1 /* $NetBSD: gencode.c,v 1.5 2013/04/06 17:29:53 christos Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #include <net/dlt.h> 60 #endif 61 62 #include <netinet/in.h> 63 #include <arpa/inet.h> 64 65 #endif /* WIN32 */ 66 67 #include <stdlib.h> 68 #include <string.h> 69 #include <memory.h> 70 #include <setjmp.h> 71 #include <stdarg.h> 72 73 #ifdef MSDOS 74 #include "pcap-dos.h" 75 #endif 76 77 #include "pcap-int.h" 78 79 #include "ethertype.h" 80 #include "nlpid.h" 81 #include "llc.h" 82 #include "gencode.h" 83 #include "ieee80211.h" 84 #include "atmuni31.h" 85 #include "sunatmpos.h" 86 #include "ppp.h" 87 #include "pcap/sll.h" 88 #include "pcap/ipnet.h" 89 #include "arcnet.h" 90 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 91 #include <linux/types.h> 92 #include <linux/if_packet.h> 93 #include <linux/filter.h> 94 #endif 95 #ifdef HAVE_NET_PFVAR_H 96 #include <sys/socket.h> 97 #include <net/if.h> 98 #include <net/pfvar.h> 99 #include <net/if_pflog.h> 100 #endif 101 #ifndef offsetof 102 #define offsetof(s, e) ((size_t)&((s *)0)->e) 103 #endif 104 #ifdef INET6 105 #ifndef WIN32 106 #include <netdb.h> /* for "struct addrinfo" */ 107 #endif /* WIN32 */ 108 #endif /*INET6*/ 109 #include <pcap/namedb.h> 110 111 #define ETHERMTU 1500 112 113 #ifndef IPPROTO_SCTP 114 #define IPPROTO_SCTP 132 115 #endif 116 117 #ifdef HAVE_OS_PROTO_H 118 #include "os-proto.h" 119 #endif 120 121 #define JMP(c) ((c)|BPF_JMP|BPF_K) 122 123 /* Locals */ 124 static jmp_buf top_ctx; 125 static pcap_t *bpf_pcap; 126 127 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 128 #ifdef WIN32 129 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 130 #else 131 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 132 #endif 133 134 /* XXX */ 135 #ifdef PCAP_FDDIPAD 136 static int pcap_fddipad; 137 #endif 138 139 /* VARARGS */ 140 void 141 bpf_error(const char *fmt, ...) 142 { 143 va_list ap; 144 145 va_start(ap, fmt); 146 if (bpf_pcap != NULL) 147 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 148 fmt, ap); 149 va_end(ap); 150 longjmp(top_ctx, 1); 151 /* NOTREACHED */ 152 } 153 154 static void init_linktype(pcap_t *); 155 156 static void init_regs(void); 157 static int alloc_reg(void); 158 static void free_reg(int); 159 160 static struct block *root; 161 162 /* 163 * Value passed to gen_load_a() to indicate what the offset argument 164 * is relative to. 165 */ 166 enum e_offrel { 167 OR_PACKET, /* relative to the beginning of the packet */ 168 OR_LINK, /* relative to the beginning of the link-layer header */ 169 OR_MACPL, /* relative to the end of the MAC-layer header */ 170 OR_NET, /* relative to the network-layer header */ 171 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 172 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 173 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 174 }; 175 176 #ifdef INET6 177 /* 178 * As errors are handled by a longjmp, anything allocated must be freed 179 * in the longjmp handler, so it must be reachable from that handler. 180 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 181 * it must be freed with freeaddrinfo(). This variable points to any 182 * addrinfo structure that would need to be freed. 183 */ 184 static struct addrinfo *ai; 185 #endif 186 187 /* 188 * We divy out chunks of memory rather than call malloc each time so 189 * we don't have to worry about leaking memory. It's probably 190 * not a big deal if all this memory was wasted but if this ever 191 * goes into a library that would probably not be a good idea. 192 * 193 * XXX - this *is* in a library.... 194 */ 195 #define NCHUNKS 16 196 #define CHUNK0SIZE 1024 197 struct chunk { 198 u_int n_left; 199 void *m; 200 }; 201 202 static struct chunk chunks[NCHUNKS]; 203 static int cur_chunk; 204 205 static void *newchunk(u_int); 206 static void freechunks(void); 207 static inline struct block *new_block(int); 208 static inline struct slist *new_stmt(int); 209 static struct block *gen_retblk(int); 210 static inline void syntax(void); 211 212 static void backpatch(struct block *, struct block *); 213 static void merge(struct block *, struct block *); 214 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 215 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 216 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 217 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 218 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 219 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 220 bpf_u_int32); 221 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 222 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 223 bpf_u_int32, bpf_u_int32, int, bpf_int32); 224 static struct slist *gen_load_llrel(u_int, u_int); 225 static struct slist *gen_load_macplrel(u_int, u_int); 226 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 227 static struct slist *gen_loadx_iphdrlen(void); 228 static struct block *gen_uncond(int); 229 static inline struct block *gen_true(void); 230 static inline struct block *gen_false(void); 231 static struct block *gen_ether_linktype(int); 232 static struct block *gen_ipnet_linktype(int); 233 static struct block *gen_linux_sll_linktype(int); 234 static struct slist *gen_load_prism_llprefixlen(void); 235 static struct slist *gen_load_avs_llprefixlen(void); 236 static struct slist *gen_load_radiotap_llprefixlen(void); 237 static struct slist *gen_load_ppi_llprefixlen(void); 238 static void insert_compute_vloffsets(struct block *); 239 static struct slist *gen_llprefixlen(void); 240 static struct slist *gen_off_macpl(void); 241 static int ethertype_to_ppptype(int); 242 static struct block *gen_linktype(int); 243 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 244 static struct block *gen_llc_linktype(int); 245 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 246 #ifdef INET6 247 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 248 #endif 249 static struct block *gen_ahostop(const u_char *, int); 250 static struct block *gen_ehostop(const u_char *, int); 251 static struct block *gen_fhostop(const u_char *, int); 252 static struct block *gen_thostop(const u_char *, int); 253 static struct block *gen_wlanhostop(const u_char *, int); 254 static struct block *gen_ipfchostop(const u_char *, int); 255 static struct block *gen_dnhostop(bpf_u_int32, int); 256 static struct block *gen_mpls_linktype(int); 257 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 258 #ifdef INET6 259 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 260 #endif 261 #ifndef INET6 262 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 263 #endif 264 static struct block *gen_ipfrag(void); 265 static struct block *gen_portatom(int, bpf_int32); 266 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 267 #ifdef INET6 268 static struct block *gen_portatom6(int, bpf_int32); 269 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 270 #endif 271 struct block *gen_portop(int, int, int); 272 static struct block *gen_port(int, int, int); 273 struct block *gen_portrangeop(int, int, int, int); 274 static struct block *gen_portrange(int, int, int, int); 275 #ifdef INET6 276 struct block *gen_portop6(int, int, int); 277 static struct block *gen_port6(int, int, int); 278 struct block *gen_portrangeop6(int, int, int, int); 279 static struct block *gen_portrange6(int, int, int, int); 280 #endif 281 static int lookup_proto(const char *, int); 282 static struct block *gen_protochain(int, int, int); 283 static struct block *gen_proto(int, int, int); 284 static struct slist *xfer_to_x(struct arth *); 285 static struct slist *xfer_to_a(struct arth *); 286 static struct block *gen_mac_multicast(int); 287 static struct block *gen_len(int, int); 288 static struct block *gen_check_802_11_data_frame(void); 289 290 static struct block *gen_ppi_dlt_check(void); 291 static struct block *gen_msg_abbrev(int type); 292 293 static void * 294 newchunk(n) 295 u_int n; 296 { 297 struct chunk *cp; 298 int k; 299 size_t size; 300 301 #ifndef __NetBSD__ 302 /* XXX Round up to nearest long. */ 303 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 304 #else 305 /* XXX Round up to structure boundary. */ 306 n = ALIGN(n); 307 #endif 308 309 cp = &chunks[cur_chunk]; 310 if (n > cp->n_left) { 311 ++cp, k = ++cur_chunk; 312 if (k >= NCHUNKS) 313 bpf_error("out of memory"); 314 size = CHUNK0SIZE << k; 315 cp->m = (void *)malloc(size); 316 if (cp->m == NULL) 317 bpf_error("out of memory"); 318 memset((char *)cp->m, 0, size); 319 cp->n_left = size; 320 if (n > size) 321 bpf_error("out of memory"); 322 } 323 cp->n_left -= n; 324 return (void *)((char *)cp->m + cp->n_left); 325 } 326 327 static void 328 freechunks() 329 { 330 int i; 331 332 cur_chunk = 0; 333 for (i = 0; i < NCHUNKS; ++i) 334 if (chunks[i].m != NULL) { 335 free(chunks[i].m); 336 chunks[i].m = NULL; 337 } 338 } 339 340 /* 341 * A strdup whose allocations are freed after code generation is over. 342 */ 343 char * 344 sdup(s) 345 register const char *s; 346 { 347 int n = strlen(s) + 1; 348 char *cp = newchunk(n); 349 350 strlcpy(cp, s, n); 351 return (cp); 352 } 353 354 static inline struct block * 355 new_block(code) 356 int code; 357 { 358 struct block *p; 359 360 p = (struct block *)newchunk(sizeof(*p)); 361 p->s.code = code; 362 p->head = p; 363 364 return p; 365 } 366 367 static inline struct slist * 368 new_stmt(code) 369 int code; 370 { 371 struct slist *p; 372 373 p = (struct slist *)newchunk(sizeof(*p)); 374 p->s.code = code; 375 376 return p; 377 } 378 379 static struct block * 380 gen_retblk(v) 381 int v; 382 { 383 struct block *b = new_block(BPF_RET|BPF_K); 384 385 b->s.k = v; 386 return b; 387 } 388 389 __dead static inline void 390 syntax(void) 391 { 392 bpf_error("syntax error in filter expression"); 393 } 394 395 static bpf_u_int32 netmask; 396 static int snaplen; 397 int no_optimize; 398 #ifdef WIN32 399 static int 400 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 401 const char *buf, int optimize, bpf_u_int32 mask); 402 403 int 404 pcap_compile(pcap_t *p, struct bpf_program *program, 405 const char *buf, int optimize, bpf_u_int32 mask) 406 { 407 int result; 408 409 EnterCriticalSection(&g_PcapCompileCriticalSection); 410 411 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 412 413 LeaveCriticalSection(&g_PcapCompileCriticalSection); 414 415 return result; 416 } 417 418 static int 419 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 420 const char *buf, int optimize, bpf_u_int32 mask) 421 #else /* WIN32 */ 422 int 423 pcap_compile(pcap_t *p, struct bpf_program *program, 424 const char *buf, int optimize, bpf_u_int32 mask) 425 #endif /* WIN32 */ 426 { 427 extern int n_errors; 428 const char * volatile xbuf = buf; 429 u_int len; 430 431 no_optimize = 0; 432 n_errors = 0; 433 root = NULL; 434 bpf_pcap = p; 435 init_regs(); 436 if (setjmp(top_ctx)) { 437 #ifdef INET6 438 if (ai != NULL) { 439 freeaddrinfo(ai); 440 ai = NULL; 441 } 442 #endif 443 lex_cleanup(); 444 freechunks(); 445 return (-1); 446 } 447 448 netmask = mask; 449 450 snaplen = pcap_snapshot(p); 451 if (snaplen == 0) { 452 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 453 "snaplen of 0 rejects all packets"); 454 return -1; 455 } 456 457 lex_init(xbuf ? xbuf : ""); 458 init_linktype(p); 459 (void)pcap_parse(); 460 461 if (n_errors) 462 syntax(); 463 464 if (root == NULL) 465 root = gen_retblk(snaplen); 466 467 if (optimize && !no_optimize) { 468 bpf_optimize(&root); 469 if (root == NULL || 470 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 471 bpf_error("expression rejects all packets"); 472 } 473 program->bf_insns = icode_to_fcode(root, &len); 474 program->bf_len = len; 475 476 lex_cleanup(); 477 freechunks(); 478 return (0); 479 } 480 481 /* 482 * entry point for using the compiler with no pcap open 483 * pass in all the stuff that is needed explicitly instead. 484 */ 485 int 486 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 487 struct bpf_program *program, 488 const char *buf, int optimize, bpf_u_int32 mask) 489 { 490 pcap_t *p; 491 int ret; 492 493 p = pcap_open_dead(linktype_arg, snaplen_arg); 494 if (p == NULL) 495 return (-1); 496 ret = pcap_compile(p, program, buf, optimize, mask); 497 pcap_close(p); 498 return (ret); 499 } 500 501 /* 502 * Clean up a "struct bpf_program" by freeing all the memory allocated 503 * in it. 504 */ 505 void 506 pcap_freecode(struct bpf_program *program) 507 { 508 program->bf_len = 0; 509 if (program->bf_insns != NULL) { 510 free((char *)program->bf_insns); 511 program->bf_insns = NULL; 512 } 513 } 514 515 /* 516 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 517 * which of the jt and jf fields has been resolved and which is a pointer 518 * back to another unresolved block (or nil). At least one of the fields 519 * in each block is already resolved. 520 */ 521 static void 522 backpatch(list, target) 523 struct block *list, *target; 524 { 525 struct block *next; 526 527 while (list) { 528 if (!list->sense) { 529 next = JT(list); 530 JT(list) = target; 531 } else { 532 next = JF(list); 533 JF(list) = target; 534 } 535 list = next; 536 } 537 } 538 539 /* 540 * Merge the lists in b0 and b1, using the 'sense' field to indicate 541 * which of jt and jf is the link. 542 */ 543 static void 544 merge(b0, b1) 545 struct block *b0, *b1; 546 { 547 register struct block **p = &b0; 548 549 /* Find end of list. */ 550 while (*p) 551 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 552 553 /* Concatenate the lists. */ 554 *p = b1; 555 } 556 557 void 558 finish_parse(p) 559 struct block *p; 560 { 561 struct block *ppi_dlt_check; 562 563 /* 564 * Insert before the statements of the first (root) block any 565 * statements needed to load the lengths of any variable-length 566 * headers into registers. 567 * 568 * XXX - a fancier strategy would be to insert those before the 569 * statements of all blocks that use those lengths and that 570 * have no predecessors that use them, so that we only compute 571 * the lengths if we need them. There might be even better 572 * approaches than that. 573 * 574 * However, those strategies would be more complicated, and 575 * as we don't generate code to compute a length if the 576 * program has no tests that use the length, and as most 577 * tests will probably use those lengths, we would just 578 * postpone computing the lengths so that it's not done 579 * for tests that fail early, and it's not clear that's 580 * worth the effort. 581 */ 582 insert_compute_vloffsets(p->head); 583 584 /* 585 * For DLT_PPI captures, generate a check of the per-packet 586 * DLT value to make sure it's DLT_IEEE802_11. 587 */ 588 ppi_dlt_check = gen_ppi_dlt_check(); 589 if (ppi_dlt_check != NULL) 590 gen_and(ppi_dlt_check, p); 591 592 backpatch(p, gen_retblk(snaplen)); 593 p->sense = !p->sense; 594 backpatch(p, gen_retblk(0)); 595 root = p->head; 596 } 597 598 void 599 gen_and(b0, b1) 600 struct block *b0, *b1; 601 { 602 backpatch(b0, b1->head); 603 b0->sense = !b0->sense; 604 b1->sense = !b1->sense; 605 merge(b1, b0); 606 b1->sense = !b1->sense; 607 b1->head = b0->head; 608 } 609 610 void 611 gen_or(b0, b1) 612 struct block *b0, *b1; 613 { 614 b0->sense = !b0->sense; 615 backpatch(b0, b1->head); 616 b0->sense = !b0->sense; 617 merge(b1, b0); 618 b1->head = b0->head; 619 } 620 621 void 622 gen_not(b) 623 struct block *b; 624 { 625 b->sense = !b->sense; 626 } 627 628 static struct block * 629 gen_cmp(offrel, offset, size, v) 630 enum e_offrel offrel; 631 u_int offset, size; 632 bpf_int32 v; 633 { 634 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 635 } 636 637 static struct block * 638 gen_cmp_gt(offrel, offset, size, v) 639 enum e_offrel offrel; 640 u_int offset, size; 641 bpf_int32 v; 642 { 643 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 644 } 645 646 static struct block * 647 gen_cmp_ge(offrel, offset, size, v) 648 enum e_offrel offrel; 649 u_int offset, size; 650 bpf_int32 v; 651 { 652 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 653 } 654 655 static struct block * 656 gen_cmp_lt(offrel, offset, size, v) 657 enum e_offrel offrel; 658 u_int offset, size; 659 bpf_int32 v; 660 { 661 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 662 } 663 664 static struct block * 665 gen_cmp_le(offrel, offset, size, v) 666 enum e_offrel offrel; 667 u_int offset, size; 668 bpf_int32 v; 669 { 670 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 671 } 672 673 static struct block * 674 gen_mcmp(offrel, offset, size, v, mask) 675 enum e_offrel offrel; 676 u_int offset, size; 677 bpf_int32 v; 678 bpf_u_int32 mask; 679 { 680 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 681 } 682 683 static struct block * 684 gen_bcmp(offrel, offset, size, v) 685 enum e_offrel offrel; 686 register u_int offset, size; 687 register const u_char *v; 688 { 689 register struct block *b, *tmp; 690 691 b = NULL; 692 while (size >= 4) { 693 register const u_char *p = &v[size - 4]; 694 bpf_int32 w = ((bpf_int32)p[0] << 24) | 695 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 696 697 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 698 if (b != NULL) 699 gen_and(b, tmp); 700 b = tmp; 701 size -= 4; 702 } 703 while (size >= 2) { 704 register const u_char *p = &v[size - 2]; 705 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 706 707 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 708 if (b != NULL) 709 gen_and(b, tmp); 710 b = tmp; 711 size -= 2; 712 } 713 if (size > 0) { 714 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 715 if (b != NULL) 716 gen_and(b, tmp); 717 b = tmp; 718 } 719 return b; 720 } 721 722 /* 723 * AND the field of size "size" at offset "offset" relative to the header 724 * specified by "offrel" with "mask", and compare it with the value "v" 725 * with the test specified by "jtype"; if "reverse" is true, the test 726 * should test the opposite of "jtype". 727 */ 728 static struct block * 729 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 730 enum e_offrel offrel; 731 bpf_int32 v; 732 bpf_u_int32 offset, size, mask, jtype; 733 int reverse; 734 { 735 struct slist *s, *s2; 736 struct block *b; 737 738 s = gen_load_a(offrel, offset, size); 739 740 if (mask != 0xffffffff) { 741 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 742 s2->s.k = mask; 743 sappend(s, s2); 744 } 745 746 b = new_block(JMP(jtype)); 747 b->stmts = s; 748 b->s.k = v; 749 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 750 gen_not(b); 751 return b; 752 } 753 754 /* 755 * Various code constructs need to know the layout of the data link 756 * layer. These variables give the necessary offsets from the beginning 757 * of the packet data. 758 */ 759 760 /* 761 * This is the offset of the beginning of the link-layer header from 762 * the beginning of the raw packet data. 763 * 764 * It's usually 0, except for 802.11 with a fixed-length radio header. 765 * (For 802.11 with a variable-length radio header, we have to generate 766 * code to compute that offset; off_ll is 0 in that case.) 767 */ 768 static u_int off_ll; 769 770 /* 771 * If there's a variable-length header preceding the link-layer header, 772 * "reg_off_ll" is the register number for a register containing the 773 * length of that header, and therefore the offset of the link-layer 774 * header from the beginning of the raw packet data. Otherwise, 775 * "reg_off_ll" is -1. 776 */ 777 static int reg_off_ll; 778 779 /* 780 * This is the offset of the beginning of the MAC-layer header from 781 * the beginning of the link-layer header. 782 * It's usually 0, except for ATM LANE, where it's the offset, relative 783 * to the beginning of the raw packet data, of the Ethernet header, and 784 * for Ethernet with various additional information. 785 */ 786 static u_int off_mac; 787 788 /* 789 * This is the offset of the beginning of the MAC-layer payload, 790 * from the beginning of the raw packet data. 791 * 792 * I.e., it's the sum of the length of the link-layer header (without, 793 * for example, any 802.2 LLC header, so it's the MAC-layer 794 * portion of that header), plus any prefix preceding the 795 * link-layer header. 796 */ 797 static u_int off_macpl; 798 799 /* 800 * This is 1 if the offset of the beginning of the MAC-layer payload 801 * from the beginning of the link-layer header is variable-length. 802 */ 803 static int off_macpl_is_variable; 804 805 /* 806 * If the link layer has variable_length headers, "reg_off_macpl" 807 * is the register number for a register containing the length of the 808 * link-layer header plus the length of any variable-length header 809 * preceding the link-layer header. Otherwise, "reg_off_macpl" 810 * is -1. 811 */ 812 static int reg_off_macpl; 813 814 /* 815 * "off_linktype" is the offset to information in the link-layer header 816 * giving the packet type. This offset is relative to the beginning 817 * of the link-layer header (i.e., it doesn't include off_ll). 818 * 819 * For Ethernet, it's the offset of the Ethernet type field. 820 * 821 * For link-layer types that always use 802.2 headers, it's the 822 * offset of the LLC header. 823 * 824 * For PPP, it's the offset of the PPP type field. 825 * 826 * For Cisco HDLC, it's the offset of the CHDLC type field. 827 * 828 * For BSD loopback, it's the offset of the AF_ value. 829 * 830 * For Linux cooked sockets, it's the offset of the type field. 831 * 832 * It's set to -1 for no encapsulation, in which case, IP is assumed. 833 */ 834 static u_int off_linktype; 835 836 /* 837 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 838 * checks to check the PPP header, assumed to follow a LAN-style link- 839 * layer header and a PPPoE session header. 840 */ 841 static int is_pppoes = 0; 842 843 /* 844 * TRUE if the link layer includes an ATM pseudo-header. 845 */ 846 static int is_atm = 0; 847 848 /* 849 * TRUE if "lane" appeared in the filter; it causes us to generate 850 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 851 */ 852 static int is_lane = 0; 853 854 /* 855 * These are offsets for the ATM pseudo-header. 856 */ 857 static u_int off_vpi; 858 static u_int off_vci; 859 static u_int off_proto; 860 861 /* 862 * These are offsets for the MTP2 fields. 863 */ 864 static u_int off_li; 865 866 /* 867 * These are offsets for the MTP3 fields. 868 */ 869 static u_int off_sio; 870 static u_int off_opc; 871 static u_int off_dpc; 872 static u_int off_sls; 873 874 /* 875 * This is the offset of the first byte after the ATM pseudo_header, 876 * or -1 if there is no ATM pseudo-header. 877 */ 878 static u_int off_payload; 879 880 /* 881 * These are offsets to the beginning of the network-layer header. 882 * They are relative to the beginning of the MAC-layer payload (i.e., 883 * they don't include off_ll or off_macpl). 884 * 885 * If the link layer never uses 802.2 LLC: 886 * 887 * "off_nl" and "off_nl_nosnap" are the same. 888 * 889 * If the link layer always uses 802.2 LLC: 890 * 891 * "off_nl" is the offset if there's a SNAP header following 892 * the 802.2 header; 893 * 894 * "off_nl_nosnap" is the offset if there's no SNAP header. 895 * 896 * If the link layer is Ethernet: 897 * 898 * "off_nl" is the offset if the packet is an Ethernet II packet 899 * (we assume no 802.3+802.2+SNAP); 900 * 901 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 902 * with an 802.2 header following it. 903 */ 904 static u_int off_nl; 905 static u_int off_nl_nosnap; 906 907 static int linktype; 908 909 static void 910 init_linktype(p) 911 pcap_t *p; 912 { 913 linktype = pcap_datalink(p); 914 #ifdef PCAP_FDDIPAD 915 pcap_fddipad = p->fddipad; 916 #endif 917 918 /* 919 * Assume it's not raw ATM with a pseudo-header, for now. 920 */ 921 off_mac = 0; 922 is_atm = 0; 923 is_lane = 0; 924 off_vpi = -1; 925 off_vci = -1; 926 off_proto = -1; 927 off_payload = -1; 928 929 /* 930 * And that we're not doing PPPoE. 931 */ 932 is_pppoes = 0; 933 934 /* 935 * And assume we're not doing SS7. 936 */ 937 off_li = -1; 938 off_sio = -1; 939 off_opc = -1; 940 off_dpc = -1; 941 off_sls = -1; 942 943 /* 944 * Also assume it's not 802.11. 945 */ 946 off_ll = 0; 947 off_macpl = 0; 948 off_macpl_is_variable = 0; 949 950 orig_linktype = -1; 951 orig_nl = -1; 952 label_stack_depth = 0; 953 954 reg_off_ll = -1; 955 reg_off_macpl = -1; 956 957 switch (linktype) { 958 959 case DLT_ARCNET: 960 off_linktype = 2; 961 off_macpl = 6; 962 off_nl = 0; /* XXX in reality, variable! */ 963 off_nl_nosnap = 0; /* no 802.2 LLC */ 964 return; 965 966 case DLT_ARCNET_LINUX: 967 off_linktype = 4; 968 off_macpl = 8; 969 off_nl = 0; /* XXX in reality, variable! */ 970 off_nl_nosnap = 0; /* no 802.2 LLC */ 971 return; 972 973 case DLT_EN10MB: 974 off_linktype = 12; 975 off_macpl = 14; /* Ethernet header length */ 976 off_nl = 0; /* Ethernet II */ 977 off_nl_nosnap = 3; /* 802.3+802.2 */ 978 return; 979 980 case DLT_SLIP: 981 /* 982 * SLIP doesn't have a link level type. The 16 byte 983 * header is hacked into our SLIP driver. 984 */ 985 off_linktype = -1; 986 off_macpl = 16; 987 off_nl = 0; 988 off_nl_nosnap = 0; /* no 802.2 LLC */ 989 return; 990 991 case DLT_SLIP_BSDOS: 992 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 993 off_linktype = -1; 994 /* XXX end */ 995 off_macpl = 24; 996 off_nl = 0; 997 off_nl_nosnap = 0; /* no 802.2 LLC */ 998 return; 999 1000 case DLT_NULL: 1001 case DLT_LOOP: 1002 off_linktype = 0; 1003 off_macpl = 4; 1004 off_nl = 0; 1005 off_nl_nosnap = 0; /* no 802.2 LLC */ 1006 return; 1007 1008 case DLT_ENC: 1009 off_linktype = 0; 1010 off_macpl = 12; 1011 off_nl = 0; 1012 off_nl_nosnap = 0; /* no 802.2 LLC */ 1013 return; 1014 1015 case DLT_PPP: 1016 case DLT_PPP_PPPD: 1017 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1018 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1019 off_linktype = 2; 1020 off_macpl = 4; 1021 off_nl = 0; 1022 off_nl_nosnap = 0; /* no 802.2 LLC */ 1023 return; 1024 1025 case DLT_PPP_ETHER: 1026 /* 1027 * This does no include the Ethernet header, and 1028 * only covers session state. 1029 */ 1030 off_linktype = 6; 1031 off_macpl = 8; 1032 off_nl = 0; 1033 off_nl_nosnap = 0; /* no 802.2 LLC */ 1034 return; 1035 1036 case DLT_PPP_BSDOS: 1037 off_linktype = 5; 1038 off_macpl = 24; 1039 off_nl = 0; 1040 off_nl_nosnap = 0; /* no 802.2 LLC */ 1041 return; 1042 1043 case DLT_FDDI: 1044 /* 1045 * FDDI doesn't really have a link-level type field. 1046 * We set "off_linktype" to the offset of the LLC header. 1047 * 1048 * To check for Ethernet types, we assume that SSAP = SNAP 1049 * is being used and pick out the encapsulated Ethernet type. 1050 * XXX - should we generate code to check for SNAP? 1051 */ 1052 off_linktype = 13; 1053 #ifdef PCAP_FDDIPAD 1054 off_linktype += pcap_fddipad; 1055 #endif 1056 off_macpl = 13; /* FDDI MAC header length */ 1057 #ifdef PCAP_FDDIPAD 1058 off_macpl += pcap_fddipad; 1059 #endif 1060 off_nl = 8; /* 802.2+SNAP */ 1061 off_nl_nosnap = 3; /* 802.2 */ 1062 return; 1063 1064 case DLT_IEEE802: 1065 /* 1066 * Token Ring doesn't really have a link-level type field. 1067 * We set "off_linktype" to the offset of the LLC header. 1068 * 1069 * To check for Ethernet types, we assume that SSAP = SNAP 1070 * is being used and pick out the encapsulated Ethernet type. 1071 * XXX - should we generate code to check for SNAP? 1072 * 1073 * XXX - the header is actually variable-length. 1074 * Some various Linux patched versions gave 38 1075 * as "off_linktype" and 40 as "off_nl"; however, 1076 * if a token ring packet has *no* routing 1077 * information, i.e. is not source-routed, the correct 1078 * values are 20 and 22, as they are in the vanilla code. 1079 * 1080 * A packet is source-routed iff the uppermost bit 1081 * of the first byte of the source address, at an 1082 * offset of 8, has the uppermost bit set. If the 1083 * packet is source-routed, the total number of bytes 1084 * of routing information is 2 plus bits 0x1F00 of 1085 * the 16-bit value at an offset of 14 (shifted right 1086 * 8 - figure out which byte that is). 1087 */ 1088 off_linktype = 14; 1089 off_macpl = 14; /* Token Ring MAC header length */ 1090 off_nl = 8; /* 802.2+SNAP */ 1091 off_nl_nosnap = 3; /* 802.2 */ 1092 return; 1093 1094 case DLT_IEEE802_11: 1095 case DLT_PRISM_HEADER: 1096 case DLT_IEEE802_11_RADIO_AVS: 1097 case DLT_IEEE802_11_RADIO: 1098 /* 1099 * 802.11 doesn't really have a link-level type field. 1100 * We set "off_linktype" to the offset of the LLC header. 1101 * 1102 * To check for Ethernet types, we assume that SSAP = SNAP 1103 * is being used and pick out the encapsulated Ethernet type. 1104 * XXX - should we generate code to check for SNAP? 1105 * 1106 * We also handle variable-length radio headers here. 1107 * The Prism header is in theory variable-length, but in 1108 * practice it's always 144 bytes long. However, some 1109 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1110 * sometimes or always supply an AVS header, so we 1111 * have to check whether the radio header is a Prism 1112 * header or an AVS header, so, in practice, it's 1113 * variable-length. 1114 */ 1115 off_linktype = 24; 1116 off_macpl = 0; /* link-layer header is variable-length */ 1117 off_macpl_is_variable = 1; 1118 off_nl = 8; /* 802.2+SNAP */ 1119 off_nl_nosnap = 3; /* 802.2 */ 1120 return; 1121 1122 case DLT_PPI: 1123 /* 1124 * At the moment we treat PPI the same way that we treat 1125 * normal Radiotap encoded packets. The difference is in 1126 * the function that generates the code at the beginning 1127 * to compute the header length. Since this code generator 1128 * of PPI supports bare 802.11 encapsulation only (i.e. 1129 * the encapsulated DLT should be DLT_IEEE802_11) we 1130 * generate code to check for this too. 1131 */ 1132 off_linktype = 24; 1133 off_macpl = 0; /* link-layer header is variable-length */ 1134 off_macpl_is_variable = 1; 1135 off_nl = 8; /* 802.2+SNAP */ 1136 off_nl_nosnap = 3; /* 802.2 */ 1137 return; 1138 1139 case DLT_ATM_RFC1483: 1140 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1141 /* 1142 * assume routed, non-ISO PDUs 1143 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1144 * 1145 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1146 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1147 * latter would presumably be treated the way PPPoE 1148 * should be, so you can do "pppoe and udp port 2049" 1149 * or "pppoa and tcp port 80" and have it check for 1150 * PPPo{A,E} and a PPP protocol of IP and.... 1151 */ 1152 off_linktype = 0; 1153 off_macpl = 0; /* packet begins with LLC header */ 1154 off_nl = 8; /* 802.2+SNAP */ 1155 off_nl_nosnap = 3; /* 802.2 */ 1156 return; 1157 1158 case DLT_SUNATM: 1159 /* 1160 * Full Frontal ATM; you get AALn PDUs with an ATM 1161 * pseudo-header. 1162 */ 1163 is_atm = 1; 1164 off_vpi = SUNATM_VPI_POS; 1165 off_vci = SUNATM_VCI_POS; 1166 off_proto = PROTO_POS; 1167 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1168 off_payload = SUNATM_PKT_BEGIN_POS; 1169 off_linktype = off_payload; 1170 off_macpl = off_payload; /* if LLC-encapsulated */ 1171 off_nl = 8; /* 802.2+SNAP */ 1172 off_nl_nosnap = 3; /* 802.2 */ 1173 return; 1174 1175 case DLT_RAW: 1176 case DLT_IPV4: 1177 case DLT_IPV6: 1178 off_linktype = -1; 1179 off_macpl = 0; 1180 off_nl = 0; 1181 off_nl_nosnap = 0; /* no 802.2 LLC */ 1182 return; 1183 1184 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1185 off_linktype = 14; 1186 off_macpl = 16; 1187 off_nl = 0; 1188 off_nl_nosnap = 0; /* no 802.2 LLC */ 1189 return; 1190 1191 case DLT_LTALK: 1192 /* 1193 * LocalTalk does have a 1-byte type field in the LLAP header, 1194 * but really it just indicates whether there is a "short" or 1195 * "long" DDP packet following. 1196 */ 1197 off_linktype = -1; 1198 off_macpl = 0; 1199 off_nl = 0; 1200 off_nl_nosnap = 0; /* no 802.2 LLC */ 1201 return; 1202 1203 case DLT_IP_OVER_FC: 1204 /* 1205 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1206 * link-level type field. We set "off_linktype" to the 1207 * offset of the LLC header. 1208 * 1209 * To check for Ethernet types, we assume that SSAP = SNAP 1210 * is being used and pick out the encapsulated Ethernet type. 1211 * XXX - should we generate code to check for SNAP? RFC 1212 * 2625 says SNAP should be used. 1213 */ 1214 off_linktype = 16; 1215 off_macpl = 16; 1216 off_nl = 8; /* 802.2+SNAP */ 1217 off_nl_nosnap = 3; /* 802.2 */ 1218 return; 1219 1220 case DLT_FRELAY: 1221 /* 1222 * XXX - we should set this to handle SNAP-encapsulated 1223 * frames (NLPID of 0x80). 1224 */ 1225 off_linktype = -1; 1226 off_macpl = 0; 1227 off_nl = 0; 1228 off_nl_nosnap = 0; /* no 802.2 LLC */ 1229 return; 1230 1231 /* 1232 * the only BPF-interesting FRF.16 frames are non-control frames; 1233 * Frame Relay has a variable length link-layer 1234 * so lets start with offset 4 for now and increments later on (FIXME); 1235 */ 1236 case DLT_MFR: 1237 off_linktype = -1; 1238 off_macpl = 0; 1239 off_nl = 4; 1240 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1241 return; 1242 1243 case DLT_APPLE_IP_OVER_IEEE1394: 1244 off_linktype = 16; 1245 off_macpl = 18; 1246 off_nl = 0; 1247 off_nl_nosnap = 0; /* no 802.2 LLC */ 1248 return; 1249 1250 case DLT_SYMANTEC_FIREWALL: 1251 off_linktype = 6; 1252 off_macpl = 44; 1253 off_nl = 0; /* Ethernet II */ 1254 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1255 return; 1256 1257 #ifdef HAVE_NET_PFVAR_H 1258 case DLT_PFLOG: 1259 off_linktype = 0; 1260 off_macpl = PFLOG_HDRLEN; 1261 off_nl = 0; 1262 off_nl_nosnap = 0; /* no 802.2 LLC */ 1263 return; 1264 #endif 1265 1266 case DLT_JUNIPER_MFR: 1267 case DLT_JUNIPER_MLFR: 1268 case DLT_JUNIPER_MLPPP: 1269 case DLT_JUNIPER_PPP: 1270 case DLT_JUNIPER_CHDLC: 1271 case DLT_JUNIPER_FRELAY: 1272 off_linktype = 4; 1273 off_macpl = 4; 1274 off_nl = 0; 1275 off_nl_nosnap = -1; /* no 802.2 LLC */ 1276 return; 1277 1278 case DLT_JUNIPER_ATM1: 1279 off_linktype = 4; /* in reality variable between 4-8 */ 1280 off_macpl = 4; /* in reality variable between 4-8 */ 1281 off_nl = 0; 1282 off_nl_nosnap = 10; 1283 return; 1284 1285 case DLT_JUNIPER_ATM2: 1286 off_linktype = 8; /* in reality variable between 8-12 */ 1287 off_macpl = 8; /* in reality variable between 8-12 */ 1288 off_nl = 0; 1289 off_nl_nosnap = 10; 1290 return; 1291 1292 /* frames captured on a Juniper PPPoE service PIC 1293 * contain raw ethernet frames */ 1294 case DLT_JUNIPER_PPPOE: 1295 case DLT_JUNIPER_ETHER: 1296 off_macpl = 14; 1297 off_linktype = 16; 1298 off_nl = 18; /* Ethernet II */ 1299 off_nl_nosnap = 21; /* 802.3+802.2 */ 1300 return; 1301 1302 case DLT_JUNIPER_PPPOE_ATM: 1303 off_linktype = 4; 1304 off_macpl = 6; 1305 off_nl = 0; 1306 off_nl_nosnap = -1; /* no 802.2 LLC */ 1307 return; 1308 1309 case DLT_JUNIPER_GGSN: 1310 off_linktype = 6; 1311 off_macpl = 12; 1312 off_nl = 0; 1313 off_nl_nosnap = -1; /* no 802.2 LLC */ 1314 return; 1315 1316 case DLT_JUNIPER_ES: 1317 off_linktype = 6; 1318 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1319 off_nl = -1; /* not really a network layer but raw IP addresses */ 1320 off_nl_nosnap = -1; /* no 802.2 LLC */ 1321 return; 1322 1323 case DLT_JUNIPER_MONITOR: 1324 off_linktype = 12; 1325 off_macpl = 12; 1326 off_nl = 0; /* raw IP/IP6 header */ 1327 off_nl_nosnap = -1; /* no 802.2 LLC */ 1328 return; 1329 1330 case DLT_JUNIPER_SERVICES: 1331 off_linktype = 12; 1332 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1333 off_nl = -1; /* L3 proto location dep. on cookie type */ 1334 off_nl_nosnap = -1; /* no 802.2 LLC */ 1335 return; 1336 1337 case DLT_JUNIPER_VP: 1338 off_linktype = 18; 1339 off_macpl = -1; 1340 off_nl = -1; 1341 off_nl_nosnap = -1; 1342 return; 1343 1344 case DLT_JUNIPER_ST: 1345 off_linktype = 18; 1346 off_macpl = -1; 1347 off_nl = -1; 1348 off_nl_nosnap = -1; 1349 return; 1350 1351 case DLT_JUNIPER_ISM: 1352 off_linktype = 8; 1353 off_macpl = -1; 1354 off_nl = -1; 1355 off_nl_nosnap = -1; 1356 return; 1357 1358 case DLT_JUNIPER_VS: 1359 case DLT_JUNIPER_SRX_E2E: 1360 case DLT_JUNIPER_FIBRECHANNEL: 1361 case DLT_JUNIPER_ATM_CEMIC: 1362 off_linktype = 8; 1363 off_macpl = -1; 1364 off_nl = -1; 1365 off_nl_nosnap = -1; 1366 return; 1367 1368 case DLT_MTP2: 1369 off_li = 2; 1370 off_sio = 3; 1371 off_opc = 4; 1372 off_dpc = 4; 1373 off_sls = 7; 1374 off_linktype = -1; 1375 off_macpl = -1; 1376 off_nl = -1; 1377 off_nl_nosnap = -1; 1378 return; 1379 1380 case DLT_MTP2_WITH_PHDR: 1381 off_li = 6; 1382 off_sio = 7; 1383 off_opc = 8; 1384 off_dpc = 8; 1385 off_sls = 11; 1386 off_linktype = -1; 1387 off_macpl = -1; 1388 off_nl = -1; 1389 off_nl_nosnap = -1; 1390 return; 1391 1392 case DLT_ERF: 1393 off_li = 22; 1394 off_sio = 23; 1395 off_opc = 24; 1396 off_dpc = 24; 1397 off_sls = 27; 1398 off_linktype = -1; 1399 off_macpl = -1; 1400 off_nl = -1; 1401 off_nl_nosnap = -1; 1402 return; 1403 1404 case DLT_PFSYNC: 1405 off_linktype = -1; 1406 off_macpl = 4; 1407 off_nl = 0; 1408 off_nl_nosnap = 0; 1409 return; 1410 1411 case DLT_AX25_KISS: 1412 /* 1413 * Currently, only raw "link[N:M]" filtering is supported. 1414 */ 1415 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1416 off_macpl = -1; 1417 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1418 off_nl_nosnap = -1; /* no 802.2 LLC */ 1419 off_mac = 1; /* step over the kiss length byte */ 1420 return; 1421 1422 case DLT_IPNET: 1423 off_linktype = 1; 1424 off_macpl = 24; /* ipnet header length */ 1425 off_nl = 0; 1426 off_nl_nosnap = -1; 1427 return; 1428 1429 case DLT_NETANALYZER: 1430 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1431 off_linktype = 16; /* includes 4-byte pseudo-header */ 1432 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1433 off_nl = 0; /* Ethernet II */ 1434 off_nl_nosnap = 3; /* 802.3+802.2 */ 1435 return; 1436 1437 case DLT_NETANALYZER_TRANSPARENT: 1438 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1439 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1440 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1441 off_nl = 0; /* Ethernet II */ 1442 off_nl_nosnap = 3; /* 802.3+802.2 */ 1443 return; 1444 1445 default: 1446 /* 1447 * For values in the range in which we've assigned new 1448 * DLT_ values, only raw "link[N:M]" filtering is supported. 1449 */ 1450 if (linktype >= DLT_MATCHING_MIN && 1451 linktype <= DLT_MATCHING_MAX) { 1452 off_linktype = -1; 1453 off_macpl = -1; 1454 off_nl = -1; 1455 off_nl_nosnap = -1; 1456 return; 1457 } 1458 1459 } 1460 bpf_error("unknown data link type %d", linktype); 1461 /* NOTREACHED */ 1462 } 1463 1464 /* 1465 * Load a value relative to the beginning of the link-layer header. 1466 * The link-layer header doesn't necessarily begin at the beginning 1467 * of the packet data; there might be a variable-length prefix containing 1468 * radio information. 1469 */ 1470 static struct slist * 1471 gen_load_llrel(offset, size) 1472 u_int offset, size; 1473 { 1474 struct slist *s, *s2; 1475 1476 s = gen_llprefixlen(); 1477 1478 /* 1479 * If "s" is non-null, it has code to arrange that the X register 1480 * contains the length of the prefix preceding the link-layer 1481 * header. 1482 * 1483 * Otherwise, the length of the prefix preceding the link-layer 1484 * header is "off_ll". 1485 */ 1486 if (s != NULL) { 1487 /* 1488 * There's a variable-length prefix preceding the 1489 * link-layer header. "s" points to a list of statements 1490 * that put the length of that prefix into the X register. 1491 * do an indirect load, to use the X register as an offset. 1492 */ 1493 s2 = new_stmt(BPF_LD|BPF_IND|size); 1494 s2->s.k = offset; 1495 sappend(s, s2); 1496 } else { 1497 /* 1498 * There is no variable-length header preceding the 1499 * link-layer header; add in off_ll, which, if there's 1500 * a fixed-length header preceding the link-layer header, 1501 * is the length of that header. 1502 */ 1503 s = new_stmt(BPF_LD|BPF_ABS|size); 1504 s->s.k = offset + off_ll; 1505 } 1506 return s; 1507 } 1508 1509 /* 1510 * Load a value relative to the beginning of the MAC-layer payload. 1511 */ 1512 static struct slist * 1513 gen_load_macplrel(offset, size) 1514 u_int offset, size; 1515 { 1516 struct slist *s, *s2; 1517 1518 s = gen_off_macpl(); 1519 1520 /* 1521 * If s is non-null, the offset of the MAC-layer payload is 1522 * variable, and s points to a list of instructions that 1523 * arrange that the X register contains that offset. 1524 * 1525 * Otherwise, the offset of the MAC-layer payload is constant, 1526 * and is in off_macpl. 1527 */ 1528 if (s != NULL) { 1529 /* 1530 * The offset of the MAC-layer payload is in the X 1531 * register. Do an indirect load, to use the X register 1532 * as an offset. 1533 */ 1534 s2 = new_stmt(BPF_LD|BPF_IND|size); 1535 s2->s.k = offset; 1536 sappend(s, s2); 1537 } else { 1538 /* 1539 * The offset of the MAC-layer payload is constant, 1540 * and is in off_macpl; load the value at that offset 1541 * plus the specified offset. 1542 */ 1543 s = new_stmt(BPF_LD|BPF_ABS|size); 1544 s->s.k = off_macpl + offset; 1545 } 1546 return s; 1547 } 1548 1549 /* 1550 * Load a value relative to the beginning of the specified header. 1551 */ 1552 static struct slist * 1553 gen_load_a(offrel, offset, size) 1554 enum e_offrel offrel; 1555 u_int offset, size; 1556 { 1557 struct slist *s, *s2; 1558 1559 switch (offrel) { 1560 1561 case OR_PACKET: 1562 s = new_stmt(BPF_LD|BPF_ABS|size); 1563 s->s.k = offset; 1564 break; 1565 1566 case OR_LINK: 1567 s = gen_load_llrel(offset, size); 1568 break; 1569 1570 case OR_MACPL: 1571 s = gen_load_macplrel(offset, size); 1572 break; 1573 1574 case OR_NET: 1575 s = gen_load_macplrel(off_nl + offset, size); 1576 break; 1577 1578 case OR_NET_NOSNAP: 1579 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1580 break; 1581 1582 case OR_TRAN_IPV4: 1583 /* 1584 * Load the X register with the length of the IPv4 header 1585 * (plus the offset of the link-layer header, if it's 1586 * preceded by a variable-length header such as a radio 1587 * header), in bytes. 1588 */ 1589 s = gen_loadx_iphdrlen(); 1590 1591 /* 1592 * Load the item at {offset of the MAC-layer payload} + 1593 * {offset, relative to the start of the MAC-layer 1594 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1595 * {specified offset}. 1596 * 1597 * (If the offset of the MAC-layer payload is variable, 1598 * it's included in the value in the X register, and 1599 * off_macpl is 0.) 1600 */ 1601 s2 = new_stmt(BPF_LD|BPF_IND|size); 1602 s2->s.k = off_macpl + off_nl + offset; 1603 sappend(s, s2); 1604 break; 1605 1606 case OR_TRAN_IPV6: 1607 s = gen_load_macplrel(off_nl + 40 + offset, size); 1608 break; 1609 1610 default: 1611 abort(); 1612 return NULL; 1613 } 1614 return s; 1615 } 1616 1617 /* 1618 * Generate code to load into the X register the sum of the length of 1619 * the IPv4 header and any variable-length header preceding the link-layer 1620 * header. 1621 */ 1622 static struct slist * 1623 gen_loadx_iphdrlen() 1624 { 1625 struct slist *s, *s2; 1626 1627 s = gen_off_macpl(); 1628 if (s != NULL) { 1629 /* 1630 * There's a variable-length prefix preceding the 1631 * link-layer header, or the link-layer header is itself 1632 * variable-length. "s" points to a list of statements 1633 * that put the offset of the MAC-layer payload into 1634 * the X register. 1635 * 1636 * The 4*([k]&0xf) addressing mode can't be used, as we 1637 * don't have a constant offset, so we have to load the 1638 * value in question into the A register and add to it 1639 * the value from the X register. 1640 */ 1641 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1642 s2->s.k = off_nl; 1643 sappend(s, s2); 1644 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1645 s2->s.k = 0xf; 1646 sappend(s, s2); 1647 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1648 s2->s.k = 2; 1649 sappend(s, s2); 1650 1651 /* 1652 * The A register now contains the length of the 1653 * IP header. We need to add to it the offset of 1654 * the MAC-layer payload, which is still in the X 1655 * register, and move the result into the X register. 1656 */ 1657 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1658 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1659 } else { 1660 /* 1661 * There is no variable-length header preceding the 1662 * link-layer header, and the link-layer header is 1663 * fixed-length; load the length of the IPv4 header, 1664 * which is at an offset of off_nl from the beginning 1665 * of the MAC-layer payload, and thus at an offset 1666 * of off_mac_pl + off_nl from the beginning of the 1667 * raw packet data. 1668 */ 1669 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1670 s->s.k = off_macpl + off_nl; 1671 } 1672 return s; 1673 } 1674 1675 static struct block * 1676 gen_uncond(rsense) 1677 int rsense; 1678 { 1679 struct block *b; 1680 struct slist *s; 1681 1682 s = new_stmt(BPF_LD|BPF_IMM); 1683 s->s.k = !rsense; 1684 b = new_block(JMP(BPF_JEQ)); 1685 b->stmts = s; 1686 1687 return b; 1688 } 1689 1690 static inline struct block * 1691 gen_true() 1692 { 1693 return gen_uncond(1); 1694 } 1695 1696 static inline struct block * 1697 gen_false() 1698 { 1699 return gen_uncond(0); 1700 } 1701 1702 /* 1703 * Byte-swap a 32-bit number. 1704 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1705 * big-endian platforms.) 1706 */ 1707 #define SWAPLONG(y) \ 1708 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1709 1710 /* 1711 * Generate code to match a particular packet type. 1712 * 1713 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1714 * value, if <= ETHERMTU. We use that to determine whether to 1715 * match the type/length field or to check the type/length field for 1716 * a value <= ETHERMTU to see whether it's a type field and then do 1717 * the appropriate test. 1718 */ 1719 static struct block * 1720 gen_ether_linktype(proto) 1721 register int proto; 1722 { 1723 struct block *b0, *b1; 1724 1725 switch (proto) { 1726 1727 case LLCSAP_ISONS: 1728 case LLCSAP_IP: 1729 case LLCSAP_NETBEUI: 1730 /* 1731 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1732 * so we check the DSAP and SSAP. 1733 * 1734 * LLCSAP_IP checks for IP-over-802.2, rather 1735 * than IP-over-Ethernet or IP-over-SNAP. 1736 * 1737 * XXX - should we check both the DSAP and the 1738 * SSAP, like this, or should we check just the 1739 * DSAP, as we do for other types <= ETHERMTU 1740 * (i.e., other SAP values)? 1741 */ 1742 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1743 gen_not(b0); 1744 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1745 ((proto << 8) | proto)); 1746 gen_and(b0, b1); 1747 return b1; 1748 1749 case LLCSAP_IPX: 1750 /* 1751 * Check for; 1752 * 1753 * Ethernet_II frames, which are Ethernet 1754 * frames with a frame type of ETHERTYPE_IPX; 1755 * 1756 * Ethernet_802.3 frames, which are 802.3 1757 * frames (i.e., the type/length field is 1758 * a length field, <= ETHERMTU, rather than 1759 * a type field) with the first two bytes 1760 * after the Ethernet/802.3 header being 1761 * 0xFFFF; 1762 * 1763 * Ethernet_802.2 frames, which are 802.3 1764 * frames with an 802.2 LLC header and 1765 * with the IPX LSAP as the DSAP in the LLC 1766 * header; 1767 * 1768 * Ethernet_SNAP frames, which are 802.3 1769 * frames with an LLC header and a SNAP 1770 * header and with an OUI of 0x000000 1771 * (encapsulated Ethernet) and a protocol 1772 * ID of ETHERTYPE_IPX in the SNAP header. 1773 * 1774 * XXX - should we generate the same code both 1775 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1776 */ 1777 1778 /* 1779 * This generates code to check both for the 1780 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1781 */ 1782 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1783 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1784 gen_or(b0, b1); 1785 1786 /* 1787 * Now we add code to check for SNAP frames with 1788 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1789 */ 1790 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1791 gen_or(b0, b1); 1792 1793 /* 1794 * Now we generate code to check for 802.3 1795 * frames in general. 1796 */ 1797 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1798 gen_not(b0); 1799 1800 /* 1801 * Now add the check for 802.3 frames before the 1802 * check for Ethernet_802.2 and Ethernet_802.3, 1803 * as those checks should only be done on 802.3 1804 * frames, not on Ethernet frames. 1805 */ 1806 gen_and(b0, b1); 1807 1808 /* 1809 * Now add the check for Ethernet_II frames, and 1810 * do that before checking for the other frame 1811 * types. 1812 */ 1813 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1814 (bpf_int32)ETHERTYPE_IPX); 1815 gen_or(b0, b1); 1816 return b1; 1817 1818 case ETHERTYPE_ATALK: 1819 case ETHERTYPE_AARP: 1820 /* 1821 * EtherTalk (AppleTalk protocols on Ethernet link 1822 * layer) may use 802.2 encapsulation. 1823 */ 1824 1825 /* 1826 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1827 * we check for an Ethernet type field less than 1828 * 1500, which means it's an 802.3 length field. 1829 */ 1830 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1831 gen_not(b0); 1832 1833 /* 1834 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1835 * SNAP packets with an organization code of 1836 * 0x080007 (Apple, for Appletalk) and a protocol 1837 * type of ETHERTYPE_ATALK (Appletalk). 1838 * 1839 * 802.2-encapsulated ETHERTYPE_AARP packets are 1840 * SNAP packets with an organization code of 1841 * 0x000000 (encapsulated Ethernet) and a protocol 1842 * type of ETHERTYPE_AARP (Appletalk ARP). 1843 */ 1844 if (proto == ETHERTYPE_ATALK) 1845 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1846 else /* proto == ETHERTYPE_AARP */ 1847 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1848 gen_and(b0, b1); 1849 1850 /* 1851 * Check for Ethernet encapsulation (Ethertalk 1852 * phase 1?); we just check for the Ethernet 1853 * protocol type. 1854 */ 1855 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1856 1857 gen_or(b0, b1); 1858 return b1; 1859 1860 default: 1861 if (proto <= ETHERMTU) { 1862 /* 1863 * This is an LLC SAP value, so the frames 1864 * that match would be 802.2 frames. 1865 * Check that the frame is an 802.2 frame 1866 * (i.e., that the length/type field is 1867 * a length field, <= ETHERMTU) and 1868 * then check the DSAP. 1869 */ 1870 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1871 gen_not(b0); 1872 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1873 (bpf_int32)proto); 1874 gen_and(b0, b1); 1875 return b1; 1876 } else { 1877 /* 1878 * This is an Ethernet type, so compare 1879 * the length/type field with it (if 1880 * the frame is an 802.2 frame, the length 1881 * field will be <= ETHERMTU, and, as 1882 * "proto" is > ETHERMTU, this test 1883 * will fail and the frame won't match, 1884 * which is what we want). 1885 */ 1886 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1887 (bpf_int32)proto); 1888 } 1889 } 1890 } 1891 1892 /* 1893 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1894 * or IPv6 then we have an error. 1895 */ 1896 static struct block * 1897 gen_ipnet_linktype(proto) 1898 register int proto; 1899 { 1900 switch (proto) { 1901 1902 case ETHERTYPE_IP: 1903 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1904 (bpf_int32)IPH_AF_INET); 1905 /* NOTREACHED */ 1906 1907 case ETHERTYPE_IPV6: 1908 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1909 (bpf_int32)IPH_AF_INET6); 1910 /* NOTREACHED */ 1911 1912 default: 1913 break; 1914 } 1915 1916 return gen_false(); 1917 } 1918 1919 /* 1920 * Generate code to match a particular packet type. 1921 * 1922 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1923 * value, if <= ETHERMTU. We use that to determine whether to 1924 * match the type field or to check the type field for the special 1925 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1926 */ 1927 static struct block * 1928 gen_linux_sll_linktype(proto) 1929 register int proto; 1930 { 1931 struct block *b0, *b1; 1932 1933 switch (proto) { 1934 1935 case LLCSAP_ISONS: 1936 case LLCSAP_IP: 1937 case LLCSAP_NETBEUI: 1938 /* 1939 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1940 * so we check the DSAP and SSAP. 1941 * 1942 * LLCSAP_IP checks for IP-over-802.2, rather 1943 * than IP-over-Ethernet or IP-over-SNAP. 1944 * 1945 * XXX - should we check both the DSAP and the 1946 * SSAP, like this, or should we check just the 1947 * DSAP, as we do for other types <= ETHERMTU 1948 * (i.e., other SAP values)? 1949 */ 1950 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1951 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1952 ((proto << 8) | proto)); 1953 gen_and(b0, b1); 1954 return b1; 1955 1956 case LLCSAP_IPX: 1957 /* 1958 * Ethernet_II frames, which are Ethernet 1959 * frames with a frame type of ETHERTYPE_IPX; 1960 * 1961 * Ethernet_802.3 frames, which have a frame 1962 * type of LINUX_SLL_P_802_3; 1963 * 1964 * Ethernet_802.2 frames, which are 802.3 1965 * frames with an 802.2 LLC header (i.e, have 1966 * a frame type of LINUX_SLL_P_802_2) and 1967 * with the IPX LSAP as the DSAP in the LLC 1968 * header; 1969 * 1970 * Ethernet_SNAP frames, which are 802.3 1971 * frames with an LLC header and a SNAP 1972 * header and with an OUI of 0x000000 1973 * (encapsulated Ethernet) and a protocol 1974 * ID of ETHERTYPE_IPX in the SNAP header. 1975 * 1976 * First, do the checks on LINUX_SLL_P_802_2 1977 * frames; generate the check for either 1978 * Ethernet_802.2 or Ethernet_SNAP frames, and 1979 * then put a check for LINUX_SLL_P_802_2 frames 1980 * before it. 1981 */ 1982 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1983 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 1984 gen_or(b0, b1); 1985 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1986 gen_and(b0, b1); 1987 1988 /* 1989 * Now check for 802.3 frames and OR that with 1990 * the previous test. 1991 */ 1992 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1993 gen_or(b0, b1); 1994 1995 /* 1996 * Now add the check for Ethernet_II frames, and 1997 * do that before checking for the other frame 1998 * types. 1999 */ 2000 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2001 (bpf_int32)ETHERTYPE_IPX); 2002 gen_or(b0, b1); 2003 return b1; 2004 2005 case ETHERTYPE_ATALK: 2006 case ETHERTYPE_AARP: 2007 /* 2008 * EtherTalk (AppleTalk protocols on Ethernet link 2009 * layer) may use 802.2 encapsulation. 2010 */ 2011 2012 /* 2013 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2014 * we check for the 802.2 protocol type in the 2015 * "Ethernet type" field. 2016 */ 2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2018 2019 /* 2020 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2021 * SNAP packets with an organization code of 2022 * 0x080007 (Apple, for Appletalk) and a protocol 2023 * type of ETHERTYPE_ATALK (Appletalk). 2024 * 2025 * 802.2-encapsulated ETHERTYPE_AARP packets are 2026 * SNAP packets with an organization code of 2027 * 0x000000 (encapsulated Ethernet) and a protocol 2028 * type of ETHERTYPE_AARP (Appletalk ARP). 2029 */ 2030 if (proto == ETHERTYPE_ATALK) 2031 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2032 else /* proto == ETHERTYPE_AARP */ 2033 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2034 gen_and(b0, b1); 2035 2036 /* 2037 * Check for Ethernet encapsulation (Ethertalk 2038 * phase 1?); we just check for the Ethernet 2039 * protocol type. 2040 */ 2041 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2042 2043 gen_or(b0, b1); 2044 return b1; 2045 2046 default: 2047 if (proto <= ETHERMTU) { 2048 /* 2049 * This is an LLC SAP value, so the frames 2050 * that match would be 802.2 frames. 2051 * Check for the 802.2 protocol type 2052 * in the "Ethernet type" field, and 2053 * then check the DSAP. 2054 */ 2055 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2056 LINUX_SLL_P_802_2); 2057 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2058 (bpf_int32)proto); 2059 gen_and(b0, b1); 2060 return b1; 2061 } else { 2062 /* 2063 * This is an Ethernet type, so compare 2064 * the length/type field with it (if 2065 * the frame is an 802.2 frame, the length 2066 * field will be <= ETHERMTU, and, as 2067 * "proto" is > ETHERMTU, this test 2068 * will fail and the frame won't match, 2069 * which is what we want). 2070 */ 2071 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2072 (bpf_int32)proto); 2073 } 2074 } 2075 } 2076 2077 static struct slist * 2078 gen_load_prism_llprefixlen() 2079 { 2080 struct slist *s1, *s2; 2081 struct slist *sjeq_avs_cookie; 2082 struct slist *sjcommon; 2083 2084 /* 2085 * This code is not compatible with the optimizer, as 2086 * we are generating jmp instructions within a normal 2087 * slist of instructions 2088 */ 2089 no_optimize = 1; 2090 2091 /* 2092 * Generate code to load the length of the radio header into 2093 * the register assigned to hold that length, if one has been 2094 * assigned. (If one hasn't been assigned, no code we've 2095 * generated uses that prefix, so we don't need to generate any 2096 * code to load it.) 2097 * 2098 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2099 * or always use the AVS header rather than the Prism header. 2100 * We load a 4-byte big-endian value at the beginning of the 2101 * raw packet data, and see whether, when masked with 0xFFFFF000, 2102 * it's equal to 0x80211000. If so, that indicates that it's 2103 * an AVS header (the masked-out bits are the version number). 2104 * Otherwise, it's a Prism header. 2105 * 2106 * XXX - the Prism header is also, in theory, variable-length, 2107 * but no known software generates headers that aren't 144 2108 * bytes long. 2109 */ 2110 if (reg_off_ll != -1) { 2111 /* 2112 * Load the cookie. 2113 */ 2114 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2115 s1->s.k = 0; 2116 2117 /* 2118 * AND it with 0xFFFFF000. 2119 */ 2120 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2121 s2->s.k = 0xFFFFF000; 2122 sappend(s1, s2); 2123 2124 /* 2125 * Compare with 0x80211000. 2126 */ 2127 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2128 sjeq_avs_cookie->s.k = 0x80211000; 2129 sappend(s1, sjeq_avs_cookie); 2130 2131 /* 2132 * If it's AVS: 2133 * 2134 * The 4 bytes at an offset of 4 from the beginning of 2135 * the AVS header are the length of the AVS header. 2136 * That field is big-endian. 2137 */ 2138 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2139 s2->s.k = 4; 2140 sappend(s1, s2); 2141 sjeq_avs_cookie->s.jt = s2; 2142 2143 /* 2144 * Now jump to the code to allocate a register 2145 * into which to save the header length and 2146 * store the length there. (The "jump always" 2147 * instruction needs to have the k field set; 2148 * it's added to the PC, so, as we're jumping 2149 * over a single instruction, it should be 1.) 2150 */ 2151 sjcommon = new_stmt(JMP(BPF_JA)); 2152 sjcommon->s.k = 1; 2153 sappend(s1, sjcommon); 2154 2155 /* 2156 * Now for the code that handles the Prism header. 2157 * Just load the length of the Prism header (144) 2158 * into the A register. Have the test for an AVS 2159 * header branch here if we don't have an AVS header. 2160 */ 2161 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2162 s2->s.k = 144; 2163 sappend(s1, s2); 2164 sjeq_avs_cookie->s.jf = s2; 2165 2166 /* 2167 * Now allocate a register to hold that value and store 2168 * it. The code for the AVS header will jump here after 2169 * loading the length of the AVS header. 2170 */ 2171 s2 = new_stmt(BPF_ST); 2172 s2->s.k = reg_off_ll; 2173 sappend(s1, s2); 2174 sjcommon->s.jf = s2; 2175 2176 /* 2177 * Now move it into the X register. 2178 */ 2179 s2 = new_stmt(BPF_MISC|BPF_TAX); 2180 sappend(s1, s2); 2181 2182 return (s1); 2183 } else 2184 return (NULL); 2185 } 2186 2187 static struct slist * 2188 gen_load_avs_llprefixlen() 2189 { 2190 struct slist *s1, *s2; 2191 2192 /* 2193 * Generate code to load the length of the AVS header into 2194 * the register assigned to hold that length, if one has been 2195 * assigned. (If one hasn't been assigned, no code we've 2196 * generated uses that prefix, so we don't need to generate any 2197 * code to load it.) 2198 */ 2199 if (reg_off_ll != -1) { 2200 /* 2201 * The 4 bytes at an offset of 4 from the beginning of 2202 * the AVS header are the length of the AVS header. 2203 * That field is big-endian. 2204 */ 2205 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2206 s1->s.k = 4; 2207 2208 /* 2209 * Now allocate a register to hold that value and store 2210 * it. 2211 */ 2212 s2 = new_stmt(BPF_ST); 2213 s2->s.k = reg_off_ll; 2214 sappend(s1, s2); 2215 2216 /* 2217 * Now move it into the X register. 2218 */ 2219 s2 = new_stmt(BPF_MISC|BPF_TAX); 2220 sappend(s1, s2); 2221 2222 return (s1); 2223 } else 2224 return (NULL); 2225 } 2226 2227 static struct slist * 2228 gen_load_radiotap_llprefixlen() 2229 { 2230 struct slist *s1, *s2; 2231 2232 /* 2233 * Generate code to load the length of the radiotap header into 2234 * the register assigned to hold that length, if one has been 2235 * assigned. (If one hasn't been assigned, no code we've 2236 * generated uses that prefix, so we don't need to generate any 2237 * code to load it.) 2238 */ 2239 if (reg_off_ll != -1) { 2240 /* 2241 * The 2 bytes at offsets of 2 and 3 from the beginning 2242 * of the radiotap header are the length of the radiotap 2243 * header; unfortunately, it's little-endian, so we have 2244 * to load it a byte at a time and construct the value. 2245 */ 2246 2247 /* 2248 * Load the high-order byte, at an offset of 3, shift it 2249 * left a byte, and put the result in the X register. 2250 */ 2251 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2252 s1->s.k = 3; 2253 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2254 sappend(s1, s2); 2255 s2->s.k = 8; 2256 s2 = new_stmt(BPF_MISC|BPF_TAX); 2257 sappend(s1, s2); 2258 2259 /* 2260 * Load the next byte, at an offset of 2, and OR the 2261 * value from the X register into it. 2262 */ 2263 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2264 sappend(s1, s2); 2265 s2->s.k = 2; 2266 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2267 sappend(s1, s2); 2268 2269 /* 2270 * Now allocate a register to hold that value and store 2271 * it. 2272 */ 2273 s2 = new_stmt(BPF_ST); 2274 s2->s.k = reg_off_ll; 2275 sappend(s1, s2); 2276 2277 /* 2278 * Now move it into the X register. 2279 */ 2280 s2 = new_stmt(BPF_MISC|BPF_TAX); 2281 sappend(s1, s2); 2282 2283 return (s1); 2284 } else 2285 return (NULL); 2286 } 2287 2288 /* 2289 * At the moment we treat PPI as normal Radiotap encoded 2290 * packets. The difference is in the function that generates 2291 * the code at the beginning to compute the header length. 2292 * Since this code generator of PPI supports bare 802.11 2293 * encapsulation only (i.e. the encapsulated DLT should be 2294 * DLT_IEEE802_11) we generate code to check for this too; 2295 * that's done in finish_parse(). 2296 */ 2297 static struct slist * 2298 gen_load_ppi_llprefixlen() 2299 { 2300 struct slist *s1, *s2; 2301 2302 /* 2303 * Generate code to load the length of the radiotap header 2304 * into the register assigned to hold that length, if one has 2305 * been assigned. 2306 */ 2307 if (reg_off_ll != -1) { 2308 /* 2309 * The 2 bytes at offsets of 2 and 3 from the beginning 2310 * of the radiotap header are the length of the radiotap 2311 * header; unfortunately, it's little-endian, so we have 2312 * to load it a byte at a time and construct the value. 2313 */ 2314 2315 /* 2316 * Load the high-order byte, at an offset of 3, shift it 2317 * left a byte, and put the result in the X register. 2318 */ 2319 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2320 s1->s.k = 3; 2321 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2322 sappend(s1, s2); 2323 s2->s.k = 8; 2324 s2 = new_stmt(BPF_MISC|BPF_TAX); 2325 sappend(s1, s2); 2326 2327 /* 2328 * Load the next byte, at an offset of 2, and OR the 2329 * value from the X register into it. 2330 */ 2331 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2332 sappend(s1, s2); 2333 s2->s.k = 2; 2334 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2335 sappend(s1, s2); 2336 2337 /* 2338 * Now allocate a register to hold that value and store 2339 * it. 2340 */ 2341 s2 = new_stmt(BPF_ST); 2342 s2->s.k = reg_off_ll; 2343 sappend(s1, s2); 2344 2345 /* 2346 * Now move it into the X register. 2347 */ 2348 s2 = new_stmt(BPF_MISC|BPF_TAX); 2349 sappend(s1, s2); 2350 2351 return (s1); 2352 } else 2353 return (NULL); 2354 } 2355 2356 /* 2357 * Load a value relative to the beginning of the link-layer header after the 802.11 2358 * header, i.e. LLC_SNAP. 2359 * The link-layer header doesn't necessarily begin at the beginning 2360 * of the packet data; there might be a variable-length prefix containing 2361 * radio information. 2362 */ 2363 static struct slist * 2364 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2365 { 2366 struct slist *s2; 2367 struct slist *sjset_data_frame_1; 2368 struct slist *sjset_data_frame_2; 2369 struct slist *sjset_qos; 2370 struct slist *sjset_radiotap_flags; 2371 struct slist *sjset_radiotap_tsft; 2372 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2373 struct slist *s_roundup; 2374 2375 if (reg_off_macpl == -1) { 2376 /* 2377 * No register has been assigned to the offset of 2378 * the MAC-layer payload, which means nobody needs 2379 * it; don't bother computing it - just return 2380 * what we already have. 2381 */ 2382 return (s); 2383 } 2384 2385 /* 2386 * This code is not compatible with the optimizer, as 2387 * we are generating jmp instructions within a normal 2388 * slist of instructions 2389 */ 2390 no_optimize = 1; 2391 2392 /* 2393 * If "s" is non-null, it has code to arrange that the X register 2394 * contains the length of the prefix preceding the link-layer 2395 * header. 2396 * 2397 * Otherwise, the length of the prefix preceding the link-layer 2398 * header is "off_ll". 2399 */ 2400 if (s == NULL) { 2401 /* 2402 * There is no variable-length header preceding the 2403 * link-layer header. 2404 * 2405 * Load the length of the fixed-length prefix preceding 2406 * the link-layer header (if any) into the X register, 2407 * and store it in the reg_off_macpl register. 2408 * That length is off_ll. 2409 */ 2410 s = new_stmt(BPF_LDX|BPF_IMM); 2411 s->s.k = off_ll; 2412 } 2413 2414 /* 2415 * The X register contains the offset of the beginning of the 2416 * link-layer header; add 24, which is the minimum length 2417 * of the MAC header for a data frame, to that, and store it 2418 * in reg_off_macpl, and then load the Frame Control field, 2419 * which is at the offset in the X register, with an indexed load. 2420 */ 2421 s2 = new_stmt(BPF_MISC|BPF_TXA); 2422 sappend(s, s2); 2423 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2424 s2->s.k = 24; 2425 sappend(s, s2); 2426 s2 = new_stmt(BPF_ST); 2427 s2->s.k = reg_off_macpl; 2428 sappend(s, s2); 2429 2430 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2431 s2->s.k = 0; 2432 sappend(s, s2); 2433 2434 /* 2435 * Check the Frame Control field to see if this is a data frame; 2436 * a data frame has the 0x08 bit (b3) in that field set and the 2437 * 0x04 bit (b2) clear. 2438 */ 2439 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2440 sjset_data_frame_1->s.k = 0x08; 2441 sappend(s, sjset_data_frame_1); 2442 2443 /* 2444 * If b3 is set, test b2, otherwise go to the first statement of 2445 * the rest of the program. 2446 */ 2447 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2448 sjset_data_frame_2->s.k = 0x04; 2449 sappend(s, sjset_data_frame_2); 2450 sjset_data_frame_1->s.jf = snext; 2451 2452 /* 2453 * If b2 is not set, this is a data frame; test the QoS bit. 2454 * Otherwise, go to the first statement of the rest of the 2455 * program. 2456 */ 2457 sjset_data_frame_2->s.jt = snext; 2458 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2459 sjset_qos->s.k = 0x80; /* QoS bit */ 2460 sappend(s, sjset_qos); 2461 2462 /* 2463 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2464 * field. 2465 * Otherwise, go to the first statement of the rest of the 2466 * program. 2467 */ 2468 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2469 s2->s.k = reg_off_macpl; 2470 sappend(s, s2); 2471 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2472 s2->s.k = 2; 2473 sappend(s, s2); 2474 s2 = new_stmt(BPF_ST); 2475 s2->s.k = reg_off_macpl; 2476 sappend(s, s2); 2477 2478 /* 2479 * If we have a radiotap header, look at it to see whether 2480 * there's Atheros padding between the MAC-layer header 2481 * and the payload. 2482 * 2483 * Note: all of the fields in the radiotap header are 2484 * little-endian, so we byte-swap all of the values 2485 * we test against, as they will be loaded as big-endian 2486 * values. 2487 */ 2488 if (linktype == DLT_IEEE802_11_RADIO) { 2489 /* 2490 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2491 * in the presence flag? 2492 */ 2493 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2494 s2->s.k = 4; 2495 sappend(s, s2); 2496 2497 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2498 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2499 sappend(s, sjset_radiotap_flags); 2500 2501 /* 2502 * If not, skip all of this. 2503 */ 2504 sjset_radiotap_flags->s.jf = snext; 2505 2506 /* 2507 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2508 */ 2509 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2510 new_stmt(JMP(BPF_JSET)); 2511 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2512 sappend(s, sjset_radiotap_tsft); 2513 2514 /* 2515 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2516 * at an offset of 16 from the beginning of the raw packet 2517 * data (8 bytes for the radiotap header and 8 bytes for 2518 * the TSFT field). 2519 * 2520 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2521 * is set. 2522 */ 2523 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2524 s2->s.k = 16; 2525 sappend(s, s2); 2526 2527 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2528 sjset_tsft_datapad->s.k = 0x20; 2529 sappend(s, sjset_tsft_datapad); 2530 2531 /* 2532 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2533 * at an offset of 8 from the beginning of the raw packet 2534 * data (8 bytes for the radiotap header). 2535 * 2536 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2537 * is set. 2538 */ 2539 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2540 s2->s.k = 8; 2541 sappend(s, s2); 2542 2543 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2544 sjset_notsft_datapad->s.k = 0x20; 2545 sappend(s, sjset_notsft_datapad); 2546 2547 /* 2548 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2549 * set, round the length of the 802.11 header to 2550 * a multiple of 4. Do that by adding 3 and then 2551 * dividing by and multiplying by 4, which we do by 2552 * ANDing with ~3. 2553 */ 2554 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2555 s_roundup->s.k = reg_off_macpl; 2556 sappend(s, s_roundup); 2557 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2558 s2->s.k = 3; 2559 sappend(s, s2); 2560 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2561 s2->s.k = ~3; 2562 sappend(s, s2); 2563 s2 = new_stmt(BPF_ST); 2564 s2->s.k = reg_off_macpl; 2565 sappend(s, s2); 2566 2567 sjset_tsft_datapad->s.jt = s_roundup; 2568 sjset_tsft_datapad->s.jf = snext; 2569 sjset_notsft_datapad->s.jt = s_roundup; 2570 sjset_notsft_datapad->s.jf = snext; 2571 } else 2572 sjset_qos->s.jf = snext; 2573 2574 return s; 2575 } 2576 2577 static void 2578 insert_compute_vloffsets(b) 2579 struct block *b; 2580 { 2581 struct slist *s; 2582 2583 /* 2584 * For link-layer types that have a variable-length header 2585 * preceding the link-layer header, generate code to load 2586 * the offset of the link-layer header into the register 2587 * assigned to that offset, if any. 2588 */ 2589 switch (linktype) { 2590 2591 case DLT_PRISM_HEADER: 2592 s = gen_load_prism_llprefixlen(); 2593 break; 2594 2595 case DLT_IEEE802_11_RADIO_AVS: 2596 s = gen_load_avs_llprefixlen(); 2597 break; 2598 2599 case DLT_IEEE802_11_RADIO: 2600 s = gen_load_radiotap_llprefixlen(); 2601 break; 2602 2603 case DLT_PPI: 2604 s = gen_load_ppi_llprefixlen(); 2605 break; 2606 2607 default: 2608 s = NULL; 2609 break; 2610 } 2611 2612 /* 2613 * For link-layer types that have a variable-length link-layer 2614 * header, generate code to load the offset of the MAC-layer 2615 * payload into the register assigned to that offset, if any. 2616 */ 2617 switch (linktype) { 2618 2619 case DLT_IEEE802_11: 2620 case DLT_PRISM_HEADER: 2621 case DLT_IEEE802_11_RADIO_AVS: 2622 case DLT_IEEE802_11_RADIO: 2623 case DLT_PPI: 2624 s = gen_load_802_11_header_len(s, b->stmts); 2625 break; 2626 } 2627 2628 /* 2629 * If we have any offset-loading code, append all the 2630 * existing statements in the block to those statements, 2631 * and make the resulting list the list of statements 2632 * for the block. 2633 */ 2634 if (s != NULL) { 2635 sappend(s, b->stmts); 2636 b->stmts = s; 2637 } 2638 } 2639 2640 static struct block * 2641 gen_ppi_dlt_check(void) 2642 { 2643 struct slist *s_load_dlt; 2644 struct block *b; 2645 2646 if (linktype == DLT_PPI) 2647 { 2648 /* Create the statements that check for the DLT 2649 */ 2650 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2651 s_load_dlt->s.k = 4; 2652 2653 b = new_block(JMP(BPF_JEQ)); 2654 2655 b->stmts = s_load_dlt; 2656 b->s.k = SWAPLONG(DLT_IEEE802_11); 2657 } 2658 else 2659 { 2660 b = NULL; 2661 } 2662 2663 return b; 2664 } 2665 2666 static struct slist * 2667 gen_prism_llprefixlen(void) 2668 { 2669 struct slist *s; 2670 2671 if (reg_off_ll == -1) { 2672 /* 2673 * We haven't yet assigned a register for the length 2674 * of the radio header; allocate one. 2675 */ 2676 reg_off_ll = alloc_reg(); 2677 } 2678 2679 /* 2680 * Load the register containing the radio length 2681 * into the X register. 2682 */ 2683 s = new_stmt(BPF_LDX|BPF_MEM); 2684 s->s.k = reg_off_ll; 2685 return s; 2686 } 2687 2688 static struct slist * 2689 gen_avs_llprefixlen(void) 2690 { 2691 struct slist *s; 2692 2693 if (reg_off_ll == -1) { 2694 /* 2695 * We haven't yet assigned a register for the length 2696 * of the AVS header; allocate one. 2697 */ 2698 reg_off_ll = alloc_reg(); 2699 } 2700 2701 /* 2702 * Load the register containing the AVS length 2703 * into the X register. 2704 */ 2705 s = new_stmt(BPF_LDX|BPF_MEM); 2706 s->s.k = reg_off_ll; 2707 return s; 2708 } 2709 2710 static struct slist * 2711 gen_radiotap_llprefixlen(void) 2712 { 2713 struct slist *s; 2714 2715 if (reg_off_ll == -1) { 2716 /* 2717 * We haven't yet assigned a register for the length 2718 * of the radiotap header; allocate one. 2719 */ 2720 reg_off_ll = alloc_reg(); 2721 } 2722 2723 /* 2724 * Load the register containing the radiotap length 2725 * into the X register. 2726 */ 2727 s = new_stmt(BPF_LDX|BPF_MEM); 2728 s->s.k = reg_off_ll; 2729 return s; 2730 } 2731 2732 /* 2733 * At the moment we treat PPI as normal Radiotap encoded 2734 * packets. The difference is in the function that generates 2735 * the code at the beginning to compute the header length. 2736 * Since this code generator of PPI supports bare 802.11 2737 * encapsulation only (i.e. the encapsulated DLT should be 2738 * DLT_IEEE802_11) we generate code to check for this too. 2739 */ 2740 static struct slist * 2741 gen_ppi_llprefixlen(void) 2742 { 2743 struct slist *s; 2744 2745 if (reg_off_ll == -1) { 2746 /* 2747 * We haven't yet assigned a register for the length 2748 * of the radiotap header; allocate one. 2749 */ 2750 reg_off_ll = alloc_reg(); 2751 } 2752 2753 /* 2754 * Load the register containing the PPI length 2755 * into the X register. 2756 */ 2757 s = new_stmt(BPF_LDX|BPF_MEM); 2758 s->s.k = reg_off_ll; 2759 return s; 2760 } 2761 2762 /* 2763 * Generate code to compute the link-layer header length, if necessary, 2764 * putting it into the X register, and to return either a pointer to a 2765 * "struct slist" for the list of statements in that code, or NULL if 2766 * no code is necessary. 2767 */ 2768 static struct slist * 2769 gen_llprefixlen(void) 2770 { 2771 switch (linktype) { 2772 2773 case DLT_PRISM_HEADER: 2774 return gen_prism_llprefixlen(); 2775 2776 case DLT_IEEE802_11_RADIO_AVS: 2777 return gen_avs_llprefixlen(); 2778 2779 case DLT_IEEE802_11_RADIO: 2780 return gen_radiotap_llprefixlen(); 2781 2782 case DLT_PPI: 2783 return gen_ppi_llprefixlen(); 2784 2785 default: 2786 return NULL; 2787 } 2788 } 2789 2790 /* 2791 * Generate code to load the register containing the offset of the 2792 * MAC-layer payload into the X register; if no register for that offset 2793 * has been allocated, allocate it first. 2794 */ 2795 static struct slist * 2796 gen_off_macpl(void) 2797 { 2798 struct slist *s; 2799 2800 if (off_macpl_is_variable) { 2801 if (reg_off_macpl == -1) { 2802 /* 2803 * We haven't yet assigned a register for the offset 2804 * of the MAC-layer payload; allocate one. 2805 */ 2806 reg_off_macpl = alloc_reg(); 2807 } 2808 2809 /* 2810 * Load the register containing the offset of the MAC-layer 2811 * payload into the X register. 2812 */ 2813 s = new_stmt(BPF_LDX|BPF_MEM); 2814 s->s.k = reg_off_macpl; 2815 return s; 2816 } else { 2817 /* 2818 * That offset isn't variable, so we don't need to 2819 * generate any code. 2820 */ 2821 return NULL; 2822 } 2823 } 2824 2825 /* 2826 * Map an Ethernet type to the equivalent PPP type. 2827 */ 2828 static int 2829 ethertype_to_ppptype(proto) 2830 int proto; 2831 { 2832 switch (proto) { 2833 2834 case ETHERTYPE_IP: 2835 proto = PPP_IP; 2836 break; 2837 2838 #ifdef INET6 2839 case ETHERTYPE_IPV6: 2840 proto = PPP_IPV6; 2841 break; 2842 #endif 2843 2844 case ETHERTYPE_DN: 2845 proto = PPP_DECNET; 2846 break; 2847 2848 case ETHERTYPE_ATALK: 2849 proto = PPP_APPLE; 2850 break; 2851 2852 case ETHERTYPE_NS: 2853 proto = PPP_NS; 2854 break; 2855 2856 case LLCSAP_ISONS: 2857 proto = PPP_OSI; 2858 break; 2859 2860 case LLCSAP_8021D: 2861 /* 2862 * I'm assuming the "Bridging PDU"s that go 2863 * over PPP are Spanning Tree Protocol 2864 * Bridging PDUs. 2865 */ 2866 proto = PPP_BRPDU; 2867 break; 2868 2869 case LLCSAP_IPX: 2870 proto = PPP_IPX; 2871 break; 2872 } 2873 return (proto); 2874 } 2875 2876 /* 2877 * Generate code to match a particular packet type by matching the 2878 * link-layer type field or fields in the 802.2 LLC header. 2879 * 2880 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2881 * value, if <= ETHERMTU. 2882 */ 2883 static struct block * 2884 gen_linktype(proto) 2885 register int proto; 2886 { 2887 struct block *b0, *b1, *b2; 2888 2889 /* are we checking MPLS-encapsulated packets? */ 2890 if (label_stack_depth > 0) { 2891 switch (proto) { 2892 case ETHERTYPE_IP: 2893 case PPP_IP: 2894 /* FIXME add other L3 proto IDs */ 2895 return gen_mpls_linktype(Q_IP); 2896 2897 case ETHERTYPE_IPV6: 2898 case PPP_IPV6: 2899 /* FIXME add other L3 proto IDs */ 2900 return gen_mpls_linktype(Q_IPV6); 2901 2902 default: 2903 bpf_error("unsupported protocol over mpls"); 2904 /* NOTREACHED */ 2905 } 2906 } 2907 2908 /* 2909 * Are we testing PPPoE packets? 2910 */ 2911 if (is_pppoes) { 2912 /* 2913 * The PPPoE session header is part of the 2914 * MAC-layer payload, so all references 2915 * should be relative to the beginning of 2916 * that payload. 2917 */ 2918 2919 /* 2920 * We use Ethernet protocol types inside libpcap; 2921 * map them to the corresponding PPP protocol types. 2922 */ 2923 proto = ethertype_to_ppptype(proto); 2924 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2925 } 2926 2927 switch (linktype) { 2928 2929 case DLT_EN10MB: 2930 case DLT_NETANALYZER: 2931 case DLT_NETANALYZER_TRANSPARENT: 2932 return gen_ether_linktype(proto); 2933 /*NOTREACHED*/ 2934 break; 2935 2936 case DLT_C_HDLC: 2937 switch (proto) { 2938 2939 case LLCSAP_ISONS: 2940 proto = (proto << 8 | LLCSAP_ISONS); 2941 /* fall through */ 2942 2943 default: 2944 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2945 (bpf_int32)proto); 2946 /*NOTREACHED*/ 2947 break; 2948 } 2949 break; 2950 2951 case DLT_IEEE802_11: 2952 case DLT_PRISM_HEADER: 2953 case DLT_IEEE802_11_RADIO_AVS: 2954 case DLT_IEEE802_11_RADIO: 2955 case DLT_PPI: 2956 /* 2957 * Check that we have a data frame. 2958 */ 2959 b0 = gen_check_802_11_data_frame(); 2960 2961 /* 2962 * Now check for the specified link-layer type. 2963 */ 2964 b1 = gen_llc_linktype(proto); 2965 gen_and(b0, b1); 2966 return b1; 2967 /*NOTREACHED*/ 2968 break; 2969 2970 case DLT_FDDI: 2971 /* 2972 * XXX - check for asynchronous frames, as per RFC 1103. 2973 */ 2974 return gen_llc_linktype(proto); 2975 /*NOTREACHED*/ 2976 break; 2977 2978 case DLT_IEEE802: 2979 /* 2980 * XXX - check for LLC PDUs, as per IEEE 802.5. 2981 */ 2982 return gen_llc_linktype(proto); 2983 /*NOTREACHED*/ 2984 break; 2985 2986 case DLT_ATM_RFC1483: 2987 case DLT_ATM_CLIP: 2988 case DLT_IP_OVER_FC: 2989 return gen_llc_linktype(proto); 2990 /*NOTREACHED*/ 2991 break; 2992 2993 case DLT_SUNATM: 2994 /* 2995 * If "is_lane" is set, check for a LANE-encapsulated 2996 * version of this protocol, otherwise check for an 2997 * LLC-encapsulated version of this protocol. 2998 * 2999 * We assume LANE means Ethernet, not Token Ring. 3000 */ 3001 if (is_lane) { 3002 /* 3003 * Check that the packet doesn't begin with an 3004 * LE Control marker. (We've already generated 3005 * a test for LANE.) 3006 */ 3007 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3008 0xFF00); 3009 gen_not(b0); 3010 3011 /* 3012 * Now generate an Ethernet test. 3013 */ 3014 b1 = gen_ether_linktype(proto); 3015 gen_and(b0, b1); 3016 return b1; 3017 } else { 3018 /* 3019 * Check for LLC encapsulation and then check the 3020 * protocol. 3021 */ 3022 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3023 b1 = gen_llc_linktype(proto); 3024 gen_and(b0, b1); 3025 return b1; 3026 } 3027 /*NOTREACHED*/ 3028 break; 3029 3030 case DLT_LINUX_SLL: 3031 return gen_linux_sll_linktype(proto); 3032 /*NOTREACHED*/ 3033 break; 3034 3035 case DLT_SLIP: 3036 case DLT_SLIP_BSDOS: 3037 case DLT_RAW: 3038 /* 3039 * These types don't provide any type field; packets 3040 * are always IPv4 or IPv6. 3041 * 3042 * XXX - for IPv4, check for a version number of 4, and, 3043 * for IPv6, check for a version number of 6? 3044 */ 3045 switch (proto) { 3046 3047 case ETHERTYPE_IP: 3048 /* Check for a version number of 4. */ 3049 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3050 #ifdef INET6 3051 case ETHERTYPE_IPV6: 3052 /* Check for a version number of 6. */ 3053 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3054 #endif 3055 3056 default: 3057 return gen_false(); /* always false */ 3058 } 3059 /*NOTREACHED*/ 3060 break; 3061 3062 case DLT_IPV4: 3063 /* 3064 * Raw IPv4, so no type field. 3065 */ 3066 if (proto == ETHERTYPE_IP) 3067 return gen_true(); /* always true */ 3068 3069 /* Checking for something other than IPv4; always false */ 3070 return gen_false(); 3071 /*NOTREACHED*/ 3072 break; 3073 3074 case DLT_IPV6: 3075 /* 3076 * Raw IPv6, so no type field. 3077 */ 3078 #ifdef INET6 3079 if (proto == ETHERTYPE_IPV6) 3080 return gen_true(); /* always true */ 3081 #endif 3082 3083 /* Checking for something other than IPv6; always false */ 3084 return gen_false(); 3085 /*NOTREACHED*/ 3086 break; 3087 3088 case DLT_PPP: 3089 case DLT_PPP_PPPD: 3090 case DLT_PPP_SERIAL: 3091 case DLT_PPP_ETHER: 3092 /* 3093 * We use Ethernet protocol types inside libpcap; 3094 * map them to the corresponding PPP protocol types. 3095 */ 3096 proto = ethertype_to_ppptype(proto); 3097 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3098 /*NOTREACHED*/ 3099 break; 3100 3101 case DLT_PPP_BSDOS: 3102 /* 3103 * We use Ethernet protocol types inside libpcap; 3104 * map them to the corresponding PPP protocol types. 3105 */ 3106 switch (proto) { 3107 3108 case ETHERTYPE_IP: 3109 /* 3110 * Also check for Van Jacobson-compressed IP. 3111 * XXX - do this for other forms of PPP? 3112 */ 3113 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3114 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3115 gen_or(b0, b1); 3116 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3117 gen_or(b1, b0); 3118 return b0; 3119 3120 default: 3121 proto = ethertype_to_ppptype(proto); 3122 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3123 (bpf_int32)proto); 3124 } 3125 /*NOTREACHED*/ 3126 break; 3127 3128 case DLT_NULL: 3129 case DLT_LOOP: 3130 case DLT_ENC: 3131 /* 3132 * For DLT_NULL, the link-layer header is a 32-bit 3133 * word containing an AF_ value in *host* byte order, 3134 * and for DLT_ENC, the link-layer header begins 3135 * with a 32-bit work containing an AF_ value in 3136 * host byte order. 3137 * 3138 * In addition, if we're reading a saved capture file, 3139 * the host byte order in the capture may not be the 3140 * same as the host byte order on this machine. 3141 * 3142 * For DLT_LOOP, the link-layer header is a 32-bit 3143 * word containing an AF_ value in *network* byte order. 3144 * 3145 * XXX - AF_ values may, unfortunately, be platform- 3146 * dependent; for example, FreeBSD's AF_INET6 is 24 3147 * whilst NetBSD's and OpenBSD's is 26. 3148 * 3149 * This means that, when reading a capture file, just 3150 * checking for our AF_INET6 value won't work if the 3151 * capture file came from another OS. 3152 */ 3153 switch (proto) { 3154 3155 case ETHERTYPE_IP: 3156 proto = AF_INET; 3157 break; 3158 3159 #ifdef INET6 3160 case ETHERTYPE_IPV6: 3161 proto = AF_INET6; 3162 break; 3163 #endif 3164 3165 default: 3166 /* 3167 * Not a type on which we support filtering. 3168 * XXX - support those that have AF_ values 3169 * #defined on this platform, at least? 3170 */ 3171 return gen_false(); 3172 } 3173 3174 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3175 /* 3176 * The AF_ value is in host byte order, but 3177 * the BPF interpreter will convert it to 3178 * network byte order. 3179 * 3180 * If this is a save file, and it's from a 3181 * machine with the opposite byte order to 3182 * ours, we byte-swap the AF_ value. 3183 * 3184 * Then we run it through "htonl()", and 3185 * generate code to compare against the result. 3186 */ 3187 if (bpf_pcap->sf.rfile != NULL && 3188 bpf_pcap->sf.swapped) 3189 proto = SWAPLONG(proto); 3190 proto = htonl(proto); 3191 } 3192 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3193 3194 #ifdef HAVE_NET_PFVAR_H 3195 case DLT_PFLOG: 3196 /* 3197 * af field is host byte order in contrast to the rest of 3198 * the packet. 3199 */ 3200 if (proto == ETHERTYPE_IP) 3201 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3202 BPF_B, (bpf_int32)AF_INET)); 3203 #ifdef INET6 3204 else if (proto == ETHERTYPE_IPV6) 3205 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3206 BPF_B, (bpf_int32)AF_INET6)); 3207 #endif /* INET6 */ 3208 else 3209 return gen_false(); 3210 /*NOTREACHED*/ 3211 break; 3212 #endif /* HAVE_NET_PFVAR_H */ 3213 3214 case DLT_ARCNET: 3215 case DLT_ARCNET_LINUX: 3216 /* 3217 * XXX should we check for first fragment if the protocol 3218 * uses PHDS? 3219 */ 3220 switch (proto) { 3221 3222 default: 3223 return gen_false(); 3224 3225 #ifdef INET6 3226 case ETHERTYPE_IPV6: 3227 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3228 (bpf_int32)ARCTYPE_INET6)); 3229 #endif /* INET6 */ 3230 3231 case ETHERTYPE_IP: 3232 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3233 (bpf_int32)ARCTYPE_IP); 3234 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3235 (bpf_int32)ARCTYPE_IP_OLD); 3236 gen_or(b0, b1); 3237 return (b1); 3238 3239 case ETHERTYPE_ARP: 3240 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3241 (bpf_int32)ARCTYPE_ARP); 3242 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3243 (bpf_int32)ARCTYPE_ARP_OLD); 3244 gen_or(b0, b1); 3245 return (b1); 3246 3247 case ETHERTYPE_REVARP: 3248 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3249 (bpf_int32)ARCTYPE_REVARP)); 3250 3251 case ETHERTYPE_ATALK: 3252 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3253 (bpf_int32)ARCTYPE_ATALK)); 3254 } 3255 /*NOTREACHED*/ 3256 break; 3257 3258 case DLT_LTALK: 3259 switch (proto) { 3260 case ETHERTYPE_ATALK: 3261 return gen_true(); 3262 default: 3263 return gen_false(); 3264 } 3265 /*NOTREACHED*/ 3266 break; 3267 3268 case DLT_FRELAY: 3269 /* 3270 * XXX - assumes a 2-byte Frame Relay header with 3271 * DLCI and flags. What if the address is longer? 3272 */ 3273 switch (proto) { 3274 3275 case ETHERTYPE_IP: 3276 /* 3277 * Check for the special NLPID for IP. 3278 */ 3279 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3280 3281 #ifdef INET6 3282 case ETHERTYPE_IPV6: 3283 /* 3284 * Check for the special NLPID for IPv6. 3285 */ 3286 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3287 #endif 3288 3289 case LLCSAP_ISONS: 3290 /* 3291 * Check for several OSI protocols. 3292 * 3293 * Frame Relay packets typically have an OSI 3294 * NLPID at the beginning; we check for each 3295 * of them. 3296 * 3297 * What we check for is the NLPID and a frame 3298 * control field of UI, i.e. 0x03 followed 3299 * by the NLPID. 3300 */ 3301 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3302 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3303 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3304 gen_or(b1, b2); 3305 gen_or(b0, b2); 3306 return b2; 3307 3308 default: 3309 return gen_false(); 3310 } 3311 /*NOTREACHED*/ 3312 break; 3313 3314 case DLT_MFR: 3315 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3316 3317 case DLT_JUNIPER_MFR: 3318 case DLT_JUNIPER_MLFR: 3319 case DLT_JUNIPER_MLPPP: 3320 case DLT_JUNIPER_ATM1: 3321 case DLT_JUNIPER_ATM2: 3322 case DLT_JUNIPER_PPPOE: 3323 case DLT_JUNIPER_PPPOE_ATM: 3324 case DLT_JUNIPER_GGSN: 3325 case DLT_JUNIPER_ES: 3326 case DLT_JUNIPER_MONITOR: 3327 case DLT_JUNIPER_SERVICES: 3328 case DLT_JUNIPER_ETHER: 3329 case DLT_JUNIPER_PPP: 3330 case DLT_JUNIPER_FRELAY: 3331 case DLT_JUNIPER_CHDLC: 3332 case DLT_JUNIPER_VP: 3333 case DLT_JUNIPER_ST: 3334 case DLT_JUNIPER_ISM: 3335 case DLT_JUNIPER_VS: 3336 case DLT_JUNIPER_SRX_E2E: 3337 case DLT_JUNIPER_FIBRECHANNEL: 3338 case DLT_JUNIPER_ATM_CEMIC: 3339 3340 /* just lets verify the magic number for now - 3341 * on ATM we may have up to 6 different encapsulations on the wire 3342 * and need a lot of heuristics to figure out that the payload 3343 * might be; 3344 * 3345 * FIXME encapsulation specific BPF_ filters 3346 */ 3347 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3348 3349 case DLT_IPNET: 3350 return gen_ipnet_linktype(proto); 3351 3352 case DLT_LINUX_IRDA: 3353 bpf_error("IrDA link-layer type filtering not implemented"); 3354 3355 case DLT_DOCSIS: 3356 bpf_error("DOCSIS link-layer type filtering not implemented"); 3357 3358 case DLT_MTP2: 3359 case DLT_MTP2_WITH_PHDR: 3360 bpf_error("MTP2 link-layer type filtering not implemented"); 3361 3362 case DLT_ERF: 3363 bpf_error("ERF link-layer type filtering not implemented"); 3364 3365 case DLT_PFSYNC: 3366 bpf_error("PFSYNC link-layer type filtering not implemented"); 3367 3368 case DLT_LINUX_LAPD: 3369 bpf_error("LAPD link-layer type filtering not implemented"); 3370 3371 case DLT_USB: 3372 case DLT_USB_LINUX: 3373 case DLT_USB_LINUX_MMAPPED: 3374 bpf_error("USB link-layer type filtering not implemented"); 3375 3376 case DLT_BLUETOOTH_HCI_H4: 3377 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3378 bpf_error("Bluetooth link-layer type filtering not implemented"); 3379 3380 case DLT_CAN20B: 3381 case DLT_CAN_SOCKETCAN: 3382 bpf_error("CAN link-layer type filtering not implemented"); 3383 3384 case DLT_IEEE802_15_4: 3385 case DLT_IEEE802_15_4_LINUX: 3386 case DLT_IEEE802_15_4_NONASK_PHY: 3387 case DLT_IEEE802_15_4_NOFCS: 3388 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3389 3390 case DLT_IEEE802_16_MAC_CPS_RADIO: 3391 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3392 3393 case DLT_SITA: 3394 bpf_error("SITA link-layer type filtering not implemented"); 3395 3396 case DLT_RAIF1: 3397 bpf_error("RAIF1 link-layer type filtering not implemented"); 3398 3399 case DLT_IPMB: 3400 bpf_error("IPMB link-layer type filtering not implemented"); 3401 3402 case DLT_AX25_KISS: 3403 bpf_error("AX.25 link-layer type filtering not implemented"); 3404 } 3405 3406 /* 3407 * All the types that have no encapsulation should either be 3408 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3409 * all packets are IP packets, or should be handled in some 3410 * special case, if none of them are (if some are and some 3411 * aren't, the lack of encapsulation is a problem, as we'd 3412 * have to find some other way of determining the packet type). 3413 * 3414 * Therefore, if "off_linktype" is -1, there's an error. 3415 */ 3416 if (off_linktype == (u_int)-1) 3417 abort(); 3418 3419 /* 3420 * Any type not handled above should always have an Ethernet 3421 * type at an offset of "off_linktype". 3422 */ 3423 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3424 } 3425 3426 /* 3427 * Check for an LLC SNAP packet with a given organization code and 3428 * protocol type; we check the entire contents of the 802.2 LLC and 3429 * snap headers, checking for DSAP and SSAP of SNAP and a control 3430 * field of 0x03 in the LLC header, and for the specified organization 3431 * code and protocol type in the SNAP header. 3432 */ 3433 static struct block * 3434 gen_snap(orgcode, ptype) 3435 bpf_u_int32 orgcode; 3436 bpf_u_int32 ptype; 3437 { 3438 u_char snapblock[8]; 3439 3440 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3441 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3442 snapblock[2] = 0x03; /* control = UI */ 3443 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3444 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3445 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3446 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3447 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3448 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3449 } 3450 3451 /* 3452 * Generate code to match a particular packet type, for link-layer types 3453 * using 802.2 LLC headers. 3454 * 3455 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3456 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3457 * 3458 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3459 * value, if <= ETHERMTU. We use that to determine whether to 3460 * match the DSAP or both DSAP and LSAP or to check the OUI and 3461 * protocol ID in a SNAP header. 3462 */ 3463 static struct block * 3464 gen_llc_linktype(proto) 3465 int proto; 3466 { 3467 /* 3468 * XXX - handle token-ring variable-length header. 3469 */ 3470 switch (proto) { 3471 3472 case LLCSAP_IP: 3473 case LLCSAP_ISONS: 3474 case LLCSAP_NETBEUI: 3475 /* 3476 * XXX - should we check both the DSAP and the 3477 * SSAP, like this, or should we check just the 3478 * DSAP, as we do for other types <= ETHERMTU 3479 * (i.e., other SAP values)? 3480 */ 3481 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3482 ((proto << 8) | proto)); 3483 3484 case LLCSAP_IPX: 3485 /* 3486 * XXX - are there ever SNAP frames for IPX on 3487 * non-Ethernet 802.x networks? 3488 */ 3489 return gen_cmp(OR_MACPL, 0, BPF_B, 3490 (bpf_int32)LLCSAP_IPX); 3491 3492 case ETHERTYPE_ATALK: 3493 /* 3494 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3495 * SNAP packets with an organization code of 3496 * 0x080007 (Apple, for Appletalk) and a protocol 3497 * type of ETHERTYPE_ATALK (Appletalk). 3498 * 3499 * XXX - check for an organization code of 3500 * encapsulated Ethernet as well? 3501 */ 3502 return gen_snap(0x080007, ETHERTYPE_ATALK); 3503 3504 default: 3505 /* 3506 * XXX - we don't have to check for IPX 802.3 3507 * here, but should we check for the IPX Ethertype? 3508 */ 3509 if (proto <= ETHERMTU) { 3510 /* 3511 * This is an LLC SAP value, so check 3512 * the DSAP. 3513 */ 3514 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3515 } else { 3516 /* 3517 * This is an Ethernet type; we assume that it's 3518 * unlikely that it'll appear in the right place 3519 * at random, and therefore check only the 3520 * location that would hold the Ethernet type 3521 * in a SNAP frame with an organization code of 3522 * 0x000000 (encapsulated Ethernet). 3523 * 3524 * XXX - if we were to check for the SNAP DSAP and 3525 * LSAP, as per XXX, and were also to check for an 3526 * organization code of 0x000000 (encapsulated 3527 * Ethernet), we'd do 3528 * 3529 * return gen_snap(0x000000, proto); 3530 * 3531 * here; for now, we don't, as per the above. 3532 * I don't know whether it's worth the extra CPU 3533 * time to do the right check or not. 3534 */ 3535 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3536 } 3537 } 3538 } 3539 3540 static struct block * 3541 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3542 bpf_u_int32 addr; 3543 bpf_u_int32 mask; 3544 int dir, proto; 3545 u_int src_off, dst_off; 3546 { 3547 struct block *b0, *b1; 3548 u_int offset; 3549 3550 switch (dir) { 3551 3552 case Q_SRC: 3553 offset = src_off; 3554 break; 3555 3556 case Q_DST: 3557 offset = dst_off; 3558 break; 3559 3560 case Q_AND: 3561 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3562 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3563 gen_and(b0, b1); 3564 return b1; 3565 3566 case Q_OR: 3567 case Q_DEFAULT: 3568 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3569 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3570 gen_or(b0, b1); 3571 return b1; 3572 3573 default: 3574 abort(); 3575 } 3576 b0 = gen_linktype(proto); 3577 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3578 gen_and(b0, b1); 3579 return b1; 3580 } 3581 3582 #ifdef INET6 3583 static struct block * 3584 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3585 struct in6_addr *addr; 3586 struct in6_addr *mask; 3587 int dir, proto; 3588 u_int src_off, dst_off; 3589 { 3590 struct block *b0, *b1; 3591 u_int offset; 3592 u_int32_t *a, *m; 3593 3594 switch (dir) { 3595 3596 case Q_SRC: 3597 offset = src_off; 3598 break; 3599 3600 case Q_DST: 3601 offset = dst_off; 3602 break; 3603 3604 case Q_AND: 3605 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3606 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3607 gen_and(b0, b1); 3608 return b1; 3609 3610 case Q_OR: 3611 case Q_DEFAULT: 3612 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3613 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3614 gen_or(b0, b1); 3615 return b1; 3616 3617 default: 3618 abort(); 3619 } 3620 /* this order is important */ 3621 a = (u_int32_t *)addr; 3622 m = (u_int32_t *)mask; 3623 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3624 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3625 gen_and(b0, b1); 3626 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3627 gen_and(b0, b1); 3628 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3629 gen_and(b0, b1); 3630 b0 = gen_linktype(proto); 3631 gen_and(b0, b1); 3632 return b1; 3633 } 3634 #endif /*INET6*/ 3635 3636 static struct block * 3637 gen_ehostop(eaddr, dir) 3638 register const u_char *eaddr; 3639 register int dir; 3640 { 3641 register struct block *b0, *b1; 3642 3643 switch (dir) { 3644 case Q_SRC: 3645 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3646 3647 case Q_DST: 3648 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3649 3650 case Q_AND: 3651 b0 = gen_ehostop(eaddr, Q_SRC); 3652 b1 = gen_ehostop(eaddr, Q_DST); 3653 gen_and(b0, b1); 3654 return b1; 3655 3656 case Q_DEFAULT: 3657 case Q_OR: 3658 b0 = gen_ehostop(eaddr, Q_SRC); 3659 b1 = gen_ehostop(eaddr, Q_DST); 3660 gen_or(b0, b1); 3661 return b1; 3662 3663 case Q_ADDR1: 3664 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3665 break; 3666 3667 case Q_ADDR2: 3668 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3669 break; 3670 3671 case Q_ADDR3: 3672 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3673 break; 3674 3675 case Q_ADDR4: 3676 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3677 break; 3678 3679 case Q_RA: 3680 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3681 break; 3682 3683 case Q_TA: 3684 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3685 break; 3686 } 3687 abort(); 3688 /* NOTREACHED */ 3689 } 3690 3691 /* 3692 * Like gen_ehostop, but for DLT_FDDI 3693 */ 3694 static struct block * 3695 gen_fhostop(eaddr, dir) 3696 register const u_char *eaddr; 3697 register int dir; 3698 { 3699 struct block *b0, *b1; 3700 3701 switch (dir) { 3702 case Q_SRC: 3703 #ifdef PCAP_FDDIPAD 3704 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3705 #else 3706 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3707 #endif 3708 3709 case Q_DST: 3710 #ifdef PCAP_FDDIPAD 3711 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3712 #else 3713 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3714 #endif 3715 3716 case Q_AND: 3717 b0 = gen_fhostop(eaddr, Q_SRC); 3718 b1 = gen_fhostop(eaddr, Q_DST); 3719 gen_and(b0, b1); 3720 return b1; 3721 3722 case Q_DEFAULT: 3723 case Q_OR: 3724 b0 = gen_fhostop(eaddr, Q_SRC); 3725 b1 = gen_fhostop(eaddr, Q_DST); 3726 gen_or(b0, b1); 3727 return b1; 3728 3729 case Q_ADDR1: 3730 bpf_error("'addr1' is only supported on 802.11"); 3731 break; 3732 3733 case Q_ADDR2: 3734 bpf_error("'addr2' is only supported on 802.11"); 3735 break; 3736 3737 case Q_ADDR3: 3738 bpf_error("'addr3' is only supported on 802.11"); 3739 break; 3740 3741 case Q_ADDR4: 3742 bpf_error("'addr4' is only supported on 802.11"); 3743 break; 3744 3745 case Q_RA: 3746 bpf_error("'ra' is only supported on 802.11"); 3747 break; 3748 3749 case Q_TA: 3750 bpf_error("'ta' is only supported on 802.11"); 3751 break; 3752 } 3753 abort(); 3754 /* NOTREACHED */ 3755 } 3756 3757 /* 3758 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3759 */ 3760 static struct block * 3761 gen_thostop(eaddr, dir) 3762 register const u_char *eaddr; 3763 register int dir; 3764 { 3765 register struct block *b0, *b1; 3766 3767 switch (dir) { 3768 case Q_SRC: 3769 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3770 3771 case Q_DST: 3772 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3773 3774 case Q_AND: 3775 b0 = gen_thostop(eaddr, Q_SRC); 3776 b1 = gen_thostop(eaddr, Q_DST); 3777 gen_and(b0, b1); 3778 return b1; 3779 3780 case Q_DEFAULT: 3781 case Q_OR: 3782 b0 = gen_thostop(eaddr, Q_SRC); 3783 b1 = gen_thostop(eaddr, Q_DST); 3784 gen_or(b0, b1); 3785 return b1; 3786 3787 case Q_ADDR1: 3788 bpf_error("'addr1' is only supported on 802.11"); 3789 break; 3790 3791 case Q_ADDR2: 3792 bpf_error("'addr2' is only supported on 802.11"); 3793 break; 3794 3795 case Q_ADDR3: 3796 bpf_error("'addr3' is only supported on 802.11"); 3797 break; 3798 3799 case Q_ADDR4: 3800 bpf_error("'addr4' is only supported on 802.11"); 3801 break; 3802 3803 case Q_RA: 3804 bpf_error("'ra' is only supported on 802.11"); 3805 break; 3806 3807 case Q_TA: 3808 bpf_error("'ta' is only supported on 802.11"); 3809 break; 3810 } 3811 abort(); 3812 /* NOTREACHED */ 3813 } 3814 3815 /* 3816 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3817 * various 802.11 + radio headers. 3818 */ 3819 static struct block * 3820 gen_wlanhostop(eaddr, dir) 3821 register const u_char *eaddr; 3822 register int dir; 3823 { 3824 register struct block *b0, *b1, *b2; 3825 register struct slist *s; 3826 3827 #ifdef ENABLE_WLAN_FILTERING_PATCH 3828 /* 3829 * TODO GV 20070613 3830 * We need to disable the optimizer because the optimizer is buggy 3831 * and wipes out some LD instructions generated by the below 3832 * code to validate the Frame Control bits 3833 */ 3834 no_optimize = 1; 3835 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3836 3837 switch (dir) { 3838 case Q_SRC: 3839 /* 3840 * Oh, yuk. 3841 * 3842 * For control frames, there is no SA. 3843 * 3844 * For management frames, SA is at an 3845 * offset of 10 from the beginning of 3846 * the packet. 3847 * 3848 * For data frames, SA is at an offset 3849 * of 10 from the beginning of the packet 3850 * if From DS is clear, at an offset of 3851 * 16 from the beginning of the packet 3852 * if From DS is set and To DS is clear, 3853 * and an offset of 24 from the beginning 3854 * of the packet if From DS is set and To DS 3855 * is set. 3856 */ 3857 3858 /* 3859 * Generate the tests to be done for data frames 3860 * with From DS set. 3861 * 3862 * First, check for To DS set, i.e. check "link[1] & 0x01". 3863 */ 3864 s = gen_load_a(OR_LINK, 1, BPF_B); 3865 b1 = new_block(JMP(BPF_JSET)); 3866 b1->s.k = 0x01; /* To DS */ 3867 b1->stmts = s; 3868 3869 /* 3870 * If To DS is set, the SA is at 24. 3871 */ 3872 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3873 gen_and(b1, b0); 3874 3875 /* 3876 * Now, check for To DS not set, i.e. check 3877 * "!(link[1] & 0x01)". 3878 */ 3879 s = gen_load_a(OR_LINK, 1, BPF_B); 3880 b2 = new_block(JMP(BPF_JSET)); 3881 b2->s.k = 0x01; /* To DS */ 3882 b2->stmts = s; 3883 gen_not(b2); 3884 3885 /* 3886 * If To DS is not set, the SA is at 16. 3887 */ 3888 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3889 gen_and(b2, b1); 3890 3891 /* 3892 * Now OR together the last two checks. That gives 3893 * the complete set of checks for data frames with 3894 * From DS set. 3895 */ 3896 gen_or(b1, b0); 3897 3898 /* 3899 * Now check for From DS being set, and AND that with 3900 * the ORed-together checks. 3901 */ 3902 s = gen_load_a(OR_LINK, 1, BPF_B); 3903 b1 = new_block(JMP(BPF_JSET)); 3904 b1->s.k = 0x02; /* From DS */ 3905 b1->stmts = s; 3906 gen_and(b1, b0); 3907 3908 /* 3909 * Now check for data frames with From DS not set. 3910 */ 3911 s = gen_load_a(OR_LINK, 1, BPF_B); 3912 b2 = new_block(JMP(BPF_JSET)); 3913 b2->s.k = 0x02; /* From DS */ 3914 b2->stmts = s; 3915 gen_not(b2); 3916 3917 /* 3918 * If From DS isn't set, the SA is at 10. 3919 */ 3920 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3921 gen_and(b2, b1); 3922 3923 /* 3924 * Now OR together the checks for data frames with 3925 * From DS not set and for data frames with From DS 3926 * set; that gives the checks done for data frames. 3927 */ 3928 gen_or(b1, b0); 3929 3930 /* 3931 * Now check for a data frame. 3932 * I.e, check "link[0] & 0x08". 3933 */ 3934 s = gen_load_a(OR_LINK, 0, BPF_B); 3935 b1 = new_block(JMP(BPF_JSET)); 3936 b1->s.k = 0x08; 3937 b1->stmts = s; 3938 3939 /* 3940 * AND that with the checks done for data frames. 3941 */ 3942 gen_and(b1, b0); 3943 3944 /* 3945 * If the high-order bit of the type value is 0, this 3946 * is a management frame. 3947 * I.e, check "!(link[0] & 0x08)". 3948 */ 3949 s = gen_load_a(OR_LINK, 0, BPF_B); 3950 b2 = new_block(JMP(BPF_JSET)); 3951 b2->s.k = 0x08; 3952 b2->stmts = s; 3953 gen_not(b2); 3954 3955 /* 3956 * For management frames, the SA is at 10. 3957 */ 3958 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3959 gen_and(b2, b1); 3960 3961 /* 3962 * OR that with the checks done for data frames. 3963 * That gives the checks done for management and 3964 * data frames. 3965 */ 3966 gen_or(b1, b0); 3967 3968 /* 3969 * If the low-order bit of the type value is 1, 3970 * this is either a control frame or a frame 3971 * with a reserved type, and thus not a 3972 * frame with an SA. 3973 * 3974 * I.e., check "!(link[0] & 0x04)". 3975 */ 3976 s = gen_load_a(OR_LINK, 0, BPF_B); 3977 b1 = new_block(JMP(BPF_JSET)); 3978 b1->s.k = 0x04; 3979 b1->stmts = s; 3980 gen_not(b1); 3981 3982 /* 3983 * AND that with the checks for data and management 3984 * frames. 3985 */ 3986 gen_and(b1, b0); 3987 return b0; 3988 3989 case Q_DST: 3990 /* 3991 * Oh, yuk. 3992 * 3993 * For control frames, there is no DA. 3994 * 3995 * For management frames, DA is at an 3996 * offset of 4 from the beginning of 3997 * the packet. 3998 * 3999 * For data frames, DA is at an offset 4000 * of 4 from the beginning of the packet 4001 * if To DS is clear and at an offset of 4002 * 16 from the beginning of the packet 4003 * if To DS is set. 4004 */ 4005 4006 /* 4007 * Generate the tests to be done for data frames. 4008 * 4009 * First, check for To DS set, i.e. "link[1] & 0x01". 4010 */ 4011 s = gen_load_a(OR_LINK, 1, BPF_B); 4012 b1 = new_block(JMP(BPF_JSET)); 4013 b1->s.k = 0x01; /* To DS */ 4014 b1->stmts = s; 4015 4016 /* 4017 * If To DS is set, the DA is at 16. 4018 */ 4019 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4020 gen_and(b1, b0); 4021 4022 /* 4023 * Now, check for To DS not set, i.e. check 4024 * "!(link[1] & 0x01)". 4025 */ 4026 s = gen_load_a(OR_LINK, 1, BPF_B); 4027 b2 = new_block(JMP(BPF_JSET)); 4028 b2->s.k = 0x01; /* To DS */ 4029 b2->stmts = s; 4030 gen_not(b2); 4031 4032 /* 4033 * If To DS is not set, the DA is at 4. 4034 */ 4035 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4036 gen_and(b2, b1); 4037 4038 /* 4039 * Now OR together the last two checks. That gives 4040 * the complete set of checks for data frames. 4041 */ 4042 gen_or(b1, b0); 4043 4044 /* 4045 * Now check for a data frame. 4046 * I.e, check "link[0] & 0x08". 4047 */ 4048 s = gen_load_a(OR_LINK, 0, BPF_B); 4049 b1 = new_block(JMP(BPF_JSET)); 4050 b1->s.k = 0x08; 4051 b1->stmts = s; 4052 4053 /* 4054 * AND that with the checks done for data frames. 4055 */ 4056 gen_and(b1, b0); 4057 4058 /* 4059 * If the high-order bit of the type value is 0, this 4060 * is a management frame. 4061 * I.e, check "!(link[0] & 0x08)". 4062 */ 4063 s = gen_load_a(OR_LINK, 0, BPF_B); 4064 b2 = new_block(JMP(BPF_JSET)); 4065 b2->s.k = 0x08; 4066 b2->stmts = s; 4067 gen_not(b2); 4068 4069 /* 4070 * For management frames, the DA is at 4. 4071 */ 4072 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4073 gen_and(b2, b1); 4074 4075 /* 4076 * OR that with the checks done for data frames. 4077 * That gives the checks done for management and 4078 * data frames. 4079 */ 4080 gen_or(b1, b0); 4081 4082 /* 4083 * If the low-order bit of the type value is 1, 4084 * this is either a control frame or a frame 4085 * with a reserved type, and thus not a 4086 * frame with an SA. 4087 * 4088 * I.e., check "!(link[0] & 0x04)". 4089 */ 4090 s = gen_load_a(OR_LINK, 0, BPF_B); 4091 b1 = new_block(JMP(BPF_JSET)); 4092 b1->s.k = 0x04; 4093 b1->stmts = s; 4094 gen_not(b1); 4095 4096 /* 4097 * AND that with the checks for data and management 4098 * frames. 4099 */ 4100 gen_and(b1, b0); 4101 return b0; 4102 4103 case Q_RA: 4104 /* 4105 * Not present in management frames; addr1 in other 4106 * frames. 4107 */ 4108 4109 /* 4110 * If the high-order bit of the type value is 0, this 4111 * is a management frame. 4112 * I.e, check "(link[0] & 0x08)". 4113 */ 4114 s = gen_load_a(OR_LINK, 0, BPF_B); 4115 b1 = new_block(JMP(BPF_JSET)); 4116 b1->s.k = 0x08; 4117 b1->stmts = s; 4118 4119 /* 4120 * Check addr1. 4121 */ 4122 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4123 4124 /* 4125 * AND that with the check of addr1. 4126 */ 4127 gen_and(b1, b0); 4128 return (b0); 4129 4130 case Q_TA: 4131 /* 4132 * Not present in management frames; addr2, if present, 4133 * in other frames. 4134 */ 4135 4136 /* 4137 * Not present in CTS or ACK control frames. 4138 */ 4139 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4140 IEEE80211_FC0_TYPE_MASK); 4141 gen_not(b0); 4142 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4143 IEEE80211_FC0_SUBTYPE_MASK); 4144 gen_not(b1); 4145 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4146 IEEE80211_FC0_SUBTYPE_MASK); 4147 gen_not(b2); 4148 gen_and(b1, b2); 4149 gen_or(b0, b2); 4150 4151 /* 4152 * If the high-order bit of the type value is 0, this 4153 * is a management frame. 4154 * I.e, check "(link[0] & 0x08)". 4155 */ 4156 s = gen_load_a(OR_LINK, 0, BPF_B); 4157 b1 = new_block(JMP(BPF_JSET)); 4158 b1->s.k = 0x08; 4159 b1->stmts = s; 4160 4161 /* 4162 * AND that with the check for frames other than 4163 * CTS and ACK frames. 4164 */ 4165 gen_and(b1, b2); 4166 4167 /* 4168 * Check addr2. 4169 */ 4170 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4171 gen_and(b2, b1); 4172 return b1; 4173 4174 /* 4175 * XXX - add BSSID keyword? 4176 */ 4177 case Q_ADDR1: 4178 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4179 4180 case Q_ADDR2: 4181 /* 4182 * Not present in CTS or ACK control frames. 4183 */ 4184 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4185 IEEE80211_FC0_TYPE_MASK); 4186 gen_not(b0); 4187 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4188 IEEE80211_FC0_SUBTYPE_MASK); 4189 gen_not(b1); 4190 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4191 IEEE80211_FC0_SUBTYPE_MASK); 4192 gen_not(b2); 4193 gen_and(b1, b2); 4194 gen_or(b0, b2); 4195 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4196 gen_and(b2, b1); 4197 return b1; 4198 4199 case Q_ADDR3: 4200 /* 4201 * Not present in control frames. 4202 */ 4203 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4204 IEEE80211_FC0_TYPE_MASK); 4205 gen_not(b0); 4206 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4207 gen_and(b0, b1); 4208 return b1; 4209 4210 case Q_ADDR4: 4211 /* 4212 * Present only if the direction mask has both "From DS" 4213 * and "To DS" set. Neither control frames nor management 4214 * frames should have both of those set, so we don't 4215 * check the frame type. 4216 */ 4217 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4218 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4219 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4220 gen_and(b0, b1); 4221 return b1; 4222 4223 case Q_AND: 4224 b0 = gen_wlanhostop(eaddr, Q_SRC); 4225 b1 = gen_wlanhostop(eaddr, Q_DST); 4226 gen_and(b0, b1); 4227 return b1; 4228 4229 case Q_DEFAULT: 4230 case Q_OR: 4231 b0 = gen_wlanhostop(eaddr, Q_SRC); 4232 b1 = gen_wlanhostop(eaddr, Q_DST); 4233 gen_or(b0, b1); 4234 return b1; 4235 } 4236 abort(); 4237 /* NOTREACHED */ 4238 } 4239 4240 /* 4241 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4242 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4243 * as the RFC states.) 4244 */ 4245 static struct block * 4246 gen_ipfchostop(eaddr, dir) 4247 register const u_char *eaddr; 4248 register int dir; 4249 { 4250 register struct block *b0, *b1; 4251 4252 switch (dir) { 4253 case Q_SRC: 4254 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4255 4256 case Q_DST: 4257 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4258 4259 case Q_AND: 4260 b0 = gen_ipfchostop(eaddr, Q_SRC); 4261 b1 = gen_ipfchostop(eaddr, Q_DST); 4262 gen_and(b0, b1); 4263 return b1; 4264 4265 case Q_DEFAULT: 4266 case Q_OR: 4267 b0 = gen_ipfchostop(eaddr, Q_SRC); 4268 b1 = gen_ipfchostop(eaddr, Q_DST); 4269 gen_or(b0, b1); 4270 return b1; 4271 4272 case Q_ADDR1: 4273 bpf_error("'addr1' is only supported on 802.11"); 4274 break; 4275 4276 case Q_ADDR2: 4277 bpf_error("'addr2' is only supported on 802.11"); 4278 break; 4279 4280 case Q_ADDR3: 4281 bpf_error("'addr3' is only supported on 802.11"); 4282 break; 4283 4284 case Q_ADDR4: 4285 bpf_error("'addr4' is only supported on 802.11"); 4286 break; 4287 4288 case Q_RA: 4289 bpf_error("'ra' is only supported on 802.11"); 4290 break; 4291 4292 case Q_TA: 4293 bpf_error("'ta' is only supported on 802.11"); 4294 break; 4295 } 4296 abort(); 4297 /* NOTREACHED */ 4298 } 4299 4300 /* 4301 * This is quite tricky because there may be pad bytes in front of the 4302 * DECNET header, and then there are two possible data packet formats that 4303 * carry both src and dst addresses, plus 5 packet types in a format that 4304 * carries only the src node, plus 2 types that use a different format and 4305 * also carry just the src node. 4306 * 4307 * Yuck. 4308 * 4309 * Instead of doing those all right, we just look for data packets with 4310 * 0 or 1 bytes of padding. If you want to look at other packets, that 4311 * will require a lot more hacking. 4312 * 4313 * To add support for filtering on DECNET "areas" (network numbers) 4314 * one would want to add a "mask" argument to this routine. That would 4315 * make the filter even more inefficient, although one could be clever 4316 * and not generate masking instructions if the mask is 0xFFFF. 4317 */ 4318 static struct block * 4319 gen_dnhostop(addr, dir) 4320 bpf_u_int32 addr; 4321 int dir; 4322 { 4323 struct block *b0, *b1, *b2, *tmp; 4324 u_int offset_lh; /* offset if long header is received */ 4325 u_int offset_sh; /* offset if short header is received */ 4326 4327 switch (dir) { 4328 4329 case Q_DST: 4330 offset_sh = 1; /* follows flags */ 4331 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4332 break; 4333 4334 case Q_SRC: 4335 offset_sh = 3; /* follows flags, dstnode */ 4336 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4337 break; 4338 4339 case Q_AND: 4340 /* Inefficient because we do our Calvinball dance twice */ 4341 b0 = gen_dnhostop(addr, Q_SRC); 4342 b1 = gen_dnhostop(addr, Q_DST); 4343 gen_and(b0, b1); 4344 return b1; 4345 4346 case Q_OR: 4347 case Q_DEFAULT: 4348 /* Inefficient because we do our Calvinball dance twice */ 4349 b0 = gen_dnhostop(addr, Q_SRC); 4350 b1 = gen_dnhostop(addr, Q_DST); 4351 gen_or(b0, b1); 4352 return b1; 4353 4354 case Q_ISO: 4355 bpf_error("ISO host filtering not implemented"); 4356 4357 default: 4358 abort(); 4359 } 4360 b0 = gen_linktype(ETHERTYPE_DN); 4361 /* Check for pad = 1, long header case */ 4362 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4363 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4364 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4365 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4366 gen_and(tmp, b1); 4367 /* Check for pad = 0, long header case */ 4368 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4369 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4370 gen_and(tmp, b2); 4371 gen_or(b2, b1); 4372 /* Check for pad = 1, short header case */ 4373 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4374 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4375 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4376 gen_and(tmp, b2); 4377 gen_or(b2, b1); 4378 /* Check for pad = 0, short header case */ 4379 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4380 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4381 gen_and(tmp, b2); 4382 gen_or(b2, b1); 4383 4384 /* Combine with test for linktype */ 4385 gen_and(b0, b1); 4386 return b1; 4387 } 4388 4389 /* 4390 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4391 * test the bottom-of-stack bit, and then check the version number 4392 * field in the IP header. 4393 */ 4394 static struct block * 4395 gen_mpls_linktype(proto) 4396 int proto; 4397 { 4398 struct block *b0, *b1; 4399 4400 switch (proto) { 4401 4402 case Q_IP: 4403 /* match the bottom-of-stack bit */ 4404 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4405 /* match the IPv4 version number */ 4406 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4407 gen_and(b0, b1); 4408 return b1; 4409 4410 case Q_IPV6: 4411 /* match the bottom-of-stack bit */ 4412 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4413 /* match the IPv4 version number */ 4414 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4415 gen_and(b0, b1); 4416 return b1; 4417 4418 default: 4419 abort(); 4420 } 4421 } 4422 4423 static struct block * 4424 gen_host(addr, mask, proto, dir, type) 4425 bpf_u_int32 addr; 4426 bpf_u_int32 mask; 4427 int proto; 4428 int dir; 4429 int type; 4430 { 4431 struct block *b0, *b1; 4432 const char *typestr; 4433 4434 if (type == Q_NET) 4435 typestr = "net"; 4436 else 4437 typestr = "host"; 4438 4439 switch (proto) { 4440 4441 case Q_DEFAULT: 4442 b0 = gen_host(addr, mask, Q_IP, dir, type); 4443 /* 4444 * Only check for non-IPv4 addresses if we're not 4445 * checking MPLS-encapsulated packets. 4446 */ 4447 if (label_stack_depth == 0) { 4448 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4449 gen_or(b0, b1); 4450 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4451 gen_or(b1, b0); 4452 } 4453 return b0; 4454 4455 case Q_IP: 4456 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4457 4458 case Q_RARP: 4459 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4460 4461 case Q_ARP: 4462 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4463 4464 case Q_TCP: 4465 bpf_error("'tcp' modifier applied to %s", typestr); 4466 4467 case Q_SCTP: 4468 bpf_error("'sctp' modifier applied to %s", typestr); 4469 4470 case Q_UDP: 4471 bpf_error("'udp' modifier applied to %s", typestr); 4472 4473 case Q_ICMP: 4474 bpf_error("'icmp' modifier applied to %s", typestr); 4475 4476 case Q_IGMP: 4477 bpf_error("'igmp' modifier applied to %s", typestr); 4478 4479 case Q_IGRP: 4480 bpf_error("'igrp' modifier applied to %s", typestr); 4481 4482 case Q_PIM: 4483 bpf_error("'pim' modifier applied to %s", typestr); 4484 4485 case Q_VRRP: 4486 bpf_error("'vrrp' modifier applied to %s", typestr); 4487 4488 case Q_CARP: 4489 bpf_error("'carp' modifier applied to %s", typestr); 4490 4491 case Q_ATALK: 4492 bpf_error("ATALK host filtering not implemented"); 4493 4494 case Q_AARP: 4495 bpf_error("AARP host filtering not implemented"); 4496 4497 case Q_DECNET: 4498 return gen_dnhostop(addr, dir); 4499 4500 case Q_SCA: 4501 bpf_error("SCA host filtering not implemented"); 4502 4503 case Q_LAT: 4504 bpf_error("LAT host filtering not implemented"); 4505 4506 case Q_MOPDL: 4507 bpf_error("MOPDL host filtering not implemented"); 4508 4509 case Q_MOPRC: 4510 bpf_error("MOPRC host filtering not implemented"); 4511 4512 #ifdef INET6 4513 case Q_IPV6: 4514 bpf_error("'ip6' modifier applied to ip host"); 4515 4516 case Q_ICMPV6: 4517 bpf_error("'icmp6' modifier applied to %s", typestr); 4518 #endif /* INET6 */ 4519 4520 case Q_AH: 4521 bpf_error("'ah' modifier applied to %s", typestr); 4522 4523 case Q_ESP: 4524 bpf_error("'esp' modifier applied to %s", typestr); 4525 4526 case Q_ISO: 4527 bpf_error("ISO host filtering not implemented"); 4528 4529 case Q_ESIS: 4530 bpf_error("'esis' modifier applied to %s", typestr); 4531 4532 case Q_ISIS: 4533 bpf_error("'isis' modifier applied to %s", typestr); 4534 4535 case Q_CLNP: 4536 bpf_error("'clnp' modifier applied to %s", typestr); 4537 4538 case Q_STP: 4539 bpf_error("'stp' modifier applied to %s", typestr); 4540 4541 case Q_IPX: 4542 bpf_error("IPX host filtering not implemented"); 4543 4544 case Q_NETBEUI: 4545 bpf_error("'netbeui' modifier applied to %s", typestr); 4546 4547 case Q_RADIO: 4548 bpf_error("'radio' modifier applied to %s", typestr); 4549 4550 default: 4551 abort(); 4552 } 4553 /* NOTREACHED */ 4554 } 4555 4556 #ifdef INET6 4557 static struct block * 4558 gen_host6(addr, mask, proto, dir, type) 4559 struct in6_addr *addr; 4560 struct in6_addr *mask; 4561 int proto; 4562 int dir; 4563 int type; 4564 { 4565 const char *typestr; 4566 4567 if (type == Q_NET) 4568 typestr = "net"; 4569 else 4570 typestr = "host"; 4571 4572 switch (proto) { 4573 4574 case Q_DEFAULT: 4575 return gen_host6(addr, mask, Q_IPV6, dir, type); 4576 4577 case Q_IP: 4578 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4579 4580 case Q_RARP: 4581 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4582 4583 case Q_ARP: 4584 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4585 4586 case Q_SCTP: 4587 bpf_error("'sctp' modifier applied to %s", typestr); 4588 4589 case Q_TCP: 4590 bpf_error("'tcp' modifier applied to %s", typestr); 4591 4592 case Q_UDP: 4593 bpf_error("'udp' modifier applied to %s", typestr); 4594 4595 case Q_ICMP: 4596 bpf_error("'icmp' modifier applied to %s", typestr); 4597 4598 case Q_IGMP: 4599 bpf_error("'igmp' modifier applied to %s", typestr); 4600 4601 case Q_IGRP: 4602 bpf_error("'igrp' modifier applied to %s", typestr); 4603 4604 case Q_PIM: 4605 bpf_error("'pim' modifier applied to %s", typestr); 4606 4607 case Q_VRRP: 4608 bpf_error("'vrrp' modifier applied to %s", typestr); 4609 4610 case Q_CARP: 4611 bpf_error("'carp' modifier applied to %s", typestr); 4612 4613 case Q_ATALK: 4614 bpf_error("ATALK host filtering not implemented"); 4615 4616 case Q_AARP: 4617 bpf_error("AARP host filtering not implemented"); 4618 4619 case Q_DECNET: 4620 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4621 4622 case Q_SCA: 4623 bpf_error("SCA host filtering not implemented"); 4624 4625 case Q_LAT: 4626 bpf_error("LAT host filtering not implemented"); 4627 4628 case Q_MOPDL: 4629 bpf_error("MOPDL host filtering not implemented"); 4630 4631 case Q_MOPRC: 4632 bpf_error("MOPRC host filtering not implemented"); 4633 4634 case Q_IPV6: 4635 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4636 4637 case Q_ICMPV6: 4638 bpf_error("'icmp6' modifier applied to %s", typestr); 4639 4640 case Q_AH: 4641 bpf_error("'ah' modifier applied to %s", typestr); 4642 4643 case Q_ESP: 4644 bpf_error("'esp' modifier applied to %s", typestr); 4645 4646 case Q_ISO: 4647 bpf_error("ISO host filtering not implemented"); 4648 4649 case Q_ESIS: 4650 bpf_error("'esis' modifier applied to %s", typestr); 4651 4652 case Q_ISIS: 4653 bpf_error("'isis' modifier applied to %s", typestr); 4654 4655 case Q_CLNP: 4656 bpf_error("'clnp' modifier applied to %s", typestr); 4657 4658 case Q_STP: 4659 bpf_error("'stp' modifier applied to %s", typestr); 4660 4661 case Q_IPX: 4662 bpf_error("IPX host filtering not implemented"); 4663 4664 case Q_NETBEUI: 4665 bpf_error("'netbeui' modifier applied to %s", typestr); 4666 4667 case Q_RADIO: 4668 bpf_error("'radio' modifier applied to %s", typestr); 4669 4670 default: 4671 abort(); 4672 } 4673 /* NOTREACHED */ 4674 } 4675 #endif /*INET6*/ 4676 4677 #ifndef INET6 4678 static struct block * 4679 gen_gateway(eaddr, alist, proto, dir) 4680 const u_char *eaddr; 4681 bpf_u_int32 **alist; 4682 int proto; 4683 int dir; 4684 { 4685 struct block *b0, *b1, *tmp; 4686 4687 if (dir != 0) 4688 bpf_error("direction applied to 'gateway'"); 4689 4690 switch (proto) { 4691 case Q_DEFAULT: 4692 case Q_IP: 4693 case Q_ARP: 4694 case Q_RARP: 4695 switch (linktype) { 4696 case DLT_EN10MB: 4697 case DLT_NETANALYZER: 4698 case DLT_NETANALYZER_TRANSPARENT: 4699 b0 = gen_ehostop(eaddr, Q_OR); 4700 break; 4701 case DLT_FDDI: 4702 b0 = gen_fhostop(eaddr, Q_OR); 4703 break; 4704 case DLT_IEEE802: 4705 b0 = gen_thostop(eaddr, Q_OR); 4706 break; 4707 case DLT_IEEE802_11: 4708 case DLT_PRISM_HEADER: 4709 case DLT_IEEE802_11_RADIO_AVS: 4710 case DLT_IEEE802_11_RADIO: 4711 case DLT_PPI: 4712 b0 = gen_wlanhostop(eaddr, Q_OR); 4713 break; 4714 case DLT_SUNATM: 4715 if (!is_lane) 4716 bpf_error( 4717 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4718 /* 4719 * Check that the packet doesn't begin with an 4720 * LE Control marker. (We've already generated 4721 * a test for LANE.) 4722 */ 4723 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4724 BPF_H, 0xFF00); 4725 gen_not(b1); 4726 4727 /* 4728 * Now check the MAC address. 4729 */ 4730 b0 = gen_ehostop(eaddr, Q_OR); 4731 gen_and(b1, b0); 4732 break; 4733 case DLT_IP_OVER_FC: 4734 b0 = gen_ipfchostop(eaddr, Q_OR); 4735 break; 4736 default: 4737 bpf_error( 4738 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4739 } 4740 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4741 while (*alist) { 4742 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4743 Q_HOST); 4744 gen_or(b1, tmp); 4745 b1 = tmp; 4746 } 4747 gen_not(b1); 4748 gen_and(b0, b1); 4749 return b1; 4750 } 4751 bpf_error("illegal modifier of 'gateway'"); 4752 /* NOTREACHED */ 4753 } 4754 #endif 4755 4756 struct block * 4757 gen_proto_abbrev(proto) 4758 int proto; 4759 { 4760 struct block *b0; 4761 struct block *b1; 4762 4763 switch (proto) { 4764 4765 case Q_SCTP: 4766 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4767 #ifdef INET6 4768 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4769 gen_or(b0, b1); 4770 #endif 4771 break; 4772 4773 case Q_TCP: 4774 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4775 #ifdef INET6 4776 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4777 gen_or(b0, b1); 4778 #endif 4779 break; 4780 4781 case Q_UDP: 4782 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4783 #ifdef INET6 4784 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4785 gen_or(b0, b1); 4786 #endif 4787 break; 4788 4789 case Q_ICMP: 4790 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4791 break; 4792 4793 #ifndef IPPROTO_IGMP 4794 #define IPPROTO_IGMP 2 4795 #endif 4796 4797 case Q_IGMP: 4798 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4799 break; 4800 4801 #ifndef IPPROTO_IGRP 4802 #define IPPROTO_IGRP 9 4803 #endif 4804 case Q_IGRP: 4805 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4806 break; 4807 4808 #ifndef IPPROTO_PIM 4809 #define IPPROTO_PIM 103 4810 #endif 4811 4812 case Q_PIM: 4813 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4814 #ifdef INET6 4815 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4816 gen_or(b0, b1); 4817 #endif 4818 break; 4819 4820 #ifndef IPPROTO_VRRP 4821 #define IPPROTO_VRRP 112 4822 #endif 4823 4824 case Q_VRRP: 4825 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4826 break; 4827 4828 #ifndef IPPROTO_CARP 4829 #define IPPROTO_CARP 112 4830 #endif 4831 4832 case Q_CARP: 4833 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4834 break; 4835 4836 case Q_IP: 4837 b1 = gen_linktype(ETHERTYPE_IP); 4838 break; 4839 4840 case Q_ARP: 4841 b1 = gen_linktype(ETHERTYPE_ARP); 4842 break; 4843 4844 case Q_RARP: 4845 b1 = gen_linktype(ETHERTYPE_REVARP); 4846 break; 4847 4848 case Q_LINK: 4849 bpf_error("link layer applied in wrong context"); 4850 4851 case Q_ATALK: 4852 b1 = gen_linktype(ETHERTYPE_ATALK); 4853 break; 4854 4855 case Q_AARP: 4856 b1 = gen_linktype(ETHERTYPE_AARP); 4857 break; 4858 4859 case Q_DECNET: 4860 b1 = gen_linktype(ETHERTYPE_DN); 4861 break; 4862 4863 case Q_SCA: 4864 b1 = gen_linktype(ETHERTYPE_SCA); 4865 break; 4866 4867 case Q_LAT: 4868 b1 = gen_linktype(ETHERTYPE_LAT); 4869 break; 4870 4871 case Q_MOPDL: 4872 b1 = gen_linktype(ETHERTYPE_MOPDL); 4873 break; 4874 4875 case Q_MOPRC: 4876 b1 = gen_linktype(ETHERTYPE_MOPRC); 4877 break; 4878 4879 #ifdef INET6 4880 case Q_IPV6: 4881 b1 = gen_linktype(ETHERTYPE_IPV6); 4882 break; 4883 4884 #ifndef IPPROTO_ICMPV6 4885 #define IPPROTO_ICMPV6 58 4886 #endif 4887 case Q_ICMPV6: 4888 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4889 break; 4890 #endif /* INET6 */ 4891 4892 #ifndef IPPROTO_AH 4893 #define IPPROTO_AH 51 4894 #endif 4895 case Q_AH: 4896 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4897 #ifdef INET6 4898 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4899 gen_or(b0, b1); 4900 #endif 4901 break; 4902 4903 #ifndef IPPROTO_ESP 4904 #define IPPROTO_ESP 50 4905 #endif 4906 case Q_ESP: 4907 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4908 #ifdef INET6 4909 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4910 gen_or(b0, b1); 4911 #endif 4912 break; 4913 4914 case Q_ISO: 4915 b1 = gen_linktype(LLCSAP_ISONS); 4916 break; 4917 4918 case Q_ESIS: 4919 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4920 break; 4921 4922 case Q_ISIS: 4923 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4924 break; 4925 4926 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4927 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4928 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4929 gen_or(b0, b1); 4930 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4931 gen_or(b0, b1); 4932 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4933 gen_or(b0, b1); 4934 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4935 gen_or(b0, b1); 4936 break; 4937 4938 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4939 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4940 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4941 gen_or(b0, b1); 4942 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4943 gen_or(b0, b1); 4944 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4945 gen_or(b0, b1); 4946 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4947 gen_or(b0, b1); 4948 break; 4949 4950 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4951 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4952 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4953 gen_or(b0, b1); 4954 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4955 gen_or(b0, b1); 4956 break; 4957 4958 case Q_ISIS_LSP: 4959 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4960 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4961 gen_or(b0, b1); 4962 break; 4963 4964 case Q_ISIS_SNP: 4965 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4966 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4967 gen_or(b0, b1); 4968 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4969 gen_or(b0, b1); 4970 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4971 gen_or(b0, b1); 4972 break; 4973 4974 case Q_ISIS_CSNP: 4975 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4976 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4977 gen_or(b0, b1); 4978 break; 4979 4980 case Q_ISIS_PSNP: 4981 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4982 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4983 gen_or(b0, b1); 4984 break; 4985 4986 case Q_CLNP: 4987 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4988 break; 4989 4990 case Q_STP: 4991 b1 = gen_linktype(LLCSAP_8021D); 4992 break; 4993 4994 case Q_IPX: 4995 b1 = gen_linktype(LLCSAP_IPX); 4996 break; 4997 4998 case Q_NETBEUI: 4999 b1 = gen_linktype(LLCSAP_NETBEUI); 5000 break; 5001 5002 case Q_RADIO: 5003 bpf_error("'radio' is not a valid protocol type"); 5004 5005 default: 5006 abort(); 5007 } 5008 return b1; 5009 } 5010 5011 static struct block * 5012 gen_ipfrag() 5013 { 5014 struct slist *s; 5015 struct block *b; 5016 5017 /* not IPv4 frag other than the first frag */ 5018 s = gen_load_a(OR_NET, 6, BPF_H); 5019 b = new_block(JMP(BPF_JSET)); 5020 b->s.k = 0x1fff; 5021 b->stmts = s; 5022 gen_not(b); 5023 5024 return b; 5025 } 5026 5027 /* 5028 * Generate a comparison to a port value in the transport-layer header 5029 * at the specified offset from the beginning of that header. 5030 * 5031 * XXX - this handles a variable-length prefix preceding the link-layer 5032 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5033 * variable-length link-layer headers (such as Token Ring or 802.11 5034 * headers). 5035 */ 5036 static struct block * 5037 gen_portatom(off, v) 5038 int off; 5039 bpf_int32 v; 5040 { 5041 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5042 } 5043 5044 #ifdef INET6 5045 static struct block * 5046 gen_portatom6(off, v) 5047 int off; 5048 bpf_int32 v; 5049 { 5050 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5051 } 5052 #endif/*INET6*/ 5053 5054 struct block * 5055 gen_portop(port, proto, dir) 5056 int port, proto, dir; 5057 { 5058 struct block *b0, *b1, *tmp; 5059 5060 /* ip proto 'proto' and not a fragment other than the first fragment */ 5061 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5062 b0 = gen_ipfrag(); 5063 gen_and(tmp, b0); 5064 5065 switch (dir) { 5066 case Q_SRC: 5067 b1 = gen_portatom(0, (bpf_int32)port); 5068 break; 5069 5070 case Q_DST: 5071 b1 = gen_portatom(2, (bpf_int32)port); 5072 break; 5073 5074 case Q_OR: 5075 case Q_DEFAULT: 5076 tmp = gen_portatom(0, (bpf_int32)port); 5077 b1 = gen_portatom(2, (bpf_int32)port); 5078 gen_or(tmp, b1); 5079 break; 5080 5081 case Q_AND: 5082 tmp = gen_portatom(0, (bpf_int32)port); 5083 b1 = gen_portatom(2, (bpf_int32)port); 5084 gen_and(tmp, b1); 5085 break; 5086 5087 default: 5088 abort(); 5089 } 5090 gen_and(b0, b1); 5091 5092 return b1; 5093 } 5094 5095 static struct block * 5096 gen_port(port, ip_proto, dir) 5097 int port; 5098 int ip_proto; 5099 int dir; 5100 { 5101 struct block *b0, *b1, *tmp; 5102 5103 /* 5104 * ether proto ip 5105 * 5106 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5107 * not LLC encapsulation with LLCSAP_IP. 5108 * 5109 * For IEEE 802 networks - which includes 802.5 token ring 5110 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5111 * says that SNAP encapsulation is used, not LLC encapsulation 5112 * with LLCSAP_IP. 5113 * 5114 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5115 * RFC 2225 say that SNAP encapsulation is used, not LLC 5116 * encapsulation with LLCSAP_IP. 5117 * 5118 * So we always check for ETHERTYPE_IP. 5119 */ 5120 b0 = gen_linktype(ETHERTYPE_IP); 5121 5122 switch (ip_proto) { 5123 case IPPROTO_UDP: 5124 case IPPROTO_TCP: 5125 case IPPROTO_SCTP: 5126 b1 = gen_portop(port, ip_proto, dir); 5127 break; 5128 5129 case PROTO_UNDEF: 5130 tmp = gen_portop(port, IPPROTO_TCP, dir); 5131 b1 = gen_portop(port, IPPROTO_UDP, dir); 5132 gen_or(tmp, b1); 5133 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5134 gen_or(tmp, b1); 5135 break; 5136 5137 default: 5138 abort(); 5139 } 5140 gen_and(b0, b1); 5141 return b1; 5142 } 5143 5144 #ifdef INET6 5145 struct block * 5146 gen_portop6(port, proto, dir) 5147 int port, proto, dir; 5148 { 5149 struct block *b0, *b1, *tmp; 5150 5151 /* ip6 proto 'proto' */ 5152 /* XXX - catch the first fragment of a fragmented packet? */ 5153 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5154 5155 switch (dir) { 5156 case Q_SRC: 5157 b1 = gen_portatom6(0, (bpf_int32)port); 5158 break; 5159 5160 case Q_DST: 5161 b1 = gen_portatom6(2, (bpf_int32)port); 5162 break; 5163 5164 case Q_OR: 5165 case Q_DEFAULT: 5166 tmp = gen_portatom6(0, (bpf_int32)port); 5167 b1 = gen_portatom6(2, (bpf_int32)port); 5168 gen_or(tmp, b1); 5169 break; 5170 5171 case Q_AND: 5172 tmp = gen_portatom6(0, (bpf_int32)port); 5173 b1 = gen_portatom6(2, (bpf_int32)port); 5174 gen_and(tmp, b1); 5175 break; 5176 5177 default: 5178 abort(); 5179 } 5180 gen_and(b0, b1); 5181 5182 return b1; 5183 } 5184 5185 static struct block * 5186 gen_port6(port, ip_proto, dir) 5187 int port; 5188 int ip_proto; 5189 int dir; 5190 { 5191 struct block *b0, *b1, *tmp; 5192 5193 /* link proto ip6 */ 5194 b0 = gen_linktype(ETHERTYPE_IPV6); 5195 5196 switch (ip_proto) { 5197 case IPPROTO_UDP: 5198 case IPPROTO_TCP: 5199 case IPPROTO_SCTP: 5200 b1 = gen_portop6(port, ip_proto, dir); 5201 break; 5202 5203 case PROTO_UNDEF: 5204 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5205 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5206 gen_or(tmp, b1); 5207 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5208 gen_or(tmp, b1); 5209 break; 5210 5211 default: 5212 abort(); 5213 } 5214 gen_and(b0, b1); 5215 return b1; 5216 } 5217 #endif /* INET6 */ 5218 5219 /* gen_portrange code */ 5220 static struct block * 5221 gen_portrangeatom(off, v1, v2) 5222 int off; 5223 bpf_int32 v1, v2; 5224 { 5225 struct block *b1, *b2; 5226 5227 if (v1 > v2) { 5228 /* 5229 * Reverse the order of the ports, so v1 is the lower one. 5230 */ 5231 bpf_int32 vtemp; 5232 5233 vtemp = v1; 5234 v1 = v2; 5235 v2 = vtemp; 5236 } 5237 5238 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5239 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5240 5241 gen_and(b1, b2); 5242 5243 return b2; 5244 } 5245 5246 struct block * 5247 gen_portrangeop(port1, port2, proto, dir) 5248 int port1, port2; 5249 int proto; 5250 int dir; 5251 { 5252 struct block *b0, *b1, *tmp; 5253 5254 /* ip proto 'proto' and not a fragment other than the first fragment */ 5255 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5256 b0 = gen_ipfrag(); 5257 gen_and(tmp, b0); 5258 5259 switch (dir) { 5260 case Q_SRC: 5261 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5262 break; 5263 5264 case Q_DST: 5265 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5266 break; 5267 5268 case Q_OR: 5269 case Q_DEFAULT: 5270 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5271 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5272 gen_or(tmp, b1); 5273 break; 5274 5275 case Q_AND: 5276 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5277 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5278 gen_and(tmp, b1); 5279 break; 5280 5281 default: 5282 abort(); 5283 } 5284 gen_and(b0, b1); 5285 5286 return b1; 5287 } 5288 5289 static struct block * 5290 gen_portrange(port1, port2, ip_proto, dir) 5291 int port1, port2; 5292 int ip_proto; 5293 int dir; 5294 { 5295 struct block *b0, *b1, *tmp; 5296 5297 /* link proto ip */ 5298 b0 = gen_linktype(ETHERTYPE_IP); 5299 5300 switch (ip_proto) { 5301 case IPPROTO_UDP: 5302 case IPPROTO_TCP: 5303 case IPPROTO_SCTP: 5304 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5305 break; 5306 5307 case PROTO_UNDEF: 5308 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5309 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5310 gen_or(tmp, b1); 5311 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5312 gen_or(tmp, b1); 5313 break; 5314 5315 default: 5316 abort(); 5317 } 5318 gen_and(b0, b1); 5319 return b1; 5320 } 5321 5322 #ifdef INET6 5323 static struct block * 5324 gen_portrangeatom6(off, v1, v2) 5325 int off; 5326 bpf_int32 v1, v2; 5327 { 5328 struct block *b1, *b2; 5329 5330 if (v1 > v2) { 5331 /* 5332 * Reverse the order of the ports, so v1 is the lower one. 5333 */ 5334 bpf_int32 vtemp; 5335 5336 vtemp = v1; 5337 v1 = v2; 5338 v2 = vtemp; 5339 } 5340 5341 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5342 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5343 5344 gen_and(b1, b2); 5345 5346 return b2; 5347 } 5348 5349 struct block * 5350 gen_portrangeop6(port1, port2, proto, dir) 5351 int port1, port2; 5352 int proto; 5353 int dir; 5354 { 5355 struct block *b0, *b1, *tmp; 5356 5357 /* ip6 proto 'proto' */ 5358 /* XXX - catch the first fragment of a fragmented packet? */ 5359 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5360 5361 switch (dir) { 5362 case Q_SRC: 5363 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5364 break; 5365 5366 case Q_DST: 5367 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5368 break; 5369 5370 case Q_OR: 5371 case Q_DEFAULT: 5372 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5373 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5374 gen_or(tmp, b1); 5375 break; 5376 5377 case Q_AND: 5378 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5379 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5380 gen_and(tmp, b1); 5381 break; 5382 5383 default: 5384 abort(); 5385 } 5386 gen_and(b0, b1); 5387 5388 return b1; 5389 } 5390 5391 static struct block * 5392 gen_portrange6(port1, port2, ip_proto, dir) 5393 int port1, port2; 5394 int ip_proto; 5395 int dir; 5396 { 5397 struct block *b0, *b1, *tmp; 5398 5399 /* link proto ip6 */ 5400 b0 = gen_linktype(ETHERTYPE_IPV6); 5401 5402 switch (ip_proto) { 5403 case IPPROTO_UDP: 5404 case IPPROTO_TCP: 5405 case IPPROTO_SCTP: 5406 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5407 break; 5408 5409 case PROTO_UNDEF: 5410 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5411 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5412 gen_or(tmp, b1); 5413 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5414 gen_or(tmp, b1); 5415 break; 5416 5417 default: 5418 abort(); 5419 } 5420 gen_and(b0, b1); 5421 return b1; 5422 } 5423 #endif /* INET6 */ 5424 5425 static int 5426 lookup_proto(name, proto) 5427 register const char *name; 5428 register int proto; 5429 { 5430 register int v; 5431 5432 switch (proto) { 5433 5434 case Q_DEFAULT: 5435 case Q_IP: 5436 case Q_IPV6: 5437 v = pcap_nametoproto(name); 5438 if (v == PROTO_UNDEF) 5439 bpf_error("unknown ip proto '%s'", name); 5440 break; 5441 5442 case Q_LINK: 5443 /* XXX should look up h/w protocol type based on linktype */ 5444 v = pcap_nametoeproto(name); 5445 if (v == PROTO_UNDEF) { 5446 v = pcap_nametollc(name); 5447 if (v == PROTO_UNDEF) 5448 bpf_error("unknown ether proto '%s'", name); 5449 } 5450 break; 5451 5452 case Q_ISO: 5453 if (strcmp(name, "esis") == 0) 5454 v = ISO9542_ESIS; 5455 else if (strcmp(name, "isis") == 0) 5456 v = ISO10589_ISIS; 5457 else if (strcmp(name, "clnp") == 0) 5458 v = ISO8473_CLNP; 5459 else 5460 bpf_error("unknown osi proto '%s'", name); 5461 break; 5462 5463 default: 5464 v = PROTO_UNDEF; 5465 break; 5466 } 5467 return v; 5468 } 5469 5470 #if 0 5471 struct stmt * 5472 gen_joinsp(s, n) 5473 struct stmt **s; 5474 int n; 5475 { 5476 return NULL; 5477 } 5478 #endif 5479 5480 static struct block * 5481 gen_protochain(v, proto, dir) 5482 int v; 5483 int proto; 5484 int dir; 5485 { 5486 #ifdef NO_PROTOCHAIN 5487 return gen_proto(v, proto, dir); 5488 #else 5489 struct block *b0, *b; 5490 struct slist *s[100]; 5491 int fix2, fix3, fix4, fix5; 5492 int ahcheck, again, end; 5493 int i, max; 5494 int reg2 = alloc_reg(); 5495 5496 memset(s, 0, sizeof(s)); 5497 fix2 = fix3 = fix4 = fix5 = 0; 5498 5499 switch (proto) { 5500 case Q_IP: 5501 case Q_IPV6: 5502 break; 5503 case Q_DEFAULT: 5504 b0 = gen_protochain(v, Q_IP, dir); 5505 b = gen_protochain(v, Q_IPV6, dir); 5506 gen_or(b0, b); 5507 return b; 5508 default: 5509 bpf_error("bad protocol applied for 'protochain'"); 5510 /*NOTREACHED*/ 5511 } 5512 5513 /* 5514 * We don't handle variable-length prefixes before the link-layer 5515 * header, or variable-length link-layer headers, here yet. 5516 * We might want to add BPF instructions to do the protochain 5517 * work, to simplify that and, on platforms that have a BPF 5518 * interpreter with the new instructions, let the filtering 5519 * be done in the kernel. (We already require a modified BPF 5520 * engine to do the protochain stuff, to support backward 5521 * branches, and backward branch support is unlikely to appear 5522 * in kernel BPF engines.) 5523 */ 5524 switch (linktype) { 5525 5526 case DLT_IEEE802_11: 5527 case DLT_PRISM_HEADER: 5528 case DLT_IEEE802_11_RADIO_AVS: 5529 case DLT_IEEE802_11_RADIO: 5530 case DLT_PPI: 5531 bpf_error("'protochain' not supported with 802.11"); 5532 } 5533 5534 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5535 5536 /* 5537 * s[0] is a dummy entry to protect other BPF insn from damage 5538 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5539 * hard to find interdependency made by jump table fixup. 5540 */ 5541 i = 0; 5542 s[i] = new_stmt(0); /*dummy*/ 5543 i++; 5544 5545 switch (proto) { 5546 case Q_IP: 5547 b0 = gen_linktype(ETHERTYPE_IP); 5548 5549 /* A = ip->ip_p */ 5550 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5551 s[i]->s.k = off_macpl + off_nl + 9; 5552 i++; 5553 /* X = ip->ip_hl << 2 */ 5554 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5555 s[i]->s.k = off_macpl + off_nl; 5556 i++; 5557 break; 5558 #ifdef INET6 5559 case Q_IPV6: 5560 b0 = gen_linktype(ETHERTYPE_IPV6); 5561 5562 /* A = ip6->ip_nxt */ 5563 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5564 s[i]->s.k = off_macpl + off_nl + 6; 5565 i++; 5566 /* X = sizeof(struct ip6_hdr) */ 5567 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5568 s[i]->s.k = 40; 5569 i++; 5570 break; 5571 #endif 5572 default: 5573 bpf_error("unsupported proto to gen_protochain"); 5574 /*NOTREACHED*/ 5575 } 5576 5577 /* again: if (A == v) goto end; else fall through; */ 5578 again = i; 5579 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5580 s[i]->s.k = v; 5581 s[i]->s.jt = NULL; /*later*/ 5582 s[i]->s.jf = NULL; /*update in next stmt*/ 5583 fix5 = i; 5584 i++; 5585 5586 #ifndef IPPROTO_NONE 5587 #define IPPROTO_NONE 59 5588 #endif 5589 /* if (A == IPPROTO_NONE) goto end */ 5590 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5591 s[i]->s.jt = NULL; /*later*/ 5592 s[i]->s.jf = NULL; /*update in next stmt*/ 5593 s[i]->s.k = IPPROTO_NONE; 5594 s[fix5]->s.jf = s[i]; 5595 fix2 = i; 5596 i++; 5597 5598 #ifdef INET6 5599 if (proto == Q_IPV6) { 5600 int v6start, v6end, v6advance, j; 5601 5602 v6start = i; 5603 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5604 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5605 s[i]->s.jt = NULL; /*later*/ 5606 s[i]->s.jf = NULL; /*update in next stmt*/ 5607 s[i]->s.k = IPPROTO_HOPOPTS; 5608 s[fix2]->s.jf = s[i]; 5609 i++; 5610 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5611 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5612 s[i]->s.jt = NULL; /*later*/ 5613 s[i]->s.jf = NULL; /*update in next stmt*/ 5614 s[i]->s.k = IPPROTO_DSTOPTS; 5615 i++; 5616 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5617 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5618 s[i]->s.jt = NULL; /*later*/ 5619 s[i]->s.jf = NULL; /*update in next stmt*/ 5620 s[i]->s.k = IPPROTO_ROUTING; 5621 i++; 5622 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5623 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5624 s[i]->s.jt = NULL; /*later*/ 5625 s[i]->s.jf = NULL; /*later*/ 5626 s[i]->s.k = IPPROTO_FRAGMENT; 5627 fix3 = i; 5628 v6end = i; 5629 i++; 5630 5631 /* v6advance: */ 5632 v6advance = i; 5633 5634 /* 5635 * in short, 5636 * A = P[X + packet head]; 5637 * X = X + (P[X + packet head + 1] + 1) * 8; 5638 */ 5639 /* A = P[X + packet head] */ 5640 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5641 s[i]->s.k = off_macpl + off_nl; 5642 i++; 5643 /* MEM[reg2] = A */ 5644 s[i] = new_stmt(BPF_ST); 5645 s[i]->s.k = reg2; 5646 i++; 5647 /* A = P[X + packet head + 1]; */ 5648 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5649 s[i]->s.k = off_macpl + off_nl + 1; 5650 i++; 5651 /* A += 1 */ 5652 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5653 s[i]->s.k = 1; 5654 i++; 5655 /* A *= 8 */ 5656 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5657 s[i]->s.k = 8; 5658 i++; 5659 /* A += X */ 5660 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5661 s[i]->s.k = 0; 5662 i++; 5663 /* X = A; */ 5664 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5665 i++; 5666 /* A = MEM[reg2] */ 5667 s[i] = new_stmt(BPF_LD|BPF_MEM); 5668 s[i]->s.k = reg2; 5669 i++; 5670 5671 /* goto again; (must use BPF_JA for backward jump) */ 5672 s[i] = new_stmt(BPF_JMP|BPF_JA); 5673 s[i]->s.k = again - i - 1; 5674 s[i - 1]->s.jf = s[i]; 5675 i++; 5676 5677 /* fixup */ 5678 for (j = v6start; j <= v6end; j++) 5679 s[j]->s.jt = s[v6advance]; 5680 } else 5681 #endif 5682 { 5683 /* nop */ 5684 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5685 s[i]->s.k = 0; 5686 s[fix2]->s.jf = s[i]; 5687 i++; 5688 } 5689 5690 /* ahcheck: */ 5691 ahcheck = i; 5692 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5693 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5694 s[i]->s.jt = NULL; /*later*/ 5695 s[i]->s.jf = NULL; /*later*/ 5696 s[i]->s.k = IPPROTO_AH; 5697 if (fix3) 5698 s[fix3]->s.jf = s[ahcheck]; 5699 fix4 = i; 5700 i++; 5701 5702 /* 5703 * in short, 5704 * A = P[X]; 5705 * X = X + (P[X + 1] + 2) * 4; 5706 */ 5707 /* A = X */ 5708 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5709 i++; 5710 /* A = P[X + packet head]; */ 5711 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5712 s[i]->s.k = off_macpl + off_nl; 5713 i++; 5714 /* MEM[reg2] = A */ 5715 s[i] = new_stmt(BPF_ST); 5716 s[i]->s.k = reg2; 5717 i++; 5718 /* A = X */ 5719 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5720 i++; 5721 /* A += 1 */ 5722 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5723 s[i]->s.k = 1; 5724 i++; 5725 /* X = A */ 5726 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5727 i++; 5728 /* A = P[X + packet head] */ 5729 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5730 s[i]->s.k = off_macpl + off_nl; 5731 i++; 5732 /* A += 2 */ 5733 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5734 s[i]->s.k = 2; 5735 i++; 5736 /* A *= 4 */ 5737 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5738 s[i]->s.k = 4; 5739 i++; 5740 /* X = A; */ 5741 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5742 i++; 5743 /* A = MEM[reg2] */ 5744 s[i] = new_stmt(BPF_LD|BPF_MEM); 5745 s[i]->s.k = reg2; 5746 i++; 5747 5748 /* goto again; (must use BPF_JA for backward jump) */ 5749 s[i] = new_stmt(BPF_JMP|BPF_JA); 5750 s[i]->s.k = again - i - 1; 5751 i++; 5752 5753 /* end: nop */ 5754 end = i; 5755 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5756 s[i]->s.k = 0; 5757 s[fix2]->s.jt = s[end]; 5758 s[fix4]->s.jf = s[end]; 5759 s[fix5]->s.jt = s[end]; 5760 i++; 5761 5762 /* 5763 * make slist chain 5764 */ 5765 max = i; 5766 for (i = 0; i < max - 1; i++) 5767 s[i]->next = s[i + 1]; 5768 s[max - 1]->next = NULL; 5769 5770 /* 5771 * emit final check 5772 */ 5773 b = new_block(JMP(BPF_JEQ)); 5774 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5775 b->s.k = v; 5776 5777 free_reg(reg2); 5778 5779 gen_and(b0, b); 5780 return b; 5781 #endif 5782 } 5783 5784 static struct block * 5785 gen_check_802_11_data_frame() 5786 { 5787 struct slist *s; 5788 struct block *b0, *b1; 5789 5790 /* 5791 * A data frame has the 0x08 bit (b3) in the frame control field set 5792 * and the 0x04 bit (b2) clear. 5793 */ 5794 s = gen_load_a(OR_LINK, 0, BPF_B); 5795 b0 = new_block(JMP(BPF_JSET)); 5796 b0->s.k = 0x08; 5797 b0->stmts = s; 5798 5799 s = gen_load_a(OR_LINK, 0, BPF_B); 5800 b1 = new_block(JMP(BPF_JSET)); 5801 b1->s.k = 0x04; 5802 b1->stmts = s; 5803 gen_not(b1); 5804 5805 gen_and(b1, b0); 5806 5807 return b0; 5808 } 5809 5810 /* 5811 * Generate code that checks whether the packet is a packet for protocol 5812 * <proto> and whether the type field in that protocol's header has 5813 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5814 * IP packet and checks the protocol number in the IP header against <v>. 5815 * 5816 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5817 * against Q_IP and Q_IPV6. 5818 */ 5819 static struct block * 5820 gen_proto(v, proto, dir) 5821 int v; 5822 int proto; 5823 int dir; 5824 { 5825 struct block *b0, *b1; 5826 #ifdef INET6 5827 #ifndef CHASE_CHAIN 5828 struct block *b2; 5829 #endif 5830 #endif 5831 5832 if (dir != Q_DEFAULT) 5833 bpf_error("direction applied to 'proto'"); 5834 5835 switch (proto) { 5836 case Q_DEFAULT: 5837 #ifdef INET6 5838 b0 = gen_proto(v, Q_IP, dir); 5839 b1 = gen_proto(v, Q_IPV6, dir); 5840 gen_or(b0, b1); 5841 return b1; 5842 #else 5843 /*FALLTHROUGH*/ 5844 #endif 5845 case Q_IP: 5846 /* 5847 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5848 * not LLC encapsulation with LLCSAP_IP. 5849 * 5850 * For IEEE 802 networks - which includes 802.5 token ring 5851 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5852 * says that SNAP encapsulation is used, not LLC encapsulation 5853 * with LLCSAP_IP. 5854 * 5855 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5856 * RFC 2225 say that SNAP encapsulation is used, not LLC 5857 * encapsulation with LLCSAP_IP. 5858 * 5859 * So we always check for ETHERTYPE_IP. 5860 */ 5861 b0 = gen_linktype(ETHERTYPE_IP); 5862 #ifndef CHASE_CHAIN 5863 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5864 #else 5865 b1 = gen_protochain(v, Q_IP); 5866 #endif 5867 gen_and(b0, b1); 5868 return b1; 5869 5870 case Q_ISO: 5871 switch (linktype) { 5872 5873 case DLT_FRELAY: 5874 /* 5875 * Frame Relay packets typically have an OSI 5876 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5877 * generates code to check for all the OSI 5878 * NLPIDs, so calling it and then adding a check 5879 * for the particular NLPID for which we're 5880 * looking is bogus, as we can just check for 5881 * the NLPID. 5882 * 5883 * What we check for is the NLPID and a frame 5884 * control field value of UI, i.e. 0x03 followed 5885 * by the NLPID. 5886 * 5887 * XXX - assumes a 2-byte Frame Relay header with 5888 * DLCI and flags. What if the address is longer? 5889 * 5890 * XXX - what about SNAP-encapsulated frames? 5891 */ 5892 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5893 /*NOTREACHED*/ 5894 break; 5895 5896 case DLT_C_HDLC: 5897 /* 5898 * Cisco uses an Ethertype lookalike - for OSI, 5899 * it's 0xfefe. 5900 */ 5901 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5902 /* OSI in C-HDLC is stuffed with a fudge byte */ 5903 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5904 gen_and(b0, b1); 5905 return b1; 5906 5907 default: 5908 b0 = gen_linktype(LLCSAP_ISONS); 5909 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5910 gen_and(b0, b1); 5911 return b1; 5912 } 5913 5914 case Q_ISIS: 5915 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5916 /* 5917 * 4 is the offset of the PDU type relative to the IS-IS 5918 * header. 5919 */ 5920 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5921 gen_and(b0, b1); 5922 return b1; 5923 5924 case Q_ARP: 5925 bpf_error("arp does not encapsulate another protocol"); 5926 /* NOTREACHED */ 5927 5928 case Q_RARP: 5929 bpf_error("rarp does not encapsulate another protocol"); 5930 /* NOTREACHED */ 5931 5932 case Q_ATALK: 5933 bpf_error("atalk encapsulation is not specifiable"); 5934 /* NOTREACHED */ 5935 5936 case Q_DECNET: 5937 bpf_error("decnet encapsulation is not specifiable"); 5938 /* NOTREACHED */ 5939 5940 case Q_SCA: 5941 bpf_error("sca does not encapsulate another protocol"); 5942 /* NOTREACHED */ 5943 5944 case Q_LAT: 5945 bpf_error("lat does not encapsulate another protocol"); 5946 /* NOTREACHED */ 5947 5948 case Q_MOPRC: 5949 bpf_error("moprc does not encapsulate another protocol"); 5950 /* NOTREACHED */ 5951 5952 case Q_MOPDL: 5953 bpf_error("mopdl does not encapsulate another protocol"); 5954 /* NOTREACHED */ 5955 5956 case Q_LINK: 5957 return gen_linktype(v); 5958 5959 case Q_UDP: 5960 bpf_error("'udp proto' is bogus"); 5961 /* NOTREACHED */ 5962 5963 case Q_TCP: 5964 bpf_error("'tcp proto' is bogus"); 5965 /* NOTREACHED */ 5966 5967 case Q_SCTP: 5968 bpf_error("'sctp proto' is bogus"); 5969 /* NOTREACHED */ 5970 5971 case Q_ICMP: 5972 bpf_error("'icmp proto' is bogus"); 5973 /* NOTREACHED */ 5974 5975 case Q_IGMP: 5976 bpf_error("'igmp proto' is bogus"); 5977 /* NOTREACHED */ 5978 5979 case Q_IGRP: 5980 bpf_error("'igrp proto' is bogus"); 5981 /* NOTREACHED */ 5982 5983 case Q_PIM: 5984 bpf_error("'pim proto' is bogus"); 5985 /* NOTREACHED */ 5986 5987 case Q_VRRP: 5988 bpf_error("'vrrp proto' is bogus"); 5989 /* NOTREACHED */ 5990 5991 case Q_CARP: 5992 bpf_error("'carp proto' is bogus"); 5993 /* NOTREACHED */ 5994 5995 #ifdef INET6 5996 case Q_IPV6: 5997 b0 = gen_linktype(ETHERTYPE_IPV6); 5998 #ifndef CHASE_CHAIN 5999 /* 6000 * Also check for a fragment header before the final 6001 * header. 6002 */ 6003 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 6004 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 6005 gen_and(b2, b1); 6006 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 6007 gen_or(b2, b1); 6008 #else 6009 b1 = gen_protochain(v, Q_IPV6); 6010 #endif 6011 gen_and(b0, b1); 6012 return b1; 6013 6014 case Q_ICMPV6: 6015 bpf_error("'icmp6 proto' is bogus"); 6016 #endif /* INET6 */ 6017 6018 case Q_AH: 6019 bpf_error("'ah proto' is bogus"); 6020 6021 case Q_ESP: 6022 bpf_error("'ah proto' is bogus"); 6023 6024 case Q_STP: 6025 bpf_error("'stp proto' is bogus"); 6026 6027 case Q_IPX: 6028 bpf_error("'ipx proto' is bogus"); 6029 6030 case Q_NETBEUI: 6031 bpf_error("'netbeui proto' is bogus"); 6032 6033 case Q_RADIO: 6034 bpf_error("'radio proto' is bogus"); 6035 6036 default: 6037 abort(); 6038 /* NOTREACHED */ 6039 } 6040 /* NOTREACHED */ 6041 } 6042 6043 struct block * 6044 gen_scode(name, q) 6045 register const char *name; 6046 struct qual q; 6047 { 6048 int proto = q.proto; 6049 int dir = q.dir; 6050 int tproto; 6051 u_char *eaddr; 6052 bpf_u_int32 mask, addr; 6053 #ifndef INET6 6054 bpf_u_int32 **alist; 6055 #else 6056 int tproto6; 6057 struct sockaddr_in *sin4; 6058 struct sockaddr_in6 *sin6; 6059 struct addrinfo *res, *res0; 6060 struct in6_addr mask128; 6061 #endif /*INET6*/ 6062 struct block *b, *tmp; 6063 int port, real_proto; 6064 int port1, port2; 6065 6066 switch (q.addr) { 6067 6068 case Q_NET: 6069 addr = pcap_nametonetaddr(name); 6070 if (addr == 0) 6071 bpf_error("unknown network '%s'", name); 6072 /* Left justify network addr and calculate its network mask */ 6073 mask = 0xffffffff; 6074 while (addr && (addr & 0xff000000) == 0) { 6075 addr <<= 8; 6076 mask <<= 8; 6077 } 6078 return gen_host(addr, mask, proto, dir, q.addr); 6079 6080 case Q_DEFAULT: 6081 case Q_HOST: 6082 if (proto == Q_LINK) { 6083 switch (linktype) { 6084 6085 case DLT_EN10MB: 6086 case DLT_NETANALYZER: 6087 case DLT_NETANALYZER_TRANSPARENT: 6088 eaddr = pcap_ether_hostton(name); 6089 if (eaddr == NULL) 6090 bpf_error( 6091 "unknown ether host '%s'", name); 6092 b = gen_ehostop(eaddr, dir); 6093 free(eaddr); 6094 return b; 6095 6096 case DLT_FDDI: 6097 eaddr = pcap_ether_hostton(name); 6098 if (eaddr == NULL) 6099 bpf_error( 6100 "unknown FDDI host '%s'", name); 6101 b = gen_fhostop(eaddr, dir); 6102 free(eaddr); 6103 return b; 6104 6105 case DLT_IEEE802: 6106 eaddr = pcap_ether_hostton(name); 6107 if (eaddr == NULL) 6108 bpf_error( 6109 "unknown token ring host '%s'", name); 6110 b = gen_thostop(eaddr, dir); 6111 free(eaddr); 6112 return b; 6113 6114 case DLT_IEEE802_11: 6115 case DLT_PRISM_HEADER: 6116 case DLT_IEEE802_11_RADIO_AVS: 6117 case DLT_IEEE802_11_RADIO: 6118 case DLT_PPI: 6119 eaddr = pcap_ether_hostton(name); 6120 if (eaddr == NULL) 6121 bpf_error( 6122 "unknown 802.11 host '%s'", name); 6123 b = gen_wlanhostop(eaddr, dir); 6124 free(eaddr); 6125 return b; 6126 6127 case DLT_IP_OVER_FC: 6128 eaddr = pcap_ether_hostton(name); 6129 if (eaddr == NULL) 6130 bpf_error( 6131 "unknown Fibre Channel host '%s'", name); 6132 b = gen_ipfchostop(eaddr, dir); 6133 free(eaddr); 6134 return b; 6135 6136 case DLT_SUNATM: 6137 if (!is_lane) 6138 break; 6139 6140 /* 6141 * Check that the packet doesn't begin 6142 * with an LE Control marker. (We've 6143 * already generated a test for LANE.) 6144 */ 6145 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6146 BPF_H, 0xFF00); 6147 gen_not(tmp); 6148 6149 eaddr = pcap_ether_hostton(name); 6150 if (eaddr == NULL) 6151 bpf_error( 6152 "unknown ether host '%s'", name); 6153 b = gen_ehostop(eaddr, dir); 6154 gen_and(tmp, b); 6155 free(eaddr); 6156 return b; 6157 } 6158 6159 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6160 } else if (proto == Q_DECNET) { 6161 unsigned short dn_addr = __pcap_nametodnaddr(name); 6162 /* 6163 * I don't think DECNET hosts can be multihomed, so 6164 * there is no need to build up a list of addresses 6165 */ 6166 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6167 } else { 6168 #ifndef INET6 6169 alist = pcap_nametoaddr(name); 6170 if (alist == NULL || *alist == NULL) 6171 bpf_error("unknown host '%s'", name); 6172 tproto = proto; 6173 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6174 tproto = Q_IP; 6175 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6176 while (*alist) { 6177 tmp = gen_host(**alist++, 0xffffffff, 6178 tproto, dir, q.addr); 6179 gen_or(b, tmp); 6180 b = tmp; 6181 } 6182 return b; 6183 #else 6184 memset(&mask128, 0xff, sizeof(mask128)); 6185 res0 = res = pcap_nametoaddrinfo(name); 6186 if (res == NULL) 6187 bpf_error("unknown host '%s'", name); 6188 ai = res; 6189 b = tmp = NULL; 6190 tproto = tproto6 = proto; 6191 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) { 6192 tproto = Q_IP; 6193 tproto6 = Q_IPV6; 6194 } 6195 for (res = res0; res; res = res->ai_next) { 6196 switch (res->ai_family) { 6197 case AF_INET: 6198 if (tproto == Q_IPV6) 6199 continue; 6200 6201 sin4 = (struct sockaddr_in *) 6202 res->ai_addr; 6203 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6204 0xffffffff, tproto, dir, q.addr); 6205 break; 6206 case AF_INET6: 6207 if (tproto6 == Q_IP) 6208 continue; 6209 6210 sin6 = (struct sockaddr_in6 *) 6211 res->ai_addr; 6212 tmp = gen_host6(&sin6->sin6_addr, 6213 &mask128, tproto6, dir, q.addr); 6214 break; 6215 default: 6216 continue; 6217 } 6218 if (b) 6219 gen_or(b, tmp); 6220 b = tmp; 6221 } 6222 ai = NULL; 6223 freeaddrinfo(res0); 6224 if (b == NULL) { 6225 bpf_error("unknown host '%s'%s", name, 6226 (proto == Q_DEFAULT) 6227 ? "" 6228 : " for specified address family"); 6229 } 6230 return b; 6231 #endif /*INET6*/ 6232 } 6233 6234 case Q_PORT: 6235 if (proto != Q_DEFAULT && 6236 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6237 bpf_error("illegal qualifier of 'port'"); 6238 if (pcap_nametoport(name, &port, &real_proto) == 0) 6239 bpf_error("unknown port '%s'", name); 6240 if (proto == Q_UDP) { 6241 if (real_proto == IPPROTO_TCP) 6242 bpf_error("port '%s' is tcp", name); 6243 else if (real_proto == IPPROTO_SCTP) 6244 bpf_error("port '%s' is sctp", name); 6245 else 6246 /* override PROTO_UNDEF */ 6247 real_proto = IPPROTO_UDP; 6248 } 6249 if (proto == Q_TCP) { 6250 if (real_proto == IPPROTO_UDP) 6251 bpf_error("port '%s' is udp", name); 6252 6253 else if (real_proto == IPPROTO_SCTP) 6254 bpf_error("port '%s' is sctp", name); 6255 else 6256 /* override PROTO_UNDEF */ 6257 real_proto = IPPROTO_TCP; 6258 } 6259 if (proto == Q_SCTP) { 6260 if (real_proto == IPPROTO_UDP) 6261 bpf_error("port '%s' is udp", name); 6262 6263 else if (real_proto == IPPROTO_TCP) 6264 bpf_error("port '%s' is tcp", name); 6265 else 6266 /* override PROTO_UNDEF */ 6267 real_proto = IPPROTO_SCTP; 6268 } 6269 if (port < 0) 6270 bpf_error("illegal port number %d < 0", port); 6271 if (port > 65535) 6272 bpf_error("illegal port number %d > 65535", port); 6273 #ifndef INET6 6274 return gen_port(port, real_proto, dir); 6275 #else 6276 b = gen_port(port, real_proto, dir); 6277 gen_or(gen_port6(port, real_proto, dir), b); 6278 return b; 6279 #endif /* INET6 */ 6280 6281 case Q_PORTRANGE: 6282 if (proto != Q_DEFAULT && 6283 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6284 bpf_error("illegal qualifier of 'portrange'"); 6285 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6286 bpf_error("unknown port in range '%s'", name); 6287 if (proto == Q_UDP) { 6288 if (real_proto == IPPROTO_TCP) 6289 bpf_error("port in range '%s' is tcp", name); 6290 else if (real_proto == IPPROTO_SCTP) 6291 bpf_error("port in range '%s' is sctp", name); 6292 else 6293 /* override PROTO_UNDEF */ 6294 real_proto = IPPROTO_UDP; 6295 } 6296 if (proto == Q_TCP) { 6297 if (real_proto == IPPROTO_UDP) 6298 bpf_error("port in range '%s' is udp", name); 6299 else if (real_proto == IPPROTO_SCTP) 6300 bpf_error("port in range '%s' is sctp", name); 6301 else 6302 /* override PROTO_UNDEF */ 6303 real_proto = IPPROTO_TCP; 6304 } 6305 if (proto == Q_SCTP) { 6306 if (real_proto == IPPROTO_UDP) 6307 bpf_error("port in range '%s' is udp", name); 6308 else if (real_proto == IPPROTO_TCP) 6309 bpf_error("port in range '%s' is tcp", name); 6310 else 6311 /* override PROTO_UNDEF */ 6312 real_proto = IPPROTO_SCTP; 6313 } 6314 if (port1 < 0) 6315 bpf_error("illegal port number %d < 0", port1); 6316 if (port1 > 65535) 6317 bpf_error("illegal port number %d > 65535", port1); 6318 if (port2 < 0) 6319 bpf_error("illegal port number %d < 0", port2); 6320 if (port2 > 65535) 6321 bpf_error("illegal port number %d > 65535", port2); 6322 6323 #ifndef INET6 6324 return gen_portrange(port1, port2, real_proto, dir); 6325 #else 6326 b = gen_portrange(port1, port2, real_proto, dir); 6327 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6328 return b; 6329 #endif /* INET6 */ 6330 6331 case Q_GATEWAY: 6332 #ifndef INET6 6333 eaddr = pcap_ether_hostton(name); 6334 if (eaddr == NULL) 6335 bpf_error("unknown ether host: %s", name); 6336 6337 alist = pcap_nametoaddr(name); 6338 if (alist == NULL || *alist == NULL) 6339 bpf_error("unknown host '%s'", name); 6340 b = gen_gateway(eaddr, alist, proto, dir); 6341 free(eaddr); 6342 return b; 6343 #else 6344 bpf_error("'gateway' not supported in this configuration"); 6345 #endif /*INET6*/ 6346 6347 case Q_PROTO: 6348 real_proto = lookup_proto(name, proto); 6349 if (real_proto >= 0) 6350 return gen_proto(real_proto, proto, dir); 6351 else 6352 bpf_error("unknown protocol: %s", name); 6353 6354 case Q_PROTOCHAIN: 6355 real_proto = lookup_proto(name, proto); 6356 if (real_proto >= 0) 6357 return gen_protochain(real_proto, proto, dir); 6358 else 6359 bpf_error("unknown protocol: %s", name); 6360 6361 case Q_UNDEF: 6362 syntax(); 6363 /* NOTREACHED */ 6364 } 6365 abort(); 6366 /* NOTREACHED */ 6367 } 6368 6369 struct block * 6370 gen_mcode(s1, s2, masklen, q) 6371 register const char *s1, *s2; 6372 register int masklen; 6373 struct qual q; 6374 { 6375 register int nlen, mlen; 6376 bpf_u_int32 n, m; 6377 6378 nlen = __pcap_atoin(s1, &n); 6379 /* Promote short ipaddr */ 6380 n <<= 32 - nlen; 6381 6382 if (s2 != NULL) { 6383 mlen = __pcap_atoin(s2, &m); 6384 /* Promote short ipaddr */ 6385 m <<= 32 - mlen; 6386 if ((n & ~m) != 0) 6387 bpf_error("non-network bits set in \"%s mask %s\"", 6388 s1, s2); 6389 } else { 6390 /* Convert mask len to mask */ 6391 if (masklen > 32) 6392 bpf_error("mask length must be <= 32"); 6393 if (masklen == 0) { 6394 /* 6395 * X << 32 is not guaranteed by C to be 0; it's 6396 * undefined. 6397 */ 6398 m = 0; 6399 } else 6400 m = 0xffffffff << (32 - masklen); 6401 if ((n & ~m) != 0) 6402 bpf_error("non-network bits set in \"%s/%d\"", 6403 s1, masklen); 6404 } 6405 6406 switch (q.addr) { 6407 6408 case Q_NET: 6409 return gen_host(n, m, q.proto, q.dir, q.addr); 6410 6411 default: 6412 bpf_error("Mask syntax for networks only"); 6413 /* NOTREACHED */ 6414 } 6415 /* NOTREACHED */ 6416 return NULL; 6417 } 6418 6419 struct block * 6420 gen_ncode(s, v, q) 6421 register const char *s; 6422 bpf_u_int32 v; 6423 struct qual q; 6424 { 6425 bpf_u_int32 mask; 6426 int proto = q.proto; 6427 int dir = q.dir; 6428 register int vlen; 6429 6430 if (s == NULL) 6431 vlen = 32; 6432 else if (q.proto == Q_DECNET) 6433 vlen = __pcap_atodn(s, &v); 6434 else 6435 vlen = __pcap_atoin(s, &v); 6436 6437 switch (q.addr) { 6438 6439 case Q_DEFAULT: 6440 case Q_HOST: 6441 case Q_NET: 6442 if (proto == Q_DECNET) 6443 return gen_host(v, 0, proto, dir, q.addr); 6444 else if (proto == Q_LINK) { 6445 bpf_error("illegal link layer address"); 6446 } else { 6447 mask = 0xffffffff; 6448 if (s == NULL && q.addr == Q_NET) { 6449 /* Promote short net number */ 6450 while (v && (v & 0xff000000) == 0) { 6451 v <<= 8; 6452 mask <<= 8; 6453 } 6454 } else { 6455 /* Promote short ipaddr */ 6456 v <<= 32 - vlen; 6457 mask <<= 32 - vlen; 6458 } 6459 return gen_host(v, mask, proto, dir, q.addr); 6460 } 6461 6462 case Q_PORT: 6463 if (proto == Q_UDP) 6464 proto = IPPROTO_UDP; 6465 else if (proto == Q_TCP) 6466 proto = IPPROTO_TCP; 6467 else if (proto == Q_SCTP) 6468 proto = IPPROTO_SCTP; 6469 else if (proto == Q_DEFAULT) 6470 proto = PROTO_UNDEF; 6471 else 6472 bpf_error("illegal qualifier of 'port'"); 6473 6474 if (v > 65535) 6475 bpf_error("illegal port number %u > 65535", v); 6476 6477 #ifndef INET6 6478 return gen_port((int)v, proto, dir); 6479 #else 6480 { 6481 struct block *b; 6482 b = gen_port((int)v, proto, dir); 6483 gen_or(gen_port6((int)v, proto, dir), b); 6484 return b; 6485 } 6486 #endif /* INET6 */ 6487 6488 case Q_PORTRANGE: 6489 if (proto == Q_UDP) 6490 proto = IPPROTO_UDP; 6491 else if (proto == Q_TCP) 6492 proto = IPPROTO_TCP; 6493 else if (proto == Q_SCTP) 6494 proto = IPPROTO_SCTP; 6495 else if (proto == Q_DEFAULT) 6496 proto = PROTO_UNDEF; 6497 else 6498 bpf_error("illegal qualifier of 'portrange'"); 6499 6500 if (v > 65535) 6501 bpf_error("illegal port number %u > 65535", v); 6502 6503 #ifndef INET6 6504 return gen_portrange((int)v, (int)v, proto, dir); 6505 #else 6506 { 6507 struct block *b; 6508 b = gen_portrange((int)v, (int)v, proto, dir); 6509 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6510 return b; 6511 } 6512 #endif /* INET6 */ 6513 6514 case Q_GATEWAY: 6515 bpf_error("'gateway' requires a name"); 6516 /* NOTREACHED */ 6517 6518 case Q_PROTO: 6519 return gen_proto((int)v, proto, dir); 6520 6521 case Q_PROTOCHAIN: 6522 return gen_protochain((int)v, proto, dir); 6523 6524 case Q_UNDEF: 6525 syntax(); 6526 /* NOTREACHED */ 6527 6528 default: 6529 abort(); 6530 /* NOTREACHED */ 6531 } 6532 /* NOTREACHED */ 6533 } 6534 6535 #ifdef INET6 6536 struct block * 6537 gen_mcode6(s1, s2, masklen, q) 6538 register const char *s1, *s2; 6539 register int masklen; 6540 struct qual q; 6541 { 6542 struct addrinfo *res; 6543 struct in6_addr *addr; 6544 struct in6_addr mask; 6545 struct block *b; 6546 u_int32_t *a, *m; 6547 6548 if (s2) 6549 bpf_error("no mask %s supported", s2); 6550 6551 res = pcap_nametoaddrinfo(s1); 6552 if (!res) 6553 bpf_error("invalid ip6 address %s", s1); 6554 ai = res; 6555 if (res->ai_next) 6556 bpf_error("%s resolved to multiple address", s1); 6557 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6558 6559 if ((int)sizeof(mask) * 8 < masklen) 6560 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6561 memset(&mask, 0, sizeof(mask)); 6562 memset(&mask, 0xff, masklen / 8); 6563 if (masklen % 8) { 6564 mask.s6_addr[masklen / 8] = 6565 (0xff << (8 - masklen % 8)) & 0xff; 6566 } 6567 6568 a = (u_int32_t *)addr; 6569 m = (u_int32_t *)&mask; 6570 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6571 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6572 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6573 } 6574 6575 switch (q.addr) { 6576 6577 case Q_DEFAULT: 6578 case Q_HOST: 6579 if (masklen != 128) 6580 bpf_error("Mask syntax for networks only"); 6581 /* FALLTHROUGH */ 6582 6583 case Q_NET: 6584 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6585 ai = NULL; 6586 freeaddrinfo(res); 6587 return b; 6588 6589 default: 6590 bpf_error("invalid qualifier against IPv6 address"); 6591 /* NOTREACHED */ 6592 } 6593 return NULL; 6594 } 6595 #endif /*INET6*/ 6596 6597 struct block * 6598 gen_ecode(eaddr, q) 6599 register const u_char *eaddr; 6600 struct qual q; 6601 { 6602 struct block *b, *tmp; 6603 6604 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6605 switch (linktype) { 6606 case DLT_EN10MB: 6607 case DLT_NETANALYZER: 6608 case DLT_NETANALYZER_TRANSPARENT: 6609 return gen_ehostop(eaddr, (int)q.dir); 6610 case DLT_FDDI: 6611 return gen_fhostop(eaddr, (int)q.dir); 6612 case DLT_IEEE802: 6613 return gen_thostop(eaddr, (int)q.dir); 6614 case DLT_IEEE802_11: 6615 case DLT_PRISM_HEADER: 6616 case DLT_IEEE802_11_RADIO_AVS: 6617 case DLT_IEEE802_11_RADIO: 6618 case DLT_PPI: 6619 return gen_wlanhostop(eaddr, (int)q.dir); 6620 case DLT_SUNATM: 6621 if (is_lane) { 6622 /* 6623 * Check that the packet doesn't begin with an 6624 * LE Control marker. (We've already generated 6625 * a test for LANE.) 6626 */ 6627 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6628 0xFF00); 6629 gen_not(tmp); 6630 6631 /* 6632 * Now check the MAC address. 6633 */ 6634 b = gen_ehostop(eaddr, (int)q.dir); 6635 gen_and(tmp, b); 6636 return b; 6637 } 6638 break; 6639 case DLT_IP_OVER_FC: 6640 return gen_ipfchostop(eaddr, (int)q.dir); 6641 default: 6642 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6643 break; 6644 } 6645 } 6646 bpf_error("ethernet address used in non-ether expression"); 6647 /* NOTREACHED */ 6648 return NULL; 6649 } 6650 6651 void 6652 sappend(s0, s1) 6653 struct slist *s0, *s1; 6654 { 6655 /* 6656 * This is definitely not the best way to do this, but the 6657 * lists will rarely get long. 6658 */ 6659 while (s0->next) 6660 s0 = s0->next; 6661 s0->next = s1; 6662 } 6663 6664 static struct slist * 6665 xfer_to_x(a) 6666 struct arth *a; 6667 { 6668 struct slist *s; 6669 6670 s = new_stmt(BPF_LDX|BPF_MEM); 6671 s->s.k = a->regno; 6672 return s; 6673 } 6674 6675 static struct slist * 6676 xfer_to_a(a) 6677 struct arth *a; 6678 { 6679 struct slist *s; 6680 6681 s = new_stmt(BPF_LD|BPF_MEM); 6682 s->s.k = a->regno; 6683 return s; 6684 } 6685 6686 /* 6687 * Modify "index" to use the value stored into its register as an 6688 * offset relative to the beginning of the header for the protocol 6689 * "proto", and allocate a register and put an item "size" bytes long 6690 * (1, 2, or 4) at that offset into that register, making it the register 6691 * for "index". 6692 */ 6693 struct arth * 6694 gen_load(proto, inst, size) 6695 int proto; 6696 struct arth *inst; 6697 int size; 6698 { 6699 struct slist *s, *tmp; 6700 struct block *b; 6701 int regno = alloc_reg(); 6702 6703 free_reg(inst->regno); 6704 switch (size) { 6705 6706 default: 6707 bpf_error("data size must be 1, 2, or 4"); 6708 6709 case 1: 6710 size = BPF_B; 6711 break; 6712 6713 case 2: 6714 size = BPF_H; 6715 break; 6716 6717 case 4: 6718 size = BPF_W; 6719 break; 6720 } 6721 switch (proto) { 6722 default: 6723 bpf_error("unsupported index operation"); 6724 6725 case Q_RADIO: 6726 /* 6727 * The offset is relative to the beginning of the packet 6728 * data, if we have a radio header. (If we don't, this 6729 * is an error.) 6730 */ 6731 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6732 linktype != DLT_IEEE802_11_RADIO && 6733 linktype != DLT_PRISM_HEADER) 6734 bpf_error("radio information not present in capture"); 6735 6736 /* 6737 * Load into the X register the offset computed into the 6738 * register specified by "index". 6739 */ 6740 s = xfer_to_x(inst); 6741 6742 /* 6743 * Load the item at that offset. 6744 */ 6745 tmp = new_stmt(BPF_LD|BPF_IND|size); 6746 sappend(s, tmp); 6747 sappend(inst->s, s); 6748 break; 6749 6750 case Q_LINK: 6751 /* 6752 * The offset is relative to the beginning of 6753 * the link-layer header. 6754 * 6755 * XXX - what about ATM LANE? Should the index be 6756 * relative to the beginning of the AAL5 frame, so 6757 * that 0 refers to the beginning of the LE Control 6758 * field, or relative to the beginning of the LAN 6759 * frame, so that 0 refers, for Ethernet LANE, to 6760 * the beginning of the destination address? 6761 */ 6762 s = gen_llprefixlen(); 6763 6764 /* 6765 * If "s" is non-null, it has code to arrange that the 6766 * X register contains the length of the prefix preceding 6767 * the link-layer header. Add to it the offset computed 6768 * into the register specified by "index", and move that 6769 * into the X register. Otherwise, just load into the X 6770 * register the offset computed into the register specified 6771 * by "index". 6772 */ 6773 if (s != NULL) { 6774 sappend(s, xfer_to_a(inst)); 6775 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6776 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6777 } else 6778 s = xfer_to_x(inst); 6779 6780 /* 6781 * Load the item at the sum of the offset we've put in the 6782 * X register and the offset of the start of the link 6783 * layer header (which is 0 if the radio header is 6784 * variable-length; that header length is what we put 6785 * into the X register and then added to the index). 6786 */ 6787 tmp = new_stmt(BPF_LD|BPF_IND|size); 6788 tmp->s.k = off_ll; 6789 sappend(s, tmp); 6790 sappend(inst->s, s); 6791 break; 6792 6793 case Q_IP: 6794 case Q_ARP: 6795 case Q_RARP: 6796 case Q_ATALK: 6797 case Q_DECNET: 6798 case Q_SCA: 6799 case Q_LAT: 6800 case Q_MOPRC: 6801 case Q_MOPDL: 6802 #ifdef INET6 6803 case Q_IPV6: 6804 #endif 6805 /* 6806 * The offset is relative to the beginning of 6807 * the network-layer header. 6808 * XXX - are there any cases where we want 6809 * off_nl_nosnap? 6810 */ 6811 s = gen_off_macpl(); 6812 6813 /* 6814 * If "s" is non-null, it has code to arrange that the 6815 * X register contains the offset of the MAC-layer 6816 * payload. Add to it the offset computed into the 6817 * register specified by "index", and move that into 6818 * the X register. Otherwise, just load into the X 6819 * register the offset computed into the register specified 6820 * by "index". 6821 */ 6822 if (s != NULL) { 6823 sappend(s, xfer_to_a(inst)); 6824 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6825 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6826 } else 6827 s = xfer_to_x(inst); 6828 6829 /* 6830 * Load the item at the sum of the offset we've put in the 6831 * X register, the offset of the start of the network 6832 * layer header from the beginning of the MAC-layer 6833 * payload, and the purported offset of the start of the 6834 * MAC-layer payload (which might be 0 if there's a 6835 * variable-length prefix before the link-layer header 6836 * or the link-layer header itself is variable-length; 6837 * the variable-length offset of the start of the 6838 * MAC-layer payload is what we put into the X register 6839 * and then added to the index). 6840 */ 6841 tmp = new_stmt(BPF_LD|BPF_IND|size); 6842 tmp->s.k = off_macpl + off_nl; 6843 sappend(s, tmp); 6844 sappend(inst->s, s); 6845 6846 /* 6847 * Do the computation only if the packet contains 6848 * the protocol in question. 6849 */ 6850 b = gen_proto_abbrev(proto); 6851 if (inst->b) 6852 gen_and(inst->b, b); 6853 inst->b = b; 6854 break; 6855 6856 case Q_SCTP: 6857 case Q_TCP: 6858 case Q_UDP: 6859 case Q_ICMP: 6860 case Q_IGMP: 6861 case Q_IGRP: 6862 case Q_PIM: 6863 case Q_VRRP: 6864 case Q_CARP: 6865 /* 6866 * The offset is relative to the beginning of 6867 * the transport-layer header. 6868 * 6869 * Load the X register with the length of the IPv4 header 6870 * (plus the offset of the link-layer header, if it's 6871 * a variable-length header), in bytes. 6872 * 6873 * XXX - are there any cases where we want 6874 * off_nl_nosnap? 6875 * XXX - we should, if we're built with 6876 * IPv6 support, generate code to load either 6877 * IPv4, IPv6, or both, as appropriate. 6878 */ 6879 s = gen_loadx_iphdrlen(); 6880 6881 /* 6882 * The X register now contains the sum of the length 6883 * of any variable-length header preceding the link-layer 6884 * header, any variable-length link-layer header, and the 6885 * length of the network-layer header. 6886 * 6887 * Load into the A register the offset relative to 6888 * the beginning of the transport layer header, 6889 * add the X register to that, move that to the 6890 * X register, and load with an offset from the 6891 * X register equal to the offset of the network 6892 * layer header relative to the beginning of 6893 * the MAC-layer payload plus the fixed-length 6894 * portion of the offset of the MAC-layer payload 6895 * from the beginning of the raw packet data. 6896 */ 6897 sappend(s, xfer_to_a(inst)); 6898 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6899 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6900 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6901 tmp->s.k = off_macpl + off_nl; 6902 sappend(inst->s, s); 6903 6904 /* 6905 * Do the computation only if the packet contains 6906 * the protocol in question - which is true only 6907 * if this is an IP datagram and is the first or 6908 * only fragment of that datagram. 6909 */ 6910 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6911 if (inst->b) 6912 gen_and(inst->b, b); 6913 #ifdef INET6 6914 gen_and(gen_proto_abbrev(Q_IP), b); 6915 #endif 6916 inst->b = b; 6917 break; 6918 #ifdef INET6 6919 case Q_ICMPV6: 6920 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6921 /*NOTREACHED*/ 6922 #endif 6923 } 6924 inst->regno = regno; 6925 s = new_stmt(BPF_ST); 6926 s->s.k = regno; 6927 sappend(inst->s, s); 6928 6929 return inst; 6930 } 6931 6932 struct block * 6933 gen_relation(code, a0, a1, reversed) 6934 int code; 6935 struct arth *a0, *a1; 6936 int reversed; 6937 { 6938 struct slist *s0, *s1, *s2; 6939 struct block *b, *tmp; 6940 6941 s0 = xfer_to_x(a1); 6942 s1 = xfer_to_a(a0); 6943 if (code == BPF_JEQ) { 6944 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6945 b = new_block(JMP(code)); 6946 sappend(s1, s2); 6947 } 6948 else 6949 b = new_block(BPF_JMP|code|BPF_X); 6950 if (reversed) 6951 gen_not(b); 6952 6953 sappend(s0, s1); 6954 sappend(a1->s, s0); 6955 sappend(a0->s, a1->s); 6956 6957 b->stmts = a0->s; 6958 6959 free_reg(a0->regno); 6960 free_reg(a1->regno); 6961 6962 /* 'and' together protocol checks */ 6963 if (a0->b) { 6964 if (a1->b) { 6965 gen_and(a0->b, tmp = a1->b); 6966 } 6967 else 6968 tmp = a0->b; 6969 } else 6970 tmp = a1->b; 6971 6972 if (tmp) 6973 gen_and(tmp, b); 6974 6975 return b; 6976 } 6977 6978 struct arth * 6979 gen_loadlen() 6980 { 6981 int regno = alloc_reg(); 6982 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6983 struct slist *s; 6984 6985 s = new_stmt(BPF_LD|BPF_LEN); 6986 s->next = new_stmt(BPF_ST); 6987 s->next->s.k = regno; 6988 a->s = s; 6989 a->regno = regno; 6990 6991 return a; 6992 } 6993 6994 struct arth * 6995 gen_loadi(val) 6996 int val; 6997 { 6998 struct arth *a; 6999 struct slist *s; 7000 int reg; 7001 7002 a = (struct arth *)newchunk(sizeof(*a)); 7003 7004 reg = alloc_reg(); 7005 7006 s = new_stmt(BPF_LD|BPF_IMM); 7007 s->s.k = val; 7008 s->next = new_stmt(BPF_ST); 7009 s->next->s.k = reg; 7010 a->s = s; 7011 a->regno = reg; 7012 7013 return a; 7014 } 7015 7016 struct arth * 7017 gen_neg(a) 7018 struct arth *a; 7019 { 7020 struct slist *s; 7021 7022 s = xfer_to_a(a); 7023 sappend(a->s, s); 7024 s = new_stmt(BPF_ALU|BPF_NEG); 7025 s->s.k = 0; 7026 sappend(a->s, s); 7027 s = new_stmt(BPF_ST); 7028 s->s.k = a->regno; 7029 sappend(a->s, s); 7030 7031 return a; 7032 } 7033 7034 struct arth * 7035 gen_arth(code, a0, a1) 7036 int code; 7037 struct arth *a0, *a1; 7038 { 7039 struct slist *s0, *s1, *s2; 7040 7041 s0 = xfer_to_x(a1); 7042 s1 = xfer_to_a(a0); 7043 s2 = new_stmt(BPF_ALU|BPF_X|code); 7044 7045 sappend(s1, s2); 7046 sappend(s0, s1); 7047 sappend(a1->s, s0); 7048 sappend(a0->s, a1->s); 7049 7050 free_reg(a0->regno); 7051 free_reg(a1->regno); 7052 7053 s0 = new_stmt(BPF_ST); 7054 a0->regno = s0->s.k = alloc_reg(); 7055 sappend(a0->s, s0); 7056 7057 return a0; 7058 } 7059 7060 /* 7061 * Here we handle simple allocation of the scratch registers. 7062 * If too many registers are alloc'd, the allocator punts. 7063 */ 7064 static int regused[BPF_MEMWORDS]; 7065 static int curreg; 7066 7067 /* 7068 * Initialize the table of used registers and the current register. 7069 */ 7070 static void 7071 init_regs() 7072 { 7073 curreg = 0; 7074 memset(regused, 0, sizeof regused); 7075 } 7076 7077 /* 7078 * Return the next free register. 7079 */ 7080 static int 7081 alloc_reg() 7082 { 7083 int n = BPF_MEMWORDS; 7084 7085 while (--n >= 0) { 7086 if (regused[curreg]) 7087 curreg = (curreg + 1) % BPF_MEMWORDS; 7088 else { 7089 regused[curreg] = 1; 7090 return curreg; 7091 } 7092 } 7093 bpf_error("too many registers needed to evaluate expression"); 7094 /* NOTREACHED */ 7095 return 0; 7096 } 7097 7098 /* 7099 * Return a register to the table so it can 7100 * be used later. 7101 */ 7102 static void 7103 free_reg(n) 7104 int n; 7105 { 7106 regused[n] = 0; 7107 } 7108 7109 static struct block * 7110 gen_len(jmp, n) 7111 int jmp, n; 7112 { 7113 struct slist *s; 7114 struct block *b; 7115 7116 s = new_stmt(BPF_LD|BPF_LEN); 7117 b = new_block(JMP(jmp)); 7118 b->stmts = s; 7119 b->s.k = n; 7120 7121 return b; 7122 } 7123 7124 struct block * 7125 gen_greater(n) 7126 int n; 7127 { 7128 return gen_len(BPF_JGE, n); 7129 } 7130 7131 /* 7132 * Actually, this is less than or equal. 7133 */ 7134 struct block * 7135 gen_less(n) 7136 int n; 7137 { 7138 struct block *b; 7139 7140 b = gen_len(BPF_JGT, n); 7141 gen_not(b); 7142 7143 return b; 7144 } 7145 7146 /* 7147 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7148 * the beginning of the link-layer header. 7149 * XXX - that means you can't test values in the radiotap header, but 7150 * as that header is difficult if not impossible to parse generally 7151 * without a loop, that might not be a severe problem. A new keyword 7152 * "radio" could be added for that, although what you'd really want 7153 * would be a way of testing particular radio header values, which 7154 * would generate code appropriate to the radio header in question. 7155 */ 7156 struct block * 7157 gen_byteop(op, idx, val) 7158 int op, idx, val; 7159 { 7160 struct block *b; 7161 struct slist *s; 7162 7163 switch (op) { 7164 default: 7165 abort(); 7166 7167 case '=': 7168 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7169 7170 case '<': 7171 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7172 return b; 7173 7174 case '>': 7175 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7176 return b; 7177 7178 case '|': 7179 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7180 break; 7181 7182 case '&': 7183 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7184 break; 7185 } 7186 s->s.k = val; 7187 b = new_block(JMP(BPF_JEQ)); 7188 b->stmts = s; 7189 gen_not(b); 7190 7191 return b; 7192 } 7193 7194 static u_char abroadcast[] = { 0x0 }; 7195 7196 struct block * 7197 gen_broadcast(proto) 7198 int proto; 7199 { 7200 bpf_u_int32 hostmask; 7201 struct block *b0, *b1, *b2; 7202 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7203 7204 switch (proto) { 7205 7206 case Q_DEFAULT: 7207 case Q_LINK: 7208 switch (linktype) { 7209 case DLT_ARCNET: 7210 case DLT_ARCNET_LINUX: 7211 return gen_ahostop(abroadcast, Q_DST); 7212 case DLT_EN10MB: 7213 case DLT_NETANALYZER: 7214 case DLT_NETANALYZER_TRANSPARENT: 7215 return gen_ehostop(ebroadcast, Q_DST); 7216 case DLT_FDDI: 7217 return gen_fhostop(ebroadcast, Q_DST); 7218 case DLT_IEEE802: 7219 return gen_thostop(ebroadcast, Q_DST); 7220 case DLT_IEEE802_11: 7221 case DLT_PRISM_HEADER: 7222 case DLT_IEEE802_11_RADIO_AVS: 7223 case DLT_IEEE802_11_RADIO: 7224 case DLT_PPI: 7225 return gen_wlanhostop(ebroadcast, Q_DST); 7226 case DLT_IP_OVER_FC: 7227 return gen_ipfchostop(ebroadcast, Q_DST); 7228 case DLT_SUNATM: 7229 if (is_lane) { 7230 /* 7231 * Check that the packet doesn't begin with an 7232 * LE Control marker. (We've already generated 7233 * a test for LANE.) 7234 */ 7235 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7236 BPF_H, 0xFF00); 7237 gen_not(b1); 7238 7239 /* 7240 * Now check the MAC address. 7241 */ 7242 b0 = gen_ehostop(ebroadcast, Q_DST); 7243 gen_and(b1, b0); 7244 return b0; 7245 } 7246 break; 7247 default: 7248 bpf_error("not a broadcast link"); 7249 } 7250 break; 7251 7252 case Q_IP: 7253 /* 7254 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7255 * as an indication that we don't know the netmask, and fail 7256 * in that case. 7257 */ 7258 if (netmask == PCAP_NETMASK_UNKNOWN) 7259 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7260 b0 = gen_linktype(ETHERTYPE_IP); 7261 hostmask = ~netmask; 7262 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7263 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7264 (bpf_int32)(~0 & hostmask), hostmask); 7265 gen_or(b1, b2); 7266 gen_and(b0, b2); 7267 return b2; 7268 } 7269 bpf_error("only link-layer/IP broadcast filters supported"); 7270 /* NOTREACHED */ 7271 return NULL; 7272 } 7273 7274 /* 7275 * Generate code to test the low-order bit of a MAC address (that's 7276 * the bottom bit of the *first* byte). 7277 */ 7278 static struct block * 7279 gen_mac_multicast(offset) 7280 int offset; 7281 { 7282 register struct block *b0; 7283 register struct slist *s; 7284 7285 /* link[offset] & 1 != 0 */ 7286 s = gen_load_a(OR_LINK, offset, BPF_B); 7287 b0 = new_block(JMP(BPF_JSET)); 7288 b0->s.k = 1; 7289 b0->stmts = s; 7290 return b0; 7291 } 7292 7293 struct block * 7294 gen_multicast(proto) 7295 int proto; 7296 { 7297 register struct block *b0, *b1, *b2; 7298 register struct slist *s; 7299 7300 switch (proto) { 7301 7302 case Q_DEFAULT: 7303 case Q_LINK: 7304 switch (linktype) { 7305 case DLT_ARCNET: 7306 case DLT_ARCNET_LINUX: 7307 /* all ARCnet multicasts use the same address */ 7308 return gen_ahostop(abroadcast, Q_DST); 7309 case DLT_EN10MB: 7310 case DLT_NETANALYZER: 7311 case DLT_NETANALYZER_TRANSPARENT: 7312 /* ether[0] & 1 != 0 */ 7313 return gen_mac_multicast(0); 7314 case DLT_FDDI: 7315 /* 7316 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7317 * 7318 * XXX - was that referring to bit-order issues? 7319 */ 7320 /* fddi[1] & 1 != 0 */ 7321 return gen_mac_multicast(1); 7322 case DLT_IEEE802: 7323 /* tr[2] & 1 != 0 */ 7324 return gen_mac_multicast(2); 7325 case DLT_IEEE802_11: 7326 case DLT_PRISM_HEADER: 7327 case DLT_IEEE802_11_RADIO_AVS: 7328 case DLT_IEEE802_11_RADIO: 7329 case DLT_PPI: 7330 /* 7331 * Oh, yuk. 7332 * 7333 * For control frames, there is no DA. 7334 * 7335 * For management frames, DA is at an 7336 * offset of 4 from the beginning of 7337 * the packet. 7338 * 7339 * For data frames, DA is at an offset 7340 * of 4 from the beginning of the packet 7341 * if To DS is clear and at an offset of 7342 * 16 from the beginning of the packet 7343 * if To DS is set. 7344 */ 7345 7346 /* 7347 * Generate the tests to be done for data frames. 7348 * 7349 * First, check for To DS set, i.e. "link[1] & 0x01". 7350 */ 7351 s = gen_load_a(OR_LINK, 1, BPF_B); 7352 b1 = new_block(JMP(BPF_JSET)); 7353 b1->s.k = 0x01; /* To DS */ 7354 b1->stmts = s; 7355 7356 /* 7357 * If To DS is set, the DA is at 16. 7358 */ 7359 b0 = gen_mac_multicast(16); 7360 gen_and(b1, b0); 7361 7362 /* 7363 * Now, check for To DS not set, i.e. check 7364 * "!(link[1] & 0x01)". 7365 */ 7366 s = gen_load_a(OR_LINK, 1, BPF_B); 7367 b2 = new_block(JMP(BPF_JSET)); 7368 b2->s.k = 0x01; /* To DS */ 7369 b2->stmts = s; 7370 gen_not(b2); 7371 7372 /* 7373 * If To DS is not set, the DA is at 4. 7374 */ 7375 b1 = gen_mac_multicast(4); 7376 gen_and(b2, b1); 7377 7378 /* 7379 * Now OR together the last two checks. That gives 7380 * the complete set of checks for data frames. 7381 */ 7382 gen_or(b1, b0); 7383 7384 /* 7385 * Now check for a data frame. 7386 * I.e, check "link[0] & 0x08". 7387 */ 7388 s = gen_load_a(OR_LINK, 0, BPF_B); 7389 b1 = new_block(JMP(BPF_JSET)); 7390 b1->s.k = 0x08; 7391 b1->stmts = s; 7392 7393 /* 7394 * AND that with the checks done for data frames. 7395 */ 7396 gen_and(b1, b0); 7397 7398 /* 7399 * If the high-order bit of the type value is 0, this 7400 * is a management frame. 7401 * I.e, check "!(link[0] & 0x08)". 7402 */ 7403 s = gen_load_a(OR_LINK, 0, BPF_B); 7404 b2 = new_block(JMP(BPF_JSET)); 7405 b2->s.k = 0x08; 7406 b2->stmts = s; 7407 gen_not(b2); 7408 7409 /* 7410 * For management frames, the DA is at 4. 7411 */ 7412 b1 = gen_mac_multicast(4); 7413 gen_and(b2, b1); 7414 7415 /* 7416 * OR that with the checks done for data frames. 7417 * That gives the checks done for management and 7418 * data frames. 7419 */ 7420 gen_or(b1, b0); 7421 7422 /* 7423 * If the low-order bit of the type value is 1, 7424 * this is either a control frame or a frame 7425 * with a reserved type, and thus not a 7426 * frame with an SA. 7427 * 7428 * I.e., check "!(link[0] & 0x04)". 7429 */ 7430 s = gen_load_a(OR_LINK, 0, BPF_B); 7431 b1 = new_block(JMP(BPF_JSET)); 7432 b1->s.k = 0x04; 7433 b1->stmts = s; 7434 gen_not(b1); 7435 7436 /* 7437 * AND that with the checks for data and management 7438 * frames. 7439 */ 7440 gen_and(b1, b0); 7441 return b0; 7442 case DLT_IP_OVER_FC: 7443 b0 = gen_mac_multicast(2); 7444 return b0; 7445 case DLT_SUNATM: 7446 if (is_lane) { 7447 /* 7448 * Check that the packet doesn't begin with an 7449 * LE Control marker. (We've already generated 7450 * a test for LANE.) 7451 */ 7452 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7453 BPF_H, 0xFF00); 7454 gen_not(b1); 7455 7456 /* ether[off_mac] & 1 != 0 */ 7457 b0 = gen_mac_multicast(off_mac); 7458 gen_and(b1, b0); 7459 return b0; 7460 } 7461 break; 7462 default: 7463 break; 7464 } 7465 /* Link not known to support multicasts */ 7466 break; 7467 7468 case Q_IP: 7469 b0 = gen_linktype(ETHERTYPE_IP); 7470 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7471 gen_and(b0, b1); 7472 return b1; 7473 7474 #ifdef INET6 7475 case Q_IPV6: 7476 b0 = gen_linktype(ETHERTYPE_IPV6); 7477 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7478 gen_and(b0, b1); 7479 return b1; 7480 #endif /* INET6 */ 7481 } 7482 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7483 /* NOTREACHED */ 7484 return NULL; 7485 } 7486 7487 /* 7488 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7489 * Outbound traffic is sent by this machine, while inbound traffic is 7490 * sent by a remote machine (and may include packets destined for a 7491 * unicast or multicast link-layer address we are not subscribing to). 7492 * These are the same definitions implemented by pcap_setdirection(). 7493 * Capturing only unicast traffic destined for this host is probably 7494 * better accomplished using a higher-layer filter. 7495 */ 7496 struct block * 7497 gen_inbound(dir) 7498 int dir; 7499 { 7500 register struct block *b0; 7501 7502 /* 7503 * Only some data link types support inbound/outbound qualifiers. 7504 */ 7505 switch (linktype) { 7506 case DLT_SLIP: 7507 b0 = gen_relation(BPF_JEQ, 7508 gen_load(Q_LINK, gen_loadi(0), 1), 7509 gen_loadi(0), 7510 dir); 7511 break; 7512 7513 case DLT_IPNET: 7514 if (dir) { 7515 /* match outgoing packets */ 7516 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7517 } else { 7518 /* match incoming packets */ 7519 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7520 } 7521 break; 7522 7523 case DLT_LINUX_SLL: 7524 /* match outgoing packets */ 7525 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7526 if (!dir) { 7527 /* to filter on inbound traffic, invert the match */ 7528 gen_not(b0); 7529 } 7530 break; 7531 7532 #ifdef HAVE_NET_PFVAR_H 7533 case DLT_PFLOG: 7534 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7535 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7536 break; 7537 #endif 7538 7539 case DLT_PPP_PPPD: 7540 if (dir) { 7541 /* match outgoing packets */ 7542 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7543 } else { 7544 /* match incoming packets */ 7545 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7546 } 7547 break; 7548 7549 case DLT_JUNIPER_MFR: 7550 case DLT_JUNIPER_MLFR: 7551 case DLT_JUNIPER_MLPPP: 7552 case DLT_JUNIPER_ATM1: 7553 case DLT_JUNIPER_ATM2: 7554 case DLT_JUNIPER_PPPOE: 7555 case DLT_JUNIPER_PPPOE_ATM: 7556 case DLT_JUNIPER_GGSN: 7557 case DLT_JUNIPER_ES: 7558 case DLT_JUNIPER_MONITOR: 7559 case DLT_JUNIPER_SERVICES: 7560 case DLT_JUNIPER_ETHER: 7561 case DLT_JUNIPER_PPP: 7562 case DLT_JUNIPER_FRELAY: 7563 case DLT_JUNIPER_CHDLC: 7564 case DLT_JUNIPER_VP: 7565 case DLT_JUNIPER_ST: 7566 case DLT_JUNIPER_ISM: 7567 case DLT_JUNIPER_VS: 7568 case DLT_JUNIPER_SRX_E2E: 7569 case DLT_JUNIPER_FIBRECHANNEL: 7570 case DLT_JUNIPER_ATM_CEMIC: 7571 7572 /* juniper flags (including direction) are stored 7573 * the byte after the 3-byte magic number */ 7574 if (dir) { 7575 /* match outgoing packets */ 7576 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7577 } else { 7578 /* match incoming packets */ 7579 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7580 } 7581 break; 7582 7583 default: 7584 /* 7585 * If we have packet meta-data indicating a direction, 7586 * check it, otherwise give up as this link-layer type 7587 * has nothing in the packet data. 7588 */ 7589 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7590 /* 7591 * We infer that this is Linux with PF_PACKET support. 7592 * If this is a *live* capture, we can look at 7593 * special meta-data in the filter expression; 7594 * if it's a savefile, we can't. 7595 */ 7596 if (bpf_pcap->sf.rfile != NULL) { 7597 /* We have a FILE *, so this is a savefile */ 7598 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7599 linktype); 7600 b0 = NULL; 7601 /* NOTREACHED */ 7602 } 7603 /* match outgoing packets */ 7604 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7605 PACKET_OUTGOING); 7606 if (!dir) { 7607 /* to filter on inbound traffic, invert the match */ 7608 gen_not(b0); 7609 } 7610 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7611 bpf_error("inbound/outbound not supported on linktype %d", 7612 linktype); 7613 b0 = NULL; 7614 /* NOTREACHED */ 7615 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7616 } 7617 return (b0); 7618 } 7619 7620 #ifdef HAVE_NET_PFVAR_H 7621 /* PF firewall log matched interface */ 7622 struct block * 7623 gen_pf_ifname(const char *ifname) 7624 { 7625 struct block *b0; 7626 u_int len, off; 7627 7628 if (linktype != DLT_PFLOG) { 7629 bpf_error("ifname supported only on PF linktype"); 7630 /* NOTREACHED */ 7631 } 7632 len = sizeof(((struct pfloghdr *)0)->ifname); 7633 off = offsetof(struct pfloghdr, ifname); 7634 if (strlen(ifname) >= len) { 7635 bpf_error("ifname interface names can only be %d characters", 7636 len-1); 7637 /* NOTREACHED */ 7638 } 7639 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7640 return (b0); 7641 } 7642 7643 /* PF firewall log ruleset name */ 7644 struct block * 7645 gen_pf_ruleset(char *ruleset) 7646 { 7647 struct block *b0; 7648 7649 if (linktype != DLT_PFLOG) { 7650 bpf_error("ruleset supported only on PF linktype"); 7651 /* NOTREACHED */ 7652 } 7653 7654 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7655 bpf_error("ruleset names can only be %ld characters", 7656 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7657 /* NOTREACHED */ 7658 } 7659 7660 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7661 strlen(ruleset), (const u_char *)ruleset); 7662 return (b0); 7663 } 7664 7665 /* PF firewall log rule number */ 7666 struct block * 7667 gen_pf_rnr(int rnr) 7668 { 7669 struct block *b0; 7670 7671 if (linktype != DLT_PFLOG) { 7672 bpf_error("rnr supported only on PF linktype"); 7673 /* NOTREACHED */ 7674 } 7675 7676 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7677 (bpf_int32)rnr); 7678 return (b0); 7679 } 7680 7681 /* PF firewall log sub-rule number */ 7682 struct block * 7683 gen_pf_srnr(int srnr) 7684 { 7685 struct block *b0; 7686 7687 if (linktype != DLT_PFLOG) { 7688 bpf_error("srnr supported only on PF linktype"); 7689 /* NOTREACHED */ 7690 } 7691 7692 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7693 (bpf_int32)srnr); 7694 return (b0); 7695 } 7696 7697 /* PF firewall log reason code */ 7698 struct block * 7699 gen_pf_reason(int reason) 7700 { 7701 struct block *b0; 7702 7703 if (linktype != DLT_PFLOG) { 7704 bpf_error("reason supported only on PF linktype"); 7705 /* NOTREACHED */ 7706 } 7707 7708 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7709 (bpf_int32)reason); 7710 return (b0); 7711 } 7712 7713 /* PF firewall log action */ 7714 struct block * 7715 gen_pf_action(int action) 7716 { 7717 struct block *b0; 7718 7719 if (linktype != DLT_PFLOG) { 7720 bpf_error("action supported only on PF linktype"); 7721 /* NOTREACHED */ 7722 } 7723 7724 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7725 (bpf_int32)action); 7726 return (b0); 7727 } 7728 #else /* !HAVE_NET_PFVAR_H */ 7729 struct block * 7730 gen_pf_ifname(const char *ifname) 7731 { 7732 bpf_error("libpcap was compiled without pf support"); 7733 /* NOTREACHED */ 7734 return (NULL); 7735 } 7736 7737 struct block * 7738 gen_pf_ruleset(char *ruleset) 7739 { 7740 bpf_error("libpcap was compiled on a machine without pf support"); 7741 /* NOTREACHED */ 7742 return (NULL); 7743 } 7744 7745 struct block * 7746 gen_pf_rnr(int rnr) 7747 { 7748 bpf_error("libpcap was compiled on a machine without pf support"); 7749 /* NOTREACHED */ 7750 return (NULL); 7751 } 7752 7753 struct block * 7754 gen_pf_srnr(int srnr) 7755 { 7756 bpf_error("libpcap was compiled on a machine without pf support"); 7757 /* NOTREACHED */ 7758 return (NULL); 7759 } 7760 7761 struct block * 7762 gen_pf_reason(int reason) 7763 { 7764 bpf_error("libpcap was compiled on a machine without pf support"); 7765 /* NOTREACHED */ 7766 return (NULL); 7767 } 7768 7769 struct block * 7770 gen_pf_action(int action) 7771 { 7772 bpf_error("libpcap was compiled on a machine without pf support"); 7773 /* NOTREACHED */ 7774 return (NULL); 7775 } 7776 #endif /* HAVE_NET_PFVAR_H */ 7777 7778 /* IEEE 802.11 wireless header */ 7779 struct block * 7780 gen_p80211_type(int type, int mask) 7781 { 7782 struct block *b0; 7783 7784 switch (linktype) { 7785 7786 case DLT_IEEE802_11: 7787 case DLT_PRISM_HEADER: 7788 case DLT_IEEE802_11_RADIO_AVS: 7789 case DLT_IEEE802_11_RADIO: 7790 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7791 (bpf_int32)mask); 7792 break; 7793 7794 default: 7795 bpf_error("802.11 link-layer types supported only on 802.11"); 7796 /* NOTREACHED */ 7797 } 7798 7799 return (b0); 7800 } 7801 7802 struct block * 7803 gen_p80211_fcdir(int fcdir) 7804 { 7805 struct block *b0; 7806 7807 switch (linktype) { 7808 7809 case DLT_IEEE802_11: 7810 case DLT_PRISM_HEADER: 7811 case DLT_IEEE802_11_RADIO_AVS: 7812 case DLT_IEEE802_11_RADIO: 7813 break; 7814 7815 default: 7816 bpf_error("frame direction supported only with 802.11 headers"); 7817 /* NOTREACHED */ 7818 } 7819 7820 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7821 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7822 7823 return (b0); 7824 } 7825 7826 struct block * 7827 gen_acode(eaddr, q) 7828 register const u_char *eaddr; 7829 struct qual q; 7830 { 7831 switch (linktype) { 7832 7833 case DLT_ARCNET: 7834 case DLT_ARCNET_LINUX: 7835 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7836 q.proto == Q_LINK) 7837 return (gen_ahostop(eaddr, (int)q.dir)); 7838 else { 7839 bpf_error("ARCnet address used in non-arc expression"); 7840 /* NOTREACHED */ 7841 } 7842 break; 7843 7844 default: 7845 bpf_error("aid supported only on ARCnet"); 7846 /* NOTREACHED */ 7847 } 7848 bpf_error("ARCnet address used in non-arc expression"); 7849 /* NOTREACHED */ 7850 return NULL; 7851 } 7852 7853 static struct block * 7854 gen_ahostop(eaddr, dir) 7855 register const u_char *eaddr; 7856 register int dir; 7857 { 7858 register struct block *b0, *b1; 7859 7860 switch (dir) { 7861 /* src comes first, different from Ethernet */ 7862 case Q_SRC: 7863 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7864 7865 case Q_DST: 7866 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7867 7868 case Q_AND: 7869 b0 = gen_ahostop(eaddr, Q_SRC); 7870 b1 = gen_ahostop(eaddr, Q_DST); 7871 gen_and(b0, b1); 7872 return b1; 7873 7874 case Q_DEFAULT: 7875 case Q_OR: 7876 b0 = gen_ahostop(eaddr, Q_SRC); 7877 b1 = gen_ahostop(eaddr, Q_DST); 7878 gen_or(b0, b1); 7879 return b1; 7880 7881 case Q_ADDR1: 7882 bpf_error("'addr1' is only supported on 802.11"); 7883 break; 7884 7885 case Q_ADDR2: 7886 bpf_error("'addr2' is only supported on 802.11"); 7887 break; 7888 7889 case Q_ADDR3: 7890 bpf_error("'addr3' is only supported on 802.11"); 7891 break; 7892 7893 case Q_ADDR4: 7894 bpf_error("'addr4' is only supported on 802.11"); 7895 break; 7896 7897 case Q_RA: 7898 bpf_error("'ra' is only supported on 802.11"); 7899 break; 7900 7901 case Q_TA: 7902 bpf_error("'ta' is only supported on 802.11"); 7903 break; 7904 } 7905 abort(); 7906 /* NOTREACHED */ 7907 } 7908 7909 /* 7910 * support IEEE 802.1Q VLAN trunk over ethernet 7911 */ 7912 struct block * 7913 gen_vlan(vlan_num) 7914 int vlan_num; 7915 { 7916 struct block *b0, *b1; 7917 7918 /* can't check for VLAN-encapsulated packets inside MPLS */ 7919 if (label_stack_depth > 0) 7920 bpf_error("no VLAN match after MPLS"); 7921 7922 /* 7923 * Check for a VLAN packet, and then change the offsets to point 7924 * to the type and data fields within the VLAN packet. Just 7925 * increment the offsets, so that we can support a hierarchy, e.g. 7926 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7927 * VLAN 100. 7928 * 7929 * XXX - this is a bit of a kludge. If we were to split the 7930 * compiler into a parser that parses an expression and 7931 * generates an expression tree, and a code generator that 7932 * takes an expression tree (which could come from our 7933 * parser or from some other parser) and generates BPF code, 7934 * we could perhaps make the offsets parameters of routines 7935 * and, in the handler for an "AND" node, pass to subnodes 7936 * other than the VLAN node the adjusted offsets. 7937 * 7938 * This would mean that "vlan" would, instead of changing the 7939 * behavior of *all* tests after it, change only the behavior 7940 * of tests ANDed with it. That would change the documented 7941 * semantics of "vlan", which might break some expressions. 7942 * However, it would mean that "(vlan and ip) or ip" would check 7943 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7944 * checking only for VLAN-encapsulated IP, so that could still 7945 * be considered worth doing; it wouldn't break expressions 7946 * that are of the form "vlan and ..." or "vlan N and ...", 7947 * which I suspect are the most common expressions involving 7948 * "vlan". "vlan or ..." doesn't necessarily do what the user 7949 * would really want, now, as all the "or ..." tests would 7950 * be done assuming a VLAN, even though the "or" could be viewed 7951 * as meaning "or, if this isn't a VLAN packet...". 7952 */ 7953 orig_nl = off_nl; 7954 7955 switch (linktype) { 7956 7957 case DLT_EN10MB: 7958 case DLT_NETANALYZER: 7959 case DLT_NETANALYZER_TRANSPARENT: 7960 /* check for VLAN, including QinQ */ 7961 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7962 (bpf_int32)ETHERTYPE_8021Q); 7963 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7964 (bpf_int32)ETHERTYPE_8021QINQ); 7965 gen_or(b0,b1); 7966 b0 = b1; 7967 7968 /* If a specific VLAN is requested, check VLAN id */ 7969 if (vlan_num >= 0) { 7970 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7971 (bpf_int32)vlan_num, 0x0fff); 7972 gen_and(b0, b1); 7973 b0 = b1; 7974 } 7975 7976 off_macpl += 4; 7977 off_linktype += 4; 7978 #if 0 7979 off_nl_nosnap += 4; 7980 off_nl += 4; 7981 #endif 7982 break; 7983 7984 default: 7985 bpf_error("no VLAN support for data link type %d", 7986 linktype); 7987 /*NOTREACHED*/ 7988 } 7989 7990 return (b0); 7991 } 7992 7993 /* 7994 * support for MPLS 7995 */ 7996 struct block * 7997 gen_mpls(label_num) 7998 int label_num; 7999 { 8000 struct block *b0,*b1; 8001 8002 /* 8003 * Change the offsets to point to the type and data fields within 8004 * the MPLS packet. Just increment the offsets, so that we 8005 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8006 * capture packets with an outer label of 100000 and an inner 8007 * label of 1024. 8008 * 8009 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8010 */ 8011 orig_nl = off_nl; 8012 8013 if (label_stack_depth > 0) { 8014 /* just match the bottom-of-stack bit clear */ 8015 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 8016 } else { 8017 /* 8018 * Indicate that we're checking MPLS-encapsulated headers, 8019 * to make sure higher level code generators don't try to 8020 * match against IP-related protocols such as Q_ARP, Q_RARP 8021 * etc. 8022 */ 8023 switch (linktype) { 8024 8025 case DLT_C_HDLC: /* fall through */ 8026 case DLT_EN10MB: 8027 case DLT_NETANALYZER: 8028 case DLT_NETANALYZER_TRANSPARENT: 8029 b0 = gen_linktype(ETHERTYPE_MPLS); 8030 break; 8031 8032 case DLT_PPP: 8033 b0 = gen_linktype(PPP_MPLS_UCAST); 8034 break; 8035 8036 /* FIXME add other DLT_s ... 8037 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8038 * leave it for now */ 8039 8040 default: 8041 bpf_error("no MPLS support for data link type %d", 8042 linktype); 8043 b0 = NULL; 8044 /*NOTREACHED*/ 8045 break; 8046 } 8047 } 8048 8049 /* If a specific MPLS label is requested, check it */ 8050 if (label_num >= 0) { 8051 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8052 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8053 0xfffff000); /* only compare the first 20 bits */ 8054 gen_and(b0, b1); 8055 b0 = b1; 8056 } 8057 8058 off_nl_nosnap += 4; 8059 off_nl += 4; 8060 label_stack_depth++; 8061 return (b0); 8062 } 8063 8064 /* 8065 * Support PPPOE discovery and session. 8066 */ 8067 struct block * 8068 gen_pppoed() 8069 { 8070 /* check for PPPoE discovery */ 8071 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8072 } 8073 8074 struct block * 8075 gen_pppoes() 8076 { 8077 struct block *b0; 8078 8079 /* 8080 * Test against the PPPoE session link-layer type. 8081 */ 8082 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8083 8084 /* 8085 * Change the offsets to point to the type and data fields within 8086 * the PPP packet, and note that this is PPPoE rather than 8087 * raw PPP. 8088 * 8089 * XXX - this is a bit of a kludge. If we were to split the 8090 * compiler into a parser that parses an expression and 8091 * generates an expression tree, and a code generator that 8092 * takes an expression tree (which could come from our 8093 * parser or from some other parser) and generates BPF code, 8094 * we could perhaps make the offsets parameters of routines 8095 * and, in the handler for an "AND" node, pass to subnodes 8096 * other than the PPPoE node the adjusted offsets. 8097 * 8098 * This would mean that "pppoes" would, instead of changing the 8099 * behavior of *all* tests after it, change only the behavior 8100 * of tests ANDed with it. That would change the documented 8101 * semantics of "pppoes", which might break some expressions. 8102 * However, it would mean that "(pppoes and ip) or ip" would check 8103 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8104 * checking only for VLAN-encapsulated IP, so that could still 8105 * be considered worth doing; it wouldn't break expressions 8106 * that are of the form "pppoes and ..." which I suspect are the 8107 * most common expressions involving "pppoes". "pppoes or ..." 8108 * doesn't necessarily do what the user would really want, now, 8109 * as all the "or ..." tests would be done assuming PPPoE, even 8110 * though the "or" could be viewed as meaning "or, if this isn't 8111 * a PPPoE packet...". 8112 */ 8113 orig_linktype = off_linktype; /* save original values */ 8114 orig_nl = off_nl; 8115 is_pppoes = 1; 8116 8117 /* 8118 * The "network-layer" protocol is PPPoE, which has a 6-byte 8119 * PPPoE header, followed by a PPP packet. 8120 * 8121 * There is no HDLC encapsulation for the PPP packet (it's 8122 * encapsulated in PPPoES instead), so the link-layer type 8123 * starts at the first byte of the PPP packet. For PPPoE, 8124 * that offset is relative to the beginning of the total 8125 * link-layer payload, including any 802.2 LLC header, so 8126 * it's 6 bytes past off_nl. 8127 */ 8128 off_linktype = off_nl + 6; 8129 8130 /* 8131 * The network-layer offsets are relative to the beginning 8132 * of the MAC-layer payload; that's past the 6-byte 8133 * PPPoE header and the 2-byte PPP header. 8134 */ 8135 off_nl = 6+2; 8136 off_nl_nosnap = 6+2; 8137 8138 return b0; 8139 } 8140 8141 struct block * 8142 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8143 int atmfield; 8144 bpf_int32 jvalue; 8145 bpf_u_int32 jtype; 8146 int reverse; 8147 { 8148 struct block *b0; 8149 8150 switch (atmfield) { 8151 8152 case A_VPI: 8153 if (!is_atm) 8154 bpf_error("'vpi' supported only on raw ATM"); 8155 if (off_vpi == (u_int)-1) 8156 abort(); 8157 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8158 reverse, jvalue); 8159 break; 8160 8161 case A_VCI: 8162 if (!is_atm) 8163 bpf_error("'vci' supported only on raw ATM"); 8164 if (off_vci == (u_int)-1) 8165 abort(); 8166 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8167 reverse, jvalue); 8168 break; 8169 8170 case A_PROTOTYPE: 8171 if (off_proto == (u_int)-1) 8172 abort(); /* XXX - this isn't on FreeBSD */ 8173 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8174 reverse, jvalue); 8175 break; 8176 8177 case A_MSGTYPE: 8178 if (off_payload == (u_int)-1) 8179 abort(); 8180 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8181 0xffffffff, jtype, reverse, jvalue); 8182 break; 8183 8184 case A_CALLREFTYPE: 8185 if (!is_atm) 8186 bpf_error("'callref' supported only on raw ATM"); 8187 if (off_proto == (u_int)-1) 8188 abort(); 8189 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8190 jtype, reverse, jvalue); 8191 break; 8192 8193 default: 8194 abort(); 8195 } 8196 return b0; 8197 } 8198 8199 struct block * 8200 gen_atmtype_abbrev(type) 8201 int type; 8202 { 8203 struct block *b0, *b1; 8204 8205 switch (type) { 8206 8207 case A_METAC: 8208 /* Get all packets in Meta signalling Circuit */ 8209 if (!is_atm) 8210 bpf_error("'metac' supported only on raw ATM"); 8211 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8212 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8213 gen_and(b0, b1); 8214 break; 8215 8216 case A_BCC: 8217 /* Get all packets in Broadcast Circuit*/ 8218 if (!is_atm) 8219 bpf_error("'bcc' supported only on raw ATM"); 8220 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8221 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8222 gen_and(b0, b1); 8223 break; 8224 8225 case A_OAMF4SC: 8226 /* Get all cells in Segment OAM F4 circuit*/ 8227 if (!is_atm) 8228 bpf_error("'oam4sc' supported only on raw ATM"); 8229 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8230 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8231 gen_and(b0, b1); 8232 break; 8233 8234 case A_OAMF4EC: 8235 /* Get all cells in End-to-End OAM F4 Circuit*/ 8236 if (!is_atm) 8237 bpf_error("'oam4ec' supported only on raw ATM"); 8238 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8239 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8240 gen_and(b0, b1); 8241 break; 8242 8243 case A_SC: 8244 /* Get all packets in connection Signalling Circuit */ 8245 if (!is_atm) 8246 bpf_error("'sc' supported only on raw ATM"); 8247 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8248 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8249 gen_and(b0, b1); 8250 break; 8251 8252 case A_ILMIC: 8253 /* Get all packets in ILMI Circuit */ 8254 if (!is_atm) 8255 bpf_error("'ilmic' supported only on raw ATM"); 8256 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8257 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8258 gen_and(b0, b1); 8259 break; 8260 8261 case A_LANE: 8262 /* Get all LANE packets */ 8263 if (!is_atm) 8264 bpf_error("'lane' supported only on raw ATM"); 8265 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8266 8267 /* 8268 * Arrange that all subsequent tests assume LANE 8269 * rather than LLC-encapsulated packets, and set 8270 * the offsets appropriately for LANE-encapsulated 8271 * Ethernet. 8272 * 8273 * "off_mac" is the offset of the Ethernet header, 8274 * which is 2 bytes past the ATM pseudo-header 8275 * (skipping the pseudo-header and 2-byte LE Client 8276 * field). The other offsets are Ethernet offsets 8277 * relative to "off_mac". 8278 */ 8279 is_lane = 1; 8280 off_mac = off_payload + 2; /* MAC header */ 8281 off_linktype = off_mac + 12; 8282 off_macpl = off_mac + 14; /* Ethernet */ 8283 off_nl = 0; /* Ethernet II */ 8284 off_nl_nosnap = 3; /* 802.3+802.2 */ 8285 break; 8286 8287 case A_LLC: 8288 /* Get all LLC-encapsulated packets */ 8289 if (!is_atm) 8290 bpf_error("'llc' supported only on raw ATM"); 8291 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8292 is_lane = 0; 8293 break; 8294 8295 default: 8296 abort(); 8297 } 8298 return b1; 8299 } 8300 8301 /* 8302 * Filtering for MTP2 messages based on li value 8303 * FISU, length is null 8304 * LSSU, length is 1 or 2 8305 * MSU, length is 3 or more 8306 */ 8307 struct block * 8308 gen_mtp2type_abbrev(type) 8309 int type; 8310 { 8311 struct block *b0, *b1; 8312 8313 switch (type) { 8314 8315 case M_FISU: 8316 if ( (linktype != DLT_MTP2) && 8317 (linktype != DLT_ERF) && 8318 (linktype != DLT_MTP2_WITH_PHDR) ) 8319 bpf_error("'fisu' supported only on MTP2"); 8320 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8321 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8322 break; 8323 8324 case M_LSSU: 8325 if ( (linktype != DLT_MTP2) && 8326 (linktype != DLT_ERF) && 8327 (linktype != DLT_MTP2_WITH_PHDR) ) 8328 bpf_error("'lssu' supported only on MTP2"); 8329 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8330 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8331 gen_and(b1, b0); 8332 break; 8333 8334 case M_MSU: 8335 if ( (linktype != DLT_MTP2) && 8336 (linktype != DLT_ERF) && 8337 (linktype != DLT_MTP2_WITH_PHDR) ) 8338 bpf_error("'msu' supported only on MTP2"); 8339 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8340 break; 8341 8342 default: 8343 abort(); 8344 } 8345 return b0; 8346 } 8347 8348 struct block * 8349 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8350 int mtp3field; 8351 bpf_u_int32 jvalue; 8352 bpf_u_int32 jtype; 8353 int reverse; 8354 { 8355 struct block *b0; 8356 bpf_u_int32 val1 , val2 , val3; 8357 8358 switch (mtp3field) { 8359 8360 case M_SIO: 8361 if (off_sio == (u_int)-1) 8362 bpf_error("'sio' supported only on SS7"); 8363 /* sio coded on 1 byte so max value 255 */ 8364 if(jvalue > 255) 8365 bpf_error("sio value %u too big; max value = 255", 8366 jvalue); 8367 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8368 (u_int)jtype, reverse, (u_int)jvalue); 8369 break; 8370 8371 case M_OPC: 8372 if (off_opc == (u_int)-1) 8373 bpf_error("'opc' supported only on SS7"); 8374 /* opc coded on 14 bits so max value 16383 */ 8375 if (jvalue > 16383) 8376 bpf_error("opc value %u too big; max value = 16383", 8377 jvalue); 8378 /* the following instructions are made to convert jvalue 8379 * to the form used to write opc in an ss7 message*/ 8380 val1 = jvalue & 0x00003c00; 8381 val1 = val1 >>10; 8382 val2 = jvalue & 0x000003fc; 8383 val2 = val2 <<6; 8384 val3 = jvalue & 0x00000003; 8385 val3 = val3 <<22; 8386 jvalue = val1 + val2 + val3; 8387 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8388 (u_int)jtype, reverse, (u_int)jvalue); 8389 break; 8390 8391 case M_DPC: 8392 if (off_dpc == (u_int)-1) 8393 bpf_error("'dpc' supported only on SS7"); 8394 /* dpc coded on 14 bits so max value 16383 */ 8395 if (jvalue > 16383) 8396 bpf_error("dpc value %u too big; max value = 16383", 8397 jvalue); 8398 /* the following instructions are made to convert jvalue 8399 * to the forme used to write dpc in an ss7 message*/ 8400 val1 = jvalue & 0x000000ff; 8401 val1 = val1 << 24; 8402 val2 = jvalue & 0x00003f00; 8403 val2 = val2 << 8; 8404 jvalue = val1 + val2; 8405 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8406 (u_int)jtype, reverse, (u_int)jvalue); 8407 break; 8408 8409 case M_SLS: 8410 if (off_sls == (u_int)-1) 8411 bpf_error("'sls' supported only on SS7"); 8412 /* sls coded on 4 bits so max value 15 */ 8413 if (jvalue > 15) 8414 bpf_error("sls value %u too big; max value = 15", 8415 jvalue); 8416 /* the following instruction is made to convert jvalue 8417 * to the forme used to write sls in an ss7 message*/ 8418 jvalue = jvalue << 4; 8419 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8420 (u_int)jtype,reverse, (u_int)jvalue); 8421 break; 8422 8423 default: 8424 abort(); 8425 } 8426 return b0; 8427 } 8428 8429 static struct block * 8430 gen_msg_abbrev(type) 8431 int type; 8432 { 8433 struct block *b1; 8434 8435 /* 8436 * Q.2931 signalling protocol messages for handling virtual circuits 8437 * establishment and teardown 8438 */ 8439 switch (type) { 8440 8441 case A_SETUP: 8442 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8443 break; 8444 8445 case A_CALLPROCEED: 8446 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8447 break; 8448 8449 case A_CONNECT: 8450 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8451 break; 8452 8453 case A_CONNECTACK: 8454 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8455 break; 8456 8457 case A_RELEASE: 8458 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8459 break; 8460 8461 case A_RELEASE_DONE: 8462 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8463 break; 8464 8465 default: 8466 abort(); 8467 } 8468 return b1; 8469 } 8470 8471 struct block * 8472 gen_atmmulti_abbrev(type) 8473 int type; 8474 { 8475 struct block *b0, *b1; 8476 8477 switch (type) { 8478 8479 case A_OAM: 8480 if (!is_atm) 8481 bpf_error("'oam' supported only on raw ATM"); 8482 b1 = gen_atmmulti_abbrev(A_OAMF4); 8483 break; 8484 8485 case A_OAMF4: 8486 if (!is_atm) 8487 bpf_error("'oamf4' supported only on raw ATM"); 8488 /* OAM F4 type */ 8489 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8490 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8491 gen_or(b0, b1); 8492 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8493 gen_and(b0, b1); 8494 break; 8495 8496 case A_CONNECTMSG: 8497 /* 8498 * Get Q.2931 signalling messages for switched 8499 * virtual connection 8500 */ 8501 if (!is_atm) 8502 bpf_error("'connectmsg' supported only on raw ATM"); 8503 b0 = gen_msg_abbrev(A_SETUP); 8504 b1 = gen_msg_abbrev(A_CALLPROCEED); 8505 gen_or(b0, b1); 8506 b0 = gen_msg_abbrev(A_CONNECT); 8507 gen_or(b0, b1); 8508 b0 = gen_msg_abbrev(A_CONNECTACK); 8509 gen_or(b0, b1); 8510 b0 = gen_msg_abbrev(A_RELEASE); 8511 gen_or(b0, b1); 8512 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8513 gen_or(b0, b1); 8514 b0 = gen_atmtype_abbrev(A_SC); 8515 gen_and(b0, b1); 8516 break; 8517 8518 case A_METACONNECT: 8519 if (!is_atm) 8520 bpf_error("'metaconnect' supported only on raw ATM"); 8521 b0 = gen_msg_abbrev(A_SETUP); 8522 b1 = gen_msg_abbrev(A_CALLPROCEED); 8523 gen_or(b0, b1); 8524 b0 = gen_msg_abbrev(A_CONNECT); 8525 gen_or(b0, b1); 8526 b0 = gen_msg_abbrev(A_RELEASE); 8527 gen_or(b0, b1); 8528 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8529 gen_or(b0, b1); 8530 b0 = gen_atmtype_abbrev(A_METAC); 8531 gen_and(b0, b1); 8532 break; 8533 8534 default: 8535 abort(); 8536 } 8537 return b1; 8538 } 8539