1 /* $NetBSD: gencode.c,v 1.6 2013/12/31 17:08:23 christos Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #include <net/dlt.h> 60 #endif 61 62 #include <netinet/in.h> 63 #include <arpa/inet.h> 64 65 #endif /* WIN32 */ 66 67 #include <stdlib.h> 68 #include <string.h> 69 #include <memory.h> 70 #include <setjmp.h> 71 #include <stdarg.h> 72 73 #ifdef MSDOS 74 #include "pcap-dos.h" 75 #endif 76 77 #include "pcap-int.h" 78 79 #include "ethertype.h" 80 #include "nlpid.h" 81 #include "llc.h" 82 #include "gencode.h" 83 #include "ieee80211.h" 84 #include "atmuni31.h" 85 #include "sunatmpos.h" 86 #include "ppp.h" 87 #include "pcap/sll.h" 88 #include "pcap/ipnet.h" 89 #include "arcnet.h" 90 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 91 #include <linux/types.h> 92 #include <linux/if_packet.h> 93 #include <linux/filter.h> 94 #endif 95 #ifdef HAVE_NET_PFVAR_H 96 #include <sys/socket.h> 97 #include <net/if.h> 98 #include <net/pfvar.h> 99 #include <net/if_pflog.h> 100 #endif 101 #ifndef offsetof 102 #define offsetof(s, e) ((size_t)&((s *)0)->e) 103 #endif 104 #ifdef INET6 105 #ifndef WIN32 106 #include <netdb.h> /* for "struct addrinfo" */ 107 #endif /* WIN32 */ 108 #endif /*INET6*/ 109 #include <pcap/namedb.h> 110 111 #define ETHERMTU 1500 112 113 #ifndef IPPROTO_HOPOPTS 114 #define IPPROTO_HOPOPTS 0 115 #endif 116 #ifndef IPPROTO_ROUTING 117 #define IPPROTO_ROUTING 43 118 #endif 119 #ifndef IPPROTO_FRAGMENT 120 #define IPPROTO_FRAGMENT 44 121 #endif 122 #ifndef IPPROTO_DSTOPTS 123 #define IPPROTO_DSTOPTS 60 124 #endif 125 #ifndef IPPROTO_SCTP 126 #define IPPROTO_SCTP 132 127 #endif 128 129 #ifdef HAVE_OS_PROTO_H 130 #include "os-proto.h" 131 #endif 132 133 #define JMP(c) ((c)|BPF_JMP|BPF_K) 134 135 /* Locals */ 136 static jmp_buf top_ctx; 137 static pcap_t *bpf_pcap; 138 139 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 140 #ifdef WIN32 141 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 142 #else 143 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 144 #endif 145 146 /* XXX */ 147 static int pcap_fddipad; 148 149 /* VARARGS */ 150 void 151 bpf_error(const char *fmt, ...) 152 { 153 va_list ap; 154 155 va_start(ap, fmt); 156 if (bpf_pcap != NULL) 157 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 158 fmt, ap); 159 va_end(ap); 160 longjmp(top_ctx, 1); 161 /* NOTREACHED */ 162 } 163 164 static void init_linktype(pcap_t *); 165 166 static void init_regs(void); 167 static int alloc_reg(void); 168 static void free_reg(int); 169 170 static struct block *root; 171 172 /* 173 * Value passed to gen_load_a() to indicate what the offset argument 174 * is relative to. 175 */ 176 enum e_offrel { 177 OR_PACKET, /* relative to the beginning of the packet */ 178 OR_LINK, /* relative to the beginning of the link-layer header */ 179 OR_MACPL, /* relative to the end of the MAC-layer header */ 180 OR_NET, /* relative to the network-layer header */ 181 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 182 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 183 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 184 }; 185 186 #ifdef INET6 187 /* 188 * As errors are handled by a longjmp, anything allocated must be freed 189 * in the longjmp handler, so it must be reachable from that handler. 190 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 191 * it must be freed with freeaddrinfo(). This variable points to any 192 * addrinfo structure that would need to be freed. 193 */ 194 static struct addrinfo *ai; 195 #endif 196 197 /* 198 * We divy out chunks of memory rather than call malloc each time so 199 * we don't have to worry about leaking memory. It's probably 200 * not a big deal if all this memory was wasted but if this ever 201 * goes into a library that would probably not be a good idea. 202 * 203 * XXX - this *is* in a library.... 204 */ 205 #define NCHUNKS 16 206 #define CHUNK0SIZE 1024 207 struct chunk { 208 u_int n_left; 209 void *m; 210 }; 211 212 static struct chunk chunks[NCHUNKS]; 213 static int cur_chunk; 214 215 static void *newchunk(u_int); 216 static void freechunks(void); 217 static inline struct block *new_block(int); 218 static inline struct slist *new_stmt(int); 219 static struct block *gen_retblk(int); 220 static inline void syntax(void); 221 222 static void backpatch(struct block *, struct block *); 223 static void merge(struct block *, struct block *); 224 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 225 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 226 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 227 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 228 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 229 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 230 bpf_u_int32); 231 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 232 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 233 bpf_u_int32, bpf_u_int32, int, bpf_int32); 234 static struct slist *gen_load_llrel(u_int, u_int); 235 static struct slist *gen_load_macplrel(u_int, u_int); 236 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 237 static struct slist *gen_loadx_iphdrlen(void); 238 static struct block *gen_uncond(int); 239 static inline struct block *gen_true(void); 240 static inline struct block *gen_false(void); 241 static struct block *gen_ether_linktype(int); 242 static struct block *gen_ipnet_linktype(int); 243 static struct block *gen_linux_sll_linktype(int); 244 static struct slist *gen_load_prism_llprefixlen(void); 245 static struct slist *gen_load_avs_llprefixlen(void); 246 static struct slist *gen_load_radiotap_llprefixlen(void); 247 static struct slist *gen_load_ppi_llprefixlen(void); 248 static void insert_compute_vloffsets(struct block *); 249 static struct slist *gen_llprefixlen(void); 250 static struct slist *gen_off_macpl(void); 251 static int ethertype_to_ppptype(int); 252 static struct block *gen_linktype(int); 253 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 254 static struct block *gen_llc_linktype(int); 255 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 256 #ifdef INET6 257 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 258 #endif 259 static struct block *gen_ahostop(const u_char *, int); 260 static struct block *gen_ehostop(const u_char *, int); 261 static struct block *gen_fhostop(const u_char *, int); 262 static struct block *gen_thostop(const u_char *, int); 263 static struct block *gen_wlanhostop(const u_char *, int); 264 static struct block *gen_ipfchostop(const u_char *, int); 265 static struct block *gen_dnhostop(bpf_u_int32, int); 266 static struct block *gen_mpls_linktype(int); 267 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 268 #ifdef INET6 269 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 270 #endif 271 #ifndef INET6 272 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 273 #endif 274 static struct block *gen_ipfrag(void); 275 static struct block *gen_portatom(int, bpf_int32); 276 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 277 static struct block *gen_portatom6(int, bpf_int32); 278 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 279 struct block *gen_portop(int, int, int); 280 static struct block *gen_port(int, int, int); 281 struct block *gen_portrangeop(int, int, int, int); 282 static struct block *gen_portrange(int, int, int, int); 283 struct block *gen_portop6(int, int, int); 284 static struct block *gen_port6(int, int, int); 285 struct block *gen_portrangeop6(int, int, int, int); 286 static struct block *gen_portrange6(int, int, int, int); 287 static int lookup_proto(const char *, int); 288 static struct block *gen_protochain(int, int, int); 289 static struct block *gen_proto(int, int, int); 290 static struct slist *xfer_to_x(struct arth *); 291 static struct slist *xfer_to_a(struct arth *); 292 static struct block *gen_mac_multicast(int); 293 static struct block *gen_len(int, int); 294 static struct block *gen_check_802_11_data_frame(void); 295 296 static struct block *gen_ppi_dlt_check(void); 297 static struct block *gen_msg_abbrev(int type); 298 299 static void * 300 newchunk(n) 301 u_int n; 302 { 303 struct chunk *cp; 304 int k; 305 size_t size; 306 307 #ifndef __NetBSD__ 308 /* XXX Round up to nearest long. */ 309 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 310 #else 311 /* XXX Round up to structure boundary. */ 312 n = ALIGN(n); 313 #endif 314 315 cp = &chunks[cur_chunk]; 316 if (n > cp->n_left) { 317 ++cp, k = ++cur_chunk; 318 if (k >= NCHUNKS) 319 bpf_error("out of memory"); 320 size = CHUNK0SIZE << k; 321 cp->m = (void *)malloc(size); 322 if (cp->m == NULL) 323 bpf_error("out of memory"); 324 memset((char *)cp->m, 0, size); 325 cp->n_left = size; 326 if (n > size) 327 bpf_error("out of memory"); 328 } 329 cp->n_left -= n; 330 return (void *)((char *)cp->m + cp->n_left); 331 } 332 333 static void 334 freechunks() 335 { 336 int i; 337 338 cur_chunk = 0; 339 for (i = 0; i < NCHUNKS; ++i) 340 if (chunks[i].m != NULL) { 341 free(chunks[i].m); 342 chunks[i].m = NULL; 343 } 344 } 345 346 /* 347 * A strdup whose allocations are freed after code generation is over. 348 */ 349 char * 350 sdup(s) 351 register const char *s; 352 { 353 int n = strlen(s) + 1; 354 char *cp = newchunk(n); 355 356 strlcpy(cp, s, n); 357 return (cp); 358 } 359 360 static inline struct block * 361 new_block(code) 362 int code; 363 { 364 struct block *p; 365 366 p = (struct block *)newchunk(sizeof(*p)); 367 p->s.code = code; 368 p->head = p; 369 370 return p; 371 } 372 373 static inline struct slist * 374 new_stmt(code) 375 int code; 376 { 377 struct slist *p; 378 379 p = (struct slist *)newchunk(sizeof(*p)); 380 p->s.code = code; 381 382 return p; 383 } 384 385 static struct block * 386 gen_retblk(v) 387 int v; 388 { 389 struct block *b = new_block(BPF_RET|BPF_K); 390 391 b->s.k = v; 392 return b; 393 } 394 395 __dead static inline void 396 syntax(void) 397 { 398 bpf_error("syntax error in filter expression"); 399 } 400 401 static bpf_u_int32 netmask; 402 static int snaplen; 403 int no_optimize; 404 #ifdef WIN32 405 static int 406 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 407 const char *buf, int optimize, bpf_u_int32 mask); 408 409 int 410 pcap_compile(pcap_t *p, struct bpf_program *program, 411 const char *buf, int optimize, bpf_u_int32 mask) 412 { 413 int result; 414 415 EnterCriticalSection(&g_PcapCompileCriticalSection); 416 417 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 418 419 LeaveCriticalSection(&g_PcapCompileCriticalSection); 420 421 return result; 422 } 423 424 static int 425 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 426 const char *buf, int optimize, bpf_u_int32 mask) 427 #else /* WIN32 */ 428 int 429 pcap_compile(pcap_t *p, struct bpf_program *program, 430 const char *buf, int optimize, bpf_u_int32 mask) 431 #endif /* WIN32 */ 432 { 433 extern int n_errors; 434 const char * volatile xbuf = buf; 435 u_int len; 436 437 /* 438 * If this pcap_t hasn't been activated, it doesn't have a 439 * link-layer type, so we can't use it. 440 */ 441 if (!p->activated) { 442 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 443 "not-yet-activated pcap_t passed to pcap_compile"); 444 return (-1); 445 } 446 no_optimize = 0; 447 n_errors = 0; 448 root = NULL; 449 bpf_pcap = p; 450 init_regs(); 451 if (setjmp(top_ctx)) { 452 #ifdef INET6 453 if (ai != NULL) { 454 freeaddrinfo(ai); 455 ai = NULL; 456 } 457 #endif 458 lex_cleanup(); 459 freechunks(); 460 return (-1); 461 } 462 463 netmask = mask; 464 465 snaplen = pcap_snapshot(p); 466 if (snaplen == 0) { 467 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 468 "snaplen of 0 rejects all packets"); 469 return -1; 470 } 471 472 lex_init(xbuf ? xbuf : ""); 473 init_linktype(p); 474 (void)pcap_parse(); 475 476 if (n_errors) 477 syntax(); 478 479 if (root == NULL) 480 root = gen_retblk(snaplen); 481 482 if (optimize && !no_optimize) { 483 bpf_optimize(&root); 484 if (root == NULL || 485 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 486 bpf_error("expression rejects all packets"); 487 } 488 program->bf_insns = icode_to_fcode(root, &len); 489 program->bf_len = len; 490 491 lex_cleanup(); 492 freechunks(); 493 return (0); 494 } 495 496 /* 497 * entry point for using the compiler with no pcap open 498 * pass in all the stuff that is needed explicitly instead. 499 */ 500 int 501 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 502 struct bpf_program *program, 503 const char *buf, int optimize, bpf_u_int32 mask) 504 { 505 pcap_t *p; 506 int ret; 507 508 p = pcap_open_dead(linktype_arg, snaplen_arg); 509 if (p == NULL) 510 return (-1); 511 ret = pcap_compile(p, program, buf, optimize, mask); 512 pcap_close(p); 513 return (ret); 514 } 515 516 /* 517 * Clean up a "struct bpf_program" by freeing all the memory allocated 518 * in it. 519 */ 520 void 521 pcap_freecode(struct bpf_program *program) 522 { 523 program->bf_len = 0; 524 if (program->bf_insns != NULL) { 525 free((char *)program->bf_insns); 526 program->bf_insns = NULL; 527 } 528 } 529 530 /* 531 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 532 * which of the jt and jf fields has been resolved and which is a pointer 533 * back to another unresolved block (or nil). At least one of the fields 534 * in each block is already resolved. 535 */ 536 static void 537 backpatch(list, target) 538 struct block *list, *target; 539 { 540 struct block *next; 541 542 while (list) { 543 if (!list->sense) { 544 next = JT(list); 545 JT(list) = target; 546 } else { 547 next = JF(list); 548 JF(list) = target; 549 } 550 list = next; 551 } 552 } 553 554 /* 555 * Merge the lists in b0 and b1, using the 'sense' field to indicate 556 * which of jt and jf is the link. 557 */ 558 static void 559 merge(b0, b1) 560 struct block *b0, *b1; 561 { 562 register struct block **p = &b0; 563 564 /* Find end of list. */ 565 while (*p) 566 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 567 568 /* Concatenate the lists. */ 569 *p = b1; 570 } 571 572 void 573 finish_parse(p) 574 struct block *p; 575 { 576 struct block *ppi_dlt_check; 577 578 /* 579 * Insert before the statements of the first (root) block any 580 * statements needed to load the lengths of any variable-length 581 * headers into registers. 582 * 583 * XXX - a fancier strategy would be to insert those before the 584 * statements of all blocks that use those lengths and that 585 * have no predecessors that use them, so that we only compute 586 * the lengths if we need them. There might be even better 587 * approaches than that. 588 * 589 * However, those strategies would be more complicated, and 590 * as we don't generate code to compute a length if the 591 * program has no tests that use the length, and as most 592 * tests will probably use those lengths, we would just 593 * postpone computing the lengths so that it's not done 594 * for tests that fail early, and it's not clear that's 595 * worth the effort. 596 */ 597 insert_compute_vloffsets(p->head); 598 599 /* 600 * For DLT_PPI captures, generate a check of the per-packet 601 * DLT value to make sure it's DLT_IEEE802_11. 602 */ 603 ppi_dlt_check = gen_ppi_dlt_check(); 604 if (ppi_dlt_check != NULL) 605 gen_and(ppi_dlt_check, p); 606 607 backpatch(p, gen_retblk(snaplen)); 608 p->sense = !p->sense; 609 backpatch(p, gen_retblk(0)); 610 root = p->head; 611 } 612 613 void 614 gen_and(b0, b1) 615 struct block *b0, *b1; 616 { 617 backpatch(b0, b1->head); 618 b0->sense = !b0->sense; 619 b1->sense = !b1->sense; 620 merge(b1, b0); 621 b1->sense = !b1->sense; 622 b1->head = b0->head; 623 } 624 625 void 626 gen_or(b0, b1) 627 struct block *b0, *b1; 628 { 629 b0->sense = !b0->sense; 630 backpatch(b0, b1->head); 631 b0->sense = !b0->sense; 632 merge(b1, b0); 633 b1->head = b0->head; 634 } 635 636 void 637 gen_not(b) 638 struct block *b; 639 { 640 b->sense = !b->sense; 641 } 642 643 static struct block * 644 gen_cmp(offrel, offset, size, v) 645 enum e_offrel offrel; 646 u_int offset, size; 647 bpf_int32 v; 648 { 649 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 650 } 651 652 static struct block * 653 gen_cmp_gt(offrel, offset, size, v) 654 enum e_offrel offrel; 655 u_int offset, size; 656 bpf_int32 v; 657 { 658 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 659 } 660 661 static struct block * 662 gen_cmp_ge(offrel, offset, size, v) 663 enum e_offrel offrel; 664 u_int offset, size; 665 bpf_int32 v; 666 { 667 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 668 } 669 670 static struct block * 671 gen_cmp_lt(offrel, offset, size, v) 672 enum e_offrel offrel; 673 u_int offset, size; 674 bpf_int32 v; 675 { 676 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 677 } 678 679 static struct block * 680 gen_cmp_le(offrel, offset, size, v) 681 enum e_offrel offrel; 682 u_int offset, size; 683 bpf_int32 v; 684 { 685 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 686 } 687 688 static struct block * 689 gen_mcmp(offrel, offset, size, v, mask) 690 enum e_offrel offrel; 691 u_int offset, size; 692 bpf_int32 v; 693 bpf_u_int32 mask; 694 { 695 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 696 } 697 698 static struct block * 699 gen_bcmp(offrel, offset, size, v) 700 enum e_offrel offrel; 701 register u_int offset, size; 702 register const u_char *v; 703 { 704 register struct block *b, *tmp; 705 706 b = NULL; 707 while (size >= 4) { 708 register const u_char *p = &v[size - 4]; 709 bpf_int32 w = ((bpf_int32)p[0] << 24) | 710 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 711 712 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 713 if (b != NULL) 714 gen_and(b, tmp); 715 b = tmp; 716 size -= 4; 717 } 718 while (size >= 2) { 719 register const u_char *p = &v[size - 2]; 720 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 721 722 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 723 if (b != NULL) 724 gen_and(b, tmp); 725 b = tmp; 726 size -= 2; 727 } 728 if (size > 0) { 729 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 730 if (b != NULL) 731 gen_and(b, tmp); 732 b = tmp; 733 } 734 return b; 735 } 736 737 /* 738 * AND the field of size "size" at offset "offset" relative to the header 739 * specified by "offrel" with "mask", and compare it with the value "v" 740 * with the test specified by "jtype"; if "reverse" is true, the test 741 * should test the opposite of "jtype". 742 */ 743 static struct block * 744 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 745 enum e_offrel offrel; 746 bpf_int32 v; 747 bpf_u_int32 offset, size, mask, jtype; 748 int reverse; 749 { 750 struct slist *s, *s2; 751 struct block *b; 752 753 s = gen_load_a(offrel, offset, size); 754 755 if (mask != 0xffffffff) { 756 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 757 s2->s.k = mask; 758 sappend(s, s2); 759 } 760 761 b = new_block(JMP(jtype)); 762 b->stmts = s; 763 b->s.k = v; 764 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 765 gen_not(b); 766 return b; 767 } 768 769 /* 770 * Various code constructs need to know the layout of the data link 771 * layer. These variables give the necessary offsets from the beginning 772 * of the packet data. 773 */ 774 775 /* 776 * This is the offset of the beginning of the link-layer header from 777 * the beginning of the raw packet data. 778 * 779 * It's usually 0, except for 802.11 with a fixed-length radio header. 780 * (For 802.11 with a variable-length radio header, we have to generate 781 * code to compute that offset; off_ll is 0 in that case.) 782 */ 783 static u_int off_ll; 784 785 /* 786 * If there's a variable-length header preceding the link-layer header, 787 * "reg_off_ll" is the register number for a register containing the 788 * length of that header, and therefore the offset of the link-layer 789 * header from the beginning of the raw packet data. Otherwise, 790 * "reg_off_ll" is -1. 791 */ 792 static int reg_off_ll; 793 794 /* 795 * This is the offset of the beginning of the MAC-layer header from 796 * the beginning of the link-layer header. 797 * It's usually 0, except for ATM LANE, where it's the offset, relative 798 * to the beginning of the raw packet data, of the Ethernet header, and 799 * for Ethernet with various additional information. 800 */ 801 static u_int off_mac; 802 803 /* 804 * This is the offset of the beginning of the MAC-layer payload, 805 * from the beginning of the raw packet data. 806 * 807 * I.e., it's the sum of the length of the link-layer header (without, 808 * for example, any 802.2 LLC header, so it's the MAC-layer 809 * portion of that header), plus any prefix preceding the 810 * link-layer header. 811 */ 812 static u_int off_macpl; 813 814 /* 815 * This is 1 if the offset of the beginning of the MAC-layer payload 816 * from the beginning of the link-layer header is variable-length. 817 */ 818 static int off_macpl_is_variable; 819 820 /* 821 * If the link layer has variable_length headers, "reg_off_macpl" 822 * is the register number for a register containing the length of the 823 * link-layer header plus the length of any variable-length header 824 * preceding the link-layer header. Otherwise, "reg_off_macpl" 825 * is -1. 826 */ 827 static int reg_off_macpl; 828 829 /* 830 * "off_linktype" is the offset to information in the link-layer header 831 * giving the packet type. This offset is relative to the beginning 832 * of the link-layer header (i.e., it doesn't include off_ll). 833 * 834 * For Ethernet, it's the offset of the Ethernet type field. 835 * 836 * For link-layer types that always use 802.2 headers, it's the 837 * offset of the LLC header. 838 * 839 * For PPP, it's the offset of the PPP type field. 840 * 841 * For Cisco HDLC, it's the offset of the CHDLC type field. 842 * 843 * For BSD loopback, it's the offset of the AF_ value. 844 * 845 * For Linux cooked sockets, it's the offset of the type field. 846 * 847 * It's set to -1 for no encapsulation, in which case, IP is assumed. 848 */ 849 static u_int off_linktype; 850 851 /* 852 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 853 * checks to check the PPP header, assumed to follow a LAN-style link- 854 * layer header and a PPPoE session header. 855 */ 856 static int is_pppoes = 0; 857 858 /* 859 * TRUE if the link layer includes an ATM pseudo-header. 860 */ 861 static int is_atm = 0; 862 863 /* 864 * TRUE if "lane" appeared in the filter; it causes us to generate 865 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 866 */ 867 static int is_lane = 0; 868 869 /* 870 * These are offsets for the ATM pseudo-header. 871 */ 872 static u_int off_vpi; 873 static u_int off_vci; 874 static u_int off_proto; 875 876 /* 877 * These are offsets for the MTP2 fields. 878 */ 879 static u_int off_li; 880 static u_int off_li_hsl; 881 882 /* 883 * These are offsets for the MTP3 fields. 884 */ 885 static u_int off_sio; 886 static u_int off_opc; 887 static u_int off_dpc; 888 static u_int off_sls; 889 890 /* 891 * This is the offset of the first byte after the ATM pseudo_header, 892 * or -1 if there is no ATM pseudo-header. 893 */ 894 static u_int off_payload; 895 896 /* 897 * These are offsets to the beginning of the network-layer header. 898 * They are relative to the beginning of the MAC-layer payload (i.e., 899 * they don't include off_ll or off_macpl). 900 * 901 * If the link layer never uses 802.2 LLC: 902 * 903 * "off_nl" and "off_nl_nosnap" are the same. 904 * 905 * If the link layer always uses 802.2 LLC: 906 * 907 * "off_nl" is the offset if there's a SNAP header following 908 * the 802.2 header; 909 * 910 * "off_nl_nosnap" is the offset if there's no SNAP header. 911 * 912 * If the link layer is Ethernet: 913 * 914 * "off_nl" is the offset if the packet is an Ethernet II packet 915 * (we assume no 802.3+802.2+SNAP); 916 * 917 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 918 * with an 802.2 header following it. 919 */ 920 static u_int off_nl; 921 static u_int off_nl_nosnap; 922 923 static int linktype; 924 925 static void 926 init_linktype(p) 927 pcap_t *p; 928 { 929 linktype = pcap_datalink(p); 930 pcap_fddipad = p->fddipad; 931 932 /* 933 * Assume it's not raw ATM with a pseudo-header, for now. 934 */ 935 off_mac = 0; 936 is_atm = 0; 937 is_lane = 0; 938 off_vpi = -1; 939 off_vci = -1; 940 off_proto = -1; 941 off_payload = -1; 942 943 /* 944 * And that we're not doing PPPoE. 945 */ 946 is_pppoes = 0; 947 948 /* 949 * And assume we're not doing SS7. 950 */ 951 off_li = -1; 952 off_li_hsl = -1; 953 off_sio = -1; 954 off_opc = -1; 955 off_dpc = -1; 956 off_sls = -1; 957 958 /* 959 * Also assume it's not 802.11. 960 */ 961 off_ll = 0; 962 off_macpl = 0; 963 off_macpl_is_variable = 0; 964 965 orig_linktype = -1; 966 orig_nl = -1; 967 label_stack_depth = 0; 968 969 reg_off_ll = -1; 970 reg_off_macpl = -1; 971 972 switch (linktype) { 973 974 case DLT_ARCNET: 975 off_linktype = 2; 976 off_macpl = 6; 977 off_nl = 0; /* XXX in reality, variable! */ 978 off_nl_nosnap = 0; /* no 802.2 LLC */ 979 return; 980 981 case DLT_ARCNET_LINUX: 982 off_linktype = 4; 983 off_macpl = 8; 984 off_nl = 0; /* XXX in reality, variable! */ 985 off_nl_nosnap = 0; /* no 802.2 LLC */ 986 return; 987 988 case DLT_EN10MB: 989 off_linktype = 12; 990 off_macpl = 14; /* Ethernet header length */ 991 off_nl = 0; /* Ethernet II */ 992 off_nl_nosnap = 3; /* 802.3+802.2 */ 993 return; 994 995 case DLT_SLIP: 996 /* 997 * SLIP doesn't have a link level type. The 16 byte 998 * header is hacked into our SLIP driver. 999 */ 1000 off_linktype = -1; 1001 off_macpl = 16; 1002 off_nl = 0; 1003 off_nl_nosnap = 0; /* no 802.2 LLC */ 1004 return; 1005 1006 case DLT_SLIP_BSDOS: 1007 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1008 off_linktype = -1; 1009 /* XXX end */ 1010 off_macpl = 24; 1011 off_nl = 0; 1012 off_nl_nosnap = 0; /* no 802.2 LLC */ 1013 return; 1014 1015 case DLT_NULL: 1016 case DLT_LOOP: 1017 off_linktype = 0; 1018 off_macpl = 4; 1019 off_nl = 0; 1020 off_nl_nosnap = 0; /* no 802.2 LLC */ 1021 return; 1022 1023 case DLT_ENC: 1024 off_linktype = 0; 1025 off_macpl = 12; 1026 off_nl = 0; 1027 off_nl_nosnap = 0; /* no 802.2 LLC */ 1028 return; 1029 1030 case DLT_PPP: 1031 case DLT_PPP_PPPD: 1032 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1033 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1034 off_linktype = 2; 1035 off_macpl = 4; 1036 off_nl = 0; 1037 off_nl_nosnap = 0; /* no 802.2 LLC */ 1038 return; 1039 1040 case DLT_PPP_ETHER: 1041 /* 1042 * This does no include the Ethernet header, and 1043 * only covers session state. 1044 */ 1045 off_linktype = 6; 1046 off_macpl = 8; 1047 off_nl = 0; 1048 off_nl_nosnap = 0; /* no 802.2 LLC */ 1049 return; 1050 1051 case DLT_PPP_BSDOS: 1052 off_linktype = 5; 1053 off_macpl = 24; 1054 off_nl = 0; 1055 off_nl_nosnap = 0; /* no 802.2 LLC */ 1056 return; 1057 1058 case DLT_FDDI: 1059 /* 1060 * FDDI doesn't really have a link-level type field. 1061 * We set "off_linktype" to the offset of the LLC header. 1062 * 1063 * To check for Ethernet types, we assume that SSAP = SNAP 1064 * is being used and pick out the encapsulated Ethernet type. 1065 * XXX - should we generate code to check for SNAP? 1066 */ 1067 off_linktype = 13; 1068 off_linktype += pcap_fddipad; 1069 off_macpl = 13; /* FDDI MAC header length */ 1070 off_macpl += pcap_fddipad; 1071 off_nl = 8; /* 802.2+SNAP */ 1072 off_nl_nosnap = 3; /* 802.2 */ 1073 return; 1074 1075 case DLT_IEEE802: 1076 /* 1077 * Token Ring doesn't really have a link-level type field. 1078 * We set "off_linktype" to the offset of the LLC header. 1079 * 1080 * To check for Ethernet types, we assume that SSAP = SNAP 1081 * is being used and pick out the encapsulated Ethernet type. 1082 * XXX - should we generate code to check for SNAP? 1083 * 1084 * XXX - the header is actually variable-length. 1085 * Some various Linux patched versions gave 38 1086 * as "off_linktype" and 40 as "off_nl"; however, 1087 * if a token ring packet has *no* routing 1088 * information, i.e. is not source-routed, the correct 1089 * values are 20 and 22, as they are in the vanilla code. 1090 * 1091 * A packet is source-routed iff the uppermost bit 1092 * of the first byte of the source address, at an 1093 * offset of 8, has the uppermost bit set. If the 1094 * packet is source-routed, the total number of bytes 1095 * of routing information is 2 plus bits 0x1F00 of 1096 * the 16-bit value at an offset of 14 (shifted right 1097 * 8 - figure out which byte that is). 1098 */ 1099 off_linktype = 14; 1100 off_macpl = 14; /* Token Ring MAC header length */ 1101 off_nl = 8; /* 802.2+SNAP */ 1102 off_nl_nosnap = 3; /* 802.2 */ 1103 return; 1104 1105 case DLT_IEEE802_11: 1106 case DLT_PRISM_HEADER: 1107 case DLT_IEEE802_11_RADIO_AVS: 1108 case DLT_IEEE802_11_RADIO: 1109 /* 1110 * 802.11 doesn't really have a link-level type field. 1111 * We set "off_linktype" to the offset of the LLC header. 1112 * 1113 * To check for Ethernet types, we assume that SSAP = SNAP 1114 * is being used and pick out the encapsulated Ethernet type. 1115 * XXX - should we generate code to check for SNAP? 1116 * 1117 * We also handle variable-length radio headers here. 1118 * The Prism header is in theory variable-length, but in 1119 * practice it's always 144 bytes long. However, some 1120 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1121 * sometimes or always supply an AVS header, so we 1122 * have to check whether the radio header is a Prism 1123 * header or an AVS header, so, in practice, it's 1124 * variable-length. 1125 */ 1126 off_linktype = 24; 1127 off_macpl = 0; /* link-layer header is variable-length */ 1128 off_macpl_is_variable = 1; 1129 off_nl = 8; /* 802.2+SNAP */ 1130 off_nl_nosnap = 3; /* 802.2 */ 1131 return; 1132 1133 case DLT_PPI: 1134 /* 1135 * At the moment we treat PPI the same way that we treat 1136 * normal Radiotap encoded packets. The difference is in 1137 * the function that generates the code at the beginning 1138 * to compute the header length. Since this code generator 1139 * of PPI supports bare 802.11 encapsulation only (i.e. 1140 * the encapsulated DLT should be DLT_IEEE802_11) we 1141 * generate code to check for this too. 1142 */ 1143 off_linktype = 24; 1144 off_macpl = 0; /* link-layer header is variable-length */ 1145 off_macpl_is_variable = 1; 1146 off_nl = 8; /* 802.2+SNAP */ 1147 off_nl_nosnap = 3; /* 802.2 */ 1148 return; 1149 1150 case DLT_ATM_RFC1483: 1151 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1152 /* 1153 * assume routed, non-ISO PDUs 1154 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1155 * 1156 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1157 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1158 * latter would presumably be treated the way PPPoE 1159 * should be, so you can do "pppoe and udp port 2049" 1160 * or "pppoa and tcp port 80" and have it check for 1161 * PPPo{A,E} and a PPP protocol of IP and.... 1162 */ 1163 off_linktype = 0; 1164 off_macpl = 0; /* packet begins with LLC header */ 1165 off_nl = 8; /* 802.2+SNAP */ 1166 off_nl_nosnap = 3; /* 802.2 */ 1167 return; 1168 1169 case DLT_SUNATM: 1170 /* 1171 * Full Frontal ATM; you get AALn PDUs with an ATM 1172 * pseudo-header. 1173 */ 1174 is_atm = 1; 1175 off_vpi = SUNATM_VPI_POS; 1176 off_vci = SUNATM_VCI_POS; 1177 off_proto = PROTO_POS; 1178 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1179 off_payload = SUNATM_PKT_BEGIN_POS; 1180 off_linktype = off_payload; 1181 off_macpl = off_payload; /* if LLC-encapsulated */ 1182 off_nl = 8; /* 802.2+SNAP */ 1183 off_nl_nosnap = 3; /* 802.2 */ 1184 return; 1185 1186 case DLT_RAW: 1187 case DLT_IPV4: 1188 case DLT_IPV6: 1189 off_linktype = -1; 1190 off_macpl = 0; 1191 off_nl = 0; 1192 off_nl_nosnap = 0; /* no 802.2 LLC */ 1193 return; 1194 1195 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1196 off_linktype = 14; 1197 off_macpl = 16; 1198 off_nl = 0; 1199 off_nl_nosnap = 0; /* no 802.2 LLC */ 1200 return; 1201 1202 case DLT_LTALK: 1203 /* 1204 * LocalTalk does have a 1-byte type field in the LLAP header, 1205 * but really it just indicates whether there is a "short" or 1206 * "long" DDP packet following. 1207 */ 1208 off_linktype = -1; 1209 off_macpl = 0; 1210 off_nl = 0; 1211 off_nl_nosnap = 0; /* no 802.2 LLC */ 1212 return; 1213 1214 case DLT_IP_OVER_FC: 1215 /* 1216 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1217 * link-level type field. We set "off_linktype" to the 1218 * offset of the LLC header. 1219 * 1220 * To check for Ethernet types, we assume that SSAP = SNAP 1221 * is being used and pick out the encapsulated Ethernet type. 1222 * XXX - should we generate code to check for SNAP? RFC 1223 * 2625 says SNAP should be used. 1224 */ 1225 off_linktype = 16; 1226 off_macpl = 16; 1227 off_nl = 8; /* 802.2+SNAP */ 1228 off_nl_nosnap = 3; /* 802.2 */ 1229 return; 1230 1231 case DLT_FRELAY: 1232 /* 1233 * XXX - we should set this to handle SNAP-encapsulated 1234 * frames (NLPID of 0x80). 1235 */ 1236 off_linktype = -1; 1237 off_macpl = 0; 1238 off_nl = 0; 1239 off_nl_nosnap = 0; /* no 802.2 LLC */ 1240 return; 1241 1242 /* 1243 * the only BPF-interesting FRF.16 frames are non-control frames; 1244 * Frame Relay has a variable length link-layer 1245 * so lets start with offset 4 for now and increments later on (FIXME); 1246 */ 1247 case DLT_MFR: 1248 off_linktype = -1; 1249 off_macpl = 0; 1250 off_nl = 4; 1251 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1252 return; 1253 1254 case DLT_APPLE_IP_OVER_IEEE1394: 1255 off_linktype = 16; 1256 off_macpl = 18; 1257 off_nl = 0; 1258 off_nl_nosnap = 0; /* no 802.2 LLC */ 1259 return; 1260 1261 case DLT_SYMANTEC_FIREWALL: 1262 off_linktype = 6; 1263 off_macpl = 44; 1264 off_nl = 0; /* Ethernet II */ 1265 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1266 return; 1267 1268 #ifdef HAVE_NET_PFVAR_H 1269 case DLT_PFLOG: 1270 off_linktype = 0; 1271 off_macpl = PFLOG_HDRLEN; 1272 off_nl = 0; 1273 off_nl_nosnap = 0; /* no 802.2 LLC */ 1274 return; 1275 #endif 1276 1277 case DLT_JUNIPER_MFR: 1278 case DLT_JUNIPER_MLFR: 1279 case DLT_JUNIPER_MLPPP: 1280 case DLT_JUNIPER_PPP: 1281 case DLT_JUNIPER_CHDLC: 1282 case DLT_JUNIPER_FRELAY: 1283 off_linktype = 4; 1284 off_macpl = 4; 1285 off_nl = 0; 1286 off_nl_nosnap = -1; /* no 802.2 LLC */ 1287 return; 1288 1289 case DLT_JUNIPER_ATM1: 1290 off_linktype = 4; /* in reality variable between 4-8 */ 1291 off_macpl = 4; /* in reality variable between 4-8 */ 1292 off_nl = 0; 1293 off_nl_nosnap = 10; 1294 return; 1295 1296 case DLT_JUNIPER_ATM2: 1297 off_linktype = 8; /* in reality variable between 8-12 */ 1298 off_macpl = 8; /* in reality variable between 8-12 */ 1299 off_nl = 0; 1300 off_nl_nosnap = 10; 1301 return; 1302 1303 /* frames captured on a Juniper PPPoE service PIC 1304 * contain raw ethernet frames */ 1305 case DLT_JUNIPER_PPPOE: 1306 case DLT_JUNIPER_ETHER: 1307 off_macpl = 14; 1308 off_linktype = 16; 1309 off_nl = 18; /* Ethernet II */ 1310 off_nl_nosnap = 21; /* 802.3+802.2 */ 1311 return; 1312 1313 case DLT_JUNIPER_PPPOE_ATM: 1314 off_linktype = 4; 1315 off_macpl = 6; 1316 off_nl = 0; 1317 off_nl_nosnap = -1; /* no 802.2 LLC */ 1318 return; 1319 1320 case DLT_JUNIPER_GGSN: 1321 off_linktype = 6; 1322 off_macpl = 12; 1323 off_nl = 0; 1324 off_nl_nosnap = -1; /* no 802.2 LLC */ 1325 return; 1326 1327 case DLT_JUNIPER_ES: 1328 off_linktype = 6; 1329 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1330 off_nl = -1; /* not really a network layer but raw IP addresses */ 1331 off_nl_nosnap = -1; /* no 802.2 LLC */ 1332 return; 1333 1334 case DLT_JUNIPER_MONITOR: 1335 off_linktype = 12; 1336 off_macpl = 12; 1337 off_nl = 0; /* raw IP/IP6 header */ 1338 off_nl_nosnap = -1; /* no 802.2 LLC */ 1339 return; 1340 1341 case DLT_BACNET_MS_TP: 1342 off_linktype = -1; 1343 off_macpl = -1; 1344 off_nl = -1; 1345 off_nl_nosnap = -1; 1346 return; 1347 1348 case DLT_JUNIPER_SERVICES: 1349 off_linktype = 12; 1350 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1351 off_nl = -1; /* L3 proto location dep. on cookie type */ 1352 off_nl_nosnap = -1; /* no 802.2 LLC */ 1353 return; 1354 1355 case DLT_JUNIPER_VP: 1356 off_linktype = 18; 1357 off_macpl = -1; 1358 off_nl = -1; 1359 off_nl_nosnap = -1; 1360 return; 1361 1362 case DLT_JUNIPER_ST: 1363 off_linktype = 18; 1364 off_macpl = -1; 1365 off_nl = -1; 1366 off_nl_nosnap = -1; 1367 return; 1368 1369 case DLT_JUNIPER_ISM: 1370 off_linktype = 8; 1371 off_macpl = -1; 1372 off_nl = -1; 1373 off_nl_nosnap = -1; 1374 return; 1375 1376 case DLT_JUNIPER_VS: 1377 case DLT_JUNIPER_SRX_E2E: 1378 case DLT_JUNIPER_FIBRECHANNEL: 1379 case DLT_JUNIPER_ATM_CEMIC: 1380 off_linktype = 8; 1381 off_macpl = -1; 1382 off_nl = -1; 1383 off_nl_nosnap = -1; 1384 return; 1385 1386 case DLT_MTP2: 1387 off_li = 2; 1388 off_li_hsl = 4; 1389 off_sio = 3; 1390 off_opc = 4; 1391 off_dpc = 4; 1392 off_sls = 7; 1393 off_linktype = -1; 1394 off_macpl = -1; 1395 off_nl = -1; 1396 off_nl_nosnap = -1; 1397 return; 1398 1399 case DLT_MTP2_WITH_PHDR: 1400 off_li = 6; 1401 off_li_hsl = 8; 1402 off_sio = 7; 1403 off_opc = 8; 1404 off_dpc = 8; 1405 off_sls = 11; 1406 off_linktype = -1; 1407 off_macpl = -1; 1408 off_nl = -1; 1409 off_nl_nosnap = -1; 1410 return; 1411 1412 case DLT_ERF: 1413 off_li = 22; 1414 off_li_hsl = 24; 1415 off_sio = 23; 1416 off_opc = 24; 1417 off_dpc = 24; 1418 off_sls = 27; 1419 off_linktype = -1; 1420 off_macpl = -1; 1421 off_nl = -1; 1422 off_nl_nosnap = -1; 1423 return; 1424 1425 case DLT_PFSYNC: 1426 off_linktype = -1; 1427 off_macpl = 4; 1428 off_nl = 0; 1429 off_nl_nosnap = 0; 1430 return; 1431 1432 case DLT_AX25_KISS: 1433 /* 1434 * Currently, only raw "link[N:M]" filtering is supported. 1435 */ 1436 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1437 off_macpl = -1; 1438 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1439 off_nl_nosnap = -1; /* no 802.2 LLC */ 1440 off_mac = 1; /* step over the kiss length byte */ 1441 return; 1442 1443 case DLT_IPNET: 1444 off_linktype = 1; 1445 off_macpl = 24; /* ipnet header length */ 1446 off_nl = 0; 1447 off_nl_nosnap = -1; 1448 return; 1449 1450 case DLT_NETANALYZER: 1451 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1452 off_linktype = 16; /* includes 4-byte pseudo-header */ 1453 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1454 off_nl = 0; /* Ethernet II */ 1455 off_nl_nosnap = 3; /* 802.3+802.2 */ 1456 return; 1457 1458 case DLT_NETANALYZER_TRANSPARENT: 1459 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1460 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1461 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1462 off_nl = 0; /* Ethernet II */ 1463 off_nl_nosnap = 3; /* 802.3+802.2 */ 1464 return; 1465 1466 default: 1467 /* 1468 * For values in the range in which we've assigned new 1469 * DLT_ values, only raw "link[N:M]" filtering is supported. 1470 */ 1471 if (linktype >= DLT_MATCHING_MIN && 1472 linktype <= DLT_MATCHING_MAX) { 1473 off_linktype = -1; 1474 off_macpl = -1; 1475 off_nl = -1; 1476 off_nl_nosnap = -1; 1477 return; 1478 } 1479 1480 } 1481 bpf_error("unknown data link type %d", linktype); 1482 /* NOTREACHED */ 1483 } 1484 1485 /* 1486 * Load a value relative to the beginning of the link-layer header. 1487 * The link-layer header doesn't necessarily begin at the beginning 1488 * of the packet data; there might be a variable-length prefix containing 1489 * radio information. 1490 */ 1491 static struct slist * 1492 gen_load_llrel(offset, size) 1493 u_int offset, size; 1494 { 1495 struct slist *s, *s2; 1496 1497 s = gen_llprefixlen(); 1498 1499 /* 1500 * If "s" is non-null, it has code to arrange that the X register 1501 * contains the length of the prefix preceding the link-layer 1502 * header. 1503 * 1504 * Otherwise, the length of the prefix preceding the link-layer 1505 * header is "off_ll". 1506 */ 1507 if (s != NULL) { 1508 /* 1509 * There's a variable-length prefix preceding the 1510 * link-layer header. "s" points to a list of statements 1511 * that put the length of that prefix into the X register. 1512 * do an indirect load, to use the X register as an offset. 1513 */ 1514 s2 = new_stmt(BPF_LD|BPF_IND|size); 1515 s2->s.k = offset; 1516 sappend(s, s2); 1517 } else { 1518 /* 1519 * There is no variable-length header preceding the 1520 * link-layer header; add in off_ll, which, if there's 1521 * a fixed-length header preceding the link-layer header, 1522 * is the length of that header. 1523 */ 1524 s = new_stmt(BPF_LD|BPF_ABS|size); 1525 s->s.k = offset + off_ll; 1526 } 1527 return s; 1528 } 1529 1530 /* 1531 * Load a value relative to the beginning of the MAC-layer payload. 1532 */ 1533 static struct slist * 1534 gen_load_macplrel(offset, size) 1535 u_int offset, size; 1536 { 1537 struct slist *s, *s2; 1538 1539 s = gen_off_macpl(); 1540 1541 /* 1542 * If s is non-null, the offset of the MAC-layer payload is 1543 * variable, and s points to a list of instructions that 1544 * arrange that the X register contains that offset. 1545 * 1546 * Otherwise, the offset of the MAC-layer payload is constant, 1547 * and is in off_macpl. 1548 */ 1549 if (s != NULL) { 1550 /* 1551 * The offset of the MAC-layer payload is in the X 1552 * register. Do an indirect load, to use the X register 1553 * as an offset. 1554 */ 1555 s2 = new_stmt(BPF_LD|BPF_IND|size); 1556 s2->s.k = offset; 1557 sappend(s, s2); 1558 } else { 1559 /* 1560 * The offset of the MAC-layer payload is constant, 1561 * and is in off_macpl; load the value at that offset 1562 * plus the specified offset. 1563 */ 1564 s = new_stmt(BPF_LD|BPF_ABS|size); 1565 s->s.k = off_macpl + offset; 1566 } 1567 return s; 1568 } 1569 1570 /* 1571 * Load a value relative to the beginning of the specified header. 1572 */ 1573 static struct slist * 1574 gen_load_a(offrel, offset, size) 1575 enum e_offrel offrel; 1576 u_int offset, size; 1577 { 1578 struct slist *s, *s2; 1579 1580 switch (offrel) { 1581 1582 case OR_PACKET: 1583 s = new_stmt(BPF_LD|BPF_ABS|size); 1584 s->s.k = offset; 1585 break; 1586 1587 case OR_LINK: 1588 s = gen_load_llrel(offset, size); 1589 break; 1590 1591 case OR_MACPL: 1592 s = gen_load_macplrel(offset, size); 1593 break; 1594 1595 case OR_NET: 1596 s = gen_load_macplrel(off_nl + offset, size); 1597 break; 1598 1599 case OR_NET_NOSNAP: 1600 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1601 break; 1602 1603 case OR_TRAN_IPV4: 1604 /* 1605 * Load the X register with the length of the IPv4 header 1606 * (plus the offset of the link-layer header, if it's 1607 * preceded by a variable-length header such as a radio 1608 * header), in bytes. 1609 */ 1610 s = gen_loadx_iphdrlen(); 1611 1612 /* 1613 * Load the item at {offset of the MAC-layer payload} + 1614 * {offset, relative to the start of the MAC-layer 1615 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1616 * {specified offset}. 1617 * 1618 * (If the offset of the MAC-layer payload is variable, 1619 * it's included in the value in the X register, and 1620 * off_macpl is 0.) 1621 */ 1622 s2 = new_stmt(BPF_LD|BPF_IND|size); 1623 s2->s.k = off_macpl + off_nl + offset; 1624 sappend(s, s2); 1625 break; 1626 1627 case OR_TRAN_IPV6: 1628 s = gen_load_macplrel(off_nl + 40 + offset, size); 1629 break; 1630 1631 default: 1632 abort(); 1633 return NULL; 1634 } 1635 return s; 1636 } 1637 1638 /* 1639 * Generate code to load into the X register the sum of the length of 1640 * the IPv4 header and any variable-length header preceding the link-layer 1641 * header. 1642 */ 1643 static struct slist * 1644 gen_loadx_iphdrlen() 1645 { 1646 struct slist *s, *s2; 1647 1648 s = gen_off_macpl(); 1649 if (s != NULL) { 1650 /* 1651 * There's a variable-length prefix preceding the 1652 * link-layer header, or the link-layer header is itself 1653 * variable-length. "s" points to a list of statements 1654 * that put the offset of the MAC-layer payload into 1655 * the X register. 1656 * 1657 * The 4*([k]&0xf) addressing mode can't be used, as we 1658 * don't have a constant offset, so we have to load the 1659 * value in question into the A register and add to it 1660 * the value from the X register. 1661 */ 1662 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1663 s2->s.k = off_nl; 1664 sappend(s, s2); 1665 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1666 s2->s.k = 0xf; 1667 sappend(s, s2); 1668 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1669 s2->s.k = 2; 1670 sappend(s, s2); 1671 1672 /* 1673 * The A register now contains the length of the 1674 * IP header. We need to add to it the offset of 1675 * the MAC-layer payload, which is still in the X 1676 * register, and move the result into the X register. 1677 */ 1678 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1679 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1680 } else { 1681 /* 1682 * There is no variable-length header preceding the 1683 * link-layer header, and the link-layer header is 1684 * fixed-length; load the length of the IPv4 header, 1685 * which is at an offset of off_nl from the beginning 1686 * of the MAC-layer payload, and thus at an offset 1687 * of off_mac_pl + off_nl from the beginning of the 1688 * raw packet data. 1689 */ 1690 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1691 s->s.k = off_macpl + off_nl; 1692 } 1693 return s; 1694 } 1695 1696 static struct block * 1697 gen_uncond(rsense) 1698 int rsense; 1699 { 1700 struct block *b; 1701 struct slist *s; 1702 1703 s = new_stmt(BPF_LD|BPF_IMM); 1704 s->s.k = !rsense; 1705 b = new_block(JMP(BPF_JEQ)); 1706 b->stmts = s; 1707 1708 return b; 1709 } 1710 1711 static inline struct block * 1712 gen_true() 1713 { 1714 return gen_uncond(1); 1715 } 1716 1717 static inline struct block * 1718 gen_false() 1719 { 1720 return gen_uncond(0); 1721 } 1722 1723 /* 1724 * Byte-swap a 32-bit number. 1725 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1726 * big-endian platforms.) 1727 */ 1728 #define SWAPLONG(y) \ 1729 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1730 1731 /* 1732 * Generate code to match a particular packet type. 1733 * 1734 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1735 * value, if <= ETHERMTU. We use that to determine whether to 1736 * match the type/length field or to check the type/length field for 1737 * a value <= ETHERMTU to see whether it's a type field and then do 1738 * the appropriate test. 1739 */ 1740 static struct block * 1741 gen_ether_linktype(proto) 1742 register int proto; 1743 { 1744 struct block *b0, *b1; 1745 1746 switch (proto) { 1747 1748 case LLCSAP_ISONS: 1749 case LLCSAP_IP: 1750 case LLCSAP_NETBEUI: 1751 /* 1752 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1753 * so we check the DSAP and SSAP. 1754 * 1755 * LLCSAP_IP checks for IP-over-802.2, rather 1756 * than IP-over-Ethernet or IP-over-SNAP. 1757 * 1758 * XXX - should we check both the DSAP and the 1759 * SSAP, like this, or should we check just the 1760 * DSAP, as we do for other types <= ETHERMTU 1761 * (i.e., other SAP values)? 1762 */ 1763 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1764 gen_not(b0); 1765 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1766 ((proto << 8) | proto)); 1767 gen_and(b0, b1); 1768 return b1; 1769 1770 case LLCSAP_IPX: 1771 /* 1772 * Check for; 1773 * 1774 * Ethernet_II frames, which are Ethernet 1775 * frames with a frame type of ETHERTYPE_IPX; 1776 * 1777 * Ethernet_802.3 frames, which are 802.3 1778 * frames (i.e., the type/length field is 1779 * a length field, <= ETHERMTU, rather than 1780 * a type field) with the first two bytes 1781 * after the Ethernet/802.3 header being 1782 * 0xFFFF; 1783 * 1784 * Ethernet_802.2 frames, which are 802.3 1785 * frames with an 802.2 LLC header and 1786 * with the IPX LSAP as the DSAP in the LLC 1787 * header; 1788 * 1789 * Ethernet_SNAP frames, which are 802.3 1790 * frames with an LLC header and a SNAP 1791 * header and with an OUI of 0x000000 1792 * (encapsulated Ethernet) and a protocol 1793 * ID of ETHERTYPE_IPX in the SNAP header. 1794 * 1795 * XXX - should we generate the same code both 1796 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1797 */ 1798 1799 /* 1800 * This generates code to check both for the 1801 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1802 */ 1803 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1804 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1805 gen_or(b0, b1); 1806 1807 /* 1808 * Now we add code to check for SNAP frames with 1809 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1810 */ 1811 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1812 gen_or(b0, b1); 1813 1814 /* 1815 * Now we generate code to check for 802.3 1816 * frames in general. 1817 */ 1818 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1819 gen_not(b0); 1820 1821 /* 1822 * Now add the check for 802.3 frames before the 1823 * check for Ethernet_802.2 and Ethernet_802.3, 1824 * as those checks should only be done on 802.3 1825 * frames, not on Ethernet frames. 1826 */ 1827 gen_and(b0, b1); 1828 1829 /* 1830 * Now add the check for Ethernet_II frames, and 1831 * do that before checking for the other frame 1832 * types. 1833 */ 1834 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1835 (bpf_int32)ETHERTYPE_IPX); 1836 gen_or(b0, b1); 1837 return b1; 1838 1839 case ETHERTYPE_ATALK: 1840 case ETHERTYPE_AARP: 1841 /* 1842 * EtherTalk (AppleTalk protocols on Ethernet link 1843 * layer) may use 802.2 encapsulation. 1844 */ 1845 1846 /* 1847 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1848 * we check for an Ethernet type field less than 1849 * 1500, which means it's an 802.3 length field. 1850 */ 1851 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1852 gen_not(b0); 1853 1854 /* 1855 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1856 * SNAP packets with an organization code of 1857 * 0x080007 (Apple, for Appletalk) and a protocol 1858 * type of ETHERTYPE_ATALK (Appletalk). 1859 * 1860 * 802.2-encapsulated ETHERTYPE_AARP packets are 1861 * SNAP packets with an organization code of 1862 * 0x000000 (encapsulated Ethernet) and a protocol 1863 * type of ETHERTYPE_AARP (Appletalk ARP). 1864 */ 1865 if (proto == ETHERTYPE_ATALK) 1866 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1867 else /* proto == ETHERTYPE_AARP */ 1868 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1869 gen_and(b0, b1); 1870 1871 /* 1872 * Check for Ethernet encapsulation (Ethertalk 1873 * phase 1?); we just check for the Ethernet 1874 * protocol type. 1875 */ 1876 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1877 1878 gen_or(b0, b1); 1879 return b1; 1880 1881 default: 1882 if (proto <= ETHERMTU) { 1883 /* 1884 * This is an LLC SAP value, so the frames 1885 * that match would be 802.2 frames. 1886 * Check that the frame is an 802.2 frame 1887 * (i.e., that the length/type field is 1888 * a length field, <= ETHERMTU) and 1889 * then check the DSAP. 1890 */ 1891 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1892 gen_not(b0); 1893 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1894 (bpf_int32)proto); 1895 gen_and(b0, b1); 1896 return b1; 1897 } else { 1898 /* 1899 * This is an Ethernet type, so compare 1900 * the length/type field with it (if 1901 * the frame is an 802.2 frame, the length 1902 * field will be <= ETHERMTU, and, as 1903 * "proto" is > ETHERMTU, this test 1904 * will fail and the frame won't match, 1905 * which is what we want). 1906 */ 1907 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1908 (bpf_int32)proto); 1909 } 1910 } 1911 } 1912 1913 /* 1914 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1915 * or IPv6 then we have an error. 1916 */ 1917 static struct block * 1918 gen_ipnet_linktype(proto) 1919 register int proto; 1920 { 1921 switch (proto) { 1922 1923 case ETHERTYPE_IP: 1924 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1925 (bpf_int32)IPH_AF_INET); 1926 /* NOTREACHED */ 1927 1928 case ETHERTYPE_IPV6: 1929 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1930 (bpf_int32)IPH_AF_INET6); 1931 /* NOTREACHED */ 1932 1933 default: 1934 break; 1935 } 1936 1937 return gen_false(); 1938 } 1939 1940 /* 1941 * Generate code to match a particular packet type. 1942 * 1943 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1944 * value, if <= ETHERMTU. We use that to determine whether to 1945 * match the type field or to check the type field for the special 1946 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1947 */ 1948 static struct block * 1949 gen_linux_sll_linktype(proto) 1950 register int proto; 1951 { 1952 struct block *b0, *b1; 1953 1954 switch (proto) { 1955 1956 case LLCSAP_ISONS: 1957 case LLCSAP_IP: 1958 case LLCSAP_NETBEUI: 1959 /* 1960 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1961 * so we check the DSAP and SSAP. 1962 * 1963 * LLCSAP_IP checks for IP-over-802.2, rather 1964 * than IP-over-Ethernet or IP-over-SNAP. 1965 * 1966 * XXX - should we check both the DSAP and the 1967 * SSAP, like this, or should we check just the 1968 * DSAP, as we do for other types <= ETHERMTU 1969 * (i.e., other SAP values)? 1970 */ 1971 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1972 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1973 ((proto << 8) | proto)); 1974 gen_and(b0, b1); 1975 return b1; 1976 1977 case LLCSAP_IPX: 1978 /* 1979 * Ethernet_II frames, which are Ethernet 1980 * frames with a frame type of ETHERTYPE_IPX; 1981 * 1982 * Ethernet_802.3 frames, which have a frame 1983 * type of LINUX_SLL_P_802_3; 1984 * 1985 * Ethernet_802.2 frames, which are 802.3 1986 * frames with an 802.2 LLC header (i.e, have 1987 * a frame type of LINUX_SLL_P_802_2) and 1988 * with the IPX LSAP as the DSAP in the LLC 1989 * header; 1990 * 1991 * Ethernet_SNAP frames, which are 802.3 1992 * frames with an LLC header and a SNAP 1993 * header and with an OUI of 0x000000 1994 * (encapsulated Ethernet) and a protocol 1995 * ID of ETHERTYPE_IPX in the SNAP header. 1996 * 1997 * First, do the checks on LINUX_SLL_P_802_2 1998 * frames; generate the check for either 1999 * Ethernet_802.2 or Ethernet_SNAP frames, and 2000 * then put a check for LINUX_SLL_P_802_2 frames 2001 * before it. 2002 */ 2003 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2004 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2005 gen_or(b0, b1); 2006 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2007 gen_and(b0, b1); 2008 2009 /* 2010 * Now check for 802.3 frames and OR that with 2011 * the previous test. 2012 */ 2013 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2014 gen_or(b0, b1); 2015 2016 /* 2017 * Now add the check for Ethernet_II frames, and 2018 * do that before checking for the other frame 2019 * types. 2020 */ 2021 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2022 (bpf_int32)ETHERTYPE_IPX); 2023 gen_or(b0, b1); 2024 return b1; 2025 2026 case ETHERTYPE_ATALK: 2027 case ETHERTYPE_AARP: 2028 /* 2029 * EtherTalk (AppleTalk protocols on Ethernet link 2030 * layer) may use 802.2 encapsulation. 2031 */ 2032 2033 /* 2034 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2035 * we check for the 802.2 protocol type in the 2036 * "Ethernet type" field. 2037 */ 2038 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2039 2040 /* 2041 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2042 * SNAP packets with an organization code of 2043 * 0x080007 (Apple, for Appletalk) and a protocol 2044 * type of ETHERTYPE_ATALK (Appletalk). 2045 * 2046 * 802.2-encapsulated ETHERTYPE_AARP packets are 2047 * SNAP packets with an organization code of 2048 * 0x000000 (encapsulated Ethernet) and a protocol 2049 * type of ETHERTYPE_AARP (Appletalk ARP). 2050 */ 2051 if (proto == ETHERTYPE_ATALK) 2052 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2053 else /* proto == ETHERTYPE_AARP */ 2054 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2055 gen_and(b0, b1); 2056 2057 /* 2058 * Check for Ethernet encapsulation (Ethertalk 2059 * phase 1?); we just check for the Ethernet 2060 * protocol type. 2061 */ 2062 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2063 2064 gen_or(b0, b1); 2065 return b1; 2066 2067 default: 2068 if (proto <= ETHERMTU) { 2069 /* 2070 * This is an LLC SAP value, so the frames 2071 * that match would be 802.2 frames. 2072 * Check for the 802.2 protocol type 2073 * in the "Ethernet type" field, and 2074 * then check the DSAP. 2075 */ 2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2077 LINUX_SLL_P_802_2); 2078 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2079 (bpf_int32)proto); 2080 gen_and(b0, b1); 2081 return b1; 2082 } else { 2083 /* 2084 * This is an Ethernet type, so compare 2085 * the length/type field with it (if 2086 * the frame is an 802.2 frame, the length 2087 * field will be <= ETHERMTU, and, as 2088 * "proto" is > ETHERMTU, this test 2089 * will fail and the frame won't match, 2090 * which is what we want). 2091 */ 2092 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2093 (bpf_int32)proto); 2094 } 2095 } 2096 } 2097 2098 static struct slist * 2099 gen_load_prism_llprefixlen() 2100 { 2101 struct slist *s1, *s2; 2102 struct slist *sjeq_avs_cookie; 2103 struct slist *sjcommon; 2104 2105 /* 2106 * This code is not compatible with the optimizer, as 2107 * we are generating jmp instructions within a normal 2108 * slist of instructions 2109 */ 2110 no_optimize = 1; 2111 2112 /* 2113 * Generate code to load the length of the radio header into 2114 * the register assigned to hold that length, if one has been 2115 * assigned. (If one hasn't been assigned, no code we've 2116 * generated uses that prefix, so we don't need to generate any 2117 * code to load it.) 2118 * 2119 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2120 * or always use the AVS header rather than the Prism header. 2121 * We load a 4-byte big-endian value at the beginning of the 2122 * raw packet data, and see whether, when masked with 0xFFFFF000, 2123 * it's equal to 0x80211000. If so, that indicates that it's 2124 * an AVS header (the masked-out bits are the version number). 2125 * Otherwise, it's a Prism header. 2126 * 2127 * XXX - the Prism header is also, in theory, variable-length, 2128 * but no known software generates headers that aren't 144 2129 * bytes long. 2130 */ 2131 if (reg_off_ll != -1) { 2132 /* 2133 * Load the cookie. 2134 */ 2135 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2136 s1->s.k = 0; 2137 2138 /* 2139 * AND it with 0xFFFFF000. 2140 */ 2141 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2142 s2->s.k = 0xFFFFF000; 2143 sappend(s1, s2); 2144 2145 /* 2146 * Compare with 0x80211000. 2147 */ 2148 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2149 sjeq_avs_cookie->s.k = 0x80211000; 2150 sappend(s1, sjeq_avs_cookie); 2151 2152 /* 2153 * If it's AVS: 2154 * 2155 * The 4 bytes at an offset of 4 from the beginning of 2156 * the AVS header are the length of the AVS header. 2157 * That field is big-endian. 2158 */ 2159 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2160 s2->s.k = 4; 2161 sappend(s1, s2); 2162 sjeq_avs_cookie->s.jt = s2; 2163 2164 /* 2165 * Now jump to the code to allocate a register 2166 * into which to save the header length and 2167 * store the length there. (The "jump always" 2168 * instruction needs to have the k field set; 2169 * it's added to the PC, so, as we're jumping 2170 * over a single instruction, it should be 1.) 2171 */ 2172 sjcommon = new_stmt(JMP(BPF_JA)); 2173 sjcommon->s.k = 1; 2174 sappend(s1, sjcommon); 2175 2176 /* 2177 * Now for the code that handles the Prism header. 2178 * Just load the length of the Prism header (144) 2179 * into the A register. Have the test for an AVS 2180 * header branch here if we don't have an AVS header. 2181 */ 2182 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2183 s2->s.k = 144; 2184 sappend(s1, s2); 2185 sjeq_avs_cookie->s.jf = s2; 2186 2187 /* 2188 * Now allocate a register to hold that value and store 2189 * it. The code for the AVS header will jump here after 2190 * loading the length of the AVS header. 2191 */ 2192 s2 = new_stmt(BPF_ST); 2193 s2->s.k = reg_off_ll; 2194 sappend(s1, s2); 2195 sjcommon->s.jf = s2; 2196 2197 /* 2198 * Now move it into the X register. 2199 */ 2200 s2 = new_stmt(BPF_MISC|BPF_TAX); 2201 sappend(s1, s2); 2202 2203 return (s1); 2204 } else 2205 return (NULL); 2206 } 2207 2208 static struct slist * 2209 gen_load_avs_llprefixlen() 2210 { 2211 struct slist *s1, *s2; 2212 2213 /* 2214 * Generate code to load the length of the AVS header into 2215 * the register assigned to hold that length, if one has been 2216 * assigned. (If one hasn't been assigned, no code we've 2217 * generated uses that prefix, so we don't need to generate any 2218 * code to load it.) 2219 */ 2220 if (reg_off_ll != -1) { 2221 /* 2222 * The 4 bytes at an offset of 4 from the beginning of 2223 * the AVS header are the length of the AVS header. 2224 * That field is big-endian. 2225 */ 2226 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2227 s1->s.k = 4; 2228 2229 /* 2230 * Now allocate a register to hold that value and store 2231 * it. 2232 */ 2233 s2 = new_stmt(BPF_ST); 2234 s2->s.k = reg_off_ll; 2235 sappend(s1, s2); 2236 2237 /* 2238 * Now move it into the X register. 2239 */ 2240 s2 = new_stmt(BPF_MISC|BPF_TAX); 2241 sappend(s1, s2); 2242 2243 return (s1); 2244 } else 2245 return (NULL); 2246 } 2247 2248 static struct slist * 2249 gen_load_radiotap_llprefixlen() 2250 { 2251 struct slist *s1, *s2; 2252 2253 /* 2254 * Generate code to load the length of the radiotap header into 2255 * the register assigned to hold that length, if one has been 2256 * assigned. (If one hasn't been assigned, no code we've 2257 * generated uses that prefix, so we don't need to generate any 2258 * code to load it.) 2259 */ 2260 if (reg_off_ll != -1) { 2261 /* 2262 * The 2 bytes at offsets of 2 and 3 from the beginning 2263 * of the radiotap header are the length of the radiotap 2264 * header; unfortunately, it's little-endian, so we have 2265 * to load it a byte at a time and construct the value. 2266 */ 2267 2268 /* 2269 * Load the high-order byte, at an offset of 3, shift it 2270 * left a byte, and put the result in the X register. 2271 */ 2272 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2273 s1->s.k = 3; 2274 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2275 sappend(s1, s2); 2276 s2->s.k = 8; 2277 s2 = new_stmt(BPF_MISC|BPF_TAX); 2278 sappend(s1, s2); 2279 2280 /* 2281 * Load the next byte, at an offset of 2, and OR the 2282 * value from the X register into it. 2283 */ 2284 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2285 sappend(s1, s2); 2286 s2->s.k = 2; 2287 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2288 sappend(s1, s2); 2289 2290 /* 2291 * Now allocate a register to hold that value and store 2292 * it. 2293 */ 2294 s2 = new_stmt(BPF_ST); 2295 s2->s.k = reg_off_ll; 2296 sappend(s1, s2); 2297 2298 /* 2299 * Now move it into the X register. 2300 */ 2301 s2 = new_stmt(BPF_MISC|BPF_TAX); 2302 sappend(s1, s2); 2303 2304 return (s1); 2305 } else 2306 return (NULL); 2307 } 2308 2309 /* 2310 * At the moment we treat PPI as normal Radiotap encoded 2311 * packets. The difference is in the function that generates 2312 * the code at the beginning to compute the header length. 2313 * Since this code generator of PPI supports bare 802.11 2314 * encapsulation only (i.e. the encapsulated DLT should be 2315 * DLT_IEEE802_11) we generate code to check for this too; 2316 * that's done in finish_parse(). 2317 */ 2318 static struct slist * 2319 gen_load_ppi_llprefixlen() 2320 { 2321 struct slist *s1, *s2; 2322 2323 /* 2324 * Generate code to load the length of the radiotap header 2325 * into the register assigned to hold that length, if one has 2326 * been assigned. 2327 */ 2328 if (reg_off_ll != -1) { 2329 /* 2330 * The 2 bytes at offsets of 2 and 3 from the beginning 2331 * of the radiotap header are the length of the radiotap 2332 * header; unfortunately, it's little-endian, so we have 2333 * to load it a byte at a time and construct the value. 2334 */ 2335 2336 /* 2337 * Load the high-order byte, at an offset of 3, shift it 2338 * left a byte, and put the result in the X register. 2339 */ 2340 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2341 s1->s.k = 3; 2342 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2343 sappend(s1, s2); 2344 s2->s.k = 8; 2345 s2 = new_stmt(BPF_MISC|BPF_TAX); 2346 sappend(s1, s2); 2347 2348 /* 2349 * Load the next byte, at an offset of 2, and OR the 2350 * value from the X register into it. 2351 */ 2352 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2353 sappend(s1, s2); 2354 s2->s.k = 2; 2355 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2356 sappend(s1, s2); 2357 2358 /* 2359 * Now allocate a register to hold that value and store 2360 * it. 2361 */ 2362 s2 = new_stmt(BPF_ST); 2363 s2->s.k = reg_off_ll; 2364 sappend(s1, s2); 2365 2366 /* 2367 * Now move it into the X register. 2368 */ 2369 s2 = new_stmt(BPF_MISC|BPF_TAX); 2370 sappend(s1, s2); 2371 2372 return (s1); 2373 } else 2374 return (NULL); 2375 } 2376 2377 /* 2378 * Load a value relative to the beginning of the link-layer header after the 802.11 2379 * header, i.e. LLC_SNAP. 2380 * The link-layer header doesn't necessarily begin at the beginning 2381 * of the packet data; there might be a variable-length prefix containing 2382 * radio information. 2383 */ 2384 static struct slist * 2385 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2386 { 2387 struct slist *s2; 2388 struct slist *sjset_data_frame_1; 2389 struct slist *sjset_data_frame_2; 2390 struct slist *sjset_qos; 2391 struct slist *sjset_radiotap_flags; 2392 struct slist *sjset_radiotap_tsft; 2393 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2394 struct slist *s_roundup; 2395 2396 if (reg_off_macpl == -1) { 2397 /* 2398 * No register has been assigned to the offset of 2399 * the MAC-layer payload, which means nobody needs 2400 * it; don't bother computing it - just return 2401 * what we already have. 2402 */ 2403 return (s); 2404 } 2405 2406 /* 2407 * This code is not compatible with the optimizer, as 2408 * we are generating jmp instructions within a normal 2409 * slist of instructions 2410 */ 2411 no_optimize = 1; 2412 2413 /* 2414 * If "s" is non-null, it has code to arrange that the X register 2415 * contains the length of the prefix preceding the link-layer 2416 * header. 2417 * 2418 * Otherwise, the length of the prefix preceding the link-layer 2419 * header is "off_ll". 2420 */ 2421 if (s == NULL) { 2422 /* 2423 * There is no variable-length header preceding the 2424 * link-layer header. 2425 * 2426 * Load the length of the fixed-length prefix preceding 2427 * the link-layer header (if any) into the X register, 2428 * and store it in the reg_off_macpl register. 2429 * That length is off_ll. 2430 */ 2431 s = new_stmt(BPF_LDX|BPF_IMM); 2432 s->s.k = off_ll; 2433 } 2434 2435 /* 2436 * The X register contains the offset of the beginning of the 2437 * link-layer header; add 24, which is the minimum length 2438 * of the MAC header for a data frame, to that, and store it 2439 * in reg_off_macpl, and then load the Frame Control field, 2440 * which is at the offset in the X register, with an indexed load. 2441 */ 2442 s2 = new_stmt(BPF_MISC|BPF_TXA); 2443 sappend(s, s2); 2444 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2445 s2->s.k = 24; 2446 sappend(s, s2); 2447 s2 = new_stmt(BPF_ST); 2448 s2->s.k = reg_off_macpl; 2449 sappend(s, s2); 2450 2451 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2452 s2->s.k = 0; 2453 sappend(s, s2); 2454 2455 /* 2456 * Check the Frame Control field to see if this is a data frame; 2457 * a data frame has the 0x08 bit (b3) in that field set and the 2458 * 0x04 bit (b2) clear. 2459 */ 2460 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2461 sjset_data_frame_1->s.k = 0x08; 2462 sappend(s, sjset_data_frame_1); 2463 2464 /* 2465 * If b3 is set, test b2, otherwise go to the first statement of 2466 * the rest of the program. 2467 */ 2468 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2469 sjset_data_frame_2->s.k = 0x04; 2470 sappend(s, sjset_data_frame_2); 2471 sjset_data_frame_1->s.jf = snext; 2472 2473 /* 2474 * If b2 is not set, this is a data frame; test the QoS bit. 2475 * Otherwise, go to the first statement of the rest of the 2476 * program. 2477 */ 2478 sjset_data_frame_2->s.jt = snext; 2479 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2480 sjset_qos->s.k = 0x80; /* QoS bit */ 2481 sappend(s, sjset_qos); 2482 2483 /* 2484 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2485 * field. 2486 * Otherwise, go to the first statement of the rest of the 2487 * program. 2488 */ 2489 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2490 s2->s.k = reg_off_macpl; 2491 sappend(s, s2); 2492 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2493 s2->s.k = 2; 2494 sappend(s, s2); 2495 s2 = new_stmt(BPF_ST); 2496 s2->s.k = reg_off_macpl; 2497 sappend(s, s2); 2498 2499 /* 2500 * If we have a radiotap header, look at it to see whether 2501 * there's Atheros padding between the MAC-layer header 2502 * and the payload. 2503 * 2504 * Note: all of the fields in the radiotap header are 2505 * little-endian, so we byte-swap all of the values 2506 * we test against, as they will be loaded as big-endian 2507 * values. 2508 */ 2509 if (linktype == DLT_IEEE802_11_RADIO) { 2510 /* 2511 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2512 * in the presence flag? 2513 */ 2514 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2515 s2->s.k = 4; 2516 sappend(s, s2); 2517 2518 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2519 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2520 sappend(s, sjset_radiotap_flags); 2521 2522 /* 2523 * If not, skip all of this. 2524 */ 2525 sjset_radiotap_flags->s.jf = snext; 2526 2527 /* 2528 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2529 */ 2530 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2531 new_stmt(JMP(BPF_JSET)); 2532 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2533 sappend(s, sjset_radiotap_tsft); 2534 2535 /* 2536 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2537 * at an offset of 16 from the beginning of the raw packet 2538 * data (8 bytes for the radiotap header and 8 bytes for 2539 * the TSFT field). 2540 * 2541 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2542 * is set. 2543 */ 2544 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2545 s2->s.k = 16; 2546 sappend(s, s2); 2547 2548 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2549 sjset_tsft_datapad->s.k = 0x20; 2550 sappend(s, sjset_tsft_datapad); 2551 2552 /* 2553 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2554 * at an offset of 8 from the beginning of the raw packet 2555 * data (8 bytes for the radiotap header). 2556 * 2557 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2558 * is set. 2559 */ 2560 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2561 s2->s.k = 8; 2562 sappend(s, s2); 2563 2564 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2565 sjset_notsft_datapad->s.k = 0x20; 2566 sappend(s, sjset_notsft_datapad); 2567 2568 /* 2569 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2570 * set, round the length of the 802.11 header to 2571 * a multiple of 4. Do that by adding 3 and then 2572 * dividing by and multiplying by 4, which we do by 2573 * ANDing with ~3. 2574 */ 2575 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2576 s_roundup->s.k = reg_off_macpl; 2577 sappend(s, s_roundup); 2578 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2579 s2->s.k = 3; 2580 sappend(s, s2); 2581 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2582 s2->s.k = ~3; 2583 sappend(s, s2); 2584 s2 = new_stmt(BPF_ST); 2585 s2->s.k = reg_off_macpl; 2586 sappend(s, s2); 2587 2588 sjset_tsft_datapad->s.jt = s_roundup; 2589 sjset_tsft_datapad->s.jf = snext; 2590 sjset_notsft_datapad->s.jt = s_roundup; 2591 sjset_notsft_datapad->s.jf = snext; 2592 } else 2593 sjset_qos->s.jf = snext; 2594 2595 return s; 2596 } 2597 2598 static void 2599 insert_compute_vloffsets(b) 2600 struct block *b; 2601 { 2602 struct slist *s; 2603 2604 /* 2605 * For link-layer types that have a variable-length header 2606 * preceding the link-layer header, generate code to load 2607 * the offset of the link-layer header into the register 2608 * assigned to that offset, if any. 2609 */ 2610 switch (linktype) { 2611 2612 case DLT_PRISM_HEADER: 2613 s = gen_load_prism_llprefixlen(); 2614 break; 2615 2616 case DLT_IEEE802_11_RADIO_AVS: 2617 s = gen_load_avs_llprefixlen(); 2618 break; 2619 2620 case DLT_IEEE802_11_RADIO: 2621 s = gen_load_radiotap_llprefixlen(); 2622 break; 2623 2624 case DLT_PPI: 2625 s = gen_load_ppi_llprefixlen(); 2626 break; 2627 2628 default: 2629 s = NULL; 2630 break; 2631 } 2632 2633 /* 2634 * For link-layer types that have a variable-length link-layer 2635 * header, generate code to load the offset of the MAC-layer 2636 * payload into the register assigned to that offset, if any. 2637 */ 2638 switch (linktype) { 2639 2640 case DLT_IEEE802_11: 2641 case DLT_PRISM_HEADER: 2642 case DLT_IEEE802_11_RADIO_AVS: 2643 case DLT_IEEE802_11_RADIO: 2644 case DLT_PPI: 2645 s = gen_load_802_11_header_len(s, b->stmts); 2646 break; 2647 } 2648 2649 /* 2650 * If we have any offset-loading code, append all the 2651 * existing statements in the block to those statements, 2652 * and make the resulting list the list of statements 2653 * for the block. 2654 */ 2655 if (s != NULL) { 2656 sappend(s, b->stmts); 2657 b->stmts = s; 2658 } 2659 } 2660 2661 static struct block * 2662 gen_ppi_dlt_check(void) 2663 { 2664 struct slist *s_load_dlt; 2665 struct block *b; 2666 2667 if (linktype == DLT_PPI) 2668 { 2669 /* Create the statements that check for the DLT 2670 */ 2671 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2672 s_load_dlt->s.k = 4; 2673 2674 b = new_block(JMP(BPF_JEQ)); 2675 2676 b->stmts = s_load_dlt; 2677 b->s.k = SWAPLONG(DLT_IEEE802_11); 2678 } 2679 else 2680 { 2681 b = NULL; 2682 } 2683 2684 return b; 2685 } 2686 2687 static struct slist * 2688 gen_prism_llprefixlen(void) 2689 { 2690 struct slist *s; 2691 2692 if (reg_off_ll == -1) { 2693 /* 2694 * We haven't yet assigned a register for the length 2695 * of the radio header; allocate one. 2696 */ 2697 reg_off_ll = alloc_reg(); 2698 } 2699 2700 /* 2701 * Load the register containing the radio length 2702 * into the X register. 2703 */ 2704 s = new_stmt(BPF_LDX|BPF_MEM); 2705 s->s.k = reg_off_ll; 2706 return s; 2707 } 2708 2709 static struct slist * 2710 gen_avs_llprefixlen(void) 2711 { 2712 struct slist *s; 2713 2714 if (reg_off_ll == -1) { 2715 /* 2716 * We haven't yet assigned a register for the length 2717 * of the AVS header; allocate one. 2718 */ 2719 reg_off_ll = alloc_reg(); 2720 } 2721 2722 /* 2723 * Load the register containing the AVS length 2724 * into the X register. 2725 */ 2726 s = new_stmt(BPF_LDX|BPF_MEM); 2727 s->s.k = reg_off_ll; 2728 return s; 2729 } 2730 2731 static struct slist * 2732 gen_radiotap_llprefixlen(void) 2733 { 2734 struct slist *s; 2735 2736 if (reg_off_ll == -1) { 2737 /* 2738 * We haven't yet assigned a register for the length 2739 * of the radiotap header; allocate one. 2740 */ 2741 reg_off_ll = alloc_reg(); 2742 } 2743 2744 /* 2745 * Load the register containing the radiotap length 2746 * into the X register. 2747 */ 2748 s = new_stmt(BPF_LDX|BPF_MEM); 2749 s->s.k = reg_off_ll; 2750 return s; 2751 } 2752 2753 /* 2754 * At the moment we treat PPI as normal Radiotap encoded 2755 * packets. The difference is in the function that generates 2756 * the code at the beginning to compute the header length. 2757 * Since this code generator of PPI supports bare 802.11 2758 * encapsulation only (i.e. the encapsulated DLT should be 2759 * DLT_IEEE802_11) we generate code to check for this too. 2760 */ 2761 static struct slist * 2762 gen_ppi_llprefixlen(void) 2763 { 2764 struct slist *s; 2765 2766 if (reg_off_ll == -1) { 2767 /* 2768 * We haven't yet assigned a register for the length 2769 * of the radiotap header; allocate one. 2770 */ 2771 reg_off_ll = alloc_reg(); 2772 } 2773 2774 /* 2775 * Load the register containing the PPI length 2776 * into the X register. 2777 */ 2778 s = new_stmt(BPF_LDX|BPF_MEM); 2779 s->s.k = reg_off_ll; 2780 return s; 2781 } 2782 2783 /* 2784 * Generate code to compute the link-layer header length, if necessary, 2785 * putting it into the X register, and to return either a pointer to a 2786 * "struct slist" for the list of statements in that code, or NULL if 2787 * no code is necessary. 2788 */ 2789 static struct slist * 2790 gen_llprefixlen(void) 2791 { 2792 switch (linktype) { 2793 2794 case DLT_PRISM_HEADER: 2795 return gen_prism_llprefixlen(); 2796 2797 case DLT_IEEE802_11_RADIO_AVS: 2798 return gen_avs_llprefixlen(); 2799 2800 case DLT_IEEE802_11_RADIO: 2801 return gen_radiotap_llprefixlen(); 2802 2803 case DLT_PPI: 2804 return gen_ppi_llprefixlen(); 2805 2806 default: 2807 return NULL; 2808 } 2809 } 2810 2811 /* 2812 * Generate code to load the register containing the offset of the 2813 * MAC-layer payload into the X register; if no register for that offset 2814 * has been allocated, allocate it first. 2815 */ 2816 static struct slist * 2817 gen_off_macpl(void) 2818 { 2819 struct slist *s; 2820 2821 if (off_macpl_is_variable) { 2822 if (reg_off_macpl == -1) { 2823 /* 2824 * We haven't yet assigned a register for the offset 2825 * of the MAC-layer payload; allocate one. 2826 */ 2827 reg_off_macpl = alloc_reg(); 2828 } 2829 2830 /* 2831 * Load the register containing the offset of the MAC-layer 2832 * payload into the X register. 2833 */ 2834 s = new_stmt(BPF_LDX|BPF_MEM); 2835 s->s.k = reg_off_macpl; 2836 return s; 2837 } else { 2838 /* 2839 * That offset isn't variable, so we don't need to 2840 * generate any code. 2841 */ 2842 return NULL; 2843 } 2844 } 2845 2846 /* 2847 * Map an Ethernet type to the equivalent PPP type. 2848 */ 2849 static int 2850 ethertype_to_ppptype(proto) 2851 int proto; 2852 { 2853 switch (proto) { 2854 2855 case ETHERTYPE_IP: 2856 proto = PPP_IP; 2857 break; 2858 2859 case ETHERTYPE_IPV6: 2860 proto = PPP_IPV6; 2861 break; 2862 2863 case ETHERTYPE_DN: 2864 proto = PPP_DECNET; 2865 break; 2866 2867 case ETHERTYPE_ATALK: 2868 proto = PPP_APPLE; 2869 break; 2870 2871 case ETHERTYPE_NS: 2872 proto = PPP_NS; 2873 break; 2874 2875 case LLCSAP_ISONS: 2876 proto = PPP_OSI; 2877 break; 2878 2879 case LLCSAP_8021D: 2880 /* 2881 * I'm assuming the "Bridging PDU"s that go 2882 * over PPP are Spanning Tree Protocol 2883 * Bridging PDUs. 2884 */ 2885 proto = PPP_BRPDU; 2886 break; 2887 2888 case LLCSAP_IPX: 2889 proto = PPP_IPX; 2890 break; 2891 } 2892 return (proto); 2893 } 2894 2895 /* 2896 * Generate code to match a particular packet type by matching the 2897 * link-layer type field or fields in the 802.2 LLC header. 2898 * 2899 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2900 * value, if <= ETHERMTU. 2901 */ 2902 static struct block * 2903 gen_linktype(proto) 2904 register int proto; 2905 { 2906 struct block *b0, *b1, *b2; 2907 2908 /* are we checking MPLS-encapsulated packets? */ 2909 if (label_stack_depth > 0) { 2910 switch (proto) { 2911 case ETHERTYPE_IP: 2912 case PPP_IP: 2913 /* FIXME add other L3 proto IDs */ 2914 return gen_mpls_linktype(Q_IP); 2915 2916 case ETHERTYPE_IPV6: 2917 case PPP_IPV6: 2918 /* FIXME add other L3 proto IDs */ 2919 return gen_mpls_linktype(Q_IPV6); 2920 2921 default: 2922 bpf_error("unsupported protocol over mpls"); 2923 /* NOTREACHED */ 2924 } 2925 } 2926 2927 /* 2928 * Are we testing PPPoE packets? 2929 */ 2930 if (is_pppoes) { 2931 /* 2932 * The PPPoE session header is part of the 2933 * MAC-layer payload, so all references 2934 * should be relative to the beginning of 2935 * that payload. 2936 */ 2937 2938 /* 2939 * We use Ethernet protocol types inside libpcap; 2940 * map them to the corresponding PPP protocol types. 2941 */ 2942 proto = ethertype_to_ppptype(proto); 2943 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2944 } 2945 2946 switch (linktype) { 2947 2948 case DLT_EN10MB: 2949 case DLT_NETANALYZER: 2950 case DLT_NETANALYZER_TRANSPARENT: 2951 return gen_ether_linktype(proto); 2952 /*NOTREACHED*/ 2953 break; 2954 2955 case DLT_C_HDLC: 2956 switch (proto) { 2957 2958 case LLCSAP_ISONS: 2959 proto = (proto << 8 | LLCSAP_ISONS); 2960 /* fall through */ 2961 2962 default: 2963 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2964 (bpf_int32)proto); 2965 /*NOTREACHED*/ 2966 break; 2967 } 2968 break; 2969 2970 case DLT_IEEE802_11: 2971 case DLT_PRISM_HEADER: 2972 case DLT_IEEE802_11_RADIO_AVS: 2973 case DLT_IEEE802_11_RADIO: 2974 case DLT_PPI: 2975 /* 2976 * Check that we have a data frame. 2977 */ 2978 b0 = gen_check_802_11_data_frame(); 2979 2980 /* 2981 * Now check for the specified link-layer type. 2982 */ 2983 b1 = gen_llc_linktype(proto); 2984 gen_and(b0, b1); 2985 return b1; 2986 /*NOTREACHED*/ 2987 break; 2988 2989 case DLT_FDDI: 2990 /* 2991 * XXX - check for asynchronous frames, as per RFC 1103. 2992 */ 2993 return gen_llc_linktype(proto); 2994 /*NOTREACHED*/ 2995 break; 2996 2997 case DLT_IEEE802: 2998 /* 2999 * XXX - check for LLC PDUs, as per IEEE 802.5. 3000 */ 3001 return gen_llc_linktype(proto); 3002 /*NOTREACHED*/ 3003 break; 3004 3005 case DLT_ATM_RFC1483: 3006 case DLT_ATM_CLIP: 3007 case DLT_IP_OVER_FC: 3008 return gen_llc_linktype(proto); 3009 /*NOTREACHED*/ 3010 break; 3011 3012 case DLT_SUNATM: 3013 /* 3014 * If "is_lane" is set, check for a LANE-encapsulated 3015 * version of this protocol, otherwise check for an 3016 * LLC-encapsulated version of this protocol. 3017 * 3018 * We assume LANE means Ethernet, not Token Ring. 3019 */ 3020 if (is_lane) { 3021 /* 3022 * Check that the packet doesn't begin with an 3023 * LE Control marker. (We've already generated 3024 * a test for LANE.) 3025 */ 3026 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3027 0xFF00); 3028 gen_not(b0); 3029 3030 /* 3031 * Now generate an Ethernet test. 3032 */ 3033 b1 = gen_ether_linktype(proto); 3034 gen_and(b0, b1); 3035 return b1; 3036 } else { 3037 /* 3038 * Check for LLC encapsulation and then check the 3039 * protocol. 3040 */ 3041 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3042 b1 = gen_llc_linktype(proto); 3043 gen_and(b0, b1); 3044 return b1; 3045 } 3046 /*NOTREACHED*/ 3047 break; 3048 3049 case DLT_LINUX_SLL: 3050 return gen_linux_sll_linktype(proto); 3051 /*NOTREACHED*/ 3052 break; 3053 3054 case DLT_SLIP: 3055 case DLT_SLIP_BSDOS: 3056 case DLT_RAW: 3057 /* 3058 * These types don't provide any type field; packets 3059 * are always IPv4 or IPv6. 3060 * 3061 * XXX - for IPv4, check for a version number of 4, and, 3062 * for IPv6, check for a version number of 6? 3063 */ 3064 switch (proto) { 3065 3066 case ETHERTYPE_IP: 3067 /* Check for a version number of 4. */ 3068 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3069 3070 case ETHERTYPE_IPV6: 3071 /* Check for a version number of 6. */ 3072 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3073 3074 default: 3075 return gen_false(); /* always false */ 3076 } 3077 /*NOTREACHED*/ 3078 break; 3079 3080 case DLT_IPV4: 3081 /* 3082 * Raw IPv4, so no type field. 3083 */ 3084 if (proto == ETHERTYPE_IP) 3085 return gen_true(); /* always true */ 3086 3087 /* Checking for something other than IPv4; always false */ 3088 return gen_false(); 3089 /*NOTREACHED*/ 3090 break; 3091 3092 case DLT_IPV6: 3093 /* 3094 * Raw IPv6, so no type field. 3095 */ 3096 if (proto == ETHERTYPE_IPV6) 3097 return gen_true(); /* always true */ 3098 3099 /* Checking for something other than IPv6; always false */ 3100 return gen_false(); 3101 /*NOTREACHED*/ 3102 break; 3103 3104 case DLT_PPP: 3105 case DLT_PPP_PPPD: 3106 case DLT_PPP_SERIAL: 3107 case DLT_PPP_ETHER: 3108 /* 3109 * We use Ethernet protocol types inside libpcap; 3110 * map them to the corresponding PPP protocol types. 3111 */ 3112 proto = ethertype_to_ppptype(proto); 3113 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3114 /*NOTREACHED*/ 3115 break; 3116 3117 case DLT_PPP_BSDOS: 3118 /* 3119 * We use Ethernet protocol types inside libpcap; 3120 * map them to the corresponding PPP protocol types. 3121 */ 3122 switch (proto) { 3123 3124 case ETHERTYPE_IP: 3125 /* 3126 * Also check for Van Jacobson-compressed IP. 3127 * XXX - do this for other forms of PPP? 3128 */ 3129 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3130 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3131 gen_or(b0, b1); 3132 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3133 gen_or(b1, b0); 3134 return b0; 3135 3136 default: 3137 proto = ethertype_to_ppptype(proto); 3138 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3139 (bpf_int32)proto); 3140 } 3141 /*NOTREACHED*/ 3142 break; 3143 3144 case DLT_NULL: 3145 case DLT_LOOP: 3146 case DLT_ENC: 3147 /* 3148 * For DLT_NULL, the link-layer header is a 32-bit 3149 * word containing an AF_ value in *host* byte order, 3150 * and for DLT_ENC, the link-layer header begins 3151 * with a 32-bit work containing an AF_ value in 3152 * host byte order. 3153 * 3154 * In addition, if we're reading a saved capture file, 3155 * the host byte order in the capture may not be the 3156 * same as the host byte order on this machine. 3157 * 3158 * For DLT_LOOP, the link-layer header is a 32-bit 3159 * word containing an AF_ value in *network* byte order. 3160 * 3161 * XXX - AF_ values may, unfortunately, be platform- 3162 * dependent; for example, FreeBSD's AF_INET6 is 24 3163 * whilst NetBSD's and OpenBSD's is 26. 3164 * 3165 * This means that, when reading a capture file, just 3166 * checking for our AF_INET6 value won't work if the 3167 * capture file came from another OS. 3168 */ 3169 switch (proto) { 3170 3171 case ETHERTYPE_IP: 3172 proto = AF_INET; 3173 break; 3174 3175 #ifdef INET6 3176 case ETHERTYPE_IPV6: 3177 proto = AF_INET6; 3178 break; 3179 #endif 3180 3181 default: 3182 /* 3183 * Not a type on which we support filtering. 3184 * XXX - support those that have AF_ values 3185 * #defined on this platform, at least? 3186 */ 3187 return gen_false(); 3188 } 3189 3190 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3191 /* 3192 * The AF_ value is in host byte order, but 3193 * the BPF interpreter will convert it to 3194 * network byte order. 3195 * 3196 * If this is a save file, and it's from a 3197 * machine with the opposite byte order to 3198 * ours, we byte-swap the AF_ value. 3199 * 3200 * Then we run it through "htonl()", and 3201 * generate code to compare against the result. 3202 */ 3203 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped) 3204 proto = SWAPLONG(proto); 3205 proto = htonl(proto); 3206 } 3207 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3208 3209 #ifdef HAVE_NET_PFVAR_H 3210 case DLT_PFLOG: 3211 /* 3212 * af field is host byte order in contrast to the rest of 3213 * the packet. 3214 */ 3215 if (proto == ETHERTYPE_IP) 3216 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3217 BPF_B, (bpf_int32)AF_INET)); 3218 else if (proto == ETHERTYPE_IPV6) 3219 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3220 BPF_B, (bpf_int32)AF_INET6)); 3221 else 3222 return gen_false(); 3223 /*NOTREACHED*/ 3224 break; 3225 #endif /* HAVE_NET_PFVAR_H */ 3226 3227 case DLT_ARCNET: 3228 case DLT_ARCNET_LINUX: 3229 /* 3230 * XXX should we check for first fragment if the protocol 3231 * uses PHDS? 3232 */ 3233 switch (proto) { 3234 3235 default: 3236 return gen_false(); 3237 3238 case ETHERTYPE_IPV6: 3239 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3240 (bpf_int32)ARCTYPE_INET6)); 3241 3242 case ETHERTYPE_IP: 3243 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3244 (bpf_int32)ARCTYPE_IP); 3245 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3246 (bpf_int32)ARCTYPE_IP_OLD); 3247 gen_or(b0, b1); 3248 return (b1); 3249 3250 case ETHERTYPE_ARP: 3251 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3252 (bpf_int32)ARCTYPE_ARP); 3253 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3254 (bpf_int32)ARCTYPE_ARP_OLD); 3255 gen_or(b0, b1); 3256 return (b1); 3257 3258 case ETHERTYPE_REVARP: 3259 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3260 (bpf_int32)ARCTYPE_REVARP)); 3261 3262 case ETHERTYPE_ATALK: 3263 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3264 (bpf_int32)ARCTYPE_ATALK)); 3265 } 3266 /*NOTREACHED*/ 3267 break; 3268 3269 case DLT_LTALK: 3270 switch (proto) { 3271 case ETHERTYPE_ATALK: 3272 return gen_true(); 3273 default: 3274 return gen_false(); 3275 } 3276 /*NOTREACHED*/ 3277 break; 3278 3279 case DLT_FRELAY: 3280 /* 3281 * XXX - assumes a 2-byte Frame Relay header with 3282 * DLCI and flags. What if the address is longer? 3283 */ 3284 switch (proto) { 3285 3286 case ETHERTYPE_IP: 3287 /* 3288 * Check for the special NLPID for IP. 3289 */ 3290 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3291 3292 case ETHERTYPE_IPV6: 3293 /* 3294 * Check for the special NLPID for IPv6. 3295 */ 3296 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3297 3298 case LLCSAP_ISONS: 3299 /* 3300 * Check for several OSI protocols. 3301 * 3302 * Frame Relay packets typically have an OSI 3303 * NLPID at the beginning; we check for each 3304 * of them. 3305 * 3306 * What we check for is the NLPID and a frame 3307 * control field of UI, i.e. 0x03 followed 3308 * by the NLPID. 3309 */ 3310 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3311 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3312 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3313 gen_or(b1, b2); 3314 gen_or(b0, b2); 3315 return b2; 3316 3317 default: 3318 return gen_false(); 3319 } 3320 /*NOTREACHED*/ 3321 break; 3322 3323 case DLT_MFR: 3324 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3325 3326 case DLT_JUNIPER_MFR: 3327 case DLT_JUNIPER_MLFR: 3328 case DLT_JUNIPER_MLPPP: 3329 case DLT_JUNIPER_ATM1: 3330 case DLT_JUNIPER_ATM2: 3331 case DLT_JUNIPER_PPPOE: 3332 case DLT_JUNIPER_PPPOE_ATM: 3333 case DLT_JUNIPER_GGSN: 3334 case DLT_JUNIPER_ES: 3335 case DLT_JUNIPER_MONITOR: 3336 case DLT_JUNIPER_SERVICES: 3337 case DLT_JUNIPER_ETHER: 3338 case DLT_JUNIPER_PPP: 3339 case DLT_JUNIPER_FRELAY: 3340 case DLT_JUNIPER_CHDLC: 3341 case DLT_JUNIPER_VP: 3342 case DLT_JUNIPER_ST: 3343 case DLT_JUNIPER_ISM: 3344 case DLT_JUNIPER_VS: 3345 case DLT_JUNIPER_SRX_E2E: 3346 case DLT_JUNIPER_FIBRECHANNEL: 3347 case DLT_JUNIPER_ATM_CEMIC: 3348 3349 /* just lets verify the magic number for now - 3350 * on ATM we may have up to 6 different encapsulations on the wire 3351 * and need a lot of heuristics to figure out that the payload 3352 * might be; 3353 * 3354 * FIXME encapsulation specific BPF_ filters 3355 */ 3356 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3357 3358 case DLT_BACNET_MS_TP: 3359 return gen_mcmp(OR_LINK, 0, BPF_W, 0x55FF0000, 0xffff0000); 3360 3361 case DLT_IPNET: 3362 return gen_ipnet_linktype(proto); 3363 3364 case DLT_LINUX_IRDA: 3365 bpf_error("IrDA link-layer type filtering not implemented"); 3366 3367 case DLT_DOCSIS: 3368 bpf_error("DOCSIS link-layer type filtering not implemented"); 3369 3370 case DLT_MTP2: 3371 case DLT_MTP2_WITH_PHDR: 3372 bpf_error("MTP2 link-layer type filtering not implemented"); 3373 3374 case DLT_ERF: 3375 bpf_error("ERF link-layer type filtering not implemented"); 3376 3377 case DLT_PFSYNC: 3378 bpf_error("PFSYNC link-layer type filtering not implemented"); 3379 3380 case DLT_LINUX_LAPD: 3381 bpf_error("LAPD link-layer type filtering not implemented"); 3382 3383 case DLT_USB: 3384 case DLT_USB_LINUX: 3385 case DLT_USB_LINUX_MMAPPED: 3386 bpf_error("USB link-layer type filtering not implemented"); 3387 3388 case DLT_BLUETOOTH_HCI_H4: 3389 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3390 bpf_error("Bluetooth link-layer type filtering not implemented"); 3391 3392 case DLT_CAN20B: 3393 case DLT_CAN_SOCKETCAN: 3394 bpf_error("CAN link-layer type filtering not implemented"); 3395 3396 case DLT_IEEE802_15_4: 3397 case DLT_IEEE802_15_4_LINUX: 3398 case DLT_IEEE802_15_4_NONASK_PHY: 3399 case DLT_IEEE802_15_4_NOFCS: 3400 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3401 3402 case DLT_IEEE802_16_MAC_CPS_RADIO: 3403 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3404 3405 case DLT_SITA: 3406 bpf_error("SITA link-layer type filtering not implemented"); 3407 3408 case DLT_RAIF1: 3409 bpf_error("RAIF1 link-layer type filtering not implemented"); 3410 3411 case DLT_IPMB: 3412 bpf_error("IPMB link-layer type filtering not implemented"); 3413 3414 case DLT_AX25_KISS: 3415 bpf_error("AX.25 link-layer type filtering not implemented"); 3416 } 3417 3418 /* 3419 * All the types that have no encapsulation should either be 3420 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3421 * all packets are IP packets, or should be handled in some 3422 * special case, if none of them are (if some are and some 3423 * aren't, the lack of encapsulation is a problem, as we'd 3424 * have to find some other way of determining the packet type). 3425 * 3426 * Therefore, if "off_linktype" is -1, there's an error. 3427 */ 3428 if (off_linktype == (u_int)-1) 3429 abort(); 3430 3431 /* 3432 * Any type not handled above should always have an Ethernet 3433 * type at an offset of "off_linktype". 3434 */ 3435 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3436 } 3437 3438 /* 3439 * Check for an LLC SNAP packet with a given organization code and 3440 * protocol type; we check the entire contents of the 802.2 LLC and 3441 * snap headers, checking for DSAP and SSAP of SNAP and a control 3442 * field of 0x03 in the LLC header, and for the specified organization 3443 * code and protocol type in the SNAP header. 3444 */ 3445 static struct block * 3446 gen_snap(orgcode, ptype) 3447 bpf_u_int32 orgcode; 3448 bpf_u_int32 ptype; 3449 { 3450 u_char snapblock[8]; 3451 3452 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3453 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3454 snapblock[2] = 0x03; /* control = UI */ 3455 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3456 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3457 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3458 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3459 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3460 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3461 } 3462 3463 /* 3464 * Generate code to match a particular packet type, for link-layer types 3465 * using 802.2 LLC headers. 3466 * 3467 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3468 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3469 * 3470 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3471 * value, if <= ETHERMTU. We use that to determine whether to 3472 * match the DSAP or both DSAP and LSAP or to check the OUI and 3473 * protocol ID in a SNAP header. 3474 */ 3475 static struct block * 3476 gen_llc_linktype(proto) 3477 int proto; 3478 { 3479 /* 3480 * XXX - handle token-ring variable-length header. 3481 */ 3482 switch (proto) { 3483 3484 case LLCSAP_IP: 3485 case LLCSAP_ISONS: 3486 case LLCSAP_NETBEUI: 3487 /* 3488 * XXX - should we check both the DSAP and the 3489 * SSAP, like this, or should we check just the 3490 * DSAP, as we do for other types <= ETHERMTU 3491 * (i.e., other SAP values)? 3492 */ 3493 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3494 ((proto << 8) | proto)); 3495 3496 case LLCSAP_IPX: 3497 /* 3498 * XXX - are there ever SNAP frames for IPX on 3499 * non-Ethernet 802.x networks? 3500 */ 3501 return gen_cmp(OR_MACPL, 0, BPF_B, 3502 (bpf_int32)LLCSAP_IPX); 3503 3504 case ETHERTYPE_ATALK: 3505 /* 3506 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3507 * SNAP packets with an organization code of 3508 * 0x080007 (Apple, for Appletalk) and a protocol 3509 * type of ETHERTYPE_ATALK (Appletalk). 3510 * 3511 * XXX - check for an organization code of 3512 * encapsulated Ethernet as well? 3513 */ 3514 return gen_snap(0x080007, ETHERTYPE_ATALK); 3515 3516 default: 3517 /* 3518 * XXX - we don't have to check for IPX 802.3 3519 * here, but should we check for the IPX Ethertype? 3520 */ 3521 if (proto <= ETHERMTU) { 3522 /* 3523 * This is an LLC SAP value, so check 3524 * the DSAP. 3525 */ 3526 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3527 } else { 3528 /* 3529 * This is an Ethernet type; we assume that it's 3530 * unlikely that it'll appear in the right place 3531 * at random, and therefore check only the 3532 * location that would hold the Ethernet type 3533 * in a SNAP frame with an organization code of 3534 * 0x000000 (encapsulated Ethernet). 3535 * 3536 * XXX - if we were to check for the SNAP DSAP and 3537 * LSAP, as per XXX, and were also to check for an 3538 * organization code of 0x000000 (encapsulated 3539 * Ethernet), we'd do 3540 * 3541 * return gen_snap(0x000000, proto); 3542 * 3543 * here; for now, we don't, as per the above. 3544 * I don't know whether it's worth the extra CPU 3545 * time to do the right check or not. 3546 */ 3547 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3548 } 3549 } 3550 } 3551 3552 static struct block * 3553 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3554 bpf_u_int32 addr; 3555 bpf_u_int32 mask; 3556 int dir, proto; 3557 u_int src_off, dst_off; 3558 { 3559 struct block *b0, *b1; 3560 u_int offset; 3561 3562 switch (dir) { 3563 3564 case Q_SRC: 3565 offset = src_off; 3566 break; 3567 3568 case Q_DST: 3569 offset = dst_off; 3570 break; 3571 3572 case Q_AND: 3573 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3574 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3575 gen_and(b0, b1); 3576 return b1; 3577 3578 case Q_OR: 3579 case Q_DEFAULT: 3580 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3581 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3582 gen_or(b0, b1); 3583 return b1; 3584 3585 default: 3586 abort(); 3587 } 3588 b0 = gen_linktype(proto); 3589 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3590 gen_and(b0, b1); 3591 return b1; 3592 } 3593 3594 #ifdef INET6 3595 static struct block * 3596 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3597 struct in6_addr *addr; 3598 struct in6_addr *mask; 3599 int dir, proto; 3600 u_int src_off, dst_off; 3601 { 3602 struct block *b0, *b1; 3603 u_int offset; 3604 u_int32_t *a, *m; 3605 3606 switch (dir) { 3607 3608 case Q_SRC: 3609 offset = src_off; 3610 break; 3611 3612 case Q_DST: 3613 offset = dst_off; 3614 break; 3615 3616 case Q_AND: 3617 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3618 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3619 gen_and(b0, b1); 3620 return b1; 3621 3622 case Q_OR: 3623 case Q_DEFAULT: 3624 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3625 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3626 gen_or(b0, b1); 3627 return b1; 3628 3629 default: 3630 abort(); 3631 } 3632 /* this order is important */ 3633 a = (u_int32_t *)addr; 3634 m = (u_int32_t *)mask; 3635 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3636 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3637 gen_and(b0, b1); 3638 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3639 gen_and(b0, b1); 3640 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3641 gen_and(b0, b1); 3642 b0 = gen_linktype(proto); 3643 gen_and(b0, b1); 3644 return b1; 3645 } 3646 #endif 3647 3648 static struct block * 3649 gen_ehostop(eaddr, dir) 3650 register const u_char *eaddr; 3651 register int dir; 3652 { 3653 register struct block *b0, *b1; 3654 3655 switch (dir) { 3656 case Q_SRC: 3657 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3658 3659 case Q_DST: 3660 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3661 3662 case Q_AND: 3663 b0 = gen_ehostop(eaddr, Q_SRC); 3664 b1 = gen_ehostop(eaddr, Q_DST); 3665 gen_and(b0, b1); 3666 return b1; 3667 3668 case Q_DEFAULT: 3669 case Q_OR: 3670 b0 = gen_ehostop(eaddr, Q_SRC); 3671 b1 = gen_ehostop(eaddr, Q_DST); 3672 gen_or(b0, b1); 3673 return b1; 3674 3675 case Q_ADDR1: 3676 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3677 break; 3678 3679 case Q_ADDR2: 3680 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3681 break; 3682 3683 case Q_ADDR3: 3684 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3685 break; 3686 3687 case Q_ADDR4: 3688 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3689 break; 3690 3691 case Q_RA: 3692 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3693 break; 3694 3695 case Q_TA: 3696 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3697 break; 3698 } 3699 abort(); 3700 /* NOTREACHED */ 3701 } 3702 3703 /* 3704 * Like gen_ehostop, but for DLT_FDDI 3705 */ 3706 static struct block * 3707 gen_fhostop(eaddr, dir) 3708 register const u_char *eaddr; 3709 register int dir; 3710 { 3711 struct block *b0, *b1; 3712 3713 switch (dir) { 3714 case Q_SRC: 3715 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3716 3717 case Q_DST: 3718 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3719 3720 case Q_AND: 3721 b0 = gen_fhostop(eaddr, Q_SRC); 3722 b1 = gen_fhostop(eaddr, Q_DST); 3723 gen_and(b0, b1); 3724 return b1; 3725 3726 case Q_DEFAULT: 3727 case Q_OR: 3728 b0 = gen_fhostop(eaddr, Q_SRC); 3729 b1 = gen_fhostop(eaddr, Q_DST); 3730 gen_or(b0, b1); 3731 return b1; 3732 3733 case Q_ADDR1: 3734 bpf_error("'addr1' is only supported on 802.11"); 3735 break; 3736 3737 case Q_ADDR2: 3738 bpf_error("'addr2' is only supported on 802.11"); 3739 break; 3740 3741 case Q_ADDR3: 3742 bpf_error("'addr3' is only supported on 802.11"); 3743 break; 3744 3745 case Q_ADDR4: 3746 bpf_error("'addr4' is only supported on 802.11"); 3747 break; 3748 3749 case Q_RA: 3750 bpf_error("'ra' is only supported on 802.11"); 3751 break; 3752 3753 case Q_TA: 3754 bpf_error("'ta' is only supported on 802.11"); 3755 break; 3756 } 3757 abort(); 3758 /* NOTREACHED */ 3759 } 3760 3761 /* 3762 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3763 */ 3764 static struct block * 3765 gen_thostop(eaddr, dir) 3766 register const u_char *eaddr; 3767 register int dir; 3768 { 3769 register struct block *b0, *b1; 3770 3771 switch (dir) { 3772 case Q_SRC: 3773 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3774 3775 case Q_DST: 3776 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3777 3778 case Q_AND: 3779 b0 = gen_thostop(eaddr, Q_SRC); 3780 b1 = gen_thostop(eaddr, Q_DST); 3781 gen_and(b0, b1); 3782 return b1; 3783 3784 case Q_DEFAULT: 3785 case Q_OR: 3786 b0 = gen_thostop(eaddr, Q_SRC); 3787 b1 = gen_thostop(eaddr, Q_DST); 3788 gen_or(b0, b1); 3789 return b1; 3790 3791 case Q_ADDR1: 3792 bpf_error("'addr1' is only supported on 802.11"); 3793 break; 3794 3795 case Q_ADDR2: 3796 bpf_error("'addr2' is only supported on 802.11"); 3797 break; 3798 3799 case Q_ADDR3: 3800 bpf_error("'addr3' is only supported on 802.11"); 3801 break; 3802 3803 case Q_ADDR4: 3804 bpf_error("'addr4' is only supported on 802.11"); 3805 break; 3806 3807 case Q_RA: 3808 bpf_error("'ra' is only supported on 802.11"); 3809 break; 3810 3811 case Q_TA: 3812 bpf_error("'ta' is only supported on 802.11"); 3813 break; 3814 } 3815 abort(); 3816 /* NOTREACHED */ 3817 } 3818 3819 /* 3820 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3821 * various 802.11 + radio headers. 3822 */ 3823 static struct block * 3824 gen_wlanhostop(eaddr, dir) 3825 register const u_char *eaddr; 3826 register int dir; 3827 { 3828 register struct block *b0, *b1, *b2; 3829 register struct slist *s; 3830 3831 #ifdef ENABLE_WLAN_FILTERING_PATCH 3832 /* 3833 * TODO GV 20070613 3834 * We need to disable the optimizer because the optimizer is buggy 3835 * and wipes out some LD instructions generated by the below 3836 * code to validate the Frame Control bits 3837 */ 3838 no_optimize = 1; 3839 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3840 3841 switch (dir) { 3842 case Q_SRC: 3843 /* 3844 * Oh, yuk. 3845 * 3846 * For control frames, there is no SA. 3847 * 3848 * For management frames, SA is at an 3849 * offset of 10 from the beginning of 3850 * the packet. 3851 * 3852 * For data frames, SA is at an offset 3853 * of 10 from the beginning of the packet 3854 * if From DS is clear, at an offset of 3855 * 16 from the beginning of the packet 3856 * if From DS is set and To DS is clear, 3857 * and an offset of 24 from the beginning 3858 * of the packet if From DS is set and To DS 3859 * is set. 3860 */ 3861 3862 /* 3863 * Generate the tests to be done for data frames 3864 * with From DS set. 3865 * 3866 * First, check for To DS set, i.e. check "link[1] & 0x01". 3867 */ 3868 s = gen_load_a(OR_LINK, 1, BPF_B); 3869 b1 = new_block(JMP(BPF_JSET)); 3870 b1->s.k = 0x01; /* To DS */ 3871 b1->stmts = s; 3872 3873 /* 3874 * If To DS is set, the SA is at 24. 3875 */ 3876 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3877 gen_and(b1, b0); 3878 3879 /* 3880 * Now, check for To DS not set, i.e. check 3881 * "!(link[1] & 0x01)". 3882 */ 3883 s = gen_load_a(OR_LINK, 1, BPF_B); 3884 b2 = new_block(JMP(BPF_JSET)); 3885 b2->s.k = 0x01; /* To DS */ 3886 b2->stmts = s; 3887 gen_not(b2); 3888 3889 /* 3890 * If To DS is not set, the SA is at 16. 3891 */ 3892 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3893 gen_and(b2, b1); 3894 3895 /* 3896 * Now OR together the last two checks. That gives 3897 * the complete set of checks for data frames with 3898 * From DS set. 3899 */ 3900 gen_or(b1, b0); 3901 3902 /* 3903 * Now check for From DS being set, and AND that with 3904 * the ORed-together checks. 3905 */ 3906 s = gen_load_a(OR_LINK, 1, BPF_B); 3907 b1 = new_block(JMP(BPF_JSET)); 3908 b1->s.k = 0x02; /* From DS */ 3909 b1->stmts = s; 3910 gen_and(b1, b0); 3911 3912 /* 3913 * Now check for data frames with From DS not set. 3914 */ 3915 s = gen_load_a(OR_LINK, 1, BPF_B); 3916 b2 = new_block(JMP(BPF_JSET)); 3917 b2->s.k = 0x02; /* From DS */ 3918 b2->stmts = s; 3919 gen_not(b2); 3920 3921 /* 3922 * If From DS isn't set, the SA is at 10. 3923 */ 3924 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3925 gen_and(b2, b1); 3926 3927 /* 3928 * Now OR together the checks for data frames with 3929 * From DS not set and for data frames with From DS 3930 * set; that gives the checks done for data frames. 3931 */ 3932 gen_or(b1, b0); 3933 3934 /* 3935 * Now check for a data frame. 3936 * I.e, check "link[0] & 0x08". 3937 */ 3938 s = gen_load_a(OR_LINK, 0, BPF_B); 3939 b1 = new_block(JMP(BPF_JSET)); 3940 b1->s.k = 0x08; 3941 b1->stmts = s; 3942 3943 /* 3944 * AND that with the checks done for data frames. 3945 */ 3946 gen_and(b1, b0); 3947 3948 /* 3949 * If the high-order bit of the type value is 0, this 3950 * is a management frame. 3951 * I.e, check "!(link[0] & 0x08)". 3952 */ 3953 s = gen_load_a(OR_LINK, 0, BPF_B); 3954 b2 = new_block(JMP(BPF_JSET)); 3955 b2->s.k = 0x08; 3956 b2->stmts = s; 3957 gen_not(b2); 3958 3959 /* 3960 * For management frames, the SA is at 10. 3961 */ 3962 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3963 gen_and(b2, b1); 3964 3965 /* 3966 * OR that with the checks done for data frames. 3967 * That gives the checks done for management and 3968 * data frames. 3969 */ 3970 gen_or(b1, b0); 3971 3972 /* 3973 * If the low-order bit of the type value is 1, 3974 * this is either a control frame or a frame 3975 * with a reserved type, and thus not a 3976 * frame with an SA. 3977 * 3978 * I.e., check "!(link[0] & 0x04)". 3979 */ 3980 s = gen_load_a(OR_LINK, 0, BPF_B); 3981 b1 = new_block(JMP(BPF_JSET)); 3982 b1->s.k = 0x04; 3983 b1->stmts = s; 3984 gen_not(b1); 3985 3986 /* 3987 * AND that with the checks for data and management 3988 * frames. 3989 */ 3990 gen_and(b1, b0); 3991 return b0; 3992 3993 case Q_DST: 3994 /* 3995 * Oh, yuk. 3996 * 3997 * For control frames, there is no DA. 3998 * 3999 * For management frames, DA is at an 4000 * offset of 4 from the beginning of 4001 * the packet. 4002 * 4003 * For data frames, DA is at an offset 4004 * of 4 from the beginning of the packet 4005 * if To DS is clear and at an offset of 4006 * 16 from the beginning of the packet 4007 * if To DS is set. 4008 */ 4009 4010 /* 4011 * Generate the tests to be done for data frames. 4012 * 4013 * First, check for To DS set, i.e. "link[1] & 0x01". 4014 */ 4015 s = gen_load_a(OR_LINK, 1, BPF_B); 4016 b1 = new_block(JMP(BPF_JSET)); 4017 b1->s.k = 0x01; /* To DS */ 4018 b1->stmts = s; 4019 4020 /* 4021 * If To DS is set, the DA is at 16. 4022 */ 4023 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4024 gen_and(b1, b0); 4025 4026 /* 4027 * Now, check for To DS not set, i.e. check 4028 * "!(link[1] & 0x01)". 4029 */ 4030 s = gen_load_a(OR_LINK, 1, BPF_B); 4031 b2 = new_block(JMP(BPF_JSET)); 4032 b2->s.k = 0x01; /* To DS */ 4033 b2->stmts = s; 4034 gen_not(b2); 4035 4036 /* 4037 * If To DS is not set, the DA is at 4. 4038 */ 4039 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4040 gen_and(b2, b1); 4041 4042 /* 4043 * Now OR together the last two checks. That gives 4044 * the complete set of checks for data frames. 4045 */ 4046 gen_or(b1, b0); 4047 4048 /* 4049 * Now check for a data frame. 4050 * I.e, check "link[0] & 0x08". 4051 */ 4052 s = gen_load_a(OR_LINK, 0, BPF_B); 4053 b1 = new_block(JMP(BPF_JSET)); 4054 b1->s.k = 0x08; 4055 b1->stmts = s; 4056 4057 /* 4058 * AND that with the checks done for data frames. 4059 */ 4060 gen_and(b1, b0); 4061 4062 /* 4063 * If the high-order bit of the type value is 0, this 4064 * is a management frame. 4065 * I.e, check "!(link[0] & 0x08)". 4066 */ 4067 s = gen_load_a(OR_LINK, 0, BPF_B); 4068 b2 = new_block(JMP(BPF_JSET)); 4069 b2->s.k = 0x08; 4070 b2->stmts = s; 4071 gen_not(b2); 4072 4073 /* 4074 * For management frames, the DA is at 4. 4075 */ 4076 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4077 gen_and(b2, b1); 4078 4079 /* 4080 * OR that with the checks done for data frames. 4081 * That gives the checks done for management and 4082 * data frames. 4083 */ 4084 gen_or(b1, b0); 4085 4086 /* 4087 * If the low-order bit of the type value is 1, 4088 * this is either a control frame or a frame 4089 * with a reserved type, and thus not a 4090 * frame with an SA. 4091 * 4092 * I.e., check "!(link[0] & 0x04)". 4093 */ 4094 s = gen_load_a(OR_LINK, 0, BPF_B); 4095 b1 = new_block(JMP(BPF_JSET)); 4096 b1->s.k = 0x04; 4097 b1->stmts = s; 4098 gen_not(b1); 4099 4100 /* 4101 * AND that with the checks for data and management 4102 * frames. 4103 */ 4104 gen_and(b1, b0); 4105 return b0; 4106 4107 case Q_RA: 4108 /* 4109 * Not present in management frames; addr1 in other 4110 * frames. 4111 */ 4112 4113 /* 4114 * If the high-order bit of the type value is 0, this 4115 * is a management frame. 4116 * I.e, check "(link[0] & 0x08)". 4117 */ 4118 s = gen_load_a(OR_LINK, 0, BPF_B); 4119 b1 = new_block(JMP(BPF_JSET)); 4120 b1->s.k = 0x08; 4121 b1->stmts = s; 4122 4123 /* 4124 * Check addr1. 4125 */ 4126 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4127 4128 /* 4129 * AND that with the check of addr1. 4130 */ 4131 gen_and(b1, b0); 4132 return (b0); 4133 4134 case Q_TA: 4135 /* 4136 * Not present in management frames; addr2, if present, 4137 * in other frames. 4138 */ 4139 4140 /* 4141 * Not present in CTS or ACK control frames. 4142 */ 4143 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4144 IEEE80211_FC0_TYPE_MASK); 4145 gen_not(b0); 4146 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4147 IEEE80211_FC0_SUBTYPE_MASK); 4148 gen_not(b1); 4149 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4150 IEEE80211_FC0_SUBTYPE_MASK); 4151 gen_not(b2); 4152 gen_and(b1, b2); 4153 gen_or(b0, b2); 4154 4155 /* 4156 * If the high-order bit of the type value is 0, this 4157 * is a management frame. 4158 * I.e, check "(link[0] & 0x08)". 4159 */ 4160 s = gen_load_a(OR_LINK, 0, BPF_B); 4161 b1 = new_block(JMP(BPF_JSET)); 4162 b1->s.k = 0x08; 4163 b1->stmts = s; 4164 4165 /* 4166 * AND that with the check for frames other than 4167 * CTS and ACK frames. 4168 */ 4169 gen_and(b1, b2); 4170 4171 /* 4172 * Check addr2. 4173 */ 4174 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4175 gen_and(b2, b1); 4176 return b1; 4177 4178 /* 4179 * XXX - add BSSID keyword? 4180 */ 4181 case Q_ADDR1: 4182 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4183 4184 case Q_ADDR2: 4185 /* 4186 * Not present in CTS or ACK control frames. 4187 */ 4188 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4189 IEEE80211_FC0_TYPE_MASK); 4190 gen_not(b0); 4191 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4192 IEEE80211_FC0_SUBTYPE_MASK); 4193 gen_not(b1); 4194 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4195 IEEE80211_FC0_SUBTYPE_MASK); 4196 gen_not(b2); 4197 gen_and(b1, b2); 4198 gen_or(b0, b2); 4199 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4200 gen_and(b2, b1); 4201 return b1; 4202 4203 case Q_ADDR3: 4204 /* 4205 * Not present in control frames. 4206 */ 4207 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4208 IEEE80211_FC0_TYPE_MASK); 4209 gen_not(b0); 4210 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4211 gen_and(b0, b1); 4212 return b1; 4213 4214 case Q_ADDR4: 4215 /* 4216 * Present only if the direction mask has both "From DS" 4217 * and "To DS" set. Neither control frames nor management 4218 * frames should have both of those set, so we don't 4219 * check the frame type. 4220 */ 4221 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4222 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4223 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4224 gen_and(b0, b1); 4225 return b1; 4226 4227 case Q_AND: 4228 b0 = gen_wlanhostop(eaddr, Q_SRC); 4229 b1 = gen_wlanhostop(eaddr, Q_DST); 4230 gen_and(b0, b1); 4231 return b1; 4232 4233 case Q_DEFAULT: 4234 case Q_OR: 4235 b0 = gen_wlanhostop(eaddr, Q_SRC); 4236 b1 = gen_wlanhostop(eaddr, Q_DST); 4237 gen_or(b0, b1); 4238 return b1; 4239 } 4240 abort(); 4241 /* NOTREACHED */ 4242 } 4243 4244 /* 4245 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4246 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4247 * as the RFC states.) 4248 */ 4249 static struct block * 4250 gen_ipfchostop(eaddr, dir) 4251 register const u_char *eaddr; 4252 register int dir; 4253 { 4254 register struct block *b0, *b1; 4255 4256 switch (dir) { 4257 case Q_SRC: 4258 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4259 4260 case Q_DST: 4261 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4262 4263 case Q_AND: 4264 b0 = gen_ipfchostop(eaddr, Q_SRC); 4265 b1 = gen_ipfchostop(eaddr, Q_DST); 4266 gen_and(b0, b1); 4267 return b1; 4268 4269 case Q_DEFAULT: 4270 case Q_OR: 4271 b0 = gen_ipfchostop(eaddr, Q_SRC); 4272 b1 = gen_ipfchostop(eaddr, Q_DST); 4273 gen_or(b0, b1); 4274 return b1; 4275 4276 case Q_ADDR1: 4277 bpf_error("'addr1' is only supported on 802.11"); 4278 break; 4279 4280 case Q_ADDR2: 4281 bpf_error("'addr2' is only supported on 802.11"); 4282 break; 4283 4284 case Q_ADDR3: 4285 bpf_error("'addr3' is only supported on 802.11"); 4286 break; 4287 4288 case Q_ADDR4: 4289 bpf_error("'addr4' is only supported on 802.11"); 4290 break; 4291 4292 case Q_RA: 4293 bpf_error("'ra' is only supported on 802.11"); 4294 break; 4295 4296 case Q_TA: 4297 bpf_error("'ta' is only supported on 802.11"); 4298 break; 4299 } 4300 abort(); 4301 /* NOTREACHED */ 4302 } 4303 4304 /* 4305 * This is quite tricky because there may be pad bytes in front of the 4306 * DECNET header, and then there are two possible data packet formats that 4307 * carry both src and dst addresses, plus 5 packet types in a format that 4308 * carries only the src node, plus 2 types that use a different format and 4309 * also carry just the src node. 4310 * 4311 * Yuck. 4312 * 4313 * Instead of doing those all right, we just look for data packets with 4314 * 0 or 1 bytes of padding. If you want to look at other packets, that 4315 * will require a lot more hacking. 4316 * 4317 * To add support for filtering on DECNET "areas" (network numbers) 4318 * one would want to add a "mask" argument to this routine. That would 4319 * make the filter even more inefficient, although one could be clever 4320 * and not generate masking instructions if the mask is 0xFFFF. 4321 */ 4322 static struct block * 4323 gen_dnhostop(addr, dir) 4324 bpf_u_int32 addr; 4325 int dir; 4326 { 4327 struct block *b0, *b1, *b2, *tmp; 4328 u_int offset_lh; /* offset if long header is received */ 4329 u_int offset_sh; /* offset if short header is received */ 4330 4331 switch (dir) { 4332 4333 case Q_DST: 4334 offset_sh = 1; /* follows flags */ 4335 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4336 break; 4337 4338 case Q_SRC: 4339 offset_sh = 3; /* follows flags, dstnode */ 4340 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4341 break; 4342 4343 case Q_AND: 4344 /* Inefficient because we do our Calvinball dance twice */ 4345 b0 = gen_dnhostop(addr, Q_SRC); 4346 b1 = gen_dnhostop(addr, Q_DST); 4347 gen_and(b0, b1); 4348 return b1; 4349 4350 case Q_OR: 4351 case Q_DEFAULT: 4352 /* Inefficient because we do our Calvinball dance twice */ 4353 b0 = gen_dnhostop(addr, Q_SRC); 4354 b1 = gen_dnhostop(addr, Q_DST); 4355 gen_or(b0, b1); 4356 return b1; 4357 4358 case Q_ISO: 4359 bpf_error("ISO host filtering not implemented"); 4360 4361 default: 4362 abort(); 4363 } 4364 b0 = gen_linktype(ETHERTYPE_DN); 4365 /* Check for pad = 1, long header case */ 4366 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4367 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4368 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4369 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4370 gen_and(tmp, b1); 4371 /* Check for pad = 0, long header case */ 4372 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4373 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4374 gen_and(tmp, b2); 4375 gen_or(b2, b1); 4376 /* Check for pad = 1, short header case */ 4377 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4378 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4379 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4380 gen_and(tmp, b2); 4381 gen_or(b2, b1); 4382 /* Check for pad = 0, short header case */ 4383 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4384 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4385 gen_and(tmp, b2); 4386 gen_or(b2, b1); 4387 4388 /* Combine with test for linktype */ 4389 gen_and(b0, b1); 4390 return b1; 4391 } 4392 4393 /* 4394 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4395 * test the bottom-of-stack bit, and then check the version number 4396 * field in the IP header. 4397 */ 4398 static struct block * 4399 gen_mpls_linktype(proto) 4400 int proto; 4401 { 4402 struct block *b0, *b1; 4403 4404 switch (proto) { 4405 4406 case Q_IP: 4407 /* match the bottom-of-stack bit */ 4408 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4409 /* match the IPv4 version number */ 4410 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4411 gen_and(b0, b1); 4412 return b1; 4413 4414 case Q_IPV6: 4415 /* match the bottom-of-stack bit */ 4416 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4417 /* match the IPv4 version number */ 4418 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4419 gen_and(b0, b1); 4420 return b1; 4421 4422 default: 4423 abort(); 4424 } 4425 } 4426 4427 static struct block * 4428 gen_host(addr, mask, proto, dir, type) 4429 bpf_u_int32 addr; 4430 bpf_u_int32 mask; 4431 int proto; 4432 int dir; 4433 int type; 4434 { 4435 struct block *b0, *b1; 4436 const char *typestr; 4437 4438 if (type == Q_NET) 4439 typestr = "net"; 4440 else 4441 typestr = "host"; 4442 4443 switch (proto) { 4444 4445 case Q_DEFAULT: 4446 b0 = gen_host(addr, mask, Q_IP, dir, type); 4447 /* 4448 * Only check for non-IPv4 addresses if we're not 4449 * checking MPLS-encapsulated packets. 4450 */ 4451 if (label_stack_depth == 0) { 4452 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4453 gen_or(b0, b1); 4454 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4455 gen_or(b1, b0); 4456 } 4457 return b0; 4458 4459 case Q_IP: 4460 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4461 4462 case Q_RARP: 4463 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4464 4465 case Q_ARP: 4466 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4467 4468 case Q_TCP: 4469 bpf_error("'tcp' modifier applied to %s", typestr); 4470 4471 case Q_SCTP: 4472 bpf_error("'sctp' modifier applied to %s", typestr); 4473 4474 case Q_UDP: 4475 bpf_error("'udp' modifier applied to %s", typestr); 4476 4477 case Q_ICMP: 4478 bpf_error("'icmp' modifier applied to %s", typestr); 4479 4480 case Q_IGMP: 4481 bpf_error("'igmp' modifier applied to %s", typestr); 4482 4483 case Q_IGRP: 4484 bpf_error("'igrp' modifier applied to %s", typestr); 4485 4486 case Q_PIM: 4487 bpf_error("'pim' modifier applied to %s", typestr); 4488 4489 case Q_VRRP: 4490 bpf_error("'vrrp' modifier applied to %s", typestr); 4491 4492 case Q_CARP: 4493 bpf_error("'carp' modifier applied to %s", typestr); 4494 4495 case Q_ATALK: 4496 bpf_error("ATALK host filtering not implemented"); 4497 4498 case Q_AARP: 4499 bpf_error("AARP host filtering not implemented"); 4500 4501 case Q_DECNET: 4502 return gen_dnhostop(addr, dir); 4503 4504 case Q_SCA: 4505 bpf_error("SCA host filtering not implemented"); 4506 4507 case Q_LAT: 4508 bpf_error("LAT host filtering not implemented"); 4509 4510 case Q_MOPDL: 4511 bpf_error("MOPDL host filtering not implemented"); 4512 4513 case Q_MOPRC: 4514 bpf_error("MOPRC host filtering not implemented"); 4515 4516 case Q_IPV6: 4517 bpf_error("'ip6' modifier applied to ip host"); 4518 4519 case Q_ICMPV6: 4520 bpf_error("'icmp6' modifier applied to %s", typestr); 4521 4522 case Q_AH: 4523 bpf_error("'ah' modifier applied to %s", typestr); 4524 4525 case Q_ESP: 4526 bpf_error("'esp' modifier applied to %s", typestr); 4527 4528 case Q_ISO: 4529 bpf_error("ISO host filtering not implemented"); 4530 4531 case Q_ESIS: 4532 bpf_error("'esis' modifier applied to %s", typestr); 4533 4534 case Q_ISIS: 4535 bpf_error("'isis' modifier applied to %s", typestr); 4536 4537 case Q_CLNP: 4538 bpf_error("'clnp' modifier applied to %s", typestr); 4539 4540 case Q_STP: 4541 bpf_error("'stp' modifier applied to %s", typestr); 4542 4543 case Q_IPX: 4544 bpf_error("IPX host filtering not implemented"); 4545 4546 case Q_NETBEUI: 4547 bpf_error("'netbeui' modifier applied to %s", typestr); 4548 4549 case Q_RADIO: 4550 bpf_error("'radio' modifier applied to %s", typestr); 4551 4552 default: 4553 abort(); 4554 } 4555 /* NOTREACHED */ 4556 } 4557 4558 #ifdef INET6 4559 static struct block * 4560 gen_host6(addr, mask, proto, dir, type) 4561 struct in6_addr *addr; 4562 struct in6_addr *mask; 4563 int proto; 4564 int dir; 4565 int type; 4566 { 4567 const char *typestr; 4568 4569 if (type == Q_NET) 4570 typestr = "net"; 4571 else 4572 typestr = "host"; 4573 4574 switch (proto) { 4575 4576 case Q_DEFAULT: 4577 return gen_host6(addr, mask, Q_IPV6, dir, type); 4578 4579 case Q_LINK: 4580 bpf_error("link-layer modifier applied to ip6 %s", typestr); 4581 4582 case Q_IP: 4583 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4584 4585 case Q_RARP: 4586 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4587 4588 case Q_ARP: 4589 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4590 4591 case Q_SCTP: 4592 bpf_error("'sctp' modifier applied to %s", typestr); 4593 4594 case Q_TCP: 4595 bpf_error("'tcp' modifier applied to %s", typestr); 4596 4597 case Q_UDP: 4598 bpf_error("'udp' modifier applied to %s", typestr); 4599 4600 case Q_ICMP: 4601 bpf_error("'icmp' modifier applied to %s", typestr); 4602 4603 case Q_IGMP: 4604 bpf_error("'igmp' modifier applied to %s", typestr); 4605 4606 case Q_IGRP: 4607 bpf_error("'igrp' modifier applied to %s", typestr); 4608 4609 case Q_PIM: 4610 bpf_error("'pim' modifier applied to %s", typestr); 4611 4612 case Q_VRRP: 4613 bpf_error("'vrrp' modifier applied to %s", typestr); 4614 4615 case Q_CARP: 4616 bpf_error("'carp' modifier applied to %s", typestr); 4617 4618 case Q_ATALK: 4619 bpf_error("ATALK host filtering not implemented"); 4620 4621 case Q_AARP: 4622 bpf_error("AARP host filtering not implemented"); 4623 4624 case Q_DECNET: 4625 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4626 4627 case Q_SCA: 4628 bpf_error("SCA host filtering not implemented"); 4629 4630 case Q_LAT: 4631 bpf_error("LAT host filtering not implemented"); 4632 4633 case Q_MOPDL: 4634 bpf_error("MOPDL host filtering not implemented"); 4635 4636 case Q_MOPRC: 4637 bpf_error("MOPRC host filtering not implemented"); 4638 4639 case Q_IPV6: 4640 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4641 4642 case Q_ICMPV6: 4643 bpf_error("'icmp6' modifier applied to %s", typestr); 4644 4645 case Q_AH: 4646 bpf_error("'ah' modifier applied to %s", typestr); 4647 4648 case Q_ESP: 4649 bpf_error("'esp' modifier applied to %s", typestr); 4650 4651 case Q_ISO: 4652 bpf_error("ISO host filtering not implemented"); 4653 4654 case Q_ESIS: 4655 bpf_error("'esis' modifier applied to %s", typestr); 4656 4657 case Q_ISIS: 4658 bpf_error("'isis' modifier applied to %s", typestr); 4659 4660 case Q_CLNP: 4661 bpf_error("'clnp' modifier applied to %s", typestr); 4662 4663 case Q_STP: 4664 bpf_error("'stp' modifier applied to %s", typestr); 4665 4666 case Q_IPX: 4667 bpf_error("IPX host filtering not implemented"); 4668 4669 case Q_NETBEUI: 4670 bpf_error("'netbeui' modifier applied to %s", typestr); 4671 4672 case Q_RADIO: 4673 bpf_error("'radio' modifier applied to %s", typestr); 4674 4675 default: 4676 abort(); 4677 } 4678 /* NOTREACHED */ 4679 } 4680 #endif 4681 4682 #ifndef INET6 4683 static struct block * 4684 gen_gateway(eaddr, alist, proto, dir) 4685 const u_char *eaddr; 4686 bpf_u_int32 **alist; 4687 int proto; 4688 int dir; 4689 { 4690 struct block *b0, *b1, *tmp; 4691 4692 if (dir != 0) 4693 bpf_error("direction applied to 'gateway'"); 4694 4695 switch (proto) { 4696 case Q_DEFAULT: 4697 case Q_IP: 4698 case Q_ARP: 4699 case Q_RARP: 4700 switch (linktype) { 4701 case DLT_EN10MB: 4702 case DLT_NETANALYZER: 4703 case DLT_NETANALYZER_TRANSPARENT: 4704 b0 = gen_ehostop(eaddr, Q_OR); 4705 break; 4706 case DLT_FDDI: 4707 b0 = gen_fhostop(eaddr, Q_OR); 4708 break; 4709 case DLT_IEEE802: 4710 b0 = gen_thostop(eaddr, Q_OR); 4711 break; 4712 case DLT_IEEE802_11: 4713 case DLT_PRISM_HEADER: 4714 case DLT_IEEE802_11_RADIO_AVS: 4715 case DLT_IEEE802_11_RADIO: 4716 case DLT_PPI: 4717 b0 = gen_wlanhostop(eaddr, Q_OR); 4718 break; 4719 case DLT_SUNATM: 4720 if (!is_lane) 4721 bpf_error( 4722 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4723 /* 4724 * Check that the packet doesn't begin with an 4725 * LE Control marker. (We've already generated 4726 * a test for LANE.) 4727 */ 4728 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4729 BPF_H, 0xFF00); 4730 gen_not(b1); 4731 4732 /* 4733 * Now check the MAC address. 4734 */ 4735 b0 = gen_ehostop(eaddr, Q_OR); 4736 gen_and(b1, b0); 4737 break; 4738 case DLT_IP_OVER_FC: 4739 b0 = gen_ipfchostop(eaddr, Q_OR); 4740 break; 4741 default: 4742 bpf_error( 4743 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4744 } 4745 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4746 while (*alist) { 4747 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4748 Q_HOST); 4749 gen_or(b1, tmp); 4750 b1 = tmp; 4751 } 4752 gen_not(b1); 4753 gen_and(b0, b1); 4754 return b1; 4755 } 4756 bpf_error("illegal modifier of 'gateway'"); 4757 /* NOTREACHED */ 4758 } 4759 #endif 4760 4761 struct block * 4762 gen_proto_abbrev(proto) 4763 int proto; 4764 { 4765 struct block *b0; 4766 struct block *b1; 4767 4768 switch (proto) { 4769 4770 case Q_SCTP: 4771 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4772 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4773 gen_or(b0, b1); 4774 break; 4775 4776 case Q_TCP: 4777 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4778 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4779 gen_or(b0, b1); 4780 break; 4781 4782 case Q_UDP: 4783 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4784 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4785 gen_or(b0, b1); 4786 break; 4787 4788 case Q_ICMP: 4789 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4790 break; 4791 4792 #ifndef IPPROTO_IGMP 4793 #define IPPROTO_IGMP 2 4794 #endif 4795 4796 case Q_IGMP: 4797 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4798 break; 4799 4800 #ifndef IPPROTO_IGRP 4801 #define IPPROTO_IGRP 9 4802 #endif 4803 case Q_IGRP: 4804 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4805 break; 4806 4807 #ifndef IPPROTO_PIM 4808 #define IPPROTO_PIM 103 4809 #endif 4810 4811 case Q_PIM: 4812 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4813 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4814 gen_or(b0, b1); 4815 break; 4816 4817 #ifndef IPPROTO_VRRP 4818 #define IPPROTO_VRRP 112 4819 #endif 4820 4821 case Q_VRRP: 4822 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4823 break; 4824 4825 #ifndef IPPROTO_CARP 4826 #define IPPROTO_CARP 112 4827 #endif 4828 4829 case Q_CARP: 4830 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4831 break; 4832 4833 case Q_IP: 4834 b1 = gen_linktype(ETHERTYPE_IP); 4835 break; 4836 4837 case Q_ARP: 4838 b1 = gen_linktype(ETHERTYPE_ARP); 4839 break; 4840 4841 case Q_RARP: 4842 b1 = gen_linktype(ETHERTYPE_REVARP); 4843 break; 4844 4845 case Q_LINK: 4846 bpf_error("link layer applied in wrong context"); 4847 4848 case Q_ATALK: 4849 b1 = gen_linktype(ETHERTYPE_ATALK); 4850 break; 4851 4852 case Q_AARP: 4853 b1 = gen_linktype(ETHERTYPE_AARP); 4854 break; 4855 4856 case Q_DECNET: 4857 b1 = gen_linktype(ETHERTYPE_DN); 4858 break; 4859 4860 case Q_SCA: 4861 b1 = gen_linktype(ETHERTYPE_SCA); 4862 break; 4863 4864 case Q_LAT: 4865 b1 = gen_linktype(ETHERTYPE_LAT); 4866 break; 4867 4868 case Q_MOPDL: 4869 b1 = gen_linktype(ETHERTYPE_MOPDL); 4870 break; 4871 4872 case Q_MOPRC: 4873 b1 = gen_linktype(ETHERTYPE_MOPRC); 4874 break; 4875 4876 case Q_IPV6: 4877 b1 = gen_linktype(ETHERTYPE_IPV6); 4878 break; 4879 4880 #ifndef IPPROTO_ICMPV6 4881 #define IPPROTO_ICMPV6 58 4882 #endif 4883 case Q_ICMPV6: 4884 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4885 break; 4886 4887 #ifndef IPPROTO_AH 4888 #define IPPROTO_AH 51 4889 #endif 4890 case Q_AH: 4891 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4892 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4893 gen_or(b0, b1); 4894 break; 4895 4896 #ifndef IPPROTO_ESP 4897 #define IPPROTO_ESP 50 4898 #endif 4899 case Q_ESP: 4900 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4901 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4902 gen_or(b0, b1); 4903 break; 4904 4905 case Q_ISO: 4906 b1 = gen_linktype(LLCSAP_ISONS); 4907 break; 4908 4909 case Q_ESIS: 4910 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4911 break; 4912 4913 case Q_ISIS: 4914 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4915 break; 4916 4917 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4918 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4919 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4920 gen_or(b0, b1); 4921 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4922 gen_or(b0, b1); 4923 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4924 gen_or(b0, b1); 4925 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4926 gen_or(b0, b1); 4927 break; 4928 4929 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4930 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4931 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4932 gen_or(b0, b1); 4933 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4934 gen_or(b0, b1); 4935 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4936 gen_or(b0, b1); 4937 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4938 gen_or(b0, b1); 4939 break; 4940 4941 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4942 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4943 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4944 gen_or(b0, b1); 4945 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4946 gen_or(b0, b1); 4947 break; 4948 4949 case Q_ISIS_LSP: 4950 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4951 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4952 gen_or(b0, b1); 4953 break; 4954 4955 case Q_ISIS_SNP: 4956 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4957 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4958 gen_or(b0, b1); 4959 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4960 gen_or(b0, b1); 4961 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4962 gen_or(b0, b1); 4963 break; 4964 4965 case Q_ISIS_CSNP: 4966 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4967 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4968 gen_or(b0, b1); 4969 break; 4970 4971 case Q_ISIS_PSNP: 4972 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4973 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4974 gen_or(b0, b1); 4975 break; 4976 4977 case Q_CLNP: 4978 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4979 break; 4980 4981 case Q_STP: 4982 b1 = gen_linktype(LLCSAP_8021D); 4983 break; 4984 4985 case Q_IPX: 4986 b1 = gen_linktype(LLCSAP_IPX); 4987 break; 4988 4989 case Q_NETBEUI: 4990 b1 = gen_linktype(LLCSAP_NETBEUI); 4991 break; 4992 4993 case Q_RADIO: 4994 bpf_error("'radio' is not a valid protocol type"); 4995 4996 default: 4997 abort(); 4998 } 4999 return b1; 5000 } 5001 5002 static struct block * 5003 gen_ipfrag() 5004 { 5005 struct slist *s; 5006 struct block *b; 5007 5008 /* not IPv4 frag other than the first frag */ 5009 s = gen_load_a(OR_NET, 6, BPF_H); 5010 b = new_block(JMP(BPF_JSET)); 5011 b->s.k = 0x1fff; 5012 b->stmts = s; 5013 gen_not(b); 5014 5015 return b; 5016 } 5017 5018 /* 5019 * Generate a comparison to a port value in the transport-layer header 5020 * at the specified offset from the beginning of that header. 5021 * 5022 * XXX - this handles a variable-length prefix preceding the link-layer 5023 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5024 * variable-length link-layer headers (such as Token Ring or 802.11 5025 * headers). 5026 */ 5027 static struct block * 5028 gen_portatom(off, v) 5029 int off; 5030 bpf_int32 v; 5031 { 5032 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5033 } 5034 5035 static struct block * 5036 gen_portatom6(off, v) 5037 int off; 5038 bpf_int32 v; 5039 { 5040 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5041 } 5042 5043 struct block * 5044 gen_portop(port, proto, dir) 5045 int port, proto, dir; 5046 { 5047 struct block *b0, *b1, *tmp; 5048 5049 /* ip proto 'proto' and not a fragment other than the first fragment */ 5050 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5051 b0 = gen_ipfrag(); 5052 gen_and(tmp, b0); 5053 5054 switch (dir) { 5055 case Q_SRC: 5056 b1 = gen_portatom(0, (bpf_int32)port); 5057 break; 5058 5059 case Q_DST: 5060 b1 = gen_portatom(2, (bpf_int32)port); 5061 break; 5062 5063 case Q_OR: 5064 case Q_DEFAULT: 5065 tmp = gen_portatom(0, (bpf_int32)port); 5066 b1 = gen_portatom(2, (bpf_int32)port); 5067 gen_or(tmp, b1); 5068 break; 5069 5070 case Q_AND: 5071 tmp = gen_portatom(0, (bpf_int32)port); 5072 b1 = gen_portatom(2, (bpf_int32)port); 5073 gen_and(tmp, b1); 5074 break; 5075 5076 default: 5077 abort(); 5078 } 5079 gen_and(b0, b1); 5080 5081 return b1; 5082 } 5083 5084 static struct block * 5085 gen_port(port, ip_proto, dir) 5086 int port; 5087 int ip_proto; 5088 int dir; 5089 { 5090 struct block *b0, *b1, *tmp; 5091 5092 /* 5093 * ether proto ip 5094 * 5095 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5096 * not LLC encapsulation with LLCSAP_IP. 5097 * 5098 * For IEEE 802 networks - which includes 802.5 token ring 5099 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5100 * says that SNAP encapsulation is used, not LLC encapsulation 5101 * with LLCSAP_IP. 5102 * 5103 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5104 * RFC 2225 say that SNAP encapsulation is used, not LLC 5105 * encapsulation with LLCSAP_IP. 5106 * 5107 * So we always check for ETHERTYPE_IP. 5108 */ 5109 b0 = gen_linktype(ETHERTYPE_IP); 5110 5111 switch (ip_proto) { 5112 case IPPROTO_UDP: 5113 case IPPROTO_TCP: 5114 case IPPROTO_SCTP: 5115 b1 = gen_portop(port, ip_proto, dir); 5116 break; 5117 5118 case PROTO_UNDEF: 5119 tmp = gen_portop(port, IPPROTO_TCP, dir); 5120 b1 = gen_portop(port, IPPROTO_UDP, dir); 5121 gen_or(tmp, b1); 5122 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5123 gen_or(tmp, b1); 5124 break; 5125 5126 default: 5127 abort(); 5128 } 5129 gen_and(b0, b1); 5130 return b1; 5131 } 5132 5133 struct block * 5134 gen_portop6(port, proto, dir) 5135 int port, proto, dir; 5136 { 5137 struct block *b0, *b1, *tmp; 5138 5139 /* ip6 proto 'proto' */ 5140 /* XXX - catch the first fragment of a fragmented packet? */ 5141 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5142 5143 switch (dir) { 5144 case Q_SRC: 5145 b1 = gen_portatom6(0, (bpf_int32)port); 5146 break; 5147 5148 case Q_DST: 5149 b1 = gen_portatom6(2, (bpf_int32)port); 5150 break; 5151 5152 case Q_OR: 5153 case Q_DEFAULT: 5154 tmp = gen_portatom6(0, (bpf_int32)port); 5155 b1 = gen_portatom6(2, (bpf_int32)port); 5156 gen_or(tmp, b1); 5157 break; 5158 5159 case Q_AND: 5160 tmp = gen_portatom6(0, (bpf_int32)port); 5161 b1 = gen_portatom6(2, (bpf_int32)port); 5162 gen_and(tmp, b1); 5163 break; 5164 5165 default: 5166 abort(); 5167 } 5168 gen_and(b0, b1); 5169 5170 return b1; 5171 } 5172 5173 static struct block * 5174 gen_port6(port, ip_proto, dir) 5175 int port; 5176 int ip_proto; 5177 int dir; 5178 { 5179 struct block *b0, *b1, *tmp; 5180 5181 /* link proto ip6 */ 5182 b0 = gen_linktype(ETHERTYPE_IPV6); 5183 5184 switch (ip_proto) { 5185 case IPPROTO_UDP: 5186 case IPPROTO_TCP: 5187 case IPPROTO_SCTP: 5188 b1 = gen_portop6(port, ip_proto, dir); 5189 break; 5190 5191 case PROTO_UNDEF: 5192 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5193 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5194 gen_or(tmp, b1); 5195 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5196 gen_or(tmp, b1); 5197 break; 5198 5199 default: 5200 abort(); 5201 } 5202 gen_and(b0, b1); 5203 return b1; 5204 } 5205 5206 /* gen_portrange code */ 5207 static struct block * 5208 gen_portrangeatom(off, v1, v2) 5209 int off; 5210 bpf_int32 v1, v2; 5211 { 5212 struct block *b1, *b2; 5213 5214 if (v1 > v2) { 5215 /* 5216 * Reverse the order of the ports, so v1 is the lower one. 5217 */ 5218 bpf_int32 vtemp; 5219 5220 vtemp = v1; 5221 v1 = v2; 5222 v2 = vtemp; 5223 } 5224 5225 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5226 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5227 5228 gen_and(b1, b2); 5229 5230 return b2; 5231 } 5232 5233 struct block * 5234 gen_portrangeop(port1, port2, proto, dir) 5235 int port1, port2; 5236 int proto; 5237 int dir; 5238 { 5239 struct block *b0, *b1, *tmp; 5240 5241 /* ip proto 'proto' and not a fragment other than the first fragment */ 5242 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5243 b0 = gen_ipfrag(); 5244 gen_and(tmp, b0); 5245 5246 switch (dir) { 5247 case Q_SRC: 5248 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5249 break; 5250 5251 case Q_DST: 5252 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5253 break; 5254 5255 case Q_OR: 5256 case Q_DEFAULT: 5257 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5258 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5259 gen_or(tmp, b1); 5260 break; 5261 5262 case Q_AND: 5263 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5264 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5265 gen_and(tmp, b1); 5266 break; 5267 5268 default: 5269 abort(); 5270 } 5271 gen_and(b0, b1); 5272 5273 return b1; 5274 } 5275 5276 static struct block * 5277 gen_portrange(port1, port2, ip_proto, dir) 5278 int port1, port2; 5279 int ip_proto; 5280 int dir; 5281 { 5282 struct block *b0, *b1, *tmp; 5283 5284 /* link proto ip */ 5285 b0 = gen_linktype(ETHERTYPE_IP); 5286 5287 switch (ip_proto) { 5288 case IPPROTO_UDP: 5289 case IPPROTO_TCP: 5290 case IPPROTO_SCTP: 5291 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5292 break; 5293 5294 case PROTO_UNDEF: 5295 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5296 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5297 gen_or(tmp, b1); 5298 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5299 gen_or(tmp, b1); 5300 break; 5301 5302 default: 5303 abort(); 5304 } 5305 gen_and(b0, b1); 5306 return b1; 5307 } 5308 5309 static struct block * 5310 gen_portrangeatom6(off, v1, v2) 5311 int off; 5312 bpf_int32 v1, v2; 5313 { 5314 struct block *b1, *b2; 5315 5316 if (v1 > v2) { 5317 /* 5318 * Reverse the order of the ports, so v1 is the lower one. 5319 */ 5320 bpf_int32 vtemp; 5321 5322 vtemp = v1; 5323 v1 = v2; 5324 v2 = vtemp; 5325 } 5326 5327 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5328 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5329 5330 gen_and(b1, b2); 5331 5332 return b2; 5333 } 5334 5335 struct block * 5336 gen_portrangeop6(port1, port2, proto, dir) 5337 int port1, port2; 5338 int proto; 5339 int dir; 5340 { 5341 struct block *b0, *b1, *tmp; 5342 5343 /* ip6 proto 'proto' */ 5344 /* XXX - catch the first fragment of a fragmented packet? */ 5345 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5346 5347 switch (dir) { 5348 case Q_SRC: 5349 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5350 break; 5351 5352 case Q_DST: 5353 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5354 break; 5355 5356 case Q_OR: 5357 case Q_DEFAULT: 5358 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5359 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5360 gen_or(tmp, b1); 5361 break; 5362 5363 case Q_AND: 5364 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5365 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5366 gen_and(tmp, b1); 5367 break; 5368 5369 default: 5370 abort(); 5371 } 5372 gen_and(b0, b1); 5373 5374 return b1; 5375 } 5376 5377 static struct block * 5378 gen_portrange6(port1, port2, ip_proto, dir) 5379 int port1, port2; 5380 int ip_proto; 5381 int dir; 5382 { 5383 struct block *b0, *b1, *tmp; 5384 5385 /* link proto ip6 */ 5386 b0 = gen_linktype(ETHERTYPE_IPV6); 5387 5388 switch (ip_proto) { 5389 case IPPROTO_UDP: 5390 case IPPROTO_TCP: 5391 case IPPROTO_SCTP: 5392 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5393 break; 5394 5395 case PROTO_UNDEF: 5396 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5397 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5398 gen_or(tmp, b1); 5399 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5400 gen_or(tmp, b1); 5401 break; 5402 5403 default: 5404 abort(); 5405 } 5406 gen_and(b0, b1); 5407 return b1; 5408 } 5409 5410 static int 5411 lookup_proto(name, proto) 5412 register const char *name; 5413 register int proto; 5414 { 5415 register int v; 5416 5417 switch (proto) { 5418 5419 case Q_DEFAULT: 5420 case Q_IP: 5421 case Q_IPV6: 5422 v = pcap_nametoproto(name); 5423 if (v == PROTO_UNDEF) 5424 bpf_error("unknown ip proto '%s'", name); 5425 break; 5426 5427 case Q_LINK: 5428 /* XXX should look up h/w protocol type based on linktype */ 5429 v = pcap_nametoeproto(name); 5430 if (v == PROTO_UNDEF) { 5431 v = pcap_nametollc(name); 5432 if (v == PROTO_UNDEF) 5433 bpf_error("unknown ether proto '%s'", name); 5434 } 5435 break; 5436 5437 case Q_ISO: 5438 if (strcmp(name, "esis") == 0) 5439 v = ISO9542_ESIS; 5440 else if (strcmp(name, "isis") == 0) 5441 v = ISO10589_ISIS; 5442 else if (strcmp(name, "clnp") == 0) 5443 v = ISO8473_CLNP; 5444 else 5445 bpf_error("unknown osi proto '%s'", name); 5446 break; 5447 5448 default: 5449 v = PROTO_UNDEF; 5450 break; 5451 } 5452 return v; 5453 } 5454 5455 #if 0 5456 struct stmt * 5457 gen_joinsp(s, n) 5458 struct stmt **s; 5459 int n; 5460 { 5461 return NULL; 5462 } 5463 #endif 5464 5465 static struct block * 5466 gen_protochain(v, proto, dir) 5467 int v; 5468 int proto; 5469 int dir; 5470 { 5471 #ifdef NO_PROTOCHAIN 5472 return gen_proto(v, proto, dir); 5473 #else 5474 struct block *b0, *b; 5475 struct slist *s[100]; 5476 int fix2, fix3, fix4, fix5; 5477 int ahcheck, again, end; 5478 int i, max; 5479 int reg2 = alloc_reg(); 5480 5481 memset(s, 0, sizeof(s)); 5482 fix2 = fix3 = fix4 = fix5 = 0; 5483 5484 switch (proto) { 5485 case Q_IP: 5486 case Q_IPV6: 5487 break; 5488 case Q_DEFAULT: 5489 b0 = gen_protochain(v, Q_IP, dir); 5490 b = gen_protochain(v, Q_IPV6, dir); 5491 gen_or(b0, b); 5492 return b; 5493 default: 5494 bpf_error("bad protocol applied for 'protochain'"); 5495 /*NOTREACHED*/ 5496 } 5497 5498 /* 5499 * We don't handle variable-length prefixes before the link-layer 5500 * header, or variable-length link-layer headers, here yet. 5501 * We might want to add BPF instructions to do the protochain 5502 * work, to simplify that and, on platforms that have a BPF 5503 * interpreter with the new instructions, let the filtering 5504 * be done in the kernel. (We already require a modified BPF 5505 * engine to do the protochain stuff, to support backward 5506 * branches, and backward branch support is unlikely to appear 5507 * in kernel BPF engines.) 5508 */ 5509 switch (linktype) { 5510 5511 case DLT_IEEE802_11: 5512 case DLT_PRISM_HEADER: 5513 case DLT_IEEE802_11_RADIO_AVS: 5514 case DLT_IEEE802_11_RADIO: 5515 case DLT_PPI: 5516 bpf_error("'protochain' not supported with 802.11"); 5517 } 5518 5519 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5520 5521 /* 5522 * s[0] is a dummy entry to protect other BPF insn from damage 5523 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5524 * hard to find interdependency made by jump table fixup. 5525 */ 5526 i = 0; 5527 s[i] = new_stmt(0); /*dummy*/ 5528 i++; 5529 5530 switch (proto) { 5531 case Q_IP: 5532 b0 = gen_linktype(ETHERTYPE_IP); 5533 5534 /* A = ip->ip_p */ 5535 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5536 s[i]->s.k = off_macpl + off_nl + 9; 5537 i++; 5538 /* X = ip->ip_hl << 2 */ 5539 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5540 s[i]->s.k = off_macpl + off_nl; 5541 i++; 5542 break; 5543 5544 case Q_IPV6: 5545 b0 = gen_linktype(ETHERTYPE_IPV6); 5546 5547 /* A = ip6->ip_nxt */ 5548 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5549 s[i]->s.k = off_macpl + off_nl + 6; 5550 i++; 5551 /* X = sizeof(struct ip6_hdr) */ 5552 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5553 s[i]->s.k = 40; 5554 i++; 5555 break; 5556 5557 default: 5558 bpf_error("unsupported proto to gen_protochain"); 5559 /*NOTREACHED*/ 5560 } 5561 5562 /* again: if (A == v) goto end; else fall through; */ 5563 again = i; 5564 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5565 s[i]->s.k = v; 5566 s[i]->s.jt = NULL; /*later*/ 5567 s[i]->s.jf = NULL; /*update in next stmt*/ 5568 fix5 = i; 5569 i++; 5570 5571 #ifndef IPPROTO_NONE 5572 #define IPPROTO_NONE 59 5573 #endif 5574 /* if (A == IPPROTO_NONE) goto end */ 5575 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5576 s[i]->s.jt = NULL; /*later*/ 5577 s[i]->s.jf = NULL; /*update in next stmt*/ 5578 s[i]->s.k = IPPROTO_NONE; 5579 s[fix5]->s.jf = s[i]; 5580 fix2 = i; 5581 i++; 5582 5583 if (proto == Q_IPV6) { 5584 int v6start, v6end, v6advance, j; 5585 5586 v6start = i; 5587 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5588 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5589 s[i]->s.jt = NULL; /*later*/ 5590 s[i]->s.jf = NULL; /*update in next stmt*/ 5591 s[i]->s.k = IPPROTO_HOPOPTS; 5592 s[fix2]->s.jf = s[i]; 5593 i++; 5594 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5595 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5596 s[i]->s.jt = NULL; /*later*/ 5597 s[i]->s.jf = NULL; /*update in next stmt*/ 5598 s[i]->s.k = IPPROTO_DSTOPTS; 5599 i++; 5600 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5601 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5602 s[i]->s.jt = NULL; /*later*/ 5603 s[i]->s.jf = NULL; /*update in next stmt*/ 5604 s[i]->s.k = IPPROTO_ROUTING; 5605 i++; 5606 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5607 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5608 s[i]->s.jt = NULL; /*later*/ 5609 s[i]->s.jf = NULL; /*later*/ 5610 s[i]->s.k = IPPROTO_FRAGMENT; 5611 fix3 = i; 5612 v6end = i; 5613 i++; 5614 5615 /* v6advance: */ 5616 v6advance = i; 5617 5618 /* 5619 * in short, 5620 * A = P[X + packet head]; 5621 * X = X + (P[X + packet head + 1] + 1) * 8; 5622 */ 5623 /* A = P[X + packet head] */ 5624 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5625 s[i]->s.k = off_macpl + off_nl; 5626 i++; 5627 /* MEM[reg2] = A */ 5628 s[i] = new_stmt(BPF_ST); 5629 s[i]->s.k = reg2; 5630 i++; 5631 /* A = P[X + packet head + 1]; */ 5632 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5633 s[i]->s.k = off_macpl + off_nl + 1; 5634 i++; 5635 /* A += 1 */ 5636 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5637 s[i]->s.k = 1; 5638 i++; 5639 /* A *= 8 */ 5640 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5641 s[i]->s.k = 8; 5642 i++; 5643 /* A += X */ 5644 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5645 s[i]->s.k = 0; 5646 i++; 5647 /* X = A; */ 5648 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5649 i++; 5650 /* A = MEM[reg2] */ 5651 s[i] = new_stmt(BPF_LD|BPF_MEM); 5652 s[i]->s.k = reg2; 5653 i++; 5654 5655 /* goto again; (must use BPF_JA for backward jump) */ 5656 s[i] = new_stmt(BPF_JMP|BPF_JA); 5657 s[i]->s.k = again - i - 1; 5658 s[i - 1]->s.jf = s[i]; 5659 i++; 5660 5661 /* fixup */ 5662 for (j = v6start; j <= v6end; j++) 5663 s[j]->s.jt = s[v6advance]; 5664 } else { 5665 /* nop */ 5666 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5667 s[i]->s.k = 0; 5668 s[fix2]->s.jf = s[i]; 5669 i++; 5670 } 5671 5672 /* ahcheck: */ 5673 ahcheck = i; 5674 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5675 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5676 s[i]->s.jt = NULL; /*later*/ 5677 s[i]->s.jf = NULL; /*later*/ 5678 s[i]->s.k = IPPROTO_AH; 5679 if (fix3) 5680 s[fix3]->s.jf = s[ahcheck]; 5681 fix4 = i; 5682 i++; 5683 5684 /* 5685 * in short, 5686 * A = P[X]; 5687 * X = X + (P[X + 1] + 2) * 4; 5688 */ 5689 /* A = X */ 5690 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5691 i++; 5692 /* A = P[X + packet head]; */ 5693 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5694 s[i]->s.k = off_macpl + off_nl; 5695 i++; 5696 /* MEM[reg2] = A */ 5697 s[i] = new_stmt(BPF_ST); 5698 s[i]->s.k = reg2; 5699 i++; 5700 /* A = X */ 5701 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5702 i++; 5703 /* A += 1 */ 5704 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5705 s[i]->s.k = 1; 5706 i++; 5707 /* X = A */ 5708 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5709 i++; 5710 /* A = P[X + packet head] */ 5711 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5712 s[i]->s.k = off_macpl + off_nl; 5713 i++; 5714 /* A += 2 */ 5715 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5716 s[i]->s.k = 2; 5717 i++; 5718 /* A *= 4 */ 5719 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5720 s[i]->s.k = 4; 5721 i++; 5722 /* X = A; */ 5723 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5724 i++; 5725 /* A = MEM[reg2] */ 5726 s[i] = new_stmt(BPF_LD|BPF_MEM); 5727 s[i]->s.k = reg2; 5728 i++; 5729 5730 /* goto again; (must use BPF_JA for backward jump) */ 5731 s[i] = new_stmt(BPF_JMP|BPF_JA); 5732 s[i]->s.k = again - i - 1; 5733 i++; 5734 5735 /* end: nop */ 5736 end = i; 5737 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5738 s[i]->s.k = 0; 5739 s[fix2]->s.jt = s[end]; 5740 s[fix4]->s.jf = s[end]; 5741 s[fix5]->s.jt = s[end]; 5742 i++; 5743 5744 /* 5745 * make slist chain 5746 */ 5747 max = i; 5748 for (i = 0; i < max - 1; i++) 5749 s[i]->next = s[i + 1]; 5750 s[max - 1]->next = NULL; 5751 5752 /* 5753 * emit final check 5754 */ 5755 b = new_block(JMP(BPF_JEQ)); 5756 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5757 b->s.k = v; 5758 5759 free_reg(reg2); 5760 5761 gen_and(b0, b); 5762 return b; 5763 #endif 5764 } 5765 5766 static struct block * 5767 gen_check_802_11_data_frame() 5768 { 5769 struct slist *s; 5770 struct block *b0, *b1; 5771 5772 /* 5773 * A data frame has the 0x08 bit (b3) in the frame control field set 5774 * and the 0x04 bit (b2) clear. 5775 */ 5776 s = gen_load_a(OR_LINK, 0, BPF_B); 5777 b0 = new_block(JMP(BPF_JSET)); 5778 b0->s.k = 0x08; 5779 b0->stmts = s; 5780 5781 s = gen_load_a(OR_LINK, 0, BPF_B); 5782 b1 = new_block(JMP(BPF_JSET)); 5783 b1->s.k = 0x04; 5784 b1->stmts = s; 5785 gen_not(b1); 5786 5787 gen_and(b1, b0); 5788 5789 return b0; 5790 } 5791 5792 /* 5793 * Generate code that checks whether the packet is a packet for protocol 5794 * <proto> and whether the type field in that protocol's header has 5795 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5796 * IP packet and checks the protocol number in the IP header against <v>. 5797 * 5798 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5799 * against Q_IP and Q_IPV6. 5800 */ 5801 static struct block * 5802 gen_proto(v, proto, dir) 5803 int v; 5804 int proto; 5805 int dir; 5806 { 5807 struct block *b0, *b1; 5808 #ifndef CHASE_CHAIN 5809 struct block *b2; 5810 #endif 5811 5812 if (dir != Q_DEFAULT) 5813 bpf_error("direction applied to 'proto'"); 5814 5815 switch (proto) { 5816 case Q_DEFAULT: 5817 b0 = gen_proto(v, Q_IP, dir); 5818 b1 = gen_proto(v, Q_IPV6, dir); 5819 gen_or(b0, b1); 5820 return b1; 5821 5822 case Q_IP: 5823 /* 5824 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5825 * not LLC encapsulation with LLCSAP_IP. 5826 * 5827 * For IEEE 802 networks - which includes 802.5 token ring 5828 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5829 * says that SNAP encapsulation is used, not LLC encapsulation 5830 * with LLCSAP_IP. 5831 * 5832 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5833 * RFC 2225 say that SNAP encapsulation is used, not LLC 5834 * encapsulation with LLCSAP_IP. 5835 * 5836 * So we always check for ETHERTYPE_IP. 5837 */ 5838 b0 = gen_linktype(ETHERTYPE_IP); 5839 #ifndef CHASE_CHAIN 5840 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5841 #else 5842 b1 = gen_protochain(v, Q_IP); 5843 #endif 5844 gen_and(b0, b1); 5845 return b1; 5846 5847 case Q_ISO: 5848 switch (linktype) { 5849 5850 case DLT_FRELAY: 5851 /* 5852 * Frame Relay packets typically have an OSI 5853 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5854 * generates code to check for all the OSI 5855 * NLPIDs, so calling it and then adding a check 5856 * for the particular NLPID for which we're 5857 * looking is bogus, as we can just check for 5858 * the NLPID. 5859 * 5860 * What we check for is the NLPID and a frame 5861 * control field value of UI, i.e. 0x03 followed 5862 * by the NLPID. 5863 * 5864 * XXX - assumes a 2-byte Frame Relay header with 5865 * DLCI and flags. What if the address is longer? 5866 * 5867 * XXX - what about SNAP-encapsulated frames? 5868 */ 5869 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5870 /*NOTREACHED*/ 5871 break; 5872 5873 case DLT_C_HDLC: 5874 /* 5875 * Cisco uses an Ethertype lookalike - for OSI, 5876 * it's 0xfefe. 5877 */ 5878 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5879 /* OSI in C-HDLC is stuffed with a fudge byte */ 5880 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5881 gen_and(b0, b1); 5882 return b1; 5883 5884 default: 5885 b0 = gen_linktype(LLCSAP_ISONS); 5886 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5887 gen_and(b0, b1); 5888 return b1; 5889 } 5890 5891 case Q_ISIS: 5892 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5893 /* 5894 * 4 is the offset of the PDU type relative to the IS-IS 5895 * header. 5896 */ 5897 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5898 gen_and(b0, b1); 5899 return b1; 5900 5901 case Q_ARP: 5902 bpf_error("arp does not encapsulate another protocol"); 5903 /* NOTREACHED */ 5904 5905 case Q_RARP: 5906 bpf_error("rarp does not encapsulate another protocol"); 5907 /* NOTREACHED */ 5908 5909 case Q_ATALK: 5910 bpf_error("atalk encapsulation is not specifiable"); 5911 /* NOTREACHED */ 5912 5913 case Q_DECNET: 5914 bpf_error("decnet encapsulation is not specifiable"); 5915 /* NOTREACHED */ 5916 5917 case Q_SCA: 5918 bpf_error("sca does not encapsulate another protocol"); 5919 /* NOTREACHED */ 5920 5921 case Q_LAT: 5922 bpf_error("lat does not encapsulate another protocol"); 5923 /* NOTREACHED */ 5924 5925 case Q_MOPRC: 5926 bpf_error("moprc does not encapsulate another protocol"); 5927 /* NOTREACHED */ 5928 5929 case Q_MOPDL: 5930 bpf_error("mopdl does not encapsulate another protocol"); 5931 /* NOTREACHED */ 5932 5933 case Q_LINK: 5934 return gen_linktype(v); 5935 5936 case Q_UDP: 5937 bpf_error("'udp proto' is bogus"); 5938 /* NOTREACHED */ 5939 5940 case Q_TCP: 5941 bpf_error("'tcp proto' is bogus"); 5942 /* NOTREACHED */ 5943 5944 case Q_SCTP: 5945 bpf_error("'sctp proto' is bogus"); 5946 /* NOTREACHED */ 5947 5948 case Q_ICMP: 5949 bpf_error("'icmp proto' is bogus"); 5950 /* NOTREACHED */ 5951 5952 case Q_IGMP: 5953 bpf_error("'igmp proto' is bogus"); 5954 /* NOTREACHED */ 5955 5956 case Q_IGRP: 5957 bpf_error("'igrp proto' is bogus"); 5958 /* NOTREACHED */ 5959 5960 case Q_PIM: 5961 bpf_error("'pim proto' is bogus"); 5962 /* NOTREACHED */ 5963 5964 case Q_VRRP: 5965 bpf_error("'vrrp proto' is bogus"); 5966 /* NOTREACHED */ 5967 5968 case Q_CARP: 5969 bpf_error("'carp proto' is bogus"); 5970 /* NOTREACHED */ 5971 5972 case Q_IPV6: 5973 b0 = gen_linktype(ETHERTYPE_IPV6); 5974 #ifndef CHASE_CHAIN 5975 /* 5976 * Also check for a fragment header before the final 5977 * header. 5978 */ 5979 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 5980 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 5981 gen_and(b2, b1); 5982 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5983 gen_or(b2, b1); 5984 #else 5985 b1 = gen_protochain(v, Q_IPV6); 5986 #endif 5987 gen_and(b0, b1); 5988 return b1; 5989 5990 case Q_ICMPV6: 5991 bpf_error("'icmp6 proto' is bogus"); 5992 5993 case Q_AH: 5994 bpf_error("'ah proto' is bogus"); 5995 5996 case Q_ESP: 5997 bpf_error("'ah proto' is bogus"); 5998 5999 case Q_STP: 6000 bpf_error("'stp proto' is bogus"); 6001 6002 case Q_IPX: 6003 bpf_error("'ipx proto' is bogus"); 6004 6005 case Q_NETBEUI: 6006 bpf_error("'netbeui proto' is bogus"); 6007 6008 case Q_RADIO: 6009 bpf_error("'radio proto' is bogus"); 6010 6011 default: 6012 abort(); 6013 /* NOTREACHED */ 6014 } 6015 /* NOTREACHED */ 6016 } 6017 6018 struct block * 6019 gen_scode(name, q) 6020 register const char *name; 6021 struct qual q; 6022 { 6023 int proto = q.proto; 6024 int dir = q.dir; 6025 int tproto; 6026 u_char *eaddr; 6027 bpf_u_int32 mask, addr; 6028 #ifndef INET6 6029 bpf_u_int32 **alist; 6030 #else 6031 int tproto6; 6032 struct sockaddr_in *sin4; 6033 struct sockaddr_in6 *sin6; 6034 struct addrinfo *res, *res0; 6035 struct in6_addr mask128; 6036 #endif /*INET6*/ 6037 struct block *b, *tmp; 6038 int port, real_proto; 6039 int port1, port2; 6040 6041 switch (q.addr) { 6042 6043 case Q_NET: 6044 addr = pcap_nametonetaddr(name); 6045 if (addr == 0) 6046 bpf_error("unknown network '%s'", name); 6047 /* Left justify network addr and calculate its network mask */ 6048 mask = 0xffffffff; 6049 while (addr && (addr & 0xff000000) == 0) { 6050 addr <<= 8; 6051 mask <<= 8; 6052 } 6053 return gen_host(addr, mask, proto, dir, q.addr); 6054 6055 case Q_DEFAULT: 6056 case Q_HOST: 6057 if (proto == Q_LINK) { 6058 switch (linktype) { 6059 6060 case DLT_EN10MB: 6061 case DLT_NETANALYZER: 6062 case DLT_NETANALYZER_TRANSPARENT: 6063 eaddr = pcap_ether_hostton(name); 6064 if (eaddr == NULL) 6065 bpf_error( 6066 "unknown ether host '%s'", name); 6067 b = gen_ehostop(eaddr, dir); 6068 free(eaddr); 6069 return b; 6070 6071 case DLT_FDDI: 6072 eaddr = pcap_ether_hostton(name); 6073 if (eaddr == NULL) 6074 bpf_error( 6075 "unknown FDDI host '%s'", name); 6076 b = gen_fhostop(eaddr, dir); 6077 free(eaddr); 6078 return b; 6079 6080 case DLT_IEEE802: 6081 eaddr = pcap_ether_hostton(name); 6082 if (eaddr == NULL) 6083 bpf_error( 6084 "unknown token ring host '%s'", name); 6085 b = gen_thostop(eaddr, dir); 6086 free(eaddr); 6087 return b; 6088 6089 case DLT_IEEE802_11: 6090 case DLT_PRISM_HEADER: 6091 case DLT_IEEE802_11_RADIO_AVS: 6092 case DLT_IEEE802_11_RADIO: 6093 case DLT_PPI: 6094 eaddr = pcap_ether_hostton(name); 6095 if (eaddr == NULL) 6096 bpf_error( 6097 "unknown 802.11 host '%s'", name); 6098 b = gen_wlanhostop(eaddr, dir); 6099 free(eaddr); 6100 return b; 6101 6102 case DLT_IP_OVER_FC: 6103 eaddr = pcap_ether_hostton(name); 6104 if (eaddr == NULL) 6105 bpf_error( 6106 "unknown Fibre Channel host '%s'", name); 6107 b = gen_ipfchostop(eaddr, dir); 6108 free(eaddr); 6109 return b; 6110 6111 case DLT_SUNATM: 6112 if (!is_lane) 6113 break; 6114 6115 /* 6116 * Check that the packet doesn't begin 6117 * with an LE Control marker. (We've 6118 * already generated a test for LANE.) 6119 */ 6120 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6121 BPF_H, 0xFF00); 6122 gen_not(tmp); 6123 6124 eaddr = pcap_ether_hostton(name); 6125 if (eaddr == NULL) 6126 bpf_error( 6127 "unknown ether host '%s'", name); 6128 b = gen_ehostop(eaddr, dir); 6129 gen_and(tmp, b); 6130 free(eaddr); 6131 return b; 6132 } 6133 6134 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6135 } else if (proto == Q_DECNET) { 6136 unsigned short dn_addr = __pcap_nametodnaddr(name); 6137 /* 6138 * I don't think DECNET hosts can be multihomed, so 6139 * there is no need to build up a list of addresses 6140 */ 6141 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6142 } else { 6143 #ifndef INET6 6144 alist = pcap_nametoaddr(name); 6145 if (alist == NULL || *alist == NULL) 6146 bpf_error("unknown host '%s'", name); 6147 tproto = proto; 6148 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6149 tproto = Q_IP; 6150 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6151 while (*alist) { 6152 tmp = gen_host(**alist++, 0xffffffff, 6153 tproto, dir, q.addr); 6154 gen_or(b, tmp); 6155 b = tmp; 6156 } 6157 return b; 6158 #else 6159 memset(&mask128, 0xff, sizeof(mask128)); 6160 res0 = res = pcap_nametoaddrinfo(name); 6161 if (res == NULL) 6162 bpf_error("unknown host '%s'", name); 6163 ai = res; 6164 b = tmp = NULL; 6165 tproto = tproto6 = proto; 6166 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) { 6167 tproto = Q_IP; 6168 tproto6 = Q_IPV6; 6169 } 6170 for (res = res0; res; res = res->ai_next) { 6171 switch (res->ai_family) { 6172 case AF_INET: 6173 if (tproto == Q_IPV6) 6174 continue; 6175 6176 sin4 = (struct sockaddr_in *) 6177 res->ai_addr; 6178 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6179 0xffffffff, tproto, dir, q.addr); 6180 break; 6181 case AF_INET6: 6182 if (tproto6 == Q_IP) 6183 continue; 6184 6185 sin6 = (struct sockaddr_in6 *) 6186 res->ai_addr; 6187 tmp = gen_host6(&sin6->sin6_addr, 6188 &mask128, tproto6, dir, q.addr); 6189 break; 6190 default: 6191 continue; 6192 } 6193 if (b) 6194 gen_or(b, tmp); 6195 b = tmp; 6196 } 6197 ai = NULL; 6198 freeaddrinfo(res0); 6199 if (b == NULL) { 6200 bpf_error("unknown host '%s'%s", name, 6201 (proto == Q_DEFAULT) 6202 ? "" 6203 : " for specified address family"); 6204 } 6205 return b; 6206 #endif /*INET6*/ 6207 } 6208 6209 case Q_PORT: 6210 if (proto != Q_DEFAULT && 6211 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6212 bpf_error("illegal qualifier of 'port'"); 6213 if (pcap_nametoport(name, &port, &real_proto) == 0) 6214 bpf_error("unknown port '%s'", name); 6215 if (proto == Q_UDP) { 6216 if (real_proto == IPPROTO_TCP) 6217 bpf_error("port '%s' is tcp", name); 6218 else if (real_proto == IPPROTO_SCTP) 6219 bpf_error("port '%s' is sctp", name); 6220 else 6221 /* override PROTO_UNDEF */ 6222 real_proto = IPPROTO_UDP; 6223 } 6224 if (proto == Q_TCP) { 6225 if (real_proto == IPPROTO_UDP) 6226 bpf_error("port '%s' is udp", name); 6227 6228 else if (real_proto == IPPROTO_SCTP) 6229 bpf_error("port '%s' is sctp", name); 6230 else 6231 /* override PROTO_UNDEF */ 6232 real_proto = IPPROTO_TCP; 6233 } 6234 if (proto == Q_SCTP) { 6235 if (real_proto == IPPROTO_UDP) 6236 bpf_error("port '%s' is udp", name); 6237 6238 else if (real_proto == IPPROTO_TCP) 6239 bpf_error("port '%s' is tcp", name); 6240 else 6241 /* override PROTO_UNDEF */ 6242 real_proto = IPPROTO_SCTP; 6243 } 6244 if (port < 0) 6245 bpf_error("illegal port number %d < 0", port); 6246 if (port > 65535) 6247 bpf_error("illegal port number %d > 65535", port); 6248 b = gen_port(port, real_proto, dir); 6249 gen_or(gen_port6(port, real_proto, dir), b); 6250 return b; 6251 6252 case Q_PORTRANGE: 6253 if (proto != Q_DEFAULT && 6254 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6255 bpf_error("illegal qualifier of 'portrange'"); 6256 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6257 bpf_error("unknown port in range '%s'", name); 6258 if (proto == Q_UDP) { 6259 if (real_proto == IPPROTO_TCP) 6260 bpf_error("port in range '%s' is tcp", name); 6261 else if (real_proto == IPPROTO_SCTP) 6262 bpf_error("port in range '%s' is sctp", name); 6263 else 6264 /* override PROTO_UNDEF */ 6265 real_proto = IPPROTO_UDP; 6266 } 6267 if (proto == Q_TCP) { 6268 if (real_proto == IPPROTO_UDP) 6269 bpf_error("port in range '%s' is udp", name); 6270 else if (real_proto == IPPROTO_SCTP) 6271 bpf_error("port in range '%s' is sctp", name); 6272 else 6273 /* override PROTO_UNDEF */ 6274 real_proto = IPPROTO_TCP; 6275 } 6276 if (proto == Q_SCTP) { 6277 if (real_proto == IPPROTO_UDP) 6278 bpf_error("port in range '%s' is udp", name); 6279 else if (real_proto == IPPROTO_TCP) 6280 bpf_error("port in range '%s' is tcp", name); 6281 else 6282 /* override PROTO_UNDEF */ 6283 real_proto = IPPROTO_SCTP; 6284 } 6285 if (port1 < 0) 6286 bpf_error("illegal port number %d < 0", port1); 6287 if (port1 > 65535) 6288 bpf_error("illegal port number %d > 65535", port1); 6289 if (port2 < 0) 6290 bpf_error("illegal port number %d < 0", port2); 6291 if (port2 > 65535) 6292 bpf_error("illegal port number %d > 65535", port2); 6293 6294 b = gen_portrange(port1, port2, real_proto, dir); 6295 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6296 return b; 6297 6298 case Q_GATEWAY: 6299 #ifndef INET6 6300 eaddr = pcap_ether_hostton(name); 6301 if (eaddr == NULL) 6302 bpf_error("unknown ether host: %s", name); 6303 6304 alist = pcap_nametoaddr(name); 6305 if (alist == NULL || *alist == NULL) 6306 bpf_error("unknown host '%s'", name); 6307 b = gen_gateway(eaddr, alist, proto, dir); 6308 free(eaddr); 6309 return b; 6310 #else 6311 bpf_error("'gateway' not supported in this configuration"); 6312 #endif /*INET6*/ 6313 6314 case Q_PROTO: 6315 real_proto = lookup_proto(name, proto); 6316 if (real_proto >= 0) 6317 return gen_proto(real_proto, proto, dir); 6318 else 6319 bpf_error("unknown protocol: %s", name); 6320 6321 case Q_PROTOCHAIN: 6322 real_proto = lookup_proto(name, proto); 6323 if (real_proto >= 0) 6324 return gen_protochain(real_proto, proto, dir); 6325 else 6326 bpf_error("unknown protocol: %s", name); 6327 6328 case Q_UNDEF: 6329 syntax(); 6330 /* NOTREACHED */ 6331 } 6332 abort(); 6333 /* NOTREACHED */ 6334 } 6335 6336 struct block * 6337 gen_mcode(s1, s2, masklen, q) 6338 register const char *s1, *s2; 6339 register int masklen; 6340 struct qual q; 6341 { 6342 register int nlen, mlen; 6343 bpf_u_int32 n, m; 6344 6345 nlen = __pcap_atoin(s1, &n); 6346 /* Promote short ipaddr */ 6347 n <<= 32 - nlen; 6348 6349 if (s2 != NULL) { 6350 mlen = __pcap_atoin(s2, &m); 6351 /* Promote short ipaddr */ 6352 m <<= 32 - mlen; 6353 if ((n & ~m) != 0) 6354 bpf_error("non-network bits set in \"%s mask %s\"", 6355 s1, s2); 6356 } else { 6357 /* Convert mask len to mask */ 6358 if (masklen > 32) 6359 bpf_error("mask length must be <= 32"); 6360 if (masklen == 0) { 6361 /* 6362 * X << 32 is not guaranteed by C to be 0; it's 6363 * undefined. 6364 */ 6365 m = 0; 6366 } else 6367 m = 0xffffffff << (32 - masklen); 6368 if ((n & ~m) != 0) 6369 bpf_error("non-network bits set in \"%s/%d\"", 6370 s1, masklen); 6371 } 6372 6373 switch (q.addr) { 6374 6375 case Q_NET: 6376 return gen_host(n, m, q.proto, q.dir, q.addr); 6377 6378 default: 6379 bpf_error("Mask syntax for networks only"); 6380 /* NOTREACHED */ 6381 } 6382 /* NOTREACHED */ 6383 return NULL; 6384 } 6385 6386 struct block * 6387 gen_ncode(s, v, q) 6388 register const char *s; 6389 bpf_u_int32 v; 6390 struct qual q; 6391 { 6392 bpf_u_int32 mask; 6393 int proto = q.proto; 6394 int dir = q.dir; 6395 register int vlen; 6396 6397 if (s == NULL) 6398 vlen = 32; 6399 else if (q.proto == Q_DECNET) 6400 vlen = __pcap_atodn(s, &v); 6401 else 6402 vlen = __pcap_atoin(s, &v); 6403 6404 switch (q.addr) { 6405 6406 case Q_DEFAULT: 6407 case Q_HOST: 6408 case Q_NET: 6409 if (proto == Q_DECNET) 6410 return gen_host(v, 0, proto, dir, q.addr); 6411 else if (proto == Q_LINK) { 6412 bpf_error("illegal link layer address"); 6413 } else { 6414 mask = 0xffffffff; 6415 if (s == NULL && q.addr == Q_NET) { 6416 /* Promote short net number */ 6417 while (v && (v & 0xff000000) == 0) { 6418 v <<= 8; 6419 mask <<= 8; 6420 } 6421 } else { 6422 /* Promote short ipaddr */ 6423 v <<= 32 - vlen; 6424 mask <<= 32 - vlen; 6425 } 6426 return gen_host(v, mask, proto, dir, q.addr); 6427 } 6428 6429 case Q_PORT: 6430 if (proto == Q_UDP) 6431 proto = IPPROTO_UDP; 6432 else if (proto == Q_TCP) 6433 proto = IPPROTO_TCP; 6434 else if (proto == Q_SCTP) 6435 proto = IPPROTO_SCTP; 6436 else if (proto == Q_DEFAULT) 6437 proto = PROTO_UNDEF; 6438 else 6439 bpf_error("illegal qualifier of 'port'"); 6440 6441 if (v > 65535) 6442 bpf_error("illegal port number %u > 65535", v); 6443 6444 { 6445 struct block *b; 6446 b = gen_port((int)v, proto, dir); 6447 gen_or(gen_port6((int)v, proto, dir), b); 6448 return b; 6449 } 6450 6451 case Q_PORTRANGE: 6452 if (proto == Q_UDP) 6453 proto = IPPROTO_UDP; 6454 else if (proto == Q_TCP) 6455 proto = IPPROTO_TCP; 6456 else if (proto == Q_SCTP) 6457 proto = IPPROTO_SCTP; 6458 else if (proto == Q_DEFAULT) 6459 proto = PROTO_UNDEF; 6460 else 6461 bpf_error("illegal qualifier of 'portrange'"); 6462 6463 if (v > 65535) 6464 bpf_error("illegal port number %u > 65535", v); 6465 6466 { 6467 struct block *b; 6468 b = gen_portrange((int)v, (int)v, proto, dir); 6469 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6470 return b; 6471 } 6472 6473 case Q_GATEWAY: 6474 bpf_error("'gateway' requires a name"); 6475 /* NOTREACHED */ 6476 6477 case Q_PROTO: 6478 return gen_proto((int)v, proto, dir); 6479 6480 case Q_PROTOCHAIN: 6481 return gen_protochain((int)v, proto, dir); 6482 6483 case Q_UNDEF: 6484 syntax(); 6485 /* NOTREACHED */ 6486 6487 default: 6488 abort(); 6489 /* NOTREACHED */ 6490 } 6491 /* NOTREACHED */ 6492 } 6493 6494 #ifdef INET6 6495 struct block * 6496 gen_mcode6(s1, s2, masklen, q) 6497 register const char *s1, *s2; 6498 register int masklen; 6499 struct qual q; 6500 { 6501 struct addrinfo *res; 6502 struct in6_addr *addr; 6503 struct in6_addr mask; 6504 struct block *b; 6505 u_int32_t *a, *m; 6506 6507 if (s2) 6508 bpf_error("no mask %s supported", s2); 6509 6510 res = pcap_nametoaddrinfo(s1); 6511 if (!res) 6512 bpf_error("invalid ip6 address %s", s1); 6513 ai = res; 6514 if (res->ai_next) 6515 bpf_error("%s resolved to multiple address", s1); 6516 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6517 6518 if ((int)sizeof(mask) * 8 < masklen) 6519 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6520 memset(&mask, 0, sizeof(mask)); 6521 memset(&mask, 0xff, masklen / 8); 6522 if (masklen % 8) { 6523 mask.s6_addr[masklen / 8] = 6524 (0xff << (8 - masklen % 8)) & 0xff; 6525 } 6526 6527 a = (u_int32_t *)addr; 6528 m = (u_int32_t *)&mask; 6529 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6530 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6531 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6532 } 6533 6534 switch (q.addr) { 6535 6536 case Q_DEFAULT: 6537 case Q_HOST: 6538 if (masklen != 128) 6539 bpf_error("Mask syntax for networks only"); 6540 /* FALLTHROUGH */ 6541 6542 case Q_NET: 6543 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6544 ai = NULL; 6545 freeaddrinfo(res); 6546 return b; 6547 6548 default: 6549 bpf_error("invalid qualifier against IPv6 address"); 6550 /* NOTREACHED */ 6551 } 6552 return NULL; 6553 } 6554 #endif /*INET6*/ 6555 6556 struct block * 6557 gen_ecode(eaddr, q) 6558 register const u_char *eaddr; 6559 struct qual q; 6560 { 6561 struct block *b, *tmp; 6562 6563 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6564 switch (linktype) { 6565 case DLT_EN10MB: 6566 case DLT_NETANALYZER: 6567 case DLT_NETANALYZER_TRANSPARENT: 6568 return gen_ehostop(eaddr, (int)q.dir); 6569 case DLT_FDDI: 6570 return gen_fhostop(eaddr, (int)q.dir); 6571 case DLT_IEEE802: 6572 return gen_thostop(eaddr, (int)q.dir); 6573 case DLT_IEEE802_11: 6574 case DLT_PRISM_HEADER: 6575 case DLT_IEEE802_11_RADIO_AVS: 6576 case DLT_IEEE802_11_RADIO: 6577 case DLT_PPI: 6578 return gen_wlanhostop(eaddr, (int)q.dir); 6579 case DLT_SUNATM: 6580 if (is_lane) { 6581 /* 6582 * Check that the packet doesn't begin with an 6583 * LE Control marker. (We've already generated 6584 * a test for LANE.) 6585 */ 6586 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6587 0xFF00); 6588 gen_not(tmp); 6589 6590 /* 6591 * Now check the MAC address. 6592 */ 6593 b = gen_ehostop(eaddr, (int)q.dir); 6594 gen_and(tmp, b); 6595 return b; 6596 } 6597 break; 6598 case DLT_IP_OVER_FC: 6599 return gen_ipfchostop(eaddr, (int)q.dir); 6600 default: 6601 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6602 break; 6603 } 6604 } 6605 bpf_error("ethernet address used in non-ether expression"); 6606 /* NOTREACHED */ 6607 return NULL; 6608 } 6609 6610 void 6611 sappend(s0, s1) 6612 struct slist *s0, *s1; 6613 { 6614 /* 6615 * This is definitely not the best way to do this, but the 6616 * lists will rarely get long. 6617 */ 6618 while (s0->next) 6619 s0 = s0->next; 6620 s0->next = s1; 6621 } 6622 6623 static struct slist * 6624 xfer_to_x(a) 6625 struct arth *a; 6626 { 6627 struct slist *s; 6628 6629 s = new_stmt(BPF_LDX|BPF_MEM); 6630 s->s.k = a->regno; 6631 return s; 6632 } 6633 6634 static struct slist * 6635 xfer_to_a(a) 6636 struct arth *a; 6637 { 6638 struct slist *s; 6639 6640 s = new_stmt(BPF_LD|BPF_MEM); 6641 s->s.k = a->regno; 6642 return s; 6643 } 6644 6645 /* 6646 * Modify "index" to use the value stored into its register as an 6647 * offset relative to the beginning of the header for the protocol 6648 * "proto", and allocate a register and put an item "size" bytes long 6649 * (1, 2, or 4) at that offset into that register, making it the register 6650 * for "index". 6651 */ 6652 struct arth * 6653 gen_load(proto, inst, size) 6654 int proto; 6655 struct arth *inst; 6656 int size; 6657 { 6658 struct slist *s, *tmp; 6659 struct block *b; 6660 int regno = alloc_reg(); 6661 6662 free_reg(inst->regno); 6663 switch (size) { 6664 6665 default: 6666 bpf_error("data size must be 1, 2, or 4"); 6667 6668 case 1: 6669 size = BPF_B; 6670 break; 6671 6672 case 2: 6673 size = BPF_H; 6674 break; 6675 6676 case 4: 6677 size = BPF_W; 6678 break; 6679 } 6680 switch (proto) { 6681 default: 6682 bpf_error("unsupported index operation"); 6683 6684 case Q_RADIO: 6685 /* 6686 * The offset is relative to the beginning of the packet 6687 * data, if we have a radio header. (If we don't, this 6688 * is an error.) 6689 */ 6690 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6691 linktype != DLT_IEEE802_11_RADIO && 6692 linktype != DLT_PRISM_HEADER) 6693 bpf_error("radio information not present in capture"); 6694 6695 /* 6696 * Load into the X register the offset computed into the 6697 * register specified by "index". 6698 */ 6699 s = xfer_to_x(inst); 6700 6701 /* 6702 * Load the item at that offset. 6703 */ 6704 tmp = new_stmt(BPF_LD|BPF_IND|size); 6705 sappend(s, tmp); 6706 sappend(inst->s, s); 6707 break; 6708 6709 case Q_LINK: 6710 /* 6711 * The offset is relative to the beginning of 6712 * the link-layer header. 6713 * 6714 * XXX - what about ATM LANE? Should the index be 6715 * relative to the beginning of the AAL5 frame, so 6716 * that 0 refers to the beginning of the LE Control 6717 * field, or relative to the beginning of the LAN 6718 * frame, so that 0 refers, for Ethernet LANE, to 6719 * the beginning of the destination address? 6720 */ 6721 s = gen_llprefixlen(); 6722 6723 /* 6724 * If "s" is non-null, it has code to arrange that the 6725 * X register contains the length of the prefix preceding 6726 * the link-layer header. Add to it the offset computed 6727 * into the register specified by "index", and move that 6728 * into the X register. Otherwise, just load into the X 6729 * register the offset computed into the register specified 6730 * by "index". 6731 */ 6732 if (s != NULL) { 6733 sappend(s, xfer_to_a(inst)); 6734 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6735 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6736 } else 6737 s = xfer_to_x(inst); 6738 6739 /* 6740 * Load the item at the sum of the offset we've put in the 6741 * X register and the offset of the start of the link 6742 * layer header (which is 0 if the radio header is 6743 * variable-length; that header length is what we put 6744 * into the X register and then added to the index). 6745 */ 6746 tmp = new_stmt(BPF_LD|BPF_IND|size); 6747 tmp->s.k = off_ll; 6748 sappend(s, tmp); 6749 sappend(inst->s, s); 6750 break; 6751 6752 case Q_IP: 6753 case Q_ARP: 6754 case Q_RARP: 6755 case Q_ATALK: 6756 case Q_DECNET: 6757 case Q_SCA: 6758 case Q_LAT: 6759 case Q_MOPRC: 6760 case Q_MOPDL: 6761 case Q_IPV6: 6762 /* 6763 * The offset is relative to the beginning of 6764 * the network-layer header. 6765 * XXX - are there any cases where we want 6766 * off_nl_nosnap? 6767 */ 6768 s = gen_off_macpl(); 6769 6770 /* 6771 * If "s" is non-null, it has code to arrange that the 6772 * X register contains the offset of the MAC-layer 6773 * payload. Add to it the offset computed into the 6774 * register specified by "index", and move that into 6775 * the X register. Otherwise, just load into the X 6776 * register the offset computed into the register specified 6777 * by "index". 6778 */ 6779 if (s != NULL) { 6780 sappend(s, xfer_to_a(inst)); 6781 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6782 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6783 } else 6784 s = xfer_to_x(inst); 6785 6786 /* 6787 * Load the item at the sum of the offset we've put in the 6788 * X register, the offset of the start of the network 6789 * layer header from the beginning of the MAC-layer 6790 * payload, and the purported offset of the start of the 6791 * MAC-layer payload (which might be 0 if there's a 6792 * variable-length prefix before the link-layer header 6793 * or the link-layer header itself is variable-length; 6794 * the variable-length offset of the start of the 6795 * MAC-layer payload is what we put into the X register 6796 * and then added to the index). 6797 */ 6798 tmp = new_stmt(BPF_LD|BPF_IND|size); 6799 tmp->s.k = off_macpl + off_nl; 6800 sappend(s, tmp); 6801 sappend(inst->s, s); 6802 6803 /* 6804 * Do the computation only if the packet contains 6805 * the protocol in question. 6806 */ 6807 b = gen_proto_abbrev(proto); 6808 if (inst->b) 6809 gen_and(inst->b, b); 6810 inst->b = b; 6811 break; 6812 6813 case Q_SCTP: 6814 case Q_TCP: 6815 case Q_UDP: 6816 case Q_ICMP: 6817 case Q_IGMP: 6818 case Q_IGRP: 6819 case Q_PIM: 6820 case Q_VRRP: 6821 case Q_CARP: 6822 /* 6823 * The offset is relative to the beginning of 6824 * the transport-layer header. 6825 * 6826 * Load the X register with the length of the IPv4 header 6827 * (plus the offset of the link-layer header, if it's 6828 * a variable-length header), in bytes. 6829 * 6830 * XXX - are there any cases where we want 6831 * off_nl_nosnap? 6832 * XXX - we should, if we're built with 6833 * IPv6 support, generate code to load either 6834 * IPv4, IPv6, or both, as appropriate. 6835 */ 6836 s = gen_loadx_iphdrlen(); 6837 6838 /* 6839 * The X register now contains the sum of the length 6840 * of any variable-length header preceding the link-layer 6841 * header, any variable-length link-layer header, and the 6842 * length of the network-layer header. 6843 * 6844 * Load into the A register the offset relative to 6845 * the beginning of the transport layer header, 6846 * add the X register to that, move that to the 6847 * X register, and load with an offset from the 6848 * X register equal to the offset of the network 6849 * layer header relative to the beginning of 6850 * the MAC-layer payload plus the fixed-length 6851 * portion of the offset of the MAC-layer payload 6852 * from the beginning of the raw packet data. 6853 */ 6854 sappend(s, xfer_to_a(inst)); 6855 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6856 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6857 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6858 tmp->s.k = off_macpl + off_nl; 6859 sappend(inst->s, s); 6860 6861 /* 6862 * Do the computation only if the packet contains 6863 * the protocol in question - which is true only 6864 * if this is an IP datagram and is the first or 6865 * only fragment of that datagram. 6866 */ 6867 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6868 if (inst->b) 6869 gen_and(inst->b, b); 6870 gen_and(gen_proto_abbrev(Q_IP), b); 6871 inst->b = b; 6872 break; 6873 case Q_ICMPV6: 6874 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6875 /*NOTREACHED*/ 6876 } 6877 inst->regno = regno; 6878 s = new_stmt(BPF_ST); 6879 s->s.k = regno; 6880 sappend(inst->s, s); 6881 6882 return inst; 6883 } 6884 6885 struct block * 6886 gen_relation(code, a0, a1, reversed) 6887 int code; 6888 struct arth *a0, *a1; 6889 int reversed; 6890 { 6891 struct slist *s0, *s1, *s2; 6892 struct block *b, *tmp; 6893 6894 s0 = xfer_to_x(a1); 6895 s1 = xfer_to_a(a0); 6896 if (code == BPF_JEQ) { 6897 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6898 b = new_block(JMP(code)); 6899 sappend(s1, s2); 6900 } 6901 else 6902 b = new_block(BPF_JMP|code|BPF_X); 6903 if (reversed) 6904 gen_not(b); 6905 6906 sappend(s0, s1); 6907 sappend(a1->s, s0); 6908 sappend(a0->s, a1->s); 6909 6910 b->stmts = a0->s; 6911 6912 free_reg(a0->regno); 6913 free_reg(a1->regno); 6914 6915 /* 'and' together protocol checks */ 6916 if (a0->b) { 6917 if (a1->b) { 6918 gen_and(a0->b, tmp = a1->b); 6919 } 6920 else 6921 tmp = a0->b; 6922 } else 6923 tmp = a1->b; 6924 6925 if (tmp) 6926 gen_and(tmp, b); 6927 6928 return b; 6929 } 6930 6931 struct arth * 6932 gen_loadlen() 6933 { 6934 int regno = alloc_reg(); 6935 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6936 struct slist *s; 6937 6938 s = new_stmt(BPF_LD|BPF_LEN); 6939 s->next = new_stmt(BPF_ST); 6940 s->next->s.k = regno; 6941 a->s = s; 6942 a->regno = regno; 6943 6944 return a; 6945 } 6946 6947 struct arth * 6948 gen_loadi(val) 6949 int val; 6950 { 6951 struct arth *a; 6952 struct slist *s; 6953 int reg; 6954 6955 a = (struct arth *)newchunk(sizeof(*a)); 6956 6957 reg = alloc_reg(); 6958 6959 s = new_stmt(BPF_LD|BPF_IMM); 6960 s->s.k = val; 6961 s->next = new_stmt(BPF_ST); 6962 s->next->s.k = reg; 6963 a->s = s; 6964 a->regno = reg; 6965 6966 return a; 6967 } 6968 6969 struct arth * 6970 gen_neg(a) 6971 struct arth *a; 6972 { 6973 struct slist *s; 6974 6975 s = xfer_to_a(a); 6976 sappend(a->s, s); 6977 s = new_stmt(BPF_ALU|BPF_NEG); 6978 s->s.k = 0; 6979 sappend(a->s, s); 6980 s = new_stmt(BPF_ST); 6981 s->s.k = a->regno; 6982 sappend(a->s, s); 6983 6984 return a; 6985 } 6986 6987 struct arth * 6988 gen_arth(code, a0, a1) 6989 int code; 6990 struct arth *a0, *a1; 6991 { 6992 struct slist *s0, *s1, *s2; 6993 6994 s0 = xfer_to_x(a1); 6995 s1 = xfer_to_a(a0); 6996 s2 = new_stmt(BPF_ALU|BPF_X|code); 6997 6998 sappend(s1, s2); 6999 sappend(s0, s1); 7000 sappend(a1->s, s0); 7001 sappend(a0->s, a1->s); 7002 7003 free_reg(a0->regno); 7004 free_reg(a1->regno); 7005 7006 s0 = new_stmt(BPF_ST); 7007 a0->regno = s0->s.k = alloc_reg(); 7008 sappend(a0->s, s0); 7009 7010 return a0; 7011 } 7012 7013 /* 7014 * Here we handle simple allocation of the scratch registers. 7015 * If too many registers are alloc'd, the allocator punts. 7016 */ 7017 static int regused[BPF_MEMWORDS]; 7018 static int curreg; 7019 7020 /* 7021 * Initialize the table of used registers and the current register. 7022 */ 7023 static void 7024 init_regs() 7025 { 7026 curreg = 0; 7027 memset(regused, 0, sizeof regused); 7028 } 7029 7030 /* 7031 * Return the next free register. 7032 */ 7033 static int 7034 alloc_reg() 7035 { 7036 int n = BPF_MEMWORDS; 7037 7038 while (--n >= 0) { 7039 if (regused[curreg]) 7040 curreg = (curreg + 1) % BPF_MEMWORDS; 7041 else { 7042 regused[curreg] = 1; 7043 return curreg; 7044 } 7045 } 7046 bpf_error("too many registers needed to evaluate expression"); 7047 /* NOTREACHED */ 7048 return 0; 7049 } 7050 7051 /* 7052 * Return a register to the table so it can 7053 * be used later. 7054 */ 7055 static void 7056 free_reg(n) 7057 int n; 7058 { 7059 regused[n] = 0; 7060 } 7061 7062 static struct block * 7063 gen_len(jmp, n) 7064 int jmp, n; 7065 { 7066 struct slist *s; 7067 struct block *b; 7068 7069 s = new_stmt(BPF_LD|BPF_LEN); 7070 b = new_block(JMP(jmp)); 7071 b->stmts = s; 7072 b->s.k = n; 7073 7074 return b; 7075 } 7076 7077 struct block * 7078 gen_greater(n) 7079 int n; 7080 { 7081 return gen_len(BPF_JGE, n); 7082 } 7083 7084 /* 7085 * Actually, this is less than or equal. 7086 */ 7087 struct block * 7088 gen_less(n) 7089 int n; 7090 { 7091 struct block *b; 7092 7093 b = gen_len(BPF_JGT, n); 7094 gen_not(b); 7095 7096 return b; 7097 } 7098 7099 /* 7100 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7101 * the beginning of the link-layer header. 7102 * XXX - that means you can't test values in the radiotap header, but 7103 * as that header is difficult if not impossible to parse generally 7104 * without a loop, that might not be a severe problem. A new keyword 7105 * "radio" could be added for that, although what you'd really want 7106 * would be a way of testing particular radio header values, which 7107 * would generate code appropriate to the radio header in question. 7108 */ 7109 struct block * 7110 gen_byteop(op, idx, val) 7111 int op, idx, val; 7112 { 7113 struct block *b; 7114 struct slist *s; 7115 7116 switch (op) { 7117 default: 7118 abort(); 7119 7120 case '=': 7121 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7122 7123 case '<': 7124 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7125 return b; 7126 7127 case '>': 7128 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7129 return b; 7130 7131 case '|': 7132 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7133 break; 7134 7135 case '&': 7136 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7137 break; 7138 } 7139 s->s.k = val; 7140 b = new_block(JMP(BPF_JEQ)); 7141 b->stmts = s; 7142 gen_not(b); 7143 7144 return b; 7145 } 7146 7147 static u_char abroadcast[] = { 0x0 }; 7148 7149 struct block * 7150 gen_broadcast(proto) 7151 int proto; 7152 { 7153 bpf_u_int32 hostmask; 7154 struct block *b0, *b1, *b2; 7155 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7156 7157 switch (proto) { 7158 7159 case Q_DEFAULT: 7160 case Q_LINK: 7161 switch (linktype) { 7162 case DLT_ARCNET: 7163 case DLT_ARCNET_LINUX: 7164 return gen_ahostop(abroadcast, Q_DST); 7165 case DLT_EN10MB: 7166 case DLT_NETANALYZER: 7167 case DLT_NETANALYZER_TRANSPARENT: 7168 return gen_ehostop(ebroadcast, Q_DST); 7169 case DLT_FDDI: 7170 return gen_fhostop(ebroadcast, Q_DST); 7171 case DLT_IEEE802: 7172 return gen_thostop(ebroadcast, Q_DST); 7173 case DLT_IEEE802_11: 7174 case DLT_PRISM_HEADER: 7175 case DLT_IEEE802_11_RADIO_AVS: 7176 case DLT_IEEE802_11_RADIO: 7177 case DLT_PPI: 7178 return gen_wlanhostop(ebroadcast, Q_DST); 7179 case DLT_IP_OVER_FC: 7180 return gen_ipfchostop(ebroadcast, Q_DST); 7181 case DLT_SUNATM: 7182 if (is_lane) { 7183 /* 7184 * Check that the packet doesn't begin with an 7185 * LE Control marker. (We've already generated 7186 * a test for LANE.) 7187 */ 7188 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7189 BPF_H, 0xFF00); 7190 gen_not(b1); 7191 7192 /* 7193 * Now check the MAC address. 7194 */ 7195 b0 = gen_ehostop(ebroadcast, Q_DST); 7196 gen_and(b1, b0); 7197 return b0; 7198 } 7199 break; 7200 default: 7201 bpf_error("not a broadcast link"); 7202 } 7203 break; 7204 7205 case Q_IP: 7206 /* 7207 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7208 * as an indication that we don't know the netmask, and fail 7209 * in that case. 7210 */ 7211 if (netmask == PCAP_NETMASK_UNKNOWN) 7212 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7213 b0 = gen_linktype(ETHERTYPE_IP); 7214 hostmask = ~netmask; 7215 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7216 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7217 (bpf_int32)(~0 & hostmask), hostmask); 7218 gen_or(b1, b2); 7219 gen_and(b0, b2); 7220 return b2; 7221 } 7222 bpf_error("only link-layer/IP broadcast filters supported"); 7223 /* NOTREACHED */ 7224 return NULL; 7225 } 7226 7227 /* 7228 * Generate code to test the low-order bit of a MAC address (that's 7229 * the bottom bit of the *first* byte). 7230 */ 7231 static struct block * 7232 gen_mac_multicast(offset) 7233 int offset; 7234 { 7235 register struct block *b0; 7236 register struct slist *s; 7237 7238 /* link[offset] & 1 != 0 */ 7239 s = gen_load_a(OR_LINK, offset, BPF_B); 7240 b0 = new_block(JMP(BPF_JSET)); 7241 b0->s.k = 1; 7242 b0->stmts = s; 7243 return b0; 7244 } 7245 7246 struct block * 7247 gen_multicast(proto) 7248 int proto; 7249 { 7250 register struct block *b0, *b1, *b2; 7251 register struct slist *s; 7252 7253 switch (proto) { 7254 7255 case Q_DEFAULT: 7256 case Q_LINK: 7257 switch (linktype) { 7258 case DLT_ARCNET: 7259 case DLT_ARCNET_LINUX: 7260 /* all ARCnet multicasts use the same address */ 7261 return gen_ahostop(abroadcast, Q_DST); 7262 case DLT_EN10MB: 7263 case DLT_NETANALYZER: 7264 case DLT_NETANALYZER_TRANSPARENT: 7265 /* ether[0] & 1 != 0 */ 7266 return gen_mac_multicast(0); 7267 case DLT_FDDI: 7268 /* 7269 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7270 * 7271 * XXX - was that referring to bit-order issues? 7272 */ 7273 /* fddi[1] & 1 != 0 */ 7274 return gen_mac_multicast(1); 7275 case DLT_IEEE802: 7276 /* tr[2] & 1 != 0 */ 7277 return gen_mac_multicast(2); 7278 case DLT_IEEE802_11: 7279 case DLT_PRISM_HEADER: 7280 case DLT_IEEE802_11_RADIO_AVS: 7281 case DLT_IEEE802_11_RADIO: 7282 case DLT_PPI: 7283 /* 7284 * Oh, yuk. 7285 * 7286 * For control frames, there is no DA. 7287 * 7288 * For management frames, DA is at an 7289 * offset of 4 from the beginning of 7290 * the packet. 7291 * 7292 * For data frames, DA is at an offset 7293 * of 4 from the beginning of the packet 7294 * if To DS is clear and at an offset of 7295 * 16 from the beginning of the packet 7296 * if To DS is set. 7297 */ 7298 7299 /* 7300 * Generate the tests to be done for data frames. 7301 * 7302 * First, check for To DS set, i.e. "link[1] & 0x01". 7303 */ 7304 s = gen_load_a(OR_LINK, 1, BPF_B); 7305 b1 = new_block(JMP(BPF_JSET)); 7306 b1->s.k = 0x01; /* To DS */ 7307 b1->stmts = s; 7308 7309 /* 7310 * If To DS is set, the DA is at 16. 7311 */ 7312 b0 = gen_mac_multicast(16); 7313 gen_and(b1, b0); 7314 7315 /* 7316 * Now, check for To DS not set, i.e. check 7317 * "!(link[1] & 0x01)". 7318 */ 7319 s = gen_load_a(OR_LINK, 1, BPF_B); 7320 b2 = new_block(JMP(BPF_JSET)); 7321 b2->s.k = 0x01; /* To DS */ 7322 b2->stmts = s; 7323 gen_not(b2); 7324 7325 /* 7326 * If To DS is not set, the DA is at 4. 7327 */ 7328 b1 = gen_mac_multicast(4); 7329 gen_and(b2, b1); 7330 7331 /* 7332 * Now OR together the last two checks. That gives 7333 * the complete set of checks for data frames. 7334 */ 7335 gen_or(b1, b0); 7336 7337 /* 7338 * Now check for a data frame. 7339 * I.e, check "link[0] & 0x08". 7340 */ 7341 s = gen_load_a(OR_LINK, 0, BPF_B); 7342 b1 = new_block(JMP(BPF_JSET)); 7343 b1->s.k = 0x08; 7344 b1->stmts = s; 7345 7346 /* 7347 * AND that with the checks done for data frames. 7348 */ 7349 gen_and(b1, b0); 7350 7351 /* 7352 * If the high-order bit of the type value is 0, this 7353 * is a management frame. 7354 * I.e, check "!(link[0] & 0x08)". 7355 */ 7356 s = gen_load_a(OR_LINK, 0, BPF_B); 7357 b2 = new_block(JMP(BPF_JSET)); 7358 b2->s.k = 0x08; 7359 b2->stmts = s; 7360 gen_not(b2); 7361 7362 /* 7363 * For management frames, the DA is at 4. 7364 */ 7365 b1 = gen_mac_multicast(4); 7366 gen_and(b2, b1); 7367 7368 /* 7369 * OR that with the checks done for data frames. 7370 * That gives the checks done for management and 7371 * data frames. 7372 */ 7373 gen_or(b1, b0); 7374 7375 /* 7376 * If the low-order bit of the type value is 1, 7377 * this is either a control frame or a frame 7378 * with a reserved type, and thus not a 7379 * frame with an SA. 7380 * 7381 * I.e., check "!(link[0] & 0x04)". 7382 */ 7383 s = gen_load_a(OR_LINK, 0, BPF_B); 7384 b1 = new_block(JMP(BPF_JSET)); 7385 b1->s.k = 0x04; 7386 b1->stmts = s; 7387 gen_not(b1); 7388 7389 /* 7390 * AND that with the checks for data and management 7391 * frames. 7392 */ 7393 gen_and(b1, b0); 7394 return b0; 7395 case DLT_IP_OVER_FC: 7396 b0 = gen_mac_multicast(2); 7397 return b0; 7398 case DLT_SUNATM: 7399 if (is_lane) { 7400 /* 7401 * Check that the packet doesn't begin with an 7402 * LE Control marker. (We've already generated 7403 * a test for LANE.) 7404 */ 7405 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7406 BPF_H, 0xFF00); 7407 gen_not(b1); 7408 7409 /* ether[off_mac] & 1 != 0 */ 7410 b0 = gen_mac_multicast(off_mac); 7411 gen_and(b1, b0); 7412 return b0; 7413 } 7414 break; 7415 default: 7416 break; 7417 } 7418 /* Link not known to support multicasts */ 7419 break; 7420 7421 case Q_IP: 7422 b0 = gen_linktype(ETHERTYPE_IP); 7423 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7424 gen_and(b0, b1); 7425 return b1; 7426 7427 case Q_IPV6: 7428 b0 = gen_linktype(ETHERTYPE_IPV6); 7429 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7430 gen_and(b0, b1); 7431 return b1; 7432 } 7433 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7434 /* NOTREACHED */ 7435 return NULL; 7436 } 7437 7438 /* 7439 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7440 * Outbound traffic is sent by this machine, while inbound traffic is 7441 * sent by a remote machine (and may include packets destined for a 7442 * unicast or multicast link-layer address we are not subscribing to). 7443 * These are the same definitions implemented by pcap_setdirection(). 7444 * Capturing only unicast traffic destined for this host is probably 7445 * better accomplished using a higher-layer filter. 7446 */ 7447 struct block * 7448 gen_inbound(dir) 7449 int dir; 7450 { 7451 register struct block *b0; 7452 7453 /* 7454 * Only some data link types support inbound/outbound qualifiers. 7455 */ 7456 switch (linktype) { 7457 case DLT_SLIP: 7458 b0 = gen_relation(BPF_JEQ, 7459 gen_load(Q_LINK, gen_loadi(0), 1), 7460 gen_loadi(0), 7461 dir); 7462 break; 7463 7464 case DLT_IPNET: 7465 if (dir) { 7466 /* match outgoing packets */ 7467 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7468 } else { 7469 /* match incoming packets */ 7470 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7471 } 7472 break; 7473 7474 case DLT_LINUX_SLL: 7475 /* match outgoing packets */ 7476 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7477 if (!dir) { 7478 /* to filter on inbound traffic, invert the match */ 7479 gen_not(b0); 7480 } 7481 break; 7482 7483 #ifdef HAVE_NET_PFVAR_H 7484 case DLT_PFLOG: 7485 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7486 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7487 break; 7488 #endif 7489 7490 case DLT_PPP_PPPD: 7491 if (dir) { 7492 /* match outgoing packets */ 7493 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7494 } else { 7495 /* match incoming packets */ 7496 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7497 } 7498 break; 7499 7500 case DLT_JUNIPER_MFR: 7501 case DLT_JUNIPER_MLFR: 7502 case DLT_JUNIPER_MLPPP: 7503 case DLT_JUNIPER_ATM1: 7504 case DLT_JUNIPER_ATM2: 7505 case DLT_JUNIPER_PPPOE: 7506 case DLT_JUNIPER_PPPOE_ATM: 7507 case DLT_JUNIPER_GGSN: 7508 case DLT_JUNIPER_ES: 7509 case DLT_JUNIPER_MONITOR: 7510 case DLT_JUNIPER_SERVICES: 7511 case DLT_JUNIPER_ETHER: 7512 case DLT_JUNIPER_PPP: 7513 case DLT_JUNIPER_FRELAY: 7514 case DLT_JUNIPER_CHDLC: 7515 case DLT_JUNIPER_VP: 7516 case DLT_JUNIPER_ST: 7517 case DLT_JUNIPER_ISM: 7518 case DLT_JUNIPER_VS: 7519 case DLT_JUNIPER_SRX_E2E: 7520 case DLT_JUNIPER_FIBRECHANNEL: 7521 case DLT_JUNIPER_ATM_CEMIC: 7522 7523 /* juniper flags (including direction) are stored 7524 * the byte after the 3-byte magic number */ 7525 if (dir) { 7526 /* match outgoing packets */ 7527 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7528 } else { 7529 /* match incoming packets */ 7530 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7531 } 7532 break; 7533 7534 default: 7535 /* 7536 * If we have packet meta-data indicating a direction, 7537 * check it, otherwise give up as this link-layer type 7538 * has nothing in the packet data. 7539 */ 7540 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7541 /* 7542 * This is Linux with PF_PACKET support. 7543 * If this is a *live* capture, we can look at 7544 * special meta-data in the filter expression; 7545 * if it's a savefile, we can't. 7546 */ 7547 if (bpf_pcap->rfile != NULL) { 7548 /* We have a FILE *, so this is a savefile */ 7549 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7550 linktype); 7551 b0 = NULL; 7552 /* NOTREACHED */ 7553 } 7554 /* match outgoing packets */ 7555 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7556 PACKET_OUTGOING); 7557 if (!dir) { 7558 /* to filter on inbound traffic, invert the match */ 7559 gen_not(b0); 7560 } 7561 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7562 bpf_error("inbound/outbound not supported on linktype %d", 7563 linktype); 7564 b0 = NULL; 7565 /* NOTREACHED */ 7566 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7567 } 7568 return (b0); 7569 } 7570 7571 #ifdef HAVE_NET_PFVAR_H 7572 /* PF firewall log matched interface */ 7573 struct block * 7574 gen_pf_ifname(const char *ifname) 7575 { 7576 struct block *b0; 7577 u_int len, off; 7578 7579 if (linktype != DLT_PFLOG) { 7580 bpf_error("ifname supported only on PF linktype"); 7581 /* NOTREACHED */ 7582 } 7583 len = sizeof(((struct pfloghdr *)0)->ifname); 7584 off = offsetof(struct pfloghdr, ifname); 7585 if (strlen(ifname) >= len) { 7586 bpf_error("ifname interface names can only be %d characters", 7587 len-1); 7588 /* NOTREACHED */ 7589 } 7590 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7591 return (b0); 7592 } 7593 7594 /* PF firewall log ruleset name */ 7595 struct block * 7596 gen_pf_ruleset(char *ruleset) 7597 { 7598 struct block *b0; 7599 7600 if (linktype != DLT_PFLOG) { 7601 bpf_error("ruleset supported only on PF linktype"); 7602 /* NOTREACHED */ 7603 } 7604 7605 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7606 bpf_error("ruleset names can only be %ld characters", 7607 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7608 /* NOTREACHED */ 7609 } 7610 7611 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7612 strlen(ruleset), (const u_char *)ruleset); 7613 return (b0); 7614 } 7615 7616 /* PF firewall log rule number */ 7617 struct block * 7618 gen_pf_rnr(int rnr) 7619 { 7620 struct block *b0; 7621 7622 if (linktype != DLT_PFLOG) { 7623 bpf_error("rnr supported only on PF linktype"); 7624 /* NOTREACHED */ 7625 } 7626 7627 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7628 (bpf_int32)rnr); 7629 return (b0); 7630 } 7631 7632 /* PF firewall log sub-rule number */ 7633 struct block * 7634 gen_pf_srnr(int srnr) 7635 { 7636 struct block *b0; 7637 7638 if (linktype != DLT_PFLOG) { 7639 bpf_error("srnr supported only on PF linktype"); 7640 /* NOTREACHED */ 7641 } 7642 7643 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7644 (bpf_int32)srnr); 7645 return (b0); 7646 } 7647 7648 /* PF firewall log reason code */ 7649 struct block * 7650 gen_pf_reason(int reason) 7651 { 7652 struct block *b0; 7653 7654 if (linktype != DLT_PFLOG) { 7655 bpf_error("reason supported only on PF linktype"); 7656 /* NOTREACHED */ 7657 } 7658 7659 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7660 (bpf_int32)reason); 7661 return (b0); 7662 } 7663 7664 /* PF firewall log action */ 7665 struct block * 7666 gen_pf_action(int action) 7667 { 7668 struct block *b0; 7669 7670 if (linktype != DLT_PFLOG) { 7671 bpf_error("action supported only on PF linktype"); 7672 /* NOTREACHED */ 7673 } 7674 7675 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7676 (bpf_int32)action); 7677 return (b0); 7678 } 7679 #else /* !HAVE_NET_PFVAR_H */ 7680 struct block * 7681 gen_pf_ifname(const char *ifname) 7682 { 7683 bpf_error("libpcap was compiled without pf support"); 7684 /* NOTREACHED */ 7685 return (NULL); 7686 } 7687 7688 struct block * 7689 gen_pf_ruleset(char *ruleset) 7690 { 7691 bpf_error("libpcap was compiled on a machine without pf support"); 7692 /* NOTREACHED */ 7693 return (NULL); 7694 } 7695 7696 struct block * 7697 gen_pf_rnr(int rnr) 7698 { 7699 bpf_error("libpcap was compiled on a machine without pf support"); 7700 /* NOTREACHED */ 7701 return (NULL); 7702 } 7703 7704 struct block * 7705 gen_pf_srnr(int srnr) 7706 { 7707 bpf_error("libpcap was compiled on a machine without pf support"); 7708 /* NOTREACHED */ 7709 return (NULL); 7710 } 7711 7712 struct block * 7713 gen_pf_reason(int reason) 7714 { 7715 bpf_error("libpcap was compiled on a machine without pf support"); 7716 /* NOTREACHED */ 7717 return (NULL); 7718 } 7719 7720 struct block * 7721 gen_pf_action(int action) 7722 { 7723 bpf_error("libpcap was compiled on a machine without pf support"); 7724 /* NOTREACHED */ 7725 return (NULL); 7726 } 7727 #endif /* HAVE_NET_PFVAR_H */ 7728 7729 /* IEEE 802.11 wireless header */ 7730 struct block * 7731 gen_p80211_type(int type, int mask) 7732 { 7733 struct block *b0; 7734 7735 switch (linktype) { 7736 7737 case DLT_IEEE802_11: 7738 case DLT_PRISM_HEADER: 7739 case DLT_IEEE802_11_RADIO_AVS: 7740 case DLT_IEEE802_11_RADIO: 7741 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7742 (bpf_int32)mask); 7743 break; 7744 7745 default: 7746 bpf_error("802.11 link-layer types supported only on 802.11"); 7747 /* NOTREACHED */ 7748 } 7749 7750 return (b0); 7751 } 7752 7753 struct block * 7754 gen_p80211_fcdir(int fcdir) 7755 { 7756 struct block *b0; 7757 7758 switch (linktype) { 7759 7760 case DLT_IEEE802_11: 7761 case DLT_PRISM_HEADER: 7762 case DLT_IEEE802_11_RADIO_AVS: 7763 case DLT_IEEE802_11_RADIO: 7764 break; 7765 7766 default: 7767 bpf_error("frame direction supported only with 802.11 headers"); 7768 /* NOTREACHED */ 7769 } 7770 7771 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7772 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7773 7774 return (b0); 7775 } 7776 7777 struct block * 7778 gen_acode(eaddr, q) 7779 register const u_char *eaddr; 7780 struct qual q; 7781 { 7782 switch (linktype) { 7783 7784 case DLT_ARCNET: 7785 case DLT_ARCNET_LINUX: 7786 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7787 q.proto == Q_LINK) 7788 return (gen_ahostop(eaddr, (int)q.dir)); 7789 else { 7790 bpf_error("ARCnet address used in non-arc expression"); 7791 /* NOTREACHED */ 7792 } 7793 break; 7794 7795 default: 7796 bpf_error("aid supported only on ARCnet"); 7797 /* NOTREACHED */ 7798 } 7799 bpf_error("ARCnet address used in non-arc expression"); 7800 /* NOTREACHED */ 7801 return NULL; 7802 } 7803 7804 static struct block * 7805 gen_ahostop(eaddr, dir) 7806 register const u_char *eaddr; 7807 register int dir; 7808 { 7809 register struct block *b0, *b1; 7810 7811 switch (dir) { 7812 /* src comes first, different from Ethernet */ 7813 case Q_SRC: 7814 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7815 7816 case Q_DST: 7817 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7818 7819 case Q_AND: 7820 b0 = gen_ahostop(eaddr, Q_SRC); 7821 b1 = gen_ahostop(eaddr, Q_DST); 7822 gen_and(b0, b1); 7823 return b1; 7824 7825 case Q_DEFAULT: 7826 case Q_OR: 7827 b0 = gen_ahostop(eaddr, Q_SRC); 7828 b1 = gen_ahostop(eaddr, Q_DST); 7829 gen_or(b0, b1); 7830 return b1; 7831 7832 case Q_ADDR1: 7833 bpf_error("'addr1' is only supported on 802.11"); 7834 break; 7835 7836 case Q_ADDR2: 7837 bpf_error("'addr2' is only supported on 802.11"); 7838 break; 7839 7840 case Q_ADDR3: 7841 bpf_error("'addr3' is only supported on 802.11"); 7842 break; 7843 7844 case Q_ADDR4: 7845 bpf_error("'addr4' is only supported on 802.11"); 7846 break; 7847 7848 case Q_RA: 7849 bpf_error("'ra' is only supported on 802.11"); 7850 break; 7851 7852 case Q_TA: 7853 bpf_error("'ta' is only supported on 802.11"); 7854 break; 7855 } 7856 abort(); 7857 /* NOTREACHED */ 7858 } 7859 7860 /* 7861 * support IEEE 802.1Q VLAN trunk over ethernet 7862 */ 7863 struct block * 7864 gen_vlan(vlan_num) 7865 int vlan_num; 7866 { 7867 struct block *b0, *b1; 7868 7869 /* can't check for VLAN-encapsulated packets inside MPLS */ 7870 if (label_stack_depth > 0) 7871 bpf_error("no VLAN match after MPLS"); 7872 7873 /* 7874 * Check for a VLAN packet, and then change the offsets to point 7875 * to the type and data fields within the VLAN packet. Just 7876 * increment the offsets, so that we can support a hierarchy, e.g. 7877 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7878 * VLAN 100. 7879 * 7880 * XXX - this is a bit of a kludge. If we were to split the 7881 * compiler into a parser that parses an expression and 7882 * generates an expression tree, and a code generator that 7883 * takes an expression tree (which could come from our 7884 * parser or from some other parser) and generates BPF code, 7885 * we could perhaps make the offsets parameters of routines 7886 * and, in the handler for an "AND" node, pass to subnodes 7887 * other than the VLAN node the adjusted offsets. 7888 * 7889 * This would mean that "vlan" would, instead of changing the 7890 * behavior of *all* tests after it, change only the behavior 7891 * of tests ANDed with it. That would change the documented 7892 * semantics of "vlan", which might break some expressions. 7893 * However, it would mean that "(vlan and ip) or ip" would check 7894 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7895 * checking only for VLAN-encapsulated IP, so that could still 7896 * be considered worth doing; it wouldn't break expressions 7897 * that are of the form "vlan and ..." or "vlan N and ...", 7898 * which I suspect are the most common expressions involving 7899 * "vlan". "vlan or ..." doesn't necessarily do what the user 7900 * would really want, now, as all the "or ..." tests would 7901 * be done assuming a VLAN, even though the "or" could be viewed 7902 * as meaning "or, if this isn't a VLAN packet...". 7903 */ 7904 orig_nl = off_nl; 7905 7906 switch (linktype) { 7907 7908 case DLT_EN10MB: 7909 case DLT_NETANALYZER: 7910 case DLT_NETANALYZER_TRANSPARENT: 7911 /* check for VLAN, including QinQ */ 7912 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7913 (bpf_int32)ETHERTYPE_8021Q); 7914 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7915 (bpf_int32)ETHERTYPE_8021QINQ); 7916 gen_or(b0,b1); 7917 b0 = b1; 7918 7919 /* If a specific VLAN is requested, check VLAN id */ 7920 if (vlan_num >= 0) { 7921 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7922 (bpf_int32)vlan_num, 0x0fff); 7923 gen_and(b0, b1); 7924 b0 = b1; 7925 } 7926 7927 off_macpl += 4; 7928 off_linktype += 4; 7929 #if 0 7930 off_nl_nosnap += 4; 7931 off_nl += 4; 7932 #endif 7933 break; 7934 7935 default: 7936 bpf_error("no VLAN support for data link type %d", 7937 linktype); 7938 /*NOTREACHED*/ 7939 } 7940 7941 return (b0); 7942 } 7943 7944 /* 7945 * support for MPLS 7946 */ 7947 struct block * 7948 gen_mpls(label_num) 7949 int label_num; 7950 { 7951 struct block *b0,*b1; 7952 7953 /* 7954 * Change the offsets to point to the type and data fields within 7955 * the MPLS packet. Just increment the offsets, so that we 7956 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7957 * capture packets with an outer label of 100000 and an inner 7958 * label of 1024. 7959 * 7960 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7961 */ 7962 orig_nl = off_nl; 7963 7964 if (label_stack_depth > 0) { 7965 /* just match the bottom-of-stack bit clear */ 7966 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7967 } else { 7968 /* 7969 * Indicate that we're checking MPLS-encapsulated headers, 7970 * to make sure higher level code generators don't try to 7971 * match against IP-related protocols such as Q_ARP, Q_RARP 7972 * etc. 7973 */ 7974 switch (linktype) { 7975 7976 case DLT_C_HDLC: /* fall through */ 7977 case DLT_EN10MB: 7978 case DLT_NETANALYZER: 7979 case DLT_NETANALYZER_TRANSPARENT: 7980 b0 = gen_linktype(ETHERTYPE_MPLS); 7981 break; 7982 7983 case DLT_PPP: 7984 b0 = gen_linktype(PPP_MPLS_UCAST); 7985 break; 7986 7987 /* FIXME add other DLT_s ... 7988 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7989 * leave it for now */ 7990 7991 default: 7992 bpf_error("no MPLS support for data link type %d", 7993 linktype); 7994 b0 = NULL; 7995 /*NOTREACHED*/ 7996 break; 7997 } 7998 } 7999 8000 /* If a specific MPLS label is requested, check it */ 8001 if (label_num >= 0) { 8002 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8003 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8004 0xfffff000); /* only compare the first 20 bits */ 8005 gen_and(b0, b1); 8006 b0 = b1; 8007 } 8008 8009 off_nl_nosnap += 4; 8010 off_nl += 4; 8011 label_stack_depth++; 8012 return (b0); 8013 } 8014 8015 /* 8016 * Support PPPOE discovery and session. 8017 */ 8018 struct block * 8019 gen_pppoed() 8020 { 8021 /* check for PPPoE discovery */ 8022 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8023 } 8024 8025 struct block * 8026 gen_pppoes(sess_num) 8027 int sess_num; 8028 { 8029 struct block *b0, *b1; 8030 8031 /* 8032 * Test against the PPPoE session link-layer type. 8033 */ 8034 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8035 8036 /* 8037 * Change the offsets to point to the type and data fields within 8038 * the PPP packet, and note that this is PPPoE rather than 8039 * raw PPP. 8040 * 8041 * XXX - this is a bit of a kludge. If we were to split the 8042 * compiler into a parser that parses an expression and 8043 * generates an expression tree, and a code generator that 8044 * takes an expression tree (which could come from our 8045 * parser or from some other parser) and generates BPF code, 8046 * we could perhaps make the offsets parameters of routines 8047 * and, in the handler for an "AND" node, pass to subnodes 8048 * other than the PPPoE node the adjusted offsets. 8049 * 8050 * This would mean that "pppoes" would, instead of changing the 8051 * behavior of *all* tests after it, change only the behavior 8052 * of tests ANDed with it. That would change the documented 8053 * semantics of "pppoes", which might break some expressions. 8054 * However, it would mean that "(pppoes and ip) or ip" would check 8055 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8056 * checking only for VLAN-encapsulated IP, so that could still 8057 * be considered worth doing; it wouldn't break expressions 8058 * that are of the form "pppoes and ..." which I suspect are the 8059 * most common expressions involving "pppoes". "pppoes or ..." 8060 * doesn't necessarily do what the user would really want, now, 8061 * as all the "or ..." tests would be done assuming PPPoE, even 8062 * though the "or" could be viewed as meaning "or, if this isn't 8063 * a PPPoE packet...". 8064 */ 8065 orig_linktype = off_linktype; /* save original values */ 8066 orig_nl = off_nl; 8067 is_pppoes = 1; 8068 8069 /* If a specific session is requested, check PPPoE session id */ 8070 if (sess_num >= 0) { 8071 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, 8072 (bpf_int32)sess_num, 0x0000ffff); 8073 gen_and(b0, b1); 8074 b0 = b1; 8075 } 8076 8077 /* 8078 * The "network-layer" protocol is PPPoE, which has a 6-byte 8079 * PPPoE header, followed by a PPP packet. 8080 * 8081 * There is no HDLC encapsulation for the PPP packet (it's 8082 * encapsulated in PPPoES instead), so the link-layer type 8083 * starts at the first byte of the PPP packet. For PPPoE, 8084 * that offset is relative to the beginning of the total 8085 * link-layer payload, including any 802.2 LLC header, so 8086 * it's 6 bytes past off_nl. 8087 */ 8088 off_linktype = off_nl + 6; 8089 8090 /* 8091 * The network-layer offsets are relative to the beginning 8092 * of the MAC-layer payload; that's past the 6-byte 8093 * PPPoE header and the 2-byte PPP header. 8094 */ 8095 off_nl = 6+2; 8096 off_nl_nosnap = 6+2; 8097 8098 return b0; 8099 } 8100 8101 struct block * 8102 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8103 int atmfield; 8104 bpf_int32 jvalue; 8105 bpf_u_int32 jtype; 8106 int reverse; 8107 { 8108 struct block *b0; 8109 8110 switch (atmfield) { 8111 8112 case A_VPI: 8113 if (!is_atm) 8114 bpf_error("'vpi' supported only on raw ATM"); 8115 if (off_vpi == (u_int)-1) 8116 abort(); 8117 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8118 reverse, jvalue); 8119 break; 8120 8121 case A_VCI: 8122 if (!is_atm) 8123 bpf_error("'vci' supported only on raw ATM"); 8124 if (off_vci == (u_int)-1) 8125 abort(); 8126 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8127 reverse, jvalue); 8128 break; 8129 8130 case A_PROTOTYPE: 8131 if (off_proto == (u_int)-1) 8132 abort(); /* XXX - this isn't on FreeBSD */ 8133 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8134 reverse, jvalue); 8135 break; 8136 8137 case A_MSGTYPE: 8138 if (off_payload == (u_int)-1) 8139 abort(); 8140 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8141 0xffffffff, jtype, reverse, jvalue); 8142 break; 8143 8144 case A_CALLREFTYPE: 8145 if (!is_atm) 8146 bpf_error("'callref' supported only on raw ATM"); 8147 if (off_proto == (u_int)-1) 8148 abort(); 8149 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8150 jtype, reverse, jvalue); 8151 break; 8152 8153 default: 8154 abort(); 8155 } 8156 return b0; 8157 } 8158 8159 struct block * 8160 gen_atmtype_abbrev(type) 8161 int type; 8162 { 8163 struct block *b0, *b1; 8164 8165 switch (type) { 8166 8167 case A_METAC: 8168 /* Get all packets in Meta signalling Circuit */ 8169 if (!is_atm) 8170 bpf_error("'metac' supported only on raw ATM"); 8171 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8172 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8173 gen_and(b0, b1); 8174 break; 8175 8176 case A_BCC: 8177 /* Get all packets in Broadcast Circuit*/ 8178 if (!is_atm) 8179 bpf_error("'bcc' supported only on raw ATM"); 8180 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8181 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8182 gen_and(b0, b1); 8183 break; 8184 8185 case A_OAMF4SC: 8186 /* Get all cells in Segment OAM F4 circuit*/ 8187 if (!is_atm) 8188 bpf_error("'oam4sc' supported only on raw ATM"); 8189 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8190 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8191 gen_and(b0, b1); 8192 break; 8193 8194 case A_OAMF4EC: 8195 /* Get all cells in End-to-End OAM F4 Circuit*/ 8196 if (!is_atm) 8197 bpf_error("'oam4ec' supported only on raw ATM"); 8198 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8199 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8200 gen_and(b0, b1); 8201 break; 8202 8203 case A_SC: 8204 /* Get all packets in connection Signalling Circuit */ 8205 if (!is_atm) 8206 bpf_error("'sc' supported only on raw ATM"); 8207 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8208 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8209 gen_and(b0, b1); 8210 break; 8211 8212 case A_ILMIC: 8213 /* Get all packets in ILMI Circuit */ 8214 if (!is_atm) 8215 bpf_error("'ilmic' supported only on raw ATM"); 8216 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8217 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8218 gen_and(b0, b1); 8219 break; 8220 8221 case A_LANE: 8222 /* Get all LANE packets */ 8223 if (!is_atm) 8224 bpf_error("'lane' supported only on raw ATM"); 8225 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8226 8227 /* 8228 * Arrange that all subsequent tests assume LANE 8229 * rather than LLC-encapsulated packets, and set 8230 * the offsets appropriately for LANE-encapsulated 8231 * Ethernet. 8232 * 8233 * "off_mac" is the offset of the Ethernet header, 8234 * which is 2 bytes past the ATM pseudo-header 8235 * (skipping the pseudo-header and 2-byte LE Client 8236 * field). The other offsets are Ethernet offsets 8237 * relative to "off_mac". 8238 */ 8239 is_lane = 1; 8240 off_mac = off_payload + 2; /* MAC header */ 8241 off_linktype = off_mac + 12; 8242 off_macpl = off_mac + 14; /* Ethernet */ 8243 off_nl = 0; /* Ethernet II */ 8244 off_nl_nosnap = 3; /* 802.3+802.2 */ 8245 break; 8246 8247 case A_LLC: 8248 /* Get all LLC-encapsulated packets */ 8249 if (!is_atm) 8250 bpf_error("'llc' supported only on raw ATM"); 8251 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8252 is_lane = 0; 8253 break; 8254 8255 default: 8256 abort(); 8257 } 8258 return b1; 8259 } 8260 8261 /* 8262 * Filtering for MTP2 messages based on li value 8263 * FISU, length is null 8264 * LSSU, length is 1 or 2 8265 * MSU, length is 3 or more 8266 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8267 */ 8268 struct block * 8269 gen_mtp2type_abbrev(type) 8270 int type; 8271 { 8272 struct block *b0, *b1; 8273 8274 switch (type) { 8275 8276 case M_FISU: 8277 if ( (linktype != DLT_MTP2) && 8278 (linktype != DLT_ERF) && 8279 (linktype != DLT_MTP2_WITH_PHDR) ) 8280 bpf_error("'fisu' supported only on MTP2"); 8281 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8282 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8283 break; 8284 8285 case M_LSSU: 8286 if ( (linktype != DLT_MTP2) && 8287 (linktype != DLT_ERF) && 8288 (linktype != DLT_MTP2_WITH_PHDR) ) 8289 bpf_error("'lssu' supported only on MTP2"); 8290 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8291 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8292 gen_and(b1, b0); 8293 break; 8294 8295 case M_MSU: 8296 if ( (linktype != DLT_MTP2) && 8297 (linktype != DLT_ERF) && 8298 (linktype != DLT_MTP2_WITH_PHDR) ) 8299 bpf_error("'msu' supported only on MTP2"); 8300 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8301 break; 8302 8303 case MH_FISU: 8304 if ( (linktype != DLT_MTP2) && 8305 (linktype != DLT_ERF) && 8306 (linktype != DLT_MTP2_WITH_PHDR) ) 8307 bpf_error("'hfisu' supported only on MTP2_HSL"); 8308 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8309 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8310 break; 8311 8312 case MH_LSSU: 8313 if ( (linktype != DLT_MTP2) && 8314 (linktype != DLT_ERF) && 8315 (linktype != DLT_MTP2_WITH_PHDR) ) 8316 bpf_error("'hlssu' supported only on MTP2_HSL"); 8317 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8318 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8319 gen_and(b1, b0); 8320 break; 8321 8322 case MH_MSU: 8323 if ( (linktype != DLT_MTP2) && 8324 (linktype != DLT_ERF) && 8325 (linktype != DLT_MTP2_WITH_PHDR) ) 8326 bpf_error("'hmsu' supported only on MTP2_HSL"); 8327 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8328 break; 8329 8330 default: 8331 abort(); 8332 } 8333 return b0; 8334 } 8335 8336 struct block * 8337 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8338 int mtp3field; 8339 bpf_u_int32 jvalue; 8340 bpf_u_int32 jtype; 8341 int reverse; 8342 { 8343 struct block *b0; 8344 bpf_u_int32 val1 , val2 , val3; 8345 u_int newoff_sio=off_sio; 8346 u_int newoff_opc=off_opc; 8347 u_int newoff_dpc=off_dpc; 8348 u_int newoff_sls=off_sls; 8349 8350 switch (mtp3field) { 8351 8352 case MH_SIO: 8353 newoff_sio += 3; /* offset for MTP2_HSL */ 8354 /* FALLTHROUGH */ 8355 8356 case M_SIO: 8357 if (off_sio == (u_int)-1) 8358 bpf_error("'sio' supported only on SS7"); 8359 /* sio coded on 1 byte so max value 255 */ 8360 if(jvalue > 255) 8361 bpf_error("sio value %u too big; max value = 255", 8362 jvalue); 8363 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8364 (u_int)jtype, reverse, (u_int)jvalue); 8365 break; 8366 8367 case MH_OPC: 8368 newoff_opc+=3; 8369 case M_OPC: 8370 if (off_opc == (u_int)-1) 8371 bpf_error("'opc' supported only on SS7"); 8372 /* opc coded on 14 bits so max value 16383 */ 8373 if (jvalue > 16383) 8374 bpf_error("opc value %u too big; max value = 16383", 8375 jvalue); 8376 /* the following instructions are made to convert jvalue 8377 * to the form used to write opc in an ss7 message*/ 8378 val1 = jvalue & 0x00003c00; 8379 val1 = val1 >>10; 8380 val2 = jvalue & 0x000003fc; 8381 val2 = val2 <<6; 8382 val3 = jvalue & 0x00000003; 8383 val3 = val3 <<22; 8384 jvalue = val1 + val2 + val3; 8385 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8386 (u_int)jtype, reverse, (u_int)jvalue); 8387 break; 8388 8389 case MH_DPC: 8390 newoff_dpc += 3; 8391 /* FALLTHROUGH */ 8392 8393 case M_DPC: 8394 if (off_dpc == (u_int)-1) 8395 bpf_error("'dpc' supported only on SS7"); 8396 /* dpc coded on 14 bits so max value 16383 */ 8397 if (jvalue > 16383) 8398 bpf_error("dpc value %u too big; max value = 16383", 8399 jvalue); 8400 /* the following instructions are made to convert jvalue 8401 * to the forme used to write dpc in an ss7 message*/ 8402 val1 = jvalue & 0x000000ff; 8403 val1 = val1 << 24; 8404 val2 = jvalue & 0x00003f00; 8405 val2 = val2 << 8; 8406 jvalue = val1 + val2; 8407 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8408 (u_int)jtype, reverse, (u_int)jvalue); 8409 break; 8410 8411 case MH_SLS: 8412 newoff_sls+=3; 8413 case M_SLS: 8414 if (off_sls == (u_int)-1) 8415 bpf_error("'sls' supported only on SS7"); 8416 /* sls coded on 4 bits so max value 15 */ 8417 if (jvalue > 15) 8418 bpf_error("sls value %u too big; max value = 15", 8419 jvalue); 8420 /* the following instruction is made to convert jvalue 8421 * to the forme used to write sls in an ss7 message*/ 8422 jvalue = jvalue << 4; 8423 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0, 8424 (u_int)jtype,reverse, (u_int)jvalue); 8425 break; 8426 8427 default: 8428 abort(); 8429 } 8430 return b0; 8431 } 8432 8433 static struct block * 8434 gen_msg_abbrev(type) 8435 int type; 8436 { 8437 struct block *b1; 8438 8439 /* 8440 * Q.2931 signalling protocol messages for handling virtual circuits 8441 * establishment and teardown 8442 */ 8443 switch (type) { 8444 8445 case A_SETUP: 8446 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8447 break; 8448 8449 case A_CALLPROCEED: 8450 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8451 break; 8452 8453 case A_CONNECT: 8454 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8455 break; 8456 8457 case A_CONNECTACK: 8458 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8459 break; 8460 8461 case A_RELEASE: 8462 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8463 break; 8464 8465 case A_RELEASE_DONE: 8466 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8467 break; 8468 8469 default: 8470 abort(); 8471 } 8472 return b1; 8473 } 8474 8475 struct block * 8476 gen_atmmulti_abbrev(type) 8477 int type; 8478 { 8479 struct block *b0, *b1; 8480 8481 switch (type) { 8482 8483 case A_OAM: 8484 if (!is_atm) 8485 bpf_error("'oam' supported only on raw ATM"); 8486 b1 = gen_atmmulti_abbrev(A_OAMF4); 8487 break; 8488 8489 case A_OAMF4: 8490 if (!is_atm) 8491 bpf_error("'oamf4' supported only on raw ATM"); 8492 /* OAM F4 type */ 8493 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8494 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8495 gen_or(b0, b1); 8496 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8497 gen_and(b0, b1); 8498 break; 8499 8500 case A_CONNECTMSG: 8501 /* 8502 * Get Q.2931 signalling messages for switched 8503 * virtual connection 8504 */ 8505 if (!is_atm) 8506 bpf_error("'connectmsg' supported only on raw ATM"); 8507 b0 = gen_msg_abbrev(A_SETUP); 8508 b1 = gen_msg_abbrev(A_CALLPROCEED); 8509 gen_or(b0, b1); 8510 b0 = gen_msg_abbrev(A_CONNECT); 8511 gen_or(b0, b1); 8512 b0 = gen_msg_abbrev(A_CONNECTACK); 8513 gen_or(b0, b1); 8514 b0 = gen_msg_abbrev(A_RELEASE); 8515 gen_or(b0, b1); 8516 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8517 gen_or(b0, b1); 8518 b0 = gen_atmtype_abbrev(A_SC); 8519 gen_and(b0, b1); 8520 break; 8521 8522 case A_METACONNECT: 8523 if (!is_atm) 8524 bpf_error("'metaconnect' supported only on raw ATM"); 8525 b0 = gen_msg_abbrev(A_SETUP); 8526 b1 = gen_msg_abbrev(A_CALLPROCEED); 8527 gen_or(b0, b1); 8528 b0 = gen_msg_abbrev(A_CONNECT); 8529 gen_or(b0, b1); 8530 b0 = gen_msg_abbrev(A_RELEASE); 8531 gen_or(b0, b1); 8532 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8533 gen_or(b0, b1); 8534 b0 = gen_atmtype_abbrev(A_METAC); 8535 gen_and(b0, b1); 8536 break; 8537 8538 default: 8539 abort(); 8540 } 8541 return b1; 8542 } 8543