1 /* $NetBSD: gencode.c,v 1.11 2018/09/03 15:26:43 christos Exp $ */ 2 3 /*#define CHASE_CHAIN*/ 4 /* 5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that: (1) source code distributions 10 * retain the above copyright notice and this paragraph in its entirety, (2) 11 * distributions including binary code include the above copyright notice and 12 * this paragraph in its entirety in the documentation or other materials 13 * provided with the distribution, and (3) all advertising materials mentioning 14 * features or use of this software display the following acknowledgement: 15 * ``This product includes software developed by the University of California, 16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 17 * the University nor the names of its contributors may be used to endorse 18 * or promote products derived from this software without specific prior 19 * written permission. 20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 23 */ 24 25 #include <sys/cdefs.h> 26 __RCSID("$NetBSD: gencode.c,v 1.11 2018/09/03 15:26:43 christos Exp $"); 27 28 #ifdef HAVE_CONFIG_H 29 #include <config.h> 30 #endif 31 32 #include <pcap-types.h> 33 #ifdef _WIN32 34 #include <ws2tcpip.h> 35 #else 36 #include <sys/socket.h> 37 38 #ifdef __NetBSD__ 39 #include <sys/param.h> 40 #endif 41 42 #include <netinet/in.h> 43 #include <arpa/inet.h> 44 #endif /* _WIN32 */ 45 46 #include <stdlib.h> 47 #include <string.h> 48 #include <memory.h> 49 #include <setjmp.h> 50 #include <stdarg.h> 51 52 #ifdef MSDOS 53 #include "pcap-dos.h" 54 #endif 55 56 #include "pcap-int.h" 57 58 #include "ethertype.h" 59 #include "nlpid.h" 60 #include "llc.h" 61 #include "gencode.h" 62 #include "ieee80211.h" 63 #include "atmuni31.h" 64 #include "sunatmpos.h" 65 #include "ppp.h" 66 #include "pcap/sll.h" 67 #include "pcap/ipnet.h" 68 #include "arcnet.h" 69 70 #include "grammar.h" 71 #include "scanner.h" 72 73 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 74 #include <linux/types.h> 75 #include <linux/if_packet.h> 76 #include <linux/filter.h> 77 #endif 78 79 #ifdef HAVE_NET_PFVAR_H 80 #include <sys/socket.h> 81 #include <net/if.h> 82 #include <net/pfvar.h> 83 #include <net/if_pflog.h> 84 #endif 85 86 #ifndef offsetof 87 #define offsetof(s, e) ((size_t)&((s *)0)->e) 88 #endif 89 90 #ifdef _WIN32 91 #ifdef INET6 92 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 93 /* IPv6 address */ 94 struct in6_addr 95 { 96 union 97 { 98 uint8_t u6_addr8[16]; 99 uint16_t u6_addr16[8]; 100 uint32_t u6_addr32[4]; 101 } in6_u; 102 #define s6_addr in6_u.u6_addr8 103 #define s6_addr16 in6_u.u6_addr16 104 #define s6_addr32 in6_u.u6_addr32 105 #define s6_addr64 in6_u.u6_addr64 106 }; 107 108 typedef unsigned short sa_family_t; 109 110 #define __SOCKADDR_COMMON(sa_prefix) \ 111 sa_family_t sa_prefix##family 112 113 /* Ditto, for IPv6. */ 114 struct sockaddr_in6 115 { 116 __SOCKADDR_COMMON (sin6_); 117 uint16_t sin6_port; /* Transport layer port # */ 118 uint32_t sin6_flowinfo; /* IPv6 flow information */ 119 struct in6_addr sin6_addr; /* IPv6 address */ 120 }; 121 122 #ifndef EAI_ADDRFAMILY 123 struct addrinfo { 124 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 125 int ai_family; /* PF_xxx */ 126 int ai_socktype; /* SOCK_xxx */ 127 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 128 size_t ai_addrlen; /* length of ai_addr */ 129 char *ai_canonname; /* canonical name for hostname */ 130 struct sockaddr *ai_addr; /* binary address */ 131 struct addrinfo *ai_next; /* next structure in linked list */ 132 }; 133 #endif /* EAI_ADDRFAMILY */ 134 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 135 #endif /* INET6 */ 136 #else /* _WIN32 */ 137 #include <netdb.h> /* for "struct addrinfo" */ 138 #endif /* _WIN32 */ 139 #include <pcap/namedb.h> 140 141 #include "nametoaddr.h" 142 143 #define ETHERMTU 1500 144 145 #ifndef ETHERTYPE_TEB 146 #define ETHERTYPE_TEB 0x6558 147 #endif 148 149 #ifndef IPPROTO_HOPOPTS 150 #define IPPROTO_HOPOPTS 0 151 #endif 152 #ifndef IPPROTO_ROUTING 153 #define IPPROTO_ROUTING 43 154 #endif 155 #ifndef IPPROTO_FRAGMENT 156 #define IPPROTO_FRAGMENT 44 157 #endif 158 #ifndef IPPROTO_DSTOPTS 159 #define IPPROTO_DSTOPTS 60 160 #endif 161 #ifndef IPPROTO_SCTP 162 #define IPPROTO_SCTP 132 163 #endif 164 165 #define GENEVE_PORT 6081 166 167 #ifdef HAVE_OS_PROTO_H 168 #include "os-proto.h" 169 #endif 170 171 #define JMP(c) ((c)|BPF_JMP|BPF_K) 172 173 /* 174 * "Push" the current value of the link-layer header type and link-layer 175 * header offset onto a "stack", and set a new value. (It's not a 176 * full-blown stack; we keep only the top two items.) 177 */ 178 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 179 { \ 180 (cs)->prevlinktype = (cs)->linktype; \ 181 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 182 (cs)->linktype = (new_linktype); \ 183 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 184 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 185 (cs)->off_linkhdr.reg = (new_reg); \ 186 (cs)->is_geneve = 0; \ 187 } 188 189 /* 190 * Offset "not set" value. 191 */ 192 #define OFFSET_NOT_SET 0xffffffffU 193 194 /* 195 * Absolute offsets, which are offsets from the beginning of the raw 196 * packet data, are, in the general case, the sum of a variable value 197 * and a constant value; the variable value may be absent, in which 198 * case the offset is only the constant value, and the constant value 199 * may be zero, in which case the offset is only the variable value. 200 * 201 * bpf_abs_offset is a structure containing all that information: 202 * 203 * is_variable is 1 if there's a variable part. 204 * 205 * constant_part is the constant part of the value, possibly zero; 206 * 207 * if is_variable is 1, reg is the register number for a register 208 * containing the variable value if the register has been assigned, 209 * and -1 otherwise. 210 */ 211 typedef struct { 212 int is_variable; 213 u_int constant_part; 214 int reg; 215 } bpf_abs_offset; 216 217 /* 218 * Value passed to gen_load_a() to indicate what the offset argument 219 * is relative to the beginning of. 220 */ 221 enum e_offrel { 222 OR_PACKET, /* full packet data */ 223 OR_LINKHDR, /* link-layer header */ 224 OR_PREVLINKHDR, /* previous link-layer header */ 225 OR_LLC, /* 802.2 LLC header */ 226 OR_PREVMPLSHDR, /* previous MPLS header */ 227 OR_LINKTYPE, /* link-layer type */ 228 OR_LINKPL, /* link-layer payload */ 229 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 230 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 231 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 232 }; 233 234 /* 235 * We divy out chunks of memory rather than call malloc each time so 236 * we don't have to worry about leaking memory. It's probably 237 * not a big deal if all this memory was wasted but if this ever 238 * goes into a library that would probably not be a good idea. 239 * 240 * XXX - this *is* in a library.... 241 */ 242 #define NCHUNKS 16 243 #define CHUNK0SIZE 1024 244 struct chunk { 245 size_t n_left; 246 void *m; 247 }; 248 249 /* Code generator state */ 250 251 struct _compiler_state { 252 jmp_buf top_ctx; 253 pcap_t *bpf_pcap; 254 255 struct icode ic; 256 257 int snaplen; 258 259 int linktype; 260 int prevlinktype; 261 int outermostlinktype; 262 263 bpf_u_int32 netmask; 264 int no_optimize; 265 266 /* Hack for handling VLAN and MPLS stacks. */ 267 u_int label_stack_depth; 268 u_int vlan_stack_depth; 269 270 /* XXX */ 271 u_int pcap_fddipad; 272 273 /* 274 * As errors are handled by a longjmp, anything allocated must 275 * be freed in the longjmp handler, so it must be reachable 276 * from that handler. 277 * 278 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 279 * it must be freed with freeaddrinfo(). This variable points to 280 * any addrinfo structure that would need to be freed. 281 */ 282 struct addrinfo *ai; 283 284 /* 285 * Various code constructs need to know the layout of the packet. 286 * These values give the necessary offsets from the beginning 287 * of the packet data. 288 */ 289 290 /* 291 * Absolute offset of the beginning of the link-layer header. 292 */ 293 bpf_abs_offset off_linkhdr; 294 295 /* 296 * If we're checking a link-layer header for a packet encapsulated 297 * in another protocol layer, this is the equivalent information 298 * for the previous layers' link-layer header from the beginning 299 * of the raw packet data. 300 */ 301 bpf_abs_offset off_prevlinkhdr; 302 303 /* 304 * This is the equivalent information for the outermost layers' 305 * link-layer header. 306 */ 307 bpf_abs_offset off_outermostlinkhdr; 308 309 /* 310 * Absolute offset of the beginning of the link-layer payload. 311 */ 312 bpf_abs_offset off_linkpl; 313 314 /* 315 * "off_linktype" is the offset to information in the link-layer 316 * header giving the packet type. This is an absolute offset 317 * from the beginning of the packet. 318 * 319 * For Ethernet, it's the offset of the Ethernet type field; this 320 * means that it must have a value that skips VLAN tags. 321 * 322 * For link-layer types that always use 802.2 headers, it's the 323 * offset of the LLC header; this means that it must have a value 324 * that skips VLAN tags. 325 * 326 * For PPP, it's the offset of the PPP type field. 327 * 328 * For Cisco HDLC, it's the offset of the CHDLC type field. 329 * 330 * For BSD loopback, it's the offset of the AF_ value. 331 * 332 * For Linux cooked sockets, it's the offset of the type field. 333 * 334 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 335 * encapsulation, in which case, IP is assumed. 336 */ 337 bpf_abs_offset off_linktype; 338 339 /* 340 * TRUE if the link layer includes an ATM pseudo-header. 341 */ 342 int is_atm; 343 344 /* 345 * TRUE if "geneve" appeared in the filter; it causes us to 346 * generate code that checks for a Geneve header and assume 347 * that later filters apply to the encapsulated payload. 348 */ 349 int is_geneve; 350 351 /* 352 * TRUE if we need variable length part of VLAN offset 353 */ 354 int is_vlan_vloffset; 355 356 /* 357 * These are offsets for the ATM pseudo-header. 358 */ 359 u_int off_vpi; 360 u_int off_vci; 361 u_int off_proto; 362 363 /* 364 * These are offsets for the MTP2 fields. 365 */ 366 u_int off_li; 367 u_int off_li_hsl; 368 369 /* 370 * These are offsets for the MTP3 fields. 371 */ 372 u_int off_sio; 373 u_int off_opc; 374 u_int off_dpc; 375 u_int off_sls; 376 377 /* 378 * This is the offset of the first byte after the ATM pseudo_header, 379 * or -1 if there is no ATM pseudo-header. 380 */ 381 u_int off_payload; 382 383 /* 384 * These are offsets to the beginning of the network-layer header. 385 * They are relative to the beginning of the link-layer payload 386 * (i.e., they don't include off_linkhdr.constant_part or 387 * off_linkpl.constant_part). 388 * 389 * If the link layer never uses 802.2 LLC: 390 * 391 * "off_nl" and "off_nl_nosnap" are the same. 392 * 393 * If the link layer always uses 802.2 LLC: 394 * 395 * "off_nl" is the offset if there's a SNAP header following 396 * the 802.2 header; 397 * 398 * "off_nl_nosnap" is the offset if there's no SNAP header. 399 * 400 * If the link layer is Ethernet: 401 * 402 * "off_nl" is the offset if the packet is an Ethernet II packet 403 * (we assume no 802.3+802.2+SNAP); 404 * 405 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 406 * with an 802.2 header following it. 407 */ 408 u_int off_nl; 409 u_int off_nl_nosnap; 410 411 /* 412 * Here we handle simple allocation of the scratch registers. 413 * If too many registers are alloc'd, the allocator punts. 414 */ 415 int regused[BPF_MEMWORDS]; 416 int curreg; 417 418 /* 419 * Memory chunks. 420 */ 421 struct chunk chunks[NCHUNKS]; 422 int cur_chunk; 423 }; 424 425 void PCAP_NORETURN 426 bpf_syntax_error(compiler_state_t *cstate, const char *msg) 427 { 428 bpf_error(cstate, "syntax error in filter expression: %s", msg); 429 /* NOTREACHED */ 430 } 431 432 /* VARARGS */ 433 void PCAP_NORETURN 434 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 435 { 436 va_list ap; 437 438 va_start(ap, fmt); 439 if (cstate->bpf_pcap != NULL) 440 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap), 441 PCAP_ERRBUF_SIZE, fmt, ap); 442 va_end(ap); 443 longjmp(cstate->top_ctx, 1); 444 /* NOTREACHED */ 445 } 446 447 static void init_linktype(compiler_state_t *, pcap_t *); 448 449 static void init_regs(compiler_state_t *); 450 static int alloc_reg(compiler_state_t *); 451 static void free_reg(compiler_state_t *, int); 452 453 static void initchunks(compiler_state_t *cstate); 454 static void *newchunk(compiler_state_t *cstate, size_t); 455 static void freechunks(compiler_state_t *cstate); 456 static inline struct block *new_block(compiler_state_t *cstate, int); 457 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 458 static struct block *gen_retblk(compiler_state_t *cstate, int); 459 static inline void syntax(compiler_state_t *cstate); 460 461 static void backpatch(struct block *, struct block *); 462 static void merge(struct block *, struct block *); 463 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 464 u_int, bpf_int32); 465 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 466 u_int, bpf_int32); 467 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 468 u_int, bpf_int32); 469 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 470 u_int, bpf_int32); 471 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 472 u_int, bpf_int32); 473 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 474 u_int, bpf_int32, bpf_u_int32); 475 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 476 u_int, const u_char *); 477 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 478 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 479 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 480 u_int, u_int); 481 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 482 u_int); 483 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 484 static struct block *gen_uncond(compiler_state_t *, int); 485 static inline struct block *gen_true(compiler_state_t *); 486 static inline struct block *gen_false(compiler_state_t *); 487 static struct block *gen_ether_linktype(compiler_state_t *, int); 488 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 489 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 490 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 491 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 492 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 493 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 494 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 495 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 496 bpf_abs_offset *); 497 static int ethertype_to_ppptype(int); 498 static struct block *gen_linktype(compiler_state_t *, int); 499 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 500 static struct block *gen_llc_linktype(compiler_state_t *, int); 501 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 502 int, int, u_int, u_int); 503 #ifdef INET6 504 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 505 struct in6_addr *, int, int, u_int, u_int); 506 #endif 507 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 508 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 509 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 510 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 511 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 512 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 513 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 514 static struct block *gen_mpls_linktype(compiler_state_t *, int); 515 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 516 int, int, int); 517 #ifdef INET6 518 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 519 struct in6_addr *, int, int, int); 520 #endif 521 #ifndef INET6 522 static struct block *gen_gateway(compiler_state_t *, const u_char *, 523 struct addrinfo *, int, int); 524 #endif 525 static struct block *gen_ipfrag(compiler_state_t *); 526 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 527 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 528 bpf_int32); 529 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 530 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 531 bpf_int32); 532 struct block *gen_portop(compiler_state_t *, int, int, int); 533 static struct block *gen_port(compiler_state_t *, int, int, int); 534 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 535 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 536 struct block *gen_portop6(compiler_state_t *, int, int, int); 537 static struct block *gen_port6(compiler_state_t *, int, int, int); 538 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 539 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 540 static int lookup_proto(compiler_state_t *, const char *, int); 541 static struct block *gen_protochain(compiler_state_t *, int, int, int); 542 static struct block *gen_proto(compiler_state_t *, int, int, int); 543 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 544 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 545 static struct block *gen_mac_multicast(compiler_state_t *, int); 546 static struct block *gen_len(compiler_state_t *, int, int); 547 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 548 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 549 550 static struct block *gen_ppi_dlt_check(compiler_state_t *); 551 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 552 553 static void 554 initchunks(compiler_state_t *cstate) 555 { 556 int i; 557 558 for (i = 0; i < NCHUNKS; i++) { 559 cstate->chunks[i].n_left = 0; 560 cstate->chunks[i].m = NULL; 561 } 562 cstate->cur_chunk = 0; 563 } 564 565 static void * 566 newchunk(compiler_state_t *cstate, size_t n) 567 { 568 struct chunk *cp; 569 int k; 570 size_t size; 571 572 #ifndef __NetBSD__ 573 /* XXX Round up to nearest long. */ 574 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 575 #else 576 /* XXX Round up to structure boundary. */ 577 n = ALIGN(n); 578 #endif 579 580 cp = &cstate->chunks[cstate->cur_chunk]; 581 if (n > cp->n_left) { 582 ++cp; 583 k = ++cstate->cur_chunk; 584 if (k >= NCHUNKS) 585 bpf_error(cstate, "out of memory"); 586 size = CHUNK0SIZE << k; 587 cp->m = (void *)malloc(size); 588 if (cp->m == NULL) 589 bpf_error(cstate, "out of memory"); 590 memset((char *)cp->m, 0, size); 591 cp->n_left = size; 592 if (n > size) 593 bpf_error(cstate, "out of memory"); 594 } 595 cp->n_left -= n; 596 return (void *)((char *)cp->m + cp->n_left); 597 } 598 599 static void 600 freechunks(compiler_state_t *cstate) 601 { 602 int i; 603 604 for (i = 0; i < NCHUNKS; ++i) 605 if (cstate->chunks[i].m != NULL) 606 free(cstate->chunks[i].m); 607 } 608 609 /* 610 * A strdup whose allocations are freed after code generation is over. 611 */ 612 char * 613 sdup(compiler_state_t *cstate, const char *s) 614 { 615 size_t n = strlen(s) + 1; 616 char *cp = newchunk(cstate, n); 617 618 strlcpy(cp, s, n); 619 return (cp); 620 } 621 622 static inline struct block * 623 new_block(compiler_state_t *cstate, int code) 624 { 625 struct block *p; 626 627 p = (struct block *)newchunk(cstate, sizeof(*p)); 628 p->s.code = code; 629 p->head = p; 630 631 return p; 632 } 633 634 static inline struct slist * 635 new_stmt(compiler_state_t *cstate, int code) 636 { 637 struct slist *p; 638 639 p = (struct slist *)newchunk(cstate, sizeof(*p)); 640 p->s.code = code; 641 642 return p; 643 } 644 645 static struct block * 646 gen_retblk(compiler_state_t *cstate, int v) 647 { 648 struct block *b = new_block(cstate, BPF_RET|BPF_K); 649 650 b->s.k = v; 651 return b; 652 } 653 654 static inline PCAP_NORETURN_DEF void 655 syntax(compiler_state_t *cstate) 656 { 657 bpf_error(cstate, "syntax error in filter expression"); 658 } 659 660 int 661 pcap_compile(pcap_t *p, struct bpf_program *program, 662 const char *buf, int optimize, bpf_u_int32 mask) 663 { 664 #ifdef _WIN32 665 static int done = 0; 666 #endif 667 compiler_state_t cstate; 668 const char * volatile xbuf = buf; 669 yyscan_t scanner = NULL; 670 volatile YY_BUFFER_STATE in_buffer = NULL; 671 u_int len; 672 int rc; 673 674 /* 675 * If this pcap_t hasn't been activated, it doesn't have a 676 * link-layer type, so we can't use it. 677 */ 678 if (!p->activated) { 679 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 680 "not-yet-activated pcap_t passed to pcap_compile"); 681 return (-1); 682 } 683 684 #ifdef _WIN32 685 if (!done) 686 pcap_wsockinit(); 687 done = 1; 688 #endif 689 690 #ifdef ENABLE_REMOTE 691 /* 692 * If the device on which we're capturing need to be notified 693 * that a new filter is being compiled, do so. 694 * 695 * This allows them to save a copy of it, in case, for example, 696 * they're implementing a form of remote packet capture, and 697 * want the remote machine to filter out the packets in which 698 * it's sending the packets it's captured. 699 * 700 * XXX - the fact that we happen to be compiling a filter 701 * doesn't necessarily mean we'll be installing it as the 702 * filter for this pcap_t; we might be running it from userland 703 * on captured packets to do packet classification. We really 704 * need a better way of handling this, but this is all that 705 * the WinPcap code did. 706 */ 707 if (p->save_current_filter_op != NULL) 708 (p->save_current_filter_op)(p, buf); 709 #endif 710 711 initchunks(&cstate); 712 cstate.no_optimize = 0; 713 #ifdef INET6 714 cstate.ai = NULL; 715 #endif 716 cstate.ic.root = NULL; 717 cstate.ic.cur_mark = 0; 718 cstate.bpf_pcap = p; 719 init_regs(&cstate); 720 721 if (setjmp(cstate.top_ctx)) { 722 #ifdef INET6 723 if (cstate.ai != NULL) 724 freeaddrinfo(cstate.ai); 725 #endif 726 rc = -1; 727 goto quit; 728 } 729 730 cstate.netmask = mask; 731 732 cstate.snaplen = pcap_snapshot(p); 733 if (cstate.snaplen == 0) { 734 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 735 "snaplen of 0 rejects all packets"); 736 rc = -1; 737 goto quit; 738 } 739 740 if (pcap_lex_init(&scanner) != 0) 741 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 742 errno, "can't initialize scanner"); 743 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 744 745 /* 746 * Associate the compiler state with the lexical analyzer 747 * state. 748 */ 749 pcap_set_extra(&cstate, scanner); 750 751 init_linktype(&cstate, p); 752 (void)pcap_parse(scanner, &cstate); 753 754 if (cstate.ic.root == NULL) 755 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 756 757 if (optimize && !cstate.no_optimize) { 758 bpf_optimize(&cstate, &cstate.ic); 759 if (cstate.ic.root == NULL || 760 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) 761 bpf_error(&cstate, "expression rejects all packets"); 762 } 763 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len); 764 program->bf_len = len; 765 766 rc = 0; /* We're all okay */ 767 768 quit: 769 /* 770 * Clean up everything for the lexical analyzer. 771 */ 772 if (in_buffer != NULL) 773 pcap__delete_buffer(in_buffer, scanner); 774 if (scanner != NULL) 775 pcap_lex_destroy(scanner); 776 777 /* 778 * Clean up our own allocated memory. 779 */ 780 freechunks(&cstate); 781 782 return (rc); 783 } 784 785 /* 786 * entry point for using the compiler with no pcap open 787 * pass in all the stuff that is needed explicitly instead. 788 */ 789 int 790 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 791 struct bpf_program *program, 792 const char *buf, int optimize, bpf_u_int32 mask) 793 { 794 pcap_t *p; 795 int ret; 796 797 p = pcap_open_dead(linktype_arg, snaplen_arg); 798 if (p == NULL) 799 return (-1); 800 ret = pcap_compile(p, program, buf, optimize, mask); 801 pcap_close(p); 802 return (ret); 803 } 804 805 /* 806 * Clean up a "struct bpf_program" by freeing all the memory allocated 807 * in it. 808 */ 809 void 810 pcap_freecode(struct bpf_program *program) 811 { 812 program->bf_len = 0; 813 if (program->bf_insns != NULL) { 814 free((char *)program->bf_insns); 815 program->bf_insns = NULL; 816 } 817 } 818 819 /* 820 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 821 * which of the jt and jf fields has been resolved and which is a pointer 822 * back to another unresolved block (or nil). At least one of the fields 823 * in each block is already resolved. 824 */ 825 static void 826 backpatch(struct block *list, struct block *target) 827 { 828 struct block *next; 829 830 while (list) { 831 if (!list->sense) { 832 next = JT(list); 833 JT(list) = target; 834 } else { 835 next = JF(list); 836 JF(list) = target; 837 } 838 list = next; 839 } 840 } 841 842 /* 843 * Merge the lists in b0 and b1, using the 'sense' field to indicate 844 * which of jt and jf is the link. 845 */ 846 static void 847 merge(struct block *b0, struct block *b1) 848 { 849 register struct block **p = &b0; 850 851 /* Find end of list. */ 852 while (*p) 853 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 854 855 /* Concatenate the lists. */ 856 *p = b1; 857 } 858 859 void 860 finish_parse(compiler_state_t *cstate, struct block *p) 861 { 862 struct block *ppi_dlt_check; 863 864 /* 865 * Insert before the statements of the first (root) block any 866 * statements needed to load the lengths of any variable-length 867 * headers into registers. 868 * 869 * XXX - a fancier strategy would be to insert those before the 870 * statements of all blocks that use those lengths and that 871 * have no predecessors that use them, so that we only compute 872 * the lengths if we need them. There might be even better 873 * approaches than that. 874 * 875 * However, those strategies would be more complicated, and 876 * as we don't generate code to compute a length if the 877 * program has no tests that use the length, and as most 878 * tests will probably use those lengths, we would just 879 * postpone computing the lengths so that it's not done 880 * for tests that fail early, and it's not clear that's 881 * worth the effort. 882 */ 883 insert_compute_vloffsets(cstate, p->head); 884 885 /* 886 * For DLT_PPI captures, generate a check of the per-packet 887 * DLT value to make sure it's DLT_IEEE802_11. 888 * 889 * XXX - TurboCap cards use DLT_PPI for Ethernet. 890 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 891 * with appropriate Ethernet information and use that rather 892 * than using something such as DLT_PPI where you don't know 893 * the link-layer header type until runtime, which, in the 894 * general case, would force us to generate both Ethernet *and* 895 * 802.11 code (*and* anything else for which PPI is used) 896 * and choose between them early in the BPF program? 897 */ 898 ppi_dlt_check = gen_ppi_dlt_check(cstate); 899 if (ppi_dlt_check != NULL) 900 gen_and(ppi_dlt_check, p); 901 902 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 903 p->sense = !p->sense; 904 backpatch(p, gen_retblk(cstate, 0)); 905 cstate->ic.root = p->head; 906 } 907 908 void 909 gen_and(struct block *b0, struct block *b1) 910 { 911 backpatch(b0, b1->head); 912 b0->sense = !b0->sense; 913 b1->sense = !b1->sense; 914 merge(b1, b0); 915 b1->sense = !b1->sense; 916 b1->head = b0->head; 917 } 918 919 void 920 gen_or(struct block *b0, struct block *b1) 921 { 922 b0->sense = !b0->sense; 923 backpatch(b0, b1->head); 924 b0->sense = !b0->sense; 925 merge(b1, b0); 926 b1->head = b0->head; 927 } 928 929 void 930 gen_not(struct block *b) 931 { 932 b->sense = !b->sense; 933 } 934 935 static struct block * 936 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 937 u_int size, bpf_int32 v) 938 { 939 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 940 } 941 942 static struct block * 943 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 944 u_int size, bpf_int32 v) 945 { 946 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 947 } 948 949 static struct block * 950 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 951 u_int size, bpf_int32 v) 952 { 953 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 954 } 955 956 static struct block * 957 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 958 u_int size, bpf_int32 v) 959 { 960 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 961 } 962 963 static struct block * 964 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 965 u_int size, bpf_int32 v) 966 { 967 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 968 } 969 970 static struct block * 971 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 972 u_int size, bpf_int32 v, bpf_u_int32 mask) 973 { 974 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 975 } 976 977 static struct block * 978 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 979 u_int size, const u_char *v) 980 { 981 register struct block *b, *tmp; 982 983 b = NULL; 984 while (size >= 4) { 985 register const u_char *p = &v[size - 4]; 986 bpf_int32 w = ((bpf_int32)p[0] << 24) | 987 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 988 989 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w); 990 if (b != NULL) 991 gen_and(b, tmp); 992 b = tmp; 993 size -= 4; 994 } 995 while (size >= 2) { 996 register const u_char *p = &v[size - 2]; 997 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 998 999 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w); 1000 if (b != NULL) 1001 gen_and(b, tmp); 1002 b = tmp; 1003 size -= 2; 1004 } 1005 if (size > 0) { 1006 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 1007 if (b != NULL) 1008 gen_and(b, tmp); 1009 b = tmp; 1010 } 1011 return b; 1012 } 1013 1014 /* 1015 * AND the field of size "size" at offset "offset" relative to the header 1016 * specified by "offrel" with "mask", and compare it with the value "v" 1017 * with the test specified by "jtype"; if "reverse" is true, the test 1018 * should test the opposite of "jtype". 1019 */ 1020 static struct block * 1021 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1022 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1023 bpf_int32 v) 1024 { 1025 struct slist *s, *s2; 1026 struct block *b; 1027 1028 s = gen_load_a(cstate, offrel, offset, size); 1029 1030 if (mask != 0xffffffff) { 1031 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1032 s2->s.k = mask; 1033 sappend(s, s2); 1034 } 1035 1036 b = new_block(cstate, JMP(jtype)); 1037 b->stmts = s; 1038 b->s.k = v; 1039 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1040 gen_not(b); 1041 return b; 1042 } 1043 1044 static void 1045 init_linktype(compiler_state_t *cstate, pcap_t *p) 1046 { 1047 cstate->pcap_fddipad = p->fddipad; 1048 1049 /* 1050 * We start out with only one link-layer header. 1051 */ 1052 cstate->outermostlinktype = pcap_datalink(p); 1053 cstate->off_outermostlinkhdr.constant_part = 0; 1054 cstate->off_outermostlinkhdr.is_variable = 0; 1055 cstate->off_outermostlinkhdr.reg = -1; 1056 1057 cstate->prevlinktype = cstate->outermostlinktype; 1058 cstate->off_prevlinkhdr.constant_part = 0; 1059 cstate->off_prevlinkhdr.is_variable = 0; 1060 cstate->off_prevlinkhdr.reg = -1; 1061 1062 cstate->linktype = cstate->outermostlinktype; 1063 cstate->off_linkhdr.constant_part = 0; 1064 cstate->off_linkhdr.is_variable = 0; 1065 cstate->off_linkhdr.reg = -1; 1066 1067 /* 1068 * XXX 1069 */ 1070 cstate->off_linkpl.constant_part = 0; 1071 cstate->off_linkpl.is_variable = 0; 1072 cstate->off_linkpl.reg = -1; 1073 1074 cstate->off_linktype.constant_part = 0; 1075 cstate->off_linktype.is_variable = 0; 1076 cstate->off_linktype.reg = -1; 1077 1078 /* 1079 * Assume it's not raw ATM with a pseudo-header, for now. 1080 */ 1081 cstate->is_atm = 0; 1082 cstate->off_vpi = OFFSET_NOT_SET; 1083 cstate->off_vci = OFFSET_NOT_SET; 1084 cstate->off_proto = OFFSET_NOT_SET; 1085 cstate->off_payload = OFFSET_NOT_SET; 1086 1087 /* 1088 * And not Geneve. 1089 */ 1090 cstate->is_geneve = 0; 1091 1092 /* 1093 * No variable length VLAN offset by default 1094 */ 1095 cstate->is_vlan_vloffset = 0; 1096 1097 /* 1098 * And assume we're not doing SS7. 1099 */ 1100 cstate->off_li = OFFSET_NOT_SET; 1101 cstate->off_li_hsl = OFFSET_NOT_SET; 1102 cstate->off_sio = OFFSET_NOT_SET; 1103 cstate->off_opc = OFFSET_NOT_SET; 1104 cstate->off_dpc = OFFSET_NOT_SET; 1105 cstate->off_sls = OFFSET_NOT_SET; 1106 1107 cstate->label_stack_depth = 0; 1108 cstate->vlan_stack_depth = 0; 1109 1110 switch (cstate->linktype) { 1111 1112 case DLT_ARCNET: 1113 cstate->off_linktype.constant_part = 2; 1114 cstate->off_linkpl.constant_part = 6; 1115 cstate->off_nl = 0; /* XXX in reality, variable! */ 1116 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1117 break; 1118 1119 case DLT_ARCNET_LINUX: 1120 cstate->off_linktype.constant_part = 4; 1121 cstate->off_linkpl.constant_part = 8; 1122 cstate->off_nl = 0; /* XXX in reality, variable! */ 1123 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1124 break; 1125 1126 case DLT_EN10MB: 1127 cstate->off_linktype.constant_part = 12; 1128 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1129 cstate->off_nl = 0; /* Ethernet II */ 1130 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1131 break; 1132 1133 case DLT_SLIP: 1134 /* 1135 * SLIP doesn't have a link level type. The 16 byte 1136 * header is hacked into our SLIP driver. 1137 */ 1138 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1139 cstate->off_linkpl.constant_part = 16; 1140 cstate->off_nl = 0; 1141 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1142 break; 1143 1144 case DLT_SLIP_BSDOS: 1145 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1146 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1147 /* XXX end */ 1148 cstate->off_linkpl.constant_part = 24; 1149 cstate->off_nl = 0; 1150 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1151 break; 1152 1153 case DLT_NULL: 1154 case DLT_LOOP: 1155 cstate->off_linktype.constant_part = 0; 1156 cstate->off_linkpl.constant_part = 4; 1157 cstate->off_nl = 0; 1158 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1159 break; 1160 1161 case DLT_ENC: 1162 cstate->off_linktype.constant_part = 0; 1163 cstate->off_linkpl.constant_part = 12; 1164 cstate->off_nl = 0; 1165 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1166 break; 1167 1168 case DLT_PPP: 1169 case DLT_PPP_PPPD: 1170 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1171 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1172 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1173 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1174 cstate->off_nl = 0; 1175 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1176 break; 1177 1178 case DLT_PPP_ETHER: 1179 /* 1180 * This does no include the Ethernet header, and 1181 * only covers session state. 1182 */ 1183 cstate->off_linktype.constant_part = 6; 1184 cstate->off_linkpl.constant_part = 8; 1185 cstate->off_nl = 0; 1186 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1187 break; 1188 1189 case DLT_PPP_BSDOS: 1190 cstate->off_linktype.constant_part = 5; 1191 cstate->off_linkpl.constant_part = 24; 1192 cstate->off_nl = 0; 1193 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1194 break; 1195 1196 case DLT_FDDI: 1197 /* 1198 * FDDI doesn't really have a link-level type field. 1199 * We set "off_linktype" to the offset of the LLC header. 1200 * 1201 * To check for Ethernet types, we assume that SSAP = SNAP 1202 * is being used and pick out the encapsulated Ethernet type. 1203 * XXX - should we generate code to check for SNAP? 1204 */ 1205 cstate->off_linktype.constant_part = 13; 1206 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1207 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1208 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1209 cstate->off_nl = 8; /* 802.2+SNAP */ 1210 cstate->off_nl_nosnap = 3; /* 802.2 */ 1211 break; 1212 1213 case DLT_IEEE802: 1214 /* 1215 * Token Ring doesn't really have a link-level type field. 1216 * We set "off_linktype" to the offset of the LLC header. 1217 * 1218 * To check for Ethernet types, we assume that SSAP = SNAP 1219 * is being used and pick out the encapsulated Ethernet type. 1220 * XXX - should we generate code to check for SNAP? 1221 * 1222 * XXX - the header is actually variable-length. 1223 * Some various Linux patched versions gave 38 1224 * as "off_linktype" and 40 as "off_nl"; however, 1225 * if a token ring packet has *no* routing 1226 * information, i.e. is not source-routed, the correct 1227 * values are 20 and 22, as they are in the vanilla code. 1228 * 1229 * A packet is source-routed iff the uppermost bit 1230 * of the first byte of the source address, at an 1231 * offset of 8, has the uppermost bit set. If the 1232 * packet is source-routed, the total number of bytes 1233 * of routing information is 2 plus bits 0x1F00 of 1234 * the 16-bit value at an offset of 14 (shifted right 1235 * 8 - figure out which byte that is). 1236 */ 1237 cstate->off_linktype.constant_part = 14; 1238 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1239 cstate->off_nl = 8; /* 802.2+SNAP */ 1240 cstate->off_nl_nosnap = 3; /* 802.2 */ 1241 break; 1242 1243 case DLT_PRISM_HEADER: 1244 case DLT_IEEE802_11_RADIO_AVS: 1245 case DLT_IEEE802_11_RADIO: 1246 cstate->off_linkhdr.is_variable = 1; 1247 /* Fall through, 802.11 doesn't have a variable link 1248 * prefix but is otherwise the same. */ 1249 1250 case DLT_IEEE802_11: 1251 /* 1252 * 802.11 doesn't really have a link-level type field. 1253 * We set "off_linktype.constant_part" to the offset of 1254 * the LLC header. 1255 * 1256 * To check for Ethernet types, we assume that SSAP = SNAP 1257 * is being used and pick out the encapsulated Ethernet type. 1258 * XXX - should we generate code to check for SNAP? 1259 * 1260 * We also handle variable-length radio headers here. 1261 * The Prism header is in theory variable-length, but in 1262 * practice it's always 144 bytes long. However, some 1263 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1264 * sometimes or always supply an AVS header, so we 1265 * have to check whether the radio header is a Prism 1266 * header or an AVS header, so, in practice, it's 1267 * variable-length. 1268 */ 1269 cstate->off_linktype.constant_part = 24; 1270 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1271 cstate->off_linkpl.is_variable = 1; 1272 cstate->off_nl = 8; /* 802.2+SNAP */ 1273 cstate->off_nl_nosnap = 3; /* 802.2 */ 1274 break; 1275 1276 case DLT_PPI: 1277 /* 1278 * At the moment we treat PPI the same way that we treat 1279 * normal Radiotap encoded packets. The difference is in 1280 * the function that generates the code at the beginning 1281 * to compute the header length. Since this code generator 1282 * of PPI supports bare 802.11 encapsulation only (i.e. 1283 * the encapsulated DLT should be DLT_IEEE802_11) we 1284 * generate code to check for this too. 1285 */ 1286 cstate->off_linktype.constant_part = 24; 1287 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1288 cstate->off_linkpl.is_variable = 1; 1289 cstate->off_linkhdr.is_variable = 1; 1290 cstate->off_nl = 8; /* 802.2+SNAP */ 1291 cstate->off_nl_nosnap = 3; /* 802.2 */ 1292 break; 1293 1294 case DLT_ATM_RFC1483: 1295 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1296 /* 1297 * assume routed, non-ISO PDUs 1298 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1299 * 1300 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1301 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1302 * latter would presumably be treated the way PPPoE 1303 * should be, so you can do "pppoe and udp port 2049" 1304 * or "pppoa and tcp port 80" and have it check for 1305 * PPPo{A,E} and a PPP protocol of IP and.... 1306 */ 1307 cstate->off_linktype.constant_part = 0; 1308 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1309 cstate->off_nl = 8; /* 802.2+SNAP */ 1310 cstate->off_nl_nosnap = 3; /* 802.2 */ 1311 break; 1312 1313 case DLT_SUNATM: 1314 /* 1315 * Full Frontal ATM; you get AALn PDUs with an ATM 1316 * pseudo-header. 1317 */ 1318 cstate->is_atm = 1; 1319 cstate->off_vpi = SUNATM_VPI_POS; 1320 cstate->off_vci = SUNATM_VCI_POS; 1321 cstate->off_proto = PROTO_POS; 1322 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1323 cstate->off_linktype.constant_part = cstate->off_payload; 1324 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1325 cstate->off_nl = 8; /* 802.2+SNAP */ 1326 cstate->off_nl_nosnap = 3; /* 802.2 */ 1327 break; 1328 1329 case DLT_RAW: 1330 case DLT_IPV4: 1331 case DLT_IPV6: 1332 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1333 cstate->off_linkpl.constant_part = 0; 1334 cstate->off_nl = 0; 1335 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1336 break; 1337 1338 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1339 cstate->off_linktype.constant_part = 14; 1340 cstate->off_linkpl.constant_part = 16; 1341 cstate->off_nl = 0; 1342 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1343 break; 1344 1345 case DLT_LTALK: 1346 /* 1347 * LocalTalk does have a 1-byte type field in the LLAP header, 1348 * but really it just indicates whether there is a "short" or 1349 * "long" DDP packet following. 1350 */ 1351 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1352 cstate->off_linkpl.constant_part = 0; 1353 cstate->off_nl = 0; 1354 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1355 break; 1356 1357 case DLT_IP_OVER_FC: 1358 /* 1359 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1360 * link-level type field. We set "off_linktype" to the 1361 * offset of the LLC header. 1362 * 1363 * To check for Ethernet types, we assume that SSAP = SNAP 1364 * is being used and pick out the encapsulated Ethernet type. 1365 * XXX - should we generate code to check for SNAP? RFC 1366 * 2625 says SNAP should be used. 1367 */ 1368 cstate->off_linktype.constant_part = 16; 1369 cstate->off_linkpl.constant_part = 16; 1370 cstate->off_nl = 8; /* 802.2+SNAP */ 1371 cstate->off_nl_nosnap = 3; /* 802.2 */ 1372 break; 1373 1374 case DLT_FRELAY: 1375 /* 1376 * XXX - we should set this to handle SNAP-encapsulated 1377 * frames (NLPID of 0x80). 1378 */ 1379 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1380 cstate->off_linkpl.constant_part = 0; 1381 cstate->off_nl = 0; 1382 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1383 break; 1384 1385 /* 1386 * the only BPF-interesting FRF.16 frames are non-control frames; 1387 * Frame Relay has a variable length link-layer 1388 * so lets start with offset 4 for now and increments later on (FIXME); 1389 */ 1390 case DLT_MFR: 1391 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1392 cstate->off_linkpl.constant_part = 0; 1393 cstate->off_nl = 4; 1394 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1395 break; 1396 1397 case DLT_APPLE_IP_OVER_IEEE1394: 1398 cstate->off_linktype.constant_part = 16; 1399 cstate->off_linkpl.constant_part = 18; 1400 cstate->off_nl = 0; 1401 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1402 break; 1403 1404 case DLT_SYMANTEC_FIREWALL: 1405 cstate->off_linktype.constant_part = 6; 1406 cstate->off_linkpl.constant_part = 44; 1407 cstate->off_nl = 0; /* Ethernet II */ 1408 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1409 break; 1410 1411 #ifdef HAVE_NET_PFVAR_H 1412 case DLT_PFLOG: 1413 cstate->off_linktype.constant_part = 0; 1414 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1415 cstate->off_nl = 0; 1416 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1417 break; 1418 #endif 1419 1420 case DLT_JUNIPER_MFR: 1421 case DLT_JUNIPER_MLFR: 1422 case DLT_JUNIPER_MLPPP: 1423 case DLT_JUNIPER_PPP: 1424 case DLT_JUNIPER_CHDLC: 1425 case DLT_JUNIPER_FRELAY: 1426 cstate->off_linktype.constant_part = 4; 1427 cstate->off_linkpl.constant_part = 4; 1428 cstate->off_nl = 0; 1429 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1430 break; 1431 1432 case DLT_JUNIPER_ATM1: 1433 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1434 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1435 cstate->off_nl = 0; 1436 cstate->off_nl_nosnap = 10; 1437 break; 1438 1439 case DLT_JUNIPER_ATM2: 1440 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1441 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1442 cstate->off_nl = 0; 1443 cstate->off_nl_nosnap = 10; 1444 break; 1445 1446 /* frames captured on a Juniper PPPoE service PIC 1447 * contain raw ethernet frames */ 1448 case DLT_JUNIPER_PPPOE: 1449 case DLT_JUNIPER_ETHER: 1450 cstate->off_linkpl.constant_part = 14; 1451 cstate->off_linktype.constant_part = 16; 1452 cstate->off_nl = 18; /* Ethernet II */ 1453 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1454 break; 1455 1456 case DLT_JUNIPER_PPPOE_ATM: 1457 cstate->off_linktype.constant_part = 4; 1458 cstate->off_linkpl.constant_part = 6; 1459 cstate->off_nl = 0; 1460 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1461 break; 1462 1463 case DLT_JUNIPER_GGSN: 1464 cstate->off_linktype.constant_part = 6; 1465 cstate->off_linkpl.constant_part = 12; 1466 cstate->off_nl = 0; 1467 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1468 break; 1469 1470 case DLT_JUNIPER_ES: 1471 cstate->off_linktype.constant_part = 6; 1472 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1473 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1474 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1475 break; 1476 1477 case DLT_JUNIPER_MONITOR: 1478 cstate->off_linktype.constant_part = 12; 1479 cstate->off_linkpl.constant_part = 12; 1480 cstate->off_nl = 0; /* raw IP/IP6 header */ 1481 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1482 break; 1483 1484 case DLT_BACNET_MS_TP: 1485 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1486 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1487 cstate->off_nl = OFFSET_NOT_SET; 1488 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1489 break; 1490 1491 case DLT_JUNIPER_SERVICES: 1492 cstate->off_linktype.constant_part = 12; 1493 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1494 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1495 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1496 break; 1497 1498 case DLT_JUNIPER_VP: 1499 cstate->off_linktype.constant_part = 18; 1500 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1501 cstate->off_nl = OFFSET_NOT_SET; 1502 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1503 break; 1504 1505 case DLT_JUNIPER_ST: 1506 cstate->off_linktype.constant_part = 18; 1507 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1508 cstate->off_nl = OFFSET_NOT_SET; 1509 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1510 break; 1511 1512 case DLT_JUNIPER_ISM: 1513 cstate->off_linktype.constant_part = 8; 1514 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1515 cstate->off_nl = OFFSET_NOT_SET; 1516 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1517 break; 1518 1519 case DLT_JUNIPER_VS: 1520 case DLT_JUNIPER_SRX_E2E: 1521 case DLT_JUNIPER_FIBRECHANNEL: 1522 case DLT_JUNIPER_ATM_CEMIC: 1523 cstate->off_linktype.constant_part = 8; 1524 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1525 cstate->off_nl = OFFSET_NOT_SET; 1526 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1527 break; 1528 1529 case DLT_MTP2: 1530 cstate->off_li = 2; 1531 cstate->off_li_hsl = 4; 1532 cstate->off_sio = 3; 1533 cstate->off_opc = 4; 1534 cstate->off_dpc = 4; 1535 cstate->off_sls = 7; 1536 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1537 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1538 cstate->off_nl = OFFSET_NOT_SET; 1539 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1540 break; 1541 1542 case DLT_MTP2_WITH_PHDR: 1543 cstate->off_li = 6; 1544 cstate->off_li_hsl = 8; 1545 cstate->off_sio = 7; 1546 cstate->off_opc = 8; 1547 cstate->off_dpc = 8; 1548 cstate->off_sls = 11; 1549 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1550 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1551 cstate->off_nl = OFFSET_NOT_SET; 1552 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1553 break; 1554 1555 case DLT_ERF: 1556 cstate->off_li = 22; 1557 cstate->off_li_hsl = 24; 1558 cstate->off_sio = 23; 1559 cstate->off_opc = 24; 1560 cstate->off_dpc = 24; 1561 cstate->off_sls = 27; 1562 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1563 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1564 cstate->off_nl = OFFSET_NOT_SET; 1565 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1566 break; 1567 1568 case DLT_PFSYNC: 1569 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1570 cstate->off_linkpl.constant_part = 4; 1571 cstate->off_nl = 0; 1572 cstate->off_nl_nosnap = 0; 1573 break; 1574 1575 case DLT_AX25_KISS: 1576 /* 1577 * Currently, only raw "link[N:M]" filtering is supported. 1578 */ 1579 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1580 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1581 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1582 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1583 break; 1584 1585 case DLT_IPNET: 1586 cstate->off_linktype.constant_part = 1; 1587 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1588 cstate->off_nl = 0; 1589 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1590 break; 1591 1592 case DLT_NETANALYZER: 1593 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1594 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1595 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1596 cstate->off_nl = 0; /* Ethernet II */ 1597 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1598 break; 1599 1600 case DLT_NETANALYZER_TRANSPARENT: 1601 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1602 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1603 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1604 cstate->off_nl = 0; /* Ethernet II */ 1605 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1606 break; 1607 1608 default: 1609 /* 1610 * For values in the range in which we've assigned new 1611 * DLT_ values, only raw "link[N:M]" filtering is supported. 1612 */ 1613 if (cstate->linktype >= DLT_MATCHING_MIN && 1614 cstate->linktype <= DLT_MATCHING_MAX) { 1615 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1616 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1617 cstate->off_nl = OFFSET_NOT_SET; 1618 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1619 } else { 1620 bpf_error(cstate, "unknown data link type %d", cstate->linktype); 1621 } 1622 break; 1623 } 1624 1625 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1626 } 1627 1628 /* 1629 * Load a value relative to the specified absolute offset. 1630 */ 1631 static struct slist * 1632 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1633 u_int offset, u_int size) 1634 { 1635 struct slist *s, *s2; 1636 1637 s = gen_abs_offset_varpart(cstate, abs_offset); 1638 1639 /* 1640 * If "s" is non-null, it has code to arrange that the X register 1641 * contains the variable part of the absolute offset, so we 1642 * generate a load relative to that, with an offset of 1643 * abs_offset->constant_part + offset. 1644 * 1645 * Otherwise, we can do an absolute load with an offset of 1646 * abs_offset->constant_part + offset. 1647 */ 1648 if (s != NULL) { 1649 /* 1650 * "s" points to a list of statements that puts the 1651 * variable part of the absolute offset into the X register. 1652 * Do an indirect load, to use the X register as an offset. 1653 */ 1654 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1655 s2->s.k = abs_offset->constant_part + offset; 1656 sappend(s, s2); 1657 } else { 1658 /* 1659 * There is no variable part of the absolute offset, so 1660 * just do an absolute load. 1661 */ 1662 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1663 s->s.k = abs_offset->constant_part + offset; 1664 } 1665 return s; 1666 } 1667 1668 /* 1669 * Load a value relative to the beginning of the specified header. 1670 */ 1671 static struct slist * 1672 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1673 u_int size) 1674 { 1675 struct slist *s, *s2; 1676 1677 switch (offrel) { 1678 1679 case OR_PACKET: 1680 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1681 s->s.k = offset; 1682 break; 1683 1684 case OR_LINKHDR: 1685 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1686 break; 1687 1688 case OR_PREVLINKHDR: 1689 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1690 break; 1691 1692 case OR_LLC: 1693 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1694 break; 1695 1696 case OR_PREVMPLSHDR: 1697 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1698 break; 1699 1700 case OR_LINKPL: 1701 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1702 break; 1703 1704 case OR_LINKPL_NOSNAP: 1705 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1706 break; 1707 1708 case OR_LINKTYPE: 1709 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1710 break; 1711 1712 case OR_TRAN_IPV4: 1713 /* 1714 * Load the X register with the length of the IPv4 header 1715 * (plus the offset of the link-layer header, if it's 1716 * preceded by a variable-length header such as a radio 1717 * header), in bytes. 1718 */ 1719 s = gen_loadx_iphdrlen(cstate); 1720 1721 /* 1722 * Load the item at {offset of the link-layer payload} + 1723 * {offset, relative to the start of the link-layer 1724 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1725 * {specified offset}. 1726 * 1727 * If the offset of the link-layer payload is variable, 1728 * the variable part of that offset is included in the 1729 * value in the X register, and we include the constant 1730 * part in the offset of the load. 1731 */ 1732 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1733 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1734 sappend(s, s2); 1735 break; 1736 1737 case OR_TRAN_IPV6: 1738 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1739 break; 1740 1741 default: 1742 abort(); 1743 /* NOTREACHED */ 1744 } 1745 return s; 1746 } 1747 1748 /* 1749 * Generate code to load into the X register the sum of the length of 1750 * the IPv4 header and the variable part of the offset of the link-layer 1751 * payload. 1752 */ 1753 static struct slist * 1754 gen_loadx_iphdrlen(compiler_state_t *cstate) 1755 { 1756 struct slist *s, *s2; 1757 1758 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1759 if (s != NULL) { 1760 /* 1761 * The offset of the link-layer payload has a variable 1762 * part. "s" points to a list of statements that put 1763 * the variable part of that offset into the X register. 1764 * 1765 * The 4*([k]&0xf) addressing mode can't be used, as we 1766 * don't have a constant offset, so we have to load the 1767 * value in question into the A register and add to it 1768 * the value from the X register. 1769 */ 1770 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1771 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1772 sappend(s, s2); 1773 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1774 s2->s.k = 0xf; 1775 sappend(s, s2); 1776 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1777 s2->s.k = 2; 1778 sappend(s, s2); 1779 1780 /* 1781 * The A register now contains the length of the IP header. 1782 * We need to add to it the variable part of the offset of 1783 * the link-layer payload, which is still in the X 1784 * register, and move the result into the X register. 1785 */ 1786 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1787 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1788 } else { 1789 /* 1790 * The offset of the link-layer payload is a constant, 1791 * so no code was generated to load the (non-existent) 1792 * variable part of that offset. 1793 * 1794 * This means we can use the 4*([k]&0xf) addressing 1795 * mode. Load the length of the IPv4 header, which 1796 * is at an offset of cstate->off_nl from the beginning of 1797 * the link-layer payload, and thus at an offset of 1798 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1799 * of the raw packet data, using that addressing mode. 1800 */ 1801 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1802 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1803 } 1804 return s; 1805 } 1806 1807 1808 static struct block * 1809 gen_uncond(compiler_state_t *cstate, int rsense) 1810 { 1811 struct block *b; 1812 struct slist *s; 1813 1814 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1815 s->s.k = !rsense; 1816 b = new_block(cstate, JMP(BPF_JEQ)); 1817 b->stmts = s; 1818 1819 return b; 1820 } 1821 1822 static inline struct block * 1823 gen_true(compiler_state_t *cstate) 1824 { 1825 return gen_uncond(cstate, 1); 1826 } 1827 1828 static inline struct block * 1829 gen_false(compiler_state_t *cstate) 1830 { 1831 return gen_uncond(cstate, 0); 1832 } 1833 1834 /* 1835 * Byte-swap a 32-bit number. 1836 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1837 * big-endian platforms.) 1838 */ 1839 #define SWAPLONG(y) \ 1840 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1841 1842 /* 1843 * Generate code to match a particular packet type. 1844 * 1845 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1846 * value, if <= ETHERMTU. We use that to determine whether to 1847 * match the type/length field or to check the type/length field for 1848 * a value <= ETHERMTU to see whether it's a type field and then do 1849 * the appropriate test. 1850 */ 1851 static struct block * 1852 gen_ether_linktype(compiler_state_t *cstate, int proto) 1853 { 1854 struct block *b0, *b1; 1855 1856 switch (proto) { 1857 1858 case LLCSAP_ISONS: 1859 case LLCSAP_IP: 1860 case LLCSAP_NETBEUI: 1861 /* 1862 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1863 * so we check the DSAP and SSAP. 1864 * 1865 * LLCSAP_IP checks for IP-over-802.2, rather 1866 * than IP-over-Ethernet or IP-over-SNAP. 1867 * 1868 * XXX - should we check both the DSAP and the 1869 * SSAP, like this, or should we check just the 1870 * DSAP, as we do for other types <= ETHERMTU 1871 * (i.e., other SAP values)? 1872 */ 1873 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1874 gen_not(b0); 1875 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1876 ((proto << 8) | proto)); 1877 gen_and(b0, b1); 1878 return b1; 1879 1880 case LLCSAP_IPX: 1881 /* 1882 * Check for; 1883 * 1884 * Ethernet_II frames, which are Ethernet 1885 * frames with a frame type of ETHERTYPE_IPX; 1886 * 1887 * Ethernet_802.3 frames, which are 802.3 1888 * frames (i.e., the type/length field is 1889 * a length field, <= ETHERMTU, rather than 1890 * a type field) with the first two bytes 1891 * after the Ethernet/802.3 header being 1892 * 0xFFFF; 1893 * 1894 * Ethernet_802.2 frames, which are 802.3 1895 * frames with an 802.2 LLC header and 1896 * with the IPX LSAP as the DSAP in the LLC 1897 * header; 1898 * 1899 * Ethernet_SNAP frames, which are 802.3 1900 * frames with an LLC header and a SNAP 1901 * header and with an OUI of 0x000000 1902 * (encapsulated Ethernet) and a protocol 1903 * ID of ETHERTYPE_IPX in the SNAP header. 1904 * 1905 * XXX - should we generate the same code both 1906 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1907 */ 1908 1909 /* 1910 * This generates code to check both for the 1911 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1912 */ 1913 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1914 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1915 gen_or(b0, b1); 1916 1917 /* 1918 * Now we add code to check for SNAP frames with 1919 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1920 */ 1921 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 1922 gen_or(b0, b1); 1923 1924 /* 1925 * Now we generate code to check for 802.3 1926 * frames in general. 1927 */ 1928 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1929 gen_not(b0); 1930 1931 /* 1932 * Now add the check for 802.3 frames before the 1933 * check for Ethernet_802.2 and Ethernet_802.3, 1934 * as those checks should only be done on 802.3 1935 * frames, not on Ethernet frames. 1936 */ 1937 gen_and(b0, b1); 1938 1939 /* 1940 * Now add the check for Ethernet_II frames, and 1941 * do that before checking for the other frame 1942 * types. 1943 */ 1944 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1945 gen_or(b0, b1); 1946 return b1; 1947 1948 case ETHERTYPE_ATALK: 1949 case ETHERTYPE_AARP: 1950 /* 1951 * EtherTalk (AppleTalk protocols on Ethernet link 1952 * layer) may use 802.2 encapsulation. 1953 */ 1954 1955 /* 1956 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1957 * we check for an Ethernet type field less than 1958 * 1500, which means it's an 802.3 length field. 1959 */ 1960 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1961 gen_not(b0); 1962 1963 /* 1964 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1965 * SNAP packets with an organization code of 1966 * 0x080007 (Apple, for Appletalk) and a protocol 1967 * type of ETHERTYPE_ATALK (Appletalk). 1968 * 1969 * 802.2-encapsulated ETHERTYPE_AARP packets are 1970 * SNAP packets with an organization code of 1971 * 0x000000 (encapsulated Ethernet) and a protocol 1972 * type of ETHERTYPE_AARP (Appletalk ARP). 1973 */ 1974 if (proto == ETHERTYPE_ATALK) 1975 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 1976 else /* proto == ETHERTYPE_AARP */ 1977 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 1978 gen_and(b0, b1); 1979 1980 /* 1981 * Check for Ethernet encapsulation (Ethertalk 1982 * phase 1?); we just check for the Ethernet 1983 * protocol type. 1984 */ 1985 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1986 1987 gen_or(b0, b1); 1988 return b1; 1989 1990 default: 1991 if (proto <= ETHERMTU) { 1992 /* 1993 * This is an LLC SAP value, so the frames 1994 * that match would be 802.2 frames. 1995 * Check that the frame is an 802.2 frame 1996 * (i.e., that the length/type field is 1997 * a length field, <= ETHERMTU) and 1998 * then check the DSAP. 1999 */ 2000 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2001 gen_not(b0); 2002 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 2003 gen_and(b0, b1); 2004 return b1; 2005 } else { 2006 /* 2007 * This is an Ethernet type, so compare 2008 * the length/type field with it (if 2009 * the frame is an 802.2 frame, the length 2010 * field will be <= ETHERMTU, and, as 2011 * "proto" is > ETHERMTU, this test 2012 * will fail and the frame won't match, 2013 * which is what we want). 2014 */ 2015 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 2016 (bpf_int32)proto); 2017 } 2018 } 2019 } 2020 2021 static struct block * 2022 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2023 { 2024 /* 2025 * For DLT_NULL, the link-layer header is a 32-bit word 2026 * containing an AF_ value in *host* byte order, and for 2027 * DLT_ENC, the link-layer header begins with a 32-bit 2028 * word containing an AF_ value in host byte order. 2029 * 2030 * In addition, if we're reading a saved capture file, 2031 * the host byte order in the capture may not be the 2032 * same as the host byte order on this machine. 2033 * 2034 * For DLT_LOOP, the link-layer header is a 32-bit 2035 * word containing an AF_ value in *network* byte order. 2036 */ 2037 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2038 /* 2039 * The AF_ value is in host byte order, but the BPF 2040 * interpreter will convert it to network byte order. 2041 * 2042 * If this is a save file, and it's from a machine 2043 * with the opposite byte order to ours, we byte-swap 2044 * the AF_ value. 2045 * 2046 * Then we run it through "htonl()", and generate 2047 * code to compare against the result. 2048 */ 2049 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2050 proto = SWAPLONG(proto); 2051 proto = htonl(proto); 2052 } 2053 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2054 } 2055 2056 /* 2057 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2058 * or IPv6 then we have an error. 2059 */ 2060 static struct block * 2061 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2062 { 2063 switch (proto) { 2064 2065 case ETHERTYPE_IP: 2066 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2067 /* NOTREACHED */ 2068 2069 case ETHERTYPE_IPV6: 2070 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2071 (bpf_int32)IPH_AF_INET6); 2072 /* NOTREACHED */ 2073 2074 default: 2075 break; 2076 } 2077 2078 return gen_false(cstate); 2079 } 2080 2081 /* 2082 * Generate code to match a particular packet type. 2083 * 2084 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2085 * value, if <= ETHERMTU. We use that to determine whether to 2086 * match the type field or to check the type field for the special 2087 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2088 */ 2089 static struct block * 2090 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2091 { 2092 struct block *b0, *b1; 2093 2094 switch (proto) { 2095 2096 case LLCSAP_ISONS: 2097 case LLCSAP_IP: 2098 case LLCSAP_NETBEUI: 2099 /* 2100 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2101 * so we check the DSAP and SSAP. 2102 * 2103 * LLCSAP_IP checks for IP-over-802.2, rather 2104 * than IP-over-Ethernet or IP-over-SNAP. 2105 * 2106 * XXX - should we check both the DSAP and the 2107 * SSAP, like this, or should we check just the 2108 * DSAP, as we do for other types <= ETHERMTU 2109 * (i.e., other SAP values)? 2110 */ 2111 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2112 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2113 ((proto << 8) | proto)); 2114 gen_and(b0, b1); 2115 return b1; 2116 2117 case LLCSAP_IPX: 2118 /* 2119 * Ethernet_II frames, which are Ethernet 2120 * frames with a frame type of ETHERTYPE_IPX; 2121 * 2122 * Ethernet_802.3 frames, which have a frame 2123 * type of LINUX_SLL_P_802_3; 2124 * 2125 * Ethernet_802.2 frames, which are 802.3 2126 * frames with an 802.2 LLC header (i.e, have 2127 * a frame type of LINUX_SLL_P_802_2) and 2128 * with the IPX LSAP as the DSAP in the LLC 2129 * header; 2130 * 2131 * Ethernet_SNAP frames, which are 802.3 2132 * frames with an LLC header and a SNAP 2133 * header and with an OUI of 0x000000 2134 * (encapsulated Ethernet) and a protocol 2135 * ID of ETHERTYPE_IPX in the SNAP header. 2136 * 2137 * First, do the checks on LINUX_SLL_P_802_2 2138 * frames; generate the check for either 2139 * Ethernet_802.2 or Ethernet_SNAP frames, and 2140 * then put a check for LINUX_SLL_P_802_2 frames 2141 * before it. 2142 */ 2143 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2144 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2145 gen_or(b0, b1); 2146 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2147 gen_and(b0, b1); 2148 2149 /* 2150 * Now check for 802.3 frames and OR that with 2151 * the previous test. 2152 */ 2153 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2154 gen_or(b0, b1); 2155 2156 /* 2157 * Now add the check for Ethernet_II frames, and 2158 * do that before checking for the other frame 2159 * types. 2160 */ 2161 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2162 gen_or(b0, b1); 2163 return b1; 2164 2165 case ETHERTYPE_ATALK: 2166 case ETHERTYPE_AARP: 2167 /* 2168 * EtherTalk (AppleTalk protocols on Ethernet link 2169 * layer) may use 802.2 encapsulation. 2170 */ 2171 2172 /* 2173 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2174 * we check for the 802.2 protocol type in the 2175 * "Ethernet type" field. 2176 */ 2177 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2178 2179 /* 2180 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2181 * SNAP packets with an organization code of 2182 * 0x080007 (Apple, for Appletalk) and a protocol 2183 * type of ETHERTYPE_ATALK (Appletalk). 2184 * 2185 * 802.2-encapsulated ETHERTYPE_AARP packets are 2186 * SNAP packets with an organization code of 2187 * 0x000000 (encapsulated Ethernet) and a protocol 2188 * type of ETHERTYPE_AARP (Appletalk ARP). 2189 */ 2190 if (proto == ETHERTYPE_ATALK) 2191 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2192 else /* proto == ETHERTYPE_AARP */ 2193 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2194 gen_and(b0, b1); 2195 2196 /* 2197 * Check for Ethernet encapsulation (Ethertalk 2198 * phase 1?); we just check for the Ethernet 2199 * protocol type. 2200 */ 2201 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2202 2203 gen_or(b0, b1); 2204 return b1; 2205 2206 default: 2207 if (proto <= ETHERMTU) { 2208 /* 2209 * This is an LLC SAP value, so the frames 2210 * that match would be 802.2 frames. 2211 * Check for the 802.2 protocol type 2212 * in the "Ethernet type" field, and 2213 * then check the DSAP. 2214 */ 2215 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2216 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2217 (bpf_int32)proto); 2218 gen_and(b0, b1); 2219 return b1; 2220 } else { 2221 /* 2222 * This is an Ethernet type, so compare 2223 * the length/type field with it (if 2224 * the frame is an 802.2 frame, the length 2225 * field will be <= ETHERMTU, and, as 2226 * "proto" is > ETHERMTU, this test 2227 * will fail and the frame won't match, 2228 * which is what we want). 2229 */ 2230 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2231 } 2232 } 2233 } 2234 2235 static struct slist * 2236 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2237 { 2238 struct slist *s1, *s2; 2239 struct slist *sjeq_avs_cookie; 2240 struct slist *sjcommon; 2241 2242 /* 2243 * This code is not compatible with the optimizer, as 2244 * we are generating jmp instructions within a normal 2245 * slist of instructions 2246 */ 2247 cstate->no_optimize = 1; 2248 2249 /* 2250 * Generate code to load the length of the radio header into 2251 * the register assigned to hold that length, if one has been 2252 * assigned. (If one hasn't been assigned, no code we've 2253 * generated uses that prefix, so we don't need to generate any 2254 * code to load it.) 2255 * 2256 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2257 * or always use the AVS header rather than the Prism header. 2258 * We load a 4-byte big-endian value at the beginning of the 2259 * raw packet data, and see whether, when masked with 0xFFFFF000, 2260 * it's equal to 0x80211000. If so, that indicates that it's 2261 * an AVS header (the masked-out bits are the version number). 2262 * Otherwise, it's a Prism header. 2263 * 2264 * XXX - the Prism header is also, in theory, variable-length, 2265 * but no known software generates headers that aren't 144 2266 * bytes long. 2267 */ 2268 if (cstate->off_linkhdr.reg != -1) { 2269 /* 2270 * Load the cookie. 2271 */ 2272 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2273 s1->s.k = 0; 2274 2275 /* 2276 * AND it with 0xFFFFF000. 2277 */ 2278 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2279 s2->s.k = 0xFFFFF000; 2280 sappend(s1, s2); 2281 2282 /* 2283 * Compare with 0x80211000. 2284 */ 2285 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2286 sjeq_avs_cookie->s.k = 0x80211000; 2287 sappend(s1, sjeq_avs_cookie); 2288 2289 /* 2290 * If it's AVS: 2291 * 2292 * The 4 bytes at an offset of 4 from the beginning of 2293 * the AVS header are the length of the AVS header. 2294 * That field is big-endian. 2295 */ 2296 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2297 s2->s.k = 4; 2298 sappend(s1, s2); 2299 sjeq_avs_cookie->s.jt = s2; 2300 2301 /* 2302 * Now jump to the code to allocate a register 2303 * into which to save the header length and 2304 * store the length there. (The "jump always" 2305 * instruction needs to have the k field set; 2306 * it's added to the PC, so, as we're jumping 2307 * over a single instruction, it should be 1.) 2308 */ 2309 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2310 sjcommon->s.k = 1; 2311 sappend(s1, sjcommon); 2312 2313 /* 2314 * Now for the code that handles the Prism header. 2315 * Just load the length of the Prism header (144) 2316 * into the A register. Have the test for an AVS 2317 * header branch here if we don't have an AVS header. 2318 */ 2319 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2320 s2->s.k = 144; 2321 sappend(s1, s2); 2322 sjeq_avs_cookie->s.jf = s2; 2323 2324 /* 2325 * Now allocate a register to hold that value and store 2326 * it. The code for the AVS header will jump here after 2327 * loading the length of the AVS header. 2328 */ 2329 s2 = new_stmt(cstate, BPF_ST); 2330 s2->s.k = cstate->off_linkhdr.reg; 2331 sappend(s1, s2); 2332 sjcommon->s.jf = s2; 2333 2334 /* 2335 * Now move it into the X register. 2336 */ 2337 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2338 sappend(s1, s2); 2339 2340 return (s1); 2341 } else 2342 return (NULL); 2343 } 2344 2345 static struct slist * 2346 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2347 { 2348 struct slist *s1, *s2; 2349 2350 /* 2351 * Generate code to load the length of the AVS header into 2352 * the register assigned to hold that length, if one has been 2353 * assigned. (If one hasn't been assigned, no code we've 2354 * generated uses that prefix, so we don't need to generate any 2355 * code to load it.) 2356 */ 2357 if (cstate->off_linkhdr.reg != -1) { 2358 /* 2359 * The 4 bytes at an offset of 4 from the beginning of 2360 * the AVS header are the length of the AVS header. 2361 * That field is big-endian. 2362 */ 2363 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2364 s1->s.k = 4; 2365 2366 /* 2367 * Now allocate a register to hold that value and store 2368 * it. 2369 */ 2370 s2 = new_stmt(cstate, BPF_ST); 2371 s2->s.k = cstate->off_linkhdr.reg; 2372 sappend(s1, s2); 2373 2374 /* 2375 * Now move it into the X register. 2376 */ 2377 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2378 sappend(s1, s2); 2379 2380 return (s1); 2381 } else 2382 return (NULL); 2383 } 2384 2385 static struct slist * 2386 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2387 { 2388 struct slist *s1, *s2; 2389 2390 /* 2391 * Generate code to load the length of the radiotap header into 2392 * the register assigned to hold that length, if one has been 2393 * assigned. (If one hasn't been assigned, no code we've 2394 * generated uses that prefix, so we don't need to generate any 2395 * code to load it.) 2396 */ 2397 if (cstate->off_linkhdr.reg != -1) { 2398 /* 2399 * The 2 bytes at offsets of 2 and 3 from the beginning 2400 * of the radiotap header are the length of the radiotap 2401 * header; unfortunately, it's little-endian, so we have 2402 * to load it a byte at a time and construct the value. 2403 */ 2404 2405 /* 2406 * Load the high-order byte, at an offset of 3, shift it 2407 * left a byte, and put the result in the X register. 2408 */ 2409 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2410 s1->s.k = 3; 2411 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2412 sappend(s1, s2); 2413 s2->s.k = 8; 2414 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2415 sappend(s1, s2); 2416 2417 /* 2418 * Load the next byte, at an offset of 2, and OR the 2419 * value from the X register into it. 2420 */ 2421 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2422 sappend(s1, s2); 2423 s2->s.k = 2; 2424 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2425 sappend(s1, s2); 2426 2427 /* 2428 * Now allocate a register to hold that value and store 2429 * it. 2430 */ 2431 s2 = new_stmt(cstate, BPF_ST); 2432 s2->s.k = cstate->off_linkhdr.reg; 2433 sappend(s1, s2); 2434 2435 /* 2436 * Now move it into the X register. 2437 */ 2438 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2439 sappend(s1, s2); 2440 2441 return (s1); 2442 } else 2443 return (NULL); 2444 } 2445 2446 /* 2447 * At the moment we treat PPI as normal Radiotap encoded 2448 * packets. The difference is in the function that generates 2449 * the code at the beginning to compute the header length. 2450 * Since this code generator of PPI supports bare 802.11 2451 * encapsulation only (i.e. the encapsulated DLT should be 2452 * DLT_IEEE802_11) we generate code to check for this too; 2453 * that's done in finish_parse(). 2454 */ 2455 static struct slist * 2456 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2457 { 2458 struct slist *s1, *s2; 2459 2460 /* 2461 * Generate code to load the length of the radiotap header 2462 * into the register assigned to hold that length, if one has 2463 * been assigned. 2464 */ 2465 if (cstate->off_linkhdr.reg != -1) { 2466 /* 2467 * The 2 bytes at offsets of 2 and 3 from the beginning 2468 * of the radiotap header are the length of the radiotap 2469 * header; unfortunately, it's little-endian, so we have 2470 * to load it a byte at a time and construct the value. 2471 */ 2472 2473 /* 2474 * Load the high-order byte, at an offset of 3, shift it 2475 * left a byte, and put the result in the X register. 2476 */ 2477 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2478 s1->s.k = 3; 2479 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2480 sappend(s1, s2); 2481 s2->s.k = 8; 2482 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2483 sappend(s1, s2); 2484 2485 /* 2486 * Load the next byte, at an offset of 2, and OR the 2487 * value from the X register into it. 2488 */ 2489 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2490 sappend(s1, s2); 2491 s2->s.k = 2; 2492 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2493 sappend(s1, s2); 2494 2495 /* 2496 * Now allocate a register to hold that value and store 2497 * it. 2498 */ 2499 s2 = new_stmt(cstate, BPF_ST); 2500 s2->s.k = cstate->off_linkhdr.reg; 2501 sappend(s1, s2); 2502 2503 /* 2504 * Now move it into the X register. 2505 */ 2506 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2507 sappend(s1, s2); 2508 2509 return (s1); 2510 } else 2511 return (NULL); 2512 } 2513 2514 /* 2515 * Load a value relative to the beginning of the link-layer header after the 802.11 2516 * header, i.e. LLC_SNAP. 2517 * The link-layer header doesn't necessarily begin at the beginning 2518 * of the packet data; there might be a variable-length prefix containing 2519 * radio information. 2520 */ 2521 static struct slist * 2522 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2523 { 2524 struct slist *s2; 2525 struct slist *sjset_data_frame_1; 2526 struct slist *sjset_data_frame_2; 2527 struct slist *sjset_qos; 2528 struct slist *sjset_radiotap_flags_present; 2529 struct slist *sjset_radiotap_ext_present; 2530 struct slist *sjset_radiotap_tsft_present; 2531 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2532 struct slist *s_roundup; 2533 2534 if (cstate->off_linkpl.reg == -1) { 2535 /* 2536 * No register has been assigned to the offset of 2537 * the link-layer payload, which means nobody needs 2538 * it; don't bother computing it - just return 2539 * what we already have. 2540 */ 2541 return (s); 2542 } 2543 2544 /* 2545 * This code is not compatible with the optimizer, as 2546 * we are generating jmp instructions within a normal 2547 * slist of instructions 2548 */ 2549 cstate->no_optimize = 1; 2550 2551 /* 2552 * If "s" is non-null, it has code to arrange that the X register 2553 * contains the length of the prefix preceding the link-layer 2554 * header. 2555 * 2556 * Otherwise, the length of the prefix preceding the link-layer 2557 * header is "off_outermostlinkhdr.constant_part". 2558 */ 2559 if (s == NULL) { 2560 /* 2561 * There is no variable-length header preceding the 2562 * link-layer header. 2563 * 2564 * Load the length of the fixed-length prefix preceding 2565 * the link-layer header (if any) into the X register, 2566 * and store it in the cstate->off_linkpl.reg register. 2567 * That length is off_outermostlinkhdr.constant_part. 2568 */ 2569 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2570 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2571 } 2572 2573 /* 2574 * The X register contains the offset of the beginning of the 2575 * link-layer header; add 24, which is the minimum length 2576 * of the MAC header for a data frame, to that, and store it 2577 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2578 * which is at the offset in the X register, with an indexed load. 2579 */ 2580 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2581 sappend(s, s2); 2582 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2583 s2->s.k = 24; 2584 sappend(s, s2); 2585 s2 = new_stmt(cstate, BPF_ST); 2586 s2->s.k = cstate->off_linkpl.reg; 2587 sappend(s, s2); 2588 2589 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2590 s2->s.k = 0; 2591 sappend(s, s2); 2592 2593 /* 2594 * Check the Frame Control field to see if this is a data frame; 2595 * a data frame has the 0x08 bit (b3) in that field set and the 2596 * 0x04 bit (b2) clear. 2597 */ 2598 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2599 sjset_data_frame_1->s.k = 0x08; 2600 sappend(s, sjset_data_frame_1); 2601 2602 /* 2603 * If b3 is set, test b2, otherwise go to the first statement of 2604 * the rest of the program. 2605 */ 2606 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2607 sjset_data_frame_2->s.k = 0x04; 2608 sappend(s, sjset_data_frame_2); 2609 sjset_data_frame_1->s.jf = snext; 2610 2611 /* 2612 * If b2 is not set, this is a data frame; test the QoS bit. 2613 * Otherwise, go to the first statement of the rest of the 2614 * program. 2615 */ 2616 sjset_data_frame_2->s.jt = snext; 2617 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2618 sjset_qos->s.k = 0x80; /* QoS bit */ 2619 sappend(s, sjset_qos); 2620 2621 /* 2622 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2623 * field. 2624 * Otherwise, go to the first statement of the rest of the 2625 * program. 2626 */ 2627 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2628 s2->s.k = cstate->off_linkpl.reg; 2629 sappend(s, s2); 2630 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2631 s2->s.k = 2; 2632 sappend(s, s2); 2633 s2 = new_stmt(cstate, BPF_ST); 2634 s2->s.k = cstate->off_linkpl.reg; 2635 sappend(s, s2); 2636 2637 /* 2638 * If we have a radiotap header, look at it to see whether 2639 * there's Atheros padding between the MAC-layer header 2640 * and the payload. 2641 * 2642 * Note: all of the fields in the radiotap header are 2643 * little-endian, so we byte-swap all of the values 2644 * we test against, as they will be loaded as big-endian 2645 * values. 2646 * 2647 * XXX - in the general case, we would have to scan through 2648 * *all* the presence bits, if there's more than one word of 2649 * presence bits. That would require a loop, meaning that 2650 * we wouldn't be able to run the filter in the kernel. 2651 * 2652 * We assume here that the Atheros adapters that insert the 2653 * annoying padding don't have multiple antennae and therefore 2654 * do not generate radiotap headers with multiple presence words. 2655 */ 2656 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2657 /* 2658 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2659 * in the first presence flag word? 2660 */ 2661 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2662 s2->s.k = 4; 2663 sappend(s, s2); 2664 2665 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2666 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2667 sappend(s, sjset_radiotap_flags_present); 2668 2669 /* 2670 * If not, skip all of this. 2671 */ 2672 sjset_radiotap_flags_present->s.jf = snext; 2673 2674 /* 2675 * Otherwise, is the "extension" bit set in that word? 2676 */ 2677 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2678 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2679 sappend(s, sjset_radiotap_ext_present); 2680 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2681 2682 /* 2683 * If so, skip all of this. 2684 */ 2685 sjset_radiotap_ext_present->s.jt = snext; 2686 2687 /* 2688 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2689 */ 2690 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2691 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2692 sappend(s, sjset_radiotap_tsft_present); 2693 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2694 2695 /* 2696 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2697 * at an offset of 16 from the beginning of the raw packet 2698 * data (8 bytes for the radiotap header and 8 bytes for 2699 * the TSFT field). 2700 * 2701 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2702 * is set. 2703 */ 2704 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2705 s2->s.k = 16; 2706 sappend(s, s2); 2707 sjset_radiotap_tsft_present->s.jt = s2; 2708 2709 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2710 sjset_tsft_datapad->s.k = 0x20; 2711 sappend(s, sjset_tsft_datapad); 2712 2713 /* 2714 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2715 * at an offset of 8 from the beginning of the raw packet 2716 * data (8 bytes for the radiotap header). 2717 * 2718 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2719 * is set. 2720 */ 2721 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2722 s2->s.k = 8; 2723 sappend(s, s2); 2724 sjset_radiotap_tsft_present->s.jf = s2; 2725 2726 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2727 sjset_notsft_datapad->s.k = 0x20; 2728 sappend(s, sjset_notsft_datapad); 2729 2730 /* 2731 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2732 * set, round the length of the 802.11 header to 2733 * a multiple of 4. Do that by adding 3 and then 2734 * dividing by and multiplying by 4, which we do by 2735 * ANDing with ~3. 2736 */ 2737 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2738 s_roundup->s.k = cstate->off_linkpl.reg; 2739 sappend(s, s_roundup); 2740 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2741 s2->s.k = 3; 2742 sappend(s, s2); 2743 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2744 s2->s.k = ~3; 2745 sappend(s, s2); 2746 s2 = new_stmt(cstate, BPF_ST); 2747 s2->s.k = cstate->off_linkpl.reg; 2748 sappend(s, s2); 2749 2750 sjset_tsft_datapad->s.jt = s_roundup; 2751 sjset_tsft_datapad->s.jf = snext; 2752 sjset_notsft_datapad->s.jt = s_roundup; 2753 sjset_notsft_datapad->s.jf = snext; 2754 } else 2755 sjset_qos->s.jf = snext; 2756 2757 return s; 2758 } 2759 2760 static void 2761 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2762 { 2763 struct slist *s; 2764 2765 /* There is an implicit dependency between the link 2766 * payload and link header since the payload computation 2767 * includes the variable part of the header. Therefore, 2768 * if nobody else has allocated a register for the link 2769 * header and we need it, do it now. */ 2770 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2771 cstate->off_linkhdr.reg == -1) 2772 cstate->off_linkhdr.reg = alloc_reg(cstate); 2773 2774 /* 2775 * For link-layer types that have a variable-length header 2776 * preceding the link-layer header, generate code to load 2777 * the offset of the link-layer header into the register 2778 * assigned to that offset, if any. 2779 * 2780 * XXX - this, and the next switch statement, won't handle 2781 * encapsulation of 802.11 or 802.11+radio information in 2782 * some other protocol stack. That's significantly more 2783 * complicated. 2784 */ 2785 switch (cstate->outermostlinktype) { 2786 2787 case DLT_PRISM_HEADER: 2788 s = gen_load_prism_llprefixlen(cstate); 2789 break; 2790 2791 case DLT_IEEE802_11_RADIO_AVS: 2792 s = gen_load_avs_llprefixlen(cstate); 2793 break; 2794 2795 case DLT_IEEE802_11_RADIO: 2796 s = gen_load_radiotap_llprefixlen(cstate); 2797 break; 2798 2799 case DLT_PPI: 2800 s = gen_load_ppi_llprefixlen(cstate); 2801 break; 2802 2803 default: 2804 s = NULL; 2805 break; 2806 } 2807 2808 /* 2809 * For link-layer types that have a variable-length link-layer 2810 * header, generate code to load the offset of the link-layer 2811 * payload into the register assigned to that offset, if any. 2812 */ 2813 switch (cstate->outermostlinktype) { 2814 2815 case DLT_IEEE802_11: 2816 case DLT_PRISM_HEADER: 2817 case DLT_IEEE802_11_RADIO_AVS: 2818 case DLT_IEEE802_11_RADIO: 2819 case DLT_PPI: 2820 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2821 break; 2822 } 2823 2824 /* 2825 * If there there is no initialization yet and we need variable 2826 * length offsets for VLAN, initialize them to zero 2827 */ 2828 if (s == NULL && cstate->is_vlan_vloffset) { 2829 struct slist *s2; 2830 2831 if (cstate->off_linkpl.reg == -1) 2832 cstate->off_linkpl.reg = alloc_reg(cstate); 2833 if (cstate->off_linktype.reg == -1) 2834 cstate->off_linktype.reg = alloc_reg(cstate); 2835 2836 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2837 s->s.k = 0; 2838 s2 = new_stmt(cstate, BPF_ST); 2839 s2->s.k = cstate->off_linkpl.reg; 2840 sappend(s, s2); 2841 s2 = new_stmt(cstate, BPF_ST); 2842 s2->s.k = cstate->off_linktype.reg; 2843 sappend(s, s2); 2844 } 2845 2846 /* 2847 * If we have any offset-loading code, append all the 2848 * existing statements in the block to those statements, 2849 * and make the resulting list the list of statements 2850 * for the block. 2851 */ 2852 if (s != NULL) { 2853 sappend(s, b->stmts); 2854 b->stmts = s; 2855 } 2856 } 2857 2858 static struct block * 2859 gen_ppi_dlt_check(compiler_state_t *cstate) 2860 { 2861 struct slist *s_load_dlt; 2862 struct block *b; 2863 2864 if (cstate->linktype == DLT_PPI) 2865 { 2866 /* Create the statements that check for the DLT 2867 */ 2868 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2869 s_load_dlt->s.k = 4; 2870 2871 b = new_block(cstate, JMP(BPF_JEQ)); 2872 2873 b->stmts = s_load_dlt; 2874 b->s.k = SWAPLONG(DLT_IEEE802_11); 2875 } 2876 else 2877 { 2878 b = NULL; 2879 } 2880 2881 return b; 2882 } 2883 2884 /* 2885 * Take an absolute offset, and: 2886 * 2887 * if it has no variable part, return NULL; 2888 * 2889 * if it has a variable part, generate code to load the register 2890 * containing that variable part into the X register, returning 2891 * a pointer to that code - if no register for that offset has 2892 * been allocated, allocate it first. 2893 * 2894 * (The code to set that register will be generated later, but will 2895 * be placed earlier in the code sequence.) 2896 */ 2897 static struct slist * 2898 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 2899 { 2900 struct slist *s; 2901 2902 if (off->is_variable) { 2903 if (off->reg == -1) { 2904 /* 2905 * We haven't yet assigned a register for the 2906 * variable part of the offset of the link-layer 2907 * header; allocate one. 2908 */ 2909 off->reg = alloc_reg(cstate); 2910 } 2911 2912 /* 2913 * Load the register containing the variable part of the 2914 * offset of the link-layer header into the X register. 2915 */ 2916 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 2917 s->s.k = off->reg; 2918 return s; 2919 } else { 2920 /* 2921 * That offset isn't variable, there's no variable part, 2922 * so we don't need to generate any code. 2923 */ 2924 return NULL; 2925 } 2926 } 2927 2928 /* 2929 * Map an Ethernet type to the equivalent PPP type. 2930 */ 2931 static int 2932 ethertype_to_ppptype(int proto) 2933 { 2934 switch (proto) { 2935 2936 case ETHERTYPE_IP: 2937 proto = PPP_IP; 2938 break; 2939 2940 case ETHERTYPE_IPV6: 2941 proto = PPP_IPV6; 2942 break; 2943 2944 case ETHERTYPE_DN: 2945 proto = PPP_DECNET; 2946 break; 2947 2948 case ETHERTYPE_ATALK: 2949 proto = PPP_APPLE; 2950 break; 2951 2952 case ETHERTYPE_NS: 2953 proto = PPP_NS; 2954 break; 2955 2956 case LLCSAP_ISONS: 2957 proto = PPP_OSI; 2958 break; 2959 2960 case LLCSAP_8021D: 2961 /* 2962 * I'm assuming the "Bridging PDU"s that go 2963 * over PPP are Spanning Tree Protocol 2964 * Bridging PDUs. 2965 */ 2966 proto = PPP_BRPDU; 2967 break; 2968 2969 case LLCSAP_IPX: 2970 proto = PPP_IPX; 2971 break; 2972 } 2973 return (proto); 2974 } 2975 2976 /* 2977 * Generate any tests that, for encapsulation of a link-layer packet 2978 * inside another protocol stack, need to be done to check for those 2979 * link-layer packets (and that haven't already been done by a check 2980 * for that encapsulation). 2981 */ 2982 static struct block * 2983 gen_prevlinkhdr_check(compiler_state_t *cstate) 2984 { 2985 struct block *b0; 2986 2987 if (cstate->is_geneve) 2988 return gen_geneve_ll_check(cstate); 2989 2990 switch (cstate->prevlinktype) { 2991 2992 case DLT_SUNATM: 2993 /* 2994 * This is LANE-encapsulated Ethernet; check that the LANE 2995 * packet doesn't begin with an LE Control marker, i.e. 2996 * that it's data, not a control message. 2997 * 2998 * (We've already generated a test for LANE.) 2999 */ 3000 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3001 gen_not(b0); 3002 return b0; 3003 3004 default: 3005 /* 3006 * No such tests are necessary. 3007 */ 3008 return NULL; 3009 } 3010 /*NOTREACHED*/ 3011 } 3012 3013 /* 3014 * The three different values we should check for when checking for an 3015 * IPv6 packet with DLT_NULL. 3016 */ 3017 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3018 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3019 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3020 3021 /* 3022 * Generate code to match a particular packet type by matching the 3023 * link-layer type field or fields in the 802.2 LLC header. 3024 * 3025 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3026 * value, if <= ETHERMTU. 3027 */ 3028 static struct block * 3029 gen_linktype(compiler_state_t *cstate, int proto) 3030 { 3031 struct block *b0, *b1, *b2; 3032 const char *description; 3033 3034 /* are we checking MPLS-encapsulated packets? */ 3035 if (cstate->label_stack_depth > 0) { 3036 switch (proto) { 3037 case ETHERTYPE_IP: 3038 case PPP_IP: 3039 /* FIXME add other L3 proto IDs */ 3040 return gen_mpls_linktype(cstate, Q_IP); 3041 3042 case ETHERTYPE_IPV6: 3043 case PPP_IPV6: 3044 /* FIXME add other L3 proto IDs */ 3045 return gen_mpls_linktype(cstate, Q_IPV6); 3046 3047 default: 3048 bpf_error(cstate, "unsupported protocol over mpls"); 3049 /* NOTREACHED */ 3050 } 3051 } 3052 3053 switch (cstate->linktype) { 3054 3055 case DLT_EN10MB: 3056 case DLT_NETANALYZER: 3057 case DLT_NETANALYZER_TRANSPARENT: 3058 /* Geneve has an EtherType regardless of whether there is an 3059 * L2 header. */ 3060 if (!cstate->is_geneve) 3061 b0 = gen_prevlinkhdr_check(cstate); 3062 else 3063 b0 = NULL; 3064 3065 b1 = gen_ether_linktype(cstate, proto); 3066 if (b0 != NULL) 3067 gen_and(b0, b1); 3068 return b1; 3069 /*NOTREACHED*/ 3070 break; 3071 3072 case DLT_C_HDLC: 3073 switch (proto) { 3074 3075 case LLCSAP_ISONS: 3076 proto = (proto << 8 | LLCSAP_ISONS); 3077 /* fall through */ 3078 3079 default: 3080 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3081 /*NOTREACHED*/ 3082 break; 3083 } 3084 break; 3085 3086 case DLT_IEEE802_11: 3087 case DLT_PRISM_HEADER: 3088 case DLT_IEEE802_11_RADIO_AVS: 3089 case DLT_IEEE802_11_RADIO: 3090 case DLT_PPI: 3091 /* 3092 * Check that we have a data frame. 3093 */ 3094 b0 = gen_check_802_11_data_frame(cstate); 3095 3096 /* 3097 * Now check for the specified link-layer type. 3098 */ 3099 b1 = gen_llc_linktype(cstate, proto); 3100 gen_and(b0, b1); 3101 return b1; 3102 /*NOTREACHED*/ 3103 break; 3104 3105 case DLT_FDDI: 3106 /* 3107 * XXX - check for LLC frames. 3108 */ 3109 return gen_llc_linktype(cstate, proto); 3110 /*NOTREACHED*/ 3111 break; 3112 3113 case DLT_IEEE802: 3114 /* 3115 * XXX - check for LLC PDUs, as per IEEE 802.5. 3116 */ 3117 return gen_llc_linktype(cstate, proto); 3118 /*NOTREACHED*/ 3119 break; 3120 3121 case DLT_ATM_RFC1483: 3122 case DLT_ATM_CLIP: 3123 case DLT_IP_OVER_FC: 3124 return gen_llc_linktype(cstate, proto); 3125 /*NOTREACHED*/ 3126 break; 3127 3128 case DLT_SUNATM: 3129 /* 3130 * Check for an LLC-encapsulated version of this protocol; 3131 * if we were checking for LANE, linktype would no longer 3132 * be DLT_SUNATM. 3133 * 3134 * Check for LLC encapsulation and then check the protocol. 3135 */ 3136 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3137 b1 = gen_llc_linktype(cstate, proto); 3138 gen_and(b0, b1); 3139 return b1; 3140 /*NOTREACHED*/ 3141 break; 3142 3143 case DLT_LINUX_SLL: 3144 return gen_linux_sll_linktype(cstate, proto); 3145 /*NOTREACHED*/ 3146 break; 3147 3148 case DLT_SLIP: 3149 case DLT_SLIP_BSDOS: 3150 case DLT_RAW: 3151 /* 3152 * These types don't provide any type field; packets 3153 * are always IPv4 or IPv6. 3154 * 3155 * XXX - for IPv4, check for a version number of 4, and, 3156 * for IPv6, check for a version number of 6? 3157 */ 3158 switch (proto) { 3159 3160 case ETHERTYPE_IP: 3161 /* Check for a version number of 4. */ 3162 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3163 3164 case ETHERTYPE_IPV6: 3165 /* Check for a version number of 6. */ 3166 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3167 3168 default: 3169 return gen_false(cstate); /* always false */ 3170 } 3171 /*NOTREACHED*/ 3172 break; 3173 3174 case DLT_IPV4: 3175 /* 3176 * Raw IPv4, so no type field. 3177 */ 3178 if (proto == ETHERTYPE_IP) 3179 return gen_true(cstate); /* always true */ 3180 3181 /* Checking for something other than IPv4; always false */ 3182 return gen_false(cstate); 3183 /*NOTREACHED*/ 3184 break; 3185 3186 case DLT_IPV6: 3187 /* 3188 * Raw IPv6, so no type field. 3189 */ 3190 if (proto == ETHERTYPE_IPV6) 3191 return gen_true(cstate); /* always true */ 3192 3193 /* Checking for something other than IPv6; always false */ 3194 return gen_false(cstate); 3195 /*NOTREACHED*/ 3196 break; 3197 3198 case DLT_PPP: 3199 case DLT_PPP_PPPD: 3200 case DLT_PPP_SERIAL: 3201 case DLT_PPP_ETHER: 3202 /* 3203 * We use Ethernet protocol types inside libpcap; 3204 * map them to the corresponding PPP protocol types. 3205 */ 3206 proto = ethertype_to_ppptype(proto); 3207 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3208 /*NOTREACHED*/ 3209 break; 3210 3211 case DLT_PPP_BSDOS: 3212 /* 3213 * We use Ethernet protocol types inside libpcap; 3214 * map them to the corresponding PPP protocol types. 3215 */ 3216 switch (proto) { 3217 3218 case ETHERTYPE_IP: 3219 /* 3220 * Also check for Van Jacobson-compressed IP. 3221 * XXX - do this for other forms of PPP? 3222 */ 3223 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3224 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3225 gen_or(b0, b1); 3226 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3227 gen_or(b1, b0); 3228 return b0; 3229 3230 default: 3231 proto = ethertype_to_ppptype(proto); 3232 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3233 (bpf_int32)proto); 3234 } 3235 /*NOTREACHED*/ 3236 break; 3237 3238 case DLT_NULL: 3239 case DLT_LOOP: 3240 case DLT_ENC: 3241 switch (proto) { 3242 3243 case ETHERTYPE_IP: 3244 return (gen_loopback_linktype(cstate, AF_INET)); 3245 3246 case ETHERTYPE_IPV6: 3247 /* 3248 * AF_ values may, unfortunately, be platform- 3249 * dependent; AF_INET isn't, because everybody 3250 * used 4.2BSD's value, but AF_INET6 is, because 3251 * 4.2BSD didn't have a value for it (given that 3252 * IPv6 didn't exist back in the early 1980's), 3253 * and they all picked their own values. 3254 * 3255 * This means that, if we're reading from a 3256 * savefile, we need to check for all the 3257 * possible values. 3258 * 3259 * If we're doing a live capture, we only need 3260 * to check for this platform's value; however, 3261 * Npcap uses 24, which isn't Windows's AF_INET6 3262 * value. (Given the multiple different values, 3263 * programs that read pcap files shouldn't be 3264 * checking for their platform's AF_INET6 value 3265 * anyway, they should check for all of the 3266 * possible values. and they might as well do 3267 * that even for live captures.) 3268 */ 3269 if (cstate->bpf_pcap->rfile != NULL) { 3270 /* 3271 * Savefile - check for all three 3272 * possible IPv6 values. 3273 */ 3274 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3275 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3276 gen_or(b0, b1); 3277 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3278 gen_or(b0, b1); 3279 return (b1); 3280 } else { 3281 /* 3282 * Live capture, so we only need to 3283 * check for the value used on this 3284 * platform. 3285 */ 3286 #ifdef _WIN32 3287 /* 3288 * Npcap doesn't use Windows's AF_INET6, 3289 * as that collides with AF_IPX on 3290 * some BSDs (both have the value 23). 3291 * Instead, it uses 24. 3292 */ 3293 return (gen_loopback_linktype(cstate, 24)); 3294 #else /* _WIN32 */ 3295 #ifdef AF_INET6 3296 return (gen_loopback_linktype(cstate, AF_INET6)); 3297 #else /* AF_INET6 */ 3298 /* 3299 * I guess this platform doesn't support 3300 * IPv6, so we just reject all packets. 3301 */ 3302 return gen_false(cstate); 3303 #endif /* AF_INET6 */ 3304 #endif /* _WIN32 */ 3305 } 3306 3307 default: 3308 /* 3309 * Not a type on which we support filtering. 3310 * XXX - support those that have AF_ values 3311 * #defined on this platform, at least? 3312 */ 3313 return gen_false(cstate); 3314 } 3315 3316 #ifdef HAVE_NET_PFVAR_H 3317 case DLT_PFLOG: 3318 /* 3319 * af field is host byte order in contrast to the rest of 3320 * the packet. 3321 */ 3322 if (proto == ETHERTYPE_IP) 3323 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3324 BPF_B, (bpf_int32)AF_INET)); 3325 else if (proto == ETHERTYPE_IPV6) 3326 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3327 BPF_B, (bpf_int32)AF_INET6)); 3328 else 3329 return gen_false(cstate); 3330 /*NOTREACHED*/ 3331 break; 3332 #endif /* HAVE_NET_PFVAR_H */ 3333 3334 case DLT_ARCNET: 3335 case DLT_ARCNET_LINUX: 3336 /* 3337 * XXX should we check for first fragment if the protocol 3338 * uses PHDS? 3339 */ 3340 switch (proto) { 3341 3342 default: 3343 return gen_false(cstate); 3344 3345 case ETHERTYPE_IPV6: 3346 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3347 (bpf_int32)ARCTYPE_INET6)); 3348 3349 case ETHERTYPE_IP: 3350 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3351 (bpf_int32)ARCTYPE_IP); 3352 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3353 (bpf_int32)ARCTYPE_IP_OLD); 3354 gen_or(b0, b1); 3355 return (b1); 3356 3357 case ETHERTYPE_ARP: 3358 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3359 (bpf_int32)ARCTYPE_ARP); 3360 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3361 (bpf_int32)ARCTYPE_ARP_OLD); 3362 gen_or(b0, b1); 3363 return (b1); 3364 3365 case ETHERTYPE_REVARP: 3366 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3367 (bpf_int32)ARCTYPE_REVARP)); 3368 3369 case ETHERTYPE_ATALK: 3370 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3371 (bpf_int32)ARCTYPE_ATALK)); 3372 } 3373 /*NOTREACHED*/ 3374 break; 3375 3376 case DLT_LTALK: 3377 switch (proto) { 3378 case ETHERTYPE_ATALK: 3379 return gen_true(cstate); 3380 default: 3381 return gen_false(cstate); 3382 } 3383 /*NOTREACHED*/ 3384 break; 3385 3386 case DLT_FRELAY: 3387 /* 3388 * XXX - assumes a 2-byte Frame Relay header with 3389 * DLCI and flags. What if the address is longer? 3390 */ 3391 switch (proto) { 3392 3393 case ETHERTYPE_IP: 3394 /* 3395 * Check for the special NLPID for IP. 3396 */ 3397 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3398 3399 case ETHERTYPE_IPV6: 3400 /* 3401 * Check for the special NLPID for IPv6. 3402 */ 3403 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3404 3405 case LLCSAP_ISONS: 3406 /* 3407 * Check for several OSI protocols. 3408 * 3409 * Frame Relay packets typically have an OSI 3410 * NLPID at the beginning; we check for each 3411 * of them. 3412 * 3413 * What we check for is the NLPID and a frame 3414 * control field of UI, i.e. 0x03 followed 3415 * by the NLPID. 3416 */ 3417 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3418 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3419 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3420 gen_or(b1, b2); 3421 gen_or(b0, b2); 3422 return b2; 3423 3424 default: 3425 return gen_false(cstate); 3426 } 3427 /*NOTREACHED*/ 3428 break; 3429 3430 case DLT_MFR: 3431 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3432 3433 case DLT_JUNIPER_MFR: 3434 case DLT_JUNIPER_MLFR: 3435 case DLT_JUNIPER_MLPPP: 3436 case DLT_JUNIPER_ATM1: 3437 case DLT_JUNIPER_ATM2: 3438 case DLT_JUNIPER_PPPOE: 3439 case DLT_JUNIPER_PPPOE_ATM: 3440 case DLT_JUNIPER_GGSN: 3441 case DLT_JUNIPER_ES: 3442 case DLT_JUNIPER_MONITOR: 3443 case DLT_JUNIPER_SERVICES: 3444 case DLT_JUNIPER_ETHER: 3445 case DLT_JUNIPER_PPP: 3446 case DLT_JUNIPER_FRELAY: 3447 case DLT_JUNIPER_CHDLC: 3448 case DLT_JUNIPER_VP: 3449 case DLT_JUNIPER_ST: 3450 case DLT_JUNIPER_ISM: 3451 case DLT_JUNIPER_VS: 3452 case DLT_JUNIPER_SRX_E2E: 3453 case DLT_JUNIPER_FIBRECHANNEL: 3454 case DLT_JUNIPER_ATM_CEMIC: 3455 3456 /* just lets verify the magic number for now - 3457 * on ATM we may have up to 6 different encapsulations on the wire 3458 * and need a lot of heuristics to figure out that the payload 3459 * might be; 3460 * 3461 * FIXME encapsulation specific BPF_ filters 3462 */ 3463 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3464 3465 case DLT_BACNET_MS_TP: 3466 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3467 3468 case DLT_IPNET: 3469 return gen_ipnet_linktype(cstate, proto); 3470 3471 case DLT_LINUX_IRDA: 3472 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3473 3474 case DLT_DOCSIS: 3475 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3476 3477 case DLT_MTP2: 3478 case DLT_MTP2_WITH_PHDR: 3479 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3480 3481 case DLT_ERF: 3482 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3483 3484 case DLT_PFSYNC: 3485 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3486 3487 case DLT_LINUX_LAPD: 3488 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3489 3490 case DLT_USB_FREEBSD: 3491 case DLT_USB_LINUX: 3492 case DLT_USB_LINUX_MMAPPED: 3493 case DLT_USBPCAP: 3494 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3495 3496 case DLT_BLUETOOTH_HCI_H4: 3497 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3498 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3499 3500 case DLT_CAN20B: 3501 case DLT_CAN_SOCKETCAN: 3502 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3503 3504 case DLT_IEEE802_15_4: 3505 case DLT_IEEE802_15_4_LINUX: 3506 case DLT_IEEE802_15_4_NONASK_PHY: 3507 case DLT_IEEE802_15_4_NOFCS: 3508 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3509 3510 case DLT_IEEE802_16_MAC_CPS_RADIO: 3511 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3512 3513 case DLT_SITA: 3514 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3515 3516 case DLT_RAIF1: 3517 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3518 3519 case DLT_IPMB: 3520 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3521 3522 case DLT_AX25_KISS: 3523 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3524 3525 case DLT_NFLOG: 3526 /* Using the fixed-size NFLOG header it is possible to tell only 3527 * the address family of the packet, other meaningful data is 3528 * either missing or behind TLVs. 3529 */ 3530 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3531 3532 default: 3533 /* 3534 * Does this link-layer header type have a field 3535 * indicating the type of the next protocol? If 3536 * so, off_linktype.constant_part will be the offset of that 3537 * field in the packet; if not, it will be OFFSET_NOT_SET. 3538 */ 3539 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3540 /* 3541 * Yes; assume it's an Ethernet type. (If 3542 * it's not, it needs to be handled specially 3543 * above.) 3544 */ 3545 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3546 } else { 3547 /* 3548 * No; report an error. 3549 */ 3550 description = pcap_datalink_val_to_description(cstate->linktype); 3551 if (description != NULL) { 3552 bpf_error(cstate, "%s link-layer type filtering not implemented", 3553 description); 3554 } else { 3555 bpf_error(cstate, "DLT %u link-layer type filtering not implemented", 3556 cstate->linktype); 3557 } 3558 } 3559 break; 3560 } 3561 } 3562 3563 /* 3564 * Check for an LLC SNAP packet with a given organization code and 3565 * protocol type; we check the entire contents of the 802.2 LLC and 3566 * snap headers, checking for DSAP and SSAP of SNAP and a control 3567 * field of 0x03 in the LLC header, and for the specified organization 3568 * code and protocol type in the SNAP header. 3569 */ 3570 static struct block * 3571 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3572 { 3573 u_char snapblock[8]; 3574 3575 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3576 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3577 snapblock[2] = 0x03; /* control = UI */ 3578 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3579 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3580 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3581 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3582 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3583 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3584 } 3585 3586 /* 3587 * Generate code to match frames with an LLC header. 3588 */ 3589 struct block * 3590 gen_llc(compiler_state_t *cstate) 3591 { 3592 struct block *b0, *b1; 3593 3594 switch (cstate->linktype) { 3595 3596 case DLT_EN10MB: 3597 /* 3598 * We check for an Ethernet type field less than 3599 * 1500, which means it's an 802.3 length field. 3600 */ 3601 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3602 gen_not(b0); 3603 3604 /* 3605 * Now check for the purported DSAP and SSAP not being 3606 * 0xFF, to rule out NetWare-over-802.3. 3607 */ 3608 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3609 gen_not(b1); 3610 gen_and(b0, b1); 3611 return b1; 3612 3613 case DLT_SUNATM: 3614 /* 3615 * We check for LLC traffic. 3616 */ 3617 b0 = gen_atmtype_abbrev(cstate, A_LLC); 3618 return b0; 3619 3620 case DLT_IEEE802: /* Token Ring */ 3621 /* 3622 * XXX - check for LLC frames. 3623 */ 3624 return gen_true(cstate); 3625 3626 case DLT_FDDI: 3627 /* 3628 * XXX - check for LLC frames. 3629 */ 3630 return gen_true(cstate); 3631 3632 case DLT_ATM_RFC1483: 3633 /* 3634 * For LLC encapsulation, these are defined to have an 3635 * 802.2 LLC header. 3636 * 3637 * For VC encapsulation, they don't, but there's no 3638 * way to check for that; the protocol used on the VC 3639 * is negotiated out of band. 3640 */ 3641 return gen_true(cstate); 3642 3643 case DLT_IEEE802_11: 3644 case DLT_PRISM_HEADER: 3645 case DLT_IEEE802_11_RADIO: 3646 case DLT_IEEE802_11_RADIO_AVS: 3647 case DLT_PPI: 3648 /* 3649 * Check that we have a data frame. 3650 */ 3651 b0 = gen_check_802_11_data_frame(cstate); 3652 return b0; 3653 3654 default: 3655 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype); 3656 /* NOTREACHED */ 3657 } 3658 } 3659 3660 struct block * 3661 gen_llc_i(compiler_state_t *cstate) 3662 { 3663 struct block *b0, *b1; 3664 struct slist *s; 3665 3666 /* 3667 * Check whether this is an LLC frame. 3668 */ 3669 b0 = gen_llc(cstate); 3670 3671 /* 3672 * Load the control byte and test the low-order bit; it must 3673 * be clear for I frames. 3674 */ 3675 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3676 b1 = new_block(cstate, JMP(BPF_JSET)); 3677 b1->s.k = 0x01; 3678 b1->stmts = s; 3679 gen_not(b1); 3680 gen_and(b0, b1); 3681 return b1; 3682 } 3683 3684 struct block * 3685 gen_llc_s(compiler_state_t *cstate) 3686 { 3687 struct block *b0, *b1; 3688 3689 /* 3690 * Check whether this is an LLC frame. 3691 */ 3692 b0 = gen_llc(cstate); 3693 3694 /* 3695 * Now compare the low-order 2 bit of the control byte against 3696 * the appropriate value for S frames. 3697 */ 3698 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3699 gen_and(b0, b1); 3700 return b1; 3701 } 3702 3703 struct block * 3704 gen_llc_u(compiler_state_t *cstate) 3705 { 3706 struct block *b0, *b1; 3707 3708 /* 3709 * Check whether this is an LLC frame. 3710 */ 3711 b0 = gen_llc(cstate); 3712 3713 /* 3714 * Now compare the low-order 2 bit of the control byte against 3715 * the appropriate value for U frames. 3716 */ 3717 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3718 gen_and(b0, b1); 3719 return b1; 3720 } 3721 3722 struct block * 3723 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3724 { 3725 struct block *b0, *b1; 3726 3727 /* 3728 * Check whether this is an LLC frame. 3729 */ 3730 b0 = gen_llc(cstate); 3731 3732 /* 3733 * Now check for an S frame with the appropriate type. 3734 */ 3735 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3736 gen_and(b0, b1); 3737 return b1; 3738 } 3739 3740 struct block * 3741 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3742 { 3743 struct block *b0, *b1; 3744 3745 /* 3746 * Check whether this is an LLC frame. 3747 */ 3748 b0 = gen_llc(cstate); 3749 3750 /* 3751 * Now check for a U frame with the appropriate type. 3752 */ 3753 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3754 gen_and(b0, b1); 3755 return b1; 3756 } 3757 3758 /* 3759 * Generate code to match a particular packet type, for link-layer types 3760 * using 802.2 LLC headers. 3761 * 3762 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3763 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3764 * 3765 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3766 * value, if <= ETHERMTU. We use that to determine whether to 3767 * match the DSAP or both DSAP and LSAP or to check the OUI and 3768 * protocol ID in a SNAP header. 3769 */ 3770 static struct block * 3771 gen_llc_linktype(compiler_state_t *cstate, int proto) 3772 { 3773 /* 3774 * XXX - handle token-ring variable-length header. 3775 */ 3776 switch (proto) { 3777 3778 case LLCSAP_IP: 3779 case LLCSAP_ISONS: 3780 case LLCSAP_NETBEUI: 3781 /* 3782 * XXX - should we check both the DSAP and the 3783 * SSAP, like this, or should we check just the 3784 * DSAP, as we do for other SAP values? 3785 */ 3786 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3787 ((proto << 8) | proto)); 3788 3789 case LLCSAP_IPX: 3790 /* 3791 * XXX - are there ever SNAP frames for IPX on 3792 * non-Ethernet 802.x networks? 3793 */ 3794 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3795 (bpf_int32)LLCSAP_IPX); 3796 3797 case ETHERTYPE_ATALK: 3798 /* 3799 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3800 * SNAP packets with an organization code of 3801 * 0x080007 (Apple, for Appletalk) and a protocol 3802 * type of ETHERTYPE_ATALK (Appletalk). 3803 * 3804 * XXX - check for an organization code of 3805 * encapsulated Ethernet as well? 3806 */ 3807 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3808 3809 default: 3810 /* 3811 * XXX - we don't have to check for IPX 802.3 3812 * here, but should we check for the IPX Ethertype? 3813 */ 3814 if (proto <= ETHERMTU) { 3815 /* 3816 * This is an LLC SAP value, so check 3817 * the DSAP. 3818 */ 3819 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3820 } else { 3821 /* 3822 * This is an Ethernet type; we assume that it's 3823 * unlikely that it'll appear in the right place 3824 * at random, and therefore check only the 3825 * location that would hold the Ethernet type 3826 * in a SNAP frame with an organization code of 3827 * 0x000000 (encapsulated Ethernet). 3828 * 3829 * XXX - if we were to check for the SNAP DSAP and 3830 * LSAP, as per XXX, and were also to check for an 3831 * organization code of 0x000000 (encapsulated 3832 * Ethernet), we'd do 3833 * 3834 * return gen_snap(cstate, 0x000000, proto); 3835 * 3836 * here; for now, we don't, as per the above. 3837 * I don't know whether it's worth the extra CPU 3838 * time to do the right check or not. 3839 */ 3840 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3841 } 3842 } 3843 } 3844 3845 static struct block * 3846 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3847 int dir, int proto, u_int src_off, u_int dst_off) 3848 { 3849 struct block *b0, *b1; 3850 u_int offset; 3851 3852 switch (dir) { 3853 3854 case Q_SRC: 3855 offset = src_off; 3856 break; 3857 3858 case Q_DST: 3859 offset = dst_off; 3860 break; 3861 3862 case Q_AND: 3863 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3864 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3865 gen_and(b0, b1); 3866 return b1; 3867 3868 case Q_OR: 3869 case Q_DEFAULT: 3870 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3871 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3872 gen_or(b0, b1); 3873 return b1; 3874 3875 case Q_ADDR1: 3876 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3877 break; 3878 3879 case Q_ADDR2: 3880 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3881 break; 3882 3883 case Q_ADDR3: 3884 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3885 break; 3886 3887 case Q_ADDR4: 3888 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3889 break; 3890 3891 case Q_RA: 3892 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3893 break; 3894 3895 case Q_TA: 3896 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3897 break; 3898 3899 default: 3900 abort(); 3901 } 3902 b0 = gen_linktype(cstate, proto); 3903 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3904 gen_and(b0, b1); 3905 return b1; 3906 } 3907 3908 #ifdef INET6 3909 static struct block * 3910 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 3911 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 3912 { 3913 struct block *b0, *b1; 3914 u_int offset; 3915 uint32_t *a, *m; 3916 3917 switch (dir) { 3918 3919 case Q_SRC: 3920 offset = src_off; 3921 break; 3922 3923 case Q_DST: 3924 offset = dst_off; 3925 break; 3926 3927 case Q_AND: 3928 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3929 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3930 gen_and(b0, b1); 3931 return b1; 3932 3933 case Q_OR: 3934 case Q_DEFAULT: 3935 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3936 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3937 gen_or(b0, b1); 3938 return b1; 3939 3940 case Q_ADDR1: 3941 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3942 break; 3943 3944 case Q_ADDR2: 3945 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3946 break; 3947 3948 case Q_ADDR3: 3949 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3950 break; 3951 3952 case Q_ADDR4: 3953 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3954 break; 3955 3956 case Q_RA: 3957 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3958 break; 3959 3960 case Q_TA: 3961 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3962 break; 3963 3964 default: 3965 abort(); 3966 } 3967 /* this order is important */ 3968 a = (uint32_t *)addr; 3969 m = (uint32_t *)mask; 3970 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3971 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3972 gen_and(b0, b1); 3973 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3974 gen_and(b0, b1); 3975 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3976 gen_and(b0, b1); 3977 b0 = gen_linktype(cstate, proto); 3978 gen_and(b0, b1); 3979 return b1; 3980 } 3981 #endif 3982 3983 static struct block * 3984 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3985 { 3986 register struct block *b0, *b1; 3987 3988 switch (dir) { 3989 case Q_SRC: 3990 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 3991 3992 case Q_DST: 3993 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 3994 3995 case Q_AND: 3996 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3997 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3998 gen_and(b0, b1); 3999 return b1; 4000 4001 case Q_DEFAULT: 4002 case Q_OR: 4003 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4004 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4005 gen_or(b0, b1); 4006 return b1; 4007 4008 case Q_ADDR1: 4009 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4010 break; 4011 4012 case Q_ADDR2: 4013 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4014 break; 4015 4016 case Q_ADDR3: 4017 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4018 break; 4019 4020 case Q_ADDR4: 4021 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4022 break; 4023 4024 case Q_RA: 4025 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4026 break; 4027 4028 case Q_TA: 4029 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4030 break; 4031 } 4032 abort(); 4033 /* NOTREACHED */ 4034 } 4035 4036 /* 4037 * Like gen_ehostop, but for DLT_FDDI 4038 */ 4039 static struct block * 4040 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4041 { 4042 struct block *b0, *b1; 4043 4044 switch (dir) { 4045 case Q_SRC: 4046 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4047 4048 case Q_DST: 4049 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4050 4051 case Q_AND: 4052 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4053 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4054 gen_and(b0, b1); 4055 return b1; 4056 4057 case Q_DEFAULT: 4058 case Q_OR: 4059 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4060 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4061 gen_or(b0, b1); 4062 return b1; 4063 4064 case Q_ADDR1: 4065 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4066 break; 4067 4068 case Q_ADDR2: 4069 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4070 break; 4071 4072 case Q_ADDR3: 4073 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4074 break; 4075 4076 case Q_ADDR4: 4077 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4078 break; 4079 4080 case Q_RA: 4081 bpf_error(cstate, "'ra' is only supported on 802.11"); 4082 break; 4083 4084 case Q_TA: 4085 bpf_error(cstate, "'ta' is only supported on 802.11"); 4086 break; 4087 } 4088 abort(); 4089 /* NOTREACHED */ 4090 } 4091 4092 /* 4093 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4094 */ 4095 static struct block * 4096 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4097 { 4098 register struct block *b0, *b1; 4099 4100 switch (dir) { 4101 case Q_SRC: 4102 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4103 4104 case Q_DST: 4105 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4106 4107 case Q_AND: 4108 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4109 b1 = gen_thostop(cstate, eaddr, Q_DST); 4110 gen_and(b0, b1); 4111 return b1; 4112 4113 case Q_DEFAULT: 4114 case Q_OR: 4115 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4116 b1 = gen_thostop(cstate, eaddr, Q_DST); 4117 gen_or(b0, b1); 4118 return b1; 4119 4120 case Q_ADDR1: 4121 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4122 break; 4123 4124 case Q_ADDR2: 4125 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4126 break; 4127 4128 case Q_ADDR3: 4129 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4130 break; 4131 4132 case Q_ADDR4: 4133 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4134 break; 4135 4136 case Q_RA: 4137 bpf_error(cstate, "'ra' is only supported on 802.11"); 4138 break; 4139 4140 case Q_TA: 4141 bpf_error(cstate, "'ta' is only supported on 802.11"); 4142 break; 4143 } 4144 abort(); 4145 /* NOTREACHED */ 4146 } 4147 4148 /* 4149 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4150 * various 802.11 + radio headers. 4151 */ 4152 static struct block * 4153 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4154 { 4155 register struct block *b0, *b1, *b2; 4156 register struct slist *s; 4157 4158 #ifdef ENABLE_WLAN_FILTERING_PATCH 4159 /* 4160 * TODO GV 20070613 4161 * We need to disable the optimizer because the optimizer is buggy 4162 * and wipes out some LD instructions generated by the below 4163 * code to validate the Frame Control bits 4164 */ 4165 cstate->no_optimize = 1; 4166 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4167 4168 switch (dir) { 4169 case Q_SRC: 4170 /* 4171 * Oh, yuk. 4172 * 4173 * For control frames, there is no SA. 4174 * 4175 * For management frames, SA is at an 4176 * offset of 10 from the beginning of 4177 * the packet. 4178 * 4179 * For data frames, SA is at an offset 4180 * of 10 from the beginning of the packet 4181 * if From DS is clear, at an offset of 4182 * 16 from the beginning of the packet 4183 * if From DS is set and To DS is clear, 4184 * and an offset of 24 from the beginning 4185 * of the packet if From DS is set and To DS 4186 * is set. 4187 */ 4188 4189 /* 4190 * Generate the tests to be done for data frames 4191 * with From DS set. 4192 * 4193 * First, check for To DS set, i.e. check "link[1] & 0x01". 4194 */ 4195 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4196 b1 = new_block(cstate, JMP(BPF_JSET)); 4197 b1->s.k = 0x01; /* To DS */ 4198 b1->stmts = s; 4199 4200 /* 4201 * If To DS is set, the SA is at 24. 4202 */ 4203 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4204 gen_and(b1, b0); 4205 4206 /* 4207 * Now, check for To DS not set, i.e. check 4208 * "!(link[1] & 0x01)". 4209 */ 4210 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4211 b2 = new_block(cstate, JMP(BPF_JSET)); 4212 b2->s.k = 0x01; /* To DS */ 4213 b2->stmts = s; 4214 gen_not(b2); 4215 4216 /* 4217 * If To DS is not set, the SA is at 16. 4218 */ 4219 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4220 gen_and(b2, b1); 4221 4222 /* 4223 * Now OR together the last two checks. That gives 4224 * the complete set of checks for data frames with 4225 * From DS set. 4226 */ 4227 gen_or(b1, b0); 4228 4229 /* 4230 * Now check for From DS being set, and AND that with 4231 * the ORed-together checks. 4232 */ 4233 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4234 b1 = new_block(cstate, JMP(BPF_JSET)); 4235 b1->s.k = 0x02; /* From DS */ 4236 b1->stmts = s; 4237 gen_and(b1, b0); 4238 4239 /* 4240 * Now check for data frames with From DS not set. 4241 */ 4242 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4243 b2 = new_block(cstate, JMP(BPF_JSET)); 4244 b2->s.k = 0x02; /* From DS */ 4245 b2->stmts = s; 4246 gen_not(b2); 4247 4248 /* 4249 * If From DS isn't set, the SA is at 10. 4250 */ 4251 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4252 gen_and(b2, b1); 4253 4254 /* 4255 * Now OR together the checks for data frames with 4256 * From DS not set and for data frames with From DS 4257 * set; that gives the checks done for data frames. 4258 */ 4259 gen_or(b1, b0); 4260 4261 /* 4262 * Now check for a data frame. 4263 * I.e, check "link[0] & 0x08". 4264 */ 4265 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4266 b1 = new_block(cstate, JMP(BPF_JSET)); 4267 b1->s.k = 0x08; 4268 b1->stmts = s; 4269 4270 /* 4271 * AND that with the checks done for data frames. 4272 */ 4273 gen_and(b1, b0); 4274 4275 /* 4276 * If the high-order bit of the type value is 0, this 4277 * is a management frame. 4278 * I.e, check "!(link[0] & 0x08)". 4279 */ 4280 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4281 b2 = new_block(cstate, JMP(BPF_JSET)); 4282 b2->s.k = 0x08; 4283 b2->stmts = s; 4284 gen_not(b2); 4285 4286 /* 4287 * For management frames, the SA is at 10. 4288 */ 4289 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4290 gen_and(b2, b1); 4291 4292 /* 4293 * OR that with the checks done for data frames. 4294 * That gives the checks done for management and 4295 * data frames. 4296 */ 4297 gen_or(b1, b0); 4298 4299 /* 4300 * If the low-order bit of the type value is 1, 4301 * this is either a control frame or a frame 4302 * with a reserved type, and thus not a 4303 * frame with an SA. 4304 * 4305 * I.e., check "!(link[0] & 0x04)". 4306 */ 4307 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4308 b1 = new_block(cstate, JMP(BPF_JSET)); 4309 b1->s.k = 0x04; 4310 b1->stmts = s; 4311 gen_not(b1); 4312 4313 /* 4314 * AND that with the checks for data and management 4315 * frames. 4316 */ 4317 gen_and(b1, b0); 4318 return b0; 4319 4320 case Q_DST: 4321 /* 4322 * Oh, yuk. 4323 * 4324 * For control frames, there is no DA. 4325 * 4326 * For management frames, DA is at an 4327 * offset of 4 from the beginning of 4328 * the packet. 4329 * 4330 * For data frames, DA is at an offset 4331 * of 4 from the beginning of the packet 4332 * if To DS is clear and at an offset of 4333 * 16 from the beginning of the packet 4334 * if To DS is set. 4335 */ 4336 4337 /* 4338 * Generate the tests to be done for data frames. 4339 * 4340 * First, check for To DS set, i.e. "link[1] & 0x01". 4341 */ 4342 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4343 b1 = new_block(cstate, JMP(BPF_JSET)); 4344 b1->s.k = 0x01; /* To DS */ 4345 b1->stmts = s; 4346 4347 /* 4348 * If To DS is set, the DA is at 16. 4349 */ 4350 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4351 gen_and(b1, b0); 4352 4353 /* 4354 * Now, check for To DS not set, i.e. check 4355 * "!(link[1] & 0x01)". 4356 */ 4357 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4358 b2 = new_block(cstate, JMP(BPF_JSET)); 4359 b2->s.k = 0x01; /* To DS */ 4360 b2->stmts = s; 4361 gen_not(b2); 4362 4363 /* 4364 * If To DS is not set, the DA is at 4. 4365 */ 4366 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4367 gen_and(b2, b1); 4368 4369 /* 4370 * Now OR together the last two checks. That gives 4371 * the complete set of checks for data frames. 4372 */ 4373 gen_or(b1, b0); 4374 4375 /* 4376 * Now check for a data frame. 4377 * I.e, check "link[0] & 0x08". 4378 */ 4379 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4380 b1 = new_block(cstate, JMP(BPF_JSET)); 4381 b1->s.k = 0x08; 4382 b1->stmts = s; 4383 4384 /* 4385 * AND that with the checks done for data frames. 4386 */ 4387 gen_and(b1, b0); 4388 4389 /* 4390 * If the high-order bit of the type value is 0, this 4391 * is a management frame. 4392 * I.e, check "!(link[0] & 0x08)". 4393 */ 4394 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4395 b2 = new_block(cstate, JMP(BPF_JSET)); 4396 b2->s.k = 0x08; 4397 b2->stmts = s; 4398 gen_not(b2); 4399 4400 /* 4401 * For management frames, the DA is at 4. 4402 */ 4403 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4404 gen_and(b2, b1); 4405 4406 /* 4407 * OR that with the checks done for data frames. 4408 * That gives the checks done for management and 4409 * data frames. 4410 */ 4411 gen_or(b1, b0); 4412 4413 /* 4414 * If the low-order bit of the type value is 1, 4415 * this is either a control frame or a frame 4416 * with a reserved type, and thus not a 4417 * frame with an SA. 4418 * 4419 * I.e., check "!(link[0] & 0x04)". 4420 */ 4421 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4422 b1 = new_block(cstate, JMP(BPF_JSET)); 4423 b1->s.k = 0x04; 4424 b1->stmts = s; 4425 gen_not(b1); 4426 4427 /* 4428 * AND that with the checks for data and management 4429 * frames. 4430 */ 4431 gen_and(b1, b0); 4432 return b0; 4433 4434 case Q_RA: 4435 /* 4436 * Not present in management frames; addr1 in other 4437 * frames. 4438 */ 4439 4440 /* 4441 * If the high-order bit of the type value is 0, this 4442 * is a management frame. 4443 * I.e, check "(link[0] & 0x08)". 4444 */ 4445 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4446 b1 = new_block(cstate, JMP(BPF_JSET)); 4447 b1->s.k = 0x08; 4448 b1->stmts = s; 4449 4450 /* 4451 * Check addr1. 4452 */ 4453 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4454 4455 /* 4456 * AND that with the check of addr1. 4457 */ 4458 gen_and(b1, b0); 4459 return (b0); 4460 4461 case Q_TA: 4462 /* 4463 * Not present in management frames; addr2, if present, 4464 * in other frames. 4465 */ 4466 4467 /* 4468 * Not present in CTS or ACK control frames. 4469 */ 4470 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4471 IEEE80211_FC0_TYPE_MASK); 4472 gen_not(b0); 4473 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4474 IEEE80211_FC0_SUBTYPE_MASK); 4475 gen_not(b1); 4476 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4477 IEEE80211_FC0_SUBTYPE_MASK); 4478 gen_not(b2); 4479 gen_and(b1, b2); 4480 gen_or(b0, b2); 4481 4482 /* 4483 * If the high-order bit of the type value is 0, this 4484 * is a management frame. 4485 * I.e, check "(link[0] & 0x08)". 4486 */ 4487 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4488 b1 = new_block(cstate, JMP(BPF_JSET)); 4489 b1->s.k = 0x08; 4490 b1->stmts = s; 4491 4492 /* 4493 * AND that with the check for frames other than 4494 * CTS and ACK frames. 4495 */ 4496 gen_and(b1, b2); 4497 4498 /* 4499 * Check addr2. 4500 */ 4501 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4502 gen_and(b2, b1); 4503 return b1; 4504 4505 /* 4506 * XXX - add BSSID keyword? 4507 */ 4508 case Q_ADDR1: 4509 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4510 4511 case Q_ADDR2: 4512 /* 4513 * Not present in CTS or ACK control frames. 4514 */ 4515 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4516 IEEE80211_FC0_TYPE_MASK); 4517 gen_not(b0); 4518 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4519 IEEE80211_FC0_SUBTYPE_MASK); 4520 gen_not(b1); 4521 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4522 IEEE80211_FC0_SUBTYPE_MASK); 4523 gen_not(b2); 4524 gen_and(b1, b2); 4525 gen_or(b0, b2); 4526 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4527 gen_and(b2, b1); 4528 return b1; 4529 4530 case Q_ADDR3: 4531 /* 4532 * Not present in control frames. 4533 */ 4534 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4535 IEEE80211_FC0_TYPE_MASK); 4536 gen_not(b0); 4537 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4538 gen_and(b0, b1); 4539 return b1; 4540 4541 case Q_ADDR4: 4542 /* 4543 * Present only if the direction mask has both "From DS" 4544 * and "To DS" set. Neither control frames nor management 4545 * frames should have both of those set, so we don't 4546 * check the frame type. 4547 */ 4548 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4549 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4550 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4551 gen_and(b0, b1); 4552 return b1; 4553 4554 case Q_AND: 4555 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4556 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4557 gen_and(b0, b1); 4558 return b1; 4559 4560 case Q_DEFAULT: 4561 case Q_OR: 4562 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4563 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4564 gen_or(b0, b1); 4565 return b1; 4566 } 4567 abort(); 4568 /* NOTREACHED */ 4569 } 4570 4571 /* 4572 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4573 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4574 * as the RFC states.) 4575 */ 4576 static struct block * 4577 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4578 { 4579 register struct block *b0, *b1; 4580 4581 switch (dir) { 4582 case Q_SRC: 4583 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4584 4585 case Q_DST: 4586 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4587 4588 case Q_AND: 4589 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4590 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4591 gen_and(b0, b1); 4592 return b1; 4593 4594 case Q_DEFAULT: 4595 case Q_OR: 4596 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4597 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4598 gen_or(b0, b1); 4599 return b1; 4600 4601 case Q_ADDR1: 4602 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4603 break; 4604 4605 case Q_ADDR2: 4606 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4607 break; 4608 4609 case Q_ADDR3: 4610 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4611 break; 4612 4613 case Q_ADDR4: 4614 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4615 break; 4616 4617 case Q_RA: 4618 bpf_error(cstate, "'ra' is only supported on 802.11"); 4619 break; 4620 4621 case Q_TA: 4622 bpf_error(cstate, "'ta' is only supported on 802.11"); 4623 break; 4624 } 4625 abort(); 4626 /* NOTREACHED */ 4627 } 4628 4629 /* 4630 * This is quite tricky because there may be pad bytes in front of the 4631 * DECNET header, and then there are two possible data packet formats that 4632 * carry both src and dst addresses, plus 5 packet types in a format that 4633 * carries only the src node, plus 2 types that use a different format and 4634 * also carry just the src node. 4635 * 4636 * Yuck. 4637 * 4638 * Instead of doing those all right, we just look for data packets with 4639 * 0 or 1 bytes of padding. If you want to look at other packets, that 4640 * will require a lot more hacking. 4641 * 4642 * To add support for filtering on DECNET "areas" (network numbers) 4643 * one would want to add a "mask" argument to this routine. That would 4644 * make the filter even more inefficient, although one could be clever 4645 * and not generate masking instructions if the mask is 0xFFFF. 4646 */ 4647 static struct block * 4648 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4649 { 4650 struct block *b0, *b1, *b2, *tmp; 4651 u_int offset_lh; /* offset if long header is received */ 4652 u_int offset_sh; /* offset if short header is received */ 4653 4654 switch (dir) { 4655 4656 case Q_DST: 4657 offset_sh = 1; /* follows flags */ 4658 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4659 break; 4660 4661 case Q_SRC: 4662 offset_sh = 3; /* follows flags, dstnode */ 4663 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4664 break; 4665 4666 case Q_AND: 4667 /* Inefficient because we do our Calvinball dance twice */ 4668 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4669 b1 = gen_dnhostop(cstate, addr, Q_DST); 4670 gen_and(b0, b1); 4671 return b1; 4672 4673 case Q_OR: 4674 case Q_DEFAULT: 4675 /* Inefficient because we do our Calvinball dance twice */ 4676 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4677 b1 = gen_dnhostop(cstate, addr, Q_DST); 4678 gen_or(b0, b1); 4679 return b1; 4680 4681 case Q_ISO: 4682 bpf_error(cstate, "ISO host filtering not implemented"); 4683 4684 default: 4685 abort(); 4686 } 4687 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4688 /* Check for pad = 1, long header case */ 4689 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4690 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4691 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4692 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4693 gen_and(tmp, b1); 4694 /* Check for pad = 0, long header case */ 4695 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4696 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4697 gen_and(tmp, b2); 4698 gen_or(b2, b1); 4699 /* Check for pad = 1, short header case */ 4700 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4701 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4702 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4703 gen_and(tmp, b2); 4704 gen_or(b2, b1); 4705 /* Check for pad = 0, short header case */ 4706 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4707 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4708 gen_and(tmp, b2); 4709 gen_or(b2, b1); 4710 4711 /* Combine with test for cstate->linktype */ 4712 gen_and(b0, b1); 4713 return b1; 4714 } 4715 4716 /* 4717 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4718 * test the bottom-of-stack bit, and then check the version number 4719 * field in the IP header. 4720 */ 4721 static struct block * 4722 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4723 { 4724 struct block *b0, *b1; 4725 4726 switch (proto) { 4727 4728 case Q_IP: 4729 /* match the bottom-of-stack bit */ 4730 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4731 /* match the IPv4 version number */ 4732 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4733 gen_and(b0, b1); 4734 return b1; 4735 4736 case Q_IPV6: 4737 /* match the bottom-of-stack bit */ 4738 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4739 /* match the IPv4 version number */ 4740 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4741 gen_and(b0, b1); 4742 return b1; 4743 4744 default: 4745 abort(); 4746 } 4747 } 4748 4749 static struct block * 4750 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4751 int proto, int dir, int type) 4752 { 4753 struct block *b0, *b1; 4754 const char *typestr; 4755 4756 if (type == Q_NET) 4757 typestr = "net"; 4758 else 4759 typestr = "host"; 4760 4761 switch (proto) { 4762 4763 case Q_DEFAULT: 4764 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4765 /* 4766 * Only check for non-IPv4 addresses if we're not 4767 * checking MPLS-encapsulated packets. 4768 */ 4769 if (cstate->label_stack_depth == 0) { 4770 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4771 gen_or(b0, b1); 4772 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4773 gen_or(b1, b0); 4774 } 4775 return b0; 4776 4777 case Q_IP: 4778 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4779 4780 case Q_RARP: 4781 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4782 4783 case Q_ARP: 4784 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4785 4786 case Q_TCP: 4787 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4788 4789 case Q_SCTP: 4790 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4791 4792 case Q_UDP: 4793 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4794 4795 case Q_ICMP: 4796 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4797 4798 case Q_IGMP: 4799 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4800 4801 case Q_IGRP: 4802 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4803 4804 case Q_PIM: 4805 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4806 4807 case Q_VRRP: 4808 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4809 4810 case Q_CARP: 4811 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4812 4813 case Q_ATALK: 4814 bpf_error(cstate, "ATALK host filtering not implemented"); 4815 4816 case Q_AARP: 4817 bpf_error(cstate, "AARP host filtering not implemented"); 4818 4819 case Q_DECNET: 4820 return gen_dnhostop(cstate, addr, dir); 4821 4822 case Q_SCA: 4823 bpf_error(cstate, "SCA host filtering not implemented"); 4824 4825 case Q_LAT: 4826 bpf_error(cstate, "LAT host filtering not implemented"); 4827 4828 case Q_MOPDL: 4829 bpf_error(cstate, "MOPDL host filtering not implemented"); 4830 4831 case Q_MOPRC: 4832 bpf_error(cstate, "MOPRC host filtering not implemented"); 4833 4834 case Q_IPV6: 4835 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4836 4837 case Q_ICMPV6: 4838 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4839 4840 case Q_AH: 4841 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4842 4843 case Q_ESP: 4844 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4845 4846 case Q_ISO: 4847 bpf_error(cstate, "ISO host filtering not implemented"); 4848 4849 case Q_ESIS: 4850 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4851 4852 case Q_ISIS: 4853 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4854 4855 case Q_CLNP: 4856 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4857 4858 case Q_STP: 4859 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4860 4861 case Q_IPX: 4862 bpf_error(cstate, "IPX host filtering not implemented"); 4863 4864 case Q_NETBEUI: 4865 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4866 4867 case Q_RADIO: 4868 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4869 4870 default: 4871 abort(); 4872 } 4873 /* NOTREACHED */ 4874 } 4875 4876 #ifdef INET6 4877 static struct block * 4878 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 4879 struct in6_addr *mask, int proto, int dir, int type) 4880 { 4881 const char *typestr; 4882 4883 if (type == Q_NET) 4884 typestr = "net"; 4885 else 4886 typestr = "host"; 4887 4888 switch (proto) { 4889 4890 case Q_DEFAULT: 4891 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 4892 4893 case Q_LINK: 4894 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 4895 4896 case Q_IP: 4897 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 4898 4899 case Q_RARP: 4900 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 4901 4902 case Q_ARP: 4903 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 4904 4905 case Q_SCTP: 4906 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4907 4908 case Q_TCP: 4909 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4910 4911 case Q_UDP: 4912 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4913 4914 case Q_ICMP: 4915 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4916 4917 case Q_IGMP: 4918 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4919 4920 case Q_IGRP: 4921 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4922 4923 case Q_PIM: 4924 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4925 4926 case Q_VRRP: 4927 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4928 4929 case Q_CARP: 4930 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4931 4932 case Q_ATALK: 4933 bpf_error(cstate, "ATALK host filtering not implemented"); 4934 4935 case Q_AARP: 4936 bpf_error(cstate, "AARP host filtering not implemented"); 4937 4938 case Q_DECNET: 4939 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 4940 4941 case Q_SCA: 4942 bpf_error(cstate, "SCA host filtering not implemented"); 4943 4944 case Q_LAT: 4945 bpf_error(cstate, "LAT host filtering not implemented"); 4946 4947 case Q_MOPDL: 4948 bpf_error(cstate, "MOPDL host filtering not implemented"); 4949 4950 case Q_MOPRC: 4951 bpf_error(cstate, "MOPRC host filtering not implemented"); 4952 4953 case Q_IPV6: 4954 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4955 4956 case Q_ICMPV6: 4957 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4958 4959 case Q_AH: 4960 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4961 4962 case Q_ESP: 4963 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4964 4965 case Q_ISO: 4966 bpf_error(cstate, "ISO host filtering not implemented"); 4967 4968 case Q_ESIS: 4969 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4970 4971 case Q_ISIS: 4972 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4973 4974 case Q_CLNP: 4975 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4976 4977 case Q_STP: 4978 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4979 4980 case Q_IPX: 4981 bpf_error(cstate, "IPX host filtering not implemented"); 4982 4983 case Q_NETBEUI: 4984 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4985 4986 case Q_RADIO: 4987 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4988 4989 default: 4990 abort(); 4991 } 4992 /* NOTREACHED */ 4993 } 4994 #endif 4995 4996 #ifndef INET6 4997 static struct block * 4998 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 4999 struct addrinfo *alist, int proto, int dir) 5000 { 5001 struct block *b0, *b1, *tmp; 5002 struct addrinfo *ai; 5003 struct sockaddr_in *sin; 5004 5005 if (dir != 0) 5006 bpf_error(cstate, "direction applied to 'gateway'"); 5007 5008 switch (proto) { 5009 case Q_DEFAULT: 5010 case Q_IP: 5011 case Q_ARP: 5012 case Q_RARP: 5013 switch (cstate->linktype) { 5014 case DLT_EN10MB: 5015 case DLT_NETANALYZER: 5016 case DLT_NETANALYZER_TRANSPARENT: 5017 b1 = gen_prevlinkhdr_check(cstate); 5018 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5019 if (b1 != NULL) 5020 gen_and(b1, b0); 5021 break; 5022 case DLT_FDDI: 5023 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5024 break; 5025 case DLT_IEEE802: 5026 b0 = gen_thostop(cstate, eaddr, Q_OR); 5027 break; 5028 case DLT_IEEE802_11: 5029 case DLT_PRISM_HEADER: 5030 case DLT_IEEE802_11_RADIO_AVS: 5031 case DLT_IEEE802_11_RADIO: 5032 case DLT_PPI: 5033 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5034 break; 5035 case DLT_SUNATM: 5036 /* 5037 * This is LLC-multiplexed traffic; if it were 5038 * LANE, cstate->linktype would have been set to 5039 * DLT_EN10MB. 5040 */ 5041 bpf_error(cstate, 5042 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5043 break; 5044 case DLT_IP_OVER_FC: 5045 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5046 break; 5047 default: 5048 bpf_error(cstate, 5049 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5050 } 5051 b1 = NULL; 5052 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5053 /* 5054 * Does it have an address? 5055 */ 5056 if (ai->ai_addr != NULL) { 5057 /* 5058 * Yes. Is it an IPv4 address? 5059 */ 5060 if (ai->ai_addr->sa_family == AF_INET) { 5061 /* 5062 * Generate an entry for it. 5063 */ 5064 sin = (struct sockaddr_in *)ai->ai_addr; 5065 tmp = gen_host(cstate, 5066 ntohl(sin->sin_addr.s_addr), 5067 0xffffffff, proto, Q_OR, Q_HOST); 5068 /* 5069 * Is it the *first* IPv4 address? 5070 */ 5071 if (b1 == NULL) { 5072 /* 5073 * Yes, so start with it. 5074 */ 5075 b1 = tmp; 5076 } else { 5077 /* 5078 * No, so OR it into the 5079 * existing set of 5080 * addresses. 5081 */ 5082 gen_or(b1, tmp); 5083 b1 = tmp; 5084 } 5085 } 5086 } 5087 } 5088 if (b1 == NULL) { 5089 /* 5090 * No IPv4 addresses found. 5091 */ 5092 return (NULL); 5093 } 5094 gen_not(b1); 5095 gen_and(b0, b1); 5096 return b1; 5097 } 5098 bpf_error(cstate, "illegal modifier of 'gateway'"); 5099 /* NOTREACHED */ 5100 } 5101 #endif 5102 5103 struct block * 5104 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5105 { 5106 struct block *b0; 5107 struct block *b1; 5108 5109 switch (proto) { 5110 5111 case Q_SCTP: 5112 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 5113 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 5114 gen_or(b0, b1); 5115 break; 5116 5117 case Q_TCP: 5118 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 5119 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 5120 gen_or(b0, b1); 5121 break; 5122 5123 case Q_UDP: 5124 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 5125 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5126 gen_or(b0, b1); 5127 break; 5128 5129 case Q_ICMP: 5130 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5131 break; 5132 5133 #ifndef IPPROTO_IGMP 5134 #define IPPROTO_IGMP 2 5135 #endif 5136 5137 case Q_IGMP: 5138 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5139 break; 5140 5141 #ifndef IPPROTO_IGRP 5142 #define IPPROTO_IGRP 9 5143 #endif 5144 case Q_IGRP: 5145 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5146 break; 5147 5148 #ifndef IPPROTO_PIM 5149 #define IPPROTO_PIM 103 5150 #endif 5151 5152 case Q_PIM: 5153 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5154 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5155 gen_or(b0, b1); 5156 break; 5157 5158 #ifndef IPPROTO_VRRP 5159 #define IPPROTO_VRRP 112 5160 #endif 5161 5162 case Q_VRRP: 5163 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5164 break; 5165 5166 #ifndef IPPROTO_CARP 5167 #define IPPROTO_CARP 112 5168 #endif 5169 5170 case Q_CARP: 5171 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5172 break; 5173 5174 case Q_IP: 5175 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5176 break; 5177 5178 case Q_ARP: 5179 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5180 break; 5181 5182 case Q_RARP: 5183 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5184 break; 5185 5186 case Q_LINK: 5187 bpf_error(cstate, "link layer applied in wrong context"); 5188 5189 case Q_ATALK: 5190 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5191 break; 5192 5193 case Q_AARP: 5194 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5195 break; 5196 5197 case Q_DECNET: 5198 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5199 break; 5200 5201 case Q_SCA: 5202 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5203 break; 5204 5205 case Q_LAT: 5206 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5207 break; 5208 5209 case Q_MOPDL: 5210 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5211 break; 5212 5213 case Q_MOPRC: 5214 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5215 break; 5216 5217 case Q_IPV6: 5218 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5219 break; 5220 5221 #ifndef IPPROTO_ICMPV6 5222 #define IPPROTO_ICMPV6 58 5223 #endif 5224 case Q_ICMPV6: 5225 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5226 break; 5227 5228 #ifndef IPPROTO_AH 5229 #define IPPROTO_AH 51 5230 #endif 5231 case Q_AH: 5232 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5233 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5234 gen_or(b0, b1); 5235 break; 5236 5237 #ifndef IPPROTO_ESP 5238 #define IPPROTO_ESP 50 5239 #endif 5240 case Q_ESP: 5241 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5242 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5243 gen_or(b0, b1); 5244 break; 5245 5246 case Q_ISO: 5247 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5248 break; 5249 5250 case Q_ESIS: 5251 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5252 break; 5253 5254 case Q_ISIS: 5255 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5256 break; 5257 5258 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5259 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5260 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5261 gen_or(b0, b1); 5262 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5263 gen_or(b0, b1); 5264 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5265 gen_or(b0, b1); 5266 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5267 gen_or(b0, b1); 5268 break; 5269 5270 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5271 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5272 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5273 gen_or(b0, b1); 5274 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5275 gen_or(b0, b1); 5276 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5277 gen_or(b0, b1); 5278 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5279 gen_or(b0, b1); 5280 break; 5281 5282 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5283 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5284 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5285 gen_or(b0, b1); 5286 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5287 gen_or(b0, b1); 5288 break; 5289 5290 case Q_ISIS_LSP: 5291 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5292 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5293 gen_or(b0, b1); 5294 break; 5295 5296 case Q_ISIS_SNP: 5297 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5298 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5299 gen_or(b0, b1); 5300 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5301 gen_or(b0, b1); 5302 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5303 gen_or(b0, b1); 5304 break; 5305 5306 case Q_ISIS_CSNP: 5307 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5308 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5309 gen_or(b0, b1); 5310 break; 5311 5312 case Q_ISIS_PSNP: 5313 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5314 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5315 gen_or(b0, b1); 5316 break; 5317 5318 case Q_CLNP: 5319 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5320 break; 5321 5322 case Q_STP: 5323 b1 = gen_linktype(cstate, LLCSAP_8021D); 5324 break; 5325 5326 case Q_IPX: 5327 b1 = gen_linktype(cstate, LLCSAP_IPX); 5328 break; 5329 5330 case Q_NETBEUI: 5331 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5332 break; 5333 5334 case Q_RADIO: 5335 bpf_error(cstate, "'radio' is not a valid protocol type"); 5336 5337 default: 5338 abort(); 5339 } 5340 return b1; 5341 } 5342 5343 static struct block * 5344 gen_ipfrag(compiler_state_t *cstate) 5345 { 5346 struct slist *s; 5347 struct block *b; 5348 5349 /* not IPv4 frag other than the first frag */ 5350 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5351 b = new_block(cstate, JMP(BPF_JSET)); 5352 b->s.k = 0x1fff; 5353 b->stmts = s; 5354 gen_not(b); 5355 5356 return b; 5357 } 5358 5359 /* 5360 * Generate a comparison to a port value in the transport-layer header 5361 * at the specified offset from the beginning of that header. 5362 * 5363 * XXX - this handles a variable-length prefix preceding the link-layer 5364 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5365 * variable-length link-layer headers (such as Token Ring or 802.11 5366 * headers). 5367 */ 5368 static struct block * 5369 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5370 { 5371 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5372 } 5373 5374 static struct block * 5375 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5376 { 5377 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5378 } 5379 5380 struct block * 5381 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5382 { 5383 struct block *b0, *b1, *tmp; 5384 5385 /* ip proto 'proto' and not a fragment other than the first fragment */ 5386 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5387 b0 = gen_ipfrag(cstate); 5388 gen_and(tmp, b0); 5389 5390 switch (dir) { 5391 case Q_SRC: 5392 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5393 break; 5394 5395 case Q_DST: 5396 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5397 break; 5398 5399 case Q_OR: 5400 case Q_DEFAULT: 5401 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5402 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5403 gen_or(tmp, b1); 5404 break; 5405 5406 case Q_AND: 5407 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5408 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5409 gen_and(tmp, b1); 5410 break; 5411 5412 default: 5413 abort(); 5414 } 5415 gen_and(b0, b1); 5416 5417 return b1; 5418 } 5419 5420 static struct block * 5421 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5422 { 5423 struct block *b0, *b1, *tmp; 5424 5425 /* 5426 * ether proto ip 5427 * 5428 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5429 * not LLC encapsulation with LLCSAP_IP. 5430 * 5431 * For IEEE 802 networks - which includes 802.5 token ring 5432 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5433 * says that SNAP encapsulation is used, not LLC encapsulation 5434 * with LLCSAP_IP. 5435 * 5436 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5437 * RFC 2225 say that SNAP encapsulation is used, not LLC 5438 * encapsulation with LLCSAP_IP. 5439 * 5440 * So we always check for ETHERTYPE_IP. 5441 */ 5442 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5443 5444 switch (ip_proto) { 5445 case IPPROTO_UDP: 5446 case IPPROTO_TCP: 5447 case IPPROTO_SCTP: 5448 b1 = gen_portop(cstate, port, ip_proto, dir); 5449 break; 5450 5451 case PROTO_UNDEF: 5452 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5453 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5454 gen_or(tmp, b1); 5455 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5456 gen_or(tmp, b1); 5457 break; 5458 5459 default: 5460 abort(); 5461 } 5462 gen_and(b0, b1); 5463 return b1; 5464 } 5465 5466 struct block * 5467 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5468 { 5469 struct block *b0, *b1, *tmp; 5470 5471 /* ip6 proto 'proto' */ 5472 /* XXX - catch the first fragment of a fragmented packet? */ 5473 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5474 5475 switch (dir) { 5476 case Q_SRC: 5477 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5478 break; 5479 5480 case Q_DST: 5481 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5482 break; 5483 5484 case Q_OR: 5485 case Q_DEFAULT: 5486 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5487 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5488 gen_or(tmp, b1); 5489 break; 5490 5491 case Q_AND: 5492 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5493 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5494 gen_and(tmp, b1); 5495 break; 5496 5497 default: 5498 abort(); 5499 } 5500 gen_and(b0, b1); 5501 5502 return b1; 5503 } 5504 5505 static struct block * 5506 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5507 { 5508 struct block *b0, *b1, *tmp; 5509 5510 /* link proto ip6 */ 5511 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5512 5513 switch (ip_proto) { 5514 case IPPROTO_UDP: 5515 case IPPROTO_TCP: 5516 case IPPROTO_SCTP: 5517 b1 = gen_portop6(cstate, port, ip_proto, dir); 5518 break; 5519 5520 case PROTO_UNDEF: 5521 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5522 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5523 gen_or(tmp, b1); 5524 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5525 gen_or(tmp, b1); 5526 break; 5527 5528 default: 5529 abort(); 5530 } 5531 gen_and(b0, b1); 5532 return b1; 5533 } 5534 5535 /* gen_portrange code */ 5536 static struct block * 5537 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5538 bpf_int32 v2) 5539 { 5540 struct block *b1, *b2; 5541 5542 if (v1 > v2) { 5543 /* 5544 * Reverse the order of the ports, so v1 is the lower one. 5545 */ 5546 bpf_int32 vtemp; 5547 5548 vtemp = v1; 5549 v1 = v2; 5550 v2 = vtemp; 5551 } 5552 5553 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5554 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5555 5556 gen_and(b1, b2); 5557 5558 return b2; 5559 } 5560 5561 struct block * 5562 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5563 int dir) 5564 { 5565 struct block *b0, *b1, *tmp; 5566 5567 /* ip proto 'proto' and not a fragment other than the first fragment */ 5568 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5569 b0 = gen_ipfrag(cstate); 5570 gen_and(tmp, b0); 5571 5572 switch (dir) { 5573 case Q_SRC: 5574 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5575 break; 5576 5577 case Q_DST: 5578 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5579 break; 5580 5581 case Q_OR: 5582 case Q_DEFAULT: 5583 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5584 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5585 gen_or(tmp, b1); 5586 break; 5587 5588 case Q_AND: 5589 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5590 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5591 gen_and(tmp, b1); 5592 break; 5593 5594 default: 5595 abort(); 5596 } 5597 gen_and(b0, b1); 5598 5599 return b1; 5600 } 5601 5602 static struct block * 5603 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5604 int dir) 5605 { 5606 struct block *b0, *b1, *tmp; 5607 5608 /* link proto ip */ 5609 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5610 5611 switch (ip_proto) { 5612 case IPPROTO_UDP: 5613 case IPPROTO_TCP: 5614 case IPPROTO_SCTP: 5615 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5616 break; 5617 5618 case PROTO_UNDEF: 5619 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5620 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5621 gen_or(tmp, b1); 5622 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5623 gen_or(tmp, b1); 5624 break; 5625 5626 default: 5627 abort(); 5628 } 5629 gen_and(b0, b1); 5630 return b1; 5631 } 5632 5633 static struct block * 5634 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5635 bpf_int32 v2) 5636 { 5637 struct block *b1, *b2; 5638 5639 if (v1 > v2) { 5640 /* 5641 * Reverse the order of the ports, so v1 is the lower one. 5642 */ 5643 bpf_int32 vtemp; 5644 5645 vtemp = v1; 5646 v1 = v2; 5647 v2 = vtemp; 5648 } 5649 5650 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5651 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5652 5653 gen_and(b1, b2); 5654 5655 return b2; 5656 } 5657 5658 struct block * 5659 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5660 int dir) 5661 { 5662 struct block *b0, *b1, *tmp; 5663 5664 /* ip6 proto 'proto' */ 5665 /* XXX - catch the first fragment of a fragmented packet? */ 5666 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5667 5668 switch (dir) { 5669 case Q_SRC: 5670 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5671 break; 5672 5673 case Q_DST: 5674 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5675 break; 5676 5677 case Q_OR: 5678 case Q_DEFAULT: 5679 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5680 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5681 gen_or(tmp, b1); 5682 break; 5683 5684 case Q_AND: 5685 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5686 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5687 gen_and(tmp, b1); 5688 break; 5689 5690 default: 5691 abort(); 5692 } 5693 gen_and(b0, b1); 5694 5695 return b1; 5696 } 5697 5698 static struct block * 5699 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5700 int dir) 5701 { 5702 struct block *b0, *b1, *tmp; 5703 5704 /* link proto ip6 */ 5705 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5706 5707 switch (ip_proto) { 5708 case IPPROTO_UDP: 5709 case IPPROTO_TCP: 5710 case IPPROTO_SCTP: 5711 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5712 break; 5713 5714 case PROTO_UNDEF: 5715 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5716 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5717 gen_or(tmp, b1); 5718 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5719 gen_or(tmp, b1); 5720 break; 5721 5722 default: 5723 abort(); 5724 } 5725 gen_and(b0, b1); 5726 return b1; 5727 } 5728 5729 static int 5730 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5731 { 5732 register int v; 5733 5734 switch (proto) { 5735 5736 case Q_DEFAULT: 5737 case Q_IP: 5738 case Q_IPV6: 5739 v = pcap_nametoproto(name); 5740 if (v == PROTO_UNDEF) 5741 bpf_error(cstate, "unknown ip proto '%s'", name); 5742 break; 5743 5744 case Q_LINK: 5745 /* XXX should look up h/w protocol type based on cstate->linktype */ 5746 v = pcap_nametoeproto(name); 5747 if (v == PROTO_UNDEF) { 5748 v = pcap_nametollc(name); 5749 if (v == PROTO_UNDEF) 5750 bpf_error(cstate, "unknown ether proto '%s'", name); 5751 } 5752 break; 5753 5754 case Q_ISO: 5755 if (strcmp(name, "esis") == 0) 5756 v = ISO9542_ESIS; 5757 else if (strcmp(name, "isis") == 0) 5758 v = ISO10589_ISIS; 5759 else if (strcmp(name, "clnp") == 0) 5760 v = ISO8473_CLNP; 5761 else 5762 bpf_error(cstate, "unknown osi proto '%s'", name); 5763 break; 5764 5765 default: 5766 v = PROTO_UNDEF; 5767 break; 5768 } 5769 return v; 5770 } 5771 5772 #if 0 5773 struct stmt * 5774 gen_joinsp(struct stmt **s, int n) 5775 { 5776 return NULL; 5777 } 5778 #endif 5779 5780 static struct block * 5781 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 5782 { 5783 #ifdef NO_PROTOCHAIN 5784 return gen_proto(cstate, v, proto, dir); 5785 #else 5786 struct block *b0, *b; 5787 struct slist *s[100]; 5788 int fix2, fix3, fix4, fix5; 5789 int ahcheck, again, end; 5790 int i, max; 5791 int reg2 = alloc_reg(cstate); 5792 5793 memset(s, 0, sizeof(s)); 5794 fix3 = fix4 = fix5 = 0; 5795 5796 switch (proto) { 5797 case Q_IP: 5798 case Q_IPV6: 5799 break; 5800 case Q_DEFAULT: 5801 b0 = gen_protochain(cstate, v, Q_IP, dir); 5802 b = gen_protochain(cstate, v, Q_IPV6, dir); 5803 gen_or(b0, b); 5804 return b; 5805 default: 5806 bpf_error(cstate, "bad protocol applied for 'protochain'"); 5807 /*NOTREACHED*/ 5808 } 5809 5810 /* 5811 * We don't handle variable-length prefixes before the link-layer 5812 * header, or variable-length link-layer headers, here yet. 5813 * We might want to add BPF instructions to do the protochain 5814 * work, to simplify that and, on platforms that have a BPF 5815 * interpreter with the new instructions, let the filtering 5816 * be done in the kernel. (We already require a modified BPF 5817 * engine to do the protochain stuff, to support backward 5818 * branches, and backward branch support is unlikely to appear 5819 * in kernel BPF engines.) 5820 */ 5821 if (cstate->off_linkpl.is_variable) 5822 bpf_error(cstate, "'protochain' not supported with variable length headers"); 5823 5824 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */ 5825 5826 /* 5827 * s[0] is a dummy entry to protect other BPF insn from damage 5828 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5829 * hard to find interdependency made by jump table fixup. 5830 */ 5831 i = 0; 5832 s[i] = new_stmt(cstate, 0); /*dummy*/ 5833 i++; 5834 5835 switch (proto) { 5836 case Q_IP: 5837 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5838 5839 /* A = ip->ip_p */ 5840 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5841 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 5842 i++; 5843 /* X = ip->ip_hl << 2 */ 5844 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 5845 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5846 i++; 5847 break; 5848 5849 case Q_IPV6: 5850 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5851 5852 /* A = ip6->ip_nxt */ 5853 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5854 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 5855 i++; 5856 /* X = sizeof(struct ip6_hdr) */ 5857 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 5858 s[i]->s.k = 40; 5859 i++; 5860 break; 5861 5862 default: 5863 bpf_error(cstate, "unsupported proto to gen_protochain"); 5864 /*NOTREACHED*/ 5865 } 5866 5867 /* again: if (A == v) goto end; else fall through; */ 5868 again = i; 5869 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5870 s[i]->s.k = v; 5871 s[i]->s.jt = NULL; /*later*/ 5872 s[i]->s.jf = NULL; /*update in next stmt*/ 5873 fix5 = i; 5874 i++; 5875 5876 #ifndef IPPROTO_NONE 5877 #define IPPROTO_NONE 59 5878 #endif 5879 /* if (A == IPPROTO_NONE) goto end */ 5880 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5881 s[i]->s.jt = NULL; /*later*/ 5882 s[i]->s.jf = NULL; /*update in next stmt*/ 5883 s[i]->s.k = IPPROTO_NONE; 5884 s[fix5]->s.jf = s[i]; 5885 fix2 = i; 5886 i++; 5887 5888 if (proto == Q_IPV6) { 5889 int v6start, v6end, v6advance, j; 5890 5891 v6start = i; 5892 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5893 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5894 s[i]->s.jt = NULL; /*later*/ 5895 s[i]->s.jf = NULL; /*update in next stmt*/ 5896 s[i]->s.k = IPPROTO_HOPOPTS; 5897 s[fix2]->s.jf = s[i]; 5898 i++; 5899 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5900 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5901 s[i]->s.jt = NULL; /*later*/ 5902 s[i]->s.jf = NULL; /*update in next stmt*/ 5903 s[i]->s.k = IPPROTO_DSTOPTS; 5904 i++; 5905 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5906 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5907 s[i]->s.jt = NULL; /*later*/ 5908 s[i]->s.jf = NULL; /*update in next stmt*/ 5909 s[i]->s.k = IPPROTO_ROUTING; 5910 i++; 5911 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5912 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5913 s[i]->s.jt = NULL; /*later*/ 5914 s[i]->s.jf = NULL; /*later*/ 5915 s[i]->s.k = IPPROTO_FRAGMENT; 5916 fix3 = i; 5917 v6end = i; 5918 i++; 5919 5920 /* v6advance: */ 5921 v6advance = i; 5922 5923 /* 5924 * in short, 5925 * A = P[X + packet head]; 5926 * X = X + (P[X + packet head + 1] + 1) * 8; 5927 */ 5928 /* A = P[X + packet head] */ 5929 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5930 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5931 i++; 5932 /* MEM[reg2] = A */ 5933 s[i] = new_stmt(cstate, BPF_ST); 5934 s[i]->s.k = reg2; 5935 i++; 5936 /* A = P[X + packet head + 1]; */ 5937 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5938 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 5939 i++; 5940 /* A += 1 */ 5941 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5942 s[i]->s.k = 1; 5943 i++; 5944 /* A *= 8 */ 5945 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5946 s[i]->s.k = 8; 5947 i++; 5948 /* A += X */ 5949 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 5950 s[i]->s.k = 0; 5951 i++; 5952 /* X = A; */ 5953 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5954 i++; 5955 /* A = MEM[reg2] */ 5956 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5957 s[i]->s.k = reg2; 5958 i++; 5959 5960 /* goto again; (must use BPF_JA for backward jump) */ 5961 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5962 s[i]->s.k = again - i - 1; 5963 s[i - 1]->s.jf = s[i]; 5964 i++; 5965 5966 /* fixup */ 5967 for (j = v6start; j <= v6end; j++) 5968 s[j]->s.jt = s[v6advance]; 5969 } else { 5970 /* nop */ 5971 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5972 s[i]->s.k = 0; 5973 s[fix2]->s.jf = s[i]; 5974 i++; 5975 } 5976 5977 /* ahcheck: */ 5978 ahcheck = i; 5979 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5980 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5981 s[i]->s.jt = NULL; /*later*/ 5982 s[i]->s.jf = NULL; /*later*/ 5983 s[i]->s.k = IPPROTO_AH; 5984 if (fix3) 5985 s[fix3]->s.jf = s[ahcheck]; 5986 fix4 = i; 5987 i++; 5988 5989 /* 5990 * in short, 5991 * A = P[X]; 5992 * X = X + (P[X + 1] + 2) * 4; 5993 */ 5994 /* A = X */ 5995 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5996 i++; 5997 /* A = P[X + packet head]; */ 5998 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5999 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6000 i++; 6001 /* MEM[reg2] = A */ 6002 s[i] = new_stmt(cstate, BPF_ST); 6003 s[i]->s.k = reg2; 6004 i++; 6005 /* A = X */ 6006 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6007 i++; 6008 /* A += 1 */ 6009 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6010 s[i]->s.k = 1; 6011 i++; 6012 /* X = A */ 6013 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6014 i++; 6015 /* A = P[X + packet head] */ 6016 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6017 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6018 i++; 6019 /* A += 2 */ 6020 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6021 s[i]->s.k = 2; 6022 i++; 6023 /* A *= 4 */ 6024 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6025 s[i]->s.k = 4; 6026 i++; 6027 /* X = A; */ 6028 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6029 i++; 6030 /* A = MEM[reg2] */ 6031 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6032 s[i]->s.k = reg2; 6033 i++; 6034 6035 /* goto again; (must use BPF_JA for backward jump) */ 6036 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6037 s[i]->s.k = again - i - 1; 6038 i++; 6039 6040 /* end: nop */ 6041 end = i; 6042 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6043 s[i]->s.k = 0; 6044 s[fix2]->s.jt = s[end]; 6045 s[fix4]->s.jf = s[end]; 6046 s[fix5]->s.jt = s[end]; 6047 i++; 6048 6049 /* 6050 * make slist chain 6051 */ 6052 max = i; 6053 for (i = 0; i < max - 1; i++) 6054 s[i]->next = s[i + 1]; 6055 s[max - 1]->next = NULL; 6056 6057 /* 6058 * emit final check 6059 */ 6060 b = new_block(cstate, JMP(BPF_JEQ)); 6061 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6062 b->s.k = v; 6063 6064 free_reg(cstate, reg2); 6065 6066 gen_and(b0, b); 6067 return b; 6068 #endif 6069 } 6070 6071 static struct block * 6072 gen_check_802_11_data_frame(compiler_state_t *cstate) 6073 { 6074 struct slist *s; 6075 struct block *b0, *b1; 6076 6077 /* 6078 * A data frame has the 0x08 bit (b3) in the frame control field set 6079 * and the 0x04 bit (b2) clear. 6080 */ 6081 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6082 b0 = new_block(cstate, JMP(BPF_JSET)); 6083 b0->s.k = 0x08; 6084 b0->stmts = s; 6085 6086 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6087 b1 = new_block(cstate, JMP(BPF_JSET)); 6088 b1->s.k = 0x04; 6089 b1->stmts = s; 6090 gen_not(b1); 6091 6092 gen_and(b1, b0); 6093 6094 return b0; 6095 } 6096 6097 /* 6098 * Generate code that checks whether the packet is a packet for protocol 6099 * <proto> and whether the type field in that protocol's header has 6100 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6101 * IP packet and checks the protocol number in the IP header against <v>. 6102 * 6103 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6104 * against Q_IP and Q_IPV6. 6105 */ 6106 static struct block * 6107 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 6108 { 6109 struct block *b0, *b1; 6110 #ifndef CHASE_CHAIN 6111 struct block *b2; 6112 #endif 6113 6114 if (dir != Q_DEFAULT) 6115 bpf_error(cstate, "direction applied to 'proto'"); 6116 6117 switch (proto) { 6118 case Q_DEFAULT: 6119 b0 = gen_proto(cstate, v, Q_IP, dir); 6120 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6121 gen_or(b0, b1); 6122 return b1; 6123 6124 case Q_IP: 6125 /* 6126 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6127 * not LLC encapsulation with LLCSAP_IP. 6128 * 6129 * For IEEE 802 networks - which includes 802.5 token ring 6130 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6131 * says that SNAP encapsulation is used, not LLC encapsulation 6132 * with LLCSAP_IP. 6133 * 6134 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6135 * RFC 2225 say that SNAP encapsulation is used, not LLC 6136 * encapsulation with LLCSAP_IP. 6137 * 6138 * So we always check for ETHERTYPE_IP. 6139 */ 6140 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6141 #ifndef CHASE_CHAIN 6142 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6143 #else 6144 b1 = gen_protochain(cstate, v, Q_IP); 6145 #endif 6146 gen_and(b0, b1); 6147 return b1; 6148 6149 case Q_ISO: 6150 switch (cstate->linktype) { 6151 6152 case DLT_FRELAY: 6153 /* 6154 * Frame Relay packets typically have an OSI 6155 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6156 * generates code to check for all the OSI 6157 * NLPIDs, so calling it and then adding a check 6158 * for the particular NLPID for which we're 6159 * looking is bogus, as we can just check for 6160 * the NLPID. 6161 * 6162 * What we check for is the NLPID and a frame 6163 * control field value of UI, i.e. 0x03 followed 6164 * by the NLPID. 6165 * 6166 * XXX - assumes a 2-byte Frame Relay header with 6167 * DLCI and flags. What if the address is longer? 6168 * 6169 * XXX - what about SNAP-encapsulated frames? 6170 */ 6171 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6172 /*NOTREACHED*/ 6173 break; 6174 6175 case DLT_C_HDLC: 6176 /* 6177 * Cisco uses an Ethertype lookalike - for OSI, 6178 * it's 0xfefe. 6179 */ 6180 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6181 /* OSI in C-HDLC is stuffed with a fudge byte */ 6182 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6183 gen_and(b0, b1); 6184 return b1; 6185 6186 default: 6187 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6188 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6189 gen_and(b0, b1); 6190 return b1; 6191 } 6192 6193 case Q_ISIS: 6194 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6195 /* 6196 * 4 is the offset of the PDU type relative to the IS-IS 6197 * header. 6198 */ 6199 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6200 gen_and(b0, b1); 6201 return b1; 6202 6203 case Q_ARP: 6204 bpf_error(cstate, "arp does not encapsulate another protocol"); 6205 /* NOTREACHED */ 6206 6207 case Q_RARP: 6208 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6209 /* NOTREACHED */ 6210 6211 case Q_ATALK: 6212 bpf_error(cstate, "atalk encapsulation is not specifiable"); 6213 /* NOTREACHED */ 6214 6215 case Q_DECNET: 6216 bpf_error(cstate, "decnet encapsulation is not specifiable"); 6217 /* NOTREACHED */ 6218 6219 case Q_SCA: 6220 bpf_error(cstate, "sca does not encapsulate another protocol"); 6221 /* NOTREACHED */ 6222 6223 case Q_LAT: 6224 bpf_error(cstate, "lat does not encapsulate another protocol"); 6225 /* NOTREACHED */ 6226 6227 case Q_MOPRC: 6228 bpf_error(cstate, "moprc does not encapsulate another protocol"); 6229 /* NOTREACHED */ 6230 6231 case Q_MOPDL: 6232 bpf_error(cstate, "mopdl does not encapsulate another protocol"); 6233 /* NOTREACHED */ 6234 6235 case Q_LINK: 6236 return gen_linktype(cstate, v); 6237 6238 case Q_UDP: 6239 bpf_error(cstate, "'udp proto' is bogus"); 6240 /* NOTREACHED */ 6241 6242 case Q_TCP: 6243 bpf_error(cstate, "'tcp proto' is bogus"); 6244 /* NOTREACHED */ 6245 6246 case Q_SCTP: 6247 bpf_error(cstate, "'sctp proto' is bogus"); 6248 /* NOTREACHED */ 6249 6250 case Q_ICMP: 6251 bpf_error(cstate, "'icmp proto' is bogus"); 6252 /* NOTREACHED */ 6253 6254 case Q_IGMP: 6255 bpf_error(cstate, "'igmp proto' is bogus"); 6256 /* NOTREACHED */ 6257 6258 case Q_IGRP: 6259 bpf_error(cstate, "'igrp proto' is bogus"); 6260 /* NOTREACHED */ 6261 6262 case Q_PIM: 6263 bpf_error(cstate, "'pim proto' is bogus"); 6264 /* NOTREACHED */ 6265 6266 case Q_VRRP: 6267 bpf_error(cstate, "'vrrp proto' is bogus"); 6268 /* NOTREACHED */ 6269 6270 case Q_CARP: 6271 bpf_error(cstate, "'carp proto' is bogus"); 6272 /* NOTREACHED */ 6273 6274 case Q_IPV6: 6275 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6276 #ifndef CHASE_CHAIN 6277 /* 6278 * Also check for a fragment header before the final 6279 * header. 6280 */ 6281 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6282 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6283 gen_and(b2, b1); 6284 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6285 gen_or(b2, b1); 6286 #else 6287 b1 = gen_protochain(cstate, v, Q_IPV6); 6288 #endif 6289 gen_and(b0, b1); 6290 return b1; 6291 6292 case Q_ICMPV6: 6293 bpf_error(cstate, "'icmp6 proto' is bogus"); 6294 6295 case Q_AH: 6296 bpf_error(cstate, "'ah proto' is bogus"); 6297 6298 case Q_ESP: 6299 bpf_error(cstate, "'ah proto' is bogus"); 6300 6301 case Q_STP: 6302 bpf_error(cstate, "'stp proto' is bogus"); 6303 6304 case Q_IPX: 6305 bpf_error(cstate, "'ipx proto' is bogus"); 6306 6307 case Q_NETBEUI: 6308 bpf_error(cstate, "'netbeui proto' is bogus"); 6309 6310 case Q_RADIO: 6311 bpf_error(cstate, "'radio proto' is bogus"); 6312 6313 default: 6314 abort(); 6315 /* NOTREACHED */ 6316 } 6317 /* NOTREACHED */ 6318 } 6319 6320 struct block * 6321 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6322 { 6323 int proto = q.proto; 6324 int dir = q.dir; 6325 int tproto; 6326 u_char *eaddr; 6327 bpf_u_int32 mask, addr; 6328 struct addrinfo *res, *res0; 6329 struct sockaddr_in *sin4; 6330 #ifdef INET6 6331 int tproto6; 6332 struct sockaddr_in6 *sin6; 6333 struct in6_addr mask128; 6334 #endif /*INET6*/ 6335 struct block *b, *tmp; 6336 int port, real_proto; 6337 int port1, port2; 6338 6339 switch (q.addr) { 6340 6341 case Q_NET: 6342 addr = pcap_nametonetaddr(name); 6343 if (addr == 0) 6344 bpf_error(cstate, "unknown network '%s'", name); 6345 /* Left justify network addr and calculate its network mask */ 6346 mask = 0xffffffff; 6347 while (addr && (addr & 0xff000000) == 0) { 6348 addr <<= 8; 6349 mask <<= 8; 6350 } 6351 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6352 6353 case Q_DEFAULT: 6354 case Q_HOST: 6355 if (proto == Q_LINK) { 6356 switch (cstate->linktype) { 6357 6358 case DLT_EN10MB: 6359 case DLT_NETANALYZER: 6360 case DLT_NETANALYZER_TRANSPARENT: 6361 eaddr = pcap_ether_hostton(name); 6362 if (eaddr == NULL) 6363 bpf_error(cstate, 6364 "unknown ether host '%s'", name); 6365 tmp = gen_prevlinkhdr_check(cstate); 6366 b = gen_ehostop(cstate, eaddr, dir); 6367 if (tmp != NULL) 6368 gen_and(tmp, b); 6369 free(eaddr); 6370 return b; 6371 6372 case DLT_FDDI: 6373 eaddr = pcap_ether_hostton(name); 6374 if (eaddr == NULL) 6375 bpf_error(cstate, 6376 "unknown FDDI host '%s'", name); 6377 b = gen_fhostop(cstate, eaddr, dir); 6378 free(eaddr); 6379 return b; 6380 6381 case DLT_IEEE802: 6382 eaddr = pcap_ether_hostton(name); 6383 if (eaddr == NULL) 6384 bpf_error(cstate, 6385 "unknown token ring host '%s'", name); 6386 b = gen_thostop(cstate, eaddr, dir); 6387 free(eaddr); 6388 return b; 6389 6390 case DLT_IEEE802_11: 6391 case DLT_PRISM_HEADER: 6392 case DLT_IEEE802_11_RADIO_AVS: 6393 case DLT_IEEE802_11_RADIO: 6394 case DLT_PPI: 6395 eaddr = pcap_ether_hostton(name); 6396 if (eaddr == NULL) 6397 bpf_error(cstate, 6398 "unknown 802.11 host '%s'", name); 6399 b = gen_wlanhostop(cstate, eaddr, dir); 6400 free(eaddr); 6401 return b; 6402 6403 case DLT_IP_OVER_FC: 6404 eaddr = pcap_ether_hostton(name); 6405 if (eaddr == NULL) 6406 bpf_error(cstate, 6407 "unknown Fibre Channel host '%s'", name); 6408 b = gen_ipfchostop(cstate, eaddr, dir); 6409 free(eaddr); 6410 return b; 6411 } 6412 6413 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6414 } else if (proto == Q_DECNET) { 6415 unsigned short dn_addr; 6416 6417 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6418 #ifdef DECNETLIB 6419 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6420 #else 6421 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6422 name); 6423 #endif 6424 } 6425 /* 6426 * I don't think DECNET hosts can be multihomed, so 6427 * there is no need to build up a list of addresses 6428 */ 6429 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6430 } else { 6431 #ifdef INET6 6432 memset(&mask128, 0xff, sizeof(mask128)); 6433 #endif 6434 res0 = res = pcap_nametoaddrinfo(name); 6435 if (res == NULL) 6436 bpf_error(cstate, "unknown host '%s'", name); 6437 cstate->ai = res; 6438 b = tmp = NULL; 6439 tproto = proto; 6440 #ifdef INET6 6441 tproto6 = proto; 6442 #endif 6443 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6444 tproto == Q_DEFAULT) { 6445 tproto = Q_IP; 6446 #ifdef INET6 6447 tproto6 = Q_IPV6; 6448 #endif 6449 } 6450 for (res = res0; res; res = res->ai_next) { 6451 switch (res->ai_family) { 6452 case AF_INET: 6453 #ifdef INET6 6454 if (tproto == Q_IPV6) 6455 continue; 6456 #endif 6457 6458 sin4 = (struct sockaddr_in *) 6459 res->ai_addr; 6460 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6461 0xffffffff, tproto, dir, q.addr); 6462 break; 6463 #ifdef INET6 6464 case AF_INET6: 6465 if (tproto6 == Q_IP) 6466 continue; 6467 6468 sin6 = (struct sockaddr_in6 *) 6469 res->ai_addr; 6470 tmp = gen_host6(cstate, &sin6->sin6_addr, 6471 &mask128, tproto6, dir, q.addr); 6472 break; 6473 #endif 6474 default: 6475 continue; 6476 } 6477 if (b) 6478 gen_or(b, tmp); 6479 b = tmp; 6480 } 6481 cstate->ai = NULL; 6482 freeaddrinfo(res0); 6483 if (b == NULL) { 6484 bpf_error(cstate, "unknown host '%s'%s", name, 6485 (proto == Q_DEFAULT) 6486 ? "" 6487 : " for specified address family"); 6488 } 6489 return b; 6490 } 6491 6492 case Q_PORT: 6493 if (proto != Q_DEFAULT && 6494 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6495 bpf_error(cstate, "illegal qualifier of 'port'"); 6496 if (pcap_nametoport(name, &port, &real_proto) == 0) 6497 bpf_error(cstate, "unknown port '%s'", name); 6498 if (proto == Q_UDP) { 6499 if (real_proto == IPPROTO_TCP) 6500 bpf_error(cstate, "port '%s' is tcp", name); 6501 else if (real_proto == IPPROTO_SCTP) 6502 bpf_error(cstate, "port '%s' is sctp", name); 6503 else 6504 /* override PROTO_UNDEF */ 6505 real_proto = IPPROTO_UDP; 6506 } 6507 if (proto == Q_TCP) { 6508 if (real_proto == IPPROTO_UDP) 6509 bpf_error(cstate, "port '%s' is udp", name); 6510 6511 else if (real_proto == IPPROTO_SCTP) 6512 bpf_error(cstate, "port '%s' is sctp", name); 6513 else 6514 /* override PROTO_UNDEF */ 6515 real_proto = IPPROTO_TCP; 6516 } 6517 if (proto == Q_SCTP) { 6518 if (real_proto == IPPROTO_UDP) 6519 bpf_error(cstate, "port '%s' is udp", name); 6520 6521 else if (real_proto == IPPROTO_TCP) 6522 bpf_error(cstate, "port '%s' is tcp", name); 6523 else 6524 /* override PROTO_UNDEF */ 6525 real_proto = IPPROTO_SCTP; 6526 } 6527 if (port < 0) 6528 bpf_error(cstate, "illegal port number %d < 0", port); 6529 if (port > 65535) 6530 bpf_error(cstate, "illegal port number %d > 65535", port); 6531 b = gen_port(cstate, port, real_proto, dir); 6532 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6533 return b; 6534 6535 case Q_PORTRANGE: 6536 if (proto != Q_DEFAULT && 6537 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6538 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6539 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6540 bpf_error(cstate, "unknown port in range '%s'", name); 6541 if (proto == Q_UDP) { 6542 if (real_proto == IPPROTO_TCP) 6543 bpf_error(cstate, "port in range '%s' is tcp", name); 6544 else if (real_proto == IPPROTO_SCTP) 6545 bpf_error(cstate, "port in range '%s' is sctp", name); 6546 else 6547 /* override PROTO_UNDEF */ 6548 real_proto = IPPROTO_UDP; 6549 } 6550 if (proto == Q_TCP) { 6551 if (real_proto == IPPROTO_UDP) 6552 bpf_error(cstate, "port in range '%s' is udp", name); 6553 else if (real_proto == IPPROTO_SCTP) 6554 bpf_error(cstate, "port in range '%s' is sctp", name); 6555 else 6556 /* override PROTO_UNDEF */ 6557 real_proto = IPPROTO_TCP; 6558 } 6559 if (proto == Q_SCTP) { 6560 if (real_proto == IPPROTO_UDP) 6561 bpf_error(cstate, "port in range '%s' is udp", name); 6562 else if (real_proto == IPPROTO_TCP) 6563 bpf_error(cstate, "port in range '%s' is tcp", name); 6564 else 6565 /* override PROTO_UNDEF */ 6566 real_proto = IPPROTO_SCTP; 6567 } 6568 if (port1 < 0) 6569 bpf_error(cstate, "illegal port number %d < 0", port1); 6570 if (port1 > 65535) 6571 bpf_error(cstate, "illegal port number %d > 65535", port1); 6572 if (port2 < 0) 6573 bpf_error(cstate, "illegal port number %d < 0", port2); 6574 if (port2 > 65535) 6575 bpf_error(cstate, "illegal port number %d > 65535", port2); 6576 6577 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6578 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6579 return b; 6580 6581 case Q_GATEWAY: 6582 #ifndef INET6 6583 eaddr = pcap_ether_hostton(name); 6584 if (eaddr == NULL) 6585 bpf_error(cstate, "unknown ether host: %s", name); 6586 6587 res = pcap_nametoaddrinfo(name); 6588 cstate->ai = res; 6589 if (res == NULL) 6590 bpf_error(cstate, "unknown host '%s'", name); 6591 b = gen_gateway(cstate, eaddr, res, proto, dir); 6592 cstate->ai = NULL; 6593 freeaddrinfo(res); 6594 if (b == NULL) 6595 bpf_error(cstate, "unknown host '%s'", name); 6596 return b; 6597 #else 6598 bpf_error(cstate, "'gateway' not supported in this configuration"); 6599 #endif /*INET6*/ 6600 6601 case Q_PROTO: 6602 real_proto = lookup_proto(cstate, name, proto); 6603 if (real_proto >= 0) 6604 return gen_proto(cstate, real_proto, proto, dir); 6605 else 6606 bpf_error(cstate, "unknown protocol: %s", name); 6607 6608 case Q_PROTOCHAIN: 6609 real_proto = lookup_proto(cstate, name, proto); 6610 if (real_proto >= 0) 6611 return gen_protochain(cstate, real_proto, proto, dir); 6612 else 6613 bpf_error(cstate, "unknown protocol: %s", name); 6614 6615 case Q_UNDEF: 6616 syntax(cstate); 6617 /* NOTREACHED */ 6618 } 6619 abort(); 6620 /* NOTREACHED */ 6621 } 6622 6623 struct block * 6624 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6625 unsigned int masklen, struct qual q) 6626 { 6627 register int nlen, mlen; 6628 bpf_u_int32 n, m; 6629 6630 nlen = __pcap_atoin(s1, &n); 6631 /* Promote short ipaddr */ 6632 n <<= 32 - nlen; 6633 6634 if (s2 != NULL) { 6635 mlen = __pcap_atoin(s2, &m); 6636 /* Promote short ipaddr */ 6637 m <<= 32 - mlen; 6638 if ((n & ~m) != 0) 6639 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6640 s1, s2); 6641 } else { 6642 /* Convert mask len to mask */ 6643 if (masklen > 32) 6644 bpf_error(cstate, "mask length must be <= 32"); 6645 if (masklen == 0) { 6646 /* 6647 * X << 32 is not guaranteed by C to be 0; it's 6648 * undefined. 6649 */ 6650 m = 0; 6651 } else 6652 m = 0xffffffff << (32 - masklen); 6653 if ((n & ~m) != 0) 6654 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6655 s1, masklen); 6656 } 6657 6658 switch (q.addr) { 6659 6660 case Q_NET: 6661 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6662 6663 default: 6664 bpf_error(cstate, "Mask syntax for networks only"); 6665 /* NOTREACHED */ 6666 } 6667 /* NOTREACHED */ 6668 } 6669 6670 struct block * 6671 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 6672 { 6673 bpf_u_int32 mask; 6674 int proto = q.proto; 6675 int dir = q.dir; 6676 register int vlen; 6677 6678 if (s == NULL) 6679 vlen = 32; 6680 else if (q.proto == Q_DECNET) { 6681 vlen = __pcap_atodn(s, &v); 6682 if (vlen == 0) 6683 bpf_error(cstate, "malformed decnet address '%s'", s); 6684 } else 6685 vlen = __pcap_atoin(s, &v); 6686 6687 switch (q.addr) { 6688 6689 case Q_DEFAULT: 6690 case Q_HOST: 6691 case Q_NET: 6692 if (proto == Q_DECNET) 6693 return gen_host(cstate, v, 0, proto, dir, q.addr); 6694 else if (proto == Q_LINK) { 6695 bpf_error(cstate, "illegal link layer address"); 6696 } else { 6697 mask = 0xffffffff; 6698 if (s == NULL && q.addr == Q_NET) { 6699 /* Promote short net number */ 6700 while (v && (v & 0xff000000) == 0) { 6701 v <<= 8; 6702 mask <<= 8; 6703 } 6704 } else { 6705 /* Promote short ipaddr */ 6706 v <<= 32 - vlen; 6707 mask <<= 32 - vlen ; 6708 } 6709 return gen_host(cstate, v, mask, proto, dir, q.addr); 6710 } 6711 6712 case Q_PORT: 6713 if (proto == Q_UDP) 6714 proto = IPPROTO_UDP; 6715 else if (proto == Q_TCP) 6716 proto = IPPROTO_TCP; 6717 else if (proto == Q_SCTP) 6718 proto = IPPROTO_SCTP; 6719 else if (proto == Q_DEFAULT) 6720 proto = PROTO_UNDEF; 6721 else 6722 bpf_error(cstate, "illegal qualifier of 'port'"); 6723 6724 if (v > 65535) 6725 bpf_error(cstate, "illegal port number %u > 65535", v); 6726 6727 { 6728 struct block *b; 6729 b = gen_port(cstate, (int)v, proto, dir); 6730 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 6731 return b; 6732 } 6733 6734 case Q_PORTRANGE: 6735 if (proto == Q_UDP) 6736 proto = IPPROTO_UDP; 6737 else if (proto == Q_TCP) 6738 proto = IPPROTO_TCP; 6739 else if (proto == Q_SCTP) 6740 proto = IPPROTO_SCTP; 6741 else if (proto == Q_DEFAULT) 6742 proto = PROTO_UNDEF; 6743 else 6744 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6745 6746 if (v > 65535) 6747 bpf_error(cstate, "illegal port number %u > 65535", v); 6748 6749 { 6750 struct block *b; 6751 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 6752 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 6753 return b; 6754 } 6755 6756 case Q_GATEWAY: 6757 bpf_error(cstate, "'gateway' requires a name"); 6758 /* NOTREACHED */ 6759 6760 case Q_PROTO: 6761 return gen_proto(cstate, (int)v, proto, dir); 6762 6763 case Q_PROTOCHAIN: 6764 return gen_protochain(cstate, (int)v, proto, dir); 6765 6766 case Q_UNDEF: 6767 syntax(cstate); 6768 /* NOTREACHED */ 6769 6770 default: 6771 abort(); 6772 /* NOTREACHED */ 6773 } 6774 /* NOTREACHED */ 6775 } 6776 6777 #ifdef INET6 6778 struct block * 6779 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 6780 unsigned int masklen, struct qual q) 6781 { 6782 struct addrinfo *res; 6783 struct in6_addr *addr; 6784 struct in6_addr mask; 6785 struct block *b; 6786 uint32_t *a, *m; 6787 6788 if (s2) 6789 bpf_error(cstate, "no mask %s supported", s2); 6790 6791 res = pcap_nametoaddrinfo(s1); 6792 if (!res) 6793 bpf_error(cstate, "invalid ip6 address %s", s1); 6794 cstate->ai = res; 6795 if (res->ai_next) 6796 bpf_error(cstate, "%s resolved to multiple address", s1); 6797 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6798 6799 if (sizeof(mask) * 8 < masklen) 6800 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6801 memset(&mask, 0, sizeof(mask)); 6802 memset(&mask, 0xff, masklen / 8); 6803 if (masklen % 8) { 6804 mask.s6_addr[masklen / 8] = 6805 (0xff << (8 - masklen % 8)) & 0xff; 6806 } 6807 6808 a = (uint32_t *)addr; 6809 m = (uint32_t *)&mask; 6810 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6811 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6812 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 6813 } 6814 6815 switch (q.addr) { 6816 6817 case Q_DEFAULT: 6818 case Q_HOST: 6819 if (masklen != 128) 6820 bpf_error(cstate, "Mask syntax for networks only"); 6821 /* FALLTHROUGH */ 6822 6823 case Q_NET: 6824 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 6825 cstate->ai = NULL; 6826 freeaddrinfo(res); 6827 return b; 6828 6829 default: 6830 bpf_error(cstate, "invalid qualifier against IPv6 address"); 6831 /* NOTREACHED */ 6832 } 6833 } 6834 #endif /*INET6*/ 6835 6836 struct block * 6837 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 6838 { 6839 struct block *b, *tmp; 6840 6841 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6842 switch (cstate->linktype) { 6843 case DLT_EN10MB: 6844 case DLT_NETANALYZER: 6845 case DLT_NETANALYZER_TRANSPARENT: 6846 tmp = gen_prevlinkhdr_check(cstate); 6847 b = gen_ehostop(cstate, eaddr, (int)q.dir); 6848 if (tmp != NULL) 6849 gen_and(tmp, b); 6850 return b; 6851 case DLT_FDDI: 6852 return gen_fhostop(cstate, eaddr, (int)q.dir); 6853 case DLT_IEEE802: 6854 return gen_thostop(cstate, eaddr, (int)q.dir); 6855 case DLT_IEEE802_11: 6856 case DLT_PRISM_HEADER: 6857 case DLT_IEEE802_11_RADIO_AVS: 6858 case DLT_IEEE802_11_RADIO: 6859 case DLT_PPI: 6860 return gen_wlanhostop(cstate, eaddr, (int)q.dir); 6861 case DLT_IP_OVER_FC: 6862 return gen_ipfchostop(cstate, eaddr, (int)q.dir); 6863 default: 6864 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6865 break; 6866 } 6867 } 6868 bpf_error(cstate, "ethernet address used in non-ether expression"); 6869 /* NOTREACHED */ 6870 } 6871 6872 void 6873 sappend(struct slist *s0, struct slist *s1) 6874 { 6875 /* 6876 * This is definitely not the best way to do this, but the 6877 * lists will rarely get long. 6878 */ 6879 while (s0->next) 6880 s0 = s0->next; 6881 s0->next = s1; 6882 } 6883 6884 static struct slist * 6885 xfer_to_x(compiler_state_t *cstate, struct arth *a) 6886 { 6887 struct slist *s; 6888 6889 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 6890 s->s.k = a->regno; 6891 return s; 6892 } 6893 6894 static struct slist * 6895 xfer_to_a(compiler_state_t *cstate, struct arth *a) 6896 { 6897 struct slist *s; 6898 6899 s = new_stmt(cstate, BPF_LD|BPF_MEM); 6900 s->s.k = a->regno; 6901 return s; 6902 } 6903 6904 /* 6905 * Modify "index" to use the value stored into its register as an 6906 * offset relative to the beginning of the header for the protocol 6907 * "proto", and allocate a register and put an item "size" bytes long 6908 * (1, 2, or 4) at that offset into that register, making it the register 6909 * for "index". 6910 */ 6911 struct arth * 6912 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 6913 { 6914 struct slist *s, *tmp; 6915 struct block *b; 6916 int regno = alloc_reg(cstate); 6917 6918 free_reg(cstate, inst->regno); 6919 switch (size) { 6920 6921 default: 6922 bpf_error(cstate, "data size must be 1, 2, or 4"); 6923 6924 case 1: 6925 size = BPF_B; 6926 break; 6927 6928 case 2: 6929 size = BPF_H; 6930 break; 6931 6932 case 4: 6933 size = BPF_W; 6934 break; 6935 } 6936 switch (proto) { 6937 default: 6938 bpf_error(cstate, "unsupported index operation"); 6939 6940 case Q_RADIO: 6941 /* 6942 * The offset is relative to the beginning of the packet 6943 * data, if we have a radio header. (If we don't, this 6944 * is an error.) 6945 */ 6946 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 6947 cstate->linktype != DLT_IEEE802_11_RADIO && 6948 cstate->linktype != DLT_PRISM_HEADER) 6949 bpf_error(cstate, "radio information not present in capture"); 6950 6951 /* 6952 * Load into the X register the offset computed into the 6953 * register specified by "index". 6954 */ 6955 s = xfer_to_x(cstate, inst); 6956 6957 /* 6958 * Load the item at that offset. 6959 */ 6960 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6961 sappend(s, tmp); 6962 sappend(inst->s, s); 6963 break; 6964 6965 case Q_LINK: 6966 /* 6967 * The offset is relative to the beginning of 6968 * the link-layer header. 6969 * 6970 * XXX - what about ATM LANE? Should the index be 6971 * relative to the beginning of the AAL5 frame, so 6972 * that 0 refers to the beginning of the LE Control 6973 * field, or relative to the beginning of the LAN 6974 * frame, so that 0 refers, for Ethernet LANE, to 6975 * the beginning of the destination address? 6976 */ 6977 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 6978 6979 /* 6980 * If "s" is non-null, it has code to arrange that the 6981 * X register contains the length of the prefix preceding 6982 * the link-layer header. Add to it the offset computed 6983 * into the register specified by "index", and move that 6984 * into the X register. Otherwise, just load into the X 6985 * register the offset computed into the register specified 6986 * by "index". 6987 */ 6988 if (s != NULL) { 6989 sappend(s, xfer_to_a(cstate, inst)); 6990 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6991 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6992 } else 6993 s = xfer_to_x(cstate, inst); 6994 6995 /* 6996 * Load the item at the sum of the offset we've put in the 6997 * X register and the offset of the start of the link 6998 * layer header (which is 0 if the radio header is 6999 * variable-length; that header length is what we put 7000 * into the X register and then added to the index). 7001 */ 7002 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7003 tmp->s.k = cstate->off_linkhdr.constant_part; 7004 sappend(s, tmp); 7005 sappend(inst->s, s); 7006 break; 7007 7008 case Q_IP: 7009 case Q_ARP: 7010 case Q_RARP: 7011 case Q_ATALK: 7012 case Q_DECNET: 7013 case Q_SCA: 7014 case Q_LAT: 7015 case Q_MOPRC: 7016 case Q_MOPDL: 7017 case Q_IPV6: 7018 /* 7019 * The offset is relative to the beginning of 7020 * the network-layer header. 7021 * XXX - are there any cases where we want 7022 * cstate->off_nl_nosnap? 7023 */ 7024 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7025 7026 /* 7027 * If "s" is non-null, it has code to arrange that the 7028 * X register contains the variable part of the offset 7029 * of the link-layer payload. Add to it the offset 7030 * computed into the register specified by "index", 7031 * and move that into the X register. Otherwise, just 7032 * load into the X register the offset computed into 7033 * the register specified by "index". 7034 */ 7035 if (s != NULL) { 7036 sappend(s, xfer_to_a(cstate, inst)); 7037 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7038 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7039 } else 7040 s = xfer_to_x(cstate, inst); 7041 7042 /* 7043 * Load the item at the sum of the offset we've put in the 7044 * X register, the offset of the start of the network 7045 * layer header from the beginning of the link-layer 7046 * payload, and the constant part of the offset of the 7047 * start of the link-layer payload. 7048 */ 7049 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7050 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7051 sappend(s, tmp); 7052 sappend(inst->s, s); 7053 7054 /* 7055 * Do the computation only if the packet contains 7056 * the protocol in question. 7057 */ 7058 b = gen_proto_abbrev(cstate, proto); 7059 if (inst->b) 7060 gen_and(inst->b, b); 7061 inst->b = b; 7062 break; 7063 7064 case Q_SCTP: 7065 case Q_TCP: 7066 case Q_UDP: 7067 case Q_ICMP: 7068 case Q_IGMP: 7069 case Q_IGRP: 7070 case Q_PIM: 7071 case Q_VRRP: 7072 case Q_CARP: 7073 /* 7074 * The offset is relative to the beginning of 7075 * the transport-layer header. 7076 * 7077 * Load the X register with the length of the IPv4 header 7078 * (plus the offset of the link-layer header, if it's 7079 * a variable-length header), in bytes. 7080 * 7081 * XXX - are there any cases where we want 7082 * cstate->off_nl_nosnap? 7083 * XXX - we should, if we're built with 7084 * IPv6 support, generate code to load either 7085 * IPv4, IPv6, or both, as appropriate. 7086 */ 7087 s = gen_loadx_iphdrlen(cstate); 7088 7089 /* 7090 * The X register now contains the sum of the variable 7091 * part of the offset of the link-layer payload and the 7092 * length of the network-layer header. 7093 * 7094 * Load into the A register the offset relative to 7095 * the beginning of the transport layer header, 7096 * add the X register to that, move that to the 7097 * X register, and load with an offset from the 7098 * X register equal to the sum of the constant part of 7099 * the offset of the link-layer payload and the offset, 7100 * relative to the beginning of the link-layer payload, 7101 * of the network-layer header. 7102 */ 7103 sappend(s, xfer_to_a(cstate, inst)); 7104 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7105 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7106 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 7107 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7108 sappend(inst->s, s); 7109 7110 /* 7111 * Do the computation only if the packet contains 7112 * the protocol in question - which is true only 7113 * if this is an IP datagram and is the first or 7114 * only fragment of that datagram. 7115 */ 7116 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate)); 7117 if (inst->b) 7118 gen_and(inst->b, b); 7119 gen_and(gen_proto_abbrev(cstate, Q_IP), b); 7120 inst->b = b; 7121 break; 7122 case Q_ICMPV6: 7123 /* 7124 * Do the computation only if the packet contains 7125 * the protocol in question. 7126 */ 7127 b = gen_proto_abbrev(cstate, Q_IPV6); 7128 if (inst->b) { 7129 gen_and(inst->b, b); 7130 } 7131 inst->b = b; 7132 7133 /* 7134 * Check if we have an icmp6 next header 7135 */ 7136 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7137 if (inst->b) { 7138 gen_and(inst->b, b); 7139 } 7140 inst->b = b; 7141 7142 7143 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7144 /* 7145 * If "s" is non-null, it has code to arrange that the 7146 * X register contains the variable part of the offset 7147 * of the link-layer payload. Add to it the offset 7148 * computed into the register specified by "index", 7149 * and move that into the X register. Otherwise, just 7150 * load into the X register the offset computed into 7151 * the register specified by "index". 7152 */ 7153 if (s != NULL) { 7154 sappend(s, xfer_to_a(cstate, inst)); 7155 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7156 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7157 } else { 7158 s = xfer_to_x(cstate, inst); 7159 } 7160 7161 /* 7162 * Load the item at the sum of the offset we've put in the 7163 * X register, the offset of the start of the network 7164 * layer header from the beginning of the link-layer 7165 * payload, and the constant part of the offset of the 7166 * start of the link-layer payload. 7167 */ 7168 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7169 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7170 7171 sappend(s, tmp); 7172 sappend(inst->s, s); 7173 7174 break; 7175 } 7176 inst->regno = regno; 7177 s = new_stmt(cstate, BPF_ST); 7178 s->s.k = regno; 7179 sappend(inst->s, s); 7180 7181 return inst; 7182 } 7183 7184 struct block * 7185 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7186 struct arth *a1, int reversed) 7187 { 7188 struct slist *s0, *s1, *s2; 7189 struct block *b, *tmp; 7190 7191 s0 = xfer_to_x(cstate, a1); 7192 s1 = xfer_to_a(cstate, a0); 7193 if (code == BPF_JEQ) { 7194 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7195 b = new_block(cstate, JMP(code)); 7196 sappend(s1, s2); 7197 } 7198 else 7199 b = new_block(cstate, BPF_JMP|code|BPF_X); 7200 if (reversed) 7201 gen_not(b); 7202 7203 sappend(s0, s1); 7204 sappend(a1->s, s0); 7205 sappend(a0->s, a1->s); 7206 7207 b->stmts = a0->s; 7208 7209 free_reg(cstate, a0->regno); 7210 free_reg(cstate, a1->regno); 7211 7212 /* 'and' together protocol checks */ 7213 if (a0->b) { 7214 if (a1->b) { 7215 gen_and(a0->b, tmp = a1->b); 7216 } 7217 else 7218 tmp = a0->b; 7219 } else 7220 tmp = a1->b; 7221 7222 if (tmp) 7223 gen_and(tmp, b); 7224 7225 return b; 7226 } 7227 7228 struct arth * 7229 gen_loadlen(compiler_state_t *cstate) 7230 { 7231 int regno = alloc_reg(cstate); 7232 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a)); 7233 struct slist *s; 7234 7235 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7236 s->next = new_stmt(cstate, BPF_ST); 7237 s->next->s.k = regno; 7238 a->s = s; 7239 a->regno = regno; 7240 7241 return a; 7242 } 7243 7244 struct arth * 7245 gen_loadi(compiler_state_t *cstate, int val) 7246 { 7247 struct arth *a; 7248 struct slist *s; 7249 int reg; 7250 7251 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7252 7253 reg = alloc_reg(cstate); 7254 7255 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7256 s->s.k = val; 7257 s->next = new_stmt(cstate, BPF_ST); 7258 s->next->s.k = reg; 7259 a->s = s; 7260 a->regno = reg; 7261 7262 return a; 7263 } 7264 7265 struct arth * 7266 gen_neg(compiler_state_t *cstate, struct arth *a) 7267 { 7268 struct slist *s; 7269 7270 s = xfer_to_a(cstate, a); 7271 sappend(a->s, s); 7272 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7273 s->s.k = 0; 7274 sappend(a->s, s); 7275 s = new_stmt(cstate, BPF_ST); 7276 s->s.k = a->regno; 7277 sappend(a->s, s); 7278 7279 return a; 7280 } 7281 7282 struct arth * 7283 gen_arth(compiler_state_t *cstate, int code, struct arth *a0, 7284 struct arth *a1) 7285 { 7286 struct slist *s0, *s1, *s2; 7287 7288 /* 7289 * Disallow division by, or modulus by, zero; we do this here 7290 * so that it gets done even if the optimizer is disabled. 7291 */ 7292 if (code == BPF_DIV) { 7293 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7294 bpf_error(cstate, "division by zero"); 7295 } else if (code == BPF_MOD) { 7296 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7297 bpf_error(cstate, "modulus by zero"); 7298 } 7299 s0 = xfer_to_x(cstate, a1); 7300 s1 = xfer_to_a(cstate, a0); 7301 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7302 7303 sappend(s1, s2); 7304 sappend(s0, s1); 7305 sappend(a1->s, s0); 7306 sappend(a0->s, a1->s); 7307 7308 free_reg(cstate, a0->regno); 7309 free_reg(cstate, a1->regno); 7310 7311 s0 = new_stmt(cstate, BPF_ST); 7312 a0->regno = s0->s.k = alloc_reg(cstate); 7313 sappend(a0->s, s0); 7314 7315 return a0; 7316 } 7317 7318 /* 7319 * Initialize the table of used registers and the current register. 7320 */ 7321 static void 7322 init_regs(compiler_state_t *cstate) 7323 { 7324 cstate->curreg = 0; 7325 memset(cstate->regused, 0, sizeof cstate->regused); 7326 } 7327 7328 /* 7329 * Return the next free register. 7330 */ 7331 static int 7332 alloc_reg(compiler_state_t *cstate) 7333 { 7334 int n = BPF_MEMWORDS; 7335 7336 while (--n >= 0) { 7337 if (cstate->regused[cstate->curreg]) 7338 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7339 else { 7340 cstate->regused[cstate->curreg] = 1; 7341 return cstate->curreg; 7342 } 7343 } 7344 bpf_error(cstate, "too many registers needed to evaluate expression"); 7345 /* NOTREACHED */ 7346 } 7347 7348 /* 7349 * Return a register to the table so it can 7350 * be used later. 7351 */ 7352 static void 7353 free_reg(compiler_state_t *cstate, int n) 7354 { 7355 cstate->regused[n] = 0; 7356 } 7357 7358 static struct block * 7359 gen_len(compiler_state_t *cstate, int jmp, int n) 7360 { 7361 struct slist *s; 7362 struct block *b; 7363 7364 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7365 b = new_block(cstate, JMP(jmp)); 7366 b->stmts = s; 7367 b->s.k = n; 7368 7369 return b; 7370 } 7371 7372 struct block * 7373 gen_greater(compiler_state_t *cstate, int n) 7374 { 7375 return gen_len(cstate, BPF_JGE, n); 7376 } 7377 7378 /* 7379 * Actually, this is less than or equal. 7380 */ 7381 struct block * 7382 gen_less(compiler_state_t *cstate, int n) 7383 { 7384 struct block *b; 7385 7386 b = gen_len(cstate, BPF_JGT, n); 7387 gen_not(b); 7388 7389 return b; 7390 } 7391 7392 /* 7393 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7394 * the beginning of the link-layer header. 7395 * XXX - that means you can't test values in the radiotap header, but 7396 * as that header is difficult if not impossible to parse generally 7397 * without a loop, that might not be a severe problem. A new keyword 7398 * "radio" could be added for that, although what you'd really want 7399 * would be a way of testing particular radio header values, which 7400 * would generate code appropriate to the radio header in question. 7401 */ 7402 struct block * 7403 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7404 { 7405 struct block *b; 7406 struct slist *s; 7407 7408 switch (op) { 7409 default: 7410 abort(); 7411 7412 case '=': 7413 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7414 7415 case '<': 7416 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7417 return b; 7418 7419 case '>': 7420 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7421 return b; 7422 7423 case '|': 7424 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7425 break; 7426 7427 case '&': 7428 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7429 break; 7430 } 7431 s->s.k = val; 7432 b = new_block(cstate, JMP(BPF_JEQ)); 7433 b->stmts = s; 7434 gen_not(b); 7435 7436 return b; 7437 } 7438 7439 static const u_char abroadcast[] = { 0x0 }; 7440 7441 struct block * 7442 gen_broadcast(compiler_state_t *cstate, int proto) 7443 { 7444 bpf_u_int32 hostmask; 7445 struct block *b0, *b1, *b2; 7446 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7447 7448 switch (proto) { 7449 7450 case Q_DEFAULT: 7451 case Q_LINK: 7452 switch (cstate->linktype) { 7453 case DLT_ARCNET: 7454 case DLT_ARCNET_LINUX: 7455 return gen_ahostop(cstate, abroadcast, Q_DST); 7456 case DLT_EN10MB: 7457 case DLT_NETANALYZER: 7458 case DLT_NETANALYZER_TRANSPARENT: 7459 b1 = gen_prevlinkhdr_check(cstate); 7460 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7461 if (b1 != NULL) 7462 gen_and(b1, b0); 7463 return b0; 7464 case DLT_FDDI: 7465 return gen_fhostop(cstate, ebroadcast, Q_DST); 7466 case DLT_IEEE802: 7467 return gen_thostop(cstate, ebroadcast, Q_DST); 7468 case DLT_IEEE802_11: 7469 case DLT_PRISM_HEADER: 7470 case DLT_IEEE802_11_RADIO_AVS: 7471 case DLT_IEEE802_11_RADIO: 7472 case DLT_PPI: 7473 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7474 case DLT_IP_OVER_FC: 7475 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7476 default: 7477 bpf_error(cstate, "not a broadcast link"); 7478 } 7479 break; 7480 7481 case Q_IP: 7482 /* 7483 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7484 * as an indication that we don't know the netmask, and fail 7485 * in that case. 7486 */ 7487 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7488 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7489 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7490 hostmask = ~cstate->netmask; 7491 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7492 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7493 (bpf_int32)(~0 & hostmask), hostmask); 7494 gen_or(b1, b2); 7495 gen_and(b0, b2); 7496 return b2; 7497 } 7498 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7499 /* NOTREACHED */ 7500 } 7501 7502 /* 7503 * Generate code to test the low-order bit of a MAC address (that's 7504 * the bottom bit of the *first* byte). 7505 */ 7506 static struct block * 7507 gen_mac_multicast(compiler_state_t *cstate, int offset) 7508 { 7509 register struct block *b0; 7510 register struct slist *s; 7511 7512 /* link[offset] & 1 != 0 */ 7513 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7514 b0 = new_block(cstate, JMP(BPF_JSET)); 7515 b0->s.k = 1; 7516 b0->stmts = s; 7517 return b0; 7518 } 7519 7520 struct block * 7521 gen_multicast(compiler_state_t *cstate, int proto) 7522 { 7523 register struct block *b0, *b1, *b2; 7524 register struct slist *s; 7525 7526 switch (proto) { 7527 7528 case Q_DEFAULT: 7529 case Q_LINK: 7530 switch (cstate->linktype) { 7531 case DLT_ARCNET: 7532 case DLT_ARCNET_LINUX: 7533 /* all ARCnet multicasts use the same address */ 7534 return gen_ahostop(cstate, abroadcast, Q_DST); 7535 case DLT_EN10MB: 7536 case DLT_NETANALYZER: 7537 case DLT_NETANALYZER_TRANSPARENT: 7538 b1 = gen_prevlinkhdr_check(cstate); 7539 /* ether[0] & 1 != 0 */ 7540 b0 = gen_mac_multicast(cstate, 0); 7541 if (b1 != NULL) 7542 gen_and(b1, b0); 7543 return b0; 7544 case DLT_FDDI: 7545 /* 7546 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7547 * 7548 * XXX - was that referring to bit-order issues? 7549 */ 7550 /* fddi[1] & 1 != 0 */ 7551 return gen_mac_multicast(cstate, 1); 7552 case DLT_IEEE802: 7553 /* tr[2] & 1 != 0 */ 7554 return gen_mac_multicast(cstate, 2); 7555 case DLT_IEEE802_11: 7556 case DLT_PRISM_HEADER: 7557 case DLT_IEEE802_11_RADIO_AVS: 7558 case DLT_IEEE802_11_RADIO: 7559 case DLT_PPI: 7560 /* 7561 * Oh, yuk. 7562 * 7563 * For control frames, there is no DA. 7564 * 7565 * For management frames, DA is at an 7566 * offset of 4 from the beginning of 7567 * the packet. 7568 * 7569 * For data frames, DA is at an offset 7570 * of 4 from the beginning of the packet 7571 * if To DS is clear and at an offset of 7572 * 16 from the beginning of the packet 7573 * if To DS is set. 7574 */ 7575 7576 /* 7577 * Generate the tests to be done for data frames. 7578 * 7579 * First, check for To DS set, i.e. "link[1] & 0x01". 7580 */ 7581 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7582 b1 = new_block(cstate, JMP(BPF_JSET)); 7583 b1->s.k = 0x01; /* To DS */ 7584 b1->stmts = s; 7585 7586 /* 7587 * If To DS is set, the DA is at 16. 7588 */ 7589 b0 = gen_mac_multicast(cstate, 16); 7590 gen_and(b1, b0); 7591 7592 /* 7593 * Now, check for To DS not set, i.e. check 7594 * "!(link[1] & 0x01)". 7595 */ 7596 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7597 b2 = new_block(cstate, JMP(BPF_JSET)); 7598 b2->s.k = 0x01; /* To DS */ 7599 b2->stmts = s; 7600 gen_not(b2); 7601 7602 /* 7603 * If To DS is not set, the DA is at 4. 7604 */ 7605 b1 = gen_mac_multicast(cstate, 4); 7606 gen_and(b2, b1); 7607 7608 /* 7609 * Now OR together the last two checks. That gives 7610 * the complete set of checks for data frames. 7611 */ 7612 gen_or(b1, b0); 7613 7614 /* 7615 * Now check for a data frame. 7616 * I.e, check "link[0] & 0x08". 7617 */ 7618 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7619 b1 = new_block(cstate, JMP(BPF_JSET)); 7620 b1->s.k = 0x08; 7621 b1->stmts = s; 7622 7623 /* 7624 * AND that with the checks done for data frames. 7625 */ 7626 gen_and(b1, b0); 7627 7628 /* 7629 * If the high-order bit of the type value is 0, this 7630 * is a management frame. 7631 * I.e, check "!(link[0] & 0x08)". 7632 */ 7633 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7634 b2 = new_block(cstate, JMP(BPF_JSET)); 7635 b2->s.k = 0x08; 7636 b2->stmts = s; 7637 gen_not(b2); 7638 7639 /* 7640 * For management frames, the DA is at 4. 7641 */ 7642 b1 = gen_mac_multicast(cstate, 4); 7643 gen_and(b2, b1); 7644 7645 /* 7646 * OR that with the checks done for data frames. 7647 * That gives the checks done for management and 7648 * data frames. 7649 */ 7650 gen_or(b1, b0); 7651 7652 /* 7653 * If the low-order bit of the type value is 1, 7654 * this is either a control frame or a frame 7655 * with a reserved type, and thus not a 7656 * frame with an SA. 7657 * 7658 * I.e., check "!(link[0] & 0x04)". 7659 */ 7660 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7661 b1 = new_block(cstate, JMP(BPF_JSET)); 7662 b1->s.k = 0x04; 7663 b1->stmts = s; 7664 gen_not(b1); 7665 7666 /* 7667 * AND that with the checks for data and management 7668 * frames. 7669 */ 7670 gen_and(b1, b0); 7671 return b0; 7672 case DLT_IP_OVER_FC: 7673 b0 = gen_mac_multicast(cstate, 2); 7674 return b0; 7675 default: 7676 break; 7677 } 7678 /* Link not known to support multicasts */ 7679 break; 7680 7681 case Q_IP: 7682 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7683 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7684 gen_and(b0, b1); 7685 return b1; 7686 7687 case Q_IPV6: 7688 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 7689 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7690 gen_and(b0, b1); 7691 return b1; 7692 } 7693 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7694 /* NOTREACHED */ 7695 } 7696 7697 /* 7698 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7699 * Outbound traffic is sent by this machine, while inbound traffic is 7700 * sent by a remote machine (and may include packets destined for a 7701 * unicast or multicast link-layer address we are not subscribing to). 7702 * These are the same definitions implemented by pcap_setdirection(). 7703 * Capturing only unicast traffic destined for this host is probably 7704 * better accomplished using a higher-layer filter. 7705 */ 7706 struct block * 7707 gen_inbound(compiler_state_t *cstate, int dir) 7708 { 7709 register struct block *b0; 7710 7711 /* 7712 * Only some data link types support inbound/outbound qualifiers. 7713 */ 7714 switch (cstate->linktype) { 7715 case DLT_SLIP: 7716 b0 = gen_relation(cstate, BPF_JEQ, 7717 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1), 7718 gen_loadi(cstate, 0), 7719 dir); 7720 break; 7721 7722 case DLT_IPNET: 7723 if (dir) { 7724 /* match outgoing packets */ 7725 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7726 } else { 7727 /* match incoming packets */ 7728 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7729 } 7730 break; 7731 7732 case DLT_LINUX_SLL: 7733 /* match outgoing packets */ 7734 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7735 if (!dir) { 7736 /* to filter on inbound traffic, invert the match */ 7737 gen_not(b0); 7738 } 7739 break; 7740 7741 #ifdef HAVE_NET_PFVAR_H 7742 case DLT_PFLOG: 7743 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7744 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7745 break; 7746 #endif 7747 7748 case DLT_PPP_PPPD: 7749 if (dir) { 7750 /* match outgoing packets */ 7751 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7752 } else { 7753 /* match incoming packets */ 7754 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7755 } 7756 break; 7757 7758 case DLT_JUNIPER_MFR: 7759 case DLT_JUNIPER_MLFR: 7760 case DLT_JUNIPER_MLPPP: 7761 case DLT_JUNIPER_ATM1: 7762 case DLT_JUNIPER_ATM2: 7763 case DLT_JUNIPER_PPPOE: 7764 case DLT_JUNIPER_PPPOE_ATM: 7765 case DLT_JUNIPER_GGSN: 7766 case DLT_JUNIPER_ES: 7767 case DLT_JUNIPER_MONITOR: 7768 case DLT_JUNIPER_SERVICES: 7769 case DLT_JUNIPER_ETHER: 7770 case DLT_JUNIPER_PPP: 7771 case DLT_JUNIPER_FRELAY: 7772 case DLT_JUNIPER_CHDLC: 7773 case DLT_JUNIPER_VP: 7774 case DLT_JUNIPER_ST: 7775 case DLT_JUNIPER_ISM: 7776 case DLT_JUNIPER_VS: 7777 case DLT_JUNIPER_SRX_E2E: 7778 case DLT_JUNIPER_FIBRECHANNEL: 7779 case DLT_JUNIPER_ATM_CEMIC: 7780 7781 /* juniper flags (including direction) are stored 7782 * the byte after the 3-byte magic number */ 7783 if (dir) { 7784 /* match outgoing packets */ 7785 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 7786 } else { 7787 /* match incoming packets */ 7788 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 7789 } 7790 break; 7791 7792 default: 7793 /* 7794 * If we have packet meta-data indicating a direction, 7795 * and that metadata can be checked by BPF code, check 7796 * it. Otherwise, give up, as this link-layer type has 7797 * nothing in the packet data. 7798 * 7799 * Currently, the only platform where a BPF filter can 7800 * check that metadata is Linux with the in-kernel 7801 * BPF interpreter. If other packet capture mechanisms 7802 * and BPF filters also supported this, it would be 7803 * nice. It would be even better if they made that 7804 * metadata available so that we could provide it 7805 * with newer capture APIs, allowing it to be saved 7806 * in pcapng files. 7807 */ 7808 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7809 /* 7810 * This is Linux with PF_PACKET support. 7811 * If this is a *live* capture, we can look at 7812 * special meta-data in the filter expression; 7813 * if it's a savefile, we can't. 7814 */ 7815 if (cstate->bpf_pcap->rfile != NULL) { 7816 /* We have a FILE *, so this is a savefile */ 7817 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles", 7818 cstate->linktype); 7819 b0 = NULL; 7820 /* NOTREACHED */ 7821 } 7822 /* match outgoing packets */ 7823 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7824 PACKET_OUTGOING); 7825 if (!dir) { 7826 /* to filter on inbound traffic, invert the match */ 7827 gen_not(b0); 7828 } 7829 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7830 bpf_error(cstate, "inbound/outbound not supported on linktype %d", 7831 cstate->linktype); 7832 /* NOTREACHED */ 7833 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7834 } 7835 return (b0); 7836 } 7837 7838 #ifdef HAVE_NET_PFVAR_H 7839 /* PF firewall log matched interface */ 7840 struct block * 7841 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7842 { 7843 struct block *b0; 7844 u_int len, off; 7845 7846 if (cstate->linktype != DLT_PFLOG) { 7847 bpf_error(cstate, "ifname supported only on PF linktype"); 7848 /* NOTREACHED */ 7849 } 7850 len = sizeof(((struct pfloghdr *)0)->ifname); 7851 off = offsetof(struct pfloghdr, ifname); 7852 if (strlen(ifname) >= len) { 7853 bpf_error(cstate, "ifname interface names can only be %d characters", 7854 len-1); 7855 /* NOTREACHED */ 7856 } 7857 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7858 return (b0); 7859 } 7860 7861 /* PF firewall log ruleset name */ 7862 struct block * 7863 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7864 { 7865 struct block *b0; 7866 7867 if (cstate->linktype != DLT_PFLOG) { 7868 bpf_error(cstate, "ruleset supported only on PF linktype"); 7869 /* NOTREACHED */ 7870 } 7871 7872 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7873 bpf_error(cstate, "ruleset names can only be %ld characters", 7874 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7875 /* NOTREACHED */ 7876 } 7877 7878 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7879 strlen(ruleset), (const u_char *)ruleset); 7880 return (b0); 7881 } 7882 7883 /* PF firewall log rule number */ 7884 struct block * 7885 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7886 { 7887 struct block *b0; 7888 7889 if (cstate->linktype != DLT_PFLOG) { 7890 bpf_error(cstate, "rnr supported only on PF linktype"); 7891 /* NOTREACHED */ 7892 } 7893 7894 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7895 (bpf_int32)rnr); 7896 return (b0); 7897 } 7898 7899 /* PF firewall log sub-rule number */ 7900 struct block * 7901 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7902 { 7903 struct block *b0; 7904 7905 if (cstate->linktype != DLT_PFLOG) { 7906 bpf_error(cstate, "srnr supported only on PF linktype"); 7907 /* NOTREACHED */ 7908 } 7909 7910 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7911 (bpf_int32)srnr); 7912 return (b0); 7913 } 7914 7915 /* PF firewall log reason code */ 7916 struct block * 7917 gen_pf_reason(compiler_state_t *cstate, int reason) 7918 { 7919 struct block *b0; 7920 7921 if (cstate->linktype != DLT_PFLOG) { 7922 bpf_error(cstate, "reason supported only on PF linktype"); 7923 /* NOTREACHED */ 7924 } 7925 7926 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7927 (bpf_int32)reason); 7928 return (b0); 7929 } 7930 7931 /* PF firewall log action */ 7932 struct block * 7933 gen_pf_action(compiler_state_t *cstate, int action) 7934 { 7935 struct block *b0; 7936 7937 if (cstate->linktype != DLT_PFLOG) { 7938 bpf_error(cstate, "action supported only on PF linktype"); 7939 /* NOTREACHED */ 7940 } 7941 7942 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7943 (bpf_int32)action); 7944 return (b0); 7945 } 7946 #else /* !HAVE_NET_PFVAR_H */ 7947 struct block * 7948 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_) 7949 { 7950 bpf_error(cstate, "libpcap was compiled without pf support"); 7951 /* NOTREACHED */ 7952 } 7953 7954 struct block * 7955 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_) 7956 { 7957 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7958 /* NOTREACHED */ 7959 } 7960 7961 struct block * 7962 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_) 7963 { 7964 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7965 /* NOTREACHED */ 7966 } 7967 7968 struct block * 7969 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_) 7970 { 7971 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7972 /* NOTREACHED */ 7973 } 7974 7975 struct block * 7976 gen_pf_reason(compiler_state_t *cstate, int reason _U_) 7977 { 7978 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7979 /* NOTREACHED */ 7980 } 7981 7982 struct block * 7983 gen_pf_action(compiler_state_t *cstate, int action _U_) 7984 { 7985 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7986 /* NOTREACHED */ 7987 } 7988 #endif /* HAVE_NET_PFVAR_H */ 7989 7990 /* IEEE 802.11 wireless header */ 7991 struct block * 7992 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 7993 { 7994 struct block *b0; 7995 7996 switch (cstate->linktype) { 7997 7998 case DLT_IEEE802_11: 7999 case DLT_PRISM_HEADER: 8000 case DLT_IEEE802_11_RADIO_AVS: 8001 case DLT_IEEE802_11_RADIO: 8002 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 8003 (bpf_int32)mask); 8004 break; 8005 8006 default: 8007 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8008 /* NOTREACHED */ 8009 } 8010 8011 return (b0); 8012 } 8013 8014 struct block * 8015 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 8016 { 8017 struct block *b0; 8018 8019 switch (cstate->linktype) { 8020 8021 case DLT_IEEE802_11: 8022 case DLT_PRISM_HEADER: 8023 case DLT_IEEE802_11_RADIO_AVS: 8024 case DLT_IEEE802_11_RADIO: 8025 break; 8026 8027 default: 8028 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8029 /* NOTREACHED */ 8030 } 8031 8032 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 8033 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 8034 8035 return (b0); 8036 } 8037 8038 struct block * 8039 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 8040 { 8041 switch (cstate->linktype) { 8042 8043 case DLT_ARCNET: 8044 case DLT_ARCNET_LINUX: 8045 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8046 q.proto == Q_LINK) 8047 return (gen_ahostop(cstate, eaddr, (int)q.dir)); 8048 else { 8049 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8050 /* NOTREACHED */ 8051 } 8052 break; 8053 8054 default: 8055 bpf_error(cstate, "aid supported only on ARCnet"); 8056 /* NOTREACHED */ 8057 } 8058 } 8059 8060 static struct block * 8061 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8062 { 8063 register struct block *b0, *b1; 8064 8065 switch (dir) { 8066 /* src comes first, different from Ethernet */ 8067 case Q_SRC: 8068 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8069 8070 case Q_DST: 8071 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8072 8073 case Q_AND: 8074 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8075 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8076 gen_and(b0, b1); 8077 return b1; 8078 8079 case Q_DEFAULT: 8080 case Q_OR: 8081 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8082 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8083 gen_or(b0, b1); 8084 return b1; 8085 8086 case Q_ADDR1: 8087 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8088 break; 8089 8090 case Q_ADDR2: 8091 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8092 break; 8093 8094 case Q_ADDR3: 8095 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8096 break; 8097 8098 case Q_ADDR4: 8099 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8100 break; 8101 8102 case Q_RA: 8103 bpf_error(cstate, "'ra' is only supported on 802.11"); 8104 break; 8105 8106 case Q_TA: 8107 bpf_error(cstate, "'ta' is only supported on 802.11"); 8108 break; 8109 } 8110 abort(); 8111 /* NOTREACHED */ 8112 } 8113 8114 static struct block * 8115 gen_vlan_tpid_test(compiler_state_t *cstate) 8116 { 8117 struct block *b0, *b1; 8118 8119 /* check for VLAN, including QinQ */ 8120 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8121 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8122 gen_or(b0,b1); 8123 b0 = b1; 8124 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8125 gen_or(b0,b1); 8126 8127 return b1; 8128 } 8129 8130 static struct block * 8131 gen_vlan_vid_test(compiler_state_t *cstate, int vlan_num) 8132 { 8133 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff); 8134 } 8135 8136 static struct block * 8137 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num) 8138 { 8139 struct block *b0, *b1; 8140 8141 b0 = gen_vlan_tpid_test(cstate); 8142 8143 if (vlan_num >= 0) { 8144 b1 = gen_vlan_vid_test(cstate, vlan_num); 8145 gen_and(b0, b1); 8146 b0 = b1; 8147 } 8148 8149 /* 8150 * Both payload and link header type follow the VLAN tags so that 8151 * both need to be updated. 8152 */ 8153 cstate->off_linkpl.constant_part += 4; 8154 cstate->off_linktype.constant_part += 4; 8155 8156 return b0; 8157 } 8158 8159 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8160 /* add v to variable part of off */ 8161 static void 8162 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s) 8163 { 8164 struct slist *s2; 8165 8166 if (!off->is_variable) 8167 off->is_variable = 1; 8168 if (off->reg == -1) 8169 off->reg = alloc_reg(cstate); 8170 8171 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8172 s2->s.k = off->reg; 8173 sappend(s, s2); 8174 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8175 s2->s.k = v; 8176 sappend(s, s2); 8177 s2 = new_stmt(cstate, BPF_ST); 8178 s2->s.k = off->reg; 8179 sappend(s, s2); 8180 } 8181 8182 /* 8183 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8184 * and link type offsets first 8185 */ 8186 static void 8187 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8188 { 8189 struct slist s; 8190 8191 /* offset determined at run time, shift variable part */ 8192 s.next = NULL; 8193 cstate->is_vlan_vloffset = 1; 8194 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8195 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8196 8197 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8198 sappend(s.next, b_tpid->head->stmts); 8199 b_tpid->head->stmts = s.next; 8200 } 8201 8202 /* 8203 * patch block b_vid (VLAN id test) to load VID value either from packet 8204 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8205 */ 8206 static void 8207 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8208 { 8209 struct slist *s, *s2, *sjeq; 8210 unsigned cnt; 8211 8212 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8213 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8214 8215 /* true -> next instructions, false -> beginning of b_vid */ 8216 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8217 sjeq->s.k = 1; 8218 sjeq->s.jf = b_vid->stmts; 8219 sappend(s, sjeq); 8220 8221 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8222 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8223 sappend(s, s2); 8224 sjeq->s.jt = s2; 8225 8226 /* jump to the test in b_vid (bypass loading VID from packet data) */ 8227 cnt = 0; 8228 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8229 cnt++; 8230 s2 = new_stmt(cstate, JMP(BPF_JA)); 8231 s2->s.k = cnt; 8232 sappend(s, s2); 8233 8234 /* insert our statements at the beginning of b_vid */ 8235 sappend(s, b_vid->stmts); 8236 b_vid->stmts = s; 8237 } 8238 8239 /* 8240 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8241 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8242 * tag can be either in metadata or in packet data; therefore if the 8243 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8244 * header for VLAN tag. As the decision is done at run time, we need 8245 * update variable part of the offsets 8246 */ 8247 static struct block * 8248 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num) 8249 { 8250 struct block *b0, *b_tpid, *b_vid = NULL; 8251 struct slist *s; 8252 8253 /* generate new filter code based on extracting packet 8254 * metadata */ 8255 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8256 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8257 8258 b0 = new_block(cstate, JMP(BPF_JEQ)); 8259 b0->stmts = s; 8260 b0->s.k = 1; 8261 8262 /* 8263 * This is tricky. We need to insert the statements updating variable 8264 * parts of offsets before the the traditional TPID and VID tests so 8265 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8266 * we do not want this update to affect those checks. That's why we 8267 * generate both test blocks first and insert the statements updating 8268 * variable parts of both offsets after that. This wouldn't work if 8269 * there already were variable length link header when entering this 8270 * function but gen_vlan_bpf_extensions() isn't called in that case. 8271 */ 8272 b_tpid = gen_vlan_tpid_test(cstate); 8273 if (vlan_num >= 0) 8274 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8275 8276 gen_vlan_patch_tpid_test(cstate, b_tpid); 8277 gen_or(b0, b_tpid); 8278 b0 = b_tpid; 8279 8280 if (vlan_num >= 0) { 8281 gen_vlan_patch_vid_test(cstate, b_vid); 8282 gen_and(b0, b_vid); 8283 b0 = b_vid; 8284 } 8285 8286 return b0; 8287 } 8288 #endif 8289 8290 /* 8291 * support IEEE 802.1Q VLAN trunk over ethernet 8292 */ 8293 struct block * 8294 gen_vlan(compiler_state_t *cstate, int vlan_num) 8295 { 8296 struct block *b0; 8297 8298 /* can't check for VLAN-encapsulated packets inside MPLS */ 8299 if (cstate->label_stack_depth > 0) 8300 bpf_error(cstate, "no VLAN match after MPLS"); 8301 8302 /* 8303 * Check for a VLAN packet, and then change the offsets to point 8304 * to the type and data fields within the VLAN packet. Just 8305 * increment the offsets, so that we can support a hierarchy, e.g. 8306 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8307 * VLAN 100. 8308 * 8309 * XXX - this is a bit of a kludge. If we were to split the 8310 * compiler into a parser that parses an expression and 8311 * generates an expression tree, and a code generator that 8312 * takes an expression tree (which could come from our 8313 * parser or from some other parser) and generates BPF code, 8314 * we could perhaps make the offsets parameters of routines 8315 * and, in the handler for an "AND" node, pass to subnodes 8316 * other than the VLAN node the adjusted offsets. 8317 * 8318 * This would mean that "vlan" would, instead of changing the 8319 * behavior of *all* tests after it, change only the behavior 8320 * of tests ANDed with it. That would change the documented 8321 * semantics of "vlan", which might break some expressions. 8322 * However, it would mean that "(vlan and ip) or ip" would check 8323 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8324 * checking only for VLAN-encapsulated IP, so that could still 8325 * be considered worth doing; it wouldn't break expressions 8326 * that are of the form "vlan and ..." or "vlan N and ...", 8327 * which I suspect are the most common expressions involving 8328 * "vlan". "vlan or ..." doesn't necessarily do what the user 8329 * would really want, now, as all the "or ..." tests would 8330 * be done assuming a VLAN, even though the "or" could be viewed 8331 * as meaning "or, if this isn't a VLAN packet...". 8332 */ 8333 switch (cstate->linktype) { 8334 8335 case DLT_EN10MB: 8336 case DLT_NETANALYZER: 8337 case DLT_NETANALYZER_TRANSPARENT: 8338 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8339 /* Verify that this is the outer part of the packet and 8340 * not encapsulated somehow. */ 8341 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8342 cstate->off_linkhdr.constant_part == 8343 cstate->off_outermostlinkhdr.constant_part) { 8344 /* 8345 * Do we need special VLAN handling? 8346 */ 8347 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8348 b0 = gen_vlan_bpf_extensions(cstate, vlan_num); 8349 else 8350 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8351 } else 8352 #endif 8353 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8354 break; 8355 8356 case DLT_IEEE802_11: 8357 case DLT_PRISM_HEADER: 8358 case DLT_IEEE802_11_RADIO_AVS: 8359 case DLT_IEEE802_11_RADIO: 8360 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8361 break; 8362 8363 default: 8364 bpf_error(cstate, "no VLAN support for data link type %d", 8365 cstate->linktype); 8366 /*NOTREACHED*/ 8367 } 8368 8369 cstate->vlan_stack_depth++; 8370 8371 return (b0); 8372 } 8373 8374 /* 8375 * support for MPLS 8376 */ 8377 struct block * 8378 gen_mpls(compiler_state_t *cstate, int label_num) 8379 { 8380 struct block *b0, *b1; 8381 8382 if (cstate->label_stack_depth > 0) { 8383 /* just match the bottom-of-stack bit clear */ 8384 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8385 } else { 8386 /* 8387 * We're not in an MPLS stack yet, so check the link-layer 8388 * type against MPLS. 8389 */ 8390 switch (cstate->linktype) { 8391 8392 case DLT_C_HDLC: /* fall through */ 8393 case DLT_EN10MB: 8394 case DLT_NETANALYZER: 8395 case DLT_NETANALYZER_TRANSPARENT: 8396 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 8397 break; 8398 8399 case DLT_PPP: 8400 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 8401 break; 8402 8403 /* FIXME add other DLT_s ... 8404 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8405 * leave it for now */ 8406 8407 default: 8408 bpf_error(cstate, "no MPLS support for data link type %d", 8409 cstate->linktype); 8410 /*NOTREACHED*/ 8411 break; 8412 } 8413 } 8414 8415 /* If a specific MPLS label is requested, check it */ 8416 if (label_num >= 0) { 8417 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8418 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8419 0xfffff000); /* only compare the first 20 bits */ 8420 gen_and(b0, b1); 8421 b0 = b1; 8422 } 8423 8424 /* 8425 * Change the offsets to point to the type and data fields within 8426 * the MPLS packet. Just increment the offsets, so that we 8427 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8428 * capture packets with an outer label of 100000 and an inner 8429 * label of 1024. 8430 * 8431 * Increment the MPLS stack depth as well; this indicates that 8432 * we're checking MPLS-encapsulated headers, to make sure higher 8433 * level code generators don't try to match against IP-related 8434 * protocols such as Q_ARP, Q_RARP etc. 8435 * 8436 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8437 */ 8438 cstate->off_nl_nosnap += 4; 8439 cstate->off_nl += 4; 8440 cstate->label_stack_depth++; 8441 return (b0); 8442 } 8443 8444 /* 8445 * Support PPPOE discovery and session. 8446 */ 8447 struct block * 8448 gen_pppoed(compiler_state_t *cstate) 8449 { 8450 /* check for PPPoE discovery */ 8451 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 8452 } 8453 8454 struct block * 8455 gen_pppoes(compiler_state_t *cstate, int sess_num) 8456 { 8457 struct block *b0, *b1; 8458 8459 /* 8460 * Test against the PPPoE session link-layer type. 8461 */ 8462 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 8463 8464 /* If a specific session is requested, check PPPoE session id */ 8465 if (sess_num >= 0) { 8466 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 8467 (bpf_int32)sess_num, 0x0000ffff); 8468 gen_and(b0, b1); 8469 b0 = b1; 8470 } 8471 8472 /* 8473 * Change the offsets to point to the type and data fields within 8474 * the PPP packet, and note that this is PPPoE rather than 8475 * raw PPP. 8476 * 8477 * XXX - this is a bit of a kludge. If we were to split the 8478 * compiler into a parser that parses an expression and 8479 * generates an expression tree, and a code generator that 8480 * takes an expression tree (which could come from our 8481 * parser or from some other parser) and generates BPF code, 8482 * we could perhaps make the offsets parameters of routines 8483 * and, in the handler for an "AND" node, pass to subnodes 8484 * other than the PPPoE node the adjusted offsets. 8485 * 8486 * This would mean that "pppoes" would, instead of changing the 8487 * behavior of *all* tests after it, change only the behavior 8488 * of tests ANDed with it. That would change the documented 8489 * semantics of "pppoes", which might break some expressions. 8490 * However, it would mean that "(pppoes and ip) or ip" would check 8491 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8492 * checking only for VLAN-encapsulated IP, so that could still 8493 * be considered worth doing; it wouldn't break expressions 8494 * that are of the form "pppoes and ..." which I suspect are the 8495 * most common expressions involving "pppoes". "pppoes or ..." 8496 * doesn't necessarily do what the user would really want, now, 8497 * as all the "or ..." tests would be done assuming PPPoE, even 8498 * though the "or" could be viewed as meaning "or, if this isn't 8499 * a PPPoE packet...". 8500 * 8501 * The "network-layer" protocol is PPPoE, which has a 6-byte 8502 * PPPoE header, followed by a PPP packet. 8503 * 8504 * There is no HDLC encapsulation for the PPP packet (it's 8505 * encapsulated in PPPoES instead), so the link-layer type 8506 * starts at the first byte of the PPP packet. For PPPoE, 8507 * that offset is relative to the beginning of the total 8508 * link-layer payload, including any 802.2 LLC header, so 8509 * it's 6 bytes past cstate->off_nl. 8510 */ 8511 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 8512 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 8513 cstate->off_linkpl.reg); 8514 8515 cstate->off_linktype = cstate->off_linkhdr; 8516 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 8517 8518 cstate->off_nl = 0; 8519 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 8520 8521 return b0; 8522 } 8523 8524 /* Check that this is Geneve and the VNI is correct if 8525 * specified. Parameterized to handle both IPv4 and IPv6. */ 8526 static struct block * 8527 gen_geneve_check(compiler_state_t *cstate, 8528 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 8529 enum e_offrel offrel, int vni) 8530 { 8531 struct block *b0, *b1; 8532 8533 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 8534 8535 /* Check that we are operating on version 0. Otherwise, we 8536 * can't decode the rest of the fields. The version is 2 bits 8537 * in the first byte of the Geneve header. */ 8538 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8539 gen_and(b0, b1); 8540 b0 = b1; 8541 8542 if (vni >= 0) { 8543 vni <<= 8; /* VNI is in the upper 3 bytes */ 8544 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 8545 0xffffff00); 8546 gen_and(b0, b1); 8547 b0 = b1; 8548 } 8549 8550 return b0; 8551 } 8552 8553 /* The IPv4 and IPv6 Geneve checks need to do two things: 8554 * - Verify that this actually is Geneve with the right VNI. 8555 * - Place the IP header length (plus variable link prefix if 8556 * needed) into register A to be used later to compute 8557 * the inner packet offsets. */ 8558 static struct block * 8559 gen_geneve4(compiler_state_t *cstate, int vni) 8560 { 8561 struct block *b0, *b1; 8562 struct slist *s, *s1; 8563 8564 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni); 8565 8566 /* Load the IP header length into A. */ 8567 s = gen_loadx_iphdrlen(cstate); 8568 8569 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8570 sappend(s, s1); 8571 8572 /* Forcibly append these statements to the true condition 8573 * of the protocol check by creating a new block that is 8574 * always true and ANDing them. */ 8575 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8576 b1->stmts = s; 8577 b1->s.k = 0; 8578 8579 gen_and(b0, b1); 8580 8581 return b1; 8582 } 8583 8584 static struct block * 8585 gen_geneve6(compiler_state_t *cstate, int vni) 8586 { 8587 struct block *b0, *b1; 8588 struct slist *s, *s1; 8589 8590 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni); 8591 8592 /* Load the IP header length. We need to account for a 8593 * variable length link prefix if there is one. */ 8594 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 8595 if (s) { 8596 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 8597 s1->s.k = 40; 8598 sappend(s, s1); 8599 8600 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8601 s1->s.k = 0; 8602 sappend(s, s1); 8603 } else { 8604 s = new_stmt(cstate, BPF_LD|BPF_IMM); 8605 s->s.k = 40; 8606 } 8607 8608 /* Forcibly append these statements to the true condition 8609 * of the protocol check by creating a new block that is 8610 * always true and ANDing them. */ 8611 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8612 sappend(s, s1); 8613 8614 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8615 b1->stmts = s; 8616 b1->s.k = 0; 8617 8618 gen_and(b0, b1); 8619 8620 return b1; 8621 } 8622 8623 /* We need to store three values based on the Geneve header:: 8624 * - The offset of the linktype. 8625 * - The offset of the end of the Geneve header. 8626 * - The offset of the end of the encapsulated MAC header. */ 8627 static struct slist * 8628 gen_geneve_offsets(compiler_state_t *cstate) 8629 { 8630 struct slist *s, *s1, *s_proto; 8631 8632 /* First we need to calculate the offset of the Geneve header 8633 * itself. This is composed of the IP header previously calculated 8634 * (include any variable link prefix) and stored in A plus the 8635 * fixed sized headers (fixed link prefix, MAC length, and UDP 8636 * header). */ 8637 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8638 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 8639 8640 /* Stash this in X since we'll need it later. */ 8641 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8642 sappend(s, s1); 8643 8644 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8645 * store it. */ 8646 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8647 s1->s.k = 2; 8648 sappend(s, s1); 8649 8650 cstate->off_linktype.reg = alloc_reg(cstate); 8651 cstate->off_linktype.is_variable = 1; 8652 cstate->off_linktype.constant_part = 0; 8653 8654 s1 = new_stmt(cstate, BPF_ST); 8655 s1->s.k = cstate->off_linktype.reg; 8656 sappend(s, s1); 8657 8658 /* Load the Geneve option length and mask and shift to get the 8659 * number of bytes. It is stored in the first byte of the Geneve 8660 * header. */ 8661 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 8662 s1->s.k = 0; 8663 sappend(s, s1); 8664 8665 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 8666 s1->s.k = 0x3f; 8667 sappend(s, s1); 8668 8669 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 8670 s1->s.k = 4; 8671 sappend(s, s1); 8672 8673 /* Add in the rest of the Geneve base header. */ 8674 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8675 s1->s.k = 8; 8676 sappend(s, s1); 8677 8678 /* Add the Geneve header length to its offset and store. */ 8679 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8680 s1->s.k = 0; 8681 sappend(s, s1); 8682 8683 /* Set the encapsulated type as Ethernet. Even though we may 8684 * not actually have Ethernet inside there are two reasons this 8685 * is useful: 8686 * - The linktype field is always in EtherType format regardless 8687 * of whether it is in Geneve or an inner Ethernet frame. 8688 * - The only link layer that we have specific support for is 8689 * Ethernet. We will confirm that the packet actually is 8690 * Ethernet at runtime before executing these checks. */ 8691 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 8692 8693 s1 = new_stmt(cstate, BPF_ST); 8694 s1->s.k = cstate->off_linkhdr.reg; 8695 sappend(s, s1); 8696 8697 /* Calculate whether we have an Ethernet header or just raw IP/ 8698 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8699 * and linktype by 14 bytes so that the network header can be found 8700 * seamlessly. Otherwise, keep what we've calculated already. */ 8701 8702 /* We have a bare jmp so we can't use the optimizer. */ 8703 cstate->no_optimize = 1; 8704 8705 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8706 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 8707 s1->s.k = 2; 8708 sappend(s, s1); 8709 8710 /* Load X with the end of the Geneve header. */ 8711 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8712 s1->s.k = cstate->off_linkhdr.reg; 8713 sappend(s, s1); 8714 8715 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8716 * end of this check, we should have the total length in X. In 8717 * the non-Ethernet case, it's already there. */ 8718 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 8719 s_proto->s.k = ETHERTYPE_TEB; 8720 sappend(s, s_proto); 8721 8722 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8723 sappend(s, s1); 8724 s_proto->s.jt = s1; 8725 8726 /* Since this is Ethernet, use the EtherType of the payload 8727 * directly as the linktype. Overwrite what we already have. */ 8728 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8729 s1->s.k = 12; 8730 sappend(s, s1); 8731 8732 s1 = new_stmt(cstate, BPF_ST); 8733 s1->s.k = cstate->off_linktype.reg; 8734 sappend(s, s1); 8735 8736 /* Advance two bytes further to get the end of the Ethernet 8737 * header. */ 8738 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8739 s1->s.k = 2; 8740 sappend(s, s1); 8741 8742 /* Move the result to X. */ 8743 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8744 sappend(s, s1); 8745 8746 /* Store the final result of our linkpl calculation. */ 8747 cstate->off_linkpl.reg = alloc_reg(cstate); 8748 cstate->off_linkpl.is_variable = 1; 8749 cstate->off_linkpl.constant_part = 0; 8750 8751 s1 = new_stmt(cstate, BPF_STX); 8752 s1->s.k = cstate->off_linkpl.reg; 8753 sappend(s, s1); 8754 s_proto->s.jf = s1; 8755 8756 cstate->off_nl = 0; 8757 8758 return s; 8759 } 8760 8761 /* Check to see if this is a Geneve packet. */ 8762 struct block * 8763 gen_geneve(compiler_state_t *cstate, int vni) 8764 { 8765 struct block *b0, *b1; 8766 struct slist *s; 8767 8768 b0 = gen_geneve4(cstate, vni); 8769 b1 = gen_geneve6(cstate, vni); 8770 8771 gen_or(b0, b1); 8772 b0 = b1; 8773 8774 /* Later filters should act on the payload of the Geneve frame, 8775 * update all of the header pointers. Attach this code so that 8776 * it gets executed in the event that the Geneve filter matches. */ 8777 s = gen_geneve_offsets(cstate); 8778 8779 b1 = gen_true(cstate); 8780 sappend(s, b1->stmts); 8781 b1->stmts = s; 8782 8783 gen_and(b0, b1); 8784 8785 cstate->is_geneve = 1; 8786 8787 return b1; 8788 } 8789 8790 /* Check that the encapsulated frame has a link layer header 8791 * for Ethernet filters. */ 8792 static struct block * 8793 gen_geneve_ll_check(compiler_state_t *cstate) 8794 { 8795 struct block *b0; 8796 struct slist *s, *s1; 8797 8798 /* The easiest way to see if there is a link layer present 8799 * is to check if the link layer header and payload are not 8800 * the same. */ 8801 8802 /* Geneve always generates pure variable offsets so we can 8803 * compare only the registers. */ 8804 s = new_stmt(cstate, BPF_LD|BPF_MEM); 8805 s->s.k = cstate->off_linkhdr.reg; 8806 8807 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8808 s1->s.k = cstate->off_linkpl.reg; 8809 sappend(s, s1); 8810 8811 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8812 b0->stmts = s; 8813 b0->s.k = 0; 8814 gen_not(b0); 8815 8816 return b0; 8817 } 8818 8819 struct block * 8820 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue, 8821 bpf_u_int32 jtype, int reverse) 8822 { 8823 struct block *b0; 8824 8825 switch (atmfield) { 8826 8827 case A_VPI: 8828 if (!cstate->is_atm) 8829 bpf_error(cstate, "'vpi' supported only on raw ATM"); 8830 if (cstate->off_vpi == OFFSET_NOT_SET) 8831 abort(); 8832 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 8833 reverse, jvalue); 8834 break; 8835 8836 case A_VCI: 8837 if (!cstate->is_atm) 8838 bpf_error(cstate, "'vci' supported only on raw ATM"); 8839 if (cstate->off_vci == OFFSET_NOT_SET) 8840 abort(); 8841 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 8842 reverse, jvalue); 8843 break; 8844 8845 case A_PROTOTYPE: 8846 if (cstate->off_proto == OFFSET_NOT_SET) 8847 abort(); /* XXX - this isn't on FreeBSD */ 8848 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 8849 reverse, jvalue); 8850 break; 8851 8852 case A_MSGTYPE: 8853 if (cstate->off_payload == OFFSET_NOT_SET) 8854 abort(); 8855 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 8856 0xffffffff, jtype, reverse, jvalue); 8857 break; 8858 8859 case A_CALLREFTYPE: 8860 if (!cstate->is_atm) 8861 bpf_error(cstate, "'callref' supported only on raw ATM"); 8862 if (cstate->off_proto == OFFSET_NOT_SET) 8863 abort(); 8864 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 8865 jtype, reverse, jvalue); 8866 break; 8867 8868 default: 8869 abort(); 8870 } 8871 return b0; 8872 } 8873 8874 struct block * 8875 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 8876 { 8877 struct block *b0, *b1; 8878 8879 switch (type) { 8880 8881 case A_METAC: 8882 /* Get all packets in Meta signalling Circuit */ 8883 if (!cstate->is_atm) 8884 bpf_error(cstate, "'metac' supported only on raw ATM"); 8885 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8886 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0); 8887 gen_and(b0, b1); 8888 break; 8889 8890 case A_BCC: 8891 /* Get all packets in Broadcast Circuit*/ 8892 if (!cstate->is_atm) 8893 bpf_error(cstate, "'bcc' supported only on raw ATM"); 8894 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8895 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0); 8896 gen_and(b0, b1); 8897 break; 8898 8899 case A_OAMF4SC: 8900 /* Get all cells in Segment OAM F4 circuit*/ 8901 if (!cstate->is_atm) 8902 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 8903 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8904 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8905 gen_and(b0, b1); 8906 break; 8907 8908 case A_OAMF4EC: 8909 /* Get all cells in End-to-End OAM F4 Circuit*/ 8910 if (!cstate->is_atm) 8911 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 8912 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8913 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8914 gen_and(b0, b1); 8915 break; 8916 8917 case A_SC: 8918 /* Get all packets in connection Signalling Circuit */ 8919 if (!cstate->is_atm) 8920 bpf_error(cstate, "'sc' supported only on raw ATM"); 8921 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8922 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0); 8923 gen_and(b0, b1); 8924 break; 8925 8926 case A_ILMIC: 8927 /* Get all packets in ILMI Circuit */ 8928 if (!cstate->is_atm) 8929 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 8930 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8931 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0); 8932 gen_and(b0, b1); 8933 break; 8934 8935 case A_LANE: 8936 /* Get all LANE packets */ 8937 if (!cstate->is_atm) 8938 bpf_error(cstate, "'lane' supported only on raw ATM"); 8939 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8940 8941 /* 8942 * Arrange that all subsequent tests assume LANE 8943 * rather than LLC-encapsulated packets, and set 8944 * the offsets appropriately for LANE-encapsulated 8945 * Ethernet. 8946 * 8947 * We assume LANE means Ethernet, not Token Ring. 8948 */ 8949 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 8950 cstate->off_payload + 2, /* Ethernet header */ 8951 -1); 8952 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 8953 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 8954 cstate->off_nl = 0; /* Ethernet II */ 8955 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 8956 break; 8957 8958 case A_LLC: 8959 /* Get all LLC-encapsulated packets */ 8960 if (!cstate->is_atm) 8961 bpf_error(cstate, "'llc' supported only on raw ATM"); 8962 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8963 cstate->linktype = cstate->prevlinktype; 8964 break; 8965 8966 default: 8967 abort(); 8968 } 8969 return b1; 8970 } 8971 8972 /* 8973 * Filtering for MTP2 messages based on li value 8974 * FISU, length is null 8975 * LSSU, length is 1 or 2 8976 * MSU, length is 3 or more 8977 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8978 */ 8979 struct block * 8980 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 8981 { 8982 struct block *b0, *b1; 8983 8984 switch (type) { 8985 8986 case M_FISU: 8987 if ( (cstate->linktype != DLT_MTP2) && 8988 (cstate->linktype != DLT_ERF) && 8989 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8990 bpf_error(cstate, "'fisu' supported only on MTP2"); 8991 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8992 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8993 break; 8994 8995 case M_LSSU: 8996 if ( (cstate->linktype != DLT_MTP2) && 8997 (cstate->linktype != DLT_ERF) && 8998 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8999 bpf_error(cstate, "'lssu' supported only on MTP2"); 9000 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 9001 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 9002 gen_and(b1, b0); 9003 break; 9004 9005 case M_MSU: 9006 if ( (cstate->linktype != DLT_MTP2) && 9007 (cstate->linktype != DLT_ERF) && 9008 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9009 bpf_error(cstate, "'msu' supported only on MTP2"); 9010 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 9011 break; 9012 9013 case MH_FISU: 9014 if ( (cstate->linktype != DLT_MTP2) && 9015 (cstate->linktype != DLT_ERF) && 9016 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9017 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9018 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9019 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 9020 break; 9021 9022 case MH_LSSU: 9023 if ( (cstate->linktype != DLT_MTP2) && 9024 (cstate->linktype != DLT_ERF) && 9025 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9026 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9027 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 9028 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 9029 gen_and(b1, b0); 9030 break; 9031 9032 case MH_MSU: 9033 if ( (cstate->linktype != DLT_MTP2) && 9034 (cstate->linktype != DLT_ERF) && 9035 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9036 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9037 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 9038 break; 9039 9040 default: 9041 abort(); 9042 } 9043 return b0; 9044 } 9045 9046 struct block * 9047 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue, 9048 bpf_u_int32 jtype, int reverse) 9049 { 9050 struct block *b0; 9051 bpf_u_int32 val1 , val2 , val3; 9052 u_int newoff_sio = cstate->off_sio; 9053 u_int newoff_opc = cstate->off_opc; 9054 u_int newoff_dpc = cstate->off_dpc; 9055 u_int newoff_sls = cstate->off_sls; 9056 9057 switch (mtp3field) { 9058 9059 case MH_SIO: 9060 newoff_sio += 3; /* offset for MTP2_HSL */ 9061 /* FALLTHROUGH */ 9062 9063 case M_SIO: 9064 if (cstate->off_sio == OFFSET_NOT_SET) 9065 bpf_error(cstate, "'sio' supported only on SS7"); 9066 /* sio coded on 1 byte so max value 255 */ 9067 if(jvalue > 255) 9068 bpf_error(cstate, "sio value %u too big; max value = 255", 9069 jvalue); 9070 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 9071 (u_int)jtype, reverse, (u_int)jvalue); 9072 break; 9073 9074 case MH_OPC: 9075 newoff_opc+=3; 9076 case M_OPC: 9077 if (cstate->off_opc == OFFSET_NOT_SET) 9078 bpf_error(cstate, "'opc' supported only on SS7"); 9079 /* opc coded on 14 bits so max value 16383 */ 9080 if (jvalue > 16383) 9081 bpf_error(cstate, "opc value %u too big; max value = 16383", 9082 jvalue); 9083 /* the following instructions are made to convert jvalue 9084 * to the form used to write opc in an ss7 message*/ 9085 val1 = jvalue & 0x00003c00; 9086 val1 = val1 >>10; 9087 val2 = jvalue & 0x000003fc; 9088 val2 = val2 <<6; 9089 val3 = jvalue & 0x00000003; 9090 val3 = val3 <<22; 9091 jvalue = val1 + val2 + val3; 9092 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 9093 (u_int)jtype, reverse, (u_int)jvalue); 9094 break; 9095 9096 case MH_DPC: 9097 newoff_dpc += 3; 9098 /* FALLTHROUGH */ 9099 9100 case M_DPC: 9101 if (cstate->off_dpc == OFFSET_NOT_SET) 9102 bpf_error(cstate, "'dpc' supported only on SS7"); 9103 /* dpc coded on 14 bits so max value 16383 */ 9104 if (jvalue > 16383) 9105 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9106 jvalue); 9107 /* the following instructions are made to convert jvalue 9108 * to the forme used to write dpc in an ss7 message*/ 9109 val1 = jvalue & 0x000000ff; 9110 val1 = val1 << 24; 9111 val2 = jvalue & 0x00003f00; 9112 val2 = val2 << 8; 9113 jvalue = val1 + val2; 9114 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 9115 (u_int)jtype, reverse, (u_int)jvalue); 9116 break; 9117 9118 case MH_SLS: 9119 newoff_sls+=3; 9120 case M_SLS: 9121 if (cstate->off_sls == OFFSET_NOT_SET) 9122 bpf_error(cstate, "'sls' supported only on SS7"); 9123 /* sls coded on 4 bits so max value 15 */ 9124 if (jvalue > 15) 9125 bpf_error(cstate, "sls value %u too big; max value = 15", 9126 jvalue); 9127 /* the following instruction is made to convert jvalue 9128 * to the forme used to write sls in an ss7 message*/ 9129 jvalue = jvalue << 4; 9130 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 9131 (u_int)jtype,reverse, (u_int)jvalue); 9132 break; 9133 9134 default: 9135 abort(); 9136 } 9137 return b0; 9138 } 9139 9140 static struct block * 9141 gen_msg_abbrev(compiler_state_t *cstate, int type) 9142 { 9143 struct block *b1; 9144 9145 /* 9146 * Q.2931 signalling protocol messages for handling virtual circuits 9147 * establishment and teardown 9148 */ 9149 switch (type) { 9150 9151 case A_SETUP: 9152 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9153 break; 9154 9155 case A_CALLPROCEED: 9156 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9157 break; 9158 9159 case A_CONNECT: 9160 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9161 break; 9162 9163 case A_CONNECTACK: 9164 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9165 break; 9166 9167 case A_RELEASE: 9168 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9169 break; 9170 9171 case A_RELEASE_DONE: 9172 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9173 break; 9174 9175 default: 9176 abort(); 9177 } 9178 return b1; 9179 } 9180 9181 struct block * 9182 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9183 { 9184 struct block *b0, *b1; 9185 9186 switch (type) { 9187 9188 case A_OAM: 9189 if (!cstate->is_atm) 9190 bpf_error(cstate, "'oam' supported only on raw ATM"); 9191 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4); 9192 break; 9193 9194 case A_OAMF4: 9195 if (!cstate->is_atm) 9196 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9197 /* OAM F4 type */ 9198 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 9199 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 9200 gen_or(b0, b1); 9201 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 9202 gen_and(b0, b1); 9203 break; 9204 9205 case A_CONNECTMSG: 9206 /* 9207 * Get Q.2931 signalling messages for switched 9208 * virtual connection 9209 */ 9210 if (!cstate->is_atm) 9211 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9212 b0 = gen_msg_abbrev(cstate, A_SETUP); 9213 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9214 gen_or(b0, b1); 9215 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9216 gen_or(b0, b1); 9217 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9218 gen_or(b0, b1); 9219 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9220 gen_or(b0, b1); 9221 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9222 gen_or(b0, b1); 9223 b0 = gen_atmtype_abbrev(cstate, A_SC); 9224 gen_and(b0, b1); 9225 break; 9226 9227 case A_METACONNECT: 9228 if (!cstate->is_atm) 9229 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9230 b0 = gen_msg_abbrev(cstate, A_SETUP); 9231 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9232 gen_or(b0, b1); 9233 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9234 gen_or(b0, b1); 9235 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9236 gen_or(b0, b1); 9237 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9238 gen_or(b0, b1); 9239 b0 = gen_atmtype_abbrev(cstate, A_METAC); 9240 gen_and(b0, b1); 9241 break; 9242 9243 default: 9244 abort(); 9245 } 9246 return b1; 9247 } 9248