1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #if HAVE_INTTYPES_H 35 #include <inttypes.h> 36 #elif HAVE_STDINT_H 37 #include <stdint.h> 38 #endif 39 #ifdef HAVE_SYS_BITYPES_H 40 #include <sys/bitypes.h> 41 #endif 42 #include <sys/types.h> 43 #include <sys/socket.h> 44 #endif /* WIN32 */ 45 46 /* 47 * XXX - why was this included even on UNIX? 48 */ 49 #ifdef __MINGW32__ 50 #include "IP6_misc.h" 51 #endif 52 53 #ifndef WIN32 54 55 #ifdef __NetBSD__ 56 #include <sys/param.h> 57 #include <net/dlt.h> 58 #endif 59 60 #include <netinet/in.h> 61 #include <arpa/inet.h> 62 63 #endif /* WIN32 */ 64 65 #include <stdlib.h> 66 #include <string.h> 67 #include <memory.h> 68 #include <setjmp.h> 69 #include <stdarg.h> 70 71 #ifdef MSDOS 72 #include "pcap-dos.h" 73 #endif 74 75 #include "pcap-int.h" 76 77 #include "ethertype.h" 78 #include "nlpid.h" 79 #include "llc.h" 80 #include "gencode.h" 81 #include "ieee80211.h" 82 #include "atmuni31.h" 83 #include "sunatmpos.h" 84 #include "ppp.h" 85 #include "pcap/sll.h" 86 #include "pcap/ipnet.h" 87 #include "arcnet.h" 88 #ifdef HAVE_NET_PFVAR_H 89 #include <sys/socket.h> 90 #include <net/if.h> 91 #include <net/pfvar.h> 92 #include <net/if_pflog.h> 93 #endif 94 #ifndef offsetof 95 #define offsetof(s, e) ((size_t)&((s *)0)->e) 96 #endif 97 #ifdef INET6 98 #ifndef WIN32 99 #include <netdb.h> /* for "struct addrinfo" */ 100 #endif /* WIN32 */ 101 #endif /*INET6*/ 102 #include <pcap/namedb.h> 103 104 #define ETHERMTU 1500 105 106 #ifndef IPPROTO_SCTP 107 #define IPPROTO_SCTP 132 108 #endif 109 110 #ifdef HAVE_OS_PROTO_H 111 #include "os-proto.h" 112 #endif 113 114 #define JMP(c) ((c)|BPF_JMP|BPF_K) 115 116 /* Locals */ 117 static jmp_buf top_ctx; 118 static pcap_t *bpf_pcap; 119 120 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 121 #ifdef WIN32 122 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 123 #else 124 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 125 #endif 126 127 /* XXX */ 128 #ifdef PCAP_FDDIPAD 129 static int pcap_fddipad; 130 #endif 131 132 /* VARARGS */ 133 void 134 bpf_error(const char *fmt, ...) 135 { 136 va_list ap; 137 138 va_start(ap, fmt); 139 if (bpf_pcap != NULL) 140 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 141 fmt, ap); 142 va_end(ap); 143 longjmp(top_ctx, 1); 144 /* NOTREACHED */ 145 } 146 147 static void init_linktype(pcap_t *); 148 149 static void init_regs(void); 150 static int alloc_reg(void); 151 static void free_reg(int); 152 153 static struct block *root; 154 155 /* 156 * Value passed to gen_load_a() to indicate what the offset argument 157 * is relative to. 158 */ 159 enum e_offrel { 160 OR_PACKET, /* relative to the beginning of the packet */ 161 OR_LINK, /* relative to the beginning of the link-layer header */ 162 OR_MACPL, /* relative to the end of the MAC-layer header */ 163 OR_NET, /* relative to the network-layer header */ 164 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 165 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 166 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 167 }; 168 169 #ifdef INET6 170 /* 171 * As errors are handled by a longjmp, anything allocated must be freed 172 * in the longjmp handler, so it must be reachable from that handler. 173 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 174 * it must be freed with freeaddrinfo(). This variable points to any 175 * addrinfo structure that would need to be freed. 176 */ 177 static struct addrinfo *ai; 178 #endif 179 180 /* 181 * We divy out chunks of memory rather than call malloc each time so 182 * we don't have to worry about leaking memory. It's probably 183 * not a big deal if all this memory was wasted but if this ever 184 * goes into a library that would probably not be a good idea. 185 * 186 * XXX - this *is* in a library.... 187 */ 188 #define NCHUNKS 16 189 #define CHUNK0SIZE 1024 190 struct chunk { 191 u_int n_left; 192 void *m; 193 }; 194 195 static struct chunk chunks[NCHUNKS]; 196 static int cur_chunk; 197 198 static void *newchunk(u_int); 199 static void freechunks(void); 200 static inline struct block *new_block(int); 201 static inline struct slist *new_stmt(int); 202 static struct block *gen_retblk(int); 203 static inline void syntax(void); 204 205 static void backpatch(struct block *, struct block *); 206 static void merge(struct block *, struct block *); 207 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 208 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 209 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 210 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 211 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 212 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 213 bpf_u_int32); 214 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 215 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 216 bpf_u_int32, bpf_u_int32, int, bpf_int32); 217 static struct slist *gen_load_llrel(u_int, u_int); 218 static struct slist *gen_load_macplrel(u_int, u_int); 219 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 220 static struct slist *gen_loadx_iphdrlen(void); 221 static struct block *gen_uncond(int); 222 static inline struct block *gen_true(void); 223 static inline struct block *gen_false(void); 224 static struct block *gen_ether_linktype(int); 225 static struct block *gen_ipnet_linktype(int); 226 static struct block *gen_linux_sll_linktype(int); 227 static struct slist *gen_load_prism_llprefixlen(void); 228 static struct slist *gen_load_avs_llprefixlen(void); 229 static struct slist *gen_load_radiotap_llprefixlen(void); 230 static struct slist *gen_load_ppi_llprefixlen(void); 231 static void insert_compute_vloffsets(struct block *); 232 static struct slist *gen_llprefixlen(void); 233 static struct slist *gen_off_macpl(void); 234 static int ethertype_to_ppptype(int); 235 static struct block *gen_linktype(int); 236 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 237 static struct block *gen_llc_linktype(int); 238 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 239 #ifdef INET6 240 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 241 #endif 242 static struct block *gen_ahostop(const u_char *, int); 243 static struct block *gen_ehostop(const u_char *, int); 244 static struct block *gen_fhostop(const u_char *, int); 245 static struct block *gen_thostop(const u_char *, int); 246 static struct block *gen_wlanhostop(const u_char *, int); 247 static struct block *gen_ipfchostop(const u_char *, int); 248 static struct block *gen_dnhostop(bpf_u_int32, int); 249 static struct block *gen_mpls_linktype(int); 250 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 251 #ifdef INET6 252 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 253 #endif 254 #ifndef INET6 255 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 256 #endif 257 static struct block *gen_ipfrag(void); 258 static struct block *gen_portatom(int, bpf_int32); 259 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 260 #ifdef INET6 261 static struct block *gen_portatom6(int, bpf_int32); 262 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 263 #endif 264 struct block *gen_portop(int, int, int); 265 static struct block *gen_port(int, int, int); 266 struct block *gen_portrangeop(int, int, int, int); 267 static struct block *gen_portrange(int, int, int, int); 268 #ifdef INET6 269 struct block *gen_portop6(int, int, int); 270 static struct block *gen_port6(int, int, int); 271 struct block *gen_portrangeop6(int, int, int, int); 272 static struct block *gen_portrange6(int, int, int, int); 273 #endif 274 static int lookup_proto(const char *, int); 275 static struct block *gen_protochain(int, int, int); 276 static struct block *gen_proto(int, int, int); 277 static struct slist *xfer_to_x(struct arth *); 278 static struct slist *xfer_to_a(struct arth *); 279 static struct block *gen_mac_multicast(int); 280 static struct block *gen_len(int, int); 281 static struct block *gen_check_802_11_data_frame(void); 282 283 static struct block *gen_ppi_dlt_check(void); 284 static struct block *gen_msg_abbrev(int type); 285 286 static void * 287 newchunk(n) 288 u_int n; 289 { 290 struct chunk *cp; 291 int k; 292 size_t size; 293 294 #ifndef __NetBSD__ 295 /* XXX Round up to nearest long. */ 296 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 297 #else 298 /* XXX Round up to structure boundary. */ 299 n = ALIGN(n); 300 #endif 301 302 cp = &chunks[cur_chunk]; 303 if (n > cp->n_left) { 304 ++cp, k = ++cur_chunk; 305 if (k >= NCHUNKS) 306 bpf_error("out of memory"); 307 size = CHUNK0SIZE << k; 308 cp->m = (void *)malloc(size); 309 if (cp->m == NULL) 310 bpf_error("out of memory"); 311 memset((char *)cp->m, 0, size); 312 cp->n_left = size; 313 if (n > size) 314 bpf_error("out of memory"); 315 } 316 cp->n_left -= n; 317 return (void *)((char *)cp->m + cp->n_left); 318 } 319 320 static void 321 freechunks() 322 { 323 int i; 324 325 cur_chunk = 0; 326 for (i = 0; i < NCHUNKS; ++i) 327 if (chunks[i].m != NULL) { 328 free(chunks[i].m); 329 chunks[i].m = NULL; 330 } 331 } 332 333 /* 334 * A strdup whose allocations are freed after code generation is over. 335 */ 336 char * 337 sdup(s) 338 register const char *s; 339 { 340 int n = strlen(s) + 1; 341 char *cp = newchunk(n); 342 343 strlcpy(cp, s, n); 344 return (cp); 345 } 346 347 static inline struct block * 348 new_block(code) 349 int code; 350 { 351 struct block *p; 352 353 p = (struct block *)newchunk(sizeof(*p)); 354 p->s.code = code; 355 p->head = p; 356 357 return p; 358 } 359 360 static inline struct slist * 361 new_stmt(code) 362 int code; 363 { 364 struct slist *p; 365 366 p = (struct slist *)newchunk(sizeof(*p)); 367 p->s.code = code; 368 369 return p; 370 } 371 372 static struct block * 373 gen_retblk(v) 374 int v; 375 { 376 struct block *b = new_block(BPF_RET|BPF_K); 377 378 b->s.k = v; 379 return b; 380 } 381 382 __dead static inline void 383 syntax(void) 384 { 385 bpf_error("syntax error in filter expression"); 386 } 387 388 static bpf_u_int32 netmask; 389 static int snaplen; 390 int no_optimize; 391 #ifdef WIN32 392 static int 393 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 394 const char *buf, int optimize, bpf_u_int32 mask); 395 396 int 397 pcap_compile(pcap_t *p, struct bpf_program *program, 398 const char *buf, int optimize, bpf_u_int32 mask) 399 { 400 int result; 401 402 EnterCriticalSection(&g_PcapCompileCriticalSection); 403 404 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 405 406 LeaveCriticalSection(&g_PcapCompileCriticalSection); 407 408 return result; 409 } 410 411 static int 412 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 413 const char *buf, int optimize, bpf_u_int32 mask) 414 #else /* WIN32 */ 415 int 416 pcap_compile(pcap_t *p, struct bpf_program *program, 417 const char *buf, int optimize, bpf_u_int32 mask) 418 #endif /* WIN32 */ 419 { 420 extern int n_errors; 421 const char * volatile xbuf = buf; 422 int len; 423 424 no_optimize = 0; 425 n_errors = 0; 426 root = NULL; 427 bpf_pcap = p; 428 init_regs(); 429 if (setjmp(top_ctx)) { 430 #ifdef INET6 431 if (ai != NULL) { 432 freeaddrinfo(ai); 433 ai = NULL; 434 } 435 #endif 436 lex_cleanup(); 437 freechunks(); 438 return (-1); 439 } 440 441 netmask = mask; 442 443 snaplen = pcap_snapshot(p); 444 if (snaplen == 0) { 445 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 446 "snaplen of 0 rejects all packets"); 447 return -1; 448 } 449 450 lex_init(xbuf ? xbuf : ""); 451 init_linktype(p); 452 (void)pcap_parse(); 453 454 if (n_errors) 455 syntax(); 456 457 if (root == NULL) 458 root = gen_retblk(snaplen); 459 460 if (optimize && !no_optimize) { 461 bpf_optimize(&root); 462 if (root == NULL || 463 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 464 bpf_error("expression rejects all packets"); 465 } 466 program->bf_insns = icode_to_fcode(root, &len); 467 program->bf_len = len; 468 469 lex_cleanup(); 470 freechunks(); 471 return (0); 472 } 473 474 /* 475 * entry point for using the compiler with no pcap open 476 * pass in all the stuff that is needed explicitly instead. 477 */ 478 int 479 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 480 struct bpf_program *program, 481 const char *buf, int optimize, bpf_u_int32 mask) 482 { 483 pcap_t *p; 484 int ret; 485 486 p = pcap_open_dead(linktype_arg, snaplen_arg); 487 if (p == NULL) 488 return (-1); 489 ret = pcap_compile(p, program, buf, optimize, mask); 490 pcap_close(p); 491 return (ret); 492 } 493 494 /* 495 * Clean up a "struct bpf_program" by freeing all the memory allocated 496 * in it. 497 */ 498 void 499 pcap_freecode(struct bpf_program *program) 500 { 501 program->bf_len = 0; 502 if (program->bf_insns != NULL) { 503 free((char *)program->bf_insns); 504 program->bf_insns = NULL; 505 } 506 } 507 508 /* 509 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 510 * which of the jt and jf fields has been resolved and which is a pointer 511 * back to another unresolved block (or nil). At least one of the fields 512 * in each block is already resolved. 513 */ 514 static void 515 backpatch(list, target) 516 struct block *list, *target; 517 { 518 struct block *next; 519 520 while (list) { 521 if (!list->sense) { 522 next = JT(list); 523 JT(list) = target; 524 } else { 525 next = JF(list); 526 JF(list) = target; 527 } 528 list = next; 529 } 530 } 531 532 /* 533 * Merge the lists in b0 and b1, using the 'sense' field to indicate 534 * which of jt and jf is the link. 535 */ 536 static void 537 merge(b0, b1) 538 struct block *b0, *b1; 539 { 540 register struct block **p = &b0; 541 542 /* Find end of list. */ 543 while (*p) 544 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 545 546 /* Concatenate the lists. */ 547 *p = b1; 548 } 549 550 void 551 finish_parse(p) 552 struct block *p; 553 { 554 struct block *ppi_dlt_check; 555 556 /* 557 * Insert before the statements of the first (root) block any 558 * statements needed to load the lengths of any variable-length 559 * headers into registers. 560 * 561 * XXX - a fancier strategy would be to insert those before the 562 * statements of all blocks that use those lengths and that 563 * have no predecessors that use them, so that we only compute 564 * the lengths if we need them. There might be even better 565 * approaches than that. 566 * 567 * However, those strategies would be more complicated, and 568 * as we don't generate code to compute a length if the 569 * program has no tests that use the length, and as most 570 * tests will probably use those lengths, we would just 571 * postpone computing the lengths so that it's not done 572 * for tests that fail early, and it's not clear that's 573 * worth the effort. 574 */ 575 insert_compute_vloffsets(p->head); 576 577 /* 578 * For DLT_PPI captures, generate a check of the per-packet 579 * DLT value to make sure it's DLT_IEEE802_11. 580 */ 581 ppi_dlt_check = gen_ppi_dlt_check(); 582 if (ppi_dlt_check != NULL) 583 gen_and(ppi_dlt_check, p); 584 585 backpatch(p, gen_retblk(snaplen)); 586 p->sense = !p->sense; 587 backpatch(p, gen_retblk(0)); 588 root = p->head; 589 } 590 591 void 592 gen_and(b0, b1) 593 struct block *b0, *b1; 594 { 595 backpatch(b0, b1->head); 596 b0->sense = !b0->sense; 597 b1->sense = !b1->sense; 598 merge(b1, b0); 599 b1->sense = !b1->sense; 600 b1->head = b0->head; 601 } 602 603 void 604 gen_or(b0, b1) 605 struct block *b0, *b1; 606 { 607 b0->sense = !b0->sense; 608 backpatch(b0, b1->head); 609 b0->sense = !b0->sense; 610 merge(b1, b0); 611 b1->head = b0->head; 612 } 613 614 void 615 gen_not(b) 616 struct block *b; 617 { 618 b->sense = !b->sense; 619 } 620 621 static struct block * 622 gen_cmp(offrel, offset, size, v) 623 enum e_offrel offrel; 624 u_int offset, size; 625 bpf_int32 v; 626 { 627 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 628 } 629 630 static struct block * 631 gen_cmp_gt(offrel, offset, size, v) 632 enum e_offrel offrel; 633 u_int offset, size; 634 bpf_int32 v; 635 { 636 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 637 } 638 639 static struct block * 640 gen_cmp_ge(offrel, offset, size, v) 641 enum e_offrel offrel; 642 u_int offset, size; 643 bpf_int32 v; 644 { 645 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 646 } 647 648 static struct block * 649 gen_cmp_lt(offrel, offset, size, v) 650 enum e_offrel offrel; 651 u_int offset, size; 652 bpf_int32 v; 653 { 654 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 655 } 656 657 static struct block * 658 gen_cmp_le(offrel, offset, size, v) 659 enum e_offrel offrel; 660 u_int offset, size; 661 bpf_int32 v; 662 { 663 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 664 } 665 666 static struct block * 667 gen_mcmp(offrel, offset, size, v, mask) 668 enum e_offrel offrel; 669 u_int offset, size; 670 bpf_int32 v; 671 bpf_u_int32 mask; 672 { 673 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 674 } 675 676 static struct block * 677 gen_bcmp(offrel, offset, size, v) 678 enum e_offrel offrel; 679 register u_int offset, size; 680 register const u_char *v; 681 { 682 register struct block *b, *tmp; 683 684 b = NULL; 685 while (size >= 4) { 686 register const u_char *p = &v[size - 4]; 687 bpf_int32 w = ((bpf_int32)p[0] << 24) | 688 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 689 690 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 691 if (b != NULL) 692 gen_and(b, tmp); 693 b = tmp; 694 size -= 4; 695 } 696 while (size >= 2) { 697 register const u_char *p = &v[size - 2]; 698 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 699 700 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 701 if (b != NULL) 702 gen_and(b, tmp); 703 b = tmp; 704 size -= 2; 705 } 706 if (size > 0) { 707 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 708 if (b != NULL) 709 gen_and(b, tmp); 710 b = tmp; 711 } 712 return b; 713 } 714 715 /* 716 * AND the field of size "size" at offset "offset" relative to the header 717 * specified by "offrel" with "mask", and compare it with the value "v" 718 * with the test specified by "jtype"; if "reverse" is true, the test 719 * should test the opposite of "jtype". 720 */ 721 static struct block * 722 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 723 enum e_offrel offrel; 724 bpf_int32 v; 725 bpf_u_int32 offset, size, mask, jtype; 726 int reverse; 727 { 728 struct slist *s, *s2; 729 struct block *b; 730 731 s = gen_load_a(offrel, offset, size); 732 733 if (mask != 0xffffffff) { 734 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 735 s2->s.k = mask; 736 sappend(s, s2); 737 } 738 739 b = new_block(JMP(jtype)); 740 b->stmts = s; 741 b->s.k = v; 742 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 743 gen_not(b); 744 return b; 745 } 746 747 /* 748 * Various code constructs need to know the layout of the data link 749 * layer. These variables give the necessary offsets from the beginning 750 * of the packet data. 751 */ 752 753 /* 754 * This is the offset of the beginning of the link-layer header from 755 * the beginning of the raw packet data. 756 * 757 * It's usually 0, except for 802.11 with a fixed-length radio header. 758 * (For 802.11 with a variable-length radio header, we have to generate 759 * code to compute that offset; off_ll is 0 in that case.) 760 */ 761 static u_int off_ll; 762 763 /* 764 * If there's a variable-length header preceding the link-layer header, 765 * "reg_off_ll" is the register number for a register containing the 766 * length of that header, and therefore the offset of the link-layer 767 * header from the beginning of the raw packet data. Otherwise, 768 * "reg_off_ll" is -1. 769 */ 770 static int reg_off_ll; 771 772 /* 773 * This is the offset of the beginning of the MAC-layer header from 774 * the beginning of the link-layer header. 775 * It's usually 0, except for ATM LANE, where it's the offset, relative 776 * to the beginning of the raw packet data, of the Ethernet header. 777 */ 778 static u_int off_mac; 779 780 /* 781 * This is the offset of the beginning of the MAC-layer payload, 782 * from the beginning of the raw packet data. 783 * 784 * I.e., it's the sum of the length of the link-layer header (without, 785 * for example, any 802.2 LLC header, so it's the MAC-layer 786 * portion of that header), plus any prefix preceding the 787 * link-layer header. 788 */ 789 static u_int off_macpl; 790 791 /* 792 * This is 1 if the offset of the beginning of the MAC-layer payload 793 * from the beginning of the link-layer header is variable-length. 794 */ 795 static int off_macpl_is_variable; 796 797 /* 798 * If the link layer has variable_length headers, "reg_off_macpl" 799 * is the register number for a register containing the length of the 800 * link-layer header plus the length of any variable-length header 801 * preceding the link-layer header. Otherwise, "reg_off_macpl" 802 * is -1. 803 */ 804 static int reg_off_macpl; 805 806 /* 807 * "off_linktype" is the offset to information in the link-layer header 808 * giving the packet type. This offset is relative to the beginning 809 * of the link-layer header (i.e., it doesn't include off_ll). 810 * 811 * For Ethernet, it's the offset of the Ethernet type field. 812 * 813 * For link-layer types that always use 802.2 headers, it's the 814 * offset of the LLC header. 815 * 816 * For PPP, it's the offset of the PPP type field. 817 * 818 * For Cisco HDLC, it's the offset of the CHDLC type field. 819 * 820 * For BSD loopback, it's the offset of the AF_ value. 821 * 822 * For Linux cooked sockets, it's the offset of the type field. 823 * 824 * It's set to -1 for no encapsulation, in which case, IP is assumed. 825 */ 826 static u_int off_linktype; 827 828 /* 829 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 830 * checks to check the PPP header, assumed to follow a LAN-style link- 831 * layer header and a PPPoE session header. 832 */ 833 static int is_pppoes = 0; 834 835 /* 836 * TRUE if the link layer includes an ATM pseudo-header. 837 */ 838 static int is_atm = 0; 839 840 /* 841 * TRUE if "lane" appeared in the filter; it causes us to generate 842 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 843 */ 844 static int is_lane = 0; 845 846 /* 847 * These are offsets for the ATM pseudo-header. 848 */ 849 static u_int off_vpi; 850 static u_int off_vci; 851 static u_int off_proto; 852 853 /* 854 * These are offsets for the MTP2 fields. 855 */ 856 static u_int off_li; 857 858 /* 859 * These are offsets for the MTP3 fields. 860 */ 861 static u_int off_sio; 862 static u_int off_opc; 863 static u_int off_dpc; 864 static u_int off_sls; 865 866 /* 867 * This is the offset of the first byte after the ATM pseudo_header, 868 * or -1 if there is no ATM pseudo-header. 869 */ 870 static u_int off_payload; 871 872 /* 873 * These are offsets to the beginning of the network-layer header. 874 * They are relative to the beginning of the MAC-layer payload (i.e., 875 * they don't include off_ll or off_macpl). 876 * 877 * If the link layer never uses 802.2 LLC: 878 * 879 * "off_nl" and "off_nl_nosnap" are the same. 880 * 881 * If the link layer always uses 802.2 LLC: 882 * 883 * "off_nl" is the offset if there's a SNAP header following 884 * the 802.2 header; 885 * 886 * "off_nl_nosnap" is the offset if there's no SNAP header. 887 * 888 * If the link layer is Ethernet: 889 * 890 * "off_nl" is the offset if the packet is an Ethernet II packet 891 * (we assume no 802.3+802.2+SNAP); 892 * 893 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 894 * with an 802.2 header following it. 895 */ 896 static u_int off_nl; 897 static u_int off_nl_nosnap; 898 899 static int linktype; 900 901 static void 902 init_linktype(p) 903 pcap_t *p; 904 { 905 linktype = pcap_datalink(p); 906 #ifdef PCAP_FDDIPAD 907 pcap_fddipad = p->fddipad; 908 #endif 909 910 /* 911 * Assume it's not raw ATM with a pseudo-header, for now. 912 */ 913 off_mac = 0; 914 is_atm = 0; 915 is_lane = 0; 916 off_vpi = -1; 917 off_vci = -1; 918 off_proto = -1; 919 off_payload = -1; 920 921 /* 922 * And that we're not doing PPPoE. 923 */ 924 is_pppoes = 0; 925 926 /* 927 * And assume we're not doing SS7. 928 */ 929 off_li = -1; 930 off_sio = -1; 931 off_opc = -1; 932 off_dpc = -1; 933 off_sls = -1; 934 935 /* 936 * Also assume it's not 802.11. 937 */ 938 off_ll = 0; 939 off_macpl = 0; 940 off_macpl_is_variable = 0; 941 942 orig_linktype = -1; 943 orig_nl = -1; 944 label_stack_depth = 0; 945 946 reg_off_ll = -1; 947 reg_off_macpl = -1; 948 949 switch (linktype) { 950 951 case DLT_ARCNET: 952 off_linktype = 2; 953 off_macpl = 6; 954 off_nl = 0; /* XXX in reality, variable! */ 955 off_nl_nosnap = 0; /* no 802.2 LLC */ 956 return; 957 958 case DLT_ARCNET_LINUX: 959 off_linktype = 4; 960 off_macpl = 8; 961 off_nl = 0; /* XXX in reality, variable! */ 962 off_nl_nosnap = 0; /* no 802.2 LLC */ 963 return; 964 965 case DLT_EN10MB: 966 off_linktype = 12; 967 off_macpl = 14; /* Ethernet header length */ 968 off_nl = 0; /* Ethernet II */ 969 off_nl_nosnap = 3; /* 802.3+802.2 */ 970 return; 971 972 case DLT_SLIP: 973 /* 974 * SLIP doesn't have a link level type. The 16 byte 975 * header is hacked into our SLIP driver. 976 */ 977 off_linktype = -1; 978 off_macpl = 16; 979 off_nl = 0; 980 off_nl_nosnap = 0; /* no 802.2 LLC */ 981 return; 982 983 case DLT_SLIP_BSDOS: 984 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 985 off_linktype = -1; 986 /* XXX end */ 987 off_macpl = 24; 988 off_nl = 0; 989 off_nl_nosnap = 0; /* no 802.2 LLC */ 990 return; 991 992 case DLT_NULL: 993 case DLT_LOOP: 994 off_linktype = 0; 995 off_macpl = 4; 996 off_nl = 0; 997 off_nl_nosnap = 0; /* no 802.2 LLC */ 998 return; 999 1000 case DLT_ENC: 1001 off_linktype = 0; 1002 off_macpl = 12; 1003 off_nl = 0; 1004 off_nl_nosnap = 0; /* no 802.2 LLC */ 1005 return; 1006 1007 case DLT_PPP: 1008 case DLT_PPP_PPPD: 1009 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1010 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1011 off_linktype = 2; 1012 off_macpl = 4; 1013 off_nl = 0; 1014 off_nl_nosnap = 0; /* no 802.2 LLC */ 1015 return; 1016 1017 case DLT_PPP_ETHER: 1018 /* 1019 * This does no include the Ethernet header, and 1020 * only covers session state. 1021 */ 1022 off_linktype = 6; 1023 off_macpl = 8; 1024 off_nl = 0; 1025 off_nl_nosnap = 0; /* no 802.2 LLC */ 1026 return; 1027 1028 case DLT_PPP_BSDOS: 1029 off_linktype = 5; 1030 off_macpl = 24; 1031 off_nl = 0; 1032 off_nl_nosnap = 0; /* no 802.2 LLC */ 1033 return; 1034 1035 case DLT_FDDI: 1036 /* 1037 * FDDI doesn't really have a link-level type field. 1038 * We set "off_linktype" to the offset of the LLC header. 1039 * 1040 * To check for Ethernet types, we assume that SSAP = SNAP 1041 * is being used and pick out the encapsulated Ethernet type. 1042 * XXX - should we generate code to check for SNAP? 1043 */ 1044 off_linktype = 13; 1045 #ifdef PCAP_FDDIPAD 1046 off_linktype += pcap_fddipad; 1047 #endif 1048 off_macpl = 13; /* FDDI MAC header length */ 1049 #ifdef PCAP_FDDIPAD 1050 off_macpl += pcap_fddipad; 1051 #endif 1052 off_nl = 8; /* 802.2+SNAP */ 1053 off_nl_nosnap = 3; /* 802.2 */ 1054 return; 1055 1056 case DLT_IEEE802: 1057 /* 1058 * Token Ring doesn't really have a link-level type field. 1059 * We set "off_linktype" to the offset of the LLC header. 1060 * 1061 * To check for Ethernet types, we assume that SSAP = SNAP 1062 * is being used and pick out the encapsulated Ethernet type. 1063 * XXX - should we generate code to check for SNAP? 1064 * 1065 * XXX - the header is actually variable-length. 1066 * Some various Linux patched versions gave 38 1067 * as "off_linktype" and 40 as "off_nl"; however, 1068 * if a token ring packet has *no* routing 1069 * information, i.e. is not source-routed, the correct 1070 * values are 20 and 22, as they are in the vanilla code. 1071 * 1072 * A packet is source-routed iff the uppermost bit 1073 * of the first byte of the source address, at an 1074 * offset of 8, has the uppermost bit set. If the 1075 * packet is source-routed, the total number of bytes 1076 * of routing information is 2 plus bits 0x1F00 of 1077 * the 16-bit value at an offset of 14 (shifted right 1078 * 8 - figure out which byte that is). 1079 */ 1080 off_linktype = 14; 1081 off_macpl = 14; /* Token Ring MAC header length */ 1082 off_nl = 8; /* 802.2+SNAP */ 1083 off_nl_nosnap = 3; /* 802.2 */ 1084 return; 1085 1086 case DLT_IEEE802_11: 1087 case DLT_PRISM_HEADER: 1088 case DLT_IEEE802_11_RADIO_AVS: 1089 case DLT_IEEE802_11_RADIO: 1090 /* 1091 * 802.11 doesn't really have a link-level type field. 1092 * We set "off_linktype" to the offset of the LLC header. 1093 * 1094 * To check for Ethernet types, we assume that SSAP = SNAP 1095 * is being used and pick out the encapsulated Ethernet type. 1096 * XXX - should we generate code to check for SNAP? 1097 * 1098 * We also handle variable-length radio headers here. 1099 * The Prism header is in theory variable-length, but in 1100 * practice it's always 144 bytes long. However, some 1101 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1102 * sometimes or always supply an AVS header, so we 1103 * have to check whether the radio header is a Prism 1104 * header or an AVS header, so, in practice, it's 1105 * variable-length. 1106 */ 1107 off_linktype = 24; 1108 off_macpl = 0; /* link-layer header is variable-length */ 1109 off_macpl_is_variable = 1; 1110 off_nl = 8; /* 802.2+SNAP */ 1111 off_nl_nosnap = 3; /* 802.2 */ 1112 return; 1113 1114 case DLT_PPI: 1115 /* 1116 * At the moment we treat PPI the same way that we treat 1117 * normal Radiotap encoded packets. The difference is in 1118 * the function that generates the code at the beginning 1119 * to compute the header length. Since this code generator 1120 * of PPI supports bare 802.11 encapsulation only (i.e. 1121 * the encapsulated DLT should be DLT_IEEE802_11) we 1122 * generate code to check for this too. 1123 */ 1124 off_linktype = 24; 1125 off_macpl = 0; /* link-layer header is variable-length */ 1126 off_macpl_is_variable = 1; 1127 off_nl = 8; /* 802.2+SNAP */ 1128 off_nl_nosnap = 3; /* 802.2 */ 1129 return; 1130 1131 case DLT_ATM_RFC1483: 1132 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1133 /* 1134 * assume routed, non-ISO PDUs 1135 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1136 * 1137 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1138 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1139 * latter would presumably be treated the way PPPoE 1140 * should be, so you can do "pppoe and udp port 2049" 1141 * or "pppoa and tcp port 80" and have it check for 1142 * PPPo{A,E} and a PPP protocol of IP and.... 1143 */ 1144 off_linktype = 0; 1145 off_macpl = 0; /* packet begins with LLC header */ 1146 off_nl = 8; /* 802.2+SNAP */ 1147 off_nl_nosnap = 3; /* 802.2 */ 1148 return; 1149 1150 case DLT_SUNATM: 1151 /* 1152 * Full Frontal ATM; you get AALn PDUs with an ATM 1153 * pseudo-header. 1154 */ 1155 is_atm = 1; 1156 off_vpi = SUNATM_VPI_POS; 1157 off_vci = SUNATM_VCI_POS; 1158 off_proto = PROTO_POS; 1159 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1160 off_payload = SUNATM_PKT_BEGIN_POS; 1161 off_linktype = off_payload; 1162 off_macpl = off_payload; /* if LLC-encapsulated */ 1163 off_nl = 8; /* 802.2+SNAP */ 1164 off_nl_nosnap = 3; /* 802.2 */ 1165 return; 1166 1167 case DLT_RAW: 1168 case DLT_IPV4: 1169 case DLT_IPV6: 1170 off_linktype = -1; 1171 off_macpl = 0; 1172 off_nl = 0; 1173 off_nl_nosnap = 0; /* no 802.2 LLC */ 1174 return; 1175 1176 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1177 off_linktype = 14; 1178 off_macpl = 16; 1179 off_nl = 0; 1180 off_nl_nosnap = 0; /* no 802.2 LLC */ 1181 return; 1182 1183 case DLT_LTALK: 1184 /* 1185 * LocalTalk does have a 1-byte type field in the LLAP header, 1186 * but really it just indicates whether there is a "short" or 1187 * "long" DDP packet following. 1188 */ 1189 off_linktype = -1; 1190 off_macpl = 0; 1191 off_nl = 0; 1192 off_nl_nosnap = 0; /* no 802.2 LLC */ 1193 return; 1194 1195 case DLT_IP_OVER_FC: 1196 /* 1197 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1198 * link-level type field. We set "off_linktype" to the 1199 * offset of the LLC header. 1200 * 1201 * To check for Ethernet types, we assume that SSAP = SNAP 1202 * is being used and pick out the encapsulated Ethernet type. 1203 * XXX - should we generate code to check for SNAP? RFC 1204 * 2625 says SNAP should be used. 1205 */ 1206 off_linktype = 16; 1207 off_macpl = 16; 1208 off_nl = 8; /* 802.2+SNAP */ 1209 off_nl_nosnap = 3; /* 802.2 */ 1210 return; 1211 1212 case DLT_FRELAY: 1213 /* 1214 * XXX - we should set this to handle SNAP-encapsulated 1215 * frames (NLPID of 0x80). 1216 */ 1217 off_linktype = -1; 1218 off_macpl = 0; 1219 off_nl = 0; 1220 off_nl_nosnap = 0; /* no 802.2 LLC */ 1221 return; 1222 1223 /* 1224 * the only BPF-interesting FRF.16 frames are non-control frames; 1225 * Frame Relay has a variable length link-layer 1226 * so lets start with offset 4 for now and increments later on (FIXME); 1227 */ 1228 case DLT_MFR: 1229 off_linktype = -1; 1230 off_macpl = 0; 1231 off_nl = 4; 1232 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1233 return; 1234 1235 case DLT_APPLE_IP_OVER_IEEE1394: 1236 off_linktype = 16; 1237 off_macpl = 18; 1238 off_nl = 0; 1239 off_nl_nosnap = 0; /* no 802.2 LLC */ 1240 return; 1241 1242 case DLT_LINUX_IRDA: 1243 /* 1244 * Currently, only raw "link[N:M]" filtering is supported. 1245 */ 1246 off_linktype = -1; 1247 off_macpl = -1; 1248 off_nl = -1; 1249 off_nl_nosnap = -1; 1250 return; 1251 1252 case DLT_DOCSIS: 1253 /* 1254 * Currently, only raw "link[N:M]" filtering is supported. 1255 */ 1256 off_linktype = -1; 1257 off_macpl = -1; 1258 off_nl = -1; 1259 off_nl_nosnap = -1; 1260 return; 1261 1262 case DLT_SYMANTEC_FIREWALL: 1263 off_linktype = 6; 1264 off_macpl = 44; 1265 off_nl = 0; /* Ethernet II */ 1266 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1267 return; 1268 1269 #ifdef HAVE_NET_PFVAR_H 1270 case DLT_PFLOG: 1271 off_linktype = 0; 1272 off_macpl = PFLOG_HDRLEN; 1273 off_nl = 0; 1274 off_nl_nosnap = 0; /* no 802.2 LLC */ 1275 return; 1276 #endif 1277 1278 case DLT_JUNIPER_MFR: 1279 case DLT_JUNIPER_MLFR: 1280 case DLT_JUNIPER_MLPPP: 1281 case DLT_JUNIPER_PPP: 1282 case DLT_JUNIPER_CHDLC: 1283 case DLT_JUNIPER_FRELAY: 1284 off_linktype = 4; 1285 off_macpl = 4; 1286 off_nl = 0; 1287 off_nl_nosnap = -1; /* no 802.2 LLC */ 1288 return; 1289 1290 case DLT_JUNIPER_ATM1: 1291 off_linktype = 4; /* in reality variable between 4-8 */ 1292 off_macpl = 4; /* in reality variable between 4-8 */ 1293 off_nl = 0; 1294 off_nl_nosnap = 10; 1295 return; 1296 1297 case DLT_JUNIPER_ATM2: 1298 off_linktype = 8; /* in reality variable between 8-12 */ 1299 off_macpl = 8; /* in reality variable between 8-12 */ 1300 off_nl = 0; 1301 off_nl_nosnap = 10; 1302 return; 1303 1304 /* frames captured on a Juniper PPPoE service PIC 1305 * contain raw ethernet frames */ 1306 case DLT_JUNIPER_PPPOE: 1307 case DLT_JUNIPER_ETHER: 1308 off_macpl = 14; 1309 off_linktype = 16; 1310 off_nl = 18; /* Ethernet II */ 1311 off_nl_nosnap = 21; /* 802.3+802.2 */ 1312 return; 1313 1314 case DLT_JUNIPER_PPPOE_ATM: 1315 off_linktype = 4; 1316 off_macpl = 6; 1317 off_nl = 0; 1318 off_nl_nosnap = -1; /* no 802.2 LLC */ 1319 return; 1320 1321 case DLT_JUNIPER_GGSN: 1322 off_linktype = 6; 1323 off_macpl = 12; 1324 off_nl = 0; 1325 off_nl_nosnap = -1; /* no 802.2 LLC */ 1326 return; 1327 1328 case DLT_JUNIPER_ES: 1329 off_linktype = 6; 1330 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1331 off_nl = -1; /* not really a network layer but raw IP addresses */ 1332 off_nl_nosnap = -1; /* no 802.2 LLC */ 1333 return; 1334 1335 case DLT_JUNIPER_MONITOR: 1336 off_linktype = 12; 1337 off_macpl = 12; 1338 off_nl = 0; /* raw IP/IP6 header */ 1339 off_nl_nosnap = -1; /* no 802.2 LLC */ 1340 return; 1341 1342 case DLT_JUNIPER_SERVICES: 1343 off_linktype = 12; 1344 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1345 off_nl = -1; /* L3 proto location dep. on cookie type */ 1346 off_nl_nosnap = -1; /* no 802.2 LLC */ 1347 return; 1348 1349 case DLT_JUNIPER_VP: 1350 off_linktype = 18; 1351 off_macpl = -1; 1352 off_nl = -1; 1353 off_nl_nosnap = -1; 1354 return; 1355 1356 case DLT_JUNIPER_ST: 1357 off_linktype = 18; 1358 off_macpl = -1; 1359 off_nl = -1; 1360 off_nl_nosnap = -1; 1361 return; 1362 1363 case DLT_JUNIPER_ISM: 1364 off_linktype = 8; 1365 off_macpl = -1; 1366 off_nl = -1; 1367 off_nl_nosnap = -1; 1368 return; 1369 1370 case DLT_MTP2: 1371 off_li = 2; 1372 off_sio = 3; 1373 off_opc = 4; 1374 off_dpc = 4; 1375 off_sls = 7; 1376 off_linktype = -1; 1377 off_macpl = -1; 1378 off_nl = -1; 1379 off_nl_nosnap = -1; 1380 return; 1381 1382 case DLT_MTP2_WITH_PHDR: 1383 off_li = 6; 1384 off_sio = 7; 1385 off_opc = 8; 1386 off_dpc = 8; 1387 off_sls = 11; 1388 off_linktype = -1; 1389 off_macpl = -1; 1390 off_nl = -1; 1391 off_nl_nosnap = -1; 1392 return; 1393 1394 case DLT_ERF: 1395 off_li = 22; 1396 off_sio = 23; 1397 off_opc = 24; 1398 off_dpc = 24; 1399 off_sls = 27; 1400 off_linktype = -1; 1401 off_macpl = -1; 1402 off_nl = -1; 1403 off_nl_nosnap = -1; 1404 return; 1405 1406 #ifdef DLT_PFSYNC 1407 case DLT_PFSYNC: 1408 off_linktype = -1; 1409 off_macpl = 4; 1410 off_nl = 0; 1411 off_nl_nosnap = 0; 1412 return; 1413 #endif 1414 1415 case DLT_LINUX_LAPD: 1416 /* 1417 * Currently, only raw "link[N:M]" filtering is supported. 1418 */ 1419 off_linktype = -1; 1420 off_macpl = -1; 1421 off_nl = -1; 1422 off_nl_nosnap = -1; 1423 return; 1424 1425 case DLT_USB: 1426 /* 1427 * Currently, only raw "link[N:M]" filtering is supported. 1428 */ 1429 off_linktype = -1; 1430 off_macpl = -1; 1431 off_nl = -1; 1432 off_nl_nosnap = -1; 1433 return; 1434 1435 case DLT_BLUETOOTH_HCI_H4: 1436 /* 1437 * Currently, only raw "link[N:M]" filtering is supported. 1438 */ 1439 off_linktype = -1; 1440 off_macpl = -1; 1441 off_nl = -1; 1442 off_nl_nosnap = -1; 1443 return; 1444 1445 case DLT_USB_LINUX: 1446 /* 1447 * Currently, only raw "link[N:M]" filtering is supported. 1448 */ 1449 off_linktype = -1; 1450 off_macpl = -1; 1451 off_nl = -1; 1452 off_nl_nosnap = -1; 1453 return; 1454 1455 case DLT_CAN20B: 1456 /* 1457 * Currently, only raw "link[N:M]" filtering is supported. 1458 */ 1459 off_linktype = -1; 1460 off_macpl = -1; 1461 off_nl = -1; 1462 off_nl_nosnap = -1; 1463 return; 1464 1465 case DLT_IEEE802_15_4_LINUX: 1466 /* 1467 * Currently, only raw "link[N:M]" filtering is supported. 1468 */ 1469 off_linktype = -1; 1470 off_macpl = -1; 1471 off_nl = -1; 1472 off_nl_nosnap = -1; 1473 return; 1474 1475 case DLT_IEEE802_16_MAC_CPS_RADIO: 1476 /* 1477 * Currently, only raw "link[N:M]" filtering is supported. 1478 */ 1479 off_linktype = -1; 1480 off_macpl = -1; 1481 off_nl = -1; 1482 off_nl_nosnap = -1; 1483 return; 1484 1485 case DLT_IEEE802_15_4: 1486 /* 1487 * Currently, only raw "link[N:M]" filtering is supported. 1488 */ 1489 off_linktype = -1; 1490 off_macpl = -1; 1491 off_nl = -1; 1492 off_nl_nosnap = -1; 1493 return; 1494 1495 case DLT_SITA: 1496 /* 1497 * Currently, only raw "link[N:M]" filtering is supported. 1498 */ 1499 off_linktype = -1; 1500 off_macpl = -1; 1501 off_nl = -1; 1502 off_nl_nosnap = -1; 1503 return; 1504 1505 case DLT_RAIF1: 1506 /* 1507 * Currently, only raw "link[N:M]" filtering is supported. 1508 */ 1509 off_linktype = -1; 1510 off_macpl = -1; 1511 off_nl = -1; 1512 off_nl_nosnap = -1; 1513 return; 1514 1515 case DLT_IPMB: 1516 /* 1517 * Currently, only raw "link[N:M]" filtering is supported. 1518 */ 1519 off_linktype = -1; 1520 off_macpl = -1; 1521 off_nl = -1; 1522 off_nl_nosnap = -1; 1523 return; 1524 1525 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1526 /* 1527 * Currently, only raw "link[N:M]" filtering is supported. 1528 */ 1529 off_linktype = -1; 1530 off_macpl = -1; 1531 off_nl = -1; 1532 off_nl_nosnap = -1; 1533 return; 1534 1535 case DLT_AX25_KISS: 1536 /* 1537 * Currently, only raw "link[N:M]" filtering is supported. 1538 */ 1539 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1540 off_macpl = -1; 1541 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1542 off_nl_nosnap = -1; /* no 802.2 LLC */ 1543 off_mac = 1; /* step over the kiss length byte */ 1544 return; 1545 1546 case DLT_IEEE802_15_4_NONASK_PHY: 1547 /* 1548 * Currently, only raw "link[N:M]" filtering is supported. 1549 */ 1550 off_linktype = -1; 1551 off_macpl = -1; 1552 off_nl = -1; 1553 off_nl_nosnap = -1; 1554 return; 1555 1556 case DLT_MPLS: 1557 /* 1558 * Currently, only raw "link[N:M]" filtering is supported. 1559 */ 1560 off_linktype = -1; 1561 off_macpl = -1; 1562 off_nl = -1; 1563 off_nl_nosnap = -1; 1564 return; 1565 1566 case DLT_USB_LINUX_MMAPPED: 1567 /* 1568 * Currently, only raw "link[N:M]" filtering is supported. 1569 */ 1570 off_linktype = -1; 1571 off_macpl = -1; 1572 off_nl = -1; 1573 off_nl_nosnap = -1; 1574 return; 1575 1576 case DLT_CAN_SOCKETCAN: 1577 /* 1578 * Currently, only raw "link[N:M]" filtering is supported. 1579 */ 1580 off_linktype = -1; 1581 off_macpl = -1; 1582 off_nl = -1; 1583 off_nl_nosnap = -1; 1584 return; 1585 1586 case DLT_IPNET: 1587 off_linktype = 1; 1588 off_macpl = 24; /* ipnet header length */ 1589 off_nl = 0; 1590 off_nl_nosnap = -1; 1591 return; 1592 } 1593 bpf_error("unknown data link type %d", linktype); 1594 /* NOTREACHED */ 1595 } 1596 1597 /* 1598 * Load a value relative to the beginning of the link-layer header. 1599 * The link-layer header doesn't necessarily begin at the beginning 1600 * of the packet data; there might be a variable-length prefix containing 1601 * radio information. 1602 */ 1603 static struct slist * 1604 gen_load_llrel(offset, size) 1605 u_int offset, size; 1606 { 1607 struct slist *s, *s2; 1608 1609 s = gen_llprefixlen(); 1610 1611 /* 1612 * If "s" is non-null, it has code to arrange that the X register 1613 * contains the length of the prefix preceding the link-layer 1614 * header. 1615 * 1616 * Otherwise, the length of the prefix preceding the link-layer 1617 * header is "off_ll". 1618 */ 1619 if (s != NULL) { 1620 /* 1621 * There's a variable-length prefix preceding the 1622 * link-layer header. "s" points to a list of statements 1623 * that put the length of that prefix into the X register. 1624 * do an indirect load, to use the X register as an offset. 1625 */ 1626 s2 = new_stmt(BPF_LD|BPF_IND|size); 1627 s2->s.k = offset; 1628 sappend(s, s2); 1629 } else { 1630 /* 1631 * There is no variable-length header preceding the 1632 * link-layer header; add in off_ll, which, if there's 1633 * a fixed-length header preceding the link-layer header, 1634 * is the length of that header. 1635 */ 1636 s = new_stmt(BPF_LD|BPF_ABS|size); 1637 s->s.k = offset + off_ll; 1638 } 1639 return s; 1640 } 1641 1642 /* 1643 * Load a value relative to the beginning of the MAC-layer payload. 1644 */ 1645 static struct slist * 1646 gen_load_macplrel(offset, size) 1647 u_int offset, size; 1648 { 1649 struct slist *s, *s2; 1650 1651 s = gen_off_macpl(); 1652 1653 /* 1654 * If s is non-null, the offset of the MAC-layer payload is 1655 * variable, and s points to a list of instructions that 1656 * arrange that the X register contains that offset. 1657 * 1658 * Otherwise, the offset of the MAC-layer payload is constant, 1659 * and is in off_macpl. 1660 */ 1661 if (s != NULL) { 1662 /* 1663 * The offset of the MAC-layer payload is in the X 1664 * register. Do an indirect load, to use the X register 1665 * as an offset. 1666 */ 1667 s2 = new_stmt(BPF_LD|BPF_IND|size); 1668 s2->s.k = offset; 1669 sappend(s, s2); 1670 } else { 1671 /* 1672 * The offset of the MAC-layer payload is constant, 1673 * and is in off_macpl; load the value at that offset 1674 * plus the specified offset. 1675 */ 1676 s = new_stmt(BPF_LD|BPF_ABS|size); 1677 s->s.k = off_macpl + offset; 1678 } 1679 return s; 1680 } 1681 1682 /* 1683 * Load a value relative to the beginning of the specified header. 1684 */ 1685 static struct slist * 1686 gen_load_a(offrel, offset, size) 1687 enum e_offrel offrel; 1688 u_int offset, size; 1689 { 1690 struct slist *s, *s2; 1691 1692 switch (offrel) { 1693 1694 case OR_PACKET: 1695 s = new_stmt(BPF_LD|BPF_ABS|size); 1696 s->s.k = offset; 1697 break; 1698 1699 case OR_LINK: 1700 s = gen_load_llrel(offset, size); 1701 break; 1702 1703 case OR_MACPL: 1704 s = gen_load_macplrel(offset, size); 1705 break; 1706 1707 case OR_NET: 1708 s = gen_load_macplrel(off_nl + offset, size); 1709 break; 1710 1711 case OR_NET_NOSNAP: 1712 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1713 break; 1714 1715 case OR_TRAN_IPV4: 1716 /* 1717 * Load the X register with the length of the IPv4 header 1718 * (plus the offset of the link-layer header, if it's 1719 * preceded by a variable-length header such as a radio 1720 * header), in bytes. 1721 */ 1722 s = gen_loadx_iphdrlen(); 1723 1724 /* 1725 * Load the item at {offset of the MAC-layer payload} + 1726 * {offset, relative to the start of the MAC-layer 1727 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1728 * {specified offset}. 1729 * 1730 * (If the offset of the MAC-layer payload is variable, 1731 * it's included in the value in the X register, and 1732 * off_macpl is 0.) 1733 */ 1734 s2 = new_stmt(BPF_LD|BPF_IND|size); 1735 s2->s.k = off_macpl + off_nl + offset; 1736 sappend(s, s2); 1737 break; 1738 1739 case OR_TRAN_IPV6: 1740 s = gen_load_macplrel(off_nl + 40 + offset, size); 1741 break; 1742 1743 default: 1744 abort(); 1745 return NULL; 1746 } 1747 return s; 1748 } 1749 1750 /* 1751 * Generate code to load into the X register the sum of the length of 1752 * the IPv4 header and any variable-length header preceding the link-layer 1753 * header. 1754 */ 1755 static struct slist * 1756 gen_loadx_iphdrlen() 1757 { 1758 struct slist *s, *s2; 1759 1760 s = gen_off_macpl(); 1761 if (s != NULL) { 1762 /* 1763 * There's a variable-length prefix preceding the 1764 * link-layer header, or the link-layer header is itself 1765 * variable-length. "s" points to a list of statements 1766 * that put the offset of the MAC-layer payload into 1767 * the X register. 1768 * 1769 * The 4*([k]&0xf) addressing mode can't be used, as we 1770 * don't have a constant offset, so we have to load the 1771 * value in question into the A register and add to it 1772 * the value from the X register. 1773 */ 1774 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1775 s2->s.k = off_nl; 1776 sappend(s, s2); 1777 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1778 s2->s.k = 0xf; 1779 sappend(s, s2); 1780 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1781 s2->s.k = 2; 1782 sappend(s, s2); 1783 1784 /* 1785 * The A register now contains the length of the 1786 * IP header. We need to add to it the offset of 1787 * the MAC-layer payload, which is still in the X 1788 * register, and move the result into the X register. 1789 */ 1790 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1791 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1792 } else { 1793 /* 1794 * There is no variable-length header preceding the 1795 * link-layer header, and the link-layer header is 1796 * fixed-length; load the length of the IPv4 header, 1797 * which is at an offset of off_nl from the beginning 1798 * of the MAC-layer payload, and thus at an offset 1799 * of off_mac_pl + off_nl from the beginning of the 1800 * raw packet data. 1801 */ 1802 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1803 s->s.k = off_macpl + off_nl; 1804 } 1805 return s; 1806 } 1807 1808 static struct block * 1809 gen_uncond(rsense) 1810 int rsense; 1811 { 1812 struct block *b; 1813 struct slist *s; 1814 1815 s = new_stmt(BPF_LD|BPF_IMM); 1816 s->s.k = !rsense; 1817 b = new_block(JMP(BPF_JEQ)); 1818 b->stmts = s; 1819 1820 return b; 1821 } 1822 1823 static inline struct block * 1824 gen_true() 1825 { 1826 return gen_uncond(1); 1827 } 1828 1829 static inline struct block * 1830 gen_false() 1831 { 1832 return gen_uncond(0); 1833 } 1834 1835 /* 1836 * Byte-swap a 32-bit number. 1837 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1838 * big-endian platforms.) 1839 */ 1840 #define SWAPLONG(y) \ 1841 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1842 1843 /* 1844 * Generate code to match a particular packet type. 1845 * 1846 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1847 * value, if <= ETHERMTU. We use that to determine whether to 1848 * match the type/length field or to check the type/length field for 1849 * a value <= ETHERMTU to see whether it's a type field and then do 1850 * the appropriate test. 1851 */ 1852 static struct block * 1853 gen_ether_linktype(proto) 1854 register int proto; 1855 { 1856 struct block *b0, *b1; 1857 1858 switch (proto) { 1859 1860 case LLCSAP_ISONS: 1861 case LLCSAP_IP: 1862 case LLCSAP_NETBEUI: 1863 /* 1864 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1865 * so we check the DSAP and SSAP. 1866 * 1867 * LLCSAP_IP checks for IP-over-802.2, rather 1868 * than IP-over-Ethernet or IP-over-SNAP. 1869 * 1870 * XXX - should we check both the DSAP and the 1871 * SSAP, like this, or should we check just the 1872 * DSAP, as we do for other types <= ETHERMTU 1873 * (i.e., other SAP values)? 1874 */ 1875 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1876 gen_not(b0); 1877 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1878 ((proto << 8) | proto)); 1879 gen_and(b0, b1); 1880 return b1; 1881 1882 case LLCSAP_IPX: 1883 /* 1884 * Check for; 1885 * 1886 * Ethernet_II frames, which are Ethernet 1887 * frames with a frame type of ETHERTYPE_IPX; 1888 * 1889 * Ethernet_802.3 frames, which are 802.3 1890 * frames (i.e., the type/length field is 1891 * a length field, <= ETHERMTU, rather than 1892 * a type field) with the first two bytes 1893 * after the Ethernet/802.3 header being 1894 * 0xFFFF; 1895 * 1896 * Ethernet_802.2 frames, which are 802.3 1897 * frames with an 802.2 LLC header and 1898 * with the IPX LSAP as the DSAP in the LLC 1899 * header; 1900 * 1901 * Ethernet_SNAP frames, which are 802.3 1902 * frames with an LLC header and a SNAP 1903 * header and with an OUI of 0x000000 1904 * (encapsulated Ethernet) and a protocol 1905 * ID of ETHERTYPE_IPX in the SNAP header. 1906 * 1907 * XXX - should we generate the same code both 1908 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1909 */ 1910 1911 /* 1912 * This generates code to check both for the 1913 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1914 */ 1915 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1916 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1917 gen_or(b0, b1); 1918 1919 /* 1920 * Now we add code to check for SNAP frames with 1921 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1922 */ 1923 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1924 gen_or(b0, b1); 1925 1926 /* 1927 * Now we generate code to check for 802.3 1928 * frames in general. 1929 */ 1930 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1931 gen_not(b0); 1932 1933 /* 1934 * Now add the check for 802.3 frames before the 1935 * check for Ethernet_802.2 and Ethernet_802.3, 1936 * as those checks should only be done on 802.3 1937 * frames, not on Ethernet frames. 1938 */ 1939 gen_and(b0, b1); 1940 1941 /* 1942 * Now add the check for Ethernet_II frames, and 1943 * do that before checking for the other frame 1944 * types. 1945 */ 1946 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1947 (bpf_int32)ETHERTYPE_IPX); 1948 gen_or(b0, b1); 1949 return b1; 1950 1951 case ETHERTYPE_ATALK: 1952 case ETHERTYPE_AARP: 1953 /* 1954 * EtherTalk (AppleTalk protocols on Ethernet link 1955 * layer) may use 802.2 encapsulation. 1956 */ 1957 1958 /* 1959 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1960 * we check for an Ethernet type field less than 1961 * 1500, which means it's an 802.3 length field. 1962 */ 1963 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1964 gen_not(b0); 1965 1966 /* 1967 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1968 * SNAP packets with an organization code of 1969 * 0x080007 (Apple, for Appletalk) and a protocol 1970 * type of ETHERTYPE_ATALK (Appletalk). 1971 * 1972 * 802.2-encapsulated ETHERTYPE_AARP packets are 1973 * SNAP packets with an organization code of 1974 * 0x000000 (encapsulated Ethernet) and a protocol 1975 * type of ETHERTYPE_AARP (Appletalk ARP). 1976 */ 1977 if (proto == ETHERTYPE_ATALK) 1978 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1979 else /* proto == ETHERTYPE_AARP */ 1980 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1981 gen_and(b0, b1); 1982 1983 /* 1984 * Check for Ethernet encapsulation (Ethertalk 1985 * phase 1?); we just check for the Ethernet 1986 * protocol type. 1987 */ 1988 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1989 1990 gen_or(b0, b1); 1991 return b1; 1992 1993 default: 1994 if (proto <= ETHERMTU) { 1995 /* 1996 * This is an LLC SAP value, so the frames 1997 * that match would be 802.2 frames. 1998 * Check that the frame is an 802.2 frame 1999 * (i.e., that the length/type field is 2000 * a length field, <= ETHERMTU) and 2001 * then check the DSAP. 2002 */ 2003 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 2004 gen_not(b0); 2005 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 2006 (bpf_int32)proto); 2007 gen_and(b0, b1); 2008 return b1; 2009 } else { 2010 /* 2011 * This is an Ethernet type, so compare 2012 * the length/type field with it (if 2013 * the frame is an 802.2 frame, the length 2014 * field will be <= ETHERMTU, and, as 2015 * "proto" is > ETHERMTU, this test 2016 * will fail and the frame won't match, 2017 * which is what we want). 2018 */ 2019 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2020 (bpf_int32)proto); 2021 } 2022 } 2023 } 2024 2025 /* 2026 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2027 * or IPv6 then we have an error. 2028 */ 2029 static struct block * 2030 gen_ipnet_linktype(proto) 2031 register int proto; 2032 { 2033 switch (proto) { 2034 2035 case ETHERTYPE_IP: 2036 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2037 (bpf_int32)IPH_AF_INET); 2038 /* NOTREACHED */ 2039 2040 case ETHERTYPE_IPV6: 2041 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2042 (bpf_int32)IPH_AF_INET6); 2043 /* NOTREACHED */ 2044 2045 default: 2046 break; 2047 } 2048 2049 return gen_false(); 2050 } 2051 2052 /* 2053 * Generate code to match a particular packet type. 2054 * 2055 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2056 * value, if <= ETHERMTU. We use that to determine whether to 2057 * match the type field or to check the type field for the special 2058 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2059 */ 2060 static struct block * 2061 gen_linux_sll_linktype(proto) 2062 register int proto; 2063 { 2064 struct block *b0, *b1; 2065 2066 switch (proto) { 2067 2068 case LLCSAP_ISONS: 2069 case LLCSAP_IP: 2070 case LLCSAP_NETBEUI: 2071 /* 2072 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2073 * so we check the DSAP and SSAP. 2074 * 2075 * LLCSAP_IP checks for IP-over-802.2, rather 2076 * than IP-over-Ethernet or IP-over-SNAP. 2077 * 2078 * XXX - should we check both the DSAP and the 2079 * SSAP, like this, or should we check just the 2080 * DSAP, as we do for other types <= ETHERMTU 2081 * (i.e., other SAP values)? 2082 */ 2083 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2084 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 2085 ((proto << 8) | proto)); 2086 gen_and(b0, b1); 2087 return b1; 2088 2089 case LLCSAP_IPX: 2090 /* 2091 * Ethernet_II frames, which are Ethernet 2092 * frames with a frame type of ETHERTYPE_IPX; 2093 * 2094 * Ethernet_802.3 frames, which have a frame 2095 * type of LINUX_SLL_P_802_3; 2096 * 2097 * Ethernet_802.2 frames, which are 802.3 2098 * frames with an 802.2 LLC header (i.e, have 2099 * a frame type of LINUX_SLL_P_802_2) and 2100 * with the IPX LSAP as the DSAP in the LLC 2101 * header; 2102 * 2103 * Ethernet_SNAP frames, which are 802.3 2104 * frames with an LLC header and a SNAP 2105 * header and with an OUI of 0x000000 2106 * (encapsulated Ethernet) and a protocol 2107 * ID of ETHERTYPE_IPX in the SNAP header. 2108 * 2109 * First, do the checks on LINUX_SLL_P_802_2 2110 * frames; generate the check for either 2111 * Ethernet_802.2 or Ethernet_SNAP frames, and 2112 * then put a check for LINUX_SLL_P_802_2 frames 2113 * before it. 2114 */ 2115 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2116 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2117 gen_or(b0, b1); 2118 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2119 gen_and(b0, b1); 2120 2121 /* 2122 * Now check for 802.3 frames and OR that with 2123 * the previous test. 2124 */ 2125 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2126 gen_or(b0, b1); 2127 2128 /* 2129 * Now add the check for Ethernet_II frames, and 2130 * do that before checking for the other frame 2131 * types. 2132 */ 2133 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2134 (bpf_int32)ETHERTYPE_IPX); 2135 gen_or(b0, b1); 2136 return b1; 2137 2138 case ETHERTYPE_ATALK: 2139 case ETHERTYPE_AARP: 2140 /* 2141 * EtherTalk (AppleTalk protocols on Ethernet link 2142 * layer) may use 802.2 encapsulation. 2143 */ 2144 2145 /* 2146 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2147 * we check for the 802.2 protocol type in the 2148 * "Ethernet type" field. 2149 */ 2150 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2151 2152 /* 2153 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2154 * SNAP packets with an organization code of 2155 * 0x080007 (Apple, for Appletalk) and a protocol 2156 * type of ETHERTYPE_ATALK (Appletalk). 2157 * 2158 * 802.2-encapsulated ETHERTYPE_AARP packets are 2159 * SNAP packets with an organization code of 2160 * 0x000000 (encapsulated Ethernet) and a protocol 2161 * type of ETHERTYPE_AARP (Appletalk ARP). 2162 */ 2163 if (proto == ETHERTYPE_ATALK) 2164 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2165 else /* proto == ETHERTYPE_AARP */ 2166 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2167 gen_and(b0, b1); 2168 2169 /* 2170 * Check for Ethernet encapsulation (Ethertalk 2171 * phase 1?); we just check for the Ethernet 2172 * protocol type. 2173 */ 2174 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2175 2176 gen_or(b0, b1); 2177 return b1; 2178 2179 default: 2180 if (proto <= ETHERMTU) { 2181 /* 2182 * This is an LLC SAP value, so the frames 2183 * that match would be 802.2 frames. 2184 * Check for the 802.2 protocol type 2185 * in the "Ethernet type" field, and 2186 * then check the DSAP. 2187 */ 2188 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2189 LINUX_SLL_P_802_2); 2190 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2191 (bpf_int32)proto); 2192 gen_and(b0, b1); 2193 return b1; 2194 } else { 2195 /* 2196 * This is an Ethernet type, so compare 2197 * the length/type field with it (if 2198 * the frame is an 802.2 frame, the length 2199 * field will be <= ETHERMTU, and, as 2200 * "proto" is > ETHERMTU, this test 2201 * will fail and the frame won't match, 2202 * which is what we want). 2203 */ 2204 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2205 (bpf_int32)proto); 2206 } 2207 } 2208 } 2209 2210 static struct slist * 2211 gen_load_prism_llprefixlen() 2212 { 2213 struct slist *s1, *s2; 2214 struct slist *sjeq_avs_cookie; 2215 struct slist *sjcommon; 2216 2217 /* 2218 * This code is not compatible with the optimizer, as 2219 * we are generating jmp instructions within a normal 2220 * slist of instructions 2221 */ 2222 no_optimize = 1; 2223 2224 /* 2225 * Generate code to load the length of the radio header into 2226 * the register assigned to hold that length, if one has been 2227 * assigned. (If one hasn't been assigned, no code we've 2228 * generated uses that prefix, so we don't need to generate any 2229 * code to load it.) 2230 * 2231 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2232 * or always use the AVS header rather than the Prism header. 2233 * We load a 4-byte big-endian value at the beginning of the 2234 * raw packet data, and see whether, when masked with 0xFFFFF000, 2235 * it's equal to 0x80211000. If so, that indicates that it's 2236 * an AVS header (the masked-out bits are the version number). 2237 * Otherwise, it's a Prism header. 2238 * 2239 * XXX - the Prism header is also, in theory, variable-length, 2240 * but no known software generates headers that aren't 144 2241 * bytes long. 2242 */ 2243 if (reg_off_ll != -1) { 2244 /* 2245 * Load the cookie. 2246 */ 2247 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2248 s1->s.k = 0; 2249 2250 /* 2251 * AND it with 0xFFFFF000. 2252 */ 2253 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2254 s2->s.k = 0xFFFFF000; 2255 sappend(s1, s2); 2256 2257 /* 2258 * Compare with 0x80211000. 2259 */ 2260 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2261 sjeq_avs_cookie->s.k = 0x80211000; 2262 sappend(s1, sjeq_avs_cookie); 2263 2264 /* 2265 * If it's AVS: 2266 * 2267 * The 4 bytes at an offset of 4 from the beginning of 2268 * the AVS header are the length of the AVS header. 2269 * That field is big-endian. 2270 */ 2271 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2272 s2->s.k = 4; 2273 sappend(s1, s2); 2274 sjeq_avs_cookie->s.jt = s2; 2275 2276 /* 2277 * Now jump to the code to allocate a register 2278 * into which to save the header length and 2279 * store the length there. (The "jump always" 2280 * instruction needs to have the k field set; 2281 * it's added to the PC, so, as we're jumping 2282 * over a single instruction, it should be 1.) 2283 */ 2284 sjcommon = new_stmt(JMP(BPF_JA)); 2285 sjcommon->s.k = 1; 2286 sappend(s1, sjcommon); 2287 2288 /* 2289 * Now for the code that handles the Prism header. 2290 * Just load the length of the Prism header (144) 2291 * into the A register. Have the test for an AVS 2292 * header branch here if we don't have an AVS header. 2293 */ 2294 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2295 s2->s.k = 144; 2296 sappend(s1, s2); 2297 sjeq_avs_cookie->s.jf = s2; 2298 2299 /* 2300 * Now allocate a register to hold that value and store 2301 * it. The code for the AVS header will jump here after 2302 * loading the length of the AVS header. 2303 */ 2304 s2 = new_stmt(BPF_ST); 2305 s2->s.k = reg_off_ll; 2306 sappend(s1, s2); 2307 sjcommon->s.jf = s2; 2308 2309 /* 2310 * Now move it into the X register. 2311 */ 2312 s2 = new_stmt(BPF_MISC|BPF_TAX); 2313 sappend(s1, s2); 2314 2315 return (s1); 2316 } else 2317 return (NULL); 2318 } 2319 2320 static struct slist * 2321 gen_load_avs_llprefixlen() 2322 { 2323 struct slist *s1, *s2; 2324 2325 /* 2326 * Generate code to load the length of the AVS header into 2327 * the register assigned to hold that length, if one has been 2328 * assigned. (If one hasn't been assigned, no code we've 2329 * generated uses that prefix, so we don't need to generate any 2330 * code to load it.) 2331 */ 2332 if (reg_off_ll != -1) { 2333 /* 2334 * The 4 bytes at an offset of 4 from the beginning of 2335 * the AVS header are the length of the AVS header. 2336 * That field is big-endian. 2337 */ 2338 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2339 s1->s.k = 4; 2340 2341 /* 2342 * Now allocate a register to hold that value and store 2343 * it. 2344 */ 2345 s2 = new_stmt(BPF_ST); 2346 s2->s.k = reg_off_ll; 2347 sappend(s1, s2); 2348 2349 /* 2350 * Now move it into the X register. 2351 */ 2352 s2 = new_stmt(BPF_MISC|BPF_TAX); 2353 sappend(s1, s2); 2354 2355 return (s1); 2356 } else 2357 return (NULL); 2358 } 2359 2360 static struct slist * 2361 gen_load_radiotap_llprefixlen() 2362 { 2363 struct slist *s1, *s2; 2364 2365 /* 2366 * Generate code to load the length of the radiotap header into 2367 * the register assigned to hold that length, if one has been 2368 * assigned. (If one hasn't been assigned, no code we've 2369 * generated uses that prefix, so we don't need to generate any 2370 * code to load it.) 2371 */ 2372 if (reg_off_ll != -1) { 2373 /* 2374 * The 2 bytes at offsets of 2 and 3 from the beginning 2375 * of the radiotap header are the length of the radiotap 2376 * header; unfortunately, it's little-endian, so we have 2377 * to load it a byte at a time and construct the value. 2378 */ 2379 2380 /* 2381 * Load the high-order byte, at an offset of 3, shift it 2382 * left a byte, and put the result in the X register. 2383 */ 2384 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2385 s1->s.k = 3; 2386 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2387 sappend(s1, s2); 2388 s2->s.k = 8; 2389 s2 = new_stmt(BPF_MISC|BPF_TAX); 2390 sappend(s1, s2); 2391 2392 /* 2393 * Load the next byte, at an offset of 2, and OR the 2394 * value from the X register into it. 2395 */ 2396 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2397 sappend(s1, s2); 2398 s2->s.k = 2; 2399 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2400 sappend(s1, s2); 2401 2402 /* 2403 * Now allocate a register to hold that value and store 2404 * it. 2405 */ 2406 s2 = new_stmt(BPF_ST); 2407 s2->s.k = reg_off_ll; 2408 sappend(s1, s2); 2409 2410 /* 2411 * Now move it into the X register. 2412 */ 2413 s2 = new_stmt(BPF_MISC|BPF_TAX); 2414 sappend(s1, s2); 2415 2416 return (s1); 2417 } else 2418 return (NULL); 2419 } 2420 2421 /* 2422 * At the moment we treat PPI as normal Radiotap encoded 2423 * packets. The difference is in the function that generates 2424 * the code at the beginning to compute the header length. 2425 * Since this code generator of PPI supports bare 802.11 2426 * encapsulation only (i.e. the encapsulated DLT should be 2427 * DLT_IEEE802_11) we generate code to check for this too; 2428 * that's done in finish_parse(). 2429 */ 2430 static struct slist * 2431 gen_load_ppi_llprefixlen() 2432 { 2433 struct slist *s1, *s2; 2434 2435 /* 2436 * Generate code to load the length of the radiotap header 2437 * into the register assigned to hold that length, if one has 2438 * been assigned. 2439 */ 2440 if (reg_off_ll != -1) { 2441 /* 2442 * The 2 bytes at offsets of 2 and 3 from the beginning 2443 * of the radiotap header are the length of the radiotap 2444 * header; unfortunately, it's little-endian, so we have 2445 * to load it a byte at a time and construct the value. 2446 */ 2447 2448 /* 2449 * Load the high-order byte, at an offset of 3, shift it 2450 * left a byte, and put the result in the X register. 2451 */ 2452 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2453 s1->s.k = 3; 2454 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2455 sappend(s1, s2); 2456 s2->s.k = 8; 2457 s2 = new_stmt(BPF_MISC|BPF_TAX); 2458 sappend(s1, s2); 2459 2460 /* 2461 * Load the next byte, at an offset of 2, and OR the 2462 * value from the X register into it. 2463 */ 2464 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2465 sappend(s1, s2); 2466 s2->s.k = 2; 2467 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2468 sappend(s1, s2); 2469 2470 /* 2471 * Now allocate a register to hold that value and store 2472 * it. 2473 */ 2474 s2 = new_stmt(BPF_ST); 2475 s2->s.k = reg_off_ll; 2476 sappend(s1, s2); 2477 2478 /* 2479 * Now move it into the X register. 2480 */ 2481 s2 = new_stmt(BPF_MISC|BPF_TAX); 2482 sappend(s1, s2); 2483 2484 return (s1); 2485 } else 2486 return (NULL); 2487 } 2488 2489 /* 2490 * Load a value relative to the beginning of the link-layer header after the 802.11 2491 * header, i.e. LLC_SNAP. 2492 * The link-layer header doesn't necessarily begin at the beginning 2493 * of the packet data; there might be a variable-length prefix containing 2494 * radio information. 2495 */ 2496 static struct slist * 2497 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2498 { 2499 struct slist *s2; 2500 struct slist *sjset_data_frame_1; 2501 struct slist *sjset_data_frame_2; 2502 struct slist *sjset_qos; 2503 struct slist *sjset_radiotap_flags; 2504 struct slist *sjset_radiotap_tsft; 2505 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2506 struct slist *s_roundup; 2507 2508 if (reg_off_macpl == -1) { 2509 /* 2510 * No register has been assigned to the offset of 2511 * the MAC-layer payload, which means nobody needs 2512 * it; don't bother computing it - just return 2513 * what we already have. 2514 */ 2515 return (s); 2516 } 2517 2518 /* 2519 * This code is not compatible with the optimizer, as 2520 * we are generating jmp instructions within a normal 2521 * slist of instructions 2522 */ 2523 no_optimize = 1; 2524 2525 /* 2526 * If "s" is non-null, it has code to arrange that the X register 2527 * contains the length of the prefix preceding the link-layer 2528 * header. 2529 * 2530 * Otherwise, the length of the prefix preceding the link-layer 2531 * header is "off_ll". 2532 */ 2533 if (s == NULL) { 2534 /* 2535 * There is no variable-length header preceding the 2536 * link-layer header. 2537 * 2538 * Load the length of the fixed-length prefix preceding 2539 * the link-layer header (if any) into the X register, 2540 * and store it in the reg_off_macpl register. 2541 * That length is off_ll. 2542 */ 2543 s = new_stmt(BPF_LDX|BPF_IMM); 2544 s->s.k = off_ll; 2545 } 2546 2547 /* 2548 * The X register contains the offset of the beginning of the 2549 * link-layer header; add 24, which is the minimum length 2550 * of the MAC header for a data frame, to that, and store it 2551 * in reg_off_macpl, and then load the Frame Control field, 2552 * which is at the offset in the X register, with an indexed load. 2553 */ 2554 s2 = new_stmt(BPF_MISC|BPF_TXA); 2555 sappend(s, s2); 2556 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2557 s2->s.k = 24; 2558 sappend(s, s2); 2559 s2 = new_stmt(BPF_ST); 2560 s2->s.k = reg_off_macpl; 2561 sappend(s, s2); 2562 2563 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2564 s2->s.k = 0; 2565 sappend(s, s2); 2566 2567 /* 2568 * Check the Frame Control field to see if this is a data frame; 2569 * a data frame has the 0x08 bit (b3) in that field set and the 2570 * 0x04 bit (b2) clear. 2571 */ 2572 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2573 sjset_data_frame_1->s.k = 0x08; 2574 sappend(s, sjset_data_frame_1); 2575 2576 /* 2577 * If b3 is set, test b2, otherwise go to the first statement of 2578 * the rest of the program. 2579 */ 2580 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2581 sjset_data_frame_2->s.k = 0x04; 2582 sappend(s, sjset_data_frame_2); 2583 sjset_data_frame_1->s.jf = snext; 2584 2585 /* 2586 * If b2 is not set, this is a data frame; test the QoS bit. 2587 * Otherwise, go to the first statement of the rest of the 2588 * program. 2589 */ 2590 sjset_data_frame_2->s.jt = snext; 2591 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2592 sjset_qos->s.k = 0x80; /* QoS bit */ 2593 sappend(s, sjset_qos); 2594 2595 /* 2596 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2597 * field. 2598 * Otherwise, go to the first statement of the rest of the 2599 * program. 2600 */ 2601 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2602 s2->s.k = reg_off_macpl; 2603 sappend(s, s2); 2604 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2605 s2->s.k = 2; 2606 sappend(s, s2); 2607 s2 = new_stmt(BPF_ST); 2608 s2->s.k = reg_off_macpl; 2609 sappend(s, s2); 2610 2611 /* 2612 * If we have a radiotap header, look at it to see whether 2613 * there's Atheros padding between the MAC-layer header 2614 * and the payload. 2615 * 2616 * Note: all of the fields in the radiotap header are 2617 * little-endian, so we byte-swap all of the values 2618 * we test against, as they will be loaded as big-endian 2619 * values. 2620 */ 2621 if (linktype == DLT_IEEE802_11_RADIO) { 2622 /* 2623 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2624 * in the presence flag? 2625 */ 2626 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2627 s2->s.k = 4; 2628 sappend(s, s2); 2629 2630 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2631 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2632 sappend(s, sjset_radiotap_flags); 2633 2634 /* 2635 * If not, skip all of this. 2636 */ 2637 sjset_radiotap_flags->s.jf = snext; 2638 2639 /* 2640 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2641 */ 2642 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2643 new_stmt(JMP(BPF_JSET)); 2644 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2645 sappend(s, sjset_radiotap_tsft); 2646 2647 /* 2648 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2649 * at an offset of 16 from the beginning of the raw packet 2650 * data (8 bytes for the radiotap header and 8 bytes for 2651 * the TSFT field). 2652 * 2653 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2654 * is set. 2655 */ 2656 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2657 s2->s.k = 16; 2658 sappend(s, s2); 2659 2660 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2661 sjset_tsft_datapad->s.k = 0x20; 2662 sappend(s, sjset_tsft_datapad); 2663 2664 /* 2665 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2666 * at an offset of 8 from the beginning of the raw packet 2667 * data (8 bytes for the radiotap header). 2668 * 2669 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2670 * is set. 2671 */ 2672 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2673 s2->s.k = 8; 2674 sappend(s, s2); 2675 2676 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2677 sjset_notsft_datapad->s.k = 0x20; 2678 sappend(s, sjset_notsft_datapad); 2679 2680 /* 2681 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2682 * set, round the length of the 802.11 header to 2683 * a multiple of 4. Do that by adding 3 and then 2684 * dividing by and multiplying by 4, which we do by 2685 * ANDing with ~3. 2686 */ 2687 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2688 s_roundup->s.k = reg_off_macpl; 2689 sappend(s, s_roundup); 2690 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2691 s2->s.k = 3; 2692 sappend(s, s2); 2693 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2694 s2->s.k = ~3; 2695 sappend(s, s2); 2696 s2 = new_stmt(BPF_ST); 2697 s2->s.k = reg_off_macpl; 2698 sappend(s, s2); 2699 2700 sjset_tsft_datapad->s.jt = s_roundup; 2701 sjset_tsft_datapad->s.jf = snext; 2702 sjset_notsft_datapad->s.jt = s_roundup; 2703 sjset_notsft_datapad->s.jf = snext; 2704 } else 2705 sjset_qos->s.jf = snext; 2706 2707 return s; 2708 } 2709 2710 static void 2711 insert_compute_vloffsets(b) 2712 struct block *b; 2713 { 2714 struct slist *s; 2715 2716 /* 2717 * For link-layer types that have a variable-length header 2718 * preceding the link-layer header, generate code to load 2719 * the offset of the link-layer header into the register 2720 * assigned to that offset, if any. 2721 */ 2722 switch (linktype) { 2723 2724 case DLT_PRISM_HEADER: 2725 s = gen_load_prism_llprefixlen(); 2726 break; 2727 2728 case DLT_IEEE802_11_RADIO_AVS: 2729 s = gen_load_avs_llprefixlen(); 2730 break; 2731 2732 case DLT_IEEE802_11_RADIO: 2733 s = gen_load_radiotap_llprefixlen(); 2734 break; 2735 2736 case DLT_PPI: 2737 s = gen_load_ppi_llprefixlen(); 2738 break; 2739 2740 default: 2741 s = NULL; 2742 break; 2743 } 2744 2745 /* 2746 * For link-layer types that have a variable-length link-layer 2747 * header, generate code to load the offset of the MAC-layer 2748 * payload into the register assigned to that offset, if any. 2749 */ 2750 switch (linktype) { 2751 2752 case DLT_IEEE802_11: 2753 case DLT_PRISM_HEADER: 2754 case DLT_IEEE802_11_RADIO_AVS: 2755 case DLT_IEEE802_11_RADIO: 2756 case DLT_PPI: 2757 s = gen_load_802_11_header_len(s, b->stmts); 2758 break; 2759 } 2760 2761 /* 2762 * If we have any offset-loading code, append all the 2763 * existing statements in the block to those statements, 2764 * and make the resulting list the list of statements 2765 * for the block. 2766 */ 2767 if (s != NULL) { 2768 sappend(s, b->stmts); 2769 b->stmts = s; 2770 } 2771 } 2772 2773 static struct block * 2774 gen_ppi_dlt_check(void) 2775 { 2776 struct slist *s_load_dlt; 2777 struct block *b; 2778 2779 if (linktype == DLT_PPI) 2780 { 2781 /* Create the statements that check for the DLT 2782 */ 2783 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2784 s_load_dlt->s.k = 4; 2785 2786 b = new_block(JMP(BPF_JEQ)); 2787 2788 b->stmts = s_load_dlt; 2789 b->s.k = SWAPLONG(DLT_IEEE802_11); 2790 } 2791 else 2792 { 2793 b = NULL; 2794 } 2795 2796 return b; 2797 } 2798 2799 static struct slist * 2800 gen_prism_llprefixlen(void) 2801 { 2802 struct slist *s; 2803 2804 if (reg_off_ll == -1) { 2805 /* 2806 * We haven't yet assigned a register for the length 2807 * of the radio header; allocate one. 2808 */ 2809 reg_off_ll = alloc_reg(); 2810 } 2811 2812 /* 2813 * Load the register containing the radio length 2814 * into the X register. 2815 */ 2816 s = new_stmt(BPF_LDX|BPF_MEM); 2817 s->s.k = reg_off_ll; 2818 return s; 2819 } 2820 2821 static struct slist * 2822 gen_avs_llprefixlen(void) 2823 { 2824 struct slist *s; 2825 2826 if (reg_off_ll == -1) { 2827 /* 2828 * We haven't yet assigned a register for the length 2829 * of the AVS header; allocate one. 2830 */ 2831 reg_off_ll = alloc_reg(); 2832 } 2833 2834 /* 2835 * Load the register containing the AVS length 2836 * into the X register. 2837 */ 2838 s = new_stmt(BPF_LDX|BPF_MEM); 2839 s->s.k = reg_off_ll; 2840 return s; 2841 } 2842 2843 static struct slist * 2844 gen_radiotap_llprefixlen(void) 2845 { 2846 struct slist *s; 2847 2848 if (reg_off_ll == -1) { 2849 /* 2850 * We haven't yet assigned a register for the length 2851 * of the radiotap header; allocate one. 2852 */ 2853 reg_off_ll = alloc_reg(); 2854 } 2855 2856 /* 2857 * Load the register containing the radiotap length 2858 * into the X register. 2859 */ 2860 s = new_stmt(BPF_LDX|BPF_MEM); 2861 s->s.k = reg_off_ll; 2862 return s; 2863 } 2864 2865 /* 2866 * At the moment we treat PPI as normal Radiotap encoded 2867 * packets. The difference is in the function that generates 2868 * the code at the beginning to compute the header length. 2869 * Since this code generator of PPI supports bare 802.11 2870 * encapsulation only (i.e. the encapsulated DLT should be 2871 * DLT_IEEE802_11) we generate code to check for this too. 2872 */ 2873 static struct slist * 2874 gen_ppi_llprefixlen(void) 2875 { 2876 struct slist *s; 2877 2878 if (reg_off_ll == -1) { 2879 /* 2880 * We haven't yet assigned a register for the length 2881 * of the radiotap header; allocate one. 2882 */ 2883 reg_off_ll = alloc_reg(); 2884 } 2885 2886 /* 2887 * Load the register containing the PPI length 2888 * into the X register. 2889 */ 2890 s = new_stmt(BPF_LDX|BPF_MEM); 2891 s->s.k = reg_off_ll; 2892 return s; 2893 } 2894 2895 /* 2896 * Generate code to compute the link-layer header length, if necessary, 2897 * putting it into the X register, and to return either a pointer to a 2898 * "struct slist" for the list of statements in that code, or NULL if 2899 * no code is necessary. 2900 */ 2901 static struct slist * 2902 gen_llprefixlen(void) 2903 { 2904 switch (linktype) { 2905 2906 case DLT_PRISM_HEADER: 2907 return gen_prism_llprefixlen(); 2908 2909 case DLT_IEEE802_11_RADIO_AVS: 2910 return gen_avs_llprefixlen(); 2911 2912 case DLT_IEEE802_11_RADIO: 2913 return gen_radiotap_llprefixlen(); 2914 2915 case DLT_PPI: 2916 return gen_ppi_llprefixlen(); 2917 2918 default: 2919 return NULL; 2920 } 2921 } 2922 2923 /* 2924 * Generate code to load the register containing the offset of the 2925 * MAC-layer payload into the X register; if no register for that offset 2926 * has been allocated, allocate it first. 2927 */ 2928 static struct slist * 2929 gen_off_macpl(void) 2930 { 2931 struct slist *s; 2932 2933 if (off_macpl_is_variable) { 2934 if (reg_off_macpl == -1) { 2935 /* 2936 * We haven't yet assigned a register for the offset 2937 * of the MAC-layer payload; allocate one. 2938 */ 2939 reg_off_macpl = alloc_reg(); 2940 } 2941 2942 /* 2943 * Load the register containing the offset of the MAC-layer 2944 * payload into the X register. 2945 */ 2946 s = new_stmt(BPF_LDX|BPF_MEM); 2947 s->s.k = reg_off_macpl; 2948 return s; 2949 } else { 2950 /* 2951 * That offset isn't variable, so we don't need to 2952 * generate any code. 2953 */ 2954 return NULL; 2955 } 2956 } 2957 2958 /* 2959 * Map an Ethernet type to the equivalent PPP type. 2960 */ 2961 static int 2962 ethertype_to_ppptype(proto) 2963 int proto; 2964 { 2965 switch (proto) { 2966 2967 case ETHERTYPE_IP: 2968 proto = PPP_IP; 2969 break; 2970 2971 #ifdef INET6 2972 case ETHERTYPE_IPV6: 2973 proto = PPP_IPV6; 2974 break; 2975 #endif 2976 2977 case ETHERTYPE_DN: 2978 proto = PPP_DECNET; 2979 break; 2980 2981 case ETHERTYPE_ATALK: 2982 proto = PPP_APPLE; 2983 break; 2984 2985 case ETHERTYPE_NS: 2986 proto = PPP_NS; 2987 break; 2988 2989 case LLCSAP_ISONS: 2990 proto = PPP_OSI; 2991 break; 2992 2993 case LLCSAP_8021D: 2994 /* 2995 * I'm assuming the "Bridging PDU"s that go 2996 * over PPP are Spanning Tree Protocol 2997 * Bridging PDUs. 2998 */ 2999 proto = PPP_BRPDU; 3000 break; 3001 3002 case LLCSAP_IPX: 3003 proto = PPP_IPX; 3004 break; 3005 } 3006 return (proto); 3007 } 3008 3009 /* 3010 * Generate code to match a particular packet type by matching the 3011 * link-layer type field or fields in the 802.2 LLC header. 3012 * 3013 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3014 * value, if <= ETHERMTU. 3015 */ 3016 static struct block * 3017 gen_linktype(proto) 3018 register int proto; 3019 { 3020 struct block *b0, *b1, *b2; 3021 3022 /* are we checking MPLS-encapsulated packets? */ 3023 if (label_stack_depth > 0) { 3024 switch (proto) { 3025 case ETHERTYPE_IP: 3026 case PPP_IP: 3027 /* FIXME add other L3 proto IDs */ 3028 return gen_mpls_linktype(Q_IP); 3029 3030 case ETHERTYPE_IPV6: 3031 case PPP_IPV6: 3032 /* FIXME add other L3 proto IDs */ 3033 return gen_mpls_linktype(Q_IPV6); 3034 3035 default: 3036 bpf_error("unsupported protocol over mpls"); 3037 /* NOTREACHED */ 3038 } 3039 } 3040 3041 /* 3042 * Are we testing PPPoE packets? 3043 */ 3044 if (is_pppoes) { 3045 /* 3046 * The PPPoE session header is part of the 3047 * MAC-layer payload, so all references 3048 * should be relative to the beginning of 3049 * that payload. 3050 */ 3051 3052 /* 3053 * We use Ethernet protocol types inside libpcap; 3054 * map them to the corresponding PPP protocol types. 3055 */ 3056 proto = ethertype_to_ppptype(proto); 3057 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 3058 } 3059 3060 switch (linktype) { 3061 3062 case DLT_EN10MB: 3063 return gen_ether_linktype(proto); 3064 /*NOTREACHED*/ 3065 break; 3066 3067 case DLT_C_HDLC: 3068 switch (proto) { 3069 3070 case LLCSAP_ISONS: 3071 proto = (proto << 8 | LLCSAP_ISONS); 3072 /* fall through */ 3073 3074 default: 3075 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3076 (bpf_int32)proto); 3077 /*NOTREACHED*/ 3078 break; 3079 } 3080 break; 3081 3082 case DLT_IEEE802_11: 3083 case DLT_PRISM_HEADER: 3084 case DLT_IEEE802_11_RADIO_AVS: 3085 case DLT_IEEE802_11_RADIO: 3086 case DLT_PPI: 3087 /* 3088 * Check that we have a data frame. 3089 */ 3090 b0 = gen_check_802_11_data_frame(); 3091 3092 /* 3093 * Now check for the specified link-layer type. 3094 */ 3095 b1 = gen_llc_linktype(proto); 3096 gen_and(b0, b1); 3097 return b1; 3098 /*NOTREACHED*/ 3099 break; 3100 3101 case DLT_FDDI: 3102 /* 3103 * XXX - check for asynchronous frames, as per RFC 1103. 3104 */ 3105 return gen_llc_linktype(proto); 3106 /*NOTREACHED*/ 3107 break; 3108 3109 case DLT_IEEE802: 3110 /* 3111 * XXX - check for LLC PDUs, as per IEEE 802.5. 3112 */ 3113 return gen_llc_linktype(proto); 3114 /*NOTREACHED*/ 3115 break; 3116 3117 case DLT_ATM_RFC1483: 3118 case DLT_ATM_CLIP: 3119 case DLT_IP_OVER_FC: 3120 return gen_llc_linktype(proto); 3121 /*NOTREACHED*/ 3122 break; 3123 3124 case DLT_SUNATM: 3125 /* 3126 * If "is_lane" is set, check for a LANE-encapsulated 3127 * version of this protocol, otherwise check for an 3128 * LLC-encapsulated version of this protocol. 3129 * 3130 * We assume LANE means Ethernet, not Token Ring. 3131 */ 3132 if (is_lane) { 3133 /* 3134 * Check that the packet doesn't begin with an 3135 * LE Control marker. (We've already generated 3136 * a test for LANE.) 3137 */ 3138 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3139 0xFF00); 3140 gen_not(b0); 3141 3142 /* 3143 * Now generate an Ethernet test. 3144 */ 3145 b1 = gen_ether_linktype(proto); 3146 gen_and(b0, b1); 3147 return b1; 3148 } else { 3149 /* 3150 * Check for LLC encapsulation and then check the 3151 * protocol. 3152 */ 3153 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3154 b1 = gen_llc_linktype(proto); 3155 gen_and(b0, b1); 3156 return b1; 3157 } 3158 /*NOTREACHED*/ 3159 break; 3160 3161 case DLT_LINUX_SLL: 3162 return gen_linux_sll_linktype(proto); 3163 /*NOTREACHED*/ 3164 break; 3165 3166 case DLT_SLIP: 3167 case DLT_SLIP_BSDOS: 3168 case DLT_RAW: 3169 /* 3170 * These types don't provide any type field; packets 3171 * are always IPv4 or IPv6. 3172 * 3173 * XXX - for IPv4, check for a version number of 4, and, 3174 * for IPv6, check for a version number of 6? 3175 */ 3176 switch (proto) { 3177 3178 case ETHERTYPE_IP: 3179 /* Check for a version number of 4. */ 3180 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3181 #ifdef INET6 3182 case ETHERTYPE_IPV6: 3183 /* Check for a version number of 6. */ 3184 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3185 #endif 3186 3187 default: 3188 return gen_false(); /* always false */ 3189 } 3190 /*NOTREACHED*/ 3191 break; 3192 3193 case DLT_IPV4: 3194 /* 3195 * Raw IPv4, so no type field. 3196 */ 3197 if (proto == ETHERTYPE_IP) 3198 return gen_true(); /* always true */ 3199 3200 /* Checking for something other than IPv4; always false */ 3201 return gen_false(); 3202 /*NOTREACHED*/ 3203 break; 3204 3205 case DLT_IPV6: 3206 /* 3207 * Raw IPv6, so no type field. 3208 */ 3209 #ifdef INET6 3210 if (proto == ETHERTYPE_IPV6) 3211 return gen_true(); /* always true */ 3212 #endif 3213 3214 /* Checking for something other than IPv6; always false */ 3215 return gen_false(); 3216 /*NOTREACHED*/ 3217 break; 3218 3219 case DLT_PPP: 3220 case DLT_PPP_PPPD: 3221 case DLT_PPP_SERIAL: 3222 case DLT_PPP_ETHER: 3223 /* 3224 * We use Ethernet protocol types inside libpcap; 3225 * map them to the corresponding PPP protocol types. 3226 */ 3227 proto = ethertype_to_ppptype(proto); 3228 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3229 /*NOTREACHED*/ 3230 break; 3231 3232 case DLT_PPP_BSDOS: 3233 /* 3234 * We use Ethernet protocol types inside libpcap; 3235 * map them to the corresponding PPP protocol types. 3236 */ 3237 switch (proto) { 3238 3239 case ETHERTYPE_IP: 3240 /* 3241 * Also check for Van Jacobson-compressed IP. 3242 * XXX - do this for other forms of PPP? 3243 */ 3244 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3245 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3246 gen_or(b0, b1); 3247 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3248 gen_or(b1, b0); 3249 return b0; 3250 3251 default: 3252 proto = ethertype_to_ppptype(proto); 3253 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3254 (bpf_int32)proto); 3255 } 3256 /*NOTREACHED*/ 3257 break; 3258 3259 case DLT_NULL: 3260 case DLT_LOOP: 3261 case DLT_ENC: 3262 /* 3263 * For DLT_NULL, the link-layer header is a 32-bit 3264 * word containing an AF_ value in *host* byte order, 3265 * and for DLT_ENC, the link-layer header begins 3266 * with a 32-bit work containing an AF_ value in 3267 * host byte order. 3268 * 3269 * In addition, if we're reading a saved capture file, 3270 * the host byte order in the capture may not be the 3271 * same as the host byte order on this machine. 3272 * 3273 * For DLT_LOOP, the link-layer header is a 32-bit 3274 * word containing an AF_ value in *network* byte order. 3275 * 3276 * XXX - AF_ values may, unfortunately, be platform- 3277 * dependent; for example, FreeBSD's AF_INET6 is 24 3278 * whilst NetBSD's and OpenBSD's is 26. 3279 * 3280 * This means that, when reading a capture file, just 3281 * checking for our AF_INET6 value won't work if the 3282 * capture file came from another OS. 3283 */ 3284 switch (proto) { 3285 3286 case ETHERTYPE_IP: 3287 proto = AF_INET; 3288 break; 3289 3290 #ifdef INET6 3291 case ETHERTYPE_IPV6: 3292 proto = AF_INET6; 3293 break; 3294 #endif 3295 3296 default: 3297 /* 3298 * Not a type on which we support filtering. 3299 * XXX - support those that have AF_ values 3300 * #defined on this platform, at least? 3301 */ 3302 return gen_false(); 3303 } 3304 3305 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3306 /* 3307 * The AF_ value is in host byte order, but 3308 * the BPF interpreter will convert it to 3309 * network byte order. 3310 * 3311 * If this is a save file, and it's from a 3312 * machine with the opposite byte order to 3313 * ours, we byte-swap the AF_ value. 3314 * 3315 * Then we run it through "htonl()", and 3316 * generate code to compare against the result. 3317 */ 3318 if (bpf_pcap->sf.rfile != NULL && 3319 bpf_pcap->sf.swapped) 3320 proto = SWAPLONG(proto); 3321 proto = htonl(proto); 3322 } 3323 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3324 3325 #ifdef HAVE_NET_PFVAR_H 3326 case DLT_PFLOG: 3327 /* 3328 * af field is host byte order in contrast to the rest of 3329 * the packet. 3330 */ 3331 if (proto == ETHERTYPE_IP) 3332 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3333 BPF_B, (bpf_int32)AF_INET)); 3334 #ifdef INET6 3335 else if (proto == ETHERTYPE_IPV6) 3336 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3337 BPF_B, (bpf_int32)AF_INET6)); 3338 #endif /* INET6 */ 3339 else 3340 return gen_false(); 3341 /*NOTREACHED*/ 3342 break; 3343 #endif /* HAVE_NET_PFVAR_H */ 3344 3345 case DLT_ARCNET: 3346 case DLT_ARCNET_LINUX: 3347 /* 3348 * XXX should we check for first fragment if the protocol 3349 * uses PHDS? 3350 */ 3351 switch (proto) { 3352 3353 default: 3354 return gen_false(); 3355 3356 #ifdef INET6 3357 case ETHERTYPE_IPV6: 3358 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3359 (bpf_int32)ARCTYPE_INET6)); 3360 #endif /* INET6 */ 3361 3362 case ETHERTYPE_IP: 3363 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3364 (bpf_int32)ARCTYPE_IP); 3365 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3366 (bpf_int32)ARCTYPE_IP_OLD); 3367 gen_or(b0, b1); 3368 return (b1); 3369 3370 case ETHERTYPE_ARP: 3371 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3372 (bpf_int32)ARCTYPE_ARP); 3373 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3374 (bpf_int32)ARCTYPE_ARP_OLD); 3375 gen_or(b0, b1); 3376 return (b1); 3377 3378 case ETHERTYPE_REVARP: 3379 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3380 (bpf_int32)ARCTYPE_REVARP)); 3381 3382 case ETHERTYPE_ATALK: 3383 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3384 (bpf_int32)ARCTYPE_ATALK)); 3385 } 3386 /*NOTREACHED*/ 3387 break; 3388 3389 case DLT_LTALK: 3390 switch (proto) { 3391 case ETHERTYPE_ATALK: 3392 return gen_true(); 3393 default: 3394 return gen_false(); 3395 } 3396 /*NOTREACHED*/ 3397 break; 3398 3399 case DLT_FRELAY: 3400 /* 3401 * XXX - assumes a 2-byte Frame Relay header with 3402 * DLCI and flags. What if the address is longer? 3403 */ 3404 switch (proto) { 3405 3406 case ETHERTYPE_IP: 3407 /* 3408 * Check for the special NLPID for IP. 3409 */ 3410 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3411 3412 #ifdef INET6 3413 case ETHERTYPE_IPV6: 3414 /* 3415 * Check for the special NLPID for IPv6. 3416 */ 3417 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3418 #endif 3419 3420 case LLCSAP_ISONS: 3421 /* 3422 * Check for several OSI protocols. 3423 * 3424 * Frame Relay packets typically have an OSI 3425 * NLPID at the beginning; we check for each 3426 * of them. 3427 * 3428 * What we check for is the NLPID and a frame 3429 * control field of UI, i.e. 0x03 followed 3430 * by the NLPID. 3431 */ 3432 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3433 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3434 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3435 gen_or(b1, b2); 3436 gen_or(b0, b2); 3437 return b2; 3438 3439 default: 3440 return gen_false(); 3441 } 3442 /*NOTREACHED*/ 3443 break; 3444 3445 case DLT_MFR: 3446 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3447 3448 case DLT_JUNIPER_MFR: 3449 case DLT_JUNIPER_MLFR: 3450 case DLT_JUNIPER_MLPPP: 3451 case DLT_JUNIPER_ATM1: 3452 case DLT_JUNIPER_ATM2: 3453 case DLT_JUNIPER_PPPOE: 3454 case DLT_JUNIPER_PPPOE_ATM: 3455 case DLT_JUNIPER_GGSN: 3456 case DLT_JUNIPER_ES: 3457 case DLT_JUNIPER_MONITOR: 3458 case DLT_JUNIPER_SERVICES: 3459 case DLT_JUNIPER_ETHER: 3460 case DLT_JUNIPER_PPP: 3461 case DLT_JUNIPER_FRELAY: 3462 case DLT_JUNIPER_CHDLC: 3463 case DLT_JUNIPER_VP: 3464 case DLT_JUNIPER_ST: 3465 case DLT_JUNIPER_ISM: 3466 /* just lets verify the magic number for now - 3467 * on ATM we may have up to 6 different encapsulations on the wire 3468 * and need a lot of heuristics to figure out that the payload 3469 * might be; 3470 * 3471 * FIXME encapsulation specific BPF_ filters 3472 */ 3473 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3474 3475 case DLT_IPNET: 3476 return gen_ipnet_linktype(proto); 3477 3478 case DLT_LINUX_IRDA: 3479 bpf_error("IrDA link-layer type filtering not implemented"); 3480 3481 case DLT_DOCSIS: 3482 bpf_error("DOCSIS link-layer type filtering not implemented"); 3483 3484 case DLT_MTP2: 3485 case DLT_MTP2_WITH_PHDR: 3486 bpf_error("MTP2 link-layer type filtering not implemented"); 3487 3488 case DLT_ERF: 3489 bpf_error("ERF link-layer type filtering not implemented"); 3490 3491 #ifdef DLT_PFSYNC 3492 case DLT_PFSYNC: 3493 bpf_error("PFSYNC link-layer type filtering not implemented"); 3494 #endif 3495 3496 case DLT_LINUX_LAPD: 3497 bpf_error("LAPD link-layer type filtering not implemented"); 3498 3499 case DLT_USB: 3500 case DLT_USB_LINUX: 3501 case DLT_USB_LINUX_MMAPPED: 3502 bpf_error("USB link-layer type filtering not implemented"); 3503 3504 case DLT_BLUETOOTH_HCI_H4: 3505 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3506 bpf_error("Bluetooth link-layer type filtering not implemented"); 3507 3508 case DLT_CAN20B: 3509 case DLT_CAN_SOCKETCAN: 3510 bpf_error("CAN link-layer type filtering not implemented"); 3511 3512 case DLT_IEEE802_15_4: 3513 case DLT_IEEE802_15_4_LINUX: 3514 case DLT_IEEE802_15_4_NONASK_PHY: 3515 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3516 3517 case DLT_IEEE802_16_MAC_CPS_RADIO: 3518 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3519 3520 case DLT_SITA: 3521 bpf_error("SITA link-layer type filtering not implemented"); 3522 3523 case DLT_RAIF1: 3524 bpf_error("RAIF1 link-layer type filtering not implemented"); 3525 3526 case DLT_IPMB: 3527 bpf_error("IPMB link-layer type filtering not implemented"); 3528 3529 case DLT_AX25_KISS: 3530 bpf_error("AX.25 link-layer type filtering not implemented"); 3531 } 3532 3533 /* 3534 * All the types that have no encapsulation should either be 3535 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3536 * all packets are IP packets, or should be handled in some 3537 * special case, if none of them are (if some are and some 3538 * aren't, the lack of encapsulation is a problem, as we'd 3539 * have to find some other way of determining the packet type). 3540 * 3541 * Therefore, if "off_linktype" is -1, there's an error. 3542 */ 3543 if (off_linktype == (u_int)-1) 3544 abort(); 3545 3546 /* 3547 * Any type not handled above should always have an Ethernet 3548 * type at an offset of "off_linktype". 3549 */ 3550 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3551 } 3552 3553 /* 3554 * Check for an LLC SNAP packet with a given organization code and 3555 * protocol type; we check the entire contents of the 802.2 LLC and 3556 * snap headers, checking for DSAP and SSAP of SNAP and a control 3557 * field of 0x03 in the LLC header, and for the specified organization 3558 * code and protocol type in the SNAP header. 3559 */ 3560 static struct block * 3561 gen_snap(orgcode, ptype) 3562 bpf_u_int32 orgcode; 3563 bpf_u_int32 ptype; 3564 { 3565 u_char snapblock[8]; 3566 3567 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3568 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3569 snapblock[2] = 0x03; /* control = UI */ 3570 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3571 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3572 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3573 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3574 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3575 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3576 } 3577 3578 /* 3579 * Generate code to match a particular packet type, for link-layer types 3580 * using 802.2 LLC headers. 3581 * 3582 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3583 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3584 * 3585 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3586 * value, if <= ETHERMTU. We use that to determine whether to 3587 * match the DSAP or both DSAP and LSAP or to check the OUI and 3588 * protocol ID in a SNAP header. 3589 */ 3590 static struct block * 3591 gen_llc_linktype(proto) 3592 int proto; 3593 { 3594 /* 3595 * XXX - handle token-ring variable-length header. 3596 */ 3597 switch (proto) { 3598 3599 case LLCSAP_IP: 3600 case LLCSAP_ISONS: 3601 case LLCSAP_NETBEUI: 3602 /* 3603 * XXX - should we check both the DSAP and the 3604 * SSAP, like this, or should we check just the 3605 * DSAP, as we do for other types <= ETHERMTU 3606 * (i.e., other SAP values)? 3607 */ 3608 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3609 ((proto << 8) | proto)); 3610 3611 case LLCSAP_IPX: 3612 /* 3613 * XXX - are there ever SNAP frames for IPX on 3614 * non-Ethernet 802.x networks? 3615 */ 3616 return gen_cmp(OR_MACPL, 0, BPF_B, 3617 (bpf_int32)LLCSAP_IPX); 3618 3619 case ETHERTYPE_ATALK: 3620 /* 3621 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3622 * SNAP packets with an organization code of 3623 * 0x080007 (Apple, for Appletalk) and a protocol 3624 * type of ETHERTYPE_ATALK (Appletalk). 3625 * 3626 * XXX - check for an organization code of 3627 * encapsulated Ethernet as well? 3628 */ 3629 return gen_snap(0x080007, ETHERTYPE_ATALK); 3630 3631 default: 3632 /* 3633 * XXX - we don't have to check for IPX 802.3 3634 * here, but should we check for the IPX Ethertype? 3635 */ 3636 if (proto <= ETHERMTU) { 3637 /* 3638 * This is an LLC SAP value, so check 3639 * the DSAP. 3640 */ 3641 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3642 } else { 3643 /* 3644 * This is an Ethernet type; we assume that it's 3645 * unlikely that it'll appear in the right place 3646 * at random, and therefore check only the 3647 * location that would hold the Ethernet type 3648 * in a SNAP frame with an organization code of 3649 * 0x000000 (encapsulated Ethernet). 3650 * 3651 * XXX - if we were to check for the SNAP DSAP and 3652 * LSAP, as per XXX, and were also to check for an 3653 * organization code of 0x000000 (encapsulated 3654 * Ethernet), we'd do 3655 * 3656 * return gen_snap(0x000000, proto); 3657 * 3658 * here; for now, we don't, as per the above. 3659 * I don't know whether it's worth the extra CPU 3660 * time to do the right check or not. 3661 */ 3662 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3663 } 3664 } 3665 } 3666 3667 static struct block * 3668 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3669 bpf_u_int32 addr; 3670 bpf_u_int32 mask; 3671 int dir, proto; 3672 u_int src_off, dst_off; 3673 { 3674 struct block *b0, *b1; 3675 u_int offset; 3676 3677 switch (dir) { 3678 3679 case Q_SRC: 3680 offset = src_off; 3681 break; 3682 3683 case Q_DST: 3684 offset = dst_off; 3685 break; 3686 3687 case Q_AND: 3688 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3689 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3690 gen_and(b0, b1); 3691 return b1; 3692 3693 case Q_OR: 3694 case Q_DEFAULT: 3695 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3696 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3697 gen_or(b0, b1); 3698 return b1; 3699 3700 default: 3701 abort(); 3702 } 3703 b0 = gen_linktype(proto); 3704 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3705 gen_and(b0, b1); 3706 return b1; 3707 } 3708 3709 #ifdef INET6 3710 static struct block * 3711 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3712 struct in6_addr *addr; 3713 struct in6_addr *mask; 3714 int dir, proto; 3715 u_int src_off, dst_off; 3716 { 3717 struct block *b0, *b1; 3718 u_int offset; 3719 u_int32_t *a, *m; 3720 3721 switch (dir) { 3722 3723 case Q_SRC: 3724 offset = src_off; 3725 break; 3726 3727 case Q_DST: 3728 offset = dst_off; 3729 break; 3730 3731 case Q_AND: 3732 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3733 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3734 gen_and(b0, b1); 3735 return b1; 3736 3737 case Q_OR: 3738 case Q_DEFAULT: 3739 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3740 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3741 gen_or(b0, b1); 3742 return b1; 3743 3744 default: 3745 abort(); 3746 } 3747 /* this order is important */ 3748 a = (u_int32_t *)addr; 3749 m = (u_int32_t *)mask; 3750 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3751 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3752 gen_and(b0, b1); 3753 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3754 gen_and(b0, b1); 3755 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3756 gen_and(b0, b1); 3757 b0 = gen_linktype(proto); 3758 gen_and(b0, b1); 3759 return b1; 3760 } 3761 #endif /*INET6*/ 3762 3763 static struct block * 3764 gen_ehostop(eaddr, dir) 3765 register const u_char *eaddr; 3766 register int dir; 3767 { 3768 register struct block *b0, *b1; 3769 3770 switch (dir) { 3771 case Q_SRC: 3772 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3773 3774 case Q_DST: 3775 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3776 3777 case Q_AND: 3778 b0 = gen_ehostop(eaddr, Q_SRC); 3779 b1 = gen_ehostop(eaddr, Q_DST); 3780 gen_and(b0, b1); 3781 return b1; 3782 3783 case Q_DEFAULT: 3784 case Q_OR: 3785 b0 = gen_ehostop(eaddr, Q_SRC); 3786 b1 = gen_ehostop(eaddr, Q_DST); 3787 gen_or(b0, b1); 3788 return b1; 3789 } 3790 abort(); 3791 /* NOTREACHED */ 3792 } 3793 3794 /* 3795 * Like gen_ehostop, but for DLT_FDDI 3796 */ 3797 static struct block * 3798 gen_fhostop(eaddr, dir) 3799 register const u_char *eaddr; 3800 register int dir; 3801 { 3802 struct block *b0, *b1; 3803 3804 switch (dir) { 3805 case Q_SRC: 3806 #ifdef PCAP_FDDIPAD 3807 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3808 #else 3809 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3810 #endif 3811 3812 case Q_DST: 3813 #ifdef PCAP_FDDIPAD 3814 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3815 #else 3816 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3817 #endif 3818 3819 case Q_AND: 3820 b0 = gen_fhostop(eaddr, Q_SRC); 3821 b1 = gen_fhostop(eaddr, Q_DST); 3822 gen_and(b0, b1); 3823 return b1; 3824 3825 case Q_DEFAULT: 3826 case Q_OR: 3827 b0 = gen_fhostop(eaddr, Q_SRC); 3828 b1 = gen_fhostop(eaddr, Q_DST); 3829 gen_or(b0, b1); 3830 return b1; 3831 } 3832 abort(); 3833 /* NOTREACHED */ 3834 } 3835 3836 /* 3837 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3838 */ 3839 static struct block * 3840 gen_thostop(eaddr, dir) 3841 register const u_char *eaddr; 3842 register int dir; 3843 { 3844 register struct block *b0, *b1; 3845 3846 switch (dir) { 3847 case Q_SRC: 3848 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3849 3850 case Q_DST: 3851 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3852 3853 case Q_AND: 3854 b0 = gen_thostop(eaddr, Q_SRC); 3855 b1 = gen_thostop(eaddr, Q_DST); 3856 gen_and(b0, b1); 3857 return b1; 3858 3859 case Q_DEFAULT: 3860 case Q_OR: 3861 b0 = gen_thostop(eaddr, Q_SRC); 3862 b1 = gen_thostop(eaddr, Q_DST); 3863 gen_or(b0, b1); 3864 return b1; 3865 } 3866 abort(); 3867 /* NOTREACHED */ 3868 } 3869 3870 /* 3871 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3872 * various 802.11 + radio headers. 3873 */ 3874 static struct block * 3875 gen_wlanhostop(eaddr, dir) 3876 register const u_char *eaddr; 3877 register int dir; 3878 { 3879 register struct block *b0, *b1, *b2; 3880 register struct slist *s; 3881 3882 #ifdef ENABLE_WLAN_FILTERING_PATCH 3883 /* 3884 * TODO GV 20070613 3885 * We need to disable the optimizer because the optimizer is buggy 3886 * and wipes out some LD instructions generated by the below 3887 * code to validate the Frame Control bits 3888 */ 3889 no_optimize = 1; 3890 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3891 3892 switch (dir) { 3893 case Q_SRC: 3894 /* 3895 * Oh, yuk. 3896 * 3897 * For control frames, there is no SA. 3898 * 3899 * For management frames, SA is at an 3900 * offset of 10 from the beginning of 3901 * the packet. 3902 * 3903 * For data frames, SA is at an offset 3904 * of 10 from the beginning of the packet 3905 * if From DS is clear, at an offset of 3906 * 16 from the beginning of the packet 3907 * if From DS is set and To DS is clear, 3908 * and an offset of 24 from the beginning 3909 * of the packet if From DS is set and To DS 3910 * is set. 3911 */ 3912 3913 /* 3914 * Generate the tests to be done for data frames 3915 * with From DS set. 3916 * 3917 * First, check for To DS set, i.e. check "link[1] & 0x01". 3918 */ 3919 s = gen_load_a(OR_LINK, 1, BPF_B); 3920 b1 = new_block(JMP(BPF_JSET)); 3921 b1->s.k = 0x01; /* To DS */ 3922 b1->stmts = s; 3923 3924 /* 3925 * If To DS is set, the SA is at 24. 3926 */ 3927 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3928 gen_and(b1, b0); 3929 3930 /* 3931 * Now, check for To DS not set, i.e. check 3932 * "!(link[1] & 0x01)". 3933 */ 3934 s = gen_load_a(OR_LINK, 1, BPF_B); 3935 b2 = new_block(JMP(BPF_JSET)); 3936 b2->s.k = 0x01; /* To DS */ 3937 b2->stmts = s; 3938 gen_not(b2); 3939 3940 /* 3941 * If To DS is not set, the SA is at 16. 3942 */ 3943 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3944 gen_and(b2, b1); 3945 3946 /* 3947 * Now OR together the last two checks. That gives 3948 * the complete set of checks for data frames with 3949 * From DS set. 3950 */ 3951 gen_or(b1, b0); 3952 3953 /* 3954 * Now check for From DS being set, and AND that with 3955 * the ORed-together checks. 3956 */ 3957 s = gen_load_a(OR_LINK, 1, BPF_B); 3958 b1 = new_block(JMP(BPF_JSET)); 3959 b1->s.k = 0x02; /* From DS */ 3960 b1->stmts = s; 3961 gen_and(b1, b0); 3962 3963 /* 3964 * Now check for data frames with From DS not set. 3965 */ 3966 s = gen_load_a(OR_LINK, 1, BPF_B); 3967 b2 = new_block(JMP(BPF_JSET)); 3968 b2->s.k = 0x02; /* From DS */ 3969 b2->stmts = s; 3970 gen_not(b2); 3971 3972 /* 3973 * If From DS isn't set, the SA is at 10. 3974 */ 3975 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3976 gen_and(b2, b1); 3977 3978 /* 3979 * Now OR together the checks for data frames with 3980 * From DS not set and for data frames with From DS 3981 * set; that gives the checks done for data frames. 3982 */ 3983 gen_or(b1, b0); 3984 3985 /* 3986 * Now check for a data frame. 3987 * I.e, check "link[0] & 0x08". 3988 */ 3989 s = gen_load_a(OR_LINK, 0, BPF_B); 3990 b1 = new_block(JMP(BPF_JSET)); 3991 b1->s.k = 0x08; 3992 b1->stmts = s; 3993 3994 /* 3995 * AND that with the checks done for data frames. 3996 */ 3997 gen_and(b1, b0); 3998 3999 /* 4000 * If the high-order bit of the type value is 0, this 4001 * is a management frame. 4002 * I.e, check "!(link[0] & 0x08)". 4003 */ 4004 s = gen_load_a(OR_LINK, 0, BPF_B); 4005 b2 = new_block(JMP(BPF_JSET)); 4006 b2->s.k = 0x08; 4007 b2->stmts = s; 4008 gen_not(b2); 4009 4010 /* 4011 * For management frames, the SA is at 10. 4012 */ 4013 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4014 gen_and(b2, b1); 4015 4016 /* 4017 * OR that with the checks done for data frames. 4018 * That gives the checks done for management and 4019 * data frames. 4020 */ 4021 gen_or(b1, b0); 4022 4023 /* 4024 * If the low-order bit of the type value is 1, 4025 * this is either a control frame or a frame 4026 * with a reserved type, and thus not a 4027 * frame with an SA. 4028 * 4029 * I.e., check "!(link[0] & 0x04)". 4030 */ 4031 s = gen_load_a(OR_LINK, 0, BPF_B); 4032 b1 = new_block(JMP(BPF_JSET)); 4033 b1->s.k = 0x04; 4034 b1->stmts = s; 4035 gen_not(b1); 4036 4037 /* 4038 * AND that with the checks for data and management 4039 * frames. 4040 */ 4041 gen_and(b1, b0); 4042 return b0; 4043 4044 case Q_DST: 4045 /* 4046 * Oh, yuk. 4047 * 4048 * For control frames, there is no DA. 4049 * 4050 * For management frames, DA is at an 4051 * offset of 4 from the beginning of 4052 * the packet. 4053 * 4054 * For data frames, DA is at an offset 4055 * of 4 from the beginning of the packet 4056 * if To DS is clear and at an offset of 4057 * 16 from the beginning of the packet 4058 * if To DS is set. 4059 */ 4060 4061 /* 4062 * Generate the tests to be done for data frames. 4063 * 4064 * First, check for To DS set, i.e. "link[1] & 0x01". 4065 */ 4066 s = gen_load_a(OR_LINK, 1, BPF_B); 4067 b1 = new_block(JMP(BPF_JSET)); 4068 b1->s.k = 0x01; /* To DS */ 4069 b1->stmts = s; 4070 4071 /* 4072 * If To DS is set, the DA is at 16. 4073 */ 4074 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4075 gen_and(b1, b0); 4076 4077 /* 4078 * Now, check for To DS not set, i.e. check 4079 * "!(link[1] & 0x01)". 4080 */ 4081 s = gen_load_a(OR_LINK, 1, BPF_B); 4082 b2 = new_block(JMP(BPF_JSET)); 4083 b2->s.k = 0x01; /* To DS */ 4084 b2->stmts = s; 4085 gen_not(b2); 4086 4087 /* 4088 * If To DS is not set, the DA is at 4. 4089 */ 4090 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4091 gen_and(b2, b1); 4092 4093 /* 4094 * Now OR together the last two checks. That gives 4095 * the complete set of checks for data frames. 4096 */ 4097 gen_or(b1, b0); 4098 4099 /* 4100 * Now check for a data frame. 4101 * I.e, check "link[0] & 0x08". 4102 */ 4103 s = gen_load_a(OR_LINK, 0, BPF_B); 4104 b1 = new_block(JMP(BPF_JSET)); 4105 b1->s.k = 0x08; 4106 b1->stmts = s; 4107 4108 /* 4109 * AND that with the checks done for data frames. 4110 */ 4111 gen_and(b1, b0); 4112 4113 /* 4114 * If the high-order bit of the type value is 0, this 4115 * is a management frame. 4116 * I.e, check "!(link[0] & 0x08)". 4117 */ 4118 s = gen_load_a(OR_LINK, 0, BPF_B); 4119 b2 = new_block(JMP(BPF_JSET)); 4120 b2->s.k = 0x08; 4121 b2->stmts = s; 4122 gen_not(b2); 4123 4124 /* 4125 * For management frames, the DA is at 4. 4126 */ 4127 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4128 gen_and(b2, b1); 4129 4130 /* 4131 * OR that with the checks done for data frames. 4132 * That gives the checks done for management and 4133 * data frames. 4134 */ 4135 gen_or(b1, b0); 4136 4137 /* 4138 * If the low-order bit of the type value is 1, 4139 * this is either a control frame or a frame 4140 * with a reserved type, and thus not a 4141 * frame with an SA. 4142 * 4143 * I.e., check "!(link[0] & 0x04)". 4144 */ 4145 s = gen_load_a(OR_LINK, 0, BPF_B); 4146 b1 = new_block(JMP(BPF_JSET)); 4147 b1->s.k = 0x04; 4148 b1->stmts = s; 4149 gen_not(b1); 4150 4151 /* 4152 * AND that with the checks for data and management 4153 * frames. 4154 */ 4155 gen_and(b1, b0); 4156 return b0; 4157 4158 /* 4159 * XXX - add RA, TA, and BSSID keywords? 4160 */ 4161 case Q_ADDR1: 4162 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4163 4164 case Q_ADDR2: 4165 /* 4166 * Not present in CTS or ACK control frames. 4167 */ 4168 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4169 IEEE80211_FC0_TYPE_MASK); 4170 gen_not(b0); 4171 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4172 IEEE80211_FC0_SUBTYPE_MASK); 4173 gen_not(b1); 4174 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4175 IEEE80211_FC0_SUBTYPE_MASK); 4176 gen_not(b2); 4177 gen_and(b1, b2); 4178 gen_or(b0, b2); 4179 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4180 gen_and(b2, b1); 4181 return b1; 4182 4183 case Q_ADDR3: 4184 /* 4185 * Not present in control frames. 4186 */ 4187 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4188 IEEE80211_FC0_TYPE_MASK); 4189 gen_not(b0); 4190 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4191 gen_and(b0, b1); 4192 return b1; 4193 4194 case Q_ADDR4: 4195 /* 4196 * Present only if the direction mask has both "From DS" 4197 * and "To DS" set. Neither control frames nor management 4198 * frames should have both of those set, so we don't 4199 * check the frame type. 4200 */ 4201 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4202 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4203 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4204 gen_and(b0, b1); 4205 return b1; 4206 4207 case Q_AND: 4208 b0 = gen_wlanhostop(eaddr, Q_SRC); 4209 b1 = gen_wlanhostop(eaddr, Q_DST); 4210 gen_and(b0, b1); 4211 return b1; 4212 4213 case Q_DEFAULT: 4214 case Q_OR: 4215 b0 = gen_wlanhostop(eaddr, Q_SRC); 4216 b1 = gen_wlanhostop(eaddr, Q_DST); 4217 gen_or(b0, b1); 4218 return b1; 4219 } 4220 abort(); 4221 /* NOTREACHED */ 4222 } 4223 4224 /* 4225 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4226 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4227 * as the RFC states.) 4228 */ 4229 static struct block * 4230 gen_ipfchostop(eaddr, dir) 4231 register const u_char *eaddr; 4232 register int dir; 4233 { 4234 register struct block *b0, *b1; 4235 4236 switch (dir) { 4237 case Q_SRC: 4238 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4239 4240 case Q_DST: 4241 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4242 4243 case Q_AND: 4244 b0 = gen_ipfchostop(eaddr, Q_SRC); 4245 b1 = gen_ipfchostop(eaddr, Q_DST); 4246 gen_and(b0, b1); 4247 return b1; 4248 4249 case Q_DEFAULT: 4250 case Q_OR: 4251 b0 = gen_ipfchostop(eaddr, Q_SRC); 4252 b1 = gen_ipfchostop(eaddr, Q_DST); 4253 gen_or(b0, b1); 4254 return b1; 4255 } 4256 abort(); 4257 /* NOTREACHED */ 4258 } 4259 4260 /* 4261 * This is quite tricky because there may be pad bytes in front of the 4262 * DECNET header, and then there are two possible data packet formats that 4263 * carry both src and dst addresses, plus 5 packet types in a format that 4264 * carries only the src node, plus 2 types that use a different format and 4265 * also carry just the src node. 4266 * 4267 * Yuck. 4268 * 4269 * Instead of doing those all right, we just look for data packets with 4270 * 0 or 1 bytes of padding. If you want to look at other packets, that 4271 * will require a lot more hacking. 4272 * 4273 * To add support for filtering on DECNET "areas" (network numbers) 4274 * one would want to add a "mask" argument to this routine. That would 4275 * make the filter even more inefficient, although one could be clever 4276 * and not generate masking instructions if the mask is 0xFFFF. 4277 */ 4278 static struct block * 4279 gen_dnhostop(addr, dir) 4280 bpf_u_int32 addr; 4281 int dir; 4282 { 4283 struct block *b0, *b1, *b2, *tmp; 4284 u_int offset_lh; /* offset if long header is received */ 4285 u_int offset_sh; /* offset if short header is received */ 4286 4287 switch (dir) { 4288 4289 case Q_DST: 4290 offset_sh = 1; /* follows flags */ 4291 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4292 break; 4293 4294 case Q_SRC: 4295 offset_sh = 3; /* follows flags, dstnode */ 4296 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4297 break; 4298 4299 case Q_AND: 4300 /* Inefficient because we do our Calvinball dance twice */ 4301 b0 = gen_dnhostop(addr, Q_SRC); 4302 b1 = gen_dnhostop(addr, Q_DST); 4303 gen_and(b0, b1); 4304 return b1; 4305 4306 case Q_OR: 4307 case Q_DEFAULT: 4308 /* Inefficient because we do our Calvinball dance twice */ 4309 b0 = gen_dnhostop(addr, Q_SRC); 4310 b1 = gen_dnhostop(addr, Q_DST); 4311 gen_or(b0, b1); 4312 return b1; 4313 4314 case Q_ISO: 4315 bpf_error("ISO host filtering not implemented"); 4316 4317 default: 4318 abort(); 4319 } 4320 b0 = gen_linktype(ETHERTYPE_DN); 4321 /* Check for pad = 1, long header case */ 4322 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4323 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4324 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4325 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4326 gen_and(tmp, b1); 4327 /* Check for pad = 0, long header case */ 4328 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4329 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4330 gen_and(tmp, b2); 4331 gen_or(b2, b1); 4332 /* Check for pad = 1, short header case */ 4333 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4334 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4335 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4336 gen_and(tmp, b2); 4337 gen_or(b2, b1); 4338 /* Check for pad = 0, short header case */ 4339 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4340 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4341 gen_and(tmp, b2); 4342 gen_or(b2, b1); 4343 4344 /* Combine with test for linktype */ 4345 gen_and(b0, b1); 4346 return b1; 4347 } 4348 4349 /* 4350 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4351 * test the bottom-of-stack bit, and then check the version number 4352 * field in the IP header. 4353 */ 4354 static struct block * 4355 gen_mpls_linktype(proto) 4356 int proto; 4357 { 4358 struct block *b0, *b1; 4359 4360 switch (proto) { 4361 4362 case Q_IP: 4363 /* match the bottom-of-stack bit */ 4364 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4365 /* match the IPv4 version number */ 4366 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4367 gen_and(b0, b1); 4368 return b1; 4369 4370 case Q_IPV6: 4371 /* match the bottom-of-stack bit */ 4372 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4373 /* match the IPv4 version number */ 4374 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4375 gen_and(b0, b1); 4376 return b1; 4377 4378 default: 4379 abort(); 4380 } 4381 } 4382 4383 static struct block * 4384 gen_host(addr, mask, proto, dir, type) 4385 bpf_u_int32 addr; 4386 bpf_u_int32 mask; 4387 int proto; 4388 int dir; 4389 int type; 4390 { 4391 struct block *b0, *b1; 4392 const char *typestr; 4393 4394 if (type == Q_NET) 4395 typestr = "net"; 4396 else 4397 typestr = "host"; 4398 4399 switch (proto) { 4400 4401 case Q_DEFAULT: 4402 b0 = gen_host(addr, mask, Q_IP, dir, type); 4403 /* 4404 * Only check for non-IPv4 addresses if we're not 4405 * checking MPLS-encapsulated packets. 4406 */ 4407 if (label_stack_depth == 0) { 4408 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4409 gen_or(b0, b1); 4410 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4411 gen_or(b1, b0); 4412 } 4413 return b0; 4414 4415 case Q_IP: 4416 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4417 4418 case Q_RARP: 4419 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4420 4421 case Q_ARP: 4422 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4423 4424 case Q_TCP: 4425 bpf_error("'tcp' modifier applied to %s", typestr); 4426 4427 case Q_SCTP: 4428 bpf_error("'sctp' modifier applied to %s", typestr); 4429 4430 case Q_UDP: 4431 bpf_error("'udp' modifier applied to %s", typestr); 4432 4433 case Q_ICMP: 4434 bpf_error("'icmp' modifier applied to %s", typestr); 4435 4436 case Q_IGMP: 4437 bpf_error("'igmp' modifier applied to %s", typestr); 4438 4439 case Q_IGRP: 4440 bpf_error("'igrp' modifier applied to %s", typestr); 4441 4442 case Q_PIM: 4443 bpf_error("'pim' modifier applied to %s", typestr); 4444 4445 case Q_VRRP: 4446 bpf_error("'vrrp' modifier applied to %s", typestr); 4447 4448 case Q_ATALK: 4449 bpf_error("ATALK host filtering not implemented"); 4450 4451 case Q_AARP: 4452 bpf_error("AARP host filtering not implemented"); 4453 4454 case Q_DECNET: 4455 return gen_dnhostop(addr, dir); 4456 4457 case Q_SCA: 4458 bpf_error("SCA host filtering not implemented"); 4459 4460 case Q_LAT: 4461 bpf_error("LAT host filtering not implemented"); 4462 4463 case Q_MOPDL: 4464 bpf_error("MOPDL host filtering not implemented"); 4465 4466 case Q_MOPRC: 4467 bpf_error("MOPRC host filtering not implemented"); 4468 4469 #ifdef INET6 4470 case Q_IPV6: 4471 bpf_error("'ip6' modifier applied to ip host"); 4472 4473 case Q_ICMPV6: 4474 bpf_error("'icmp6' modifier applied to %s", typestr); 4475 #endif /* INET6 */ 4476 4477 case Q_AH: 4478 bpf_error("'ah' modifier applied to %s", typestr); 4479 4480 case Q_ESP: 4481 bpf_error("'esp' modifier applied to %s", typestr); 4482 4483 case Q_ISO: 4484 bpf_error("ISO host filtering not implemented"); 4485 4486 case Q_ESIS: 4487 bpf_error("'esis' modifier applied to %s", typestr); 4488 4489 case Q_ISIS: 4490 bpf_error("'isis' modifier applied to %s", typestr); 4491 4492 case Q_CLNP: 4493 bpf_error("'clnp' modifier applied to %s", typestr); 4494 4495 case Q_STP: 4496 bpf_error("'stp' modifier applied to %s", typestr); 4497 4498 case Q_IPX: 4499 bpf_error("IPX host filtering not implemented"); 4500 4501 case Q_NETBEUI: 4502 bpf_error("'netbeui' modifier applied to %s", typestr); 4503 4504 case Q_RADIO: 4505 bpf_error("'radio' modifier applied to %s", typestr); 4506 4507 default: 4508 abort(); 4509 } 4510 /* NOTREACHED */ 4511 } 4512 4513 #ifdef INET6 4514 static struct block * 4515 gen_host6(addr, mask, proto, dir, type) 4516 struct in6_addr *addr; 4517 struct in6_addr *mask; 4518 int proto; 4519 int dir; 4520 int type; 4521 { 4522 const char *typestr; 4523 4524 if (type == Q_NET) 4525 typestr = "net"; 4526 else 4527 typestr = "host"; 4528 4529 switch (proto) { 4530 4531 case Q_DEFAULT: 4532 return gen_host6(addr, mask, Q_IPV6, dir, type); 4533 4534 case Q_IP: 4535 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4536 4537 case Q_RARP: 4538 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4539 4540 case Q_ARP: 4541 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4542 4543 case Q_SCTP: 4544 bpf_error("'sctp' modifier applied to %s", typestr); 4545 4546 case Q_TCP: 4547 bpf_error("'tcp' modifier applied to %s", typestr); 4548 4549 case Q_UDP: 4550 bpf_error("'udp' modifier applied to %s", typestr); 4551 4552 case Q_ICMP: 4553 bpf_error("'icmp' modifier applied to %s", typestr); 4554 4555 case Q_IGMP: 4556 bpf_error("'igmp' modifier applied to %s", typestr); 4557 4558 case Q_IGRP: 4559 bpf_error("'igrp' modifier applied to %s", typestr); 4560 4561 case Q_PIM: 4562 bpf_error("'pim' modifier applied to %s", typestr); 4563 4564 case Q_VRRP: 4565 bpf_error("'vrrp' modifier applied to %s", typestr); 4566 4567 case Q_ATALK: 4568 bpf_error("ATALK host filtering not implemented"); 4569 4570 case Q_AARP: 4571 bpf_error("AARP host filtering not implemented"); 4572 4573 case Q_DECNET: 4574 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4575 4576 case Q_SCA: 4577 bpf_error("SCA host filtering not implemented"); 4578 4579 case Q_LAT: 4580 bpf_error("LAT host filtering not implemented"); 4581 4582 case Q_MOPDL: 4583 bpf_error("MOPDL host filtering not implemented"); 4584 4585 case Q_MOPRC: 4586 bpf_error("MOPRC host filtering not implemented"); 4587 4588 case Q_IPV6: 4589 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4590 4591 case Q_ICMPV6: 4592 bpf_error("'icmp6' modifier applied to %s", typestr); 4593 4594 case Q_AH: 4595 bpf_error("'ah' modifier applied to %s", typestr); 4596 4597 case Q_ESP: 4598 bpf_error("'esp' modifier applied to %s", typestr); 4599 4600 case Q_ISO: 4601 bpf_error("ISO host filtering not implemented"); 4602 4603 case Q_ESIS: 4604 bpf_error("'esis' modifier applied to %s", typestr); 4605 4606 case Q_ISIS: 4607 bpf_error("'isis' modifier applied to %s", typestr); 4608 4609 case Q_CLNP: 4610 bpf_error("'clnp' modifier applied to %s", typestr); 4611 4612 case Q_STP: 4613 bpf_error("'stp' modifier applied to %s", typestr); 4614 4615 case Q_IPX: 4616 bpf_error("IPX host filtering not implemented"); 4617 4618 case Q_NETBEUI: 4619 bpf_error("'netbeui' modifier applied to %s", typestr); 4620 4621 case Q_RADIO: 4622 bpf_error("'radio' modifier applied to %s", typestr); 4623 4624 default: 4625 abort(); 4626 } 4627 /* NOTREACHED */ 4628 } 4629 #endif /*INET6*/ 4630 4631 #ifndef INET6 4632 static struct block * 4633 gen_gateway(eaddr, alist, proto, dir) 4634 const u_char *eaddr; 4635 bpf_u_int32 **alist; 4636 int proto; 4637 int dir; 4638 { 4639 struct block *b0, *b1, *tmp; 4640 4641 if (dir != 0) 4642 bpf_error("direction applied to 'gateway'"); 4643 4644 switch (proto) { 4645 case Q_DEFAULT: 4646 case Q_IP: 4647 case Q_ARP: 4648 case Q_RARP: 4649 switch (linktype) { 4650 case DLT_EN10MB: 4651 b0 = gen_ehostop(eaddr, Q_OR); 4652 break; 4653 case DLT_FDDI: 4654 b0 = gen_fhostop(eaddr, Q_OR); 4655 break; 4656 case DLT_IEEE802: 4657 b0 = gen_thostop(eaddr, Q_OR); 4658 break; 4659 case DLT_IEEE802_11: 4660 case DLT_PRISM_HEADER: 4661 case DLT_IEEE802_11_RADIO_AVS: 4662 case DLT_IEEE802_11_RADIO: 4663 case DLT_PPI: 4664 b0 = gen_wlanhostop(eaddr, Q_OR); 4665 break; 4666 case DLT_SUNATM: 4667 if (!is_lane) 4668 bpf_error( 4669 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4670 /* 4671 * Check that the packet doesn't begin with an 4672 * LE Control marker. (We've already generated 4673 * a test for LANE.) 4674 */ 4675 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4676 BPF_H, 0xFF00); 4677 gen_not(b1); 4678 4679 /* 4680 * Now check the MAC address. 4681 */ 4682 b0 = gen_ehostop(eaddr, Q_OR); 4683 gen_and(b1, b0); 4684 break; 4685 case DLT_IP_OVER_FC: 4686 b0 = gen_ipfchostop(eaddr, Q_OR); 4687 break; 4688 default: 4689 bpf_error( 4690 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4691 } 4692 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4693 while (*alist) { 4694 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4695 Q_HOST); 4696 gen_or(b1, tmp); 4697 b1 = tmp; 4698 } 4699 gen_not(b1); 4700 gen_and(b0, b1); 4701 return b1; 4702 } 4703 bpf_error("illegal modifier of 'gateway'"); 4704 /* NOTREACHED */ 4705 } 4706 #endif 4707 4708 struct block * 4709 gen_proto_abbrev(proto) 4710 int proto; 4711 { 4712 struct block *b0; 4713 struct block *b1; 4714 4715 switch (proto) { 4716 4717 case Q_SCTP: 4718 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4719 #ifdef INET6 4720 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4721 gen_or(b0, b1); 4722 #endif 4723 break; 4724 4725 case Q_TCP: 4726 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4727 #ifdef INET6 4728 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4729 gen_or(b0, b1); 4730 #endif 4731 break; 4732 4733 case Q_UDP: 4734 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4735 #ifdef INET6 4736 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4737 gen_or(b0, b1); 4738 #endif 4739 break; 4740 4741 case Q_ICMP: 4742 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4743 break; 4744 4745 #ifndef IPPROTO_IGMP 4746 #define IPPROTO_IGMP 2 4747 #endif 4748 4749 case Q_IGMP: 4750 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4751 break; 4752 4753 #ifndef IPPROTO_IGRP 4754 #define IPPROTO_IGRP 9 4755 #endif 4756 case Q_IGRP: 4757 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4758 break; 4759 4760 #ifndef IPPROTO_PIM 4761 #define IPPROTO_PIM 103 4762 #endif 4763 4764 case Q_PIM: 4765 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4766 #ifdef INET6 4767 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4768 gen_or(b0, b1); 4769 #endif 4770 break; 4771 4772 #ifndef IPPROTO_VRRP 4773 #define IPPROTO_VRRP 112 4774 #endif 4775 4776 case Q_VRRP: 4777 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4778 break; 4779 4780 case Q_IP: 4781 b1 = gen_linktype(ETHERTYPE_IP); 4782 break; 4783 4784 case Q_ARP: 4785 b1 = gen_linktype(ETHERTYPE_ARP); 4786 break; 4787 4788 case Q_RARP: 4789 b1 = gen_linktype(ETHERTYPE_REVARP); 4790 break; 4791 4792 case Q_LINK: 4793 bpf_error("link layer applied in wrong context"); 4794 4795 case Q_ATALK: 4796 b1 = gen_linktype(ETHERTYPE_ATALK); 4797 break; 4798 4799 case Q_AARP: 4800 b1 = gen_linktype(ETHERTYPE_AARP); 4801 break; 4802 4803 case Q_DECNET: 4804 b1 = gen_linktype(ETHERTYPE_DN); 4805 break; 4806 4807 case Q_SCA: 4808 b1 = gen_linktype(ETHERTYPE_SCA); 4809 break; 4810 4811 case Q_LAT: 4812 b1 = gen_linktype(ETHERTYPE_LAT); 4813 break; 4814 4815 case Q_MOPDL: 4816 b1 = gen_linktype(ETHERTYPE_MOPDL); 4817 break; 4818 4819 case Q_MOPRC: 4820 b1 = gen_linktype(ETHERTYPE_MOPRC); 4821 break; 4822 4823 #ifdef INET6 4824 case Q_IPV6: 4825 b1 = gen_linktype(ETHERTYPE_IPV6); 4826 break; 4827 4828 #ifndef IPPROTO_ICMPV6 4829 #define IPPROTO_ICMPV6 58 4830 #endif 4831 case Q_ICMPV6: 4832 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4833 break; 4834 #endif /* INET6 */ 4835 4836 #ifndef IPPROTO_AH 4837 #define IPPROTO_AH 51 4838 #endif 4839 case Q_AH: 4840 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4841 #ifdef INET6 4842 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4843 gen_or(b0, b1); 4844 #endif 4845 break; 4846 4847 #ifndef IPPROTO_ESP 4848 #define IPPROTO_ESP 50 4849 #endif 4850 case Q_ESP: 4851 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4852 #ifdef INET6 4853 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4854 gen_or(b0, b1); 4855 #endif 4856 break; 4857 4858 case Q_ISO: 4859 b1 = gen_linktype(LLCSAP_ISONS); 4860 break; 4861 4862 case Q_ESIS: 4863 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4864 break; 4865 4866 case Q_ISIS: 4867 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4868 break; 4869 4870 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4871 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4872 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4873 gen_or(b0, b1); 4874 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4875 gen_or(b0, b1); 4876 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4877 gen_or(b0, b1); 4878 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4879 gen_or(b0, b1); 4880 break; 4881 4882 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4883 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4884 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4885 gen_or(b0, b1); 4886 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4887 gen_or(b0, b1); 4888 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4889 gen_or(b0, b1); 4890 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4891 gen_or(b0, b1); 4892 break; 4893 4894 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4895 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4896 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4897 gen_or(b0, b1); 4898 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4899 gen_or(b0, b1); 4900 break; 4901 4902 case Q_ISIS_LSP: 4903 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4904 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4905 gen_or(b0, b1); 4906 break; 4907 4908 case Q_ISIS_SNP: 4909 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4910 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4911 gen_or(b0, b1); 4912 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4913 gen_or(b0, b1); 4914 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4915 gen_or(b0, b1); 4916 break; 4917 4918 case Q_ISIS_CSNP: 4919 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4920 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4921 gen_or(b0, b1); 4922 break; 4923 4924 case Q_ISIS_PSNP: 4925 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4926 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4927 gen_or(b0, b1); 4928 break; 4929 4930 case Q_CLNP: 4931 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4932 break; 4933 4934 case Q_STP: 4935 b1 = gen_linktype(LLCSAP_8021D); 4936 break; 4937 4938 case Q_IPX: 4939 b1 = gen_linktype(LLCSAP_IPX); 4940 break; 4941 4942 case Q_NETBEUI: 4943 b1 = gen_linktype(LLCSAP_NETBEUI); 4944 break; 4945 4946 case Q_RADIO: 4947 bpf_error("'radio' is not a valid protocol type"); 4948 4949 default: 4950 abort(); 4951 } 4952 return b1; 4953 } 4954 4955 static struct block * 4956 gen_ipfrag() 4957 { 4958 struct slist *s; 4959 struct block *b; 4960 4961 /* not ip frag */ 4962 s = gen_load_a(OR_NET, 6, BPF_H); 4963 b = new_block(JMP(BPF_JSET)); 4964 b->s.k = 0x1fff; 4965 b->stmts = s; 4966 gen_not(b); 4967 4968 return b; 4969 } 4970 4971 /* 4972 * Generate a comparison to a port value in the transport-layer header 4973 * at the specified offset from the beginning of that header. 4974 * 4975 * XXX - this handles a variable-length prefix preceding the link-layer 4976 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4977 * variable-length link-layer headers (such as Token Ring or 802.11 4978 * headers). 4979 */ 4980 static struct block * 4981 gen_portatom(off, v) 4982 int off; 4983 bpf_int32 v; 4984 { 4985 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4986 } 4987 4988 #ifdef INET6 4989 static struct block * 4990 gen_portatom6(off, v) 4991 int off; 4992 bpf_int32 v; 4993 { 4994 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4995 } 4996 #endif/*INET6*/ 4997 4998 struct block * 4999 gen_portop(port, proto, dir) 5000 int port, proto, dir; 5001 { 5002 struct block *b0, *b1, *tmp; 5003 5004 /* ip proto 'proto' */ 5005 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5006 b0 = gen_ipfrag(); 5007 gen_and(tmp, b0); 5008 5009 switch (dir) { 5010 case Q_SRC: 5011 b1 = gen_portatom(0, (bpf_int32)port); 5012 break; 5013 5014 case Q_DST: 5015 b1 = gen_portatom(2, (bpf_int32)port); 5016 break; 5017 5018 case Q_OR: 5019 case Q_DEFAULT: 5020 tmp = gen_portatom(0, (bpf_int32)port); 5021 b1 = gen_portatom(2, (bpf_int32)port); 5022 gen_or(tmp, b1); 5023 break; 5024 5025 case Q_AND: 5026 tmp = gen_portatom(0, (bpf_int32)port); 5027 b1 = gen_portatom(2, (bpf_int32)port); 5028 gen_and(tmp, b1); 5029 break; 5030 5031 default: 5032 abort(); 5033 } 5034 gen_and(b0, b1); 5035 5036 return b1; 5037 } 5038 5039 static struct block * 5040 gen_port(port, ip_proto, dir) 5041 int port; 5042 int ip_proto; 5043 int dir; 5044 { 5045 struct block *b0, *b1, *tmp; 5046 5047 /* 5048 * ether proto ip 5049 * 5050 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5051 * not LLC encapsulation with LLCSAP_IP. 5052 * 5053 * For IEEE 802 networks - which includes 802.5 token ring 5054 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5055 * says that SNAP encapsulation is used, not LLC encapsulation 5056 * with LLCSAP_IP. 5057 * 5058 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5059 * RFC 2225 say that SNAP encapsulation is used, not LLC 5060 * encapsulation with LLCSAP_IP. 5061 * 5062 * So we always check for ETHERTYPE_IP. 5063 */ 5064 b0 = gen_linktype(ETHERTYPE_IP); 5065 5066 switch (ip_proto) { 5067 case IPPROTO_UDP: 5068 case IPPROTO_TCP: 5069 case IPPROTO_SCTP: 5070 b1 = gen_portop(port, ip_proto, dir); 5071 break; 5072 5073 case PROTO_UNDEF: 5074 tmp = gen_portop(port, IPPROTO_TCP, dir); 5075 b1 = gen_portop(port, IPPROTO_UDP, dir); 5076 gen_or(tmp, b1); 5077 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5078 gen_or(tmp, b1); 5079 break; 5080 5081 default: 5082 abort(); 5083 } 5084 gen_and(b0, b1); 5085 return b1; 5086 } 5087 5088 #ifdef INET6 5089 struct block * 5090 gen_portop6(port, proto, dir) 5091 int port, proto, dir; 5092 { 5093 struct block *b0, *b1, *tmp; 5094 5095 /* ip6 proto 'proto' */ 5096 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5097 5098 switch (dir) { 5099 case Q_SRC: 5100 b1 = gen_portatom6(0, (bpf_int32)port); 5101 break; 5102 5103 case Q_DST: 5104 b1 = gen_portatom6(2, (bpf_int32)port); 5105 break; 5106 5107 case Q_OR: 5108 case Q_DEFAULT: 5109 tmp = gen_portatom6(0, (bpf_int32)port); 5110 b1 = gen_portatom6(2, (bpf_int32)port); 5111 gen_or(tmp, b1); 5112 break; 5113 5114 case Q_AND: 5115 tmp = gen_portatom6(0, (bpf_int32)port); 5116 b1 = gen_portatom6(2, (bpf_int32)port); 5117 gen_and(tmp, b1); 5118 break; 5119 5120 default: 5121 abort(); 5122 } 5123 gen_and(b0, b1); 5124 5125 return b1; 5126 } 5127 5128 static struct block * 5129 gen_port6(port, ip_proto, dir) 5130 int port; 5131 int ip_proto; 5132 int dir; 5133 { 5134 struct block *b0, *b1, *tmp; 5135 5136 /* link proto ip6 */ 5137 b0 = gen_linktype(ETHERTYPE_IPV6); 5138 5139 switch (ip_proto) { 5140 case IPPROTO_UDP: 5141 case IPPROTO_TCP: 5142 case IPPROTO_SCTP: 5143 b1 = gen_portop6(port, ip_proto, dir); 5144 break; 5145 5146 case PROTO_UNDEF: 5147 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5148 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5149 gen_or(tmp, b1); 5150 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5151 gen_or(tmp, b1); 5152 break; 5153 5154 default: 5155 abort(); 5156 } 5157 gen_and(b0, b1); 5158 return b1; 5159 } 5160 #endif /* INET6 */ 5161 5162 /* gen_portrange code */ 5163 static struct block * 5164 gen_portrangeatom(off, v1, v2) 5165 int off; 5166 bpf_int32 v1, v2; 5167 { 5168 struct block *b1, *b2; 5169 5170 if (v1 > v2) { 5171 /* 5172 * Reverse the order of the ports, so v1 is the lower one. 5173 */ 5174 bpf_int32 vtemp; 5175 5176 vtemp = v1; 5177 v1 = v2; 5178 v2 = vtemp; 5179 } 5180 5181 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5182 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5183 5184 gen_and(b1, b2); 5185 5186 return b2; 5187 } 5188 5189 struct block * 5190 gen_portrangeop(port1, port2, proto, dir) 5191 int port1, port2; 5192 int proto; 5193 int dir; 5194 { 5195 struct block *b0, *b1, *tmp; 5196 5197 /* ip proto 'proto' */ 5198 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5199 b0 = gen_ipfrag(); 5200 gen_and(tmp, b0); 5201 5202 switch (dir) { 5203 case Q_SRC: 5204 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5205 break; 5206 5207 case Q_DST: 5208 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5209 break; 5210 5211 case Q_OR: 5212 case Q_DEFAULT: 5213 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5214 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5215 gen_or(tmp, b1); 5216 break; 5217 5218 case Q_AND: 5219 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5220 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5221 gen_and(tmp, b1); 5222 break; 5223 5224 default: 5225 abort(); 5226 } 5227 gen_and(b0, b1); 5228 5229 return b1; 5230 } 5231 5232 static struct block * 5233 gen_portrange(port1, port2, ip_proto, dir) 5234 int port1, port2; 5235 int ip_proto; 5236 int dir; 5237 { 5238 struct block *b0, *b1, *tmp; 5239 5240 /* link proto ip */ 5241 b0 = gen_linktype(ETHERTYPE_IP); 5242 5243 switch (ip_proto) { 5244 case IPPROTO_UDP: 5245 case IPPROTO_TCP: 5246 case IPPROTO_SCTP: 5247 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5248 break; 5249 5250 case PROTO_UNDEF: 5251 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5252 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5253 gen_or(tmp, b1); 5254 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5255 gen_or(tmp, b1); 5256 break; 5257 5258 default: 5259 abort(); 5260 } 5261 gen_and(b0, b1); 5262 return b1; 5263 } 5264 5265 #ifdef INET6 5266 static struct block * 5267 gen_portrangeatom6(off, v1, v2) 5268 int off; 5269 bpf_int32 v1, v2; 5270 { 5271 struct block *b1, *b2; 5272 5273 if (v1 > v2) { 5274 /* 5275 * Reverse the order of the ports, so v1 is the lower one. 5276 */ 5277 bpf_int32 vtemp; 5278 5279 vtemp = v1; 5280 v1 = v2; 5281 v2 = vtemp; 5282 } 5283 5284 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5285 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5286 5287 gen_and(b1, b2); 5288 5289 return b2; 5290 } 5291 5292 struct block * 5293 gen_portrangeop6(port1, port2, proto, dir) 5294 int port1, port2; 5295 int proto; 5296 int dir; 5297 { 5298 struct block *b0, *b1, *tmp; 5299 5300 /* ip6 proto 'proto' */ 5301 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5302 5303 switch (dir) { 5304 case Q_SRC: 5305 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5306 break; 5307 5308 case Q_DST: 5309 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5310 break; 5311 5312 case Q_OR: 5313 case Q_DEFAULT: 5314 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5315 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5316 gen_or(tmp, b1); 5317 break; 5318 5319 case Q_AND: 5320 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5321 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5322 gen_and(tmp, b1); 5323 break; 5324 5325 default: 5326 abort(); 5327 } 5328 gen_and(b0, b1); 5329 5330 return b1; 5331 } 5332 5333 static struct block * 5334 gen_portrange6(port1, port2, ip_proto, dir) 5335 int port1, port2; 5336 int ip_proto; 5337 int dir; 5338 { 5339 struct block *b0, *b1, *tmp; 5340 5341 /* link proto ip6 */ 5342 b0 = gen_linktype(ETHERTYPE_IPV6); 5343 5344 switch (ip_proto) { 5345 case IPPROTO_UDP: 5346 case IPPROTO_TCP: 5347 case IPPROTO_SCTP: 5348 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5349 break; 5350 5351 case PROTO_UNDEF: 5352 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5353 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5354 gen_or(tmp, b1); 5355 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5356 gen_or(tmp, b1); 5357 break; 5358 5359 default: 5360 abort(); 5361 } 5362 gen_and(b0, b1); 5363 return b1; 5364 } 5365 #endif /* INET6 */ 5366 5367 static int 5368 lookup_proto(name, proto) 5369 register const char *name; 5370 register int proto; 5371 { 5372 register int v; 5373 5374 switch (proto) { 5375 5376 case Q_DEFAULT: 5377 case Q_IP: 5378 case Q_IPV6: 5379 v = pcap_nametoproto(name); 5380 if (v == PROTO_UNDEF) 5381 bpf_error("unknown ip proto '%s'", name); 5382 break; 5383 5384 case Q_LINK: 5385 /* XXX should look up h/w protocol type based on linktype */ 5386 v = pcap_nametoeproto(name); 5387 if (v == PROTO_UNDEF) { 5388 v = pcap_nametollc(name); 5389 if (v == PROTO_UNDEF) 5390 bpf_error("unknown ether proto '%s'", name); 5391 } 5392 break; 5393 5394 case Q_ISO: 5395 if (strcmp(name, "esis") == 0) 5396 v = ISO9542_ESIS; 5397 else if (strcmp(name, "isis") == 0) 5398 v = ISO10589_ISIS; 5399 else if (strcmp(name, "clnp") == 0) 5400 v = ISO8473_CLNP; 5401 else 5402 bpf_error("unknown osi proto '%s'", name); 5403 break; 5404 5405 default: 5406 v = PROTO_UNDEF; 5407 break; 5408 } 5409 return v; 5410 } 5411 5412 #if 0 5413 struct stmt * 5414 gen_joinsp(s, n) 5415 struct stmt **s; 5416 int n; 5417 { 5418 return NULL; 5419 } 5420 #endif 5421 5422 static struct block * 5423 gen_protochain(v, proto, dir) 5424 int v; 5425 int proto; 5426 int dir; 5427 { 5428 #ifdef NO_PROTOCHAIN 5429 return gen_proto(v, proto, dir); 5430 #else 5431 struct block *b0, *b; 5432 struct slist *s[100]; 5433 int fix2, fix3, fix4, fix5; 5434 int ahcheck, again, end; 5435 int i, max; 5436 int reg2 = alloc_reg(); 5437 5438 memset(s, 0, sizeof(s)); 5439 fix2 = fix3 = fix4 = fix5 = 0; 5440 5441 switch (proto) { 5442 case Q_IP: 5443 case Q_IPV6: 5444 break; 5445 case Q_DEFAULT: 5446 b0 = gen_protochain(v, Q_IP, dir); 5447 b = gen_protochain(v, Q_IPV6, dir); 5448 gen_or(b0, b); 5449 return b; 5450 default: 5451 bpf_error("bad protocol applied for 'protochain'"); 5452 /*NOTREACHED*/ 5453 } 5454 5455 /* 5456 * We don't handle variable-length prefixes before the link-layer 5457 * header, or variable-length link-layer headers, here yet. 5458 * We might want to add BPF instructions to do the protochain 5459 * work, to simplify that and, on platforms that have a BPF 5460 * interpreter with the new instructions, let the filtering 5461 * be done in the kernel. (We already require a modified BPF 5462 * engine to do the protochain stuff, to support backward 5463 * branches, and backward branch support is unlikely to appear 5464 * in kernel BPF engines.) 5465 */ 5466 switch (linktype) { 5467 5468 case DLT_IEEE802_11: 5469 case DLT_PRISM_HEADER: 5470 case DLT_IEEE802_11_RADIO_AVS: 5471 case DLT_IEEE802_11_RADIO: 5472 case DLT_PPI: 5473 bpf_error("'protochain' not supported with 802.11"); 5474 } 5475 5476 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5477 5478 /* 5479 * s[0] is a dummy entry to protect other BPF insn from damage 5480 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5481 * hard to find interdependency made by jump table fixup. 5482 */ 5483 i = 0; 5484 s[i] = new_stmt(0); /*dummy*/ 5485 i++; 5486 5487 switch (proto) { 5488 case Q_IP: 5489 b0 = gen_linktype(ETHERTYPE_IP); 5490 5491 /* A = ip->ip_p */ 5492 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5493 s[i]->s.k = off_macpl + off_nl + 9; 5494 i++; 5495 /* X = ip->ip_hl << 2 */ 5496 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5497 s[i]->s.k = off_macpl + off_nl; 5498 i++; 5499 break; 5500 #ifdef INET6 5501 case Q_IPV6: 5502 b0 = gen_linktype(ETHERTYPE_IPV6); 5503 5504 /* A = ip6->ip_nxt */ 5505 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5506 s[i]->s.k = off_macpl + off_nl + 6; 5507 i++; 5508 /* X = sizeof(struct ip6_hdr) */ 5509 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5510 s[i]->s.k = 40; 5511 i++; 5512 break; 5513 #endif 5514 default: 5515 bpf_error("unsupported proto to gen_protochain"); 5516 /*NOTREACHED*/ 5517 } 5518 5519 /* again: if (A == v) goto end; else fall through; */ 5520 again = i; 5521 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5522 s[i]->s.k = v; 5523 s[i]->s.jt = NULL; /*later*/ 5524 s[i]->s.jf = NULL; /*update in next stmt*/ 5525 fix5 = i; 5526 i++; 5527 5528 #ifndef IPPROTO_NONE 5529 #define IPPROTO_NONE 59 5530 #endif 5531 /* if (A == IPPROTO_NONE) goto end */ 5532 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5533 s[i]->s.jt = NULL; /*later*/ 5534 s[i]->s.jf = NULL; /*update in next stmt*/ 5535 s[i]->s.k = IPPROTO_NONE; 5536 s[fix5]->s.jf = s[i]; 5537 fix2 = i; 5538 i++; 5539 5540 #ifdef INET6 5541 if (proto == Q_IPV6) { 5542 int v6start, v6end, v6advance, j; 5543 5544 v6start = i; 5545 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5546 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5547 s[i]->s.jt = NULL; /*later*/ 5548 s[i]->s.jf = NULL; /*update in next stmt*/ 5549 s[i]->s.k = IPPROTO_HOPOPTS; 5550 s[fix2]->s.jf = s[i]; 5551 i++; 5552 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5553 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5554 s[i]->s.jt = NULL; /*later*/ 5555 s[i]->s.jf = NULL; /*update in next stmt*/ 5556 s[i]->s.k = IPPROTO_DSTOPTS; 5557 i++; 5558 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5559 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5560 s[i]->s.jt = NULL; /*later*/ 5561 s[i]->s.jf = NULL; /*update in next stmt*/ 5562 s[i]->s.k = IPPROTO_ROUTING; 5563 i++; 5564 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5565 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5566 s[i]->s.jt = NULL; /*later*/ 5567 s[i]->s.jf = NULL; /*later*/ 5568 s[i]->s.k = IPPROTO_FRAGMENT; 5569 fix3 = i; 5570 v6end = i; 5571 i++; 5572 5573 /* v6advance: */ 5574 v6advance = i; 5575 5576 /* 5577 * in short, 5578 * A = P[X]; 5579 * X = X + (P[X + 1] + 1) * 8; 5580 */ 5581 /* A = X */ 5582 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5583 i++; 5584 /* A = P[X + packet head] */ 5585 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5586 s[i]->s.k = off_macpl + off_nl; 5587 i++; 5588 /* MEM[reg2] = A */ 5589 s[i] = new_stmt(BPF_ST); 5590 s[i]->s.k = reg2; 5591 i++; 5592 /* A = X */ 5593 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5594 i++; 5595 /* A += 1 */ 5596 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5597 s[i]->s.k = 1; 5598 i++; 5599 /* X = A */ 5600 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5601 i++; 5602 /* A = P[X + packet head]; */ 5603 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5604 s[i]->s.k = off_macpl + off_nl; 5605 i++; 5606 /* A += 1 */ 5607 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5608 s[i]->s.k = 1; 5609 i++; 5610 /* A *= 8 */ 5611 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5612 s[i]->s.k = 8; 5613 i++; 5614 /* X = A; */ 5615 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5616 i++; 5617 /* A = MEM[reg2] */ 5618 s[i] = new_stmt(BPF_LD|BPF_MEM); 5619 s[i]->s.k = reg2; 5620 i++; 5621 5622 /* goto again; (must use BPF_JA for backward jump) */ 5623 s[i] = new_stmt(BPF_JMP|BPF_JA); 5624 s[i]->s.k = again - i - 1; 5625 s[i - 1]->s.jf = s[i]; 5626 i++; 5627 5628 /* fixup */ 5629 for (j = v6start; j <= v6end; j++) 5630 s[j]->s.jt = s[v6advance]; 5631 } else 5632 #endif 5633 { 5634 /* nop */ 5635 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5636 s[i]->s.k = 0; 5637 s[fix2]->s.jf = s[i]; 5638 i++; 5639 } 5640 5641 /* ahcheck: */ 5642 ahcheck = i; 5643 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5644 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5645 s[i]->s.jt = NULL; /*later*/ 5646 s[i]->s.jf = NULL; /*later*/ 5647 s[i]->s.k = IPPROTO_AH; 5648 if (fix3) 5649 s[fix3]->s.jf = s[ahcheck]; 5650 fix4 = i; 5651 i++; 5652 5653 /* 5654 * in short, 5655 * A = P[X]; 5656 * X = X + (P[X + 1] + 2) * 4; 5657 */ 5658 /* A = X */ 5659 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5660 i++; 5661 /* A = P[X + packet head]; */ 5662 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5663 s[i]->s.k = off_macpl + off_nl; 5664 i++; 5665 /* MEM[reg2] = A */ 5666 s[i] = new_stmt(BPF_ST); 5667 s[i]->s.k = reg2; 5668 i++; 5669 /* A = X */ 5670 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5671 i++; 5672 /* A += 1 */ 5673 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5674 s[i]->s.k = 1; 5675 i++; 5676 /* X = A */ 5677 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5678 i++; 5679 /* A = P[X + packet head] */ 5680 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5681 s[i]->s.k = off_macpl + off_nl; 5682 i++; 5683 /* A += 2 */ 5684 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5685 s[i]->s.k = 2; 5686 i++; 5687 /* A *= 4 */ 5688 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5689 s[i]->s.k = 4; 5690 i++; 5691 /* X = A; */ 5692 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5693 i++; 5694 /* A = MEM[reg2] */ 5695 s[i] = new_stmt(BPF_LD|BPF_MEM); 5696 s[i]->s.k = reg2; 5697 i++; 5698 5699 /* goto again; (must use BPF_JA for backward jump) */ 5700 s[i] = new_stmt(BPF_JMP|BPF_JA); 5701 s[i]->s.k = again - i - 1; 5702 i++; 5703 5704 /* end: nop */ 5705 end = i; 5706 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5707 s[i]->s.k = 0; 5708 s[fix2]->s.jt = s[end]; 5709 s[fix4]->s.jf = s[end]; 5710 s[fix5]->s.jt = s[end]; 5711 i++; 5712 5713 /* 5714 * make slist chain 5715 */ 5716 max = i; 5717 for (i = 0; i < max - 1; i++) 5718 s[i]->next = s[i + 1]; 5719 s[max - 1]->next = NULL; 5720 5721 /* 5722 * emit final check 5723 */ 5724 b = new_block(JMP(BPF_JEQ)); 5725 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5726 b->s.k = v; 5727 5728 free_reg(reg2); 5729 5730 gen_and(b0, b); 5731 return b; 5732 #endif 5733 } 5734 5735 static struct block * 5736 gen_check_802_11_data_frame() 5737 { 5738 struct slist *s; 5739 struct block *b0, *b1; 5740 5741 /* 5742 * A data frame has the 0x08 bit (b3) in the frame control field set 5743 * and the 0x04 bit (b2) clear. 5744 */ 5745 s = gen_load_a(OR_LINK, 0, BPF_B); 5746 b0 = new_block(JMP(BPF_JSET)); 5747 b0->s.k = 0x08; 5748 b0->stmts = s; 5749 5750 s = gen_load_a(OR_LINK, 0, BPF_B); 5751 b1 = new_block(JMP(BPF_JSET)); 5752 b1->s.k = 0x04; 5753 b1->stmts = s; 5754 gen_not(b1); 5755 5756 gen_and(b1, b0); 5757 5758 return b0; 5759 } 5760 5761 /* 5762 * Generate code that checks whether the packet is a packet for protocol 5763 * <proto> and whether the type field in that protocol's header has 5764 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5765 * IP packet and checks the protocol number in the IP header against <v>. 5766 * 5767 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5768 * against Q_IP and Q_IPV6. 5769 */ 5770 static struct block * 5771 gen_proto(v, proto, dir) 5772 int v; 5773 int proto; 5774 int dir; 5775 { 5776 struct block *b0, *b1; 5777 5778 if (dir != Q_DEFAULT) 5779 bpf_error("direction applied to 'proto'"); 5780 5781 switch (proto) { 5782 case Q_DEFAULT: 5783 #ifdef INET6 5784 b0 = gen_proto(v, Q_IP, dir); 5785 b1 = gen_proto(v, Q_IPV6, dir); 5786 gen_or(b0, b1); 5787 return b1; 5788 #else 5789 /*FALLTHROUGH*/ 5790 #endif 5791 case Q_IP: 5792 /* 5793 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5794 * not LLC encapsulation with LLCSAP_IP. 5795 * 5796 * For IEEE 802 networks - which includes 802.5 token ring 5797 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5798 * says that SNAP encapsulation is used, not LLC encapsulation 5799 * with LLCSAP_IP. 5800 * 5801 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5802 * RFC 2225 say that SNAP encapsulation is used, not LLC 5803 * encapsulation with LLCSAP_IP. 5804 * 5805 * So we always check for ETHERTYPE_IP. 5806 */ 5807 b0 = gen_linktype(ETHERTYPE_IP); 5808 #ifndef CHASE_CHAIN 5809 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5810 #else 5811 b1 = gen_protochain(v, Q_IP); 5812 #endif 5813 gen_and(b0, b1); 5814 return b1; 5815 5816 case Q_ISO: 5817 switch (linktype) { 5818 5819 case DLT_FRELAY: 5820 /* 5821 * Frame Relay packets typically have an OSI 5822 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5823 * generates code to check for all the OSI 5824 * NLPIDs, so calling it and then adding a check 5825 * for the particular NLPID for which we're 5826 * looking is bogus, as we can just check for 5827 * the NLPID. 5828 * 5829 * What we check for is the NLPID and a frame 5830 * control field value of UI, i.e. 0x03 followed 5831 * by the NLPID. 5832 * 5833 * XXX - assumes a 2-byte Frame Relay header with 5834 * DLCI and flags. What if the address is longer? 5835 * 5836 * XXX - what about SNAP-encapsulated frames? 5837 */ 5838 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5839 /*NOTREACHED*/ 5840 break; 5841 5842 case DLT_C_HDLC: 5843 /* 5844 * Cisco uses an Ethertype lookalike - for OSI, 5845 * it's 0xfefe. 5846 */ 5847 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5848 /* OSI in C-HDLC is stuffed with a fudge byte */ 5849 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5850 gen_and(b0, b1); 5851 return b1; 5852 5853 default: 5854 b0 = gen_linktype(LLCSAP_ISONS); 5855 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5856 gen_and(b0, b1); 5857 return b1; 5858 } 5859 5860 case Q_ISIS: 5861 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5862 /* 5863 * 4 is the offset of the PDU type relative to the IS-IS 5864 * header. 5865 */ 5866 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5867 gen_and(b0, b1); 5868 return b1; 5869 5870 case Q_ARP: 5871 bpf_error("arp does not encapsulate another protocol"); 5872 /* NOTREACHED */ 5873 5874 case Q_RARP: 5875 bpf_error("rarp does not encapsulate another protocol"); 5876 /* NOTREACHED */ 5877 5878 case Q_ATALK: 5879 bpf_error("atalk encapsulation is not specifiable"); 5880 /* NOTREACHED */ 5881 5882 case Q_DECNET: 5883 bpf_error("decnet encapsulation is not specifiable"); 5884 /* NOTREACHED */ 5885 5886 case Q_SCA: 5887 bpf_error("sca does not encapsulate another protocol"); 5888 /* NOTREACHED */ 5889 5890 case Q_LAT: 5891 bpf_error("lat does not encapsulate another protocol"); 5892 /* NOTREACHED */ 5893 5894 case Q_MOPRC: 5895 bpf_error("moprc does not encapsulate another protocol"); 5896 /* NOTREACHED */ 5897 5898 case Q_MOPDL: 5899 bpf_error("mopdl does not encapsulate another protocol"); 5900 /* NOTREACHED */ 5901 5902 case Q_LINK: 5903 return gen_linktype(v); 5904 5905 case Q_UDP: 5906 bpf_error("'udp proto' is bogus"); 5907 /* NOTREACHED */ 5908 5909 case Q_TCP: 5910 bpf_error("'tcp proto' is bogus"); 5911 /* NOTREACHED */ 5912 5913 case Q_SCTP: 5914 bpf_error("'sctp proto' is bogus"); 5915 /* NOTREACHED */ 5916 5917 case Q_ICMP: 5918 bpf_error("'icmp proto' is bogus"); 5919 /* NOTREACHED */ 5920 5921 case Q_IGMP: 5922 bpf_error("'igmp proto' is bogus"); 5923 /* NOTREACHED */ 5924 5925 case Q_IGRP: 5926 bpf_error("'igrp proto' is bogus"); 5927 /* NOTREACHED */ 5928 5929 case Q_PIM: 5930 bpf_error("'pim proto' is bogus"); 5931 /* NOTREACHED */ 5932 5933 case Q_VRRP: 5934 bpf_error("'vrrp proto' is bogus"); 5935 /* NOTREACHED */ 5936 5937 #ifdef INET6 5938 case Q_IPV6: 5939 b0 = gen_linktype(ETHERTYPE_IPV6); 5940 #ifndef CHASE_CHAIN 5941 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5942 #else 5943 b1 = gen_protochain(v, Q_IPV6); 5944 #endif 5945 gen_and(b0, b1); 5946 return b1; 5947 5948 case Q_ICMPV6: 5949 bpf_error("'icmp6 proto' is bogus"); 5950 #endif /* INET6 */ 5951 5952 case Q_AH: 5953 bpf_error("'ah proto' is bogus"); 5954 5955 case Q_ESP: 5956 bpf_error("'ah proto' is bogus"); 5957 5958 case Q_STP: 5959 bpf_error("'stp proto' is bogus"); 5960 5961 case Q_IPX: 5962 bpf_error("'ipx proto' is bogus"); 5963 5964 case Q_NETBEUI: 5965 bpf_error("'netbeui proto' is bogus"); 5966 5967 case Q_RADIO: 5968 bpf_error("'radio proto' is bogus"); 5969 5970 default: 5971 abort(); 5972 /* NOTREACHED */ 5973 } 5974 /* NOTREACHED */ 5975 } 5976 5977 struct block * 5978 gen_scode(name, q) 5979 register const char *name; 5980 struct qual q; 5981 { 5982 int proto = q.proto; 5983 int dir = q.dir; 5984 int tproto; 5985 u_char *eaddr; 5986 bpf_u_int32 mask, addr; 5987 #ifndef INET6 5988 bpf_u_int32 **alist; 5989 #else 5990 int tproto6; 5991 struct sockaddr_in *sin4; 5992 struct sockaddr_in6 *sin6; 5993 struct addrinfo *res, *res0; 5994 struct in6_addr mask128; 5995 #endif /*INET6*/ 5996 struct block *b, *tmp; 5997 int port, real_proto; 5998 int port1, port2; 5999 6000 switch (q.addr) { 6001 6002 case Q_NET: 6003 addr = pcap_nametonetaddr(name); 6004 if (addr == 0) 6005 bpf_error("unknown network '%s'", name); 6006 /* Left justify network addr and calculate its network mask */ 6007 mask = 0xffffffff; 6008 while (addr && (addr & 0xff000000) == 0) { 6009 addr <<= 8; 6010 mask <<= 8; 6011 } 6012 return gen_host(addr, mask, proto, dir, q.addr); 6013 6014 case Q_DEFAULT: 6015 case Q_HOST: 6016 if (proto == Q_LINK) { 6017 switch (linktype) { 6018 6019 case DLT_EN10MB: 6020 eaddr = pcap_ether_hostton(name); 6021 if (eaddr == NULL) 6022 bpf_error( 6023 "unknown ether host '%s'", name); 6024 b = gen_ehostop(eaddr, dir); 6025 free(eaddr); 6026 return b; 6027 6028 case DLT_FDDI: 6029 eaddr = pcap_ether_hostton(name); 6030 if (eaddr == NULL) 6031 bpf_error( 6032 "unknown FDDI host '%s'", name); 6033 b = gen_fhostop(eaddr, dir); 6034 free(eaddr); 6035 return b; 6036 6037 case DLT_IEEE802: 6038 eaddr = pcap_ether_hostton(name); 6039 if (eaddr == NULL) 6040 bpf_error( 6041 "unknown token ring host '%s'", name); 6042 b = gen_thostop(eaddr, dir); 6043 free(eaddr); 6044 return b; 6045 6046 case DLT_IEEE802_11: 6047 case DLT_PRISM_HEADER: 6048 case DLT_IEEE802_11_RADIO_AVS: 6049 case DLT_IEEE802_11_RADIO: 6050 case DLT_PPI: 6051 eaddr = pcap_ether_hostton(name); 6052 if (eaddr == NULL) 6053 bpf_error( 6054 "unknown 802.11 host '%s'", name); 6055 b = gen_wlanhostop(eaddr, dir); 6056 free(eaddr); 6057 return b; 6058 6059 case DLT_IP_OVER_FC: 6060 eaddr = pcap_ether_hostton(name); 6061 if (eaddr == NULL) 6062 bpf_error( 6063 "unknown Fibre Channel host '%s'", name); 6064 b = gen_ipfchostop(eaddr, dir); 6065 free(eaddr); 6066 return b; 6067 6068 case DLT_SUNATM: 6069 if (!is_lane) 6070 break; 6071 6072 /* 6073 * Check that the packet doesn't begin 6074 * with an LE Control marker. (We've 6075 * already generated a test for LANE.) 6076 */ 6077 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6078 BPF_H, 0xFF00); 6079 gen_not(tmp); 6080 6081 eaddr = pcap_ether_hostton(name); 6082 if (eaddr == NULL) 6083 bpf_error( 6084 "unknown ether host '%s'", name); 6085 b = gen_ehostop(eaddr, dir); 6086 gen_and(tmp, b); 6087 free(eaddr); 6088 return b; 6089 } 6090 6091 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6092 } else if (proto == Q_DECNET) { 6093 unsigned short dn_addr = __pcap_nametodnaddr(name); 6094 /* 6095 * I don't think DECNET hosts can be multihomed, so 6096 * there is no need to build up a list of addresses 6097 */ 6098 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6099 } else { 6100 #ifndef INET6 6101 alist = pcap_nametoaddr(name); 6102 if (alist == NULL || *alist == NULL) 6103 bpf_error("unknown host '%s'", name); 6104 tproto = proto; 6105 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6106 tproto = Q_IP; 6107 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6108 while (*alist) { 6109 tmp = gen_host(**alist++, 0xffffffff, 6110 tproto, dir, q.addr); 6111 gen_or(b, tmp); 6112 b = tmp; 6113 } 6114 return b; 6115 #else 6116 memset(&mask128, 0xff, sizeof(mask128)); 6117 res0 = res = pcap_nametoaddrinfo(name); 6118 if (res == NULL) 6119 bpf_error("unknown host '%s'", name); 6120 ai = res; 6121 b = tmp = NULL; 6122 tproto = tproto6 = proto; 6123 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) { 6124 tproto = Q_IP; 6125 tproto6 = Q_IPV6; 6126 } 6127 for (res = res0; res; res = res->ai_next) { 6128 switch (res->ai_family) { 6129 case AF_INET: 6130 if (tproto == Q_IPV6) 6131 continue; 6132 6133 sin4 = (struct sockaddr_in *) 6134 res->ai_addr; 6135 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6136 0xffffffff, tproto, dir, q.addr); 6137 break; 6138 case AF_INET6: 6139 if (tproto6 == Q_IP) 6140 continue; 6141 6142 sin6 = (struct sockaddr_in6 *) 6143 res->ai_addr; 6144 tmp = gen_host6(&sin6->sin6_addr, 6145 &mask128, tproto6, dir, q.addr); 6146 break; 6147 default: 6148 continue; 6149 } 6150 if (b) 6151 gen_or(b, tmp); 6152 b = tmp; 6153 } 6154 ai = NULL; 6155 freeaddrinfo(res0); 6156 if (b == NULL) { 6157 bpf_error("unknown host '%s'%s", name, 6158 (proto == Q_DEFAULT) 6159 ? "" 6160 : " for specified address family"); 6161 } 6162 return b; 6163 #endif /*INET6*/ 6164 } 6165 6166 case Q_PORT: 6167 if (proto != Q_DEFAULT && 6168 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6169 bpf_error("illegal qualifier of 'port'"); 6170 if (pcap_nametoport(name, &port, &real_proto) == 0) 6171 bpf_error("unknown port '%s'", name); 6172 if (proto == Q_UDP) { 6173 if (real_proto == IPPROTO_TCP) 6174 bpf_error("port '%s' is tcp", name); 6175 else if (real_proto == IPPROTO_SCTP) 6176 bpf_error("port '%s' is sctp", name); 6177 else 6178 /* override PROTO_UNDEF */ 6179 real_proto = IPPROTO_UDP; 6180 } 6181 if (proto == Q_TCP) { 6182 if (real_proto == IPPROTO_UDP) 6183 bpf_error("port '%s' is udp", name); 6184 6185 else if (real_proto == IPPROTO_SCTP) 6186 bpf_error("port '%s' is sctp", name); 6187 else 6188 /* override PROTO_UNDEF */ 6189 real_proto = IPPROTO_TCP; 6190 } 6191 if (proto == Q_SCTP) { 6192 if (real_proto == IPPROTO_UDP) 6193 bpf_error("port '%s' is udp", name); 6194 6195 else if (real_proto == IPPROTO_TCP) 6196 bpf_error("port '%s' is tcp", name); 6197 else 6198 /* override PROTO_UNDEF */ 6199 real_proto = IPPROTO_SCTP; 6200 } 6201 #ifndef INET6 6202 return gen_port(port, real_proto, dir); 6203 #else 6204 b = gen_port(port, real_proto, dir); 6205 gen_or(gen_port6(port, real_proto, dir), b); 6206 return b; 6207 #endif /* INET6 */ 6208 6209 case Q_PORTRANGE: 6210 if (proto != Q_DEFAULT && 6211 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6212 bpf_error("illegal qualifier of 'portrange'"); 6213 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6214 bpf_error("unknown port in range '%s'", name); 6215 if (proto == Q_UDP) { 6216 if (real_proto == IPPROTO_TCP) 6217 bpf_error("port in range '%s' is tcp", name); 6218 else if (real_proto == IPPROTO_SCTP) 6219 bpf_error("port in range '%s' is sctp", name); 6220 else 6221 /* override PROTO_UNDEF */ 6222 real_proto = IPPROTO_UDP; 6223 } 6224 if (proto == Q_TCP) { 6225 if (real_proto == IPPROTO_UDP) 6226 bpf_error("port in range '%s' is udp", name); 6227 else if (real_proto == IPPROTO_SCTP) 6228 bpf_error("port in range '%s' is sctp", name); 6229 else 6230 /* override PROTO_UNDEF */ 6231 real_proto = IPPROTO_TCP; 6232 } 6233 if (proto == Q_SCTP) { 6234 if (real_proto == IPPROTO_UDP) 6235 bpf_error("port in range '%s' is udp", name); 6236 else if (real_proto == IPPROTO_TCP) 6237 bpf_error("port in range '%s' is tcp", name); 6238 else 6239 /* override PROTO_UNDEF */ 6240 real_proto = IPPROTO_SCTP; 6241 } 6242 #ifndef INET6 6243 return gen_portrange(port1, port2, real_proto, dir); 6244 #else 6245 b = gen_portrange(port1, port2, real_proto, dir); 6246 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6247 return b; 6248 #endif /* INET6 */ 6249 6250 case Q_GATEWAY: 6251 #ifndef INET6 6252 eaddr = pcap_ether_hostton(name); 6253 if (eaddr == NULL) 6254 bpf_error("unknown ether host: %s", name); 6255 6256 alist = pcap_nametoaddr(name); 6257 if (alist == NULL || *alist == NULL) 6258 bpf_error("unknown host '%s'", name); 6259 b = gen_gateway(eaddr, alist, proto, dir); 6260 free(eaddr); 6261 return b; 6262 #else 6263 bpf_error("'gateway' not supported in this configuration"); 6264 #endif /*INET6*/ 6265 6266 case Q_PROTO: 6267 real_proto = lookup_proto(name, proto); 6268 if (real_proto >= 0) 6269 return gen_proto(real_proto, proto, dir); 6270 else 6271 bpf_error("unknown protocol: %s", name); 6272 6273 case Q_PROTOCHAIN: 6274 real_proto = lookup_proto(name, proto); 6275 if (real_proto >= 0) 6276 return gen_protochain(real_proto, proto, dir); 6277 else 6278 bpf_error("unknown protocol: %s", name); 6279 6280 case Q_UNDEF: 6281 syntax(); 6282 /* NOTREACHED */ 6283 } 6284 abort(); 6285 /* NOTREACHED */ 6286 } 6287 6288 struct block * 6289 gen_mcode(s1, s2, masklen, q) 6290 register const char *s1, *s2; 6291 register int masklen; 6292 struct qual q; 6293 { 6294 register int nlen, mlen; 6295 bpf_u_int32 n, m; 6296 6297 nlen = __pcap_atoin(s1, &n); 6298 /* Promote short ipaddr */ 6299 n <<= 32 - nlen; 6300 6301 if (s2 != NULL) { 6302 mlen = __pcap_atoin(s2, &m); 6303 /* Promote short ipaddr */ 6304 m <<= 32 - mlen; 6305 if ((n & ~m) != 0) 6306 bpf_error("non-network bits set in \"%s mask %s\"", 6307 s1, s2); 6308 } else { 6309 /* Convert mask len to mask */ 6310 if (masklen > 32) 6311 bpf_error("mask length must be <= 32"); 6312 if (masklen == 0) { 6313 /* 6314 * X << 32 is not guaranteed by C to be 0; it's 6315 * undefined. 6316 */ 6317 m = 0; 6318 } else 6319 m = 0xffffffff << (32 - masklen); 6320 if ((n & ~m) != 0) 6321 bpf_error("non-network bits set in \"%s/%d\"", 6322 s1, masklen); 6323 } 6324 6325 switch (q.addr) { 6326 6327 case Q_NET: 6328 return gen_host(n, m, q.proto, q.dir, q.addr); 6329 6330 default: 6331 bpf_error("Mask syntax for networks only"); 6332 /* NOTREACHED */ 6333 } 6334 /* NOTREACHED */ 6335 return NULL; 6336 } 6337 6338 struct block * 6339 gen_ncode(s, v, q) 6340 register const char *s; 6341 bpf_u_int32 v; 6342 struct qual q; 6343 { 6344 bpf_u_int32 mask; 6345 int proto = q.proto; 6346 int dir = q.dir; 6347 register int vlen; 6348 6349 if (s == NULL) 6350 vlen = 32; 6351 else if (q.proto == Q_DECNET) 6352 vlen = __pcap_atodn(s, &v); 6353 else 6354 vlen = __pcap_atoin(s, &v); 6355 6356 switch (q.addr) { 6357 6358 case Q_DEFAULT: 6359 case Q_HOST: 6360 case Q_NET: 6361 if (proto == Q_DECNET) 6362 return gen_host(v, 0, proto, dir, q.addr); 6363 else if (proto == Q_LINK) { 6364 bpf_error("illegal link layer address"); 6365 } else { 6366 mask = 0xffffffff; 6367 if (s == NULL && q.addr == Q_NET) { 6368 /* Promote short net number */ 6369 while (v && (v & 0xff000000) == 0) { 6370 v <<= 8; 6371 mask <<= 8; 6372 } 6373 } else { 6374 /* Promote short ipaddr */ 6375 v <<= 32 - vlen; 6376 mask <<= 32 - vlen; 6377 } 6378 return gen_host(v, mask, proto, dir, q.addr); 6379 } 6380 6381 case Q_PORT: 6382 if (proto == Q_UDP) 6383 proto = IPPROTO_UDP; 6384 else if (proto == Q_TCP) 6385 proto = IPPROTO_TCP; 6386 else if (proto == Q_SCTP) 6387 proto = IPPROTO_SCTP; 6388 else if (proto == Q_DEFAULT) 6389 proto = PROTO_UNDEF; 6390 else 6391 bpf_error("illegal qualifier of 'port'"); 6392 6393 #ifndef INET6 6394 return gen_port((int)v, proto, dir); 6395 #else 6396 { 6397 struct block *b; 6398 b = gen_port((int)v, proto, dir); 6399 gen_or(gen_port6((int)v, proto, dir), b); 6400 return b; 6401 } 6402 #endif /* INET6 */ 6403 6404 case Q_PORTRANGE: 6405 if (proto == Q_UDP) 6406 proto = IPPROTO_UDP; 6407 else if (proto == Q_TCP) 6408 proto = IPPROTO_TCP; 6409 else if (proto == Q_SCTP) 6410 proto = IPPROTO_SCTP; 6411 else if (proto == Q_DEFAULT) 6412 proto = PROTO_UNDEF; 6413 else 6414 bpf_error("illegal qualifier of 'portrange'"); 6415 6416 #ifndef INET6 6417 return gen_portrange((int)v, (int)v, proto, dir); 6418 #else 6419 { 6420 struct block *b; 6421 b = gen_portrange((int)v, (int)v, proto, dir); 6422 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6423 return b; 6424 } 6425 #endif /* INET6 */ 6426 6427 case Q_GATEWAY: 6428 bpf_error("'gateway' requires a name"); 6429 /* NOTREACHED */ 6430 6431 case Q_PROTO: 6432 return gen_proto((int)v, proto, dir); 6433 6434 case Q_PROTOCHAIN: 6435 return gen_protochain((int)v, proto, dir); 6436 6437 case Q_UNDEF: 6438 syntax(); 6439 /* NOTREACHED */ 6440 6441 default: 6442 abort(); 6443 /* NOTREACHED */ 6444 } 6445 /* NOTREACHED */ 6446 } 6447 6448 #ifdef INET6 6449 struct block * 6450 gen_mcode6(s1, s2, masklen, q) 6451 register const char *s1, *s2; 6452 register int masklen; 6453 struct qual q; 6454 { 6455 struct addrinfo *res; 6456 struct in6_addr *addr; 6457 struct in6_addr mask; 6458 struct block *b; 6459 u_int32_t *a, *m; 6460 6461 if (s2) 6462 bpf_error("no mask %s supported", s2); 6463 6464 res = pcap_nametoaddrinfo(s1); 6465 if (!res) 6466 bpf_error("invalid ip6 address %s", s1); 6467 ai = res; 6468 if (res->ai_next) 6469 bpf_error("%s resolved to multiple address", s1); 6470 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6471 6472 if ((int)sizeof(mask) * 8 < masklen) 6473 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6474 memset(&mask, 0, sizeof(mask)); 6475 memset(&mask, 0xff, masklen / 8); 6476 if (masklen % 8) { 6477 mask.s6_addr[masklen / 8] = 6478 (0xff << (8 - masklen % 8)) & 0xff; 6479 } 6480 6481 a = (u_int32_t *)addr; 6482 m = (u_int32_t *)&mask; 6483 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6484 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6485 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6486 } 6487 6488 switch (q.addr) { 6489 6490 case Q_DEFAULT: 6491 case Q_HOST: 6492 if (masklen != 128) 6493 bpf_error("Mask syntax for networks only"); 6494 /* FALLTHROUGH */ 6495 6496 case Q_NET: 6497 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6498 ai = NULL; 6499 freeaddrinfo(res); 6500 return b; 6501 6502 default: 6503 bpf_error("invalid qualifier against IPv6 address"); 6504 /* NOTREACHED */ 6505 } 6506 return NULL; 6507 } 6508 #endif /*INET6*/ 6509 6510 struct block * 6511 gen_ecode(eaddr, q) 6512 register const u_char *eaddr; 6513 struct qual q; 6514 { 6515 struct block *b, *tmp; 6516 6517 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6518 switch (linktype) { 6519 case DLT_EN10MB: 6520 return gen_ehostop(eaddr, (int)q.dir); 6521 case DLT_FDDI: 6522 return gen_fhostop(eaddr, (int)q.dir); 6523 case DLT_IEEE802: 6524 return gen_thostop(eaddr, (int)q.dir); 6525 case DLT_IEEE802_11: 6526 case DLT_PRISM_HEADER: 6527 case DLT_IEEE802_11_RADIO_AVS: 6528 case DLT_IEEE802_11_RADIO: 6529 case DLT_PPI: 6530 return gen_wlanhostop(eaddr, (int)q.dir); 6531 case DLT_SUNATM: 6532 if (is_lane) { 6533 /* 6534 * Check that the packet doesn't begin with an 6535 * LE Control marker. (We've already generated 6536 * a test for LANE.) 6537 */ 6538 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6539 0xFF00); 6540 gen_not(tmp); 6541 6542 /* 6543 * Now check the MAC address. 6544 */ 6545 b = gen_ehostop(eaddr, (int)q.dir); 6546 gen_and(tmp, b); 6547 return b; 6548 } 6549 break; 6550 case DLT_IP_OVER_FC: 6551 return gen_ipfchostop(eaddr, (int)q.dir); 6552 default: 6553 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6554 break; 6555 } 6556 } 6557 bpf_error("ethernet address used in non-ether expression"); 6558 /* NOTREACHED */ 6559 return NULL; 6560 } 6561 6562 void 6563 sappend(s0, s1) 6564 struct slist *s0, *s1; 6565 { 6566 /* 6567 * This is definitely not the best way to do this, but the 6568 * lists will rarely get long. 6569 */ 6570 while (s0->next) 6571 s0 = s0->next; 6572 s0->next = s1; 6573 } 6574 6575 static struct slist * 6576 xfer_to_x(a) 6577 struct arth *a; 6578 { 6579 struct slist *s; 6580 6581 s = new_stmt(BPF_LDX|BPF_MEM); 6582 s->s.k = a->regno; 6583 return s; 6584 } 6585 6586 static struct slist * 6587 xfer_to_a(a) 6588 struct arth *a; 6589 { 6590 struct slist *s; 6591 6592 s = new_stmt(BPF_LD|BPF_MEM); 6593 s->s.k = a->regno; 6594 return s; 6595 } 6596 6597 /* 6598 * Modify "index" to use the value stored into its register as an 6599 * offset relative to the beginning of the header for the protocol 6600 * "proto", and allocate a register and put an item "size" bytes long 6601 * (1, 2, or 4) at that offset into that register, making it the register 6602 * for "index". 6603 */ 6604 struct arth * 6605 gen_load(proto, inst, size) 6606 int proto; 6607 struct arth *inst; 6608 int size; 6609 { 6610 struct slist *s, *tmp; 6611 struct block *b; 6612 int regno = alloc_reg(); 6613 6614 free_reg(inst->regno); 6615 switch (size) { 6616 6617 default: 6618 bpf_error("data size must be 1, 2, or 4"); 6619 6620 case 1: 6621 size = BPF_B; 6622 break; 6623 6624 case 2: 6625 size = BPF_H; 6626 break; 6627 6628 case 4: 6629 size = BPF_W; 6630 break; 6631 } 6632 switch (proto) { 6633 default: 6634 bpf_error("unsupported index operation"); 6635 6636 case Q_RADIO: 6637 /* 6638 * The offset is relative to the beginning of the packet 6639 * data, if we have a radio header. (If we don't, this 6640 * is an error.) 6641 */ 6642 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6643 linktype != DLT_IEEE802_11_RADIO && 6644 linktype != DLT_PRISM_HEADER) 6645 bpf_error("radio information not present in capture"); 6646 6647 /* 6648 * Load into the X register the offset computed into the 6649 * register specifed by "index". 6650 */ 6651 s = xfer_to_x(inst); 6652 6653 /* 6654 * Load the item at that offset. 6655 */ 6656 tmp = new_stmt(BPF_LD|BPF_IND|size); 6657 sappend(s, tmp); 6658 sappend(inst->s, s); 6659 break; 6660 6661 case Q_LINK: 6662 /* 6663 * The offset is relative to the beginning of 6664 * the link-layer header. 6665 * 6666 * XXX - what about ATM LANE? Should the index be 6667 * relative to the beginning of the AAL5 frame, so 6668 * that 0 refers to the beginning of the LE Control 6669 * field, or relative to the beginning of the LAN 6670 * frame, so that 0 refers, for Ethernet LANE, to 6671 * the beginning of the destination address? 6672 */ 6673 s = gen_llprefixlen(); 6674 6675 /* 6676 * If "s" is non-null, it has code to arrange that the 6677 * X register contains the length of the prefix preceding 6678 * the link-layer header. Add to it the offset computed 6679 * into the register specified by "index", and move that 6680 * into the X register. Otherwise, just load into the X 6681 * register the offset computed into the register specifed 6682 * by "index". 6683 */ 6684 if (s != NULL) { 6685 sappend(s, xfer_to_a(inst)); 6686 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6687 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6688 } else 6689 s = xfer_to_x(inst); 6690 6691 /* 6692 * Load the item at the sum of the offset we've put in the 6693 * X register and the offset of the start of the link 6694 * layer header (which is 0 if the radio header is 6695 * variable-length; that header length is what we put 6696 * into the X register and then added to the index). 6697 */ 6698 tmp = new_stmt(BPF_LD|BPF_IND|size); 6699 tmp->s.k = off_ll; 6700 sappend(s, tmp); 6701 sappend(inst->s, s); 6702 break; 6703 6704 case Q_IP: 6705 case Q_ARP: 6706 case Q_RARP: 6707 case Q_ATALK: 6708 case Q_DECNET: 6709 case Q_SCA: 6710 case Q_LAT: 6711 case Q_MOPRC: 6712 case Q_MOPDL: 6713 #ifdef INET6 6714 case Q_IPV6: 6715 #endif 6716 /* 6717 * The offset is relative to the beginning of 6718 * the network-layer header. 6719 * XXX - are there any cases where we want 6720 * off_nl_nosnap? 6721 */ 6722 s = gen_off_macpl(); 6723 6724 /* 6725 * If "s" is non-null, it has code to arrange that the 6726 * X register contains the offset of the MAC-layer 6727 * payload. Add to it the offset computed into the 6728 * register specified by "index", and move that into 6729 * the X register. Otherwise, just load into the X 6730 * register the offset computed into the register specifed 6731 * by "index". 6732 */ 6733 if (s != NULL) { 6734 sappend(s, xfer_to_a(inst)); 6735 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6736 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6737 } else 6738 s = xfer_to_x(inst); 6739 6740 /* 6741 * Load the item at the sum of the offset we've put in the 6742 * X register, the offset of the start of the network 6743 * layer header from the beginning of the MAC-layer 6744 * payload, and the purported offset of the start of the 6745 * MAC-layer payload (which might be 0 if there's a 6746 * variable-length prefix before the link-layer header 6747 * or the link-layer header itself is variable-length; 6748 * the variable-length offset of the start of the 6749 * MAC-layer payload is what we put into the X register 6750 * and then added to the index). 6751 */ 6752 tmp = new_stmt(BPF_LD|BPF_IND|size); 6753 tmp->s.k = off_macpl + off_nl; 6754 sappend(s, tmp); 6755 sappend(inst->s, s); 6756 6757 /* 6758 * Do the computation only if the packet contains 6759 * the protocol in question. 6760 */ 6761 b = gen_proto_abbrev(proto); 6762 if (inst->b) 6763 gen_and(inst->b, b); 6764 inst->b = b; 6765 break; 6766 6767 case Q_SCTP: 6768 case Q_TCP: 6769 case Q_UDP: 6770 case Q_ICMP: 6771 case Q_IGMP: 6772 case Q_IGRP: 6773 case Q_PIM: 6774 case Q_VRRP: 6775 /* 6776 * The offset is relative to the beginning of 6777 * the transport-layer header. 6778 * 6779 * Load the X register with the length of the IPv4 header 6780 * (plus the offset of the link-layer header, if it's 6781 * a variable-length header), in bytes. 6782 * 6783 * XXX - are there any cases where we want 6784 * off_nl_nosnap? 6785 * XXX - we should, if we're built with 6786 * IPv6 support, generate code to load either 6787 * IPv4, IPv6, or both, as appropriate. 6788 */ 6789 s = gen_loadx_iphdrlen(); 6790 6791 /* 6792 * The X register now contains the sum of the length 6793 * of any variable-length header preceding the link-layer 6794 * header, any variable-length link-layer header, and the 6795 * length of the network-layer header. 6796 * 6797 * Load into the A register the offset relative to 6798 * the beginning of the transport layer header, 6799 * add the X register to that, move that to the 6800 * X register, and load with an offset from the 6801 * X register equal to the offset of the network 6802 * layer header relative to the beginning of 6803 * the MAC-layer payload plus the fixed-length 6804 * portion of the offset of the MAC-layer payload 6805 * from the beginning of the raw packet data. 6806 */ 6807 sappend(s, xfer_to_a(inst)); 6808 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6809 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6810 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6811 tmp->s.k = off_macpl + off_nl; 6812 sappend(inst->s, s); 6813 6814 /* 6815 * Do the computation only if the packet contains 6816 * the protocol in question - which is true only 6817 * if this is an IP datagram and is the first or 6818 * only fragment of that datagram. 6819 */ 6820 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6821 if (inst->b) 6822 gen_and(inst->b, b); 6823 #ifdef INET6 6824 gen_and(gen_proto_abbrev(Q_IP), b); 6825 #endif 6826 inst->b = b; 6827 break; 6828 #ifdef INET6 6829 case Q_ICMPV6: 6830 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6831 /*NOTREACHED*/ 6832 #endif 6833 } 6834 inst->regno = regno; 6835 s = new_stmt(BPF_ST); 6836 s->s.k = regno; 6837 sappend(inst->s, s); 6838 6839 return inst; 6840 } 6841 6842 struct block * 6843 gen_relation(code, a0, a1, reversed) 6844 int code; 6845 struct arth *a0, *a1; 6846 int reversed; 6847 { 6848 struct slist *s0, *s1, *s2; 6849 struct block *b, *tmp; 6850 6851 s0 = xfer_to_x(a1); 6852 s1 = xfer_to_a(a0); 6853 if (code == BPF_JEQ) { 6854 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6855 b = new_block(JMP(code)); 6856 sappend(s1, s2); 6857 } 6858 else 6859 b = new_block(BPF_JMP|code|BPF_X); 6860 if (reversed) 6861 gen_not(b); 6862 6863 sappend(s0, s1); 6864 sappend(a1->s, s0); 6865 sappend(a0->s, a1->s); 6866 6867 b->stmts = a0->s; 6868 6869 free_reg(a0->regno); 6870 free_reg(a1->regno); 6871 6872 /* 'and' together protocol checks */ 6873 if (a0->b) { 6874 if (a1->b) { 6875 gen_and(a0->b, tmp = a1->b); 6876 } 6877 else 6878 tmp = a0->b; 6879 } else 6880 tmp = a1->b; 6881 6882 if (tmp) 6883 gen_and(tmp, b); 6884 6885 return b; 6886 } 6887 6888 struct arth * 6889 gen_loadlen() 6890 { 6891 int regno = alloc_reg(); 6892 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6893 struct slist *s; 6894 6895 s = new_stmt(BPF_LD|BPF_LEN); 6896 s->next = new_stmt(BPF_ST); 6897 s->next->s.k = regno; 6898 a->s = s; 6899 a->regno = regno; 6900 6901 return a; 6902 } 6903 6904 struct arth * 6905 gen_loadi(val) 6906 int val; 6907 { 6908 struct arth *a; 6909 struct slist *s; 6910 int reg; 6911 6912 a = (struct arth *)newchunk(sizeof(*a)); 6913 6914 reg = alloc_reg(); 6915 6916 s = new_stmt(BPF_LD|BPF_IMM); 6917 s->s.k = val; 6918 s->next = new_stmt(BPF_ST); 6919 s->next->s.k = reg; 6920 a->s = s; 6921 a->regno = reg; 6922 6923 return a; 6924 } 6925 6926 struct arth * 6927 gen_neg(a) 6928 struct arth *a; 6929 { 6930 struct slist *s; 6931 6932 s = xfer_to_a(a); 6933 sappend(a->s, s); 6934 s = new_stmt(BPF_ALU|BPF_NEG); 6935 s->s.k = 0; 6936 sappend(a->s, s); 6937 s = new_stmt(BPF_ST); 6938 s->s.k = a->regno; 6939 sappend(a->s, s); 6940 6941 return a; 6942 } 6943 6944 struct arth * 6945 gen_arth(code, a0, a1) 6946 int code; 6947 struct arth *a0, *a1; 6948 { 6949 struct slist *s0, *s1, *s2; 6950 6951 s0 = xfer_to_x(a1); 6952 s1 = xfer_to_a(a0); 6953 s2 = new_stmt(BPF_ALU|BPF_X|code); 6954 6955 sappend(s1, s2); 6956 sappend(s0, s1); 6957 sappend(a1->s, s0); 6958 sappend(a0->s, a1->s); 6959 6960 free_reg(a0->regno); 6961 free_reg(a1->regno); 6962 6963 s0 = new_stmt(BPF_ST); 6964 a0->regno = s0->s.k = alloc_reg(); 6965 sappend(a0->s, s0); 6966 6967 return a0; 6968 } 6969 6970 /* 6971 * Here we handle simple allocation of the scratch registers. 6972 * If too many registers are alloc'd, the allocator punts. 6973 */ 6974 static int regused[BPF_MEMWORDS]; 6975 static int curreg; 6976 6977 /* 6978 * Initialize the table of used registers and the current register. 6979 */ 6980 static void 6981 init_regs() 6982 { 6983 curreg = 0; 6984 memset(regused, 0, sizeof regused); 6985 } 6986 6987 /* 6988 * Return the next free register. 6989 */ 6990 static int 6991 alloc_reg() 6992 { 6993 int n = BPF_MEMWORDS; 6994 6995 while (--n >= 0) { 6996 if (regused[curreg]) 6997 curreg = (curreg + 1) % BPF_MEMWORDS; 6998 else { 6999 regused[curreg] = 1; 7000 return curreg; 7001 } 7002 } 7003 bpf_error("too many registers needed to evaluate expression"); 7004 /* NOTREACHED */ 7005 return 0; 7006 } 7007 7008 /* 7009 * Return a register to the table so it can 7010 * be used later. 7011 */ 7012 static void 7013 free_reg(n) 7014 int n; 7015 { 7016 regused[n] = 0; 7017 } 7018 7019 static struct block * 7020 gen_len(jmp, n) 7021 int jmp, n; 7022 { 7023 struct slist *s; 7024 struct block *b; 7025 7026 s = new_stmt(BPF_LD|BPF_LEN); 7027 b = new_block(JMP(jmp)); 7028 b->stmts = s; 7029 b->s.k = n; 7030 7031 return b; 7032 } 7033 7034 struct block * 7035 gen_greater(n) 7036 int n; 7037 { 7038 return gen_len(BPF_JGE, n); 7039 } 7040 7041 /* 7042 * Actually, this is less than or equal. 7043 */ 7044 struct block * 7045 gen_less(n) 7046 int n; 7047 { 7048 struct block *b; 7049 7050 b = gen_len(BPF_JGT, n); 7051 gen_not(b); 7052 7053 return b; 7054 } 7055 7056 /* 7057 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7058 * the beginning of the link-layer header. 7059 * XXX - that means you can't test values in the radiotap header, but 7060 * as that header is difficult if not impossible to parse generally 7061 * without a loop, that might not be a severe problem. A new keyword 7062 * "radio" could be added for that, although what you'd really want 7063 * would be a way of testing particular radio header values, which 7064 * would generate code appropriate to the radio header in question. 7065 */ 7066 struct block * 7067 gen_byteop(op, idx, val) 7068 int op, idx, val; 7069 { 7070 struct block *b; 7071 struct slist *s; 7072 7073 switch (op) { 7074 default: 7075 abort(); 7076 7077 case '=': 7078 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7079 7080 case '<': 7081 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7082 return b; 7083 7084 case '>': 7085 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7086 return b; 7087 7088 case '|': 7089 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7090 break; 7091 7092 case '&': 7093 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7094 break; 7095 } 7096 s->s.k = val; 7097 b = new_block(JMP(BPF_JEQ)); 7098 b->stmts = s; 7099 gen_not(b); 7100 7101 return b; 7102 } 7103 7104 static u_char abroadcast[] = { 0x0 }; 7105 7106 struct block * 7107 gen_broadcast(proto) 7108 int proto; 7109 { 7110 bpf_u_int32 hostmask; 7111 struct block *b0, *b1, *b2; 7112 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7113 7114 switch (proto) { 7115 7116 case Q_DEFAULT: 7117 case Q_LINK: 7118 switch (linktype) { 7119 case DLT_ARCNET: 7120 case DLT_ARCNET_LINUX: 7121 return gen_ahostop(abroadcast, Q_DST); 7122 case DLT_EN10MB: 7123 return gen_ehostop(ebroadcast, Q_DST); 7124 case DLT_FDDI: 7125 return gen_fhostop(ebroadcast, Q_DST); 7126 case DLT_IEEE802: 7127 return gen_thostop(ebroadcast, Q_DST); 7128 case DLT_IEEE802_11: 7129 case DLT_PRISM_HEADER: 7130 case DLT_IEEE802_11_RADIO_AVS: 7131 case DLT_IEEE802_11_RADIO: 7132 case DLT_PPI: 7133 return gen_wlanhostop(ebroadcast, Q_DST); 7134 case DLT_IP_OVER_FC: 7135 return gen_ipfchostop(ebroadcast, Q_DST); 7136 case DLT_SUNATM: 7137 if (is_lane) { 7138 /* 7139 * Check that the packet doesn't begin with an 7140 * LE Control marker. (We've already generated 7141 * a test for LANE.) 7142 */ 7143 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7144 BPF_H, 0xFF00); 7145 gen_not(b1); 7146 7147 /* 7148 * Now check the MAC address. 7149 */ 7150 b0 = gen_ehostop(ebroadcast, Q_DST); 7151 gen_and(b1, b0); 7152 return b0; 7153 } 7154 break; 7155 default: 7156 bpf_error("not a broadcast link"); 7157 } 7158 break; 7159 7160 case Q_IP: 7161 /* 7162 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7163 * as an indication that we don't know the netmask, and fail 7164 * in that case. 7165 */ 7166 if (netmask == PCAP_NETMASK_UNKNOWN) 7167 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7168 b0 = gen_linktype(ETHERTYPE_IP); 7169 hostmask = ~netmask; 7170 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7171 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7172 (bpf_int32)(~0 & hostmask), hostmask); 7173 gen_or(b1, b2); 7174 gen_and(b0, b2); 7175 return b2; 7176 } 7177 bpf_error("only link-layer/IP broadcast filters supported"); 7178 /* NOTREACHED */ 7179 return NULL; 7180 } 7181 7182 /* 7183 * Generate code to test the low-order bit of a MAC address (that's 7184 * the bottom bit of the *first* byte). 7185 */ 7186 static struct block * 7187 gen_mac_multicast(offset) 7188 int offset; 7189 { 7190 register struct block *b0; 7191 register struct slist *s; 7192 7193 /* link[offset] & 1 != 0 */ 7194 s = gen_load_a(OR_LINK, offset, BPF_B); 7195 b0 = new_block(JMP(BPF_JSET)); 7196 b0->s.k = 1; 7197 b0->stmts = s; 7198 return b0; 7199 } 7200 7201 struct block * 7202 gen_multicast(proto) 7203 int proto; 7204 { 7205 register struct block *b0, *b1, *b2; 7206 register struct slist *s; 7207 7208 switch (proto) { 7209 7210 case Q_DEFAULT: 7211 case Q_LINK: 7212 switch (linktype) { 7213 case DLT_ARCNET: 7214 case DLT_ARCNET_LINUX: 7215 /* all ARCnet multicasts use the same address */ 7216 return gen_ahostop(abroadcast, Q_DST); 7217 case DLT_EN10MB: 7218 /* ether[0] & 1 != 0 */ 7219 return gen_mac_multicast(0); 7220 case DLT_FDDI: 7221 /* 7222 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7223 * 7224 * XXX - was that referring to bit-order issues? 7225 */ 7226 /* fddi[1] & 1 != 0 */ 7227 return gen_mac_multicast(1); 7228 case DLT_IEEE802: 7229 /* tr[2] & 1 != 0 */ 7230 return gen_mac_multicast(2); 7231 case DLT_IEEE802_11: 7232 case DLT_PRISM_HEADER: 7233 case DLT_IEEE802_11_RADIO_AVS: 7234 case DLT_IEEE802_11_RADIO: 7235 case DLT_PPI: 7236 /* 7237 * Oh, yuk. 7238 * 7239 * For control frames, there is no DA. 7240 * 7241 * For management frames, DA is at an 7242 * offset of 4 from the beginning of 7243 * the packet. 7244 * 7245 * For data frames, DA is at an offset 7246 * of 4 from the beginning of the packet 7247 * if To DS is clear and at an offset of 7248 * 16 from the beginning of the packet 7249 * if To DS is set. 7250 */ 7251 7252 /* 7253 * Generate the tests to be done for data frames. 7254 * 7255 * First, check for To DS set, i.e. "link[1] & 0x01". 7256 */ 7257 s = gen_load_a(OR_LINK, 1, BPF_B); 7258 b1 = new_block(JMP(BPF_JSET)); 7259 b1->s.k = 0x01; /* To DS */ 7260 b1->stmts = s; 7261 7262 /* 7263 * If To DS is set, the DA is at 16. 7264 */ 7265 b0 = gen_mac_multicast(16); 7266 gen_and(b1, b0); 7267 7268 /* 7269 * Now, check for To DS not set, i.e. check 7270 * "!(link[1] & 0x01)". 7271 */ 7272 s = gen_load_a(OR_LINK, 1, BPF_B); 7273 b2 = new_block(JMP(BPF_JSET)); 7274 b2->s.k = 0x01; /* To DS */ 7275 b2->stmts = s; 7276 gen_not(b2); 7277 7278 /* 7279 * If To DS is not set, the DA is at 4. 7280 */ 7281 b1 = gen_mac_multicast(4); 7282 gen_and(b2, b1); 7283 7284 /* 7285 * Now OR together the last two checks. That gives 7286 * the complete set of checks for data frames. 7287 */ 7288 gen_or(b1, b0); 7289 7290 /* 7291 * Now check for a data frame. 7292 * I.e, check "link[0] & 0x08". 7293 */ 7294 s = gen_load_a(OR_LINK, 0, BPF_B); 7295 b1 = new_block(JMP(BPF_JSET)); 7296 b1->s.k = 0x08; 7297 b1->stmts = s; 7298 7299 /* 7300 * AND that with the checks done for data frames. 7301 */ 7302 gen_and(b1, b0); 7303 7304 /* 7305 * If the high-order bit of the type value is 0, this 7306 * is a management frame. 7307 * I.e, check "!(link[0] & 0x08)". 7308 */ 7309 s = gen_load_a(OR_LINK, 0, BPF_B); 7310 b2 = new_block(JMP(BPF_JSET)); 7311 b2->s.k = 0x08; 7312 b2->stmts = s; 7313 gen_not(b2); 7314 7315 /* 7316 * For management frames, the DA is at 4. 7317 */ 7318 b1 = gen_mac_multicast(4); 7319 gen_and(b2, b1); 7320 7321 /* 7322 * OR that with the checks done for data frames. 7323 * That gives the checks done for management and 7324 * data frames. 7325 */ 7326 gen_or(b1, b0); 7327 7328 /* 7329 * If the low-order bit of the type value is 1, 7330 * this is either a control frame or a frame 7331 * with a reserved type, and thus not a 7332 * frame with an SA. 7333 * 7334 * I.e., check "!(link[0] & 0x04)". 7335 */ 7336 s = gen_load_a(OR_LINK, 0, BPF_B); 7337 b1 = new_block(JMP(BPF_JSET)); 7338 b1->s.k = 0x04; 7339 b1->stmts = s; 7340 gen_not(b1); 7341 7342 /* 7343 * AND that with the checks for data and management 7344 * frames. 7345 */ 7346 gen_and(b1, b0); 7347 return b0; 7348 case DLT_IP_OVER_FC: 7349 b0 = gen_mac_multicast(2); 7350 return b0; 7351 case DLT_SUNATM: 7352 if (is_lane) { 7353 /* 7354 * Check that the packet doesn't begin with an 7355 * LE Control marker. (We've already generated 7356 * a test for LANE.) 7357 */ 7358 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7359 BPF_H, 0xFF00); 7360 gen_not(b1); 7361 7362 /* ether[off_mac] & 1 != 0 */ 7363 b0 = gen_mac_multicast(off_mac); 7364 gen_and(b1, b0); 7365 return b0; 7366 } 7367 break; 7368 default: 7369 break; 7370 } 7371 /* Link not known to support multicasts */ 7372 break; 7373 7374 case Q_IP: 7375 b0 = gen_linktype(ETHERTYPE_IP); 7376 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7377 gen_and(b0, b1); 7378 return b1; 7379 7380 #ifdef INET6 7381 case Q_IPV6: 7382 b0 = gen_linktype(ETHERTYPE_IPV6); 7383 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7384 gen_and(b0, b1); 7385 return b1; 7386 #endif /* INET6 */ 7387 } 7388 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7389 /* NOTREACHED */ 7390 return NULL; 7391 } 7392 7393 /* 7394 * generate command for inbound/outbound. It's here so we can 7395 * make it link-type specific. 'dir' = 0 implies "inbound", 7396 * = 1 implies "outbound". 7397 */ 7398 struct block * 7399 gen_inbound(dir) 7400 int dir; 7401 { 7402 register struct block *b0; 7403 7404 /* 7405 * Only some data link types support inbound/outbound qualifiers. 7406 */ 7407 switch (linktype) { 7408 case DLT_SLIP: 7409 b0 = gen_relation(BPF_JEQ, 7410 gen_load(Q_LINK, gen_loadi(0), 1), 7411 gen_loadi(0), 7412 dir); 7413 break; 7414 7415 case DLT_IPNET: 7416 if (dir) { 7417 /* match outgoing packets */ 7418 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7419 } else { 7420 /* match incoming packets */ 7421 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7422 } 7423 break; 7424 7425 case DLT_LINUX_SLL: 7426 if (dir) { 7427 /* 7428 * Match packets sent by this machine. 7429 */ 7430 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7431 } else { 7432 /* 7433 * Match packets sent to this machine. 7434 * (No broadcast or multicast packets, or 7435 * packets sent to some other machine and 7436 * received promiscuously.) 7437 * 7438 * XXX - packets sent to other machines probably 7439 * shouldn't be matched, but what about broadcast 7440 * or multicast packets we received? 7441 */ 7442 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7443 } 7444 break; 7445 7446 #ifdef HAVE_NET_PFVAR_H 7447 case DLT_PFLOG: 7448 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7449 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7450 break; 7451 #endif 7452 7453 case DLT_PPP_PPPD: 7454 if (dir) { 7455 /* match outgoing packets */ 7456 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7457 } else { 7458 /* match incoming packets */ 7459 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7460 } 7461 break; 7462 7463 case DLT_JUNIPER_MFR: 7464 case DLT_JUNIPER_MLFR: 7465 case DLT_JUNIPER_MLPPP: 7466 case DLT_JUNIPER_ATM1: 7467 case DLT_JUNIPER_ATM2: 7468 case DLT_JUNIPER_PPPOE: 7469 case DLT_JUNIPER_PPPOE_ATM: 7470 case DLT_JUNIPER_GGSN: 7471 case DLT_JUNIPER_ES: 7472 case DLT_JUNIPER_MONITOR: 7473 case DLT_JUNIPER_SERVICES: 7474 case DLT_JUNIPER_ETHER: 7475 case DLT_JUNIPER_PPP: 7476 case DLT_JUNIPER_FRELAY: 7477 case DLT_JUNIPER_CHDLC: 7478 case DLT_JUNIPER_VP: 7479 case DLT_JUNIPER_ST: 7480 case DLT_JUNIPER_ISM: 7481 /* juniper flags (including direction) are stored 7482 * the byte after the 3-byte magic number */ 7483 if (dir) { 7484 /* match outgoing packets */ 7485 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7486 } else { 7487 /* match incoming packets */ 7488 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7489 } 7490 break; 7491 7492 default: 7493 bpf_error("inbound/outbound not supported on linktype %d", 7494 linktype); 7495 b0 = NULL; 7496 /* NOTREACHED */ 7497 } 7498 return (b0); 7499 } 7500 7501 #ifdef HAVE_NET_PFVAR_H 7502 /* PF firewall log matched interface */ 7503 struct block * 7504 gen_pf_ifname(const char *ifname) 7505 { 7506 struct block *b0; 7507 u_int len, off; 7508 7509 if (linktype != DLT_PFLOG) { 7510 bpf_error("ifname supported only on PF linktype"); 7511 /* NOTREACHED */ 7512 } 7513 len = sizeof(((struct pfloghdr *)0)->ifname); 7514 off = offsetof(struct pfloghdr, ifname); 7515 if (strlen(ifname) >= len) { 7516 bpf_error("ifname interface names can only be %d characters", 7517 len-1); 7518 /* NOTREACHED */ 7519 } 7520 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7521 return (b0); 7522 } 7523 7524 /* PF firewall log ruleset name */ 7525 struct block * 7526 gen_pf_ruleset(char *ruleset) 7527 { 7528 struct block *b0; 7529 7530 if (linktype != DLT_PFLOG) { 7531 bpf_error("ruleset supported only on PF linktype"); 7532 /* NOTREACHED */ 7533 } 7534 7535 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7536 bpf_error("ruleset names can only be %ld characters", 7537 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7538 /* NOTREACHED */ 7539 } 7540 7541 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7542 strlen(ruleset), (const u_char *)ruleset); 7543 return (b0); 7544 } 7545 7546 /* PF firewall log rule number */ 7547 struct block * 7548 gen_pf_rnr(int rnr) 7549 { 7550 struct block *b0; 7551 7552 if (linktype != DLT_PFLOG) { 7553 bpf_error("rnr supported only on PF linktype"); 7554 /* NOTREACHED */ 7555 } 7556 7557 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7558 (bpf_int32)rnr); 7559 return (b0); 7560 } 7561 7562 /* PF firewall log sub-rule number */ 7563 struct block * 7564 gen_pf_srnr(int srnr) 7565 { 7566 struct block *b0; 7567 7568 if (linktype != DLT_PFLOG) { 7569 bpf_error("srnr supported only on PF linktype"); 7570 /* NOTREACHED */ 7571 } 7572 7573 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7574 (bpf_int32)srnr); 7575 return (b0); 7576 } 7577 7578 /* PF firewall log reason code */ 7579 struct block * 7580 gen_pf_reason(int reason) 7581 { 7582 struct block *b0; 7583 7584 if (linktype != DLT_PFLOG) { 7585 bpf_error("reason supported only on PF linktype"); 7586 /* NOTREACHED */ 7587 } 7588 7589 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7590 (bpf_int32)reason); 7591 return (b0); 7592 } 7593 7594 /* PF firewall log action */ 7595 struct block * 7596 gen_pf_action(int action) 7597 { 7598 struct block *b0; 7599 7600 if (linktype != DLT_PFLOG) { 7601 bpf_error("action supported only on PF linktype"); 7602 /* NOTREACHED */ 7603 } 7604 7605 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7606 (bpf_int32)action); 7607 return (b0); 7608 } 7609 #else /* !HAVE_NET_PFVAR_H */ 7610 struct block * 7611 gen_pf_ifname(const char *ifname) 7612 { 7613 bpf_error("libpcap was compiled without pf support"); 7614 /* NOTREACHED */ 7615 return (NULL); 7616 } 7617 7618 struct block * 7619 gen_pf_ruleset(char *ruleset) 7620 { 7621 bpf_error("libpcap was compiled on a machine without pf support"); 7622 /* NOTREACHED */ 7623 return (NULL); 7624 } 7625 7626 struct block * 7627 gen_pf_rnr(int rnr) 7628 { 7629 bpf_error("libpcap was compiled on a machine without pf support"); 7630 /* NOTREACHED */ 7631 return (NULL); 7632 } 7633 7634 struct block * 7635 gen_pf_srnr(int srnr) 7636 { 7637 bpf_error("libpcap was compiled on a machine without pf support"); 7638 /* NOTREACHED */ 7639 return (NULL); 7640 } 7641 7642 struct block * 7643 gen_pf_reason(int reason) 7644 { 7645 bpf_error("libpcap was compiled on a machine without pf support"); 7646 /* NOTREACHED */ 7647 return (NULL); 7648 } 7649 7650 struct block * 7651 gen_pf_action(int action) 7652 { 7653 bpf_error("libpcap was compiled on a machine without pf support"); 7654 /* NOTREACHED */ 7655 return (NULL); 7656 } 7657 #endif /* HAVE_NET_PFVAR_H */ 7658 7659 /* IEEE 802.11 wireless header */ 7660 struct block * 7661 gen_p80211_type(int type, int mask) 7662 { 7663 struct block *b0; 7664 7665 switch (linktype) { 7666 7667 case DLT_IEEE802_11: 7668 case DLT_PRISM_HEADER: 7669 case DLT_IEEE802_11_RADIO_AVS: 7670 case DLT_IEEE802_11_RADIO: 7671 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7672 (bpf_int32)mask); 7673 break; 7674 7675 default: 7676 bpf_error("802.11 link-layer types supported only on 802.11"); 7677 /* NOTREACHED */ 7678 } 7679 7680 return (b0); 7681 } 7682 7683 struct block * 7684 gen_p80211_fcdir(int fcdir) 7685 { 7686 struct block *b0; 7687 7688 switch (linktype) { 7689 7690 case DLT_IEEE802_11: 7691 case DLT_PRISM_HEADER: 7692 case DLT_IEEE802_11_RADIO_AVS: 7693 case DLT_IEEE802_11_RADIO: 7694 break; 7695 7696 default: 7697 bpf_error("frame direction supported only with 802.11 headers"); 7698 /* NOTREACHED */ 7699 } 7700 7701 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7702 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7703 7704 return (b0); 7705 } 7706 7707 struct block * 7708 gen_acode(eaddr, q) 7709 register const u_char *eaddr; 7710 struct qual q; 7711 { 7712 switch (linktype) { 7713 7714 case DLT_ARCNET: 7715 case DLT_ARCNET_LINUX: 7716 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7717 q.proto == Q_LINK) 7718 return (gen_ahostop(eaddr, (int)q.dir)); 7719 else { 7720 bpf_error("ARCnet address used in non-arc expression"); 7721 /* NOTREACHED */ 7722 } 7723 break; 7724 7725 default: 7726 bpf_error("aid supported only on ARCnet"); 7727 /* NOTREACHED */ 7728 } 7729 bpf_error("ARCnet address used in non-arc expression"); 7730 /* NOTREACHED */ 7731 return NULL; 7732 } 7733 7734 static struct block * 7735 gen_ahostop(eaddr, dir) 7736 register const u_char *eaddr; 7737 register int dir; 7738 { 7739 register struct block *b0, *b1; 7740 7741 switch (dir) { 7742 /* src comes first, different from Ethernet */ 7743 case Q_SRC: 7744 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7745 7746 case Q_DST: 7747 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7748 7749 case Q_AND: 7750 b0 = gen_ahostop(eaddr, Q_SRC); 7751 b1 = gen_ahostop(eaddr, Q_DST); 7752 gen_and(b0, b1); 7753 return b1; 7754 7755 case Q_DEFAULT: 7756 case Q_OR: 7757 b0 = gen_ahostop(eaddr, Q_SRC); 7758 b1 = gen_ahostop(eaddr, Q_DST); 7759 gen_or(b0, b1); 7760 return b1; 7761 } 7762 abort(); 7763 /* NOTREACHED */ 7764 } 7765 7766 /* 7767 * support IEEE 802.1Q VLAN trunk over ethernet 7768 */ 7769 struct block * 7770 gen_vlan(vlan_num) 7771 int vlan_num; 7772 { 7773 struct block *b0, *b1; 7774 7775 /* can't check for VLAN-encapsulated packets inside MPLS */ 7776 if (label_stack_depth > 0) 7777 bpf_error("no VLAN match after MPLS"); 7778 7779 /* 7780 * Check for a VLAN packet, and then change the offsets to point 7781 * to the type and data fields within the VLAN packet. Just 7782 * increment the offsets, so that we can support a hierarchy, e.g. 7783 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7784 * VLAN 100. 7785 * 7786 * XXX - this is a bit of a kludge. If we were to split the 7787 * compiler into a parser that parses an expression and 7788 * generates an expression tree, and a code generator that 7789 * takes an expression tree (which could come from our 7790 * parser or from some other parser) and generates BPF code, 7791 * we could perhaps make the offsets parameters of routines 7792 * and, in the handler for an "AND" node, pass to subnodes 7793 * other than the VLAN node the adjusted offsets. 7794 * 7795 * This would mean that "vlan" would, instead of changing the 7796 * behavior of *all* tests after it, change only the behavior 7797 * of tests ANDed with it. That would change the documented 7798 * semantics of "vlan", which might break some expressions. 7799 * However, it would mean that "(vlan and ip) or ip" would check 7800 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7801 * checking only for VLAN-encapsulated IP, so that could still 7802 * be considered worth doing; it wouldn't break expressions 7803 * that are of the form "vlan and ..." or "vlan N and ...", 7804 * which I suspect are the most common expressions involving 7805 * "vlan". "vlan or ..." doesn't necessarily do what the user 7806 * would really want, now, as all the "or ..." tests would 7807 * be done assuming a VLAN, even though the "or" could be viewed 7808 * as meaning "or, if this isn't a VLAN packet...". 7809 */ 7810 orig_nl = off_nl; 7811 7812 switch (linktype) { 7813 7814 case DLT_EN10MB: 7815 /* check for VLAN */ 7816 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7817 (bpf_int32)ETHERTYPE_8021Q); 7818 7819 /* If a specific VLAN is requested, check VLAN id */ 7820 if (vlan_num >= 0) { 7821 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7822 (bpf_int32)vlan_num, 0x0fff); 7823 gen_and(b0, b1); 7824 b0 = b1; 7825 } 7826 7827 off_macpl += 4; 7828 off_linktype += 4; 7829 #if 0 7830 off_nl_nosnap += 4; 7831 off_nl += 4; 7832 #endif 7833 break; 7834 7835 default: 7836 bpf_error("no VLAN support for data link type %d", 7837 linktype); 7838 /*NOTREACHED*/ 7839 } 7840 7841 return (b0); 7842 } 7843 7844 /* 7845 * support for MPLS 7846 */ 7847 struct block * 7848 gen_mpls(label_num) 7849 int label_num; 7850 { 7851 struct block *b0,*b1; 7852 7853 /* 7854 * Change the offsets to point to the type and data fields within 7855 * the MPLS packet. Just increment the offsets, so that we 7856 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7857 * capture packets with an outer label of 100000 and an inner 7858 * label of 1024. 7859 * 7860 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7861 */ 7862 orig_nl = off_nl; 7863 7864 if (label_stack_depth > 0) { 7865 /* just match the bottom-of-stack bit clear */ 7866 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7867 } else { 7868 /* 7869 * Indicate that we're checking MPLS-encapsulated headers, 7870 * to make sure higher level code generators don't try to 7871 * match against IP-related protocols such as Q_ARP, Q_RARP 7872 * etc. 7873 */ 7874 switch (linktype) { 7875 7876 case DLT_C_HDLC: /* fall through */ 7877 case DLT_EN10MB: 7878 b0 = gen_linktype(ETHERTYPE_MPLS); 7879 break; 7880 7881 case DLT_PPP: 7882 b0 = gen_linktype(PPP_MPLS_UCAST); 7883 break; 7884 7885 /* FIXME add other DLT_s ... 7886 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7887 * leave it for now */ 7888 7889 default: 7890 bpf_error("no MPLS support for data link type %d", 7891 linktype); 7892 b0 = NULL; 7893 /*NOTREACHED*/ 7894 break; 7895 } 7896 } 7897 7898 /* If a specific MPLS label is requested, check it */ 7899 if (label_num >= 0) { 7900 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7901 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 7902 0xfffff000); /* only compare the first 20 bits */ 7903 gen_and(b0, b1); 7904 b0 = b1; 7905 } 7906 7907 off_nl_nosnap += 4; 7908 off_nl += 4; 7909 label_stack_depth++; 7910 return (b0); 7911 } 7912 7913 /* 7914 * Support PPPOE discovery and session. 7915 */ 7916 struct block * 7917 gen_pppoed() 7918 { 7919 /* check for PPPoE discovery */ 7920 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 7921 } 7922 7923 struct block * 7924 gen_pppoes() 7925 { 7926 struct block *b0; 7927 7928 /* 7929 * Test against the PPPoE session link-layer type. 7930 */ 7931 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 7932 7933 /* 7934 * Change the offsets to point to the type and data fields within 7935 * the PPP packet, and note that this is PPPoE rather than 7936 * raw PPP. 7937 * 7938 * XXX - this is a bit of a kludge. If we were to split the 7939 * compiler into a parser that parses an expression and 7940 * generates an expression tree, and a code generator that 7941 * takes an expression tree (which could come from our 7942 * parser or from some other parser) and generates BPF code, 7943 * we could perhaps make the offsets parameters of routines 7944 * and, in the handler for an "AND" node, pass to subnodes 7945 * other than the PPPoE node the adjusted offsets. 7946 * 7947 * This would mean that "pppoes" would, instead of changing the 7948 * behavior of *all* tests after it, change only the behavior 7949 * of tests ANDed with it. That would change the documented 7950 * semantics of "pppoes", which might break some expressions. 7951 * However, it would mean that "(pppoes and ip) or ip" would check 7952 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7953 * checking only for VLAN-encapsulated IP, so that could still 7954 * be considered worth doing; it wouldn't break expressions 7955 * that are of the form "pppoes and ..." which I suspect are the 7956 * most common expressions involving "pppoes". "pppoes or ..." 7957 * doesn't necessarily do what the user would really want, now, 7958 * as all the "or ..." tests would be done assuming PPPoE, even 7959 * though the "or" could be viewed as meaning "or, if this isn't 7960 * a PPPoE packet...". 7961 */ 7962 orig_linktype = off_linktype; /* save original values */ 7963 orig_nl = off_nl; 7964 is_pppoes = 1; 7965 7966 /* 7967 * The "network-layer" protocol is PPPoE, which has a 6-byte 7968 * PPPoE header, followed by a PPP packet. 7969 * 7970 * There is no HDLC encapsulation for the PPP packet (it's 7971 * encapsulated in PPPoES instead), so the link-layer type 7972 * starts at the first byte of the PPP packet. For PPPoE, 7973 * that offset is relative to the beginning of the total 7974 * link-layer payload, including any 802.2 LLC header, so 7975 * it's 6 bytes past off_nl. 7976 */ 7977 off_linktype = off_nl + 6; 7978 7979 /* 7980 * The network-layer offsets are relative to the beginning 7981 * of the MAC-layer payload; that's past the 6-byte 7982 * PPPoE header and the 2-byte PPP header. 7983 */ 7984 off_nl = 6+2; 7985 off_nl_nosnap = 6+2; 7986 7987 return b0; 7988 } 7989 7990 struct block * 7991 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7992 int atmfield; 7993 bpf_int32 jvalue; 7994 bpf_u_int32 jtype; 7995 int reverse; 7996 { 7997 struct block *b0; 7998 7999 switch (atmfield) { 8000 8001 case A_VPI: 8002 if (!is_atm) 8003 bpf_error("'vpi' supported only on raw ATM"); 8004 if (off_vpi == (u_int)-1) 8005 abort(); 8006 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8007 reverse, jvalue); 8008 break; 8009 8010 case A_VCI: 8011 if (!is_atm) 8012 bpf_error("'vci' supported only on raw ATM"); 8013 if (off_vci == (u_int)-1) 8014 abort(); 8015 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8016 reverse, jvalue); 8017 break; 8018 8019 case A_PROTOTYPE: 8020 if (off_proto == (u_int)-1) 8021 abort(); /* XXX - this isn't on FreeBSD */ 8022 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8023 reverse, jvalue); 8024 break; 8025 8026 case A_MSGTYPE: 8027 if (off_payload == (u_int)-1) 8028 abort(); 8029 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8030 0xffffffff, jtype, reverse, jvalue); 8031 break; 8032 8033 case A_CALLREFTYPE: 8034 if (!is_atm) 8035 bpf_error("'callref' supported only on raw ATM"); 8036 if (off_proto == (u_int)-1) 8037 abort(); 8038 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8039 jtype, reverse, jvalue); 8040 break; 8041 8042 default: 8043 abort(); 8044 } 8045 return b0; 8046 } 8047 8048 struct block * 8049 gen_atmtype_abbrev(type) 8050 int type; 8051 { 8052 struct block *b0, *b1; 8053 8054 switch (type) { 8055 8056 case A_METAC: 8057 /* Get all packets in Meta signalling Circuit */ 8058 if (!is_atm) 8059 bpf_error("'metac' supported only on raw ATM"); 8060 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8061 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8062 gen_and(b0, b1); 8063 break; 8064 8065 case A_BCC: 8066 /* Get all packets in Broadcast Circuit*/ 8067 if (!is_atm) 8068 bpf_error("'bcc' supported only on raw ATM"); 8069 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8070 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8071 gen_and(b0, b1); 8072 break; 8073 8074 case A_OAMF4SC: 8075 /* Get all cells in Segment OAM F4 circuit*/ 8076 if (!is_atm) 8077 bpf_error("'oam4sc' supported only on raw ATM"); 8078 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8079 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8080 gen_and(b0, b1); 8081 break; 8082 8083 case A_OAMF4EC: 8084 /* Get all cells in End-to-End OAM F4 Circuit*/ 8085 if (!is_atm) 8086 bpf_error("'oam4ec' supported only on raw ATM"); 8087 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8088 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8089 gen_and(b0, b1); 8090 break; 8091 8092 case A_SC: 8093 /* Get all packets in connection Signalling Circuit */ 8094 if (!is_atm) 8095 bpf_error("'sc' supported only on raw ATM"); 8096 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8097 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8098 gen_and(b0, b1); 8099 break; 8100 8101 case A_ILMIC: 8102 /* Get all packets in ILMI Circuit */ 8103 if (!is_atm) 8104 bpf_error("'ilmic' supported only on raw ATM"); 8105 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8106 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8107 gen_and(b0, b1); 8108 break; 8109 8110 case A_LANE: 8111 /* Get all LANE packets */ 8112 if (!is_atm) 8113 bpf_error("'lane' supported only on raw ATM"); 8114 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8115 8116 /* 8117 * Arrange that all subsequent tests assume LANE 8118 * rather than LLC-encapsulated packets, and set 8119 * the offsets appropriately for LANE-encapsulated 8120 * Ethernet. 8121 * 8122 * "off_mac" is the offset of the Ethernet header, 8123 * which is 2 bytes past the ATM pseudo-header 8124 * (skipping the pseudo-header and 2-byte LE Client 8125 * field). The other offsets are Ethernet offsets 8126 * relative to "off_mac". 8127 */ 8128 is_lane = 1; 8129 off_mac = off_payload + 2; /* MAC header */ 8130 off_linktype = off_mac + 12; 8131 off_macpl = off_mac + 14; /* Ethernet */ 8132 off_nl = 0; /* Ethernet II */ 8133 off_nl_nosnap = 3; /* 802.3+802.2 */ 8134 break; 8135 8136 case A_LLC: 8137 /* Get all LLC-encapsulated packets */ 8138 if (!is_atm) 8139 bpf_error("'llc' supported only on raw ATM"); 8140 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8141 is_lane = 0; 8142 break; 8143 8144 default: 8145 abort(); 8146 } 8147 return b1; 8148 } 8149 8150 /* 8151 * Filtering for MTP2 messages based on li value 8152 * FISU, length is null 8153 * LSSU, length is 1 or 2 8154 * MSU, length is 3 or more 8155 */ 8156 struct block * 8157 gen_mtp2type_abbrev(type) 8158 int type; 8159 { 8160 struct block *b0, *b1; 8161 8162 switch (type) { 8163 8164 case M_FISU: 8165 if ( (linktype != DLT_MTP2) && 8166 (linktype != DLT_ERF) && 8167 (linktype != DLT_MTP2_WITH_PHDR) ) 8168 bpf_error("'fisu' supported only on MTP2"); 8169 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8170 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8171 break; 8172 8173 case M_LSSU: 8174 if ( (linktype != DLT_MTP2) && 8175 (linktype != DLT_ERF) && 8176 (linktype != DLT_MTP2_WITH_PHDR) ) 8177 bpf_error("'lssu' supported only on MTP2"); 8178 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8179 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8180 gen_and(b1, b0); 8181 break; 8182 8183 case M_MSU: 8184 if ( (linktype != DLT_MTP2) && 8185 (linktype != DLT_ERF) && 8186 (linktype != DLT_MTP2_WITH_PHDR) ) 8187 bpf_error("'msu' supported only on MTP2"); 8188 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8189 break; 8190 8191 default: 8192 abort(); 8193 } 8194 return b0; 8195 } 8196 8197 struct block * 8198 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8199 int mtp3field; 8200 bpf_u_int32 jvalue; 8201 bpf_u_int32 jtype; 8202 int reverse; 8203 { 8204 struct block *b0; 8205 bpf_u_int32 val1 , val2 , val3; 8206 8207 switch (mtp3field) { 8208 8209 case M_SIO: 8210 if (off_sio == (u_int)-1) 8211 bpf_error("'sio' supported only on SS7"); 8212 /* sio coded on 1 byte so max value 255 */ 8213 if(jvalue > 255) 8214 bpf_error("sio value %u too big; max value = 255", 8215 jvalue); 8216 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8217 (u_int)jtype, reverse, (u_int)jvalue); 8218 break; 8219 8220 case M_OPC: 8221 if (off_opc == (u_int)-1) 8222 bpf_error("'opc' supported only on SS7"); 8223 /* opc coded on 14 bits so max value 16383 */ 8224 if (jvalue > 16383) 8225 bpf_error("opc value %u too big; max value = 16383", 8226 jvalue); 8227 /* the following instructions are made to convert jvalue 8228 * to the form used to write opc in an ss7 message*/ 8229 val1 = jvalue & 0x00003c00; 8230 val1 = val1 >>10; 8231 val2 = jvalue & 0x000003fc; 8232 val2 = val2 <<6; 8233 val3 = jvalue & 0x00000003; 8234 val3 = val3 <<22; 8235 jvalue = val1 + val2 + val3; 8236 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8237 (u_int)jtype, reverse, (u_int)jvalue); 8238 break; 8239 8240 case M_DPC: 8241 if (off_dpc == (u_int)-1) 8242 bpf_error("'dpc' supported only on SS7"); 8243 /* dpc coded on 14 bits so max value 16383 */ 8244 if (jvalue > 16383) 8245 bpf_error("dpc value %u too big; max value = 16383", 8246 jvalue); 8247 /* the following instructions are made to convert jvalue 8248 * to the forme used to write dpc in an ss7 message*/ 8249 val1 = jvalue & 0x000000ff; 8250 val1 = val1 << 24; 8251 val2 = jvalue & 0x00003f00; 8252 val2 = val2 << 8; 8253 jvalue = val1 + val2; 8254 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8255 (u_int)jtype, reverse, (u_int)jvalue); 8256 break; 8257 8258 case M_SLS: 8259 if (off_sls == (u_int)-1) 8260 bpf_error("'sls' supported only on SS7"); 8261 /* sls coded on 4 bits so max value 15 */ 8262 if (jvalue > 15) 8263 bpf_error("sls value %u too big; max value = 15", 8264 jvalue); 8265 /* the following instruction is made to convert jvalue 8266 * to the forme used to write sls in an ss7 message*/ 8267 jvalue = jvalue << 4; 8268 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8269 (u_int)jtype,reverse, (u_int)jvalue); 8270 break; 8271 8272 default: 8273 abort(); 8274 } 8275 return b0; 8276 } 8277 8278 static struct block * 8279 gen_msg_abbrev(type) 8280 int type; 8281 { 8282 struct block *b1; 8283 8284 /* 8285 * Q.2931 signalling protocol messages for handling virtual circuits 8286 * establishment and teardown 8287 */ 8288 switch (type) { 8289 8290 case A_SETUP: 8291 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8292 break; 8293 8294 case A_CALLPROCEED: 8295 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8296 break; 8297 8298 case A_CONNECT: 8299 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8300 break; 8301 8302 case A_CONNECTACK: 8303 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8304 break; 8305 8306 case A_RELEASE: 8307 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8308 break; 8309 8310 case A_RELEASE_DONE: 8311 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8312 break; 8313 8314 default: 8315 abort(); 8316 } 8317 return b1; 8318 } 8319 8320 struct block * 8321 gen_atmmulti_abbrev(type) 8322 int type; 8323 { 8324 struct block *b0, *b1; 8325 8326 switch (type) { 8327 8328 case A_OAM: 8329 if (!is_atm) 8330 bpf_error("'oam' supported only on raw ATM"); 8331 b1 = gen_atmmulti_abbrev(A_OAMF4); 8332 break; 8333 8334 case A_OAMF4: 8335 if (!is_atm) 8336 bpf_error("'oamf4' supported only on raw ATM"); 8337 /* OAM F4 type */ 8338 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8339 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8340 gen_or(b0, b1); 8341 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8342 gen_and(b0, b1); 8343 break; 8344 8345 case A_CONNECTMSG: 8346 /* 8347 * Get Q.2931 signalling messages for switched 8348 * virtual connection 8349 */ 8350 if (!is_atm) 8351 bpf_error("'connectmsg' supported only on raw ATM"); 8352 b0 = gen_msg_abbrev(A_SETUP); 8353 b1 = gen_msg_abbrev(A_CALLPROCEED); 8354 gen_or(b0, b1); 8355 b0 = gen_msg_abbrev(A_CONNECT); 8356 gen_or(b0, b1); 8357 b0 = gen_msg_abbrev(A_CONNECTACK); 8358 gen_or(b0, b1); 8359 b0 = gen_msg_abbrev(A_RELEASE); 8360 gen_or(b0, b1); 8361 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8362 gen_or(b0, b1); 8363 b0 = gen_atmtype_abbrev(A_SC); 8364 gen_and(b0, b1); 8365 break; 8366 8367 case A_METACONNECT: 8368 if (!is_atm) 8369 bpf_error("'metaconnect' supported only on raw ATM"); 8370 b0 = gen_msg_abbrev(A_SETUP); 8371 b1 = gen_msg_abbrev(A_CALLPROCEED); 8372 gen_or(b0, b1); 8373 b0 = gen_msg_abbrev(A_CONNECT); 8374 gen_or(b0, b1); 8375 b0 = gen_msg_abbrev(A_RELEASE); 8376 gen_or(b0, b1); 8377 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8378 gen_or(b0, b1); 8379 b0 = gen_atmtype_abbrev(A_METAC); 8380 gen_and(b0, b1); 8381 break; 8382 8383 default: 8384 abort(); 8385 } 8386 return b1; 8387 } 8388