1 /* $NetBSD: gencode.c,v 1.10 2017/08/12 00:43:25 ginsbach Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 25 #include <sys/cdefs.h> 26 __RCSID("$NetBSD: gencode.c,v 1.10 2017/08/12 00:43:25 ginsbach Exp $"); 27 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #ifdef _WIN32 33 #include <pcap-stdinc.h> 34 #else /* _WIN32 */ 35 #if HAVE_INTTYPES_H 36 #include <inttypes.h> 37 #elif HAVE_STDINT_H 38 #include <stdint.h> 39 #endif 40 #ifdef HAVE_SYS_BITYPES_H 41 #include <sys/bitypes.h> 42 #endif 43 #include <sys/types.h> 44 #include <sys/socket.h> 45 #endif /* _WIN32 */ 46 47 #ifndef _WIN32 48 49 #ifdef __NetBSD__ 50 #include <sys/param.h> 51 #include <net/dlt.h> 52 #endif 53 54 #include <netinet/in.h> 55 #include <arpa/inet.h> 56 57 #endif /* _WIN32 */ 58 59 #include <stdlib.h> 60 #include <string.h> 61 #include <memory.h> 62 #include <setjmp.h> 63 #include <stdarg.h> 64 65 #ifdef MSDOS 66 #include "pcap-dos.h" 67 #endif 68 69 #include "pcap-int.h" 70 71 #include "ethertype.h" 72 #include "nlpid.h" 73 #include "llc.h" 74 #include "gencode.h" 75 #include "ieee80211.h" 76 #include "atmuni31.h" 77 #include "sunatmpos.h" 78 #include "ppp.h" 79 #include "pcap/sll.h" 80 #include "pcap/ipnet.h" 81 #include "arcnet.h" 82 83 #include "grammar.h" 84 #include "scanner.h" 85 86 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 87 #include <linux/types.h> 88 #include <linux/if_packet.h> 89 #include <linux/filter.h> 90 #endif 91 92 #ifdef HAVE_NET_PFVAR_H 93 #include <sys/socket.h> 94 #include <net/if.h> 95 #include <net/pfvar.h> 96 #include <net/if_pflog.h> 97 #endif 98 99 #ifndef offsetof 100 #define offsetof(s, e) ((size_t)&((s *)0)->e) 101 #endif 102 103 #ifdef INET6 104 #ifdef _WIN32 105 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 106 /* IPv6 address */ 107 struct in6_addr 108 { 109 union 110 { 111 u_int8_t u6_addr8[16]; 112 u_int16_t u6_addr16[8]; 113 u_int32_t u6_addr32[4]; 114 } in6_u; 115 #define s6_addr in6_u.u6_addr8 116 #define s6_addr16 in6_u.u6_addr16 117 #define s6_addr32 in6_u.u6_addr32 118 #define s6_addr64 in6_u.u6_addr64 119 }; 120 121 typedef unsigned short sa_family_t; 122 123 #define __SOCKADDR_COMMON(sa_prefix) \ 124 sa_family_t sa_prefix##family 125 126 /* Ditto, for IPv6. */ 127 struct sockaddr_in6 128 { 129 __SOCKADDR_COMMON (sin6_); 130 u_int16_t sin6_port; /* Transport layer port # */ 131 u_int32_t sin6_flowinfo; /* IPv6 flow information */ 132 struct in6_addr sin6_addr; /* IPv6 address */ 133 }; 134 135 #ifndef EAI_ADDRFAMILY 136 struct addrinfo { 137 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 138 int ai_family; /* PF_xxx */ 139 int ai_socktype; /* SOCK_xxx */ 140 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 141 size_t ai_addrlen; /* length of ai_addr */ 142 char *ai_canonname; /* canonical name for hostname */ 143 struct sockaddr *ai_addr; /* binary address */ 144 struct addrinfo *ai_next; /* next structure in linked list */ 145 }; 146 #endif /* EAI_ADDRFAMILY */ 147 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 148 #else /* _WIN32 */ 149 #include <netdb.h> /* for "struct addrinfo" */ 150 #endif /* _WIN32 */ 151 #endif /* INET6 */ 152 #include <pcap/namedb.h> 153 154 #include "nametoaddr.h" 155 156 #define ETHERMTU 1500 157 158 #ifndef ETHERTYPE_TEB 159 #define ETHERTYPE_TEB 0x6558 160 #endif 161 162 #ifndef IPPROTO_HOPOPTS 163 #define IPPROTO_HOPOPTS 0 164 #endif 165 #ifndef IPPROTO_ROUTING 166 #define IPPROTO_ROUTING 43 167 #endif 168 #ifndef IPPROTO_FRAGMENT 169 #define IPPROTO_FRAGMENT 44 170 #endif 171 #ifndef IPPROTO_DSTOPTS 172 #define IPPROTO_DSTOPTS 60 173 #endif 174 #ifndef IPPROTO_SCTP 175 #define IPPROTO_SCTP 132 176 #endif 177 178 #define GENEVE_PORT 6081 179 180 #ifdef HAVE_OS_PROTO_H 181 #include "os-proto.h" 182 #endif 183 184 #define JMP(c) ((c)|BPF_JMP|BPF_K) 185 186 /* 187 * "Push" the current value of the link-layer header type and link-layer 188 * header offset onto a "stack", and set a new value. (It's not a 189 * full-blown stack; we keep only the top two items.) 190 */ 191 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 192 { \ 193 (cs)->prevlinktype = (cs)->linktype; \ 194 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 195 (cs)->linktype = (new_linktype); \ 196 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 197 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 198 (cs)->off_linkhdr.reg = (new_reg); \ 199 (cs)->is_geneve = 0; \ 200 } 201 202 /* 203 * Offset "not set" value. 204 */ 205 #define OFFSET_NOT_SET 0xffffffffU 206 207 /* 208 * Absolute offsets, which are offsets from the beginning of the raw 209 * packet data, are, in the general case, the sum of a variable value 210 * and a constant value; the variable value may be absent, in which 211 * case the offset is only the constant value, and the constant value 212 * may be zero, in which case the offset is only the variable value. 213 * 214 * bpf_abs_offset is a structure containing all that information: 215 * 216 * is_variable is 1 if there's a variable part. 217 * 218 * constant_part is the constant part of the value, possibly zero; 219 * 220 * if is_variable is 1, reg is the register number for a register 221 * containing the variable value if the register has been assigned, 222 * and -1 otherwise. 223 */ 224 typedef struct { 225 int is_variable; 226 u_int constant_part; 227 int reg; 228 } bpf_abs_offset; 229 230 /* 231 * Value passed to gen_load_a() to indicate what the offset argument 232 * is relative to the beginning of. 233 */ 234 enum e_offrel { 235 OR_PACKET, /* full packet data */ 236 OR_LINKHDR, /* link-layer header */ 237 OR_PREVLINKHDR, /* previous link-layer header */ 238 OR_LLC, /* 802.2 LLC header */ 239 OR_PREVMPLSHDR, /* previous MPLS header */ 240 OR_LINKTYPE, /* link-layer type */ 241 OR_LINKPL, /* link-layer payload */ 242 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 243 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 244 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 245 }; 246 247 /* 248 * We divy out chunks of memory rather than call malloc each time so 249 * we don't have to worry about leaking memory. It's probably 250 * not a big deal if all this memory was wasted but if this ever 251 * goes into a library that would probably not be a good idea. 252 * 253 * XXX - this *is* in a library.... 254 */ 255 #define NCHUNKS 16 256 #define CHUNK0SIZE 1024 257 struct chunk { 258 size_t n_left; 259 void *m; 260 }; 261 262 /* Code generator state */ 263 264 struct _compiler_state { 265 jmp_buf top_ctx; 266 pcap_t *bpf_pcap; 267 268 struct icode ic; 269 270 int snaplen; 271 272 int linktype; 273 int prevlinktype; 274 int outermostlinktype; 275 276 bpf_u_int32 netmask; 277 int no_optimize; 278 279 /* Hack for handling VLAN and MPLS stacks. */ 280 u_int label_stack_depth; 281 u_int vlan_stack_depth; 282 283 /* XXX */ 284 u_int pcap_fddipad; 285 286 #ifdef INET6 287 /* 288 * As errors are handled by a longjmp, anything allocated must 289 * be freed in the longjmp handler, so it must be reachable 290 * from that handler. 291 * 292 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 293 * it must be freed with freeaddrinfo(). This variable points to 294 * any addrinfo structure that would need to be freed. 295 */ 296 struct addrinfo *ai; 297 #endif 298 299 /* 300 * Various code constructs need to know the layout of the packet. 301 * These values give the necessary offsets from the beginning 302 * of the packet data. 303 */ 304 305 /* 306 * Absolute offset of the beginning of the link-layer header. 307 */ 308 bpf_abs_offset off_linkhdr; 309 310 /* 311 * If we're checking a link-layer header for a packet encapsulated 312 * in another protocol layer, this is the equivalent information 313 * for the previous layers' link-layer header from the beginning 314 * of the raw packet data. 315 */ 316 bpf_abs_offset off_prevlinkhdr; 317 318 /* 319 * This is the equivalent information for the outermost layers' 320 * link-layer header. 321 */ 322 bpf_abs_offset off_outermostlinkhdr; 323 324 /* 325 * Absolute offset of the beginning of the link-layer payload. 326 */ 327 bpf_abs_offset off_linkpl; 328 329 /* 330 * "off_linktype" is the offset to information in the link-layer 331 * header giving the packet type. This is an absolute offset 332 * from the beginning of the packet. 333 * 334 * For Ethernet, it's the offset of the Ethernet type field; this 335 * means that it must have a value that skips VLAN tags. 336 * 337 * For link-layer types that always use 802.2 headers, it's the 338 * offset of the LLC header; this means that it must have a value 339 * that skips VLAN tags. 340 * 341 * For PPP, it's the offset of the PPP type field. 342 * 343 * For Cisco HDLC, it's the offset of the CHDLC type field. 344 * 345 * For BSD loopback, it's the offset of the AF_ value. 346 * 347 * For Linux cooked sockets, it's the offset of the type field. 348 * 349 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 350 * encapsulation, in which case, IP is assumed. 351 */ 352 bpf_abs_offset off_linktype; 353 354 /* 355 * TRUE if the link layer includes an ATM pseudo-header. 356 */ 357 int is_atm; 358 359 /* 360 * TRUE if "geneve" appeared in the filter; it causes us to 361 * generate code that checks for a Geneve header and assume 362 * that later filters apply to the encapsulated payload. 363 */ 364 int is_geneve; 365 366 /* 367 * These are offsets for the ATM pseudo-header. 368 */ 369 u_int off_vpi; 370 u_int off_vci; 371 u_int off_proto; 372 373 /* 374 * These are offsets for the MTP2 fields. 375 */ 376 u_int off_li; 377 u_int off_li_hsl; 378 379 /* 380 * These are offsets for the MTP3 fields. 381 */ 382 u_int off_sio; 383 u_int off_opc; 384 u_int off_dpc; 385 u_int off_sls; 386 387 /* 388 * This is the offset of the first byte after the ATM pseudo_header, 389 * or -1 if there is no ATM pseudo-header. 390 */ 391 u_int off_payload; 392 393 /* 394 * These are offsets to the beginning of the network-layer header. 395 * They are relative to the beginning of the link-layer payload 396 * (i.e., they don't include off_linkhdr.constant_part or 397 * off_linkpl.constant_part). 398 * 399 * If the link layer never uses 802.2 LLC: 400 * 401 * "off_nl" and "off_nl_nosnap" are the same. 402 * 403 * If the link layer always uses 802.2 LLC: 404 * 405 * "off_nl" is the offset if there's a SNAP header following 406 * the 802.2 header; 407 * 408 * "off_nl_nosnap" is the offset if there's no SNAP header. 409 * 410 * If the link layer is Ethernet: 411 * 412 * "off_nl" is the offset if the packet is an Ethernet II packet 413 * (we assume no 802.3+802.2+SNAP); 414 * 415 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 416 * with an 802.2 header following it. 417 */ 418 u_int off_nl; 419 u_int off_nl_nosnap; 420 421 /* 422 * Here we handle simple allocation of the scratch registers. 423 * If too many registers are alloc'd, the allocator punts. 424 */ 425 int regused[BPF_MEMWORDS]; 426 int curreg; 427 428 /* 429 * Memory chunks. 430 */ 431 struct chunk chunks[NCHUNKS]; 432 int cur_chunk; 433 }; 434 435 void 436 bpf_syntax_error(compiler_state_t *cstate, const char *msg) 437 { 438 bpf_error(cstate, "syntax error in filter expression: %s", msg); 439 /* NOTREACHED */ 440 } 441 442 /* VARARGS */ 443 void 444 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 445 { 446 va_list ap; 447 448 va_start(ap, fmt); 449 if (cstate->bpf_pcap != NULL) 450 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap), 451 PCAP_ERRBUF_SIZE, fmt, ap); 452 va_end(ap); 453 longjmp(cstate->top_ctx, 1); 454 /* NOTREACHED */ 455 } 456 457 static void init_linktype(compiler_state_t *, pcap_t *); 458 459 static void init_regs(compiler_state_t *); 460 static int alloc_reg(compiler_state_t *); 461 static void free_reg(compiler_state_t *, int); 462 463 static void initchunks(compiler_state_t *cstate); 464 static void *newchunk(compiler_state_t *cstate, size_t); 465 static void freechunks(compiler_state_t *cstate); 466 static inline struct block *new_block(compiler_state_t *cstate, int); 467 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 468 static struct block *gen_retblk(compiler_state_t *cstate, int); 469 static inline void syntax(compiler_state_t *cstate); 470 471 static void backpatch(struct block *, struct block *); 472 static void merge(struct block *, struct block *); 473 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 474 u_int, bpf_int32); 475 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 476 u_int, bpf_int32); 477 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 478 u_int, bpf_int32); 479 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 480 u_int, bpf_int32); 481 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 482 u_int, bpf_int32); 483 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 484 u_int, bpf_int32, bpf_u_int32); 485 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 486 u_int, const u_char *); 487 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 488 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 489 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 490 u_int, u_int); 491 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 492 u_int); 493 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 494 static struct block *gen_uncond(compiler_state_t *, int); 495 static inline struct block *gen_true(compiler_state_t *); 496 static inline struct block *gen_false(compiler_state_t *); 497 static struct block *gen_ether_linktype(compiler_state_t *, int); 498 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 499 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 500 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 501 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 502 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 503 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 504 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 505 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 506 bpf_abs_offset *); 507 static int ethertype_to_ppptype(int); 508 static struct block *gen_linktype(compiler_state_t *, int); 509 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 510 static struct block *gen_llc_linktype(compiler_state_t *, int); 511 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 512 int, int, u_int, u_int); 513 #ifdef INET6 514 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 515 struct in6_addr *, int, int, u_int, u_int); 516 #endif 517 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 518 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 519 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 520 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 521 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 522 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 523 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 524 static struct block *gen_mpls_linktype(compiler_state_t *, int); 525 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 526 int, int, int); 527 #ifdef INET6 528 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 529 struct in6_addr *, int, int, int); 530 #endif 531 #ifndef INET6 532 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 533 #endif 534 static struct block *gen_ipfrag(compiler_state_t *); 535 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 536 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 537 bpf_int32); 538 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 539 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 540 bpf_int32); 541 struct block *gen_portop(compiler_state_t *, int, int, int); 542 static struct block *gen_port(compiler_state_t *, int, int, int); 543 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 544 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 545 struct block *gen_portop6(compiler_state_t *, int, int, int); 546 static struct block *gen_port6(compiler_state_t *, int, int, int); 547 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 548 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 549 static int lookup_proto(compiler_state_t *, const char *, int); 550 static struct block *gen_protochain(compiler_state_t *, int, int, int); 551 static struct block *gen_proto(compiler_state_t *, int, int, int); 552 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 553 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 554 static struct block *gen_mac_multicast(compiler_state_t *, int); 555 static struct block *gen_len(compiler_state_t *, int, int); 556 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 557 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 558 559 static struct block *gen_ppi_dlt_check(compiler_state_t *); 560 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 561 562 static void 563 initchunks(compiler_state_t *cstate) 564 { 565 int i; 566 567 for (i = 0; i < NCHUNKS; i++) { 568 cstate->chunks[i].n_left = 0; 569 cstate->chunks[i].m = NULL; 570 } 571 cstate->cur_chunk = 0; 572 } 573 574 static void * 575 newchunk(compiler_state_t *cstate, size_t n) 576 { 577 struct chunk *cp; 578 int k; 579 size_t size; 580 581 #ifndef __NetBSD__ 582 /* XXX Round up to nearest long. */ 583 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 584 #else 585 /* XXX Round up to structure boundary. */ 586 n = ALIGN(n); 587 #endif 588 589 cp = &cstate->chunks[cstate->cur_chunk]; 590 if (n > cp->n_left) { 591 ++cp, k = ++cstate->cur_chunk; 592 if (k >= NCHUNKS) 593 bpf_error(cstate, "out of memory"); 594 size = CHUNK0SIZE << k; 595 cp->m = (void *)malloc(size); 596 if (cp->m == NULL) 597 bpf_error(cstate, "out of memory"); 598 memset((char *)cp->m, 0, size); 599 cp->n_left = size; 600 if (n > size) 601 bpf_error(cstate, "out of memory"); 602 } 603 cp->n_left -= n; 604 return (void *)((char *)cp->m + cp->n_left); 605 } 606 607 static void 608 freechunks(compiler_state_t *cstate) 609 { 610 int i; 611 612 for (i = 0; i < NCHUNKS; ++i) 613 if (cstate->chunks[i].m != NULL) 614 free(cstate->chunks[i].m); 615 } 616 617 /* 618 * A strdup whose allocations are freed after code generation is over. 619 */ 620 char * 621 sdup(compiler_state_t *cstate, const char *s) 622 { 623 size_t n = strlen(s) + 1; 624 char *cp = newchunk(cstate, n); 625 626 strlcpy(cp, s, n); 627 return (cp); 628 } 629 630 static inline struct block * 631 new_block(compiler_state_t *cstate, int code) 632 { 633 struct block *p; 634 635 p = (struct block *)newchunk(cstate, sizeof(*p)); 636 p->s.code = code; 637 p->head = p; 638 639 return p; 640 } 641 642 static inline struct slist * 643 new_stmt(compiler_state_t *cstate, int code) 644 { 645 struct slist *p; 646 647 p = (struct slist *)newchunk(cstate, sizeof(*p)); 648 p->s.code = code; 649 650 return p; 651 } 652 653 static struct block * 654 gen_retblk(compiler_state_t *cstate, int v) 655 { 656 struct block *b = new_block(cstate, BPF_RET|BPF_K); 657 658 b->s.k = v; 659 return b; 660 } 661 662 __dead static inline void 663 syntax(compiler_state_t *cstate) 664 { 665 bpf_error(cstate, "syntax error in filter expression"); 666 } 667 668 int 669 pcap_compile(pcap_t *p, struct bpf_program *program, 670 const char *buf, int optimize, bpf_u_int32 mask) 671 { 672 #ifdef _WIN32 673 static int done = 0; 674 #endif 675 compiler_state_t cstate; 676 const char * volatile xbuf = buf; 677 yyscan_t scanner = NULL; 678 volatile YY_BUFFER_STATE in_buffer = NULL; 679 u_int len; 680 int rc; 681 682 /* 683 * If this pcap_t hasn't been activated, it doesn't have a 684 * link-layer type, so we can't use it. 685 */ 686 if (!p->activated) { 687 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 688 "not-yet-activated pcap_t passed to pcap_compile"); 689 return -1; 690 } 691 692 #ifdef _WIN32 693 if (!done) 694 pcap_wsockinit(); 695 done = 1; 696 #endif 697 initchunks(&cstate); 698 cstate.no_optimize = 0; 699 cstate.ai = NULL; 700 cstate.ic.root = NULL; 701 cstate.ic.cur_mark = 0; 702 cstate.bpf_pcap = p; 703 init_regs(&cstate); 704 705 if (setjmp(cstate.top_ctx)) { 706 #ifdef INET6 707 if (cstate.ai != NULL) 708 freeaddrinfo(cstate.ai); 709 #endif 710 rc = -1; 711 goto quit; 712 } 713 714 cstate.netmask = mask; 715 716 cstate.snaplen = pcap_snapshot(p); 717 if (cstate.snaplen == 0) { 718 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 719 "snaplen of 0 rejects all packets"); 720 rc = -1; 721 goto quit; 722 } 723 724 if (pcap_lex_init(&scanner) != 0) 725 bpf_error(&cstate, "can't initialize scanner: %s", pcap_strerror(errno)); 726 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 727 728 /* 729 * Associate the compiler state with the lexical analyzer 730 * state. 731 */ 732 pcap_set_extra(&cstate, scanner); 733 734 init_linktype(&cstate, p); 735 (void)pcap_parse(scanner, &cstate); 736 737 if (cstate.ic.root == NULL) 738 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 739 740 if (optimize && !cstate.no_optimize) { 741 bpf_optimize(&cstate, &cstate.ic); 742 if (cstate.ic.root == NULL || 743 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) 744 bpf_error(&cstate, "expression rejects all packets"); 745 } 746 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len); 747 program->bf_len = len; 748 749 rc = 0; /* We're all okay */ 750 751 quit: 752 /* 753 * Clean up everything for the lexical analyzer. 754 */ 755 if (in_buffer != NULL) 756 pcap__delete_buffer(in_buffer, scanner); 757 if (scanner != NULL) 758 pcap_lex_destroy(scanner); 759 760 /* 761 * Clean up our own allocated memory. 762 */ 763 freechunks(&cstate); 764 765 return (rc); 766 } 767 768 /* 769 * entry point for using the compiler with no pcap open 770 * pass in all the stuff that is needed explicitly instead. 771 */ 772 int 773 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 774 struct bpf_program *program, 775 const char *buf, int optimize, bpf_u_int32 mask) 776 { 777 pcap_t *p; 778 int ret; 779 780 p = pcap_open_dead(linktype_arg, snaplen_arg); 781 if (p == NULL) 782 return (-1); 783 ret = pcap_compile(p, program, buf, optimize, mask); 784 pcap_close(p); 785 return (ret); 786 } 787 788 /* 789 * Clean up a "struct bpf_program" by freeing all the memory allocated 790 * in it. 791 */ 792 void 793 pcap_freecode(struct bpf_program *program) 794 { 795 program->bf_len = 0; 796 if (program->bf_insns != NULL) { 797 free((char *)program->bf_insns); 798 program->bf_insns = NULL; 799 } 800 } 801 802 /* 803 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 804 * which of the jt and jf fields has been resolved and which is a pointer 805 * back to another unresolved block (or nil). At least one of the fields 806 * in each block is already resolved. 807 */ 808 static void 809 backpatch(list, target) 810 struct block *list, *target; 811 { 812 struct block *next; 813 814 while (list) { 815 if (!list->sense) { 816 next = JT(list); 817 JT(list) = target; 818 } else { 819 next = JF(list); 820 JF(list) = target; 821 } 822 list = next; 823 } 824 } 825 826 /* 827 * Merge the lists in b0 and b1, using the 'sense' field to indicate 828 * which of jt and jf is the link. 829 */ 830 static void 831 merge(b0, b1) 832 struct block *b0, *b1; 833 { 834 register struct block **p = &b0; 835 836 /* Find end of list. */ 837 while (*p) 838 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 839 840 /* Concatenate the lists. */ 841 *p = b1; 842 } 843 844 void 845 finish_parse(compiler_state_t *cstate, struct block *p) 846 { 847 struct block *ppi_dlt_check; 848 849 /* 850 * Insert before the statements of the first (root) block any 851 * statements needed to load the lengths of any variable-length 852 * headers into registers. 853 * 854 * XXX - a fancier strategy would be to insert those before the 855 * statements of all blocks that use those lengths and that 856 * have no predecessors that use them, so that we only compute 857 * the lengths if we need them. There might be even better 858 * approaches than that. 859 * 860 * However, those strategies would be more complicated, and 861 * as we don't generate code to compute a length if the 862 * program has no tests that use the length, and as most 863 * tests will probably use those lengths, we would just 864 * postpone computing the lengths so that it's not done 865 * for tests that fail early, and it's not clear that's 866 * worth the effort. 867 */ 868 insert_compute_vloffsets(cstate, p->head); 869 870 /* 871 * For DLT_PPI captures, generate a check of the per-packet 872 * DLT value to make sure it's DLT_IEEE802_11. 873 * 874 * XXX - TurboCap cards use DLT_PPI for Ethernet. 875 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 876 * with appropriate Ethernet information and use that rather 877 * than using something such as DLT_PPI where you don't know 878 * the link-layer header type until runtime, which, in the 879 * general case, would force us to generate both Ethernet *and* 880 * 802.11 code (*and* anything else for which PPI is used) 881 * and choose between them early in the BPF program? 882 */ 883 ppi_dlt_check = gen_ppi_dlt_check(cstate); 884 if (ppi_dlt_check != NULL) 885 gen_and(ppi_dlt_check, p); 886 887 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 888 p->sense = !p->sense; 889 backpatch(p, gen_retblk(cstate, 0)); 890 cstate->ic.root = p->head; 891 } 892 893 void 894 gen_and(b0, b1) 895 struct block *b0, *b1; 896 { 897 backpatch(b0, b1->head); 898 b0->sense = !b0->sense; 899 b1->sense = !b1->sense; 900 merge(b1, b0); 901 b1->sense = !b1->sense; 902 b1->head = b0->head; 903 } 904 905 void 906 gen_or(b0, b1) 907 struct block *b0, *b1; 908 { 909 b0->sense = !b0->sense; 910 backpatch(b0, b1->head); 911 b0->sense = !b0->sense; 912 merge(b1, b0); 913 b1->head = b0->head; 914 } 915 916 void 917 gen_not(b) 918 struct block *b; 919 { 920 b->sense = !b->sense; 921 } 922 923 static struct block * 924 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 925 u_int size, bpf_int32 v) 926 { 927 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 928 } 929 930 static struct block * 931 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 932 u_int size, bpf_int32 v) 933 { 934 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 935 } 936 937 static struct block * 938 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 939 u_int size, bpf_int32 v) 940 { 941 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 942 } 943 944 static struct block * 945 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 946 u_int size, bpf_int32 v) 947 { 948 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 949 } 950 951 static struct block * 952 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 953 u_int size, bpf_int32 v) 954 { 955 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 956 } 957 958 static struct block * 959 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 960 u_int size, bpf_int32 v, bpf_u_int32 mask) 961 { 962 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 963 } 964 965 static struct block * 966 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 967 u_int size, const u_char *v) 968 { 969 register struct block *b, *tmp; 970 971 b = NULL; 972 while (size >= 4) { 973 register const u_char *p = &v[size - 4]; 974 bpf_int32 w = ((bpf_int32)p[0] << 24) | 975 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 976 977 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w); 978 if (b != NULL) 979 gen_and(b, tmp); 980 b = tmp; 981 size -= 4; 982 } 983 while (size >= 2) { 984 register const u_char *p = &v[size - 2]; 985 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 986 987 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w); 988 if (b != NULL) 989 gen_and(b, tmp); 990 b = tmp; 991 size -= 2; 992 } 993 if (size > 0) { 994 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 995 if (b != NULL) 996 gen_and(b, tmp); 997 b = tmp; 998 } 999 return b; 1000 } 1001 1002 /* 1003 * AND the field of size "size" at offset "offset" relative to the header 1004 * specified by "offrel" with "mask", and compare it with the value "v" 1005 * with the test specified by "jtype"; if "reverse" is true, the test 1006 * should test the opposite of "jtype". 1007 */ 1008 static struct block * 1009 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1010 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1011 bpf_int32 v) 1012 { 1013 struct slist *s, *s2; 1014 struct block *b; 1015 1016 s = gen_load_a(cstate, offrel, offset, size); 1017 1018 if (mask != 0xffffffff) { 1019 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1020 s2->s.k = mask; 1021 sappend(s, s2); 1022 } 1023 1024 b = new_block(cstate, JMP(jtype)); 1025 b->stmts = s; 1026 b->s.k = v; 1027 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1028 gen_not(b); 1029 return b; 1030 } 1031 1032 static void 1033 init_linktype(compiler_state_t *cstate, pcap_t *p) 1034 { 1035 cstate->pcap_fddipad = p->fddipad; 1036 1037 /* 1038 * We start out with only one link-layer header. 1039 */ 1040 cstate->outermostlinktype = pcap_datalink(p); 1041 cstate->off_outermostlinkhdr.constant_part = 0; 1042 cstate->off_outermostlinkhdr.is_variable = 0; 1043 cstate->off_outermostlinkhdr.reg = -1; 1044 1045 cstate->prevlinktype = cstate->outermostlinktype; 1046 cstate->off_prevlinkhdr.constant_part = 0; 1047 cstate->off_prevlinkhdr.is_variable = 0; 1048 cstate->off_prevlinkhdr.reg = -1; 1049 1050 cstate->linktype = cstate->outermostlinktype; 1051 cstate->off_linkhdr.constant_part = 0; 1052 cstate->off_linkhdr.is_variable = 0; 1053 cstate->off_linkhdr.reg = -1; 1054 1055 /* 1056 * XXX 1057 */ 1058 cstate->off_linkpl.constant_part = 0; 1059 cstate->off_linkpl.is_variable = 0; 1060 cstate->off_linkpl.reg = -1; 1061 1062 cstate->off_linktype.constant_part = 0; 1063 cstate->off_linktype.is_variable = 0; 1064 cstate->off_linktype.reg = -1; 1065 1066 /* 1067 * Assume it's not raw ATM with a pseudo-header, for now. 1068 */ 1069 cstate->is_atm = 0; 1070 cstate->off_vpi = -1; 1071 cstate->off_vci = -1; 1072 cstate->off_proto = -1; 1073 cstate->off_payload = -1; 1074 1075 /* 1076 * And not Geneve. 1077 */ 1078 cstate->is_geneve = 0; 1079 1080 /* 1081 * And assume we're not doing SS7. 1082 */ 1083 cstate->off_li = -1; 1084 cstate->off_li_hsl = -1; 1085 cstate->off_sio = -1; 1086 cstate->off_opc = -1; 1087 cstate->off_dpc = -1; 1088 cstate->off_sls = -1; 1089 1090 cstate->label_stack_depth = 0; 1091 cstate->vlan_stack_depth = 0; 1092 1093 switch (cstate->linktype) { 1094 1095 case DLT_ARCNET: 1096 cstate->off_linktype.constant_part = 2; 1097 cstate->off_linkpl.constant_part = 6; 1098 cstate->off_nl = 0; /* XXX in reality, variable! */ 1099 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1100 break; 1101 1102 case DLT_ARCNET_LINUX: 1103 cstate->off_linktype.constant_part = 4; 1104 cstate->off_linkpl.constant_part = 8; 1105 cstate->off_nl = 0; /* XXX in reality, variable! */ 1106 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1107 break; 1108 1109 case DLT_EN10MB: 1110 cstate->off_linktype.constant_part = 12; 1111 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1112 cstate->off_nl = 0; /* Ethernet II */ 1113 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1114 break; 1115 1116 case DLT_SLIP: 1117 /* 1118 * SLIP doesn't have a link level type. The 16 byte 1119 * header is hacked into our SLIP driver. 1120 */ 1121 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1122 cstate->off_linkpl.constant_part = 16; 1123 cstate->off_nl = 0; 1124 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1125 break; 1126 1127 case DLT_SLIP_BSDOS: 1128 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1129 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1130 /* XXX end */ 1131 cstate->off_linkpl.constant_part = 24; 1132 cstate->off_nl = 0; 1133 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1134 break; 1135 1136 case DLT_NULL: 1137 case DLT_LOOP: 1138 cstate->off_linktype.constant_part = 0; 1139 cstate->off_linkpl.constant_part = 4; 1140 cstate->off_nl = 0; 1141 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1142 break; 1143 1144 case DLT_ENC: 1145 cstate->off_linktype.constant_part = 0; 1146 cstate->off_linkpl.constant_part = 12; 1147 cstate->off_nl = 0; 1148 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1149 break; 1150 1151 case DLT_PPP: 1152 case DLT_PPP_PPPD: 1153 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1154 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1155 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1156 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1157 cstate->off_nl = 0; 1158 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1159 break; 1160 1161 case DLT_PPP_ETHER: 1162 /* 1163 * This does no include the Ethernet header, and 1164 * only covers session state. 1165 */ 1166 cstate->off_linktype.constant_part = 6; 1167 cstate->off_linkpl.constant_part = 8; 1168 cstate->off_nl = 0; 1169 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1170 break; 1171 1172 case DLT_PPP_BSDOS: 1173 cstate->off_linktype.constant_part = 5; 1174 cstate->off_linkpl.constant_part = 24; 1175 cstate->off_nl = 0; 1176 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1177 break; 1178 1179 case DLT_FDDI: 1180 /* 1181 * FDDI doesn't really have a link-level type field. 1182 * We set "off_linktype" to the offset of the LLC header. 1183 * 1184 * To check for Ethernet types, we assume that SSAP = SNAP 1185 * is being used and pick out the encapsulated Ethernet type. 1186 * XXX - should we generate code to check for SNAP? 1187 */ 1188 cstate->off_linktype.constant_part = 13; 1189 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1190 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1191 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1192 cstate->off_nl = 8; /* 802.2+SNAP */ 1193 cstate->off_nl_nosnap = 3; /* 802.2 */ 1194 break; 1195 1196 case DLT_IEEE802: 1197 /* 1198 * Token Ring doesn't really have a link-level type field. 1199 * We set "off_linktype" to the offset of the LLC header. 1200 * 1201 * To check for Ethernet types, we assume that SSAP = SNAP 1202 * is being used and pick out the encapsulated Ethernet type. 1203 * XXX - should we generate code to check for SNAP? 1204 * 1205 * XXX - the header is actually variable-length. 1206 * Some various Linux patched versions gave 38 1207 * as "off_linktype" and 40 as "off_nl"; however, 1208 * if a token ring packet has *no* routing 1209 * information, i.e. is not source-routed, the correct 1210 * values are 20 and 22, as they are in the vanilla code. 1211 * 1212 * A packet is source-routed iff the uppermost bit 1213 * of the first byte of the source address, at an 1214 * offset of 8, has the uppermost bit set. If the 1215 * packet is source-routed, the total number of bytes 1216 * of routing information is 2 plus bits 0x1F00 of 1217 * the 16-bit value at an offset of 14 (shifted right 1218 * 8 - figure out which byte that is). 1219 */ 1220 cstate->off_linktype.constant_part = 14; 1221 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1222 cstate->off_nl = 8; /* 802.2+SNAP */ 1223 cstate->off_nl_nosnap = 3; /* 802.2 */ 1224 break; 1225 1226 case DLT_PRISM_HEADER: 1227 case DLT_IEEE802_11_RADIO_AVS: 1228 case DLT_IEEE802_11_RADIO: 1229 cstate->off_linkhdr.is_variable = 1; 1230 /* Fall through, 802.11 doesn't have a variable link 1231 * prefix but is otherwise the same. */ 1232 1233 case DLT_IEEE802_11: 1234 /* 1235 * 802.11 doesn't really have a link-level type field. 1236 * We set "off_linktype.constant_part" to the offset of 1237 * the LLC header. 1238 * 1239 * To check for Ethernet types, we assume that SSAP = SNAP 1240 * is being used and pick out the encapsulated Ethernet type. 1241 * XXX - should we generate code to check for SNAP? 1242 * 1243 * We also handle variable-length radio headers here. 1244 * The Prism header is in theory variable-length, but in 1245 * practice it's always 144 bytes long. However, some 1246 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1247 * sometimes or always supply an AVS header, so we 1248 * have to check whether the radio header is a Prism 1249 * header or an AVS header, so, in practice, it's 1250 * variable-length. 1251 */ 1252 cstate->off_linktype.constant_part = 24; 1253 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1254 cstate->off_linkpl.is_variable = 1; 1255 cstate->off_nl = 8; /* 802.2+SNAP */ 1256 cstate->off_nl_nosnap = 3; /* 802.2 */ 1257 break; 1258 1259 case DLT_PPI: 1260 /* 1261 * At the moment we treat PPI the same way that we treat 1262 * normal Radiotap encoded packets. The difference is in 1263 * the function that generates the code at the beginning 1264 * to compute the header length. Since this code generator 1265 * of PPI supports bare 802.11 encapsulation only (i.e. 1266 * the encapsulated DLT should be DLT_IEEE802_11) we 1267 * generate code to check for this too. 1268 */ 1269 cstate->off_linktype.constant_part = 24; 1270 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1271 cstate->off_linkpl.is_variable = 1; 1272 cstate->off_linkhdr.is_variable = 1; 1273 cstate->off_nl = 8; /* 802.2+SNAP */ 1274 cstate->off_nl_nosnap = 3; /* 802.2 */ 1275 break; 1276 1277 case DLT_ATM_RFC1483: 1278 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1279 /* 1280 * assume routed, non-ISO PDUs 1281 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1282 * 1283 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1284 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1285 * latter would presumably be treated the way PPPoE 1286 * should be, so you can do "pppoe and udp port 2049" 1287 * or "pppoa and tcp port 80" and have it check for 1288 * PPPo{A,E} and a PPP protocol of IP and.... 1289 */ 1290 cstate->off_linktype.constant_part = 0; 1291 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1292 cstate->off_nl = 8; /* 802.2+SNAP */ 1293 cstate->off_nl_nosnap = 3; /* 802.2 */ 1294 break; 1295 1296 case DLT_SUNATM: 1297 /* 1298 * Full Frontal ATM; you get AALn PDUs with an ATM 1299 * pseudo-header. 1300 */ 1301 cstate->is_atm = 1; 1302 cstate->off_vpi = SUNATM_VPI_POS; 1303 cstate->off_vci = SUNATM_VCI_POS; 1304 cstate->off_proto = PROTO_POS; 1305 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1306 cstate->off_linktype.constant_part = cstate->off_payload; 1307 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1308 cstate->off_nl = 8; /* 802.2+SNAP */ 1309 cstate->off_nl_nosnap = 3; /* 802.2 */ 1310 break; 1311 1312 case DLT_RAW: 1313 case DLT_IPV4: 1314 case DLT_IPV6: 1315 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1316 cstate->off_linkpl.constant_part = 0; 1317 cstate->off_nl = 0; 1318 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1319 break; 1320 1321 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1322 cstate->off_linktype.constant_part = 14; 1323 cstate->off_linkpl.constant_part = 16; 1324 cstate->off_nl = 0; 1325 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1326 break; 1327 1328 case DLT_LTALK: 1329 /* 1330 * LocalTalk does have a 1-byte type field in the LLAP header, 1331 * but really it just indicates whether there is a "short" or 1332 * "long" DDP packet following. 1333 */ 1334 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1335 cstate->off_linkpl.constant_part = 0; 1336 cstate->off_nl = 0; 1337 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1338 break; 1339 1340 case DLT_IP_OVER_FC: 1341 /* 1342 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1343 * link-level type field. We set "off_linktype" to the 1344 * offset of the LLC header. 1345 * 1346 * To check for Ethernet types, we assume that SSAP = SNAP 1347 * is being used and pick out the encapsulated Ethernet type. 1348 * XXX - should we generate code to check for SNAP? RFC 1349 * 2625 says SNAP should be used. 1350 */ 1351 cstate->off_linktype.constant_part = 16; 1352 cstate->off_linkpl.constant_part = 16; 1353 cstate->off_nl = 8; /* 802.2+SNAP */ 1354 cstate->off_nl_nosnap = 3; /* 802.2 */ 1355 break; 1356 1357 case DLT_FRELAY: 1358 /* 1359 * XXX - we should set this to handle SNAP-encapsulated 1360 * frames (NLPID of 0x80). 1361 */ 1362 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1363 cstate->off_linkpl.constant_part = 0; 1364 cstate->off_nl = 0; 1365 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1366 break; 1367 1368 /* 1369 * the only BPF-interesting FRF.16 frames are non-control frames; 1370 * Frame Relay has a variable length link-layer 1371 * so lets start with offset 4 for now and increments later on (FIXME); 1372 */ 1373 case DLT_MFR: 1374 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1375 cstate->off_linkpl.constant_part = 0; 1376 cstate->off_nl = 4; 1377 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1378 break; 1379 1380 case DLT_APPLE_IP_OVER_IEEE1394: 1381 cstate->off_linktype.constant_part = 16; 1382 cstate->off_linkpl.constant_part = 18; 1383 cstate->off_nl = 0; 1384 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1385 break; 1386 1387 case DLT_SYMANTEC_FIREWALL: 1388 cstate->off_linktype.constant_part = 6; 1389 cstate->off_linkpl.constant_part = 44; 1390 cstate->off_nl = 0; /* Ethernet II */ 1391 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1392 break; 1393 1394 #ifdef HAVE_NET_PFVAR_H 1395 case DLT_PFLOG: 1396 cstate->off_linktype.constant_part = 0; 1397 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1398 cstate->off_nl = 0; 1399 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1400 break; 1401 #endif 1402 1403 case DLT_JUNIPER_MFR: 1404 case DLT_JUNIPER_MLFR: 1405 case DLT_JUNIPER_MLPPP: 1406 case DLT_JUNIPER_PPP: 1407 case DLT_JUNIPER_CHDLC: 1408 case DLT_JUNIPER_FRELAY: 1409 cstate->off_linktype.constant_part = 4; 1410 cstate->off_linkpl.constant_part = 4; 1411 cstate->off_nl = 0; 1412 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1413 break; 1414 1415 case DLT_JUNIPER_ATM1: 1416 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1417 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1418 cstate->off_nl = 0; 1419 cstate->off_nl_nosnap = 10; 1420 break; 1421 1422 case DLT_JUNIPER_ATM2: 1423 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1424 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1425 cstate->off_nl = 0; 1426 cstate->off_nl_nosnap = 10; 1427 break; 1428 1429 /* frames captured on a Juniper PPPoE service PIC 1430 * contain raw ethernet frames */ 1431 case DLT_JUNIPER_PPPOE: 1432 case DLT_JUNIPER_ETHER: 1433 cstate->off_linkpl.constant_part = 14; 1434 cstate->off_linktype.constant_part = 16; 1435 cstate->off_nl = 18; /* Ethernet II */ 1436 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1437 break; 1438 1439 case DLT_JUNIPER_PPPOE_ATM: 1440 cstate->off_linktype.constant_part = 4; 1441 cstate->off_linkpl.constant_part = 6; 1442 cstate->off_nl = 0; 1443 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1444 break; 1445 1446 case DLT_JUNIPER_GGSN: 1447 cstate->off_linktype.constant_part = 6; 1448 cstate->off_linkpl.constant_part = 12; 1449 cstate->off_nl = 0; 1450 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1451 break; 1452 1453 case DLT_JUNIPER_ES: 1454 cstate->off_linktype.constant_part = 6; 1455 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1456 cstate->off_nl = -1; /* not really a network layer but raw IP addresses */ 1457 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1458 break; 1459 1460 case DLT_JUNIPER_MONITOR: 1461 cstate->off_linktype.constant_part = 12; 1462 cstate->off_linkpl.constant_part = 12; 1463 cstate->off_nl = 0; /* raw IP/IP6 header */ 1464 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1465 break; 1466 1467 case DLT_BACNET_MS_TP: 1468 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1469 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1470 cstate->off_nl = -1; 1471 cstate->off_nl_nosnap = -1; 1472 break; 1473 1474 case DLT_JUNIPER_SERVICES: 1475 cstate->off_linktype.constant_part = 12; 1476 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1477 cstate->off_nl = -1; /* L3 proto location dep. on cookie type */ 1478 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1479 break; 1480 1481 case DLT_JUNIPER_VP: 1482 cstate->off_linktype.constant_part = 18; 1483 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1484 cstate->off_nl = -1; 1485 cstate->off_nl_nosnap = -1; 1486 break; 1487 1488 case DLT_JUNIPER_ST: 1489 cstate->off_linktype.constant_part = 18; 1490 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1491 cstate->off_nl = -1; 1492 cstate->off_nl_nosnap = -1; 1493 break; 1494 1495 case DLT_JUNIPER_ISM: 1496 cstate->off_linktype.constant_part = 8; 1497 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1498 cstate->off_nl = -1; 1499 cstate->off_nl_nosnap = -1; 1500 break; 1501 1502 case DLT_JUNIPER_VS: 1503 case DLT_JUNIPER_SRX_E2E: 1504 case DLT_JUNIPER_FIBRECHANNEL: 1505 case DLT_JUNIPER_ATM_CEMIC: 1506 cstate->off_linktype.constant_part = 8; 1507 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1508 cstate->off_nl = -1; 1509 cstate->off_nl_nosnap = -1; 1510 break; 1511 1512 case DLT_MTP2: 1513 cstate->off_li = 2; 1514 cstate->off_li_hsl = 4; 1515 cstate->off_sio = 3; 1516 cstate->off_opc = 4; 1517 cstate->off_dpc = 4; 1518 cstate->off_sls = 7; 1519 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1520 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1521 cstate->off_nl = -1; 1522 cstate->off_nl_nosnap = -1; 1523 break; 1524 1525 case DLT_MTP2_WITH_PHDR: 1526 cstate->off_li = 6; 1527 cstate->off_li_hsl = 8; 1528 cstate->off_sio = 7; 1529 cstate->off_opc = 8; 1530 cstate->off_dpc = 8; 1531 cstate->off_sls = 11; 1532 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1533 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1534 cstate->off_nl = -1; 1535 cstate->off_nl_nosnap = -1; 1536 break; 1537 1538 case DLT_ERF: 1539 cstate->off_li = 22; 1540 cstate->off_li_hsl = 24; 1541 cstate->off_sio = 23; 1542 cstate->off_opc = 24; 1543 cstate->off_dpc = 24; 1544 cstate->off_sls = 27; 1545 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1546 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1547 cstate->off_nl = -1; 1548 cstate->off_nl_nosnap = -1; 1549 break; 1550 1551 case DLT_PFSYNC: 1552 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1553 cstate->off_linkpl.constant_part = 4; 1554 cstate->off_nl = 0; 1555 cstate->off_nl_nosnap = 0; 1556 break; 1557 1558 case DLT_AX25_KISS: 1559 /* 1560 * Currently, only raw "link[N:M]" filtering is supported. 1561 */ 1562 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1563 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1564 cstate->off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1565 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1566 break; 1567 1568 case DLT_IPNET: 1569 cstate->off_linktype.constant_part = 1; 1570 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1571 cstate->off_nl = 0; 1572 cstate->off_nl_nosnap = -1; 1573 break; 1574 1575 case DLT_NETANALYZER: 1576 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1577 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1578 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1579 cstate->off_nl = 0; /* Ethernet II */ 1580 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1581 break; 1582 1583 case DLT_NETANALYZER_TRANSPARENT: 1584 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1585 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1586 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1587 cstate->off_nl = 0; /* Ethernet II */ 1588 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1589 break; 1590 1591 default: 1592 /* 1593 * For values in the range in which we've assigned new 1594 * DLT_ values, only raw "link[N:M]" filtering is supported. 1595 */ 1596 if (cstate->linktype >= DLT_MATCHING_MIN && 1597 cstate->linktype <= DLT_MATCHING_MAX) { 1598 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1599 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1600 cstate->off_nl = -1; 1601 cstate->off_nl_nosnap = -1; 1602 } else { 1603 bpf_error(cstate, "unknown data link type %d", cstate->linktype); 1604 } 1605 break; 1606 } 1607 1608 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1609 } 1610 1611 /* 1612 * Load a value relative to the specified absolute offset. 1613 */ 1614 static struct slist * 1615 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1616 u_int offset, u_int size) 1617 { 1618 struct slist *s, *s2; 1619 1620 s = gen_abs_offset_varpart(cstate, abs_offset); 1621 1622 /* 1623 * If "s" is non-null, it has code to arrange that the X register 1624 * contains the variable part of the absolute offset, so we 1625 * generate a load relative to that, with an offset of 1626 * abs_offset->constant_part + offset. 1627 * 1628 * Otherwise, we can do an absolute load with an offset of 1629 * abs_offset->constant_part + offset. 1630 */ 1631 if (s != NULL) { 1632 /* 1633 * "s" points to a list of statements that puts the 1634 * variable part of the absolute offset into the X register. 1635 * Do an indirect load, to use the X register as an offset. 1636 */ 1637 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1638 s2->s.k = abs_offset->constant_part + offset; 1639 sappend(s, s2); 1640 } else { 1641 /* 1642 * There is no variable part of the absolute offset, so 1643 * just do an absolute load. 1644 */ 1645 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1646 s->s.k = abs_offset->constant_part + offset; 1647 } 1648 return s; 1649 } 1650 1651 /* 1652 * Load a value relative to the beginning of the specified header. 1653 */ 1654 static struct slist * 1655 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1656 u_int size) 1657 { 1658 struct slist *s, *s2; 1659 1660 switch (offrel) { 1661 1662 case OR_PACKET: 1663 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1664 s->s.k = offset; 1665 break; 1666 1667 case OR_LINKHDR: 1668 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1669 break; 1670 1671 case OR_PREVLINKHDR: 1672 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1673 break; 1674 1675 case OR_LLC: 1676 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1677 break; 1678 1679 case OR_PREVMPLSHDR: 1680 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1681 break; 1682 1683 case OR_LINKPL: 1684 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1685 break; 1686 1687 case OR_LINKPL_NOSNAP: 1688 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1689 break; 1690 1691 case OR_LINKTYPE: 1692 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1693 break; 1694 1695 case OR_TRAN_IPV4: 1696 /* 1697 * Load the X register with the length of the IPv4 header 1698 * (plus the offset of the link-layer header, if it's 1699 * preceded by a variable-length header such as a radio 1700 * header), in bytes. 1701 */ 1702 s = gen_loadx_iphdrlen(cstate); 1703 1704 /* 1705 * Load the item at {offset of the link-layer payload} + 1706 * {offset, relative to the start of the link-layer 1707 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1708 * {specified offset}. 1709 * 1710 * If the offset of the link-layer payload is variable, 1711 * the variable part of that offset is included in the 1712 * value in the X register, and we include the constant 1713 * part in the offset of the load. 1714 */ 1715 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1716 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1717 sappend(s, s2); 1718 break; 1719 1720 case OR_TRAN_IPV6: 1721 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1722 break; 1723 1724 default: 1725 abort(); 1726 return NULL; 1727 } 1728 return s; 1729 } 1730 1731 /* 1732 * Generate code to load into the X register the sum of the length of 1733 * the IPv4 header and the variable part of the offset of the link-layer 1734 * payload. 1735 */ 1736 static struct slist * 1737 gen_loadx_iphdrlen(compiler_state_t *cstate) 1738 { 1739 struct slist *s, *s2; 1740 1741 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1742 if (s != NULL) { 1743 /* 1744 * The offset of the link-layer payload has a variable 1745 * part. "s" points to a list of statements that put 1746 * the variable part of that offset into the X register. 1747 * 1748 * The 4*([k]&0xf) addressing mode can't be used, as we 1749 * don't have a constant offset, so we have to load the 1750 * value in question into the A register and add to it 1751 * the value from the X register. 1752 */ 1753 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1754 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1755 sappend(s, s2); 1756 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1757 s2->s.k = 0xf; 1758 sappend(s, s2); 1759 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1760 s2->s.k = 2; 1761 sappend(s, s2); 1762 1763 /* 1764 * The A register now contains the length of the IP header. 1765 * We need to add to it the variable part of the offset of 1766 * the link-layer payload, which is still in the X 1767 * register, and move the result into the X register. 1768 */ 1769 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1770 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1771 } else { 1772 /* 1773 * The offset of the link-layer payload is a constant, 1774 * so no code was generated to load the (non-existent) 1775 * variable part of that offset. 1776 * 1777 * This means we can use the 4*([k]&0xf) addressing 1778 * mode. Load the length of the IPv4 header, which 1779 * is at an offset of cstate->off_nl from the beginning of 1780 * the link-layer payload, and thus at an offset of 1781 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1782 * of the raw packet data, using that addressing mode. 1783 */ 1784 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1785 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1786 } 1787 return s; 1788 } 1789 1790 static struct block * 1791 gen_uncond(compiler_state_t *cstate, int rsense) 1792 { 1793 struct block *b; 1794 struct slist *s; 1795 1796 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1797 s->s.k = !rsense; 1798 b = new_block(cstate, JMP(BPF_JEQ)); 1799 b->stmts = s; 1800 1801 return b; 1802 } 1803 1804 static inline struct block * 1805 gen_true(compiler_state_t *cstate) 1806 { 1807 return gen_uncond(cstate, 1); 1808 } 1809 1810 static inline struct block * 1811 gen_false(compiler_state_t *cstate) 1812 { 1813 return gen_uncond(cstate, 0); 1814 } 1815 1816 /* 1817 * Byte-swap a 32-bit number. 1818 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1819 * big-endian platforms.) 1820 */ 1821 #define SWAPLONG(y) \ 1822 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1823 1824 /* 1825 * Generate code to match a particular packet type. 1826 * 1827 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1828 * value, if <= ETHERMTU. We use that to determine whether to 1829 * match the type/length field or to check the type/length field for 1830 * a value <= ETHERMTU to see whether it's a type field and then do 1831 * the appropriate test. 1832 */ 1833 static struct block * 1834 gen_ether_linktype(compiler_state_t *cstate, int proto) 1835 { 1836 struct block *b0, *b1; 1837 1838 switch (proto) { 1839 1840 case LLCSAP_ISONS: 1841 case LLCSAP_IP: 1842 case LLCSAP_NETBEUI: 1843 /* 1844 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1845 * so we check the DSAP and SSAP. 1846 * 1847 * LLCSAP_IP checks for IP-over-802.2, rather 1848 * than IP-over-Ethernet or IP-over-SNAP. 1849 * 1850 * XXX - should we check both the DSAP and the 1851 * SSAP, like this, or should we check just the 1852 * DSAP, as we do for other types <= ETHERMTU 1853 * (i.e., other SAP values)? 1854 */ 1855 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1856 gen_not(b0); 1857 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1858 ((proto << 8) | proto)); 1859 gen_and(b0, b1); 1860 return b1; 1861 1862 case LLCSAP_IPX: 1863 /* 1864 * Check for; 1865 * 1866 * Ethernet_II frames, which are Ethernet 1867 * frames with a frame type of ETHERTYPE_IPX; 1868 * 1869 * Ethernet_802.3 frames, which are 802.3 1870 * frames (i.e., the type/length field is 1871 * a length field, <= ETHERMTU, rather than 1872 * a type field) with the first two bytes 1873 * after the Ethernet/802.3 header being 1874 * 0xFFFF; 1875 * 1876 * Ethernet_802.2 frames, which are 802.3 1877 * frames with an 802.2 LLC header and 1878 * with the IPX LSAP as the DSAP in the LLC 1879 * header; 1880 * 1881 * Ethernet_SNAP frames, which are 802.3 1882 * frames with an LLC header and a SNAP 1883 * header and with an OUI of 0x000000 1884 * (encapsulated Ethernet) and a protocol 1885 * ID of ETHERTYPE_IPX in the SNAP header. 1886 * 1887 * XXX - should we generate the same code both 1888 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1889 */ 1890 1891 /* 1892 * This generates code to check both for the 1893 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1894 */ 1895 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1896 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1897 gen_or(b0, b1); 1898 1899 /* 1900 * Now we add code to check for SNAP frames with 1901 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1902 */ 1903 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 1904 gen_or(b0, b1); 1905 1906 /* 1907 * Now we generate code to check for 802.3 1908 * frames in general. 1909 */ 1910 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1911 gen_not(b0); 1912 1913 /* 1914 * Now add the check for 802.3 frames before the 1915 * check for Ethernet_802.2 and Ethernet_802.3, 1916 * as those checks should only be done on 802.3 1917 * frames, not on Ethernet frames. 1918 */ 1919 gen_and(b0, b1); 1920 1921 /* 1922 * Now add the check for Ethernet_II frames, and 1923 * do that before checking for the other frame 1924 * types. 1925 */ 1926 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1927 gen_or(b0, b1); 1928 return b1; 1929 1930 case ETHERTYPE_ATALK: 1931 case ETHERTYPE_AARP: 1932 /* 1933 * EtherTalk (AppleTalk protocols on Ethernet link 1934 * layer) may use 802.2 encapsulation. 1935 */ 1936 1937 /* 1938 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1939 * we check for an Ethernet type field less than 1940 * 1500, which means it's an 802.3 length field. 1941 */ 1942 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1943 gen_not(b0); 1944 1945 /* 1946 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1947 * SNAP packets with an organization code of 1948 * 0x080007 (Apple, for Appletalk) and a protocol 1949 * type of ETHERTYPE_ATALK (Appletalk). 1950 * 1951 * 802.2-encapsulated ETHERTYPE_AARP packets are 1952 * SNAP packets with an organization code of 1953 * 0x000000 (encapsulated Ethernet) and a protocol 1954 * type of ETHERTYPE_AARP (Appletalk ARP). 1955 */ 1956 if (proto == ETHERTYPE_ATALK) 1957 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 1958 else /* proto == ETHERTYPE_AARP */ 1959 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 1960 gen_and(b0, b1); 1961 1962 /* 1963 * Check for Ethernet encapsulation (Ethertalk 1964 * phase 1?); we just check for the Ethernet 1965 * protocol type. 1966 */ 1967 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1968 1969 gen_or(b0, b1); 1970 return b1; 1971 1972 default: 1973 if (proto <= ETHERMTU) { 1974 /* 1975 * This is an LLC SAP value, so the frames 1976 * that match would be 802.2 frames. 1977 * Check that the frame is an 802.2 frame 1978 * (i.e., that the length/type field is 1979 * a length field, <= ETHERMTU) and 1980 * then check the DSAP. 1981 */ 1982 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1983 gen_not(b0); 1984 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1985 gen_and(b0, b1); 1986 return b1; 1987 } else { 1988 /* 1989 * This is an Ethernet type, so compare 1990 * the length/type field with it (if 1991 * the frame is an 802.2 frame, the length 1992 * field will be <= ETHERMTU, and, as 1993 * "proto" is > ETHERMTU, this test 1994 * will fail and the frame won't match, 1995 * which is what we want). 1996 */ 1997 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 1998 (bpf_int32)proto); 1999 } 2000 } 2001 } 2002 2003 static struct block * 2004 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2005 { 2006 /* 2007 * For DLT_NULL, the link-layer header is a 32-bit word 2008 * containing an AF_ value in *host* byte order, and for 2009 * DLT_ENC, the link-layer header begins with a 32-bit 2010 * word containing an AF_ value in host byte order. 2011 * 2012 * In addition, if we're reading a saved capture file, 2013 * the host byte order in the capture may not be the 2014 * same as the host byte order on this machine. 2015 * 2016 * For DLT_LOOP, the link-layer header is a 32-bit 2017 * word containing an AF_ value in *network* byte order. 2018 */ 2019 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2020 /* 2021 * The AF_ value is in host byte order, but the BPF 2022 * interpreter will convert it to network byte order. 2023 * 2024 * If this is a save file, and it's from a machine 2025 * with the opposite byte order to ours, we byte-swap 2026 * the AF_ value. 2027 * 2028 * Then we run it through "htonl()", and generate 2029 * code to compare against the result. 2030 */ 2031 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2032 proto = SWAPLONG(proto); 2033 proto = htonl(proto); 2034 } 2035 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2036 } 2037 2038 /* 2039 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2040 * or IPv6 then we have an error. 2041 */ 2042 static struct block * 2043 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2044 { 2045 switch (proto) { 2046 2047 case ETHERTYPE_IP: 2048 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2049 /* NOTREACHED */ 2050 2051 case ETHERTYPE_IPV6: 2052 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2053 (bpf_int32)IPH_AF_INET6); 2054 /* NOTREACHED */ 2055 2056 default: 2057 break; 2058 } 2059 2060 return gen_false(cstate); 2061 } 2062 2063 /* 2064 * Generate code to match a particular packet type. 2065 * 2066 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2067 * value, if <= ETHERMTU. We use that to determine whether to 2068 * match the type field or to check the type field for the special 2069 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2070 */ 2071 static struct block * 2072 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2073 { 2074 struct block *b0, *b1; 2075 2076 switch (proto) { 2077 2078 case LLCSAP_ISONS: 2079 case LLCSAP_IP: 2080 case LLCSAP_NETBEUI: 2081 /* 2082 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2083 * so we check the DSAP and SSAP. 2084 * 2085 * LLCSAP_IP checks for IP-over-802.2, rather 2086 * than IP-over-Ethernet or IP-over-SNAP. 2087 * 2088 * XXX - should we check both the DSAP and the 2089 * SSAP, like this, or should we check just the 2090 * DSAP, as we do for other types <= ETHERMTU 2091 * (i.e., other SAP values)? 2092 */ 2093 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2094 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2095 ((proto << 8) | proto)); 2096 gen_and(b0, b1); 2097 return b1; 2098 2099 case LLCSAP_IPX: 2100 /* 2101 * Ethernet_II frames, which are Ethernet 2102 * frames with a frame type of ETHERTYPE_IPX; 2103 * 2104 * Ethernet_802.3 frames, which have a frame 2105 * type of LINUX_SLL_P_802_3; 2106 * 2107 * Ethernet_802.2 frames, which are 802.3 2108 * frames with an 802.2 LLC header (i.e, have 2109 * a frame type of LINUX_SLL_P_802_2) and 2110 * with the IPX LSAP as the DSAP in the LLC 2111 * header; 2112 * 2113 * Ethernet_SNAP frames, which are 802.3 2114 * frames with an LLC header and a SNAP 2115 * header and with an OUI of 0x000000 2116 * (encapsulated Ethernet) and a protocol 2117 * ID of ETHERTYPE_IPX in the SNAP header. 2118 * 2119 * First, do the checks on LINUX_SLL_P_802_2 2120 * frames; generate the check for either 2121 * Ethernet_802.2 or Ethernet_SNAP frames, and 2122 * then put a check for LINUX_SLL_P_802_2 frames 2123 * before it. 2124 */ 2125 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2126 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2127 gen_or(b0, b1); 2128 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2129 gen_and(b0, b1); 2130 2131 /* 2132 * Now check for 802.3 frames and OR that with 2133 * the previous test. 2134 */ 2135 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2136 gen_or(b0, b1); 2137 2138 /* 2139 * Now add the check for Ethernet_II frames, and 2140 * do that before checking for the other frame 2141 * types. 2142 */ 2143 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2144 gen_or(b0, b1); 2145 return b1; 2146 2147 case ETHERTYPE_ATALK: 2148 case ETHERTYPE_AARP: 2149 /* 2150 * EtherTalk (AppleTalk protocols on Ethernet link 2151 * layer) may use 802.2 encapsulation. 2152 */ 2153 2154 /* 2155 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2156 * we check for the 802.2 protocol type in the 2157 * "Ethernet type" field. 2158 */ 2159 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2160 2161 /* 2162 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2163 * SNAP packets with an organization code of 2164 * 0x080007 (Apple, for Appletalk) and a protocol 2165 * type of ETHERTYPE_ATALK (Appletalk). 2166 * 2167 * 802.2-encapsulated ETHERTYPE_AARP packets are 2168 * SNAP packets with an organization code of 2169 * 0x000000 (encapsulated Ethernet) and a protocol 2170 * type of ETHERTYPE_AARP (Appletalk ARP). 2171 */ 2172 if (proto == ETHERTYPE_ATALK) 2173 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2174 else /* proto == ETHERTYPE_AARP */ 2175 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2176 gen_and(b0, b1); 2177 2178 /* 2179 * Check for Ethernet encapsulation (Ethertalk 2180 * phase 1?); we just check for the Ethernet 2181 * protocol type. 2182 */ 2183 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2184 2185 gen_or(b0, b1); 2186 return b1; 2187 2188 default: 2189 if (proto <= ETHERMTU) { 2190 /* 2191 * This is an LLC SAP value, so the frames 2192 * that match would be 802.2 frames. 2193 * Check for the 802.2 protocol type 2194 * in the "Ethernet type" field, and 2195 * then check the DSAP. 2196 */ 2197 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2198 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2199 (bpf_int32)proto); 2200 gen_and(b0, b1); 2201 return b1; 2202 } else { 2203 /* 2204 * This is an Ethernet type, so compare 2205 * the length/type field with it (if 2206 * the frame is an 802.2 frame, the length 2207 * field will be <= ETHERMTU, and, as 2208 * "proto" is > ETHERMTU, this test 2209 * will fail and the frame won't match, 2210 * which is what we want). 2211 */ 2212 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2213 } 2214 } 2215 } 2216 2217 static struct slist * 2218 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2219 { 2220 struct slist *s1, *s2; 2221 struct slist *sjeq_avs_cookie; 2222 struct slist *sjcommon; 2223 2224 /* 2225 * This code is not compatible with the optimizer, as 2226 * we are generating jmp instructions within a normal 2227 * slist of instructions 2228 */ 2229 cstate->no_optimize = 1; 2230 2231 /* 2232 * Generate code to load the length of the radio header into 2233 * the register assigned to hold that length, if one has been 2234 * assigned. (If one hasn't been assigned, no code we've 2235 * generated uses that prefix, so we don't need to generate any 2236 * code to load it.) 2237 * 2238 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2239 * or always use the AVS header rather than the Prism header. 2240 * We load a 4-byte big-endian value at the beginning of the 2241 * raw packet data, and see whether, when masked with 0xFFFFF000, 2242 * it's equal to 0x80211000. If so, that indicates that it's 2243 * an AVS header (the masked-out bits are the version number). 2244 * Otherwise, it's a Prism header. 2245 * 2246 * XXX - the Prism header is also, in theory, variable-length, 2247 * but no known software generates headers that aren't 144 2248 * bytes long. 2249 */ 2250 if (cstate->off_linkhdr.reg != -1) { 2251 /* 2252 * Load the cookie. 2253 */ 2254 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2255 s1->s.k = 0; 2256 2257 /* 2258 * AND it with 0xFFFFF000. 2259 */ 2260 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2261 s2->s.k = 0xFFFFF000; 2262 sappend(s1, s2); 2263 2264 /* 2265 * Compare with 0x80211000. 2266 */ 2267 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2268 sjeq_avs_cookie->s.k = 0x80211000; 2269 sappend(s1, sjeq_avs_cookie); 2270 2271 /* 2272 * If it's AVS: 2273 * 2274 * The 4 bytes at an offset of 4 from the beginning of 2275 * the AVS header are the length of the AVS header. 2276 * That field is big-endian. 2277 */ 2278 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2279 s2->s.k = 4; 2280 sappend(s1, s2); 2281 sjeq_avs_cookie->s.jt = s2; 2282 2283 /* 2284 * Now jump to the code to allocate a register 2285 * into which to save the header length and 2286 * store the length there. (The "jump always" 2287 * instruction needs to have the k field set; 2288 * it's added to the PC, so, as we're jumping 2289 * over a single instruction, it should be 1.) 2290 */ 2291 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2292 sjcommon->s.k = 1; 2293 sappend(s1, sjcommon); 2294 2295 /* 2296 * Now for the code that handles the Prism header. 2297 * Just load the length of the Prism header (144) 2298 * into the A register. Have the test for an AVS 2299 * header branch here if we don't have an AVS header. 2300 */ 2301 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2302 s2->s.k = 144; 2303 sappend(s1, s2); 2304 sjeq_avs_cookie->s.jf = s2; 2305 2306 /* 2307 * Now allocate a register to hold that value and store 2308 * it. The code for the AVS header will jump here after 2309 * loading the length of the AVS header. 2310 */ 2311 s2 = new_stmt(cstate, BPF_ST); 2312 s2->s.k = cstate->off_linkhdr.reg; 2313 sappend(s1, s2); 2314 sjcommon->s.jf = s2; 2315 2316 /* 2317 * Now move it into the X register. 2318 */ 2319 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2320 sappend(s1, s2); 2321 2322 return (s1); 2323 } else 2324 return (NULL); 2325 } 2326 2327 static struct slist * 2328 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2329 { 2330 struct slist *s1, *s2; 2331 2332 /* 2333 * Generate code to load the length of the AVS header into 2334 * the register assigned to hold that length, if one has been 2335 * assigned. (If one hasn't been assigned, no code we've 2336 * generated uses that prefix, so we don't need to generate any 2337 * code to load it.) 2338 */ 2339 if (cstate->off_linkhdr.reg != -1) { 2340 /* 2341 * The 4 bytes at an offset of 4 from the beginning of 2342 * the AVS header are the length of the AVS header. 2343 * That field is big-endian. 2344 */ 2345 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2346 s1->s.k = 4; 2347 2348 /* 2349 * Now allocate a register to hold that value and store 2350 * it. 2351 */ 2352 s2 = new_stmt(cstate, BPF_ST); 2353 s2->s.k = cstate->off_linkhdr.reg; 2354 sappend(s1, s2); 2355 2356 /* 2357 * Now move it into the X register. 2358 */ 2359 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2360 sappend(s1, s2); 2361 2362 return (s1); 2363 } else 2364 return (NULL); 2365 } 2366 2367 static struct slist * 2368 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2369 { 2370 struct slist *s1, *s2; 2371 2372 /* 2373 * Generate code to load the length of the radiotap header into 2374 * the register assigned to hold that length, if one has been 2375 * assigned. (If one hasn't been assigned, no code we've 2376 * generated uses that prefix, so we don't need to generate any 2377 * code to load it.) 2378 */ 2379 if (cstate->off_linkhdr.reg != -1) { 2380 /* 2381 * The 2 bytes at offsets of 2 and 3 from the beginning 2382 * of the radiotap header are the length of the radiotap 2383 * header; unfortunately, it's little-endian, so we have 2384 * to load it a byte at a time and construct the value. 2385 */ 2386 2387 /* 2388 * Load the high-order byte, at an offset of 3, shift it 2389 * left a byte, and put the result in the X register. 2390 */ 2391 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2392 s1->s.k = 3; 2393 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2394 sappend(s1, s2); 2395 s2->s.k = 8; 2396 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2397 sappend(s1, s2); 2398 2399 /* 2400 * Load the next byte, at an offset of 2, and OR the 2401 * value from the X register into it. 2402 */ 2403 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2404 sappend(s1, s2); 2405 s2->s.k = 2; 2406 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2407 sappend(s1, s2); 2408 2409 /* 2410 * Now allocate a register to hold that value and store 2411 * it. 2412 */ 2413 s2 = new_stmt(cstate, BPF_ST); 2414 s2->s.k = cstate->off_linkhdr.reg; 2415 sappend(s1, s2); 2416 2417 /* 2418 * Now move it into the X register. 2419 */ 2420 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2421 sappend(s1, s2); 2422 2423 return (s1); 2424 } else 2425 return (NULL); 2426 } 2427 2428 /* 2429 * At the moment we treat PPI as normal Radiotap encoded 2430 * packets. The difference is in the function that generates 2431 * the code at the beginning to compute the header length. 2432 * Since this code generator of PPI supports bare 802.11 2433 * encapsulation only (i.e. the encapsulated DLT should be 2434 * DLT_IEEE802_11) we generate code to check for this too; 2435 * that's done in finish_parse(). 2436 */ 2437 static struct slist * 2438 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2439 { 2440 struct slist *s1, *s2; 2441 2442 /* 2443 * Generate code to load the length of the radiotap header 2444 * into the register assigned to hold that length, if one has 2445 * been assigned. 2446 */ 2447 if (cstate->off_linkhdr.reg != -1) { 2448 /* 2449 * The 2 bytes at offsets of 2 and 3 from the beginning 2450 * of the radiotap header are the length of the radiotap 2451 * header; unfortunately, it's little-endian, so we have 2452 * to load it a byte at a time and construct the value. 2453 */ 2454 2455 /* 2456 * Load the high-order byte, at an offset of 3, shift it 2457 * left a byte, and put the result in the X register. 2458 */ 2459 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2460 s1->s.k = 3; 2461 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2462 sappend(s1, s2); 2463 s2->s.k = 8; 2464 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2465 sappend(s1, s2); 2466 2467 /* 2468 * Load the next byte, at an offset of 2, and OR the 2469 * value from the X register into it. 2470 */ 2471 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2472 sappend(s1, s2); 2473 s2->s.k = 2; 2474 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2475 sappend(s1, s2); 2476 2477 /* 2478 * Now allocate a register to hold that value and store 2479 * it. 2480 */ 2481 s2 = new_stmt(cstate, BPF_ST); 2482 s2->s.k = cstate->off_linkhdr.reg; 2483 sappend(s1, s2); 2484 2485 /* 2486 * Now move it into the X register. 2487 */ 2488 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2489 sappend(s1, s2); 2490 2491 return (s1); 2492 } else 2493 return (NULL); 2494 } 2495 2496 /* 2497 * Load a value relative to the beginning of the link-layer header after the 802.11 2498 * header, i.e. LLC_SNAP. 2499 * The link-layer header doesn't necessarily begin at the beginning 2500 * of the packet data; there might be a variable-length prefix containing 2501 * radio information. 2502 */ 2503 static struct slist * 2504 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2505 { 2506 struct slist *s2; 2507 struct slist *sjset_data_frame_1; 2508 struct slist *sjset_data_frame_2; 2509 struct slist *sjset_qos; 2510 struct slist *sjset_radiotap_flags_present; 2511 struct slist *sjset_radiotap_ext_present; 2512 struct slist *sjset_radiotap_tsft_present; 2513 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2514 struct slist *s_roundup; 2515 2516 if (cstate->off_linkpl.reg == -1) { 2517 /* 2518 * No register has been assigned to the offset of 2519 * the link-layer payload, which means nobody needs 2520 * it; don't bother computing it - just return 2521 * what we already have. 2522 */ 2523 return (s); 2524 } 2525 2526 /* 2527 * This code is not compatible with the optimizer, as 2528 * we are generating jmp instructions within a normal 2529 * slist of instructions 2530 */ 2531 cstate->no_optimize = 1; 2532 2533 /* 2534 * If "s" is non-null, it has code to arrange that the X register 2535 * contains the length of the prefix preceding the link-layer 2536 * header. 2537 * 2538 * Otherwise, the length of the prefix preceding the link-layer 2539 * header is "off_outermostlinkhdr.constant_part". 2540 */ 2541 if (s == NULL) { 2542 /* 2543 * There is no variable-length header preceding the 2544 * link-layer header. 2545 * 2546 * Load the length of the fixed-length prefix preceding 2547 * the link-layer header (if any) into the X register, 2548 * and store it in the cstate->off_linkpl.reg register. 2549 * That length is off_outermostlinkhdr.constant_part. 2550 */ 2551 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2552 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2553 } 2554 2555 /* 2556 * The X register contains the offset of the beginning of the 2557 * link-layer header; add 24, which is the minimum length 2558 * of the MAC header for a data frame, to that, and store it 2559 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2560 * which is at the offset in the X register, with an indexed load. 2561 */ 2562 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2563 sappend(s, s2); 2564 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2565 s2->s.k = 24; 2566 sappend(s, s2); 2567 s2 = new_stmt(cstate, BPF_ST); 2568 s2->s.k = cstate->off_linkpl.reg; 2569 sappend(s, s2); 2570 2571 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2572 s2->s.k = 0; 2573 sappend(s, s2); 2574 2575 /* 2576 * Check the Frame Control field to see if this is a data frame; 2577 * a data frame has the 0x08 bit (b3) in that field set and the 2578 * 0x04 bit (b2) clear. 2579 */ 2580 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2581 sjset_data_frame_1->s.k = 0x08; 2582 sappend(s, sjset_data_frame_1); 2583 2584 /* 2585 * If b3 is set, test b2, otherwise go to the first statement of 2586 * the rest of the program. 2587 */ 2588 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2589 sjset_data_frame_2->s.k = 0x04; 2590 sappend(s, sjset_data_frame_2); 2591 sjset_data_frame_1->s.jf = snext; 2592 2593 /* 2594 * If b2 is not set, this is a data frame; test the QoS bit. 2595 * Otherwise, go to the first statement of the rest of the 2596 * program. 2597 */ 2598 sjset_data_frame_2->s.jt = snext; 2599 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2600 sjset_qos->s.k = 0x80; /* QoS bit */ 2601 sappend(s, sjset_qos); 2602 2603 /* 2604 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2605 * field. 2606 * Otherwise, go to the first statement of the rest of the 2607 * program. 2608 */ 2609 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2610 s2->s.k = cstate->off_linkpl.reg; 2611 sappend(s, s2); 2612 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2613 s2->s.k = 2; 2614 sappend(s, s2); 2615 s2 = new_stmt(cstate, BPF_ST); 2616 s2->s.k = cstate->off_linkpl.reg; 2617 sappend(s, s2); 2618 2619 /* 2620 * If we have a radiotap header, look at it to see whether 2621 * there's Atheros padding between the MAC-layer header 2622 * and the payload. 2623 * 2624 * Note: all of the fields in the radiotap header are 2625 * little-endian, so we byte-swap all of the values 2626 * we test against, as they will be loaded as big-endian 2627 * values. 2628 * 2629 * XXX - in the general case, we would have to scan through 2630 * *all* the presence bits, if there's more than one word of 2631 * presence bits. That would require a loop, meaning that 2632 * we wouldn't be able to run the filter in the kernel. 2633 * 2634 * We assume here that the Atheros adapters that insert the 2635 * annoying padding don't have multiple antennae and therefore 2636 * do not generate radiotap headers with multiple presence words. 2637 */ 2638 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2639 /* 2640 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2641 * in the first presence flag word? 2642 */ 2643 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2644 s2->s.k = 4; 2645 sappend(s, s2); 2646 2647 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2648 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2649 sappend(s, sjset_radiotap_flags_present); 2650 2651 /* 2652 * If not, skip all of this. 2653 */ 2654 sjset_radiotap_flags_present->s.jf = snext; 2655 2656 /* 2657 * Otherwise, is the "extension" bit set in that word? 2658 */ 2659 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2660 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2661 sappend(s, sjset_radiotap_ext_present); 2662 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2663 2664 /* 2665 * If so, skip all of this. 2666 */ 2667 sjset_radiotap_ext_present->s.jt = snext; 2668 2669 /* 2670 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2671 */ 2672 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2673 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2674 sappend(s, sjset_radiotap_tsft_present); 2675 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2676 2677 /* 2678 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2679 * at an offset of 16 from the beginning of the raw packet 2680 * data (8 bytes for the radiotap header and 8 bytes for 2681 * the TSFT field). 2682 * 2683 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2684 * is set. 2685 */ 2686 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2687 s2->s.k = 16; 2688 sappend(s, s2); 2689 sjset_radiotap_tsft_present->s.jt = s2; 2690 2691 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2692 sjset_tsft_datapad->s.k = 0x20; 2693 sappend(s, sjset_tsft_datapad); 2694 2695 /* 2696 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2697 * at an offset of 8 from the beginning of the raw packet 2698 * data (8 bytes for the radiotap header). 2699 * 2700 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2701 * is set. 2702 */ 2703 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2704 s2->s.k = 8; 2705 sappend(s, s2); 2706 sjset_radiotap_tsft_present->s.jf = s2; 2707 2708 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2709 sjset_notsft_datapad->s.k = 0x20; 2710 sappend(s, sjset_notsft_datapad); 2711 2712 /* 2713 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2714 * set, round the length of the 802.11 header to 2715 * a multiple of 4. Do that by adding 3 and then 2716 * dividing by and multiplying by 4, which we do by 2717 * ANDing with ~3. 2718 */ 2719 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2720 s_roundup->s.k = cstate->off_linkpl.reg; 2721 sappend(s, s_roundup); 2722 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2723 s2->s.k = 3; 2724 sappend(s, s2); 2725 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2726 s2->s.k = ~3; 2727 sappend(s, s2); 2728 s2 = new_stmt(cstate, BPF_ST); 2729 s2->s.k = cstate->off_linkpl.reg; 2730 sappend(s, s2); 2731 2732 sjset_tsft_datapad->s.jt = s_roundup; 2733 sjset_tsft_datapad->s.jf = snext; 2734 sjset_notsft_datapad->s.jt = s_roundup; 2735 sjset_notsft_datapad->s.jf = snext; 2736 } else 2737 sjset_qos->s.jf = snext; 2738 2739 return s; 2740 } 2741 2742 static void 2743 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2744 { 2745 struct slist *s; 2746 2747 /* There is an implicit dependency between the link 2748 * payload and link header since the payload computation 2749 * includes the variable part of the header. Therefore, 2750 * if nobody else has allocated a register for the link 2751 * header and we need it, do it now. */ 2752 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2753 cstate->off_linkhdr.reg == -1) 2754 cstate->off_linkhdr.reg = alloc_reg(cstate); 2755 2756 /* 2757 * For link-layer types that have a variable-length header 2758 * preceding the link-layer header, generate code to load 2759 * the offset of the link-layer header into the register 2760 * assigned to that offset, if any. 2761 * 2762 * XXX - this, and the next switch statement, won't handle 2763 * encapsulation of 802.11 or 802.11+radio information in 2764 * some other protocol stack. That's significantly more 2765 * complicated. 2766 */ 2767 switch (cstate->outermostlinktype) { 2768 2769 case DLT_PRISM_HEADER: 2770 s = gen_load_prism_llprefixlen(cstate); 2771 break; 2772 2773 case DLT_IEEE802_11_RADIO_AVS: 2774 s = gen_load_avs_llprefixlen(cstate); 2775 break; 2776 2777 case DLT_IEEE802_11_RADIO: 2778 s = gen_load_radiotap_llprefixlen(cstate); 2779 break; 2780 2781 case DLT_PPI: 2782 s = gen_load_ppi_llprefixlen(cstate); 2783 break; 2784 2785 default: 2786 s = NULL; 2787 break; 2788 } 2789 2790 /* 2791 * For link-layer types that have a variable-length link-layer 2792 * header, generate code to load the offset of the link-layer 2793 * payload into the register assigned to that offset, if any. 2794 */ 2795 switch (cstate->outermostlinktype) { 2796 2797 case DLT_IEEE802_11: 2798 case DLT_PRISM_HEADER: 2799 case DLT_IEEE802_11_RADIO_AVS: 2800 case DLT_IEEE802_11_RADIO: 2801 case DLT_PPI: 2802 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2803 break; 2804 } 2805 2806 /* 2807 * If we have any offset-loading code, append all the 2808 * existing statements in the block to those statements, 2809 * and make the resulting list the list of statements 2810 * for the block. 2811 */ 2812 if (s != NULL) { 2813 sappend(s, b->stmts); 2814 b->stmts = s; 2815 } 2816 } 2817 2818 static struct block * 2819 gen_ppi_dlt_check(compiler_state_t *cstate) 2820 { 2821 struct slist *s_load_dlt; 2822 struct block *b; 2823 2824 if (cstate->linktype == DLT_PPI) 2825 { 2826 /* Create the statements that check for the DLT 2827 */ 2828 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2829 s_load_dlt->s.k = 4; 2830 2831 b = new_block(cstate, JMP(BPF_JEQ)); 2832 2833 b->stmts = s_load_dlt; 2834 b->s.k = SWAPLONG(DLT_IEEE802_11); 2835 } 2836 else 2837 { 2838 b = NULL; 2839 } 2840 2841 return b; 2842 } 2843 2844 /* 2845 * Take an absolute offset, and: 2846 * 2847 * if it has no variable part, return NULL; 2848 * 2849 * if it has a variable part, generate code to load the register 2850 * containing that variable part into the X register, returning 2851 * a pointer to that code - if no register for that offset has 2852 * been allocated, allocate it first. 2853 * 2854 * (The code to set that register will be generated later, but will 2855 * be placed earlier in the code sequence.) 2856 */ 2857 static struct slist * 2858 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 2859 { 2860 struct slist *s; 2861 2862 if (off->is_variable) { 2863 if (off->reg == -1) { 2864 /* 2865 * We haven't yet assigned a register for the 2866 * variable part of the offset of the link-layer 2867 * header; allocate one. 2868 */ 2869 off->reg = alloc_reg(cstate); 2870 } 2871 2872 /* 2873 * Load the register containing the variable part of the 2874 * offset of the link-layer header into the X register. 2875 */ 2876 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 2877 s->s.k = off->reg; 2878 return s; 2879 } else { 2880 /* 2881 * That offset isn't variable, there's no variable part, 2882 * so we don't need to generate any code. 2883 */ 2884 return NULL; 2885 } 2886 } 2887 2888 /* 2889 * Map an Ethernet type to the equivalent PPP type. 2890 */ 2891 static int 2892 ethertype_to_ppptype(proto) 2893 int proto; 2894 { 2895 switch (proto) { 2896 2897 case ETHERTYPE_IP: 2898 proto = PPP_IP; 2899 break; 2900 2901 case ETHERTYPE_IPV6: 2902 proto = PPP_IPV6; 2903 break; 2904 2905 case ETHERTYPE_DN: 2906 proto = PPP_DECNET; 2907 break; 2908 2909 case ETHERTYPE_ATALK: 2910 proto = PPP_APPLE; 2911 break; 2912 2913 case ETHERTYPE_NS: 2914 proto = PPP_NS; 2915 break; 2916 2917 case LLCSAP_ISONS: 2918 proto = PPP_OSI; 2919 break; 2920 2921 case LLCSAP_8021D: 2922 /* 2923 * I'm assuming the "Bridging PDU"s that go 2924 * over PPP are Spanning Tree Protocol 2925 * Bridging PDUs. 2926 */ 2927 proto = PPP_BRPDU; 2928 break; 2929 2930 case LLCSAP_IPX: 2931 proto = PPP_IPX; 2932 break; 2933 } 2934 return (proto); 2935 } 2936 2937 /* 2938 * Generate any tests that, for encapsulation of a link-layer packet 2939 * inside another protocol stack, need to be done to check for those 2940 * link-layer packets (and that haven't already been done by a check 2941 * for that encapsulation). 2942 */ 2943 static struct block * 2944 gen_prevlinkhdr_check(compiler_state_t *cstate) 2945 { 2946 struct block *b0; 2947 2948 if (cstate->is_geneve) 2949 return gen_geneve_ll_check(cstate); 2950 2951 switch (cstate->prevlinktype) { 2952 2953 case DLT_SUNATM: 2954 /* 2955 * This is LANE-encapsulated Ethernet; check that the LANE 2956 * packet doesn't begin with an LE Control marker, i.e. 2957 * that it's data, not a control message. 2958 * 2959 * (We've already generated a test for LANE.) 2960 */ 2961 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2962 gen_not(b0); 2963 return b0; 2964 2965 default: 2966 /* 2967 * No such tests are necessary. 2968 */ 2969 return NULL; 2970 } 2971 /*NOTREACHED*/ 2972 } 2973 2974 /* 2975 * The three different values we should check for when checking for an 2976 * IPv6 packet with DLT_NULL. 2977 */ 2978 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 2979 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 2980 #define BSD_AFNUM_INET6_DARWIN 30 /* OS X, iOS, other Darwin-based OSes */ 2981 2982 /* 2983 * Generate code to match a particular packet type by matching the 2984 * link-layer type field or fields in the 802.2 LLC header. 2985 * 2986 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2987 * value, if <= ETHERMTU. 2988 */ 2989 static struct block * 2990 gen_linktype(compiler_state_t *cstate, int proto) 2991 { 2992 struct block *b0, *b1, *b2; 2993 const char *description; 2994 2995 /* are we checking MPLS-encapsulated packets? */ 2996 if (cstate->label_stack_depth > 0) { 2997 switch (proto) { 2998 case ETHERTYPE_IP: 2999 case PPP_IP: 3000 /* FIXME add other L3 proto IDs */ 3001 return gen_mpls_linktype(cstate, Q_IP); 3002 3003 case ETHERTYPE_IPV6: 3004 case PPP_IPV6: 3005 /* FIXME add other L3 proto IDs */ 3006 return gen_mpls_linktype(cstate, Q_IPV6); 3007 3008 default: 3009 bpf_error(cstate, "unsupported protocol over mpls"); 3010 /* NOTREACHED */ 3011 } 3012 } 3013 3014 switch (cstate->linktype) { 3015 3016 case DLT_EN10MB: 3017 case DLT_NETANALYZER: 3018 case DLT_NETANALYZER_TRANSPARENT: 3019 /* Geneve has an EtherType regardless of whether there is an 3020 * L2 header. */ 3021 if (!cstate->is_geneve) 3022 b0 = gen_prevlinkhdr_check(cstate); 3023 else 3024 b0 = NULL; 3025 3026 b1 = gen_ether_linktype(cstate, proto); 3027 if (b0 != NULL) 3028 gen_and(b0, b1); 3029 return b1; 3030 /*NOTREACHED*/ 3031 break; 3032 3033 case DLT_C_HDLC: 3034 switch (proto) { 3035 3036 case LLCSAP_ISONS: 3037 proto = (proto << 8 | LLCSAP_ISONS); 3038 /* fall through */ 3039 3040 default: 3041 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3042 /*NOTREACHED*/ 3043 break; 3044 } 3045 break; 3046 3047 case DLT_IEEE802_11: 3048 case DLT_PRISM_HEADER: 3049 case DLT_IEEE802_11_RADIO_AVS: 3050 case DLT_IEEE802_11_RADIO: 3051 case DLT_PPI: 3052 /* 3053 * Check that we have a data frame. 3054 */ 3055 b0 = gen_check_802_11_data_frame(cstate); 3056 3057 /* 3058 * Now check for the specified link-layer type. 3059 */ 3060 b1 = gen_llc_linktype(cstate, proto); 3061 gen_and(b0, b1); 3062 return b1; 3063 /*NOTREACHED*/ 3064 break; 3065 3066 case DLT_FDDI: 3067 /* 3068 * XXX - check for LLC frames. 3069 */ 3070 return gen_llc_linktype(cstate, proto); 3071 /*NOTREACHED*/ 3072 break; 3073 3074 case DLT_IEEE802: 3075 /* 3076 * XXX - check for LLC PDUs, as per IEEE 802.5. 3077 */ 3078 return gen_llc_linktype(cstate, proto); 3079 /*NOTREACHED*/ 3080 break; 3081 3082 case DLT_ATM_RFC1483: 3083 case DLT_ATM_CLIP: 3084 case DLT_IP_OVER_FC: 3085 return gen_llc_linktype(cstate, proto); 3086 /*NOTREACHED*/ 3087 break; 3088 3089 case DLT_SUNATM: 3090 /* 3091 * Check for an LLC-encapsulated version of this protocol; 3092 * if we were checking for LANE, linktype would no longer 3093 * be DLT_SUNATM. 3094 * 3095 * Check for LLC encapsulation and then check the protocol. 3096 */ 3097 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3098 b1 = gen_llc_linktype(cstate, proto); 3099 gen_and(b0, b1); 3100 return b1; 3101 /*NOTREACHED*/ 3102 break; 3103 3104 case DLT_LINUX_SLL: 3105 return gen_linux_sll_linktype(cstate, proto); 3106 /*NOTREACHED*/ 3107 break; 3108 3109 case DLT_SLIP: 3110 case DLT_SLIP_BSDOS: 3111 case DLT_RAW: 3112 /* 3113 * These types don't provide any type field; packets 3114 * are always IPv4 or IPv6. 3115 * 3116 * XXX - for IPv4, check for a version number of 4, and, 3117 * for IPv6, check for a version number of 6? 3118 */ 3119 switch (proto) { 3120 3121 case ETHERTYPE_IP: 3122 /* Check for a version number of 4. */ 3123 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3124 3125 case ETHERTYPE_IPV6: 3126 /* Check for a version number of 6. */ 3127 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3128 3129 default: 3130 return gen_false(cstate); /* always false */ 3131 } 3132 /*NOTREACHED*/ 3133 break; 3134 3135 case DLT_IPV4: 3136 /* 3137 * Raw IPv4, so no type field. 3138 */ 3139 if (proto == ETHERTYPE_IP) 3140 return gen_true(cstate); /* always true */ 3141 3142 /* Checking for something other than IPv4; always false */ 3143 return gen_false(cstate); 3144 /*NOTREACHED*/ 3145 break; 3146 3147 case DLT_IPV6: 3148 /* 3149 * Raw IPv6, so no type field. 3150 */ 3151 if (proto == ETHERTYPE_IPV6) 3152 return gen_true(cstate); /* always true */ 3153 3154 /* Checking for something other than IPv6; always false */ 3155 return gen_false(cstate); 3156 /*NOTREACHED*/ 3157 break; 3158 3159 case DLT_PPP: 3160 case DLT_PPP_PPPD: 3161 case DLT_PPP_SERIAL: 3162 case DLT_PPP_ETHER: 3163 /* 3164 * We use Ethernet protocol types inside libpcap; 3165 * map them to the corresponding PPP protocol types. 3166 */ 3167 proto = ethertype_to_ppptype(proto); 3168 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3169 /*NOTREACHED*/ 3170 break; 3171 3172 case DLT_PPP_BSDOS: 3173 /* 3174 * We use Ethernet protocol types inside libpcap; 3175 * map them to the corresponding PPP protocol types. 3176 */ 3177 switch (proto) { 3178 3179 case ETHERTYPE_IP: 3180 /* 3181 * Also check for Van Jacobson-compressed IP. 3182 * XXX - do this for other forms of PPP? 3183 */ 3184 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3185 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3186 gen_or(b0, b1); 3187 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3188 gen_or(b1, b0); 3189 return b0; 3190 3191 default: 3192 proto = ethertype_to_ppptype(proto); 3193 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3194 (bpf_int32)proto); 3195 } 3196 /*NOTREACHED*/ 3197 break; 3198 3199 case DLT_NULL: 3200 case DLT_LOOP: 3201 case DLT_ENC: 3202 switch (proto) { 3203 3204 case ETHERTYPE_IP: 3205 return (gen_loopback_linktype(cstate, AF_INET)); 3206 3207 case ETHERTYPE_IPV6: 3208 /* 3209 * AF_ values may, unfortunately, be platform- 3210 * dependent; AF_INET isn't, because everybody 3211 * used 4.2BSD's value, but AF_INET6 is, because 3212 * 4.2BSD didn't have a value for it (given that 3213 * IPv6 didn't exist back in the early 1980's), 3214 * and they all picked their own values. 3215 * 3216 * This means that, if we're reading from a 3217 * savefile, we need to check for all the 3218 * possible values. 3219 * 3220 * If we're doing a live capture, we only need 3221 * to check for this platform's value; however, 3222 * Npcap uses 24, which isn't Windows's AF_INET6 3223 * value. (Given the multiple different values, 3224 * programs that read pcap files shouldn't be 3225 * checking for their platform's AF_INET6 value 3226 * anyway, they should check for all of the 3227 * possible values. and they might as well do 3228 * that even for live captures.) 3229 */ 3230 if (cstate->bpf_pcap->rfile != NULL) { 3231 /* 3232 * Savefile - check for all three 3233 * possible IPv6 values. 3234 */ 3235 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3236 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3237 gen_or(b0, b1); 3238 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3239 gen_or(b0, b1); 3240 return (b1); 3241 } else { 3242 /* 3243 * Live capture, so we only need to 3244 * check for the value used on this 3245 * platform. 3246 */ 3247 #ifdef _WIN32 3248 /* 3249 * Npcap doesn't use Windows's AF_INET6, 3250 * as that collides with AF_IPX on 3251 * some BSDs (both have the value 23). 3252 * Instead, it uses 24. 3253 */ 3254 return (gen_loopback_linktype(cstate, 24)); 3255 #else /* _WIN32 */ 3256 #ifdef AF_INET6 3257 return (gen_loopback_linktype(cstate, AF_INET6)); 3258 #else /* AF_INET6 */ 3259 /* 3260 * I guess this platform doesn't support 3261 * IPv6, so we just reject all packets. 3262 */ 3263 return gen_false(cstate); 3264 #endif /* AF_INET6 */ 3265 #endif /* _WIN32 */ 3266 } 3267 3268 default: 3269 /* 3270 * Not a type on which we support filtering. 3271 * XXX - support those that have AF_ values 3272 * #defined on this platform, at least? 3273 */ 3274 return gen_false(cstate); 3275 } 3276 3277 #ifdef HAVE_NET_PFVAR_H 3278 case DLT_PFLOG: 3279 /* 3280 * af field is host byte order in contrast to the rest of 3281 * the packet. 3282 */ 3283 if (proto == ETHERTYPE_IP) 3284 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3285 BPF_B, (bpf_int32)AF_INET)); 3286 else if (proto == ETHERTYPE_IPV6) 3287 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3288 BPF_B, (bpf_int32)AF_INET6)); 3289 else 3290 return gen_false(cstate); 3291 /*NOTREACHED*/ 3292 break; 3293 #endif /* HAVE_NET_PFVAR_H */ 3294 3295 case DLT_ARCNET: 3296 case DLT_ARCNET_LINUX: 3297 /* 3298 * XXX should we check for first fragment if the protocol 3299 * uses PHDS? 3300 */ 3301 switch (proto) { 3302 3303 default: 3304 return gen_false(cstate); 3305 3306 case ETHERTYPE_IPV6: 3307 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3308 (bpf_int32)ARCTYPE_INET6)); 3309 3310 case ETHERTYPE_IP: 3311 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3312 (bpf_int32)ARCTYPE_IP); 3313 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3314 (bpf_int32)ARCTYPE_IP_OLD); 3315 gen_or(b0, b1); 3316 return (b1); 3317 3318 case ETHERTYPE_ARP: 3319 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3320 (bpf_int32)ARCTYPE_ARP); 3321 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3322 (bpf_int32)ARCTYPE_ARP_OLD); 3323 gen_or(b0, b1); 3324 return (b1); 3325 3326 case ETHERTYPE_REVARP: 3327 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3328 (bpf_int32)ARCTYPE_REVARP)); 3329 3330 case ETHERTYPE_ATALK: 3331 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3332 (bpf_int32)ARCTYPE_ATALK)); 3333 } 3334 /*NOTREACHED*/ 3335 break; 3336 3337 case DLT_LTALK: 3338 switch (proto) { 3339 case ETHERTYPE_ATALK: 3340 return gen_true(cstate); 3341 default: 3342 return gen_false(cstate); 3343 } 3344 /*NOTREACHED*/ 3345 break; 3346 3347 case DLT_FRELAY: 3348 /* 3349 * XXX - assumes a 2-byte Frame Relay header with 3350 * DLCI and flags. What if the address is longer? 3351 */ 3352 switch (proto) { 3353 3354 case ETHERTYPE_IP: 3355 /* 3356 * Check for the special NLPID for IP. 3357 */ 3358 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3359 3360 case ETHERTYPE_IPV6: 3361 /* 3362 * Check for the special NLPID for IPv6. 3363 */ 3364 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3365 3366 case LLCSAP_ISONS: 3367 /* 3368 * Check for several OSI protocols. 3369 * 3370 * Frame Relay packets typically have an OSI 3371 * NLPID at the beginning; we check for each 3372 * of them. 3373 * 3374 * What we check for is the NLPID and a frame 3375 * control field of UI, i.e. 0x03 followed 3376 * by the NLPID. 3377 */ 3378 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3379 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3380 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3381 gen_or(b1, b2); 3382 gen_or(b0, b2); 3383 return b2; 3384 3385 default: 3386 return gen_false(cstate); 3387 } 3388 /*NOTREACHED*/ 3389 break; 3390 3391 case DLT_MFR: 3392 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3393 3394 case DLT_JUNIPER_MFR: 3395 case DLT_JUNIPER_MLFR: 3396 case DLT_JUNIPER_MLPPP: 3397 case DLT_JUNIPER_ATM1: 3398 case DLT_JUNIPER_ATM2: 3399 case DLT_JUNIPER_PPPOE: 3400 case DLT_JUNIPER_PPPOE_ATM: 3401 case DLT_JUNIPER_GGSN: 3402 case DLT_JUNIPER_ES: 3403 case DLT_JUNIPER_MONITOR: 3404 case DLT_JUNIPER_SERVICES: 3405 case DLT_JUNIPER_ETHER: 3406 case DLT_JUNIPER_PPP: 3407 case DLT_JUNIPER_FRELAY: 3408 case DLT_JUNIPER_CHDLC: 3409 case DLT_JUNIPER_VP: 3410 case DLT_JUNIPER_ST: 3411 case DLT_JUNIPER_ISM: 3412 case DLT_JUNIPER_VS: 3413 case DLT_JUNIPER_SRX_E2E: 3414 case DLT_JUNIPER_FIBRECHANNEL: 3415 case DLT_JUNIPER_ATM_CEMIC: 3416 3417 /* just lets verify the magic number for now - 3418 * on ATM we may have up to 6 different encapsulations on the wire 3419 * and need a lot of heuristics to figure out that the payload 3420 * might be; 3421 * 3422 * FIXME encapsulation specific BPF_ filters 3423 */ 3424 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3425 3426 case DLT_BACNET_MS_TP: 3427 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3428 3429 case DLT_IPNET: 3430 return gen_ipnet_linktype(cstate, proto); 3431 3432 case DLT_LINUX_IRDA: 3433 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3434 3435 case DLT_DOCSIS: 3436 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3437 3438 case DLT_MTP2: 3439 case DLT_MTP2_WITH_PHDR: 3440 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3441 3442 case DLT_ERF: 3443 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3444 3445 case DLT_PFSYNC: 3446 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3447 3448 case DLT_LINUX_LAPD: 3449 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3450 3451 case DLT_USB_FREEBSD: 3452 case DLT_USB_LINUX: 3453 case DLT_USB_LINUX_MMAPPED: 3454 case DLT_USBPCAP: 3455 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3456 3457 case DLT_BLUETOOTH_HCI_H4: 3458 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3459 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3460 3461 case DLT_CAN20B: 3462 case DLT_CAN_SOCKETCAN: 3463 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3464 3465 case DLT_IEEE802_15_4: 3466 case DLT_IEEE802_15_4_LINUX: 3467 case DLT_IEEE802_15_4_NONASK_PHY: 3468 case DLT_IEEE802_15_4_NOFCS: 3469 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3470 3471 case DLT_IEEE802_16_MAC_CPS_RADIO: 3472 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3473 3474 case DLT_SITA: 3475 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3476 3477 case DLT_RAIF1: 3478 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3479 3480 case DLT_IPMB: 3481 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3482 3483 case DLT_AX25_KISS: 3484 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3485 3486 case DLT_NFLOG: 3487 /* Using the fixed-size NFLOG header it is possible to tell only 3488 * the address family of the packet, other meaningful data is 3489 * either missing or behind TLVs. 3490 */ 3491 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3492 3493 default: 3494 /* 3495 * Does this link-layer header type have a field 3496 * indicating the type of the next protocol? If 3497 * so, off_linktype.constant_part will be the offset of that 3498 * field in the packet; if not, it will be OFFSET_NOT_SET. 3499 */ 3500 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3501 /* 3502 * Yes; assume it's an Ethernet type. (If 3503 * it's not, it needs to be handled specially 3504 * above.) 3505 */ 3506 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3507 } else { 3508 /* 3509 * No; report an error. 3510 */ 3511 description = pcap_datalink_val_to_description(cstate->linktype); 3512 if (description != NULL) { 3513 bpf_error(cstate, "%s link-layer type filtering not implemented", 3514 description); 3515 } else { 3516 bpf_error(cstate, "DLT %u link-layer type filtering not implemented", 3517 cstate->linktype); 3518 } 3519 } 3520 break; 3521 } 3522 } 3523 3524 /* 3525 * Check for an LLC SNAP packet with a given organization code and 3526 * protocol type; we check the entire contents of the 802.2 LLC and 3527 * snap headers, checking for DSAP and SSAP of SNAP and a control 3528 * field of 0x03 in the LLC header, and for the specified organization 3529 * code and protocol type in the SNAP header. 3530 */ 3531 static struct block * 3532 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3533 { 3534 u_char snapblock[8]; 3535 3536 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3537 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3538 snapblock[2] = 0x03; /* control = UI */ 3539 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3540 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3541 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3542 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3543 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3544 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3545 } 3546 3547 /* 3548 * Generate code to match frames with an LLC header. 3549 */ 3550 struct block * 3551 gen_llc(compiler_state_t *cstate) 3552 { 3553 struct block *b0, *b1; 3554 3555 switch (cstate->linktype) { 3556 3557 case DLT_EN10MB: 3558 /* 3559 * We check for an Ethernet type field less than 3560 * 1500, which means it's an 802.3 length field. 3561 */ 3562 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3563 gen_not(b0); 3564 3565 /* 3566 * Now check for the purported DSAP and SSAP not being 3567 * 0xFF, to rule out NetWare-over-802.3. 3568 */ 3569 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3570 gen_not(b1); 3571 gen_and(b0, b1); 3572 return b1; 3573 3574 case DLT_SUNATM: 3575 /* 3576 * We check for LLC traffic. 3577 */ 3578 b0 = gen_atmtype_abbrev(cstate, A_LLC); 3579 return b0; 3580 3581 case DLT_IEEE802: /* Token Ring */ 3582 /* 3583 * XXX - check for LLC frames. 3584 */ 3585 return gen_true(cstate); 3586 3587 case DLT_FDDI: 3588 /* 3589 * XXX - check for LLC frames. 3590 */ 3591 return gen_true(cstate); 3592 3593 case DLT_ATM_RFC1483: 3594 /* 3595 * For LLC encapsulation, these are defined to have an 3596 * 802.2 LLC header. 3597 * 3598 * For VC encapsulation, they don't, but there's no 3599 * way to check for that; the protocol used on the VC 3600 * is negotiated out of band. 3601 */ 3602 return gen_true(cstate); 3603 3604 case DLT_IEEE802_11: 3605 case DLT_PRISM_HEADER: 3606 case DLT_IEEE802_11_RADIO: 3607 case DLT_IEEE802_11_RADIO_AVS: 3608 case DLT_PPI: 3609 /* 3610 * Check that we have a data frame. 3611 */ 3612 b0 = gen_check_802_11_data_frame(cstate); 3613 return b0; 3614 3615 default: 3616 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype); 3617 /* NOTREACHED */ 3618 } 3619 } 3620 3621 struct block * 3622 gen_llc_i(compiler_state_t *cstate) 3623 { 3624 struct block *b0, *b1; 3625 struct slist *s; 3626 3627 /* 3628 * Check whether this is an LLC frame. 3629 */ 3630 b0 = gen_llc(cstate); 3631 3632 /* 3633 * Load the control byte and test the low-order bit; it must 3634 * be clear for I frames. 3635 */ 3636 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3637 b1 = new_block(cstate, JMP(BPF_JSET)); 3638 b1->s.k = 0x01; 3639 b1->stmts = s; 3640 gen_not(b1); 3641 gen_and(b0, b1); 3642 return b1; 3643 } 3644 3645 struct block * 3646 gen_llc_s(compiler_state_t *cstate) 3647 { 3648 struct block *b0, *b1; 3649 3650 /* 3651 * Check whether this is an LLC frame. 3652 */ 3653 b0 = gen_llc(cstate); 3654 3655 /* 3656 * Now compare the low-order 2 bit of the control byte against 3657 * the appropriate value for S frames. 3658 */ 3659 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3660 gen_and(b0, b1); 3661 return b1; 3662 } 3663 3664 struct block * 3665 gen_llc_u(compiler_state_t *cstate) 3666 { 3667 struct block *b0, *b1; 3668 3669 /* 3670 * Check whether this is an LLC frame. 3671 */ 3672 b0 = gen_llc(cstate); 3673 3674 /* 3675 * Now compare the low-order 2 bit of the control byte against 3676 * the appropriate value for U frames. 3677 */ 3678 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3679 gen_and(b0, b1); 3680 return b1; 3681 } 3682 3683 struct block * 3684 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3685 { 3686 struct block *b0, *b1; 3687 3688 /* 3689 * Check whether this is an LLC frame. 3690 */ 3691 b0 = gen_llc(cstate); 3692 3693 /* 3694 * Now check for an S frame with the appropriate type. 3695 */ 3696 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3697 gen_and(b0, b1); 3698 return b1; 3699 } 3700 3701 struct block * 3702 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3703 { 3704 struct block *b0, *b1; 3705 3706 /* 3707 * Check whether this is an LLC frame. 3708 */ 3709 b0 = gen_llc(cstate); 3710 3711 /* 3712 * Now check for a U frame with the appropriate type. 3713 */ 3714 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3715 gen_and(b0, b1); 3716 return b1; 3717 } 3718 3719 /* 3720 * Generate code to match a particular packet type, for link-layer types 3721 * using 802.2 LLC headers. 3722 * 3723 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3724 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3725 * 3726 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3727 * value, if <= ETHERMTU. We use that to determine whether to 3728 * match the DSAP or both DSAP and LSAP or to check the OUI and 3729 * protocol ID in a SNAP header. 3730 */ 3731 static struct block * 3732 gen_llc_linktype(compiler_state_t *cstate, int proto) 3733 { 3734 /* 3735 * XXX - handle token-ring variable-length header. 3736 */ 3737 switch (proto) { 3738 3739 case LLCSAP_IP: 3740 case LLCSAP_ISONS: 3741 case LLCSAP_NETBEUI: 3742 /* 3743 * XXX - should we check both the DSAP and the 3744 * SSAP, like this, or should we check just the 3745 * DSAP, as we do for other SAP values? 3746 */ 3747 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3748 ((proto << 8) | proto)); 3749 3750 case LLCSAP_IPX: 3751 /* 3752 * XXX - are there ever SNAP frames for IPX on 3753 * non-Ethernet 802.x networks? 3754 */ 3755 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3756 (bpf_int32)LLCSAP_IPX); 3757 3758 case ETHERTYPE_ATALK: 3759 /* 3760 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3761 * SNAP packets with an organization code of 3762 * 0x080007 (Apple, for Appletalk) and a protocol 3763 * type of ETHERTYPE_ATALK (Appletalk). 3764 * 3765 * XXX - check for an organization code of 3766 * encapsulated Ethernet as well? 3767 */ 3768 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3769 3770 default: 3771 /* 3772 * XXX - we don't have to check for IPX 802.3 3773 * here, but should we check for the IPX Ethertype? 3774 */ 3775 if (proto <= ETHERMTU) { 3776 /* 3777 * This is an LLC SAP value, so check 3778 * the DSAP. 3779 */ 3780 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3781 } else { 3782 /* 3783 * This is an Ethernet type; we assume that it's 3784 * unlikely that it'll appear in the right place 3785 * at random, and therefore check only the 3786 * location that would hold the Ethernet type 3787 * in a SNAP frame with an organization code of 3788 * 0x000000 (encapsulated Ethernet). 3789 * 3790 * XXX - if we were to check for the SNAP DSAP and 3791 * LSAP, as per XXX, and were also to check for an 3792 * organization code of 0x000000 (encapsulated 3793 * Ethernet), we'd do 3794 * 3795 * return gen_snap(cstate, 0x000000, proto); 3796 * 3797 * here; for now, we don't, as per the above. 3798 * I don't know whether it's worth the extra CPU 3799 * time to do the right check or not. 3800 */ 3801 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3802 } 3803 } 3804 } 3805 3806 static struct block * 3807 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3808 int dir, int proto, u_int src_off, u_int dst_off) 3809 { 3810 struct block *b0, *b1; 3811 u_int offset; 3812 3813 switch (dir) { 3814 3815 case Q_SRC: 3816 offset = src_off; 3817 break; 3818 3819 case Q_DST: 3820 offset = dst_off; 3821 break; 3822 3823 case Q_AND: 3824 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3825 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3826 gen_and(b0, b1); 3827 return b1; 3828 3829 case Q_OR: 3830 case Q_DEFAULT: 3831 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3832 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3833 gen_or(b0, b1); 3834 return b1; 3835 3836 default: 3837 abort(); 3838 } 3839 b0 = gen_linktype(cstate, proto); 3840 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3841 gen_and(b0, b1); 3842 return b1; 3843 } 3844 3845 #ifdef INET6 3846 static struct block * 3847 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 3848 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 3849 { 3850 struct block *b0, *b1; 3851 u_int offset; 3852 u_int32_t *a, *m; 3853 3854 switch (dir) { 3855 3856 case Q_SRC: 3857 offset = src_off; 3858 break; 3859 3860 case Q_DST: 3861 offset = dst_off; 3862 break; 3863 3864 case Q_AND: 3865 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3866 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3867 gen_and(b0, b1); 3868 return b1; 3869 3870 case Q_OR: 3871 case Q_DEFAULT: 3872 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3873 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3874 gen_or(b0, b1); 3875 return b1; 3876 3877 default: 3878 abort(); 3879 } 3880 /* this order is important */ 3881 a = (u_int32_t *)addr; 3882 m = (u_int32_t *)mask; 3883 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3884 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3885 gen_and(b0, b1); 3886 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3887 gen_and(b0, b1); 3888 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3889 gen_and(b0, b1); 3890 b0 = gen_linktype(cstate, proto); 3891 gen_and(b0, b1); 3892 return b1; 3893 } 3894 #endif 3895 3896 static struct block * 3897 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3898 { 3899 register struct block *b0, *b1; 3900 3901 switch (dir) { 3902 case Q_SRC: 3903 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 3904 3905 case Q_DST: 3906 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 3907 3908 case Q_AND: 3909 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3910 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3911 gen_and(b0, b1); 3912 return b1; 3913 3914 case Q_DEFAULT: 3915 case Q_OR: 3916 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3917 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3918 gen_or(b0, b1); 3919 return b1; 3920 3921 case Q_ADDR1: 3922 bpf_error(cstate, "'addr1' is only supported on 802.11 with 802.11 headers"); 3923 break; 3924 3925 case Q_ADDR2: 3926 bpf_error(cstate, "'addr2' is only supported on 802.11 with 802.11 headers"); 3927 break; 3928 3929 case Q_ADDR3: 3930 bpf_error(cstate, "'addr3' is only supported on 802.11 with 802.11 headers"); 3931 break; 3932 3933 case Q_ADDR4: 3934 bpf_error(cstate, "'addr4' is only supported on 802.11 with 802.11 headers"); 3935 break; 3936 3937 case Q_RA: 3938 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 3939 break; 3940 3941 case Q_TA: 3942 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 3943 break; 3944 } 3945 abort(); 3946 /* NOTREACHED */ 3947 } 3948 3949 /* 3950 * Like gen_ehostop, but for DLT_FDDI 3951 */ 3952 static struct block * 3953 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3954 { 3955 struct block *b0, *b1; 3956 3957 switch (dir) { 3958 case Q_SRC: 3959 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 3960 3961 case Q_DST: 3962 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 3963 3964 case Q_AND: 3965 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3966 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3967 gen_and(b0, b1); 3968 return b1; 3969 3970 case Q_DEFAULT: 3971 case Q_OR: 3972 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3973 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3974 gen_or(b0, b1); 3975 return b1; 3976 3977 case Q_ADDR1: 3978 bpf_error(cstate, "'addr1' is only supported on 802.11"); 3979 break; 3980 3981 case Q_ADDR2: 3982 bpf_error(cstate, "'addr2' is only supported on 802.11"); 3983 break; 3984 3985 case Q_ADDR3: 3986 bpf_error(cstate, "'addr3' is only supported on 802.11"); 3987 break; 3988 3989 case Q_ADDR4: 3990 bpf_error(cstate, "'addr4' is only supported on 802.11"); 3991 break; 3992 3993 case Q_RA: 3994 bpf_error(cstate, "'ra' is only supported on 802.11"); 3995 break; 3996 3997 case Q_TA: 3998 bpf_error(cstate, "'ta' is only supported on 802.11"); 3999 break; 4000 } 4001 abort(); 4002 /* NOTREACHED */ 4003 } 4004 4005 /* 4006 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4007 */ 4008 static struct block * 4009 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4010 { 4011 register struct block *b0, *b1; 4012 4013 switch (dir) { 4014 case Q_SRC: 4015 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4016 4017 case Q_DST: 4018 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4019 4020 case Q_AND: 4021 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4022 b1 = gen_thostop(cstate, eaddr, Q_DST); 4023 gen_and(b0, b1); 4024 return b1; 4025 4026 case Q_DEFAULT: 4027 case Q_OR: 4028 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4029 b1 = gen_thostop(cstate, eaddr, Q_DST); 4030 gen_or(b0, b1); 4031 return b1; 4032 4033 case Q_ADDR1: 4034 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4035 break; 4036 4037 case Q_ADDR2: 4038 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4039 break; 4040 4041 case Q_ADDR3: 4042 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4043 break; 4044 4045 case Q_ADDR4: 4046 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4047 break; 4048 4049 case Q_RA: 4050 bpf_error(cstate, "'ra' is only supported on 802.11"); 4051 break; 4052 4053 case Q_TA: 4054 bpf_error(cstate, "'ta' is only supported on 802.11"); 4055 break; 4056 } 4057 abort(); 4058 /* NOTREACHED */ 4059 } 4060 4061 /* 4062 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4063 * various 802.11 + radio headers. 4064 */ 4065 static struct block * 4066 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4067 { 4068 register struct block *b0, *b1, *b2; 4069 register struct slist *s; 4070 4071 #ifdef ENABLE_WLAN_FILTERING_PATCH 4072 /* 4073 * TODO GV 20070613 4074 * We need to disable the optimizer because the optimizer is buggy 4075 * and wipes out some LD instructions generated by the below 4076 * code to validate the Frame Control bits 4077 */ 4078 cstate->no_optimize = 1; 4079 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4080 4081 switch (dir) { 4082 case Q_SRC: 4083 /* 4084 * Oh, yuk. 4085 * 4086 * For control frames, there is no SA. 4087 * 4088 * For management frames, SA is at an 4089 * offset of 10 from the beginning of 4090 * the packet. 4091 * 4092 * For data frames, SA is at an offset 4093 * of 10 from the beginning of the packet 4094 * if From DS is clear, at an offset of 4095 * 16 from the beginning of the packet 4096 * if From DS is set and To DS is clear, 4097 * and an offset of 24 from the beginning 4098 * of the packet if From DS is set and To DS 4099 * is set. 4100 */ 4101 4102 /* 4103 * Generate the tests to be done for data frames 4104 * with From DS set. 4105 * 4106 * First, check for To DS set, i.e. check "link[1] & 0x01". 4107 */ 4108 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4109 b1 = new_block(cstate, JMP(BPF_JSET)); 4110 b1->s.k = 0x01; /* To DS */ 4111 b1->stmts = s; 4112 4113 /* 4114 * If To DS is set, the SA is at 24. 4115 */ 4116 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4117 gen_and(b1, b0); 4118 4119 /* 4120 * Now, check for To DS not set, i.e. check 4121 * "!(link[1] & 0x01)". 4122 */ 4123 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4124 b2 = new_block(cstate, JMP(BPF_JSET)); 4125 b2->s.k = 0x01; /* To DS */ 4126 b2->stmts = s; 4127 gen_not(b2); 4128 4129 /* 4130 * If To DS is not set, the SA is at 16. 4131 */ 4132 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4133 gen_and(b2, b1); 4134 4135 /* 4136 * Now OR together the last two checks. That gives 4137 * the complete set of checks for data frames with 4138 * From DS set. 4139 */ 4140 gen_or(b1, b0); 4141 4142 /* 4143 * Now check for From DS being set, and AND that with 4144 * the ORed-together checks. 4145 */ 4146 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4147 b1 = new_block(cstate, JMP(BPF_JSET)); 4148 b1->s.k = 0x02; /* From DS */ 4149 b1->stmts = s; 4150 gen_and(b1, b0); 4151 4152 /* 4153 * Now check for data frames with From DS not set. 4154 */ 4155 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4156 b2 = new_block(cstate, JMP(BPF_JSET)); 4157 b2->s.k = 0x02; /* From DS */ 4158 b2->stmts = s; 4159 gen_not(b2); 4160 4161 /* 4162 * If From DS isn't set, the SA is at 10. 4163 */ 4164 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4165 gen_and(b2, b1); 4166 4167 /* 4168 * Now OR together the checks for data frames with 4169 * From DS not set and for data frames with From DS 4170 * set; that gives the checks done for data frames. 4171 */ 4172 gen_or(b1, b0); 4173 4174 /* 4175 * Now check for a data frame. 4176 * I.e, check "link[0] & 0x08". 4177 */ 4178 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4179 b1 = new_block(cstate, JMP(BPF_JSET)); 4180 b1->s.k = 0x08; 4181 b1->stmts = s; 4182 4183 /* 4184 * AND that with the checks done for data frames. 4185 */ 4186 gen_and(b1, b0); 4187 4188 /* 4189 * If the high-order bit of the type value is 0, this 4190 * is a management frame. 4191 * I.e, check "!(link[0] & 0x08)". 4192 */ 4193 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4194 b2 = new_block(cstate, JMP(BPF_JSET)); 4195 b2->s.k = 0x08; 4196 b2->stmts = s; 4197 gen_not(b2); 4198 4199 /* 4200 * For management frames, the SA is at 10. 4201 */ 4202 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4203 gen_and(b2, b1); 4204 4205 /* 4206 * OR that with the checks done for data frames. 4207 * That gives the checks done for management and 4208 * data frames. 4209 */ 4210 gen_or(b1, b0); 4211 4212 /* 4213 * If the low-order bit of the type value is 1, 4214 * this is either a control frame or a frame 4215 * with a reserved type, and thus not a 4216 * frame with an SA. 4217 * 4218 * I.e., check "!(link[0] & 0x04)". 4219 */ 4220 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4221 b1 = new_block(cstate, JMP(BPF_JSET)); 4222 b1->s.k = 0x04; 4223 b1->stmts = s; 4224 gen_not(b1); 4225 4226 /* 4227 * AND that with the checks for data and management 4228 * frames. 4229 */ 4230 gen_and(b1, b0); 4231 return b0; 4232 4233 case Q_DST: 4234 /* 4235 * Oh, yuk. 4236 * 4237 * For control frames, there is no DA. 4238 * 4239 * For management frames, DA is at an 4240 * offset of 4 from the beginning of 4241 * the packet. 4242 * 4243 * For data frames, DA is at an offset 4244 * of 4 from the beginning of the packet 4245 * if To DS is clear and at an offset of 4246 * 16 from the beginning of the packet 4247 * if To DS is set. 4248 */ 4249 4250 /* 4251 * Generate the tests to be done for data frames. 4252 * 4253 * First, check for To DS set, i.e. "link[1] & 0x01". 4254 */ 4255 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4256 b1 = new_block(cstate, JMP(BPF_JSET)); 4257 b1->s.k = 0x01; /* To DS */ 4258 b1->stmts = s; 4259 4260 /* 4261 * If To DS is set, the DA is at 16. 4262 */ 4263 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4264 gen_and(b1, b0); 4265 4266 /* 4267 * Now, check for To DS not set, i.e. check 4268 * "!(link[1] & 0x01)". 4269 */ 4270 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4271 b2 = new_block(cstate, JMP(BPF_JSET)); 4272 b2->s.k = 0x01; /* To DS */ 4273 b2->stmts = s; 4274 gen_not(b2); 4275 4276 /* 4277 * If To DS is not set, the DA is at 4. 4278 */ 4279 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4280 gen_and(b2, b1); 4281 4282 /* 4283 * Now OR together the last two checks. That gives 4284 * the complete set of checks for data frames. 4285 */ 4286 gen_or(b1, b0); 4287 4288 /* 4289 * Now check for a data frame. 4290 * I.e, check "link[0] & 0x08". 4291 */ 4292 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4293 b1 = new_block(cstate, JMP(BPF_JSET)); 4294 b1->s.k = 0x08; 4295 b1->stmts = s; 4296 4297 /* 4298 * AND that with the checks done for data frames. 4299 */ 4300 gen_and(b1, b0); 4301 4302 /* 4303 * If the high-order bit of the type value is 0, this 4304 * is a management frame. 4305 * I.e, check "!(link[0] & 0x08)". 4306 */ 4307 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4308 b2 = new_block(cstate, JMP(BPF_JSET)); 4309 b2->s.k = 0x08; 4310 b2->stmts = s; 4311 gen_not(b2); 4312 4313 /* 4314 * For management frames, the DA is at 4. 4315 */ 4316 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4317 gen_and(b2, b1); 4318 4319 /* 4320 * OR that with the checks done for data frames. 4321 * That gives the checks done for management and 4322 * data frames. 4323 */ 4324 gen_or(b1, b0); 4325 4326 /* 4327 * If the low-order bit of the type value is 1, 4328 * this is either a control frame or a frame 4329 * with a reserved type, and thus not a 4330 * frame with an SA. 4331 * 4332 * I.e., check "!(link[0] & 0x04)". 4333 */ 4334 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4335 b1 = new_block(cstate, JMP(BPF_JSET)); 4336 b1->s.k = 0x04; 4337 b1->stmts = s; 4338 gen_not(b1); 4339 4340 /* 4341 * AND that with the checks for data and management 4342 * frames. 4343 */ 4344 gen_and(b1, b0); 4345 return b0; 4346 4347 case Q_RA: 4348 /* 4349 * Not present in management frames; addr1 in other 4350 * frames. 4351 */ 4352 4353 /* 4354 * If the high-order bit of the type value is 0, this 4355 * is a management frame. 4356 * I.e, check "(link[0] & 0x08)". 4357 */ 4358 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4359 b1 = new_block(cstate, JMP(BPF_JSET)); 4360 b1->s.k = 0x08; 4361 b1->stmts = s; 4362 4363 /* 4364 * Check addr1. 4365 */ 4366 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4367 4368 /* 4369 * AND that with the check of addr1. 4370 */ 4371 gen_and(b1, b0); 4372 return (b0); 4373 4374 case Q_TA: 4375 /* 4376 * Not present in management frames; addr2, if present, 4377 * in other frames. 4378 */ 4379 4380 /* 4381 * Not present in CTS or ACK control frames. 4382 */ 4383 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4384 IEEE80211_FC0_TYPE_MASK); 4385 gen_not(b0); 4386 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4387 IEEE80211_FC0_SUBTYPE_MASK); 4388 gen_not(b1); 4389 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4390 IEEE80211_FC0_SUBTYPE_MASK); 4391 gen_not(b2); 4392 gen_and(b1, b2); 4393 gen_or(b0, b2); 4394 4395 /* 4396 * If the high-order bit of the type value is 0, this 4397 * is a management frame. 4398 * I.e, check "(link[0] & 0x08)". 4399 */ 4400 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4401 b1 = new_block(cstate, JMP(BPF_JSET)); 4402 b1->s.k = 0x08; 4403 b1->stmts = s; 4404 4405 /* 4406 * AND that with the check for frames other than 4407 * CTS and ACK frames. 4408 */ 4409 gen_and(b1, b2); 4410 4411 /* 4412 * Check addr2. 4413 */ 4414 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4415 gen_and(b2, b1); 4416 return b1; 4417 4418 /* 4419 * XXX - add BSSID keyword? 4420 */ 4421 case Q_ADDR1: 4422 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4423 4424 case Q_ADDR2: 4425 /* 4426 * Not present in CTS or ACK control frames. 4427 */ 4428 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4429 IEEE80211_FC0_TYPE_MASK); 4430 gen_not(b0); 4431 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4432 IEEE80211_FC0_SUBTYPE_MASK); 4433 gen_not(b1); 4434 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4435 IEEE80211_FC0_SUBTYPE_MASK); 4436 gen_not(b2); 4437 gen_and(b1, b2); 4438 gen_or(b0, b2); 4439 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4440 gen_and(b2, b1); 4441 return b1; 4442 4443 case Q_ADDR3: 4444 /* 4445 * Not present in control frames. 4446 */ 4447 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4448 IEEE80211_FC0_TYPE_MASK); 4449 gen_not(b0); 4450 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4451 gen_and(b0, b1); 4452 return b1; 4453 4454 case Q_ADDR4: 4455 /* 4456 * Present only if the direction mask has both "From DS" 4457 * and "To DS" set. Neither control frames nor management 4458 * frames should have both of those set, so we don't 4459 * check the frame type. 4460 */ 4461 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4462 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4463 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4464 gen_and(b0, b1); 4465 return b1; 4466 4467 case Q_AND: 4468 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4469 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4470 gen_and(b0, b1); 4471 return b1; 4472 4473 case Q_DEFAULT: 4474 case Q_OR: 4475 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4476 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4477 gen_or(b0, b1); 4478 return b1; 4479 } 4480 abort(); 4481 /* NOTREACHED */ 4482 } 4483 4484 /* 4485 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4486 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4487 * as the RFC states.) 4488 */ 4489 static struct block * 4490 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4491 { 4492 register struct block *b0, *b1; 4493 4494 switch (dir) { 4495 case Q_SRC: 4496 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4497 4498 case Q_DST: 4499 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4500 4501 case Q_AND: 4502 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4503 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4504 gen_and(b0, b1); 4505 return b1; 4506 4507 case Q_DEFAULT: 4508 case Q_OR: 4509 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4510 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4511 gen_or(b0, b1); 4512 return b1; 4513 4514 case Q_ADDR1: 4515 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4516 break; 4517 4518 case Q_ADDR2: 4519 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4520 break; 4521 4522 case Q_ADDR3: 4523 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4524 break; 4525 4526 case Q_ADDR4: 4527 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4528 break; 4529 4530 case Q_RA: 4531 bpf_error(cstate, "'ra' is only supported on 802.11"); 4532 break; 4533 4534 case Q_TA: 4535 bpf_error(cstate, "'ta' is only supported on 802.11"); 4536 break; 4537 } 4538 abort(); 4539 /* NOTREACHED */ 4540 } 4541 4542 /* 4543 * This is quite tricky because there may be pad bytes in front of the 4544 * DECNET header, and then there are two possible data packet formats that 4545 * carry both src and dst addresses, plus 5 packet types in a format that 4546 * carries only the src node, plus 2 types that use a different format and 4547 * also carry just the src node. 4548 * 4549 * Yuck. 4550 * 4551 * Instead of doing those all right, we just look for data packets with 4552 * 0 or 1 bytes of padding. If you want to look at other packets, that 4553 * will require a lot more hacking. 4554 * 4555 * To add support for filtering on DECNET "areas" (network numbers) 4556 * one would want to add a "mask" argument to this routine. That would 4557 * make the filter even more inefficient, although one could be clever 4558 * and not generate masking instructions if the mask is 0xFFFF. 4559 */ 4560 static struct block * 4561 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4562 { 4563 struct block *b0, *b1, *b2, *tmp; 4564 u_int offset_lh; /* offset if long header is received */ 4565 u_int offset_sh; /* offset if short header is received */ 4566 4567 switch (dir) { 4568 4569 case Q_DST: 4570 offset_sh = 1; /* follows flags */ 4571 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4572 break; 4573 4574 case Q_SRC: 4575 offset_sh = 3; /* follows flags, dstnode */ 4576 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4577 break; 4578 4579 case Q_AND: 4580 /* Inefficient because we do our Calvinball dance twice */ 4581 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4582 b1 = gen_dnhostop(cstate, addr, Q_DST); 4583 gen_and(b0, b1); 4584 return b1; 4585 4586 case Q_OR: 4587 case Q_DEFAULT: 4588 /* Inefficient because we do our Calvinball dance twice */ 4589 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4590 b1 = gen_dnhostop(cstate, addr, Q_DST); 4591 gen_or(b0, b1); 4592 return b1; 4593 4594 case Q_ISO: 4595 bpf_error(cstate, "ISO host filtering not implemented"); 4596 4597 default: 4598 abort(); 4599 } 4600 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4601 /* Check for pad = 1, long header case */ 4602 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4603 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4604 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4605 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4606 gen_and(tmp, b1); 4607 /* Check for pad = 0, long header case */ 4608 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4609 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4610 gen_and(tmp, b2); 4611 gen_or(b2, b1); 4612 /* Check for pad = 1, short header case */ 4613 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4614 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4615 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4616 gen_and(tmp, b2); 4617 gen_or(b2, b1); 4618 /* Check for pad = 0, short header case */ 4619 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4620 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4621 gen_and(tmp, b2); 4622 gen_or(b2, b1); 4623 4624 /* Combine with test for cstate->linktype */ 4625 gen_and(b0, b1); 4626 return b1; 4627 } 4628 4629 /* 4630 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4631 * test the bottom-of-stack bit, and then check the version number 4632 * field in the IP header. 4633 */ 4634 static struct block * 4635 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4636 { 4637 struct block *b0, *b1; 4638 4639 switch (proto) { 4640 4641 case Q_IP: 4642 /* match the bottom-of-stack bit */ 4643 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4644 /* match the IPv4 version number */ 4645 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4646 gen_and(b0, b1); 4647 return b1; 4648 4649 case Q_IPV6: 4650 /* match the bottom-of-stack bit */ 4651 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4652 /* match the IPv4 version number */ 4653 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4654 gen_and(b0, b1); 4655 return b1; 4656 4657 default: 4658 abort(); 4659 } 4660 } 4661 4662 static struct block * 4663 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4664 int proto, int dir, int type) 4665 { 4666 struct block *b0, *b1; 4667 const char *typestr; 4668 4669 if (type == Q_NET) 4670 typestr = "net"; 4671 else 4672 typestr = "host"; 4673 4674 switch (proto) { 4675 4676 case Q_DEFAULT: 4677 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4678 /* 4679 * Only check for non-IPv4 addresses if we're not 4680 * checking MPLS-encapsulated packets. 4681 */ 4682 if (cstate->label_stack_depth == 0) { 4683 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4684 gen_or(b0, b1); 4685 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4686 gen_or(b1, b0); 4687 } 4688 return b0; 4689 4690 case Q_IP: 4691 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4692 4693 case Q_RARP: 4694 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4695 4696 case Q_ARP: 4697 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4698 4699 case Q_TCP: 4700 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4701 4702 case Q_SCTP: 4703 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4704 4705 case Q_UDP: 4706 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4707 4708 case Q_ICMP: 4709 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4710 4711 case Q_IGMP: 4712 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4713 4714 case Q_IGRP: 4715 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4716 4717 case Q_PIM: 4718 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4719 4720 case Q_VRRP: 4721 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4722 4723 case Q_CARP: 4724 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4725 4726 case Q_ATALK: 4727 bpf_error(cstate, "ATALK host filtering not implemented"); 4728 4729 case Q_AARP: 4730 bpf_error(cstate, "AARP host filtering not implemented"); 4731 4732 case Q_DECNET: 4733 return gen_dnhostop(cstate, addr, dir); 4734 4735 case Q_SCA: 4736 bpf_error(cstate, "SCA host filtering not implemented"); 4737 4738 case Q_LAT: 4739 bpf_error(cstate, "LAT host filtering not implemented"); 4740 4741 case Q_MOPDL: 4742 bpf_error(cstate, "MOPDL host filtering not implemented"); 4743 4744 case Q_MOPRC: 4745 bpf_error(cstate, "MOPRC host filtering not implemented"); 4746 4747 case Q_IPV6: 4748 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4749 4750 case Q_ICMPV6: 4751 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4752 4753 case Q_AH: 4754 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4755 4756 case Q_ESP: 4757 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4758 4759 case Q_ISO: 4760 bpf_error(cstate, "ISO host filtering not implemented"); 4761 4762 case Q_ESIS: 4763 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4764 4765 case Q_ISIS: 4766 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4767 4768 case Q_CLNP: 4769 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4770 4771 case Q_STP: 4772 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4773 4774 case Q_IPX: 4775 bpf_error(cstate, "IPX host filtering not implemented"); 4776 4777 case Q_NETBEUI: 4778 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4779 4780 case Q_RADIO: 4781 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4782 4783 default: 4784 abort(); 4785 } 4786 /* NOTREACHED */ 4787 } 4788 4789 #ifdef INET6 4790 static struct block * 4791 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 4792 struct in6_addr *mask, int proto, int dir, int type) 4793 { 4794 const char *typestr; 4795 4796 if (type == Q_NET) 4797 typestr = "net"; 4798 else 4799 typestr = "host"; 4800 4801 switch (proto) { 4802 4803 case Q_DEFAULT: 4804 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 4805 4806 case Q_LINK: 4807 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 4808 4809 case Q_IP: 4810 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 4811 4812 case Q_RARP: 4813 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 4814 4815 case Q_ARP: 4816 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 4817 4818 case Q_SCTP: 4819 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4820 4821 case Q_TCP: 4822 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4823 4824 case Q_UDP: 4825 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4826 4827 case Q_ICMP: 4828 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4829 4830 case Q_IGMP: 4831 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4832 4833 case Q_IGRP: 4834 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4835 4836 case Q_PIM: 4837 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4838 4839 case Q_VRRP: 4840 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4841 4842 case Q_CARP: 4843 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4844 4845 case Q_ATALK: 4846 bpf_error(cstate, "ATALK host filtering not implemented"); 4847 4848 case Q_AARP: 4849 bpf_error(cstate, "AARP host filtering not implemented"); 4850 4851 case Q_DECNET: 4852 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 4853 4854 case Q_SCA: 4855 bpf_error(cstate, "SCA host filtering not implemented"); 4856 4857 case Q_LAT: 4858 bpf_error(cstate, "LAT host filtering not implemented"); 4859 4860 case Q_MOPDL: 4861 bpf_error(cstate, "MOPDL host filtering not implemented"); 4862 4863 case Q_MOPRC: 4864 bpf_error(cstate, "MOPRC host filtering not implemented"); 4865 4866 case Q_IPV6: 4867 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4868 4869 case Q_ICMPV6: 4870 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4871 4872 case Q_AH: 4873 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4874 4875 case Q_ESP: 4876 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4877 4878 case Q_ISO: 4879 bpf_error(cstate, "ISO host filtering not implemented"); 4880 4881 case Q_ESIS: 4882 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4883 4884 case Q_ISIS: 4885 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4886 4887 case Q_CLNP: 4888 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4889 4890 case Q_STP: 4891 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4892 4893 case Q_IPX: 4894 bpf_error(cstate, "IPX host filtering not implemented"); 4895 4896 case Q_NETBEUI: 4897 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4898 4899 case Q_RADIO: 4900 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4901 4902 default: 4903 abort(); 4904 } 4905 /* NOTREACHED */ 4906 } 4907 #endif 4908 4909 #ifndef INET6 4910 static struct block * 4911 gen_gateway(eaddr, alist, proto, dir) 4912 const u_char *eaddr; 4913 bpf_u_int32 **alist; 4914 int proto; 4915 int dir; 4916 { 4917 struct block *b0, *b1, *tmp; 4918 4919 if (dir != 0) 4920 bpf_error(cstate, "direction applied to 'gateway'"); 4921 4922 switch (proto) { 4923 case Q_DEFAULT: 4924 case Q_IP: 4925 case Q_ARP: 4926 case Q_RARP: 4927 switch (cstate->linktype) { 4928 case DLT_EN10MB: 4929 case DLT_NETANALYZER: 4930 case DLT_NETANALYZER_TRANSPARENT: 4931 b1 = gen_prevlinkhdr_check(cstate); 4932 b0 = gen_ehostop(cstate, eaddr, Q_OR); 4933 if (b1 != NULL) 4934 gen_and(b1, b0); 4935 break; 4936 case DLT_FDDI: 4937 b0 = gen_fhostop(cstate, eaddr, Q_OR); 4938 break; 4939 case DLT_IEEE802: 4940 b0 = gen_thostop(cstate, eaddr, Q_OR); 4941 break; 4942 case DLT_IEEE802_11: 4943 case DLT_PRISM_HEADER: 4944 case DLT_IEEE802_11_RADIO_AVS: 4945 case DLT_IEEE802_11_RADIO: 4946 case DLT_PPI: 4947 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 4948 break; 4949 case DLT_SUNATM: 4950 /* 4951 * This is LLC-multiplexed traffic; if it were 4952 * LANE, cstate->linktype would have been set to 4953 * DLT_EN10MB. 4954 */ 4955 bpf_error(cstate, 4956 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4957 break; 4958 case DLT_IP_OVER_FC: 4959 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 4960 break; 4961 default: 4962 bpf_error(cstate, 4963 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4964 } 4965 b1 = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4966 while (*alist) { 4967 tmp = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, 4968 Q_HOST); 4969 gen_or(b1, tmp); 4970 b1 = tmp; 4971 } 4972 gen_not(b1); 4973 gen_and(b0, b1); 4974 return b1; 4975 } 4976 bpf_error(cstate, "illegal modifier of 'gateway'"); 4977 /* NOTREACHED */ 4978 } 4979 #endif 4980 4981 struct block * 4982 gen_proto_abbrev(compiler_state_t *cstate, int proto) 4983 { 4984 struct block *b0; 4985 struct block *b1; 4986 4987 switch (proto) { 4988 4989 case Q_SCTP: 4990 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4991 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4992 gen_or(b0, b1); 4993 break; 4994 4995 case Q_TCP: 4996 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 4997 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4998 gen_or(b0, b1); 4999 break; 5000 5001 case Q_UDP: 5002 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 5003 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5004 gen_or(b0, b1); 5005 break; 5006 5007 case Q_ICMP: 5008 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5009 break; 5010 5011 #ifndef IPPROTO_IGMP 5012 #define IPPROTO_IGMP 2 5013 #endif 5014 5015 case Q_IGMP: 5016 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5017 break; 5018 5019 #ifndef IPPROTO_IGRP 5020 #define IPPROTO_IGRP 9 5021 #endif 5022 case Q_IGRP: 5023 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5024 break; 5025 5026 #ifndef IPPROTO_PIM 5027 #define IPPROTO_PIM 103 5028 #endif 5029 5030 case Q_PIM: 5031 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5032 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5033 gen_or(b0, b1); 5034 break; 5035 5036 #ifndef IPPROTO_VRRP 5037 #define IPPROTO_VRRP 112 5038 #endif 5039 5040 case Q_VRRP: 5041 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5042 break; 5043 5044 #ifndef IPPROTO_CARP 5045 #define IPPROTO_CARP 112 5046 #endif 5047 5048 case Q_CARP: 5049 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5050 break; 5051 5052 case Q_IP: 5053 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5054 break; 5055 5056 case Q_ARP: 5057 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5058 break; 5059 5060 case Q_RARP: 5061 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5062 break; 5063 5064 case Q_LINK: 5065 bpf_error(cstate, "link layer applied in wrong context"); 5066 5067 case Q_ATALK: 5068 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5069 break; 5070 5071 case Q_AARP: 5072 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5073 break; 5074 5075 case Q_DECNET: 5076 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5077 break; 5078 5079 case Q_SCA: 5080 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5081 break; 5082 5083 case Q_LAT: 5084 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5085 break; 5086 5087 case Q_MOPDL: 5088 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5089 break; 5090 5091 case Q_MOPRC: 5092 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5093 break; 5094 5095 case Q_IPV6: 5096 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5097 break; 5098 5099 #ifndef IPPROTO_ICMPV6 5100 #define IPPROTO_ICMPV6 58 5101 #endif 5102 case Q_ICMPV6: 5103 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5104 break; 5105 5106 #ifndef IPPROTO_AH 5107 #define IPPROTO_AH 51 5108 #endif 5109 case Q_AH: 5110 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5111 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5112 gen_or(b0, b1); 5113 break; 5114 5115 #ifndef IPPROTO_ESP 5116 #define IPPROTO_ESP 50 5117 #endif 5118 case Q_ESP: 5119 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5120 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5121 gen_or(b0, b1); 5122 break; 5123 5124 case Q_ISO: 5125 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5126 break; 5127 5128 case Q_ESIS: 5129 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5130 break; 5131 5132 case Q_ISIS: 5133 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5134 break; 5135 5136 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5137 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5138 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5139 gen_or(b0, b1); 5140 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5141 gen_or(b0, b1); 5142 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5143 gen_or(b0, b1); 5144 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5145 gen_or(b0, b1); 5146 break; 5147 5148 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5149 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5150 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5151 gen_or(b0, b1); 5152 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5153 gen_or(b0, b1); 5154 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5155 gen_or(b0, b1); 5156 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5157 gen_or(b0, b1); 5158 break; 5159 5160 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5161 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5162 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5163 gen_or(b0, b1); 5164 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5165 gen_or(b0, b1); 5166 break; 5167 5168 case Q_ISIS_LSP: 5169 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5170 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5171 gen_or(b0, b1); 5172 break; 5173 5174 case Q_ISIS_SNP: 5175 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5176 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5177 gen_or(b0, b1); 5178 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5179 gen_or(b0, b1); 5180 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5181 gen_or(b0, b1); 5182 break; 5183 5184 case Q_ISIS_CSNP: 5185 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5186 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5187 gen_or(b0, b1); 5188 break; 5189 5190 case Q_ISIS_PSNP: 5191 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5192 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5193 gen_or(b0, b1); 5194 break; 5195 5196 case Q_CLNP: 5197 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5198 break; 5199 5200 case Q_STP: 5201 b1 = gen_linktype(cstate, LLCSAP_8021D); 5202 break; 5203 5204 case Q_IPX: 5205 b1 = gen_linktype(cstate, LLCSAP_IPX); 5206 break; 5207 5208 case Q_NETBEUI: 5209 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5210 break; 5211 5212 case Q_RADIO: 5213 bpf_error(cstate, "'radio' is not a valid protocol type"); 5214 5215 default: 5216 abort(); 5217 } 5218 return b1; 5219 } 5220 5221 static struct block * 5222 gen_ipfrag(compiler_state_t *cstate) 5223 { 5224 struct slist *s; 5225 struct block *b; 5226 5227 /* not IPv4 frag other than the first frag */ 5228 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5229 b = new_block(cstate, JMP(BPF_JSET)); 5230 b->s.k = 0x1fff; 5231 b->stmts = s; 5232 gen_not(b); 5233 5234 return b; 5235 } 5236 5237 /* 5238 * Generate a comparison to a port value in the transport-layer header 5239 * at the specified offset from the beginning of that header. 5240 * 5241 * XXX - this handles a variable-length prefix preceding the link-layer 5242 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5243 * variable-length link-layer headers (such as Token Ring or 802.11 5244 * headers). 5245 */ 5246 static struct block * 5247 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5248 { 5249 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5250 } 5251 5252 static struct block * 5253 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5254 { 5255 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5256 } 5257 5258 struct block * 5259 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5260 { 5261 struct block *b0, *b1, *tmp; 5262 5263 /* ip proto 'proto' and not a fragment other than the first fragment */ 5264 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5265 b0 = gen_ipfrag(cstate); 5266 gen_and(tmp, b0); 5267 5268 switch (dir) { 5269 case Q_SRC: 5270 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5271 break; 5272 5273 case Q_DST: 5274 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5275 break; 5276 5277 case Q_OR: 5278 case Q_DEFAULT: 5279 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5280 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5281 gen_or(tmp, b1); 5282 break; 5283 5284 case Q_AND: 5285 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5286 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5287 gen_and(tmp, b1); 5288 break; 5289 5290 default: 5291 abort(); 5292 } 5293 gen_and(b0, b1); 5294 5295 return b1; 5296 } 5297 5298 static struct block * 5299 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5300 { 5301 struct block *b0, *b1, *tmp; 5302 5303 /* 5304 * ether proto ip 5305 * 5306 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5307 * not LLC encapsulation with LLCSAP_IP. 5308 * 5309 * For IEEE 802 networks - which includes 802.5 token ring 5310 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5311 * says that SNAP encapsulation is used, not LLC encapsulation 5312 * with LLCSAP_IP. 5313 * 5314 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5315 * RFC 2225 say that SNAP encapsulation is used, not LLC 5316 * encapsulation with LLCSAP_IP. 5317 * 5318 * So we always check for ETHERTYPE_IP. 5319 */ 5320 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5321 5322 switch (ip_proto) { 5323 case IPPROTO_UDP: 5324 case IPPROTO_TCP: 5325 case IPPROTO_SCTP: 5326 b1 = gen_portop(cstate, port, ip_proto, dir); 5327 break; 5328 5329 case PROTO_UNDEF: 5330 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5331 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5332 gen_or(tmp, b1); 5333 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5334 gen_or(tmp, b1); 5335 break; 5336 5337 default: 5338 abort(); 5339 } 5340 gen_and(b0, b1); 5341 return b1; 5342 } 5343 5344 struct block * 5345 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5346 { 5347 struct block *b0, *b1, *tmp; 5348 5349 /* ip6 proto 'proto' */ 5350 /* XXX - catch the first fragment of a fragmented packet? */ 5351 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5352 5353 switch (dir) { 5354 case Q_SRC: 5355 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5356 break; 5357 5358 case Q_DST: 5359 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5360 break; 5361 5362 case Q_OR: 5363 case Q_DEFAULT: 5364 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5365 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5366 gen_or(tmp, b1); 5367 break; 5368 5369 case Q_AND: 5370 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5371 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5372 gen_and(tmp, b1); 5373 break; 5374 5375 default: 5376 abort(); 5377 } 5378 gen_and(b0, b1); 5379 5380 return b1; 5381 } 5382 5383 static struct block * 5384 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5385 { 5386 struct block *b0, *b1, *tmp; 5387 5388 /* link proto ip6 */ 5389 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5390 5391 switch (ip_proto) { 5392 case IPPROTO_UDP: 5393 case IPPROTO_TCP: 5394 case IPPROTO_SCTP: 5395 b1 = gen_portop6(cstate, port, ip_proto, dir); 5396 break; 5397 5398 case PROTO_UNDEF: 5399 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5400 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5401 gen_or(tmp, b1); 5402 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5403 gen_or(tmp, b1); 5404 break; 5405 5406 default: 5407 abort(); 5408 } 5409 gen_and(b0, b1); 5410 return b1; 5411 } 5412 5413 /* gen_portrange code */ 5414 static struct block * 5415 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5416 bpf_int32 v2) 5417 { 5418 struct block *b1, *b2; 5419 5420 if (v1 > v2) { 5421 /* 5422 * Reverse the order of the ports, so v1 is the lower one. 5423 */ 5424 bpf_int32 vtemp; 5425 5426 vtemp = v1; 5427 v1 = v2; 5428 v2 = vtemp; 5429 } 5430 5431 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5432 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5433 5434 gen_and(b1, b2); 5435 5436 return b2; 5437 } 5438 5439 struct block * 5440 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5441 int dir) 5442 { 5443 struct block *b0, *b1, *tmp; 5444 5445 /* ip proto 'proto' and not a fragment other than the first fragment */ 5446 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5447 b0 = gen_ipfrag(cstate); 5448 gen_and(tmp, b0); 5449 5450 switch (dir) { 5451 case Q_SRC: 5452 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5453 break; 5454 5455 case Q_DST: 5456 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5457 break; 5458 5459 case Q_OR: 5460 case Q_DEFAULT: 5461 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5462 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5463 gen_or(tmp, b1); 5464 break; 5465 5466 case Q_AND: 5467 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5468 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5469 gen_and(tmp, b1); 5470 break; 5471 5472 default: 5473 abort(); 5474 } 5475 gen_and(b0, b1); 5476 5477 return b1; 5478 } 5479 5480 static struct block * 5481 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5482 int dir) 5483 { 5484 struct block *b0, *b1, *tmp; 5485 5486 /* link proto ip */ 5487 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5488 5489 switch (ip_proto) { 5490 case IPPROTO_UDP: 5491 case IPPROTO_TCP: 5492 case IPPROTO_SCTP: 5493 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5494 break; 5495 5496 case PROTO_UNDEF: 5497 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5498 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5499 gen_or(tmp, b1); 5500 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5501 gen_or(tmp, b1); 5502 break; 5503 5504 default: 5505 abort(); 5506 } 5507 gen_and(b0, b1); 5508 return b1; 5509 } 5510 5511 static struct block * 5512 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5513 bpf_int32 v2) 5514 { 5515 struct block *b1, *b2; 5516 5517 if (v1 > v2) { 5518 /* 5519 * Reverse the order of the ports, so v1 is the lower one. 5520 */ 5521 bpf_int32 vtemp; 5522 5523 vtemp = v1; 5524 v1 = v2; 5525 v2 = vtemp; 5526 } 5527 5528 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5529 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5530 5531 gen_and(b1, b2); 5532 5533 return b2; 5534 } 5535 5536 struct block * 5537 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5538 int dir) 5539 { 5540 struct block *b0, *b1, *tmp; 5541 5542 /* ip6 proto 'proto' */ 5543 /* XXX - catch the first fragment of a fragmented packet? */ 5544 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5545 5546 switch (dir) { 5547 case Q_SRC: 5548 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5549 break; 5550 5551 case Q_DST: 5552 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5553 break; 5554 5555 case Q_OR: 5556 case Q_DEFAULT: 5557 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5558 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5559 gen_or(tmp, b1); 5560 break; 5561 5562 case Q_AND: 5563 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5564 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5565 gen_and(tmp, b1); 5566 break; 5567 5568 default: 5569 abort(); 5570 } 5571 gen_and(b0, b1); 5572 5573 return b1; 5574 } 5575 5576 static struct block * 5577 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5578 int dir) 5579 { 5580 struct block *b0, *b1, *tmp; 5581 5582 /* link proto ip6 */ 5583 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5584 5585 switch (ip_proto) { 5586 case IPPROTO_UDP: 5587 case IPPROTO_TCP: 5588 case IPPROTO_SCTP: 5589 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5590 break; 5591 5592 case PROTO_UNDEF: 5593 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5594 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5595 gen_or(tmp, b1); 5596 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5597 gen_or(tmp, b1); 5598 break; 5599 5600 default: 5601 abort(); 5602 } 5603 gen_and(b0, b1); 5604 return b1; 5605 } 5606 5607 static int 5608 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5609 { 5610 register int v; 5611 5612 switch (proto) { 5613 5614 case Q_DEFAULT: 5615 case Q_IP: 5616 case Q_IPV6: 5617 v = pcap_nametoproto(name); 5618 if (v == PROTO_UNDEF) 5619 bpf_error(cstate, "unknown ip proto '%s'", name); 5620 break; 5621 5622 case Q_LINK: 5623 /* XXX should look up h/w protocol type based on cstate->linktype */ 5624 v = pcap_nametoeproto(name); 5625 if (v == PROTO_UNDEF) { 5626 v = pcap_nametollc(name); 5627 if (v == PROTO_UNDEF) 5628 bpf_error(cstate, "unknown ether proto '%s'", name); 5629 } 5630 break; 5631 5632 case Q_ISO: 5633 if (strcmp(name, "esis") == 0) 5634 v = ISO9542_ESIS; 5635 else if (strcmp(name, "isis") == 0) 5636 v = ISO10589_ISIS; 5637 else if (strcmp(name, "clnp") == 0) 5638 v = ISO8473_CLNP; 5639 else 5640 bpf_error(cstate, "unknown osi proto '%s'", name); 5641 break; 5642 5643 default: 5644 v = PROTO_UNDEF; 5645 break; 5646 } 5647 return v; 5648 } 5649 5650 #if 0 5651 struct stmt * 5652 gen_joinsp(s, n) 5653 struct stmt **s; 5654 int n; 5655 { 5656 return NULL; 5657 } 5658 #endif 5659 5660 static struct block * 5661 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 5662 { 5663 #ifdef NO_PROTOCHAIN 5664 return gen_proto(cstate, v, proto, dir); 5665 #else 5666 struct block *b0, *b; 5667 struct slist *s[100]; 5668 int fix2, fix3, fix4, fix5; 5669 int ahcheck, again, end; 5670 int i, max; 5671 int reg2 = alloc_reg(cstate); 5672 5673 memset(s, 0, sizeof(s)); 5674 fix3 = fix4 = fix5 = 0; 5675 5676 switch (proto) { 5677 case Q_IP: 5678 case Q_IPV6: 5679 break; 5680 case Q_DEFAULT: 5681 b0 = gen_protochain(cstate, v, Q_IP, dir); 5682 b = gen_protochain(cstate, v, Q_IPV6, dir); 5683 gen_or(b0, b); 5684 return b; 5685 default: 5686 bpf_error(cstate, "bad protocol applied for 'protochain'"); 5687 /*NOTREACHED*/ 5688 } 5689 5690 /* 5691 * We don't handle variable-length prefixes before the link-layer 5692 * header, or variable-length link-layer headers, here yet. 5693 * We might want to add BPF instructions to do the protochain 5694 * work, to simplify that and, on platforms that have a BPF 5695 * interpreter with the new instructions, let the filtering 5696 * be done in the kernel. (We already require a modified BPF 5697 * engine to do the protochain stuff, to support backward 5698 * branches, and backward branch support is unlikely to appear 5699 * in kernel BPF engines.) 5700 */ 5701 if (cstate->off_linkpl.is_variable) 5702 bpf_error(cstate, "'protochain' not supported with variable length headers"); 5703 5704 cstate->no_optimize = 1; /*this code is not compatible with optimzer yet */ 5705 5706 /* 5707 * s[0] is a dummy entry to protect other BPF insn from damage 5708 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5709 * hard to find interdependency made by jump table fixup. 5710 */ 5711 i = 0; 5712 s[i] = new_stmt(cstate, 0); /*dummy*/ 5713 i++; 5714 5715 switch (proto) { 5716 case Q_IP: 5717 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5718 5719 /* A = ip->ip_p */ 5720 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5721 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 5722 i++; 5723 /* X = ip->ip_hl << 2 */ 5724 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 5725 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5726 i++; 5727 break; 5728 5729 case Q_IPV6: 5730 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5731 5732 /* A = ip6->ip_nxt */ 5733 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5734 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 5735 i++; 5736 /* X = sizeof(struct ip6_hdr) */ 5737 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 5738 s[i]->s.k = 40; 5739 i++; 5740 break; 5741 5742 default: 5743 bpf_error(cstate, "unsupported proto to gen_protochain"); 5744 /*NOTREACHED*/ 5745 } 5746 5747 /* again: if (A == v) goto end; else fall through; */ 5748 again = i; 5749 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5750 s[i]->s.k = v; 5751 s[i]->s.jt = NULL; /*later*/ 5752 s[i]->s.jf = NULL; /*update in next stmt*/ 5753 fix5 = i; 5754 i++; 5755 5756 #ifndef IPPROTO_NONE 5757 #define IPPROTO_NONE 59 5758 #endif 5759 /* if (A == IPPROTO_NONE) goto end */ 5760 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5761 s[i]->s.jt = NULL; /*later*/ 5762 s[i]->s.jf = NULL; /*update in next stmt*/ 5763 s[i]->s.k = IPPROTO_NONE; 5764 s[fix5]->s.jf = s[i]; 5765 fix2 = i; 5766 i++; 5767 5768 if (proto == Q_IPV6) { 5769 int v6start, v6end, v6advance, j; 5770 5771 v6start = i; 5772 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5773 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5774 s[i]->s.jt = NULL; /*later*/ 5775 s[i]->s.jf = NULL; /*update in next stmt*/ 5776 s[i]->s.k = IPPROTO_HOPOPTS; 5777 s[fix2]->s.jf = s[i]; 5778 i++; 5779 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5780 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5781 s[i]->s.jt = NULL; /*later*/ 5782 s[i]->s.jf = NULL; /*update in next stmt*/ 5783 s[i]->s.k = IPPROTO_DSTOPTS; 5784 i++; 5785 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5786 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5787 s[i]->s.jt = NULL; /*later*/ 5788 s[i]->s.jf = NULL; /*update in next stmt*/ 5789 s[i]->s.k = IPPROTO_ROUTING; 5790 i++; 5791 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5792 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5793 s[i]->s.jt = NULL; /*later*/ 5794 s[i]->s.jf = NULL; /*later*/ 5795 s[i]->s.k = IPPROTO_FRAGMENT; 5796 fix3 = i; 5797 v6end = i; 5798 i++; 5799 5800 /* v6advance: */ 5801 v6advance = i; 5802 5803 /* 5804 * in short, 5805 * A = P[X + packet head]; 5806 * X = X + (P[X + packet head + 1] + 1) * 8; 5807 */ 5808 /* A = P[X + packet head] */ 5809 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5810 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5811 i++; 5812 /* MEM[reg2] = A */ 5813 s[i] = new_stmt(cstate, BPF_ST); 5814 s[i]->s.k = reg2; 5815 i++; 5816 /* A = P[X + packet head + 1]; */ 5817 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5818 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 5819 i++; 5820 /* A += 1 */ 5821 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5822 s[i]->s.k = 1; 5823 i++; 5824 /* A *= 8 */ 5825 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5826 s[i]->s.k = 8; 5827 i++; 5828 /* A += X */ 5829 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 5830 s[i]->s.k = 0; 5831 i++; 5832 /* X = A; */ 5833 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5834 i++; 5835 /* A = MEM[reg2] */ 5836 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5837 s[i]->s.k = reg2; 5838 i++; 5839 5840 /* goto again; (must use BPF_JA for backward jump) */ 5841 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5842 s[i]->s.k = again - i - 1; 5843 s[i - 1]->s.jf = s[i]; 5844 i++; 5845 5846 /* fixup */ 5847 for (j = v6start; j <= v6end; j++) 5848 s[j]->s.jt = s[v6advance]; 5849 } else { 5850 /* nop */ 5851 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5852 s[i]->s.k = 0; 5853 s[fix2]->s.jf = s[i]; 5854 i++; 5855 } 5856 5857 /* ahcheck: */ 5858 ahcheck = i; 5859 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5860 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5861 s[i]->s.jt = NULL; /*later*/ 5862 s[i]->s.jf = NULL; /*later*/ 5863 s[i]->s.k = IPPROTO_AH; 5864 if (fix3) 5865 s[fix3]->s.jf = s[ahcheck]; 5866 fix4 = i; 5867 i++; 5868 5869 /* 5870 * in short, 5871 * A = P[X]; 5872 * X = X + (P[X + 1] + 2) * 4; 5873 */ 5874 /* A = X */ 5875 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5876 i++; 5877 /* A = P[X + packet head]; */ 5878 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5879 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5880 i++; 5881 /* MEM[reg2] = A */ 5882 s[i] = new_stmt(cstate, BPF_ST); 5883 s[i]->s.k = reg2; 5884 i++; 5885 /* A = X */ 5886 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5887 i++; 5888 /* A += 1 */ 5889 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5890 s[i]->s.k = 1; 5891 i++; 5892 /* X = A */ 5893 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5894 i++; 5895 /* A = P[X + packet head] */ 5896 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5897 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5898 i++; 5899 /* A += 2 */ 5900 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5901 s[i]->s.k = 2; 5902 i++; 5903 /* A *= 4 */ 5904 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5905 s[i]->s.k = 4; 5906 i++; 5907 /* X = A; */ 5908 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5909 i++; 5910 /* A = MEM[reg2] */ 5911 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5912 s[i]->s.k = reg2; 5913 i++; 5914 5915 /* goto again; (must use BPF_JA for backward jump) */ 5916 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5917 s[i]->s.k = again - i - 1; 5918 i++; 5919 5920 /* end: nop */ 5921 end = i; 5922 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5923 s[i]->s.k = 0; 5924 s[fix2]->s.jt = s[end]; 5925 s[fix4]->s.jf = s[end]; 5926 s[fix5]->s.jt = s[end]; 5927 i++; 5928 5929 /* 5930 * make slist chain 5931 */ 5932 max = i; 5933 for (i = 0; i < max - 1; i++) 5934 s[i]->next = s[i + 1]; 5935 s[max - 1]->next = NULL; 5936 5937 /* 5938 * emit final check 5939 */ 5940 b = new_block(cstate, JMP(BPF_JEQ)); 5941 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5942 b->s.k = v; 5943 5944 free_reg(cstate, reg2); 5945 5946 gen_and(b0, b); 5947 return b; 5948 #endif 5949 } 5950 5951 static struct block * 5952 gen_check_802_11_data_frame(compiler_state_t *cstate) 5953 { 5954 struct slist *s; 5955 struct block *b0, *b1; 5956 5957 /* 5958 * A data frame has the 0x08 bit (b3) in the frame control field set 5959 * and the 0x04 bit (b2) clear. 5960 */ 5961 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5962 b0 = new_block(cstate, JMP(BPF_JSET)); 5963 b0->s.k = 0x08; 5964 b0->stmts = s; 5965 5966 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5967 b1 = new_block(cstate, JMP(BPF_JSET)); 5968 b1->s.k = 0x04; 5969 b1->stmts = s; 5970 gen_not(b1); 5971 5972 gen_and(b1, b0); 5973 5974 return b0; 5975 } 5976 5977 /* 5978 * Generate code that checks whether the packet is a packet for protocol 5979 * <proto> and whether the type field in that protocol's header has 5980 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5981 * IP packet and checks the protocol number in the IP header against <v>. 5982 * 5983 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5984 * against Q_IP and Q_IPV6. 5985 */ 5986 static struct block * 5987 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 5988 { 5989 struct block *b0, *b1; 5990 #ifndef CHASE_CHAIN 5991 struct block *b2; 5992 #endif 5993 5994 if (dir != Q_DEFAULT) 5995 bpf_error(cstate, "direction applied to 'proto'"); 5996 5997 switch (proto) { 5998 case Q_DEFAULT: 5999 b0 = gen_proto(cstate, v, Q_IP, dir); 6000 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6001 gen_or(b0, b1); 6002 return b1; 6003 6004 case Q_IP: 6005 /* 6006 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6007 * not LLC encapsulation with LLCSAP_IP. 6008 * 6009 * For IEEE 802 networks - which includes 802.5 token ring 6010 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6011 * says that SNAP encapsulation is used, not LLC encapsulation 6012 * with LLCSAP_IP. 6013 * 6014 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6015 * RFC 2225 say that SNAP encapsulation is used, not LLC 6016 * encapsulation with LLCSAP_IP. 6017 * 6018 * So we always check for ETHERTYPE_IP. 6019 */ 6020 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6021 #ifndef CHASE_CHAIN 6022 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6023 #else 6024 b1 = gen_protochain(cstate, v, Q_IP); 6025 #endif 6026 gen_and(b0, b1); 6027 return b1; 6028 6029 case Q_ISO: 6030 switch (cstate->linktype) { 6031 6032 case DLT_FRELAY: 6033 /* 6034 * Frame Relay packets typically have an OSI 6035 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6036 * generates code to check for all the OSI 6037 * NLPIDs, so calling it and then adding a check 6038 * for the particular NLPID for which we're 6039 * looking is bogus, as we can just check for 6040 * the NLPID. 6041 * 6042 * What we check for is the NLPID and a frame 6043 * control field value of UI, i.e. 0x03 followed 6044 * by the NLPID. 6045 * 6046 * XXX - assumes a 2-byte Frame Relay header with 6047 * DLCI and flags. What if the address is longer? 6048 * 6049 * XXX - what about SNAP-encapsulated frames? 6050 */ 6051 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6052 /*NOTREACHED*/ 6053 break; 6054 6055 case DLT_C_HDLC: 6056 /* 6057 * Cisco uses an Ethertype lookalike - for OSI, 6058 * it's 0xfefe. 6059 */ 6060 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6061 /* OSI in C-HDLC is stuffed with a fudge byte */ 6062 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6063 gen_and(b0, b1); 6064 return b1; 6065 6066 default: 6067 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6068 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6069 gen_and(b0, b1); 6070 return b1; 6071 } 6072 6073 case Q_ISIS: 6074 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6075 /* 6076 * 4 is the offset of the PDU type relative to the IS-IS 6077 * header. 6078 */ 6079 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6080 gen_and(b0, b1); 6081 return b1; 6082 6083 case Q_ARP: 6084 bpf_error(cstate, "arp does not encapsulate another protocol"); 6085 /* NOTREACHED */ 6086 6087 case Q_RARP: 6088 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6089 /* NOTREACHED */ 6090 6091 case Q_ATALK: 6092 bpf_error(cstate, "atalk encapsulation is not specifiable"); 6093 /* NOTREACHED */ 6094 6095 case Q_DECNET: 6096 bpf_error(cstate, "decnet encapsulation is not specifiable"); 6097 /* NOTREACHED */ 6098 6099 case Q_SCA: 6100 bpf_error(cstate, "sca does not encapsulate another protocol"); 6101 /* NOTREACHED */ 6102 6103 case Q_LAT: 6104 bpf_error(cstate, "lat does not encapsulate another protocol"); 6105 /* NOTREACHED */ 6106 6107 case Q_MOPRC: 6108 bpf_error(cstate, "moprc does not encapsulate another protocol"); 6109 /* NOTREACHED */ 6110 6111 case Q_MOPDL: 6112 bpf_error(cstate, "mopdl does not encapsulate another protocol"); 6113 /* NOTREACHED */ 6114 6115 case Q_LINK: 6116 return gen_linktype(cstate, v); 6117 6118 case Q_UDP: 6119 bpf_error(cstate, "'udp proto' is bogus"); 6120 /* NOTREACHED */ 6121 6122 case Q_TCP: 6123 bpf_error(cstate, "'tcp proto' is bogus"); 6124 /* NOTREACHED */ 6125 6126 case Q_SCTP: 6127 bpf_error(cstate, "'sctp proto' is bogus"); 6128 /* NOTREACHED */ 6129 6130 case Q_ICMP: 6131 bpf_error(cstate, "'icmp proto' is bogus"); 6132 /* NOTREACHED */ 6133 6134 case Q_IGMP: 6135 bpf_error(cstate, "'igmp proto' is bogus"); 6136 /* NOTREACHED */ 6137 6138 case Q_IGRP: 6139 bpf_error(cstate, "'igrp proto' is bogus"); 6140 /* NOTREACHED */ 6141 6142 case Q_PIM: 6143 bpf_error(cstate, "'pim proto' is bogus"); 6144 /* NOTREACHED */ 6145 6146 case Q_VRRP: 6147 bpf_error(cstate, "'vrrp proto' is bogus"); 6148 /* NOTREACHED */ 6149 6150 case Q_CARP: 6151 bpf_error(cstate, "'carp proto' is bogus"); 6152 /* NOTREACHED */ 6153 6154 case Q_IPV6: 6155 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6156 #ifndef CHASE_CHAIN 6157 /* 6158 * Also check for a fragment header before the final 6159 * header. 6160 */ 6161 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6162 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6163 gen_and(b2, b1); 6164 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6165 gen_or(b2, b1); 6166 #else 6167 b1 = gen_protochain(cstate, v, Q_IPV6); 6168 #endif 6169 gen_and(b0, b1); 6170 return b1; 6171 6172 case Q_ICMPV6: 6173 bpf_error(cstate, "'icmp6 proto' is bogus"); 6174 6175 case Q_AH: 6176 bpf_error(cstate, "'ah proto' is bogus"); 6177 6178 case Q_ESP: 6179 bpf_error(cstate, "'ah proto' is bogus"); 6180 6181 case Q_STP: 6182 bpf_error(cstate, "'stp proto' is bogus"); 6183 6184 case Q_IPX: 6185 bpf_error(cstate, "'ipx proto' is bogus"); 6186 6187 case Q_NETBEUI: 6188 bpf_error(cstate, "'netbeui proto' is bogus"); 6189 6190 case Q_RADIO: 6191 bpf_error(cstate, "'radio proto' is bogus"); 6192 6193 default: 6194 abort(); 6195 /* NOTREACHED */ 6196 } 6197 /* NOTREACHED */ 6198 } 6199 6200 struct block * 6201 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6202 { 6203 int proto = q.proto; 6204 int dir = q.dir; 6205 int tproto; 6206 u_char *eaddr; 6207 bpf_u_int32 mask, addr; 6208 #ifndef INET6 6209 bpf_u_int32 **alist; 6210 #else 6211 int tproto6; 6212 struct sockaddr_in *sin4; 6213 struct sockaddr_in6 *sin6; 6214 struct addrinfo *res, *res0; 6215 struct in6_addr mask128; 6216 #endif /*INET6*/ 6217 struct block *b, *tmp; 6218 int port, real_proto; 6219 int port1, port2; 6220 6221 switch (q.addr) { 6222 6223 case Q_NET: 6224 addr = pcap_nametonetaddr(name); 6225 if (addr == 0) 6226 bpf_error(cstate, "unknown network '%s'", name); 6227 /* Left justify network addr and calculate its network mask */ 6228 mask = 0xffffffff; 6229 while (addr && (addr & 0xff000000) == 0) { 6230 addr <<= 8; 6231 mask <<= 8; 6232 } 6233 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6234 6235 case Q_DEFAULT: 6236 case Q_HOST: 6237 if (proto == Q_LINK) { 6238 switch (cstate->linktype) { 6239 6240 case DLT_EN10MB: 6241 case DLT_NETANALYZER: 6242 case DLT_NETANALYZER_TRANSPARENT: 6243 eaddr = pcap_ether_hostton(name); 6244 if (eaddr == NULL) 6245 bpf_error(cstate, 6246 "unknown ether host '%s'", name); 6247 tmp = gen_prevlinkhdr_check(cstate); 6248 b = gen_ehostop(cstate, eaddr, dir); 6249 if (tmp != NULL) 6250 gen_and(tmp, b); 6251 free(eaddr); 6252 return b; 6253 6254 case DLT_FDDI: 6255 eaddr = pcap_ether_hostton(name); 6256 if (eaddr == NULL) 6257 bpf_error(cstate, 6258 "unknown FDDI host '%s'", name); 6259 b = gen_fhostop(cstate, eaddr, dir); 6260 free(eaddr); 6261 return b; 6262 6263 case DLT_IEEE802: 6264 eaddr = pcap_ether_hostton(name); 6265 if (eaddr == NULL) 6266 bpf_error(cstate, 6267 "unknown token ring host '%s'", name); 6268 b = gen_thostop(cstate, eaddr, dir); 6269 free(eaddr); 6270 return b; 6271 6272 case DLT_IEEE802_11: 6273 case DLT_PRISM_HEADER: 6274 case DLT_IEEE802_11_RADIO_AVS: 6275 case DLT_IEEE802_11_RADIO: 6276 case DLT_PPI: 6277 eaddr = pcap_ether_hostton(name); 6278 if (eaddr == NULL) 6279 bpf_error(cstate, 6280 "unknown 802.11 host '%s'", name); 6281 b = gen_wlanhostop(cstate, eaddr, dir); 6282 free(eaddr); 6283 return b; 6284 6285 case DLT_IP_OVER_FC: 6286 eaddr = pcap_ether_hostton(name); 6287 if (eaddr == NULL) 6288 bpf_error(cstate, 6289 "unknown Fibre Channel host '%s'", name); 6290 b = gen_ipfchostop(cstate, eaddr, dir); 6291 free(eaddr); 6292 return b; 6293 } 6294 6295 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6296 } else if (proto == Q_DECNET) { 6297 unsigned short dn_addr; 6298 6299 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6300 #ifdef DECNETLIB 6301 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6302 #else 6303 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6304 name); 6305 #endif 6306 } 6307 /* 6308 * I don't think DECNET hosts can be multihomed, so 6309 * there is no need to build up a list of addresses 6310 */ 6311 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6312 } else { 6313 #ifndef INET6 6314 alist = pcap_nametoaddr(name); 6315 if (alist == NULL || *alist == NULL) 6316 bpf_error(cstate, "unknown host '%s'", name); 6317 tproto = proto; 6318 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6319 tproto == Q_DEFAULT) 6320 tproto = Q_IP; 6321 b = gen_host(cstate, **alist++, 0xffffffff, tproto, dir, q.addr); 6322 while (*alist) { 6323 tmp = gen_host(cstate, **alist++, 0xffffffff, 6324 tproto, dir, q.addr); 6325 gen_or(b, tmp); 6326 b = tmp; 6327 } 6328 return b; 6329 #else 6330 memset(&mask128, 0xff, sizeof(mask128)); 6331 res0 = res = pcap_nametoaddrinfo(name); 6332 if (res == NULL) 6333 bpf_error(cstate, "unknown host '%s'", name); 6334 cstate->ai = res; 6335 b = tmp = NULL; 6336 tproto = tproto6 = proto; 6337 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6338 tproto == Q_DEFAULT) { 6339 tproto = Q_IP; 6340 tproto6 = Q_IPV6; 6341 } 6342 for (res = res0; res; res = res->ai_next) { 6343 switch (res->ai_family) { 6344 case AF_INET: 6345 if (tproto == Q_IPV6) 6346 continue; 6347 6348 sin4 = (struct sockaddr_in *) 6349 res->ai_addr; 6350 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6351 0xffffffff, tproto, dir, q.addr); 6352 break; 6353 case AF_INET6: 6354 if (tproto6 == Q_IP) 6355 continue; 6356 6357 sin6 = (struct sockaddr_in6 *) 6358 res->ai_addr; 6359 tmp = gen_host6(cstate, &sin6->sin6_addr, 6360 &mask128, tproto6, dir, q.addr); 6361 break; 6362 default: 6363 continue; 6364 } 6365 if (b) 6366 gen_or(b, tmp); 6367 b = tmp; 6368 } 6369 cstate->ai = NULL; 6370 freeaddrinfo(res0); 6371 if (b == NULL) { 6372 bpf_error(cstate, "unknown host '%s'%s", name, 6373 (proto == Q_DEFAULT) 6374 ? "" 6375 : " for specified address family"); 6376 } 6377 return b; 6378 #endif /*INET6*/ 6379 } 6380 6381 case Q_PORT: 6382 if (proto != Q_DEFAULT && 6383 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6384 bpf_error(cstate, "illegal qualifier of 'port'"); 6385 if (pcap_nametoport(name, &port, &real_proto) == 0) 6386 bpf_error(cstate, "unknown port '%s'", name); 6387 if (proto == Q_UDP) { 6388 if (real_proto == IPPROTO_TCP) 6389 bpf_error(cstate, "port '%s' is tcp", name); 6390 else if (real_proto == IPPROTO_SCTP) 6391 bpf_error(cstate, "port '%s' is sctp", name); 6392 else 6393 /* override PROTO_UNDEF */ 6394 real_proto = IPPROTO_UDP; 6395 } 6396 if (proto == Q_TCP) { 6397 if (real_proto == IPPROTO_UDP) 6398 bpf_error(cstate, "port '%s' is udp", name); 6399 6400 else if (real_proto == IPPROTO_SCTP) 6401 bpf_error(cstate, "port '%s' is sctp", name); 6402 else 6403 /* override PROTO_UNDEF */ 6404 real_proto = IPPROTO_TCP; 6405 } 6406 if (proto == Q_SCTP) { 6407 if (real_proto == IPPROTO_UDP) 6408 bpf_error(cstate, "port '%s' is udp", name); 6409 6410 else if (real_proto == IPPROTO_TCP) 6411 bpf_error(cstate, "port '%s' is tcp", name); 6412 else 6413 /* override PROTO_UNDEF */ 6414 real_proto = IPPROTO_SCTP; 6415 } 6416 if (port < 0) 6417 bpf_error(cstate, "illegal port number %d < 0", port); 6418 if (port > 65535) 6419 bpf_error(cstate, "illegal port number %d > 65535", port); 6420 b = gen_port(cstate, port, real_proto, dir); 6421 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6422 return b; 6423 6424 case Q_PORTRANGE: 6425 if (proto != Q_DEFAULT && 6426 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6427 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6428 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6429 bpf_error(cstate, "unknown port in range '%s'", name); 6430 if (proto == Q_UDP) { 6431 if (real_proto == IPPROTO_TCP) 6432 bpf_error(cstate, "port in range '%s' is tcp", name); 6433 else if (real_proto == IPPROTO_SCTP) 6434 bpf_error(cstate, "port in range '%s' is sctp", name); 6435 else 6436 /* override PROTO_UNDEF */ 6437 real_proto = IPPROTO_UDP; 6438 } 6439 if (proto == Q_TCP) { 6440 if (real_proto == IPPROTO_UDP) 6441 bpf_error(cstate, "port in range '%s' is udp", name); 6442 else if (real_proto == IPPROTO_SCTP) 6443 bpf_error(cstate, "port in range '%s' is sctp", name); 6444 else 6445 /* override PROTO_UNDEF */ 6446 real_proto = IPPROTO_TCP; 6447 } 6448 if (proto == Q_SCTP) { 6449 if (real_proto == IPPROTO_UDP) 6450 bpf_error(cstate, "port in range '%s' is udp", name); 6451 else if (real_proto == IPPROTO_TCP) 6452 bpf_error(cstate, "port in range '%s' is tcp", name); 6453 else 6454 /* override PROTO_UNDEF */ 6455 real_proto = IPPROTO_SCTP; 6456 } 6457 if (port1 < 0) 6458 bpf_error(cstate, "illegal port number %d < 0", port1); 6459 if (port1 > 65535) 6460 bpf_error(cstate, "illegal port number %d > 65535", port1); 6461 if (port2 < 0) 6462 bpf_error(cstate, "illegal port number %d < 0", port2); 6463 if (port2 > 65535) 6464 bpf_error(cstate, "illegal port number %d > 65535", port2); 6465 6466 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6467 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6468 return b; 6469 6470 case Q_GATEWAY: 6471 #ifndef INET6 6472 eaddr = pcap_ether_hostton(name); 6473 if (eaddr == NULL) 6474 bpf_error(cstate, "unknown ether host: %s", name); 6475 6476 alist = pcap_nametoaddr(name); 6477 if (alist == NULL || *alist == NULL) 6478 bpf_error(cstate, "unknown host '%s'", name); 6479 b = gen_gateway(eaddr, alist, proto, dir); 6480 free(eaddr); 6481 return b; 6482 #else 6483 bpf_error(cstate, "'gateway' not supported in this configuration"); 6484 #endif /*INET6*/ 6485 6486 case Q_PROTO: 6487 real_proto = lookup_proto(cstate, name, proto); 6488 if (real_proto >= 0) 6489 return gen_proto(cstate, real_proto, proto, dir); 6490 else 6491 bpf_error(cstate, "unknown protocol: %s", name); 6492 6493 case Q_PROTOCHAIN: 6494 real_proto = lookup_proto(cstate, name, proto); 6495 if (real_proto >= 0) 6496 return gen_protochain(cstate, real_proto, proto, dir); 6497 else 6498 bpf_error(cstate, "unknown protocol: %s", name); 6499 6500 case Q_UNDEF: 6501 syntax(cstate); 6502 /* NOTREACHED */ 6503 } 6504 abort(); 6505 /* NOTREACHED */ 6506 } 6507 6508 struct block * 6509 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6510 unsigned int masklen, struct qual q) 6511 { 6512 register int nlen, mlen; 6513 bpf_u_int32 n, m; 6514 6515 nlen = __pcap_atoin(s1, &n); 6516 /* Promote short ipaddr */ 6517 n <<= 32 - nlen; 6518 6519 if (s2 != NULL) { 6520 mlen = __pcap_atoin(s2, &m); 6521 /* Promote short ipaddr */ 6522 m <<= 32 - mlen; 6523 if ((n & ~m) != 0) 6524 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6525 s1, s2); 6526 } else { 6527 /* Convert mask len to mask */ 6528 if (masklen > 32) 6529 bpf_error(cstate, "mask length must be <= 32"); 6530 if (masklen == 0) { 6531 /* 6532 * X << 32 is not guaranteed by C to be 0; it's 6533 * undefined. 6534 */ 6535 m = 0; 6536 } else 6537 m = 0xffffffff << (32 - masklen); 6538 if ((n & ~m) != 0) 6539 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6540 s1, masklen); 6541 } 6542 6543 switch (q.addr) { 6544 6545 case Q_NET: 6546 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6547 6548 default: 6549 bpf_error(cstate, "Mask syntax for networks only"); 6550 /* NOTREACHED */ 6551 } 6552 /* NOTREACHED */ 6553 return NULL; 6554 } 6555 6556 struct block * 6557 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 6558 { 6559 bpf_u_int32 mask; 6560 int proto = q.proto; 6561 int dir = q.dir; 6562 register int vlen; 6563 6564 if (s == NULL) 6565 vlen = 32; 6566 else if (q.proto == Q_DECNET) { 6567 vlen = __pcap_atodn(s, &v); 6568 if (vlen == 0) 6569 bpf_error(cstate, "malformed decnet address '%s'", s); 6570 } else 6571 vlen = __pcap_atoin(s, &v); 6572 6573 switch (q.addr) { 6574 6575 case Q_DEFAULT: 6576 case Q_HOST: 6577 case Q_NET: 6578 if (proto == Q_DECNET) 6579 return gen_host(cstate, v, 0, proto, dir, q.addr); 6580 else if (proto == Q_LINK) { 6581 bpf_error(cstate, "illegal link layer address"); 6582 } else { 6583 mask = 0xffffffff; 6584 if (s == NULL && q.addr == Q_NET) { 6585 /* Promote short net number */ 6586 while (v && (v & 0xff000000) == 0) { 6587 v <<= 8; 6588 mask <<= 8; 6589 } 6590 } else { 6591 /* Promote short ipaddr */ 6592 v <<= 32 - vlen; 6593 mask <<= 32 - vlen ; 6594 } 6595 return gen_host(cstate, v, mask, proto, dir, q.addr); 6596 } 6597 6598 case Q_PORT: 6599 if (proto == Q_UDP) 6600 proto = IPPROTO_UDP; 6601 else if (proto == Q_TCP) 6602 proto = IPPROTO_TCP; 6603 else if (proto == Q_SCTP) 6604 proto = IPPROTO_SCTP; 6605 else if (proto == Q_DEFAULT) 6606 proto = PROTO_UNDEF; 6607 else 6608 bpf_error(cstate, "illegal qualifier of 'port'"); 6609 6610 if (v > 65535) 6611 bpf_error(cstate, "illegal port number %u > 65535", v); 6612 6613 { 6614 struct block *b; 6615 b = gen_port(cstate, (int)v, proto, dir); 6616 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 6617 return b; 6618 } 6619 6620 case Q_PORTRANGE: 6621 if (proto == Q_UDP) 6622 proto = IPPROTO_UDP; 6623 else if (proto == Q_TCP) 6624 proto = IPPROTO_TCP; 6625 else if (proto == Q_SCTP) 6626 proto = IPPROTO_SCTP; 6627 else if (proto == Q_DEFAULT) 6628 proto = PROTO_UNDEF; 6629 else 6630 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6631 6632 if (v > 65535) 6633 bpf_error(cstate, "illegal port number %u > 65535", v); 6634 6635 { 6636 struct block *b; 6637 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 6638 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 6639 return b; 6640 } 6641 6642 case Q_GATEWAY: 6643 bpf_error(cstate, "'gateway' requires a name"); 6644 /* NOTREACHED */ 6645 6646 case Q_PROTO: 6647 return gen_proto(cstate, (int)v, proto, dir); 6648 6649 case Q_PROTOCHAIN: 6650 return gen_protochain(cstate, (int)v, proto, dir); 6651 6652 case Q_UNDEF: 6653 syntax(cstate); 6654 /* NOTREACHED */ 6655 6656 default: 6657 abort(); 6658 /* NOTREACHED */ 6659 } 6660 /* NOTREACHED */ 6661 } 6662 6663 #ifdef INET6 6664 struct block * 6665 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 6666 unsigned int masklen, struct qual q) 6667 { 6668 struct addrinfo *res; 6669 struct in6_addr *addr; 6670 struct in6_addr mask; 6671 struct block *b; 6672 u_int32_t *a, *m; 6673 6674 if (s2) 6675 bpf_error(cstate, "no mask %s supported", s2); 6676 6677 res = pcap_nametoaddrinfo(s1); 6678 if (!res) 6679 bpf_error(cstate, "invalid ip6 address %s", s1); 6680 cstate->ai = res; 6681 if (res->ai_next) 6682 bpf_error(cstate, "%s resolved to multiple address", s1); 6683 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6684 6685 if (sizeof(mask) * 8 < masklen) 6686 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6687 memset(&mask, 0, sizeof(mask)); 6688 memset(&mask, 0xff, masklen / 8); 6689 if (masklen % 8) { 6690 mask.s6_addr[masklen / 8] = 6691 (0xff << (8 - masklen % 8)) & 0xff; 6692 } 6693 6694 a = (u_int32_t *)addr; 6695 m = (u_int32_t *)&mask; 6696 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6697 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6698 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 6699 } 6700 6701 switch (q.addr) { 6702 6703 case Q_DEFAULT: 6704 case Q_HOST: 6705 if (masklen != 128) 6706 bpf_error(cstate, "Mask syntax for networks only"); 6707 /* FALLTHROUGH */ 6708 6709 case Q_NET: 6710 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 6711 cstate->ai = NULL; 6712 freeaddrinfo(res); 6713 return b; 6714 6715 default: 6716 bpf_error(cstate, "invalid qualifier against IPv6 address"); 6717 /* NOTREACHED */ 6718 } 6719 return NULL; 6720 } 6721 #endif /*INET6*/ 6722 6723 struct block * 6724 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 6725 { 6726 struct block *b, *tmp; 6727 6728 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6729 switch (cstate->linktype) { 6730 case DLT_EN10MB: 6731 case DLT_NETANALYZER: 6732 case DLT_NETANALYZER_TRANSPARENT: 6733 tmp = gen_prevlinkhdr_check(cstate); 6734 b = gen_ehostop(cstate, eaddr, (int)q.dir); 6735 if (tmp != NULL) 6736 gen_and(tmp, b); 6737 return b; 6738 case DLT_FDDI: 6739 return gen_fhostop(cstate, eaddr, (int)q.dir); 6740 case DLT_IEEE802: 6741 return gen_thostop(cstate, eaddr, (int)q.dir); 6742 case DLT_IEEE802_11: 6743 case DLT_PRISM_HEADER: 6744 case DLT_IEEE802_11_RADIO_AVS: 6745 case DLT_IEEE802_11_RADIO: 6746 case DLT_PPI: 6747 return gen_wlanhostop(cstate, eaddr, (int)q.dir); 6748 case DLT_IP_OVER_FC: 6749 return gen_ipfchostop(cstate, eaddr, (int)q.dir); 6750 default: 6751 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6752 break; 6753 } 6754 } 6755 bpf_error(cstate, "ethernet address used in non-ether expression"); 6756 /* NOTREACHED */ 6757 return NULL; 6758 } 6759 6760 void 6761 sappend(s0, s1) 6762 struct slist *s0, *s1; 6763 { 6764 /* 6765 * This is definitely not the best way to do this, but the 6766 * lists will rarely get long. 6767 */ 6768 while (s0->next) 6769 s0 = s0->next; 6770 s0->next = s1; 6771 } 6772 6773 static struct slist * 6774 xfer_to_x(compiler_state_t *cstate, struct arth *a) 6775 { 6776 struct slist *s; 6777 6778 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 6779 s->s.k = a->regno; 6780 return s; 6781 } 6782 6783 static struct slist * 6784 xfer_to_a(compiler_state_t *cstate, struct arth *a) 6785 { 6786 struct slist *s; 6787 6788 s = new_stmt(cstate, BPF_LD|BPF_MEM); 6789 s->s.k = a->regno; 6790 return s; 6791 } 6792 6793 /* 6794 * Modify "index" to use the value stored into its register as an 6795 * offset relative to the beginning of the header for the protocol 6796 * "proto", and allocate a register and put an item "size" bytes long 6797 * (1, 2, or 4) at that offset into that register, making it the register 6798 * for "index". 6799 */ 6800 struct arth * 6801 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 6802 { 6803 struct slist *s, *tmp; 6804 struct block *b; 6805 int regno = alloc_reg(cstate); 6806 6807 free_reg(cstate, inst->regno); 6808 switch (size) { 6809 6810 default: 6811 bpf_error(cstate, "data size must be 1, 2, or 4"); 6812 6813 case 1: 6814 size = BPF_B; 6815 break; 6816 6817 case 2: 6818 size = BPF_H; 6819 break; 6820 6821 case 4: 6822 size = BPF_W; 6823 break; 6824 } 6825 switch (proto) { 6826 default: 6827 bpf_error(cstate, "unsupported index operation"); 6828 6829 case Q_RADIO: 6830 /* 6831 * The offset is relative to the beginning of the packet 6832 * data, if we have a radio header. (If we don't, this 6833 * is an error.) 6834 */ 6835 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 6836 cstate->linktype != DLT_IEEE802_11_RADIO && 6837 cstate->linktype != DLT_PRISM_HEADER) 6838 bpf_error(cstate, "radio information not present in capture"); 6839 6840 /* 6841 * Load into the X register the offset computed into the 6842 * register specified by "index". 6843 */ 6844 s = xfer_to_x(cstate, inst); 6845 6846 /* 6847 * Load the item at that offset. 6848 */ 6849 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6850 sappend(s, tmp); 6851 sappend(inst->s, s); 6852 break; 6853 6854 case Q_LINK: 6855 /* 6856 * The offset is relative to the beginning of 6857 * the link-layer header. 6858 * 6859 * XXX - what about ATM LANE? Should the index be 6860 * relative to the beginning of the AAL5 frame, so 6861 * that 0 refers to the beginning of the LE Control 6862 * field, or relative to the beginning of the LAN 6863 * frame, so that 0 refers, for Ethernet LANE, to 6864 * the beginning of the destination address? 6865 */ 6866 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 6867 6868 /* 6869 * If "s" is non-null, it has code to arrange that the 6870 * X register contains the length of the prefix preceding 6871 * the link-layer header. Add to it the offset computed 6872 * into the register specified by "index", and move that 6873 * into the X register. Otherwise, just load into the X 6874 * register the offset computed into the register specified 6875 * by "index". 6876 */ 6877 if (s != NULL) { 6878 sappend(s, xfer_to_a(cstate, inst)); 6879 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6880 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6881 } else 6882 s = xfer_to_x(cstate, inst); 6883 6884 /* 6885 * Load the item at the sum of the offset we've put in the 6886 * X register and the offset of the start of the link 6887 * layer header (which is 0 if the radio header is 6888 * variable-length; that header length is what we put 6889 * into the X register and then added to the index). 6890 */ 6891 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6892 tmp->s.k = cstate->off_linkhdr.constant_part; 6893 sappend(s, tmp); 6894 sappend(inst->s, s); 6895 break; 6896 6897 case Q_IP: 6898 case Q_ARP: 6899 case Q_RARP: 6900 case Q_ATALK: 6901 case Q_DECNET: 6902 case Q_SCA: 6903 case Q_LAT: 6904 case Q_MOPRC: 6905 case Q_MOPDL: 6906 case Q_IPV6: 6907 /* 6908 * The offset is relative to the beginning of 6909 * the network-layer header. 6910 * XXX - are there any cases where we want 6911 * cstate->off_nl_nosnap? 6912 */ 6913 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 6914 6915 /* 6916 * If "s" is non-null, it has code to arrange that the 6917 * X register contains the variable part of the offset 6918 * of the link-layer payload. Add to it the offset 6919 * computed into the register specified by "index", 6920 * and move that into the X register. Otherwise, just 6921 * load into the X register the offset computed into 6922 * the register specified by "index". 6923 */ 6924 if (s != NULL) { 6925 sappend(s, xfer_to_a(cstate, inst)); 6926 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6927 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6928 } else 6929 s = xfer_to_x(cstate, inst); 6930 6931 /* 6932 * Load the item at the sum of the offset we've put in the 6933 * X register, the offset of the start of the network 6934 * layer header from the beginning of the link-layer 6935 * payload, and the constant part of the offset of the 6936 * start of the link-layer payload. 6937 */ 6938 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6939 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6940 sappend(s, tmp); 6941 sappend(inst->s, s); 6942 6943 /* 6944 * Do the computation only if the packet contains 6945 * the protocol in question. 6946 */ 6947 b = gen_proto_abbrev(cstate, proto); 6948 if (inst->b) 6949 gen_and(inst->b, b); 6950 inst->b = b; 6951 break; 6952 6953 case Q_SCTP: 6954 case Q_TCP: 6955 case Q_UDP: 6956 case Q_ICMP: 6957 case Q_IGMP: 6958 case Q_IGRP: 6959 case Q_PIM: 6960 case Q_VRRP: 6961 case Q_CARP: 6962 /* 6963 * The offset is relative to the beginning of 6964 * the transport-layer header. 6965 * 6966 * Load the X register with the length of the IPv4 header 6967 * (plus the offset of the link-layer header, if it's 6968 * a variable-length header), in bytes. 6969 * 6970 * XXX - are there any cases where we want 6971 * cstate->off_nl_nosnap? 6972 * XXX - we should, if we're built with 6973 * IPv6 support, generate code to load either 6974 * IPv4, IPv6, or both, as appropriate. 6975 */ 6976 s = gen_loadx_iphdrlen(cstate); 6977 6978 /* 6979 * The X register now contains the sum of the variable 6980 * part of the offset of the link-layer payload and the 6981 * length of the network-layer header. 6982 * 6983 * Load into the A register the offset relative to 6984 * the beginning of the transport layer header, 6985 * add the X register to that, move that to the 6986 * X register, and load with an offset from the 6987 * X register equal to the sum of the constant part of 6988 * the offset of the link-layer payload and the offset, 6989 * relative to the beginning of the link-layer payload, 6990 * of the network-layer header. 6991 */ 6992 sappend(s, xfer_to_a(cstate, inst)); 6993 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6994 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6995 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 6996 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6997 sappend(inst->s, s); 6998 6999 /* 7000 * Do the computation only if the packet contains 7001 * the protocol in question - which is true only 7002 * if this is an IP datagram and is the first or 7003 * only fragment of that datagram. 7004 */ 7005 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate)); 7006 if (inst->b) 7007 gen_and(inst->b, b); 7008 gen_and(gen_proto_abbrev(cstate, Q_IP), b); 7009 inst->b = b; 7010 break; 7011 case Q_ICMPV6: 7012 bpf_error(cstate, "IPv6 upper-layer protocol is not supported by proto[x]"); 7013 /*NOTREACHED*/ 7014 } 7015 inst->regno = regno; 7016 s = new_stmt(cstate, BPF_ST); 7017 s->s.k = regno; 7018 sappend(inst->s, s); 7019 7020 return inst; 7021 } 7022 7023 struct block * 7024 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7025 struct arth *a1, int reversed) 7026 { 7027 struct slist *s0, *s1, *s2; 7028 struct block *b, *tmp; 7029 7030 s0 = xfer_to_x(cstate, a1); 7031 s1 = xfer_to_a(cstate, a0); 7032 if (code == BPF_JEQ) { 7033 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7034 b = new_block(cstate, JMP(code)); 7035 sappend(s1, s2); 7036 } 7037 else 7038 b = new_block(cstate, BPF_JMP|code|BPF_X); 7039 if (reversed) 7040 gen_not(b); 7041 7042 sappend(s0, s1); 7043 sappend(a1->s, s0); 7044 sappend(a0->s, a1->s); 7045 7046 b->stmts = a0->s; 7047 7048 free_reg(cstate, a0->regno); 7049 free_reg(cstate, a1->regno); 7050 7051 /* 'and' together protocol checks */ 7052 if (a0->b) { 7053 if (a1->b) { 7054 gen_and(a0->b, tmp = a1->b); 7055 } 7056 else 7057 tmp = a0->b; 7058 } else 7059 tmp = a1->b; 7060 7061 if (tmp) 7062 gen_and(tmp, b); 7063 7064 return b; 7065 } 7066 7067 struct arth * 7068 gen_loadlen(compiler_state_t *cstate) 7069 { 7070 int regno = alloc_reg(cstate); 7071 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a)); 7072 struct slist *s; 7073 7074 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7075 s->next = new_stmt(cstate, BPF_ST); 7076 s->next->s.k = regno; 7077 a->s = s; 7078 a->regno = regno; 7079 7080 return a; 7081 } 7082 7083 struct arth * 7084 gen_loadi(compiler_state_t *cstate, int val) 7085 { 7086 struct arth *a; 7087 struct slist *s; 7088 int reg; 7089 7090 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7091 7092 reg = alloc_reg(cstate); 7093 7094 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7095 s->s.k = val; 7096 s->next = new_stmt(cstate, BPF_ST); 7097 s->next->s.k = reg; 7098 a->s = s; 7099 a->regno = reg; 7100 7101 return a; 7102 } 7103 7104 struct arth * 7105 gen_neg(compiler_state_t *cstate, struct arth *a) 7106 { 7107 struct slist *s; 7108 7109 s = xfer_to_a(cstate, a); 7110 sappend(a->s, s); 7111 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7112 s->s.k = 0; 7113 sappend(a->s, s); 7114 s = new_stmt(cstate, BPF_ST); 7115 s->s.k = a->regno; 7116 sappend(a->s, s); 7117 7118 return a; 7119 } 7120 7121 struct arth * 7122 gen_arth(compiler_state_t *cstate, int code, struct arth *a0, 7123 struct arth *a1) 7124 { 7125 struct slist *s0, *s1, *s2; 7126 7127 /* 7128 * Disallow division by, or modulus by, zero; we do this here 7129 * so that it gets done even if the optimizer is disabled. 7130 */ 7131 if (code == BPF_DIV) { 7132 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7133 bpf_error(cstate, "division by zero"); 7134 } else if (code == BPF_MOD) { 7135 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7136 bpf_error(cstate, "modulus by zero"); 7137 } 7138 s0 = xfer_to_x(cstate, a1); 7139 s1 = xfer_to_a(cstate, a0); 7140 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7141 7142 sappend(s1, s2); 7143 sappend(s0, s1); 7144 sappend(a1->s, s0); 7145 sappend(a0->s, a1->s); 7146 7147 free_reg(cstate, a0->regno); 7148 free_reg(cstate, a1->regno); 7149 7150 s0 = new_stmt(cstate, BPF_ST); 7151 a0->regno = s0->s.k = alloc_reg(cstate); 7152 sappend(a0->s, s0); 7153 7154 return a0; 7155 } 7156 7157 /* 7158 * Initialize the table of used registers and the current register. 7159 */ 7160 static void 7161 init_regs(compiler_state_t *cstate) 7162 { 7163 cstate->curreg = 0; 7164 memset(cstate->regused, 0, sizeof cstate->regused); 7165 } 7166 7167 /* 7168 * Return the next free register. 7169 */ 7170 static int 7171 alloc_reg(compiler_state_t *cstate) 7172 { 7173 int n = BPF_MEMWORDS; 7174 7175 while (--n >= 0) { 7176 if (cstate->regused[cstate->curreg]) 7177 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7178 else { 7179 cstate->regused[cstate->curreg] = 1; 7180 return cstate->curreg; 7181 } 7182 } 7183 bpf_error(cstate, "too many registers needed to evaluate expression"); 7184 /* NOTREACHED */ 7185 return 0; 7186 } 7187 7188 /* 7189 * Return a register to the table so it can 7190 * be used later. 7191 */ 7192 static void 7193 free_reg(compiler_state_t *cstate, int n) 7194 { 7195 cstate->regused[n] = 0; 7196 } 7197 7198 static struct block * 7199 gen_len(compiler_state_t *cstate, int jmp, int n) 7200 { 7201 struct slist *s; 7202 struct block *b; 7203 7204 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7205 b = new_block(cstate, JMP(jmp)); 7206 b->stmts = s; 7207 b->s.k = n; 7208 7209 return b; 7210 } 7211 7212 struct block * 7213 gen_greater(compiler_state_t *cstate, int n) 7214 { 7215 return gen_len(cstate, BPF_JGE, n); 7216 } 7217 7218 /* 7219 * Actually, this is less than or equal. 7220 */ 7221 struct block * 7222 gen_less(compiler_state_t *cstate, int n) 7223 { 7224 struct block *b; 7225 7226 b = gen_len(cstate, BPF_JGT, n); 7227 gen_not(b); 7228 7229 return b; 7230 } 7231 7232 /* 7233 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7234 * the beginning of the link-layer header. 7235 * XXX - that means you can't test values in the radiotap header, but 7236 * as that header is difficult if not impossible to parse generally 7237 * without a loop, that might not be a severe problem. A new keyword 7238 * "radio" could be added for that, although what you'd really want 7239 * would be a way of testing particular radio header values, which 7240 * would generate code appropriate to the radio header in question. 7241 */ 7242 struct block * 7243 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7244 { 7245 struct block *b; 7246 struct slist *s; 7247 7248 switch (op) { 7249 default: 7250 abort(); 7251 7252 case '=': 7253 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7254 7255 case '<': 7256 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7257 return b; 7258 7259 case '>': 7260 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7261 return b; 7262 7263 case '|': 7264 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7265 break; 7266 7267 case '&': 7268 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7269 break; 7270 } 7271 s->s.k = val; 7272 b = new_block(cstate, JMP(BPF_JEQ)); 7273 b->stmts = s; 7274 gen_not(b); 7275 7276 return b; 7277 } 7278 7279 static const u_char abroadcast[] = { 0x0 }; 7280 7281 struct block * 7282 gen_broadcast(compiler_state_t *cstate, int proto) 7283 { 7284 bpf_u_int32 hostmask; 7285 struct block *b0, *b1, *b2; 7286 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7287 7288 switch (proto) { 7289 7290 case Q_DEFAULT: 7291 case Q_LINK: 7292 switch (cstate->linktype) { 7293 case DLT_ARCNET: 7294 case DLT_ARCNET_LINUX: 7295 return gen_ahostop(cstate, abroadcast, Q_DST); 7296 case DLT_EN10MB: 7297 case DLT_NETANALYZER: 7298 case DLT_NETANALYZER_TRANSPARENT: 7299 b1 = gen_prevlinkhdr_check(cstate); 7300 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7301 if (b1 != NULL) 7302 gen_and(b1, b0); 7303 return b0; 7304 case DLT_FDDI: 7305 return gen_fhostop(cstate, ebroadcast, Q_DST); 7306 case DLT_IEEE802: 7307 return gen_thostop(cstate, ebroadcast, Q_DST); 7308 case DLT_IEEE802_11: 7309 case DLT_PRISM_HEADER: 7310 case DLT_IEEE802_11_RADIO_AVS: 7311 case DLT_IEEE802_11_RADIO: 7312 case DLT_PPI: 7313 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7314 case DLT_IP_OVER_FC: 7315 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7316 default: 7317 bpf_error(cstate, "not a broadcast link"); 7318 } 7319 break; 7320 7321 case Q_IP: 7322 /* 7323 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7324 * as an indication that we don't know the netmask, and fail 7325 * in that case. 7326 */ 7327 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7328 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7329 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7330 hostmask = ~cstate->netmask; 7331 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7332 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7333 (bpf_int32)(~0 & hostmask), hostmask); 7334 gen_or(b1, b2); 7335 gen_and(b0, b2); 7336 return b2; 7337 } 7338 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7339 /* NOTREACHED */ 7340 return NULL; 7341 } 7342 7343 /* 7344 * Generate code to test the low-order bit of a MAC address (that's 7345 * the bottom bit of the *first* byte). 7346 */ 7347 static struct block * 7348 gen_mac_multicast(compiler_state_t *cstate, int offset) 7349 { 7350 register struct block *b0; 7351 register struct slist *s; 7352 7353 /* link[offset] & 1 != 0 */ 7354 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7355 b0 = new_block(cstate, JMP(BPF_JSET)); 7356 b0->s.k = 1; 7357 b0->stmts = s; 7358 return b0; 7359 } 7360 7361 struct block * 7362 gen_multicast(compiler_state_t *cstate, int proto) 7363 { 7364 register struct block *b0, *b1, *b2; 7365 register struct slist *s; 7366 7367 switch (proto) { 7368 7369 case Q_DEFAULT: 7370 case Q_LINK: 7371 switch (cstate->linktype) { 7372 case DLT_ARCNET: 7373 case DLT_ARCNET_LINUX: 7374 /* all ARCnet multicasts use the same address */ 7375 return gen_ahostop(cstate, abroadcast, Q_DST); 7376 case DLT_EN10MB: 7377 case DLT_NETANALYZER: 7378 case DLT_NETANALYZER_TRANSPARENT: 7379 b1 = gen_prevlinkhdr_check(cstate); 7380 /* ether[0] & 1 != 0 */ 7381 b0 = gen_mac_multicast(cstate, 0); 7382 if (b1 != NULL) 7383 gen_and(b1, b0); 7384 return b0; 7385 case DLT_FDDI: 7386 /* 7387 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7388 * 7389 * XXX - was that referring to bit-order issues? 7390 */ 7391 /* fddi[1] & 1 != 0 */ 7392 return gen_mac_multicast(cstate, 1); 7393 case DLT_IEEE802: 7394 /* tr[2] & 1 != 0 */ 7395 return gen_mac_multicast(cstate, 2); 7396 case DLT_IEEE802_11: 7397 case DLT_PRISM_HEADER: 7398 case DLT_IEEE802_11_RADIO_AVS: 7399 case DLT_IEEE802_11_RADIO: 7400 case DLT_PPI: 7401 /* 7402 * Oh, yuk. 7403 * 7404 * For control frames, there is no DA. 7405 * 7406 * For management frames, DA is at an 7407 * offset of 4 from the beginning of 7408 * the packet. 7409 * 7410 * For data frames, DA is at an offset 7411 * of 4 from the beginning of the packet 7412 * if To DS is clear and at an offset of 7413 * 16 from the beginning of the packet 7414 * if To DS is set. 7415 */ 7416 7417 /* 7418 * Generate the tests to be done for data frames. 7419 * 7420 * First, check for To DS set, i.e. "link[1] & 0x01". 7421 */ 7422 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7423 b1 = new_block(cstate, JMP(BPF_JSET)); 7424 b1->s.k = 0x01; /* To DS */ 7425 b1->stmts = s; 7426 7427 /* 7428 * If To DS is set, the DA is at 16. 7429 */ 7430 b0 = gen_mac_multicast(cstate, 16); 7431 gen_and(b1, b0); 7432 7433 /* 7434 * Now, check for To DS not set, i.e. check 7435 * "!(link[1] & 0x01)". 7436 */ 7437 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7438 b2 = new_block(cstate, JMP(BPF_JSET)); 7439 b2->s.k = 0x01; /* To DS */ 7440 b2->stmts = s; 7441 gen_not(b2); 7442 7443 /* 7444 * If To DS is not set, the DA is at 4. 7445 */ 7446 b1 = gen_mac_multicast(cstate, 4); 7447 gen_and(b2, b1); 7448 7449 /* 7450 * Now OR together the last two checks. That gives 7451 * the complete set of checks for data frames. 7452 */ 7453 gen_or(b1, b0); 7454 7455 /* 7456 * Now check for a data frame. 7457 * I.e, check "link[0] & 0x08". 7458 */ 7459 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7460 b1 = new_block(cstate, JMP(BPF_JSET)); 7461 b1->s.k = 0x08; 7462 b1->stmts = s; 7463 7464 /* 7465 * AND that with the checks done for data frames. 7466 */ 7467 gen_and(b1, b0); 7468 7469 /* 7470 * If the high-order bit of the type value is 0, this 7471 * is a management frame. 7472 * I.e, check "!(link[0] & 0x08)". 7473 */ 7474 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7475 b2 = new_block(cstate, JMP(BPF_JSET)); 7476 b2->s.k = 0x08; 7477 b2->stmts = s; 7478 gen_not(b2); 7479 7480 /* 7481 * For management frames, the DA is at 4. 7482 */ 7483 b1 = gen_mac_multicast(cstate, 4); 7484 gen_and(b2, b1); 7485 7486 /* 7487 * OR that with the checks done for data frames. 7488 * That gives the checks done for management and 7489 * data frames. 7490 */ 7491 gen_or(b1, b0); 7492 7493 /* 7494 * If the low-order bit of the type value is 1, 7495 * this is either a control frame or a frame 7496 * with a reserved type, and thus not a 7497 * frame with an SA. 7498 * 7499 * I.e., check "!(link[0] & 0x04)". 7500 */ 7501 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7502 b1 = new_block(cstate, JMP(BPF_JSET)); 7503 b1->s.k = 0x04; 7504 b1->stmts = s; 7505 gen_not(b1); 7506 7507 /* 7508 * AND that with the checks for data and management 7509 * frames. 7510 */ 7511 gen_and(b1, b0); 7512 return b0; 7513 case DLT_IP_OVER_FC: 7514 b0 = gen_mac_multicast(cstate, 2); 7515 return b0; 7516 default: 7517 break; 7518 } 7519 /* Link not known to support multicasts */ 7520 break; 7521 7522 case Q_IP: 7523 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7524 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7525 gen_and(b0, b1); 7526 return b1; 7527 7528 case Q_IPV6: 7529 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 7530 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7531 gen_and(b0, b1); 7532 return b1; 7533 } 7534 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7535 /* NOTREACHED */ 7536 return NULL; 7537 } 7538 7539 /* 7540 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7541 * Outbound traffic is sent by this machine, while inbound traffic is 7542 * sent by a remote machine (and may include packets destined for a 7543 * unicast or multicast link-layer address we are not subscribing to). 7544 * These are the same definitions implemented by pcap_setdirection(). 7545 * Capturing only unicast traffic destined for this host is probably 7546 * better accomplished using a higher-layer filter. 7547 */ 7548 struct block * 7549 gen_inbound(compiler_state_t *cstate, int dir) 7550 { 7551 register struct block *b0; 7552 7553 /* 7554 * Only some data link types support inbound/outbound qualifiers. 7555 */ 7556 switch (cstate->linktype) { 7557 case DLT_SLIP: 7558 b0 = gen_relation(cstate, BPF_JEQ, 7559 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1), 7560 gen_loadi(cstate, 0), 7561 dir); 7562 break; 7563 7564 case DLT_IPNET: 7565 if (dir) { 7566 /* match outgoing packets */ 7567 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7568 } else { 7569 /* match incoming packets */ 7570 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7571 } 7572 break; 7573 7574 case DLT_LINUX_SLL: 7575 /* match outgoing packets */ 7576 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7577 if (!dir) { 7578 /* to filter on inbound traffic, invert the match */ 7579 gen_not(b0); 7580 } 7581 break; 7582 7583 #ifdef HAVE_NET_PFVAR_H 7584 case DLT_PFLOG: 7585 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7586 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7587 break; 7588 #endif 7589 7590 case DLT_PPP_PPPD: 7591 if (dir) { 7592 /* match outgoing packets */ 7593 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7594 } else { 7595 /* match incoming packets */ 7596 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7597 } 7598 break; 7599 7600 case DLT_JUNIPER_MFR: 7601 case DLT_JUNIPER_MLFR: 7602 case DLT_JUNIPER_MLPPP: 7603 case DLT_JUNIPER_ATM1: 7604 case DLT_JUNIPER_ATM2: 7605 case DLT_JUNIPER_PPPOE: 7606 case DLT_JUNIPER_PPPOE_ATM: 7607 case DLT_JUNIPER_GGSN: 7608 case DLT_JUNIPER_ES: 7609 case DLT_JUNIPER_MONITOR: 7610 case DLT_JUNIPER_SERVICES: 7611 case DLT_JUNIPER_ETHER: 7612 case DLT_JUNIPER_PPP: 7613 case DLT_JUNIPER_FRELAY: 7614 case DLT_JUNIPER_CHDLC: 7615 case DLT_JUNIPER_VP: 7616 case DLT_JUNIPER_ST: 7617 case DLT_JUNIPER_ISM: 7618 case DLT_JUNIPER_VS: 7619 case DLT_JUNIPER_SRX_E2E: 7620 case DLT_JUNIPER_FIBRECHANNEL: 7621 case DLT_JUNIPER_ATM_CEMIC: 7622 7623 /* juniper flags (including direction) are stored 7624 * the byte after the 3-byte magic number */ 7625 if (dir) { 7626 /* match outgoing packets */ 7627 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 7628 } else { 7629 /* match incoming packets */ 7630 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 7631 } 7632 break; 7633 7634 default: 7635 /* 7636 * If we have packet meta-data indicating a direction, 7637 * check it, otherwise give up as this link-layer type 7638 * has nothing in the packet data. 7639 */ 7640 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7641 /* 7642 * This is Linux with PF_PACKET support. 7643 * If this is a *live* capture, we can look at 7644 * special meta-data in the filter expression; 7645 * if it's a savefile, we can't. 7646 */ 7647 if (cstate->bpf_pcap->rfile != NULL) { 7648 /* We have a FILE *, so this is a savefile */ 7649 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles", 7650 cstate->linktype); 7651 b0 = NULL; 7652 /* NOTREACHED */ 7653 } 7654 /* match outgoing packets */ 7655 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7656 PACKET_OUTGOING); 7657 if (!dir) { 7658 /* to filter on inbound traffic, invert the match */ 7659 gen_not(b0); 7660 } 7661 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7662 bpf_error(cstate, "inbound/outbound not supported on linktype %d", 7663 cstate->linktype); 7664 b0 = NULL; 7665 /* NOTREACHED */ 7666 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7667 } 7668 return (b0); 7669 } 7670 7671 #ifdef HAVE_NET_PFVAR_H 7672 /* PF firewall log matched interface */ 7673 struct block * 7674 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7675 { 7676 struct block *b0; 7677 u_int len, off; 7678 7679 if (cstate->linktype != DLT_PFLOG) { 7680 bpf_error(cstate, "ifname supported only on PF linktype"); 7681 /* NOTREACHED */ 7682 } 7683 len = sizeof(((struct pfloghdr *)0)->ifname); 7684 off = offsetof(struct pfloghdr, ifname); 7685 if (strlen(ifname) >= len) { 7686 bpf_error(cstate, "ifname interface names can only be %d characters", 7687 len-1); 7688 /* NOTREACHED */ 7689 } 7690 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7691 return (b0); 7692 } 7693 7694 /* PF firewall log ruleset name */ 7695 struct block * 7696 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7697 { 7698 struct block *b0; 7699 7700 if (cstate->linktype != DLT_PFLOG) { 7701 bpf_error(cstate, "ruleset supported only on PF linktype"); 7702 /* NOTREACHED */ 7703 } 7704 7705 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7706 bpf_error(cstate, "ruleset names can only be %ld characters", 7707 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7708 /* NOTREACHED */ 7709 } 7710 7711 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7712 strlen(ruleset), (const u_char *)ruleset); 7713 return (b0); 7714 } 7715 7716 /* PF firewall log rule number */ 7717 struct block * 7718 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7719 { 7720 struct block *b0; 7721 7722 if (cstate->linktype != DLT_PFLOG) { 7723 bpf_error(cstate, "rnr supported only on PF linktype"); 7724 /* NOTREACHED */ 7725 } 7726 7727 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7728 (bpf_int32)rnr); 7729 return (b0); 7730 } 7731 7732 /* PF firewall log sub-rule number */ 7733 struct block * 7734 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7735 { 7736 struct block *b0; 7737 7738 if (cstate->linktype != DLT_PFLOG) { 7739 bpf_error(cstate, "srnr supported only on PF linktype"); 7740 /* NOTREACHED */ 7741 } 7742 7743 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7744 (bpf_int32)srnr); 7745 return (b0); 7746 } 7747 7748 /* PF firewall log reason code */ 7749 struct block * 7750 gen_pf_reason(compiler_state_t *cstate, int reason) 7751 { 7752 struct block *b0; 7753 7754 if (cstate->linktype != DLT_PFLOG) { 7755 bpf_error(cstate, "reason supported only on PF linktype"); 7756 /* NOTREACHED */ 7757 } 7758 7759 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7760 (bpf_int32)reason); 7761 return (b0); 7762 } 7763 7764 /* PF firewall log action */ 7765 struct block * 7766 gen_pf_action(compiler_state_t *cstate, int action) 7767 { 7768 struct block *b0; 7769 7770 if (cstate->linktype != DLT_PFLOG) { 7771 bpf_error(cstate, "action supported only on PF linktype"); 7772 /* NOTREACHED */ 7773 } 7774 7775 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7776 (bpf_int32)action); 7777 return (b0); 7778 } 7779 #else /* !HAVE_NET_PFVAR_H */ 7780 struct block * 7781 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7782 { 7783 bpf_error(cstate, "libpcap was compiled without pf support"); 7784 /* NOTREACHED */ 7785 return (NULL); 7786 } 7787 7788 struct block * 7789 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7790 { 7791 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7792 /* NOTREACHED */ 7793 return (NULL); 7794 } 7795 7796 struct block * 7797 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7798 { 7799 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7800 /* NOTREACHED */ 7801 return (NULL); 7802 } 7803 7804 struct block * 7805 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7806 { 7807 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7808 /* NOTREACHED */ 7809 return (NULL); 7810 } 7811 7812 struct block * 7813 gen_pf_reason(compiler_state_t *cstate, int reason) 7814 { 7815 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7816 /* NOTREACHED */ 7817 return (NULL); 7818 } 7819 7820 struct block * 7821 gen_pf_action(compiler_state_t *cstate, int action) 7822 { 7823 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7824 /* NOTREACHED */ 7825 return (NULL); 7826 } 7827 #endif /* HAVE_NET_PFVAR_H */ 7828 7829 /* IEEE 802.11 wireless header */ 7830 struct block * 7831 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 7832 { 7833 struct block *b0; 7834 7835 switch (cstate->linktype) { 7836 7837 case DLT_IEEE802_11: 7838 case DLT_PRISM_HEADER: 7839 case DLT_IEEE802_11_RADIO_AVS: 7840 case DLT_IEEE802_11_RADIO: 7841 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7842 (bpf_int32)mask); 7843 break; 7844 7845 default: 7846 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 7847 /* NOTREACHED */ 7848 } 7849 7850 return (b0); 7851 } 7852 7853 struct block * 7854 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 7855 { 7856 struct block *b0; 7857 7858 switch (cstate->linktype) { 7859 7860 case DLT_IEEE802_11: 7861 case DLT_PRISM_HEADER: 7862 case DLT_IEEE802_11_RADIO_AVS: 7863 case DLT_IEEE802_11_RADIO: 7864 break; 7865 7866 default: 7867 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 7868 /* NOTREACHED */ 7869 } 7870 7871 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 7872 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7873 7874 return (b0); 7875 } 7876 7877 struct block * 7878 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 7879 { 7880 switch (cstate->linktype) { 7881 7882 case DLT_ARCNET: 7883 case DLT_ARCNET_LINUX: 7884 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7885 q.proto == Q_LINK) 7886 return (gen_ahostop(cstate, eaddr, (int)q.dir)); 7887 else { 7888 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7889 /* NOTREACHED */ 7890 } 7891 break; 7892 7893 default: 7894 bpf_error(cstate, "aid supported only on ARCnet"); 7895 /* NOTREACHED */ 7896 } 7897 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7898 /* NOTREACHED */ 7899 return NULL; 7900 } 7901 7902 static struct block * 7903 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 7904 { 7905 register struct block *b0, *b1; 7906 7907 switch (dir) { 7908 /* src comes first, different from Ethernet */ 7909 case Q_SRC: 7910 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 7911 7912 case Q_DST: 7913 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 7914 7915 case Q_AND: 7916 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7917 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7918 gen_and(b0, b1); 7919 return b1; 7920 7921 case Q_DEFAULT: 7922 case Q_OR: 7923 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7924 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7925 gen_or(b0, b1); 7926 return b1; 7927 7928 case Q_ADDR1: 7929 bpf_error(cstate, "'addr1' is only supported on 802.11"); 7930 break; 7931 7932 case Q_ADDR2: 7933 bpf_error(cstate, "'addr2' is only supported on 802.11"); 7934 break; 7935 7936 case Q_ADDR3: 7937 bpf_error(cstate, "'addr3' is only supported on 802.11"); 7938 break; 7939 7940 case Q_ADDR4: 7941 bpf_error(cstate, "'addr4' is only supported on 802.11"); 7942 break; 7943 7944 case Q_RA: 7945 bpf_error(cstate, "'ra' is only supported on 802.11"); 7946 break; 7947 7948 case Q_TA: 7949 bpf_error(cstate, "'ta' is only supported on 802.11"); 7950 break; 7951 } 7952 abort(); 7953 /* NOTREACHED */ 7954 } 7955 7956 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7957 static struct block * 7958 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7959 { 7960 struct block *b0, *b1; 7961 struct slist *s; 7962 7963 /* generate new filter code based on extracting packet 7964 * metadata */ 7965 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7966 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 7967 7968 b0 = new_block(cstate, JMP(BPF_JEQ)); 7969 b0->stmts = s; 7970 b0->s.k = 1; 7971 7972 if (vlan_num >= 0) { 7973 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7974 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 7975 7976 b1 = new_block(cstate, JMP(BPF_JEQ)); 7977 b1->stmts = s; 7978 b1->s.k = (bpf_int32) vlan_num; 7979 7980 gen_and(b0,b1); 7981 b0 = b1; 7982 } 7983 7984 return b0; 7985 } 7986 #endif 7987 7988 static struct block * 7989 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7990 { 7991 struct block *b0, *b1; 7992 7993 /* check for VLAN, including QinQ */ 7994 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 7995 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 7996 gen_or(b0,b1); 7997 b0 = b1; 7998 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 7999 gen_or(b0,b1); 8000 b0 = b1; 8001 8002 /* If a specific VLAN is requested, check VLAN id */ 8003 if (vlan_num >= 0) { 8004 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, 8005 (bpf_int32)vlan_num, 0x0fff); 8006 gen_and(b0, b1); 8007 b0 = b1; 8008 } 8009 8010 /* 8011 * The payload follows the full header, including the 8012 * VLAN tags, so skip past this VLAN tag. 8013 */ 8014 cstate->off_linkpl.constant_part += 4; 8015 8016 /* 8017 * The link-layer type information follows the VLAN tags, so 8018 * skip past this VLAN tag. 8019 */ 8020 cstate->off_linktype.constant_part += 4; 8021 8022 return b0; 8023 } 8024 8025 /* 8026 * support IEEE 802.1Q VLAN trunk over ethernet 8027 */ 8028 struct block * 8029 gen_vlan(compiler_state_t *cstate, int vlan_num) 8030 { 8031 struct block *b0; 8032 8033 /* can't check for VLAN-encapsulated packets inside MPLS */ 8034 if (cstate->label_stack_depth > 0) 8035 bpf_error(cstate, "no VLAN match after MPLS"); 8036 8037 /* 8038 * Check for a VLAN packet, and then change the offsets to point 8039 * to the type and data fields within the VLAN packet. Just 8040 * increment the offsets, so that we can support a hierarchy, e.g. 8041 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8042 * VLAN 100. 8043 * 8044 * XXX - this is a bit of a kludge. If we were to split the 8045 * compiler into a parser that parses an expression and 8046 * generates an expression tree, and a code generator that 8047 * takes an expression tree (which could come from our 8048 * parser or from some other parser) and generates BPF code, 8049 * we could perhaps make the offsets parameters of routines 8050 * and, in the handler for an "AND" node, pass to subnodes 8051 * other than the VLAN node the adjusted offsets. 8052 * 8053 * This would mean that "vlan" would, instead of changing the 8054 * behavior of *all* tests after it, change only the behavior 8055 * of tests ANDed with it. That would change the documented 8056 * semantics of "vlan", which might break some expressions. 8057 * However, it would mean that "(vlan and ip) or ip" would check 8058 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8059 * checking only for VLAN-encapsulated IP, so that could still 8060 * be considered worth doing; it wouldn't break expressions 8061 * that are of the form "vlan and ..." or "vlan N and ...", 8062 * which I suspect are the most common expressions involving 8063 * "vlan". "vlan or ..." doesn't necessarily do what the user 8064 * would really want, now, as all the "or ..." tests would 8065 * be done assuming a VLAN, even though the "or" could be viewed 8066 * as meaning "or, if this isn't a VLAN packet...". 8067 */ 8068 switch (cstate->linktype) { 8069 8070 case DLT_EN10MB: 8071 case DLT_NETANALYZER: 8072 case DLT_NETANALYZER_TRANSPARENT: 8073 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 8074 /* Verify that this is the outer part of the packet and 8075 * not encapsulated somehow. */ 8076 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8077 cstate->off_linkhdr.constant_part == 8078 cstate->off_outermostlinkhdr.constant_part) { 8079 /* 8080 * Do we need special VLAN handling? 8081 */ 8082 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8083 b0 = gen_vlan_bpf_extensions(cstate, vlan_num); 8084 else 8085 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8086 } else 8087 #endif 8088 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8089 break; 8090 8091 case DLT_IEEE802_11: 8092 case DLT_PRISM_HEADER: 8093 case DLT_IEEE802_11_RADIO_AVS: 8094 case DLT_IEEE802_11_RADIO: 8095 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8096 break; 8097 8098 default: 8099 bpf_error(cstate, "no VLAN support for data link type %d", 8100 cstate->linktype); 8101 /*NOTREACHED*/ 8102 } 8103 8104 cstate->vlan_stack_depth++; 8105 8106 return (b0); 8107 } 8108 8109 /* 8110 * support for MPLS 8111 */ 8112 struct block * 8113 gen_mpls(compiler_state_t *cstate, int label_num) 8114 { 8115 struct block *b0, *b1; 8116 8117 if (cstate->label_stack_depth > 0) { 8118 /* just match the bottom-of-stack bit clear */ 8119 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8120 } else { 8121 /* 8122 * We're not in an MPLS stack yet, so check the link-layer 8123 * type against MPLS. 8124 */ 8125 switch (cstate->linktype) { 8126 8127 case DLT_C_HDLC: /* fall through */ 8128 case DLT_EN10MB: 8129 case DLT_NETANALYZER: 8130 case DLT_NETANALYZER_TRANSPARENT: 8131 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 8132 break; 8133 8134 case DLT_PPP: 8135 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 8136 break; 8137 8138 /* FIXME add other DLT_s ... 8139 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8140 * leave it for now */ 8141 8142 default: 8143 bpf_error(cstate, "no MPLS support for data link type %d", 8144 cstate->linktype); 8145 b0 = NULL; 8146 /*NOTREACHED*/ 8147 break; 8148 } 8149 } 8150 8151 /* If a specific MPLS label is requested, check it */ 8152 if (label_num >= 0) { 8153 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8154 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8155 0xfffff000); /* only compare the first 20 bits */ 8156 gen_and(b0, b1); 8157 b0 = b1; 8158 } 8159 8160 /* 8161 * Change the offsets to point to the type and data fields within 8162 * the MPLS packet. Just increment the offsets, so that we 8163 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8164 * capture packets with an outer label of 100000 and an inner 8165 * label of 1024. 8166 * 8167 * Increment the MPLS stack depth as well; this indicates that 8168 * we're checking MPLS-encapsulated headers, to make sure higher 8169 * level code generators don't try to match against IP-related 8170 * protocols such as Q_ARP, Q_RARP etc. 8171 * 8172 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8173 */ 8174 cstate->off_nl_nosnap += 4; 8175 cstate->off_nl += 4; 8176 cstate->label_stack_depth++; 8177 return (b0); 8178 } 8179 8180 /* 8181 * Support PPPOE discovery and session. 8182 */ 8183 struct block * 8184 gen_pppoed(compiler_state_t *cstate) 8185 { 8186 /* check for PPPoE discovery */ 8187 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 8188 } 8189 8190 struct block * 8191 gen_pppoes(compiler_state_t *cstate, int sess_num) 8192 { 8193 struct block *b0, *b1; 8194 8195 /* 8196 * Test against the PPPoE session link-layer type. 8197 */ 8198 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 8199 8200 /* If a specific session is requested, check PPPoE session id */ 8201 if (sess_num >= 0) { 8202 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 8203 (bpf_int32)sess_num, 0x0000ffff); 8204 gen_and(b0, b1); 8205 b0 = b1; 8206 } 8207 8208 /* 8209 * Change the offsets to point to the type and data fields within 8210 * the PPP packet, and note that this is PPPoE rather than 8211 * raw PPP. 8212 * 8213 * XXX - this is a bit of a kludge. If we were to split the 8214 * compiler into a parser that parses an expression and 8215 * generates an expression tree, and a code generator that 8216 * takes an expression tree (which could come from our 8217 * parser or from some other parser) and generates BPF code, 8218 * we could perhaps make the offsets parameters of routines 8219 * and, in the handler for an "AND" node, pass to subnodes 8220 * other than the PPPoE node the adjusted offsets. 8221 * 8222 * This would mean that "pppoes" would, instead of changing the 8223 * behavior of *all* tests after it, change only the behavior 8224 * of tests ANDed with it. That would change the documented 8225 * semantics of "pppoes", which might break some expressions. 8226 * However, it would mean that "(pppoes and ip) or ip" would check 8227 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8228 * checking only for VLAN-encapsulated IP, so that could still 8229 * be considered worth doing; it wouldn't break expressions 8230 * that are of the form "pppoes and ..." which I suspect are the 8231 * most common expressions involving "pppoes". "pppoes or ..." 8232 * doesn't necessarily do what the user would really want, now, 8233 * as all the "or ..." tests would be done assuming PPPoE, even 8234 * though the "or" could be viewed as meaning "or, if this isn't 8235 * a PPPoE packet...". 8236 * 8237 * The "network-layer" protocol is PPPoE, which has a 6-byte 8238 * PPPoE header, followed by a PPP packet. 8239 * 8240 * There is no HDLC encapsulation for the PPP packet (it's 8241 * encapsulated in PPPoES instead), so the link-layer type 8242 * starts at the first byte of the PPP packet. For PPPoE, 8243 * that offset is relative to the beginning of the total 8244 * link-layer payload, including any 802.2 LLC header, so 8245 * it's 6 bytes past cstate->off_nl. 8246 */ 8247 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 8248 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 8249 cstate->off_linkpl.reg); 8250 8251 cstate->off_linktype = cstate->off_linkhdr; 8252 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 8253 8254 cstate->off_nl = 0; 8255 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 8256 8257 return b0; 8258 } 8259 8260 /* Check that this is Geneve and the VNI is correct if 8261 * specified. Parameterized to handle both IPv4 and IPv6. */ 8262 static struct block * 8263 gen_geneve_check(compiler_state_t *cstate, 8264 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 8265 enum e_offrel offrel, int vni) 8266 { 8267 struct block *b0, *b1; 8268 8269 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 8270 8271 /* Check that we are operating on version 0. Otherwise, we 8272 * can't decode the rest of the fields. The version is 2 bits 8273 * in the first byte of the Geneve header. */ 8274 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8275 gen_and(b0, b1); 8276 b0 = b1; 8277 8278 if (vni >= 0) { 8279 vni <<= 8; /* VNI is in the upper 3 bytes */ 8280 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 8281 0xffffff00); 8282 gen_and(b0, b1); 8283 b0 = b1; 8284 } 8285 8286 return b0; 8287 } 8288 8289 /* The IPv4 and IPv6 Geneve checks need to do two things: 8290 * - Verify that this actually is Geneve with the right VNI. 8291 * - Place the IP header length (plus variable link prefix if 8292 * needed) into register A to be used later to compute 8293 * the inner packet offsets. */ 8294 static struct block * 8295 gen_geneve4(compiler_state_t *cstate, int vni) 8296 { 8297 struct block *b0, *b1; 8298 struct slist *s, *s1; 8299 8300 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni); 8301 8302 /* Load the IP header length into A. */ 8303 s = gen_loadx_iphdrlen(cstate); 8304 8305 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8306 sappend(s, s1); 8307 8308 /* Forcibly append these statements to the true condition 8309 * of the protocol check by creating a new block that is 8310 * always true and ANDing them. */ 8311 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8312 b1->stmts = s; 8313 b1->s.k = 0; 8314 8315 gen_and(b0, b1); 8316 8317 return b1; 8318 } 8319 8320 static struct block * 8321 gen_geneve6(compiler_state_t *cstate, int vni) 8322 { 8323 struct block *b0, *b1; 8324 struct slist *s, *s1; 8325 8326 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni); 8327 8328 /* Load the IP header length. We need to account for a 8329 * variable length link prefix if there is one. */ 8330 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 8331 if (s) { 8332 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 8333 s1->s.k = 40; 8334 sappend(s, s1); 8335 8336 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8337 s1->s.k = 0; 8338 sappend(s, s1); 8339 } else { 8340 s = new_stmt(cstate, BPF_LD|BPF_IMM); 8341 s->s.k = 40; 8342 } 8343 8344 /* Forcibly append these statements to the true condition 8345 * of the protocol check by creating a new block that is 8346 * always true and ANDing them. */ 8347 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8348 sappend(s, s1); 8349 8350 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8351 b1->stmts = s; 8352 b1->s.k = 0; 8353 8354 gen_and(b0, b1); 8355 8356 return b1; 8357 } 8358 8359 /* We need to store three values based on the Geneve header:: 8360 * - The offset of the linktype. 8361 * - The offset of the end of the Geneve header. 8362 * - The offset of the end of the encapsulated MAC header. */ 8363 static struct slist * 8364 gen_geneve_offsets(compiler_state_t *cstate) 8365 { 8366 struct slist *s, *s1, *s_proto; 8367 8368 /* First we need to calculate the offset of the Geneve header 8369 * itself. This is composed of the IP header previously calculated 8370 * (include any variable link prefix) and stored in A plus the 8371 * fixed sized headers (fixed link prefix, MAC length, and UDP 8372 * header). */ 8373 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8374 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 8375 8376 /* Stash this in X since we'll need it later. */ 8377 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8378 sappend(s, s1); 8379 8380 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8381 * store it. */ 8382 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8383 s1->s.k = 2; 8384 sappend(s, s1); 8385 8386 cstate->off_linktype.reg = alloc_reg(cstate); 8387 cstate->off_linktype.is_variable = 1; 8388 cstate->off_linktype.constant_part = 0; 8389 8390 s1 = new_stmt(cstate, BPF_ST); 8391 s1->s.k = cstate->off_linktype.reg; 8392 sappend(s, s1); 8393 8394 /* Load the Geneve option length and mask and shift to get the 8395 * number of bytes. It is stored in the first byte of the Geneve 8396 * header. */ 8397 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 8398 s1->s.k = 0; 8399 sappend(s, s1); 8400 8401 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 8402 s1->s.k = 0x3f; 8403 sappend(s, s1); 8404 8405 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 8406 s1->s.k = 4; 8407 sappend(s, s1); 8408 8409 /* Add in the rest of the Geneve base header. */ 8410 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8411 s1->s.k = 8; 8412 sappend(s, s1); 8413 8414 /* Add the Geneve header length to its offset and store. */ 8415 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8416 s1->s.k = 0; 8417 sappend(s, s1); 8418 8419 /* Set the encapsulated type as Ethernet. Even though we may 8420 * not actually have Ethernet inside there are two reasons this 8421 * is useful: 8422 * - The linktype field is always in EtherType format regardless 8423 * of whether it is in Geneve or an inner Ethernet frame. 8424 * - The only link layer that we have specific support for is 8425 * Ethernet. We will confirm that the packet actually is 8426 * Ethernet at runtime before executing these checks. */ 8427 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 8428 8429 s1 = new_stmt(cstate, BPF_ST); 8430 s1->s.k = cstate->off_linkhdr.reg; 8431 sappend(s, s1); 8432 8433 /* Calculate whether we have an Ethernet header or just raw IP/ 8434 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8435 * and linktype by 14 bytes so that the network header can be found 8436 * seamlessly. Otherwise, keep what we've calculated already. */ 8437 8438 /* We have a bare jmp so we can't use the optimizer. */ 8439 cstate->no_optimize = 1; 8440 8441 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8442 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 8443 s1->s.k = 2; 8444 sappend(s, s1); 8445 8446 /* Load X with the end of the Geneve header. */ 8447 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8448 s1->s.k = cstate->off_linkhdr.reg; 8449 sappend(s, s1); 8450 8451 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8452 * end of this check, we should have the total length in X. In 8453 * the non-Ethernet case, it's already there. */ 8454 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 8455 s_proto->s.k = ETHERTYPE_TEB; 8456 sappend(s, s_proto); 8457 8458 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8459 sappend(s, s1); 8460 s_proto->s.jt = s1; 8461 8462 /* Since this is Ethernet, use the EtherType of the payload 8463 * directly as the linktype. Overwrite what we already have. */ 8464 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8465 s1->s.k = 12; 8466 sappend(s, s1); 8467 8468 s1 = new_stmt(cstate, BPF_ST); 8469 s1->s.k = cstate->off_linktype.reg; 8470 sappend(s, s1); 8471 8472 /* Advance two bytes further to get the end of the Ethernet 8473 * header. */ 8474 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8475 s1->s.k = 2; 8476 sappend(s, s1); 8477 8478 /* Move the result to X. */ 8479 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8480 sappend(s, s1); 8481 8482 /* Store the final result of our linkpl calculation. */ 8483 cstate->off_linkpl.reg = alloc_reg(cstate); 8484 cstate->off_linkpl.is_variable = 1; 8485 cstate->off_linkpl.constant_part = 0; 8486 8487 s1 = new_stmt(cstate, BPF_STX); 8488 s1->s.k = cstate->off_linkpl.reg; 8489 sappend(s, s1); 8490 s_proto->s.jf = s1; 8491 8492 cstate->off_nl = 0; 8493 8494 return s; 8495 } 8496 8497 /* Check to see if this is a Geneve packet. */ 8498 struct block * 8499 gen_geneve(compiler_state_t *cstate, int vni) 8500 { 8501 struct block *b0, *b1; 8502 struct slist *s; 8503 8504 b0 = gen_geneve4(cstate, vni); 8505 b1 = gen_geneve6(cstate, vni); 8506 8507 gen_or(b0, b1); 8508 b0 = b1; 8509 8510 /* Later filters should act on the payload of the Geneve frame, 8511 * update all of the header pointers. Attach this code so that 8512 * it gets executed in the event that the Geneve filter matches. */ 8513 s = gen_geneve_offsets(cstate); 8514 8515 b1 = gen_true(cstate); 8516 sappend(s, b1->stmts); 8517 b1->stmts = s; 8518 8519 gen_and(b0, b1); 8520 8521 cstate->is_geneve = 1; 8522 8523 return b1; 8524 } 8525 8526 /* Check that the encapsulated frame has a link layer header 8527 * for Ethernet filters. */ 8528 static struct block * 8529 gen_geneve_ll_check(compiler_state_t *cstate) 8530 { 8531 struct block *b0; 8532 struct slist *s, *s1; 8533 8534 /* The easiest way to see if there is a link layer present 8535 * is to check if the link layer header and payload are not 8536 * the same. */ 8537 8538 /* Geneve always generates pure variable offsets so we can 8539 * compare only the registers. */ 8540 s = new_stmt(cstate, BPF_LD|BPF_MEM); 8541 s->s.k = cstate->off_linkhdr.reg; 8542 8543 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8544 s1->s.k = cstate->off_linkpl.reg; 8545 sappend(s, s1); 8546 8547 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8548 b0->stmts = s; 8549 b0->s.k = 0; 8550 gen_not(b0); 8551 8552 return b0; 8553 } 8554 8555 struct block * 8556 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue, 8557 bpf_u_int32 jtype, int reverse) 8558 { 8559 struct block *b0; 8560 8561 switch (atmfield) { 8562 8563 case A_VPI: 8564 if (!cstate->is_atm) 8565 bpf_error(cstate, "'vpi' supported only on raw ATM"); 8566 if (cstate->off_vpi == (u_int)-1) 8567 abort(); 8568 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 8569 reverse, jvalue); 8570 break; 8571 8572 case A_VCI: 8573 if (!cstate->is_atm) 8574 bpf_error(cstate, "'vci' supported only on raw ATM"); 8575 if (cstate->off_vci == (u_int)-1) 8576 abort(); 8577 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 8578 reverse, jvalue); 8579 break; 8580 8581 case A_PROTOTYPE: 8582 if (cstate->off_proto == (u_int)-1) 8583 abort(); /* XXX - this isn't on FreeBSD */ 8584 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 8585 reverse, jvalue); 8586 break; 8587 8588 case A_MSGTYPE: 8589 if (cstate->off_payload == (u_int)-1) 8590 abort(); 8591 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 8592 0xffffffff, jtype, reverse, jvalue); 8593 break; 8594 8595 case A_CALLREFTYPE: 8596 if (!cstate->is_atm) 8597 bpf_error(cstate, "'callref' supported only on raw ATM"); 8598 if (cstate->off_proto == (u_int)-1) 8599 abort(); 8600 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 8601 jtype, reverse, jvalue); 8602 break; 8603 8604 default: 8605 abort(); 8606 } 8607 return b0; 8608 } 8609 8610 struct block * 8611 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 8612 { 8613 struct block *b0, *b1; 8614 8615 switch (type) { 8616 8617 case A_METAC: 8618 /* Get all packets in Meta signalling Circuit */ 8619 if (!cstate->is_atm) 8620 bpf_error(cstate, "'metac' supported only on raw ATM"); 8621 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8622 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0); 8623 gen_and(b0, b1); 8624 break; 8625 8626 case A_BCC: 8627 /* Get all packets in Broadcast Circuit*/ 8628 if (!cstate->is_atm) 8629 bpf_error(cstate, "'bcc' supported only on raw ATM"); 8630 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8631 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0); 8632 gen_and(b0, b1); 8633 break; 8634 8635 case A_OAMF4SC: 8636 /* Get all cells in Segment OAM F4 circuit*/ 8637 if (!cstate->is_atm) 8638 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 8639 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8640 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8641 gen_and(b0, b1); 8642 break; 8643 8644 case A_OAMF4EC: 8645 /* Get all cells in End-to-End OAM F4 Circuit*/ 8646 if (!cstate->is_atm) 8647 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 8648 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8649 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8650 gen_and(b0, b1); 8651 break; 8652 8653 case A_SC: 8654 /* Get all packets in connection Signalling Circuit */ 8655 if (!cstate->is_atm) 8656 bpf_error(cstate, "'sc' supported only on raw ATM"); 8657 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8658 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0); 8659 gen_and(b0, b1); 8660 break; 8661 8662 case A_ILMIC: 8663 /* Get all packets in ILMI Circuit */ 8664 if (!cstate->is_atm) 8665 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 8666 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8667 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0); 8668 gen_and(b0, b1); 8669 break; 8670 8671 case A_LANE: 8672 /* Get all LANE packets */ 8673 if (!cstate->is_atm) 8674 bpf_error(cstate, "'lane' supported only on raw ATM"); 8675 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8676 8677 /* 8678 * Arrange that all subsequent tests assume LANE 8679 * rather than LLC-encapsulated packets, and set 8680 * the offsets appropriately for LANE-encapsulated 8681 * Ethernet. 8682 * 8683 * We assume LANE means Ethernet, not Token Ring. 8684 */ 8685 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 8686 cstate->off_payload + 2, /* Ethernet header */ 8687 -1); 8688 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 8689 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 8690 cstate->off_nl = 0; /* Ethernet II */ 8691 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 8692 break; 8693 8694 case A_LLC: 8695 /* Get all LLC-encapsulated packets */ 8696 if (!cstate->is_atm) 8697 bpf_error(cstate, "'llc' supported only on raw ATM"); 8698 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8699 cstate->linktype = cstate->prevlinktype; 8700 break; 8701 8702 default: 8703 abort(); 8704 } 8705 return b1; 8706 } 8707 8708 /* 8709 * Filtering for MTP2 messages based on li value 8710 * FISU, length is null 8711 * LSSU, length is 1 or 2 8712 * MSU, length is 3 or more 8713 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8714 */ 8715 struct block * 8716 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 8717 { 8718 struct block *b0, *b1; 8719 8720 switch (type) { 8721 8722 case M_FISU: 8723 if ( (cstate->linktype != DLT_MTP2) && 8724 (cstate->linktype != DLT_ERF) && 8725 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8726 bpf_error(cstate, "'fisu' supported only on MTP2"); 8727 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8728 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8729 break; 8730 8731 case M_LSSU: 8732 if ( (cstate->linktype != DLT_MTP2) && 8733 (cstate->linktype != DLT_ERF) && 8734 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8735 bpf_error(cstate, "'lssu' supported only on MTP2"); 8736 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8737 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8738 gen_and(b1, b0); 8739 break; 8740 8741 case M_MSU: 8742 if ( (cstate->linktype != DLT_MTP2) && 8743 (cstate->linktype != DLT_ERF) && 8744 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8745 bpf_error(cstate, "'msu' supported only on MTP2"); 8746 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8747 break; 8748 8749 case MH_FISU: 8750 if ( (cstate->linktype != DLT_MTP2) && 8751 (cstate->linktype != DLT_ERF) && 8752 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8753 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 8754 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8755 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8756 break; 8757 8758 case MH_LSSU: 8759 if ( (cstate->linktype != DLT_MTP2) && 8760 (cstate->linktype != DLT_ERF) && 8761 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8762 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 8763 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8764 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8765 gen_and(b1, b0); 8766 break; 8767 8768 case MH_MSU: 8769 if ( (cstate->linktype != DLT_MTP2) && 8770 (cstate->linktype != DLT_ERF) && 8771 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8772 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 8773 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8774 break; 8775 8776 default: 8777 abort(); 8778 } 8779 return b0; 8780 } 8781 8782 struct block * 8783 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue, 8784 bpf_u_int32 jtype, int reverse) 8785 { 8786 struct block *b0; 8787 bpf_u_int32 val1 , val2 , val3; 8788 u_int newoff_sio = cstate->off_sio; 8789 u_int newoff_opc = cstate->off_opc; 8790 u_int newoff_dpc = cstate->off_dpc; 8791 u_int newoff_sls = cstate->off_sls; 8792 8793 switch (mtp3field) { 8794 8795 case MH_SIO: 8796 newoff_sio += 3; /* offset for MTP2_HSL */ 8797 /* FALLTHROUGH */ 8798 8799 case M_SIO: 8800 if (cstate->off_sio == (u_int)-1) 8801 bpf_error(cstate, "'sio' supported only on SS7"); 8802 /* sio coded on 1 byte so max value 255 */ 8803 if(jvalue > 255) 8804 bpf_error(cstate, "sio value %u too big; max value = 255", 8805 jvalue); 8806 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8807 (u_int)jtype, reverse, (u_int)jvalue); 8808 break; 8809 8810 case MH_OPC: 8811 newoff_opc+=3; 8812 case M_OPC: 8813 if (cstate->off_opc == (u_int)-1) 8814 bpf_error(cstate, "'opc' supported only on SS7"); 8815 /* opc coded on 14 bits so max value 16383 */ 8816 if (jvalue > 16383) 8817 bpf_error(cstate, "opc value %u too big; max value = 16383", 8818 jvalue); 8819 /* the following instructions are made to convert jvalue 8820 * to the form used to write opc in an ss7 message*/ 8821 val1 = jvalue & 0x00003c00; 8822 val1 = val1 >>10; 8823 val2 = jvalue & 0x000003fc; 8824 val2 = val2 <<6; 8825 val3 = jvalue & 0x00000003; 8826 val3 = val3 <<22; 8827 jvalue = val1 + val2 + val3; 8828 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8829 (u_int)jtype, reverse, (u_int)jvalue); 8830 break; 8831 8832 case MH_DPC: 8833 newoff_dpc += 3; 8834 /* FALLTHROUGH */ 8835 8836 case M_DPC: 8837 if (cstate->off_dpc == (u_int)-1) 8838 bpf_error(cstate, "'dpc' supported only on SS7"); 8839 /* dpc coded on 14 bits so max value 16383 */ 8840 if (jvalue > 16383) 8841 bpf_error(cstate, "dpc value %u too big; max value = 16383", 8842 jvalue); 8843 /* the following instructions are made to convert jvalue 8844 * to the forme used to write dpc in an ss7 message*/ 8845 val1 = jvalue & 0x000000ff; 8846 val1 = val1 << 24; 8847 val2 = jvalue & 0x00003f00; 8848 val2 = val2 << 8; 8849 jvalue = val1 + val2; 8850 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8851 (u_int)jtype, reverse, (u_int)jvalue); 8852 break; 8853 8854 case MH_SLS: 8855 newoff_sls+=3; 8856 case M_SLS: 8857 if (cstate->off_sls == (u_int)-1) 8858 bpf_error(cstate, "'sls' supported only on SS7"); 8859 /* sls coded on 4 bits so max value 15 */ 8860 if (jvalue > 15) 8861 bpf_error(cstate, "sls value %u too big; max value = 15", 8862 jvalue); 8863 /* the following instruction is made to convert jvalue 8864 * to the forme used to write sls in an ss7 message*/ 8865 jvalue = jvalue << 4; 8866 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 8867 (u_int)jtype,reverse, (u_int)jvalue); 8868 break; 8869 8870 default: 8871 abort(); 8872 } 8873 return b0; 8874 } 8875 8876 static struct block * 8877 gen_msg_abbrev(compiler_state_t *cstate, int type) 8878 { 8879 struct block *b1; 8880 8881 /* 8882 * Q.2931 signalling protocol messages for handling virtual circuits 8883 * establishment and teardown 8884 */ 8885 switch (type) { 8886 8887 case A_SETUP: 8888 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 8889 break; 8890 8891 case A_CALLPROCEED: 8892 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8893 break; 8894 8895 case A_CONNECT: 8896 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8897 break; 8898 8899 case A_CONNECTACK: 8900 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8901 break; 8902 8903 case A_RELEASE: 8904 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8905 break; 8906 8907 case A_RELEASE_DONE: 8908 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8909 break; 8910 8911 default: 8912 abort(); 8913 } 8914 return b1; 8915 } 8916 8917 struct block * 8918 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 8919 { 8920 struct block *b0, *b1; 8921 8922 switch (type) { 8923 8924 case A_OAM: 8925 if (!cstate->is_atm) 8926 bpf_error(cstate, "'oam' supported only on raw ATM"); 8927 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4); 8928 break; 8929 8930 case A_OAMF4: 8931 if (!cstate->is_atm) 8932 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 8933 /* OAM F4 type */ 8934 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8935 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8936 gen_or(b0, b1); 8937 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8938 gen_and(b0, b1); 8939 break; 8940 8941 case A_CONNECTMSG: 8942 /* 8943 * Get Q.2931 signalling messages for switched 8944 * virtual connection 8945 */ 8946 if (!cstate->is_atm) 8947 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 8948 b0 = gen_msg_abbrev(cstate, A_SETUP); 8949 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8950 gen_or(b0, b1); 8951 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8952 gen_or(b0, b1); 8953 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 8954 gen_or(b0, b1); 8955 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8956 gen_or(b0, b1); 8957 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8958 gen_or(b0, b1); 8959 b0 = gen_atmtype_abbrev(cstate, A_SC); 8960 gen_and(b0, b1); 8961 break; 8962 8963 case A_METACONNECT: 8964 if (!cstate->is_atm) 8965 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 8966 b0 = gen_msg_abbrev(cstate, A_SETUP); 8967 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8968 gen_or(b0, b1); 8969 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8970 gen_or(b0, b1); 8971 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8972 gen_or(b0, b1); 8973 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8974 gen_or(b0, b1); 8975 b0 = gen_atmtype_abbrev(cstate, A_METAC); 8976 gen_and(b0, b1); 8977 break; 8978 8979 default: 8980 abort(); 8981 } 8982 return b1; 8983 } 8984