte Frame Relay header with 6540 * DLCI and flags. What if the address is longer? 6541 * 6542 * XXX - what about SNAP-encapsulated frames? 6543 */ 6544 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6545 /*NOTREACHED*/ 6546 6547 case DLT_C_HDLC: 6548 /* 6549 * Cisco uses an Ethertype lookalike - for OSI, 6550 * it's 0xfefe. 6551 */ 6552 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6553 /* OSI in C-HDLC is stuffed with a fudge byte */ 6554 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6555 gen_and(b0, b1); 6556 return b1; 6557 6558 default: 6559 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6560 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6561 gen_and(b0, b1); 6562 return b1; 6563 } 6564 6565 case Q_ESIS: 6566 bpf_error(cstate, "'esis proto' is bogus"); 6567 /*NOTREACHED*/ 6568 6569 case Q_ISIS: 6570 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6571 /* 6572 * 4 is the offset of the PDU type relative to the IS-IS 6573 * header. 6574 */ 6575 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6576 gen_and(b0, b1); 6577 return b1; 6578 6579 case Q_CLNP: 6580 bpf_error(cstate, "'clnp proto' is not supported"); 6581 /*NOTREACHED*/ 6582 6583 case Q_STP: 6584 bpf_error(cstate, "'stp proto' is bogus"); 6585 /*NOTREACHED*/ 6586 6587 case Q_IPX: 6588 bpf_error(cstate, "'ipx proto' is bogus"); 6589 /*NOTREACHED*/ 6590 6591 case Q_NETBEUI: 6592 bpf_error(cstate, "'netbeui proto' is bogus"); 6593 /*NOTREACHED*/ 6594 6595 case Q_ISIS_L1: 6596 bpf_error(cstate, "'l1 proto' is bogus"); 6597 /*NOTREACHED*/ 6598 6599 case Q_ISIS_L2: 6600 bpf_error(cstate, "'l2 proto' is bogus"); 6601 /*NOTREACHED*/ 6602 6603 case Q_ISIS_IIH: 6604 bpf_error(cstate, "'iih proto' is bogus"); 6605 /*NOTREACHED*/ 6606 6607 case Q_ISIS_SNP: 6608 bpf_error(cstate, "'snp proto' is bogus"); 6609 /*NOTREACHED*/ 6610 6611 case Q_ISIS_CSNP: 6612 bpf_error(cstate, "'csnp proto' is bogus"); 6613 /*NOTREACHED*/ 6614 6615 case Q_ISIS_PSNP: 6616 bpf_error(cstate, "'psnp proto' is bogus"); 6617 /*NOTREACHED*/ 6618 6619 case Q_ISIS_LSP: 6620 bpf_error(cstate, "'lsp proto' is bogus"); 6621 /*NOTREACHED*/ 6622 6623 case Q_RADIO: 6624 bpf_error(cstate, "'radio proto' is bogus"); 6625 /*NOTREACHED*/ 6626 6627 case Q_CARP: 6628 bpf_error(cstate, "'carp proto' is bogus"); 6629 /*NOTREACHED*/ 6630 6631 default: 6632 abort(); 6633 /*NOTREACHED*/ 6634 } 6635 /*NOTREACHED*/ 6636 } 6637 6638 struct block * 6639 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6640 { 6641 int proto = q.proto; 6642 int dir = q.dir; 6643 int tproto; 6644 u_char *eaddr; 6645 bpf_u_int32 mask, addr; 6646 struct addrinfo *res, *res0; 6647 struct sockaddr_in *sin4; 6648 #ifdef INET6 6649 int tproto6; 6650 struct sockaddr_in6 *sin6; 6651 struct in6_addr mask128; 6652 #endif /*INET6*/ 6653 struct block *b, *tmp; 6654 int port, real_proto; 6655 int port1, port2; 6656 6657 /* 6658 * Catch errors reported by us and routines below us, and return NULL 6659 * on an error. 6660 */ 6661 if (setjmp(cstate->top_ctx)) 6662 return (NULL); 6663 6664 switch (q.addr) { 6665 6666 case Q_NET: 6667 addr = pcap_nametonetaddr(name); 6668 if (addr == 0) 6669 bpf_error(cstate, "unknown network '%s'", name); 6670 /* Left justify network addr and calculate its network mask */ 6671 mask = 0xffffffff; 6672 while (addr && (addr & 0xff000000) == 0) { 6673 addr <<= 8; 6674 mask <<= 8; 6675 } 6676 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6677 6678 case Q_DEFAULT: 6679 case Q_HOST: 6680 if (proto == Q_LINK) { 6681 switch (cstate->linktype) { 6682 6683 case DLT_EN10MB: 6684 case DLT_NETANALYZER: 6685 case DLT_NETANALYZER_TRANSPARENT: 6686 eaddr = pcap_ether_hostton(name); 6687 if (eaddr == NULL) 6688 bpf_error(cstate, 6689 "unknown ether host '%s'", name); 6690 tmp = gen_prevlinkhdr_check(cstate); 6691 b = gen_ehostop(cstate, eaddr, dir); 6692 if (tmp != NULL) 6693 gen_and(tmp, b); 6694 free(eaddr); 6695 return b; 6696 6697 case DLT_FDDI: 6698 eaddr = pcap_ether_hostton(name); 6699 if (eaddr == NULL) 6700 bpf_error(cstate, 6701 "unknown FDDI host '%s'", name); 6702 b = gen_fhostop(cstate, eaddr, dir); 6703 free(eaddr); 6704 return b; 6705 6706 case DLT_IEEE802: 6707 eaddr = pcap_ether_hostton(name); 6708 if (eaddr == NULL) 6709 bpf_error(cstate, 6710 "unknown token ring host '%s'", name); 6711 b = gen_thostop(cstate, eaddr, dir); 6712 free(eaddr); 6713 return b; 6714 6715 case DLT_IEEE802_11: 6716 case DLT_PRISM_HEADER: 6717 case DLT_IEEE802_11_RADIO_AVS: 6718 case DLT_IEEE802_11_RADIO: 6719 case DLT_PPI: 6720 eaddr = pcap_ether_hostton(name); 6721 if (eaddr == NULL) 6722 bpf_error(cstate, 6723 "unknown 802.11 host '%s'", name); 6724 b = gen_wlanhostop(cstate, eaddr, dir); 6725 free(eaddr); 6726 return b; 6727 6728 case DLT_IP_OVER_FC: 6729 eaddr = pcap_ether_hostton(name); 6730 if (eaddr == NULL) 6731 bpf_error(cstate, 6732 "unknown Fibre Channel host '%s'", name); 6733 b = gen_ipfchostop(cstate, eaddr, dir); 6734 free(eaddr); 6735 return b; 6736 } 6737 6738 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6739 } else if (proto == Q_DECNET) { 6740 unsigned short dn_addr; 6741 6742 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6743 #ifdef DECNETLIB 6744 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6745 #else 6746 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6747 name); 6748 #endif 6749 } 6750 /* 6751 * I don't think DECNET hosts can be multihomed, so 6752 * there is no need to build up a list of addresses 6753 */ 6754 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6755 } else { 6756 #ifdef INET6 6757 memset(&mask128, 0xff, sizeof(mask128)); 6758 #endif 6759 res0 = res = pcap_nametoaddrinfo(name); 6760 if (res == NULL) 6761 bpf_error(cstate, "unknown host '%s'", name); 6762 cstate->ai = res; 6763 b = tmp = NULL; 6764 tproto = proto; 6765 #ifdef INET6 6766 tproto6 = proto; 6767 #endif 6768 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6769 tproto == Q_DEFAULT) { 6770 tproto = Q_IP; 6771 #ifdef INET6 6772 tproto6 = Q_IPV6; 6773 #endif 6774 } 6775 for (res = res0; res; res = res->ai_next) { 6776 switch (res->ai_family) { 6777 case AF_INET: 6778 #ifdef INET6 6779 if (tproto == Q_IPV6) 6780 continue; 6781 #endif 6782 6783 sin4 = (struct sockaddr_in *) 6784 res->ai_addr; 6785 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6786 0xffffffff, tproto, dir, q.addr); 6787 break; 6788 #ifdef INET6 6789 case AF_INET6: 6790 if (tproto6 == Q_IP) 6791 continue; 6792 6793 sin6 = (struct sockaddr_in6 *) 6794 res->ai_addr; 6795 tmp = gen_host6(cstate, &sin6->sin6_addr, 6796 &mask128, tproto6, dir, q.addr); 6797 break; 6798 #endif 6799 default: 6800 continue; 6801 } 6802 if (b) 6803 gen_or(b, tmp); 6804 b = tmp; 6805 } 6806 cstate->ai = NULL; 6807 freeaddrinfo(res0); 6808 if (b == NULL) { 6809 bpf_error(cstate, "unknown host '%s'%s", name, 6810 (proto == Q_DEFAULT) 6811 ? "" 6812 : " for specified address family"); 6813 } 6814 return b; 6815 } 6816 6817 case Q_PORT: 6818 if (proto != Q_DEFAULT && 6819 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6820 bpf_error(cstate, "illegal qualifier of 'port'"); 6821 if (pcap_nametoport(name, &port, &real_proto) == 0) 6822 bpf_error(cstate, "unknown port '%s'", name); 6823 if (proto == Q_UDP) { 6824 if (real_proto == IPPROTO_TCP) 6825 bpf_error(cstate, "port '%s' is tcp", name); 6826 else if (real_proto == IPPROTO_SCTP) 6827 bpf_error(cstate, "port '%s' is sctp", name); 6828 else 6829 /* override PROTO_UNDEF */ 6830 real_proto = IPPROTO_UDP; 6831 } 6832 if (proto == Q_TCP) { 6833 if (real_proto == IPPROTO_UDP) 6834 bpf_error(cstate, "port '%s' is udp", name); 6835 6836 else if (real_proto == IPPROTO_SCTP) 6837 bpf_error(cstate, "port '%s' is sctp", name); 6838 else 6839 /* override PROTO_UNDEF */ 6840 real_proto = IPPROTO_TCP; 6841 } 6842 if (proto == Q_SCTP) { 6843 if (real_proto == IPPROTO_UDP) 6844 bpf_error(cstate, "port '%s' is udp", name); 6845 6846 else if (real_proto == IPPROTO_TCP) 6847 bpf_error(cstate, "port '%s' is tcp", name); 6848 else 6849 /* override PROTO_UNDEF */ 6850 real_proto = IPPROTO_SCTP; 6851 } 6852 if (port < 0) 6853 bpf_error(cstate, "illegal port number %d < 0", port); 6854 if (port > 65535) 6855 bpf_error(cstate, "illegal port number %d > 65535", port); 6856 b = gen_port(cstate, port, real_proto, dir); 6857 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6858 return b; 6859 6860 case Q_PORTRANGE: 6861 if (proto != Q_DEFAULT && 6862 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6863 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6864 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6865 bpf_error(cstate, "unknown port in range '%s'", name); 6866 if (proto == Q_UDP) { 6867 if (real_proto == IPPROTO_TCP) 6868 bpf_error(cstate, "port in range '%s' is tcp", name); 6869 else if (real_proto == IPPROTO_SCTP) 6870 bpf_error(cstate, "port in range '%s' is sctp", name); 6871 else 6872 /* override PROTO_UNDEF */ 6873 real_proto = IPPROTO_UDP; 6874 } 6875 if (proto == Q_TCP) { 6876 if (real_proto == IPPROTO_UDP) 6877 bpf_error(cstate, "port in range '%s' is udp", name); 6878 else if (real_proto == IPPROTO_SCTP) 6879 bpf_error(cstate, "port in range '%s' is sctp", name); 6880 else 6881 /* override PROTO_UNDEF */ 6882 real_proto = IPPROTO_TCP; 6883 } 6884 if (proto == Q_SCTP) { 6885 if (real_proto == IPPROTO_UDP) 6886 bpf_error(cstate, "port in range '%s' is udp", name); 6887 else if (real_proto == IPPROTO_TCP) 6888 bpf_error(cstate, "port in range '%s' is tcp", name); 6889 else 6890 /* override PROTO_UNDEF */ 6891 real_proto = IPPROTO_SCTP; 6892 } 6893 if (port1 < 0) 6894 bpf_error(cstate, "illegal port number %d < 0", port1); 6895 if (port1 > 65535) 6896 bpf_error(cstate, "illegal port number %d > 65535", port1); 6897 if (port2 < 0) 6898 bpf_error(cstate, "illegal port number %d < 0", port2); 6899 if (port2 > 65535) 6900 bpf_error(cstate, "illegal port number %d > 65535", port2); 6901 6902 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6903 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6904 return b; 6905 6906 case Q_GATEWAY: 6907 #ifndef INET6 6908 eaddr = pcap_ether_hostton(name); 6909 if (eaddr == NULL) 6910 bpf_error(cstate, "unknown ether host: %s", name); 6911 6912 res = pcap_nametoaddrinfo(name); 6913 cstate->ai = res; 6914 if (res == NULL) 6915 bpf_error(cstate, "unknown host '%s'", name); 6916 b = gen_gateway(cstate, eaddr, res, proto, dir); 6917 cstate->ai = NULL; 6918 freeaddrinfo(res); 6919 if (b == NULL) 6920 bpf_error(cstate, "unknown host '%s'", name); 6921 return b; 6922 #else 6923 bpf_error(cstate, "'gateway' not supported in this configuration"); 6924 #endif /*INET6*/ 6925 6926 case Q_PROTO: 6927 real_proto = lookup_proto(cstate, name, proto); 6928 if (real_proto >= 0) 6929 return gen_proto(cstate, real_proto, proto, dir); 6930 else 6931 bpf_error(cstate, "unknown protocol: %s", name); 6932 6933 case Q_PROTOCHAIN: 6934 real_proto = lookup_proto(cstate, name, proto); 6935 if (real_proto >= 0) 6936 return gen_protochain(cstate, real_proto, proto, dir); 6937 else 6938 bpf_error(cstate, "unknown protocol: %s", name); 6939 6940 case Q_UNDEF: 6941 syntax(cstate); 6942 /*NOTREACHED*/ 6943 } 6944 abort(); 6945 /*NOTREACHED*/ 6946 } 6947 6948 struct block * 6949 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6950 unsigned int masklen, struct qual q) 6951 { 6952 register int nlen, mlen; 6953 bpf_u_int32 n, m; 6954 6955 /* 6956 * Catch errors reported by us and routines below us, and return NULL 6957 * on an error. 6958 */ 6959 if (setjmp(cstate->top_ctx)) 6960 return (NULL); 6961 6962 nlen = __pcap_atoin(s1, &n); 6963 /* Promote short ipaddr */ 6964 n <<= 32 - nlen; 6965 6966 if (s2 != NULL) { 6967 mlen = __pcap_atoin(s2, &m); 6968 /* Promote short ipaddr */ 6969 m <<= 32 - mlen; 6970 if ((n & ~m) != 0) 6971 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6972 s1, s2); 6973 } else { 6974 /* Convert mask len to mask */ 6975 if (masklen > 32) 6976 bpf_error(cstate, "mask length must be <= 32"); 6977 if (masklen == 0) { 6978 /* 6979 * X << 32 is not guaranteed by C to be 0; it's 6980 * undefined. 6981 */ 6982 m = 0; 6983 } else 6984 m = 0xffffffff << (32 - masklen); 6985 if ((n & ~m) != 0) 6986 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6987 s1, masklen); 6988 } 6989 6990 switch (q.addr) { 6991 6992 case Q_NET: 6993 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6994 6995 default: 6996 bpf_error(cstate, "Mask syntax for networks only"); 6997 /*NOTREACHED*/ 6998 } 6999 /*NOTREACHED*/ 7000 } 7001 7002 struct block * 7003 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 7004 { 7005 bpf_u_int32 mask; 7006 int proto; 7007 int dir; 7008 register int vlen; 7009 7010 /* 7011 * Catch errors reported by us and routines below us, and return NULL 7012 * on an error. 7013 */ 7014 if (setjmp(cstate->top_ctx)) 7015 return (NULL); 7016 7017 proto = q.proto; 7018 dir = q.dir; 7019 if (s == NULL) 7020 vlen = 32; 7021 else if (q.proto == Q_DECNET) { 7022 vlen = __pcap_atodn(s, &v); 7023 if (vlen == 0) 7024 bpf_error(cstate, "malformed decnet address '%s'", s); 7025 } else 7026 vlen = __pcap_atoin(s, &v); 7027 7028 switch (q.addr) { 7029 7030 case Q_DEFAULT: 7031 case Q_HOST: 7032 case Q_NET: 7033 if (proto == Q_DECNET) 7034 return gen_host(cstate, v, 0, proto, dir, q.addr); 7035 else if (proto == Q_LINK) { 7036 bpf_error(cstate, "illegal link layer address"); 7037 } else { 7038 mask = 0xffffffff; 7039 if (s == NULL && q.addr == Q_NET) { 7040 /* Promote short net number */ 7041 while (v && (v & 0xff000000) == 0) { 7042 v <<= 8; 7043 mask <<= 8; 7044 } 7045 } else { 7046 /* Promote short ipaddr */ 7047 v <<= 32 - vlen; 7048 mask <<= 32 - vlen ; 7049 } 7050 return gen_host(cstate, v, mask, proto, dir, q.addr); 7051 } 7052 7053 case Q_PORT: 7054 if (proto == Q_UDP) 7055 proto = IPPROTO_UDP; 7056 else if (proto == Q_TCP) 7057 proto = IPPROTO_TCP; 7058 else if (proto == Q_SCTP) 7059 proto = IPPROTO_SCTP; 7060 else if (proto == Q_DEFAULT) 7061 proto = PROTO_UNDEF; 7062 else 7063 bpf_error(cstate, "illegal qualifier of 'port'"); 7064 7065 if (v > 65535) 7066 bpf_error(cstate, "illegal port number %u > 65535", v); 7067 7068 { 7069 struct block *b; 7070 b = gen_port(cstate, (int)v, proto, dir); 7071 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 7072 return b; 7073 } 7074 7075 case Q_PORTRANGE: 7076 if (proto == Q_UDP) 7077 proto = IPPROTO_UDP; 7078 else if (proto == Q_TCP) 7079 proto = IPPROTO_TCP; 7080 else if (proto == Q_SCTP) 7081 proto = IPPROTO_SCTP; 7082 else if (proto == Q_DEFAULT) 7083 proto = PROTO_UNDEF; 7084 else 7085 bpf_error(cstate, "illegal qualifier of 'portrange'"); 7086 7087 if (v > 65535) 7088 bpf_error(cstate, "illegal port number %u > 65535", v); 7089 7090 { 7091 struct block *b; 7092 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 7093 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 7094 return b; 7095 } 7096 7097 case Q_GATEWAY: 7098 bpf_error(cstate, "'gateway' requires a name"); 7099 /*NOTREACHED*/ 7100 7101 case Q_PROTO: 7102 return gen_proto(cstate, (int)v, proto, dir); 7103 7104 case Q_PROTOCHAIN: 7105 return gen_protochain(cstate, (int)v, proto, dir); 7106 7107 case Q_UNDEF: 7108 syntax(cstate); 7109 /*NOTREACHED*/ 7110 7111 default: 7112 abort(); 7113 /*NOTREACHED*/ 7114 } 7115 /*NOTREACHED*/ 7116 } 7117 7118 #ifdef INET6 7119 struct block * 7120 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 7121 unsigned int masklen, struct qual q) 7122 { 7123 struct addrinfo *res; 7124 struct in6_addr *addr; 7125 struct in6_addr mask; 7126 struct block *b; 7127 uint32_t *a, *m; 7128 7129 /* 7130 * Catch errors reported by us and routines below us, and return NULL 7131 * on an error. 7132 */ 7133 if (setjmp(cstate->top_ctx)) 7134 return (NULL); 7135 7136 if (s2) 7137 bpf_error(cstate, "no mask %s supported", s2); 7138 7139 res = pcap_nametoaddrinfo(s1); 7140 if (!res) 7141 bpf_error(cstate, "invalid ip6 address %s", s1); 7142 cstate->ai = res; 7143 if (res->ai_next) 7144 bpf_error(cstate, "%s resolved to multiple address", s1); 7145 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 7146 7147 if (sizeof(mask) * 8 < masklen) 7148 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 7149 memset(&mask, 0, sizeof(mask)); 7150 memset(&mask, 0xff, masklen / 8); 7151 if (masklen % 8) { 7152 mask.s6_addr[masklen / 8] = 7153 (0xff << (8 - masklen % 8)) & 0xff; 7154 } 7155 7156 a = (uint32_t *)addr; 7157 m = (uint32_t *)&mask; 7158 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 7159 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 7160 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 7161 } 7162 7163 switch (q.addr) { 7164 7165 case Q_DEFAULT: 7166 case Q_HOST: 7167 if (masklen != 128) 7168 bpf_error(cstate, "Mask syntax for networks only"); 7169 /* FALLTHROUGH */ 7170 7171 case Q_NET: 7172 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 7173 cstate->ai = NULL; 7174 freeaddrinfo(res); 7175 return b; 7176 7177 default: 7178 bpf_error(cstate, "invalid qualifier against IPv6 address"); 7179 /*NOTREACHED*/ 7180 } 7181 } 7182 #endif /*INET6*/ 7183 7184 struct block * 7185 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q) 7186 { 7187 struct block *b, *tmp; 7188 7189 /* 7190 * Catch errors reported by us and routines below us, and return NULL 7191 * on an error. 7192 */ 7193 if (setjmp(cstate->top_ctx)) 7194 return (NULL); 7195 7196 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 7197 cstate->e = pcap_ether_aton(s); 7198 if (cstate->e == NULL) 7199 bpf_error(cstate, "malloc"); 7200 switch (cstate->linktype) { 7201 case DLT_EN10MB: 7202 case DLT_NETANALYZER: 7203 case DLT_NETANALYZER_TRANSPARENT: 7204 tmp = gen_prevlinkhdr_check(cstate); 7205 b = gen_ehostop(cstate, cstate->e, (int)q.dir); 7206 if (tmp != NULL) 7207 gen_and(tmp, b); 7208 break; 7209 case DLT_FDDI: 7210 b = gen_fhostop(cstate, cstate->e, (int)q.dir); 7211 break; 7212 case DLT_IEEE802: 7213 b = gen_thostop(cstate, cstate->e, (int)q.dir); 7214 break; 7215 case DLT_IEEE802_11: 7216 case DLT_PRISM_HEADER: 7217 case DLT_IEEE802_11_RADIO_AVS: 7218 case DLT_IEEE802_11_RADIO: 7219 case DLT_PPI: 7220 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir); 7221 break; 7222 case DLT_IP_OVER_FC: 7223 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir); 7224 break; 7225 default: 7226 free(cstate->e); 7227 cstate->e = NULL; 7228 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 7229 /*NOTREACHED*/ 7230 } 7231 free(cstate->e); 7232 cstate->e = NULL; 7233 return (b); 7234 } 7235 bpf_error(cstate, "ethernet address used in non-ether expression"); 7236 /*NOTREACHED*/ 7237 } 7238 7239 void 7240 sappend(struct slist *s0, struct slist *s1) 7241 { 7242 /* 7243 * This is definitely not the best way to do this, but the 7244 * lists will rarely get long. 7245 */ 7246 while (s0->next) 7247 s0 = s0->next; 7248 s0->next = s1; 7249 } 7250 7251 static struct slist * 7252 xfer_to_x(compiler_state_t *cstate, struct arth *a) 7253 { 7254 struct slist *s; 7255 7256 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 7257 s->s.k = a->regno; 7258 return s; 7259 } 7260 7261 static struct slist * 7262 xfer_to_a(compiler_state_t *cstate, struct arth *a) 7263 { 7264 struct slist *s; 7265 7266 s = new_stmt(cstate, BPF_LD|BPF_MEM); 7267 s->s.k = a->regno; 7268 return s; 7269 } 7270 7271 /* 7272 * Modify "index" to use the value stored into its register as an 7273 * offset relative to the beginning of the header for the protocol 7274 * "proto", and allocate a register and put an item "size" bytes long 7275 * (1, 2, or 4) at that offset into that register, making it the register 7276 * for "index". 7277 */ 7278 static struct arth * 7279 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst, int size) 7280 { 7281 struct slist *s, *tmp; 7282 struct block *b; 7283 int regno = alloc_reg(cstate); 7284 7285 free_reg(cstate, inst->regno); 7286 switch (size) { 7287 7288 default: 7289 bpf_error(cstate, "data size must be 1, 2, or 4"); 7290 7291 case 1: 7292 size = BPF_B; 7293 break; 7294 7295 case 2: 7296 size = BPF_H; 7297 break; 7298 7299 case 4: 7300 size = BPF_W; 7301 break; 7302 } 7303 switch (proto) { 7304 default: 7305 bpf_error(cstate, "unsupported index operation"); 7306 7307 case Q_RADIO: 7308 /* 7309 * The offset is relative to the beginning of the packet 7310 * data, if we have a radio header. (If we don't, this 7311 * is an error.) 7312 */ 7313 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 7314 cstate->linktype != DLT_IEEE802_11_RADIO && 7315 cstate->linktype != DLT_PRISM_HEADER) 7316 bpf_error(cstate, "radio information not present in capture"); 7317 7318 /* 7319 * Load into the X register the offset computed into the 7320 * register specified by "index". 7321 */ 7322 s = xfer_to_x(cstate, inst); 7323 7324 /* 7325 * Load the item at that offset. 7326 */ 7327 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7328 sappend(s, tmp); 7329 sappend(inst->s, s); 7330 break; 7331 7332 case Q_LINK: 7333 /* 7334 * The offset is relative to the beginning of 7335 * the link-layer header. 7336 * 7337 * XXX - what about ATM LANE? Should the index be 7338 * relative to the beginning of the AAL5 frame, so 7339 * that 0 refers to the beginning of the LE Control 7340 * field, or relative to the beginning of the LAN 7341 * frame, so that 0 refers, for Ethernet LANE, to 7342 * the beginning of the destination address? 7343 */ 7344 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 7345 7346 /* 7347 * If "s" is non-null, it has code to arrange that the 7348 * X register contains the length of the prefix preceding 7349 * the link-layer header. Add to it the offset computed 7350 * into the register specified by "index", and move that 7351 * into the X register. Otherwise, just load into the X 7352 * register the offset computed into the register specified 7353 * by "index". 7354 */ 7355 if (s != NULL) { 7356 sappend(s, xfer_to_a(cstate, inst)); 7357 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7358 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7359 } else 7360 s = xfer_to_x(cstate, inst); 7361 7362 /* 7363 * Load the item at the sum of the offset we've put in the 7364 * X register and the offset of the start of the link 7365 * layer header (which is 0 if the radio header is 7366 * variable-length; that header length is what we put 7367 * into the X register and then added to the index). 7368 */ 7369 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7370 tmp->s.k = cstate->off_linkhdr.constant_part; 7371 sappend(s, tmp); 7372 sappend(inst->s, s); 7373 break; 7374 7375 case Q_IP: 7376 case Q_ARP: 7377 case Q_RARP: 7378 case Q_ATALK: 7379 case Q_DECNET: 7380 case Q_SCA: 7381 case Q_LAT: 7382 case Q_MOPRC: 7383 case Q_MOPDL: 7384 case Q_IPV6: 7385 /* 7386 * The offset is relative to the beginning of 7387 * the network-layer header. 7388 * XXX - are there any cases where we want 7389 * cstate->off_nl_nosnap? 7390 */ 7391 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7392 7393 /* 7394 * If "s" is non-null, it has code to arrange that the 7395 * X register contains the variable part of the offset 7396 * of the link-layer payload. Add to it the offset 7397 * computed into the register specified by "index", 7398 * and move that into the X register. Otherwise, just 7399 * load into the X register the offset computed into 7400 * the register specified by "index". 7401 */ 7402 if (s != NULL) { 7403 sappend(s, xfer_to_a(cstate, inst)); 7404 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7405 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7406 } else 7407 s = xfer_to_x(cstate, inst); 7408 7409 /* 7410 * Load the item at the sum of the offset we've put in the 7411 * X register, the offset of the start of the network 7412 * layer header from the beginning of the link-layer 7413 * payload, and the constant part of the offset of the 7414 * start of the link-layer payload. 7415 */ 7416 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7417 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7418 sappend(s, tmp); 7419 sappend(inst->s, s); 7420 7421 /* 7422 * Do the computation only if the packet contains 7423 * the protocol in question. 7424 */ 7425 b = gen_proto_abbrev_internal(cstate, proto); 7426 if (inst->b) 7427 gen_and(inst->b, b); 7428 inst->b = b; 7429 break; 7430 7431 case Q_SCTP: 7432 case Q_TCP: 7433 case Q_UDP: 7434 case Q_ICMP: 7435 case Q_IGMP: 7436 case Q_IGRP: 7437 case Q_PIM: 7438 case Q_VRRP: 7439 case Q_CARP: 7440 /* 7441 * The offset is relative to the beginning of 7442 * the transport-layer header. 7443 * 7444 * Load the X register with the length of the IPv4 header 7445 * (plus the offset of the link-layer header, if it's 7446 * a variable-length header), in bytes. 7447 * 7448 * XXX - are there any cases where we want 7449 * cstate->off_nl_nosnap? 7450 * XXX - we should, if we're built with 7451 * IPv6 support, generate code to load either 7452 * IPv4, IPv6, or both, as appropriate. 7453 */ 7454 s = gen_loadx_iphdrlen(cstate); 7455 7456 /* 7457 * The X register now contains the sum of the variable 7458 * part of the offset of the link-layer payload and the 7459 * length of the network-layer header. 7460 * 7461 * Load into the A register the offset relative to 7462 * the beginning of the transport layer header, 7463 * add the X register to that, move that to the 7464 * X register, and load with an offset from the 7465 * X register equal to the sum of the constant part of 7466 * the offset of the link-layer payload and the offset, 7467 * relative to the beginning of the link-layer payload, 7468 * of the network-layer header. 7469 */ 7470 sappend(s, xfer_to_a(cstate, inst)); 7471 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7472 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7473 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 7474 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7475 sappend(inst->s, s); 7476 7477 /* 7478 * Do the computation only if the packet contains 7479 * the protocol in question - which is true only 7480 * if this is an IP datagram and is the first or 7481 * only fragment of that datagram. 7482 */ 7483 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate)); 7484 if (inst->b) 7485 gen_and(inst->b, b); 7486 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b); 7487 inst->b = b; 7488 break; 7489 case Q_ICMPV6: 7490 /* 7491 * Do the computation only if the packet contains 7492 * the protocol in question. 7493 */ 7494 b = gen_proto_abbrev_internal(cstate, Q_IPV6); 7495 if (inst->b) { 7496 gen_and(inst->b, b); 7497 } 7498 inst->b = b; 7499 7500 /* 7501 * Check if we have an icmp6 next header 7502 */ 7503 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7504 if (inst->b) { 7505 gen_and(inst->b, b); 7506 } 7507 inst->b = b; 7508 7509 7510 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7511 /* 7512 * If "s" is non-null, it has code to arrange that the 7513 * X register contains the variable part of the offset 7514 * of the link-layer payload. Add to it the offset 7515 * computed into the register specified by "index", 7516 * and move that into the X register. Otherwise, just 7517 * load into the X register the offset computed into 7518 * the register specified by "index". 7519 */ 7520 if (s != NULL) { 7521 sappend(s, xfer_to_a(cstate, inst)); 7522 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7523 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7524 } else { 7525 s = xfer_to_x(cstate, inst); 7526 } 7527 7528 /* 7529 * Load the item at the sum of the offset we've put in the 7530 * X register, the offset of the start of the network 7531 * layer header from the beginning of the link-layer 7532 * payload, and the constant part of the offset of the 7533 * start of the link-layer payload. 7534 */ 7535 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7536 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7537 7538 sappend(s, tmp); 7539 sappend(inst->s, s); 7540 7541 break; 7542 } 7543 inst->regno = regno; 7544 s = new_stmt(cstate, BPF_ST); 7545 s->s.k = regno; 7546 sappend(inst->s, s); 7547 7548 return inst; 7549 } 7550 7551 struct arth * 7552 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 7553 { 7554 /* 7555 * Catch errors reported by us and routines below us, and return NULL 7556 * on an error. 7557 */ 7558 if (setjmp(cstate->top_ctx)) 7559 return (NULL); 7560 7561 return gen_load_internal(cstate, proto, inst, size); 7562 } 7563 7564 static struct block * 7565 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0, 7566 struct arth *a1, int reversed) 7567 { 7568 struct slist *s0, *s1, *s2; 7569 struct block *b, *tmp; 7570 7571 s0 = xfer_to_x(cstate, a1); 7572 s1 = xfer_to_a(cstate, a0); 7573 if (code == BPF_JEQ) { 7574 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7575 b = new_block(cstate, JMP(code)); 7576 sappend(s1, s2); 7577 } 7578 else 7579 b = new_block(cstate, BPF_JMP|code|BPF_X); 7580 if (reversed) 7581 gen_not(b); 7582 7583 sappend(s0, s1); 7584 sappend(a1->s, s0); 7585 sappend(a0->s, a1->s); 7586 7587 b->stmts = a0->s; 7588 7589 free_reg(cstate, a0->regno); 7590 free_reg(cstate, a1->regno); 7591 7592 /* 'and' together protocol checks */ 7593 if (a0->b) { 7594 if (a1->b) { 7595 gen_and(a0->b, tmp = a1->b); 7596 } 7597 else 7598 tmp = a0->b; 7599 } else 7600 tmp = a1->b; 7601 7602 if (tmp) 7603 gen_and(tmp, b); 7604 7605 return b; 7606 } 7607 7608 struct block * 7609 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7610 struct arth *a1, int reversed) 7611 { 7612 /* 7613 * Catch errors reported by us and routines below us, and return NULL 7614 * on an error. 7615 */ 7616 if (setjmp(cstate->top_ctx)) 7617 return (NULL); 7618 7619 return gen_relation_internal(cstate, code, a0, a1, reversed); 7620 } 7621 7622 struct arth * 7623 gen_loadlen(compiler_state_t *cstate) 7624 { 7625 int regno; 7626 struct arth *a; 7627 struct slist *s; 7628 7629 /* 7630 * Catch errors reported by us and routines below us, and return NULL 7631 * on an error. 7632 */ 7633 if (setjmp(cstate->top_ctx)) 7634 return (NULL); 7635 7636 regno = alloc_reg(cstate); 7637 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7638 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7639 s->next = new_stmt(cstate, BPF_ST); 7640 s->next->s.k = regno; 7641 a->s = s; 7642 a->regno = regno; 7643 7644 return a; 7645 } 7646 7647 static struct arth * 7648 gen_loadi_internal(compiler_state_t *cstate, int val) 7649 { 7650 struct arth *a; 7651 struct slist *s; 7652 int reg; 7653 7654 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7655 7656 reg = alloc_reg(cstate); 7657 7658 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7659 s->s.k = val; 7660 s->next = new_stmt(cstate, BPF_ST); 7661 s->next->s.k = reg; 7662 a->s = s; 7663 a->regno = reg; 7664 7665 return a; 7666 } 7667 7668 struct arth * 7669 gen_loadi(compiler_state_t *cstate, int val) 7670 { 7671 /* 7672 * Catch errors reported by us and routines below us, and return NULL 7673 * on an error. 7674 */ 7675 if (setjmp(cstate->top_ctx)) 7676 return (NULL); 7677 7678 return gen_loadi_internal(cstate, val); 7679 } 7680 7681 /* 7682 * The a_arg dance is to avoid annoying whining by compilers that 7683 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7684 * It's not *used* after setjmp returns. 7685 */ 7686 struct arth * 7687 gen_neg(compiler_state_t *cstate, struct arth *a_arg) 7688 { 7689 struct arth * volatile a = a_arg; 7690 struct slist *s; 7691 7692 /* 7693 * Catch errors reported by us and routines below us, and return NULL 7694 * on an error. 7695 */ 7696 if (setjmp(cstate->top_ctx)) 7697 return (NULL); 7698 7699 s = xfer_to_a(cstate, a); 7700 sappend(a->s, s); 7701 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7702 s->s.k = 0; 7703 sappend(a->s, s); 7704 s = new_stmt(cstate, BPF_ST); 7705 s->s.k = a->regno; 7706 sappend(a->s, s); 7707 7708 return a; 7709 } 7710 7711 /* 7712 * The a0_arg dance is to avoid annoying whining by compilers that 7713 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7714 * It's not *used* after setjmp returns. 7715 */ 7716 struct arth * 7717 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg, 7718 struct arth *a1) 7719 { 7720 struct arth * volatile a0 = a0_arg; 7721 struct slist *s0, *s1, *s2; 7722 7723 /* 7724 * Catch errors reported by us and routines below us, and return NULL 7725 * on an error. 7726 */ 7727 if (setjmp(cstate->top_ctx)) 7728 return (NULL); 7729 7730 /* 7731 * Disallow division by, or modulus by, zero; we do this here 7732 * so that it gets done even if the optimizer is disabled. 7733 * 7734 * Also disallow shifts by a value greater than 31; we do this 7735 * here, for the same reason. 7736 */ 7737 if (code == BPF_DIV) { 7738 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7739 bpf_error(cstate, "division by zero"); 7740 } else if (code == BPF_MOD) { 7741 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7742 bpf_error(cstate, "modulus by zero"); 7743 } else if (code == BPF_LSH || code == BPF_RSH) { 7744 /* 7745 * XXX - we need to make up our minds as to what integers 7746 * are signed and what integers are unsigned in BPF programs 7747 * and in our IR. 7748 */ 7749 if (a1->s->s.code == (BPF_LD|BPF_IMM) && 7750 (a1->s->s.k < 0 || a1->s->s.k > 31)) 7751 bpf_error(cstate, "shift by more than 31 bits"); 7752 } 7753 s0 = xfer_to_x(cstate, a1); 7754 s1 = xfer_to_a(cstate, a0); 7755 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7756 7757 sappend(s1, s2); 7758 sappend(s0, s1); 7759 sappend(a1->s, s0); 7760 sappend(a0->s, a1->s); 7761 7762 free_reg(cstate, a0->regno); 7763 free_reg(cstate, a1->regno); 7764 7765 s0 = new_stmt(cstate, BPF_ST); 7766 a0->regno = s0->s.k = alloc_reg(cstate); 7767 sappend(a0->s, s0); 7768 7769 return a0; 7770 } 7771 7772 /* 7773 * Initialize the table of used registers and the current register. 7774 */ 7775 static void 7776 init_regs(compiler_state_t *cstate) 7777 { 7778 cstate->curreg = 0; 7779 memset(cstate->regused, 0, sizeof cstate->regused); 7780 } 7781 7782 /* 7783 * Return the next free register. 7784 */ 7785 static int 7786 alloc_reg(compiler_state_t *cstate) 7787 { 7788 int n = BPF_MEMWORDS; 7789 7790 while (--n >= 0) { 7791 if (cstate->regused[cstate->curreg]) 7792 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7793 else { 7794 cstate->regused[cstate->curreg] = 1; 7795 return cstate->curreg; 7796 } 7797 } 7798 bpf_error(cstate, "too many registers needed to evaluate expression"); 7799 /*NOTREACHED*/ 7800 } 7801 7802 /* 7803 * Return a register to the table so it can 7804 * be used later. 7805 */ 7806 static void 7807 free_reg(compiler_state_t *cstate, int n) 7808 { 7809 cstate->regused[n] = 0; 7810 } 7811 7812 static struct block * 7813 gen_len(compiler_state_t *cstate, int jmp, int n) 7814 { 7815 struct slist *s; 7816 struct block *b; 7817 7818 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7819 b = new_block(cstate, JMP(jmp)); 7820 b->stmts = s; 7821 b->s.k = n; 7822 7823 return b; 7824 } 7825 7826 struct block * 7827 gen_greater(compiler_state_t *cstate, int n) 7828 { 7829 /* 7830 * Catch errors reported by us and routines below us, and return NULL 7831 * on an error. 7832 */ 7833 if (setjmp(cstate->top_ctx)) 7834 return (NULL); 7835 7836 return gen_len(cstate, BPF_JGE, n); 7837 } 7838 7839 /* 7840 * Actually, this is less than or equal. 7841 */ 7842 struct block * 7843 gen_less(compiler_state_t *cstate, int n) 7844 { 7845 struct block *b; 7846 7847 /* 7848 * Catch errors reported by us and routines below us, and return NULL 7849 * on an error. 7850 */ 7851 if (setjmp(cstate->top_ctx)) 7852 return (NULL); 7853 7854 b = gen_len(cstate, BPF_JGT, n); 7855 gen_not(b); 7856 7857 return b; 7858 } 7859 7860 /* 7861 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7862 * the beginning of the link-layer header. 7863 * XXX - that means you can't test values in the radiotap header, but 7864 * as that header is difficult if not impossible to parse generally 7865 * without a loop, that might not be a severe problem. A new keyword 7866 * "radio" could be added for that, although what you'd really want 7867 * would be a way of testing particular radio header values, which 7868 * would generate code appropriate to the radio header in question. 7869 */ 7870 struct block * 7871 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7872 { 7873 struct block *b; 7874 struct slist *s; 7875 7876 /* 7877 * Catch errors reported by us and routines below us, and return NULL 7878 * on an error. 7879 */ 7880 if (setjmp(cstate->top_ctx)) 7881 return (NULL); 7882 7883 switch (op) { 7884 default: 7885 abort(); 7886 7887 case '=': 7888 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7889 7890 case '<': 7891 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7892 return b; 7893 7894 case '>': 7895 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7896 return b; 7897 7898 case '|': 7899 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7900 break; 7901 7902 case '&': 7903 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7904 break; 7905 } 7906 s->s.k = val; 7907 b = new_block(cstate, JMP(BPF_JEQ)); 7908 b->stmts = s; 7909 gen_not(b); 7910 7911 return b; 7912 } 7913 7914 static const u_char abroadcast[] = { 0x0 }; 7915 7916 struct block * 7917 gen_broadcast(compiler_state_t *cstate, int proto) 7918 { 7919 bpf_u_int32 hostmask; 7920 struct block *b0, *b1, *b2; 7921 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7922 7923 /* 7924 * Catch errors reported by us and routines below us, and return NULL 7925 * on an error. 7926 */ 7927 if (setjmp(cstate->top_ctx)) 7928 return (NULL); 7929 7930 switch (proto) { 7931 7932 case Q_DEFAULT: 7933 case Q_LINK: 7934 switch (cstate->linktype) { 7935 case DLT_ARCNET: 7936 case DLT_ARCNET_LINUX: 7937 return gen_ahostop(cstate, abroadcast, Q_DST); 7938 case DLT_EN10MB: 7939 case DLT_NETANALYZER: 7940 case DLT_NETANALYZER_TRANSPARENT: 7941 b1 = gen_prevlinkhdr_check(cstate); 7942 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7943 if (b1 != NULL) 7944 gen_and(b1, b0); 7945 return b0; 7946 case DLT_FDDI: 7947 return gen_fhostop(cstate, ebroadcast, Q_DST); 7948 case DLT_IEEE802: 7949 return gen_thostop(cstate, ebroadcast, Q_DST); 7950 case DLT_IEEE802_11: 7951 case DLT_PRISM_HEADER: 7952 case DLT_IEEE802_11_RADIO_AVS: 7953 case DLT_IEEE802_11_RADIO: 7954 case DLT_PPI: 7955 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7956 case DLT_IP_OVER_FC: 7957 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7958 default: 7959 bpf_error(cstate, "not a broadcast link"); 7960 } 7961 /*NOTREACHED*/ 7962 7963 case Q_IP: 7964 /* 7965 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7966 * as an indication that we don't know the netmask, and fail 7967 * in that case. 7968 */ 7969 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7970 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7971 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7972 hostmask = ~cstate->netmask; 7973 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7974 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7975 (bpf_int32)(~0 & hostmask), hostmask); 7976 gen_or(b1, b2); 7977 gen_and(b0, b2); 7978 return b2; 7979 } 7980 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7981 /*NOTREACHED*/ 7982 } 7983 7984 /* 7985 * Generate code to test the low-order bit of a MAC address (that's 7986 * the bottom bit of the *first* byte). 7987 */ 7988 static struct block * 7989 gen_mac_multicast(compiler_state_t *cstate, int offset) 7990 { 7991 register struct block *b0; 7992 register struct slist *s; 7993 7994 /* link[offset] & 1 != 0 */ 7995 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7996 b0 = new_block(cstate, JMP(BPF_JSET)); 7997 b0->s.k = 1; 7998 b0->stmts = s; 7999 return b0; 8000 } 8001 8002 struct block * 8003 gen_multicast(compiler_state_t *cstate, int proto) 8004 { 8005 register struct block *b0, *b1, *b2; 8006 register struct slist *s; 8007 8008 /* 8009 * Catch errors reported by us and routines below us, and return NULL 8010 * on an error. 8011 */ 8012 if (setjmp(cstate->top_ctx)) 8013 return (NULL); 8014 8015 switch (proto) { 8016 8017 case Q_DEFAULT: 8018 case Q_LINK: 8019 switch (cstate->linktype) { 8020 case DLT_ARCNET: 8021 case DLT_ARCNET_LINUX: 8022 /* all ARCnet multicasts use the same address */ 8023 return gen_ahostop(cstate, abroadcast, Q_DST); 8024 case DLT_EN10MB: 8025 case DLT_NETANALYZER: 8026 case DLT_NETANALYZER_TRANSPARENT: 8027 b1 = gen_prevlinkhdr_check(cstate); 8028 /* ether[0] & 1 != 0 */ 8029 b0 = gen_mac_multicast(cstate, 0); 8030 if (b1 != NULL) 8031 gen_and(b1, b0); 8032 return b0; 8033 case DLT_FDDI: 8034 /* 8035 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 8036 * 8037 * XXX - was that referring to bit-order issues? 8038 */ 8039 /* fddi[1] & 1 != 0 */ 8040 return gen_mac_multicast(cstate, 1); 8041 case DLT_IEEE802: 8042 /* tr[2] & 1 != 0 */ 8043 return gen_mac_multicast(cstate, 2); 8044 case DLT_IEEE802_11: 8045 case DLT_PRISM_HEADER: 8046 case DLT_IEEE802_11_RADIO_AVS: 8047 case DLT_IEEE802_11_RADIO: 8048 case DLT_PPI: 8049 /* 8050 * Oh, yuk. 8051 * 8052 * For control frames, there is no DA. 8053 * 8054 * For management frames, DA is at an 8055 * offset of 4 from the beginning of 8056 * the packet. 8057 * 8058 * For data frames, DA is at an offset 8059 * of 4 from the beginning of the packet 8060 * if To DS is clear and at an offset of 8061 * 16 from the beginning of the packet 8062 * if To DS is set. 8063 */ 8064 8065 /* 8066 * Generate the tests to be done for data frames. 8067 * 8068 * First, check for To DS set, i.e. "link[1] & 0x01". 8069 */ 8070 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8071 b1 = new_block(cstate, JMP(BPF_JSET)); 8072 b1->s.k = 0x01; /* To DS */ 8073 b1->stmts = s; 8074 8075 /* 8076 * If To DS is set, the DA is at 16. 8077 */ 8078 b0 = gen_mac_multicast(cstate, 16); 8079 gen_and(b1, b0); 8080 8081 /* 8082 * Now, check for To DS not set, i.e. check 8083 * "!(link[1] & 0x01)". 8084 */ 8085 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8086 b2 = new_block(cstate, JMP(BPF_JSET)); 8087 b2->s.k = 0x01; /* To DS */ 8088 b2->stmts = s; 8089 gen_not(b2); 8090 8091 /* 8092 * If To DS is not set, the DA is at 4. 8093 */ 8094 b1 = gen_mac_multicast(cstate, 4); 8095 gen_and(b2, b1); 8096 8097 /* 8098 * Now OR together the last two checks. That gives 8099 * the complete set of checks for data frames. 8100 */ 8101 gen_or(b1, b0); 8102 8103 /* 8104 * Now check for a data frame. 8105 * I.e, check "link[0] & 0x08". 8106 */ 8107 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8108 b1 = new_block(cstate, JMP(BPF_JSET)); 8109 b1->s.k = 0x08; 8110 b1->stmts = s; 8111 8112 /* 8113 * AND that with the checks done for data frames. 8114 */ 8115 gen_and(b1, b0); 8116 8117 /* 8118 * If the high-order bit of the type value is 0, this 8119 * is a management frame. 8120 * I.e, check "!(link[0] & 0x08)". 8121 */ 8122 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8123 b2 = new_block(cstate, JMP(BPF_JSET)); 8124 b2->s.k = 0x08; 8125 b2->stmts = s; 8126 gen_not(b2); 8127 8128 /* 8129 * For management frames, the DA is at 4. 8130 */ 8131 b1 = gen_mac_multicast(cstate, 4); 8132 gen_and(b2, b1); 8133 8134 /* 8135 * OR that with the checks done for data frames. 8136 * That gives the checks done for management and 8137 * data frames. 8138 */ 8139 gen_or(b1, b0); 8140 8141 /* 8142 * If the low-order bit of the type value is 1, 8143 * this is either a control frame or a frame 8144 * with a reserved type, and thus not a 8145 * frame with an SA. 8146 * 8147 * I.e., check "!(link[0] & 0x04)". 8148 */ 8149 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8150 b1 = new_block(cstate, JMP(BPF_JSET)); 8151 b1->s.k = 0x04; 8152 b1->stmts = s; 8153 gen_not(b1); 8154 8155 /* 8156 * AND that with the checks for data and management 8157 * frames. 8158 */ 8159 gen_and(b1, b0); 8160 return b0; 8161 case DLT_IP_OVER_FC: 8162 b0 = gen_mac_multicast(cstate, 2); 8163 return b0; 8164 default: 8165 break; 8166 } 8167 /* Link not known to support multicasts */ 8168 break; 8169 8170 case Q_IP: 8171 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8172 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 8173 gen_and(b0, b1); 8174 return b1; 8175 8176 case Q_IPV6: 8177 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 8178 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 8179 gen_and(b0, b1); 8180 return b1; 8181 } 8182 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 8183 /*NOTREACHED*/ 8184 } 8185 8186 /* 8187 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 8188 * Outbound traffic is sent by this machine, while inbound traffic is 8189 * sent by a remote machine (and may include packets destined for a 8190 * unicast or multicast link-layer address we are not subscribing to). 8191 * These are the same definitions implemented by pcap_setdirection(). 8192 * Capturing only unicast traffic destined for this host is probably 8193 * better accomplished using a higher-layer filter. 8194 */ 8195 struct block * 8196 gen_inbound(compiler_state_t *cstate, int dir) 8197 { 8198 register struct block *b0; 8199 8200 /* 8201 * Catch errors reported by us and routines below us, and return NULL 8202 * on an error. 8203 */ 8204 if (setjmp(cstate->top_ctx)) 8205 return (NULL); 8206 8207 /* 8208 * Only some data link types support inbound/outbound qualifiers. 8209 */ 8210 switch (cstate->linktype) { 8211 case DLT_SLIP: 8212 b0 = gen_relation_internal(cstate, BPF_JEQ, 8213 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1), 8214 gen_loadi_internal(cstate, 0), 8215 dir); 8216 break; 8217 8218 case DLT_IPNET: 8219 if (dir) { 8220 /* match outgoing packets */ 8221 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 8222 } else { 8223 /* match incoming packets */ 8224 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 8225 } 8226 break; 8227 8228 case DLT_LINUX_SLL: 8229 /* match outgoing packets */ 8230 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 8231 if (!dir) { 8232 /* to filter on inbound traffic, invert the match */ 8233 gen_not(b0); 8234 } 8235 break; 8236 8237 case DLT_LINUX_SLL2: 8238 /* match outgoing packets */ 8239 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING); 8240 if (!dir) { 8241 /* to filter on inbound traffic, invert the match */ 8242 gen_not(b0); 8243 } 8244 break; 8245 8246 #ifdef HAVE_NET_PFVAR_H 8247 case DLT_PFLOG: 8248 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 8249 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 8250 break; 8251 #endif 8252 8253 case DLT_PPP_PPPD: 8254 if (dir) { 8255 /* match outgoing packets */ 8256 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 8257 } else { 8258 /* match incoming packets */ 8259 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 8260 } 8261 break; 8262 8263 case DLT_JUNIPER_MFR: 8264 case DLT_JUNIPER_MLFR: 8265 case DLT_JUNIPER_MLPPP: 8266 case DLT_JUNIPER_ATM1: 8267 case DLT_JUNIPER_ATM2: 8268 case DLT_JUNIPER_PPPOE: 8269 case DLT_JUNIPER_PPPOE_ATM: 8270 case DLT_JUNIPER_GGSN: 8271 case DLT_JUNIPER_ES: 8272 case DLT_JUNIPER_MONITOR: 8273 case DLT_JUNIPER_SERVICES: 8274 case DLT_JUNIPER_ETHER: 8275 case DLT_JUNIPER_PPP: 8276 case DLT_JUNIPER_FRELAY: 8277 case DLT_JUNIPER_CHDLC: 8278 case DLT_JUNIPER_VP: 8279 case DLT_JUNIPER_ST: 8280 case DLT_JUNIPER_ISM: 8281 case DLT_JUNIPER_VS: 8282 case DLT_JUNIPER_SRX_E2E: 8283 case DLT_JUNIPER_FIBRECHANNEL: 8284 case DLT_JUNIPER_ATM_CEMIC: 8285 8286 /* juniper flags (including direction) are stored 8287 * the byte after the 3-byte magic number */ 8288 if (dir) { 8289 /* match outgoing packets */ 8290 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 8291 } else { 8292 /* match incoming packets */ 8293 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 8294 } 8295 break; 8296 8297 default: 8298 /* 8299 * If we have packet meta-data indicating a direction, 8300 * and that metadata can be checked by BPF code, check 8301 * it. Otherwise, give up, as this link-layer type has 8302 * nothing in the packet data. 8303 * 8304 * Currently, the only platform where a BPF filter can 8305 * check that metadata is Linux with the in-kernel 8306 * BPF interpreter. If other packet capture mechanisms 8307 * and BPF filters also supported this, it would be 8308 * nice. It would be even better if they made that 8309 * metadata available so that we could provide it 8310 * with newer capture APIs, allowing it to be saved 8311 * in pcapng files. 8312 */ 8313 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 8314 /* 8315 * This is Linux with PF_PACKET support. 8316 * If this is a *live* capture, we can look at 8317 * special meta-data in the filter expression; 8318 * if it's a savefile, we can't. 8319 */ 8320 if (cstate->bpf_pcap->rfile != NULL) { 8321 /* We have a FILE *, so this is a savefile */ 8322 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles", 8323 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8324 b0 = NULL; 8325 /*NOTREACHED*/ 8326 } 8327 /* match outgoing packets */ 8328 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 8329 PACKET_OUTGOING); 8330 if (!dir) { 8331 /* to filter on inbound traffic, invert the match */ 8332 gen_not(b0); 8333 } 8334 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 8335 bpf_error(cstate, "inbound/outbound not supported on %s", 8336 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8337 /*NOTREACHED*/ 8338 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 8339 } 8340 return (b0); 8341 } 8342 8343 #ifdef HAVE_NET_PFVAR_H 8344 /* PF firewall log matched interface */ 8345 struct block * 8346 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 8347 { 8348 struct block *b0; 8349 u_int len, off; 8350 8351 /* 8352 * Catch errors reported by us and routines below us, and return NULL 8353 * on an error. 8354 */ 8355 if (setjmp(cstate->top_ctx)) 8356 return (NULL); 8357 8358 if (cstate->linktype != DLT_PFLOG) { 8359 bpf_error(cstate, "ifname supported only on PF linktype"); 8360 /*NOTREACHED*/ 8361 } 8362 len = sizeof(((struct pfloghdr *)0)->ifname); 8363 off = offsetof(struct pfloghdr, ifname); 8364 if (strlen(ifname) >= len) { 8365 bpf_error(cstate, "ifname interface names can only be %d characters", 8366 len-1); 8367 /*NOTREACHED*/ 8368 } 8369 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname), 8370 (const u_char *)ifname); 8371 return (b0); 8372 } 8373 8374 /* PF firewall log ruleset name */ 8375 struct block * 8376 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 8377 { 8378 struct block *b0; 8379 8380 /* 8381 * Catch errors reported by us and routines below us, and return NULL 8382 * on an error. 8383 */ 8384 if (setjmp(cstate->top_ctx)) 8385 return (NULL); 8386 8387 if (cstate->linktype != DLT_PFLOG) { 8388 bpf_error(cstate, "ruleset supported only on PF linktype"); 8389 /*NOTREACHED*/ 8390 } 8391 8392 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 8393 bpf_error(cstate, "ruleset names can only be %ld characters", 8394 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 8395 /*NOTREACHED*/ 8396 } 8397 8398 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 8399 (u_int)strlen(ruleset), (const u_char *)ruleset); 8400 return (b0); 8401 } 8402 8403 /* PF firewall log rule number */ 8404 struct block * 8405 gen_pf_rnr(compiler_state_t *cstate, int rnr) 8406 { 8407 struct block *b0; 8408 8409 /* 8410 * Catch errors reported by us and routines below us, and return NULL 8411 * on an error. 8412 */ 8413 if (setjmp(cstate->top_ctx)) 8414 return (NULL); 8415 8416 if (cstate->linktype != DLT_PFLOG) { 8417 bpf_error(cstate, "rnr supported only on PF linktype"); 8418 /*NOTREACHED*/ 8419 } 8420 8421 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 8422 (bpf_int32)rnr); 8423 return (b0); 8424 } 8425 8426 /* PF firewall log sub-rule number */ 8427 struct block * 8428 gen_pf_srnr(compiler_state_t *cstate, int srnr) 8429 { 8430 struct block *b0; 8431 8432 /* 8433 * Catch errors reported by us and routines below us, and return NULL 8434 * on an error. 8435 */ 8436 if (setjmp(cstate->top_ctx)) 8437 return (NULL); 8438 8439 if (cstate->linktype != DLT_PFLOG) { 8440 bpf_error(cstate, "srnr supported only on PF linktype"); 8441 /*NOTREACHED*/ 8442 } 8443 8444 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 8445 (bpf_int32)srnr); 8446 return (b0); 8447 } 8448 8449 /* PF firewall log reason code */ 8450 struct block * 8451 gen_pf_reason(compiler_state_t *cstate, int reason) 8452 { 8453 struct block *b0; 8454 8455 /* 8456 * Catch errors reported by us and routines below us, and return NULL 8457 * on an error. 8458 */ 8459 if (setjmp(cstate->top_ctx)) 8460 return (NULL); 8461 8462 if (cstate->linktype != DLT_PFLOG) { 8463 bpf_error(cstate, "reason supported only on PF linktype"); 8464 /*NOTREACHED*/ 8465 } 8466 8467 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 8468 (bpf_int32)reason); 8469 return (b0); 8470 } 8471 8472 /* PF firewall log action */ 8473 struct block * 8474 gen_pf_action(compiler_state_t *cstate, int action) 8475 { 8476 struct block *b0; 8477 8478 /* 8479 * Catch errors reported by us and routines below us, and return NULL 8480 * on an error. 8481 */ 8482 if (setjmp(cstate->top_ctx)) 8483 return (NULL); 8484 8485 if (cstate->linktype != DLT_PFLOG) { 8486 bpf_error(cstate, "action supported only on PF linktype"); 8487 /*NOTREACHED*/ 8488 } 8489 8490 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 8491 (bpf_int32)action); 8492 return (b0); 8493 } 8494 #else /* !HAVE_NET_PFVAR_H */ 8495 struct block * 8496 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_) 8497 { 8498 /* 8499 * Catch errors reported by us and routines below us, and return NULL 8500 * on an error. 8501 */ 8502 if (setjmp(cstate->top_ctx)) 8503 return (NULL); 8504 8505 bpf_error(cstate, "libpcap was compiled without pf support"); 8506 /*NOTREACHED*/ 8507 } 8508 8509 struct block * 8510 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_) 8511 { 8512 /* 8513 * Catch errors reported by us and routines below us, and return NULL 8514 * on an error. 8515 */ 8516 if (setjmp(cstate->top_ctx)) 8517 return (NULL); 8518 8519 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8520 /*NOTREACHED*/ 8521 } 8522 8523 struct block * 8524 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_) 8525 { 8526 /* 8527 * Catch errors reported by us and routines below us, and return NULL 8528 * on an error. 8529 */ 8530 if (setjmp(cstate->top_ctx)) 8531 return (NULL); 8532 8533 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8534 /*NOTREACHED*/ 8535 } 8536 8537 struct block * 8538 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_) 8539 { 8540 /* 8541 * Catch errors reported by us and routines below us, and return NULL 8542 * on an error. 8543 */ 8544 if (setjmp(cstate->top_ctx)) 8545 return (NULL); 8546 8547 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8548 /*NOTREACHED*/ 8549 } 8550 8551 struct block * 8552 gen_pf_reason(compiler_state_t *cstate, int reason _U_) 8553 { 8554 /* 8555 * Catch errors reported by us and routines below us, and return NULL 8556 * on an error. 8557 */ 8558 if (setjmp(cstate->top_ctx)) 8559 return (NULL); 8560 8561 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8562 /*NOTREACHED*/ 8563 } 8564 8565 struct block * 8566 gen_pf_action(compiler_state_t *cstate, int action _U_) 8567 { 8568 /* 8569 * Catch errors reported by us and routines below us, and return NULL 8570 * on an error. 8571 */ 8572 if (setjmp(cstate->top_ctx)) 8573 return (NULL); 8574 8575 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8576 /*NOTREACHED*/ 8577 } 8578 #endif /* HAVE_NET_PFVAR_H */ 8579 8580 /* IEEE 802.11 wireless header */ 8581 struct block * 8582 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 8583 { 8584 struct block *b0; 8585 8586 /* 8587 * Catch errors reported by us and routines below us, and return NULL 8588 * on an error. 8589 */ 8590 if (setjmp(cstate->top_ctx)) 8591 return (NULL); 8592 8593 switch (cstate->linktype) { 8594 8595 case DLT_IEEE802_11: 8596 case DLT_PRISM_HEADER: 8597 case DLT_IEEE802_11_RADIO_AVS: 8598 case DLT_IEEE802_11_RADIO: 8599 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 8600 (bpf_int32)mask); 8601 break; 8602 8603 default: 8604 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8605 /*NOTREACHED*/ 8606 } 8607 8608 return (b0); 8609 } 8610 8611 struct block * 8612 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 8613 { 8614 struct block *b0; 8615 8616 /* 8617 * Catch errors reported by us and routines below us, and return NULL 8618 * on an error. 8619 */ 8620 if (setjmp(cstate->top_ctx)) 8621 return (NULL); 8622 8623 switch (cstate->linktype) { 8624 8625 case DLT_IEEE802_11: 8626 case DLT_PRISM_HEADER: 8627 case DLT_IEEE802_11_RADIO_AVS: 8628 case DLT_IEEE802_11_RADIO: 8629 break; 8630 8631 default: 8632 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8633 /*NOTREACHED*/ 8634 } 8635 8636 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 8637 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 8638 8639 return (b0); 8640 } 8641 8642 struct block * 8643 gen_acode(compiler_state_t *cstate, const char *s, struct qual q) 8644 { 8645 struct block *b; 8646 8647 /* 8648 * Catch errors reported by us and routines below us, and return NULL 8649 * on an error. 8650 */ 8651 if (setjmp(cstate->top_ctx)) 8652 return (NULL); 8653 8654 switch (cstate->linktype) { 8655 8656 case DLT_ARCNET: 8657 case DLT_ARCNET_LINUX: 8658 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8659 q.proto == Q_LINK) { 8660 cstate->e = pcap_ether_aton(s); 8661 if (cstate->e == NULL) 8662 bpf_error(cstate, "malloc"); 8663 b = gen_ahostop(cstate, cstate->e, (int)q.dir); 8664 free(cstate->e); 8665 cstate->e = NULL; 8666 return (b); 8667 } else 8668 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8669 /*NOTREACHED*/ 8670 8671 default: 8672 bpf_error(cstate, "aid supported only on ARCnet"); 8673 /*NOTREACHED*/ 8674 } 8675 } 8676 8677 static struct block * 8678 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8679 { 8680 register struct block *b0, *b1; 8681 8682 switch (dir) { 8683 /* src comes first, different from Ethernet */ 8684 case Q_SRC: 8685 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8686 8687 case Q_DST: 8688 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8689 8690 case Q_AND: 8691 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8692 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8693 gen_and(b0, b1); 8694 return b1; 8695 8696 case Q_DEFAULT: 8697 case Q_OR: 8698 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8699 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8700 gen_or(b0, b1); 8701 return b1; 8702 8703 case Q_ADDR1: 8704 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8705 /*NOTREACHED*/ 8706 8707 case Q_ADDR2: 8708 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8709 /*NOTREACHED*/ 8710 8711 case Q_ADDR3: 8712 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8713 /*NOTREACHED*/ 8714 8715 case Q_ADDR4: 8716 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8717 /*NOTREACHED*/ 8718 8719 case Q_RA: 8720 bpf_error(cstate, "'ra' is only supported on 802.11"); 8721 /*NOTREACHED*/ 8722 8723 case Q_TA: 8724 bpf_error(cstate, "'ta' is only supported on 802.11"); 8725 /*NOTREACHED*/ 8726 } 8727 abort(); 8728 /*NOTREACHED*/ 8729 } 8730 8731 static struct block * 8732 gen_vlan_tpid_test(compiler_state_t *cstate) 8733 { 8734 struct block *b0, *b1; 8735 8736 /* check for VLAN, including QinQ */ 8737 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8738 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8739 gen_or(b0,b1); 8740 b0 = b1; 8741 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8742 gen_or(b0,b1); 8743 8744 return b1; 8745 } 8746 8747 static struct block * 8748 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num) 8749 { 8750 if (vlan_num > 0x0fff) { 8751 bpf_error(cstate, "VLAN tag %u greater than maximum %u", 8752 vlan_num, 0x0fff); 8753 } 8754 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff); 8755 } 8756 8757 static struct block * 8758 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8759 int has_vlan_tag) 8760 { 8761 struct block *b0, *b1; 8762 8763 b0 = gen_vlan_tpid_test(cstate); 8764 8765 if (has_vlan_tag) { 8766 b1 = gen_vlan_vid_test(cstate, vlan_num); 8767 gen_and(b0, b1); 8768 b0 = b1; 8769 } 8770 8771 /* 8772 * Both payload and link header type follow the VLAN tags so that 8773 * both need to be updated. 8774 */ 8775 cstate->off_linkpl.constant_part += 4; 8776 cstate->off_linktype.constant_part += 4; 8777 8778 return b0; 8779 } 8780 8781 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8782 /* add v to variable part of off */ 8783 static void 8784 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s) 8785 { 8786 struct slist *s2; 8787 8788 if (!off->is_variable) 8789 off->is_variable = 1; 8790 if (off->reg == -1) 8791 off->reg = alloc_reg(cstate); 8792 8793 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8794 s2->s.k = off->reg; 8795 sappend(s, s2); 8796 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8797 s2->s.k = v; 8798 sappend(s, s2); 8799 s2 = new_stmt(cstate, BPF_ST); 8800 s2->s.k = off->reg; 8801 sappend(s, s2); 8802 } 8803 8804 /* 8805 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8806 * and link type offsets first 8807 */ 8808 static void 8809 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8810 { 8811 struct slist s; 8812 8813 /* offset determined at run time, shift variable part */ 8814 s.next = NULL; 8815 cstate->is_vlan_vloffset = 1; 8816 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8817 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8818 8819 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8820 sappend(s.next, b_tpid->head->stmts); 8821 b_tpid->head->stmts = s.next; 8822 } 8823 8824 /* 8825 * patch block b_vid (VLAN id test) to load VID value either from packet 8826 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8827 */ 8828 static void 8829 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8830 { 8831 struct slist *s, *s2, *sjeq; 8832 unsigned cnt; 8833 8834 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8835 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8836 8837 /* true -> next instructions, false -> beginning of b_vid */ 8838 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8839 sjeq->s.k = 1; 8840 sjeq->s.jf = b_vid->stmts; 8841 sappend(s, sjeq); 8842 8843 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8844 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8845 sappend(s, s2); 8846 sjeq->s.jt = s2; 8847 8848 /* Jump to the test in b_vid. We need to jump one instruction before 8849 * the end of the b_vid block so that we only skip loading the TCI 8850 * from packet data and not the 'and' instruction extractging VID. 8851 */ 8852 cnt = 0; 8853 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8854 cnt++; 8855 s2 = new_stmt(cstate, JMP(BPF_JA)); 8856 s2->s.k = cnt - 1; 8857 sappend(s, s2); 8858 8859 /* insert our statements at the beginning of b_vid */ 8860 sappend(s, b_vid->stmts); 8861 b_vid->stmts = s; 8862 } 8863 8864 /* 8865 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8866 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8867 * tag can be either in metadata or in packet data; therefore if the 8868 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8869 * header for VLAN tag. As the decision is done at run time, we need 8870 * update variable part of the offsets 8871 */ 8872 static struct block * 8873 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8874 int has_vlan_tag) 8875 { 8876 struct block *b0, *b_tpid, *b_vid = NULL; 8877 struct slist *s; 8878 8879 /* generate new filter code based on extracting packet 8880 * metadata */ 8881 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8882 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8883 8884 b0 = new_block(cstate, JMP(BPF_JEQ)); 8885 b0->stmts = s; 8886 b0->s.k = 1; 8887 8888 /* 8889 * This is tricky. We need to insert the statements updating variable 8890 * parts of offsets before the the traditional TPID and VID tests so 8891 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8892 * we do not want this update to affect those checks. That's why we 8893 * generate both test blocks first and insert the statements updating 8894 * variable parts of both offsets after that. This wouldn't work if 8895 * there already were variable length link header when entering this 8896 * function but gen_vlan_bpf_extensions() isn't called in that case. 8897 */ 8898 b_tpid = gen_vlan_tpid_test(cstate); 8899 if (has_vlan_tag) 8900 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8901 8902 gen_vlan_patch_tpid_test(cstate, b_tpid); 8903 gen_or(b0, b_tpid); 8904 b0 = b_tpid; 8905 8906 if (has_vlan_tag) { 8907 gen_vlan_patch_vid_test(cstate, b_vid); 8908 gen_and(b0, b_vid); 8909 b0 = b_vid; 8910 } 8911 8912 return b0; 8913 } 8914 #endif 8915 8916 /* 8917 * support IEEE 802.1Q VLAN trunk over ethernet 8918 */ 8919 struct block * 8920 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag) 8921 { 8922 struct block *b0; 8923 8924 /* 8925 * Catch errors reported by us and routines below us, and return NULL 8926 * on an error. 8927 */ 8928 if (setjmp(cstate->top_ctx)) 8929 return (NULL); 8930 8931 /* can't check for VLAN-encapsulated packets inside MPLS */ 8932 if (cstate->label_stack_depth > 0) 8933 bpf_error(cstate, "no VLAN match after MPLS"); 8934 8935 /* 8936 * Check for a VLAN packet, and then change the offsets to point 8937 * to the type and data fields within the VLAN packet. Just 8938 * increment the offsets, so that we can support a hierarchy, e.g. 8939 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8940 * VLAN 100. 8941 * 8942 * XXX - this is a bit of a kludge. If we were to split the 8943 * compiler into a parser that parses an expression and 8944 * generates an expression tree, and a code generator that 8945 * takes an expression tree (which could come from our 8946 * parser or from some other parser) and generates BPF code, 8947 * we could perhaps make the offsets parameters of routines 8948 * and, in the handler for an "AND" node, pass to subnodes 8949 * other than the VLAN node the adjusted offsets. 8950 * 8951 * This would mean that "vlan" would, instead of changing the 8952 * behavior of *all* tests after it, change only the behavior 8953 * of tests ANDed with it. That would change the documented 8954 * semantics of "vlan", which might break some expressions. 8955 * However, it would mean that "(vlan and ip) or ip" would check 8956 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8957 * checking only for VLAN-encapsulated IP, so that could still 8958 * be considered worth doing; it wouldn't break expressions 8959 * that are of the form "vlan and ..." or "vlan N and ...", 8960 * which I suspect are the most common expressions involving 8961 * "vlan". "vlan or ..." doesn't necessarily do what the user 8962 * would really want, now, as all the "or ..." tests would 8963 * be done assuming a VLAN, even though the "or" could be viewed 8964 * as meaning "or, if this isn't a VLAN packet...". 8965 */ 8966 switch (cstate->linktype) { 8967 8968 case DLT_EN10MB: 8969 case DLT_NETANALYZER: 8970 case DLT_NETANALYZER_TRANSPARENT: 8971 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8972 /* Verify that this is the outer part of the packet and 8973 * not encapsulated somehow. */ 8974 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8975 cstate->off_linkhdr.constant_part == 8976 cstate->off_outermostlinkhdr.constant_part) { 8977 /* 8978 * Do we need special VLAN handling? 8979 */ 8980 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8981 b0 = gen_vlan_bpf_extensions(cstate, vlan_num, 8982 has_vlan_tag); 8983 else 8984 b0 = gen_vlan_no_bpf_extensions(cstate, 8985 vlan_num, has_vlan_tag); 8986 } else 8987 #endif 8988 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, 8989 has_vlan_tag); 8990 break; 8991 8992 case DLT_IEEE802_11: 8993 case DLT_PRISM_HEADER: 8994 case DLT_IEEE802_11_RADIO_AVS: 8995 case DLT_IEEE802_11_RADIO: 8996 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag); 8997 break; 8998 8999 default: 9000 bpf_error(cstate, "no VLAN support for %s", 9001 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9002 /*NOTREACHED*/ 9003 } 9004 9005 cstate->vlan_stack_depth++; 9006 9007 return (b0); 9008 } 9009 9010 /* 9011 * support for MPLS 9012 * 9013 * The label_num_arg dance is to avoid annoying whining by compilers that 9014 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9015 * It's not *used* after setjmp returns. 9016 */ 9017 struct block * 9018 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg, 9019 int has_label_num) 9020 { 9021 volatile bpf_u_int32 label_num = label_num_arg; 9022 struct block *b0, *b1; 9023 9024 /* 9025 * Catch errors reported by us and routines below us, and return NULL 9026 * on an error. 9027 */ 9028 if (setjmp(cstate->top_ctx)) 9029 return (NULL); 9030 9031 if (cstate->label_stack_depth > 0) { 9032 /* just match the bottom-of-stack bit clear */ 9033 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 9034 } else { 9035 /* 9036 * We're not in an MPLS stack yet, so check the link-layer 9037 * type against MPLS. 9038 */ 9039 switch (cstate->linktype) { 9040 9041 case DLT_C_HDLC: /* fall through */ 9042 case DLT_EN10MB: 9043 case DLT_NETANALYZER: 9044 case DLT_NETANALYZER_TRANSPARENT: 9045 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 9046 break; 9047 9048 case DLT_PPP: 9049 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 9050 break; 9051 9052 /* FIXME add other DLT_s ... 9053 * for Frame-Relay/and ATM this may get messy due to SNAP headers 9054 * leave it for now */ 9055 9056 default: 9057 bpf_error(cstate, "no MPLS support for %s", 9058 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9059 /*NOTREACHED*/ 9060 } 9061 } 9062 9063 /* If a specific MPLS label is requested, check it */ 9064 if (has_label_num) { 9065 if (label_num > 0xFFFFF) { 9066 bpf_error(cstate, "MPLS label %u greater than maximum %u", 9067 label_num, 0xFFFFF); 9068 } 9069 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 9070 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 9071 0xfffff000); /* only compare the first 20 bits */ 9072 gen_and(b0, b1); 9073 b0 = b1; 9074 } 9075 9076 /* 9077 * Change the offsets to point to the type and data fields within 9078 * the MPLS packet. Just increment the offsets, so that we 9079 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 9080 * capture packets with an outer label of 100000 and an inner 9081 * label of 1024. 9082 * 9083 * Increment the MPLS stack depth as well; this indicates that 9084 * we're checking MPLS-encapsulated headers, to make sure higher 9085 * level code generators don't try to match against IP-related 9086 * protocols such as Q_ARP, Q_RARP etc. 9087 * 9088 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 9089 */ 9090 cstate->off_nl_nosnap += 4; 9091 cstate->off_nl += 4; 9092 cstate->label_stack_depth++; 9093 return (b0); 9094 } 9095 9096 /* 9097 * Support PPPOE discovery and session. 9098 */ 9099 struct block * 9100 gen_pppoed(compiler_state_t *cstate) 9101 { 9102 /* 9103 * Catch errors reported by us and routines below us, and return NULL 9104 * on an error. 9105 */ 9106 if (setjmp(cstate->top_ctx)) 9107 return (NULL); 9108 9109 /* check for PPPoE discovery */ 9110 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 9111 } 9112 9113 struct block * 9114 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num) 9115 { 9116 struct block *b0, *b1; 9117 9118 /* 9119 * Catch errors reported by us and routines below us, and return NULL 9120 * on an error. 9121 */ 9122 if (setjmp(cstate->top_ctx)) 9123 return (NULL); 9124 9125 /* 9126 * Test against the PPPoE session link-layer type. 9127 */ 9128 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 9129 9130 /* If a specific session is requested, check PPPoE session id */ 9131 if (has_sess_num) { 9132 if (sess_num > 0x0000ffff) { 9133 bpf_error(cstate, "PPPoE session number %u greater than maximum %u", 9134 sess_num, 0x0000ffff); 9135 } 9136 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 9137 (bpf_int32)sess_num, 0x0000ffff); 9138 gen_and(b0, b1); 9139 b0 = b1; 9140 } 9141 9142 /* 9143 * Change the offsets to point to the type and data fields within 9144 * the PPP packet, and note that this is PPPoE rather than 9145 * raw PPP. 9146 * 9147 * XXX - this is a bit of a kludge. See the comments in 9148 * gen_vlan(). 9149 * 9150 * The "network-layer" protocol is PPPoE, which has a 6-byte 9151 * PPPoE header, followed by a PPP packet. 9152 * 9153 * There is no HDLC encapsulation for the PPP packet (it's 9154 * encapsulated in PPPoES instead), so the link-layer type 9155 * starts at the first byte of the PPP packet. For PPPoE, 9156 * that offset is relative to the beginning of the total 9157 * link-layer payload, including any 802.2 LLC header, so 9158 * it's 6 bytes past cstate->off_nl. 9159 */ 9160 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 9161 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 9162 cstate->off_linkpl.reg); 9163 9164 cstate->off_linktype = cstate->off_linkhdr; 9165 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 9166 9167 cstate->off_nl = 0; 9168 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 9169 9170 return b0; 9171 } 9172 9173 /* Check that this is Geneve and the VNI is correct if 9174 * specified. Parameterized to handle both IPv4 and IPv6. */ 9175 static struct block * 9176 gen_geneve_check(compiler_state_t *cstate, 9177 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 9178 enum e_offrel offrel, bpf_u_int32 vni, int has_vni) 9179 { 9180 struct block *b0, *b1; 9181 9182 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 9183 9184 /* Check that we are operating on version 0. Otherwise, we 9185 * can't decode the rest of the fields. The version is 2 bits 9186 * in the first byte of the Geneve header. */ 9187 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 9188 gen_and(b0, b1); 9189 b0 = b1; 9190 9191 if (has_vni) { 9192 if (vni > 0xffffff) { 9193 bpf_error(cstate, "Geneve VNI %u greater than maximum %u", 9194 vni, 0xffffff); 9195 } 9196 vni <<= 8; /* VNI is in the upper 3 bytes */ 9197 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 9198 0xffffff00); 9199 gen_and(b0, b1); 9200 b0 = b1; 9201 } 9202 9203 return b0; 9204 } 9205 9206 /* The IPv4 and IPv6 Geneve checks need to do two things: 9207 * - Verify that this actually is Geneve with the right VNI. 9208 * - Place the IP header length (plus variable link prefix if 9209 * needed) into register A to be used later to compute 9210 * the inner packet offsets. */ 9211 static struct block * 9212 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9213 { 9214 struct block *b0, *b1; 9215 struct slist *s, *s1; 9216 9217 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni); 9218 9219 /* Load the IP header length into A. */ 9220 s = gen_loadx_iphdrlen(cstate); 9221 9222 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9223 sappend(s, s1); 9224 9225 /* Forcibly append these statements to the true condition 9226 * of the protocol check by creating a new block that is 9227 * always true and ANDing them. */ 9228 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9229 b1->stmts = s; 9230 b1->s.k = 0; 9231 9232 gen_and(b0, b1); 9233 9234 return b1; 9235 } 9236 9237 static struct block * 9238 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9239 { 9240 struct block *b0, *b1; 9241 struct slist *s, *s1; 9242 9243 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni); 9244 9245 /* Load the IP header length. We need to account for a 9246 * variable length link prefix if there is one. */ 9247 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 9248 if (s) { 9249 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 9250 s1->s.k = 40; 9251 sappend(s, s1); 9252 9253 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9254 s1->s.k = 0; 9255 sappend(s, s1); 9256 } else { 9257 s = new_stmt(cstate, BPF_LD|BPF_IMM); 9258 s->s.k = 40; 9259 } 9260 9261 /* Forcibly append these statements to the true condition 9262 * of the protocol check by creating a new block that is 9263 * always true and ANDing them. */ 9264 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9265 sappend(s, s1); 9266 9267 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9268 b1->stmts = s; 9269 b1->s.k = 0; 9270 9271 gen_and(b0, b1); 9272 9273 return b1; 9274 } 9275 9276 /* We need to store three values based on the Geneve header:: 9277 * - The offset of the linktype. 9278 * - The offset of the end of the Geneve header. 9279 * - The offset of the end of the encapsulated MAC header. */ 9280 static struct slist * 9281 gen_geneve_offsets(compiler_state_t *cstate) 9282 { 9283 struct slist *s, *s1, *s_proto; 9284 9285 /* First we need to calculate the offset of the Geneve header 9286 * itself. This is composed of the IP header previously calculated 9287 * (include any variable link prefix) and stored in A plus the 9288 * fixed sized headers (fixed link prefix, MAC length, and UDP 9289 * header). */ 9290 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9291 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 9292 9293 /* Stash this in X since we'll need it later. */ 9294 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9295 sappend(s, s1); 9296 9297 /* The EtherType in Geneve is 2 bytes in. Calculate this and 9298 * store it. */ 9299 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9300 s1->s.k = 2; 9301 sappend(s, s1); 9302 9303 cstate->off_linktype.reg = alloc_reg(cstate); 9304 cstate->off_linktype.is_variable = 1; 9305 cstate->off_linktype.constant_part = 0; 9306 9307 s1 = new_stmt(cstate, BPF_ST); 9308 s1->s.k = cstate->off_linktype.reg; 9309 sappend(s, s1); 9310 9311 /* Load the Geneve option length and mask and shift to get the 9312 * number of bytes. It is stored in the first byte of the Geneve 9313 * header. */ 9314 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 9315 s1->s.k = 0; 9316 sappend(s, s1); 9317 9318 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 9319 s1->s.k = 0x3f; 9320 sappend(s, s1); 9321 9322 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 9323 s1->s.k = 4; 9324 sappend(s, s1); 9325 9326 /* Add in the rest of the Geneve base header. */ 9327 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9328 s1->s.k = 8; 9329 sappend(s, s1); 9330 9331 /* Add the Geneve header length to its offset and store. */ 9332 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9333 s1->s.k = 0; 9334 sappend(s, s1); 9335 9336 /* Set the encapsulated type as Ethernet. Even though we may 9337 * not actually have Ethernet inside there are two reasons this 9338 * is useful: 9339 * - The linktype field is always in EtherType format regardless 9340 * of whether it is in Geneve or an inner Ethernet frame. 9341 * - The only link layer that we have specific support for is 9342 * Ethernet. We will confirm that the packet actually is 9343 * Ethernet at runtime before executing these checks. */ 9344 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 9345 9346 s1 = new_stmt(cstate, BPF_ST); 9347 s1->s.k = cstate->off_linkhdr.reg; 9348 sappend(s, s1); 9349 9350 /* Calculate whether we have an Ethernet header or just raw IP/ 9351 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 9352 * and linktype by 14 bytes so that the network header can be found 9353 * seamlessly. Otherwise, keep what we've calculated already. */ 9354 9355 /* We have a bare jmp so we can't use the optimizer. */ 9356 cstate->no_optimize = 1; 9357 9358 /* Load the EtherType in the Geneve header, 2 bytes in. */ 9359 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 9360 s1->s.k = 2; 9361 sappend(s, s1); 9362 9363 /* Load X with the end of the Geneve header. */ 9364 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9365 s1->s.k = cstate->off_linkhdr.reg; 9366 sappend(s, s1); 9367 9368 /* Check if the EtherType is Transparent Ethernet Bridging. At the 9369 * end of this check, we should have the total length in X. In 9370 * the non-Ethernet case, it's already there. */ 9371 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 9372 s_proto->s.k = ETHERTYPE_TEB; 9373 sappend(s, s_proto); 9374 9375 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9376 sappend(s, s1); 9377 s_proto->s.jt = s1; 9378 9379 /* Since this is Ethernet, use the EtherType of the payload 9380 * directly as the linktype. Overwrite what we already have. */ 9381 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9382 s1->s.k = 12; 9383 sappend(s, s1); 9384 9385 s1 = new_stmt(cstate, BPF_ST); 9386 s1->s.k = cstate->off_linktype.reg; 9387 sappend(s, s1); 9388 9389 /* Advance two bytes further to get the end of the Ethernet 9390 * header. */ 9391 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9392 s1->s.k = 2; 9393 sappend(s, s1); 9394 9395 /* Move the result to X. */ 9396 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9397 sappend(s, s1); 9398 9399 /* Store the final result of our linkpl calculation. */ 9400 cstate->off_linkpl.reg = alloc_reg(cstate); 9401 cstate->off_linkpl.is_variable = 1; 9402 cstate->off_linkpl.constant_part = 0; 9403 9404 s1 = new_stmt(cstate, BPF_STX); 9405 s1->s.k = cstate->off_linkpl.reg; 9406 sappend(s, s1); 9407 s_proto->s.jf = s1; 9408 9409 cstate->off_nl = 0; 9410 9411 return s; 9412 } 9413 9414 /* Check to see if this is a Geneve packet. */ 9415 struct block * 9416 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9417 { 9418 struct block *b0, *b1; 9419 struct slist *s; 9420 9421 /* 9422 * Catch errors reported by us and routines below us, and return NULL 9423 * on an error. 9424 */ 9425 if (setjmp(cstate->top_ctx)) 9426 return (NULL); 9427 9428 b0 = gen_geneve4(cstate, vni, has_vni); 9429 b1 = gen_geneve6(cstate, vni, has_vni); 9430 9431 gen_or(b0, b1); 9432 b0 = b1; 9433 9434 /* Later filters should act on the payload of the Geneve frame, 9435 * update all of the header pointers. Attach this code so that 9436 * it gets executed in the event that the Geneve filter matches. */ 9437 s = gen_geneve_offsets(cstate); 9438 9439 b1 = gen_true(cstate); 9440 sappend(s, b1->stmts); 9441 b1->stmts = s; 9442 9443 gen_and(b0, b1); 9444 9445 cstate->is_geneve = 1; 9446 9447 return b1; 9448 } 9449 9450 /* Check that the encapsulated frame has a link layer header 9451 * for Ethernet filters. */ 9452 static struct block * 9453 gen_geneve_ll_check(compiler_state_t *cstate) 9454 { 9455 struct block *b0; 9456 struct slist *s, *s1; 9457 9458 /* The easiest way to see if there is a link layer present 9459 * is to check if the link layer header and payload are not 9460 * the same. */ 9461 9462 /* Geneve always generates pure variable offsets so we can 9463 * compare only the registers. */ 9464 s = new_stmt(cstate, BPF_LD|BPF_MEM); 9465 s->s.k = cstate->off_linkhdr.reg; 9466 9467 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9468 s1->s.k = cstate->off_linkpl.reg; 9469 sappend(s, s1); 9470 9471 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9472 b0->stmts = s; 9473 b0->s.k = 0; 9474 gen_not(b0); 9475 9476 return b0; 9477 } 9478 9479 static struct block * 9480 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield, 9481 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse) 9482 { 9483 struct block *b0; 9484 9485 switch (atmfield) { 9486 9487 case A_VPI: 9488 if (!cstate->is_atm) 9489 bpf_error(cstate, "'vpi' supported only on raw ATM"); 9490 if (cstate->off_vpi == OFFSET_NOT_SET) 9491 abort(); 9492 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 9493 reverse, jvalue); 9494 break; 9495 9496 case A_VCI: 9497 if (!cstate->is_atm) 9498 bpf_error(cstate, "'vci' supported only on raw ATM"); 9499 if (cstate->off_vci == OFFSET_NOT_SET) 9500 abort(); 9501 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 9502 reverse, jvalue); 9503 break; 9504 9505 case A_PROTOTYPE: 9506 if (cstate->off_proto == OFFSET_NOT_SET) 9507 abort(); /* XXX - this isn't on FreeBSD */ 9508 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 9509 reverse, jvalue); 9510 break; 9511 9512 case A_MSGTYPE: 9513 if (cstate->off_payload == OFFSET_NOT_SET) 9514 abort(); 9515 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 9516 0xffffffff, jtype, reverse, jvalue); 9517 break; 9518 9519 case A_CALLREFTYPE: 9520 if (!cstate->is_atm) 9521 bpf_error(cstate, "'callref' supported only on raw ATM"); 9522 if (cstate->off_proto == OFFSET_NOT_SET) 9523 abort(); 9524 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 9525 jtype, reverse, jvalue); 9526 break; 9527 9528 default: 9529 abort(); 9530 } 9531 return b0; 9532 } 9533 9534 static struct block * 9535 gen_atmtype_metac(compiler_state_t *cstate) 9536 { 9537 struct block *b0, *b1; 9538 9539 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9540 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0); 9541 gen_and(b0, b1); 9542 return b1; 9543 } 9544 9545 static struct block * 9546 gen_atmtype_sc(compiler_state_t *cstate) 9547 { 9548 struct block *b0, *b1; 9549 9550 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9551 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0); 9552 gen_and(b0, b1); 9553 return b1; 9554 } 9555 9556 static struct block * 9557 gen_atmtype_llc(compiler_state_t *cstate) 9558 { 9559 struct block *b0; 9560 9561 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 9562 cstate->linktype = cstate->prevlinktype; 9563 return b0; 9564 } 9565 9566 struct block * 9567 gen_atmfield_code(compiler_state_t *cstate, int atmfield, 9568 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse) 9569 { 9570 /* 9571 * Catch errors reported by us and routines below us, and return NULL 9572 * on an error. 9573 */ 9574 if (setjmp(cstate->top_ctx)) 9575 return (NULL); 9576 9577 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype, 9578 reverse); 9579 } 9580 9581 struct block * 9582 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 9583 { 9584 struct block *b0, *b1; 9585 9586 /* 9587 * Catch errors reported by us and routines below us, and return NULL 9588 * on an error. 9589 */ 9590 if (setjmp(cstate->top_ctx)) 9591 return (NULL); 9592 9593 switch (type) { 9594 9595 case A_METAC: 9596 /* Get all packets in Meta signalling Circuit */ 9597 if (!cstate->is_atm) 9598 bpf_error(cstate, "'metac' supported only on raw ATM"); 9599 b1 = gen_atmtype_metac(cstate); 9600 break; 9601 9602 case A_BCC: 9603 /* Get all packets in Broadcast Circuit*/ 9604 if (!cstate->is_atm) 9605 bpf_error(cstate, "'bcc' supported only on raw ATM"); 9606 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9607 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0); 9608 gen_and(b0, b1); 9609 break; 9610 9611 case A_OAMF4SC: 9612 /* Get all cells in Segment OAM F4 circuit*/ 9613 if (!cstate->is_atm) 9614 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 9615 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9616 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9617 gen_and(b0, b1); 9618 break; 9619 9620 case A_OAMF4EC: 9621 /* Get all cells in End-to-End OAM F4 Circuit*/ 9622 if (!cstate->is_atm) 9623 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 9624 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9625 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9626 gen_and(b0, b1); 9627 break; 9628 9629 case A_SC: 9630 /* Get all packets in connection Signalling Circuit */ 9631 if (!cstate->is_atm) 9632 bpf_error(cstate, "'sc' supported only on raw ATM"); 9633 b1 = gen_atmtype_sc(cstate); 9634 break; 9635 9636 case A_ILMIC: 9637 /* Get all packets in ILMI Circuit */ 9638 if (!cstate->is_atm) 9639 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 9640 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9641 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0); 9642 gen_and(b0, b1); 9643 break; 9644 9645 case A_LANE: 9646 /* Get all LANE packets */ 9647 if (!cstate->is_atm) 9648 bpf_error(cstate, "'lane' supported only on raw ATM"); 9649 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 9650 9651 /* 9652 * Arrange that all subsequent tests assume LANE 9653 * rather than LLC-encapsulated packets, and set 9654 * the offsets appropriately for LANE-encapsulated 9655 * Ethernet. 9656 * 9657 * We assume LANE means Ethernet, not Token Ring. 9658 */ 9659 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 9660 cstate->off_payload + 2, /* Ethernet header */ 9661 -1); 9662 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 9663 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 9664 cstate->off_nl = 0; /* Ethernet II */ 9665 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 9666 break; 9667 9668 case A_LLC: 9669 /* Get all LLC-encapsulated packets */ 9670 if (!cstate->is_atm) 9671 bpf_error(cstate, "'llc' supported only on raw ATM"); 9672 b1 = gen_atmtype_llc(cstate); 9673 break; 9674 9675 default: 9676 abort(); 9677 } 9678 return b1; 9679 } 9680 9681 /* 9682 * Filtering for MTP2 messages based on li value 9683 * FISU, length is null 9684 * LSSU, length is 1 or 2 9685 * MSU, length is 3 or more 9686 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 9687 */ 9688 struct block * 9689 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 9690 { 9691 struct block *b0, *b1; 9692 9693 /* 9694 * Catch errors reported by us and routines below us, and return NULL 9695 * on an error. 9696 */ 9697 if (setjmp(cstate->top_ctx)) 9698 return (NULL); 9699 9700 switch (type) { 9701 9702 case M_FISU: 9703 if ( (cstate->linktype != DLT_MTP2) && 9704 (cstate->linktype != DLT_ERF) && 9705 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9706 bpf_error(cstate, "'fisu' supported only on MTP2"); 9707 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9708 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 9709 break; 9710 9711 case M_LSSU: 9712 if ( (cstate->linktype != DLT_MTP2) && 9713 (cstate->linktype != DLT_ERF) && 9714 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9715 bpf_error(cstate, "'lssu' supported only on MTP2"); 9716 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 9717 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 9718 gen_and(b1, b0); 9719 break; 9720 9721 case M_MSU: 9722 if ( (cstate->linktype != DLT_MTP2) && 9723 (cstate->linktype != DLT_ERF) && 9724 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9725 bpf_error(cstate, "'msu' supported only on MTP2"); 9726 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 9727 break; 9728 9729 case MH_FISU: 9730 if ( (cstate->linktype != DLT_MTP2) && 9731 (cstate->linktype != DLT_ERF) && 9732 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9733 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9734 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9735 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 9736 break; 9737 9738 case MH_LSSU: 9739 if ( (cstate->linktype != DLT_MTP2) && 9740 (cstate->linktype != DLT_ERF) && 9741 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9742 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9743 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 9744 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 9745 gen_and(b1, b0); 9746 break; 9747 9748 case MH_MSU: 9749 if ( (cstate->linktype != DLT_MTP2) && 9750 (cstate->linktype != DLT_ERF) && 9751 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9752 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9753 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 9754 break; 9755 9756 default: 9757 abort(); 9758 } 9759 return b0; 9760 } 9761 9762 /* 9763 * The jvalue_arg dance is to avoid annoying whining by compilers that 9764 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9765 * It's not *used* after setjmp returns. 9766 */ 9767 struct block * 9768 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, 9769 bpf_u_int32 jvalue_arg, bpf_u_int32 jtype, int reverse) 9770 { 9771 volatile bpf_u_int32 jvalue = jvalue_arg; 9772 struct block *b0; 9773 bpf_u_int32 val1 , val2 , val3; 9774 u_int newoff_sio; 9775 u_int newoff_opc; 9776 u_int newoff_dpc; 9777 u_int newoff_sls; 9778 9779 /* 9780 * Catch errors reported by us and routines below us, and return NULL 9781 * on an error. 9782 */ 9783 if (setjmp(cstate->top_ctx)) 9784 return (NULL); 9785 9786 newoff_sio = cstate->off_sio; 9787 newoff_opc = cstate->off_opc; 9788 newoff_dpc = cstate->off_dpc; 9789 newoff_sls = cstate->off_sls; 9790 switch (mtp3field) { 9791 9792 case MH_SIO: 9793 newoff_sio += 3; /* offset for MTP2_HSL */ 9794 /* FALLTHROUGH */ 9795 9796 case M_SIO: 9797 if (cstate->off_sio == OFFSET_NOT_SET) 9798 bpf_error(cstate, "'sio' supported only on SS7"); 9799 /* sio coded on 1 byte so max value 255 */ 9800 if(jvalue > 255) 9801 bpf_error(cstate, "sio value %u too big; max value = 255", 9802 jvalue); 9803 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 9804 (u_int)jtype, reverse, (u_int)jvalue); 9805 break; 9806 9807 case MH_OPC: 9808 newoff_opc += 3; 9809 9810 /* FALLTHROUGH */ 9811 case M_OPC: 9812 if (cstate->off_opc == OFFSET_NOT_SET) 9813 bpf_error(cstate, "'opc' supported only on SS7"); 9814 /* opc coded on 14 bits so max value 16383 */ 9815 if (jvalue > 16383) 9816 bpf_error(cstate, "opc value %u too big; max value = 16383", 9817 jvalue); 9818 /* the following instructions are made to convert jvalue 9819 * to the form used to write opc in an ss7 message*/ 9820 val1 = jvalue & 0x00003c00; 9821 val1 = val1 >>10; 9822 val2 = jvalue & 0x000003fc; 9823 val2 = val2 <<6; 9824 val3 = jvalue & 0x00000003; 9825 val3 = val3 <<22; 9826 jvalue = val1 + val2 + val3; 9827 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 9828 (u_int)jtype, reverse, (u_int)jvalue); 9829 break; 9830 9831 case MH_DPC: 9832 newoff_dpc += 3; 9833 /* FALLTHROUGH */ 9834 9835 case M_DPC: 9836 if (cstate->off_dpc == OFFSET_NOT_SET) 9837 bpf_error(cstate, "'dpc' supported only on SS7"); 9838 /* dpc coded on 14 bits so max value 16383 */ 9839 if (jvalue > 16383) 9840 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9841 jvalue); 9842 /* the following instructions are made to convert jvalue 9843 * to the forme used to write dpc in an ss7 message*/ 9844 val1 = jvalue & 0x000000ff; 9845 val1 = val1 << 24; 9846 val2 = jvalue & 0x00003f00; 9847 val2 = val2 << 8; 9848 jvalue = val1 + val2; 9849 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 9850 (u_int)jtype, reverse, (u_int)jvalue); 9851 break; 9852 9853 case MH_SLS: 9854 newoff_sls += 3; 9855 /* FALLTHROUGH */ 9856 9857 case M_SLS: 9858 if (cstate->off_sls == OFFSET_NOT_SET) 9859 bpf_error(cstate, "'sls' supported only on SS7"); 9860 /* sls coded on 4 bits so max value 15 */ 9861 if (jvalue > 15) 9862 bpf_error(cstate, "sls value %u too big; max value = 15", 9863 jvalue); 9864 /* the following instruction is made to convert jvalue 9865 * to the forme used to write sls in an ss7 message*/ 9866 jvalue = jvalue << 4; 9867 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 9868 (u_int)jtype,reverse, (u_int)jvalue); 9869 break; 9870 9871 default: 9872 abort(); 9873 } 9874 return b0; 9875 } 9876 9877 static struct block * 9878 gen_msg_abbrev(compiler_state_t *cstate, int type) 9879 { 9880 struct block *b1; 9881 9882 /* 9883 * Q.2931 signalling protocol messages for handling virtual circuits 9884 * establishment and teardown 9885 */ 9886 switch (type) { 9887 9888 case A_SETUP: 9889 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9890 break; 9891 9892 case A_CALLPROCEED: 9893 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9894 break; 9895 9896 case A_CONNECT: 9897 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9898 break; 9899 9900 case A_CONNECTACK: 9901 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9902 break; 9903 9904 case A_RELEASE: 9905 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9906 break; 9907 9908 case A_RELEASE_DONE: 9909 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9910 break; 9911 9912 default: 9913 abort(); 9914 } 9915 return b1; 9916 } 9917 9918 struct block * 9919 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9920 { 9921 struct block *b0, *b1; 9922 9923 /* 9924 * Catch errors reported by us and routines below us, and return NULL 9925 * on an error. 9926 */ 9927 if (setjmp(cstate->top_ctx)) 9928 return (NULL); 9929 9930 switch (type) { 9931 9932 case A_OAM: 9933 if (!cstate->is_atm) 9934 bpf_error(cstate, "'oam' supported only on raw ATM"); 9935 /* OAM F4 type */ 9936 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9937 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9938 gen_or(b0, b1); 9939 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9940 gen_and(b0, b1); 9941 break; 9942 9943 case A_OAMF4: 9944 if (!cstate->is_atm) 9945 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9946 /* OAM F4 type */ 9947 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9948 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9949 gen_or(b0, b1); 9950 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9951 gen_and(b0, b1); 9952 break; 9953 9954 case A_CONNECTMSG: 9955 /* 9956 * Get Q.2931 signalling messages for switched 9957 * virtual connection 9958 */ 9959 if (!cstate->is_atm) 9960 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9961 b0 = gen_msg_abbrev(cstate, A_SETUP); 9962 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9963 gen_or(b0, b1); 9964 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9965 gen_or(b0, b1); 9966 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9967 gen_or(b0, b1); 9968 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9969 gen_or(b0, b1); 9970 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9971 gen_or(b0, b1); 9972 b0 = gen_atmtype_sc(cstate); 9973 gen_and(b0, b1); 9974 break; 9975 9976 case A_METACONNECT: 9977 if (!cstate->is_atm) 9978 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9979 b0 = gen_msg_abbrev(cstate, A_SETUP); 9980 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9981 gen_or(b0, b1); 9982 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9983 gen_or(b0, b1); 9984 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9985 gen_or(b0, b1); 9986 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9987 gen_or(b0, b1); 9988 b0 = gen_atmtype_metac(cstate); 9989 gen_and(b0, b1); 9990 break; 9991 9992 default: 9993 abort(); 9994 } 9995 return b1; 9996 } 9997