1 /* $NetBSD: gencode.c,v 1.8 2015/03/31 21:39:42 christos Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 25 #include <sys/cdefs.h> 26 __RCSID("$NetBSD: gencode.c,v 1.8 2015/03/31 21:39:42 christos Exp $"); 27 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #ifdef WIN32 33 #include <pcap-stdinc.h> 34 #else /* WIN32 */ 35 #if HAVE_INTTYPES_H 36 #include <inttypes.h> 37 #elif HAVE_STDINT_H 38 #include <stdint.h> 39 #endif 40 #ifdef HAVE_SYS_BITYPES_H 41 #include <sys/bitypes.h> 42 #endif 43 #include <sys/types.h> 44 #include <sys/socket.h> 45 #endif /* WIN32 */ 46 47 /* 48 * XXX - why was this included even on UNIX? 49 */ 50 #ifdef __MINGW32__ 51 #include "ip6_misc.h" 52 #endif 53 54 #ifndef WIN32 55 56 #ifdef __NetBSD__ 57 #include <sys/param.h> 58 #include <net/dlt.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 90 #include <linux/types.h> 91 #include <linux/if_packet.h> 92 #include <linux/filter.h> 93 #endif 94 #ifdef HAVE_NET_PFVAR_H 95 #include <sys/socket.h> 96 #include <net/if.h> 97 #include <net/pfvar.h> 98 #include <net/if_pflog.h> 99 #endif 100 #ifndef offsetof 101 #define offsetof(s, e) ((size_t)&((s *)0)->e) 102 #endif 103 #ifdef INET6 104 #ifndef WIN32 105 #include <netdb.h> /* for "struct addrinfo" */ 106 #endif /* WIN32 */ 107 #endif /*INET6*/ 108 #include <pcap/namedb.h> 109 110 #define ETHERMTU 1500 111 112 #ifndef ETHERTYPE_TEB 113 #define ETHERTYPE_TEB 0x6558 114 #endif 115 116 #ifndef IPPROTO_HOPOPTS 117 #define IPPROTO_HOPOPTS 0 118 #endif 119 #ifndef IPPROTO_ROUTING 120 #define IPPROTO_ROUTING 43 121 #endif 122 #ifndef IPPROTO_FRAGMENT 123 #define IPPROTO_FRAGMENT 44 124 #endif 125 #ifndef IPPROTO_DSTOPTS 126 #define IPPROTO_DSTOPTS 60 127 #endif 128 #ifndef IPPROTO_SCTP 129 #define IPPROTO_SCTP 132 130 #endif 131 132 #define GENEVE_PORT 6081 133 134 #ifdef HAVE_OS_PROTO_H 135 #include "os-proto.h" 136 #endif 137 138 #define JMP(c) ((c)|BPF_JMP|BPF_K) 139 140 /* Locals */ 141 static jmp_buf top_ctx; 142 static pcap_t *bpf_pcap; 143 144 /* Hack for handling VLAN and MPLS stacks. */ 145 #ifdef WIN32 146 static u_int label_stack_depth = (u_int)-1, vlan_stack_depth = (u_int)-1; 147 #else 148 static u_int label_stack_depth = -1U, vlan_stack_depth = -1U; 149 #endif 150 151 /* XXX */ 152 static int pcap_fddipad; 153 154 /* VARARGS */ 155 void 156 bpf_error(const char *fmt, ...) 157 { 158 va_list ap; 159 160 va_start(ap, fmt); 161 if (bpf_pcap != NULL) 162 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 163 fmt, ap); 164 va_end(ap); 165 longjmp(top_ctx, 1); 166 /* NOTREACHED */ 167 } 168 169 static void init_linktype(pcap_t *); 170 171 static void init_regs(void); 172 static int alloc_reg(void); 173 static void free_reg(int); 174 175 static struct block *root; 176 177 /* 178 * Absolute offsets, which are offsets from the beginning of the raw 179 * packet data, are, in the general case, the sum of a variable value 180 * and a constant value; the variable value may be absent, in which 181 * case the offset is only the constant value, and the constant value 182 * may be zero, in which case the offset is only the variable value. 183 * 184 * bpf_abs_offset is a structure containing all that information: 185 * 186 * is_variable is 1 if there's a variable part. 187 * 188 * constant_part is the constant part of the value, possibly zero; 189 * 190 * if is_variable is 1, reg is the register number for a register 191 * containing the variable value if the register has been assigned, 192 * and -1 otherwise. 193 */ 194 typedef struct { 195 int is_variable; 196 u_int constant_part; 197 int reg; 198 } bpf_abs_offset; 199 200 /* 201 * Value passed to gen_load_a() to indicate what the offset argument 202 * is relative to the beginning of. 203 */ 204 enum e_offrel { 205 OR_PACKET, /* full packet data */ 206 OR_LINKHDR, /* link-layer header */ 207 OR_PREVLINKHDR, /* previous link-layer header */ 208 OR_LLC, /* 802.2 LLC header */ 209 OR_PREVMPLSHDR, /* previous MPLS header */ 210 OR_LINKTYPE, /* link-layer type */ 211 OR_LINKPL, /* link-layer payload */ 212 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 213 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 214 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 215 }; 216 217 #ifdef INET6 218 /* 219 * As errors are handled by a longjmp, anything allocated must be freed 220 * in the longjmp handler, so it must be reachable from that handler. 221 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 222 * it must be freed with freeaddrinfo(). This variable points to any 223 * addrinfo structure that would need to be freed. 224 */ 225 static struct addrinfo *ai; 226 #endif 227 228 /* 229 * We divy out chunks of memory rather than call malloc each time so 230 * we don't have to worry about leaking memory. It's probably 231 * not a big deal if all this memory was wasted but if this ever 232 * goes into a library that would probably not be a good idea. 233 * 234 * XXX - this *is* in a library.... 235 */ 236 #define NCHUNKS 16 237 #define CHUNK0SIZE 1024 238 struct chunk { 239 u_int n_left; 240 void *m; 241 }; 242 243 static struct chunk chunks[NCHUNKS]; 244 static int cur_chunk; 245 246 static void *newchunk(u_int); 247 static void freechunks(void); 248 static inline struct block *new_block(int); 249 static inline struct slist *new_stmt(int); 250 static struct block *gen_retblk(int); 251 static inline void syntax(void); 252 253 static void backpatch(struct block *, struct block *); 254 static void merge(struct block *, struct block *); 255 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 256 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 257 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 258 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 259 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 260 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 261 bpf_u_int32); 262 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 263 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 264 bpf_u_int32, bpf_u_int32, int, bpf_int32); 265 static struct slist *gen_load_absoffsetrel(bpf_abs_offset *, u_int, u_int); 266 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 267 static struct slist *gen_loadx_iphdrlen(void); 268 static struct block *gen_uncond(int); 269 static inline struct block *gen_true(void); 270 static inline struct block *gen_false(void); 271 static struct block *gen_ether_linktype(int); 272 static struct block *gen_ipnet_linktype(int); 273 static struct block *gen_linux_sll_linktype(int); 274 static struct slist *gen_load_prism_llprefixlen(void); 275 static struct slist *gen_load_avs_llprefixlen(void); 276 static struct slist *gen_load_radiotap_llprefixlen(void); 277 static struct slist *gen_load_ppi_llprefixlen(void); 278 static void insert_compute_vloffsets(struct block *); 279 static struct slist *gen_abs_offset_varpart(bpf_abs_offset *); 280 static int ethertype_to_ppptype(int); 281 static struct block *gen_linktype(int); 282 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 283 static struct block *gen_llc_linktype(int); 284 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 285 #ifdef INET6 286 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 287 #endif 288 static struct block *gen_ahostop(const u_char *, int); 289 static struct block *gen_ehostop(const u_char *, int); 290 static struct block *gen_fhostop(const u_char *, int); 291 static struct block *gen_thostop(const u_char *, int); 292 static struct block *gen_wlanhostop(const u_char *, int); 293 static struct block *gen_ipfchostop(const u_char *, int); 294 static struct block *gen_dnhostop(bpf_u_int32, int); 295 static struct block *gen_mpls_linktype(int); 296 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 297 #ifdef INET6 298 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 299 #endif 300 #ifndef INET6 301 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 302 #endif 303 static struct block *gen_ipfrag(void); 304 static struct block *gen_portatom(int, bpf_int32); 305 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 306 static struct block *gen_portatom6(int, bpf_int32); 307 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 308 struct block *gen_portop(int, int, int); 309 static struct block *gen_port(int, int, int); 310 struct block *gen_portrangeop(int, int, int, int); 311 static struct block *gen_portrange(int, int, int, int); 312 struct block *gen_portop6(int, int, int); 313 static struct block *gen_port6(int, int, int); 314 struct block *gen_portrangeop6(int, int, int, int); 315 static struct block *gen_portrange6(int, int, int, int); 316 static int lookup_proto(const char *, int); 317 static struct block *gen_protochain(int, int, int); 318 static struct block *gen_proto(int, int, int); 319 static struct slist *xfer_to_x(struct arth *); 320 static struct slist *xfer_to_a(struct arth *); 321 static struct block *gen_mac_multicast(int); 322 static struct block *gen_len(int, int); 323 static struct block *gen_check_802_11_data_frame(void); 324 static struct block *gen_geneve_ll_check(void); 325 326 static struct block *gen_ppi_dlt_check(void); 327 static struct block *gen_msg_abbrev(int type); 328 329 static void * 330 newchunk(n) 331 u_int n; 332 { 333 struct chunk *cp; 334 int k; 335 size_t size; 336 337 #ifndef __NetBSD__ 338 /* XXX Round up to nearest long. */ 339 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 340 #else 341 /* XXX Round up to structure boundary. */ 342 n = ALIGN(n); 343 #endif 344 345 cp = &chunks[cur_chunk]; 346 if (n > cp->n_left) { 347 ++cp, k = ++cur_chunk; 348 if (k >= NCHUNKS) 349 bpf_error("out of memory"); 350 size = CHUNK0SIZE << k; 351 cp->m = (void *)malloc(size); 352 if (cp->m == NULL) 353 bpf_error("out of memory"); 354 memset((char *)cp->m, 0, size); 355 cp->n_left = size; 356 if (n > size) 357 bpf_error("out of memory"); 358 } 359 cp->n_left -= n; 360 return (void *)((char *)cp->m + cp->n_left); 361 } 362 363 static void 364 freechunks() 365 { 366 int i; 367 368 cur_chunk = 0; 369 for (i = 0; i < NCHUNKS; ++i) 370 if (chunks[i].m != NULL) { 371 free(chunks[i].m); 372 chunks[i].m = NULL; 373 } 374 } 375 376 /* 377 * A strdup whose allocations are freed after code generation is over. 378 */ 379 char * 380 sdup(s) 381 register const char *s; 382 { 383 int n = strlen(s) + 1; 384 char *cp = newchunk(n); 385 386 strlcpy(cp, s, n); 387 return (cp); 388 } 389 390 static inline struct block * 391 new_block(code) 392 int code; 393 { 394 struct block *p; 395 396 p = (struct block *)newchunk(sizeof(*p)); 397 p->s.code = code; 398 p->head = p; 399 400 return p; 401 } 402 403 static inline struct slist * 404 new_stmt(code) 405 int code; 406 { 407 struct slist *p; 408 409 p = (struct slist *)newchunk(sizeof(*p)); 410 p->s.code = code; 411 412 return p; 413 } 414 415 static struct block * 416 gen_retblk(v) 417 int v; 418 { 419 struct block *b = new_block(BPF_RET|BPF_K); 420 421 b->s.k = v; 422 return b; 423 } 424 425 __dead static inline void 426 syntax(void) 427 { 428 bpf_error("syntax error in filter expression"); 429 } 430 431 static bpf_u_int32 netmask; 432 static int snaplen; 433 int no_optimize; 434 435 int 436 pcap_compile(pcap_t *p, struct bpf_program *program, 437 const char *buf, int optimize, bpf_u_int32 mask) 438 { 439 extern int n_errors; 440 const char * volatile xbuf = buf; 441 u_int len; 442 int rc; 443 444 /* 445 * XXX - single-thread this code path with pthread calls on 446 * UN*X, if the platform supports pthreads? If that requires 447 * a separate -lpthread, we might not want to do that. 448 */ 449 #ifdef WIN32 450 extern int wsockinit (void); 451 static int done = 0; 452 453 if (!done) 454 wsockinit(); 455 done = 1; 456 EnterCriticalSection(&g_PcapCompileCriticalSection); 457 #endif 458 459 /* 460 * If this pcap_t hasn't been activated, it doesn't have a 461 * link-layer type, so we can't use it. 462 */ 463 if (!p->activated) { 464 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 465 "not-yet-activated pcap_t passed to pcap_compile"); 466 rc = -1; 467 goto quit; 468 } 469 no_optimize = 0; 470 n_errors = 0; 471 root = NULL; 472 bpf_pcap = p; 473 init_regs(); 474 475 if (setjmp(top_ctx)) { 476 #ifdef INET6 477 if (ai != NULL) { 478 freeaddrinfo(ai); 479 ai = NULL; 480 } 481 #endif 482 lex_cleanup(); 483 freechunks(); 484 rc = -1; 485 goto quit; 486 } 487 488 netmask = mask; 489 490 snaplen = pcap_snapshot(p); 491 if (snaplen == 0) { 492 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 493 "snaplen of 0 rejects all packets"); 494 rc = -1; 495 goto quit; 496 } 497 498 lex_init(xbuf ? xbuf : ""); 499 init_linktype(p); 500 (void)pcap_parse(); 501 502 if (n_errors) 503 syntax(); 504 505 if (root == NULL) 506 root = gen_retblk(snaplen); 507 508 if (optimize && !no_optimize) { 509 bpf_optimize(&root); 510 if (root == NULL || 511 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 512 bpf_error("expression rejects all packets"); 513 } 514 program->bf_insns = icode_to_fcode(root, &len); 515 program->bf_len = len; 516 517 lex_cleanup(); 518 freechunks(); 519 520 rc = 0; /* We're all okay */ 521 522 quit: 523 524 #ifdef WIN32 525 LeaveCriticalSection(&g_PcapCompileCriticalSection); 526 #endif 527 528 return (rc); 529 } 530 531 /* 532 * entry point for using the compiler with no pcap open 533 * pass in all the stuff that is needed explicitly instead. 534 */ 535 int 536 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 537 struct bpf_program *program, 538 const char *buf, int optimize, bpf_u_int32 mask) 539 { 540 pcap_t *p; 541 int ret; 542 543 p = pcap_open_dead(linktype_arg, snaplen_arg); 544 if (p == NULL) 545 return (-1); 546 ret = pcap_compile(p, program, buf, optimize, mask); 547 pcap_close(p); 548 return (ret); 549 } 550 551 /* 552 * Clean up a "struct bpf_program" by freeing all the memory allocated 553 * in it. 554 */ 555 void 556 pcap_freecode(struct bpf_program *program) 557 { 558 program->bf_len = 0; 559 if (program->bf_insns != NULL) { 560 free((char *)program->bf_insns); 561 program->bf_insns = NULL; 562 } 563 } 564 565 /* 566 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 567 * which of the jt and jf fields has been resolved and which is a pointer 568 * back to another unresolved block (or nil). At least one of the fields 569 * in each block is already resolved. 570 */ 571 static void 572 backpatch(list, target) 573 struct block *list, *target; 574 { 575 struct block *next; 576 577 while (list) { 578 if (!list->sense) { 579 next = JT(list); 580 JT(list) = target; 581 } else { 582 next = JF(list); 583 JF(list) = target; 584 } 585 list = next; 586 } 587 } 588 589 /* 590 * Merge the lists in b0 and b1, using the 'sense' field to indicate 591 * which of jt and jf is the link. 592 */ 593 static void 594 merge(b0, b1) 595 struct block *b0, *b1; 596 { 597 register struct block **p = &b0; 598 599 /* Find end of list. */ 600 while (*p) 601 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 602 603 /* Concatenate the lists. */ 604 *p = b1; 605 } 606 607 void 608 finish_parse(p) 609 struct block *p; 610 { 611 struct block *ppi_dlt_check; 612 613 /* 614 * Insert before the statements of the first (root) block any 615 * statements needed to load the lengths of any variable-length 616 * headers into registers. 617 * 618 * XXX - a fancier strategy would be to insert those before the 619 * statements of all blocks that use those lengths and that 620 * have no predecessors that use them, so that we only compute 621 * the lengths if we need them. There might be even better 622 * approaches than that. 623 * 624 * However, those strategies would be more complicated, and 625 * as we don't generate code to compute a length if the 626 * program has no tests that use the length, and as most 627 * tests will probably use those lengths, we would just 628 * postpone computing the lengths so that it's not done 629 * for tests that fail early, and it's not clear that's 630 * worth the effort. 631 */ 632 insert_compute_vloffsets(p->head); 633 634 /* 635 * For DLT_PPI captures, generate a check of the per-packet 636 * DLT value to make sure it's DLT_IEEE802_11. 637 */ 638 ppi_dlt_check = gen_ppi_dlt_check(); 639 if (ppi_dlt_check != NULL) 640 gen_and(ppi_dlt_check, p); 641 642 backpatch(p, gen_retblk(snaplen)); 643 p->sense = !p->sense; 644 backpatch(p, gen_retblk(0)); 645 root = p->head; 646 } 647 648 void 649 gen_and(b0, b1) 650 struct block *b0, *b1; 651 { 652 backpatch(b0, b1->head); 653 b0->sense = !b0->sense; 654 b1->sense = !b1->sense; 655 merge(b1, b0); 656 b1->sense = !b1->sense; 657 b1->head = b0->head; 658 } 659 660 void 661 gen_or(b0, b1) 662 struct block *b0, *b1; 663 { 664 b0->sense = !b0->sense; 665 backpatch(b0, b1->head); 666 b0->sense = !b0->sense; 667 merge(b1, b0); 668 b1->head = b0->head; 669 } 670 671 void 672 gen_not(b) 673 struct block *b; 674 { 675 b->sense = !b->sense; 676 } 677 678 static struct block * 679 gen_cmp(offrel, offset, size, v) 680 enum e_offrel offrel; 681 u_int offset, size; 682 bpf_int32 v; 683 { 684 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 685 } 686 687 static struct block * 688 gen_cmp_gt(offrel, offset, size, v) 689 enum e_offrel offrel; 690 u_int offset, size; 691 bpf_int32 v; 692 { 693 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 694 } 695 696 static struct block * 697 gen_cmp_ge(offrel, offset, size, v) 698 enum e_offrel offrel; 699 u_int offset, size; 700 bpf_int32 v; 701 { 702 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 703 } 704 705 static struct block * 706 gen_cmp_lt(offrel, offset, size, v) 707 enum e_offrel offrel; 708 u_int offset, size; 709 bpf_int32 v; 710 { 711 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 712 } 713 714 static struct block * 715 gen_cmp_le(offrel, offset, size, v) 716 enum e_offrel offrel; 717 u_int offset, size; 718 bpf_int32 v; 719 { 720 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 721 } 722 723 static struct block * 724 gen_mcmp(offrel, offset, size, v, mask) 725 enum e_offrel offrel; 726 u_int offset, size; 727 bpf_int32 v; 728 bpf_u_int32 mask; 729 { 730 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 731 } 732 733 static struct block * 734 gen_bcmp(offrel, offset, size, v) 735 enum e_offrel offrel; 736 register u_int offset, size; 737 register const u_char *v; 738 { 739 register struct block *b, *tmp; 740 741 b = NULL; 742 while (size >= 4) { 743 register const u_char *p = &v[size - 4]; 744 bpf_int32 w = ((bpf_int32)p[0] << 24) | 745 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 746 747 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 748 if (b != NULL) 749 gen_and(b, tmp); 750 b = tmp; 751 size -= 4; 752 } 753 while (size >= 2) { 754 register const u_char *p = &v[size - 2]; 755 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 756 757 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 758 if (b != NULL) 759 gen_and(b, tmp); 760 b = tmp; 761 size -= 2; 762 } 763 if (size > 0) { 764 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 765 if (b != NULL) 766 gen_and(b, tmp); 767 b = tmp; 768 } 769 return b; 770 } 771 772 /* 773 * AND the field of size "size" at offset "offset" relative to the header 774 * specified by "offrel" with "mask", and compare it with the value "v" 775 * with the test specified by "jtype"; if "reverse" is true, the test 776 * should test the opposite of "jtype". 777 */ 778 static struct block * 779 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 780 enum e_offrel offrel; 781 bpf_int32 v; 782 bpf_u_int32 offset, size, mask, jtype; 783 int reverse; 784 { 785 struct slist *s, *s2; 786 struct block *b; 787 788 s = gen_load_a(offrel, offset, size); 789 790 if (mask != 0xffffffff) { 791 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 792 s2->s.k = mask; 793 sappend(s, s2); 794 } 795 796 b = new_block(JMP(jtype)); 797 b->stmts = s; 798 b->s.k = v; 799 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 800 gen_not(b); 801 return b; 802 } 803 804 /* 805 * Various code constructs need to know the layout of the packet. 806 * These variables give the necessary offsets from the beginning 807 * of the packet data. 808 */ 809 810 /* 811 * Absolute offset of the beginning of the link-layer header. 812 */ 813 static bpf_abs_offset off_linkhdr; 814 815 /* 816 * If we're checking a link-layer header for a packet encapsulated in 817 * another protocol layer, this is the equivalent information for the 818 * previous layers' link-layer header from the beginning of the raw 819 * packet data. 820 */ 821 static bpf_abs_offset off_prevlinkhdr; 822 823 /* 824 * This is the equivalent information for the outermost layers' link-layer 825 * header. 826 */ 827 static bpf_abs_offset off_outermostlinkhdr; 828 829 /* 830 * "Push" the current value of the link-layer header type and link-layer 831 * header offset onto a "stack", and set a new value. (It's not a 832 * full-blown stack; we keep only the top two items.) 833 */ 834 #define PUSH_LINKHDR(new_linktype, new_is_variable, new_constant_part, new_reg) \ 835 { \ 836 prevlinktype = new_linktype; \ 837 off_prevlinkhdr = off_linkhdr; \ 838 linktype = new_linktype; \ 839 off_linkhdr.is_variable = new_is_variable; \ 840 off_linkhdr.constant_part = new_constant_part; \ 841 off_linkhdr.reg = new_reg; \ 842 is_geneve = 0; \ 843 } 844 845 /* 846 * Absolute offset of the beginning of the link-layer payload. 847 */ 848 static bpf_abs_offset off_linkpl; 849 850 /* 851 * "off_linktype" is the offset to information in the link-layer header 852 * giving the packet type. This is an absolute offset from the beginning 853 * of the packet. 854 * 855 * For Ethernet, it's the offset of the Ethernet type field; this 856 * means that it must have a value that skips VLAN tags. 857 * 858 * For link-layer types that always use 802.2 headers, it's the 859 * offset of the LLC header; this means that it must have a value 860 * that skips VLAN tags. 861 * 862 * For PPP, it's the offset of the PPP type field. 863 * 864 * For Cisco HDLC, it's the offset of the CHDLC type field. 865 * 866 * For BSD loopback, it's the offset of the AF_ value. 867 * 868 * For Linux cooked sockets, it's the offset of the type field. 869 * 870 * off_linktype.constant_part is set to -1 for no encapsulation, 871 * in which case, IP is assumed. 872 */ 873 static bpf_abs_offset off_linktype; 874 875 /* 876 * TRUE if the link layer includes an ATM pseudo-header. 877 */ 878 static int is_atm = 0; 879 880 /* 881 * TRUE if "geneve" appeared in the filter; it causes us to generate 882 * code that checks for a Geneve header and assume that later filters 883 * apply to the encapsulated payload. 884 */ 885 static int is_geneve = 0; 886 887 /* 888 * These are offsets for the ATM pseudo-header. 889 */ 890 static u_int off_vpi; 891 static u_int off_vci; 892 static u_int off_proto; 893 894 /* 895 * These are offsets for the MTP2 fields. 896 */ 897 static u_int off_li; 898 static u_int off_li_hsl; 899 900 /* 901 * These are offsets for the MTP3 fields. 902 */ 903 static u_int off_sio; 904 static u_int off_opc; 905 static u_int off_dpc; 906 static u_int off_sls; 907 908 /* 909 * This is the offset of the first byte after the ATM pseudo_header, 910 * or -1 if there is no ATM pseudo-header. 911 */ 912 static u_int off_payload; 913 914 /* 915 * These are offsets to the beginning of the network-layer header. 916 * They are relative to the beginning of the link-layer payload (i.e., 917 * they don't include off_linkhdr.constant_part or off_linkpl.constant_part). 918 * 919 * If the link layer never uses 802.2 LLC: 920 * 921 * "off_nl" and "off_nl_nosnap" are the same. 922 * 923 * If the link layer always uses 802.2 LLC: 924 * 925 * "off_nl" is the offset if there's a SNAP header following 926 * the 802.2 header; 927 * 928 * "off_nl_nosnap" is the offset if there's no SNAP header. 929 * 930 * If the link layer is Ethernet: 931 * 932 * "off_nl" is the offset if the packet is an Ethernet II packet 933 * (we assume no 802.3+802.2+SNAP); 934 * 935 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 936 * with an 802.2 header following it. 937 */ 938 static u_int off_nl; 939 static u_int off_nl_nosnap; 940 941 static int linktype; 942 static int prevlinktype; 943 static int outermostlinktype; 944 945 static void 946 init_linktype(p) 947 pcap_t *p; 948 { 949 pcap_fddipad = p->fddipad; 950 951 /* 952 * We start out with only one link-layer header. 953 */ 954 outermostlinktype = pcap_datalink(p); 955 off_outermostlinkhdr.constant_part = 0; 956 off_outermostlinkhdr.is_variable = 0; 957 off_outermostlinkhdr.reg = -1; 958 959 prevlinktype = outermostlinktype; 960 off_prevlinkhdr.constant_part = 0; 961 off_prevlinkhdr.is_variable = 0; 962 off_prevlinkhdr.reg = -1; 963 964 linktype = outermostlinktype; 965 off_linkhdr.constant_part = 0; 966 off_linkhdr.is_variable = 0; 967 off_linkhdr.reg = -1; 968 969 /* 970 * XXX 971 */ 972 off_linkpl.constant_part = 0; 973 off_linkpl.is_variable = 0; 974 off_linkpl.reg = -1; 975 976 off_linktype.constant_part = 0; 977 off_linktype.is_variable = 0; 978 off_linktype.reg = -1; 979 980 /* 981 * Assume it's not raw ATM with a pseudo-header, for now. 982 */ 983 is_atm = 0; 984 off_vpi = -1; 985 off_vci = -1; 986 off_proto = -1; 987 off_payload = -1; 988 989 /* 990 * And not Geneve. 991 */ 992 is_geneve = 0; 993 994 /* 995 * And assume we're not doing SS7. 996 */ 997 off_li = -1; 998 off_li_hsl = -1; 999 off_sio = -1; 1000 off_opc = -1; 1001 off_dpc = -1; 1002 off_sls = -1; 1003 1004 label_stack_depth = 0; 1005 vlan_stack_depth = 0; 1006 1007 switch (linktype) { 1008 1009 case DLT_ARCNET: 1010 off_linktype.constant_part = 2; 1011 off_linkpl.constant_part = 6; 1012 off_nl = 0; /* XXX in reality, variable! */ 1013 off_nl_nosnap = 0; /* no 802.2 LLC */ 1014 break; 1015 1016 case DLT_ARCNET_LINUX: 1017 off_linktype.constant_part = 4; 1018 off_linkpl.constant_part = 8; 1019 off_nl = 0; /* XXX in reality, variable! */ 1020 off_nl_nosnap = 0; /* no 802.2 LLC */ 1021 break; 1022 1023 case DLT_EN10MB: 1024 off_linktype.constant_part = 12; 1025 off_linkpl.constant_part = 14; /* Ethernet header length */ 1026 off_nl = 0; /* Ethernet II */ 1027 off_nl_nosnap = 3; /* 802.3+802.2 */ 1028 break; 1029 1030 case DLT_SLIP: 1031 /* 1032 * SLIP doesn't have a link level type. The 16 byte 1033 * header is hacked into our SLIP driver. 1034 */ 1035 off_linktype.constant_part = -1; 1036 off_linkpl.constant_part = 16; 1037 off_nl = 0; 1038 off_nl_nosnap = 0; /* no 802.2 LLC */ 1039 break; 1040 1041 case DLT_SLIP_BSDOS: 1042 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1043 off_linktype.constant_part = -1; 1044 /* XXX end */ 1045 off_linkpl.constant_part = 24; 1046 off_nl = 0; 1047 off_nl_nosnap = 0; /* no 802.2 LLC */ 1048 break; 1049 1050 case DLT_NULL: 1051 case DLT_LOOP: 1052 off_linktype.constant_part = 0; 1053 off_linkpl.constant_part = 4; 1054 off_nl = 0; 1055 off_nl_nosnap = 0; /* no 802.2 LLC */ 1056 break; 1057 1058 case DLT_ENC: 1059 off_linktype.constant_part = 0; 1060 off_linkpl.constant_part = 12; 1061 off_nl = 0; 1062 off_nl_nosnap = 0; /* no 802.2 LLC */ 1063 break; 1064 1065 case DLT_PPP: 1066 case DLT_PPP_PPPD: 1067 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1068 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1069 off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1070 off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1071 off_nl = 0; 1072 off_nl_nosnap = 0; /* no 802.2 LLC */ 1073 break; 1074 1075 case DLT_PPP_ETHER: 1076 /* 1077 * This does no include the Ethernet header, and 1078 * only covers session state. 1079 */ 1080 off_linktype.constant_part = 6; 1081 off_linkpl.constant_part = 8; 1082 off_nl = 0; 1083 off_nl_nosnap = 0; /* no 802.2 LLC */ 1084 break; 1085 1086 case DLT_PPP_BSDOS: 1087 off_linktype.constant_part = 5; 1088 off_linkpl.constant_part = 24; 1089 off_nl = 0; 1090 off_nl_nosnap = 0; /* no 802.2 LLC */ 1091 break; 1092 1093 case DLT_FDDI: 1094 /* 1095 * FDDI doesn't really have a link-level type field. 1096 * We set "off_linktype" to the offset of the LLC header. 1097 * 1098 * To check for Ethernet types, we assume that SSAP = SNAP 1099 * is being used and pick out the encapsulated Ethernet type. 1100 * XXX - should we generate code to check for SNAP? 1101 */ 1102 off_linktype.constant_part = 13; 1103 off_linktype.constant_part += pcap_fddipad; 1104 off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1105 off_linkpl.constant_part += pcap_fddipad; 1106 off_nl = 8; /* 802.2+SNAP */ 1107 off_nl_nosnap = 3; /* 802.2 */ 1108 break; 1109 1110 case DLT_IEEE802: 1111 /* 1112 * Token Ring doesn't really have a link-level type field. 1113 * We set "off_linktype" to the offset of the LLC header. 1114 * 1115 * To check for Ethernet types, we assume that SSAP = SNAP 1116 * is being used and pick out the encapsulated Ethernet type. 1117 * XXX - should we generate code to check for SNAP? 1118 * 1119 * XXX - the header is actually variable-length. 1120 * Some various Linux patched versions gave 38 1121 * as "off_linktype" and 40 as "off_nl"; however, 1122 * if a token ring packet has *no* routing 1123 * information, i.e. is not source-routed, the correct 1124 * values are 20 and 22, as they are in the vanilla code. 1125 * 1126 * A packet is source-routed iff the uppermost bit 1127 * of the first byte of the source address, at an 1128 * offset of 8, has the uppermost bit set. If the 1129 * packet is source-routed, the total number of bytes 1130 * of routing information is 2 plus bits 0x1F00 of 1131 * the 16-bit value at an offset of 14 (shifted right 1132 * 8 - figure out which byte that is). 1133 */ 1134 off_linktype.constant_part = 14; 1135 off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1136 off_nl = 8; /* 802.2+SNAP */ 1137 off_nl_nosnap = 3; /* 802.2 */ 1138 break; 1139 1140 case DLT_PRISM_HEADER: 1141 case DLT_IEEE802_11_RADIO_AVS: 1142 case DLT_IEEE802_11_RADIO: 1143 off_linkhdr.is_variable = 1; 1144 /* Fall through, 802.11 doesn't have a variable link 1145 * prefix but is otherwise the same. */ 1146 1147 case DLT_IEEE802_11: 1148 /* 1149 * 802.11 doesn't really have a link-level type field. 1150 * We set "off_linktype.constant_part" to the offset of 1151 * the LLC header. 1152 * 1153 * To check for Ethernet types, we assume that SSAP = SNAP 1154 * is being used and pick out the encapsulated Ethernet type. 1155 * XXX - should we generate code to check for SNAP? 1156 * 1157 * We also handle variable-length radio headers here. 1158 * The Prism header is in theory variable-length, but in 1159 * practice it's always 144 bytes long. However, some 1160 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1161 * sometimes or always supply an AVS header, so we 1162 * have to check whether the radio header is a Prism 1163 * header or an AVS header, so, in practice, it's 1164 * variable-length. 1165 */ 1166 off_linktype.constant_part = 24; 1167 off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1168 off_linkpl.is_variable = 1; 1169 off_nl = 8; /* 802.2+SNAP */ 1170 off_nl_nosnap = 3; /* 802.2 */ 1171 break; 1172 1173 case DLT_PPI: 1174 /* 1175 * At the moment we treat PPI the same way that we treat 1176 * normal Radiotap encoded packets. The difference is in 1177 * the function that generates the code at the beginning 1178 * to compute the header length. Since this code generator 1179 * of PPI supports bare 802.11 encapsulation only (i.e. 1180 * the encapsulated DLT should be DLT_IEEE802_11) we 1181 * generate code to check for this too. 1182 */ 1183 off_linktype.constant_part = 24; 1184 off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1185 off_linkpl.is_variable = 1; 1186 off_linkhdr.is_variable = 1; 1187 off_nl = 8; /* 802.2+SNAP */ 1188 off_nl_nosnap = 3; /* 802.2 */ 1189 break; 1190 1191 case DLT_ATM_RFC1483: 1192 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1193 /* 1194 * assume routed, non-ISO PDUs 1195 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1196 * 1197 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1198 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1199 * latter would presumably be treated the way PPPoE 1200 * should be, so you can do "pppoe and udp port 2049" 1201 * or "pppoa and tcp port 80" and have it check for 1202 * PPPo{A,E} and a PPP protocol of IP and.... 1203 */ 1204 off_linktype.constant_part = 0; 1205 off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1206 off_nl = 8; /* 802.2+SNAP */ 1207 off_nl_nosnap = 3; /* 802.2 */ 1208 break; 1209 1210 case DLT_SUNATM: 1211 /* 1212 * Full Frontal ATM; you get AALn PDUs with an ATM 1213 * pseudo-header. 1214 */ 1215 is_atm = 1; 1216 off_vpi = SUNATM_VPI_POS; 1217 off_vci = SUNATM_VCI_POS; 1218 off_proto = PROTO_POS; 1219 off_payload = SUNATM_PKT_BEGIN_POS; 1220 off_linktype.constant_part = off_payload; 1221 off_linkpl.constant_part = off_payload; /* if LLC-encapsulated */ 1222 off_nl = 8; /* 802.2+SNAP */ 1223 off_nl_nosnap = 3; /* 802.2 */ 1224 break; 1225 1226 case DLT_RAW: 1227 case DLT_IPV4: 1228 case DLT_IPV6: 1229 off_linktype.constant_part = -1; 1230 off_linkpl.constant_part = 0; 1231 off_nl = 0; 1232 off_nl_nosnap = 0; /* no 802.2 LLC */ 1233 break; 1234 1235 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1236 off_linktype.constant_part = 14; 1237 off_linkpl.constant_part = 16; 1238 off_nl = 0; 1239 off_nl_nosnap = 0; /* no 802.2 LLC */ 1240 break; 1241 1242 case DLT_LTALK: 1243 /* 1244 * LocalTalk does have a 1-byte type field in the LLAP header, 1245 * but really it just indicates whether there is a "short" or 1246 * "long" DDP packet following. 1247 */ 1248 off_linktype.constant_part = -1; 1249 off_linkpl.constant_part = 0; 1250 off_nl = 0; 1251 off_nl_nosnap = 0; /* no 802.2 LLC */ 1252 break; 1253 1254 case DLT_IP_OVER_FC: 1255 /* 1256 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1257 * link-level type field. We set "off_linktype" to the 1258 * offset of the LLC header. 1259 * 1260 * To check for Ethernet types, we assume that SSAP = SNAP 1261 * is being used and pick out the encapsulated Ethernet type. 1262 * XXX - should we generate code to check for SNAP? RFC 1263 * 2625 says SNAP should be used. 1264 */ 1265 off_linktype.constant_part = 16; 1266 off_linkpl.constant_part = 16; 1267 off_nl = 8; /* 802.2+SNAP */ 1268 off_nl_nosnap = 3; /* 802.2 */ 1269 break; 1270 1271 case DLT_FRELAY: 1272 /* 1273 * XXX - we should set this to handle SNAP-encapsulated 1274 * frames (NLPID of 0x80). 1275 */ 1276 off_linktype.constant_part = -1; 1277 off_linkpl.constant_part = 0; 1278 off_nl = 0; 1279 off_nl_nosnap = 0; /* no 802.2 LLC */ 1280 break; 1281 1282 /* 1283 * the only BPF-interesting FRF.16 frames are non-control frames; 1284 * Frame Relay has a variable length link-layer 1285 * so lets start with offset 4 for now and increments later on (FIXME); 1286 */ 1287 case DLT_MFR: 1288 off_linktype.constant_part = -1; 1289 off_linkpl.constant_part = 0; 1290 off_nl = 4; 1291 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1292 break; 1293 1294 case DLT_APPLE_IP_OVER_IEEE1394: 1295 off_linktype.constant_part = 16; 1296 off_linkpl.constant_part = 18; 1297 off_nl = 0; 1298 off_nl_nosnap = 0; /* no 802.2 LLC */ 1299 break; 1300 1301 case DLT_SYMANTEC_FIREWALL: 1302 off_linktype.constant_part = 6; 1303 off_linkpl.constant_part = 44; 1304 off_nl = 0; /* Ethernet II */ 1305 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1306 break; 1307 1308 #ifdef HAVE_NET_PFVAR_H 1309 case DLT_PFLOG: 1310 off_linktype.constant_part = 0; 1311 off_linkpl.constant_part = PFLOG_HDRLEN; 1312 off_nl = 0; 1313 off_nl_nosnap = 0; /* no 802.2 LLC */ 1314 break; 1315 #endif 1316 1317 case DLT_JUNIPER_MFR: 1318 case DLT_JUNIPER_MLFR: 1319 case DLT_JUNIPER_MLPPP: 1320 case DLT_JUNIPER_PPP: 1321 case DLT_JUNIPER_CHDLC: 1322 case DLT_JUNIPER_FRELAY: 1323 off_linktype.constant_part = 4; 1324 off_linkpl.constant_part = 4; 1325 off_nl = 0; 1326 off_nl_nosnap = -1; /* no 802.2 LLC */ 1327 break; 1328 1329 case DLT_JUNIPER_ATM1: 1330 off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1331 off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1332 off_nl = 0; 1333 off_nl_nosnap = 10; 1334 break; 1335 1336 case DLT_JUNIPER_ATM2: 1337 off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1338 off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1339 off_nl = 0; 1340 off_nl_nosnap = 10; 1341 break; 1342 1343 /* frames captured on a Juniper PPPoE service PIC 1344 * contain raw ethernet frames */ 1345 case DLT_JUNIPER_PPPOE: 1346 case DLT_JUNIPER_ETHER: 1347 off_linkpl.constant_part = 14; 1348 off_linktype.constant_part = 16; 1349 off_nl = 18; /* Ethernet II */ 1350 off_nl_nosnap = 21; /* 802.3+802.2 */ 1351 break; 1352 1353 case DLT_JUNIPER_PPPOE_ATM: 1354 off_linktype.constant_part = 4; 1355 off_linkpl.constant_part = 6; 1356 off_nl = 0; 1357 off_nl_nosnap = -1; /* no 802.2 LLC */ 1358 break; 1359 1360 case DLT_JUNIPER_GGSN: 1361 off_linktype.constant_part = 6; 1362 off_linkpl.constant_part = 12; 1363 off_nl = 0; 1364 off_nl_nosnap = -1; /* no 802.2 LLC */ 1365 break; 1366 1367 case DLT_JUNIPER_ES: 1368 off_linktype.constant_part = 6; 1369 off_linkpl.constant_part = -1; /* not really a network layer but raw IP addresses */ 1370 off_nl = -1; /* not really a network layer but raw IP addresses */ 1371 off_nl_nosnap = -1; /* no 802.2 LLC */ 1372 break; 1373 1374 case DLT_JUNIPER_MONITOR: 1375 off_linktype.constant_part = 12; 1376 off_linkpl.constant_part = 12; 1377 off_nl = 0; /* raw IP/IP6 header */ 1378 off_nl_nosnap = -1; /* no 802.2 LLC */ 1379 break; 1380 1381 case DLT_BACNET_MS_TP: 1382 off_linktype.constant_part = -1; 1383 off_linkpl.constant_part = -1; 1384 off_nl = -1; 1385 off_nl_nosnap = -1; 1386 break; 1387 1388 case DLT_JUNIPER_SERVICES: 1389 off_linktype.constant_part = 12; 1390 off_linkpl.constant_part = -1; /* L3 proto location dep. on cookie type */ 1391 off_nl = -1; /* L3 proto location dep. on cookie type */ 1392 off_nl_nosnap = -1; /* no 802.2 LLC */ 1393 break; 1394 1395 case DLT_JUNIPER_VP: 1396 off_linktype.constant_part = 18; 1397 off_linkpl.constant_part = -1; 1398 off_nl = -1; 1399 off_nl_nosnap = -1; 1400 break; 1401 1402 case DLT_JUNIPER_ST: 1403 off_linktype.constant_part = 18; 1404 off_linkpl.constant_part = -1; 1405 off_nl = -1; 1406 off_nl_nosnap = -1; 1407 break; 1408 1409 case DLT_JUNIPER_ISM: 1410 off_linktype.constant_part = 8; 1411 off_linkpl.constant_part = -1; 1412 off_nl = -1; 1413 off_nl_nosnap = -1; 1414 break; 1415 1416 case DLT_JUNIPER_VS: 1417 case DLT_JUNIPER_SRX_E2E: 1418 case DLT_JUNIPER_FIBRECHANNEL: 1419 case DLT_JUNIPER_ATM_CEMIC: 1420 off_linktype.constant_part = 8; 1421 off_linkpl.constant_part = -1; 1422 off_nl = -1; 1423 off_nl_nosnap = -1; 1424 break; 1425 1426 case DLT_MTP2: 1427 off_li = 2; 1428 off_li_hsl = 4; 1429 off_sio = 3; 1430 off_opc = 4; 1431 off_dpc = 4; 1432 off_sls = 7; 1433 off_linktype.constant_part = -1; 1434 off_linkpl.constant_part = -1; 1435 off_nl = -1; 1436 off_nl_nosnap = -1; 1437 break; 1438 1439 case DLT_MTP2_WITH_PHDR: 1440 off_li = 6; 1441 off_li_hsl = 8; 1442 off_sio = 7; 1443 off_opc = 8; 1444 off_dpc = 8; 1445 off_sls = 11; 1446 off_linktype.constant_part = -1; 1447 off_linkpl.constant_part = -1; 1448 off_nl = -1; 1449 off_nl_nosnap = -1; 1450 break; 1451 1452 case DLT_ERF: 1453 off_li = 22; 1454 off_li_hsl = 24; 1455 off_sio = 23; 1456 off_opc = 24; 1457 off_dpc = 24; 1458 off_sls = 27; 1459 off_linktype.constant_part = -1; 1460 off_linkpl.constant_part = -1; 1461 off_nl = -1; 1462 off_nl_nosnap = -1; 1463 break; 1464 1465 case DLT_PFSYNC: 1466 off_linktype.constant_part = -1; 1467 off_linkpl.constant_part = 4; 1468 off_nl = 0; 1469 off_nl_nosnap = 0; 1470 break; 1471 1472 case DLT_AX25_KISS: 1473 /* 1474 * Currently, only raw "link[N:M]" filtering is supported. 1475 */ 1476 off_linktype.constant_part = -1; /* variable, min 15, max 71 steps of 7 */ 1477 off_linkpl.constant_part = -1; 1478 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1479 off_nl_nosnap = -1; /* no 802.2 LLC */ 1480 break; 1481 1482 case DLT_IPNET: 1483 off_linktype.constant_part = 1; 1484 off_linkpl.constant_part = 24; /* ipnet header length */ 1485 off_nl = 0; 1486 off_nl_nosnap = -1; 1487 break; 1488 1489 case DLT_NETANALYZER: 1490 off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1491 off_linktype.constant_part = off_linkhdr.constant_part + 12; 1492 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1493 off_nl = 0; /* Ethernet II */ 1494 off_nl_nosnap = 3; /* 802.3+802.2 */ 1495 break; 1496 1497 case DLT_NETANALYZER_TRANSPARENT: 1498 off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1499 off_linktype.constant_part = off_linkhdr.constant_part + 12; 1500 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1501 off_nl = 0; /* Ethernet II */ 1502 off_nl_nosnap = 3; /* 802.3+802.2 */ 1503 break; 1504 1505 default: 1506 /* 1507 * For values in the range in which we've assigned new 1508 * DLT_ values, only raw "link[N:M]" filtering is supported. 1509 */ 1510 if (linktype >= DLT_MATCHING_MIN && 1511 linktype <= DLT_MATCHING_MAX) { 1512 off_linktype.constant_part = -1; 1513 off_linkpl.constant_part = -1; 1514 off_nl = -1; 1515 off_nl_nosnap = -1; 1516 } else { 1517 bpf_error("unknown data link type %d", linktype); 1518 } 1519 break; 1520 } 1521 1522 off_outermostlinkhdr = off_prevlinkhdr = off_linkhdr; 1523 } 1524 1525 /* 1526 * Load a value relative to the specified absolute offset. 1527 */ 1528 static struct slist * 1529 gen_load_absoffsetrel(bpf_abs_offset *abs_offset, u_int offset, u_int size) 1530 { 1531 struct slist *s, *s2; 1532 1533 s = gen_abs_offset_varpart(abs_offset); 1534 1535 /* 1536 * If "s" is non-null, it has code to arrange that the X register 1537 * contains the variable part of the absolute offset, so we 1538 * generate a load relative to that, with an offset of 1539 * abs_offset->constant_part + offset. 1540 * 1541 * Otherwise, we can do an absolute load with an offset of 1542 * abs_offset->constant_part + offset. 1543 */ 1544 if (s != NULL) { 1545 /* 1546 * "s" points to a list of statements that puts the 1547 * variable part of the absolute offset into the X register. 1548 * Do an indirect load, to use the X register as an offset. 1549 */ 1550 s2 = new_stmt(BPF_LD|BPF_IND|size); 1551 s2->s.k = abs_offset->constant_part + offset; 1552 sappend(s, s2); 1553 } else { 1554 /* 1555 * There is no variable part of the absolute offset, so 1556 * just do an absolute load. 1557 */ 1558 s = new_stmt(BPF_LD|BPF_ABS|size); 1559 s->s.k = abs_offset->constant_part + offset; 1560 } 1561 return s; 1562 } 1563 1564 /* 1565 * Load a value relative to the beginning of the specified header. 1566 */ 1567 static struct slist * 1568 gen_load_a(offrel, offset, size) 1569 enum e_offrel offrel; 1570 u_int offset, size; 1571 { 1572 struct slist *s, *s2; 1573 1574 switch (offrel) { 1575 1576 case OR_PACKET: 1577 s = new_stmt(BPF_LD|BPF_ABS|size); 1578 s->s.k = offset; 1579 break; 1580 1581 case OR_LINKHDR: 1582 s = gen_load_absoffsetrel(&off_linkhdr, offset, size); 1583 break; 1584 1585 case OR_PREVLINKHDR: 1586 s = gen_load_absoffsetrel(&off_prevlinkhdr, offset, size); 1587 break; 1588 1589 case OR_LLC: 1590 s = gen_load_absoffsetrel(&off_linkpl, offset, size); 1591 break; 1592 1593 case OR_PREVMPLSHDR: 1594 s = gen_load_absoffsetrel(&off_linkpl, off_nl - 4 + offset, size); 1595 break; 1596 1597 case OR_LINKPL: 1598 s = gen_load_absoffsetrel(&off_linkpl, off_nl + offset, size); 1599 break; 1600 1601 case OR_LINKPL_NOSNAP: 1602 s = gen_load_absoffsetrel(&off_linkpl, off_nl_nosnap + offset, size); 1603 break; 1604 1605 case OR_LINKTYPE: 1606 s = gen_load_absoffsetrel(&off_linktype, offset, size); 1607 break; 1608 1609 case OR_TRAN_IPV4: 1610 /* 1611 * Load the X register with the length of the IPv4 header 1612 * (plus the offset of the link-layer header, if it's 1613 * preceded by a variable-length header such as a radio 1614 * header), in bytes. 1615 */ 1616 s = gen_loadx_iphdrlen(); 1617 1618 /* 1619 * Load the item at {offset of the link-layer payload} + 1620 * {offset, relative to the start of the link-layer 1621 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1622 * {specified offset}. 1623 * 1624 * If the offset of the link-layer payload is variable, 1625 * the variable part of that offset is included in the 1626 * value in the X register, and we include the constant 1627 * part in the offset of the load. 1628 */ 1629 s2 = new_stmt(BPF_LD|BPF_IND|size); 1630 s2->s.k = off_linkpl.constant_part + off_nl + offset; 1631 sappend(s, s2); 1632 break; 1633 1634 case OR_TRAN_IPV6: 1635 s = gen_load_absoffsetrel(&off_linkpl, off_nl + 40 + offset, size); 1636 break; 1637 1638 default: 1639 abort(); 1640 return NULL; 1641 } 1642 return s; 1643 } 1644 1645 /* 1646 * Generate code to load into the X register the sum of the length of 1647 * the IPv4 header and the variable part of the offset of the link-layer 1648 * payload. 1649 */ 1650 static struct slist * 1651 gen_loadx_iphdrlen() 1652 { 1653 struct slist *s, *s2; 1654 1655 s = gen_abs_offset_varpart(&off_linkpl); 1656 if (s != NULL) { 1657 /* 1658 * The offset of the link-layer payload has a variable 1659 * part. "s" points to a list of statements that put 1660 * the variable part of that offset into the X register. 1661 * 1662 * The 4*([k]&0xf) addressing mode can't be used, as we 1663 * don't have a constant offset, so we have to load the 1664 * value in question into the A register and add to it 1665 * the value from the X register. 1666 */ 1667 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1668 s2->s.k = off_linkpl.constant_part + off_nl; 1669 sappend(s, s2); 1670 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1671 s2->s.k = 0xf; 1672 sappend(s, s2); 1673 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1674 s2->s.k = 2; 1675 sappend(s, s2); 1676 1677 /* 1678 * The A register now contains the length of the IP header. 1679 * We need to add to it the variable part of the offset of 1680 * the link-layer payload, which is still in the X 1681 * register, and move the result into the X register. 1682 */ 1683 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1684 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1685 } else { 1686 /* 1687 * The offset of the link-layer payload is a constant, 1688 * so no code was generated to load the (non-existent) 1689 * variable part of that offset. 1690 * 1691 * This means we can use the 4*([k]&0xf) addressing 1692 * mode. Load the length of the IPv4 header, which 1693 * is at an offset of off_nl from the beginning of 1694 * the link-layer payload, and thus at an offset of 1695 * off_linkpl.constant_part + off_nl from the beginning 1696 * of the raw packet data, using that addressing mode. 1697 */ 1698 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1699 s->s.k = off_linkpl.constant_part + off_nl; 1700 } 1701 return s; 1702 } 1703 1704 static struct block * 1705 gen_uncond(rsense) 1706 int rsense; 1707 { 1708 struct block *b; 1709 struct slist *s; 1710 1711 s = new_stmt(BPF_LD|BPF_IMM); 1712 s->s.k = !rsense; 1713 b = new_block(JMP(BPF_JEQ)); 1714 b->stmts = s; 1715 1716 return b; 1717 } 1718 1719 static inline struct block * 1720 gen_true() 1721 { 1722 return gen_uncond(1); 1723 } 1724 1725 static inline struct block * 1726 gen_false() 1727 { 1728 return gen_uncond(0); 1729 } 1730 1731 /* 1732 * Byte-swap a 32-bit number. 1733 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1734 * big-endian platforms.) 1735 */ 1736 #define SWAPLONG(y) \ 1737 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1738 1739 /* 1740 * Generate code to match a particular packet type. 1741 * 1742 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1743 * value, if <= ETHERMTU. We use that to determine whether to 1744 * match the type/length field or to check the type/length field for 1745 * a value <= ETHERMTU to see whether it's a type field and then do 1746 * the appropriate test. 1747 */ 1748 static struct block * 1749 gen_ether_linktype(proto) 1750 register int proto; 1751 { 1752 struct block *b0, *b1; 1753 1754 switch (proto) { 1755 1756 case LLCSAP_ISONS: 1757 case LLCSAP_IP: 1758 case LLCSAP_NETBEUI: 1759 /* 1760 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1761 * so we check the DSAP and SSAP. 1762 * 1763 * LLCSAP_IP checks for IP-over-802.2, rather 1764 * than IP-over-Ethernet or IP-over-SNAP. 1765 * 1766 * XXX - should we check both the DSAP and the 1767 * SSAP, like this, or should we check just the 1768 * DSAP, as we do for other types <= ETHERMTU 1769 * (i.e., other SAP values)? 1770 */ 1771 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1772 gen_not(b0); 1773 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32) 1774 ((proto << 8) | proto)); 1775 gen_and(b0, b1); 1776 return b1; 1777 1778 case LLCSAP_IPX: 1779 /* 1780 * Check for; 1781 * 1782 * Ethernet_II frames, which are Ethernet 1783 * frames with a frame type of ETHERTYPE_IPX; 1784 * 1785 * Ethernet_802.3 frames, which are 802.3 1786 * frames (i.e., the type/length field is 1787 * a length field, <= ETHERMTU, rather than 1788 * a type field) with the first two bytes 1789 * after the Ethernet/802.3 header being 1790 * 0xFFFF; 1791 * 1792 * Ethernet_802.2 frames, which are 802.3 1793 * frames with an 802.2 LLC header and 1794 * with the IPX LSAP as the DSAP in the LLC 1795 * header; 1796 * 1797 * Ethernet_SNAP frames, which are 802.3 1798 * frames with an LLC header and a SNAP 1799 * header and with an OUI of 0x000000 1800 * (encapsulated Ethernet) and a protocol 1801 * ID of ETHERTYPE_IPX in the SNAP header. 1802 * 1803 * XXX - should we generate the same code both 1804 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1805 */ 1806 1807 /* 1808 * This generates code to check both for the 1809 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1810 */ 1811 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1812 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1813 gen_or(b0, b1); 1814 1815 /* 1816 * Now we add code to check for SNAP frames with 1817 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1818 */ 1819 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1820 gen_or(b0, b1); 1821 1822 /* 1823 * Now we generate code to check for 802.3 1824 * frames in general. 1825 */ 1826 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1827 gen_not(b0); 1828 1829 /* 1830 * Now add the check for 802.3 frames before the 1831 * check for Ethernet_802.2 and Ethernet_802.3, 1832 * as those checks should only be done on 802.3 1833 * frames, not on Ethernet frames. 1834 */ 1835 gen_and(b0, b1); 1836 1837 /* 1838 * Now add the check for Ethernet_II frames, and 1839 * do that before checking for the other frame 1840 * types. 1841 */ 1842 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1843 gen_or(b0, b1); 1844 return b1; 1845 1846 case ETHERTYPE_ATALK: 1847 case ETHERTYPE_AARP: 1848 /* 1849 * EtherTalk (AppleTalk protocols on Ethernet link 1850 * layer) may use 802.2 encapsulation. 1851 */ 1852 1853 /* 1854 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1855 * we check for an Ethernet type field less than 1856 * 1500, which means it's an 802.3 length field. 1857 */ 1858 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1859 gen_not(b0); 1860 1861 /* 1862 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1863 * SNAP packets with an organization code of 1864 * 0x080007 (Apple, for Appletalk) and a protocol 1865 * type of ETHERTYPE_ATALK (Appletalk). 1866 * 1867 * 802.2-encapsulated ETHERTYPE_AARP packets are 1868 * SNAP packets with an organization code of 1869 * 0x000000 (encapsulated Ethernet) and a protocol 1870 * type of ETHERTYPE_AARP (Appletalk ARP). 1871 */ 1872 if (proto == ETHERTYPE_ATALK) 1873 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1874 else /* proto == ETHERTYPE_AARP */ 1875 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1876 gen_and(b0, b1); 1877 1878 /* 1879 * Check for Ethernet encapsulation (Ethertalk 1880 * phase 1?); we just check for the Ethernet 1881 * protocol type. 1882 */ 1883 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1884 1885 gen_or(b0, b1); 1886 return b1; 1887 1888 default: 1889 if (proto <= ETHERMTU) { 1890 /* 1891 * This is an LLC SAP value, so the frames 1892 * that match would be 802.2 frames. 1893 * Check that the frame is an 802.2 frame 1894 * (i.e., that the length/type field is 1895 * a length field, <= ETHERMTU) and 1896 * then check the DSAP. 1897 */ 1898 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1899 gen_not(b0); 1900 b1 = gen_cmp(OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1901 gen_and(b0, b1); 1902 return b1; 1903 } else { 1904 /* 1905 * This is an Ethernet type, so compare 1906 * the length/type field with it (if 1907 * the frame is an 802.2 frame, the length 1908 * field will be <= ETHERMTU, and, as 1909 * "proto" is > ETHERMTU, this test 1910 * will fail and the frame won't match, 1911 * which is what we want). 1912 */ 1913 return gen_cmp(OR_LINKTYPE, 0, BPF_H, 1914 (bpf_int32)proto); 1915 } 1916 } 1917 } 1918 1919 /* 1920 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1921 * or IPv6 then we have an error. 1922 */ 1923 static struct block * 1924 gen_ipnet_linktype(proto) 1925 register int proto; 1926 { 1927 switch (proto) { 1928 1929 case ETHERTYPE_IP: 1930 return gen_cmp(OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 1931 /* NOTREACHED */ 1932 1933 case ETHERTYPE_IPV6: 1934 return gen_cmp(OR_LINKTYPE, 0, BPF_B, 1935 (bpf_int32)IPH_AF_INET6); 1936 /* NOTREACHED */ 1937 1938 default: 1939 break; 1940 } 1941 1942 return gen_false(); 1943 } 1944 1945 /* 1946 * Generate code to match a particular packet type. 1947 * 1948 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1949 * value, if <= ETHERMTU. We use that to determine whether to 1950 * match the type field or to check the type field for the special 1951 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1952 */ 1953 static struct block * 1954 gen_linux_sll_linktype(proto) 1955 register int proto; 1956 { 1957 struct block *b0, *b1; 1958 1959 switch (proto) { 1960 1961 case LLCSAP_ISONS: 1962 case LLCSAP_IP: 1963 case LLCSAP_NETBEUI: 1964 /* 1965 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1966 * so we check the DSAP and SSAP. 1967 * 1968 * LLCSAP_IP checks for IP-over-802.2, rather 1969 * than IP-over-Ethernet or IP-over-SNAP. 1970 * 1971 * XXX - should we check both the DSAP and the 1972 * SSAP, like this, or should we check just the 1973 * DSAP, as we do for other types <= ETHERMTU 1974 * (i.e., other SAP values)? 1975 */ 1976 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 1977 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32) 1978 ((proto << 8) | proto)); 1979 gen_and(b0, b1); 1980 return b1; 1981 1982 case LLCSAP_IPX: 1983 /* 1984 * Ethernet_II frames, which are Ethernet 1985 * frames with a frame type of ETHERTYPE_IPX; 1986 * 1987 * Ethernet_802.3 frames, which have a frame 1988 * type of LINUX_SLL_P_802_3; 1989 * 1990 * Ethernet_802.2 frames, which are 802.3 1991 * frames with an 802.2 LLC header (i.e, have 1992 * a frame type of LINUX_SLL_P_802_2) and 1993 * with the IPX LSAP as the DSAP in the LLC 1994 * header; 1995 * 1996 * Ethernet_SNAP frames, which are 802.3 1997 * frames with an LLC header and a SNAP 1998 * header and with an OUI of 0x000000 1999 * (encapsulated Ethernet) and a protocol 2000 * ID of ETHERTYPE_IPX in the SNAP header. 2001 * 2002 * First, do the checks on LINUX_SLL_P_802_2 2003 * frames; generate the check for either 2004 * Ethernet_802.2 or Ethernet_SNAP frames, and 2005 * then put a check for LINUX_SLL_P_802_2 frames 2006 * before it. 2007 */ 2008 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2009 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2010 gen_or(b0, b1); 2011 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2012 gen_and(b0, b1); 2013 2014 /* 2015 * Now check for 802.3 frames and OR that with 2016 * the previous test. 2017 */ 2018 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2019 gen_or(b0, b1); 2020 2021 /* 2022 * Now add the check for Ethernet_II frames, and 2023 * do that before checking for the other frame 2024 * types. 2025 */ 2026 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2027 gen_or(b0, b1); 2028 return b1; 2029 2030 case ETHERTYPE_ATALK: 2031 case ETHERTYPE_AARP: 2032 /* 2033 * EtherTalk (AppleTalk protocols on Ethernet link 2034 * layer) may use 802.2 encapsulation. 2035 */ 2036 2037 /* 2038 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2039 * we check for the 802.2 protocol type in the 2040 * "Ethernet type" field. 2041 */ 2042 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2043 2044 /* 2045 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2046 * SNAP packets with an organization code of 2047 * 0x080007 (Apple, for Appletalk) and a protocol 2048 * type of ETHERTYPE_ATALK (Appletalk). 2049 * 2050 * 802.2-encapsulated ETHERTYPE_AARP packets are 2051 * SNAP packets with an organization code of 2052 * 0x000000 (encapsulated Ethernet) and a protocol 2053 * type of ETHERTYPE_AARP (Appletalk ARP). 2054 */ 2055 if (proto == ETHERTYPE_ATALK) 2056 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2057 else /* proto == ETHERTYPE_AARP */ 2058 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2059 gen_and(b0, b1); 2060 2061 /* 2062 * Check for Ethernet encapsulation (Ethertalk 2063 * phase 1?); we just check for the Ethernet 2064 * protocol type. 2065 */ 2066 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2067 2068 gen_or(b0, b1); 2069 return b1; 2070 2071 default: 2072 if (proto <= ETHERMTU) { 2073 /* 2074 * This is an LLC SAP value, so the frames 2075 * that match would be 802.2 frames. 2076 * Check for the 802.2 protocol type 2077 * in the "Ethernet type" field, and 2078 * then check the DSAP. 2079 */ 2080 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2081 b1 = gen_cmp(OR_LINKHDR, off_linkpl.constant_part, BPF_B, 2082 (bpf_int32)proto); 2083 gen_and(b0, b1); 2084 return b1; 2085 } else { 2086 /* 2087 * This is an Ethernet type, so compare 2088 * the length/type field with it (if 2089 * the frame is an 802.2 frame, the length 2090 * field will be <= ETHERMTU, and, as 2091 * "proto" is > ETHERMTU, this test 2092 * will fail and the frame won't match, 2093 * which is what we want). 2094 */ 2095 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2096 } 2097 } 2098 } 2099 2100 static struct slist * 2101 gen_load_prism_llprefixlen() 2102 { 2103 struct slist *s1, *s2; 2104 struct slist *sjeq_avs_cookie; 2105 struct slist *sjcommon; 2106 2107 /* 2108 * This code is not compatible with the optimizer, as 2109 * we are generating jmp instructions within a normal 2110 * slist of instructions 2111 */ 2112 no_optimize = 1; 2113 2114 /* 2115 * Generate code to load the length of the radio header into 2116 * the register assigned to hold that length, if one has been 2117 * assigned. (If one hasn't been assigned, no code we've 2118 * generated uses that prefix, so we don't need to generate any 2119 * code to load it.) 2120 * 2121 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2122 * or always use the AVS header rather than the Prism header. 2123 * We load a 4-byte big-endian value at the beginning of the 2124 * raw packet data, and see whether, when masked with 0xFFFFF000, 2125 * it's equal to 0x80211000. If so, that indicates that it's 2126 * an AVS header (the masked-out bits are the version number). 2127 * Otherwise, it's a Prism header. 2128 * 2129 * XXX - the Prism header is also, in theory, variable-length, 2130 * but no known software generates headers that aren't 144 2131 * bytes long. 2132 */ 2133 if (off_linkhdr.reg != -1) { 2134 /* 2135 * Load the cookie. 2136 */ 2137 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2138 s1->s.k = 0; 2139 2140 /* 2141 * AND it with 0xFFFFF000. 2142 */ 2143 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2144 s2->s.k = 0xFFFFF000; 2145 sappend(s1, s2); 2146 2147 /* 2148 * Compare with 0x80211000. 2149 */ 2150 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2151 sjeq_avs_cookie->s.k = 0x80211000; 2152 sappend(s1, sjeq_avs_cookie); 2153 2154 /* 2155 * If it's AVS: 2156 * 2157 * The 4 bytes at an offset of 4 from the beginning of 2158 * the AVS header are the length of the AVS header. 2159 * That field is big-endian. 2160 */ 2161 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2162 s2->s.k = 4; 2163 sappend(s1, s2); 2164 sjeq_avs_cookie->s.jt = s2; 2165 2166 /* 2167 * Now jump to the code to allocate a register 2168 * into which to save the header length and 2169 * store the length there. (The "jump always" 2170 * instruction needs to have the k field set; 2171 * it's added to the PC, so, as we're jumping 2172 * over a single instruction, it should be 1.) 2173 */ 2174 sjcommon = new_stmt(JMP(BPF_JA)); 2175 sjcommon->s.k = 1; 2176 sappend(s1, sjcommon); 2177 2178 /* 2179 * Now for the code that handles the Prism header. 2180 * Just load the length of the Prism header (144) 2181 * into the A register. Have the test for an AVS 2182 * header branch here if we don't have an AVS header. 2183 */ 2184 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2185 s2->s.k = 144; 2186 sappend(s1, s2); 2187 sjeq_avs_cookie->s.jf = s2; 2188 2189 /* 2190 * Now allocate a register to hold that value and store 2191 * it. The code for the AVS header will jump here after 2192 * loading the length of the AVS header. 2193 */ 2194 s2 = new_stmt(BPF_ST); 2195 s2->s.k = off_linkhdr.reg; 2196 sappend(s1, s2); 2197 sjcommon->s.jf = s2; 2198 2199 /* 2200 * Now move it into the X register. 2201 */ 2202 s2 = new_stmt(BPF_MISC|BPF_TAX); 2203 sappend(s1, s2); 2204 2205 return (s1); 2206 } else 2207 return (NULL); 2208 } 2209 2210 static struct slist * 2211 gen_load_avs_llprefixlen() 2212 { 2213 struct slist *s1, *s2; 2214 2215 /* 2216 * Generate code to load the length of the AVS header into 2217 * the register assigned to hold that length, if one has been 2218 * assigned. (If one hasn't been assigned, no code we've 2219 * generated uses that prefix, so we don't need to generate any 2220 * code to load it.) 2221 */ 2222 if (off_linkhdr.reg != -1) { 2223 /* 2224 * The 4 bytes at an offset of 4 from the beginning of 2225 * the AVS header are the length of the AVS header. 2226 * That field is big-endian. 2227 */ 2228 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2229 s1->s.k = 4; 2230 2231 /* 2232 * Now allocate a register to hold that value and store 2233 * it. 2234 */ 2235 s2 = new_stmt(BPF_ST); 2236 s2->s.k = off_linkhdr.reg; 2237 sappend(s1, s2); 2238 2239 /* 2240 * Now move it into the X register. 2241 */ 2242 s2 = new_stmt(BPF_MISC|BPF_TAX); 2243 sappend(s1, s2); 2244 2245 return (s1); 2246 } else 2247 return (NULL); 2248 } 2249 2250 static struct slist * 2251 gen_load_radiotap_llprefixlen() 2252 { 2253 struct slist *s1, *s2; 2254 2255 /* 2256 * Generate code to load the length of the radiotap header into 2257 * the register assigned to hold that length, if one has been 2258 * assigned. (If one hasn't been assigned, no code we've 2259 * generated uses that prefix, so we don't need to generate any 2260 * code to load it.) 2261 */ 2262 if (off_linkhdr.reg != -1) { 2263 /* 2264 * The 2 bytes at offsets of 2 and 3 from the beginning 2265 * of the radiotap header are the length of the radiotap 2266 * header; unfortunately, it's little-endian, so we have 2267 * to load it a byte at a time and construct the value. 2268 */ 2269 2270 /* 2271 * Load the high-order byte, at an offset of 3, shift it 2272 * left a byte, and put the result in the X register. 2273 */ 2274 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2275 s1->s.k = 3; 2276 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2277 sappend(s1, s2); 2278 s2->s.k = 8; 2279 s2 = new_stmt(BPF_MISC|BPF_TAX); 2280 sappend(s1, s2); 2281 2282 /* 2283 * Load the next byte, at an offset of 2, and OR the 2284 * value from the X register into it. 2285 */ 2286 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2287 sappend(s1, s2); 2288 s2->s.k = 2; 2289 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2290 sappend(s1, s2); 2291 2292 /* 2293 * Now allocate a register to hold that value and store 2294 * it. 2295 */ 2296 s2 = new_stmt(BPF_ST); 2297 s2->s.k = off_linkhdr.reg; 2298 sappend(s1, s2); 2299 2300 /* 2301 * Now move it into the X register. 2302 */ 2303 s2 = new_stmt(BPF_MISC|BPF_TAX); 2304 sappend(s1, s2); 2305 2306 return (s1); 2307 } else 2308 return (NULL); 2309 } 2310 2311 /* 2312 * At the moment we treat PPI as normal Radiotap encoded 2313 * packets. The difference is in the function that generates 2314 * the code at the beginning to compute the header length. 2315 * Since this code generator of PPI supports bare 802.11 2316 * encapsulation only (i.e. the encapsulated DLT should be 2317 * DLT_IEEE802_11) we generate code to check for this too; 2318 * that's done in finish_parse(). 2319 */ 2320 static struct slist * 2321 gen_load_ppi_llprefixlen() 2322 { 2323 struct slist *s1, *s2; 2324 2325 /* 2326 * Generate code to load the length of the radiotap header 2327 * into the register assigned to hold that length, if one has 2328 * been assigned. 2329 */ 2330 if (off_linkhdr.reg != -1) { 2331 /* 2332 * The 2 bytes at offsets of 2 and 3 from the beginning 2333 * of the radiotap header are the length of the radiotap 2334 * header; unfortunately, it's little-endian, so we have 2335 * to load it a byte at a time and construct the value. 2336 */ 2337 2338 /* 2339 * Load the high-order byte, at an offset of 3, shift it 2340 * left a byte, and put the result in the X register. 2341 */ 2342 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2343 s1->s.k = 3; 2344 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2345 sappend(s1, s2); 2346 s2->s.k = 8; 2347 s2 = new_stmt(BPF_MISC|BPF_TAX); 2348 sappend(s1, s2); 2349 2350 /* 2351 * Load the next byte, at an offset of 2, and OR the 2352 * value from the X register into it. 2353 */ 2354 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2355 sappend(s1, s2); 2356 s2->s.k = 2; 2357 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2358 sappend(s1, s2); 2359 2360 /* 2361 * Now allocate a register to hold that value and store 2362 * it. 2363 */ 2364 s2 = new_stmt(BPF_ST); 2365 s2->s.k = off_linkhdr.reg; 2366 sappend(s1, s2); 2367 2368 /* 2369 * Now move it into the X register. 2370 */ 2371 s2 = new_stmt(BPF_MISC|BPF_TAX); 2372 sappend(s1, s2); 2373 2374 return (s1); 2375 } else 2376 return (NULL); 2377 } 2378 2379 /* 2380 * Load a value relative to the beginning of the link-layer header after the 802.11 2381 * header, i.e. LLC_SNAP. 2382 * The link-layer header doesn't necessarily begin at the beginning 2383 * of the packet data; there might be a variable-length prefix containing 2384 * radio information. 2385 */ 2386 static struct slist * 2387 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2388 { 2389 struct slist *s2; 2390 struct slist *sjset_data_frame_1; 2391 struct slist *sjset_data_frame_2; 2392 struct slist *sjset_qos; 2393 struct slist *sjset_radiotap_flags; 2394 struct slist *sjset_radiotap_tsft; 2395 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2396 struct slist *s_roundup; 2397 2398 if (off_linkpl.reg == -1) { 2399 /* 2400 * No register has been assigned to the offset of 2401 * the link-layer payload, which means nobody needs 2402 * it; don't bother computing it - just return 2403 * what we already have. 2404 */ 2405 return (s); 2406 } 2407 2408 /* 2409 * This code is not compatible with the optimizer, as 2410 * we are generating jmp instructions within a normal 2411 * slist of instructions 2412 */ 2413 no_optimize = 1; 2414 2415 /* 2416 * If "s" is non-null, it has code to arrange that the X register 2417 * contains the length of the prefix preceding the link-layer 2418 * header. 2419 * 2420 * Otherwise, the length of the prefix preceding the link-layer 2421 * header is "off_outermostlinkhdr.constant_part". 2422 */ 2423 if (s == NULL) { 2424 /* 2425 * There is no variable-length header preceding the 2426 * link-layer header. 2427 * 2428 * Load the length of the fixed-length prefix preceding 2429 * the link-layer header (if any) into the X register, 2430 * and store it in the off_linkpl.reg register. 2431 * That length is off_outermostlinkhdr.constant_part. 2432 */ 2433 s = new_stmt(BPF_LDX|BPF_IMM); 2434 s->s.k = off_outermostlinkhdr.constant_part; 2435 } 2436 2437 /* 2438 * The X register contains the offset of the beginning of the 2439 * link-layer header; add 24, which is the minimum length 2440 * of the MAC header for a data frame, to that, and store it 2441 * in off_linkpl.reg, and then load the Frame Control field, 2442 * which is at the offset in the X register, with an indexed load. 2443 */ 2444 s2 = new_stmt(BPF_MISC|BPF_TXA); 2445 sappend(s, s2); 2446 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2447 s2->s.k = 24; 2448 sappend(s, s2); 2449 s2 = new_stmt(BPF_ST); 2450 s2->s.k = off_linkpl.reg; 2451 sappend(s, s2); 2452 2453 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2454 s2->s.k = 0; 2455 sappend(s, s2); 2456 2457 /* 2458 * Check the Frame Control field to see if this is a data frame; 2459 * a data frame has the 0x08 bit (b3) in that field set and the 2460 * 0x04 bit (b2) clear. 2461 */ 2462 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2463 sjset_data_frame_1->s.k = 0x08; 2464 sappend(s, sjset_data_frame_1); 2465 2466 /* 2467 * If b3 is set, test b2, otherwise go to the first statement of 2468 * the rest of the program. 2469 */ 2470 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2471 sjset_data_frame_2->s.k = 0x04; 2472 sappend(s, sjset_data_frame_2); 2473 sjset_data_frame_1->s.jf = snext; 2474 2475 /* 2476 * If b2 is not set, this is a data frame; test the QoS bit. 2477 * Otherwise, go to the first statement of the rest of the 2478 * program. 2479 */ 2480 sjset_data_frame_2->s.jt = snext; 2481 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2482 sjset_qos->s.k = 0x80; /* QoS bit */ 2483 sappend(s, sjset_qos); 2484 2485 /* 2486 * If it's set, add 2 to off_linkpl.reg, to skip the QoS 2487 * field. 2488 * Otherwise, go to the first statement of the rest of the 2489 * program. 2490 */ 2491 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2492 s2->s.k = off_linkpl.reg; 2493 sappend(s, s2); 2494 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2495 s2->s.k = 2; 2496 sappend(s, s2); 2497 s2 = new_stmt(BPF_ST); 2498 s2->s.k = off_linkpl.reg; 2499 sappend(s, s2); 2500 2501 /* 2502 * If we have a radiotap header, look at it to see whether 2503 * there's Atheros padding between the MAC-layer header 2504 * and the payload. 2505 * 2506 * Note: all of the fields in the radiotap header are 2507 * little-endian, so we byte-swap all of the values 2508 * we test against, as they will be loaded as big-endian 2509 * values. 2510 */ 2511 if (linktype == DLT_IEEE802_11_RADIO) { 2512 /* 2513 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2514 * in the presence flag? 2515 */ 2516 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2517 s2->s.k = 4; 2518 sappend(s, s2); 2519 2520 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2521 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2522 sappend(s, sjset_radiotap_flags); 2523 2524 /* 2525 * If not, skip all of this. 2526 */ 2527 sjset_radiotap_flags->s.jf = snext; 2528 2529 /* 2530 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2531 */ 2532 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2533 new_stmt(JMP(BPF_JSET)); 2534 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2535 sappend(s, sjset_radiotap_tsft); 2536 2537 /* 2538 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2539 * at an offset of 16 from the beginning of the raw packet 2540 * data (8 bytes for the radiotap header and 8 bytes for 2541 * the TSFT field). 2542 * 2543 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2544 * is set. 2545 */ 2546 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2547 s2->s.k = 16; 2548 sappend(s, s2); 2549 2550 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2551 sjset_tsft_datapad->s.k = 0x20; 2552 sappend(s, sjset_tsft_datapad); 2553 2554 /* 2555 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2556 * at an offset of 8 from the beginning of the raw packet 2557 * data (8 bytes for the radiotap header). 2558 * 2559 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2560 * is set. 2561 */ 2562 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2563 s2->s.k = 8; 2564 sappend(s, s2); 2565 2566 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2567 sjset_notsft_datapad->s.k = 0x20; 2568 sappend(s, sjset_notsft_datapad); 2569 2570 /* 2571 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2572 * set, round the length of the 802.11 header to 2573 * a multiple of 4. Do that by adding 3 and then 2574 * dividing by and multiplying by 4, which we do by 2575 * ANDing with ~3. 2576 */ 2577 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2578 s_roundup->s.k = off_linkpl.reg; 2579 sappend(s, s_roundup); 2580 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2581 s2->s.k = 3; 2582 sappend(s, s2); 2583 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2584 s2->s.k = ~3; 2585 sappend(s, s2); 2586 s2 = new_stmt(BPF_ST); 2587 s2->s.k = off_linkpl.reg; 2588 sappend(s, s2); 2589 2590 sjset_tsft_datapad->s.jt = s_roundup; 2591 sjset_tsft_datapad->s.jf = snext; 2592 sjset_notsft_datapad->s.jt = s_roundup; 2593 sjset_notsft_datapad->s.jf = snext; 2594 } else 2595 sjset_qos->s.jf = snext; 2596 2597 return s; 2598 } 2599 2600 static void 2601 insert_compute_vloffsets(b) 2602 struct block *b; 2603 { 2604 struct slist *s; 2605 2606 /* There is an implicit dependency between the link 2607 * payload and link header since the payload computation 2608 * includes the variable part of the header. Therefore, 2609 * if nobody else has allocated a register for the link 2610 * header and we need it, do it now. */ 2611 if (off_linkpl.reg != -1 && off_linkhdr.is_variable && 2612 off_linkhdr.reg == -1) 2613 off_linkhdr.reg = alloc_reg(); 2614 2615 /* 2616 * For link-layer types that have a variable-length header 2617 * preceding the link-layer header, generate code to load 2618 * the offset of the link-layer header into the register 2619 * assigned to that offset, if any. 2620 * 2621 * XXX - this, and the next switch statement, won't handle 2622 * encapsulation of 802.11 or 802.11+radio information in 2623 * some other protocol stack. That's significantly more 2624 * complicated. 2625 */ 2626 switch (outermostlinktype) { 2627 2628 case DLT_PRISM_HEADER: 2629 s = gen_load_prism_llprefixlen(); 2630 break; 2631 2632 case DLT_IEEE802_11_RADIO_AVS: 2633 s = gen_load_avs_llprefixlen(); 2634 break; 2635 2636 case DLT_IEEE802_11_RADIO: 2637 s = gen_load_radiotap_llprefixlen(); 2638 break; 2639 2640 case DLT_PPI: 2641 s = gen_load_ppi_llprefixlen(); 2642 break; 2643 2644 default: 2645 s = NULL; 2646 break; 2647 } 2648 2649 /* 2650 * For link-layer types that have a variable-length link-layer 2651 * header, generate code to load the offset of the link-layer 2652 * payload into the register assigned to that offset, if any. 2653 */ 2654 switch (outermostlinktype) { 2655 2656 case DLT_IEEE802_11: 2657 case DLT_PRISM_HEADER: 2658 case DLT_IEEE802_11_RADIO_AVS: 2659 case DLT_IEEE802_11_RADIO: 2660 case DLT_PPI: 2661 s = gen_load_802_11_header_len(s, b->stmts); 2662 break; 2663 } 2664 2665 /* 2666 * If we have any offset-loading code, append all the 2667 * existing statements in the block to those statements, 2668 * and make the resulting list the list of statements 2669 * for the block. 2670 */ 2671 if (s != NULL) { 2672 sappend(s, b->stmts); 2673 b->stmts = s; 2674 } 2675 } 2676 2677 static struct block * 2678 gen_ppi_dlt_check(void) 2679 { 2680 struct slist *s_load_dlt; 2681 struct block *b; 2682 2683 if (linktype == DLT_PPI) 2684 { 2685 /* Create the statements that check for the DLT 2686 */ 2687 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2688 s_load_dlt->s.k = 4; 2689 2690 b = new_block(JMP(BPF_JEQ)); 2691 2692 b->stmts = s_load_dlt; 2693 b->s.k = SWAPLONG(DLT_IEEE802_11); 2694 } 2695 else 2696 { 2697 b = NULL; 2698 } 2699 2700 return b; 2701 } 2702 2703 /* 2704 * Take an absolute offset, and: 2705 * 2706 * if it has no variable part, return NULL; 2707 * 2708 * if it has a variable part, generate code to load the register 2709 * containing that variable part into the X register, returning 2710 * a pointer to that code - if no register for that offset has 2711 * been allocated, allocate it first. 2712 * 2713 * (The code to set that register will be generated later, but will 2714 * be placed earlier in the code sequence.) 2715 */ 2716 static struct slist * 2717 gen_abs_offset_varpart(bpf_abs_offset *off) 2718 { 2719 struct slist *s; 2720 2721 if (off->is_variable) { 2722 if (off->reg == -1) { 2723 /* 2724 * We haven't yet assigned a register for the 2725 * variable part of the offset of the link-layer 2726 * header; allocate one. 2727 */ 2728 off->reg = alloc_reg(); 2729 } 2730 2731 /* 2732 * Load the register containing the variable part of the 2733 * offset of the link-layer header into the X register. 2734 */ 2735 s = new_stmt(BPF_LDX|BPF_MEM); 2736 s->s.k = off->reg; 2737 return s; 2738 } else { 2739 /* 2740 * That offset isn't variable, there's no variable part, 2741 * so we don't need to generate any code. 2742 */ 2743 return NULL; 2744 } 2745 } 2746 2747 /* 2748 * Map an Ethernet type to the equivalent PPP type. 2749 */ 2750 static int 2751 ethertype_to_ppptype(proto) 2752 int proto; 2753 { 2754 switch (proto) { 2755 2756 case ETHERTYPE_IP: 2757 proto = PPP_IP; 2758 break; 2759 2760 case ETHERTYPE_IPV6: 2761 proto = PPP_IPV6; 2762 break; 2763 2764 case ETHERTYPE_DN: 2765 proto = PPP_DECNET; 2766 break; 2767 2768 case ETHERTYPE_ATALK: 2769 proto = PPP_APPLE; 2770 break; 2771 2772 case ETHERTYPE_NS: 2773 proto = PPP_NS; 2774 break; 2775 2776 case LLCSAP_ISONS: 2777 proto = PPP_OSI; 2778 break; 2779 2780 case LLCSAP_8021D: 2781 /* 2782 * I'm assuming the "Bridging PDU"s that go 2783 * over PPP are Spanning Tree Protocol 2784 * Bridging PDUs. 2785 */ 2786 proto = PPP_BRPDU; 2787 break; 2788 2789 case LLCSAP_IPX: 2790 proto = PPP_IPX; 2791 break; 2792 } 2793 return (proto); 2794 } 2795 2796 /* 2797 * Generate any tests that, for encapsulation of a link-layer packet 2798 * inside another protocol stack, need to be done to check for those 2799 * link-layer packets (and that haven't already been done by a check 2800 * for that encapsulation). 2801 */ 2802 static struct block * 2803 gen_prevlinkhdr_check(void) 2804 { 2805 struct block *b0; 2806 2807 if (is_geneve) 2808 return gen_geneve_ll_check(); 2809 2810 switch (prevlinktype) { 2811 2812 case DLT_SUNATM: 2813 /* 2814 * This is LANE-encapsulated Ethernet; check that the LANE 2815 * packet doesn't begin with an LE Control marker, i.e. 2816 * that it's data, not a control message. 2817 * 2818 * (We've already generated a test for LANE.) 2819 */ 2820 b0 = gen_cmp(OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2821 gen_not(b0); 2822 return b0; 2823 2824 default: 2825 /* 2826 * No such tests are necessary. 2827 */ 2828 return NULL; 2829 } 2830 /*NOTREACHED*/ 2831 } 2832 2833 /* 2834 * Generate code to match a particular packet type by matching the 2835 * link-layer type field or fields in the 802.2 LLC header. 2836 * 2837 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2838 * value, if <= ETHERMTU. 2839 */ 2840 static struct block * 2841 gen_linktype(proto) 2842 register int proto; 2843 { 2844 struct block *b0, *b1, *b2; 2845 const char *description; 2846 2847 /* are we checking MPLS-encapsulated packets? */ 2848 if (label_stack_depth > 0) { 2849 switch (proto) { 2850 case ETHERTYPE_IP: 2851 case PPP_IP: 2852 /* FIXME add other L3 proto IDs */ 2853 return gen_mpls_linktype(Q_IP); 2854 2855 case ETHERTYPE_IPV6: 2856 case PPP_IPV6: 2857 /* FIXME add other L3 proto IDs */ 2858 return gen_mpls_linktype(Q_IPV6); 2859 2860 default: 2861 bpf_error("unsupported protocol over mpls"); 2862 /* NOTREACHED */ 2863 } 2864 } 2865 2866 switch (linktype) { 2867 2868 case DLT_EN10MB: 2869 case DLT_NETANALYZER: 2870 case DLT_NETANALYZER_TRANSPARENT: 2871 /* Geneve has an EtherType regardless of whether there is an 2872 * L2 header. */ 2873 if (!is_geneve) 2874 b0 = gen_prevlinkhdr_check(); 2875 else 2876 b0 = NULL; 2877 2878 b1 = gen_ether_linktype(proto); 2879 if (b0 != NULL) 2880 gen_and(b0, b1); 2881 return b1; 2882 /*NOTREACHED*/ 2883 break; 2884 2885 case DLT_C_HDLC: 2886 switch (proto) { 2887 2888 case LLCSAP_ISONS: 2889 proto = (proto << 8 | LLCSAP_ISONS); 2890 /* fall through */ 2891 2892 default: 2893 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2894 /*NOTREACHED*/ 2895 break; 2896 } 2897 break; 2898 2899 case DLT_IEEE802_11: 2900 case DLT_PRISM_HEADER: 2901 case DLT_IEEE802_11_RADIO_AVS: 2902 case DLT_IEEE802_11_RADIO: 2903 case DLT_PPI: 2904 /* 2905 * Check that we have a data frame. 2906 */ 2907 b0 = gen_check_802_11_data_frame(); 2908 2909 /* 2910 * Now check for the specified link-layer type. 2911 */ 2912 b1 = gen_llc_linktype(proto); 2913 gen_and(b0, b1); 2914 return b1; 2915 /*NOTREACHED*/ 2916 break; 2917 2918 case DLT_FDDI: 2919 /* 2920 * XXX - check for LLC frames. 2921 */ 2922 return gen_llc_linktype(proto); 2923 /*NOTREACHED*/ 2924 break; 2925 2926 case DLT_IEEE802: 2927 /* 2928 * XXX - check for LLC PDUs, as per IEEE 802.5. 2929 */ 2930 return gen_llc_linktype(proto); 2931 /*NOTREACHED*/ 2932 break; 2933 2934 case DLT_ATM_RFC1483: 2935 case DLT_ATM_CLIP: 2936 case DLT_IP_OVER_FC: 2937 return gen_llc_linktype(proto); 2938 /*NOTREACHED*/ 2939 break; 2940 2941 case DLT_SUNATM: 2942 /* 2943 * Check for an LLC-encapsulated version of this protocol; 2944 * if we were checking for LANE, linktype would no longer 2945 * be DLT_SUNATM. 2946 * 2947 * Check for LLC encapsulation and then check the protocol. 2948 */ 2949 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 2950 b1 = gen_llc_linktype(proto); 2951 gen_and(b0, b1); 2952 return b1; 2953 /*NOTREACHED*/ 2954 break; 2955 2956 case DLT_LINUX_SLL: 2957 return gen_linux_sll_linktype(proto); 2958 /*NOTREACHED*/ 2959 break; 2960 2961 case DLT_SLIP: 2962 case DLT_SLIP_BSDOS: 2963 case DLT_RAW: 2964 /* 2965 * These types don't provide any type field; packets 2966 * are always IPv4 or IPv6. 2967 * 2968 * XXX - for IPv4, check for a version number of 4, and, 2969 * for IPv6, check for a version number of 6? 2970 */ 2971 switch (proto) { 2972 2973 case ETHERTYPE_IP: 2974 /* Check for a version number of 4. */ 2975 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 2976 2977 case ETHERTYPE_IPV6: 2978 /* Check for a version number of 6. */ 2979 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 2980 2981 default: 2982 return gen_false(); /* always false */ 2983 } 2984 /*NOTREACHED*/ 2985 break; 2986 2987 case DLT_IPV4: 2988 /* 2989 * Raw IPv4, so no type field. 2990 */ 2991 if (proto == ETHERTYPE_IP) 2992 return gen_true(); /* always true */ 2993 2994 /* Checking for something other than IPv4; always false */ 2995 return gen_false(); 2996 /*NOTREACHED*/ 2997 break; 2998 2999 case DLT_IPV6: 3000 /* 3001 * Raw IPv6, so no type field. 3002 */ 3003 if (proto == ETHERTYPE_IPV6) 3004 return gen_true(); /* always true */ 3005 3006 /* Checking for something other than IPv6; always false */ 3007 return gen_false(); 3008 /*NOTREACHED*/ 3009 break; 3010 3011 case DLT_PPP: 3012 case DLT_PPP_PPPD: 3013 case DLT_PPP_SERIAL: 3014 case DLT_PPP_ETHER: 3015 /* 3016 * We use Ethernet protocol types inside libpcap; 3017 * map them to the corresponding PPP protocol types. 3018 */ 3019 proto = ethertype_to_ppptype(proto); 3020 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3021 /*NOTREACHED*/ 3022 break; 3023 3024 case DLT_PPP_BSDOS: 3025 /* 3026 * We use Ethernet protocol types inside libpcap; 3027 * map them to the corresponding PPP protocol types. 3028 */ 3029 switch (proto) { 3030 3031 case ETHERTYPE_IP: 3032 /* 3033 * Also check for Van Jacobson-compressed IP. 3034 * XXX - do this for other forms of PPP? 3035 */ 3036 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_IP); 3037 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3038 gen_or(b0, b1); 3039 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3040 gen_or(b1, b0); 3041 return b0; 3042 3043 default: 3044 proto = ethertype_to_ppptype(proto); 3045 return gen_cmp(OR_LINKTYPE, 0, BPF_H, 3046 (bpf_int32)proto); 3047 } 3048 /*NOTREACHED*/ 3049 break; 3050 3051 case DLT_NULL: 3052 case DLT_LOOP: 3053 case DLT_ENC: 3054 /* 3055 * For DLT_NULL, the link-layer header is a 32-bit 3056 * word containing an AF_ value in *host* byte order, 3057 * and for DLT_ENC, the link-layer header begins 3058 * with a 32-bit work containing an AF_ value in 3059 * host byte order. 3060 * 3061 * In addition, if we're reading a saved capture file, 3062 * the host byte order in the capture may not be the 3063 * same as the host byte order on this machine. 3064 * 3065 * For DLT_LOOP, the link-layer header is a 32-bit 3066 * word containing an AF_ value in *network* byte order. 3067 * 3068 * XXX - AF_ values may, unfortunately, be platform- 3069 * dependent; for example, FreeBSD's AF_INET6 is 24 3070 * whilst NetBSD's and OpenBSD's is 26. 3071 * 3072 * This means that, when reading a capture file, just 3073 * checking for our AF_INET6 value won't work if the 3074 * capture file came from another OS. 3075 */ 3076 switch (proto) { 3077 3078 case ETHERTYPE_IP: 3079 proto = AF_INET; 3080 break; 3081 3082 #ifdef INET6 3083 case ETHERTYPE_IPV6: 3084 proto = AF_INET6; 3085 break; 3086 #endif 3087 3088 default: 3089 /* 3090 * Not a type on which we support filtering. 3091 * XXX - support those that have AF_ values 3092 * #defined on this platform, at least? 3093 */ 3094 return gen_false(); 3095 } 3096 3097 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3098 /* 3099 * The AF_ value is in host byte order, but 3100 * the BPF interpreter will convert it to 3101 * network byte order. 3102 * 3103 * If this is a save file, and it's from a 3104 * machine with the opposite byte order to 3105 * ours, we byte-swap the AF_ value. 3106 * 3107 * Then we run it through "htonl()", and 3108 * generate code to compare against the result. 3109 */ 3110 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped) 3111 proto = SWAPLONG(proto); 3112 proto = htonl(proto); 3113 } 3114 return (gen_cmp(OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 3115 3116 #ifdef HAVE_NET_PFVAR_H 3117 case DLT_PFLOG: 3118 /* 3119 * af field is host byte order in contrast to the rest of 3120 * the packet. 3121 */ 3122 if (proto == ETHERTYPE_IP) 3123 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af), 3124 BPF_B, (bpf_int32)AF_INET)); 3125 else if (proto == ETHERTYPE_IPV6) 3126 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af), 3127 BPF_B, (bpf_int32)AF_INET6)); 3128 else 3129 return gen_false(); 3130 /*NOTREACHED*/ 3131 break; 3132 #endif /* HAVE_NET_PFVAR_H */ 3133 3134 case DLT_ARCNET: 3135 case DLT_ARCNET_LINUX: 3136 /* 3137 * XXX should we check for first fragment if the protocol 3138 * uses PHDS? 3139 */ 3140 switch (proto) { 3141 3142 default: 3143 return gen_false(); 3144 3145 case ETHERTYPE_IPV6: 3146 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3147 (bpf_int32)ARCTYPE_INET6)); 3148 3149 case ETHERTYPE_IP: 3150 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3151 (bpf_int32)ARCTYPE_IP); 3152 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3153 (bpf_int32)ARCTYPE_IP_OLD); 3154 gen_or(b0, b1); 3155 return (b1); 3156 3157 case ETHERTYPE_ARP: 3158 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3159 (bpf_int32)ARCTYPE_ARP); 3160 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3161 (bpf_int32)ARCTYPE_ARP_OLD); 3162 gen_or(b0, b1); 3163 return (b1); 3164 3165 case ETHERTYPE_REVARP: 3166 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3167 (bpf_int32)ARCTYPE_REVARP)); 3168 3169 case ETHERTYPE_ATALK: 3170 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3171 (bpf_int32)ARCTYPE_ATALK)); 3172 } 3173 /*NOTREACHED*/ 3174 break; 3175 3176 case DLT_LTALK: 3177 switch (proto) { 3178 case ETHERTYPE_ATALK: 3179 return gen_true(); 3180 default: 3181 return gen_false(); 3182 } 3183 /*NOTREACHED*/ 3184 break; 3185 3186 case DLT_FRELAY: 3187 /* 3188 * XXX - assumes a 2-byte Frame Relay header with 3189 * DLCI and flags. What if the address is longer? 3190 */ 3191 switch (proto) { 3192 3193 case ETHERTYPE_IP: 3194 /* 3195 * Check for the special NLPID for IP. 3196 */ 3197 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3198 3199 case ETHERTYPE_IPV6: 3200 /* 3201 * Check for the special NLPID for IPv6. 3202 */ 3203 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3204 3205 case LLCSAP_ISONS: 3206 /* 3207 * Check for several OSI protocols. 3208 * 3209 * Frame Relay packets typically have an OSI 3210 * NLPID at the beginning; we check for each 3211 * of them. 3212 * 3213 * What we check for is the NLPID and a frame 3214 * control field of UI, i.e. 0x03 followed 3215 * by the NLPID. 3216 */ 3217 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3218 b1 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3219 b2 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3220 gen_or(b1, b2); 3221 gen_or(b0, b2); 3222 return b2; 3223 3224 default: 3225 return gen_false(); 3226 } 3227 /*NOTREACHED*/ 3228 break; 3229 3230 case DLT_MFR: 3231 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3232 3233 case DLT_JUNIPER_MFR: 3234 case DLT_JUNIPER_MLFR: 3235 case DLT_JUNIPER_MLPPP: 3236 case DLT_JUNIPER_ATM1: 3237 case DLT_JUNIPER_ATM2: 3238 case DLT_JUNIPER_PPPOE: 3239 case DLT_JUNIPER_PPPOE_ATM: 3240 case DLT_JUNIPER_GGSN: 3241 case DLT_JUNIPER_ES: 3242 case DLT_JUNIPER_MONITOR: 3243 case DLT_JUNIPER_SERVICES: 3244 case DLT_JUNIPER_ETHER: 3245 case DLT_JUNIPER_PPP: 3246 case DLT_JUNIPER_FRELAY: 3247 case DLT_JUNIPER_CHDLC: 3248 case DLT_JUNIPER_VP: 3249 case DLT_JUNIPER_ST: 3250 case DLT_JUNIPER_ISM: 3251 case DLT_JUNIPER_VS: 3252 case DLT_JUNIPER_SRX_E2E: 3253 case DLT_JUNIPER_FIBRECHANNEL: 3254 case DLT_JUNIPER_ATM_CEMIC: 3255 3256 /* just lets verify the magic number for now - 3257 * on ATM we may have up to 6 different encapsulations on the wire 3258 * and need a lot of heuristics to figure out that the payload 3259 * might be; 3260 * 3261 * FIXME encapsulation specific BPF_ filters 3262 */ 3263 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3264 3265 case DLT_BACNET_MS_TP: 3266 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3267 3268 case DLT_IPNET: 3269 return gen_ipnet_linktype(proto); 3270 3271 case DLT_LINUX_IRDA: 3272 bpf_error("IrDA link-layer type filtering not implemented"); 3273 3274 case DLT_DOCSIS: 3275 bpf_error("DOCSIS link-layer type filtering not implemented"); 3276 3277 case DLT_MTP2: 3278 case DLT_MTP2_WITH_PHDR: 3279 bpf_error("MTP2 link-layer type filtering not implemented"); 3280 3281 case DLT_ERF: 3282 bpf_error("ERF link-layer type filtering not implemented"); 3283 3284 case DLT_PFSYNC: 3285 bpf_error("PFSYNC link-layer type filtering not implemented"); 3286 3287 case DLT_LINUX_LAPD: 3288 bpf_error("LAPD link-layer type filtering not implemented"); 3289 3290 case DLT_USB: 3291 case DLT_USB_LINUX: 3292 case DLT_USB_LINUX_MMAPPED: 3293 bpf_error("USB link-layer type filtering not implemented"); 3294 3295 case DLT_BLUETOOTH_HCI_H4: 3296 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3297 bpf_error("Bluetooth link-layer type filtering not implemented"); 3298 3299 case DLT_CAN20B: 3300 case DLT_CAN_SOCKETCAN: 3301 bpf_error("CAN link-layer type filtering not implemented"); 3302 3303 case DLT_IEEE802_15_4: 3304 case DLT_IEEE802_15_4_LINUX: 3305 case DLT_IEEE802_15_4_NONASK_PHY: 3306 case DLT_IEEE802_15_4_NOFCS: 3307 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3308 3309 case DLT_IEEE802_16_MAC_CPS_RADIO: 3310 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3311 3312 case DLT_SITA: 3313 bpf_error("SITA link-layer type filtering not implemented"); 3314 3315 case DLT_RAIF1: 3316 bpf_error("RAIF1 link-layer type filtering not implemented"); 3317 3318 case DLT_IPMB: 3319 bpf_error("IPMB link-layer type filtering not implemented"); 3320 3321 case DLT_AX25_KISS: 3322 bpf_error("AX.25 link-layer type filtering not implemented"); 3323 3324 case DLT_NFLOG: 3325 /* Using the fixed-size NFLOG header it is possible to tell only 3326 * the address family of the packet, other meaningful data is 3327 * either missing or behind TLVs. 3328 */ 3329 bpf_error("NFLOG link-layer type filtering not implemented"); 3330 3331 default: 3332 /* 3333 * Does this link-layer header type have a field 3334 * indicating the type of the next protocol? If 3335 * so, off_linktype.constant_part will be the offset of that 3336 * field in the packet; if not, it will be -1. 3337 */ 3338 if (off_linktype.constant_part != (u_int)-1) { 3339 /* 3340 * Yes; assume it's an Ethernet type. (If 3341 * it's not, it needs to be handled specially 3342 * above.) 3343 */ 3344 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3345 } else { 3346 /* 3347 * No; report an error. 3348 */ 3349 description = pcap_datalink_val_to_description(linktype); 3350 if (description != NULL) { 3351 bpf_error("%s link-layer type filtering not implemented", 3352 description); 3353 } else { 3354 bpf_error("DLT %u link-layer type filtering not implemented", 3355 linktype); 3356 } 3357 } 3358 break; 3359 } 3360 } 3361 3362 /* 3363 * Check for an LLC SNAP packet with a given organization code and 3364 * protocol type; we check the entire contents of the 802.2 LLC and 3365 * snap headers, checking for DSAP and SSAP of SNAP and a control 3366 * field of 0x03 in the LLC header, and for the specified organization 3367 * code and protocol type in the SNAP header. 3368 */ 3369 static struct block * 3370 gen_snap(orgcode, ptype) 3371 bpf_u_int32 orgcode; 3372 bpf_u_int32 ptype; 3373 { 3374 u_char snapblock[8]; 3375 3376 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3377 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3378 snapblock[2] = 0x03; /* control = UI */ 3379 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3380 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3381 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3382 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3383 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3384 return gen_bcmp(OR_LLC, 0, 8, snapblock); 3385 } 3386 3387 /* 3388 * Generate code to match frames with an LLC header. 3389 */ 3390 struct block * 3391 gen_llc(void) 3392 { 3393 struct block *b0, *b1; 3394 3395 switch (linktype) { 3396 3397 case DLT_EN10MB: 3398 /* 3399 * We check for an Ethernet type field less than 3400 * 1500, which means it's an 802.3 length field. 3401 */ 3402 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3403 gen_not(b0); 3404 3405 /* 3406 * Now check for the purported DSAP and SSAP not being 3407 * 0xFF, to rule out NetWare-over-802.3. 3408 */ 3409 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3410 gen_not(b1); 3411 gen_and(b0, b1); 3412 return b1; 3413 3414 case DLT_SUNATM: 3415 /* 3416 * We check for LLC traffic. 3417 */ 3418 b0 = gen_atmtype_abbrev(A_LLC); 3419 return b0; 3420 3421 case DLT_IEEE802: /* Token Ring */ 3422 /* 3423 * XXX - check for LLC frames. 3424 */ 3425 return gen_true(); 3426 3427 case DLT_FDDI: 3428 /* 3429 * XXX - check for LLC frames. 3430 */ 3431 return gen_true(); 3432 3433 case DLT_ATM_RFC1483: 3434 /* 3435 * For LLC encapsulation, these are defined to have an 3436 * 802.2 LLC header. 3437 * 3438 * For VC encapsulation, they don't, but there's no 3439 * way to check for that; the protocol used on the VC 3440 * is negotiated out of band. 3441 */ 3442 return gen_true(); 3443 3444 case DLT_IEEE802_11: 3445 case DLT_PRISM_HEADER: 3446 case DLT_IEEE802_11_RADIO: 3447 case DLT_IEEE802_11_RADIO_AVS: 3448 case DLT_PPI: 3449 /* 3450 * Check that we have a data frame. 3451 */ 3452 b0 = gen_check_802_11_data_frame(); 3453 return b0; 3454 3455 default: 3456 bpf_error("'llc' not supported for linktype %d", linktype); 3457 /* NOTREACHED */ 3458 } 3459 } 3460 3461 struct block * 3462 gen_llc_i(void) 3463 { 3464 struct block *b0, *b1; 3465 struct slist *s; 3466 3467 /* 3468 * Check whether this is an LLC frame. 3469 */ 3470 b0 = gen_llc(); 3471 3472 /* 3473 * Load the control byte and test the low-order bit; it must 3474 * be clear for I frames. 3475 */ 3476 s = gen_load_a(OR_LLC, 2, BPF_B); 3477 b1 = new_block(JMP(BPF_JSET)); 3478 b1->s.k = 0x01; 3479 b1->stmts = s; 3480 gen_not(b1); 3481 gen_and(b0, b1); 3482 return b1; 3483 } 3484 3485 struct block * 3486 gen_llc_s(void) 3487 { 3488 struct block *b0, *b1; 3489 3490 /* 3491 * Check whether this is an LLC frame. 3492 */ 3493 b0 = gen_llc(); 3494 3495 /* 3496 * Now compare the low-order 2 bit of the control byte against 3497 * the appropriate value for S frames. 3498 */ 3499 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3500 gen_and(b0, b1); 3501 return b1; 3502 } 3503 3504 struct block * 3505 gen_llc_u(void) 3506 { 3507 struct block *b0, *b1; 3508 3509 /* 3510 * Check whether this is an LLC frame. 3511 */ 3512 b0 = gen_llc(); 3513 3514 /* 3515 * Now compare the low-order 2 bit of the control byte against 3516 * the appropriate value for U frames. 3517 */ 3518 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3519 gen_and(b0, b1); 3520 return b1; 3521 } 3522 3523 struct block * 3524 gen_llc_s_subtype(bpf_u_int32 subtype) 3525 { 3526 struct block *b0, *b1; 3527 3528 /* 3529 * Check whether this is an LLC frame. 3530 */ 3531 b0 = gen_llc(); 3532 3533 /* 3534 * Now check for an S frame with the appropriate type. 3535 */ 3536 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3537 gen_and(b0, b1); 3538 return b1; 3539 } 3540 3541 struct block * 3542 gen_llc_u_subtype(bpf_u_int32 subtype) 3543 { 3544 struct block *b0, *b1; 3545 3546 /* 3547 * Check whether this is an LLC frame. 3548 */ 3549 b0 = gen_llc(); 3550 3551 /* 3552 * Now check for a U frame with the appropriate type. 3553 */ 3554 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3555 gen_and(b0, b1); 3556 return b1; 3557 } 3558 3559 /* 3560 * Generate code to match a particular packet type, for link-layer types 3561 * using 802.2 LLC headers. 3562 * 3563 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3564 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3565 * 3566 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3567 * value, if <= ETHERMTU. We use that to determine whether to 3568 * match the DSAP or both DSAP and LSAP or to check the OUI and 3569 * protocol ID in a SNAP header. 3570 */ 3571 static struct block * 3572 gen_llc_linktype(proto) 3573 int proto; 3574 { 3575 /* 3576 * XXX - handle token-ring variable-length header. 3577 */ 3578 switch (proto) { 3579 3580 case LLCSAP_IP: 3581 case LLCSAP_ISONS: 3582 case LLCSAP_NETBEUI: 3583 /* 3584 * XXX - should we check both the DSAP and the 3585 * SSAP, like this, or should we check just the 3586 * DSAP, as we do for other SAP values? 3587 */ 3588 return gen_cmp(OR_LLC, 0, BPF_H, (bpf_u_int32) 3589 ((proto << 8) | proto)); 3590 3591 case LLCSAP_IPX: 3592 /* 3593 * XXX - are there ever SNAP frames for IPX on 3594 * non-Ethernet 802.x networks? 3595 */ 3596 return gen_cmp(OR_LLC, 0, BPF_B, 3597 (bpf_int32)LLCSAP_IPX); 3598 3599 case ETHERTYPE_ATALK: 3600 /* 3601 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3602 * SNAP packets with an organization code of 3603 * 0x080007 (Apple, for Appletalk) and a protocol 3604 * type of ETHERTYPE_ATALK (Appletalk). 3605 * 3606 * XXX - check for an organization code of 3607 * encapsulated Ethernet as well? 3608 */ 3609 return gen_snap(0x080007, ETHERTYPE_ATALK); 3610 3611 default: 3612 /* 3613 * XXX - we don't have to check for IPX 802.3 3614 * here, but should we check for the IPX Ethertype? 3615 */ 3616 if (proto <= ETHERMTU) { 3617 /* 3618 * This is an LLC SAP value, so check 3619 * the DSAP. 3620 */ 3621 return gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)proto); 3622 } else { 3623 /* 3624 * This is an Ethernet type; we assume that it's 3625 * unlikely that it'll appear in the right place 3626 * at random, and therefore check only the 3627 * location that would hold the Ethernet type 3628 * in a SNAP frame with an organization code of 3629 * 0x000000 (encapsulated Ethernet). 3630 * 3631 * XXX - if we were to check for the SNAP DSAP and 3632 * LSAP, as per XXX, and were also to check for an 3633 * organization code of 0x000000 (encapsulated 3634 * Ethernet), we'd do 3635 * 3636 * return gen_snap(0x000000, proto); 3637 * 3638 * here; for now, we don't, as per the above. 3639 * I don't know whether it's worth the extra CPU 3640 * time to do the right check or not. 3641 */ 3642 return gen_cmp(OR_LLC, 6, BPF_H, (bpf_int32)proto); 3643 } 3644 } 3645 } 3646 3647 static struct block * 3648 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3649 bpf_u_int32 addr; 3650 bpf_u_int32 mask; 3651 int dir, proto; 3652 u_int src_off, dst_off; 3653 { 3654 struct block *b0, *b1; 3655 u_int offset; 3656 3657 switch (dir) { 3658 3659 case Q_SRC: 3660 offset = src_off; 3661 break; 3662 3663 case Q_DST: 3664 offset = dst_off; 3665 break; 3666 3667 case Q_AND: 3668 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3669 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3670 gen_and(b0, b1); 3671 return b1; 3672 3673 case Q_OR: 3674 case Q_DEFAULT: 3675 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3676 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3677 gen_or(b0, b1); 3678 return b1; 3679 3680 default: 3681 abort(); 3682 } 3683 b0 = gen_linktype(proto); 3684 b1 = gen_mcmp(OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3685 gen_and(b0, b1); 3686 return b1; 3687 } 3688 3689 #ifdef INET6 3690 static struct block * 3691 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3692 struct in6_addr *addr; 3693 struct in6_addr *mask; 3694 int dir, proto; 3695 u_int src_off, dst_off; 3696 { 3697 struct block *b0, *b1; 3698 u_int offset; 3699 u_int32_t *a, *m; 3700 3701 switch (dir) { 3702 3703 case Q_SRC: 3704 offset = src_off; 3705 break; 3706 3707 case Q_DST: 3708 offset = dst_off; 3709 break; 3710 3711 case Q_AND: 3712 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3713 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3714 gen_and(b0, b1); 3715 return b1; 3716 3717 case Q_OR: 3718 case Q_DEFAULT: 3719 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3720 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3721 gen_or(b0, b1); 3722 return b1; 3723 3724 default: 3725 abort(); 3726 } 3727 /* this order is important */ 3728 a = (u_int32_t *)addr; 3729 m = (u_int32_t *)mask; 3730 b1 = gen_mcmp(OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3731 b0 = gen_mcmp(OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3732 gen_and(b0, b1); 3733 b0 = gen_mcmp(OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3734 gen_and(b0, b1); 3735 b0 = gen_mcmp(OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3736 gen_and(b0, b1); 3737 b0 = gen_linktype(proto); 3738 gen_and(b0, b1); 3739 return b1; 3740 } 3741 #endif 3742 3743 static struct block * 3744 gen_ehostop(eaddr, dir) 3745 register const u_char *eaddr; 3746 register int dir; 3747 { 3748 register struct block *b0, *b1; 3749 3750 switch (dir) { 3751 case Q_SRC: 3752 return gen_bcmp(OR_LINKHDR, 6, 6, eaddr); 3753 3754 case Q_DST: 3755 return gen_bcmp(OR_LINKHDR, 0, 6, eaddr); 3756 3757 case Q_AND: 3758 b0 = gen_ehostop(eaddr, Q_SRC); 3759 b1 = gen_ehostop(eaddr, Q_DST); 3760 gen_and(b0, b1); 3761 return b1; 3762 3763 case Q_DEFAULT: 3764 case Q_OR: 3765 b0 = gen_ehostop(eaddr, Q_SRC); 3766 b1 = gen_ehostop(eaddr, Q_DST); 3767 gen_or(b0, b1); 3768 return b1; 3769 3770 case Q_ADDR1: 3771 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3772 break; 3773 3774 case Q_ADDR2: 3775 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3776 break; 3777 3778 case Q_ADDR3: 3779 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3780 break; 3781 3782 case Q_ADDR4: 3783 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3784 break; 3785 3786 case Q_RA: 3787 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3788 break; 3789 3790 case Q_TA: 3791 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3792 break; 3793 } 3794 abort(); 3795 /* NOTREACHED */ 3796 } 3797 3798 /* 3799 * Like gen_ehostop, but for DLT_FDDI 3800 */ 3801 static struct block * 3802 gen_fhostop(eaddr, dir) 3803 register const u_char *eaddr; 3804 register int dir; 3805 { 3806 struct block *b0, *b1; 3807 3808 switch (dir) { 3809 case Q_SRC: 3810 return gen_bcmp(OR_LINKHDR, 6 + 1 + pcap_fddipad, 6, eaddr); 3811 3812 case Q_DST: 3813 return gen_bcmp(OR_LINKHDR, 0 + 1 + pcap_fddipad, 6, eaddr); 3814 3815 case Q_AND: 3816 b0 = gen_fhostop(eaddr, Q_SRC); 3817 b1 = gen_fhostop(eaddr, Q_DST); 3818 gen_and(b0, b1); 3819 return b1; 3820 3821 case Q_DEFAULT: 3822 case Q_OR: 3823 b0 = gen_fhostop(eaddr, Q_SRC); 3824 b1 = gen_fhostop(eaddr, Q_DST); 3825 gen_or(b0, b1); 3826 return b1; 3827 3828 case Q_ADDR1: 3829 bpf_error("'addr1' is only supported on 802.11"); 3830 break; 3831 3832 case Q_ADDR2: 3833 bpf_error("'addr2' is only supported on 802.11"); 3834 break; 3835 3836 case Q_ADDR3: 3837 bpf_error("'addr3' is only supported on 802.11"); 3838 break; 3839 3840 case Q_ADDR4: 3841 bpf_error("'addr4' is only supported on 802.11"); 3842 break; 3843 3844 case Q_RA: 3845 bpf_error("'ra' is only supported on 802.11"); 3846 break; 3847 3848 case Q_TA: 3849 bpf_error("'ta' is only supported on 802.11"); 3850 break; 3851 } 3852 abort(); 3853 /* NOTREACHED */ 3854 } 3855 3856 /* 3857 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3858 */ 3859 static struct block * 3860 gen_thostop(eaddr, dir) 3861 register const u_char *eaddr; 3862 register int dir; 3863 { 3864 register struct block *b0, *b1; 3865 3866 switch (dir) { 3867 case Q_SRC: 3868 return gen_bcmp(OR_LINKHDR, 8, 6, eaddr); 3869 3870 case Q_DST: 3871 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr); 3872 3873 case Q_AND: 3874 b0 = gen_thostop(eaddr, Q_SRC); 3875 b1 = gen_thostop(eaddr, Q_DST); 3876 gen_and(b0, b1); 3877 return b1; 3878 3879 case Q_DEFAULT: 3880 case Q_OR: 3881 b0 = gen_thostop(eaddr, Q_SRC); 3882 b1 = gen_thostop(eaddr, Q_DST); 3883 gen_or(b0, b1); 3884 return b1; 3885 3886 case Q_ADDR1: 3887 bpf_error("'addr1' is only supported on 802.11"); 3888 break; 3889 3890 case Q_ADDR2: 3891 bpf_error("'addr2' is only supported on 802.11"); 3892 break; 3893 3894 case Q_ADDR3: 3895 bpf_error("'addr3' is only supported on 802.11"); 3896 break; 3897 3898 case Q_ADDR4: 3899 bpf_error("'addr4' is only supported on 802.11"); 3900 break; 3901 3902 case Q_RA: 3903 bpf_error("'ra' is only supported on 802.11"); 3904 break; 3905 3906 case Q_TA: 3907 bpf_error("'ta' is only supported on 802.11"); 3908 break; 3909 } 3910 abort(); 3911 /* NOTREACHED */ 3912 } 3913 3914 /* 3915 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3916 * various 802.11 + radio headers. 3917 */ 3918 static struct block * 3919 gen_wlanhostop(eaddr, dir) 3920 register const u_char *eaddr; 3921 register int dir; 3922 { 3923 register struct block *b0, *b1, *b2; 3924 register struct slist *s; 3925 3926 #ifdef ENABLE_WLAN_FILTERING_PATCH 3927 /* 3928 * TODO GV 20070613 3929 * We need to disable the optimizer because the optimizer is buggy 3930 * and wipes out some LD instructions generated by the below 3931 * code to validate the Frame Control bits 3932 */ 3933 no_optimize = 1; 3934 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3935 3936 switch (dir) { 3937 case Q_SRC: 3938 /* 3939 * Oh, yuk. 3940 * 3941 * For control frames, there is no SA. 3942 * 3943 * For management frames, SA is at an 3944 * offset of 10 from the beginning of 3945 * the packet. 3946 * 3947 * For data frames, SA is at an offset 3948 * of 10 from the beginning of the packet 3949 * if From DS is clear, at an offset of 3950 * 16 from the beginning of the packet 3951 * if From DS is set and To DS is clear, 3952 * and an offset of 24 from the beginning 3953 * of the packet if From DS is set and To DS 3954 * is set. 3955 */ 3956 3957 /* 3958 * Generate the tests to be done for data frames 3959 * with From DS set. 3960 * 3961 * First, check for To DS set, i.e. check "link[1] & 0x01". 3962 */ 3963 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 3964 b1 = new_block(JMP(BPF_JSET)); 3965 b1->s.k = 0x01; /* To DS */ 3966 b1->stmts = s; 3967 3968 /* 3969 * If To DS is set, the SA is at 24. 3970 */ 3971 b0 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr); 3972 gen_and(b1, b0); 3973 3974 /* 3975 * Now, check for To DS not set, i.e. check 3976 * "!(link[1] & 0x01)". 3977 */ 3978 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 3979 b2 = new_block(JMP(BPF_JSET)); 3980 b2->s.k = 0x01; /* To DS */ 3981 b2->stmts = s; 3982 gen_not(b2); 3983 3984 /* 3985 * If To DS is not set, the SA is at 16. 3986 */ 3987 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 3988 gen_and(b2, b1); 3989 3990 /* 3991 * Now OR together the last two checks. That gives 3992 * the complete set of checks for data frames with 3993 * From DS set. 3994 */ 3995 gen_or(b1, b0); 3996 3997 /* 3998 * Now check for From DS being set, and AND that with 3999 * the ORed-together checks. 4000 */ 4001 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4002 b1 = new_block(JMP(BPF_JSET)); 4003 b1->s.k = 0x02; /* From DS */ 4004 b1->stmts = s; 4005 gen_and(b1, b0); 4006 4007 /* 4008 * Now check for data frames with From DS not set. 4009 */ 4010 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4011 b2 = new_block(JMP(BPF_JSET)); 4012 b2->s.k = 0x02; /* From DS */ 4013 b2->stmts = s; 4014 gen_not(b2); 4015 4016 /* 4017 * If From DS isn't set, the SA is at 10. 4018 */ 4019 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4020 gen_and(b2, b1); 4021 4022 /* 4023 * Now OR together the checks for data frames with 4024 * From DS not set and for data frames with From DS 4025 * set; that gives the checks done for data frames. 4026 */ 4027 gen_or(b1, b0); 4028 4029 /* 4030 * Now check for a data frame. 4031 * I.e, check "link[0] & 0x08". 4032 */ 4033 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4034 b1 = new_block(JMP(BPF_JSET)); 4035 b1->s.k = 0x08; 4036 b1->stmts = s; 4037 4038 /* 4039 * AND that with the checks done for data frames. 4040 */ 4041 gen_and(b1, b0); 4042 4043 /* 4044 * If the high-order bit of the type value is 0, this 4045 * is a management frame. 4046 * I.e, check "!(link[0] & 0x08)". 4047 */ 4048 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4049 b2 = new_block(JMP(BPF_JSET)); 4050 b2->s.k = 0x08; 4051 b2->stmts = s; 4052 gen_not(b2); 4053 4054 /* 4055 * For management frames, the SA is at 10. 4056 */ 4057 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4058 gen_and(b2, b1); 4059 4060 /* 4061 * OR that with the checks done for data frames. 4062 * That gives the checks done for management and 4063 * data frames. 4064 */ 4065 gen_or(b1, b0); 4066 4067 /* 4068 * If the low-order bit of the type value is 1, 4069 * this is either a control frame or a frame 4070 * with a reserved type, and thus not a 4071 * frame with an SA. 4072 * 4073 * I.e., check "!(link[0] & 0x04)". 4074 */ 4075 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4076 b1 = new_block(JMP(BPF_JSET)); 4077 b1->s.k = 0x04; 4078 b1->stmts = s; 4079 gen_not(b1); 4080 4081 /* 4082 * AND that with the checks for data and management 4083 * frames. 4084 */ 4085 gen_and(b1, b0); 4086 return b0; 4087 4088 case Q_DST: 4089 /* 4090 * Oh, yuk. 4091 * 4092 * For control frames, there is no DA. 4093 * 4094 * For management frames, DA is at an 4095 * offset of 4 from the beginning of 4096 * the packet. 4097 * 4098 * For data frames, DA is at an offset 4099 * of 4 from the beginning of the packet 4100 * if To DS is clear and at an offset of 4101 * 16 from the beginning of the packet 4102 * if To DS is set. 4103 */ 4104 4105 /* 4106 * Generate the tests to be done for data frames. 4107 * 4108 * First, check for To DS set, i.e. "link[1] & 0x01". 4109 */ 4110 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4111 b1 = new_block(JMP(BPF_JSET)); 4112 b1->s.k = 0x01; /* To DS */ 4113 b1->stmts = s; 4114 4115 /* 4116 * If To DS is set, the DA is at 16. 4117 */ 4118 b0 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 4119 gen_and(b1, b0); 4120 4121 /* 4122 * Now, check for To DS not set, i.e. check 4123 * "!(link[1] & 0x01)". 4124 */ 4125 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4126 b2 = new_block(JMP(BPF_JSET)); 4127 b2->s.k = 0x01; /* To DS */ 4128 b2->stmts = s; 4129 gen_not(b2); 4130 4131 /* 4132 * If To DS is not set, the DA is at 4. 4133 */ 4134 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4135 gen_and(b2, b1); 4136 4137 /* 4138 * Now OR together the last two checks. That gives 4139 * the complete set of checks for data frames. 4140 */ 4141 gen_or(b1, b0); 4142 4143 /* 4144 * Now check for a data frame. 4145 * I.e, check "link[0] & 0x08". 4146 */ 4147 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4148 b1 = new_block(JMP(BPF_JSET)); 4149 b1->s.k = 0x08; 4150 b1->stmts = s; 4151 4152 /* 4153 * AND that with the checks done for data frames. 4154 */ 4155 gen_and(b1, b0); 4156 4157 /* 4158 * If the high-order bit of the type value is 0, this 4159 * is a management frame. 4160 * I.e, check "!(link[0] & 0x08)". 4161 */ 4162 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4163 b2 = new_block(JMP(BPF_JSET)); 4164 b2->s.k = 0x08; 4165 b2->stmts = s; 4166 gen_not(b2); 4167 4168 /* 4169 * For management frames, the DA is at 4. 4170 */ 4171 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4172 gen_and(b2, b1); 4173 4174 /* 4175 * OR that with the checks done for data frames. 4176 * That gives the checks done for management and 4177 * data frames. 4178 */ 4179 gen_or(b1, b0); 4180 4181 /* 4182 * If the low-order bit of the type value is 1, 4183 * this is either a control frame or a frame 4184 * with a reserved type, and thus not a 4185 * frame with an SA. 4186 * 4187 * I.e., check "!(link[0] & 0x04)". 4188 */ 4189 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4190 b1 = new_block(JMP(BPF_JSET)); 4191 b1->s.k = 0x04; 4192 b1->stmts = s; 4193 gen_not(b1); 4194 4195 /* 4196 * AND that with the checks for data and management 4197 * frames. 4198 */ 4199 gen_and(b1, b0); 4200 return b0; 4201 4202 case Q_RA: 4203 /* 4204 * Not present in management frames; addr1 in other 4205 * frames. 4206 */ 4207 4208 /* 4209 * If the high-order bit of the type value is 0, this 4210 * is a management frame. 4211 * I.e, check "(link[0] & 0x08)". 4212 */ 4213 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4214 b1 = new_block(JMP(BPF_JSET)); 4215 b1->s.k = 0x08; 4216 b1->stmts = s; 4217 4218 /* 4219 * Check addr1. 4220 */ 4221 b0 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4222 4223 /* 4224 * AND that with the check of addr1. 4225 */ 4226 gen_and(b1, b0); 4227 return (b0); 4228 4229 case Q_TA: 4230 /* 4231 * Not present in management frames; addr2, if present, 4232 * in other frames. 4233 */ 4234 4235 /* 4236 * Not present in CTS or ACK control frames. 4237 */ 4238 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4239 IEEE80211_FC0_TYPE_MASK); 4240 gen_not(b0); 4241 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4242 IEEE80211_FC0_SUBTYPE_MASK); 4243 gen_not(b1); 4244 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4245 IEEE80211_FC0_SUBTYPE_MASK); 4246 gen_not(b2); 4247 gen_and(b1, b2); 4248 gen_or(b0, b2); 4249 4250 /* 4251 * If the high-order bit of the type value is 0, this 4252 * is a management frame. 4253 * I.e, check "(link[0] & 0x08)". 4254 */ 4255 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4256 b1 = new_block(JMP(BPF_JSET)); 4257 b1->s.k = 0x08; 4258 b1->stmts = s; 4259 4260 /* 4261 * AND that with the check for frames other than 4262 * CTS and ACK frames. 4263 */ 4264 gen_and(b1, b2); 4265 4266 /* 4267 * Check addr2. 4268 */ 4269 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4270 gen_and(b2, b1); 4271 return b1; 4272 4273 /* 4274 * XXX - add BSSID keyword? 4275 */ 4276 case Q_ADDR1: 4277 return (gen_bcmp(OR_LINKHDR, 4, 6, eaddr)); 4278 4279 case Q_ADDR2: 4280 /* 4281 * Not present in CTS or ACK control frames. 4282 */ 4283 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4284 IEEE80211_FC0_TYPE_MASK); 4285 gen_not(b0); 4286 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4287 IEEE80211_FC0_SUBTYPE_MASK); 4288 gen_not(b1); 4289 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4290 IEEE80211_FC0_SUBTYPE_MASK); 4291 gen_not(b2); 4292 gen_and(b1, b2); 4293 gen_or(b0, b2); 4294 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4295 gen_and(b2, b1); 4296 return b1; 4297 4298 case Q_ADDR3: 4299 /* 4300 * Not present in control frames. 4301 */ 4302 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4303 IEEE80211_FC0_TYPE_MASK); 4304 gen_not(b0); 4305 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 4306 gen_and(b0, b1); 4307 return b1; 4308 4309 case Q_ADDR4: 4310 /* 4311 * Present only if the direction mask has both "From DS" 4312 * and "To DS" set. Neither control frames nor management 4313 * frames should have both of those set, so we don't 4314 * check the frame type. 4315 */ 4316 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, 4317 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4318 b1 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr); 4319 gen_and(b0, b1); 4320 return b1; 4321 4322 case Q_AND: 4323 b0 = gen_wlanhostop(eaddr, Q_SRC); 4324 b1 = gen_wlanhostop(eaddr, Q_DST); 4325 gen_and(b0, b1); 4326 return b1; 4327 4328 case Q_DEFAULT: 4329 case Q_OR: 4330 b0 = gen_wlanhostop(eaddr, Q_SRC); 4331 b1 = gen_wlanhostop(eaddr, Q_DST); 4332 gen_or(b0, b1); 4333 return b1; 4334 } 4335 abort(); 4336 /* NOTREACHED */ 4337 } 4338 4339 /* 4340 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4341 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4342 * as the RFC states.) 4343 */ 4344 static struct block * 4345 gen_ipfchostop(eaddr, dir) 4346 register const u_char *eaddr; 4347 register int dir; 4348 { 4349 register struct block *b0, *b1; 4350 4351 switch (dir) { 4352 case Q_SRC: 4353 return gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4354 4355 case Q_DST: 4356 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr); 4357 4358 case Q_AND: 4359 b0 = gen_ipfchostop(eaddr, Q_SRC); 4360 b1 = gen_ipfchostop(eaddr, Q_DST); 4361 gen_and(b0, b1); 4362 return b1; 4363 4364 case Q_DEFAULT: 4365 case Q_OR: 4366 b0 = gen_ipfchostop(eaddr, Q_SRC); 4367 b1 = gen_ipfchostop(eaddr, Q_DST); 4368 gen_or(b0, b1); 4369 return b1; 4370 4371 case Q_ADDR1: 4372 bpf_error("'addr1' is only supported on 802.11"); 4373 break; 4374 4375 case Q_ADDR2: 4376 bpf_error("'addr2' is only supported on 802.11"); 4377 break; 4378 4379 case Q_ADDR3: 4380 bpf_error("'addr3' is only supported on 802.11"); 4381 break; 4382 4383 case Q_ADDR4: 4384 bpf_error("'addr4' is only supported on 802.11"); 4385 break; 4386 4387 case Q_RA: 4388 bpf_error("'ra' is only supported on 802.11"); 4389 break; 4390 4391 case Q_TA: 4392 bpf_error("'ta' is only supported on 802.11"); 4393 break; 4394 } 4395 abort(); 4396 /* NOTREACHED */ 4397 } 4398 4399 /* 4400 * This is quite tricky because there may be pad bytes in front of the 4401 * DECNET header, and then there are two possible data packet formats that 4402 * carry both src and dst addresses, plus 5 packet types in a format that 4403 * carries only the src node, plus 2 types that use a different format and 4404 * also carry just the src node. 4405 * 4406 * Yuck. 4407 * 4408 * Instead of doing those all right, we just look for data packets with 4409 * 0 or 1 bytes of padding. If you want to look at other packets, that 4410 * will require a lot more hacking. 4411 * 4412 * To add support for filtering on DECNET "areas" (network numbers) 4413 * one would want to add a "mask" argument to this routine. That would 4414 * make the filter even more inefficient, although one could be clever 4415 * and not generate masking instructions if the mask is 0xFFFF. 4416 */ 4417 static struct block * 4418 gen_dnhostop(addr, dir) 4419 bpf_u_int32 addr; 4420 int dir; 4421 { 4422 struct block *b0, *b1, *b2, *tmp; 4423 u_int offset_lh; /* offset if long header is received */ 4424 u_int offset_sh; /* offset if short header is received */ 4425 4426 switch (dir) { 4427 4428 case Q_DST: 4429 offset_sh = 1; /* follows flags */ 4430 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4431 break; 4432 4433 case Q_SRC: 4434 offset_sh = 3; /* follows flags, dstnode */ 4435 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4436 break; 4437 4438 case Q_AND: 4439 /* Inefficient because we do our Calvinball dance twice */ 4440 b0 = gen_dnhostop(addr, Q_SRC); 4441 b1 = gen_dnhostop(addr, Q_DST); 4442 gen_and(b0, b1); 4443 return b1; 4444 4445 case Q_OR: 4446 case Q_DEFAULT: 4447 /* Inefficient because we do our Calvinball dance twice */ 4448 b0 = gen_dnhostop(addr, Q_SRC); 4449 b1 = gen_dnhostop(addr, Q_DST); 4450 gen_or(b0, b1); 4451 return b1; 4452 4453 case Q_ISO: 4454 bpf_error("ISO host filtering not implemented"); 4455 4456 default: 4457 abort(); 4458 } 4459 b0 = gen_linktype(ETHERTYPE_DN); 4460 /* Check for pad = 1, long header case */ 4461 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H, 4462 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4463 b1 = gen_cmp(OR_LINKPL, 2 + 1 + offset_lh, 4464 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4465 gen_and(tmp, b1); 4466 /* Check for pad = 0, long header case */ 4467 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4468 b2 = gen_cmp(OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4469 gen_and(tmp, b2); 4470 gen_or(b2, b1); 4471 /* Check for pad = 1, short header case */ 4472 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H, 4473 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4474 b2 = gen_cmp(OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4475 gen_and(tmp, b2); 4476 gen_or(b2, b1); 4477 /* Check for pad = 0, short header case */ 4478 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4479 b2 = gen_cmp(OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4480 gen_and(tmp, b2); 4481 gen_or(b2, b1); 4482 4483 /* Combine with test for linktype */ 4484 gen_and(b0, b1); 4485 return b1; 4486 } 4487 4488 /* 4489 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4490 * test the bottom-of-stack bit, and then check the version number 4491 * field in the IP header. 4492 */ 4493 static struct block * 4494 gen_mpls_linktype(proto) 4495 int proto; 4496 { 4497 struct block *b0, *b1; 4498 4499 switch (proto) { 4500 4501 case Q_IP: 4502 /* match the bottom-of-stack bit */ 4503 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4504 /* match the IPv4 version number */ 4505 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4506 gen_and(b0, b1); 4507 return b1; 4508 4509 case Q_IPV6: 4510 /* match the bottom-of-stack bit */ 4511 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4512 /* match the IPv4 version number */ 4513 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4514 gen_and(b0, b1); 4515 return b1; 4516 4517 default: 4518 abort(); 4519 } 4520 } 4521 4522 static struct block * 4523 gen_host(addr, mask, proto, dir, type) 4524 bpf_u_int32 addr; 4525 bpf_u_int32 mask; 4526 int proto; 4527 int dir; 4528 int type; 4529 { 4530 struct block *b0, *b1; 4531 const char *typestr; 4532 4533 if (type == Q_NET) 4534 typestr = "net"; 4535 else 4536 typestr = "host"; 4537 4538 switch (proto) { 4539 4540 case Q_DEFAULT: 4541 b0 = gen_host(addr, mask, Q_IP, dir, type); 4542 /* 4543 * Only check for non-IPv4 addresses if we're not 4544 * checking MPLS-encapsulated packets. 4545 */ 4546 if (label_stack_depth == 0) { 4547 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4548 gen_or(b0, b1); 4549 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4550 gen_or(b1, b0); 4551 } 4552 return b0; 4553 4554 case Q_IP: 4555 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4556 4557 case Q_RARP: 4558 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4559 4560 case Q_ARP: 4561 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4562 4563 case Q_TCP: 4564 bpf_error("'tcp' modifier applied to %s", typestr); 4565 4566 case Q_SCTP: 4567 bpf_error("'sctp' modifier applied to %s", typestr); 4568 4569 case Q_UDP: 4570 bpf_error("'udp' modifier applied to %s", typestr); 4571 4572 case Q_ICMP: 4573 bpf_error("'icmp' modifier applied to %s", typestr); 4574 4575 case Q_IGMP: 4576 bpf_error("'igmp' modifier applied to %s", typestr); 4577 4578 case Q_IGRP: 4579 bpf_error("'igrp' modifier applied to %s", typestr); 4580 4581 case Q_PIM: 4582 bpf_error("'pim' modifier applied to %s", typestr); 4583 4584 case Q_VRRP: 4585 bpf_error("'vrrp' modifier applied to %s", typestr); 4586 4587 case Q_CARP: 4588 bpf_error("'carp' modifier applied to %s", typestr); 4589 4590 case Q_ATALK: 4591 bpf_error("ATALK host filtering not implemented"); 4592 4593 case Q_AARP: 4594 bpf_error("AARP host filtering not implemented"); 4595 4596 case Q_DECNET: 4597 return gen_dnhostop(addr, dir); 4598 4599 case Q_SCA: 4600 bpf_error("SCA host filtering not implemented"); 4601 4602 case Q_LAT: 4603 bpf_error("LAT host filtering not implemented"); 4604 4605 case Q_MOPDL: 4606 bpf_error("MOPDL host filtering not implemented"); 4607 4608 case Q_MOPRC: 4609 bpf_error("MOPRC host filtering not implemented"); 4610 4611 case Q_IPV6: 4612 bpf_error("'ip6' modifier applied to ip host"); 4613 4614 case Q_ICMPV6: 4615 bpf_error("'icmp6' modifier applied to %s", typestr); 4616 4617 case Q_AH: 4618 bpf_error("'ah' modifier applied to %s", typestr); 4619 4620 case Q_ESP: 4621 bpf_error("'esp' modifier applied to %s", typestr); 4622 4623 case Q_ISO: 4624 bpf_error("ISO host filtering not implemented"); 4625 4626 case Q_ESIS: 4627 bpf_error("'esis' modifier applied to %s", typestr); 4628 4629 case Q_ISIS: 4630 bpf_error("'isis' modifier applied to %s", typestr); 4631 4632 case Q_CLNP: 4633 bpf_error("'clnp' modifier applied to %s", typestr); 4634 4635 case Q_STP: 4636 bpf_error("'stp' modifier applied to %s", typestr); 4637 4638 case Q_IPX: 4639 bpf_error("IPX host filtering not implemented"); 4640 4641 case Q_NETBEUI: 4642 bpf_error("'netbeui' modifier applied to %s", typestr); 4643 4644 case Q_RADIO: 4645 bpf_error("'radio' modifier applied to %s", typestr); 4646 4647 default: 4648 abort(); 4649 } 4650 /* NOTREACHED */ 4651 } 4652 4653 #ifdef INET6 4654 static struct block * 4655 gen_host6(addr, mask, proto, dir, type) 4656 struct in6_addr *addr; 4657 struct in6_addr *mask; 4658 int proto; 4659 int dir; 4660 int type; 4661 { 4662 const char *typestr; 4663 4664 if (type == Q_NET) 4665 typestr = "net"; 4666 else 4667 typestr = "host"; 4668 4669 switch (proto) { 4670 4671 case Q_DEFAULT: 4672 return gen_host6(addr, mask, Q_IPV6, dir, type); 4673 4674 case Q_LINK: 4675 bpf_error("link-layer modifier applied to ip6 %s", typestr); 4676 4677 case Q_IP: 4678 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4679 4680 case Q_RARP: 4681 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4682 4683 case Q_ARP: 4684 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4685 4686 case Q_SCTP: 4687 bpf_error("'sctp' modifier applied to %s", typestr); 4688 4689 case Q_TCP: 4690 bpf_error("'tcp' modifier applied to %s", typestr); 4691 4692 case Q_UDP: 4693 bpf_error("'udp' modifier applied to %s", typestr); 4694 4695 case Q_ICMP: 4696 bpf_error("'icmp' modifier applied to %s", typestr); 4697 4698 case Q_IGMP: 4699 bpf_error("'igmp' modifier applied to %s", typestr); 4700 4701 case Q_IGRP: 4702 bpf_error("'igrp' modifier applied to %s", typestr); 4703 4704 case Q_PIM: 4705 bpf_error("'pim' modifier applied to %s", typestr); 4706 4707 case Q_VRRP: 4708 bpf_error("'vrrp' modifier applied to %s", typestr); 4709 4710 case Q_CARP: 4711 bpf_error("'carp' modifier applied to %s", typestr); 4712 4713 case Q_ATALK: 4714 bpf_error("ATALK host filtering not implemented"); 4715 4716 case Q_AARP: 4717 bpf_error("AARP host filtering not implemented"); 4718 4719 case Q_DECNET: 4720 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4721 4722 case Q_SCA: 4723 bpf_error("SCA host filtering not implemented"); 4724 4725 case Q_LAT: 4726 bpf_error("LAT host filtering not implemented"); 4727 4728 case Q_MOPDL: 4729 bpf_error("MOPDL host filtering not implemented"); 4730 4731 case Q_MOPRC: 4732 bpf_error("MOPRC host filtering not implemented"); 4733 4734 case Q_IPV6: 4735 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4736 4737 case Q_ICMPV6: 4738 bpf_error("'icmp6' modifier applied to %s", typestr); 4739 4740 case Q_AH: 4741 bpf_error("'ah' modifier applied to %s", typestr); 4742 4743 case Q_ESP: 4744 bpf_error("'esp' modifier applied to %s", typestr); 4745 4746 case Q_ISO: 4747 bpf_error("ISO host filtering not implemented"); 4748 4749 case Q_ESIS: 4750 bpf_error("'esis' modifier applied to %s", typestr); 4751 4752 case Q_ISIS: 4753 bpf_error("'isis' modifier applied to %s", typestr); 4754 4755 case Q_CLNP: 4756 bpf_error("'clnp' modifier applied to %s", typestr); 4757 4758 case Q_STP: 4759 bpf_error("'stp' modifier applied to %s", typestr); 4760 4761 case Q_IPX: 4762 bpf_error("IPX host filtering not implemented"); 4763 4764 case Q_NETBEUI: 4765 bpf_error("'netbeui' modifier applied to %s", typestr); 4766 4767 case Q_RADIO: 4768 bpf_error("'radio' modifier applied to %s", typestr); 4769 4770 default: 4771 abort(); 4772 } 4773 /* NOTREACHED */ 4774 } 4775 #endif 4776 4777 #ifndef INET6 4778 static struct block * 4779 gen_gateway(eaddr, alist, proto, dir) 4780 const u_char *eaddr; 4781 bpf_u_int32 **alist; 4782 int proto; 4783 int dir; 4784 { 4785 struct block *b0, *b1, *tmp; 4786 4787 if (dir != 0) 4788 bpf_error("direction applied to 'gateway'"); 4789 4790 switch (proto) { 4791 case Q_DEFAULT: 4792 case Q_IP: 4793 case Q_ARP: 4794 case Q_RARP: 4795 switch (linktype) { 4796 case DLT_EN10MB: 4797 case DLT_NETANALYZER: 4798 case DLT_NETANALYZER_TRANSPARENT: 4799 b1 = gen_prevlinkhdr_check(); 4800 b0 = gen_ehostop(eaddr, Q_OR); 4801 if (b1 != NULL) 4802 gen_and(b1, b0); 4803 break; 4804 case DLT_FDDI: 4805 b0 = gen_fhostop(eaddr, Q_OR); 4806 break; 4807 case DLT_IEEE802: 4808 b0 = gen_thostop(eaddr, Q_OR); 4809 break; 4810 case DLT_IEEE802_11: 4811 case DLT_PRISM_HEADER: 4812 case DLT_IEEE802_11_RADIO_AVS: 4813 case DLT_IEEE802_11_RADIO: 4814 case DLT_PPI: 4815 b0 = gen_wlanhostop(eaddr, Q_OR); 4816 break; 4817 case DLT_SUNATM: 4818 /* 4819 * This is LLC-multiplexed traffic; if it were 4820 * LANE, linktype would have been set to 4821 * DLT_EN10MB. 4822 */ 4823 bpf_error( 4824 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4825 break; 4826 case DLT_IP_OVER_FC: 4827 b0 = gen_ipfchostop(eaddr, Q_OR); 4828 break; 4829 default: 4830 bpf_error( 4831 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4832 } 4833 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4834 while (*alist) { 4835 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4836 Q_HOST); 4837 gen_or(b1, tmp); 4838 b1 = tmp; 4839 } 4840 gen_not(b1); 4841 gen_and(b0, b1); 4842 return b1; 4843 } 4844 bpf_error("illegal modifier of 'gateway'"); 4845 /* NOTREACHED */ 4846 } 4847 #endif 4848 4849 struct block * 4850 gen_proto_abbrev(proto) 4851 int proto; 4852 { 4853 struct block *b0; 4854 struct block *b1; 4855 4856 switch (proto) { 4857 4858 case Q_SCTP: 4859 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4860 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4861 gen_or(b0, b1); 4862 break; 4863 4864 case Q_TCP: 4865 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4866 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4867 gen_or(b0, b1); 4868 break; 4869 4870 case Q_UDP: 4871 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4872 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4873 gen_or(b0, b1); 4874 break; 4875 4876 case Q_ICMP: 4877 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4878 break; 4879 4880 #ifndef IPPROTO_IGMP 4881 #define IPPROTO_IGMP 2 4882 #endif 4883 4884 case Q_IGMP: 4885 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4886 break; 4887 4888 #ifndef IPPROTO_IGRP 4889 #define IPPROTO_IGRP 9 4890 #endif 4891 case Q_IGRP: 4892 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4893 break; 4894 4895 #ifndef IPPROTO_PIM 4896 #define IPPROTO_PIM 103 4897 #endif 4898 4899 case Q_PIM: 4900 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4901 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4902 gen_or(b0, b1); 4903 break; 4904 4905 #ifndef IPPROTO_VRRP 4906 #define IPPROTO_VRRP 112 4907 #endif 4908 4909 case Q_VRRP: 4910 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4911 break; 4912 4913 #ifndef IPPROTO_CARP 4914 #define IPPROTO_CARP 112 4915 #endif 4916 4917 case Q_CARP: 4918 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4919 break; 4920 4921 case Q_IP: 4922 b1 = gen_linktype(ETHERTYPE_IP); 4923 break; 4924 4925 case Q_ARP: 4926 b1 = gen_linktype(ETHERTYPE_ARP); 4927 break; 4928 4929 case Q_RARP: 4930 b1 = gen_linktype(ETHERTYPE_REVARP); 4931 break; 4932 4933 case Q_LINK: 4934 bpf_error("link layer applied in wrong context"); 4935 4936 case Q_ATALK: 4937 b1 = gen_linktype(ETHERTYPE_ATALK); 4938 break; 4939 4940 case Q_AARP: 4941 b1 = gen_linktype(ETHERTYPE_AARP); 4942 break; 4943 4944 case Q_DECNET: 4945 b1 = gen_linktype(ETHERTYPE_DN); 4946 break; 4947 4948 case Q_SCA: 4949 b1 = gen_linktype(ETHERTYPE_SCA); 4950 break; 4951 4952 case Q_LAT: 4953 b1 = gen_linktype(ETHERTYPE_LAT); 4954 break; 4955 4956 case Q_MOPDL: 4957 b1 = gen_linktype(ETHERTYPE_MOPDL); 4958 break; 4959 4960 case Q_MOPRC: 4961 b1 = gen_linktype(ETHERTYPE_MOPRC); 4962 break; 4963 4964 case Q_IPV6: 4965 b1 = gen_linktype(ETHERTYPE_IPV6); 4966 break; 4967 4968 #ifndef IPPROTO_ICMPV6 4969 #define IPPROTO_ICMPV6 58 4970 #endif 4971 case Q_ICMPV6: 4972 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4973 break; 4974 4975 #ifndef IPPROTO_AH 4976 #define IPPROTO_AH 51 4977 #endif 4978 case Q_AH: 4979 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4980 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4981 gen_or(b0, b1); 4982 break; 4983 4984 #ifndef IPPROTO_ESP 4985 #define IPPROTO_ESP 50 4986 #endif 4987 case Q_ESP: 4988 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4989 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4990 gen_or(b0, b1); 4991 break; 4992 4993 case Q_ISO: 4994 b1 = gen_linktype(LLCSAP_ISONS); 4995 break; 4996 4997 case Q_ESIS: 4998 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4999 break; 5000 5001 case Q_ISIS: 5002 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5003 break; 5004 5005 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5006 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5007 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5008 gen_or(b0, b1); 5009 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5010 gen_or(b0, b1); 5011 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5012 gen_or(b0, b1); 5013 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5014 gen_or(b0, b1); 5015 break; 5016 5017 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5018 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5019 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5020 gen_or(b0, b1); 5021 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5022 gen_or(b0, b1); 5023 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5024 gen_or(b0, b1); 5025 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5026 gen_or(b0, b1); 5027 break; 5028 5029 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5030 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5031 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5032 gen_or(b0, b1); 5033 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5034 gen_or(b0, b1); 5035 break; 5036 5037 case Q_ISIS_LSP: 5038 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5039 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5040 gen_or(b0, b1); 5041 break; 5042 5043 case Q_ISIS_SNP: 5044 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5045 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5046 gen_or(b0, b1); 5047 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5048 gen_or(b0, b1); 5049 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5050 gen_or(b0, b1); 5051 break; 5052 5053 case Q_ISIS_CSNP: 5054 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5055 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5056 gen_or(b0, b1); 5057 break; 5058 5059 case Q_ISIS_PSNP: 5060 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5061 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5062 gen_or(b0, b1); 5063 break; 5064 5065 case Q_CLNP: 5066 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5067 break; 5068 5069 case Q_STP: 5070 b1 = gen_linktype(LLCSAP_8021D); 5071 break; 5072 5073 case Q_IPX: 5074 b1 = gen_linktype(LLCSAP_IPX); 5075 break; 5076 5077 case Q_NETBEUI: 5078 b1 = gen_linktype(LLCSAP_NETBEUI); 5079 break; 5080 5081 case Q_RADIO: 5082 bpf_error("'radio' is not a valid protocol type"); 5083 5084 default: 5085 abort(); 5086 } 5087 return b1; 5088 } 5089 5090 static struct block * 5091 gen_ipfrag() 5092 { 5093 struct slist *s; 5094 struct block *b; 5095 5096 /* not IPv4 frag other than the first frag */ 5097 s = gen_load_a(OR_LINKPL, 6, BPF_H); 5098 b = new_block(JMP(BPF_JSET)); 5099 b->s.k = 0x1fff; 5100 b->stmts = s; 5101 gen_not(b); 5102 5103 return b; 5104 } 5105 5106 /* 5107 * Generate a comparison to a port value in the transport-layer header 5108 * at the specified offset from the beginning of that header. 5109 * 5110 * XXX - this handles a variable-length prefix preceding the link-layer 5111 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5112 * variable-length link-layer headers (such as Token Ring or 802.11 5113 * headers). 5114 */ 5115 static struct block * 5116 gen_portatom(off, v) 5117 int off; 5118 bpf_int32 v; 5119 { 5120 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5121 } 5122 5123 static struct block * 5124 gen_portatom6(off, v) 5125 int off; 5126 bpf_int32 v; 5127 { 5128 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5129 } 5130 5131 struct block * 5132 gen_portop(port, proto, dir) 5133 int port, proto, dir; 5134 { 5135 struct block *b0, *b1, *tmp; 5136 5137 /* ip proto 'proto' and not a fragment other than the first fragment */ 5138 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5139 b0 = gen_ipfrag(); 5140 gen_and(tmp, b0); 5141 5142 switch (dir) { 5143 case Q_SRC: 5144 b1 = gen_portatom(0, (bpf_int32)port); 5145 break; 5146 5147 case Q_DST: 5148 b1 = gen_portatom(2, (bpf_int32)port); 5149 break; 5150 5151 case Q_OR: 5152 case Q_DEFAULT: 5153 tmp = gen_portatom(0, (bpf_int32)port); 5154 b1 = gen_portatom(2, (bpf_int32)port); 5155 gen_or(tmp, b1); 5156 break; 5157 5158 case Q_AND: 5159 tmp = gen_portatom(0, (bpf_int32)port); 5160 b1 = gen_portatom(2, (bpf_int32)port); 5161 gen_and(tmp, b1); 5162 break; 5163 5164 default: 5165 abort(); 5166 } 5167 gen_and(b0, b1); 5168 5169 return b1; 5170 } 5171 5172 static struct block * 5173 gen_port(port, ip_proto, dir) 5174 int port; 5175 int ip_proto; 5176 int dir; 5177 { 5178 struct block *b0, *b1, *tmp; 5179 5180 /* 5181 * ether proto ip 5182 * 5183 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5184 * not LLC encapsulation with LLCSAP_IP. 5185 * 5186 * For IEEE 802 networks - which includes 802.5 token ring 5187 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5188 * says that SNAP encapsulation is used, not LLC encapsulation 5189 * with LLCSAP_IP. 5190 * 5191 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5192 * RFC 2225 say that SNAP encapsulation is used, not LLC 5193 * encapsulation with LLCSAP_IP. 5194 * 5195 * So we always check for ETHERTYPE_IP. 5196 */ 5197 b0 = gen_linktype(ETHERTYPE_IP); 5198 5199 switch (ip_proto) { 5200 case IPPROTO_UDP: 5201 case IPPROTO_TCP: 5202 case IPPROTO_SCTP: 5203 b1 = gen_portop(port, ip_proto, dir); 5204 break; 5205 5206 case PROTO_UNDEF: 5207 tmp = gen_portop(port, IPPROTO_TCP, dir); 5208 b1 = gen_portop(port, IPPROTO_UDP, dir); 5209 gen_or(tmp, b1); 5210 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5211 gen_or(tmp, b1); 5212 break; 5213 5214 default: 5215 abort(); 5216 } 5217 gen_and(b0, b1); 5218 return b1; 5219 } 5220 5221 struct block * 5222 gen_portop6(port, proto, dir) 5223 int port, proto, dir; 5224 { 5225 struct block *b0, *b1, *tmp; 5226 5227 /* ip6 proto 'proto' */ 5228 /* XXX - catch the first fragment of a fragmented packet? */ 5229 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5230 5231 switch (dir) { 5232 case Q_SRC: 5233 b1 = gen_portatom6(0, (bpf_int32)port); 5234 break; 5235 5236 case Q_DST: 5237 b1 = gen_portatom6(2, (bpf_int32)port); 5238 break; 5239 5240 case Q_OR: 5241 case Q_DEFAULT: 5242 tmp = gen_portatom6(0, (bpf_int32)port); 5243 b1 = gen_portatom6(2, (bpf_int32)port); 5244 gen_or(tmp, b1); 5245 break; 5246 5247 case Q_AND: 5248 tmp = gen_portatom6(0, (bpf_int32)port); 5249 b1 = gen_portatom6(2, (bpf_int32)port); 5250 gen_and(tmp, b1); 5251 break; 5252 5253 default: 5254 abort(); 5255 } 5256 gen_and(b0, b1); 5257 5258 return b1; 5259 } 5260 5261 static struct block * 5262 gen_port6(port, ip_proto, dir) 5263 int port; 5264 int ip_proto; 5265 int dir; 5266 { 5267 struct block *b0, *b1, *tmp; 5268 5269 /* link proto ip6 */ 5270 b0 = gen_linktype(ETHERTYPE_IPV6); 5271 5272 switch (ip_proto) { 5273 case IPPROTO_UDP: 5274 case IPPROTO_TCP: 5275 case IPPROTO_SCTP: 5276 b1 = gen_portop6(port, ip_proto, dir); 5277 break; 5278 5279 case PROTO_UNDEF: 5280 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5281 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5282 gen_or(tmp, b1); 5283 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5284 gen_or(tmp, b1); 5285 break; 5286 5287 default: 5288 abort(); 5289 } 5290 gen_and(b0, b1); 5291 return b1; 5292 } 5293 5294 /* gen_portrange code */ 5295 static struct block * 5296 gen_portrangeatom(off, v1, v2) 5297 int off; 5298 bpf_int32 v1, v2; 5299 { 5300 struct block *b1, *b2; 5301 5302 if (v1 > v2) { 5303 /* 5304 * Reverse the order of the ports, so v1 is the lower one. 5305 */ 5306 bpf_int32 vtemp; 5307 5308 vtemp = v1; 5309 v1 = v2; 5310 v2 = vtemp; 5311 } 5312 5313 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5314 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5315 5316 gen_and(b1, b2); 5317 5318 return b2; 5319 } 5320 5321 struct block * 5322 gen_portrangeop(port1, port2, proto, dir) 5323 int port1, port2; 5324 int proto; 5325 int dir; 5326 { 5327 struct block *b0, *b1, *tmp; 5328 5329 /* ip proto 'proto' and not a fragment other than the first fragment */ 5330 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5331 b0 = gen_ipfrag(); 5332 gen_and(tmp, b0); 5333 5334 switch (dir) { 5335 case Q_SRC: 5336 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5337 break; 5338 5339 case Q_DST: 5340 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5341 break; 5342 5343 case Q_OR: 5344 case Q_DEFAULT: 5345 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5346 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5347 gen_or(tmp, b1); 5348 break; 5349 5350 case Q_AND: 5351 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5352 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5353 gen_and(tmp, b1); 5354 break; 5355 5356 default: 5357 abort(); 5358 } 5359 gen_and(b0, b1); 5360 5361 return b1; 5362 } 5363 5364 static struct block * 5365 gen_portrange(port1, port2, ip_proto, dir) 5366 int port1, port2; 5367 int ip_proto; 5368 int dir; 5369 { 5370 struct block *b0, *b1, *tmp; 5371 5372 /* link proto ip */ 5373 b0 = gen_linktype(ETHERTYPE_IP); 5374 5375 switch (ip_proto) { 5376 case IPPROTO_UDP: 5377 case IPPROTO_TCP: 5378 case IPPROTO_SCTP: 5379 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5380 break; 5381 5382 case PROTO_UNDEF: 5383 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5384 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5385 gen_or(tmp, b1); 5386 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5387 gen_or(tmp, b1); 5388 break; 5389 5390 default: 5391 abort(); 5392 } 5393 gen_and(b0, b1); 5394 return b1; 5395 } 5396 5397 static struct block * 5398 gen_portrangeatom6(off, v1, v2) 5399 int off; 5400 bpf_int32 v1, v2; 5401 { 5402 struct block *b1, *b2; 5403 5404 if (v1 > v2) { 5405 /* 5406 * Reverse the order of the ports, so v1 is the lower one. 5407 */ 5408 bpf_int32 vtemp; 5409 5410 vtemp = v1; 5411 v1 = v2; 5412 v2 = vtemp; 5413 } 5414 5415 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5416 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5417 5418 gen_and(b1, b2); 5419 5420 return b2; 5421 } 5422 5423 struct block * 5424 gen_portrangeop6(port1, port2, proto, dir) 5425 int port1, port2; 5426 int proto; 5427 int dir; 5428 { 5429 struct block *b0, *b1, *tmp; 5430 5431 /* ip6 proto 'proto' */ 5432 /* XXX - catch the first fragment of a fragmented packet? */ 5433 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5434 5435 switch (dir) { 5436 case Q_SRC: 5437 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5438 break; 5439 5440 case Q_DST: 5441 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5442 break; 5443 5444 case Q_OR: 5445 case Q_DEFAULT: 5446 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5447 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5448 gen_or(tmp, b1); 5449 break; 5450 5451 case Q_AND: 5452 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5453 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5454 gen_and(tmp, b1); 5455 break; 5456 5457 default: 5458 abort(); 5459 } 5460 gen_and(b0, b1); 5461 5462 return b1; 5463 } 5464 5465 static struct block * 5466 gen_portrange6(port1, port2, ip_proto, dir) 5467 int port1, port2; 5468 int ip_proto; 5469 int dir; 5470 { 5471 struct block *b0, *b1, *tmp; 5472 5473 /* link proto ip6 */ 5474 b0 = gen_linktype(ETHERTYPE_IPV6); 5475 5476 switch (ip_proto) { 5477 case IPPROTO_UDP: 5478 case IPPROTO_TCP: 5479 case IPPROTO_SCTP: 5480 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5481 break; 5482 5483 case PROTO_UNDEF: 5484 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5485 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5486 gen_or(tmp, b1); 5487 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5488 gen_or(tmp, b1); 5489 break; 5490 5491 default: 5492 abort(); 5493 } 5494 gen_and(b0, b1); 5495 return b1; 5496 } 5497 5498 static int 5499 lookup_proto(name, proto) 5500 register const char *name; 5501 register int proto; 5502 { 5503 register int v; 5504 5505 switch (proto) { 5506 5507 case Q_DEFAULT: 5508 case Q_IP: 5509 case Q_IPV6: 5510 v = pcap_nametoproto(name); 5511 if (v == PROTO_UNDEF) 5512 bpf_error("unknown ip proto '%s'", name); 5513 break; 5514 5515 case Q_LINK: 5516 /* XXX should look up h/w protocol type based on linktype */ 5517 v = pcap_nametoeproto(name); 5518 if (v == PROTO_UNDEF) { 5519 v = pcap_nametollc(name); 5520 if (v == PROTO_UNDEF) 5521 bpf_error("unknown ether proto '%s'", name); 5522 } 5523 break; 5524 5525 case Q_ISO: 5526 if (strcmp(name, "esis") == 0) 5527 v = ISO9542_ESIS; 5528 else if (strcmp(name, "isis") == 0) 5529 v = ISO10589_ISIS; 5530 else if (strcmp(name, "clnp") == 0) 5531 v = ISO8473_CLNP; 5532 else 5533 bpf_error("unknown osi proto '%s'", name); 5534 break; 5535 5536 default: 5537 v = PROTO_UNDEF; 5538 break; 5539 } 5540 return v; 5541 } 5542 5543 #if 0 5544 struct stmt * 5545 gen_joinsp(s, n) 5546 struct stmt **s; 5547 int n; 5548 { 5549 return NULL; 5550 } 5551 #endif 5552 5553 static struct block * 5554 gen_protochain(v, proto, dir) 5555 int v; 5556 int proto; 5557 int dir; 5558 { 5559 #ifdef NO_PROTOCHAIN 5560 return gen_proto(v, proto, dir); 5561 #else 5562 struct block *b0, *b; 5563 struct slist *s[100]; 5564 int fix2, fix3, fix4, fix5; 5565 int ahcheck, again, end; 5566 int i, max; 5567 int reg2 = alloc_reg(); 5568 5569 memset(s, 0, sizeof(s)); 5570 fix2 = fix3 = fix4 = fix5 = 0; 5571 5572 switch (proto) { 5573 case Q_IP: 5574 case Q_IPV6: 5575 break; 5576 case Q_DEFAULT: 5577 b0 = gen_protochain(v, Q_IP, dir); 5578 b = gen_protochain(v, Q_IPV6, dir); 5579 gen_or(b0, b); 5580 return b; 5581 default: 5582 bpf_error("bad protocol applied for 'protochain'"); 5583 /*NOTREACHED*/ 5584 } 5585 5586 /* 5587 * We don't handle variable-length prefixes before the link-layer 5588 * header, or variable-length link-layer headers, here yet. 5589 * We might want to add BPF instructions to do the protochain 5590 * work, to simplify that and, on platforms that have a BPF 5591 * interpreter with the new instructions, let the filtering 5592 * be done in the kernel. (We already require a modified BPF 5593 * engine to do the protochain stuff, to support backward 5594 * branches, and backward branch support is unlikely to appear 5595 * in kernel BPF engines.) 5596 */ 5597 if (off_linkpl.is_variable) 5598 bpf_error("'protochain' not supported with variable length headers"); 5599 5600 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5601 5602 /* 5603 * s[0] is a dummy entry to protect other BPF insn from damage 5604 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5605 * hard to find interdependency made by jump table fixup. 5606 */ 5607 i = 0; 5608 s[i] = new_stmt(0); /*dummy*/ 5609 i++; 5610 5611 switch (proto) { 5612 case Q_IP: 5613 b0 = gen_linktype(ETHERTYPE_IP); 5614 5615 /* A = ip->ip_p */ 5616 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5617 s[i]->s.k = off_linkpl.constant_part + off_nl + 9; 5618 i++; 5619 /* X = ip->ip_hl << 2 */ 5620 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5621 s[i]->s.k = off_linkpl.constant_part + off_nl; 5622 i++; 5623 break; 5624 5625 case Q_IPV6: 5626 b0 = gen_linktype(ETHERTYPE_IPV6); 5627 5628 /* A = ip6->ip_nxt */ 5629 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5630 s[i]->s.k = off_linkpl.constant_part + off_nl + 6; 5631 i++; 5632 /* X = sizeof(struct ip6_hdr) */ 5633 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5634 s[i]->s.k = 40; 5635 i++; 5636 break; 5637 5638 default: 5639 bpf_error("unsupported proto to gen_protochain"); 5640 /*NOTREACHED*/ 5641 } 5642 5643 /* again: if (A == v) goto end; else fall through; */ 5644 again = i; 5645 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5646 s[i]->s.k = v; 5647 s[i]->s.jt = NULL; /*later*/ 5648 s[i]->s.jf = NULL; /*update in next stmt*/ 5649 fix5 = i; 5650 i++; 5651 5652 #ifndef IPPROTO_NONE 5653 #define IPPROTO_NONE 59 5654 #endif 5655 /* if (A == IPPROTO_NONE) goto end */ 5656 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5657 s[i]->s.jt = NULL; /*later*/ 5658 s[i]->s.jf = NULL; /*update in next stmt*/ 5659 s[i]->s.k = IPPROTO_NONE; 5660 s[fix5]->s.jf = s[i]; 5661 fix2 = i; 5662 i++; 5663 5664 if (proto == Q_IPV6) { 5665 int v6start, v6end, v6advance, j; 5666 5667 v6start = i; 5668 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5669 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5670 s[i]->s.jt = NULL; /*later*/ 5671 s[i]->s.jf = NULL; /*update in next stmt*/ 5672 s[i]->s.k = IPPROTO_HOPOPTS; 5673 s[fix2]->s.jf = s[i]; 5674 i++; 5675 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5676 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5677 s[i]->s.jt = NULL; /*later*/ 5678 s[i]->s.jf = NULL; /*update in next stmt*/ 5679 s[i]->s.k = IPPROTO_DSTOPTS; 5680 i++; 5681 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5682 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5683 s[i]->s.jt = NULL; /*later*/ 5684 s[i]->s.jf = NULL; /*update in next stmt*/ 5685 s[i]->s.k = IPPROTO_ROUTING; 5686 i++; 5687 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5688 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5689 s[i]->s.jt = NULL; /*later*/ 5690 s[i]->s.jf = NULL; /*later*/ 5691 s[i]->s.k = IPPROTO_FRAGMENT; 5692 fix3 = i; 5693 v6end = i; 5694 i++; 5695 5696 /* v6advance: */ 5697 v6advance = i; 5698 5699 /* 5700 * in short, 5701 * A = P[X + packet head]; 5702 * X = X + (P[X + packet head + 1] + 1) * 8; 5703 */ 5704 /* A = P[X + packet head] */ 5705 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5706 s[i]->s.k = off_linkpl.constant_part + off_nl; 5707 i++; 5708 /* MEM[reg2] = A */ 5709 s[i] = new_stmt(BPF_ST); 5710 s[i]->s.k = reg2; 5711 i++; 5712 /* A = P[X + packet head + 1]; */ 5713 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5714 s[i]->s.k = off_linkpl.constant_part + off_nl + 1; 5715 i++; 5716 /* A += 1 */ 5717 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5718 s[i]->s.k = 1; 5719 i++; 5720 /* A *= 8 */ 5721 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5722 s[i]->s.k = 8; 5723 i++; 5724 /* A += X */ 5725 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5726 s[i]->s.k = 0; 5727 i++; 5728 /* X = A; */ 5729 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5730 i++; 5731 /* A = MEM[reg2] */ 5732 s[i] = new_stmt(BPF_LD|BPF_MEM); 5733 s[i]->s.k = reg2; 5734 i++; 5735 5736 /* goto again; (must use BPF_JA for backward jump) */ 5737 s[i] = new_stmt(BPF_JMP|BPF_JA); 5738 s[i]->s.k = again - i - 1; 5739 s[i - 1]->s.jf = s[i]; 5740 i++; 5741 5742 /* fixup */ 5743 for (j = v6start; j <= v6end; j++) 5744 s[j]->s.jt = s[v6advance]; 5745 } else { 5746 /* nop */ 5747 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5748 s[i]->s.k = 0; 5749 s[fix2]->s.jf = s[i]; 5750 i++; 5751 } 5752 5753 /* ahcheck: */ 5754 ahcheck = i; 5755 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5756 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5757 s[i]->s.jt = NULL; /*later*/ 5758 s[i]->s.jf = NULL; /*later*/ 5759 s[i]->s.k = IPPROTO_AH; 5760 if (fix3) 5761 s[fix3]->s.jf = s[ahcheck]; 5762 fix4 = i; 5763 i++; 5764 5765 /* 5766 * in short, 5767 * A = P[X]; 5768 * X = X + (P[X + 1] + 2) * 4; 5769 */ 5770 /* A = X */ 5771 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5772 i++; 5773 /* A = P[X + packet head]; */ 5774 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5775 s[i]->s.k = off_linkpl.constant_part + off_nl; 5776 i++; 5777 /* MEM[reg2] = A */ 5778 s[i] = new_stmt(BPF_ST); 5779 s[i]->s.k = reg2; 5780 i++; 5781 /* A = X */ 5782 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5783 i++; 5784 /* A += 1 */ 5785 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5786 s[i]->s.k = 1; 5787 i++; 5788 /* X = A */ 5789 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5790 i++; 5791 /* A = P[X + packet head] */ 5792 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5793 s[i]->s.k = off_linkpl.constant_part + off_nl; 5794 i++; 5795 /* A += 2 */ 5796 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5797 s[i]->s.k = 2; 5798 i++; 5799 /* A *= 4 */ 5800 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5801 s[i]->s.k = 4; 5802 i++; 5803 /* X = A; */ 5804 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5805 i++; 5806 /* A = MEM[reg2] */ 5807 s[i] = new_stmt(BPF_LD|BPF_MEM); 5808 s[i]->s.k = reg2; 5809 i++; 5810 5811 /* goto again; (must use BPF_JA for backward jump) */ 5812 s[i] = new_stmt(BPF_JMP|BPF_JA); 5813 s[i]->s.k = again - i - 1; 5814 i++; 5815 5816 /* end: nop */ 5817 end = i; 5818 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5819 s[i]->s.k = 0; 5820 s[fix2]->s.jt = s[end]; 5821 s[fix4]->s.jf = s[end]; 5822 s[fix5]->s.jt = s[end]; 5823 i++; 5824 5825 /* 5826 * make slist chain 5827 */ 5828 max = i; 5829 for (i = 0; i < max - 1; i++) 5830 s[i]->next = s[i + 1]; 5831 s[max - 1]->next = NULL; 5832 5833 /* 5834 * emit final check 5835 */ 5836 b = new_block(JMP(BPF_JEQ)); 5837 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5838 b->s.k = v; 5839 5840 free_reg(reg2); 5841 5842 gen_and(b0, b); 5843 return b; 5844 #endif 5845 } 5846 5847 static struct block * 5848 gen_check_802_11_data_frame() 5849 { 5850 struct slist *s; 5851 struct block *b0, *b1; 5852 5853 /* 5854 * A data frame has the 0x08 bit (b3) in the frame control field set 5855 * and the 0x04 bit (b2) clear. 5856 */ 5857 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 5858 b0 = new_block(JMP(BPF_JSET)); 5859 b0->s.k = 0x08; 5860 b0->stmts = s; 5861 5862 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 5863 b1 = new_block(JMP(BPF_JSET)); 5864 b1->s.k = 0x04; 5865 b1->stmts = s; 5866 gen_not(b1); 5867 5868 gen_and(b1, b0); 5869 5870 return b0; 5871 } 5872 5873 /* 5874 * Generate code that checks whether the packet is a packet for protocol 5875 * <proto> and whether the type field in that protocol's header has 5876 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5877 * IP packet and checks the protocol number in the IP header against <v>. 5878 * 5879 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5880 * against Q_IP and Q_IPV6. 5881 */ 5882 static struct block * 5883 gen_proto(v, proto, dir) 5884 int v; 5885 int proto; 5886 int dir; 5887 { 5888 struct block *b0, *b1; 5889 #ifndef CHASE_CHAIN 5890 struct block *b2; 5891 #endif 5892 5893 if (dir != Q_DEFAULT) 5894 bpf_error("direction applied to 'proto'"); 5895 5896 switch (proto) { 5897 case Q_DEFAULT: 5898 b0 = gen_proto(v, Q_IP, dir); 5899 b1 = gen_proto(v, Q_IPV6, dir); 5900 gen_or(b0, b1); 5901 return b1; 5902 5903 case Q_IP: 5904 /* 5905 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5906 * not LLC encapsulation with LLCSAP_IP. 5907 * 5908 * For IEEE 802 networks - which includes 802.5 token ring 5909 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5910 * says that SNAP encapsulation is used, not LLC encapsulation 5911 * with LLCSAP_IP. 5912 * 5913 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5914 * RFC 2225 say that SNAP encapsulation is used, not LLC 5915 * encapsulation with LLCSAP_IP. 5916 * 5917 * So we always check for ETHERTYPE_IP. 5918 */ 5919 b0 = gen_linktype(ETHERTYPE_IP); 5920 #ifndef CHASE_CHAIN 5921 b1 = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)v); 5922 #else 5923 b1 = gen_protochain(v, Q_IP); 5924 #endif 5925 gen_and(b0, b1); 5926 return b1; 5927 5928 case Q_ISO: 5929 switch (linktype) { 5930 5931 case DLT_FRELAY: 5932 /* 5933 * Frame Relay packets typically have an OSI 5934 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5935 * generates code to check for all the OSI 5936 * NLPIDs, so calling it and then adding a check 5937 * for the particular NLPID for which we're 5938 * looking is bogus, as we can just check for 5939 * the NLPID. 5940 * 5941 * What we check for is the NLPID and a frame 5942 * control field value of UI, i.e. 0x03 followed 5943 * by the NLPID. 5944 * 5945 * XXX - assumes a 2-byte Frame Relay header with 5946 * DLCI and flags. What if the address is longer? 5947 * 5948 * XXX - what about SNAP-encapsulated frames? 5949 */ 5950 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 5951 /*NOTREACHED*/ 5952 break; 5953 5954 case DLT_C_HDLC: 5955 /* 5956 * Cisco uses an Ethertype lookalike - for OSI, 5957 * it's 0xfefe. 5958 */ 5959 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5960 /* OSI in C-HDLC is stuffed with a fudge byte */ 5961 b1 = gen_cmp(OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 5962 gen_and(b0, b1); 5963 return b1; 5964 5965 default: 5966 b0 = gen_linktype(LLCSAP_ISONS); 5967 b1 = gen_cmp(OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 5968 gen_and(b0, b1); 5969 return b1; 5970 } 5971 5972 case Q_ISIS: 5973 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5974 /* 5975 * 4 is the offset of the PDU type relative to the IS-IS 5976 * header. 5977 */ 5978 b1 = gen_cmp(OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 5979 gen_and(b0, b1); 5980 return b1; 5981 5982 case Q_ARP: 5983 bpf_error("arp does not encapsulate another protocol"); 5984 /* NOTREACHED */ 5985 5986 case Q_RARP: 5987 bpf_error("rarp does not encapsulate another protocol"); 5988 /* NOTREACHED */ 5989 5990 case Q_ATALK: 5991 bpf_error("atalk encapsulation is not specifiable"); 5992 /* NOTREACHED */ 5993 5994 case Q_DECNET: 5995 bpf_error("decnet encapsulation is not specifiable"); 5996 /* NOTREACHED */ 5997 5998 case Q_SCA: 5999 bpf_error("sca does not encapsulate another protocol"); 6000 /* NOTREACHED */ 6001 6002 case Q_LAT: 6003 bpf_error("lat does not encapsulate another protocol"); 6004 /* NOTREACHED */ 6005 6006 case Q_MOPRC: 6007 bpf_error("moprc does not encapsulate another protocol"); 6008 /* NOTREACHED */ 6009 6010 case Q_MOPDL: 6011 bpf_error("mopdl does not encapsulate another protocol"); 6012 /* NOTREACHED */ 6013 6014 case Q_LINK: 6015 return gen_linktype(v); 6016 6017 case Q_UDP: 6018 bpf_error("'udp proto' is bogus"); 6019 /* NOTREACHED */ 6020 6021 case Q_TCP: 6022 bpf_error("'tcp proto' is bogus"); 6023 /* NOTREACHED */ 6024 6025 case Q_SCTP: 6026 bpf_error("'sctp proto' is bogus"); 6027 /* NOTREACHED */ 6028 6029 case Q_ICMP: 6030 bpf_error("'icmp proto' is bogus"); 6031 /* NOTREACHED */ 6032 6033 case Q_IGMP: 6034 bpf_error("'igmp proto' is bogus"); 6035 /* NOTREACHED */ 6036 6037 case Q_IGRP: 6038 bpf_error("'igrp proto' is bogus"); 6039 /* NOTREACHED */ 6040 6041 case Q_PIM: 6042 bpf_error("'pim proto' is bogus"); 6043 /* NOTREACHED */ 6044 6045 case Q_VRRP: 6046 bpf_error("'vrrp proto' is bogus"); 6047 /* NOTREACHED */ 6048 6049 case Q_CARP: 6050 bpf_error("'carp proto' is bogus"); 6051 /* NOTREACHED */ 6052 6053 case Q_IPV6: 6054 b0 = gen_linktype(ETHERTYPE_IPV6); 6055 #ifndef CHASE_CHAIN 6056 /* 6057 * Also check for a fragment header before the final 6058 * header. 6059 */ 6060 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6061 b1 = gen_cmp(OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6062 gen_and(b2, b1); 6063 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6064 gen_or(b2, b1); 6065 #else 6066 b1 = gen_protochain(v, Q_IPV6); 6067 #endif 6068 gen_and(b0, b1); 6069 return b1; 6070 6071 case Q_ICMPV6: 6072 bpf_error("'icmp6 proto' is bogus"); 6073 6074 case Q_AH: 6075 bpf_error("'ah proto' is bogus"); 6076 6077 case Q_ESP: 6078 bpf_error("'ah proto' is bogus"); 6079 6080 case Q_STP: 6081 bpf_error("'stp proto' is bogus"); 6082 6083 case Q_IPX: 6084 bpf_error("'ipx proto' is bogus"); 6085 6086 case Q_NETBEUI: 6087 bpf_error("'netbeui proto' is bogus"); 6088 6089 case Q_RADIO: 6090 bpf_error("'radio proto' is bogus"); 6091 6092 default: 6093 abort(); 6094 /* NOTREACHED */ 6095 } 6096 /* NOTREACHED */ 6097 } 6098 6099 struct block * 6100 gen_scode(name, q) 6101 register const char *name; 6102 struct qual q; 6103 { 6104 int proto = q.proto; 6105 int dir = q.dir; 6106 int tproto; 6107 u_char *eaddr; 6108 bpf_u_int32 mask, addr; 6109 #ifndef INET6 6110 bpf_u_int32 **alist; 6111 #else 6112 int tproto6; 6113 struct sockaddr_in *sin4; 6114 struct sockaddr_in6 *sin6; 6115 struct addrinfo *res, *res0; 6116 struct in6_addr mask128; 6117 #endif /*INET6*/ 6118 struct block *b, *tmp; 6119 int port, real_proto; 6120 int port1, port2; 6121 6122 switch (q.addr) { 6123 6124 case Q_NET: 6125 addr = pcap_nametonetaddr(name); 6126 if (addr == 0) 6127 bpf_error("unknown network '%s'", name); 6128 /* Left justify network addr and calculate its network mask */ 6129 mask = 0xffffffff; 6130 while (addr && (addr & 0xff000000) == 0) { 6131 addr <<= 8; 6132 mask <<= 8; 6133 } 6134 return gen_host(addr, mask, proto, dir, q.addr); 6135 6136 case Q_DEFAULT: 6137 case Q_HOST: 6138 if (proto == Q_LINK) { 6139 switch (linktype) { 6140 6141 case DLT_EN10MB: 6142 case DLT_NETANALYZER: 6143 case DLT_NETANALYZER_TRANSPARENT: 6144 eaddr = pcap_ether_hostton(name); 6145 if (eaddr == NULL) 6146 bpf_error( 6147 "unknown ether host '%s'", name); 6148 tmp = gen_prevlinkhdr_check(); 6149 b = gen_ehostop(eaddr, dir); 6150 if (tmp != NULL) 6151 gen_and(tmp, b); 6152 free(eaddr); 6153 return b; 6154 6155 case DLT_FDDI: 6156 eaddr = pcap_ether_hostton(name); 6157 if (eaddr == NULL) 6158 bpf_error( 6159 "unknown FDDI host '%s'", name); 6160 b = gen_fhostop(eaddr, dir); 6161 free(eaddr); 6162 return b; 6163 6164 case DLT_IEEE802: 6165 eaddr = pcap_ether_hostton(name); 6166 if (eaddr == NULL) 6167 bpf_error( 6168 "unknown token ring host '%s'", name); 6169 b = gen_thostop(eaddr, dir); 6170 free(eaddr); 6171 return b; 6172 6173 case DLT_IEEE802_11: 6174 case DLT_PRISM_HEADER: 6175 case DLT_IEEE802_11_RADIO_AVS: 6176 case DLT_IEEE802_11_RADIO: 6177 case DLT_PPI: 6178 eaddr = pcap_ether_hostton(name); 6179 if (eaddr == NULL) 6180 bpf_error( 6181 "unknown 802.11 host '%s'", name); 6182 b = gen_wlanhostop(eaddr, dir); 6183 free(eaddr); 6184 return b; 6185 6186 case DLT_IP_OVER_FC: 6187 eaddr = pcap_ether_hostton(name); 6188 if (eaddr == NULL) 6189 bpf_error( 6190 "unknown Fibre Channel host '%s'", name); 6191 b = gen_ipfchostop(eaddr, dir); 6192 free(eaddr); 6193 return b; 6194 } 6195 6196 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6197 } else if (proto == Q_DECNET) { 6198 unsigned short dn_addr = __pcap_nametodnaddr(name); 6199 /* 6200 * I don't think DECNET hosts can be multihomed, so 6201 * there is no need to build up a list of addresses 6202 */ 6203 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6204 } else { 6205 #ifndef INET6 6206 alist = pcap_nametoaddr(name); 6207 if (alist == NULL || *alist == NULL) 6208 bpf_error("unknown host '%s'", name); 6209 tproto = proto; 6210 if (off_linktype.constant_part == (u_int)-1 && 6211 tproto == Q_DEFAULT) 6212 tproto = Q_IP; 6213 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6214 while (*alist) { 6215 tmp = gen_host(**alist++, 0xffffffff, 6216 tproto, dir, q.addr); 6217 gen_or(b, tmp); 6218 b = tmp; 6219 } 6220 return b; 6221 #else 6222 memset(&mask128, 0xff, sizeof(mask128)); 6223 res0 = res = pcap_nametoaddrinfo(name); 6224 if (res == NULL) 6225 bpf_error("unknown host '%s'", name); 6226 ai = res; 6227 b = tmp = NULL; 6228 tproto = tproto6 = proto; 6229 if (off_linktype.constant_part == (u_int)-1 && 6230 tproto == Q_DEFAULT) { 6231 tproto = Q_IP; 6232 tproto6 = Q_IPV6; 6233 } 6234 for (res = res0; res; res = res->ai_next) { 6235 switch (res->ai_family) { 6236 case AF_INET: 6237 if (tproto == Q_IPV6) 6238 continue; 6239 6240 sin4 = (struct sockaddr_in *) 6241 res->ai_addr; 6242 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6243 0xffffffff, tproto, dir, q.addr); 6244 break; 6245 case AF_INET6: 6246 if (tproto6 == Q_IP) 6247 continue; 6248 6249 sin6 = (struct sockaddr_in6 *) 6250 res->ai_addr; 6251 tmp = gen_host6(&sin6->sin6_addr, 6252 &mask128, tproto6, dir, q.addr); 6253 break; 6254 default: 6255 continue; 6256 } 6257 if (b) 6258 gen_or(b, tmp); 6259 b = tmp; 6260 } 6261 ai = NULL; 6262 freeaddrinfo(res0); 6263 if (b == NULL) { 6264 bpf_error("unknown host '%s'%s", name, 6265 (proto == Q_DEFAULT) 6266 ? "" 6267 : " for specified address family"); 6268 } 6269 return b; 6270 #endif /*INET6*/ 6271 } 6272 6273 case Q_PORT: 6274 if (proto != Q_DEFAULT && 6275 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6276 bpf_error("illegal qualifier of 'port'"); 6277 if (pcap_nametoport(name, &port, &real_proto) == 0) 6278 bpf_error("unknown port '%s'", name); 6279 if (proto == Q_UDP) { 6280 if (real_proto == IPPROTO_TCP) 6281 bpf_error("port '%s' is tcp", name); 6282 else if (real_proto == IPPROTO_SCTP) 6283 bpf_error("port '%s' is sctp", name); 6284 else 6285 /* override PROTO_UNDEF */ 6286 real_proto = IPPROTO_UDP; 6287 } 6288 if (proto == Q_TCP) { 6289 if (real_proto == IPPROTO_UDP) 6290 bpf_error("port '%s' is udp", name); 6291 6292 else if (real_proto == IPPROTO_SCTP) 6293 bpf_error("port '%s' is sctp", name); 6294 else 6295 /* override PROTO_UNDEF */ 6296 real_proto = IPPROTO_TCP; 6297 } 6298 if (proto == Q_SCTP) { 6299 if (real_proto == IPPROTO_UDP) 6300 bpf_error("port '%s' is udp", name); 6301 6302 else if (real_proto == IPPROTO_TCP) 6303 bpf_error("port '%s' is tcp", name); 6304 else 6305 /* override PROTO_UNDEF */ 6306 real_proto = IPPROTO_SCTP; 6307 } 6308 if (port < 0) 6309 bpf_error("illegal port number %d < 0", port); 6310 if (port > 65535) 6311 bpf_error("illegal port number %d > 65535", port); 6312 b = gen_port(port, real_proto, dir); 6313 gen_or(gen_port6(port, real_proto, dir), b); 6314 return b; 6315 6316 case Q_PORTRANGE: 6317 if (proto != Q_DEFAULT && 6318 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6319 bpf_error("illegal qualifier of 'portrange'"); 6320 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6321 bpf_error("unknown port in range '%s'", name); 6322 if (proto == Q_UDP) { 6323 if (real_proto == IPPROTO_TCP) 6324 bpf_error("port in range '%s' is tcp", name); 6325 else if (real_proto == IPPROTO_SCTP) 6326 bpf_error("port in range '%s' is sctp", name); 6327 else 6328 /* override PROTO_UNDEF */ 6329 real_proto = IPPROTO_UDP; 6330 } 6331 if (proto == Q_TCP) { 6332 if (real_proto == IPPROTO_UDP) 6333 bpf_error("port in range '%s' is udp", name); 6334 else if (real_proto == IPPROTO_SCTP) 6335 bpf_error("port in range '%s' is sctp", name); 6336 else 6337 /* override PROTO_UNDEF */ 6338 real_proto = IPPROTO_TCP; 6339 } 6340 if (proto == Q_SCTP) { 6341 if (real_proto == IPPROTO_UDP) 6342 bpf_error("port in range '%s' is udp", name); 6343 else if (real_proto == IPPROTO_TCP) 6344 bpf_error("port in range '%s' is tcp", name); 6345 else 6346 /* override PROTO_UNDEF */ 6347 real_proto = IPPROTO_SCTP; 6348 } 6349 if (port1 < 0) 6350 bpf_error("illegal port number %d < 0", port1); 6351 if (port1 > 65535) 6352 bpf_error("illegal port number %d > 65535", port1); 6353 if (port2 < 0) 6354 bpf_error("illegal port number %d < 0", port2); 6355 if (port2 > 65535) 6356 bpf_error("illegal port number %d > 65535", port2); 6357 6358 b = gen_portrange(port1, port2, real_proto, dir); 6359 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6360 return b; 6361 6362 case Q_GATEWAY: 6363 #ifndef INET6 6364 eaddr = pcap_ether_hostton(name); 6365 if (eaddr == NULL) 6366 bpf_error("unknown ether host: %s", name); 6367 6368 alist = pcap_nametoaddr(name); 6369 if (alist == NULL || *alist == NULL) 6370 bpf_error("unknown host '%s'", name); 6371 b = gen_gateway(eaddr, alist, proto, dir); 6372 free(eaddr); 6373 return b; 6374 #else 6375 bpf_error("'gateway' not supported in this configuration"); 6376 #endif /*INET6*/ 6377 6378 case Q_PROTO: 6379 real_proto = lookup_proto(name, proto); 6380 if (real_proto >= 0) 6381 return gen_proto(real_proto, proto, dir); 6382 else 6383 bpf_error("unknown protocol: %s", name); 6384 6385 case Q_PROTOCHAIN: 6386 real_proto = lookup_proto(name, proto); 6387 if (real_proto >= 0) 6388 return gen_protochain(real_proto, proto, dir); 6389 else 6390 bpf_error("unknown protocol: %s", name); 6391 6392 case Q_UNDEF: 6393 syntax(); 6394 /* NOTREACHED */ 6395 } 6396 abort(); 6397 /* NOTREACHED */ 6398 } 6399 6400 struct block * 6401 gen_mcode(s1, s2, masklen, q) 6402 register const char *s1, *s2; 6403 register unsigned int masklen; 6404 struct qual q; 6405 { 6406 register int nlen, mlen; 6407 bpf_u_int32 n, m; 6408 6409 nlen = __pcap_atoin(s1, &n); 6410 /* Promote short ipaddr */ 6411 n <<= 32 - nlen; 6412 6413 if (s2 != NULL) { 6414 mlen = __pcap_atoin(s2, &m); 6415 /* Promote short ipaddr */ 6416 m <<= 32 - mlen; 6417 if ((n & ~m) != 0) 6418 bpf_error("non-network bits set in \"%s mask %s\"", 6419 s1, s2); 6420 } else { 6421 /* Convert mask len to mask */ 6422 if (masklen > 32) 6423 bpf_error("mask length must be <= 32"); 6424 if (masklen == 0) { 6425 /* 6426 * X << 32 is not guaranteed by C to be 0; it's 6427 * undefined. 6428 */ 6429 m = 0; 6430 } else 6431 m = 0xffffffff << (32 - masklen); 6432 if ((n & ~m) != 0) 6433 bpf_error("non-network bits set in \"%s/%d\"", 6434 s1, masklen); 6435 } 6436 6437 switch (q.addr) { 6438 6439 case Q_NET: 6440 return gen_host(n, m, q.proto, q.dir, q.addr); 6441 6442 default: 6443 bpf_error("Mask syntax for networks only"); 6444 /* NOTREACHED */ 6445 } 6446 /* NOTREACHED */ 6447 return NULL; 6448 } 6449 6450 struct block * 6451 gen_ncode(s, v, q) 6452 register const char *s; 6453 bpf_u_int32 v; 6454 struct qual q; 6455 { 6456 bpf_u_int32 mask; 6457 int proto = q.proto; 6458 int dir = q.dir; 6459 register int vlen; 6460 6461 if (s == NULL) 6462 vlen = 32; 6463 else if (q.proto == Q_DECNET) 6464 vlen = __pcap_atodn(s, &v); 6465 else 6466 vlen = __pcap_atoin(s, &v); 6467 6468 switch (q.addr) { 6469 6470 case Q_DEFAULT: 6471 case Q_HOST: 6472 case Q_NET: 6473 if (proto == Q_DECNET) 6474 return gen_host(v, 0, proto, dir, q.addr); 6475 else if (proto == Q_LINK) { 6476 bpf_error("illegal link layer address"); 6477 } else { 6478 mask = 0xffffffff; 6479 if (s == NULL && q.addr == Q_NET) { 6480 /* Promote short net number */ 6481 while (v && (v & 0xff000000) == 0) { 6482 v <<= 8; 6483 mask <<= 8; 6484 } 6485 } else { 6486 /* Promote short ipaddr */ 6487 v <<= 32 - vlen; 6488 mask <<= 32 - vlen; 6489 } 6490 return gen_host(v, mask, proto, dir, q.addr); 6491 } 6492 6493 case Q_PORT: 6494 if (proto == Q_UDP) 6495 proto = IPPROTO_UDP; 6496 else if (proto == Q_TCP) 6497 proto = IPPROTO_TCP; 6498 else if (proto == Q_SCTP) 6499 proto = IPPROTO_SCTP; 6500 else if (proto == Q_DEFAULT) 6501 proto = PROTO_UNDEF; 6502 else 6503 bpf_error("illegal qualifier of 'port'"); 6504 6505 if (v > 65535) 6506 bpf_error("illegal port number %u > 65535", v); 6507 6508 { 6509 struct block *b; 6510 b = gen_port((int)v, proto, dir); 6511 gen_or(gen_port6((int)v, proto, dir), b); 6512 return b; 6513 } 6514 6515 case Q_PORTRANGE: 6516 if (proto == Q_UDP) 6517 proto = IPPROTO_UDP; 6518 else if (proto == Q_TCP) 6519 proto = IPPROTO_TCP; 6520 else if (proto == Q_SCTP) 6521 proto = IPPROTO_SCTP; 6522 else if (proto == Q_DEFAULT) 6523 proto = PROTO_UNDEF; 6524 else 6525 bpf_error("illegal qualifier of 'portrange'"); 6526 6527 if (v > 65535) 6528 bpf_error("illegal port number %u > 65535", v); 6529 6530 { 6531 struct block *b; 6532 b = gen_portrange((int)v, (int)v, proto, dir); 6533 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6534 return b; 6535 } 6536 6537 case Q_GATEWAY: 6538 bpf_error("'gateway' requires a name"); 6539 /* NOTREACHED */ 6540 6541 case Q_PROTO: 6542 return gen_proto((int)v, proto, dir); 6543 6544 case Q_PROTOCHAIN: 6545 return gen_protochain((int)v, proto, dir); 6546 6547 case Q_UNDEF: 6548 syntax(); 6549 /* NOTREACHED */ 6550 6551 default: 6552 abort(); 6553 /* NOTREACHED */ 6554 } 6555 /* NOTREACHED */ 6556 } 6557 6558 #ifdef INET6 6559 struct block * 6560 gen_mcode6(s1, s2, masklen, q) 6561 register const char *s1, *s2; 6562 register unsigned int masklen; 6563 struct qual q; 6564 { 6565 struct addrinfo *res; 6566 struct in6_addr *addr; 6567 struct in6_addr mask; 6568 struct block *b; 6569 u_int32_t *a, *m; 6570 6571 if (s2) 6572 bpf_error("no mask %s supported", s2); 6573 6574 res = pcap_nametoaddrinfo(s1); 6575 if (!res) 6576 bpf_error("invalid ip6 address %s", s1); 6577 ai = res; 6578 if (res->ai_next) 6579 bpf_error("%s resolved to multiple address", s1); 6580 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6581 6582 if ((int)sizeof(mask) * 8 < masklen) 6583 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6584 memset(&mask, 0, sizeof(mask)); 6585 memset(&mask, 0xff, masklen / 8); 6586 if (masklen % 8) { 6587 mask.s6_addr[masklen / 8] = 6588 (0xff << (8 - masklen % 8)) & 0xff; 6589 } 6590 6591 a = (u_int32_t *)addr; 6592 m = (u_int32_t *)&mask; 6593 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6594 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6595 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6596 } 6597 6598 switch (q.addr) { 6599 6600 case Q_DEFAULT: 6601 case Q_HOST: 6602 if (masklen != 128) 6603 bpf_error("Mask syntax for networks only"); 6604 /* FALLTHROUGH */ 6605 6606 case Q_NET: 6607 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6608 ai = NULL; 6609 freeaddrinfo(res); 6610 return b; 6611 6612 default: 6613 bpf_error("invalid qualifier against IPv6 address"); 6614 /* NOTREACHED */ 6615 } 6616 return NULL; 6617 } 6618 #endif /*INET6*/ 6619 6620 struct block * 6621 gen_ecode(eaddr, q) 6622 register const u_char *eaddr; 6623 struct qual q; 6624 { 6625 struct block *b, *tmp; 6626 6627 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6628 switch (linktype) { 6629 case DLT_EN10MB: 6630 case DLT_NETANALYZER: 6631 case DLT_NETANALYZER_TRANSPARENT: 6632 tmp = gen_prevlinkhdr_check(); 6633 b = gen_ehostop(eaddr, (int)q.dir); 6634 if (tmp != NULL) 6635 gen_and(tmp, b); 6636 return b; 6637 case DLT_FDDI: 6638 return gen_fhostop(eaddr, (int)q.dir); 6639 case DLT_IEEE802: 6640 return gen_thostop(eaddr, (int)q.dir); 6641 case DLT_IEEE802_11: 6642 case DLT_PRISM_HEADER: 6643 case DLT_IEEE802_11_RADIO_AVS: 6644 case DLT_IEEE802_11_RADIO: 6645 case DLT_PPI: 6646 return gen_wlanhostop(eaddr, (int)q.dir); 6647 case DLT_IP_OVER_FC: 6648 return gen_ipfchostop(eaddr, (int)q.dir); 6649 default: 6650 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6651 break; 6652 } 6653 } 6654 bpf_error("ethernet address used in non-ether expression"); 6655 /* NOTREACHED */ 6656 return NULL; 6657 } 6658 6659 void 6660 sappend(s0, s1) 6661 struct slist *s0, *s1; 6662 { 6663 /* 6664 * This is definitely not the best way to do this, but the 6665 * lists will rarely get long. 6666 */ 6667 while (s0->next) 6668 s0 = s0->next; 6669 s0->next = s1; 6670 } 6671 6672 static struct slist * 6673 xfer_to_x(a) 6674 struct arth *a; 6675 { 6676 struct slist *s; 6677 6678 s = new_stmt(BPF_LDX|BPF_MEM); 6679 s->s.k = a->regno; 6680 return s; 6681 } 6682 6683 static struct slist * 6684 xfer_to_a(a) 6685 struct arth *a; 6686 { 6687 struct slist *s; 6688 6689 s = new_stmt(BPF_LD|BPF_MEM); 6690 s->s.k = a->regno; 6691 return s; 6692 } 6693 6694 /* 6695 * Modify "index" to use the value stored into its register as an 6696 * offset relative to the beginning of the header for the protocol 6697 * "proto", and allocate a register and put an item "size" bytes long 6698 * (1, 2, or 4) at that offset into that register, making it the register 6699 * for "index". 6700 */ 6701 struct arth * 6702 gen_load(proto, inst, size) 6703 int proto; 6704 struct arth *inst; 6705 int size; 6706 { 6707 struct slist *s, *tmp; 6708 struct block *b; 6709 int regno = alloc_reg(); 6710 6711 free_reg(inst->regno); 6712 switch (size) { 6713 6714 default: 6715 bpf_error("data size must be 1, 2, or 4"); 6716 6717 case 1: 6718 size = BPF_B; 6719 break; 6720 6721 case 2: 6722 size = BPF_H; 6723 break; 6724 6725 case 4: 6726 size = BPF_W; 6727 break; 6728 } 6729 switch (proto) { 6730 default: 6731 bpf_error("unsupported index operation"); 6732 6733 case Q_RADIO: 6734 /* 6735 * The offset is relative to the beginning of the packet 6736 * data, if we have a radio header. (If we don't, this 6737 * is an error.) 6738 */ 6739 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6740 linktype != DLT_IEEE802_11_RADIO && 6741 linktype != DLT_PRISM_HEADER) 6742 bpf_error("radio information not present in capture"); 6743 6744 /* 6745 * Load into the X register the offset computed into the 6746 * register specified by "index". 6747 */ 6748 s = xfer_to_x(inst); 6749 6750 /* 6751 * Load the item at that offset. 6752 */ 6753 tmp = new_stmt(BPF_LD|BPF_IND|size); 6754 sappend(s, tmp); 6755 sappend(inst->s, s); 6756 break; 6757 6758 case Q_LINK: 6759 /* 6760 * The offset is relative to the beginning of 6761 * the link-layer header. 6762 * 6763 * XXX - what about ATM LANE? Should the index be 6764 * relative to the beginning of the AAL5 frame, so 6765 * that 0 refers to the beginning of the LE Control 6766 * field, or relative to the beginning of the LAN 6767 * frame, so that 0 refers, for Ethernet LANE, to 6768 * the beginning of the destination address? 6769 */ 6770 s = gen_abs_offset_varpart(&off_linkhdr); 6771 6772 /* 6773 * If "s" is non-null, it has code to arrange that the 6774 * X register contains the length of the prefix preceding 6775 * the link-layer header. Add to it the offset computed 6776 * into the register specified by "index", and move that 6777 * into the X register. Otherwise, just load into the X 6778 * register the offset computed into the register specified 6779 * by "index". 6780 */ 6781 if (s != NULL) { 6782 sappend(s, xfer_to_a(inst)); 6783 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6784 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6785 } else 6786 s = xfer_to_x(inst); 6787 6788 /* 6789 * Load the item at the sum of the offset we've put in the 6790 * X register and the offset of the start of the link 6791 * layer header (which is 0 if the radio header is 6792 * variable-length; that header length is what we put 6793 * into the X register and then added to the index). 6794 */ 6795 tmp = new_stmt(BPF_LD|BPF_IND|size); 6796 tmp->s.k = off_linkhdr.constant_part; 6797 sappend(s, tmp); 6798 sappend(inst->s, s); 6799 break; 6800 6801 case Q_IP: 6802 case Q_ARP: 6803 case Q_RARP: 6804 case Q_ATALK: 6805 case Q_DECNET: 6806 case Q_SCA: 6807 case Q_LAT: 6808 case Q_MOPRC: 6809 case Q_MOPDL: 6810 case Q_IPV6: 6811 /* 6812 * The offset is relative to the beginning of 6813 * the network-layer header. 6814 * XXX - are there any cases where we want 6815 * off_nl_nosnap? 6816 */ 6817 s = gen_abs_offset_varpart(&off_linkpl); 6818 6819 /* 6820 * If "s" is non-null, it has code to arrange that the 6821 * X register contains the variable part of the offset 6822 * of the link-layer payload. Add to it the offset 6823 * computed into the register specified by "index", 6824 * and move that into the X register. Otherwise, just 6825 * load into the X register the offset computed into 6826 * the register specified by "index". 6827 */ 6828 if (s != NULL) { 6829 sappend(s, xfer_to_a(inst)); 6830 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6831 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6832 } else 6833 s = xfer_to_x(inst); 6834 6835 /* 6836 * Load the item at the sum of the offset we've put in the 6837 * X register, the offset of the start of the network 6838 * layer header from the beginning of the link-layer 6839 * payload, and the constant part of the offset of the 6840 * start of the link-layer payload. 6841 */ 6842 tmp = new_stmt(BPF_LD|BPF_IND|size); 6843 tmp->s.k = off_linkpl.constant_part + off_nl; 6844 sappend(s, tmp); 6845 sappend(inst->s, s); 6846 6847 /* 6848 * Do the computation only if the packet contains 6849 * the protocol in question. 6850 */ 6851 b = gen_proto_abbrev(proto); 6852 if (inst->b) 6853 gen_and(inst->b, b); 6854 inst->b = b; 6855 break; 6856 6857 case Q_SCTP: 6858 case Q_TCP: 6859 case Q_UDP: 6860 case Q_ICMP: 6861 case Q_IGMP: 6862 case Q_IGRP: 6863 case Q_PIM: 6864 case Q_VRRP: 6865 case Q_CARP: 6866 /* 6867 * The offset is relative to the beginning of 6868 * the transport-layer header. 6869 * 6870 * Load the X register with the length of the IPv4 header 6871 * (plus the offset of the link-layer header, if it's 6872 * a variable-length header), in bytes. 6873 * 6874 * XXX - are there any cases where we want 6875 * off_nl_nosnap? 6876 * XXX - we should, if we're built with 6877 * IPv6 support, generate code to load either 6878 * IPv4, IPv6, or both, as appropriate. 6879 */ 6880 s = gen_loadx_iphdrlen(); 6881 6882 /* 6883 * The X register now contains the sum of the variable 6884 * part of the offset of the link-layer payload and the 6885 * length of the network-layer header. 6886 * 6887 * Load into the A register the offset relative to 6888 * the beginning of the transport layer header, 6889 * add the X register to that, move that to the 6890 * X register, and load with an offset from the 6891 * X register equal to the sum of the constant part of 6892 * the offset of the link-layer payload and the offset, 6893 * relative to the beginning of the link-layer payload, 6894 * of the network-layer header. 6895 */ 6896 sappend(s, xfer_to_a(inst)); 6897 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6898 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6899 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6900 tmp->s.k = off_linkpl.constant_part + off_nl; 6901 sappend(inst->s, s); 6902 6903 /* 6904 * Do the computation only if the packet contains 6905 * the protocol in question - which is true only 6906 * if this is an IP datagram and is the first or 6907 * only fragment of that datagram. 6908 */ 6909 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6910 if (inst->b) 6911 gen_and(inst->b, b); 6912 gen_and(gen_proto_abbrev(Q_IP), b); 6913 inst->b = b; 6914 break; 6915 case Q_ICMPV6: 6916 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6917 /*NOTREACHED*/ 6918 } 6919 inst->regno = regno; 6920 s = new_stmt(BPF_ST); 6921 s->s.k = regno; 6922 sappend(inst->s, s); 6923 6924 return inst; 6925 } 6926 6927 struct block * 6928 gen_relation(code, a0, a1, reversed) 6929 int code; 6930 struct arth *a0, *a1; 6931 int reversed; 6932 { 6933 struct slist *s0, *s1, *s2; 6934 struct block *b, *tmp; 6935 6936 s0 = xfer_to_x(a1); 6937 s1 = xfer_to_a(a0); 6938 if (code == BPF_JEQ) { 6939 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6940 b = new_block(JMP(code)); 6941 sappend(s1, s2); 6942 } 6943 else 6944 b = new_block(BPF_JMP|code|BPF_X); 6945 if (reversed) 6946 gen_not(b); 6947 6948 sappend(s0, s1); 6949 sappend(a1->s, s0); 6950 sappend(a0->s, a1->s); 6951 6952 b->stmts = a0->s; 6953 6954 free_reg(a0->regno); 6955 free_reg(a1->regno); 6956 6957 /* 'and' together protocol checks */ 6958 if (a0->b) { 6959 if (a1->b) { 6960 gen_and(a0->b, tmp = a1->b); 6961 } 6962 else 6963 tmp = a0->b; 6964 } else 6965 tmp = a1->b; 6966 6967 if (tmp) 6968 gen_and(tmp, b); 6969 6970 return b; 6971 } 6972 6973 struct arth * 6974 gen_loadlen() 6975 { 6976 int regno = alloc_reg(); 6977 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6978 struct slist *s; 6979 6980 s = new_stmt(BPF_LD|BPF_LEN); 6981 s->next = new_stmt(BPF_ST); 6982 s->next->s.k = regno; 6983 a->s = s; 6984 a->regno = regno; 6985 6986 return a; 6987 } 6988 6989 struct arth * 6990 gen_loadi(val) 6991 int val; 6992 { 6993 struct arth *a; 6994 struct slist *s; 6995 int reg; 6996 6997 a = (struct arth *)newchunk(sizeof(*a)); 6998 6999 reg = alloc_reg(); 7000 7001 s = new_stmt(BPF_LD|BPF_IMM); 7002 s->s.k = val; 7003 s->next = new_stmt(BPF_ST); 7004 s->next->s.k = reg; 7005 a->s = s; 7006 a->regno = reg; 7007 7008 return a; 7009 } 7010 7011 struct arth * 7012 gen_neg(a) 7013 struct arth *a; 7014 { 7015 struct slist *s; 7016 7017 s = xfer_to_a(a); 7018 sappend(a->s, s); 7019 s = new_stmt(BPF_ALU|BPF_NEG); 7020 s->s.k = 0; 7021 sappend(a->s, s); 7022 s = new_stmt(BPF_ST); 7023 s->s.k = a->regno; 7024 sappend(a->s, s); 7025 7026 return a; 7027 } 7028 7029 struct arth * 7030 gen_arth(code, a0, a1) 7031 int code; 7032 struct arth *a0, *a1; 7033 { 7034 struct slist *s0, *s1, *s2; 7035 7036 s0 = xfer_to_x(a1); 7037 s1 = xfer_to_a(a0); 7038 s2 = new_stmt(BPF_ALU|BPF_X|code); 7039 7040 sappend(s1, s2); 7041 sappend(s0, s1); 7042 sappend(a1->s, s0); 7043 sappend(a0->s, a1->s); 7044 7045 free_reg(a0->regno); 7046 free_reg(a1->regno); 7047 7048 s0 = new_stmt(BPF_ST); 7049 a0->regno = s0->s.k = alloc_reg(); 7050 sappend(a0->s, s0); 7051 7052 return a0; 7053 } 7054 7055 /* 7056 * Here we handle simple allocation of the scratch registers. 7057 * If too many registers are alloc'd, the allocator punts. 7058 */ 7059 static int regused[BPF_MEMWORDS]; 7060 static int curreg; 7061 7062 /* 7063 * Initialize the table of used registers and the current register. 7064 */ 7065 static void 7066 init_regs() 7067 { 7068 curreg = 0; 7069 memset(regused, 0, sizeof regused); 7070 } 7071 7072 /* 7073 * Return the next free register. 7074 */ 7075 static int 7076 alloc_reg() 7077 { 7078 int n = BPF_MEMWORDS; 7079 7080 while (--n >= 0) { 7081 if (regused[curreg]) 7082 curreg = (curreg + 1) % BPF_MEMWORDS; 7083 else { 7084 regused[curreg] = 1; 7085 return curreg; 7086 } 7087 } 7088 bpf_error("too many registers needed to evaluate expression"); 7089 /* NOTREACHED */ 7090 return 0; 7091 } 7092 7093 /* 7094 * Return a register to the table so it can 7095 * be used later. 7096 */ 7097 static void 7098 free_reg(n) 7099 int n; 7100 { 7101 regused[n] = 0; 7102 } 7103 7104 static struct block * 7105 gen_len(jmp, n) 7106 int jmp, n; 7107 { 7108 struct slist *s; 7109 struct block *b; 7110 7111 s = new_stmt(BPF_LD|BPF_LEN); 7112 b = new_block(JMP(jmp)); 7113 b->stmts = s; 7114 b->s.k = n; 7115 7116 return b; 7117 } 7118 7119 struct block * 7120 gen_greater(n) 7121 int n; 7122 { 7123 return gen_len(BPF_JGE, n); 7124 } 7125 7126 /* 7127 * Actually, this is less than or equal. 7128 */ 7129 struct block * 7130 gen_less(n) 7131 int n; 7132 { 7133 struct block *b; 7134 7135 b = gen_len(BPF_JGT, n); 7136 gen_not(b); 7137 7138 return b; 7139 } 7140 7141 /* 7142 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7143 * the beginning of the link-layer header. 7144 * XXX - that means you can't test values in the radiotap header, but 7145 * as that header is difficult if not impossible to parse generally 7146 * without a loop, that might not be a severe problem. A new keyword 7147 * "radio" could be added for that, although what you'd really want 7148 * would be a way of testing particular radio header values, which 7149 * would generate code appropriate to the radio header in question. 7150 */ 7151 struct block * 7152 gen_byteop(op, idx, val) 7153 int op, idx, val; 7154 { 7155 struct block *b; 7156 struct slist *s; 7157 7158 switch (op) { 7159 default: 7160 abort(); 7161 7162 case '=': 7163 return gen_cmp(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7164 7165 case '<': 7166 b = gen_cmp_lt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7167 return b; 7168 7169 case '>': 7170 b = gen_cmp_gt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7171 return b; 7172 7173 case '|': 7174 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7175 break; 7176 7177 case '&': 7178 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7179 break; 7180 } 7181 s->s.k = val; 7182 b = new_block(JMP(BPF_JEQ)); 7183 b->stmts = s; 7184 gen_not(b); 7185 7186 return b; 7187 } 7188 7189 static u_char abroadcast[] = { 0x0 }; 7190 7191 struct block * 7192 gen_broadcast(proto) 7193 int proto; 7194 { 7195 bpf_u_int32 hostmask; 7196 struct block *b0, *b1, *b2; 7197 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7198 7199 switch (proto) { 7200 7201 case Q_DEFAULT: 7202 case Q_LINK: 7203 switch (linktype) { 7204 case DLT_ARCNET: 7205 case DLT_ARCNET_LINUX: 7206 return gen_ahostop(abroadcast, Q_DST); 7207 case DLT_EN10MB: 7208 case DLT_NETANALYZER: 7209 case DLT_NETANALYZER_TRANSPARENT: 7210 b1 = gen_prevlinkhdr_check(); 7211 b0 = gen_ehostop(ebroadcast, Q_DST); 7212 if (b1 != NULL) 7213 gen_and(b1, b0); 7214 return b0; 7215 case DLT_FDDI: 7216 return gen_fhostop(ebroadcast, Q_DST); 7217 case DLT_IEEE802: 7218 return gen_thostop(ebroadcast, Q_DST); 7219 case DLT_IEEE802_11: 7220 case DLT_PRISM_HEADER: 7221 case DLT_IEEE802_11_RADIO_AVS: 7222 case DLT_IEEE802_11_RADIO: 7223 case DLT_PPI: 7224 return gen_wlanhostop(ebroadcast, Q_DST); 7225 case DLT_IP_OVER_FC: 7226 return gen_ipfchostop(ebroadcast, Q_DST); 7227 default: 7228 bpf_error("not a broadcast link"); 7229 } 7230 break; 7231 7232 case Q_IP: 7233 /* 7234 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7235 * as an indication that we don't know the netmask, and fail 7236 * in that case. 7237 */ 7238 if (netmask == PCAP_NETMASK_UNKNOWN) 7239 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7240 b0 = gen_linktype(ETHERTYPE_IP); 7241 hostmask = ~netmask; 7242 b1 = gen_mcmp(OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7243 b2 = gen_mcmp(OR_LINKPL, 16, BPF_W, 7244 (bpf_int32)(~0 & hostmask), hostmask); 7245 gen_or(b1, b2); 7246 gen_and(b0, b2); 7247 return b2; 7248 } 7249 bpf_error("only link-layer/IP broadcast filters supported"); 7250 /* NOTREACHED */ 7251 return NULL; 7252 } 7253 7254 /* 7255 * Generate code to test the low-order bit of a MAC address (that's 7256 * the bottom bit of the *first* byte). 7257 */ 7258 static struct block * 7259 gen_mac_multicast(offset) 7260 int offset; 7261 { 7262 register struct block *b0; 7263 register struct slist *s; 7264 7265 /* link[offset] & 1 != 0 */ 7266 s = gen_load_a(OR_LINKHDR, offset, BPF_B); 7267 b0 = new_block(JMP(BPF_JSET)); 7268 b0->s.k = 1; 7269 b0->stmts = s; 7270 return b0; 7271 } 7272 7273 struct block * 7274 gen_multicast(proto) 7275 int proto; 7276 { 7277 register struct block *b0, *b1, *b2; 7278 register struct slist *s; 7279 7280 switch (proto) { 7281 7282 case Q_DEFAULT: 7283 case Q_LINK: 7284 switch (linktype) { 7285 case DLT_ARCNET: 7286 case DLT_ARCNET_LINUX: 7287 /* all ARCnet multicasts use the same address */ 7288 return gen_ahostop(abroadcast, Q_DST); 7289 case DLT_EN10MB: 7290 case DLT_NETANALYZER: 7291 case DLT_NETANALYZER_TRANSPARENT: 7292 b1 = gen_prevlinkhdr_check(); 7293 /* ether[0] & 1 != 0 */ 7294 b0 = gen_mac_multicast(0); 7295 if (b1 != NULL) 7296 gen_and(b1, b0); 7297 return b0; 7298 case DLT_FDDI: 7299 /* 7300 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7301 * 7302 * XXX - was that referring to bit-order issues? 7303 */ 7304 /* fddi[1] & 1 != 0 */ 7305 return gen_mac_multicast(1); 7306 case DLT_IEEE802: 7307 /* tr[2] & 1 != 0 */ 7308 return gen_mac_multicast(2); 7309 case DLT_IEEE802_11: 7310 case DLT_PRISM_HEADER: 7311 case DLT_IEEE802_11_RADIO_AVS: 7312 case DLT_IEEE802_11_RADIO: 7313 case DLT_PPI: 7314 /* 7315 * Oh, yuk. 7316 * 7317 * For control frames, there is no DA. 7318 * 7319 * For management frames, DA is at an 7320 * offset of 4 from the beginning of 7321 * the packet. 7322 * 7323 * For data frames, DA is at an offset 7324 * of 4 from the beginning of the packet 7325 * if To DS is clear and at an offset of 7326 * 16 from the beginning of the packet 7327 * if To DS is set. 7328 */ 7329 7330 /* 7331 * Generate the tests to be done for data frames. 7332 * 7333 * First, check for To DS set, i.e. "link[1] & 0x01". 7334 */ 7335 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 7336 b1 = new_block(JMP(BPF_JSET)); 7337 b1->s.k = 0x01; /* To DS */ 7338 b1->stmts = s; 7339 7340 /* 7341 * If To DS is set, the DA is at 16. 7342 */ 7343 b0 = gen_mac_multicast(16); 7344 gen_and(b1, b0); 7345 7346 /* 7347 * Now, check for To DS not set, i.e. check 7348 * "!(link[1] & 0x01)". 7349 */ 7350 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 7351 b2 = new_block(JMP(BPF_JSET)); 7352 b2->s.k = 0x01; /* To DS */ 7353 b2->stmts = s; 7354 gen_not(b2); 7355 7356 /* 7357 * If To DS is not set, the DA is at 4. 7358 */ 7359 b1 = gen_mac_multicast(4); 7360 gen_and(b2, b1); 7361 7362 /* 7363 * Now OR together the last two checks. That gives 7364 * the complete set of checks for data frames. 7365 */ 7366 gen_or(b1, b0); 7367 7368 /* 7369 * Now check for a data frame. 7370 * I.e, check "link[0] & 0x08". 7371 */ 7372 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7373 b1 = new_block(JMP(BPF_JSET)); 7374 b1->s.k = 0x08; 7375 b1->stmts = s; 7376 7377 /* 7378 * AND that with the checks done for data frames. 7379 */ 7380 gen_and(b1, b0); 7381 7382 /* 7383 * If the high-order bit of the type value is 0, this 7384 * is a management frame. 7385 * I.e, check "!(link[0] & 0x08)". 7386 */ 7387 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7388 b2 = new_block(JMP(BPF_JSET)); 7389 b2->s.k = 0x08; 7390 b2->stmts = s; 7391 gen_not(b2); 7392 7393 /* 7394 * For management frames, the DA is at 4. 7395 */ 7396 b1 = gen_mac_multicast(4); 7397 gen_and(b2, b1); 7398 7399 /* 7400 * OR that with the checks done for data frames. 7401 * That gives the checks done for management and 7402 * data frames. 7403 */ 7404 gen_or(b1, b0); 7405 7406 /* 7407 * If the low-order bit of the type value is 1, 7408 * this is either a control frame or a frame 7409 * with a reserved type, and thus not a 7410 * frame with an SA. 7411 * 7412 * I.e., check "!(link[0] & 0x04)". 7413 */ 7414 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7415 b1 = new_block(JMP(BPF_JSET)); 7416 b1->s.k = 0x04; 7417 b1->stmts = s; 7418 gen_not(b1); 7419 7420 /* 7421 * AND that with the checks for data and management 7422 * frames. 7423 */ 7424 gen_and(b1, b0); 7425 return b0; 7426 case DLT_IP_OVER_FC: 7427 b0 = gen_mac_multicast(2); 7428 return b0; 7429 default: 7430 break; 7431 } 7432 /* Link not known to support multicasts */ 7433 break; 7434 7435 case Q_IP: 7436 b0 = gen_linktype(ETHERTYPE_IP); 7437 b1 = gen_cmp_ge(OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7438 gen_and(b0, b1); 7439 return b1; 7440 7441 case Q_IPV6: 7442 b0 = gen_linktype(ETHERTYPE_IPV6); 7443 b1 = gen_cmp(OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7444 gen_and(b0, b1); 7445 return b1; 7446 } 7447 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7448 /* NOTREACHED */ 7449 return NULL; 7450 } 7451 7452 /* 7453 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7454 * Outbound traffic is sent by this machine, while inbound traffic is 7455 * sent by a remote machine (and may include packets destined for a 7456 * unicast or multicast link-layer address we are not subscribing to). 7457 * These are the same definitions implemented by pcap_setdirection(). 7458 * Capturing only unicast traffic destined for this host is probably 7459 * better accomplished using a higher-layer filter. 7460 */ 7461 struct block * 7462 gen_inbound(dir) 7463 int dir; 7464 { 7465 register struct block *b0; 7466 7467 /* 7468 * Only some data link types support inbound/outbound qualifiers. 7469 */ 7470 switch (linktype) { 7471 case DLT_SLIP: 7472 b0 = gen_relation(BPF_JEQ, 7473 gen_load(Q_LINK, gen_loadi(0), 1), 7474 gen_loadi(0), 7475 dir); 7476 break; 7477 7478 case DLT_IPNET: 7479 if (dir) { 7480 /* match outgoing packets */ 7481 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7482 } else { 7483 /* match incoming packets */ 7484 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7485 } 7486 break; 7487 7488 case DLT_LINUX_SLL: 7489 /* match outgoing packets */ 7490 b0 = gen_cmp(OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7491 if (!dir) { 7492 /* to filter on inbound traffic, invert the match */ 7493 gen_not(b0); 7494 } 7495 break; 7496 7497 #ifdef HAVE_NET_PFVAR_H 7498 case DLT_PFLOG: 7499 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7500 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7501 break; 7502 #endif 7503 7504 case DLT_PPP_PPPD: 7505 if (dir) { 7506 /* match outgoing packets */ 7507 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7508 } else { 7509 /* match incoming packets */ 7510 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7511 } 7512 break; 7513 7514 case DLT_JUNIPER_MFR: 7515 case DLT_JUNIPER_MLFR: 7516 case DLT_JUNIPER_MLPPP: 7517 case DLT_JUNIPER_ATM1: 7518 case DLT_JUNIPER_ATM2: 7519 case DLT_JUNIPER_PPPOE: 7520 case DLT_JUNIPER_PPPOE_ATM: 7521 case DLT_JUNIPER_GGSN: 7522 case DLT_JUNIPER_ES: 7523 case DLT_JUNIPER_MONITOR: 7524 case DLT_JUNIPER_SERVICES: 7525 case DLT_JUNIPER_ETHER: 7526 case DLT_JUNIPER_PPP: 7527 case DLT_JUNIPER_FRELAY: 7528 case DLT_JUNIPER_CHDLC: 7529 case DLT_JUNIPER_VP: 7530 case DLT_JUNIPER_ST: 7531 case DLT_JUNIPER_ISM: 7532 case DLT_JUNIPER_VS: 7533 case DLT_JUNIPER_SRX_E2E: 7534 case DLT_JUNIPER_FIBRECHANNEL: 7535 case DLT_JUNIPER_ATM_CEMIC: 7536 7537 /* juniper flags (including direction) are stored 7538 * the byte after the 3-byte magic number */ 7539 if (dir) { 7540 /* match outgoing packets */ 7541 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 0, 0x01); 7542 } else { 7543 /* match incoming packets */ 7544 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 1, 0x01); 7545 } 7546 break; 7547 7548 default: 7549 /* 7550 * If we have packet meta-data indicating a direction, 7551 * check it, otherwise give up as this link-layer type 7552 * has nothing in the packet data. 7553 */ 7554 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7555 /* 7556 * This is Linux with PF_PACKET support. 7557 * If this is a *live* capture, we can look at 7558 * special meta-data in the filter expression; 7559 * if it's a savefile, we can't. 7560 */ 7561 if (bpf_pcap->rfile != NULL) { 7562 /* We have a FILE *, so this is a savefile */ 7563 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7564 linktype); 7565 b0 = NULL; 7566 /* NOTREACHED */ 7567 } 7568 /* match outgoing packets */ 7569 b0 = gen_cmp(OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7570 PACKET_OUTGOING); 7571 if (!dir) { 7572 /* to filter on inbound traffic, invert the match */ 7573 gen_not(b0); 7574 } 7575 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7576 bpf_error("inbound/outbound not supported on linktype %d", 7577 linktype); 7578 b0 = NULL; 7579 /* NOTREACHED */ 7580 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7581 } 7582 return (b0); 7583 } 7584 7585 #ifdef HAVE_NET_PFVAR_H 7586 /* PF firewall log matched interface */ 7587 struct block * 7588 gen_pf_ifname(const char *ifname) 7589 { 7590 struct block *b0; 7591 u_int len, off; 7592 7593 if (linktype != DLT_PFLOG) { 7594 bpf_error("ifname supported only on PF linktype"); 7595 /* NOTREACHED */ 7596 } 7597 len = sizeof(((struct pfloghdr *)0)->ifname); 7598 off = offsetof(struct pfloghdr, ifname); 7599 if (strlen(ifname) >= len) { 7600 bpf_error("ifname interface names can only be %d characters", 7601 len-1); 7602 /* NOTREACHED */ 7603 } 7604 b0 = gen_bcmp(OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7605 return (b0); 7606 } 7607 7608 /* PF firewall log ruleset name */ 7609 struct block * 7610 gen_pf_ruleset(char *ruleset) 7611 { 7612 struct block *b0; 7613 7614 if (linktype != DLT_PFLOG) { 7615 bpf_error("ruleset supported only on PF linktype"); 7616 /* NOTREACHED */ 7617 } 7618 7619 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7620 bpf_error("ruleset names can only be %ld characters", 7621 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7622 /* NOTREACHED */ 7623 } 7624 7625 b0 = gen_bcmp(OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7626 strlen(ruleset), (const u_char *)ruleset); 7627 return (b0); 7628 } 7629 7630 /* PF firewall log rule number */ 7631 struct block * 7632 gen_pf_rnr(int rnr) 7633 { 7634 struct block *b0; 7635 7636 if (linktype != DLT_PFLOG) { 7637 bpf_error("rnr supported only on PF linktype"); 7638 /* NOTREACHED */ 7639 } 7640 7641 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7642 (bpf_int32)rnr); 7643 return (b0); 7644 } 7645 7646 /* PF firewall log sub-rule number */ 7647 struct block * 7648 gen_pf_srnr(int srnr) 7649 { 7650 struct block *b0; 7651 7652 if (linktype != DLT_PFLOG) { 7653 bpf_error("srnr supported only on PF linktype"); 7654 /* NOTREACHED */ 7655 } 7656 7657 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7658 (bpf_int32)srnr); 7659 return (b0); 7660 } 7661 7662 /* PF firewall log reason code */ 7663 struct block * 7664 gen_pf_reason(int reason) 7665 { 7666 struct block *b0; 7667 7668 if (linktype != DLT_PFLOG) { 7669 bpf_error("reason supported only on PF linktype"); 7670 /* NOTREACHED */ 7671 } 7672 7673 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7674 (bpf_int32)reason); 7675 return (b0); 7676 } 7677 7678 /* PF firewall log action */ 7679 struct block * 7680 gen_pf_action(int action) 7681 { 7682 struct block *b0; 7683 7684 if (linktype != DLT_PFLOG) { 7685 bpf_error("action supported only on PF linktype"); 7686 /* NOTREACHED */ 7687 } 7688 7689 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7690 (bpf_int32)action); 7691 return (b0); 7692 } 7693 #else /* !HAVE_NET_PFVAR_H */ 7694 struct block * 7695 gen_pf_ifname(const char *ifname) 7696 { 7697 bpf_error("libpcap was compiled without pf support"); 7698 /* NOTREACHED */ 7699 return (NULL); 7700 } 7701 7702 struct block * 7703 gen_pf_ruleset(char *ruleset) 7704 { 7705 bpf_error("libpcap was compiled on a machine without pf support"); 7706 /* NOTREACHED */ 7707 return (NULL); 7708 } 7709 7710 struct block * 7711 gen_pf_rnr(int rnr) 7712 { 7713 bpf_error("libpcap was compiled on a machine without pf support"); 7714 /* NOTREACHED */ 7715 return (NULL); 7716 } 7717 7718 struct block * 7719 gen_pf_srnr(int srnr) 7720 { 7721 bpf_error("libpcap was compiled on a machine without pf support"); 7722 /* NOTREACHED */ 7723 return (NULL); 7724 } 7725 7726 struct block * 7727 gen_pf_reason(int reason) 7728 { 7729 bpf_error("libpcap was compiled on a machine without pf support"); 7730 /* NOTREACHED */ 7731 return (NULL); 7732 } 7733 7734 struct block * 7735 gen_pf_action(int action) 7736 { 7737 bpf_error("libpcap was compiled on a machine without pf support"); 7738 /* NOTREACHED */ 7739 return (NULL); 7740 } 7741 #endif /* HAVE_NET_PFVAR_H */ 7742 7743 /* IEEE 802.11 wireless header */ 7744 struct block * 7745 gen_p80211_type(int type, int mask) 7746 { 7747 struct block *b0; 7748 7749 switch (linktype) { 7750 7751 case DLT_IEEE802_11: 7752 case DLT_PRISM_HEADER: 7753 case DLT_IEEE802_11_RADIO_AVS: 7754 case DLT_IEEE802_11_RADIO: 7755 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7756 (bpf_int32)mask); 7757 break; 7758 7759 default: 7760 bpf_error("802.11 link-layer types supported only on 802.11"); 7761 /* NOTREACHED */ 7762 } 7763 7764 return (b0); 7765 } 7766 7767 struct block * 7768 gen_p80211_fcdir(int fcdir) 7769 { 7770 struct block *b0; 7771 7772 switch (linktype) { 7773 7774 case DLT_IEEE802_11: 7775 case DLT_PRISM_HEADER: 7776 case DLT_IEEE802_11_RADIO_AVS: 7777 case DLT_IEEE802_11_RADIO: 7778 break; 7779 7780 default: 7781 bpf_error("frame direction supported only with 802.11 headers"); 7782 /* NOTREACHED */ 7783 } 7784 7785 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 7786 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7787 7788 return (b0); 7789 } 7790 7791 struct block * 7792 gen_acode(eaddr, q) 7793 register const u_char *eaddr; 7794 struct qual q; 7795 { 7796 switch (linktype) { 7797 7798 case DLT_ARCNET: 7799 case DLT_ARCNET_LINUX: 7800 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7801 q.proto == Q_LINK) 7802 return (gen_ahostop(eaddr, (int)q.dir)); 7803 else { 7804 bpf_error("ARCnet address used in non-arc expression"); 7805 /* NOTREACHED */ 7806 } 7807 break; 7808 7809 default: 7810 bpf_error("aid supported only on ARCnet"); 7811 /* NOTREACHED */ 7812 } 7813 bpf_error("ARCnet address used in non-arc expression"); 7814 /* NOTREACHED */ 7815 return NULL; 7816 } 7817 7818 static struct block * 7819 gen_ahostop(eaddr, dir) 7820 register const u_char *eaddr; 7821 register int dir; 7822 { 7823 register struct block *b0, *b1; 7824 7825 switch (dir) { 7826 /* src comes first, different from Ethernet */ 7827 case Q_SRC: 7828 return gen_bcmp(OR_LINKHDR, 0, 1, eaddr); 7829 7830 case Q_DST: 7831 return gen_bcmp(OR_LINKHDR, 1, 1, eaddr); 7832 7833 case Q_AND: 7834 b0 = gen_ahostop(eaddr, Q_SRC); 7835 b1 = gen_ahostop(eaddr, Q_DST); 7836 gen_and(b0, b1); 7837 return b1; 7838 7839 case Q_DEFAULT: 7840 case Q_OR: 7841 b0 = gen_ahostop(eaddr, Q_SRC); 7842 b1 = gen_ahostop(eaddr, Q_DST); 7843 gen_or(b0, b1); 7844 return b1; 7845 7846 case Q_ADDR1: 7847 bpf_error("'addr1' is only supported on 802.11"); 7848 break; 7849 7850 case Q_ADDR2: 7851 bpf_error("'addr2' is only supported on 802.11"); 7852 break; 7853 7854 case Q_ADDR3: 7855 bpf_error("'addr3' is only supported on 802.11"); 7856 break; 7857 7858 case Q_ADDR4: 7859 bpf_error("'addr4' is only supported on 802.11"); 7860 break; 7861 7862 case Q_RA: 7863 bpf_error("'ra' is only supported on 802.11"); 7864 break; 7865 7866 case Q_TA: 7867 bpf_error("'ta' is only supported on 802.11"); 7868 break; 7869 } 7870 abort(); 7871 /* NOTREACHED */ 7872 } 7873 7874 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7875 static struct block * 7876 gen_vlan_bpf_extensions(int vlan_num) 7877 { 7878 struct block *b0, *b1; 7879 struct slist *s; 7880 7881 /* generate new filter code based on extracting packet 7882 * metadata */ 7883 s = new_stmt(BPF_LD|BPF_B|BPF_ABS); 7884 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 7885 7886 b0 = new_block(JMP(BPF_JEQ)); 7887 b0->stmts = s; 7888 b0->s.k = 1; 7889 7890 if (vlan_num >= 0) { 7891 s = new_stmt(BPF_LD|BPF_B|BPF_ABS); 7892 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 7893 7894 b1 = new_block(JMP(BPF_JEQ)); 7895 b1->stmts = s; 7896 b1->s.k = (bpf_int32) vlan_num; 7897 7898 gen_and(b0,b1); 7899 b0 = b1; 7900 } 7901 7902 return b0; 7903 } 7904 #endif 7905 7906 static struct block * 7907 gen_vlan_no_bpf_extensions(int vlan_num) 7908 { 7909 struct block *b0, *b1; 7910 7911 /* check for VLAN, including QinQ */ 7912 b0 = gen_linktype(ETHERTYPE_8021Q); 7913 b1 = gen_linktype(ETHERTYPE_8021QINQ); 7914 gen_or(b0,b1); 7915 b0 = b1; 7916 7917 /* If a specific VLAN is requested, check VLAN id */ 7918 if (vlan_num >= 0) { 7919 b1 = gen_mcmp(OR_LINKPL, 0, BPF_H, 7920 (bpf_int32)vlan_num, 0x0fff); 7921 gen_and(b0, b1); 7922 b0 = b1; 7923 } 7924 7925 /* 7926 * The payload follows the full header, including the 7927 * VLAN tags, so skip past this VLAN tag. 7928 */ 7929 off_linkpl.constant_part += 4; 7930 7931 /* 7932 * The link-layer type information follows the VLAN tags, so 7933 * skip past this VLAN tag. 7934 */ 7935 off_linktype.constant_part += 4; 7936 7937 return b0; 7938 } 7939 7940 /* 7941 * support IEEE 802.1Q VLAN trunk over ethernet 7942 */ 7943 struct block * 7944 gen_vlan(vlan_num) 7945 int vlan_num; 7946 { 7947 struct block *b0; 7948 7949 /* can't check for VLAN-encapsulated packets inside MPLS */ 7950 if (label_stack_depth > 0) 7951 bpf_error("no VLAN match after MPLS"); 7952 7953 /* 7954 * Check for a VLAN packet, and then change the offsets to point 7955 * to the type and data fields within the VLAN packet. Just 7956 * increment the offsets, so that we can support a hierarchy, e.g. 7957 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7958 * VLAN 100. 7959 * 7960 * XXX - this is a bit of a kludge. If we were to split the 7961 * compiler into a parser that parses an expression and 7962 * generates an expression tree, and a code generator that 7963 * takes an expression tree (which could come from our 7964 * parser or from some other parser) and generates BPF code, 7965 * we could perhaps make the offsets parameters of routines 7966 * and, in the handler for an "AND" node, pass to subnodes 7967 * other than the VLAN node the adjusted offsets. 7968 * 7969 * This would mean that "vlan" would, instead of changing the 7970 * behavior of *all* tests after it, change only the behavior 7971 * of tests ANDed with it. That would change the documented 7972 * semantics of "vlan", which might break some expressions. 7973 * However, it would mean that "(vlan and ip) or ip" would check 7974 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7975 * checking only for VLAN-encapsulated IP, so that could still 7976 * be considered worth doing; it wouldn't break expressions 7977 * that are of the form "vlan and ..." or "vlan N and ...", 7978 * which I suspect are the most common expressions involving 7979 * "vlan". "vlan or ..." doesn't necessarily do what the user 7980 * would really want, now, as all the "or ..." tests would 7981 * be done assuming a VLAN, even though the "or" could be viewed 7982 * as meaning "or, if this isn't a VLAN packet...". 7983 */ 7984 switch (linktype) { 7985 7986 case DLT_EN10MB: 7987 case DLT_NETANALYZER: 7988 case DLT_NETANALYZER_TRANSPARENT: 7989 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7990 /* Verify that this is the outer part of the packet and 7991 * not encapsulated somehow. */ 7992 if (vlan_stack_depth == 0 && !off_linkhdr.is_variable && 7993 off_linkhdr.constant_part == 7994 off_outermostlinkhdr.constant_part) { 7995 /* 7996 * Do we need special VLAN handling? 7997 */ 7998 if (bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 7999 b0 = gen_vlan_bpf_extensions(vlan_num); 8000 else 8001 b0 = gen_vlan_no_bpf_extensions(vlan_num); 8002 } else 8003 #endif 8004 b0 = gen_vlan_no_bpf_extensions(vlan_num); 8005 break; 8006 8007 case DLT_IEEE802_11: 8008 case DLT_PRISM_HEADER: 8009 case DLT_IEEE802_11_RADIO_AVS: 8010 case DLT_IEEE802_11_RADIO: 8011 b0 = gen_vlan_no_bpf_extensions(vlan_num); 8012 break; 8013 8014 default: 8015 bpf_error("no VLAN support for data link type %d", 8016 linktype); 8017 /*NOTREACHED*/ 8018 } 8019 8020 vlan_stack_depth++; 8021 8022 return (b0); 8023 } 8024 8025 /* 8026 * support for MPLS 8027 */ 8028 struct block * 8029 gen_mpls(label_num) 8030 int label_num; 8031 { 8032 struct block *b0, *b1; 8033 8034 if (label_stack_depth > 0) { 8035 /* just match the bottom-of-stack bit clear */ 8036 b0 = gen_mcmp(OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8037 } else { 8038 /* 8039 * We're not in an MPLS stack yet, so check the link-layer 8040 * type against MPLS. 8041 */ 8042 switch (linktype) { 8043 8044 case DLT_C_HDLC: /* fall through */ 8045 case DLT_EN10MB: 8046 case DLT_NETANALYZER: 8047 case DLT_NETANALYZER_TRANSPARENT: 8048 b0 = gen_linktype(ETHERTYPE_MPLS); 8049 break; 8050 8051 case DLT_PPP: 8052 b0 = gen_linktype(PPP_MPLS_UCAST); 8053 break; 8054 8055 /* FIXME add other DLT_s ... 8056 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8057 * leave it for now */ 8058 8059 default: 8060 bpf_error("no MPLS support for data link type %d", 8061 linktype); 8062 b0 = NULL; 8063 /*NOTREACHED*/ 8064 break; 8065 } 8066 } 8067 8068 /* If a specific MPLS label is requested, check it */ 8069 if (label_num >= 0) { 8070 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8071 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8072 0xfffff000); /* only compare the first 20 bits */ 8073 gen_and(b0, b1); 8074 b0 = b1; 8075 } 8076 8077 /* 8078 * Change the offsets to point to the type and data fields within 8079 * the MPLS packet. Just increment the offsets, so that we 8080 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8081 * capture packets with an outer label of 100000 and an inner 8082 * label of 1024. 8083 * 8084 * Increment the MPLS stack depth as well; this indicates that 8085 * we're checking MPLS-encapsulated headers, to make sure higher 8086 * level code generators don't try to match against IP-related 8087 * protocols such as Q_ARP, Q_RARP etc. 8088 * 8089 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8090 */ 8091 off_nl_nosnap += 4; 8092 off_nl += 4; 8093 label_stack_depth++; 8094 return (b0); 8095 } 8096 8097 /* 8098 * Support PPPOE discovery and session. 8099 */ 8100 struct block * 8101 gen_pppoed() 8102 { 8103 /* check for PPPoE discovery */ 8104 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8105 } 8106 8107 struct block * 8108 gen_pppoes(sess_num) 8109 int sess_num; 8110 { 8111 struct block *b0, *b1; 8112 8113 /* 8114 * Test against the PPPoE session link-layer type. 8115 */ 8116 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8117 8118 /* If a specific session is requested, check PPPoE session id */ 8119 if (sess_num >= 0) { 8120 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, 8121 (bpf_int32)sess_num, 0x0000ffff); 8122 gen_and(b0, b1); 8123 b0 = b1; 8124 } 8125 8126 /* 8127 * Change the offsets to point to the type and data fields within 8128 * the PPP packet, and note that this is PPPoE rather than 8129 * raw PPP. 8130 * 8131 * XXX - this is a bit of a kludge. If we were to split the 8132 * compiler into a parser that parses an expression and 8133 * generates an expression tree, and a code generator that 8134 * takes an expression tree (which could come from our 8135 * parser or from some other parser) and generates BPF code, 8136 * we could perhaps make the offsets parameters of routines 8137 * and, in the handler for an "AND" node, pass to subnodes 8138 * other than the PPPoE node the adjusted offsets. 8139 * 8140 * This would mean that "pppoes" would, instead of changing the 8141 * behavior of *all* tests after it, change only the behavior 8142 * of tests ANDed with it. That would change the documented 8143 * semantics of "pppoes", which might break some expressions. 8144 * However, it would mean that "(pppoes and ip) or ip" would check 8145 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8146 * checking only for VLAN-encapsulated IP, so that could still 8147 * be considered worth doing; it wouldn't break expressions 8148 * that are of the form "pppoes and ..." which I suspect are the 8149 * most common expressions involving "pppoes". "pppoes or ..." 8150 * doesn't necessarily do what the user would really want, now, 8151 * as all the "or ..." tests would be done assuming PPPoE, even 8152 * though the "or" could be viewed as meaning "or, if this isn't 8153 * a PPPoE packet...". 8154 * 8155 * The "network-layer" protocol is PPPoE, which has a 6-byte 8156 * PPPoE header, followed by a PPP packet. 8157 * 8158 * There is no HDLC encapsulation for the PPP packet (it's 8159 * encapsulated in PPPoES instead), so the link-layer type 8160 * starts at the first byte of the PPP packet. For PPPoE, 8161 * that offset is relative to the beginning of the total 8162 * link-layer payload, including any 802.2 LLC header, so 8163 * it's 6 bytes past off_nl. 8164 */ 8165 PUSH_LINKHDR(DLT_PPP, off_linkpl.is_variable, 8166 off_linkpl.constant_part + off_nl + 6, /* 6 bytes past the PPPoE header */ 8167 off_linkpl.reg); 8168 8169 off_linktype = off_linkhdr; 8170 off_linkpl.constant_part = off_linkhdr.constant_part + 2; 8171 8172 off_nl = 0; 8173 off_nl_nosnap = 0; /* no 802.2 LLC */ 8174 8175 return b0; 8176 } 8177 8178 /* Check that this is Geneve and the VNI is correct if 8179 * specified. Parameterized to handle both IPv4 and IPv6. */ 8180 static struct block * 8181 gen_geneve_check(struct block *(*gen_portfn)(int, int, int), 8182 enum e_offrel offrel, int vni) 8183 { 8184 struct block *b0, *b1; 8185 8186 b0 = gen_portfn(GENEVE_PORT, IPPROTO_UDP, Q_DST); 8187 8188 /* Check that we are operating on version 0. Otherwise, we 8189 * can't decode the rest of the fields. The version is 2 bits 8190 * in the first byte of the Geneve header. */ 8191 b1 = gen_mcmp(offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8192 gen_and(b0, b1); 8193 b0 = b1; 8194 8195 if (vni >= 0) { 8196 vni <<= 8; /* VNI is in the upper 3 bytes */ 8197 b1 = gen_mcmp(offrel, 12, BPF_W, (bpf_int32)vni, 8198 0xffffff00); 8199 gen_and(b0, b1); 8200 b0 = b1; 8201 } 8202 8203 return b0; 8204 } 8205 8206 /* The IPv4 and IPv6 Geneve checks need to do two things: 8207 * - Verify that this actually is Geneve with the right VNI. 8208 * - Place the IP header length (plus variable link prefix if 8209 * needed) into register A to be used later to compute 8210 * the inner packet offsets. */ 8211 static struct block * 8212 gen_geneve4(int vni) 8213 { 8214 struct block *b0, *b1; 8215 struct slist *s, *s1; 8216 8217 b0 = gen_geneve_check(gen_port, OR_TRAN_IPV4, vni); 8218 8219 /* Load the IP header length into A. */ 8220 s = gen_loadx_iphdrlen(); 8221 8222 s1 = new_stmt(BPF_MISC|BPF_TXA); 8223 sappend(s, s1); 8224 8225 /* Forcibly append these statements to the true condition 8226 * of the protocol check by creating a new block that is 8227 * always true and ANDing them. */ 8228 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8229 b1->stmts = s; 8230 b1->s.k = 0; 8231 8232 gen_and(b0, b1); 8233 8234 return b1; 8235 } 8236 8237 static struct block * 8238 gen_geneve6(int vni) 8239 { 8240 struct block *b0, *b1; 8241 struct slist *s, *s1; 8242 8243 b0 = gen_geneve_check(gen_port6, OR_TRAN_IPV6, vni); 8244 8245 /* Load the IP header length. We need to account for a 8246 * variable length link prefix if there is one. */ 8247 s = gen_abs_offset_varpart(&off_linkpl); 8248 if (s) { 8249 s1 = new_stmt(BPF_LD|BPF_IMM); 8250 s1->s.k = 40; 8251 sappend(s, s1); 8252 8253 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 8254 s1->s.k = 0; 8255 sappend(s, s1); 8256 } else { 8257 s = new_stmt(BPF_LD|BPF_IMM); 8258 s->s.k = 40;; 8259 } 8260 8261 /* Forcibly append these statements to the true condition 8262 * of the protocol check by creating a new block that is 8263 * always true and ANDing them. */ 8264 s1 = new_stmt(BPF_MISC|BPF_TAX); 8265 sappend(s, s1); 8266 8267 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8268 b1->stmts = s; 8269 b1->s.k = 0; 8270 8271 gen_and(b0, b1); 8272 8273 return b1; 8274 } 8275 8276 /* We need to store three values based on the Geneve header:: 8277 * - The offset of the linktype. 8278 * - The offset of the end of the Geneve header. 8279 * - The offset of the end of the encapsulated MAC header. */ 8280 static struct slist * 8281 gen_geneve_offsets(void) 8282 { 8283 struct slist *s, *s1, *s_proto; 8284 8285 /* First we need to calculate the offset of the Geneve header 8286 * itself. This is composed of the IP header previously calculated 8287 * (include any variable link prefix) and stored in A plus the 8288 * fixed sized headers (fixed link prefix, MAC length, and UDP 8289 * header). */ 8290 s = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8291 s->s.k = off_linkpl.constant_part + off_nl + 8; 8292 8293 /* Stash this in X since we'll need it later. */ 8294 s1 = new_stmt(BPF_MISC|BPF_TAX); 8295 sappend(s, s1); 8296 8297 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8298 * store it. */ 8299 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8300 s1->s.k = 2; 8301 sappend(s, s1); 8302 8303 off_linktype.reg = alloc_reg(); 8304 off_linktype.is_variable = 1; 8305 off_linktype.constant_part = 0; 8306 8307 s1 = new_stmt(BPF_ST); 8308 s1->s.k = off_linktype.reg; 8309 sappend(s, s1); 8310 8311 /* Load the Geneve option length and mask and shift to get the 8312 * number of bytes. It is stored in the first byte of the Geneve 8313 * header. */ 8314 s1 = new_stmt(BPF_LD|BPF_IND|BPF_B); 8315 s1->s.k = 0; 8316 sappend(s, s1); 8317 8318 s1 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 8319 s1->s.k = 0x3f; 8320 sappend(s, s1); 8321 8322 s1 = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 8323 s1->s.k = 4; 8324 sappend(s, s1); 8325 8326 /* Add in the rest of the Geneve base header. */ 8327 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8328 s1->s.k = 8; 8329 sappend(s, s1); 8330 8331 /* Add the Geneve header length to its offset and store. */ 8332 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 8333 s1->s.k = 0; 8334 sappend(s, s1); 8335 8336 /* Set the encapsulated type as Ethernet. Even though we may 8337 * not actually have Ethernet inside there are two reasons this 8338 * is useful: 8339 * - The linktype field is always in EtherType format regardless 8340 * of whether it is in Geneve or an inner Ethernet frame. 8341 * - The only link layer that we have specific support for is 8342 * Ethernet. We will confirm that the packet actually is 8343 * Ethernet at runtime before executing these checks. */ 8344 PUSH_LINKHDR(DLT_EN10MB, 1, 0, alloc_reg()); 8345 8346 s1 = new_stmt(BPF_ST); 8347 s1->s.k = off_linkhdr.reg; 8348 sappend(s, s1); 8349 8350 /* Calculate whether we have an Ethernet header or just raw IP/ 8351 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8352 * and linktype by 14 bytes so that the network header can be found 8353 * seamlessly. Otherwise, keep what we've calculated already. */ 8354 8355 /* We have a bare jmp so we can't use the optimizer. */ 8356 no_optimize = 1; 8357 8358 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8359 s1 = new_stmt(BPF_LD|BPF_IND|BPF_H); 8360 s1->s.k = 2; 8361 sappend(s, s1); 8362 8363 /* Load X with the end of the Geneve header. */ 8364 s1 = new_stmt(BPF_LDX|BPF_MEM); 8365 s1->s.k = off_linkhdr.reg; 8366 sappend(s, s1); 8367 8368 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8369 * end of this check, we should have the total length in X. In 8370 * the non-Ethernet case, it's already there. */ 8371 s_proto = new_stmt(JMP(BPF_JEQ)); 8372 s_proto->s.k = ETHERTYPE_TEB; 8373 sappend(s, s_proto); 8374 8375 s1 = new_stmt(BPF_MISC|BPF_TXA); 8376 sappend(s, s1); 8377 s_proto->s.jt = s1; 8378 8379 /* Since this is Ethernet, use the EtherType of the payload 8380 * directly as the linktype. Overwrite what we already have. */ 8381 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8382 s1->s.k = 12; 8383 sappend(s, s1); 8384 8385 s1 = new_stmt(BPF_ST); 8386 s1->s.k = off_linktype.reg; 8387 sappend(s, s1); 8388 8389 /* Advance two bytes further to get the end of the Ethernet 8390 * header. */ 8391 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8392 s1->s.k = 2; 8393 sappend(s, s1); 8394 8395 /* Move the result to X. */ 8396 s1 = new_stmt(BPF_MISC|BPF_TAX); 8397 sappend(s, s1); 8398 8399 /* Store the final result of our linkpl calculation. */ 8400 off_linkpl.reg = alloc_reg(); 8401 off_linkpl.is_variable = 1; 8402 off_linkpl.constant_part = 0; 8403 8404 s1 = new_stmt(BPF_STX); 8405 s1->s.k = off_linkpl.reg; 8406 sappend(s, s1); 8407 s_proto->s.jf = s1; 8408 8409 off_nl = 0; 8410 8411 return s; 8412 } 8413 8414 /* Check to see if this is a Geneve packet. */ 8415 struct block * 8416 gen_geneve(int vni) 8417 { 8418 struct block *b0, *b1; 8419 struct slist *s; 8420 8421 b0 = gen_geneve4(vni); 8422 b1 = gen_geneve6(vni); 8423 8424 gen_or(b0, b1); 8425 b0 = b1; 8426 8427 /* Later filters should act on the payload of the Geneve frame, 8428 * update all of the header pointers. Attach this code so that 8429 * it gets executed in the event that the Geneve filter matches. */ 8430 s = gen_geneve_offsets(); 8431 8432 b1 = gen_true(); 8433 sappend(s, b1->stmts); 8434 b1->stmts = s; 8435 8436 gen_and(b0, b1); 8437 8438 is_geneve = 1; 8439 8440 return b1; 8441 } 8442 8443 /* Check that the encapsulated frame has a link layer header 8444 * for Ethernet filters. */ 8445 static struct block * 8446 gen_geneve_ll_check() 8447 { 8448 struct block *b0; 8449 struct slist *s, *s1; 8450 8451 /* The easiest way to see if there is a link layer present 8452 * is to check if the link layer header and payload are not 8453 * the same. */ 8454 8455 /* Geneve always generates pure variable offsets so we can 8456 * compare only the registers. */ 8457 s = new_stmt(BPF_LD|BPF_MEM); 8458 s->s.k = off_linkhdr.reg; 8459 8460 s1 = new_stmt(BPF_LDX|BPF_MEM); 8461 s1->s.k = off_linkpl.reg; 8462 sappend(s, s1); 8463 8464 b0 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8465 b0->stmts = s; 8466 b0->s.k = 0; 8467 gen_not(b0); 8468 8469 return b0; 8470 } 8471 8472 struct block * 8473 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8474 int atmfield; 8475 bpf_int32 jvalue; 8476 bpf_u_int32 jtype; 8477 int reverse; 8478 { 8479 struct block *b0; 8480 8481 switch (atmfield) { 8482 8483 case A_VPI: 8484 if (!is_atm) 8485 bpf_error("'vpi' supported only on raw ATM"); 8486 if (off_vpi == (u_int)-1) 8487 abort(); 8488 b0 = gen_ncmp(OR_LINKHDR, off_vpi, BPF_B, 0xffffffff, jtype, 8489 reverse, jvalue); 8490 break; 8491 8492 case A_VCI: 8493 if (!is_atm) 8494 bpf_error("'vci' supported only on raw ATM"); 8495 if (off_vci == (u_int)-1) 8496 abort(); 8497 b0 = gen_ncmp(OR_LINKHDR, off_vci, BPF_H, 0xffffffff, jtype, 8498 reverse, jvalue); 8499 break; 8500 8501 case A_PROTOTYPE: 8502 if (off_proto == (u_int)-1) 8503 abort(); /* XXX - this isn't on FreeBSD */ 8504 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0x0f, jtype, 8505 reverse, jvalue); 8506 break; 8507 8508 case A_MSGTYPE: 8509 if (off_payload == (u_int)-1) 8510 abort(); 8511 b0 = gen_ncmp(OR_LINKHDR, off_payload + MSG_TYPE_POS, BPF_B, 8512 0xffffffff, jtype, reverse, jvalue); 8513 break; 8514 8515 case A_CALLREFTYPE: 8516 if (!is_atm) 8517 bpf_error("'callref' supported only on raw ATM"); 8518 if (off_proto == (u_int)-1) 8519 abort(); 8520 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0xffffffff, 8521 jtype, reverse, jvalue); 8522 break; 8523 8524 default: 8525 abort(); 8526 } 8527 return b0; 8528 } 8529 8530 struct block * 8531 gen_atmtype_abbrev(type) 8532 int type; 8533 { 8534 struct block *b0, *b1; 8535 8536 switch (type) { 8537 8538 case A_METAC: 8539 /* Get all packets in Meta signalling Circuit */ 8540 if (!is_atm) 8541 bpf_error("'metac' supported only on raw ATM"); 8542 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8543 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8544 gen_and(b0, b1); 8545 break; 8546 8547 case A_BCC: 8548 /* Get all packets in Broadcast Circuit*/ 8549 if (!is_atm) 8550 bpf_error("'bcc' supported only on raw ATM"); 8551 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8552 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8553 gen_and(b0, b1); 8554 break; 8555 8556 case A_OAMF4SC: 8557 /* Get all cells in Segment OAM F4 circuit*/ 8558 if (!is_atm) 8559 bpf_error("'oam4sc' supported only on raw ATM"); 8560 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8561 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8562 gen_and(b0, b1); 8563 break; 8564 8565 case A_OAMF4EC: 8566 /* Get all cells in End-to-End OAM F4 Circuit*/ 8567 if (!is_atm) 8568 bpf_error("'oam4ec' supported only on raw ATM"); 8569 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8570 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8571 gen_and(b0, b1); 8572 break; 8573 8574 case A_SC: 8575 /* Get all packets in connection Signalling Circuit */ 8576 if (!is_atm) 8577 bpf_error("'sc' supported only on raw ATM"); 8578 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8579 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8580 gen_and(b0, b1); 8581 break; 8582 8583 case A_ILMIC: 8584 /* Get all packets in ILMI Circuit */ 8585 if (!is_atm) 8586 bpf_error("'ilmic' supported only on raw ATM"); 8587 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8588 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8589 gen_and(b0, b1); 8590 break; 8591 8592 case A_LANE: 8593 /* Get all LANE packets */ 8594 if (!is_atm) 8595 bpf_error("'lane' supported only on raw ATM"); 8596 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8597 8598 /* 8599 * Arrange that all subsequent tests assume LANE 8600 * rather than LLC-encapsulated packets, and set 8601 * the offsets appropriately for LANE-encapsulated 8602 * Ethernet. 8603 * 8604 * We assume LANE means Ethernet, not Token Ring. 8605 */ 8606 PUSH_LINKHDR(DLT_EN10MB, 0, 8607 off_payload + 2, /* Ethernet header */ 8608 -1); 8609 off_linktype.constant_part = off_linkhdr.constant_part + 12; 8610 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* Ethernet */ 8611 off_nl = 0; /* Ethernet II */ 8612 off_nl_nosnap = 3; /* 802.3+802.2 */ 8613 break; 8614 8615 case A_LLC: 8616 /* Get all LLC-encapsulated packets */ 8617 if (!is_atm) 8618 bpf_error("'llc' supported only on raw ATM"); 8619 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8620 linktype = prevlinktype; 8621 break; 8622 8623 default: 8624 abort(); 8625 } 8626 return b1; 8627 } 8628 8629 /* 8630 * Filtering for MTP2 messages based on li value 8631 * FISU, length is null 8632 * LSSU, length is 1 or 2 8633 * MSU, length is 3 or more 8634 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8635 */ 8636 struct block * 8637 gen_mtp2type_abbrev(type) 8638 int type; 8639 { 8640 struct block *b0, *b1; 8641 8642 switch (type) { 8643 8644 case M_FISU: 8645 if ( (linktype != DLT_MTP2) && 8646 (linktype != DLT_ERF) && 8647 (linktype != DLT_MTP2_WITH_PHDR) ) 8648 bpf_error("'fisu' supported only on MTP2"); 8649 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8650 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8651 break; 8652 8653 case M_LSSU: 8654 if ( (linktype != DLT_MTP2) && 8655 (linktype != DLT_ERF) && 8656 (linktype != DLT_MTP2_WITH_PHDR) ) 8657 bpf_error("'lssu' supported only on MTP2"); 8658 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8659 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8660 gen_and(b1, b0); 8661 break; 8662 8663 case M_MSU: 8664 if ( (linktype != DLT_MTP2) && 8665 (linktype != DLT_ERF) && 8666 (linktype != DLT_MTP2_WITH_PHDR) ) 8667 bpf_error("'msu' supported only on MTP2"); 8668 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8669 break; 8670 8671 case MH_FISU: 8672 if ( (linktype != DLT_MTP2) && 8673 (linktype != DLT_ERF) && 8674 (linktype != DLT_MTP2_WITH_PHDR) ) 8675 bpf_error("'hfisu' supported only on MTP2_HSL"); 8676 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8677 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8678 break; 8679 8680 case MH_LSSU: 8681 if ( (linktype != DLT_MTP2) && 8682 (linktype != DLT_ERF) && 8683 (linktype != DLT_MTP2_WITH_PHDR) ) 8684 bpf_error("'hlssu' supported only on MTP2_HSL"); 8685 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8686 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8687 gen_and(b1, b0); 8688 break; 8689 8690 case MH_MSU: 8691 if ( (linktype != DLT_MTP2) && 8692 (linktype != DLT_ERF) && 8693 (linktype != DLT_MTP2_WITH_PHDR) ) 8694 bpf_error("'hmsu' supported only on MTP2_HSL"); 8695 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8696 break; 8697 8698 default: 8699 abort(); 8700 } 8701 return b0; 8702 } 8703 8704 struct block * 8705 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8706 int mtp3field; 8707 bpf_u_int32 jvalue; 8708 bpf_u_int32 jtype; 8709 int reverse; 8710 { 8711 struct block *b0; 8712 bpf_u_int32 val1 , val2 , val3; 8713 u_int newoff_sio=off_sio; 8714 u_int newoff_opc=off_opc; 8715 u_int newoff_dpc=off_dpc; 8716 u_int newoff_sls=off_sls; 8717 8718 switch (mtp3field) { 8719 8720 case MH_SIO: 8721 newoff_sio += 3; /* offset for MTP2_HSL */ 8722 /* FALLTHROUGH */ 8723 8724 case M_SIO: 8725 if (off_sio == (u_int)-1) 8726 bpf_error("'sio' supported only on SS7"); 8727 /* sio coded on 1 byte so max value 255 */ 8728 if(jvalue > 255) 8729 bpf_error("sio value %u too big; max value = 255", 8730 jvalue); 8731 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8732 (u_int)jtype, reverse, (u_int)jvalue); 8733 break; 8734 8735 case MH_OPC: 8736 newoff_opc+=3; 8737 case M_OPC: 8738 if (off_opc == (u_int)-1) 8739 bpf_error("'opc' supported only on SS7"); 8740 /* opc coded on 14 bits so max value 16383 */ 8741 if (jvalue > 16383) 8742 bpf_error("opc value %u too big; max value = 16383", 8743 jvalue); 8744 /* the following instructions are made to convert jvalue 8745 * to the form used to write opc in an ss7 message*/ 8746 val1 = jvalue & 0x00003c00; 8747 val1 = val1 >>10; 8748 val2 = jvalue & 0x000003fc; 8749 val2 = val2 <<6; 8750 val3 = jvalue & 0x00000003; 8751 val3 = val3 <<22; 8752 jvalue = val1 + val2 + val3; 8753 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8754 (u_int)jtype, reverse, (u_int)jvalue); 8755 break; 8756 8757 case MH_DPC: 8758 newoff_dpc += 3; 8759 /* FALLTHROUGH */ 8760 8761 case M_DPC: 8762 if (off_dpc == (u_int)-1) 8763 bpf_error("'dpc' supported only on SS7"); 8764 /* dpc coded on 14 bits so max value 16383 */ 8765 if (jvalue > 16383) 8766 bpf_error("dpc value %u too big; max value = 16383", 8767 jvalue); 8768 /* the following instructions are made to convert jvalue 8769 * to the forme used to write dpc in an ss7 message*/ 8770 val1 = jvalue & 0x000000ff; 8771 val1 = val1 << 24; 8772 val2 = jvalue & 0x00003f00; 8773 val2 = val2 << 8; 8774 jvalue = val1 + val2; 8775 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8776 (u_int)jtype, reverse, (u_int)jvalue); 8777 break; 8778 8779 case MH_SLS: 8780 newoff_sls+=3; 8781 case M_SLS: 8782 if (off_sls == (u_int)-1) 8783 bpf_error("'sls' supported only on SS7"); 8784 /* sls coded on 4 bits so max value 15 */ 8785 if (jvalue > 15) 8786 bpf_error("sls value %u too big; max value = 15", 8787 jvalue); 8788 /* the following instruction is made to convert jvalue 8789 * to the forme used to write sls in an ss7 message*/ 8790 jvalue = jvalue << 4; 8791 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0, 8792 (u_int)jtype,reverse, (u_int)jvalue); 8793 break; 8794 8795 default: 8796 abort(); 8797 } 8798 return b0; 8799 } 8800 8801 static struct block * 8802 gen_msg_abbrev(type) 8803 int type; 8804 { 8805 struct block *b1; 8806 8807 /* 8808 * Q.2931 signalling protocol messages for handling virtual circuits 8809 * establishment and teardown 8810 */ 8811 switch (type) { 8812 8813 case A_SETUP: 8814 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8815 break; 8816 8817 case A_CALLPROCEED: 8818 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8819 break; 8820 8821 case A_CONNECT: 8822 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8823 break; 8824 8825 case A_CONNECTACK: 8826 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8827 break; 8828 8829 case A_RELEASE: 8830 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8831 break; 8832 8833 case A_RELEASE_DONE: 8834 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8835 break; 8836 8837 default: 8838 abort(); 8839 } 8840 return b1; 8841 } 8842 8843 struct block * 8844 gen_atmmulti_abbrev(type) 8845 int type; 8846 { 8847 struct block *b0, *b1; 8848 8849 switch (type) { 8850 8851 case A_OAM: 8852 if (!is_atm) 8853 bpf_error("'oam' supported only on raw ATM"); 8854 b1 = gen_atmmulti_abbrev(A_OAMF4); 8855 break; 8856 8857 case A_OAMF4: 8858 if (!is_atm) 8859 bpf_error("'oamf4' supported only on raw ATM"); 8860 /* OAM F4 type */ 8861 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8862 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8863 gen_or(b0, b1); 8864 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8865 gen_and(b0, b1); 8866 break; 8867 8868 case A_CONNECTMSG: 8869 /* 8870 * Get Q.2931 signalling messages for switched 8871 * virtual connection 8872 */ 8873 if (!is_atm) 8874 bpf_error("'connectmsg' supported only on raw ATM"); 8875 b0 = gen_msg_abbrev(A_SETUP); 8876 b1 = gen_msg_abbrev(A_CALLPROCEED); 8877 gen_or(b0, b1); 8878 b0 = gen_msg_abbrev(A_CONNECT); 8879 gen_or(b0, b1); 8880 b0 = gen_msg_abbrev(A_CONNECTACK); 8881 gen_or(b0, b1); 8882 b0 = gen_msg_abbrev(A_RELEASE); 8883 gen_or(b0, b1); 8884 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8885 gen_or(b0, b1); 8886 b0 = gen_atmtype_abbrev(A_SC); 8887 gen_and(b0, b1); 8888 break; 8889 8890 case A_METACONNECT: 8891 if (!is_atm) 8892 bpf_error("'metaconnect' supported only on raw ATM"); 8893 b0 = gen_msg_abbrev(A_SETUP); 8894 b1 = gen_msg_abbrev(A_CALLPROCEED); 8895 gen_or(b0, b1); 8896 b0 = gen_msg_abbrev(A_CONNECT); 8897 gen_or(b0, b1); 8898 b0 = gen_msg_abbrev(A_RELEASE); 8899 gen_or(b0, b1); 8900 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8901 gen_or(b0, b1); 8902 b0 = gen_atmtype_abbrev(A_METAC); 8903 gen_and(b0, b1); 8904 break; 8905 8906 default: 8907 abort(); 8908 } 8909 return b1; 8910 } 8911