1 /* $NetBSD: gencode.c,v 1.13 2023/08/17 15:18:12 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that: (1) source code distributions 9 * retain the above copyright notice and this paragraph in its entirety, (2) 10 * distributions including binary code include the above copyright notice and 11 * this paragraph in its entirety in the documentation or other materials 12 * provided with the distribution, and (3) all advertising materials mentioning 13 * features or use of this software display the following acknowledgement: 14 * ``This product includes software developed by the University of California, 15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 16 * the University nor the names of its contributors may be used to endorse 17 * or promote products derived from this software without specific prior 18 * written permission. 19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 22 */ 23 24 #include <sys/cdefs.h> 25 __RCSID("$NetBSD: gencode.c,v 1.13 2023/08/17 15:18:12 christos Exp $"); 26 27 #ifdef HAVE_CONFIG_H 28 #include <config.h> 29 #endif 30 31 #ifdef _WIN32 32 #include <ws2tcpip.h> 33 #else 34 #include <sys/socket.h> 35 36 #ifdef __NetBSD__ 37 #include <sys/param.h> 38 #endif 39 40 #include <netinet/in.h> 41 #include <arpa/inet.h> 42 #endif /* _WIN32 */ 43 44 #include <stdlib.h> 45 #include <string.h> 46 #include <memory.h> 47 #include <setjmp.h> 48 #include <stdarg.h> 49 #include <stdio.h> 50 51 #ifdef MSDOS 52 #include "pcap-dos.h" 53 #endif 54 55 #include "pcap-int.h" 56 57 #include "extract.h" 58 59 #include "ethertype.h" 60 #include "nlpid.h" 61 #include "llc.h" 62 #include "gencode.h" 63 #include "ieee80211.h" 64 #include "atmuni31.h" 65 #include "sunatmpos.h" 66 #include "pflog.h" 67 #include "ppp.h" 68 #include "pcap/sll.h" 69 #include "pcap/ipnet.h" 70 #include "arcnet.h" 71 #include "diag-control.h" 72 73 #include "scanner.h" 74 75 #if defined(linux) 76 #include <linux/types.h> 77 #include <linux/if_packet.h> 78 #include <linux/filter.h> 79 #endif 80 81 #ifndef offsetof 82 #define offsetof(s, e) ((size_t)&((s *)0)->e) 83 #endif 84 85 #ifdef _WIN32 86 #ifdef INET6 87 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 88 /* IPv6 address */ 89 struct in6_addr 90 { 91 union 92 { 93 uint8_t u6_addr8[16]; 94 uint16_t u6_addr16[8]; 95 uint32_t u6_addr32[4]; 96 } in6_u; 97 #define s6_addr in6_u.u6_addr8 98 #define s6_addr16 in6_u.u6_addr16 99 #define s6_addr32 in6_u.u6_addr32 100 #define s6_addr64 in6_u.u6_addr64 101 }; 102 103 typedef unsigned short sa_family_t; 104 105 #define __SOCKADDR_COMMON(sa_prefix) \ 106 sa_family_t sa_prefix##family 107 108 /* Ditto, for IPv6. */ 109 struct sockaddr_in6 110 { 111 __SOCKADDR_COMMON (sin6_); 112 uint16_t sin6_port; /* Transport layer port # */ 113 uint32_t sin6_flowinfo; /* IPv6 flow information */ 114 struct in6_addr sin6_addr; /* IPv6 address */ 115 }; 116 117 #ifndef EAI_ADDRFAMILY 118 struct addrinfo { 119 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 120 int ai_family; /* PF_xxx */ 121 int ai_socktype; /* SOCK_xxx */ 122 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 123 size_t ai_addrlen; /* length of ai_addr */ 124 char *ai_canonname; /* canonical name for hostname */ 125 struct sockaddr *ai_addr; /* binary address */ 126 struct addrinfo *ai_next; /* next structure in linked list */ 127 }; 128 #endif /* EAI_ADDRFAMILY */ 129 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 130 #endif /* INET6 */ 131 #else /* _WIN32 */ 132 #include <netdb.h> /* for "struct addrinfo" */ 133 #endif /* _WIN32 */ 134 #include <pcap/namedb.h> 135 136 #include "nametoaddr.h" 137 138 #define ETHERMTU 1500 139 140 #ifndef IPPROTO_HOPOPTS 141 #define IPPROTO_HOPOPTS 0 142 #endif 143 #ifndef IPPROTO_ROUTING 144 #define IPPROTO_ROUTING 43 145 #endif 146 #ifndef IPPROTO_FRAGMENT 147 #define IPPROTO_FRAGMENT 44 148 #endif 149 #ifndef IPPROTO_DSTOPTS 150 #define IPPROTO_DSTOPTS 60 151 #endif 152 #ifndef IPPROTO_SCTP 153 #define IPPROTO_SCTP 132 154 #endif 155 156 #define GENEVE_PORT 6081 157 158 #ifdef HAVE_OS_PROTO_H 159 #include "os-proto.h" 160 #endif 161 162 #define JMP(c) ((c)|BPF_JMP|BPF_K) 163 164 /* 165 * "Push" the current value of the link-layer header type and link-layer 166 * header offset onto a "stack", and set a new value. (It's not a 167 * full-blown stack; we keep only the top two items.) 168 */ 169 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 170 { \ 171 (cs)->prevlinktype = (cs)->linktype; \ 172 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 173 (cs)->linktype = (new_linktype); \ 174 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 175 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 176 (cs)->off_linkhdr.reg = (new_reg); \ 177 (cs)->is_geneve = 0; \ 178 } 179 180 /* 181 * Offset "not set" value. 182 */ 183 #define OFFSET_NOT_SET 0xffffffffU 184 185 /* 186 * Absolute offsets, which are offsets from the beginning of the raw 187 * packet data, are, in the general case, the sum of a variable value 188 * and a constant value; the variable value may be absent, in which 189 * case the offset is only the constant value, and the constant value 190 * may be zero, in which case the offset is only the variable value. 191 * 192 * bpf_abs_offset is a structure containing all that information: 193 * 194 * is_variable is 1 if there's a variable part. 195 * 196 * constant_part is the constant part of the value, possibly zero; 197 * 198 * if is_variable is 1, reg is the register number for a register 199 * containing the variable value if the register has been assigned, 200 * and -1 otherwise. 201 */ 202 typedef struct { 203 int is_variable; 204 u_int constant_part; 205 int reg; 206 } bpf_abs_offset; 207 208 /* 209 * Value passed to gen_load_a() to indicate what the offset argument 210 * is relative to the beginning of. 211 */ 212 enum e_offrel { 213 OR_PACKET, /* full packet data */ 214 OR_LINKHDR, /* link-layer header */ 215 OR_PREVLINKHDR, /* previous link-layer header */ 216 OR_LLC, /* 802.2 LLC header */ 217 OR_PREVMPLSHDR, /* previous MPLS header */ 218 OR_LINKTYPE, /* link-layer type */ 219 OR_LINKPL, /* link-layer payload */ 220 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 221 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 222 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 223 }; 224 225 /* 226 * We divy out chunks of memory rather than call malloc each time so 227 * we don't have to worry about leaking memory. It's probably 228 * not a big deal if all this memory was wasted but if this ever 229 * goes into a library that would probably not be a good idea. 230 * 231 * XXX - this *is* in a library.... 232 */ 233 #define NCHUNKS 16 234 #define CHUNK0SIZE 1024 235 struct chunk { 236 size_t n_left; 237 void *m; 238 }; 239 240 /* Code generator state */ 241 242 struct _compiler_state { 243 jmp_buf top_ctx; 244 pcap_t *bpf_pcap; 245 int error_set; 246 247 struct icode ic; 248 249 int snaplen; 250 251 int linktype; 252 int prevlinktype; 253 int outermostlinktype; 254 255 bpf_u_int32 netmask; 256 int no_optimize; 257 258 /* Hack for handling VLAN and MPLS stacks. */ 259 u_int label_stack_depth; 260 u_int vlan_stack_depth; 261 262 /* XXX */ 263 u_int pcap_fddipad; 264 265 /* 266 * As errors are handled by a longjmp, anything allocated must 267 * be freed in the longjmp handler, so it must be reachable 268 * from that handler. 269 * 270 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 271 * it must be freed with freeaddrinfo(). This variable points to 272 * any addrinfo structure that would need to be freed. 273 */ 274 struct addrinfo *ai; 275 276 /* 277 * Another thing that's allocated is the result of pcap_ether_aton(); 278 * it must be freed with free(). This variable points to any 279 * address that would need to be freed. 280 */ 281 u_char *e; 282 283 /* 284 * Various code constructs need to know the layout of the packet. 285 * These values give the necessary offsets from the beginning 286 * of the packet data. 287 */ 288 289 /* 290 * Absolute offset of the beginning of the link-layer header. 291 */ 292 bpf_abs_offset off_linkhdr; 293 294 /* 295 * If we're checking a link-layer header for a packet encapsulated 296 * in another protocol layer, this is the equivalent information 297 * for the previous layers' link-layer header from the beginning 298 * of the raw packet data. 299 */ 300 bpf_abs_offset off_prevlinkhdr; 301 302 /* 303 * This is the equivalent information for the outermost layers' 304 * link-layer header. 305 */ 306 bpf_abs_offset off_outermostlinkhdr; 307 308 /* 309 * Absolute offset of the beginning of the link-layer payload. 310 */ 311 bpf_abs_offset off_linkpl; 312 313 /* 314 * "off_linktype" is the offset to information in the link-layer 315 * header giving the packet type. This is an absolute offset 316 * from the beginning of the packet. 317 * 318 * For Ethernet, it's the offset of the Ethernet type field; this 319 * means that it must have a value that skips VLAN tags. 320 * 321 * For link-layer types that always use 802.2 headers, it's the 322 * offset of the LLC header; this means that it must have a value 323 * that skips VLAN tags. 324 * 325 * For PPP, it's the offset of the PPP type field. 326 * 327 * For Cisco HDLC, it's the offset of the CHDLC type field. 328 * 329 * For BSD loopback, it's the offset of the AF_ value. 330 * 331 * For Linux cooked sockets, it's the offset of the type field. 332 * 333 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 334 * encapsulation, in which case, IP is assumed. 335 */ 336 bpf_abs_offset off_linktype; 337 338 /* 339 * TRUE if the link layer includes an ATM pseudo-header. 340 */ 341 int is_atm; 342 343 /* 344 * TRUE if "geneve" appeared in the filter; it causes us to 345 * generate code that checks for a Geneve header and assume 346 * that later filters apply to the encapsulated payload. 347 */ 348 int is_geneve; 349 350 /* 351 * TRUE if we need variable length part of VLAN offset 352 */ 353 int is_vlan_vloffset; 354 355 /* 356 * These are offsets for the ATM pseudo-header. 357 */ 358 u_int off_vpi; 359 u_int off_vci; 360 u_int off_proto; 361 362 /* 363 * These are offsets for the MTP2 fields. 364 */ 365 u_int off_li; 366 u_int off_li_hsl; 367 368 /* 369 * These are offsets for the MTP3 fields. 370 */ 371 u_int off_sio; 372 u_int off_opc; 373 u_int off_dpc; 374 u_int off_sls; 375 376 /* 377 * This is the offset of the first byte after the ATM pseudo_header, 378 * or -1 if there is no ATM pseudo-header. 379 */ 380 u_int off_payload; 381 382 /* 383 * These are offsets to the beginning of the network-layer header. 384 * They are relative to the beginning of the link-layer payload 385 * (i.e., they don't include off_linkhdr.constant_part or 386 * off_linkpl.constant_part). 387 * 388 * If the link layer never uses 802.2 LLC: 389 * 390 * "off_nl" and "off_nl_nosnap" are the same. 391 * 392 * If the link layer always uses 802.2 LLC: 393 * 394 * "off_nl" is the offset if there's a SNAP header following 395 * the 802.2 header; 396 * 397 * "off_nl_nosnap" is the offset if there's no SNAP header. 398 * 399 * If the link layer is Ethernet: 400 * 401 * "off_nl" is the offset if the packet is an Ethernet II packet 402 * (we assume no 802.3+802.2+SNAP); 403 * 404 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 405 * with an 802.2 header following it. 406 */ 407 u_int off_nl; 408 u_int off_nl_nosnap; 409 410 /* 411 * Here we handle simple allocation of the scratch registers. 412 * If too many registers are alloc'd, the allocator punts. 413 */ 414 int regused[BPF_MEMWORDS]; 415 int curreg; 416 417 /* 418 * Memory chunks. 419 */ 420 struct chunk chunks[NCHUNKS]; 421 int cur_chunk; 422 }; 423 424 /* 425 * For use by routines outside this file. 426 */ 427 /* VARARGS */ 428 void 429 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...) 430 { 431 va_list ap; 432 433 /* 434 * If we've already set an error, don't override it. 435 * The lexical analyzer reports some errors by setting 436 * the error and then returning a LEX_ERROR token, which 437 * is not recognized by any grammar rule, and thus forces 438 * the parse to stop. We don't want the error reported 439 * by the lexical analyzer to be overwritten by the syntax 440 * error. 441 */ 442 if (!cstate->error_set) { 443 va_start(ap, fmt); 444 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 445 fmt, ap); 446 va_end(ap); 447 cstate->error_set = 1; 448 } 449 } 450 451 /* 452 * For use *ONLY* in routines in this file. 453 */ 454 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...) 455 PCAP_PRINTFLIKE(2, 3); 456 457 /* VARARGS */ 458 static void PCAP_NORETURN 459 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 460 { 461 va_list ap; 462 463 va_start(ap, fmt); 464 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 465 fmt, ap); 466 va_end(ap); 467 longjmp(cstate->top_ctx, 1); 468 /*NOTREACHED*/ 469 #ifdef _AIX 470 PCAP_UNREACHABLE 471 #endif /* _AIX */ 472 } 473 474 static int init_linktype(compiler_state_t *, pcap_t *); 475 476 static void init_regs(compiler_state_t *); 477 static int alloc_reg(compiler_state_t *); 478 static void free_reg(compiler_state_t *, int); 479 480 static void initchunks(compiler_state_t *cstate); 481 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t); 482 static void *newchunk(compiler_state_t *cstate, size_t); 483 static void freechunks(compiler_state_t *cstate); 484 static inline struct block *new_block(compiler_state_t *cstate, int); 485 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 486 static struct block *gen_retblk(compiler_state_t *cstate, int); 487 static inline void syntax(compiler_state_t *cstate); 488 489 static void backpatch(struct block *, struct block *); 490 static void merge(struct block *, struct block *); 491 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 492 u_int, bpf_u_int32); 493 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 494 u_int, bpf_u_int32); 495 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 496 u_int, bpf_u_int32); 497 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 498 u_int, bpf_u_int32); 499 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 500 u_int, bpf_u_int32); 501 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 502 u_int, bpf_u_int32, bpf_u_int32); 503 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 504 u_int, const u_char *); 505 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int, 506 u_int, bpf_u_int32, int, int, bpf_u_int32); 507 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 508 u_int, u_int); 509 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 510 u_int); 511 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 512 static struct block *gen_uncond(compiler_state_t *, int); 513 static inline struct block *gen_true(compiler_state_t *); 514 static inline struct block *gen_false(compiler_state_t *); 515 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32); 516 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32); 517 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32); 518 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *); 519 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 520 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 521 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 522 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 523 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 524 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 525 bpf_abs_offset *); 526 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32); 527 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32); 528 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 529 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32); 530 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 531 int, bpf_u_int32, u_int, u_int); 532 #ifdef INET6 533 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 534 struct in6_addr *, int, bpf_u_int32, u_int, u_int); 535 #endif 536 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 537 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 538 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 539 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 540 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 541 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 542 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 543 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32); 544 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 545 int, int, int); 546 #ifdef INET6 547 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 548 struct in6_addr *, int, int, int); 549 #endif 550 #ifndef INET6 551 static struct block *gen_gateway(compiler_state_t *, const u_char *, 552 struct addrinfo *, int, int); 553 #endif 554 static struct block *gen_ipfrag(compiler_state_t *); 555 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32); 556 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32, 557 bpf_u_int32); 558 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32); 559 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32, 560 bpf_u_int32); 561 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int); 562 static struct block *gen_port(compiler_state_t *, u_int, int, int); 563 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int, 564 bpf_u_int32, int); 565 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int); 566 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int); 567 static struct block *gen_port6(compiler_state_t *, u_int, int, int); 568 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int, 569 bpf_u_int32, int); 570 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int); 571 static int lookup_proto(compiler_state_t *, const char *, int); 572 #if !defined(NO_PROTOCHAIN) 573 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int); 574 #endif /* !defined(NO_PROTOCHAIN) */ 575 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int); 576 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 577 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 578 static struct block *gen_mac_multicast(compiler_state_t *, int); 579 static struct block *gen_len(compiler_state_t *, int, int); 580 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 581 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 582 583 static struct block *gen_ppi_dlt_check(compiler_state_t *); 584 static struct block *gen_atmfield_code_internal(compiler_state_t *, int, 585 bpf_u_int32, int, int); 586 static struct block *gen_atmtype_llc(compiler_state_t *); 587 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 588 589 static void 590 initchunks(compiler_state_t *cstate) 591 { 592 int i; 593 594 for (i = 0; i < NCHUNKS; i++) { 595 cstate->chunks[i].n_left = 0; 596 cstate->chunks[i].m = NULL; 597 } 598 cstate->cur_chunk = 0; 599 } 600 601 static void * 602 newchunk_nolongjmp(compiler_state_t *cstate, size_t n) 603 { 604 struct chunk *cp; 605 int k; 606 size_t size; 607 608 #ifndef __NetBSD__ 609 /* XXX Round up to nearest long. */ 610 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 611 #else 612 /* XXX Round up to structure boundary. */ 613 n = ALIGN(n); 614 #endif 615 616 cp = &cstate->chunks[cstate->cur_chunk]; 617 if (n > cp->n_left) { 618 ++cp; 619 k = ++cstate->cur_chunk; 620 if (k >= NCHUNKS) { 621 bpf_set_error(cstate, "out of memory"); 622 return (NULL); 623 } 624 size = CHUNK0SIZE << k; 625 cp->m = (void *)malloc(size); 626 if (cp->m == NULL) { 627 bpf_set_error(cstate, "out of memory"); 628 return (NULL); 629 } 630 memset((char *)cp->m, 0, size); 631 cp->n_left = size; 632 if (n > size) { 633 bpf_set_error(cstate, "out of memory"); 634 return (NULL); 635 } 636 } 637 cp->n_left -= n; 638 return (void *)((char *)cp->m + cp->n_left); 639 } 640 641 static void * 642 newchunk(compiler_state_t *cstate, size_t n) 643 { 644 void *p; 645 646 p = newchunk_nolongjmp(cstate, n); 647 if (p == NULL) { 648 longjmp(cstate->top_ctx, 1); 649 /*NOTREACHED*/ 650 } 651 return (p); 652 } 653 654 static void 655 freechunks(compiler_state_t *cstate) 656 { 657 int i; 658 659 for (i = 0; i < NCHUNKS; ++i) 660 if (cstate->chunks[i].m != NULL) 661 free(cstate->chunks[i].m); 662 } 663 664 /* 665 * A strdup whose allocations are freed after code generation is over. 666 * This is used by the lexical analyzer, so it can't longjmp; it just 667 * returns NULL on an allocation error, and the callers must check 668 * for it. 669 */ 670 char * 671 sdup(compiler_state_t *cstate, const char *s) 672 { 673 size_t n = strlen(s) + 1; 674 char *cp = newchunk_nolongjmp(cstate, n); 675 676 if (cp == NULL) 677 return (NULL); 678 pcap_strlcpy(cp, s, n); 679 return (cp); 680 } 681 682 static inline struct block * 683 new_block(compiler_state_t *cstate, int code) 684 { 685 struct block *p; 686 687 p = (struct block *)newchunk(cstate, sizeof(*p)); 688 p->s.code = code; 689 p->head = p; 690 691 return p; 692 } 693 694 static inline struct slist * 695 new_stmt(compiler_state_t *cstate, int code) 696 { 697 struct slist *p; 698 699 p = (struct slist *)newchunk(cstate, sizeof(*p)); 700 p->s.code = code; 701 702 return p; 703 } 704 705 static struct block * 706 gen_retblk(compiler_state_t *cstate, int v) 707 { 708 struct block *b = new_block(cstate, BPF_RET|BPF_K); 709 710 b->s.k = v; 711 return b; 712 } 713 714 static inline PCAP_NORETURN_DEF void 715 syntax(compiler_state_t *cstate) 716 { 717 bpf_error(cstate, "syntax error in filter expression"); 718 } 719 720 int 721 pcap_compile(pcap_t *p, struct bpf_program *program, 722 const char *buf, int optimize, bpf_u_int32 mask) 723 { 724 #ifdef _WIN32 725 static int done = 0; 726 #endif 727 compiler_state_t cstate; 728 const char * volatile xbuf = buf; 729 yyscan_t scanner = NULL; 730 volatile YY_BUFFER_STATE in_buffer = NULL; 731 u_int len; 732 int rc; 733 734 /* 735 * If this pcap_t hasn't been activated, it doesn't have a 736 * link-layer type, so we can't use it. 737 */ 738 if (!p->activated) { 739 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 740 "not-yet-activated pcap_t passed to pcap_compile"); 741 return (PCAP_ERROR); 742 } 743 744 #ifdef _WIN32 745 if (!done) 746 pcap_wsockinit(); 747 done = 1; 748 #endif 749 750 #ifdef ENABLE_REMOTE 751 /* 752 * If the device on which we're capturing need to be notified 753 * that a new filter is being compiled, do so. 754 * 755 * This allows them to save a copy of it, in case, for example, 756 * they're implementing a form of remote packet capture, and 757 * want the remote machine to filter out the packets in which 758 * it's sending the packets it's captured. 759 * 760 * XXX - the fact that we happen to be compiling a filter 761 * doesn't necessarily mean we'll be installing it as the 762 * filter for this pcap_t; we might be running it from userland 763 * on captured packets to do packet classification. We really 764 * need a better way of handling this, but this is all that 765 * the WinPcap remote capture code did. 766 */ 767 if (p->save_current_filter_op != NULL) 768 (p->save_current_filter_op)(p, buf); 769 #endif 770 771 initchunks(&cstate); 772 cstate.no_optimize = 0; 773 #ifdef INET6 774 cstate.ai = NULL; 775 #endif 776 cstate.e = NULL; 777 cstate.ic.root = NULL; 778 cstate.ic.cur_mark = 0; 779 cstate.bpf_pcap = p; 780 cstate.error_set = 0; 781 init_regs(&cstate); 782 783 cstate.netmask = mask; 784 785 cstate.snaplen = pcap_snapshot(p); 786 if (cstate.snaplen == 0) { 787 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 788 "snaplen of 0 rejects all packets"); 789 rc = PCAP_ERROR; 790 goto quit; 791 } 792 793 if (pcap_lex_init(&scanner) != 0) 794 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 795 errno, "can't initialize scanner"); 796 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 797 798 /* 799 * Associate the compiler state with the lexical analyzer 800 * state. 801 */ 802 pcap_set_extra(&cstate, scanner); 803 804 if (init_linktype(&cstate, p) == -1) { 805 rc = PCAP_ERROR; 806 goto quit; 807 } 808 if (pcap_parse(scanner, &cstate) != 0) { 809 #ifdef INET6 810 if (cstate.ai != NULL) 811 freeaddrinfo(cstate.ai); 812 #endif 813 if (cstate.e != NULL) 814 free(cstate.e); 815 rc = PCAP_ERROR; 816 goto quit; 817 } 818 819 if (cstate.ic.root == NULL) { 820 /* 821 * Catch errors reported by gen_retblk(). 822 */ 823 if (setjmp(cstate.top_ctx)) { 824 rc = PCAP_ERROR; 825 goto quit; 826 } 827 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 828 } 829 830 if (optimize && !cstate.no_optimize) { 831 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) { 832 /* Failure */ 833 rc = PCAP_ERROR; 834 goto quit; 835 } 836 if (cstate.ic.root == NULL || 837 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) { 838 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 839 "expression rejects all packets"); 840 rc = PCAP_ERROR; 841 goto quit; 842 } 843 } 844 program->bf_insns = icode_to_fcode(&cstate.ic, 845 cstate.ic.root, &len, p->errbuf); 846 if (program->bf_insns == NULL) { 847 /* Failure */ 848 rc = PCAP_ERROR; 849 goto quit; 850 } 851 program->bf_len = len; 852 853 rc = 0; /* We're all okay */ 854 855 quit: 856 /* 857 * Clean up everything for the lexical analyzer. 858 */ 859 if (in_buffer != NULL) 860 pcap__delete_buffer(in_buffer, scanner); 861 if (scanner != NULL) 862 pcap_lex_destroy(scanner); 863 864 /* 865 * Clean up our own allocated memory. 866 */ 867 freechunks(&cstate); 868 869 return (rc); 870 } 871 872 /* 873 * entry point for using the compiler with no pcap open 874 * pass in all the stuff that is needed explicitly instead. 875 */ 876 int 877 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 878 struct bpf_program *program, 879 const char *buf, int optimize, bpf_u_int32 mask) 880 { 881 pcap_t *p; 882 int ret; 883 884 p = pcap_open_dead(linktype_arg, snaplen_arg); 885 if (p == NULL) 886 return (PCAP_ERROR); 887 ret = pcap_compile(p, program, buf, optimize, mask); 888 pcap_close(p); 889 return (ret); 890 } 891 892 /* 893 * Clean up a "struct bpf_program" by freeing all the memory allocated 894 * in it. 895 */ 896 void 897 pcap_freecode(struct bpf_program *program) 898 { 899 program->bf_len = 0; 900 if (program->bf_insns != NULL) { 901 free((char *)program->bf_insns); 902 program->bf_insns = NULL; 903 } 904 } 905 906 /* 907 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 908 * which of the jt and jf fields has been resolved and which is a pointer 909 * back to another unresolved block (or nil). At least one of the fields 910 * in each block is already resolved. 911 */ 912 static void 913 backpatch(struct block *list, struct block *target) 914 { 915 struct block *next; 916 917 while (list) { 918 if (!list->sense) { 919 next = JT(list); 920 JT(list) = target; 921 } else { 922 next = JF(list); 923 JF(list) = target; 924 } 925 list = next; 926 } 927 } 928 929 /* 930 * Merge the lists in b0 and b1, using the 'sense' field to indicate 931 * which of jt and jf is the link. 932 */ 933 static void 934 merge(struct block *b0, struct block *b1) 935 { 936 register struct block **p = &b0; 937 938 /* Find end of list. */ 939 while (*p) 940 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 941 942 /* Concatenate the lists. */ 943 *p = b1; 944 } 945 946 int 947 finish_parse(compiler_state_t *cstate, struct block *p) 948 { 949 struct block *ppi_dlt_check; 950 951 /* 952 * Catch errors reported by us and routines below us, and return -1 953 * on an error. 954 */ 955 if (setjmp(cstate->top_ctx)) 956 return (-1); 957 958 /* 959 * Insert before the statements of the first (root) block any 960 * statements needed to load the lengths of any variable-length 961 * headers into registers. 962 * 963 * XXX - a fancier strategy would be to insert those before the 964 * statements of all blocks that use those lengths and that 965 * have no predecessors that use them, so that we only compute 966 * the lengths if we need them. There might be even better 967 * approaches than that. 968 * 969 * However, those strategies would be more complicated, and 970 * as we don't generate code to compute a length if the 971 * program has no tests that use the length, and as most 972 * tests will probably use those lengths, we would just 973 * postpone computing the lengths so that it's not done 974 * for tests that fail early, and it's not clear that's 975 * worth the effort. 976 */ 977 insert_compute_vloffsets(cstate, p->head); 978 979 /* 980 * For DLT_PPI captures, generate a check of the per-packet 981 * DLT value to make sure it's DLT_IEEE802_11. 982 * 983 * XXX - TurboCap cards use DLT_PPI for Ethernet. 984 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 985 * with appropriate Ethernet information and use that rather 986 * than using something such as DLT_PPI where you don't know 987 * the link-layer header type until runtime, which, in the 988 * general case, would force us to generate both Ethernet *and* 989 * 802.11 code (*and* anything else for which PPI is used) 990 * and choose between them early in the BPF program? 991 */ 992 ppi_dlt_check = gen_ppi_dlt_check(cstate); 993 if (ppi_dlt_check != NULL) 994 gen_and(ppi_dlt_check, p); 995 996 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 997 p->sense = !p->sense; 998 backpatch(p, gen_retblk(cstate, 0)); 999 cstate->ic.root = p->head; 1000 return (0); 1001 } 1002 1003 void 1004 gen_and(struct block *b0, struct block *b1) 1005 { 1006 backpatch(b0, b1->head); 1007 b0->sense = !b0->sense; 1008 b1->sense = !b1->sense; 1009 merge(b1, b0); 1010 b1->sense = !b1->sense; 1011 b1->head = b0->head; 1012 } 1013 1014 void 1015 gen_or(struct block *b0, struct block *b1) 1016 { 1017 b0->sense = !b0->sense; 1018 backpatch(b0, b1->head); 1019 b0->sense = !b0->sense; 1020 merge(b1, b0); 1021 b1->head = b0->head; 1022 } 1023 1024 void 1025 gen_not(struct block *b) 1026 { 1027 b->sense = !b->sense; 1028 } 1029 1030 static struct block * 1031 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1032 u_int size, bpf_u_int32 v) 1033 { 1034 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 1035 } 1036 1037 static struct block * 1038 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1039 u_int size, bpf_u_int32 v) 1040 { 1041 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 1042 } 1043 1044 static struct block * 1045 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1046 u_int size, bpf_u_int32 v) 1047 { 1048 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 1049 } 1050 1051 static struct block * 1052 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1053 u_int size, bpf_u_int32 v) 1054 { 1055 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 1056 } 1057 1058 static struct block * 1059 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1060 u_int size, bpf_u_int32 v) 1061 { 1062 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 1063 } 1064 1065 static struct block * 1066 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1067 u_int size, bpf_u_int32 v, bpf_u_int32 mask) 1068 { 1069 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 1070 } 1071 1072 static struct block * 1073 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1074 u_int size, const u_char *v) 1075 { 1076 register struct block *b, *tmp; 1077 1078 b = NULL; 1079 while (size >= 4) { 1080 register const u_char *p = &v[size - 4]; 1081 1082 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, 1083 EXTRACT_BE_U_4(p)); 1084 if (b != NULL) 1085 gen_and(b, tmp); 1086 b = tmp; 1087 size -= 4; 1088 } 1089 while (size >= 2) { 1090 register const u_char *p = &v[size - 2]; 1091 1092 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, 1093 EXTRACT_BE_U_2(p)); 1094 if (b != NULL) 1095 gen_and(b, tmp); 1096 b = tmp; 1097 size -= 2; 1098 } 1099 if (size > 0) { 1100 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]); 1101 if (b != NULL) 1102 gen_and(b, tmp); 1103 b = tmp; 1104 } 1105 return b; 1106 } 1107 1108 /* 1109 * AND the field of size "size" at offset "offset" relative to the header 1110 * specified by "offrel" with "mask", and compare it with the value "v" 1111 * with the test specified by "jtype"; if "reverse" is true, the test 1112 * should test the opposite of "jtype". 1113 */ 1114 static struct block * 1115 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1116 u_int size, bpf_u_int32 mask, int jtype, int reverse, 1117 bpf_u_int32 v) 1118 { 1119 struct slist *s, *s2; 1120 struct block *b; 1121 1122 s = gen_load_a(cstate, offrel, offset, size); 1123 1124 if (mask != 0xffffffff) { 1125 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1126 s2->s.k = mask; 1127 sappend(s, s2); 1128 } 1129 1130 b = new_block(cstate, JMP(jtype)); 1131 b->stmts = s; 1132 b->s.k = v; 1133 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1134 gen_not(b); 1135 return b; 1136 } 1137 1138 static int 1139 init_linktype(compiler_state_t *cstate, pcap_t *p) 1140 { 1141 cstate->pcap_fddipad = p->fddipad; 1142 1143 /* 1144 * We start out with only one link-layer header. 1145 */ 1146 cstate->outermostlinktype = pcap_datalink(p); 1147 cstate->off_outermostlinkhdr.constant_part = 0; 1148 cstate->off_outermostlinkhdr.is_variable = 0; 1149 cstate->off_outermostlinkhdr.reg = -1; 1150 1151 cstate->prevlinktype = cstate->outermostlinktype; 1152 cstate->off_prevlinkhdr.constant_part = 0; 1153 cstate->off_prevlinkhdr.is_variable = 0; 1154 cstate->off_prevlinkhdr.reg = -1; 1155 1156 cstate->linktype = cstate->outermostlinktype; 1157 cstate->off_linkhdr.constant_part = 0; 1158 cstate->off_linkhdr.is_variable = 0; 1159 cstate->off_linkhdr.reg = -1; 1160 1161 /* 1162 * XXX 1163 */ 1164 cstate->off_linkpl.constant_part = 0; 1165 cstate->off_linkpl.is_variable = 0; 1166 cstate->off_linkpl.reg = -1; 1167 1168 cstate->off_linktype.constant_part = 0; 1169 cstate->off_linktype.is_variable = 0; 1170 cstate->off_linktype.reg = -1; 1171 1172 /* 1173 * Assume it's not raw ATM with a pseudo-header, for now. 1174 */ 1175 cstate->is_atm = 0; 1176 cstate->off_vpi = OFFSET_NOT_SET; 1177 cstate->off_vci = OFFSET_NOT_SET; 1178 cstate->off_proto = OFFSET_NOT_SET; 1179 cstate->off_payload = OFFSET_NOT_SET; 1180 1181 /* 1182 * And not Geneve. 1183 */ 1184 cstate->is_geneve = 0; 1185 1186 /* 1187 * No variable length VLAN offset by default 1188 */ 1189 cstate->is_vlan_vloffset = 0; 1190 1191 /* 1192 * And assume we're not doing SS7. 1193 */ 1194 cstate->off_li = OFFSET_NOT_SET; 1195 cstate->off_li_hsl = OFFSET_NOT_SET; 1196 cstate->off_sio = OFFSET_NOT_SET; 1197 cstate->off_opc = OFFSET_NOT_SET; 1198 cstate->off_dpc = OFFSET_NOT_SET; 1199 cstate->off_sls = OFFSET_NOT_SET; 1200 1201 cstate->label_stack_depth = 0; 1202 cstate->vlan_stack_depth = 0; 1203 1204 switch (cstate->linktype) { 1205 1206 case DLT_ARCNET: 1207 cstate->off_linktype.constant_part = 2; 1208 cstate->off_linkpl.constant_part = 6; 1209 cstate->off_nl = 0; /* XXX in reality, variable! */ 1210 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1211 break; 1212 1213 case DLT_ARCNET_LINUX: 1214 cstate->off_linktype.constant_part = 4; 1215 cstate->off_linkpl.constant_part = 8; 1216 cstate->off_nl = 0; /* XXX in reality, variable! */ 1217 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1218 break; 1219 1220 case DLT_EN10MB: 1221 cstate->off_linktype.constant_part = 12; 1222 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1223 cstate->off_nl = 0; /* Ethernet II */ 1224 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1225 break; 1226 1227 case DLT_SLIP: 1228 /* 1229 * SLIP doesn't have a link level type. The 16 byte 1230 * header is hacked into our SLIP driver. 1231 */ 1232 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1233 cstate->off_linkpl.constant_part = 16; 1234 cstate->off_nl = 0; 1235 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1236 break; 1237 1238 case DLT_SLIP_BSDOS: 1239 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1240 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1241 /* XXX end */ 1242 cstate->off_linkpl.constant_part = 24; 1243 cstate->off_nl = 0; 1244 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1245 break; 1246 1247 case DLT_NULL: 1248 case DLT_LOOP: 1249 cstate->off_linktype.constant_part = 0; 1250 cstate->off_linkpl.constant_part = 4; 1251 cstate->off_nl = 0; 1252 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1253 break; 1254 1255 case DLT_ENC: 1256 cstate->off_linktype.constant_part = 0; 1257 cstate->off_linkpl.constant_part = 12; 1258 cstate->off_nl = 0; 1259 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1260 break; 1261 1262 case DLT_PPP: 1263 case DLT_PPP_PPPD: 1264 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1265 case DLT_HDLC: /* NetBSD (Cisco) HDLC */ 1266 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1267 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1268 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1269 cstate->off_nl = 0; 1270 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1271 break; 1272 1273 case DLT_PPP_ETHER: 1274 /* 1275 * This does no include the Ethernet header, and 1276 * only covers session state. 1277 */ 1278 cstate->off_linktype.constant_part = 6; 1279 cstate->off_linkpl.constant_part = 8; 1280 cstate->off_nl = 0; 1281 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1282 break; 1283 1284 case DLT_PPP_BSDOS: 1285 cstate->off_linktype.constant_part = 5; 1286 cstate->off_linkpl.constant_part = 24; 1287 cstate->off_nl = 0; 1288 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1289 break; 1290 1291 case DLT_FDDI: 1292 /* 1293 * FDDI doesn't really have a link-level type field. 1294 * We set "off_linktype" to the offset of the LLC header. 1295 * 1296 * To check for Ethernet types, we assume that SSAP = SNAP 1297 * is being used and pick out the encapsulated Ethernet type. 1298 * XXX - should we generate code to check for SNAP? 1299 */ 1300 cstate->off_linktype.constant_part = 13; 1301 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1302 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1303 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1304 cstate->off_nl = 8; /* 802.2+SNAP */ 1305 cstate->off_nl_nosnap = 3; /* 802.2 */ 1306 break; 1307 1308 case DLT_IEEE802: 1309 /* 1310 * Token Ring doesn't really have a link-level type field. 1311 * We set "off_linktype" to the offset of the LLC header. 1312 * 1313 * To check for Ethernet types, we assume that SSAP = SNAP 1314 * is being used and pick out the encapsulated Ethernet type. 1315 * XXX - should we generate code to check for SNAP? 1316 * 1317 * XXX - the header is actually variable-length. 1318 * Some various Linux patched versions gave 38 1319 * as "off_linktype" and 40 as "off_nl"; however, 1320 * if a token ring packet has *no* routing 1321 * information, i.e. is not source-routed, the correct 1322 * values are 20 and 22, as they are in the vanilla code. 1323 * 1324 * A packet is source-routed iff the uppermost bit 1325 * of the first byte of the source address, at an 1326 * offset of 8, has the uppermost bit set. If the 1327 * packet is source-routed, the total number of bytes 1328 * of routing information is 2 plus bits 0x1F00 of 1329 * the 16-bit value at an offset of 14 (shifted right 1330 * 8 - figure out which byte that is). 1331 */ 1332 cstate->off_linktype.constant_part = 14; 1333 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1334 cstate->off_nl = 8; /* 802.2+SNAP */ 1335 cstate->off_nl_nosnap = 3; /* 802.2 */ 1336 break; 1337 1338 case DLT_PRISM_HEADER: 1339 case DLT_IEEE802_11_RADIO_AVS: 1340 case DLT_IEEE802_11_RADIO: 1341 cstate->off_linkhdr.is_variable = 1; 1342 /* Fall through, 802.11 doesn't have a variable link 1343 * prefix but is otherwise the same. */ 1344 /* FALLTHROUGH */ 1345 1346 case DLT_IEEE802_11: 1347 /* 1348 * 802.11 doesn't really have a link-level type field. 1349 * We set "off_linktype.constant_part" to the offset of 1350 * the LLC header. 1351 * 1352 * To check for Ethernet types, we assume that SSAP = SNAP 1353 * is being used and pick out the encapsulated Ethernet type. 1354 * XXX - should we generate code to check for SNAP? 1355 * 1356 * We also handle variable-length radio headers here. 1357 * The Prism header is in theory variable-length, but in 1358 * practice it's always 144 bytes long. However, some 1359 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1360 * sometimes or always supply an AVS header, so we 1361 * have to check whether the radio header is a Prism 1362 * header or an AVS header, so, in practice, it's 1363 * variable-length. 1364 */ 1365 cstate->off_linktype.constant_part = 24; 1366 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1367 cstate->off_linkpl.is_variable = 1; 1368 cstate->off_nl = 8; /* 802.2+SNAP */ 1369 cstate->off_nl_nosnap = 3; /* 802.2 */ 1370 break; 1371 1372 case DLT_PPI: 1373 /* 1374 * At the moment we treat PPI the same way that we treat 1375 * normal Radiotap encoded packets. The difference is in 1376 * the function that generates the code at the beginning 1377 * to compute the header length. Since this code generator 1378 * of PPI supports bare 802.11 encapsulation only (i.e. 1379 * the encapsulated DLT should be DLT_IEEE802_11) we 1380 * generate code to check for this too. 1381 */ 1382 cstate->off_linktype.constant_part = 24; 1383 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1384 cstate->off_linkpl.is_variable = 1; 1385 cstate->off_linkhdr.is_variable = 1; 1386 cstate->off_nl = 8; /* 802.2+SNAP */ 1387 cstate->off_nl_nosnap = 3; /* 802.2 */ 1388 break; 1389 1390 case DLT_ATM_RFC1483: 1391 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1392 /* 1393 * assume routed, non-ISO PDUs 1394 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1395 * 1396 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1397 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1398 * latter would presumably be treated the way PPPoE 1399 * should be, so you can do "pppoe and udp port 2049" 1400 * or "pppoa and tcp port 80" and have it check for 1401 * PPPo{A,E} and a PPP protocol of IP and.... 1402 */ 1403 cstate->off_linktype.constant_part = 0; 1404 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1405 cstate->off_nl = 8; /* 802.2+SNAP */ 1406 cstate->off_nl_nosnap = 3; /* 802.2 */ 1407 break; 1408 1409 case DLT_SUNATM: 1410 /* 1411 * Full Frontal ATM; you get AALn PDUs with an ATM 1412 * pseudo-header. 1413 */ 1414 cstate->is_atm = 1; 1415 cstate->off_vpi = SUNATM_VPI_POS; 1416 cstate->off_vci = SUNATM_VCI_POS; 1417 cstate->off_proto = PROTO_POS; 1418 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1419 cstate->off_linktype.constant_part = cstate->off_payload; 1420 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1421 cstate->off_nl = 8; /* 802.2+SNAP */ 1422 cstate->off_nl_nosnap = 3; /* 802.2 */ 1423 break; 1424 1425 case DLT_RAW: 1426 case DLT_IPV4: 1427 case DLT_IPV6: 1428 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1429 cstate->off_linkpl.constant_part = 0; 1430 cstate->off_nl = 0; 1431 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1432 break; 1433 1434 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */ 1435 cstate->off_linktype.constant_part = 14; 1436 cstate->off_linkpl.constant_part = 16; 1437 cstate->off_nl = 0; 1438 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1439 break; 1440 1441 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */ 1442 cstate->off_linktype.constant_part = 0; 1443 cstate->off_linkpl.constant_part = 20; 1444 cstate->off_nl = 0; 1445 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1446 break; 1447 1448 case DLT_LTALK: 1449 /* 1450 * LocalTalk does have a 1-byte type field in the LLAP header, 1451 * but really it just indicates whether there is a "short" or 1452 * "long" DDP packet following. 1453 */ 1454 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1455 cstate->off_linkpl.constant_part = 0; 1456 cstate->off_nl = 0; 1457 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1458 break; 1459 1460 case DLT_IP_OVER_FC: 1461 /* 1462 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1463 * link-level type field. We set "off_linktype" to the 1464 * offset of the LLC header. 1465 * 1466 * To check for Ethernet types, we assume that SSAP = SNAP 1467 * is being used and pick out the encapsulated Ethernet type. 1468 * XXX - should we generate code to check for SNAP? RFC 1469 * 2625 says SNAP should be used. 1470 */ 1471 cstate->off_linktype.constant_part = 16; 1472 cstate->off_linkpl.constant_part = 16; 1473 cstate->off_nl = 8; /* 802.2+SNAP */ 1474 cstate->off_nl_nosnap = 3; /* 802.2 */ 1475 break; 1476 1477 case DLT_FRELAY: 1478 /* 1479 * XXX - we should set this to handle SNAP-encapsulated 1480 * frames (NLPID of 0x80). 1481 */ 1482 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1483 cstate->off_linkpl.constant_part = 0; 1484 cstate->off_nl = 0; 1485 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1486 break; 1487 1488 /* 1489 * the only BPF-interesting FRF.16 frames are non-control frames; 1490 * Frame Relay has a variable length link-layer 1491 * so lets start with offset 4 for now and increments later on (FIXME); 1492 */ 1493 case DLT_MFR: 1494 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1495 cstate->off_linkpl.constant_part = 0; 1496 cstate->off_nl = 4; 1497 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1498 break; 1499 1500 case DLT_APPLE_IP_OVER_IEEE1394: 1501 cstate->off_linktype.constant_part = 16; 1502 cstate->off_linkpl.constant_part = 18; 1503 cstate->off_nl = 0; 1504 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1505 break; 1506 1507 case DLT_SYMANTEC_FIREWALL: 1508 cstate->off_linktype.constant_part = 6; 1509 cstate->off_linkpl.constant_part = 44; 1510 cstate->off_nl = 0; /* Ethernet II */ 1511 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1512 break; 1513 1514 case DLT_PFLOG: 1515 cstate->off_linktype.constant_part = 0; 1516 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1517 cstate->off_linkpl.is_variable = 1; 1518 cstate->off_nl = 0; 1519 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1520 break; 1521 1522 case DLT_JUNIPER_MFR: 1523 case DLT_JUNIPER_MLFR: 1524 case DLT_JUNIPER_MLPPP: 1525 case DLT_JUNIPER_PPP: 1526 case DLT_JUNIPER_CHDLC: 1527 case DLT_JUNIPER_FRELAY: 1528 cstate->off_linktype.constant_part = 4; 1529 cstate->off_linkpl.constant_part = 4; 1530 cstate->off_nl = 0; 1531 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1532 break; 1533 1534 case DLT_JUNIPER_ATM1: 1535 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1536 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1537 cstate->off_nl = 0; 1538 cstate->off_nl_nosnap = 10; 1539 break; 1540 1541 case DLT_JUNIPER_ATM2: 1542 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1543 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1544 cstate->off_nl = 0; 1545 cstate->off_nl_nosnap = 10; 1546 break; 1547 1548 /* frames captured on a Juniper PPPoE service PIC 1549 * contain raw ethernet frames */ 1550 case DLT_JUNIPER_PPPOE: 1551 case DLT_JUNIPER_ETHER: 1552 cstate->off_linkpl.constant_part = 14; 1553 cstate->off_linktype.constant_part = 16; 1554 cstate->off_nl = 18; /* Ethernet II */ 1555 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1556 break; 1557 1558 case DLT_JUNIPER_PPPOE_ATM: 1559 cstate->off_linktype.constant_part = 4; 1560 cstate->off_linkpl.constant_part = 6; 1561 cstate->off_nl = 0; 1562 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1563 break; 1564 1565 case DLT_JUNIPER_GGSN: 1566 cstate->off_linktype.constant_part = 6; 1567 cstate->off_linkpl.constant_part = 12; 1568 cstate->off_nl = 0; 1569 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1570 break; 1571 1572 case DLT_JUNIPER_ES: 1573 cstate->off_linktype.constant_part = 6; 1574 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1575 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1576 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1577 break; 1578 1579 case DLT_JUNIPER_MONITOR: 1580 cstate->off_linktype.constant_part = 12; 1581 cstate->off_linkpl.constant_part = 12; 1582 cstate->off_nl = 0; /* raw IP/IP6 header */ 1583 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1584 break; 1585 1586 case DLT_BACNET_MS_TP: 1587 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1588 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1589 cstate->off_nl = OFFSET_NOT_SET; 1590 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1591 break; 1592 1593 case DLT_JUNIPER_SERVICES: 1594 cstate->off_linktype.constant_part = 12; 1595 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1596 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1597 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1598 break; 1599 1600 case DLT_JUNIPER_VP: 1601 cstate->off_linktype.constant_part = 18; 1602 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1603 cstate->off_nl = OFFSET_NOT_SET; 1604 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1605 break; 1606 1607 case DLT_JUNIPER_ST: 1608 cstate->off_linktype.constant_part = 18; 1609 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1610 cstate->off_nl = OFFSET_NOT_SET; 1611 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1612 break; 1613 1614 case DLT_JUNIPER_ISM: 1615 cstate->off_linktype.constant_part = 8; 1616 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1617 cstate->off_nl = OFFSET_NOT_SET; 1618 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1619 break; 1620 1621 case DLT_JUNIPER_VS: 1622 case DLT_JUNIPER_SRX_E2E: 1623 case DLT_JUNIPER_FIBRECHANNEL: 1624 case DLT_JUNIPER_ATM_CEMIC: 1625 cstate->off_linktype.constant_part = 8; 1626 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1627 cstate->off_nl = OFFSET_NOT_SET; 1628 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1629 break; 1630 1631 case DLT_MTP2: 1632 cstate->off_li = 2; 1633 cstate->off_li_hsl = 4; 1634 cstate->off_sio = 3; 1635 cstate->off_opc = 4; 1636 cstate->off_dpc = 4; 1637 cstate->off_sls = 7; 1638 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1639 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1640 cstate->off_nl = OFFSET_NOT_SET; 1641 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1642 break; 1643 1644 case DLT_MTP2_WITH_PHDR: 1645 cstate->off_li = 6; 1646 cstate->off_li_hsl = 8; 1647 cstate->off_sio = 7; 1648 cstate->off_opc = 8; 1649 cstate->off_dpc = 8; 1650 cstate->off_sls = 11; 1651 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1652 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1653 cstate->off_nl = OFFSET_NOT_SET; 1654 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1655 break; 1656 1657 case DLT_ERF: 1658 cstate->off_li = 22; 1659 cstate->off_li_hsl = 24; 1660 cstate->off_sio = 23; 1661 cstate->off_opc = 24; 1662 cstate->off_dpc = 24; 1663 cstate->off_sls = 27; 1664 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1665 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1666 cstate->off_nl = OFFSET_NOT_SET; 1667 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1668 break; 1669 1670 case DLT_PFSYNC: 1671 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1672 cstate->off_linkpl.constant_part = 4; 1673 cstate->off_nl = 0; 1674 cstate->off_nl_nosnap = 0; 1675 break; 1676 1677 case DLT_AX25_KISS: 1678 /* 1679 * Currently, only raw "link[N:M]" filtering is supported. 1680 */ 1681 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1682 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1683 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1684 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1685 break; 1686 1687 case DLT_IPNET: 1688 cstate->off_linktype.constant_part = 1; 1689 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1690 cstate->off_nl = 0; 1691 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1692 break; 1693 1694 case DLT_NETANALYZER: 1695 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1696 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1697 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1698 cstate->off_nl = 0; /* Ethernet II */ 1699 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1700 break; 1701 1702 case DLT_NETANALYZER_TRANSPARENT: 1703 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1704 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1705 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1706 cstate->off_nl = 0; /* Ethernet II */ 1707 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1708 break; 1709 1710 default: 1711 /* 1712 * For values in the range in which we've assigned new 1713 * DLT_ values, only raw "link[N:M]" filtering is supported. 1714 */ 1715 if (cstate->linktype >= DLT_MATCHING_MIN && 1716 cstate->linktype <= DLT_MATCHING_MAX) { 1717 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1718 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1719 cstate->off_nl = OFFSET_NOT_SET; 1720 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1721 } else { 1722 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)", 1723 cstate->linktype, DLT_MATCHING_MIN, DLT_MATCHING_MAX); 1724 return (-1); 1725 } 1726 break; 1727 } 1728 1729 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1730 return (0); 1731 } 1732 1733 /* 1734 * Load a value relative to the specified absolute offset. 1735 */ 1736 static struct slist * 1737 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1738 u_int offset, u_int size) 1739 { 1740 struct slist *s, *s2; 1741 1742 s = gen_abs_offset_varpart(cstate, abs_offset); 1743 1744 /* 1745 * If "s" is non-null, it has code to arrange that the X register 1746 * contains the variable part of the absolute offset, so we 1747 * generate a load relative to that, with an offset of 1748 * abs_offset->constant_part + offset. 1749 * 1750 * Otherwise, we can do an absolute load with an offset of 1751 * abs_offset->constant_part + offset. 1752 */ 1753 if (s != NULL) { 1754 /* 1755 * "s" points to a list of statements that puts the 1756 * variable part of the absolute offset into the X register. 1757 * Do an indirect load, to use the X register as an offset. 1758 */ 1759 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1760 s2->s.k = abs_offset->constant_part + offset; 1761 sappend(s, s2); 1762 } else { 1763 /* 1764 * There is no variable part of the absolute offset, so 1765 * just do an absolute load. 1766 */ 1767 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1768 s->s.k = abs_offset->constant_part + offset; 1769 } 1770 return s; 1771 } 1772 1773 /* 1774 * Load a value relative to the beginning of the specified header. 1775 */ 1776 static struct slist * 1777 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1778 u_int size) 1779 { 1780 struct slist *s, *s2; 1781 1782 /* 1783 * Squelch warnings from compilers that *don't* assume that 1784 * offrel always has a valid enum value and therefore don't 1785 * assume that we'll always go through one of the case arms. 1786 * 1787 * If we have a default case, compilers that *do* assume that 1788 * will then complain about the default case code being 1789 * unreachable. 1790 * 1791 * Damned if you do, damned if you don't. 1792 */ 1793 s = NULL; 1794 1795 switch (offrel) { 1796 1797 case OR_PACKET: 1798 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1799 s->s.k = offset; 1800 break; 1801 1802 case OR_LINKHDR: 1803 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1804 break; 1805 1806 case OR_PREVLINKHDR: 1807 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1808 break; 1809 1810 case OR_LLC: 1811 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1812 break; 1813 1814 case OR_PREVMPLSHDR: 1815 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1816 break; 1817 1818 case OR_LINKPL: 1819 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1820 break; 1821 1822 case OR_LINKPL_NOSNAP: 1823 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1824 break; 1825 1826 case OR_LINKTYPE: 1827 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1828 break; 1829 1830 case OR_TRAN_IPV4: 1831 /* 1832 * Load the X register with the length of the IPv4 header 1833 * (plus the offset of the link-layer header, if it's 1834 * preceded by a variable-length header such as a radio 1835 * header), in bytes. 1836 */ 1837 s = gen_loadx_iphdrlen(cstate); 1838 1839 /* 1840 * Load the item at {offset of the link-layer payload} + 1841 * {offset, relative to the start of the link-layer 1842 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1843 * {specified offset}. 1844 * 1845 * If the offset of the link-layer payload is variable, 1846 * the variable part of that offset is included in the 1847 * value in the X register, and we include the constant 1848 * part in the offset of the load. 1849 */ 1850 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1851 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1852 sappend(s, s2); 1853 break; 1854 1855 case OR_TRAN_IPV6: 1856 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1857 break; 1858 } 1859 return s; 1860 } 1861 1862 /* 1863 * Generate code to load into the X register the sum of the length of 1864 * the IPv4 header and the variable part of the offset of the link-layer 1865 * payload. 1866 */ 1867 static struct slist * 1868 gen_loadx_iphdrlen(compiler_state_t *cstate) 1869 { 1870 struct slist *s, *s2; 1871 1872 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1873 if (s != NULL) { 1874 /* 1875 * The offset of the link-layer payload has a variable 1876 * part. "s" points to a list of statements that put 1877 * the variable part of that offset into the X register. 1878 * 1879 * The 4*([k]&0xf) addressing mode can't be used, as we 1880 * don't have a constant offset, so we have to load the 1881 * value in question into the A register and add to it 1882 * the value from the X register. 1883 */ 1884 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1885 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1886 sappend(s, s2); 1887 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1888 s2->s.k = 0xf; 1889 sappend(s, s2); 1890 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1891 s2->s.k = 2; 1892 sappend(s, s2); 1893 1894 /* 1895 * The A register now contains the length of the IP header. 1896 * We need to add to it the variable part of the offset of 1897 * the link-layer payload, which is still in the X 1898 * register, and move the result into the X register. 1899 */ 1900 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1901 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1902 } else { 1903 /* 1904 * The offset of the link-layer payload is a constant, 1905 * so no code was generated to load the (non-existent) 1906 * variable part of that offset. 1907 * 1908 * This means we can use the 4*([k]&0xf) addressing 1909 * mode. Load the length of the IPv4 header, which 1910 * is at an offset of cstate->off_nl from the beginning of 1911 * the link-layer payload, and thus at an offset of 1912 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1913 * of the raw packet data, using that addressing mode. 1914 */ 1915 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1916 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1917 } 1918 return s; 1919 } 1920 1921 1922 static struct block * 1923 gen_uncond(compiler_state_t *cstate, int rsense) 1924 { 1925 struct block *b; 1926 struct slist *s; 1927 1928 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1929 s->s.k = !rsense; 1930 b = new_block(cstate, JMP(BPF_JEQ)); 1931 b->stmts = s; 1932 1933 return b; 1934 } 1935 1936 static inline struct block * 1937 gen_true(compiler_state_t *cstate) 1938 { 1939 return gen_uncond(cstate, 1); 1940 } 1941 1942 static inline struct block * 1943 gen_false(compiler_state_t *cstate) 1944 { 1945 return gen_uncond(cstate, 0); 1946 } 1947 1948 /* 1949 * Byte-swap a 32-bit number. 1950 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1951 * big-endian platforms.) 1952 */ 1953 #define SWAPLONG(y) \ 1954 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1955 1956 /* 1957 * Generate code to match a particular packet type. 1958 * 1959 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1960 * value, if <= ETHERMTU. We use that to determine whether to 1961 * match the type/length field or to check the type/length field for 1962 * a value <= ETHERMTU to see whether it's a type field and then do 1963 * the appropriate test. 1964 */ 1965 static struct block * 1966 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 1967 { 1968 struct block *b0, *b1; 1969 1970 switch (ll_proto) { 1971 1972 case LLCSAP_ISONS: 1973 case LLCSAP_IP: 1974 case LLCSAP_NETBEUI: 1975 /* 1976 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1977 * so we check the DSAP and SSAP. 1978 * 1979 * LLCSAP_IP checks for IP-over-802.2, rather 1980 * than IP-over-Ethernet or IP-over-SNAP. 1981 * 1982 * XXX - should we check both the DSAP and the 1983 * SSAP, like this, or should we check just the 1984 * DSAP, as we do for other types <= ETHERMTU 1985 * (i.e., other SAP values)? 1986 */ 1987 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1988 gen_not(b0); 1989 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto); 1990 gen_and(b0, b1); 1991 return b1; 1992 1993 case LLCSAP_IPX: 1994 /* 1995 * Check for; 1996 * 1997 * Ethernet_II frames, which are Ethernet 1998 * frames with a frame type of ETHERTYPE_IPX; 1999 * 2000 * Ethernet_802.3 frames, which are 802.3 2001 * frames (i.e., the type/length field is 2002 * a length field, <= ETHERMTU, rather than 2003 * a type field) with the first two bytes 2004 * after the Ethernet/802.3 header being 2005 * 0xFFFF; 2006 * 2007 * Ethernet_802.2 frames, which are 802.3 2008 * frames with an 802.2 LLC header and 2009 * with the IPX LSAP as the DSAP in the LLC 2010 * header; 2011 * 2012 * Ethernet_SNAP frames, which are 802.3 2013 * frames with an LLC header and a SNAP 2014 * header and with an OUI of 0x000000 2015 * (encapsulated Ethernet) and a protocol 2016 * ID of ETHERTYPE_IPX in the SNAP header. 2017 * 2018 * XXX - should we generate the same code both 2019 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 2020 */ 2021 2022 /* 2023 * This generates code to check both for the 2024 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 2025 */ 2026 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 2027 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF); 2028 gen_or(b0, b1); 2029 2030 /* 2031 * Now we add code to check for SNAP frames with 2032 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 2033 */ 2034 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2035 gen_or(b0, b1); 2036 2037 /* 2038 * Now we generate code to check for 802.3 2039 * frames in general. 2040 */ 2041 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2042 gen_not(b0); 2043 2044 /* 2045 * Now add the check for 802.3 frames before the 2046 * check for Ethernet_802.2 and Ethernet_802.3, 2047 * as those checks should only be done on 802.3 2048 * frames, not on Ethernet frames. 2049 */ 2050 gen_and(b0, b1); 2051 2052 /* 2053 * Now add the check for Ethernet_II frames, and 2054 * do that before checking for the other frame 2055 * types. 2056 */ 2057 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX); 2058 gen_or(b0, b1); 2059 return b1; 2060 2061 case ETHERTYPE_ATALK: 2062 case ETHERTYPE_AARP: 2063 /* 2064 * EtherTalk (AppleTalk protocols on Ethernet link 2065 * layer) may use 802.2 encapsulation. 2066 */ 2067 2068 /* 2069 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2070 * we check for an Ethernet type field less than 2071 * 1500, which means it's an 802.3 length field. 2072 */ 2073 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2074 gen_not(b0); 2075 2076 /* 2077 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2078 * SNAP packets with an organization code of 2079 * 0x080007 (Apple, for Appletalk) and a protocol 2080 * type of ETHERTYPE_ATALK (Appletalk). 2081 * 2082 * 802.2-encapsulated ETHERTYPE_AARP packets are 2083 * SNAP packets with an organization code of 2084 * 0x000000 (encapsulated Ethernet) and a protocol 2085 * type of ETHERTYPE_AARP (Appletalk ARP). 2086 */ 2087 if (ll_proto == ETHERTYPE_ATALK) 2088 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2089 else /* ll_proto == ETHERTYPE_AARP */ 2090 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2091 gen_and(b0, b1); 2092 2093 /* 2094 * Check for Ethernet encapsulation (Ethertalk 2095 * phase 1?); we just check for the Ethernet 2096 * protocol type. 2097 */ 2098 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2099 2100 gen_or(b0, b1); 2101 return b1; 2102 2103 default: 2104 if (ll_proto <= ETHERMTU) { 2105 /* 2106 * This is an LLC SAP value, so the frames 2107 * that match would be 802.2 frames. 2108 * Check that the frame is an 802.2 frame 2109 * (i.e., that the length/type field is 2110 * a length field, <= ETHERMTU) and 2111 * then check the DSAP. 2112 */ 2113 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2114 gen_not(b0); 2115 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto); 2116 gen_and(b0, b1); 2117 return b1; 2118 } else { 2119 /* 2120 * This is an Ethernet type, so compare 2121 * the length/type field with it (if 2122 * the frame is an 802.2 frame, the length 2123 * field will be <= ETHERMTU, and, as 2124 * "ll_proto" is > ETHERMTU, this test 2125 * will fail and the frame won't match, 2126 * which is what we want). 2127 */ 2128 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2129 } 2130 } 2131 } 2132 2133 static struct block * 2134 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2135 { 2136 /* 2137 * For DLT_NULL, the link-layer header is a 32-bit word 2138 * containing an AF_ value in *host* byte order, and for 2139 * DLT_ENC, the link-layer header begins with a 32-bit 2140 * word containing an AF_ value in host byte order. 2141 * 2142 * In addition, if we're reading a saved capture file, 2143 * the host byte order in the capture may not be the 2144 * same as the host byte order on this machine. 2145 * 2146 * For DLT_LOOP, the link-layer header is a 32-bit 2147 * word containing an AF_ value in *network* byte order. 2148 */ 2149 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2150 /* 2151 * The AF_ value is in host byte order, but the BPF 2152 * interpreter will convert it to network byte order. 2153 * 2154 * If this is a save file, and it's from a machine 2155 * with the opposite byte order to ours, we byte-swap 2156 * the AF_ value. 2157 * 2158 * Then we run it through "htonl()", and generate 2159 * code to compare against the result. 2160 */ 2161 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2162 ll_proto = SWAPLONG(ll_proto); 2163 ll_proto = htonl(ll_proto); 2164 } 2165 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto)); 2166 } 2167 2168 /* 2169 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2170 * or IPv6 then we have an error. 2171 */ 2172 static struct block * 2173 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2174 { 2175 switch (ll_proto) { 2176 2177 case ETHERTYPE_IP: 2178 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET); 2179 /*NOTREACHED*/ 2180 2181 case ETHERTYPE_IPV6: 2182 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6); 2183 /*NOTREACHED*/ 2184 2185 default: 2186 break; 2187 } 2188 2189 return gen_false(cstate); 2190 } 2191 2192 /* 2193 * Generate code to match a particular packet type. 2194 * 2195 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2196 * value, if <= ETHERMTU. We use that to determine whether to 2197 * match the type field or to check the type field for the special 2198 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2199 */ 2200 static struct block * 2201 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2202 { 2203 struct block *b0, *b1; 2204 2205 switch (ll_proto) { 2206 2207 case LLCSAP_ISONS: 2208 case LLCSAP_IP: 2209 case LLCSAP_NETBEUI: 2210 /* 2211 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2212 * so we check the DSAP and SSAP. 2213 * 2214 * LLCSAP_IP checks for IP-over-802.2, rather 2215 * than IP-over-Ethernet or IP-over-SNAP. 2216 * 2217 * XXX - should we check both the DSAP and the 2218 * SSAP, like this, or should we check just the 2219 * DSAP, as we do for other types <= ETHERMTU 2220 * (i.e., other SAP values)? 2221 */ 2222 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2223 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto); 2224 gen_and(b0, b1); 2225 return b1; 2226 2227 case LLCSAP_IPX: 2228 /* 2229 * Ethernet_II frames, which are Ethernet 2230 * frames with a frame type of ETHERTYPE_IPX; 2231 * 2232 * Ethernet_802.3 frames, which have a frame 2233 * type of LINUX_SLL_P_802_3; 2234 * 2235 * Ethernet_802.2 frames, which are 802.3 2236 * frames with an 802.2 LLC header (i.e, have 2237 * a frame type of LINUX_SLL_P_802_2) and 2238 * with the IPX LSAP as the DSAP in the LLC 2239 * header; 2240 * 2241 * Ethernet_SNAP frames, which are 802.3 2242 * frames with an LLC header and a SNAP 2243 * header and with an OUI of 0x000000 2244 * (encapsulated Ethernet) and a protocol 2245 * ID of ETHERTYPE_IPX in the SNAP header. 2246 * 2247 * First, do the checks on LINUX_SLL_P_802_2 2248 * frames; generate the check for either 2249 * Ethernet_802.2 or Ethernet_SNAP frames, and 2250 * then put a check for LINUX_SLL_P_802_2 frames 2251 * before it. 2252 */ 2253 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 2254 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2255 gen_or(b0, b1); 2256 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2257 gen_and(b0, b1); 2258 2259 /* 2260 * Now check for 802.3 frames and OR that with 2261 * the previous test. 2262 */ 2263 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2264 gen_or(b0, b1); 2265 2266 /* 2267 * Now add the check for Ethernet_II frames, and 2268 * do that before checking for the other frame 2269 * types. 2270 */ 2271 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX); 2272 gen_or(b0, b1); 2273 return b1; 2274 2275 case ETHERTYPE_ATALK: 2276 case ETHERTYPE_AARP: 2277 /* 2278 * EtherTalk (AppleTalk protocols on Ethernet link 2279 * layer) may use 802.2 encapsulation. 2280 */ 2281 2282 /* 2283 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2284 * we check for the 802.2 protocol type in the 2285 * "Ethernet type" field. 2286 */ 2287 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2288 2289 /* 2290 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2291 * SNAP packets with an organization code of 2292 * 0x080007 (Apple, for Appletalk) and a protocol 2293 * type of ETHERTYPE_ATALK (Appletalk). 2294 * 2295 * 802.2-encapsulated ETHERTYPE_AARP packets are 2296 * SNAP packets with an organization code of 2297 * 0x000000 (encapsulated Ethernet) and a protocol 2298 * type of ETHERTYPE_AARP (Appletalk ARP). 2299 */ 2300 if (ll_proto == ETHERTYPE_ATALK) 2301 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2302 else /* ll_proto == ETHERTYPE_AARP */ 2303 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2304 gen_and(b0, b1); 2305 2306 /* 2307 * Check for Ethernet encapsulation (Ethertalk 2308 * phase 1?); we just check for the Ethernet 2309 * protocol type. 2310 */ 2311 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2312 2313 gen_or(b0, b1); 2314 return b1; 2315 2316 default: 2317 if (ll_proto <= ETHERMTU) { 2318 /* 2319 * This is an LLC SAP value, so the frames 2320 * that match would be 802.2 frames. 2321 * Check for the 802.2 protocol type 2322 * in the "Ethernet type" field, and 2323 * then check the DSAP. 2324 */ 2325 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2326 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2327 ll_proto); 2328 gen_and(b0, b1); 2329 return b1; 2330 } else { 2331 /* 2332 * This is an Ethernet type, so compare 2333 * the length/type field with it (if 2334 * the frame is an 802.2 frame, the length 2335 * field will be <= ETHERMTU, and, as 2336 * "ll_proto" is > ETHERMTU, this test 2337 * will fail and the frame won't match, 2338 * which is what we want). 2339 */ 2340 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2341 } 2342 } 2343 } 2344 2345 /* 2346 * Load a value relative to the beginning of the link-layer header after the 2347 * pflog header. 2348 */ 2349 static struct slist * 2350 gen_load_pflog_llprefixlen(compiler_state_t *cstate) 2351 { 2352 struct slist *s1, *s2; 2353 2354 /* 2355 * Generate code to load the length of the pflog header into 2356 * the register assigned to hold that length, if one has been 2357 * assigned. (If one hasn't been assigned, no code we've 2358 * generated uses that prefix, so we don't need to generate any 2359 * code to load it.) 2360 */ 2361 if (cstate->off_linkpl.reg != -1) { 2362 /* 2363 * The length is in the first byte of the header. 2364 */ 2365 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2366 s1->s.k = 0; 2367 2368 /* 2369 * Round it up to a multiple of 4. 2370 * Add 3, and clear the lower 2 bits. 2371 */ 2372 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2373 s2->s.k = 3; 2374 sappend(s1, s2); 2375 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2376 s2->s.k = 0xfffffffc; 2377 sappend(s1, s2); 2378 2379 /* 2380 * Now allocate a register to hold that value and store 2381 * it. 2382 */ 2383 s2 = new_stmt(cstate, BPF_ST); 2384 s2->s.k = cstate->off_linkpl.reg; 2385 sappend(s1, s2); 2386 2387 /* 2388 * Now move it into the X register. 2389 */ 2390 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2391 sappend(s1, s2); 2392 2393 return (s1); 2394 } else 2395 return (NULL); 2396 } 2397 2398 static struct slist * 2399 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2400 { 2401 struct slist *s1, *s2; 2402 struct slist *sjeq_avs_cookie; 2403 struct slist *sjcommon; 2404 2405 /* 2406 * This code is not compatible with the optimizer, as 2407 * we are generating jmp instructions within a normal 2408 * slist of instructions 2409 */ 2410 cstate->no_optimize = 1; 2411 2412 /* 2413 * Generate code to load the length of the radio header into 2414 * the register assigned to hold that length, if one has been 2415 * assigned. (If one hasn't been assigned, no code we've 2416 * generated uses that prefix, so we don't need to generate any 2417 * code to load it.) 2418 * 2419 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2420 * or always use the AVS header rather than the Prism header. 2421 * We load a 4-byte big-endian value at the beginning of the 2422 * raw packet data, and see whether, when masked with 0xFFFFF000, 2423 * it's equal to 0x80211000. If so, that indicates that it's 2424 * an AVS header (the masked-out bits are the version number). 2425 * Otherwise, it's a Prism header. 2426 * 2427 * XXX - the Prism header is also, in theory, variable-length, 2428 * but no known software generates headers that aren't 144 2429 * bytes long. 2430 */ 2431 if (cstate->off_linkhdr.reg != -1) { 2432 /* 2433 * Load the cookie. 2434 */ 2435 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2436 s1->s.k = 0; 2437 2438 /* 2439 * AND it with 0xFFFFF000. 2440 */ 2441 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2442 s2->s.k = 0xFFFFF000; 2443 sappend(s1, s2); 2444 2445 /* 2446 * Compare with 0x80211000. 2447 */ 2448 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2449 sjeq_avs_cookie->s.k = 0x80211000; 2450 sappend(s1, sjeq_avs_cookie); 2451 2452 /* 2453 * If it's AVS: 2454 * 2455 * The 4 bytes at an offset of 4 from the beginning of 2456 * the AVS header are the length of the AVS header. 2457 * That field is big-endian. 2458 */ 2459 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2460 s2->s.k = 4; 2461 sappend(s1, s2); 2462 sjeq_avs_cookie->s.jt = s2; 2463 2464 /* 2465 * Now jump to the code to allocate a register 2466 * into which to save the header length and 2467 * store the length there. (The "jump always" 2468 * instruction needs to have the k field set; 2469 * it's added to the PC, so, as we're jumping 2470 * over a single instruction, it should be 1.) 2471 */ 2472 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2473 sjcommon->s.k = 1; 2474 sappend(s1, sjcommon); 2475 2476 /* 2477 * Now for the code that handles the Prism header. 2478 * Just load the length of the Prism header (144) 2479 * into the A register. Have the test for an AVS 2480 * header branch here if we don't have an AVS header. 2481 */ 2482 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2483 s2->s.k = 144; 2484 sappend(s1, s2); 2485 sjeq_avs_cookie->s.jf = s2; 2486 2487 /* 2488 * Now allocate a register to hold that value and store 2489 * it. The code for the AVS header will jump here after 2490 * loading the length of the AVS header. 2491 */ 2492 s2 = new_stmt(cstate, BPF_ST); 2493 s2->s.k = cstate->off_linkhdr.reg; 2494 sappend(s1, s2); 2495 sjcommon->s.jf = s2; 2496 2497 /* 2498 * Now move it into the X register. 2499 */ 2500 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2501 sappend(s1, s2); 2502 2503 return (s1); 2504 } else 2505 return (NULL); 2506 } 2507 2508 static struct slist * 2509 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2510 { 2511 struct slist *s1, *s2; 2512 2513 /* 2514 * Generate code to load the length of the AVS header into 2515 * the register assigned to hold that length, if one has been 2516 * assigned. (If one hasn't been assigned, no code we've 2517 * generated uses that prefix, so we don't need to generate any 2518 * code to load it.) 2519 */ 2520 if (cstate->off_linkhdr.reg != -1) { 2521 /* 2522 * The 4 bytes at an offset of 4 from the beginning of 2523 * the AVS header are the length of the AVS header. 2524 * That field is big-endian. 2525 */ 2526 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2527 s1->s.k = 4; 2528 2529 /* 2530 * Now allocate a register to hold that value and store 2531 * it. 2532 */ 2533 s2 = new_stmt(cstate, BPF_ST); 2534 s2->s.k = cstate->off_linkhdr.reg; 2535 sappend(s1, s2); 2536 2537 /* 2538 * Now move it into the X register. 2539 */ 2540 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2541 sappend(s1, s2); 2542 2543 return (s1); 2544 } else 2545 return (NULL); 2546 } 2547 2548 static struct slist * 2549 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2550 { 2551 struct slist *s1, *s2; 2552 2553 /* 2554 * Generate code to load the length of the radiotap header into 2555 * the register assigned to hold that length, if one has been 2556 * assigned. (If one hasn't been assigned, no code we've 2557 * generated uses that prefix, so we don't need to generate any 2558 * code to load it.) 2559 */ 2560 if (cstate->off_linkhdr.reg != -1) { 2561 /* 2562 * The 2 bytes at offsets of 2 and 3 from the beginning 2563 * of the radiotap header are the length of the radiotap 2564 * header; unfortunately, it's little-endian, so we have 2565 * to load it a byte at a time and construct the value. 2566 */ 2567 2568 /* 2569 * Load the high-order byte, at an offset of 3, shift it 2570 * left a byte, and put the result in the X register. 2571 */ 2572 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2573 s1->s.k = 3; 2574 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2575 sappend(s1, s2); 2576 s2->s.k = 8; 2577 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2578 sappend(s1, s2); 2579 2580 /* 2581 * Load the next byte, at an offset of 2, and OR the 2582 * value from the X register into it. 2583 */ 2584 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2585 sappend(s1, s2); 2586 s2->s.k = 2; 2587 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2588 sappend(s1, s2); 2589 2590 /* 2591 * Now allocate a register to hold that value and store 2592 * it. 2593 */ 2594 s2 = new_stmt(cstate, BPF_ST); 2595 s2->s.k = cstate->off_linkhdr.reg; 2596 sappend(s1, s2); 2597 2598 /* 2599 * Now move it into the X register. 2600 */ 2601 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2602 sappend(s1, s2); 2603 2604 return (s1); 2605 } else 2606 return (NULL); 2607 } 2608 2609 /* 2610 * At the moment we treat PPI as normal Radiotap encoded 2611 * packets. The difference is in the function that generates 2612 * the code at the beginning to compute the header length. 2613 * Since this code generator of PPI supports bare 802.11 2614 * encapsulation only (i.e. the encapsulated DLT should be 2615 * DLT_IEEE802_11) we generate code to check for this too; 2616 * that's done in finish_parse(). 2617 */ 2618 static struct slist * 2619 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2620 { 2621 struct slist *s1, *s2; 2622 2623 /* 2624 * Generate code to load the length of the radiotap header 2625 * into the register assigned to hold that length, if one has 2626 * been assigned. 2627 */ 2628 if (cstate->off_linkhdr.reg != -1) { 2629 /* 2630 * The 2 bytes at offsets of 2 and 3 from the beginning 2631 * of the radiotap header are the length of the radiotap 2632 * header; unfortunately, it's little-endian, so we have 2633 * to load it a byte at a time and construct the value. 2634 */ 2635 2636 /* 2637 * Load the high-order byte, at an offset of 3, shift it 2638 * left a byte, and put the result in the X register. 2639 */ 2640 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2641 s1->s.k = 3; 2642 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2643 sappend(s1, s2); 2644 s2->s.k = 8; 2645 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2646 sappend(s1, s2); 2647 2648 /* 2649 * Load the next byte, at an offset of 2, and OR the 2650 * value from the X register into it. 2651 */ 2652 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2653 sappend(s1, s2); 2654 s2->s.k = 2; 2655 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2656 sappend(s1, s2); 2657 2658 /* 2659 * Now allocate a register to hold that value and store 2660 * it. 2661 */ 2662 s2 = new_stmt(cstate, BPF_ST); 2663 s2->s.k = cstate->off_linkhdr.reg; 2664 sappend(s1, s2); 2665 2666 /* 2667 * Now move it into the X register. 2668 */ 2669 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2670 sappend(s1, s2); 2671 2672 return (s1); 2673 } else 2674 return (NULL); 2675 } 2676 2677 /* 2678 * Load a value relative to the beginning of the link-layer header after the 802.11 2679 * header, i.e. LLC_SNAP. 2680 * The link-layer header doesn't necessarily begin at the beginning 2681 * of the packet data; there might be a variable-length prefix containing 2682 * radio information. 2683 */ 2684 static struct slist * 2685 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2686 { 2687 struct slist *s2; 2688 struct slist *sjset_data_frame_1; 2689 struct slist *sjset_data_frame_2; 2690 struct slist *sjset_qos; 2691 struct slist *sjset_radiotap_flags_present; 2692 struct slist *sjset_radiotap_ext_present; 2693 struct slist *sjset_radiotap_tsft_present; 2694 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2695 struct slist *s_roundup; 2696 2697 if (cstate->off_linkpl.reg == -1) { 2698 /* 2699 * No register has been assigned to the offset of 2700 * the link-layer payload, which means nobody needs 2701 * it; don't bother computing it - just return 2702 * what we already have. 2703 */ 2704 return (s); 2705 } 2706 2707 /* 2708 * This code is not compatible with the optimizer, as 2709 * we are generating jmp instructions within a normal 2710 * slist of instructions 2711 */ 2712 cstate->no_optimize = 1; 2713 2714 /* 2715 * If "s" is non-null, it has code to arrange that the X register 2716 * contains the length of the prefix preceding the link-layer 2717 * header. 2718 * 2719 * Otherwise, the length of the prefix preceding the link-layer 2720 * header is "off_outermostlinkhdr.constant_part". 2721 */ 2722 if (s == NULL) { 2723 /* 2724 * There is no variable-length header preceding the 2725 * link-layer header. 2726 * 2727 * Load the length of the fixed-length prefix preceding 2728 * the link-layer header (if any) into the X register, 2729 * and store it in the cstate->off_linkpl.reg register. 2730 * That length is off_outermostlinkhdr.constant_part. 2731 */ 2732 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2733 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2734 } 2735 2736 /* 2737 * The X register contains the offset of the beginning of the 2738 * link-layer header; add 24, which is the minimum length 2739 * of the MAC header for a data frame, to that, and store it 2740 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2741 * which is at the offset in the X register, with an indexed load. 2742 */ 2743 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2744 sappend(s, s2); 2745 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2746 s2->s.k = 24; 2747 sappend(s, s2); 2748 s2 = new_stmt(cstate, BPF_ST); 2749 s2->s.k = cstate->off_linkpl.reg; 2750 sappend(s, s2); 2751 2752 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2753 s2->s.k = 0; 2754 sappend(s, s2); 2755 2756 /* 2757 * Check the Frame Control field to see if this is a data frame; 2758 * a data frame has the 0x08 bit (b3) in that field set and the 2759 * 0x04 bit (b2) clear. 2760 */ 2761 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2762 sjset_data_frame_1->s.k = 0x08; 2763 sappend(s, sjset_data_frame_1); 2764 2765 /* 2766 * If b3 is set, test b2, otherwise go to the first statement of 2767 * the rest of the program. 2768 */ 2769 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2770 sjset_data_frame_2->s.k = 0x04; 2771 sappend(s, sjset_data_frame_2); 2772 sjset_data_frame_1->s.jf = snext; 2773 2774 /* 2775 * If b2 is not set, this is a data frame; test the QoS bit. 2776 * Otherwise, go to the first statement of the rest of the 2777 * program. 2778 */ 2779 sjset_data_frame_2->s.jt = snext; 2780 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2781 sjset_qos->s.k = 0x80; /* QoS bit */ 2782 sappend(s, sjset_qos); 2783 2784 /* 2785 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2786 * field. 2787 * Otherwise, go to the first statement of the rest of the 2788 * program. 2789 */ 2790 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2791 s2->s.k = cstate->off_linkpl.reg; 2792 sappend(s, s2); 2793 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2794 s2->s.k = 2; 2795 sappend(s, s2); 2796 s2 = new_stmt(cstate, BPF_ST); 2797 s2->s.k = cstate->off_linkpl.reg; 2798 sappend(s, s2); 2799 2800 /* 2801 * If we have a radiotap header, look at it to see whether 2802 * there's Atheros padding between the MAC-layer header 2803 * and the payload. 2804 * 2805 * Note: all of the fields in the radiotap header are 2806 * little-endian, so we byte-swap all of the values 2807 * we test against, as they will be loaded as big-endian 2808 * values. 2809 * 2810 * XXX - in the general case, we would have to scan through 2811 * *all* the presence bits, if there's more than one word of 2812 * presence bits. That would require a loop, meaning that 2813 * we wouldn't be able to run the filter in the kernel. 2814 * 2815 * We assume here that the Atheros adapters that insert the 2816 * annoying padding don't have multiple antennae and therefore 2817 * do not generate radiotap headers with multiple presence words. 2818 */ 2819 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2820 /* 2821 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2822 * in the first presence flag word? 2823 */ 2824 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2825 s2->s.k = 4; 2826 sappend(s, s2); 2827 2828 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2829 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2830 sappend(s, sjset_radiotap_flags_present); 2831 2832 /* 2833 * If not, skip all of this. 2834 */ 2835 sjset_radiotap_flags_present->s.jf = snext; 2836 2837 /* 2838 * Otherwise, is the "extension" bit set in that word? 2839 */ 2840 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2841 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2842 sappend(s, sjset_radiotap_ext_present); 2843 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2844 2845 /* 2846 * If so, skip all of this. 2847 */ 2848 sjset_radiotap_ext_present->s.jt = snext; 2849 2850 /* 2851 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2852 */ 2853 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2854 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2855 sappend(s, sjset_radiotap_tsft_present); 2856 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2857 2858 /* 2859 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2860 * at an offset of 16 from the beginning of the raw packet 2861 * data (8 bytes for the radiotap header and 8 bytes for 2862 * the TSFT field). 2863 * 2864 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2865 * is set. 2866 */ 2867 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2868 s2->s.k = 16; 2869 sappend(s, s2); 2870 sjset_radiotap_tsft_present->s.jt = s2; 2871 2872 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2873 sjset_tsft_datapad->s.k = 0x20; 2874 sappend(s, sjset_tsft_datapad); 2875 2876 /* 2877 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2878 * at an offset of 8 from the beginning of the raw packet 2879 * data (8 bytes for the radiotap header). 2880 * 2881 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2882 * is set. 2883 */ 2884 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2885 s2->s.k = 8; 2886 sappend(s, s2); 2887 sjset_radiotap_tsft_present->s.jf = s2; 2888 2889 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2890 sjset_notsft_datapad->s.k = 0x20; 2891 sappend(s, sjset_notsft_datapad); 2892 2893 /* 2894 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2895 * set, round the length of the 802.11 header to 2896 * a multiple of 4. Do that by adding 3 and then 2897 * dividing by and multiplying by 4, which we do by 2898 * ANDing with ~3. 2899 */ 2900 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2901 s_roundup->s.k = cstate->off_linkpl.reg; 2902 sappend(s, s_roundup); 2903 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2904 s2->s.k = 3; 2905 sappend(s, s2); 2906 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2907 s2->s.k = (bpf_u_int32)~3; 2908 sappend(s, s2); 2909 s2 = new_stmt(cstate, BPF_ST); 2910 s2->s.k = cstate->off_linkpl.reg; 2911 sappend(s, s2); 2912 2913 sjset_tsft_datapad->s.jt = s_roundup; 2914 sjset_tsft_datapad->s.jf = snext; 2915 sjset_notsft_datapad->s.jt = s_roundup; 2916 sjset_notsft_datapad->s.jf = snext; 2917 } else 2918 sjset_qos->s.jf = snext; 2919 2920 return s; 2921 } 2922 2923 static void 2924 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2925 { 2926 struct slist *s; 2927 2928 /* There is an implicit dependency between the link 2929 * payload and link header since the payload computation 2930 * includes the variable part of the header. Therefore, 2931 * if nobody else has allocated a register for the link 2932 * header and we need it, do it now. */ 2933 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2934 cstate->off_linkhdr.reg == -1) 2935 cstate->off_linkhdr.reg = alloc_reg(cstate); 2936 2937 /* 2938 * For link-layer types that have a variable-length header 2939 * preceding the link-layer header, generate code to load 2940 * the offset of the link-layer header into the register 2941 * assigned to that offset, if any. 2942 * 2943 * XXX - this, and the next switch statement, won't handle 2944 * encapsulation of 802.11 or 802.11+radio information in 2945 * some other protocol stack. That's significantly more 2946 * complicated. 2947 */ 2948 switch (cstate->outermostlinktype) { 2949 2950 case DLT_PRISM_HEADER: 2951 s = gen_load_prism_llprefixlen(cstate); 2952 break; 2953 2954 case DLT_IEEE802_11_RADIO_AVS: 2955 s = gen_load_avs_llprefixlen(cstate); 2956 break; 2957 2958 case DLT_IEEE802_11_RADIO: 2959 s = gen_load_radiotap_llprefixlen(cstate); 2960 break; 2961 2962 case DLT_PPI: 2963 s = gen_load_ppi_llprefixlen(cstate); 2964 break; 2965 2966 default: 2967 s = NULL; 2968 break; 2969 } 2970 2971 /* 2972 * For link-layer types that have a variable-length link-layer 2973 * header, generate code to load the offset of the link-layer 2974 * payload into the register assigned to that offset, if any. 2975 */ 2976 switch (cstate->outermostlinktype) { 2977 2978 case DLT_IEEE802_11: 2979 case DLT_PRISM_HEADER: 2980 case DLT_IEEE802_11_RADIO_AVS: 2981 case DLT_IEEE802_11_RADIO: 2982 case DLT_PPI: 2983 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2984 break; 2985 2986 case DLT_PFLOG: 2987 s = gen_load_pflog_llprefixlen(cstate); 2988 break; 2989 } 2990 2991 /* 2992 * If there is no initialization yet and we need variable 2993 * length offsets for VLAN, initialize them to zero 2994 */ 2995 if (s == NULL && cstate->is_vlan_vloffset) { 2996 struct slist *s2; 2997 2998 if (cstate->off_linkpl.reg == -1) 2999 cstate->off_linkpl.reg = alloc_reg(cstate); 3000 if (cstate->off_linktype.reg == -1) 3001 cstate->off_linktype.reg = alloc_reg(cstate); 3002 3003 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 3004 s->s.k = 0; 3005 s2 = new_stmt(cstate, BPF_ST); 3006 s2->s.k = cstate->off_linkpl.reg; 3007 sappend(s, s2); 3008 s2 = new_stmt(cstate, BPF_ST); 3009 s2->s.k = cstate->off_linktype.reg; 3010 sappend(s, s2); 3011 } 3012 3013 /* 3014 * If we have any offset-loading code, append all the 3015 * existing statements in the block to those statements, 3016 * and make the resulting list the list of statements 3017 * for the block. 3018 */ 3019 if (s != NULL) { 3020 sappend(s, b->stmts); 3021 b->stmts = s; 3022 } 3023 } 3024 3025 static struct block * 3026 gen_ppi_dlt_check(compiler_state_t *cstate) 3027 { 3028 struct slist *s_load_dlt; 3029 struct block *b; 3030 3031 if (cstate->linktype == DLT_PPI) 3032 { 3033 /* Create the statements that check for the DLT 3034 */ 3035 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 3036 s_load_dlt->s.k = 4; 3037 3038 b = new_block(cstate, JMP(BPF_JEQ)); 3039 3040 b->stmts = s_load_dlt; 3041 b->s.k = SWAPLONG(DLT_IEEE802_11); 3042 } 3043 else 3044 { 3045 b = NULL; 3046 } 3047 3048 return b; 3049 } 3050 3051 /* 3052 * Take an absolute offset, and: 3053 * 3054 * if it has no variable part, return NULL; 3055 * 3056 * if it has a variable part, generate code to load the register 3057 * containing that variable part into the X register, returning 3058 * a pointer to that code - if no register for that offset has 3059 * been allocated, allocate it first. 3060 * 3061 * (The code to set that register will be generated later, but will 3062 * be placed earlier in the code sequence.) 3063 */ 3064 static struct slist * 3065 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 3066 { 3067 struct slist *s; 3068 3069 if (off->is_variable) { 3070 if (off->reg == -1) { 3071 /* 3072 * We haven't yet assigned a register for the 3073 * variable part of the offset of the link-layer 3074 * header; allocate one. 3075 */ 3076 off->reg = alloc_reg(cstate); 3077 } 3078 3079 /* 3080 * Load the register containing the variable part of the 3081 * offset of the link-layer header into the X register. 3082 */ 3083 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 3084 s->s.k = off->reg; 3085 return s; 3086 } else { 3087 /* 3088 * That offset isn't variable, there's no variable part, 3089 * so we don't need to generate any code. 3090 */ 3091 return NULL; 3092 } 3093 } 3094 3095 /* 3096 * Map an Ethernet type to the equivalent PPP type. 3097 */ 3098 static bpf_u_int32 3099 ethertype_to_ppptype(bpf_u_int32 ll_proto) 3100 { 3101 switch (ll_proto) { 3102 3103 case ETHERTYPE_IP: 3104 ll_proto = PPP_IP; 3105 break; 3106 3107 case ETHERTYPE_IPV6: 3108 ll_proto = PPP_IPV6; 3109 break; 3110 3111 case ETHERTYPE_DN: 3112 ll_proto = PPP_DECNET; 3113 break; 3114 3115 case ETHERTYPE_ATALK: 3116 ll_proto = PPP_APPLE; 3117 break; 3118 3119 case ETHERTYPE_NS: 3120 ll_proto = PPP_NS; 3121 break; 3122 3123 case LLCSAP_ISONS: 3124 ll_proto = PPP_OSI; 3125 break; 3126 3127 case LLCSAP_8021D: 3128 /* 3129 * I'm assuming the "Bridging PDU"s that go 3130 * over PPP are Spanning Tree Protocol 3131 * Bridging PDUs. 3132 */ 3133 ll_proto = PPP_BRPDU; 3134 break; 3135 3136 case LLCSAP_IPX: 3137 ll_proto = PPP_IPX; 3138 break; 3139 } 3140 return (ll_proto); 3141 } 3142 3143 /* 3144 * Generate any tests that, for encapsulation of a link-layer packet 3145 * inside another protocol stack, need to be done to check for those 3146 * link-layer packets (and that haven't already been done by a check 3147 * for that encapsulation). 3148 */ 3149 static struct block * 3150 gen_prevlinkhdr_check(compiler_state_t *cstate) 3151 { 3152 struct block *b0; 3153 3154 if (cstate->is_geneve) 3155 return gen_geneve_ll_check(cstate); 3156 3157 switch (cstate->prevlinktype) { 3158 3159 case DLT_SUNATM: 3160 /* 3161 * This is LANE-encapsulated Ethernet; check that the LANE 3162 * packet doesn't begin with an LE Control marker, i.e. 3163 * that it's data, not a control message. 3164 * 3165 * (We've already generated a test for LANE.) 3166 */ 3167 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3168 gen_not(b0); 3169 return b0; 3170 3171 default: 3172 /* 3173 * No such tests are necessary. 3174 */ 3175 return NULL; 3176 } 3177 /*NOTREACHED*/ 3178 } 3179 3180 /* 3181 * The three different values we should check for when checking for an 3182 * IPv6 packet with DLT_NULL. 3183 */ 3184 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3185 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3186 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3187 3188 /* 3189 * Generate code to match a particular packet type by matching the 3190 * link-layer type field or fields in the 802.2 LLC header. 3191 * 3192 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3193 * value, if <= ETHERMTU. 3194 */ 3195 static struct block * 3196 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 3197 { 3198 struct block *b0, *b1, *b2; 3199 const char *description; 3200 3201 /* are we checking MPLS-encapsulated packets? */ 3202 if (cstate->label_stack_depth > 0) 3203 return gen_mpls_linktype(cstate, ll_proto); 3204 3205 switch (cstate->linktype) { 3206 3207 case DLT_EN10MB: 3208 case DLT_NETANALYZER: 3209 case DLT_NETANALYZER_TRANSPARENT: 3210 /* Geneve has an EtherType regardless of whether there is an 3211 * L2 header. */ 3212 if (!cstate->is_geneve) 3213 b0 = gen_prevlinkhdr_check(cstate); 3214 else 3215 b0 = NULL; 3216 3217 b1 = gen_ether_linktype(cstate, ll_proto); 3218 if (b0 != NULL) 3219 gen_and(b0, b1); 3220 return b1; 3221 /*NOTREACHED*/ 3222 3223 case DLT_C_HDLC: 3224 case DLT_HDLC: 3225 switch (ll_proto) { 3226 3227 case LLCSAP_ISONS: 3228 ll_proto = (ll_proto << 8 | LLCSAP_ISONS); 3229 /* fall through */ 3230 3231 default: 3232 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 3233 /*NOTREACHED*/ 3234 } 3235 3236 case DLT_IEEE802_11: 3237 case DLT_PRISM_HEADER: 3238 case DLT_IEEE802_11_RADIO_AVS: 3239 case DLT_IEEE802_11_RADIO: 3240 case DLT_PPI: 3241 /* 3242 * Check that we have a data frame. 3243 */ 3244 b0 = gen_check_802_11_data_frame(cstate); 3245 3246 /* 3247 * Now check for the specified link-layer type. 3248 */ 3249 b1 = gen_llc_linktype(cstate, ll_proto); 3250 gen_and(b0, b1); 3251 return b1; 3252 /*NOTREACHED*/ 3253 3254 case DLT_FDDI: 3255 /* 3256 * XXX - check for LLC frames. 3257 */ 3258 return gen_llc_linktype(cstate, ll_proto); 3259 /*NOTREACHED*/ 3260 3261 case DLT_IEEE802: 3262 /* 3263 * XXX - check for LLC PDUs, as per IEEE 802.5. 3264 */ 3265 return gen_llc_linktype(cstate, ll_proto); 3266 /*NOTREACHED*/ 3267 3268 case DLT_ATM_RFC1483: 3269 case DLT_ATM_CLIP: 3270 case DLT_IP_OVER_FC: 3271 return gen_llc_linktype(cstate, ll_proto); 3272 /*NOTREACHED*/ 3273 3274 case DLT_SUNATM: 3275 /* 3276 * Check for an LLC-encapsulated version of this protocol; 3277 * if we were checking for LANE, linktype would no longer 3278 * be DLT_SUNATM. 3279 * 3280 * Check for LLC encapsulation and then check the protocol. 3281 */ 3282 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3283 b1 = gen_llc_linktype(cstate, ll_proto); 3284 gen_and(b0, b1); 3285 return b1; 3286 /*NOTREACHED*/ 3287 3288 case DLT_LINUX_SLL: 3289 return gen_linux_sll_linktype(cstate, ll_proto); 3290 /*NOTREACHED*/ 3291 3292 case DLT_SLIP: 3293 case DLT_SLIP_BSDOS: 3294 case DLT_RAW: 3295 /* 3296 * These types don't provide any type field; packets 3297 * are always IPv4 or IPv6. 3298 * 3299 * XXX - for IPv4, check for a version number of 4, and, 3300 * for IPv6, check for a version number of 6? 3301 */ 3302 switch (ll_proto) { 3303 3304 case ETHERTYPE_IP: 3305 /* Check for a version number of 4. */ 3306 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3307 3308 case ETHERTYPE_IPV6: 3309 /* Check for a version number of 6. */ 3310 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3311 3312 default: 3313 return gen_false(cstate); /* always false */ 3314 } 3315 /*NOTREACHED*/ 3316 3317 case DLT_IPV4: 3318 /* 3319 * Raw IPv4, so no type field. 3320 */ 3321 if (ll_proto == ETHERTYPE_IP) 3322 return gen_true(cstate); /* always true */ 3323 3324 /* Checking for something other than IPv4; always false */ 3325 return gen_false(cstate); 3326 /*NOTREACHED*/ 3327 3328 case DLT_IPV6: 3329 /* 3330 * Raw IPv6, so no type field. 3331 */ 3332 if (ll_proto == ETHERTYPE_IPV6) 3333 return gen_true(cstate); /* always true */ 3334 3335 /* Checking for something other than IPv6; always false */ 3336 return gen_false(cstate); 3337 /*NOTREACHED*/ 3338 3339 case DLT_PPP: 3340 case DLT_PPP_PPPD: 3341 case DLT_PPP_SERIAL: 3342 case DLT_PPP_ETHER: 3343 /* 3344 * We use Ethernet protocol types inside libpcap; 3345 * map them to the corresponding PPP protocol types. 3346 */ 3347 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3348 ethertype_to_ppptype(ll_proto)); 3349 /*NOTREACHED*/ 3350 3351 case DLT_PPP_BSDOS: 3352 /* 3353 * We use Ethernet protocol types inside libpcap; 3354 * map them to the corresponding PPP protocol types. 3355 */ 3356 switch (ll_proto) { 3357 3358 case ETHERTYPE_IP: 3359 /* 3360 * Also check for Van Jacobson-compressed IP. 3361 * XXX - do this for other forms of PPP? 3362 */ 3363 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3364 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3365 gen_or(b0, b1); 3366 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3367 gen_or(b1, b0); 3368 return b0; 3369 3370 default: 3371 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3372 ethertype_to_ppptype(ll_proto)); 3373 } 3374 /*NOTREACHED*/ 3375 3376 case DLT_NULL: 3377 case DLT_LOOP: 3378 case DLT_ENC: 3379 switch (ll_proto) { 3380 3381 case ETHERTYPE_IP: 3382 return (gen_loopback_linktype(cstate, AF_INET)); 3383 3384 case ETHERTYPE_IPV6: 3385 /* 3386 * AF_ values may, unfortunately, be platform- 3387 * dependent; AF_INET isn't, because everybody 3388 * used 4.2BSD's value, but AF_INET6 is, because 3389 * 4.2BSD didn't have a value for it (given that 3390 * IPv6 didn't exist back in the early 1980's), 3391 * and they all picked their own values. 3392 * 3393 * This means that, if we're reading from a 3394 * savefile, we need to check for all the 3395 * possible values. 3396 * 3397 * If we're doing a live capture, we only need 3398 * to check for this platform's value; however, 3399 * Npcap uses 24, which isn't Windows's AF_INET6 3400 * value. (Given the multiple different values, 3401 * programs that read pcap files shouldn't be 3402 * checking for their platform's AF_INET6 value 3403 * anyway, they should check for all of the 3404 * possible values. and they might as well do 3405 * that even for live captures.) 3406 */ 3407 if (cstate->bpf_pcap->rfile != NULL) { 3408 /* 3409 * Savefile - check for all three 3410 * possible IPv6 values. 3411 */ 3412 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3413 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3414 gen_or(b0, b1); 3415 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3416 gen_or(b0, b1); 3417 return (b1); 3418 } else { 3419 /* 3420 * Live capture, so we only need to 3421 * check for the value used on this 3422 * platform. 3423 */ 3424 #ifdef _WIN32 3425 /* 3426 * Npcap doesn't use Windows's AF_INET6, 3427 * as that collides with AF_IPX on 3428 * some BSDs (both have the value 23). 3429 * Instead, it uses 24. 3430 */ 3431 return (gen_loopback_linktype(cstate, 24)); 3432 #else /* _WIN32 */ 3433 #ifdef AF_INET6 3434 return (gen_loopback_linktype(cstate, AF_INET6)); 3435 #else /* AF_INET6 */ 3436 /* 3437 * I guess this platform doesn't support 3438 * IPv6, so we just reject all packets. 3439 */ 3440 return gen_false(cstate); 3441 #endif /* AF_INET6 */ 3442 #endif /* _WIN32 */ 3443 } 3444 3445 default: 3446 /* 3447 * Not a type on which we support filtering. 3448 * XXX - support those that have AF_ values 3449 * #defined on this platform, at least? 3450 */ 3451 return gen_false(cstate); 3452 } 3453 3454 case DLT_PFLOG: 3455 /* 3456 * af field is host byte order in contrast to the rest of 3457 * the packet. 3458 */ 3459 if (ll_proto == ETHERTYPE_IP) 3460 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3461 BPF_B, AF_INET)); 3462 else if (ll_proto == ETHERTYPE_IPV6) 3463 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3464 BPF_B, AF_INET6)); 3465 else 3466 return gen_false(cstate); 3467 /*NOTREACHED*/ 3468 3469 case DLT_ARCNET: 3470 case DLT_ARCNET_LINUX: 3471 /* 3472 * XXX should we check for first fragment if the protocol 3473 * uses PHDS? 3474 */ 3475 switch (ll_proto) { 3476 3477 default: 3478 return gen_false(cstate); 3479 3480 case ETHERTYPE_IPV6: 3481 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3482 ARCTYPE_INET6)); 3483 3484 case ETHERTYPE_IP: 3485 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3486 ARCTYPE_IP); 3487 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3488 ARCTYPE_IP_OLD); 3489 gen_or(b0, b1); 3490 return (b1); 3491 3492 case ETHERTYPE_ARP: 3493 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3494 ARCTYPE_ARP); 3495 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3496 ARCTYPE_ARP_OLD); 3497 gen_or(b0, b1); 3498 return (b1); 3499 3500 case ETHERTYPE_REVARP: 3501 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3502 ARCTYPE_REVARP)); 3503 3504 case ETHERTYPE_ATALK: 3505 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3506 ARCTYPE_ATALK)); 3507 } 3508 /*NOTREACHED*/ 3509 3510 case DLT_LTALK: 3511 switch (ll_proto) { 3512 case ETHERTYPE_ATALK: 3513 return gen_true(cstate); 3514 default: 3515 return gen_false(cstate); 3516 } 3517 /*NOTREACHED*/ 3518 3519 case DLT_FRELAY: 3520 /* 3521 * XXX - assumes a 2-byte Frame Relay header with 3522 * DLCI and flags. What if the address is longer? 3523 */ 3524 switch (ll_proto) { 3525 3526 case ETHERTYPE_IP: 3527 /* 3528 * Check for the special NLPID for IP. 3529 */ 3530 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3531 3532 case ETHERTYPE_IPV6: 3533 /* 3534 * Check for the special NLPID for IPv6. 3535 */ 3536 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3537 3538 case LLCSAP_ISONS: 3539 /* 3540 * Check for several OSI protocols. 3541 * 3542 * Frame Relay packets typically have an OSI 3543 * NLPID at the beginning; we check for each 3544 * of them. 3545 * 3546 * What we check for is the NLPID and a frame 3547 * control field of UI, i.e. 0x03 followed 3548 * by the NLPID. 3549 */ 3550 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3551 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3552 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3553 gen_or(b1, b2); 3554 gen_or(b0, b2); 3555 return b2; 3556 3557 default: 3558 return gen_false(cstate); 3559 } 3560 /*NOTREACHED*/ 3561 3562 case DLT_MFR: 3563 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3564 3565 case DLT_JUNIPER_MFR: 3566 case DLT_JUNIPER_MLFR: 3567 case DLT_JUNIPER_MLPPP: 3568 case DLT_JUNIPER_ATM1: 3569 case DLT_JUNIPER_ATM2: 3570 case DLT_JUNIPER_PPPOE: 3571 case DLT_JUNIPER_PPPOE_ATM: 3572 case DLT_JUNIPER_GGSN: 3573 case DLT_JUNIPER_ES: 3574 case DLT_JUNIPER_MONITOR: 3575 case DLT_JUNIPER_SERVICES: 3576 case DLT_JUNIPER_ETHER: 3577 case DLT_JUNIPER_PPP: 3578 case DLT_JUNIPER_FRELAY: 3579 case DLT_JUNIPER_CHDLC: 3580 case DLT_JUNIPER_VP: 3581 case DLT_JUNIPER_ST: 3582 case DLT_JUNIPER_ISM: 3583 case DLT_JUNIPER_VS: 3584 case DLT_JUNIPER_SRX_E2E: 3585 case DLT_JUNIPER_FIBRECHANNEL: 3586 case DLT_JUNIPER_ATM_CEMIC: 3587 3588 /* just lets verify the magic number for now - 3589 * on ATM we may have up to 6 different encapsulations on the wire 3590 * and need a lot of heuristics to figure out that the payload 3591 * might be; 3592 * 3593 * FIXME encapsulation specific BPF_ filters 3594 */ 3595 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3596 3597 case DLT_BACNET_MS_TP: 3598 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3599 3600 case DLT_IPNET: 3601 return gen_ipnet_linktype(cstate, ll_proto); 3602 3603 case DLT_LINUX_IRDA: 3604 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3605 3606 case DLT_DOCSIS: 3607 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3608 3609 case DLT_MTP2: 3610 case DLT_MTP2_WITH_PHDR: 3611 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3612 3613 case DLT_ERF: 3614 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3615 3616 case DLT_PFSYNC: 3617 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3618 3619 case DLT_LINUX_LAPD: 3620 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3621 3622 case DLT_USB_FREEBSD: 3623 case DLT_USB_LINUX: 3624 case DLT_USB_LINUX_MMAPPED: 3625 case DLT_USBPCAP: 3626 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3627 3628 case DLT_BLUETOOTH_HCI_H4: 3629 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3630 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3631 3632 case DLT_CAN20B: 3633 case DLT_CAN_SOCKETCAN: 3634 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3635 3636 case DLT_IEEE802_15_4: 3637 case DLT_IEEE802_15_4_LINUX: 3638 case DLT_IEEE802_15_4_NONASK_PHY: 3639 case DLT_IEEE802_15_4_NOFCS: 3640 case DLT_IEEE802_15_4_TAP: 3641 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3642 3643 case DLT_IEEE802_16_MAC_CPS_RADIO: 3644 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3645 3646 case DLT_SITA: 3647 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3648 3649 case DLT_RAIF1: 3650 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3651 3652 case DLT_IPMB_KONTRON: 3653 case DLT_IPMB_LINUX: 3654 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3655 3656 case DLT_AX25_KISS: 3657 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3658 3659 case DLT_NFLOG: 3660 /* Using the fixed-size NFLOG header it is possible to tell only 3661 * the address family of the packet, other meaningful data is 3662 * either missing or behind TLVs. 3663 */ 3664 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3665 3666 default: 3667 /* 3668 * Does this link-layer header type have a field 3669 * indicating the type of the next protocol? If 3670 * so, off_linktype.constant_part will be the offset of that 3671 * field in the packet; if not, it will be OFFSET_NOT_SET. 3672 */ 3673 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3674 /* 3675 * Yes; assume it's an Ethernet type. (If 3676 * it's not, it needs to be handled specially 3677 * above.) 3678 */ 3679 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 3680 /*NOTREACHED */ 3681 } else { 3682 /* 3683 * No; report an error. 3684 */ 3685 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype); 3686 bpf_error(cstate, "%s link-layer type filtering not implemented", 3687 description); 3688 /*NOTREACHED */ 3689 } 3690 } 3691 } 3692 3693 /* 3694 * Check for an LLC SNAP packet with a given organization code and 3695 * protocol type; we check the entire contents of the 802.2 LLC and 3696 * snap headers, checking for DSAP and SSAP of SNAP and a control 3697 * field of 0x03 in the LLC header, and for the specified organization 3698 * code and protocol type in the SNAP header. 3699 */ 3700 static struct block * 3701 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3702 { 3703 u_char snapblock[8]; 3704 3705 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3706 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3707 snapblock[2] = 0x03; /* control = UI */ 3708 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3709 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3710 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3711 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3712 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3713 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3714 } 3715 3716 /* 3717 * Generate code to match frames with an LLC header. 3718 */ 3719 static struct block * 3720 gen_llc_internal(compiler_state_t *cstate) 3721 { 3722 struct block *b0, *b1; 3723 3724 switch (cstate->linktype) { 3725 3726 case DLT_EN10MB: 3727 /* 3728 * We check for an Ethernet type field less than 3729 * 1500, which means it's an 802.3 length field. 3730 */ 3731 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3732 gen_not(b0); 3733 3734 /* 3735 * Now check for the purported DSAP and SSAP not being 3736 * 0xFF, to rule out NetWare-over-802.3. 3737 */ 3738 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF); 3739 gen_not(b1); 3740 gen_and(b0, b1); 3741 return b1; 3742 3743 case DLT_SUNATM: 3744 /* 3745 * We check for LLC traffic. 3746 */ 3747 b0 = gen_atmtype_llc(cstate); 3748 return b0; 3749 3750 case DLT_IEEE802: /* Token Ring */ 3751 /* 3752 * XXX - check for LLC frames. 3753 */ 3754 return gen_true(cstate); 3755 3756 case DLT_FDDI: 3757 /* 3758 * XXX - check for LLC frames. 3759 */ 3760 return gen_true(cstate); 3761 3762 case DLT_ATM_RFC1483: 3763 /* 3764 * For LLC encapsulation, these are defined to have an 3765 * 802.2 LLC header. 3766 * 3767 * For VC encapsulation, they don't, but there's no 3768 * way to check for that; the protocol used on the VC 3769 * is negotiated out of band. 3770 */ 3771 return gen_true(cstate); 3772 3773 case DLT_IEEE802_11: 3774 case DLT_PRISM_HEADER: 3775 case DLT_IEEE802_11_RADIO: 3776 case DLT_IEEE802_11_RADIO_AVS: 3777 case DLT_PPI: 3778 /* 3779 * Check that we have a data frame. 3780 */ 3781 b0 = gen_check_802_11_data_frame(cstate); 3782 return b0; 3783 3784 default: 3785 bpf_error(cstate, "'llc' not supported for %s", 3786 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 3787 /*NOTREACHED*/ 3788 } 3789 } 3790 3791 struct block * 3792 gen_llc(compiler_state_t *cstate) 3793 { 3794 /* 3795 * Catch errors reported by us and routines below us, and return NULL 3796 * on an error. 3797 */ 3798 if (setjmp(cstate->top_ctx)) 3799 return (NULL); 3800 3801 return gen_llc_internal(cstate); 3802 } 3803 3804 struct block * 3805 gen_llc_i(compiler_state_t *cstate) 3806 { 3807 struct block *b0, *b1; 3808 struct slist *s; 3809 3810 /* 3811 * Catch errors reported by us and routines below us, and return NULL 3812 * on an error. 3813 */ 3814 if (setjmp(cstate->top_ctx)) 3815 return (NULL); 3816 3817 /* 3818 * Check whether this is an LLC frame. 3819 */ 3820 b0 = gen_llc_internal(cstate); 3821 3822 /* 3823 * Load the control byte and test the low-order bit; it must 3824 * be clear for I frames. 3825 */ 3826 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3827 b1 = new_block(cstate, JMP(BPF_JSET)); 3828 b1->s.k = 0x01; 3829 b1->stmts = s; 3830 gen_not(b1); 3831 gen_and(b0, b1); 3832 return b1; 3833 } 3834 3835 struct block * 3836 gen_llc_s(compiler_state_t *cstate) 3837 { 3838 struct block *b0, *b1; 3839 3840 /* 3841 * Catch errors reported by us and routines below us, and return NULL 3842 * on an error. 3843 */ 3844 if (setjmp(cstate->top_ctx)) 3845 return (NULL); 3846 3847 /* 3848 * Check whether this is an LLC frame. 3849 */ 3850 b0 = gen_llc_internal(cstate); 3851 3852 /* 3853 * Now compare the low-order 2 bit of the control byte against 3854 * the appropriate value for S frames. 3855 */ 3856 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3857 gen_and(b0, b1); 3858 return b1; 3859 } 3860 3861 struct block * 3862 gen_llc_u(compiler_state_t *cstate) 3863 { 3864 struct block *b0, *b1; 3865 3866 /* 3867 * Catch errors reported by us and routines below us, and return NULL 3868 * on an error. 3869 */ 3870 if (setjmp(cstate->top_ctx)) 3871 return (NULL); 3872 3873 /* 3874 * Check whether this is an LLC frame. 3875 */ 3876 b0 = gen_llc_internal(cstate); 3877 3878 /* 3879 * Now compare the low-order 2 bit of the control byte against 3880 * the appropriate value for U frames. 3881 */ 3882 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3883 gen_and(b0, b1); 3884 return b1; 3885 } 3886 3887 struct block * 3888 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3889 { 3890 struct block *b0, *b1; 3891 3892 /* 3893 * Catch errors reported by us and routines below us, and return NULL 3894 * on an error. 3895 */ 3896 if (setjmp(cstate->top_ctx)) 3897 return (NULL); 3898 3899 /* 3900 * Check whether this is an LLC frame. 3901 */ 3902 b0 = gen_llc_internal(cstate); 3903 3904 /* 3905 * Now check for an S frame with the appropriate type. 3906 */ 3907 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3908 gen_and(b0, b1); 3909 return b1; 3910 } 3911 3912 struct block * 3913 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3914 { 3915 struct block *b0, *b1; 3916 3917 /* 3918 * Catch errors reported by us and routines below us, and return NULL 3919 * on an error. 3920 */ 3921 if (setjmp(cstate->top_ctx)) 3922 return (NULL); 3923 3924 /* 3925 * Check whether this is an LLC frame. 3926 */ 3927 b0 = gen_llc_internal(cstate); 3928 3929 /* 3930 * Now check for a U frame with the appropriate type. 3931 */ 3932 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3933 gen_and(b0, b1); 3934 return b1; 3935 } 3936 3937 /* 3938 * Generate code to match a particular packet type, for link-layer types 3939 * using 802.2 LLC headers. 3940 * 3941 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3942 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3943 * 3944 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3945 * value, if <= ETHERMTU. We use that to determine whether to 3946 * match the DSAP or both DSAP and LSAP or to check the OUI and 3947 * protocol ID in a SNAP header. 3948 */ 3949 static struct block * 3950 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 3951 { 3952 /* 3953 * XXX - handle token-ring variable-length header. 3954 */ 3955 switch (ll_proto) { 3956 3957 case LLCSAP_IP: 3958 case LLCSAP_ISONS: 3959 case LLCSAP_NETBEUI: 3960 /* 3961 * XXX - should we check both the DSAP and the 3962 * SSAP, like this, or should we check just the 3963 * DSAP, as we do for other SAP values? 3964 */ 3965 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3966 ((ll_proto << 8) | ll_proto)); 3967 3968 case LLCSAP_IPX: 3969 /* 3970 * XXX - are there ever SNAP frames for IPX on 3971 * non-Ethernet 802.x networks? 3972 */ 3973 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 3974 3975 case ETHERTYPE_ATALK: 3976 /* 3977 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3978 * SNAP packets with an organization code of 3979 * 0x080007 (Apple, for Appletalk) and a protocol 3980 * type of ETHERTYPE_ATALK (Appletalk). 3981 * 3982 * XXX - check for an organization code of 3983 * encapsulated Ethernet as well? 3984 */ 3985 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3986 3987 default: 3988 /* 3989 * XXX - we don't have to check for IPX 802.3 3990 * here, but should we check for the IPX Ethertype? 3991 */ 3992 if (ll_proto <= ETHERMTU) { 3993 /* 3994 * This is an LLC SAP value, so check 3995 * the DSAP. 3996 */ 3997 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto); 3998 } else { 3999 /* 4000 * This is an Ethernet type; we assume that it's 4001 * unlikely that it'll appear in the right place 4002 * at random, and therefore check only the 4003 * location that would hold the Ethernet type 4004 * in a SNAP frame with an organization code of 4005 * 0x000000 (encapsulated Ethernet). 4006 * 4007 * XXX - if we were to check for the SNAP DSAP and 4008 * LSAP, as per XXX, and were also to check for an 4009 * organization code of 0x000000 (encapsulated 4010 * Ethernet), we'd do 4011 * 4012 * return gen_snap(cstate, 0x000000, ll_proto); 4013 * 4014 * here; for now, we don't, as per the above. 4015 * I don't know whether it's worth the extra CPU 4016 * time to do the right check or not. 4017 */ 4018 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto); 4019 } 4020 } 4021 } 4022 4023 static struct block * 4024 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4025 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off) 4026 { 4027 struct block *b0, *b1; 4028 u_int offset; 4029 4030 switch (dir) { 4031 4032 case Q_SRC: 4033 offset = src_off; 4034 break; 4035 4036 case Q_DST: 4037 offset = dst_off; 4038 break; 4039 4040 case Q_AND: 4041 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4042 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4043 gen_and(b0, b1); 4044 return b1; 4045 4046 case Q_DEFAULT: 4047 case Q_OR: 4048 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4049 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4050 gen_or(b0, b1); 4051 return b1; 4052 4053 case Q_ADDR1: 4054 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4055 /*NOTREACHED*/ 4056 4057 case Q_ADDR2: 4058 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4059 /*NOTREACHED*/ 4060 4061 case Q_ADDR3: 4062 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4063 /*NOTREACHED*/ 4064 4065 case Q_ADDR4: 4066 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4067 /*NOTREACHED*/ 4068 4069 case Q_RA: 4070 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4071 /*NOTREACHED*/ 4072 4073 case Q_TA: 4074 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4075 /*NOTREACHED*/ 4076 4077 default: 4078 abort(); 4079 /*NOTREACHED*/ 4080 } 4081 b0 = gen_linktype(cstate, ll_proto); 4082 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask); 4083 gen_and(b0, b1); 4084 return b1; 4085 } 4086 4087 #ifdef INET6 4088 static struct block * 4089 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 4090 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off, 4091 u_int dst_off) 4092 { 4093 struct block *b0, *b1; 4094 u_int offset; 4095 uint32_t *a, *m; 4096 4097 switch (dir) { 4098 4099 case Q_SRC: 4100 offset = src_off; 4101 break; 4102 4103 case Q_DST: 4104 offset = dst_off; 4105 break; 4106 4107 case Q_AND: 4108 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4109 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4110 gen_and(b0, b1); 4111 return b1; 4112 4113 case Q_DEFAULT: 4114 case Q_OR: 4115 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4116 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4117 gen_or(b0, b1); 4118 return b1; 4119 4120 case Q_ADDR1: 4121 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4122 /*NOTREACHED*/ 4123 4124 case Q_ADDR2: 4125 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4126 /*NOTREACHED*/ 4127 4128 case Q_ADDR3: 4129 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4130 /*NOTREACHED*/ 4131 4132 case Q_ADDR4: 4133 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4134 /*NOTREACHED*/ 4135 4136 case Q_RA: 4137 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4138 /*NOTREACHED*/ 4139 4140 case Q_TA: 4141 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4142 /*NOTREACHED*/ 4143 4144 default: 4145 abort(); 4146 /*NOTREACHED*/ 4147 } 4148 /* this order is important */ 4149 a = (uint32_t *)addr; 4150 m = (uint32_t *)mask; 4151 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 4152 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 4153 gen_and(b0, b1); 4154 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 4155 gen_and(b0, b1); 4156 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 4157 gen_and(b0, b1); 4158 b0 = gen_linktype(cstate, ll_proto); 4159 gen_and(b0, b1); 4160 return b1; 4161 } 4162 #endif 4163 4164 static struct block * 4165 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4166 { 4167 register struct block *b0, *b1; 4168 4169 switch (dir) { 4170 case Q_SRC: 4171 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 4172 4173 case Q_DST: 4174 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 4175 4176 case Q_AND: 4177 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4178 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4179 gen_and(b0, b1); 4180 return b1; 4181 4182 case Q_DEFAULT: 4183 case Q_OR: 4184 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4185 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4186 gen_or(b0, b1); 4187 return b1; 4188 4189 case Q_ADDR1: 4190 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4191 /*NOTREACHED*/ 4192 4193 case Q_ADDR2: 4194 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4195 /*NOTREACHED*/ 4196 4197 case Q_ADDR3: 4198 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4199 /*NOTREACHED*/ 4200 4201 case Q_ADDR4: 4202 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4203 /*NOTREACHED*/ 4204 4205 case Q_RA: 4206 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4207 /*NOTREACHED*/ 4208 4209 case Q_TA: 4210 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4211 /*NOTREACHED*/ 4212 } 4213 abort(); 4214 /*NOTREACHED*/ 4215 } 4216 4217 /* 4218 * Like gen_ehostop, but for DLT_FDDI 4219 */ 4220 static struct block * 4221 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4222 { 4223 struct block *b0, *b1; 4224 4225 switch (dir) { 4226 case Q_SRC: 4227 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4228 4229 case Q_DST: 4230 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4231 4232 case Q_AND: 4233 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4234 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4235 gen_and(b0, b1); 4236 return b1; 4237 4238 case Q_DEFAULT: 4239 case Q_OR: 4240 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4241 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4242 gen_or(b0, b1); 4243 return b1; 4244 4245 case Q_ADDR1: 4246 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4247 /*NOTREACHED*/ 4248 4249 case Q_ADDR2: 4250 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4251 /*NOTREACHED*/ 4252 4253 case Q_ADDR3: 4254 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4255 /*NOTREACHED*/ 4256 4257 case Q_ADDR4: 4258 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4259 /*NOTREACHED*/ 4260 4261 case Q_RA: 4262 bpf_error(cstate, "'ra' is only supported on 802.11"); 4263 /*NOTREACHED*/ 4264 4265 case Q_TA: 4266 bpf_error(cstate, "'ta' is only supported on 802.11"); 4267 /*NOTREACHED*/ 4268 } 4269 abort(); 4270 /*NOTREACHED*/ 4271 } 4272 4273 /* 4274 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4275 */ 4276 static struct block * 4277 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4278 { 4279 register struct block *b0, *b1; 4280 4281 switch (dir) { 4282 case Q_SRC: 4283 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4284 4285 case Q_DST: 4286 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4287 4288 case Q_AND: 4289 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4290 b1 = gen_thostop(cstate, eaddr, Q_DST); 4291 gen_and(b0, b1); 4292 return b1; 4293 4294 case Q_DEFAULT: 4295 case Q_OR: 4296 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4297 b1 = gen_thostop(cstate, eaddr, Q_DST); 4298 gen_or(b0, b1); 4299 return b1; 4300 4301 case Q_ADDR1: 4302 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4303 /*NOTREACHED*/ 4304 4305 case Q_ADDR2: 4306 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4307 /*NOTREACHED*/ 4308 4309 case Q_ADDR3: 4310 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4311 /*NOTREACHED*/ 4312 4313 case Q_ADDR4: 4314 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4315 /*NOTREACHED*/ 4316 4317 case Q_RA: 4318 bpf_error(cstate, "'ra' is only supported on 802.11"); 4319 /*NOTREACHED*/ 4320 4321 case Q_TA: 4322 bpf_error(cstate, "'ta' is only supported on 802.11"); 4323 /*NOTREACHED*/ 4324 } 4325 abort(); 4326 /*NOTREACHED*/ 4327 } 4328 4329 /* 4330 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4331 * various 802.11 + radio headers. 4332 */ 4333 static struct block * 4334 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4335 { 4336 register struct block *b0, *b1, *b2; 4337 register struct slist *s; 4338 4339 #ifdef ENABLE_WLAN_FILTERING_PATCH 4340 /* 4341 * TODO GV 20070613 4342 * We need to disable the optimizer because the optimizer is buggy 4343 * and wipes out some LD instructions generated by the below 4344 * code to validate the Frame Control bits 4345 */ 4346 cstate->no_optimize = 1; 4347 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4348 4349 switch (dir) { 4350 case Q_SRC: 4351 /* 4352 * Oh, yuk. 4353 * 4354 * For control frames, there is no SA. 4355 * 4356 * For management frames, SA is at an 4357 * offset of 10 from the beginning of 4358 * the packet. 4359 * 4360 * For data frames, SA is at an offset 4361 * of 10 from the beginning of the packet 4362 * if From DS is clear, at an offset of 4363 * 16 from the beginning of the packet 4364 * if From DS is set and To DS is clear, 4365 * and an offset of 24 from the beginning 4366 * of the packet if From DS is set and To DS 4367 * is set. 4368 */ 4369 4370 /* 4371 * Generate the tests to be done for data frames 4372 * with From DS set. 4373 * 4374 * First, check for To DS set, i.e. check "link[1] & 0x01". 4375 */ 4376 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4377 b1 = new_block(cstate, JMP(BPF_JSET)); 4378 b1->s.k = 0x01; /* To DS */ 4379 b1->stmts = s; 4380 4381 /* 4382 * If To DS is set, the SA is at 24. 4383 */ 4384 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4385 gen_and(b1, b0); 4386 4387 /* 4388 * Now, check for To DS not set, i.e. check 4389 * "!(link[1] & 0x01)". 4390 */ 4391 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4392 b2 = new_block(cstate, JMP(BPF_JSET)); 4393 b2->s.k = 0x01; /* To DS */ 4394 b2->stmts = s; 4395 gen_not(b2); 4396 4397 /* 4398 * If To DS is not set, the SA is at 16. 4399 */ 4400 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4401 gen_and(b2, b1); 4402 4403 /* 4404 * Now OR together the last two checks. That gives 4405 * the complete set of checks for data frames with 4406 * From DS set. 4407 */ 4408 gen_or(b1, b0); 4409 4410 /* 4411 * Now check for From DS being set, and AND that with 4412 * the ORed-together checks. 4413 */ 4414 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4415 b1 = new_block(cstate, JMP(BPF_JSET)); 4416 b1->s.k = 0x02; /* From DS */ 4417 b1->stmts = s; 4418 gen_and(b1, b0); 4419 4420 /* 4421 * Now check for data frames with From DS not set. 4422 */ 4423 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4424 b2 = new_block(cstate, JMP(BPF_JSET)); 4425 b2->s.k = 0x02; /* From DS */ 4426 b2->stmts = s; 4427 gen_not(b2); 4428 4429 /* 4430 * If From DS isn't set, the SA is at 10. 4431 */ 4432 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4433 gen_and(b2, b1); 4434 4435 /* 4436 * Now OR together the checks for data frames with 4437 * From DS not set and for data frames with From DS 4438 * set; that gives the checks done for data frames. 4439 */ 4440 gen_or(b1, b0); 4441 4442 /* 4443 * Now check for a data frame. 4444 * I.e, check "link[0] & 0x08". 4445 */ 4446 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4447 b1 = new_block(cstate, JMP(BPF_JSET)); 4448 b1->s.k = 0x08; 4449 b1->stmts = s; 4450 4451 /* 4452 * AND that with the checks done for data frames. 4453 */ 4454 gen_and(b1, b0); 4455 4456 /* 4457 * If the high-order bit of the type value is 0, this 4458 * is a management frame. 4459 * I.e, check "!(link[0] & 0x08)". 4460 */ 4461 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4462 b2 = new_block(cstate, JMP(BPF_JSET)); 4463 b2->s.k = 0x08; 4464 b2->stmts = s; 4465 gen_not(b2); 4466 4467 /* 4468 * For management frames, the SA is at 10. 4469 */ 4470 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4471 gen_and(b2, b1); 4472 4473 /* 4474 * OR that with the checks done for data frames. 4475 * That gives the checks done for management and 4476 * data frames. 4477 */ 4478 gen_or(b1, b0); 4479 4480 /* 4481 * If the low-order bit of the type value is 1, 4482 * this is either a control frame or a frame 4483 * with a reserved type, and thus not a 4484 * frame with an SA. 4485 * 4486 * I.e., check "!(link[0] & 0x04)". 4487 */ 4488 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4489 b1 = new_block(cstate, JMP(BPF_JSET)); 4490 b1->s.k = 0x04; 4491 b1->stmts = s; 4492 gen_not(b1); 4493 4494 /* 4495 * AND that with the checks for data and management 4496 * frames. 4497 */ 4498 gen_and(b1, b0); 4499 return b0; 4500 4501 case Q_DST: 4502 /* 4503 * Oh, yuk. 4504 * 4505 * For control frames, there is no DA. 4506 * 4507 * For management frames, DA is at an 4508 * offset of 4 from the beginning of 4509 * the packet. 4510 * 4511 * For data frames, DA is at an offset 4512 * of 4 from the beginning of the packet 4513 * if To DS is clear and at an offset of 4514 * 16 from the beginning of the packet 4515 * if To DS is set. 4516 */ 4517 4518 /* 4519 * Generate the tests to be done for data frames. 4520 * 4521 * First, check for To DS set, i.e. "link[1] & 0x01". 4522 */ 4523 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4524 b1 = new_block(cstate, JMP(BPF_JSET)); 4525 b1->s.k = 0x01; /* To DS */ 4526 b1->stmts = s; 4527 4528 /* 4529 * If To DS is set, the DA is at 16. 4530 */ 4531 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4532 gen_and(b1, b0); 4533 4534 /* 4535 * Now, check for To DS not set, i.e. check 4536 * "!(link[1] & 0x01)". 4537 */ 4538 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4539 b2 = new_block(cstate, JMP(BPF_JSET)); 4540 b2->s.k = 0x01; /* To DS */ 4541 b2->stmts = s; 4542 gen_not(b2); 4543 4544 /* 4545 * If To DS is not set, the DA is at 4. 4546 */ 4547 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4548 gen_and(b2, b1); 4549 4550 /* 4551 * Now OR together the last two checks. That gives 4552 * the complete set of checks for data frames. 4553 */ 4554 gen_or(b1, b0); 4555 4556 /* 4557 * Now check for a data frame. 4558 * I.e, check "link[0] & 0x08". 4559 */ 4560 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4561 b1 = new_block(cstate, JMP(BPF_JSET)); 4562 b1->s.k = 0x08; 4563 b1->stmts = s; 4564 4565 /* 4566 * AND that with the checks done for data frames. 4567 */ 4568 gen_and(b1, b0); 4569 4570 /* 4571 * If the high-order bit of the type value is 0, this 4572 * is a management frame. 4573 * I.e, check "!(link[0] & 0x08)". 4574 */ 4575 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4576 b2 = new_block(cstate, JMP(BPF_JSET)); 4577 b2->s.k = 0x08; 4578 b2->stmts = s; 4579 gen_not(b2); 4580 4581 /* 4582 * For management frames, the DA is at 4. 4583 */ 4584 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4585 gen_and(b2, b1); 4586 4587 /* 4588 * OR that with the checks done for data frames. 4589 * That gives the checks done for management and 4590 * data frames. 4591 */ 4592 gen_or(b1, b0); 4593 4594 /* 4595 * If the low-order bit of the type value is 1, 4596 * this is either a control frame or a frame 4597 * with a reserved type, and thus not a 4598 * frame with an SA. 4599 * 4600 * I.e., check "!(link[0] & 0x04)". 4601 */ 4602 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4603 b1 = new_block(cstate, JMP(BPF_JSET)); 4604 b1->s.k = 0x04; 4605 b1->stmts = s; 4606 gen_not(b1); 4607 4608 /* 4609 * AND that with the checks for data and management 4610 * frames. 4611 */ 4612 gen_and(b1, b0); 4613 return b0; 4614 4615 case Q_AND: 4616 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4617 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4618 gen_and(b0, b1); 4619 return b1; 4620 4621 case Q_DEFAULT: 4622 case Q_OR: 4623 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4624 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4625 gen_or(b0, b1); 4626 return b1; 4627 4628 /* 4629 * XXX - add BSSID keyword? 4630 */ 4631 case Q_ADDR1: 4632 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4633 4634 case Q_ADDR2: 4635 /* 4636 * Not present in CTS or ACK control frames. 4637 */ 4638 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4639 IEEE80211_FC0_TYPE_MASK); 4640 gen_not(b0); 4641 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4642 IEEE80211_FC0_SUBTYPE_MASK); 4643 gen_not(b1); 4644 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4645 IEEE80211_FC0_SUBTYPE_MASK); 4646 gen_not(b2); 4647 gen_and(b1, b2); 4648 gen_or(b0, b2); 4649 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4650 gen_and(b2, b1); 4651 return b1; 4652 4653 case Q_ADDR3: 4654 /* 4655 * Not present in control frames. 4656 */ 4657 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4658 IEEE80211_FC0_TYPE_MASK); 4659 gen_not(b0); 4660 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4661 gen_and(b0, b1); 4662 return b1; 4663 4664 case Q_ADDR4: 4665 /* 4666 * Present only if the direction mask has both "From DS" 4667 * and "To DS" set. Neither control frames nor management 4668 * frames should have both of those set, so we don't 4669 * check the frame type. 4670 */ 4671 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4672 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4673 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4674 gen_and(b0, b1); 4675 return b1; 4676 4677 case Q_RA: 4678 /* 4679 * Not present in management frames; addr1 in other 4680 * frames. 4681 */ 4682 4683 /* 4684 * If the high-order bit of the type value is 0, this 4685 * is a management frame. 4686 * I.e, check "(link[0] & 0x08)". 4687 */ 4688 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4689 b1 = new_block(cstate, JMP(BPF_JSET)); 4690 b1->s.k = 0x08; 4691 b1->stmts = s; 4692 4693 /* 4694 * Check addr1. 4695 */ 4696 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4697 4698 /* 4699 * AND that with the check of addr1. 4700 */ 4701 gen_and(b1, b0); 4702 return (b0); 4703 4704 case Q_TA: 4705 /* 4706 * Not present in management frames; addr2, if present, 4707 * in other frames. 4708 */ 4709 4710 /* 4711 * Not present in CTS or ACK control frames. 4712 */ 4713 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4714 IEEE80211_FC0_TYPE_MASK); 4715 gen_not(b0); 4716 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4717 IEEE80211_FC0_SUBTYPE_MASK); 4718 gen_not(b1); 4719 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4720 IEEE80211_FC0_SUBTYPE_MASK); 4721 gen_not(b2); 4722 gen_and(b1, b2); 4723 gen_or(b0, b2); 4724 4725 /* 4726 * If the high-order bit of the type value is 0, this 4727 * is a management frame. 4728 * I.e, check "(link[0] & 0x08)". 4729 */ 4730 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4731 b1 = new_block(cstate, JMP(BPF_JSET)); 4732 b1->s.k = 0x08; 4733 b1->stmts = s; 4734 4735 /* 4736 * AND that with the check for frames other than 4737 * CTS and ACK frames. 4738 */ 4739 gen_and(b1, b2); 4740 4741 /* 4742 * Check addr2. 4743 */ 4744 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4745 gen_and(b2, b1); 4746 return b1; 4747 } 4748 abort(); 4749 /*NOTREACHED*/ 4750 } 4751 4752 /* 4753 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4754 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4755 * as the RFC states.) 4756 */ 4757 static struct block * 4758 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4759 { 4760 register struct block *b0, *b1; 4761 4762 switch (dir) { 4763 case Q_SRC: 4764 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4765 4766 case Q_DST: 4767 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4768 4769 case Q_AND: 4770 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4771 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4772 gen_and(b0, b1); 4773 return b1; 4774 4775 case Q_DEFAULT: 4776 case Q_OR: 4777 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4778 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4779 gen_or(b0, b1); 4780 return b1; 4781 4782 case Q_ADDR1: 4783 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4784 /*NOTREACHED*/ 4785 4786 case Q_ADDR2: 4787 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4788 /*NOTREACHED*/ 4789 4790 case Q_ADDR3: 4791 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4792 /*NOTREACHED*/ 4793 4794 case Q_ADDR4: 4795 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4796 /*NOTREACHED*/ 4797 4798 case Q_RA: 4799 bpf_error(cstate, "'ra' is only supported on 802.11"); 4800 /*NOTREACHED*/ 4801 4802 case Q_TA: 4803 bpf_error(cstate, "'ta' is only supported on 802.11"); 4804 /*NOTREACHED*/ 4805 } 4806 abort(); 4807 /*NOTREACHED*/ 4808 } 4809 4810 /* 4811 * This is quite tricky because there may be pad bytes in front of the 4812 * DECNET header, and then there are two possible data packet formats that 4813 * carry both src and dst addresses, plus 5 packet types in a format that 4814 * carries only the src node, plus 2 types that use a different format and 4815 * also carry just the src node. 4816 * 4817 * Yuck. 4818 * 4819 * Instead of doing those all right, we just look for data packets with 4820 * 0 or 1 bytes of padding. If you want to look at other packets, that 4821 * will require a lot more hacking. 4822 * 4823 * To add support for filtering on DECNET "areas" (network numbers) 4824 * one would want to add a "mask" argument to this routine. That would 4825 * make the filter even more inefficient, although one could be clever 4826 * and not generate masking instructions if the mask is 0xFFFF. 4827 */ 4828 static struct block * 4829 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4830 { 4831 struct block *b0, *b1, *b2, *tmp; 4832 u_int offset_lh; /* offset if long header is received */ 4833 u_int offset_sh; /* offset if short header is received */ 4834 4835 switch (dir) { 4836 4837 case Q_DST: 4838 offset_sh = 1; /* follows flags */ 4839 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4840 break; 4841 4842 case Q_SRC: 4843 offset_sh = 3; /* follows flags, dstnode */ 4844 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4845 break; 4846 4847 case Q_AND: 4848 /* Inefficient because we do our Calvinball dance twice */ 4849 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4850 b1 = gen_dnhostop(cstate, addr, Q_DST); 4851 gen_and(b0, b1); 4852 return b1; 4853 4854 case Q_DEFAULT: 4855 case Q_OR: 4856 /* Inefficient because we do our Calvinball dance twice */ 4857 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4858 b1 = gen_dnhostop(cstate, addr, Q_DST); 4859 gen_or(b0, b1); 4860 return b1; 4861 4862 case Q_ADDR1: 4863 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4864 /*NOTREACHED*/ 4865 4866 case Q_ADDR2: 4867 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4868 /*NOTREACHED*/ 4869 4870 case Q_ADDR3: 4871 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4872 /*NOTREACHED*/ 4873 4874 case Q_ADDR4: 4875 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4876 /*NOTREACHED*/ 4877 4878 case Q_RA: 4879 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4880 /*NOTREACHED*/ 4881 4882 case Q_TA: 4883 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4884 /*NOTREACHED*/ 4885 4886 default: 4887 abort(); 4888 /*NOTREACHED*/ 4889 } 4890 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4891 /* Check for pad = 1, long header case */ 4892 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4893 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF)); 4894 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4895 BPF_H, (bpf_u_int32)ntohs((u_short)addr)); 4896 gen_and(tmp, b1); 4897 /* Check for pad = 0, long header case */ 4898 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06, 4899 (bpf_u_int32)0x7); 4900 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, 4901 (bpf_u_int32)ntohs((u_short)addr)); 4902 gen_and(tmp, b2); 4903 gen_or(b2, b1); 4904 /* Check for pad = 1, short header case */ 4905 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4906 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF)); 4907 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, 4908 (bpf_u_int32)ntohs((u_short)addr)); 4909 gen_and(tmp, b2); 4910 gen_or(b2, b1); 4911 /* Check for pad = 0, short header case */ 4912 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02, 4913 (bpf_u_int32)0x7); 4914 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, 4915 (bpf_u_int32)ntohs((u_short)addr)); 4916 gen_and(tmp, b2); 4917 gen_or(b2, b1); 4918 4919 /* Combine with test for cstate->linktype */ 4920 gen_and(b0, b1); 4921 return b1; 4922 } 4923 4924 /* 4925 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4926 * test the bottom-of-stack bit, and then check the version number 4927 * field in the IP header. 4928 */ 4929 static struct block * 4930 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 4931 { 4932 struct block *b0, *b1; 4933 4934 switch (ll_proto) { 4935 4936 case ETHERTYPE_IP: 4937 /* match the bottom-of-stack bit */ 4938 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4939 /* match the IPv4 version number */ 4940 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4941 gen_and(b0, b1); 4942 return b1; 4943 4944 case ETHERTYPE_IPV6: 4945 /* match the bottom-of-stack bit */ 4946 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4947 /* match the IPv4 version number */ 4948 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4949 gen_and(b0, b1); 4950 return b1; 4951 4952 default: 4953 /* FIXME add other L3 proto IDs */ 4954 bpf_error(cstate, "unsupported protocol over mpls"); 4955 /*NOTREACHED*/ 4956 } 4957 } 4958 4959 static struct block * 4960 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4961 int proto, int dir, int type) 4962 { 4963 struct block *b0, *b1; 4964 const char *typestr; 4965 4966 if (type == Q_NET) 4967 typestr = "net"; 4968 else 4969 typestr = "host"; 4970 4971 switch (proto) { 4972 4973 case Q_DEFAULT: 4974 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4975 /* 4976 * Only check for non-IPv4 addresses if we're not 4977 * checking MPLS-encapsulated packets. 4978 */ 4979 if (cstate->label_stack_depth == 0) { 4980 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4981 gen_or(b0, b1); 4982 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4983 gen_or(b1, b0); 4984 } 4985 return b0; 4986 4987 case Q_LINK: 4988 bpf_error(cstate, "link-layer modifier applied to %s", typestr); 4989 4990 case Q_IP: 4991 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4992 4993 case Q_RARP: 4994 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4995 4996 case Q_ARP: 4997 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4998 4999 case Q_SCTP: 5000 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 5001 5002 case Q_TCP: 5003 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 5004 5005 case Q_UDP: 5006 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 5007 5008 case Q_ICMP: 5009 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 5010 5011 case Q_IGMP: 5012 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 5013 5014 case Q_IGRP: 5015 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 5016 5017 case Q_ATALK: 5018 bpf_error(cstate, "AppleTalk host filtering not implemented"); 5019 5020 case Q_DECNET: 5021 return gen_dnhostop(cstate, addr, dir); 5022 5023 case Q_LAT: 5024 bpf_error(cstate, "LAT host filtering not implemented"); 5025 5026 case Q_SCA: 5027 bpf_error(cstate, "SCA host filtering not implemented"); 5028 5029 case Q_MOPRC: 5030 bpf_error(cstate, "MOPRC host filtering not implemented"); 5031 5032 case Q_MOPDL: 5033 bpf_error(cstate, "MOPDL host filtering not implemented"); 5034 5035 case Q_IPV6: 5036 bpf_error(cstate, "'ip6' modifier applied to ip host"); 5037 5038 case Q_ICMPV6: 5039 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 5040 5041 case Q_AH: 5042 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 5043 5044 case Q_ESP: 5045 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 5046 5047 case Q_PIM: 5048 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 5049 5050 case Q_VRRP: 5051 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 5052 5053 case Q_AARP: 5054 bpf_error(cstate, "AARP host filtering not implemented"); 5055 5056 case Q_ISO: 5057 bpf_error(cstate, "ISO host filtering not implemented"); 5058 5059 case Q_ESIS: 5060 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 5061 5062 case Q_ISIS: 5063 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 5064 5065 case Q_CLNP: 5066 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 5067 5068 case Q_STP: 5069 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 5070 5071 case Q_IPX: 5072 bpf_error(cstate, "IPX host filtering not implemented"); 5073 5074 case Q_NETBEUI: 5075 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 5076 5077 case Q_ISIS_L1: 5078 bpf_error(cstate, "'l1' modifier applied to %s", typestr); 5079 5080 case Q_ISIS_L2: 5081 bpf_error(cstate, "'l2' modifier applied to %s", typestr); 5082 5083 case Q_ISIS_IIH: 5084 bpf_error(cstate, "'iih' modifier applied to %s", typestr); 5085 5086 case Q_ISIS_SNP: 5087 bpf_error(cstate, "'snp' modifier applied to %s", typestr); 5088 5089 case Q_ISIS_CSNP: 5090 bpf_error(cstate, "'csnp' modifier applied to %s", typestr); 5091 5092 case Q_ISIS_PSNP: 5093 bpf_error(cstate, "'psnp' modifier applied to %s", typestr); 5094 5095 case Q_ISIS_LSP: 5096 bpf_error(cstate, "'lsp' modifier applied to %s", typestr); 5097 5098 case Q_RADIO: 5099 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 5100 5101 case Q_CARP: 5102 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 5103 5104 default: 5105 abort(); 5106 } 5107 /*NOTREACHED*/ 5108 } 5109 5110 #ifdef INET6 5111 static struct block * 5112 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 5113 struct in6_addr *mask, int proto, int dir, int type) 5114 { 5115 const char *typestr; 5116 5117 if (type == Q_NET) 5118 typestr = "net"; 5119 else 5120 typestr = "host"; 5121 5122 switch (proto) { 5123 5124 case Q_DEFAULT: 5125 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 5126 5127 case Q_LINK: 5128 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 5129 5130 case Q_IP: 5131 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 5132 5133 case Q_RARP: 5134 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 5135 5136 case Q_ARP: 5137 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 5138 5139 case Q_SCTP: 5140 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr); 5141 5142 case Q_TCP: 5143 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr); 5144 5145 case Q_UDP: 5146 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr); 5147 5148 case Q_ICMP: 5149 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr); 5150 5151 case Q_IGMP: 5152 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr); 5153 5154 case Q_IGRP: 5155 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr); 5156 5157 case Q_ATALK: 5158 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr); 5159 5160 case Q_DECNET: 5161 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 5162 5163 case Q_LAT: 5164 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr); 5165 5166 case Q_SCA: 5167 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr); 5168 5169 case Q_MOPRC: 5170 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr); 5171 5172 case Q_MOPDL: 5173 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr); 5174 5175 case Q_IPV6: 5176 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 5177 5178 case Q_ICMPV6: 5179 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr); 5180 5181 case Q_AH: 5182 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr); 5183 5184 case Q_ESP: 5185 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr); 5186 5187 case Q_PIM: 5188 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr); 5189 5190 case Q_VRRP: 5191 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr); 5192 5193 case Q_AARP: 5194 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr); 5195 5196 case Q_ISO: 5197 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr); 5198 5199 case Q_ESIS: 5200 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr); 5201 5202 case Q_ISIS: 5203 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr); 5204 5205 case Q_CLNP: 5206 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr); 5207 5208 case Q_STP: 5209 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr); 5210 5211 case Q_IPX: 5212 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr); 5213 5214 case Q_NETBEUI: 5215 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr); 5216 5217 case Q_ISIS_L1: 5218 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr); 5219 5220 case Q_ISIS_L2: 5221 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr); 5222 5223 case Q_ISIS_IIH: 5224 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr); 5225 5226 case Q_ISIS_SNP: 5227 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr); 5228 5229 case Q_ISIS_CSNP: 5230 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr); 5231 5232 case Q_ISIS_PSNP: 5233 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr); 5234 5235 case Q_ISIS_LSP: 5236 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr); 5237 5238 case Q_RADIO: 5239 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr); 5240 5241 case Q_CARP: 5242 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr); 5243 5244 default: 5245 abort(); 5246 } 5247 /*NOTREACHED*/ 5248 } 5249 #endif 5250 5251 #ifndef INET6 5252 static struct block * 5253 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 5254 struct addrinfo *alist, int proto, int dir) 5255 { 5256 struct block *b0, *b1, *tmp; 5257 struct addrinfo *ai; 5258 struct sockaddr_in *sin; 5259 5260 if (dir != 0) 5261 bpf_error(cstate, "direction applied to 'gateway'"); 5262 5263 switch (proto) { 5264 case Q_DEFAULT: 5265 case Q_IP: 5266 case Q_ARP: 5267 case Q_RARP: 5268 switch (cstate->linktype) { 5269 case DLT_EN10MB: 5270 case DLT_NETANALYZER: 5271 case DLT_NETANALYZER_TRANSPARENT: 5272 b1 = gen_prevlinkhdr_check(cstate); 5273 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5274 if (b1 != NULL) 5275 gen_and(b1, b0); 5276 break; 5277 case DLT_FDDI: 5278 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5279 break; 5280 case DLT_IEEE802: 5281 b0 = gen_thostop(cstate, eaddr, Q_OR); 5282 break; 5283 case DLT_IEEE802_11: 5284 case DLT_PRISM_HEADER: 5285 case DLT_IEEE802_11_RADIO_AVS: 5286 case DLT_IEEE802_11_RADIO: 5287 case DLT_PPI: 5288 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5289 break; 5290 case DLT_SUNATM: 5291 /* 5292 * This is LLC-multiplexed traffic; if it were 5293 * LANE, cstate->linktype would have been set to 5294 * DLT_EN10MB. 5295 */ 5296 bpf_error(cstate, 5297 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5298 break; 5299 case DLT_IP_OVER_FC: 5300 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5301 break; 5302 default: 5303 bpf_error(cstate, 5304 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5305 } 5306 b1 = NULL; 5307 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5308 /* 5309 * Does it have an address? 5310 */ 5311 if (ai->ai_addr != NULL) { 5312 /* 5313 * Yes. Is it an IPv4 address? 5314 */ 5315 if (ai->ai_addr->sa_family == AF_INET) { 5316 /* 5317 * Generate an entry for it. 5318 */ 5319 sin = (struct sockaddr_in *)ai->ai_addr; 5320 tmp = gen_host(cstate, 5321 ntohl(sin->sin_addr.s_addr), 5322 0xffffffff, proto, Q_OR, Q_HOST); 5323 /* 5324 * Is it the *first* IPv4 address? 5325 */ 5326 if (b1 == NULL) { 5327 /* 5328 * Yes, so start with it. 5329 */ 5330 b1 = tmp; 5331 } else { 5332 /* 5333 * No, so OR it into the 5334 * existing set of 5335 * addresses. 5336 */ 5337 gen_or(b1, tmp); 5338 b1 = tmp; 5339 } 5340 } 5341 } 5342 } 5343 if (b1 == NULL) { 5344 /* 5345 * No IPv4 addresses found. 5346 */ 5347 return (NULL); 5348 } 5349 gen_not(b1); 5350 gen_and(b0, b1); 5351 return b1; 5352 } 5353 bpf_error(cstate, "illegal modifier of 'gateway'"); 5354 /*NOTREACHED*/ 5355 } 5356 #endif 5357 5358 static struct block * 5359 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto) 5360 { 5361 struct block *b0; 5362 struct block *b1; 5363 5364 switch (proto) { 5365 5366 case Q_SCTP: 5367 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT, Q_DEFAULT); 5368 break; 5369 5370 case Q_TCP: 5371 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT, Q_DEFAULT); 5372 break; 5373 5374 case Q_UDP: 5375 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT, Q_DEFAULT); 5376 break; 5377 5378 case Q_ICMP: 5379 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5380 break; 5381 5382 #ifndef IPPROTO_IGMP 5383 #define IPPROTO_IGMP 2 5384 #endif 5385 5386 case Q_IGMP: 5387 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5388 break; 5389 5390 #ifndef IPPROTO_IGRP 5391 #define IPPROTO_IGRP 9 5392 #endif 5393 case Q_IGRP: 5394 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5395 break; 5396 5397 #ifndef IPPROTO_PIM 5398 #define IPPROTO_PIM 103 5399 #endif 5400 5401 case Q_PIM: 5402 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT, Q_DEFAULT); 5403 break; 5404 5405 #ifndef IPPROTO_VRRP 5406 #define IPPROTO_VRRP 112 5407 #endif 5408 5409 case Q_VRRP: 5410 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5411 break; 5412 5413 #ifndef IPPROTO_CARP 5414 #define IPPROTO_CARP 112 5415 #endif 5416 5417 case Q_CARP: 5418 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5419 break; 5420 5421 case Q_IP: 5422 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5423 break; 5424 5425 case Q_ARP: 5426 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5427 break; 5428 5429 case Q_RARP: 5430 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5431 break; 5432 5433 case Q_LINK: 5434 bpf_error(cstate, "link layer applied in wrong context"); 5435 5436 case Q_ATALK: 5437 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5438 break; 5439 5440 case Q_AARP: 5441 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5442 break; 5443 5444 case Q_DECNET: 5445 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5446 break; 5447 5448 case Q_SCA: 5449 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5450 break; 5451 5452 case Q_LAT: 5453 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5454 break; 5455 5456 case Q_MOPDL: 5457 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5458 break; 5459 5460 case Q_MOPRC: 5461 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5462 break; 5463 5464 case Q_IPV6: 5465 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5466 break; 5467 5468 #ifndef IPPROTO_ICMPV6 5469 #define IPPROTO_ICMPV6 58 5470 #endif 5471 case Q_ICMPV6: 5472 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5473 break; 5474 5475 #ifndef IPPROTO_AH 5476 #define IPPROTO_AH 51 5477 #endif 5478 case Q_AH: 5479 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT, Q_DEFAULT); 5480 break; 5481 5482 #ifndef IPPROTO_ESP 5483 #define IPPROTO_ESP 50 5484 #endif 5485 case Q_ESP: 5486 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT, Q_DEFAULT); 5487 break; 5488 5489 case Q_ISO: 5490 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5491 break; 5492 5493 case Q_ESIS: 5494 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5495 break; 5496 5497 case Q_ISIS: 5498 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5499 break; 5500 5501 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5502 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5503 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5504 gen_or(b0, b1); 5505 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5506 gen_or(b0, b1); 5507 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5508 gen_or(b0, b1); 5509 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5510 gen_or(b0, b1); 5511 break; 5512 5513 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5514 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5515 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5516 gen_or(b0, b1); 5517 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5518 gen_or(b0, b1); 5519 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5520 gen_or(b0, b1); 5521 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5522 gen_or(b0, b1); 5523 break; 5524 5525 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5526 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5527 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5528 gen_or(b0, b1); 5529 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5530 gen_or(b0, b1); 5531 break; 5532 5533 case Q_ISIS_LSP: 5534 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5535 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5536 gen_or(b0, b1); 5537 break; 5538 5539 case Q_ISIS_SNP: 5540 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5541 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5542 gen_or(b0, b1); 5543 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5544 gen_or(b0, b1); 5545 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5546 gen_or(b0, b1); 5547 break; 5548 5549 case Q_ISIS_CSNP: 5550 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5551 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5552 gen_or(b0, b1); 5553 break; 5554 5555 case Q_ISIS_PSNP: 5556 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5557 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5558 gen_or(b0, b1); 5559 break; 5560 5561 case Q_CLNP: 5562 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5563 break; 5564 5565 case Q_STP: 5566 b1 = gen_linktype(cstate, LLCSAP_8021D); 5567 break; 5568 5569 case Q_IPX: 5570 b1 = gen_linktype(cstate, LLCSAP_IPX); 5571 break; 5572 5573 case Q_NETBEUI: 5574 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5575 break; 5576 5577 case Q_RADIO: 5578 bpf_error(cstate, "'radio' is not a valid protocol type"); 5579 5580 default: 5581 abort(); 5582 } 5583 return b1; 5584 } 5585 5586 struct block * 5587 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5588 { 5589 /* 5590 * Catch errors reported by us and routines below us, and return NULL 5591 * on an error. 5592 */ 5593 if (setjmp(cstate->top_ctx)) 5594 return (NULL); 5595 5596 return gen_proto_abbrev_internal(cstate, proto); 5597 } 5598 5599 static struct block * 5600 gen_ipfrag(compiler_state_t *cstate) 5601 { 5602 struct slist *s; 5603 struct block *b; 5604 5605 /* not IPv4 frag other than the first frag */ 5606 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5607 b = new_block(cstate, JMP(BPF_JSET)); 5608 b->s.k = 0x1fff; 5609 b->stmts = s; 5610 gen_not(b); 5611 5612 return b; 5613 } 5614 5615 /* 5616 * Generate a comparison to a port value in the transport-layer header 5617 * at the specified offset from the beginning of that header. 5618 * 5619 * XXX - this handles a variable-length prefix preceding the link-layer 5620 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5621 * variable-length link-layer headers (such as Token Ring or 802.11 5622 * headers). 5623 */ 5624 static struct block * 5625 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v) 5626 { 5627 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5628 } 5629 5630 static struct block * 5631 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v) 5632 { 5633 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5634 } 5635 5636 static struct block * 5637 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir) 5638 { 5639 struct block *b0, *b1, *tmp; 5640 5641 /* ip proto 'proto' and not a fragment other than the first fragment */ 5642 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto); 5643 b0 = gen_ipfrag(cstate); 5644 gen_and(tmp, b0); 5645 5646 switch (dir) { 5647 case Q_SRC: 5648 b1 = gen_portatom(cstate, 0, port); 5649 break; 5650 5651 case Q_DST: 5652 b1 = gen_portatom(cstate, 2, port); 5653 break; 5654 5655 case Q_AND: 5656 tmp = gen_portatom(cstate, 0, port); 5657 b1 = gen_portatom(cstate, 2, port); 5658 gen_and(tmp, b1); 5659 break; 5660 5661 case Q_DEFAULT: 5662 case Q_OR: 5663 tmp = gen_portatom(cstate, 0, port); 5664 b1 = gen_portatom(cstate, 2, port); 5665 gen_or(tmp, b1); 5666 break; 5667 5668 case Q_ADDR1: 5669 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports"); 5670 /*NOTREACHED*/ 5671 5672 case Q_ADDR2: 5673 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports"); 5674 /*NOTREACHED*/ 5675 5676 case Q_ADDR3: 5677 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports"); 5678 /*NOTREACHED*/ 5679 5680 case Q_ADDR4: 5681 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports"); 5682 /*NOTREACHED*/ 5683 5684 case Q_RA: 5685 bpf_error(cstate, "'ra' is not a valid qualifier for ports"); 5686 /*NOTREACHED*/ 5687 5688 case Q_TA: 5689 bpf_error(cstate, "'ta' is not a valid qualifier for ports"); 5690 /*NOTREACHED*/ 5691 5692 default: 5693 abort(); 5694 /*NOTREACHED*/ 5695 } 5696 gen_and(b0, b1); 5697 5698 return b1; 5699 } 5700 5701 static struct block * 5702 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir) 5703 { 5704 struct block *b0, *b1, *tmp; 5705 5706 /* 5707 * ether proto ip 5708 * 5709 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5710 * not LLC encapsulation with LLCSAP_IP. 5711 * 5712 * For IEEE 802 networks - which includes 802.5 token ring 5713 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5714 * says that SNAP encapsulation is used, not LLC encapsulation 5715 * with LLCSAP_IP. 5716 * 5717 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5718 * RFC 2225 say that SNAP encapsulation is used, not LLC 5719 * encapsulation with LLCSAP_IP. 5720 * 5721 * So we always check for ETHERTYPE_IP. 5722 */ 5723 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5724 5725 switch (ip_proto) { 5726 case IPPROTO_UDP: 5727 case IPPROTO_TCP: 5728 case IPPROTO_SCTP: 5729 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir); 5730 break; 5731 5732 case PROTO_UNDEF: 5733 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5734 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5735 gen_or(tmp, b1); 5736 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5737 gen_or(tmp, b1); 5738 break; 5739 5740 default: 5741 abort(); 5742 } 5743 gen_and(b0, b1); 5744 return b1; 5745 } 5746 5747 struct block * 5748 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir) 5749 { 5750 struct block *b0, *b1, *tmp; 5751 5752 /* ip6 proto 'proto' */ 5753 /* XXX - catch the first fragment of a fragmented packet? */ 5754 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto); 5755 5756 switch (dir) { 5757 case Q_SRC: 5758 b1 = gen_portatom6(cstate, 0, port); 5759 break; 5760 5761 case Q_DST: 5762 b1 = gen_portatom6(cstate, 2, port); 5763 break; 5764 5765 case Q_AND: 5766 tmp = gen_portatom6(cstate, 0, port); 5767 b1 = gen_portatom6(cstate, 2, port); 5768 gen_and(tmp, b1); 5769 break; 5770 5771 case Q_DEFAULT: 5772 case Q_OR: 5773 tmp = gen_portatom6(cstate, 0, port); 5774 b1 = gen_portatom6(cstate, 2, port); 5775 gen_or(tmp, b1); 5776 break; 5777 5778 default: 5779 abort(); 5780 } 5781 gen_and(b0, b1); 5782 5783 return b1; 5784 } 5785 5786 static struct block * 5787 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir) 5788 { 5789 struct block *b0, *b1, *tmp; 5790 5791 /* link proto ip6 */ 5792 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5793 5794 switch (ip_proto) { 5795 case IPPROTO_UDP: 5796 case IPPROTO_TCP: 5797 case IPPROTO_SCTP: 5798 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir); 5799 break; 5800 5801 case PROTO_UNDEF: 5802 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5803 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5804 gen_or(tmp, b1); 5805 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5806 gen_or(tmp, b1); 5807 break; 5808 5809 default: 5810 abort(); 5811 } 5812 gen_and(b0, b1); 5813 return b1; 5814 } 5815 5816 /* gen_portrange code */ 5817 static struct block * 5818 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1, 5819 bpf_u_int32 v2) 5820 { 5821 struct block *b1, *b2; 5822 5823 if (v1 > v2) { 5824 /* 5825 * Reverse the order of the ports, so v1 is the lower one. 5826 */ 5827 bpf_u_int32 vtemp; 5828 5829 vtemp = v1; 5830 v1 = v2; 5831 v2 = vtemp; 5832 } 5833 5834 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5835 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5836 5837 gen_and(b1, b2); 5838 5839 return b2; 5840 } 5841 5842 static struct block * 5843 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2, 5844 bpf_u_int32 proto, int dir) 5845 { 5846 struct block *b0, *b1, *tmp; 5847 5848 /* ip proto 'proto' and not a fragment other than the first fragment */ 5849 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto); 5850 b0 = gen_ipfrag(cstate); 5851 gen_and(tmp, b0); 5852 5853 switch (dir) { 5854 case Q_SRC: 5855 b1 = gen_portrangeatom(cstate, 0, port1, port2); 5856 break; 5857 5858 case Q_DST: 5859 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5860 break; 5861 5862 case Q_AND: 5863 tmp = gen_portrangeatom(cstate, 0, port1, port2); 5864 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5865 gen_and(tmp, b1); 5866 break; 5867 5868 case Q_DEFAULT: 5869 case Q_OR: 5870 tmp = gen_portrangeatom(cstate, 0, port1, port2); 5871 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5872 gen_or(tmp, b1); 5873 break; 5874 5875 case Q_ADDR1: 5876 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges"); 5877 /*NOTREACHED*/ 5878 5879 case Q_ADDR2: 5880 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges"); 5881 /*NOTREACHED*/ 5882 5883 case Q_ADDR3: 5884 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges"); 5885 /*NOTREACHED*/ 5886 5887 case Q_ADDR4: 5888 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges"); 5889 /*NOTREACHED*/ 5890 5891 case Q_RA: 5892 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges"); 5893 /*NOTREACHED*/ 5894 5895 case Q_TA: 5896 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges"); 5897 /*NOTREACHED*/ 5898 5899 default: 5900 abort(); 5901 /*NOTREACHED*/ 5902 } 5903 gen_and(b0, b1); 5904 5905 return b1; 5906 } 5907 5908 static struct block * 5909 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto, 5910 int dir) 5911 { 5912 struct block *b0, *b1, *tmp; 5913 5914 /* link proto ip */ 5915 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5916 5917 switch (ip_proto) { 5918 case IPPROTO_UDP: 5919 case IPPROTO_TCP: 5920 case IPPROTO_SCTP: 5921 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto, 5922 dir); 5923 break; 5924 5925 case PROTO_UNDEF: 5926 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5927 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5928 gen_or(tmp, b1); 5929 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5930 gen_or(tmp, b1); 5931 break; 5932 5933 default: 5934 abort(); 5935 } 5936 gen_and(b0, b1); 5937 return b1; 5938 } 5939 5940 static struct block * 5941 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1, 5942 bpf_u_int32 v2) 5943 { 5944 struct block *b1, *b2; 5945 5946 if (v1 > v2) { 5947 /* 5948 * Reverse the order of the ports, so v1 is the lower one. 5949 */ 5950 bpf_u_int32 vtemp; 5951 5952 vtemp = v1; 5953 v1 = v2; 5954 v2 = vtemp; 5955 } 5956 5957 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5958 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5959 5960 gen_and(b1, b2); 5961 5962 return b2; 5963 } 5964 5965 static struct block * 5966 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2, 5967 bpf_u_int32 proto, int dir) 5968 { 5969 struct block *b0, *b1, *tmp; 5970 5971 /* ip6 proto 'proto' */ 5972 /* XXX - catch the first fragment of a fragmented packet? */ 5973 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto); 5974 5975 switch (dir) { 5976 case Q_SRC: 5977 b1 = gen_portrangeatom6(cstate, 0, port1, port2); 5978 break; 5979 5980 case Q_DST: 5981 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5982 break; 5983 5984 case Q_AND: 5985 tmp = gen_portrangeatom6(cstate, 0, port1, port2); 5986 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5987 gen_and(tmp, b1); 5988 break; 5989 5990 case Q_DEFAULT: 5991 case Q_OR: 5992 tmp = gen_portrangeatom6(cstate, 0, port1, port2); 5993 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5994 gen_or(tmp, b1); 5995 break; 5996 5997 default: 5998 abort(); 5999 } 6000 gen_and(b0, b1); 6001 6002 return b1; 6003 } 6004 6005 static struct block * 6006 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto, 6007 int dir) 6008 { 6009 struct block *b0, *b1, *tmp; 6010 6011 /* link proto ip6 */ 6012 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6013 6014 switch (ip_proto) { 6015 case IPPROTO_UDP: 6016 case IPPROTO_TCP: 6017 case IPPROTO_SCTP: 6018 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto, 6019 dir); 6020 break; 6021 6022 case PROTO_UNDEF: 6023 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 6024 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 6025 gen_or(tmp, b1); 6026 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 6027 gen_or(tmp, b1); 6028 break; 6029 6030 default: 6031 abort(); 6032 } 6033 gen_and(b0, b1); 6034 return b1; 6035 } 6036 6037 static int 6038 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 6039 { 6040 register int v; 6041 6042 switch (proto) { 6043 6044 case Q_DEFAULT: 6045 case Q_IP: 6046 case Q_IPV6: 6047 v = pcap_nametoproto(name); 6048 if (v == PROTO_UNDEF) 6049 bpf_error(cstate, "unknown ip proto '%s'", name); 6050 break; 6051 6052 case Q_LINK: 6053 /* XXX should look up h/w protocol type based on cstate->linktype */ 6054 v = pcap_nametoeproto(name); 6055 if (v == PROTO_UNDEF) { 6056 v = pcap_nametollc(name); 6057 if (v == PROTO_UNDEF) 6058 bpf_error(cstate, "unknown ether proto '%s'", name); 6059 } 6060 break; 6061 6062 case Q_ISO: 6063 if (strcmp(name, "esis") == 0) 6064 v = ISO9542_ESIS; 6065 else if (strcmp(name, "isis") == 0) 6066 v = ISO10589_ISIS; 6067 else if (strcmp(name, "clnp") == 0) 6068 v = ISO8473_CLNP; 6069 else 6070 bpf_error(cstate, "unknown osi proto '%s'", name); 6071 break; 6072 6073 default: 6074 v = PROTO_UNDEF; 6075 break; 6076 } 6077 return v; 6078 } 6079 6080 #if !defined(NO_PROTOCHAIN) 6081 static struct block * 6082 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto) 6083 { 6084 struct block *b0, *b; 6085 struct slist *s[100]; 6086 int fix2, fix3, fix4, fix5; 6087 int ahcheck, again, end; 6088 int i, max; 6089 int reg2 = alloc_reg(cstate); 6090 6091 memset(s, 0, sizeof(s)); 6092 fix3 = fix4 = fix5 = 0; 6093 6094 switch (proto) { 6095 case Q_IP: 6096 case Q_IPV6: 6097 break; 6098 case Q_DEFAULT: 6099 b0 = gen_protochain(cstate, v, Q_IP); 6100 b = gen_protochain(cstate, v, Q_IPV6); 6101 gen_or(b0, b); 6102 return b; 6103 default: 6104 bpf_error(cstate, "bad protocol applied for 'protochain'"); 6105 /*NOTREACHED*/ 6106 } 6107 6108 /* 6109 * We don't handle variable-length prefixes before the link-layer 6110 * header, or variable-length link-layer headers, here yet. 6111 * We might want to add BPF instructions to do the protochain 6112 * work, to simplify that and, on platforms that have a BPF 6113 * interpreter with the new instructions, let the filtering 6114 * be done in the kernel. (We already require a modified BPF 6115 * engine to do the protochain stuff, to support backward 6116 * branches, and backward branch support is unlikely to appear 6117 * in kernel BPF engines.) 6118 */ 6119 if (cstate->off_linkpl.is_variable) 6120 bpf_error(cstate, "'protochain' not supported with variable length headers"); 6121 6122 /* 6123 * To quote a comment in optimize.c: 6124 * 6125 * "These data structures are used in a Cocke and Shwarz style 6126 * value numbering scheme. Since the flowgraph is acyclic, 6127 * exit values can be propagated from a node's predecessors 6128 * provided it is uniquely defined." 6129 * 6130 * "Acyclic" means "no backward branches", which means "no 6131 * loops", so we have to turn the optimizer off. 6132 */ 6133 cstate->no_optimize = 1; 6134 6135 /* 6136 * s[0] is a dummy entry to protect other BPF insn from damage 6137 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 6138 * hard to find interdependency made by jump table fixup. 6139 */ 6140 i = 0; 6141 s[i] = new_stmt(cstate, 0); /*dummy*/ 6142 i++; 6143 6144 switch (proto) { 6145 case Q_IP: 6146 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6147 6148 /* A = ip->ip_p */ 6149 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6150 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 6151 i++; 6152 /* X = ip->ip_hl << 2 */ 6153 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 6154 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6155 i++; 6156 break; 6157 6158 case Q_IPV6: 6159 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6160 6161 /* A = ip6->ip_nxt */ 6162 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6163 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 6164 i++; 6165 /* X = sizeof(struct ip6_hdr) */ 6166 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 6167 s[i]->s.k = 40; 6168 i++; 6169 break; 6170 6171 default: 6172 bpf_error(cstate, "unsupported proto to gen_protochain"); 6173 /*NOTREACHED*/ 6174 } 6175 6176 /* again: if (A == v) goto end; else fall through; */ 6177 again = i; 6178 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6179 s[i]->s.k = v; 6180 s[i]->s.jt = NULL; /*later*/ 6181 s[i]->s.jf = NULL; /*update in next stmt*/ 6182 fix5 = i; 6183 i++; 6184 6185 #ifndef IPPROTO_NONE 6186 #define IPPROTO_NONE 59 6187 #endif 6188 /* if (A == IPPROTO_NONE) goto end */ 6189 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6190 s[i]->s.jt = NULL; /*later*/ 6191 s[i]->s.jf = NULL; /*update in next stmt*/ 6192 s[i]->s.k = IPPROTO_NONE; 6193 s[fix5]->s.jf = s[i]; 6194 fix2 = i; 6195 i++; 6196 6197 if (proto == Q_IPV6) { 6198 int v6start, v6end, v6advance, j; 6199 6200 v6start = i; 6201 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 6202 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6203 s[i]->s.jt = NULL; /*later*/ 6204 s[i]->s.jf = NULL; /*update in next stmt*/ 6205 s[i]->s.k = IPPROTO_HOPOPTS; 6206 s[fix2]->s.jf = s[i]; 6207 i++; 6208 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 6209 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6210 s[i]->s.jt = NULL; /*later*/ 6211 s[i]->s.jf = NULL; /*update in next stmt*/ 6212 s[i]->s.k = IPPROTO_DSTOPTS; 6213 i++; 6214 /* if (A == IPPROTO_ROUTING) goto v6advance */ 6215 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6216 s[i]->s.jt = NULL; /*later*/ 6217 s[i]->s.jf = NULL; /*update in next stmt*/ 6218 s[i]->s.k = IPPROTO_ROUTING; 6219 i++; 6220 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 6221 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6222 s[i]->s.jt = NULL; /*later*/ 6223 s[i]->s.jf = NULL; /*later*/ 6224 s[i]->s.k = IPPROTO_FRAGMENT; 6225 fix3 = i; 6226 v6end = i; 6227 i++; 6228 6229 /* v6advance: */ 6230 v6advance = i; 6231 6232 /* 6233 * in short, 6234 * A = P[X + packet head]; 6235 * X = X + (P[X + packet head + 1] + 1) * 8; 6236 */ 6237 /* A = P[X + packet head] */ 6238 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6239 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6240 i++; 6241 /* MEM[reg2] = A */ 6242 s[i] = new_stmt(cstate, BPF_ST); 6243 s[i]->s.k = reg2; 6244 i++; 6245 /* A = P[X + packet head + 1]; */ 6246 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6247 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 6248 i++; 6249 /* A += 1 */ 6250 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6251 s[i]->s.k = 1; 6252 i++; 6253 /* A *= 8 */ 6254 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6255 s[i]->s.k = 8; 6256 i++; 6257 /* A += X */ 6258 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 6259 s[i]->s.k = 0; 6260 i++; 6261 /* X = A; */ 6262 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6263 i++; 6264 /* A = MEM[reg2] */ 6265 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6266 s[i]->s.k = reg2; 6267 i++; 6268 6269 /* goto again; (must use BPF_JA for backward jump) */ 6270 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6271 s[i]->s.k = again - i - 1; 6272 s[i - 1]->s.jf = s[i]; 6273 i++; 6274 6275 /* fixup */ 6276 for (j = v6start; j <= v6end; j++) 6277 s[j]->s.jt = s[v6advance]; 6278 } else { 6279 /* nop */ 6280 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6281 s[i]->s.k = 0; 6282 s[fix2]->s.jf = s[i]; 6283 i++; 6284 } 6285 6286 /* ahcheck: */ 6287 ahcheck = i; 6288 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 6289 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6290 s[i]->s.jt = NULL; /*later*/ 6291 s[i]->s.jf = NULL; /*later*/ 6292 s[i]->s.k = IPPROTO_AH; 6293 if (fix3) 6294 s[fix3]->s.jf = s[ahcheck]; 6295 fix4 = i; 6296 i++; 6297 6298 /* 6299 * in short, 6300 * A = P[X]; 6301 * X = X + (P[X + 1] + 2) * 4; 6302 */ 6303 /* A = X */ 6304 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6305 i++; 6306 /* A = P[X + packet head]; */ 6307 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6308 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6309 i++; 6310 /* MEM[reg2] = A */ 6311 s[i] = new_stmt(cstate, BPF_ST); 6312 s[i]->s.k = reg2; 6313 i++; 6314 /* A = X */ 6315 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6316 i++; 6317 /* A += 1 */ 6318 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6319 s[i]->s.k = 1; 6320 i++; 6321 /* X = A */ 6322 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6323 i++; 6324 /* A = P[X + packet head] */ 6325 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6326 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6327 i++; 6328 /* A += 2 */ 6329 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6330 s[i]->s.k = 2; 6331 i++; 6332 /* A *= 4 */ 6333 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6334 s[i]->s.k = 4; 6335 i++; 6336 /* X = A; */ 6337 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6338 i++; 6339 /* A = MEM[reg2] */ 6340 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6341 s[i]->s.k = reg2; 6342 i++; 6343 6344 /* goto again; (must use BPF_JA for backward jump) */ 6345 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6346 s[i]->s.k = again - i - 1; 6347 i++; 6348 6349 /* end: nop */ 6350 end = i; 6351 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6352 s[i]->s.k = 0; 6353 s[fix2]->s.jt = s[end]; 6354 s[fix4]->s.jf = s[end]; 6355 s[fix5]->s.jt = s[end]; 6356 i++; 6357 6358 /* 6359 * make slist chain 6360 */ 6361 max = i; 6362 for (i = 0; i < max - 1; i++) 6363 s[i]->next = s[i + 1]; 6364 s[max - 1]->next = NULL; 6365 6366 /* 6367 * emit final check 6368 */ 6369 b = new_block(cstate, JMP(BPF_JEQ)); 6370 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6371 b->s.k = v; 6372 6373 free_reg(cstate, reg2); 6374 6375 gen_and(b0, b); 6376 return b; 6377 } 6378 #endif /* !defined(NO_PROTOCHAIN) */ 6379 6380 static struct block * 6381 gen_check_802_11_data_frame(compiler_state_t *cstate) 6382 { 6383 struct slist *s; 6384 struct block *b0, *b1; 6385 6386 /* 6387 * A data frame has the 0x08 bit (b3) in the frame control field set 6388 * and the 0x04 bit (b2) clear. 6389 */ 6390 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6391 b0 = new_block(cstate, JMP(BPF_JSET)); 6392 b0->s.k = 0x08; 6393 b0->stmts = s; 6394 6395 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6396 b1 = new_block(cstate, JMP(BPF_JSET)); 6397 b1->s.k = 0x04; 6398 b1->stmts = s; 6399 gen_not(b1); 6400 6401 gen_and(b1, b0); 6402 6403 return b0; 6404 } 6405 6406 /* 6407 * Generate code that checks whether the packet is a packet for protocol 6408 * <proto> and whether the type field in that protocol's header has 6409 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6410 * IP packet and checks the protocol number in the IP header against <v>. 6411 * 6412 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6413 * against Q_IP and Q_IPV6. 6414 */ 6415 static struct block * 6416 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir) 6417 { 6418 struct block *b0, *b1; 6419 struct block *b2; 6420 6421 if (dir != Q_DEFAULT) 6422 bpf_error(cstate, "direction applied to 'proto'"); 6423 6424 switch (proto) { 6425 case Q_DEFAULT: 6426 b0 = gen_proto(cstate, v, Q_IP, dir); 6427 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6428 gen_or(b0, b1); 6429 return b1; 6430 6431 case Q_LINK: 6432 return gen_linktype(cstate, v); 6433 6434 case Q_IP: 6435 /* 6436 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6437 * not LLC encapsulation with LLCSAP_IP. 6438 * 6439 * For IEEE 802 networks - which includes 802.5 token ring 6440 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6441 * says that SNAP encapsulation is used, not LLC encapsulation 6442 * with LLCSAP_IP. 6443 * 6444 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6445 * RFC 2225 say that SNAP encapsulation is used, not LLC 6446 * encapsulation with LLCSAP_IP. 6447 * 6448 * So we always check for ETHERTYPE_IP. 6449 */ 6450 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6451 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v); 6452 gen_and(b0, b1); 6453 return b1; 6454 6455 case Q_ARP: 6456 bpf_error(cstate, "arp does not encapsulate another protocol"); 6457 /*NOTREACHED*/ 6458 6459 case Q_RARP: 6460 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6461 /*NOTREACHED*/ 6462 6463 case Q_SCTP: 6464 bpf_error(cstate, "'sctp proto' is bogus"); 6465 /*NOTREACHED*/ 6466 6467 case Q_TCP: 6468 bpf_error(cstate, "'tcp proto' is bogus"); 6469 /*NOTREACHED*/ 6470 6471 case Q_UDP: 6472 bpf_error(cstate, "'udp proto' is bogus"); 6473 /*NOTREACHED*/ 6474 6475 case Q_ICMP: 6476 bpf_error(cstate, "'icmp proto' is bogus"); 6477 /*NOTREACHED*/ 6478 6479 case Q_IGMP: 6480 bpf_error(cstate, "'igmp proto' is bogus"); 6481 /*NOTREACHED*/ 6482 6483 case Q_IGRP: 6484 bpf_error(cstate, "'igrp proto' is bogus"); 6485 /*NOTREACHED*/ 6486 6487 case Q_ATALK: 6488 bpf_error(cstate, "AppleTalk encapsulation is not specifiable"); 6489 /*NOTREACHED*/ 6490 6491 case Q_DECNET: 6492 bpf_error(cstate, "DECNET encapsulation is not specifiable"); 6493 /*NOTREACHED*/ 6494 6495 case Q_LAT: 6496 bpf_error(cstate, "LAT does not encapsulate another protocol"); 6497 /*NOTREACHED*/ 6498 6499 case Q_SCA: 6500 bpf_error(cstate, "SCA does not encapsulate another protocol"); 6501 /*NOTREACHED*/ 6502 6503 case Q_MOPRC: 6504 bpf_error(cstate, "MOPRC does not encapsulate another protocol"); 6505 /*NOTREACHED*/ 6506 6507 case Q_MOPDL: 6508 bpf_error(cstate, "MOPDL does not encapsulate another protocol"); 6509 /*NOTREACHED*/ 6510 6511 case Q_IPV6: 6512 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6513 /* 6514 * Also check for a fragment header before the final 6515 * header. 6516 */ 6517 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6518 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v); 6519 gen_and(b2, b1); 6520 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v); 6521 gen_or(b2, b1); 6522 gen_and(b0, b1); 6523 return b1; 6524 6525 case Q_ICMPV6: 6526 bpf_error(cstate, "'icmp6 proto' is bogus"); 6527 /*NOTREACHED*/ 6528 6529 case Q_AH: 6530 bpf_error(cstate, "'ah proto' is bogus"); 6531 /*NOTREACHED*/ 6532 6533 case Q_ESP: 6534 bpf_error(cstate, "'esp proto' is bogus"); 6535 /*NOTREACHED*/ 6536 6537 case Q_PIM: 6538 bpf_error(cstate, "'pim proto' is bogus"); 6539 /*NOTREACHED*/ 6540 6541 case Q_VRRP: 6542 bpf_error(cstate, "'vrrp proto' is bogus"); 6543 /*NOTREACHED*/ 6544 6545 case Q_AARP: 6546 bpf_error(cstate, "'aarp proto' is bogus"); 6547 /*NOTREACHED*/ 6548 6549 case Q_ISO: 6550 switch (cstate->linktype) { 6551 6552 case DLT_FRELAY: 6553 /* 6554 * Frame Relay packets typically have an OSI 6555 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6556 * generates code to check for all the OSI 6557 * NLPIDs, so calling it and then adding a check 6558 * for the particular NLPID for which we're 6559 * looking is bogus, as we can just check for 6560 * the NLPID. 6561 * 6562 * What we check for is the NLPID and a frame 6563 * control field value of UI, i.e. 0x03 followed 6564 * by the NLPID. 6565 * 6566 * XXX - assumes a 2-byte Frame Relay header with 6567 * DLCI and flags. What if the address is longer? 6568 * 6569 * XXX - what about SNAP-encapsulated frames? 6570 */ 6571 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6572 /*NOTREACHED*/ 6573 6574 case DLT_C_HDLC: 6575 case DLT_HDLC: 6576 /* 6577 * Cisco uses an Ethertype lookalike - for OSI, 6578 * it's 0xfefe. 6579 */ 6580 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6581 /* OSI in C-HDLC is stuffed with a fudge byte */ 6582 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v); 6583 gen_and(b0, b1); 6584 return b1; 6585 6586 default: 6587 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6588 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v); 6589 gen_and(b0, b1); 6590 return b1; 6591 } 6592 6593 case Q_ESIS: 6594 bpf_error(cstate, "'esis proto' is bogus"); 6595 /*NOTREACHED*/ 6596 6597 case Q_ISIS: 6598 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6599 /* 6600 * 4 is the offset of the PDU type relative to the IS-IS 6601 * header. 6602 */ 6603 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v); 6604 gen_and(b0, b1); 6605 return b1; 6606 6607 case Q_CLNP: 6608 bpf_error(cstate, "'clnp proto' is not supported"); 6609 /*NOTREACHED*/ 6610 6611 case Q_STP: 6612 bpf_error(cstate, "'stp proto' is bogus"); 6613 /*NOTREACHED*/ 6614 6615 case Q_IPX: 6616 bpf_error(cstate, "'ipx proto' is bogus"); 6617 /*NOTREACHED*/ 6618 6619 case Q_NETBEUI: 6620 bpf_error(cstate, "'netbeui proto' is bogus"); 6621 /*NOTREACHED*/ 6622 6623 case Q_ISIS_L1: 6624 bpf_error(cstate, "'l1 proto' is bogus"); 6625 /*NOTREACHED*/ 6626 6627 case Q_ISIS_L2: 6628 bpf_error(cstate, "'l2 proto' is bogus"); 6629 /*NOTREACHED*/ 6630 6631 case Q_ISIS_IIH: 6632 bpf_error(cstate, "'iih proto' is bogus"); 6633 /*NOTREACHED*/ 6634 6635 case Q_ISIS_SNP: 6636 bpf_error(cstate, "'snp proto' is bogus"); 6637 /*NOTREACHED*/ 6638 6639 case Q_ISIS_CSNP: 6640 bpf_error(cstate, "'csnp proto' is bogus"); 6641 /*NOTREACHED*/ 6642 6643 case Q_ISIS_PSNP: 6644 bpf_error(cstate, "'psnp proto' is bogus"); 6645 /*NOTREACHED*/ 6646 6647 case Q_ISIS_LSP: 6648 bpf_error(cstate, "'lsp proto' is bogus"); 6649 /*NOTREACHED*/ 6650 6651 case Q_RADIO: 6652 bpf_error(cstate, "'radio proto' is bogus"); 6653 /*NOTREACHED*/ 6654 6655 case Q_CARP: 6656 bpf_error(cstate, "'carp proto' is bogus"); 6657 /*NOTREACHED*/ 6658 6659 default: 6660 abort(); 6661 /*NOTREACHED*/ 6662 } 6663 /*NOTREACHED*/ 6664 } 6665 6666 struct block * 6667 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6668 { 6669 int proto = q.proto; 6670 int dir = q.dir; 6671 int tproto; 6672 u_char *eaddr; 6673 bpf_u_int32 mask, addr; 6674 struct addrinfo *res, *res0; 6675 struct sockaddr_in *sin4; 6676 #ifdef INET6 6677 int tproto6; 6678 struct sockaddr_in6 *sin6; 6679 struct in6_addr mask128; 6680 #endif /*INET6*/ 6681 struct block *b, *tmp; 6682 int port, real_proto; 6683 int port1, port2; 6684 6685 /* 6686 * Catch errors reported by us and routines below us, and return NULL 6687 * on an error. 6688 */ 6689 if (setjmp(cstate->top_ctx)) 6690 return (NULL); 6691 6692 switch (q.addr) { 6693 6694 case Q_NET: 6695 addr = pcap_nametonetaddr(name); 6696 if (addr == 0) 6697 bpf_error(cstate, "unknown network '%s'", name); 6698 /* Left justify network addr and calculate its network mask */ 6699 mask = 0xffffffff; 6700 while (addr && (addr & 0xff000000) == 0) { 6701 addr <<= 8; 6702 mask <<= 8; 6703 } 6704 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6705 6706 case Q_DEFAULT: 6707 case Q_HOST: 6708 if (proto == Q_LINK) { 6709 switch (cstate->linktype) { 6710 6711 case DLT_EN10MB: 6712 case DLT_NETANALYZER: 6713 case DLT_NETANALYZER_TRANSPARENT: 6714 eaddr = pcap_ether_hostton(name); 6715 if (eaddr == NULL) 6716 bpf_error(cstate, 6717 "unknown ether host '%s'", name); 6718 tmp = gen_prevlinkhdr_check(cstate); 6719 b = gen_ehostop(cstate, eaddr, dir); 6720 if (tmp != NULL) 6721 gen_and(tmp, b); 6722 free(eaddr); 6723 return b; 6724 6725 case DLT_FDDI: 6726 eaddr = pcap_ether_hostton(name); 6727 if (eaddr == NULL) 6728 bpf_error(cstate, 6729 "unknown FDDI host '%s'", name); 6730 b = gen_fhostop(cstate, eaddr, dir); 6731 free(eaddr); 6732 return b; 6733 6734 case DLT_IEEE802: 6735 eaddr = pcap_ether_hostton(name); 6736 if (eaddr == NULL) 6737 bpf_error(cstate, 6738 "unknown token ring host '%s'", name); 6739 b = gen_thostop(cstate, eaddr, dir); 6740 free(eaddr); 6741 return b; 6742 6743 case DLT_IEEE802_11: 6744 case DLT_PRISM_HEADER: 6745 case DLT_IEEE802_11_RADIO_AVS: 6746 case DLT_IEEE802_11_RADIO: 6747 case DLT_PPI: 6748 eaddr = pcap_ether_hostton(name); 6749 if (eaddr == NULL) 6750 bpf_error(cstate, 6751 "unknown 802.11 host '%s'", name); 6752 b = gen_wlanhostop(cstate, eaddr, dir); 6753 free(eaddr); 6754 return b; 6755 6756 case DLT_IP_OVER_FC: 6757 eaddr = pcap_ether_hostton(name); 6758 if (eaddr == NULL) 6759 bpf_error(cstate, 6760 "unknown Fibre Channel host '%s'", name); 6761 b = gen_ipfchostop(cstate, eaddr, dir); 6762 free(eaddr); 6763 return b; 6764 } 6765 6766 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6767 } else if (proto == Q_DECNET) { 6768 unsigned short dn_addr; 6769 6770 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6771 #ifdef DECNETLIB 6772 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6773 #else 6774 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6775 name); 6776 #endif 6777 } 6778 /* 6779 * I don't think DECNET hosts can be multihomed, so 6780 * there is no need to build up a list of addresses 6781 */ 6782 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6783 } else { 6784 #ifdef INET6 6785 memset(&mask128, 0xff, sizeof(mask128)); 6786 #endif 6787 res0 = res = pcap_nametoaddrinfo(name); 6788 if (res == NULL) 6789 bpf_error(cstate, "unknown host '%s'", name); 6790 cstate->ai = res; 6791 b = tmp = NULL; 6792 tproto = proto; 6793 #ifdef INET6 6794 tproto6 = proto; 6795 #endif 6796 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6797 tproto == Q_DEFAULT) { 6798 tproto = Q_IP; 6799 #ifdef INET6 6800 tproto6 = Q_IPV6; 6801 #endif 6802 } 6803 for (res = res0; res; res = res->ai_next) { 6804 switch (res->ai_family) { 6805 case AF_INET: 6806 #ifdef INET6 6807 if (tproto == Q_IPV6) 6808 continue; 6809 #endif 6810 6811 sin4 = (struct sockaddr_in *) 6812 res->ai_addr; 6813 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6814 0xffffffff, tproto, dir, q.addr); 6815 break; 6816 #ifdef INET6 6817 case AF_INET6: 6818 if (tproto6 == Q_IP) 6819 continue; 6820 6821 sin6 = (struct sockaddr_in6 *) 6822 res->ai_addr; 6823 tmp = gen_host6(cstate, &sin6->sin6_addr, 6824 &mask128, tproto6, dir, q.addr); 6825 break; 6826 #endif 6827 default: 6828 continue; 6829 } 6830 if (b) 6831 gen_or(b, tmp); 6832 b = tmp; 6833 } 6834 cstate->ai = NULL; 6835 freeaddrinfo(res0); 6836 if (b == NULL) { 6837 bpf_error(cstate, "unknown host '%s'%s", name, 6838 (proto == Q_DEFAULT) 6839 ? "" 6840 : " for specified address family"); 6841 } 6842 return b; 6843 } 6844 6845 case Q_PORT: 6846 if (proto != Q_DEFAULT && 6847 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6848 bpf_error(cstate, "illegal qualifier of 'port'"); 6849 if (pcap_nametoport(name, &port, &real_proto) == 0) 6850 bpf_error(cstate, "unknown port '%s'", name); 6851 if (proto == Q_UDP) { 6852 if (real_proto == IPPROTO_TCP) 6853 bpf_error(cstate, "port '%s' is tcp", name); 6854 else if (real_proto == IPPROTO_SCTP) 6855 bpf_error(cstate, "port '%s' is sctp", name); 6856 else 6857 /* override PROTO_UNDEF */ 6858 real_proto = IPPROTO_UDP; 6859 } 6860 if (proto == Q_TCP) { 6861 if (real_proto == IPPROTO_UDP) 6862 bpf_error(cstate, "port '%s' is udp", name); 6863 6864 else if (real_proto == IPPROTO_SCTP) 6865 bpf_error(cstate, "port '%s' is sctp", name); 6866 else 6867 /* override PROTO_UNDEF */ 6868 real_proto = IPPROTO_TCP; 6869 } 6870 if (proto == Q_SCTP) { 6871 if (real_proto == IPPROTO_UDP) 6872 bpf_error(cstate, "port '%s' is udp", name); 6873 6874 else if (real_proto == IPPROTO_TCP) 6875 bpf_error(cstate, "port '%s' is tcp", name); 6876 else 6877 /* override PROTO_UNDEF */ 6878 real_proto = IPPROTO_SCTP; 6879 } 6880 if (port < 0) 6881 bpf_error(cstate, "illegal port number %d < 0", port); 6882 if (port > 65535) 6883 bpf_error(cstate, "illegal port number %d > 65535", port); 6884 b = gen_port(cstate, port, real_proto, dir); 6885 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6886 return b; 6887 6888 case Q_PORTRANGE: 6889 if (proto != Q_DEFAULT && 6890 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6891 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6892 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6893 bpf_error(cstate, "unknown port in range '%s'", name); 6894 if (proto == Q_UDP) { 6895 if (real_proto == IPPROTO_TCP) 6896 bpf_error(cstate, "port in range '%s' is tcp", name); 6897 else if (real_proto == IPPROTO_SCTP) 6898 bpf_error(cstate, "port in range '%s' is sctp", name); 6899 else 6900 /* override PROTO_UNDEF */ 6901 real_proto = IPPROTO_UDP; 6902 } 6903 if (proto == Q_TCP) { 6904 if (real_proto == IPPROTO_UDP) 6905 bpf_error(cstate, "port in range '%s' is udp", name); 6906 else if (real_proto == IPPROTO_SCTP) 6907 bpf_error(cstate, "port in range '%s' is sctp", name); 6908 else 6909 /* override PROTO_UNDEF */ 6910 real_proto = IPPROTO_TCP; 6911 } 6912 if (proto == Q_SCTP) { 6913 if (real_proto == IPPROTO_UDP) 6914 bpf_error(cstate, "port in range '%s' is udp", name); 6915 else if (real_proto == IPPROTO_TCP) 6916 bpf_error(cstate, "port in range '%s' is tcp", name); 6917 else 6918 /* override PROTO_UNDEF */ 6919 real_proto = IPPROTO_SCTP; 6920 } 6921 if (port1 < 0) 6922 bpf_error(cstate, "illegal port number %d < 0", port1); 6923 if (port1 > 65535) 6924 bpf_error(cstate, "illegal port number %d > 65535", port1); 6925 if (port2 < 0) 6926 bpf_error(cstate, "illegal port number %d < 0", port2); 6927 if (port2 > 65535) 6928 bpf_error(cstate, "illegal port number %d > 65535", port2); 6929 6930 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6931 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6932 return b; 6933 6934 case Q_GATEWAY: 6935 #ifndef INET6 6936 eaddr = pcap_ether_hostton(name); 6937 if (eaddr == NULL) 6938 bpf_error(cstate, "unknown ether host: %s", name); 6939 6940 res = pcap_nametoaddrinfo(name); 6941 cstate->ai = res; 6942 if (res == NULL) 6943 bpf_error(cstate, "unknown host '%s'", name); 6944 b = gen_gateway(cstate, eaddr, res, proto, dir); 6945 cstate->ai = NULL; 6946 freeaddrinfo(res); 6947 if (b == NULL) 6948 bpf_error(cstate, "unknown host '%s'", name); 6949 return b; 6950 #else 6951 bpf_error(cstate, "'gateway' not supported in this configuration"); 6952 #endif /*INET6*/ 6953 6954 case Q_PROTO: 6955 real_proto = lookup_proto(cstate, name, proto); 6956 if (real_proto >= 0) 6957 return gen_proto(cstate, real_proto, proto, dir); 6958 else 6959 bpf_error(cstate, "unknown protocol: %s", name); 6960 6961 #if !defined(NO_PROTOCHAIN) 6962 case Q_PROTOCHAIN: 6963 real_proto = lookup_proto(cstate, name, proto); 6964 if (real_proto >= 0) 6965 return gen_protochain(cstate, real_proto, proto); 6966 else 6967 bpf_error(cstate, "unknown protocol: %s", name); 6968 #endif /* !defined(NO_PROTOCHAIN) */ 6969 6970 case Q_UNDEF: 6971 syntax(cstate); 6972 /*NOTREACHED*/ 6973 } 6974 abort(); 6975 /*NOTREACHED*/ 6976 } 6977 6978 struct block * 6979 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6980 bpf_u_int32 masklen, struct qual q) 6981 { 6982 register int nlen, mlen; 6983 bpf_u_int32 n, m; 6984 6985 /* 6986 * Catch errors reported by us and routines below us, and return NULL 6987 * on an error. 6988 */ 6989 if (setjmp(cstate->top_ctx)) 6990 return (NULL); 6991 6992 nlen = __pcap_atoin(s1, &n); 6993 if (nlen < 0) 6994 bpf_error(cstate, "invalid IPv4 address '%s'", s1); 6995 /* Promote short ipaddr */ 6996 n <<= 32 - nlen; 6997 6998 if (s2 != NULL) { 6999 mlen = __pcap_atoin(s2, &m); 7000 if (mlen < 0) 7001 bpf_error(cstate, "invalid IPv4 address '%s'", s2); 7002 /* Promote short ipaddr */ 7003 m <<= 32 - mlen; 7004 if ((n & ~m) != 0) 7005 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 7006 s1, s2); 7007 } else { 7008 /* Convert mask len to mask */ 7009 if (masklen > 32) 7010 bpf_error(cstate, "mask length must be <= 32"); 7011 if (masklen == 0) { 7012 /* 7013 * X << 32 is not guaranteed by C to be 0; it's 7014 * undefined. 7015 */ 7016 m = 0; 7017 } else 7018 m = 0xffffffff << (32 - masklen); 7019 if ((n & ~m) != 0) 7020 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 7021 s1, masklen); 7022 } 7023 7024 switch (q.addr) { 7025 7026 case Q_NET: 7027 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 7028 7029 default: 7030 bpf_error(cstate, "Mask syntax for networks only"); 7031 /*NOTREACHED*/ 7032 } 7033 /*NOTREACHED*/ 7034 } 7035 7036 struct block * 7037 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 7038 { 7039 bpf_u_int32 mask; 7040 int proto; 7041 int dir; 7042 register int vlen; 7043 7044 /* 7045 * Catch errors reported by us and routines below us, and return NULL 7046 * on an error. 7047 */ 7048 if (setjmp(cstate->top_ctx)) 7049 return (NULL); 7050 7051 proto = q.proto; 7052 dir = q.dir; 7053 if (s == NULL) 7054 vlen = 32; 7055 else if (q.proto == Q_DECNET) { 7056 vlen = __pcap_atodn(s, &v); 7057 if (vlen == 0) 7058 bpf_error(cstate, "malformed decnet address '%s'", s); 7059 } else { 7060 vlen = __pcap_atoin(s, &v); 7061 if (vlen < 0) 7062 bpf_error(cstate, "invalid IPv4 address '%s'", s); 7063 } 7064 7065 switch (q.addr) { 7066 7067 case Q_DEFAULT: 7068 case Q_HOST: 7069 case Q_NET: 7070 if (proto == Q_DECNET) 7071 return gen_host(cstate, v, 0, proto, dir, q.addr); 7072 else if (proto == Q_LINK) { 7073 bpf_error(cstate, "illegal link layer address"); 7074 } else { 7075 mask = 0xffffffff; 7076 if (s == NULL && q.addr == Q_NET) { 7077 /* Promote short net number */ 7078 while (v && (v & 0xff000000) == 0) { 7079 v <<= 8; 7080 mask <<= 8; 7081 } 7082 } else { 7083 /* Promote short ipaddr */ 7084 v <<= 32 - vlen; 7085 mask <<= 32 - vlen ; 7086 } 7087 return gen_host(cstate, v, mask, proto, dir, q.addr); 7088 } 7089 7090 case Q_PORT: 7091 if (proto == Q_UDP) 7092 proto = IPPROTO_UDP; 7093 else if (proto == Q_TCP) 7094 proto = IPPROTO_TCP; 7095 else if (proto == Q_SCTP) 7096 proto = IPPROTO_SCTP; 7097 else if (proto == Q_DEFAULT) 7098 proto = PROTO_UNDEF; 7099 else 7100 bpf_error(cstate, "illegal qualifier of 'port'"); 7101 7102 if (v > 65535) 7103 bpf_error(cstate, "illegal port number %u > 65535", v); 7104 7105 { 7106 struct block *b; 7107 b = gen_port(cstate, v, proto, dir); 7108 gen_or(gen_port6(cstate, v, proto, dir), b); 7109 return b; 7110 } 7111 7112 case Q_PORTRANGE: 7113 if (proto == Q_UDP) 7114 proto = IPPROTO_UDP; 7115 else if (proto == Q_TCP) 7116 proto = IPPROTO_TCP; 7117 else if (proto == Q_SCTP) 7118 proto = IPPROTO_SCTP; 7119 else if (proto == Q_DEFAULT) 7120 proto = PROTO_UNDEF; 7121 else 7122 bpf_error(cstate, "illegal qualifier of 'portrange'"); 7123 7124 if (v > 65535) 7125 bpf_error(cstate, "illegal port number %u > 65535", v); 7126 7127 { 7128 struct block *b; 7129 b = gen_portrange(cstate, v, v, proto, dir); 7130 gen_or(gen_portrange6(cstate, v, v, proto, dir), b); 7131 return b; 7132 } 7133 7134 case Q_GATEWAY: 7135 bpf_error(cstate, "'gateway' requires a name"); 7136 /*NOTREACHED*/ 7137 7138 case Q_PROTO: 7139 return gen_proto(cstate, v, proto, dir); 7140 7141 #if !defined(NO_PROTOCHAIN) 7142 case Q_PROTOCHAIN: 7143 return gen_protochain(cstate, v, proto); 7144 #endif 7145 7146 case Q_UNDEF: 7147 syntax(cstate); 7148 /*NOTREACHED*/ 7149 7150 default: 7151 abort(); 7152 /*NOTREACHED*/ 7153 } 7154 /*NOTREACHED*/ 7155 } 7156 7157 #ifdef INET6 7158 struct block * 7159 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 7160 bpf_u_int32 masklen, struct qual q) 7161 { 7162 struct addrinfo *res; 7163 struct in6_addr *addr; 7164 struct in6_addr mask; 7165 struct block *b; 7166 uint32_t *a, *m; 7167 7168 /* 7169 * Catch errors reported by us and routines below us, and return NULL 7170 * on an error. 7171 */ 7172 if (setjmp(cstate->top_ctx)) 7173 return (NULL); 7174 7175 if (s2) 7176 bpf_error(cstate, "no mask %s supported", s2); 7177 7178 res = pcap_nametoaddrinfo(s1); 7179 if (!res) 7180 bpf_error(cstate, "invalid ip6 address %s", s1); 7181 cstate->ai = res; 7182 if (res->ai_next) 7183 bpf_error(cstate, "%s resolved to multiple address", s1); 7184 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 7185 7186 if (masklen > sizeof(mask.s6_addr) * 8) 7187 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8)); 7188 memset(&mask, 0, sizeof(mask)); 7189 memset(&mask.s6_addr, 0xff, masklen / 8); 7190 if (masklen % 8) { 7191 mask.s6_addr[masklen / 8] = 7192 (0xff << (8 - masklen % 8)) & 0xff; 7193 } 7194 7195 a = (uint32_t *)addr; 7196 m = (uint32_t *)&mask; 7197 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 7198 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 7199 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 7200 } 7201 7202 switch (q.addr) { 7203 7204 case Q_DEFAULT: 7205 case Q_HOST: 7206 if (masklen != 128) 7207 bpf_error(cstate, "Mask syntax for networks only"); 7208 /* FALLTHROUGH */ 7209 7210 case Q_NET: 7211 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 7212 cstate->ai = NULL; 7213 freeaddrinfo(res); 7214 return b; 7215 7216 default: 7217 bpf_error(cstate, "invalid qualifier against IPv6 address"); 7218 /*NOTREACHED*/ 7219 } 7220 } 7221 #endif /*INET6*/ 7222 7223 struct block * 7224 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q) 7225 { 7226 struct block *b, *tmp; 7227 7228 /* 7229 * Catch errors reported by us and routines below us, and return NULL 7230 * on an error. 7231 */ 7232 if (setjmp(cstate->top_ctx)) 7233 return (NULL); 7234 7235 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 7236 cstate->e = pcap_ether_aton(s); 7237 if (cstate->e == NULL) 7238 bpf_error(cstate, "malloc"); 7239 switch (cstate->linktype) { 7240 case DLT_EN10MB: 7241 case DLT_NETANALYZER: 7242 case DLT_NETANALYZER_TRANSPARENT: 7243 tmp = gen_prevlinkhdr_check(cstate); 7244 b = gen_ehostop(cstate, cstate->e, (int)q.dir); 7245 if (tmp != NULL) 7246 gen_and(tmp, b); 7247 break; 7248 case DLT_FDDI: 7249 b = gen_fhostop(cstate, cstate->e, (int)q.dir); 7250 break; 7251 case DLT_IEEE802: 7252 b = gen_thostop(cstate, cstate->e, (int)q.dir); 7253 break; 7254 case DLT_IEEE802_11: 7255 case DLT_PRISM_HEADER: 7256 case DLT_IEEE802_11_RADIO_AVS: 7257 case DLT_IEEE802_11_RADIO: 7258 case DLT_PPI: 7259 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir); 7260 break; 7261 case DLT_IP_OVER_FC: 7262 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir); 7263 break; 7264 default: 7265 free(cstate->e); 7266 cstate->e = NULL; 7267 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 7268 /*NOTREACHED*/ 7269 } 7270 free(cstate->e); 7271 cstate->e = NULL; 7272 return (b); 7273 } 7274 bpf_error(cstate, "ethernet address used in non-ether expression"); 7275 /*NOTREACHED*/ 7276 } 7277 7278 void 7279 sappend(struct slist *s0, struct slist *s1) 7280 { 7281 /* 7282 * This is definitely not the best way to do this, but the 7283 * lists will rarely get long. 7284 */ 7285 while (s0->next) 7286 s0 = s0->next; 7287 s0->next = s1; 7288 } 7289 7290 static struct slist * 7291 xfer_to_x(compiler_state_t *cstate, struct arth *a) 7292 { 7293 struct slist *s; 7294 7295 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 7296 s->s.k = a->regno; 7297 return s; 7298 } 7299 7300 static struct slist * 7301 xfer_to_a(compiler_state_t *cstate, struct arth *a) 7302 { 7303 struct slist *s; 7304 7305 s = new_stmt(cstate, BPF_LD|BPF_MEM); 7306 s->s.k = a->regno; 7307 return s; 7308 } 7309 7310 /* 7311 * Modify "index" to use the value stored into its register as an 7312 * offset relative to the beginning of the header for the protocol 7313 * "proto", and allocate a register and put an item "size" bytes long 7314 * (1, 2, or 4) at that offset into that register, making it the register 7315 * for "index". 7316 */ 7317 static struct arth * 7318 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst, 7319 bpf_u_int32 size) 7320 { 7321 int size_code; 7322 struct slist *s, *tmp; 7323 struct block *b; 7324 int regno = alloc_reg(cstate); 7325 7326 free_reg(cstate, inst->regno); 7327 switch (size) { 7328 7329 default: 7330 bpf_error(cstate, "data size must be 1, 2, or 4"); 7331 /*NOTREACHED*/ 7332 7333 case 1: 7334 size_code = BPF_B; 7335 break; 7336 7337 case 2: 7338 size_code = BPF_H; 7339 break; 7340 7341 case 4: 7342 size_code = BPF_W; 7343 break; 7344 } 7345 switch (proto) { 7346 default: 7347 bpf_error(cstate, "unsupported index operation"); 7348 7349 case Q_RADIO: 7350 /* 7351 * The offset is relative to the beginning of the packet 7352 * data, if we have a radio header. (If we don't, this 7353 * is an error.) 7354 */ 7355 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 7356 cstate->linktype != DLT_IEEE802_11_RADIO && 7357 cstate->linktype != DLT_PRISM_HEADER) 7358 bpf_error(cstate, "radio information not present in capture"); 7359 7360 /* 7361 * Load into the X register the offset computed into the 7362 * register specified by "index". 7363 */ 7364 s = xfer_to_x(cstate, inst); 7365 7366 /* 7367 * Load the item at that offset. 7368 */ 7369 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7370 sappend(s, tmp); 7371 sappend(inst->s, s); 7372 break; 7373 7374 case Q_LINK: 7375 /* 7376 * The offset is relative to the beginning of 7377 * the link-layer header. 7378 * 7379 * XXX - what about ATM LANE? Should the index be 7380 * relative to the beginning of the AAL5 frame, so 7381 * that 0 refers to the beginning of the LE Control 7382 * field, or relative to the beginning of the LAN 7383 * frame, so that 0 refers, for Ethernet LANE, to 7384 * the beginning of the destination address? 7385 */ 7386 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 7387 7388 /* 7389 * If "s" is non-null, it has code to arrange that the 7390 * X register contains the length of the prefix preceding 7391 * the link-layer header. Add to it the offset computed 7392 * into the register specified by "index", and move that 7393 * into the X register. Otherwise, just load into the X 7394 * register the offset computed into the register specified 7395 * by "index". 7396 */ 7397 if (s != NULL) { 7398 sappend(s, xfer_to_a(cstate, inst)); 7399 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7400 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7401 } else 7402 s = xfer_to_x(cstate, inst); 7403 7404 /* 7405 * Load the item at the sum of the offset we've put in the 7406 * X register and the offset of the start of the link 7407 * layer header (which is 0 if the radio header is 7408 * variable-length; that header length is what we put 7409 * into the X register and then added to the index). 7410 */ 7411 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7412 tmp->s.k = cstate->off_linkhdr.constant_part; 7413 sappend(s, tmp); 7414 sappend(inst->s, s); 7415 break; 7416 7417 case Q_IP: 7418 case Q_ARP: 7419 case Q_RARP: 7420 case Q_ATALK: 7421 case Q_DECNET: 7422 case Q_SCA: 7423 case Q_LAT: 7424 case Q_MOPRC: 7425 case Q_MOPDL: 7426 case Q_IPV6: 7427 /* 7428 * The offset is relative to the beginning of 7429 * the network-layer header. 7430 * XXX - are there any cases where we want 7431 * cstate->off_nl_nosnap? 7432 */ 7433 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7434 7435 /* 7436 * If "s" is non-null, it has code to arrange that the 7437 * X register contains the variable part of the offset 7438 * of the link-layer payload. Add to it the offset 7439 * computed into the register specified by "index", 7440 * and move that into the X register. Otherwise, just 7441 * load into the X register the offset computed into 7442 * the register specified by "index". 7443 */ 7444 if (s != NULL) { 7445 sappend(s, xfer_to_a(cstate, inst)); 7446 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7447 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7448 } else 7449 s = xfer_to_x(cstate, inst); 7450 7451 /* 7452 * Load the item at the sum of the offset we've put in the 7453 * X register, the offset of the start of the network 7454 * layer header from the beginning of the link-layer 7455 * payload, and the constant part of the offset of the 7456 * start of the link-layer payload. 7457 */ 7458 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7459 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7460 sappend(s, tmp); 7461 sappend(inst->s, s); 7462 7463 /* 7464 * Do the computation only if the packet contains 7465 * the protocol in question. 7466 */ 7467 b = gen_proto_abbrev_internal(cstate, proto); 7468 if (inst->b) 7469 gen_and(inst->b, b); 7470 inst->b = b; 7471 break; 7472 7473 case Q_SCTP: 7474 case Q_TCP: 7475 case Q_UDP: 7476 case Q_ICMP: 7477 case Q_IGMP: 7478 case Q_IGRP: 7479 case Q_PIM: 7480 case Q_VRRP: 7481 case Q_CARP: 7482 /* 7483 * The offset is relative to the beginning of 7484 * the transport-layer header. 7485 * 7486 * Load the X register with the length of the IPv4 header 7487 * (plus the offset of the link-layer header, if it's 7488 * a variable-length header), in bytes. 7489 * 7490 * XXX - are there any cases where we want 7491 * cstate->off_nl_nosnap? 7492 * XXX - we should, if we're built with 7493 * IPv6 support, generate code to load either 7494 * IPv4, IPv6, or both, as appropriate. 7495 */ 7496 s = gen_loadx_iphdrlen(cstate); 7497 7498 /* 7499 * The X register now contains the sum of the variable 7500 * part of the offset of the link-layer payload and the 7501 * length of the network-layer header. 7502 * 7503 * Load into the A register the offset relative to 7504 * the beginning of the transport layer header, 7505 * add the X register to that, move that to the 7506 * X register, and load with an offset from the 7507 * X register equal to the sum of the constant part of 7508 * the offset of the link-layer payload and the offset, 7509 * relative to the beginning of the link-layer payload, 7510 * of the network-layer header. 7511 */ 7512 sappend(s, xfer_to_a(cstate, inst)); 7513 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7514 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7515 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code)); 7516 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7517 sappend(inst->s, s); 7518 7519 /* 7520 * Do the computation only if the packet contains 7521 * the protocol in question - which is true only 7522 * if this is an IP datagram and is the first or 7523 * only fragment of that datagram. 7524 */ 7525 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate)); 7526 if (inst->b) 7527 gen_and(inst->b, b); 7528 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b); 7529 inst->b = b; 7530 break; 7531 case Q_ICMPV6: 7532 /* 7533 * Do the computation only if the packet contains 7534 * the protocol in question. 7535 */ 7536 b = gen_proto_abbrev_internal(cstate, Q_IPV6); 7537 if (inst->b) { 7538 gen_and(inst->b, b); 7539 } 7540 inst->b = b; 7541 7542 /* 7543 * Check if we have an icmp6 next header 7544 */ 7545 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7546 if (inst->b) { 7547 gen_and(inst->b, b); 7548 } 7549 inst->b = b; 7550 7551 7552 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7553 /* 7554 * If "s" is non-null, it has code to arrange that the 7555 * X register contains the variable part of the offset 7556 * of the link-layer payload. Add to it the offset 7557 * computed into the register specified by "index", 7558 * and move that into the X register. Otherwise, just 7559 * load into the X register the offset computed into 7560 * the register specified by "index". 7561 */ 7562 if (s != NULL) { 7563 sappend(s, xfer_to_a(cstate, inst)); 7564 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7565 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7566 } else { 7567 s = xfer_to_x(cstate, inst); 7568 } 7569 7570 /* 7571 * Load the item at the sum of the offset we've put in the 7572 * X register, the offset of the start of the network 7573 * layer header from the beginning of the link-layer 7574 * payload, and the constant part of the offset of the 7575 * start of the link-layer payload. 7576 */ 7577 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7578 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7579 7580 sappend(s, tmp); 7581 sappend(inst->s, s); 7582 7583 break; 7584 } 7585 inst->regno = regno; 7586 s = new_stmt(cstate, BPF_ST); 7587 s->s.k = regno; 7588 sappend(inst->s, s); 7589 7590 return inst; 7591 } 7592 7593 struct arth * 7594 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, 7595 bpf_u_int32 size) 7596 { 7597 /* 7598 * Catch errors reported by us and routines below us, and return NULL 7599 * on an error. 7600 */ 7601 if (setjmp(cstate->top_ctx)) 7602 return (NULL); 7603 7604 return gen_load_internal(cstate, proto, inst, size); 7605 } 7606 7607 static struct block * 7608 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0, 7609 struct arth *a1, int reversed) 7610 { 7611 struct slist *s0, *s1, *s2; 7612 struct block *b, *tmp; 7613 7614 s0 = xfer_to_x(cstate, a1); 7615 s1 = xfer_to_a(cstate, a0); 7616 if (code == BPF_JEQ) { 7617 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7618 b = new_block(cstate, JMP(code)); 7619 sappend(s1, s2); 7620 } 7621 else 7622 b = new_block(cstate, BPF_JMP|code|BPF_X); 7623 if (reversed) 7624 gen_not(b); 7625 7626 sappend(s0, s1); 7627 sappend(a1->s, s0); 7628 sappend(a0->s, a1->s); 7629 7630 b->stmts = a0->s; 7631 7632 free_reg(cstate, a0->regno); 7633 free_reg(cstate, a1->regno); 7634 7635 /* 'and' together protocol checks */ 7636 if (a0->b) { 7637 if (a1->b) { 7638 gen_and(a0->b, tmp = a1->b); 7639 } 7640 else 7641 tmp = a0->b; 7642 } else 7643 tmp = a1->b; 7644 7645 if (tmp) 7646 gen_and(tmp, b); 7647 7648 return b; 7649 } 7650 7651 struct block * 7652 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7653 struct arth *a1, int reversed) 7654 { 7655 /* 7656 * Catch errors reported by us and routines below us, and return NULL 7657 * on an error. 7658 */ 7659 if (setjmp(cstate->top_ctx)) 7660 return (NULL); 7661 7662 return gen_relation_internal(cstate, code, a0, a1, reversed); 7663 } 7664 7665 struct arth * 7666 gen_loadlen(compiler_state_t *cstate) 7667 { 7668 int regno; 7669 struct arth *a; 7670 struct slist *s; 7671 7672 /* 7673 * Catch errors reported by us and routines below us, and return NULL 7674 * on an error. 7675 */ 7676 if (setjmp(cstate->top_ctx)) 7677 return (NULL); 7678 7679 regno = alloc_reg(cstate); 7680 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7681 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7682 s->next = new_stmt(cstate, BPF_ST); 7683 s->next->s.k = regno; 7684 a->s = s; 7685 a->regno = regno; 7686 7687 return a; 7688 } 7689 7690 static struct arth * 7691 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val) 7692 { 7693 struct arth *a; 7694 struct slist *s; 7695 int reg; 7696 7697 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7698 7699 reg = alloc_reg(cstate); 7700 7701 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7702 s->s.k = val; 7703 s->next = new_stmt(cstate, BPF_ST); 7704 s->next->s.k = reg; 7705 a->s = s; 7706 a->regno = reg; 7707 7708 return a; 7709 } 7710 7711 struct arth * 7712 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val) 7713 { 7714 /* 7715 * Catch errors reported by us and routines below us, and return NULL 7716 * on an error. 7717 */ 7718 if (setjmp(cstate->top_ctx)) 7719 return (NULL); 7720 7721 return gen_loadi_internal(cstate, val); 7722 } 7723 7724 /* 7725 * The a_arg dance is to avoid annoying whining by compilers that 7726 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7727 * It's not *used* after setjmp returns. 7728 */ 7729 struct arth * 7730 gen_neg(compiler_state_t *cstate, struct arth *a_arg) 7731 { 7732 struct arth * volatile a = a_arg; 7733 struct slist *s; 7734 7735 /* 7736 * Catch errors reported by us and routines below us, and return NULL 7737 * on an error. 7738 */ 7739 if (setjmp(cstate->top_ctx)) 7740 return (NULL); 7741 7742 s = xfer_to_a(cstate, a); 7743 sappend(a->s, s); 7744 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7745 s->s.k = 0; 7746 sappend(a->s, s); 7747 s = new_stmt(cstate, BPF_ST); 7748 s->s.k = a->regno; 7749 sappend(a->s, s); 7750 7751 return a; 7752 } 7753 7754 /* 7755 * The a0_arg dance is to avoid annoying whining by compilers that 7756 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7757 * It's not *used* after setjmp returns. 7758 */ 7759 struct arth * 7760 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg, 7761 struct arth *a1) 7762 { 7763 struct arth * volatile a0 = a0_arg; 7764 struct slist *s0, *s1, *s2; 7765 7766 /* 7767 * Catch errors reported by us and routines below us, and return NULL 7768 * on an error. 7769 */ 7770 if (setjmp(cstate->top_ctx)) 7771 return (NULL); 7772 7773 /* 7774 * Disallow division by, or modulus by, zero; we do this here 7775 * so that it gets done even if the optimizer is disabled. 7776 * 7777 * Also disallow shifts by a value greater than 31; we do this 7778 * here, for the same reason. 7779 */ 7780 if (code == BPF_DIV) { 7781 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7782 bpf_error(cstate, "division by zero"); 7783 } else if (code == BPF_MOD) { 7784 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7785 bpf_error(cstate, "modulus by zero"); 7786 } else if (code == BPF_LSH || code == BPF_RSH) { 7787 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31) 7788 bpf_error(cstate, "shift by more than 31 bits"); 7789 } 7790 s0 = xfer_to_x(cstate, a1); 7791 s1 = xfer_to_a(cstate, a0); 7792 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7793 7794 sappend(s1, s2); 7795 sappend(s0, s1); 7796 sappend(a1->s, s0); 7797 sappend(a0->s, a1->s); 7798 7799 free_reg(cstate, a0->regno); 7800 free_reg(cstate, a1->regno); 7801 7802 s0 = new_stmt(cstate, BPF_ST); 7803 a0->regno = s0->s.k = alloc_reg(cstate); 7804 sappend(a0->s, s0); 7805 7806 return a0; 7807 } 7808 7809 /* 7810 * Initialize the table of used registers and the current register. 7811 */ 7812 static void 7813 init_regs(compiler_state_t *cstate) 7814 { 7815 cstate->curreg = 0; 7816 memset(cstate->regused, 0, sizeof cstate->regused); 7817 } 7818 7819 /* 7820 * Return the next free register. 7821 */ 7822 static int 7823 alloc_reg(compiler_state_t *cstate) 7824 { 7825 int n = BPF_MEMWORDS; 7826 7827 while (--n >= 0) { 7828 if (cstate->regused[cstate->curreg]) 7829 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7830 else { 7831 cstate->regused[cstate->curreg] = 1; 7832 return cstate->curreg; 7833 } 7834 } 7835 bpf_error(cstate, "too many registers needed to evaluate expression"); 7836 /*NOTREACHED*/ 7837 } 7838 7839 /* 7840 * Return a register to the table so it can 7841 * be used later. 7842 */ 7843 static void 7844 free_reg(compiler_state_t *cstate, int n) 7845 { 7846 cstate->regused[n] = 0; 7847 } 7848 7849 static struct block * 7850 gen_len(compiler_state_t *cstate, int jmp, int n) 7851 { 7852 struct slist *s; 7853 struct block *b; 7854 7855 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7856 b = new_block(cstate, JMP(jmp)); 7857 b->stmts = s; 7858 b->s.k = n; 7859 7860 return b; 7861 } 7862 7863 struct block * 7864 gen_greater(compiler_state_t *cstate, int n) 7865 { 7866 /* 7867 * Catch errors reported by us and routines below us, and return NULL 7868 * on an error. 7869 */ 7870 if (setjmp(cstate->top_ctx)) 7871 return (NULL); 7872 7873 return gen_len(cstate, BPF_JGE, n); 7874 } 7875 7876 /* 7877 * Actually, this is less than or equal. 7878 */ 7879 struct block * 7880 gen_less(compiler_state_t *cstate, int n) 7881 { 7882 struct block *b; 7883 7884 /* 7885 * Catch errors reported by us and routines below us, and return NULL 7886 * on an error. 7887 */ 7888 if (setjmp(cstate->top_ctx)) 7889 return (NULL); 7890 7891 b = gen_len(cstate, BPF_JGT, n); 7892 gen_not(b); 7893 7894 return b; 7895 } 7896 7897 /* 7898 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7899 * the beginning of the link-layer header. 7900 * XXX - that means you can't test values in the radiotap header, but 7901 * as that header is difficult if not impossible to parse generally 7902 * without a loop, that might not be a severe problem. A new keyword 7903 * "radio" could be added for that, although what you'd really want 7904 * would be a way of testing particular radio header values, which 7905 * would generate code appropriate to the radio header in question. 7906 */ 7907 struct block * 7908 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val) 7909 { 7910 struct block *b; 7911 struct slist *s; 7912 7913 /* 7914 * Catch errors reported by us and routines below us, and return NULL 7915 * on an error. 7916 */ 7917 if (setjmp(cstate->top_ctx)) 7918 return (NULL); 7919 7920 switch (op) { 7921 default: 7922 abort(); 7923 7924 case '=': 7925 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7926 7927 case '<': 7928 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7929 return b; 7930 7931 case '>': 7932 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7933 return b; 7934 7935 case '|': 7936 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7937 break; 7938 7939 case '&': 7940 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7941 break; 7942 } 7943 s->s.k = val; 7944 b = new_block(cstate, JMP(BPF_JEQ)); 7945 b->stmts = s; 7946 gen_not(b); 7947 7948 return b; 7949 } 7950 7951 static const u_char abroadcast[] = { 0x0 }; 7952 7953 struct block * 7954 gen_broadcast(compiler_state_t *cstate, int proto) 7955 { 7956 bpf_u_int32 hostmask; 7957 struct block *b0, *b1, *b2; 7958 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7959 7960 /* 7961 * Catch errors reported by us and routines below us, and return NULL 7962 * on an error. 7963 */ 7964 if (setjmp(cstate->top_ctx)) 7965 return (NULL); 7966 7967 switch (proto) { 7968 7969 case Q_DEFAULT: 7970 case Q_LINK: 7971 switch (cstate->linktype) { 7972 case DLT_ARCNET: 7973 case DLT_ARCNET_LINUX: 7974 return gen_ahostop(cstate, abroadcast, Q_DST); 7975 case DLT_EN10MB: 7976 case DLT_NETANALYZER: 7977 case DLT_NETANALYZER_TRANSPARENT: 7978 b1 = gen_prevlinkhdr_check(cstate); 7979 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7980 if (b1 != NULL) 7981 gen_and(b1, b0); 7982 return b0; 7983 case DLT_FDDI: 7984 return gen_fhostop(cstate, ebroadcast, Q_DST); 7985 case DLT_IEEE802: 7986 return gen_thostop(cstate, ebroadcast, Q_DST); 7987 case DLT_IEEE802_11: 7988 case DLT_PRISM_HEADER: 7989 case DLT_IEEE802_11_RADIO_AVS: 7990 case DLT_IEEE802_11_RADIO: 7991 case DLT_PPI: 7992 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7993 case DLT_IP_OVER_FC: 7994 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7995 default: 7996 bpf_error(cstate, "not a broadcast link"); 7997 } 7998 /*NOTREACHED*/ 7999 8000 case Q_IP: 8001 /* 8002 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 8003 * as an indication that we don't know the netmask, and fail 8004 * in that case. 8005 */ 8006 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 8007 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 8008 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8009 hostmask = ~cstate->netmask; 8010 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask); 8011 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 8012 ~0 & hostmask, hostmask); 8013 gen_or(b1, b2); 8014 gen_and(b0, b2); 8015 return b2; 8016 } 8017 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 8018 /*NOTREACHED*/ 8019 } 8020 8021 /* 8022 * Generate code to test the low-order bit of a MAC address (that's 8023 * the bottom bit of the *first* byte). 8024 */ 8025 static struct block * 8026 gen_mac_multicast(compiler_state_t *cstate, int offset) 8027 { 8028 register struct block *b0; 8029 register struct slist *s; 8030 8031 /* link[offset] & 1 != 0 */ 8032 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 8033 b0 = new_block(cstate, JMP(BPF_JSET)); 8034 b0->s.k = 1; 8035 b0->stmts = s; 8036 return b0; 8037 } 8038 8039 struct block * 8040 gen_multicast(compiler_state_t *cstate, int proto) 8041 { 8042 register struct block *b0, *b1, *b2; 8043 register struct slist *s; 8044 8045 /* 8046 * Catch errors reported by us and routines below us, and return NULL 8047 * on an error. 8048 */ 8049 if (setjmp(cstate->top_ctx)) 8050 return (NULL); 8051 8052 switch (proto) { 8053 8054 case Q_DEFAULT: 8055 case Q_LINK: 8056 switch (cstate->linktype) { 8057 case DLT_ARCNET: 8058 case DLT_ARCNET_LINUX: 8059 /* all ARCnet multicasts use the same address */ 8060 return gen_ahostop(cstate, abroadcast, Q_DST); 8061 case DLT_EN10MB: 8062 case DLT_NETANALYZER: 8063 case DLT_NETANALYZER_TRANSPARENT: 8064 b1 = gen_prevlinkhdr_check(cstate); 8065 /* ether[0] & 1 != 0 */ 8066 b0 = gen_mac_multicast(cstate, 0); 8067 if (b1 != NULL) 8068 gen_and(b1, b0); 8069 return b0; 8070 case DLT_FDDI: 8071 /* 8072 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 8073 * 8074 * XXX - was that referring to bit-order issues? 8075 */ 8076 /* fddi[1] & 1 != 0 */ 8077 return gen_mac_multicast(cstate, 1); 8078 case DLT_IEEE802: 8079 /* tr[2] & 1 != 0 */ 8080 return gen_mac_multicast(cstate, 2); 8081 case DLT_IEEE802_11: 8082 case DLT_PRISM_HEADER: 8083 case DLT_IEEE802_11_RADIO_AVS: 8084 case DLT_IEEE802_11_RADIO: 8085 case DLT_PPI: 8086 /* 8087 * Oh, yuk. 8088 * 8089 * For control frames, there is no DA. 8090 * 8091 * For management frames, DA is at an 8092 * offset of 4 from the beginning of 8093 * the packet. 8094 * 8095 * For data frames, DA is at an offset 8096 * of 4 from the beginning of the packet 8097 * if To DS is clear and at an offset of 8098 * 16 from the beginning of the packet 8099 * if To DS is set. 8100 */ 8101 8102 /* 8103 * Generate the tests to be done for data frames. 8104 * 8105 * First, check for To DS set, i.e. "link[1] & 0x01". 8106 */ 8107 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8108 b1 = new_block(cstate, JMP(BPF_JSET)); 8109 b1->s.k = 0x01; /* To DS */ 8110 b1->stmts = s; 8111 8112 /* 8113 * If To DS is set, the DA is at 16. 8114 */ 8115 b0 = gen_mac_multicast(cstate, 16); 8116 gen_and(b1, b0); 8117 8118 /* 8119 * Now, check for To DS not set, i.e. check 8120 * "!(link[1] & 0x01)". 8121 */ 8122 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8123 b2 = new_block(cstate, JMP(BPF_JSET)); 8124 b2->s.k = 0x01; /* To DS */ 8125 b2->stmts = s; 8126 gen_not(b2); 8127 8128 /* 8129 * If To DS is not set, the DA is at 4. 8130 */ 8131 b1 = gen_mac_multicast(cstate, 4); 8132 gen_and(b2, b1); 8133 8134 /* 8135 * Now OR together the last two checks. That gives 8136 * the complete set of checks for data frames. 8137 */ 8138 gen_or(b1, b0); 8139 8140 /* 8141 * Now check for a data frame. 8142 * I.e, check "link[0] & 0x08". 8143 */ 8144 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8145 b1 = new_block(cstate, JMP(BPF_JSET)); 8146 b1->s.k = 0x08; 8147 b1->stmts = s; 8148 8149 /* 8150 * AND that with the checks done for data frames. 8151 */ 8152 gen_and(b1, b0); 8153 8154 /* 8155 * If the high-order bit of the type value is 0, this 8156 * is a management frame. 8157 * I.e, check "!(link[0] & 0x08)". 8158 */ 8159 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8160 b2 = new_block(cstate, JMP(BPF_JSET)); 8161 b2->s.k = 0x08; 8162 b2->stmts = s; 8163 gen_not(b2); 8164 8165 /* 8166 * For management frames, the DA is at 4. 8167 */ 8168 b1 = gen_mac_multicast(cstate, 4); 8169 gen_and(b2, b1); 8170 8171 /* 8172 * OR that with the checks done for data frames. 8173 * That gives the checks done for management and 8174 * data frames. 8175 */ 8176 gen_or(b1, b0); 8177 8178 /* 8179 * If the low-order bit of the type value is 1, 8180 * this is either a control frame or a frame 8181 * with a reserved type, and thus not a 8182 * frame with an SA. 8183 * 8184 * I.e., check "!(link[0] & 0x04)". 8185 */ 8186 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8187 b1 = new_block(cstate, JMP(BPF_JSET)); 8188 b1->s.k = 0x04; 8189 b1->stmts = s; 8190 gen_not(b1); 8191 8192 /* 8193 * AND that with the checks for data and management 8194 * frames. 8195 */ 8196 gen_and(b1, b0); 8197 return b0; 8198 case DLT_IP_OVER_FC: 8199 b0 = gen_mac_multicast(cstate, 2); 8200 return b0; 8201 default: 8202 break; 8203 } 8204 /* Link not known to support multicasts */ 8205 break; 8206 8207 case Q_IP: 8208 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8209 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224); 8210 gen_and(b0, b1); 8211 return b1; 8212 8213 case Q_IPV6: 8214 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 8215 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255); 8216 gen_and(b0, b1); 8217 return b1; 8218 } 8219 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 8220 /*NOTREACHED*/ 8221 } 8222 8223 struct block * 8224 gen_ifindex(compiler_state_t *cstate, int ifindex) 8225 { 8226 register struct block *b0; 8227 8228 /* 8229 * Catch errors reported by us and routines below us, and return NULL 8230 * on an error. 8231 */ 8232 if (setjmp(cstate->top_ctx)) 8233 return (NULL); 8234 8235 /* 8236 * Only some data link types support ifindex qualifiers. 8237 */ 8238 switch (cstate->linktype) { 8239 case DLT_LINUX_SLL2: 8240 /* match packets on this interface */ 8241 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex); 8242 break; 8243 default: 8244 #if defined(linux) 8245 /* 8246 * This is Linux; we require PF_PACKET support. 8247 * If this is a *live* capture, we can look at 8248 * special meta-data in the filter expression; 8249 * if it's a savefile, we can't. 8250 */ 8251 if (cstate->bpf_pcap->rfile != NULL) { 8252 /* We have a FILE *, so this is a savefile */ 8253 bpf_error(cstate, "ifindex not supported on %s when reading savefiles", 8254 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8255 b0 = NULL; 8256 /*NOTREACHED*/ 8257 } 8258 /* match ifindex */ 8259 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W, 8260 ifindex); 8261 #else /* defined(linux) */ 8262 bpf_error(cstate, "ifindex not supported on %s", 8263 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8264 /*NOTREACHED*/ 8265 #endif /* defined(linux) */ 8266 } 8267 return (b0); 8268 } 8269 8270 /* 8271 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 8272 * Outbound traffic is sent by this machine, while inbound traffic is 8273 * sent by a remote machine (and may include packets destined for a 8274 * unicast or multicast link-layer address we are not subscribing to). 8275 * These are the same definitions implemented by pcap_setdirection(). 8276 * Capturing only unicast traffic destined for this host is probably 8277 * better accomplished using a higher-layer filter. 8278 */ 8279 struct block * 8280 gen_inbound(compiler_state_t *cstate, int dir) 8281 { 8282 register struct block *b0; 8283 8284 /* 8285 * Catch errors reported by us and routines below us, and return NULL 8286 * on an error. 8287 */ 8288 if (setjmp(cstate->top_ctx)) 8289 return (NULL); 8290 8291 /* 8292 * Only some data link types support inbound/outbound qualifiers. 8293 */ 8294 switch (cstate->linktype) { 8295 case DLT_SLIP: 8296 b0 = gen_relation_internal(cstate, BPF_JEQ, 8297 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1), 8298 gen_loadi_internal(cstate, 0), 8299 dir); 8300 break; 8301 8302 case DLT_IPNET: 8303 if (dir) { 8304 /* match outgoing packets */ 8305 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 8306 } else { 8307 /* match incoming packets */ 8308 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 8309 } 8310 break; 8311 8312 case DLT_LINUX_SLL: 8313 /* match outgoing packets */ 8314 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 8315 if (!dir) { 8316 /* to filter on inbound traffic, invert the match */ 8317 gen_not(b0); 8318 } 8319 break; 8320 8321 case DLT_LINUX_SLL2: 8322 /* match outgoing packets */ 8323 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING); 8324 if (!dir) { 8325 /* to filter on inbound traffic, invert the match */ 8326 gen_not(b0); 8327 } 8328 break; 8329 8330 case DLT_PFLOG: 8331 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 8332 ((dir == 0) ? PF_IN : PF_OUT)); 8333 break; 8334 8335 case DLT_PPP_PPPD: 8336 if (dir) { 8337 /* match outgoing packets */ 8338 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 8339 } else { 8340 /* match incoming packets */ 8341 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 8342 } 8343 break; 8344 8345 case DLT_JUNIPER_MFR: 8346 case DLT_JUNIPER_MLFR: 8347 case DLT_JUNIPER_MLPPP: 8348 case DLT_JUNIPER_ATM1: 8349 case DLT_JUNIPER_ATM2: 8350 case DLT_JUNIPER_PPPOE: 8351 case DLT_JUNIPER_PPPOE_ATM: 8352 case DLT_JUNIPER_GGSN: 8353 case DLT_JUNIPER_ES: 8354 case DLT_JUNIPER_MONITOR: 8355 case DLT_JUNIPER_SERVICES: 8356 case DLT_JUNIPER_ETHER: 8357 case DLT_JUNIPER_PPP: 8358 case DLT_JUNIPER_FRELAY: 8359 case DLT_JUNIPER_CHDLC: 8360 case DLT_JUNIPER_VP: 8361 case DLT_JUNIPER_ST: 8362 case DLT_JUNIPER_ISM: 8363 case DLT_JUNIPER_VS: 8364 case DLT_JUNIPER_SRX_E2E: 8365 case DLT_JUNIPER_FIBRECHANNEL: 8366 case DLT_JUNIPER_ATM_CEMIC: 8367 8368 /* juniper flags (including direction) are stored 8369 * the byte after the 3-byte magic number */ 8370 if (dir) { 8371 /* match outgoing packets */ 8372 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 8373 } else { 8374 /* match incoming packets */ 8375 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 8376 } 8377 break; 8378 8379 default: 8380 /* 8381 * If we have packet meta-data indicating a direction, 8382 * and that metadata can be checked by BPF code, check 8383 * it. Otherwise, give up, as this link-layer type has 8384 * nothing in the packet data. 8385 * 8386 * Currently, the only platform where a BPF filter can 8387 * check that metadata is Linux with the in-kernel 8388 * BPF interpreter. If other packet capture mechanisms 8389 * and BPF filters also supported this, it would be 8390 * nice. It would be even better if they made that 8391 * metadata available so that we could provide it 8392 * with newer capture APIs, allowing it to be saved 8393 * in pcapng files. 8394 */ 8395 #if defined(linux) 8396 /* 8397 * This is Linux; we require PF_PACKET support. 8398 * If this is a *live* capture, we can look at 8399 * special meta-data in the filter expression; 8400 * if it's a savefile, we can't. 8401 */ 8402 if (cstate->bpf_pcap->rfile != NULL) { 8403 /* We have a FILE *, so this is a savefile */ 8404 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles", 8405 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8406 /*NOTREACHED*/ 8407 } 8408 /* match outgoing packets */ 8409 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 8410 PACKET_OUTGOING); 8411 if (!dir) { 8412 /* to filter on inbound traffic, invert the match */ 8413 gen_not(b0); 8414 } 8415 #else /* defined(linux) */ 8416 bpf_error(cstate, "inbound/outbound not supported on %s", 8417 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8418 /*NOTREACHED*/ 8419 #endif /* defined(linux) */ 8420 } 8421 return (b0); 8422 } 8423 8424 /* PF firewall log matched interface */ 8425 struct block * 8426 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 8427 { 8428 struct block *b0; 8429 u_int len, off; 8430 8431 /* 8432 * Catch errors reported by us and routines below us, and return NULL 8433 * on an error. 8434 */ 8435 if (setjmp(cstate->top_ctx)) 8436 return (NULL); 8437 8438 if (cstate->linktype != DLT_PFLOG) { 8439 bpf_error(cstate, "ifname supported only on PF linktype"); 8440 /*NOTREACHED*/ 8441 } 8442 len = sizeof(((struct pfloghdr *)0)->ifname); 8443 off = offsetof(struct pfloghdr, ifname); 8444 if (strlen(ifname) >= len) { 8445 bpf_error(cstate, "ifname interface names can only be %d characters", 8446 len-1); 8447 /*NOTREACHED*/ 8448 } 8449 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname), 8450 (const u_char *)ifname); 8451 return (b0); 8452 } 8453 8454 /* PF firewall log ruleset name */ 8455 struct block * 8456 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 8457 { 8458 struct block *b0; 8459 8460 /* 8461 * Catch errors reported by us and routines below us, and return NULL 8462 * on an error. 8463 */ 8464 if (setjmp(cstate->top_ctx)) 8465 return (NULL); 8466 8467 if (cstate->linktype != DLT_PFLOG) { 8468 bpf_error(cstate, "ruleset supported only on PF linktype"); 8469 /*NOTREACHED*/ 8470 } 8471 8472 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 8473 bpf_error(cstate, "ruleset names can only be %ld characters", 8474 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 8475 /*NOTREACHED*/ 8476 } 8477 8478 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 8479 (u_int)strlen(ruleset), (const u_char *)ruleset); 8480 return (b0); 8481 } 8482 8483 /* PF firewall log rule number */ 8484 struct block * 8485 gen_pf_rnr(compiler_state_t *cstate, int rnr) 8486 { 8487 struct block *b0; 8488 8489 /* 8490 * Catch errors reported by us and routines below us, and return NULL 8491 * on an error. 8492 */ 8493 if (setjmp(cstate->top_ctx)) 8494 return (NULL); 8495 8496 if (cstate->linktype != DLT_PFLOG) { 8497 bpf_error(cstate, "rnr supported only on PF linktype"); 8498 /*NOTREACHED*/ 8499 } 8500 8501 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 8502 (bpf_u_int32)rnr); 8503 return (b0); 8504 } 8505 8506 /* PF firewall log sub-rule number */ 8507 struct block * 8508 gen_pf_srnr(compiler_state_t *cstate, int srnr) 8509 { 8510 struct block *b0; 8511 8512 /* 8513 * Catch errors reported by us and routines below us, and return NULL 8514 * on an error. 8515 */ 8516 if (setjmp(cstate->top_ctx)) 8517 return (NULL); 8518 8519 if (cstate->linktype != DLT_PFLOG) { 8520 bpf_error(cstate, "srnr supported only on PF linktype"); 8521 /*NOTREACHED*/ 8522 } 8523 8524 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 8525 (bpf_u_int32)srnr); 8526 return (b0); 8527 } 8528 8529 /* PF firewall log reason code */ 8530 struct block * 8531 gen_pf_reason(compiler_state_t *cstate, int reason) 8532 { 8533 struct block *b0; 8534 8535 /* 8536 * Catch errors reported by us and routines below us, and return NULL 8537 * on an error. 8538 */ 8539 if (setjmp(cstate->top_ctx)) 8540 return (NULL); 8541 8542 if (cstate->linktype != DLT_PFLOG) { 8543 bpf_error(cstate, "reason supported only on PF linktype"); 8544 /*NOTREACHED*/ 8545 } 8546 8547 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 8548 (bpf_u_int32)reason); 8549 return (b0); 8550 } 8551 8552 /* PF firewall log action */ 8553 struct block * 8554 gen_pf_action(compiler_state_t *cstate, int action) 8555 { 8556 struct block *b0; 8557 8558 /* 8559 * Catch errors reported by us and routines below us, and return NULL 8560 * on an error. 8561 */ 8562 if (setjmp(cstate->top_ctx)) 8563 return (NULL); 8564 8565 if (cstate->linktype != DLT_PFLOG) { 8566 bpf_error(cstate, "action supported only on PF linktype"); 8567 /*NOTREACHED*/ 8568 } 8569 8570 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 8571 (bpf_u_int32)action); 8572 return (b0); 8573 } 8574 8575 /* IEEE 802.11 wireless header */ 8576 struct block * 8577 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask) 8578 { 8579 struct block *b0; 8580 8581 /* 8582 * Catch errors reported by us and routines below us, and return NULL 8583 * on an error. 8584 */ 8585 if (setjmp(cstate->top_ctx)) 8586 return (NULL); 8587 8588 switch (cstate->linktype) { 8589 8590 case DLT_IEEE802_11: 8591 case DLT_PRISM_HEADER: 8592 case DLT_IEEE802_11_RADIO_AVS: 8593 case DLT_IEEE802_11_RADIO: 8594 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask); 8595 break; 8596 8597 default: 8598 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8599 /*NOTREACHED*/ 8600 } 8601 8602 return (b0); 8603 } 8604 8605 struct block * 8606 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir) 8607 { 8608 struct block *b0; 8609 8610 /* 8611 * Catch errors reported by us and routines below us, and return NULL 8612 * on an error. 8613 */ 8614 if (setjmp(cstate->top_ctx)) 8615 return (NULL); 8616 8617 switch (cstate->linktype) { 8618 8619 case DLT_IEEE802_11: 8620 case DLT_PRISM_HEADER: 8621 case DLT_IEEE802_11_RADIO_AVS: 8622 case DLT_IEEE802_11_RADIO: 8623 break; 8624 8625 default: 8626 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8627 /*NOTREACHED*/ 8628 } 8629 8630 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir, 8631 IEEE80211_FC1_DIR_MASK); 8632 8633 return (b0); 8634 } 8635 8636 struct block * 8637 gen_acode(compiler_state_t *cstate, const char *s, struct qual q) 8638 { 8639 struct block *b; 8640 8641 /* 8642 * Catch errors reported by us and routines below us, and return NULL 8643 * on an error. 8644 */ 8645 if (setjmp(cstate->top_ctx)) 8646 return (NULL); 8647 8648 switch (cstate->linktype) { 8649 8650 case DLT_ARCNET: 8651 case DLT_ARCNET_LINUX: 8652 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8653 q.proto == Q_LINK) { 8654 cstate->e = pcap_ether_aton(s); 8655 if (cstate->e == NULL) 8656 bpf_error(cstate, "malloc"); 8657 b = gen_ahostop(cstate, cstate->e, (int)q.dir); 8658 free(cstate->e); 8659 cstate->e = NULL; 8660 return (b); 8661 } else 8662 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8663 /*NOTREACHED*/ 8664 8665 default: 8666 bpf_error(cstate, "aid supported only on ARCnet"); 8667 /*NOTREACHED*/ 8668 } 8669 } 8670 8671 static struct block * 8672 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8673 { 8674 register struct block *b0, *b1; 8675 8676 switch (dir) { 8677 /* src comes first, different from Ethernet */ 8678 case Q_SRC: 8679 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8680 8681 case Q_DST: 8682 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8683 8684 case Q_AND: 8685 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8686 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8687 gen_and(b0, b1); 8688 return b1; 8689 8690 case Q_DEFAULT: 8691 case Q_OR: 8692 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8693 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8694 gen_or(b0, b1); 8695 return b1; 8696 8697 case Q_ADDR1: 8698 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8699 /*NOTREACHED*/ 8700 8701 case Q_ADDR2: 8702 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8703 /*NOTREACHED*/ 8704 8705 case Q_ADDR3: 8706 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8707 /*NOTREACHED*/ 8708 8709 case Q_ADDR4: 8710 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8711 /*NOTREACHED*/ 8712 8713 case Q_RA: 8714 bpf_error(cstate, "'ra' is only supported on 802.11"); 8715 /*NOTREACHED*/ 8716 8717 case Q_TA: 8718 bpf_error(cstate, "'ta' is only supported on 802.11"); 8719 /*NOTREACHED*/ 8720 } 8721 abort(); 8722 /*NOTREACHED*/ 8723 } 8724 8725 static struct block * 8726 gen_vlan_tpid_test(compiler_state_t *cstate) 8727 { 8728 struct block *b0, *b1; 8729 8730 /* check for VLAN, including 802.1ad and QinQ */ 8731 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8732 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8733 gen_or(b0,b1); 8734 b0 = b1; 8735 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8736 gen_or(b0,b1); 8737 8738 return b1; 8739 } 8740 8741 static struct block * 8742 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num) 8743 { 8744 if (vlan_num > 0x0fff) { 8745 bpf_error(cstate, "VLAN tag %u greater than maximum %u", 8746 vlan_num, 0x0fff); 8747 } 8748 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff); 8749 } 8750 8751 static struct block * 8752 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8753 int has_vlan_tag) 8754 { 8755 struct block *b0, *b1; 8756 8757 b0 = gen_vlan_tpid_test(cstate); 8758 8759 if (has_vlan_tag) { 8760 b1 = gen_vlan_vid_test(cstate, vlan_num); 8761 gen_and(b0, b1); 8762 b0 = b1; 8763 } 8764 8765 /* 8766 * Both payload and link header type follow the VLAN tags so that 8767 * both need to be updated. 8768 */ 8769 cstate->off_linkpl.constant_part += 4; 8770 cstate->off_linktype.constant_part += 4; 8771 8772 return b0; 8773 } 8774 8775 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8776 /* add v to variable part of off */ 8777 static void 8778 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, 8779 bpf_u_int32 v, struct slist *s) 8780 { 8781 struct slist *s2; 8782 8783 if (!off->is_variable) 8784 off->is_variable = 1; 8785 if (off->reg == -1) 8786 off->reg = alloc_reg(cstate); 8787 8788 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8789 s2->s.k = off->reg; 8790 sappend(s, s2); 8791 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8792 s2->s.k = v; 8793 sappend(s, s2); 8794 s2 = new_stmt(cstate, BPF_ST); 8795 s2->s.k = off->reg; 8796 sappend(s, s2); 8797 } 8798 8799 /* 8800 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8801 * and link type offsets first 8802 */ 8803 static void 8804 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8805 { 8806 struct slist s; 8807 8808 /* offset determined at run time, shift variable part */ 8809 s.next = NULL; 8810 cstate->is_vlan_vloffset = 1; 8811 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8812 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8813 8814 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8815 sappend(s.next, b_tpid->head->stmts); 8816 b_tpid->head->stmts = s.next; 8817 } 8818 8819 /* 8820 * patch block b_vid (VLAN id test) to load VID value either from packet 8821 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8822 */ 8823 static void 8824 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8825 { 8826 struct slist *s, *s2, *sjeq; 8827 unsigned cnt; 8828 8829 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8830 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8831 8832 /* true -> next instructions, false -> beginning of b_vid */ 8833 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8834 sjeq->s.k = 1; 8835 sjeq->s.jf = b_vid->stmts; 8836 sappend(s, sjeq); 8837 8838 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8839 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8840 sappend(s, s2); 8841 sjeq->s.jt = s2; 8842 8843 /* Jump to the test in b_vid. We need to jump one instruction before 8844 * the end of the b_vid block so that we only skip loading the TCI 8845 * from packet data and not the 'and' instruction extractging VID. 8846 */ 8847 cnt = 0; 8848 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8849 cnt++; 8850 s2 = new_stmt(cstate, JMP(BPF_JA)); 8851 s2->s.k = cnt - 1; 8852 sappend(s, s2); 8853 8854 /* insert our statements at the beginning of b_vid */ 8855 sappend(s, b_vid->stmts); 8856 b_vid->stmts = s; 8857 } 8858 8859 /* 8860 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8861 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8862 * tag can be either in metadata or in packet data; therefore if the 8863 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8864 * header for VLAN tag. As the decision is done at run time, we need 8865 * update variable part of the offsets 8866 */ 8867 static struct block * 8868 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8869 int has_vlan_tag) 8870 { 8871 struct block *b0, *b_tpid, *b_vid = NULL; 8872 struct slist *s; 8873 8874 /* generate new filter code based on extracting packet 8875 * metadata */ 8876 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8877 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8878 8879 b0 = new_block(cstate, JMP(BPF_JEQ)); 8880 b0->stmts = s; 8881 b0->s.k = 1; 8882 8883 /* 8884 * This is tricky. We need to insert the statements updating variable 8885 * parts of offsets before the traditional TPID and VID tests so 8886 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8887 * we do not want this update to affect those checks. That's why we 8888 * generate both test blocks first and insert the statements updating 8889 * variable parts of both offsets after that. This wouldn't work if 8890 * there already were variable length link header when entering this 8891 * function but gen_vlan_bpf_extensions() isn't called in that case. 8892 */ 8893 b_tpid = gen_vlan_tpid_test(cstate); 8894 if (has_vlan_tag) 8895 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8896 8897 gen_vlan_patch_tpid_test(cstate, b_tpid); 8898 gen_or(b0, b_tpid); 8899 b0 = b_tpid; 8900 8901 if (has_vlan_tag) { 8902 gen_vlan_patch_vid_test(cstate, b_vid); 8903 gen_and(b0, b_vid); 8904 b0 = b_vid; 8905 } 8906 8907 return b0; 8908 } 8909 #endif 8910 8911 /* 8912 * support IEEE 802.1Q VLAN trunk over ethernet 8913 */ 8914 struct block * 8915 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag) 8916 { 8917 struct block *b0; 8918 8919 /* 8920 * Catch errors reported by us and routines below us, and return NULL 8921 * on an error. 8922 */ 8923 if (setjmp(cstate->top_ctx)) 8924 return (NULL); 8925 8926 /* can't check for VLAN-encapsulated packets inside MPLS */ 8927 if (cstate->label_stack_depth > 0) 8928 bpf_error(cstate, "no VLAN match after MPLS"); 8929 8930 /* 8931 * Check for a VLAN packet, and then change the offsets to point 8932 * to the type and data fields within the VLAN packet. Just 8933 * increment the offsets, so that we can support a hierarchy, e.g. 8934 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8935 * VLAN 100. 8936 * 8937 * XXX - this is a bit of a kludge. If we were to split the 8938 * compiler into a parser that parses an expression and 8939 * generates an expression tree, and a code generator that 8940 * takes an expression tree (which could come from our 8941 * parser or from some other parser) and generates BPF code, 8942 * we could perhaps make the offsets parameters of routines 8943 * and, in the handler for an "AND" node, pass to subnodes 8944 * other than the VLAN node the adjusted offsets. 8945 * 8946 * This would mean that "vlan" would, instead of changing the 8947 * behavior of *all* tests after it, change only the behavior 8948 * of tests ANDed with it. That would change the documented 8949 * semantics of "vlan", which might break some expressions. 8950 * However, it would mean that "(vlan and ip) or ip" would check 8951 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8952 * checking only for VLAN-encapsulated IP, so that could still 8953 * be considered worth doing; it wouldn't break expressions 8954 * that are of the form "vlan and ..." or "vlan N and ...", 8955 * which I suspect are the most common expressions involving 8956 * "vlan". "vlan or ..." doesn't necessarily do what the user 8957 * would really want, now, as all the "or ..." tests would 8958 * be done assuming a VLAN, even though the "or" could be viewed 8959 * as meaning "or, if this isn't a VLAN packet...". 8960 */ 8961 switch (cstate->linktype) { 8962 8963 case DLT_EN10MB: 8964 case DLT_NETANALYZER: 8965 case DLT_NETANALYZER_TRANSPARENT: 8966 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8967 /* Verify that this is the outer part of the packet and 8968 * not encapsulated somehow. */ 8969 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8970 cstate->off_linkhdr.constant_part == 8971 cstate->off_outermostlinkhdr.constant_part) { 8972 /* 8973 * Do we need special VLAN handling? 8974 */ 8975 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8976 b0 = gen_vlan_bpf_extensions(cstate, vlan_num, 8977 has_vlan_tag); 8978 else 8979 b0 = gen_vlan_no_bpf_extensions(cstate, 8980 vlan_num, has_vlan_tag); 8981 } else 8982 #endif 8983 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, 8984 has_vlan_tag); 8985 break; 8986 8987 case DLT_IEEE802_11: 8988 case DLT_PRISM_HEADER: 8989 case DLT_IEEE802_11_RADIO_AVS: 8990 case DLT_IEEE802_11_RADIO: 8991 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag); 8992 break; 8993 8994 default: 8995 bpf_error(cstate, "no VLAN support for %s", 8996 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8997 /*NOTREACHED*/ 8998 } 8999 9000 cstate->vlan_stack_depth++; 9001 9002 return (b0); 9003 } 9004 9005 /* 9006 * support for MPLS 9007 * 9008 * The label_num_arg dance is to avoid annoying whining by compilers that 9009 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9010 * It's not *used* after setjmp returns. 9011 */ 9012 struct block * 9013 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg, 9014 int has_label_num) 9015 { 9016 volatile bpf_u_int32 label_num = label_num_arg; 9017 struct block *b0, *b1; 9018 9019 /* 9020 * Catch errors reported by us and routines below us, and return NULL 9021 * on an error. 9022 */ 9023 if (setjmp(cstate->top_ctx)) 9024 return (NULL); 9025 9026 if (cstate->label_stack_depth > 0) { 9027 /* just match the bottom-of-stack bit clear */ 9028 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 9029 } else { 9030 /* 9031 * We're not in an MPLS stack yet, so check the link-layer 9032 * type against MPLS. 9033 */ 9034 switch (cstate->linktype) { 9035 9036 case DLT_C_HDLC: /* fall through */ 9037 case DLT_HDLC: 9038 case DLT_EN10MB: 9039 case DLT_NETANALYZER: 9040 case DLT_NETANALYZER_TRANSPARENT: 9041 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 9042 break; 9043 9044 case DLT_PPP: 9045 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 9046 break; 9047 9048 /* FIXME add other DLT_s ... 9049 * for Frame-Relay/and ATM this may get messy due to SNAP headers 9050 * leave it for now */ 9051 9052 default: 9053 bpf_error(cstate, "no MPLS support for %s", 9054 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9055 /*NOTREACHED*/ 9056 } 9057 } 9058 9059 /* If a specific MPLS label is requested, check it */ 9060 if (has_label_num) { 9061 if (label_num > 0xFFFFF) { 9062 bpf_error(cstate, "MPLS label %u greater than maximum %u", 9063 label_num, 0xFFFFF); 9064 } 9065 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 9066 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num, 9067 0xfffff000); /* only compare the first 20 bits */ 9068 gen_and(b0, b1); 9069 b0 = b1; 9070 } 9071 9072 /* 9073 * Change the offsets to point to the type and data fields within 9074 * the MPLS packet. Just increment the offsets, so that we 9075 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 9076 * capture packets with an outer label of 100000 and an inner 9077 * label of 1024. 9078 * 9079 * Increment the MPLS stack depth as well; this indicates that 9080 * we're checking MPLS-encapsulated headers, to make sure higher 9081 * level code generators don't try to match against IP-related 9082 * protocols such as Q_ARP, Q_RARP etc. 9083 * 9084 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 9085 */ 9086 cstate->off_nl_nosnap += 4; 9087 cstate->off_nl += 4; 9088 cstate->label_stack_depth++; 9089 return (b0); 9090 } 9091 9092 /* 9093 * Support PPPOE discovery and session. 9094 */ 9095 struct block * 9096 gen_pppoed(compiler_state_t *cstate) 9097 { 9098 /* 9099 * Catch errors reported by us and routines below us, and return NULL 9100 * on an error. 9101 */ 9102 if (setjmp(cstate->top_ctx)) 9103 return (NULL); 9104 9105 /* check for PPPoE discovery */ 9106 return gen_linktype(cstate, ETHERTYPE_PPPOED); 9107 } 9108 9109 struct block * 9110 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num) 9111 { 9112 struct block *b0, *b1; 9113 9114 /* 9115 * Catch errors reported by us and routines below us, and return NULL 9116 * on an error. 9117 */ 9118 if (setjmp(cstate->top_ctx)) 9119 return (NULL); 9120 9121 /* 9122 * Test against the PPPoE session link-layer type. 9123 */ 9124 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES); 9125 9126 /* If a specific session is requested, check PPPoE session id */ 9127 if (has_sess_num) { 9128 if (sess_num > 0x0000ffff) { 9129 bpf_error(cstate, "PPPoE session number %u greater than maximum %u", 9130 sess_num, 0x0000ffff); 9131 } 9132 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff); 9133 gen_and(b0, b1); 9134 b0 = b1; 9135 } 9136 9137 /* 9138 * Change the offsets to point to the type and data fields within 9139 * the PPP packet, and note that this is PPPoE rather than 9140 * raw PPP. 9141 * 9142 * XXX - this is a bit of a kludge. See the comments in 9143 * gen_vlan(). 9144 * 9145 * The "network-layer" protocol is PPPoE, which has a 6-byte 9146 * PPPoE header, followed by a PPP packet. 9147 * 9148 * There is no HDLC encapsulation for the PPP packet (it's 9149 * encapsulated in PPPoES instead), so the link-layer type 9150 * starts at the first byte of the PPP packet. For PPPoE, 9151 * that offset is relative to the beginning of the total 9152 * link-layer payload, including any 802.2 LLC header, so 9153 * it's 6 bytes past cstate->off_nl. 9154 */ 9155 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 9156 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 9157 cstate->off_linkpl.reg); 9158 9159 cstate->off_linktype = cstate->off_linkhdr; 9160 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 9161 9162 cstate->off_nl = 0; 9163 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 9164 9165 return b0; 9166 } 9167 9168 /* Check that this is Geneve and the VNI is correct if 9169 * specified. Parameterized to handle both IPv4 and IPv6. */ 9170 static struct block * 9171 gen_geneve_check(compiler_state_t *cstate, 9172 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int), 9173 enum e_offrel offrel, bpf_u_int32 vni, int has_vni) 9174 { 9175 struct block *b0, *b1; 9176 9177 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 9178 9179 /* Check that we are operating on version 0. Otherwise, we 9180 * can't decode the rest of the fields. The version is 2 bits 9181 * in the first byte of the Geneve header. */ 9182 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0); 9183 gen_and(b0, b1); 9184 b0 = b1; 9185 9186 if (has_vni) { 9187 if (vni > 0xffffff) { 9188 bpf_error(cstate, "Geneve VNI %u greater than maximum %u", 9189 vni, 0xffffff); 9190 } 9191 vni <<= 8; /* VNI is in the upper 3 bytes */ 9192 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00); 9193 gen_and(b0, b1); 9194 b0 = b1; 9195 } 9196 9197 return b0; 9198 } 9199 9200 /* The IPv4 and IPv6 Geneve checks need to do two things: 9201 * - Verify that this actually is Geneve with the right VNI. 9202 * - Place the IP header length (plus variable link prefix if 9203 * needed) into register A to be used later to compute 9204 * the inner packet offsets. */ 9205 static struct block * 9206 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9207 { 9208 struct block *b0, *b1; 9209 struct slist *s, *s1; 9210 9211 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni); 9212 9213 /* Load the IP header length into A. */ 9214 s = gen_loadx_iphdrlen(cstate); 9215 9216 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9217 sappend(s, s1); 9218 9219 /* Forcibly append these statements to the true condition 9220 * of the protocol check by creating a new block that is 9221 * always true and ANDing them. */ 9222 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9223 b1->stmts = s; 9224 b1->s.k = 0; 9225 9226 gen_and(b0, b1); 9227 9228 return b1; 9229 } 9230 9231 static struct block * 9232 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9233 { 9234 struct block *b0, *b1; 9235 struct slist *s, *s1; 9236 9237 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni); 9238 9239 /* Load the IP header length. We need to account for a 9240 * variable length link prefix if there is one. */ 9241 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 9242 if (s) { 9243 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 9244 s1->s.k = 40; 9245 sappend(s, s1); 9246 9247 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9248 s1->s.k = 0; 9249 sappend(s, s1); 9250 } else { 9251 s = new_stmt(cstate, BPF_LD|BPF_IMM); 9252 s->s.k = 40; 9253 } 9254 9255 /* Forcibly append these statements to the true condition 9256 * of the protocol check by creating a new block that is 9257 * always true and ANDing them. */ 9258 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9259 sappend(s, s1); 9260 9261 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9262 b1->stmts = s; 9263 b1->s.k = 0; 9264 9265 gen_and(b0, b1); 9266 9267 return b1; 9268 } 9269 9270 /* We need to store three values based on the Geneve header:: 9271 * - The offset of the linktype. 9272 * - The offset of the end of the Geneve header. 9273 * - The offset of the end of the encapsulated MAC header. */ 9274 static struct slist * 9275 gen_geneve_offsets(compiler_state_t *cstate) 9276 { 9277 struct slist *s, *s1, *s_proto; 9278 9279 /* First we need to calculate the offset of the Geneve header 9280 * itself. This is composed of the IP header previously calculated 9281 * (include any variable link prefix) and stored in A plus the 9282 * fixed sized headers (fixed link prefix, MAC length, and UDP 9283 * header). */ 9284 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9285 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 9286 9287 /* Stash this in X since we'll need it later. */ 9288 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9289 sappend(s, s1); 9290 9291 /* The EtherType in Geneve is 2 bytes in. Calculate this and 9292 * store it. */ 9293 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9294 s1->s.k = 2; 9295 sappend(s, s1); 9296 9297 cstate->off_linktype.reg = alloc_reg(cstate); 9298 cstate->off_linktype.is_variable = 1; 9299 cstate->off_linktype.constant_part = 0; 9300 9301 s1 = new_stmt(cstate, BPF_ST); 9302 s1->s.k = cstate->off_linktype.reg; 9303 sappend(s, s1); 9304 9305 /* Load the Geneve option length and mask and shift to get the 9306 * number of bytes. It is stored in the first byte of the Geneve 9307 * header. */ 9308 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 9309 s1->s.k = 0; 9310 sappend(s, s1); 9311 9312 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 9313 s1->s.k = 0x3f; 9314 sappend(s, s1); 9315 9316 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 9317 s1->s.k = 4; 9318 sappend(s, s1); 9319 9320 /* Add in the rest of the Geneve base header. */ 9321 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9322 s1->s.k = 8; 9323 sappend(s, s1); 9324 9325 /* Add the Geneve header length to its offset and store. */ 9326 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9327 s1->s.k = 0; 9328 sappend(s, s1); 9329 9330 /* Set the encapsulated type as Ethernet. Even though we may 9331 * not actually have Ethernet inside there are two reasons this 9332 * is useful: 9333 * - The linktype field is always in EtherType format regardless 9334 * of whether it is in Geneve or an inner Ethernet frame. 9335 * - The only link layer that we have specific support for is 9336 * Ethernet. We will confirm that the packet actually is 9337 * Ethernet at runtime before executing these checks. */ 9338 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 9339 9340 s1 = new_stmt(cstate, BPF_ST); 9341 s1->s.k = cstate->off_linkhdr.reg; 9342 sappend(s, s1); 9343 9344 /* Calculate whether we have an Ethernet header or just raw IP/ 9345 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 9346 * and linktype by 14 bytes so that the network header can be found 9347 * seamlessly. Otherwise, keep what we've calculated already. */ 9348 9349 /* We have a bare jmp so we can't use the optimizer. */ 9350 cstate->no_optimize = 1; 9351 9352 /* Load the EtherType in the Geneve header, 2 bytes in. */ 9353 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 9354 s1->s.k = 2; 9355 sappend(s, s1); 9356 9357 /* Load X with the end of the Geneve header. */ 9358 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9359 s1->s.k = cstate->off_linkhdr.reg; 9360 sappend(s, s1); 9361 9362 /* Check if the EtherType is Transparent Ethernet Bridging. At the 9363 * end of this check, we should have the total length in X. In 9364 * the non-Ethernet case, it's already there. */ 9365 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 9366 s_proto->s.k = ETHERTYPE_TEB; 9367 sappend(s, s_proto); 9368 9369 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9370 sappend(s, s1); 9371 s_proto->s.jt = s1; 9372 9373 /* Since this is Ethernet, use the EtherType of the payload 9374 * directly as the linktype. Overwrite what we already have. */ 9375 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9376 s1->s.k = 12; 9377 sappend(s, s1); 9378 9379 s1 = new_stmt(cstate, BPF_ST); 9380 s1->s.k = cstate->off_linktype.reg; 9381 sappend(s, s1); 9382 9383 /* Advance two bytes further to get the end of the Ethernet 9384 * header. */ 9385 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9386 s1->s.k = 2; 9387 sappend(s, s1); 9388 9389 /* Move the result to X. */ 9390 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9391 sappend(s, s1); 9392 9393 /* Store the final result of our linkpl calculation. */ 9394 cstate->off_linkpl.reg = alloc_reg(cstate); 9395 cstate->off_linkpl.is_variable = 1; 9396 cstate->off_linkpl.constant_part = 0; 9397 9398 s1 = new_stmt(cstate, BPF_STX); 9399 s1->s.k = cstate->off_linkpl.reg; 9400 sappend(s, s1); 9401 s_proto->s.jf = s1; 9402 9403 cstate->off_nl = 0; 9404 9405 return s; 9406 } 9407 9408 /* Check to see if this is a Geneve packet. */ 9409 struct block * 9410 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9411 { 9412 struct block *b0, *b1; 9413 struct slist *s; 9414 9415 /* 9416 * Catch errors reported by us and routines below us, and return NULL 9417 * on an error. 9418 */ 9419 if (setjmp(cstate->top_ctx)) 9420 return (NULL); 9421 9422 b0 = gen_geneve4(cstate, vni, has_vni); 9423 b1 = gen_geneve6(cstate, vni, has_vni); 9424 9425 gen_or(b0, b1); 9426 b0 = b1; 9427 9428 /* Later filters should act on the payload of the Geneve frame, 9429 * update all of the header pointers. Attach this code so that 9430 * it gets executed in the event that the Geneve filter matches. */ 9431 s = gen_geneve_offsets(cstate); 9432 9433 b1 = gen_true(cstate); 9434 sappend(s, b1->stmts); 9435 b1->stmts = s; 9436 9437 gen_and(b0, b1); 9438 9439 cstate->is_geneve = 1; 9440 9441 return b1; 9442 } 9443 9444 /* Check that the encapsulated frame has a link layer header 9445 * for Ethernet filters. */ 9446 static struct block * 9447 gen_geneve_ll_check(compiler_state_t *cstate) 9448 { 9449 struct block *b0; 9450 struct slist *s, *s1; 9451 9452 /* The easiest way to see if there is a link layer present 9453 * is to check if the link layer header and payload are not 9454 * the same. */ 9455 9456 /* Geneve always generates pure variable offsets so we can 9457 * compare only the registers. */ 9458 s = new_stmt(cstate, BPF_LD|BPF_MEM); 9459 s->s.k = cstate->off_linkhdr.reg; 9460 9461 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9462 s1->s.k = cstate->off_linkpl.reg; 9463 sappend(s, s1); 9464 9465 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9466 b0->stmts = s; 9467 b0->s.k = 0; 9468 gen_not(b0); 9469 9470 return b0; 9471 } 9472 9473 static struct block * 9474 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield, 9475 bpf_u_int32 jvalue, int jtype, int reverse) 9476 { 9477 struct block *b0; 9478 9479 switch (atmfield) { 9480 9481 case A_VPI: 9482 if (!cstate->is_atm) 9483 bpf_error(cstate, "'vpi' supported only on raw ATM"); 9484 if (cstate->off_vpi == OFFSET_NOT_SET) 9485 abort(); 9486 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 9487 0xffffffffU, jtype, reverse, jvalue); 9488 break; 9489 9490 case A_VCI: 9491 if (!cstate->is_atm) 9492 bpf_error(cstate, "'vci' supported only on raw ATM"); 9493 if (cstate->off_vci == OFFSET_NOT_SET) 9494 abort(); 9495 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 9496 0xffffffffU, jtype, reverse, jvalue); 9497 break; 9498 9499 case A_PROTOTYPE: 9500 if (cstate->off_proto == OFFSET_NOT_SET) 9501 abort(); /* XXX - this isn't on FreeBSD */ 9502 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 9503 0x0fU, jtype, reverse, jvalue); 9504 break; 9505 9506 case A_MSGTYPE: 9507 if (cstate->off_payload == OFFSET_NOT_SET) 9508 abort(); 9509 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 9510 0xffffffffU, jtype, reverse, jvalue); 9511 break; 9512 9513 case A_CALLREFTYPE: 9514 if (!cstate->is_atm) 9515 bpf_error(cstate, "'callref' supported only on raw ATM"); 9516 if (cstate->off_proto == OFFSET_NOT_SET) 9517 abort(); 9518 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 9519 0xffffffffU, jtype, reverse, jvalue); 9520 break; 9521 9522 default: 9523 abort(); 9524 } 9525 return b0; 9526 } 9527 9528 static struct block * 9529 gen_atmtype_metac(compiler_state_t *cstate) 9530 { 9531 struct block *b0, *b1; 9532 9533 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9534 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0); 9535 gen_and(b0, b1); 9536 return b1; 9537 } 9538 9539 static struct block * 9540 gen_atmtype_sc(compiler_state_t *cstate) 9541 { 9542 struct block *b0, *b1; 9543 9544 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9545 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0); 9546 gen_and(b0, b1); 9547 return b1; 9548 } 9549 9550 static struct block * 9551 gen_atmtype_llc(compiler_state_t *cstate) 9552 { 9553 struct block *b0; 9554 9555 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 9556 cstate->linktype = cstate->prevlinktype; 9557 return b0; 9558 } 9559 9560 struct block * 9561 gen_atmfield_code(compiler_state_t *cstate, int atmfield, 9562 bpf_u_int32 jvalue, int jtype, int reverse) 9563 { 9564 /* 9565 * Catch errors reported by us and routines below us, and return NULL 9566 * on an error. 9567 */ 9568 if (setjmp(cstate->top_ctx)) 9569 return (NULL); 9570 9571 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype, 9572 reverse); 9573 } 9574 9575 struct block * 9576 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 9577 { 9578 struct block *b0, *b1; 9579 9580 /* 9581 * Catch errors reported by us and routines below us, and return NULL 9582 * on an error. 9583 */ 9584 if (setjmp(cstate->top_ctx)) 9585 return (NULL); 9586 9587 switch (type) { 9588 9589 case A_METAC: 9590 /* Get all packets in Meta signalling Circuit */ 9591 if (!cstate->is_atm) 9592 bpf_error(cstate, "'metac' supported only on raw ATM"); 9593 b1 = gen_atmtype_metac(cstate); 9594 break; 9595 9596 case A_BCC: 9597 /* Get all packets in Broadcast Circuit*/ 9598 if (!cstate->is_atm) 9599 bpf_error(cstate, "'bcc' supported only on raw ATM"); 9600 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9601 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0); 9602 gen_and(b0, b1); 9603 break; 9604 9605 case A_OAMF4SC: 9606 /* Get all cells in Segment OAM F4 circuit*/ 9607 if (!cstate->is_atm) 9608 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 9609 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9610 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9611 gen_and(b0, b1); 9612 break; 9613 9614 case A_OAMF4EC: 9615 /* Get all cells in End-to-End OAM F4 Circuit*/ 9616 if (!cstate->is_atm) 9617 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 9618 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9619 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9620 gen_and(b0, b1); 9621 break; 9622 9623 case A_SC: 9624 /* Get all packets in connection Signalling Circuit */ 9625 if (!cstate->is_atm) 9626 bpf_error(cstate, "'sc' supported only on raw ATM"); 9627 b1 = gen_atmtype_sc(cstate); 9628 break; 9629 9630 case A_ILMIC: 9631 /* Get all packets in ILMI Circuit */ 9632 if (!cstate->is_atm) 9633 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 9634 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9635 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0); 9636 gen_and(b0, b1); 9637 break; 9638 9639 case A_LANE: 9640 /* Get all LANE packets */ 9641 if (!cstate->is_atm) 9642 bpf_error(cstate, "'lane' supported only on raw ATM"); 9643 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 9644 9645 /* 9646 * Arrange that all subsequent tests assume LANE 9647 * rather than LLC-encapsulated packets, and set 9648 * the offsets appropriately for LANE-encapsulated 9649 * Ethernet. 9650 * 9651 * We assume LANE means Ethernet, not Token Ring. 9652 */ 9653 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 9654 cstate->off_payload + 2, /* Ethernet header */ 9655 -1); 9656 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 9657 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 9658 cstate->off_nl = 0; /* Ethernet II */ 9659 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 9660 break; 9661 9662 case A_LLC: 9663 /* Get all LLC-encapsulated packets */ 9664 if (!cstate->is_atm) 9665 bpf_error(cstate, "'llc' supported only on raw ATM"); 9666 b1 = gen_atmtype_llc(cstate); 9667 break; 9668 9669 default: 9670 abort(); 9671 } 9672 return b1; 9673 } 9674 9675 /* 9676 * Filtering for MTP2 messages based on li value 9677 * FISU, length is null 9678 * LSSU, length is 1 or 2 9679 * MSU, length is 3 or more 9680 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 9681 */ 9682 struct block * 9683 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 9684 { 9685 struct block *b0, *b1; 9686 9687 /* 9688 * Catch errors reported by us and routines below us, and return NULL 9689 * on an error. 9690 */ 9691 if (setjmp(cstate->top_ctx)) 9692 return (NULL); 9693 9694 switch (type) { 9695 9696 case M_FISU: 9697 if ( (cstate->linktype != DLT_MTP2) && 9698 (cstate->linktype != DLT_ERF) && 9699 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9700 bpf_error(cstate, "'fisu' supported only on MTP2"); 9701 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9702 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9703 0x3fU, BPF_JEQ, 0, 0U); 9704 break; 9705 9706 case M_LSSU: 9707 if ( (cstate->linktype != DLT_MTP2) && 9708 (cstate->linktype != DLT_ERF) && 9709 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9710 bpf_error(cstate, "'lssu' supported only on MTP2"); 9711 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9712 0x3fU, BPF_JGT, 1, 2U); 9713 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9714 0x3fU, BPF_JGT, 0, 0U); 9715 gen_and(b1, b0); 9716 break; 9717 9718 case M_MSU: 9719 if ( (cstate->linktype != DLT_MTP2) && 9720 (cstate->linktype != DLT_ERF) && 9721 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9722 bpf_error(cstate, "'msu' supported only on MTP2"); 9723 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9724 0x3fU, BPF_JGT, 0, 2U); 9725 break; 9726 9727 case MH_FISU: 9728 if ( (cstate->linktype != DLT_MTP2) && 9729 (cstate->linktype != DLT_ERF) && 9730 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9731 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9732 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9733 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9734 0xff80U, BPF_JEQ, 0, 0U); 9735 break; 9736 9737 case MH_LSSU: 9738 if ( (cstate->linktype != DLT_MTP2) && 9739 (cstate->linktype != DLT_ERF) && 9740 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9741 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9742 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9743 0xff80U, BPF_JGT, 1, 0x0100U); 9744 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9745 0xff80U, BPF_JGT, 0, 0U); 9746 gen_and(b1, b0); 9747 break; 9748 9749 case MH_MSU: 9750 if ( (cstate->linktype != DLT_MTP2) && 9751 (cstate->linktype != DLT_ERF) && 9752 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9753 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9754 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9755 0xff80U, BPF_JGT, 0, 0x0100U); 9756 break; 9757 9758 default: 9759 abort(); 9760 } 9761 return b0; 9762 } 9763 9764 /* 9765 * The jvalue_arg dance is to avoid annoying whining by compilers that 9766 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9767 * It's not *used* after setjmp returns. 9768 */ 9769 struct block * 9770 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, 9771 bpf_u_int32 jvalue_arg, int jtype, int reverse) 9772 { 9773 volatile bpf_u_int32 jvalue = jvalue_arg; 9774 struct block *b0; 9775 bpf_u_int32 val1 , val2 , val3; 9776 u_int newoff_sio; 9777 u_int newoff_opc; 9778 u_int newoff_dpc; 9779 u_int newoff_sls; 9780 9781 /* 9782 * Catch errors reported by us and routines below us, and return NULL 9783 * on an error. 9784 */ 9785 if (setjmp(cstate->top_ctx)) 9786 return (NULL); 9787 9788 newoff_sio = cstate->off_sio; 9789 newoff_opc = cstate->off_opc; 9790 newoff_dpc = cstate->off_dpc; 9791 newoff_sls = cstate->off_sls; 9792 switch (mtp3field) { 9793 9794 case MH_SIO: 9795 newoff_sio += 3; /* offset for MTP2_HSL */ 9796 /* FALLTHROUGH */ 9797 9798 case M_SIO: 9799 if (cstate->off_sio == OFFSET_NOT_SET) 9800 bpf_error(cstate, "'sio' supported only on SS7"); 9801 /* sio coded on 1 byte so max value 255 */ 9802 if(jvalue > 255) 9803 bpf_error(cstate, "sio value %u too big; max value = 255", 9804 jvalue); 9805 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU, 9806 jtype, reverse, jvalue); 9807 break; 9808 9809 case MH_OPC: 9810 newoff_opc += 3; 9811 9812 /* FALLTHROUGH */ 9813 case M_OPC: 9814 if (cstate->off_opc == OFFSET_NOT_SET) 9815 bpf_error(cstate, "'opc' supported only on SS7"); 9816 /* opc coded on 14 bits so max value 16383 */ 9817 if (jvalue > 16383) 9818 bpf_error(cstate, "opc value %u too big; max value = 16383", 9819 jvalue); 9820 /* the following instructions are made to convert jvalue 9821 * to the form used to write opc in an ss7 message*/ 9822 val1 = jvalue & 0x00003c00; 9823 val1 = val1 >>10; 9824 val2 = jvalue & 0x000003fc; 9825 val2 = val2 <<6; 9826 val3 = jvalue & 0x00000003; 9827 val3 = val3 <<22; 9828 jvalue = val1 + val2 + val3; 9829 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU, 9830 jtype, reverse, jvalue); 9831 break; 9832 9833 case MH_DPC: 9834 newoff_dpc += 3; 9835 /* FALLTHROUGH */ 9836 9837 case M_DPC: 9838 if (cstate->off_dpc == OFFSET_NOT_SET) 9839 bpf_error(cstate, "'dpc' supported only on SS7"); 9840 /* dpc coded on 14 bits so max value 16383 */ 9841 if (jvalue > 16383) 9842 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9843 jvalue); 9844 /* the following instructions are made to convert jvalue 9845 * to the forme used to write dpc in an ss7 message*/ 9846 val1 = jvalue & 0x000000ff; 9847 val1 = val1 << 24; 9848 val2 = jvalue & 0x00003f00; 9849 val2 = val2 << 8; 9850 jvalue = val1 + val2; 9851 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U, 9852 jtype, reverse, jvalue); 9853 break; 9854 9855 case MH_SLS: 9856 newoff_sls += 3; 9857 /* FALLTHROUGH */ 9858 9859 case M_SLS: 9860 if (cstate->off_sls == OFFSET_NOT_SET) 9861 bpf_error(cstate, "'sls' supported only on SS7"); 9862 /* sls coded on 4 bits so max value 15 */ 9863 if (jvalue > 15) 9864 bpf_error(cstate, "sls value %u too big; max value = 15", 9865 jvalue); 9866 /* the following instruction is made to convert jvalue 9867 * to the forme used to write sls in an ss7 message*/ 9868 jvalue = jvalue << 4; 9869 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U, 9870 jtype, reverse, jvalue); 9871 break; 9872 9873 default: 9874 abort(); 9875 } 9876 return b0; 9877 } 9878 9879 static struct block * 9880 gen_msg_abbrev(compiler_state_t *cstate, int type) 9881 { 9882 struct block *b1; 9883 9884 /* 9885 * Q.2931 signalling protocol messages for handling virtual circuits 9886 * establishment and teardown 9887 */ 9888 switch (type) { 9889 9890 case A_SETUP: 9891 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9892 break; 9893 9894 case A_CALLPROCEED: 9895 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9896 break; 9897 9898 case A_CONNECT: 9899 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9900 break; 9901 9902 case A_CONNECTACK: 9903 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9904 break; 9905 9906 case A_RELEASE: 9907 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9908 break; 9909 9910 case A_RELEASE_DONE: 9911 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9912 break; 9913 9914 default: 9915 abort(); 9916 } 9917 return b1; 9918 } 9919 9920 struct block * 9921 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9922 { 9923 struct block *b0, *b1; 9924 9925 /* 9926 * Catch errors reported by us and routines below us, and return NULL 9927 * on an error. 9928 */ 9929 if (setjmp(cstate->top_ctx)) 9930 return (NULL); 9931 9932 switch (type) { 9933 9934 case A_OAM: 9935 if (!cstate->is_atm) 9936 bpf_error(cstate, "'oam' supported only on raw ATM"); 9937 /* OAM F4 type */ 9938 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9939 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9940 gen_or(b0, b1); 9941 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9942 gen_and(b0, b1); 9943 break; 9944 9945 case A_OAMF4: 9946 if (!cstate->is_atm) 9947 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9948 /* OAM F4 type */ 9949 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9950 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9951 gen_or(b0, b1); 9952 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9953 gen_and(b0, b1); 9954 break; 9955 9956 case A_CONNECTMSG: 9957 /* 9958 * Get Q.2931 signalling messages for switched 9959 * virtual connection 9960 */ 9961 if (!cstate->is_atm) 9962 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9963 b0 = gen_msg_abbrev(cstate, A_SETUP); 9964 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9965 gen_or(b0, b1); 9966 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9967 gen_or(b0, b1); 9968 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9969 gen_or(b0, b1); 9970 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9971 gen_or(b0, b1); 9972 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9973 gen_or(b0, b1); 9974 b0 = gen_atmtype_sc(cstate); 9975 gen_and(b0, b1); 9976 break; 9977 9978 case A_METACONNECT: 9979 if (!cstate->is_atm) 9980 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9981 b0 = gen_msg_abbrev(cstate, A_SETUP); 9982 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9983 gen_or(b0, b1); 9984 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9985 gen_or(b0, b1); 9986 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9987 gen_or(b0, b1); 9988 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9989 gen_or(b0, b1); 9990 b0 = gen_atmtype_metac(cstate); 9991 gen_and(b0, b1); 9992 break; 9993 9994 default: 9995 abort(); 9996 } 9997 return b1; 9998 } 9999