1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Some portions Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
7 * Some portions Copyright (C) 2010-2013 Sourcefire, Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that: (1) source code distributions
11 * retain the above copyright notice and this paragraph in its entirety, (2)
12 * distributions including binary code include the above copyright notice and
13 * this paragraph in its entirety in the documentation or other materials
14 * provided with the distribution, and (3) all advertising materials mentioning
15 * features or use of this software display the following acknowledgement:
16 * ``This product includes software developed by the University of California,
17 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 * the University nor the names of its contributors may be used to endorse
19 * or promote products derived from this software without specific prior
20 * written permission.
21 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
24 */
25 #ifndef lint
26 static const char __attribute__ ((unused)) rcsid[] =
27 "@(#) $Header: /usr/cvsroot/sfeng/ims/src/libraries/daq/daq/sfbpf/sf_gencode.c,v 1.6 2014/06/10 13:38:55 cwaxman Exp $ (LBL)";
28 #endif
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
34 #ifdef WIN32
35 #include "win32-stdinc.h"
36 #else /* WIN32 */
37 #if HAVE_INTTYPES_H
38 #include <inttypes.h>
39 #elif HAVE_STDINT_H
40 #include <stdint.h>
41 #endif
42 #ifdef HAVE_SYS_BITYPES_H
43 #include <sys/bitypes.h>
44 #endif
45 #include <sys/types.h>
46 #include <sys/socket.h>
47 #endif /* WIN32 */
48
49 /*
50 * XXX - why was this included even on UNIX?
51 */
52 #ifdef __MINGW32__
53 #include "IP6_misc.h"
54 #endif
55
56 #ifndef WIN32
57
58 #ifdef __NetBSD__
59 #include <sys/param.h>
60 #endif
61
62 #include <netinet/in.h>
63 #include <arpa/inet.h>
64
65 #endif /* WIN32 */
66
67 #include <stdlib.h>
68 #include <string.h>
69 #include <memory.h>
70 #include <setjmp.h>
71 #include <stdarg.h>
72 #include <stdio.h>
73
74 #ifdef MSDOS
75 #include "pcap-dos.h"
76 #endif
77
78 #include "sfbpf-int.h"
79
80 #include "ethertype.h"
81 #include "nlpid.h"
82 #include "llc.h"
83 #include "gencode.h"
84 #include "ieee80211.h"
85 #include "atmuni31.h"
86 #include "sunatmpos.h"
87 #include "ppp.h"
88 #include "sll.h"
89 #include "ipnet.h"
90 #include "arcnet.h"
91 #ifdef HAVE_NET_PFVAR_H
92 #include <sys/socket.h>
93 #include <net/if.h>
94 #include <net/pfvar.h>
95 #include <net/if_pflog.h>
96 #endif
97 #ifndef offsetof
98 #define offsetof(s, e) ((size_t)&((s *)0)->e)
99 #endif
100 #ifdef INET6
101 #ifndef WIN32
102 #include <netdb.h> /* for "struct addrinfo" */
103 #endif /* WIN32 */
104 #endif /*INET6 */
105 #include "namedb.h"
106
107 #define ETHERMTU 1500
108
109 #ifndef IPPROTO_SCTP
110 #define IPPROTO_SCTP 132
111 #endif
112
113 #define JMP(c) ((c)|BPF_JMP|BPF_K)
114
115 #if defined(__GNUC__)
116 #pragma GCC diagnostic ignored "-Wunused-value"
117 #endif /* __GNUC__ */
118
119 /* Locals */
120 static __thread jmp_buf top_ctx;
121 static __thread char bpf_error_filter[PCAP_ERRBUF_SIZE + 1];
122
123 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
124 #ifdef WIN32
125 static u_int orig_linktype = (u_int) - 1, orig_nl = (u_int) - 1, label_stack_depth = (u_int) - 1;
126 #else
127 static __thread u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
128 #endif
129
130 /* XXX */
131 #ifdef PCAP_FDDIPAD
132 static int pcap_fddipad;
133 #endif
134
135 /* VARARGS */
bpf_error(const char * fmt,...)136 void bpf_error(const char *fmt, ...)
137 {
138 va_list ap;
139
140 va_start(ap, fmt);
141 (void) vsnprintf(bpf_error_filter, PCAP_ERRBUF_SIZE, fmt, ap);
142 va_end(ap);
143 longjmp(top_ctx, 1);
144 /* NOTREACHED */
145 }
146
147 static void init_linktype(int);
148
149 static void init_regs(void);
150 static int alloc_reg(void);
151 static void free_reg(int);
152
153 static __thread struct block *root;
154
155 /*
156 * Value passed to gen_load_a() to indicate what the offset argument
157 * is relative to.
158 */
159 enum e_offrel
160 {
161 OR_PACKET, /* relative to the beginning of the packet */
162 OR_LINK, /* relative to the beginning of the link-layer header */
163 OR_MACPL, /* relative to the end of the MAC-layer header */
164 OR_NET, /* relative to the network-layer header */
165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
168 };
169
170 #ifdef INET6
171 /*
172 * As errors are handled by a longjmp, anything allocated must be freed
173 * in the longjmp handler, so it must be reachable from that handler.
174 * One thing that's allocated is the result of pcap_nametoaddrinfo();
175 * it must be freed with freeaddrinfo(). This variable points to any
176 * addrinfo structure that would need to be freed.
177 */
178 static struct addrinfo *ai;
179 #endif
180
181 /*
182 * We divy out chunks of memory rather than call malloc each time so
183 * we don't have to worry about leaking memory. It's probably
184 * not a big deal if all this memory was wasted but if this ever
185 * goes into a library that would probably not be a good idea.
186 *
187 * XXX - this *is* in a library....
188 */
189 #define NCHUNKS 16
190 #define CHUNK0SIZE 1024
191 struct chunk
192 {
193 u_int n_left;
194 void *m;
195 };
196
197 static __thread struct chunk chunks[NCHUNKS];
198 static __thread int cur_chunk;
199
200 static void *newchunk(u_int);
201 static void freechunks(void);
202 static inline struct block *new_block(int);
203 static inline struct slist *new_stmt(int);
204 static struct block *gen_retblk(int);
205 static inline void syntax(void);
206
207 static void backpatch(struct block *, struct block *);
208 static void merge(struct block *, struct block *);
209 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
210 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
211 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
212 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
213 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
214 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, bpf_u_int32);
215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
217 bpf_u_int32, bpf_u_int32, int, bpf_int32);
218 static struct slist *gen_load_llrel(u_int, u_int);
219 static struct slist *gen_load_macplrel(u_int, u_int);
220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
221 static struct slist *gen_loadx_iphdrlen(void);
222 static struct block *gen_uncond(int);
223 static inline struct block *gen_true(void);
224 static inline struct block *gen_false(void);
225 static struct block *gen_ether_linktype(int);
226 static struct block *gen_ipnet_linktype(int);
227 static struct block *gen_linux_sll_linktype(int);
228 static struct slist *gen_load_prism_llprefixlen(void);
229 static struct slist *gen_load_avs_llprefixlen(void);
230 static struct slist *gen_load_radiotap_llprefixlen(void);
231 static struct slist *gen_load_ppi_llprefixlen(void);
232 static void insert_compute_vloffsets(struct block *);
233 static struct slist *gen_llprefixlen(void);
234 static struct slist *gen_off_macpl(void);
235 static int ethertype_to_ppptype(int);
236 static struct block *gen_linktype(int);
237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
238 static struct block *gen_llc_linktype(int);
239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
240 #ifdef INET6
241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
242 #endif
243 static struct block *gen_ahostop(const u_char *, int);
244 static struct block *gen_ehostop(const u_char *, int);
245 static struct block *gen_fhostop(const u_char *, int);
246 static struct block *gen_thostop(const u_char *, int);
247 static struct block *gen_wlanhostop(const u_char *, int);
248 static struct block *gen_ipfchostop(const u_char *, int);
249 static struct block *gen_dnhostop(bpf_u_int32, int);
250 static struct block *gen_mpls_linktype(int);
251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
252 #ifdef INET6
253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
254 #endif
255 #ifndef INET6
256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
257 #endif
258 static struct block *gen_ipfrag(void);
259 static struct block *gen_portatom(int, bpf_int32);
260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
261 #ifdef INET6
262 static struct block *gen_portatom6(int, bpf_int32);
263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
264 #endif
265 struct block *gen_portop(int, int, int);
266 static struct block *gen_port(int, int, int);
267 struct block *gen_portrangeop(int, int, int, int);
268 static struct block *gen_portrange(int, int, int, int);
269 #ifdef INET6
270 struct block *gen_portop6(int, int, int);
271 static struct block *gen_port6(int, int, int);
272 struct block *gen_portrangeop6(int, int, int, int);
273 static struct block *gen_portrange6(int, int, int, int);
274 #endif
275 static int lookup_proto(const char *, int);
276 static struct block *gen_protochain(int, int, int);
277 static struct block *gen_proto(int, int, int);
278 static struct slist *xfer_to_x(struct arth *);
279 static struct slist *xfer_to_a(struct arth *);
280 static struct block *gen_mac_multicast(int);
281 static struct block *gen_len(int, int);
282 static struct block *gen_check_802_11_data_frame(void);
283
284 static struct block *gen_ppi_dlt_check(void);
285 static struct block *gen_msg_abbrev(int type);
286
newchunk(n)287 static void *newchunk(n)
288 u_int n;
289 {
290 struct chunk *cp;
291 int k;
292 size_t size;
293
294 #ifndef __NetBSD__
295 /* XXX Round up to nearest long. */
296 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
297 #else
298 /* XXX Round up to structure boundary. */
299 n = ALIGN(n);
300 #endif
301
302 cp = &chunks[cur_chunk];
303 if (n > cp->n_left)
304 {
305 ++cp, k = ++cur_chunk;
306 if (k >= NCHUNKS)
307 bpf_error("out of memory");
308 size = CHUNK0SIZE << k;
309 cp->m = (void *) malloc(size);
310 if (cp->m == NULL)
311 bpf_error("out of memory");
312 memset((char *) cp->m, 0, size);
313 cp->n_left = size;
314 if (n > size)
315 bpf_error("out of memory");
316 }
317 cp->n_left -= n;
318 return (void *) ((char *) cp->m + cp->n_left);
319 }
320
freechunks()321 static void freechunks()
322 {
323 int i;
324
325 cur_chunk = 0;
326 for (i = 0; i < NCHUNKS; ++i)
327 if (chunks[i].m != NULL)
328 {
329 free(chunks[i].m);
330 chunks[i].m = NULL;
331 }
332 }
333
334 /*
335 * A strdup whose allocations are freed after code generation is over.
336 */
sdup(s)337 char *sdup(s)
338 register const char *s;
339 {
340 int n = strlen(s) + 1;
341 char *cp = newchunk(n);
342
343 strlcpy(cp, s, n);
344 return (cp);
345 }
346
new_block(code)347 static inline struct block *new_block(code)
348 int code;
349 {
350 struct block *p;
351
352 p = (struct block *) newchunk(sizeof(*p));
353 p->s.code = code;
354 p->head = p;
355
356 return p;
357 }
358
new_stmt(code)359 static inline struct slist *new_stmt(code)
360 int code;
361 {
362 struct slist *p;
363
364 p = (struct slist *) newchunk(sizeof(*p));
365 p->s.code = code;
366
367 return p;
368 }
369
gen_retblk(v)370 static struct block *gen_retblk(v)
371 int v;
372 {
373 struct block *b = new_block(BPF_RET | BPF_K);
374
375 b->s.k = v;
376 return b;
377 }
378
syntax()379 static inline void syntax()
380 {
381 bpf_error("syntax error in filter expression");
382 }
383
384 static __thread bpf_u_int32 netmask;
385 static __thread int snaplen;
386 __thread int no_optimize;
387
pcap_compile(int snaplen_arg,int linktype_arg,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)388 DAQ_SO_PUBLIC int pcap_compile(int snaplen_arg, int linktype_arg, struct bpf_program *program, const char *buf, int optimize, bpf_u_int32 mask)
389 {
390 extern __thread int n_errors;
391 const char *volatile xbuf = buf;
392 int len;
393
394 no_optimize = 0;
395 n_errors = 0;
396 root = NULL;
397 init_regs();
398 if (setjmp(top_ctx))
399 {
400 #ifdef INET6
401 if (ai != NULL)
402 {
403 freeaddrinfo(ai);
404 ai = NULL;
405 }
406 #endif
407 lex_cleanup();
408 freechunks();
409 return (-1);
410 }
411
412 netmask = mask;
413
414 snaplen = snaplen_arg;
415 if (snaplen == 0)
416 {
417 snprintf(bpf_error_filter, PCAP_ERRBUF_SIZE, "snaplen of 0 rejects all packets");
418 return -1;
419 }
420
421 lex_init(xbuf ? xbuf : "");
422 init_linktype(linktype_arg);
423 (void) pcap_parse();
424
425 if (n_errors)
426 syntax();
427
428 if (root == NULL)
429 root = gen_retblk(snaplen);
430
431 if (optimize && !no_optimize)
432 {
433 bpf_optimize(&root);
434 if (root == NULL || (root->s.code == (BPF_RET | BPF_K) && root->s.k == 0))
435 bpf_error("expression rejects all packets");
436 }
437 program->bf_insns = icode_to_fcode(root, &len);
438 program->bf_len = len;
439
440 lex_cleanup();
441 freechunks();
442 return (0);
443 }
444
445 /*
446 * Clean up a "struct bpf_program" by freeing all the memory allocated
447 * in it.
448 */
pcap_freecode(struct bpf_program * program)449 DAQ_SO_PUBLIC void pcap_freecode(struct bpf_program *program)
450 {
451 program->bf_len = 0;
452 if (program->bf_insns != NULL)
453 {
454 free((char *) program->bf_insns);
455 program->bf_insns = NULL;
456 }
457 }
458
459 /*
460 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
461 * which of the jt and jf fields has been resolved and which is a pointer
462 * back to another unresolved block (or nil). At least one of the fields
463 * in each block is already resolved.
464 */
backpatch(list,target)465 static void backpatch(list, target)
466 struct block *list, *target;
467 {
468 struct block *next;
469
470 while (list)
471 {
472 if (!list->sense)
473 {
474 next = JT(list);
475 JT(list) = target;
476 }
477 else
478 {
479 next = JF(list);
480 JF(list) = target;
481 }
482 list = next;
483 }
484 }
485
486 /*
487 * Merge the lists in b0 and b1, using the 'sense' field to indicate
488 * which of jt and jf is the link.
489 */
merge(b0,b1)490 static void merge(b0, b1)
491 struct block *b0, *b1;
492 {
493 register struct block **p = &b0;
494
495 /* Find end of list. */
496 while (*p)
497 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
498
499 /* Concatenate the lists. */
500 *p = b1;
501 }
502
finish_parse(p)503 void finish_parse(p)
504 struct block *p;
505 {
506 struct block *ppi_dlt_check;
507
508 /*
509 * Insert before the statements of the first (root) block any
510 * statements needed to load the lengths of any variable-length
511 * headers into registers.
512 *
513 * XXX - a fancier strategy would be to insert those before the
514 * statements of all blocks that use those lengths and that
515 * have no predecessors that use them, so that we only compute
516 * the lengths if we need them. There might be even better
517 * approaches than that.
518 *
519 * However, those strategies would be more complicated, and
520 * as we don't generate code to compute a length if the
521 * program has no tests that use the length, and as most
522 * tests will probably use those lengths, we would just
523 * postpone computing the lengths so that it's not done
524 * for tests that fail early, and it's not clear that's
525 * worth the effort.
526 */
527 insert_compute_vloffsets(p->head);
528
529 /*
530 * For DLT_PPI captures, generate a check of the per-packet
531 * DLT value to make sure it's DLT_IEEE802_11.
532 */
533 ppi_dlt_check = gen_ppi_dlt_check();
534 if (ppi_dlt_check != NULL)
535 gen_and(ppi_dlt_check, p);
536
537 backpatch(p, gen_retblk(snaplen));
538 p->sense = !p->sense;
539 backpatch(p, gen_retblk(0));
540 root = p->head;
541 }
542
gen_and(b0,b1)543 void gen_and(b0, b1)
544 struct block *b0, *b1;
545 {
546 backpatch(b0, b1->head);
547 b0->sense = !b0->sense;
548 b1->sense = !b1->sense;
549 merge(b1, b0);
550 b1->sense = !b1->sense;
551 b1->head = b0->head;
552 }
553
gen_or(b0,b1)554 void gen_or(b0, b1)
555 struct block *b0, *b1;
556 {
557 b0->sense = !b0->sense;
558 backpatch(b0, b1->head);
559 b0->sense = !b0->sense;
560 merge(b1, b0);
561 b1->head = b0->head;
562 }
563
gen_not(b)564 void gen_not(b)
565 struct block *b;
566 {
567 b->sense = !b->sense;
568 }
569
gen_cmp(offrel,offset,size,v)570 static struct block *gen_cmp(offrel, offset, size, v)
571 enum e_offrel offrel;
572 u_int offset, size;
573 bpf_int32 v;
574 {
575 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
576 }
577
gen_cmp_gt(offrel,offset,size,v)578 static struct block *gen_cmp_gt(offrel, offset, size, v)
579 enum e_offrel offrel;
580 u_int offset, size;
581 bpf_int32 v;
582 {
583 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
584 }
585
gen_cmp_ge(offrel,offset,size,v)586 static struct block *gen_cmp_ge(offrel, offset, size, v)
587 enum e_offrel offrel;
588 u_int offset, size;
589 bpf_int32 v;
590 {
591 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
592 }
593
gen_cmp_lt(offrel,offset,size,v)594 static struct block *gen_cmp_lt(offrel, offset, size, v)
595 enum e_offrel offrel;
596 u_int offset, size;
597 bpf_int32 v;
598 {
599 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
600 }
601
gen_cmp_le(offrel,offset,size,v)602 static struct block *gen_cmp_le(offrel, offset, size, v)
603 enum e_offrel offrel;
604 u_int offset, size;
605 bpf_int32 v;
606 {
607 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
608 }
609
gen_mcmp(offrel,offset,size,v,mask)610 static struct block *gen_mcmp(offrel, offset, size, v, mask)
611 enum e_offrel offrel;
612 u_int offset, size;
613 bpf_int32 v;
614 bpf_u_int32 mask;
615 {
616 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
617 }
618
gen_bcmp(offrel,offset,size,v)619 static struct block *gen_bcmp(offrel, offset, size, v)
620 enum e_offrel offrel;
621 register u_int offset, size;
622 register const u_char *v;
623 {
624 register struct block *b, *tmp;
625
626 b = NULL;
627 while (size >= 4)
628 {
629 register const u_char *p = &v[size - 4];
630 bpf_int32 w = ((bpf_int32) p[0] << 24) | ((bpf_int32) p[1] << 16) | ((bpf_int32) p[2] << 8) | p[3];
631
632 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
633 if (b != NULL)
634 gen_and(b, tmp);
635 b = tmp;
636 size -= 4;
637 }
638 while (size >= 2)
639 {
640 register const u_char *p = &v[size - 2];
641 bpf_int32 w = ((bpf_int32) p[0] << 8) | p[1];
642
643 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
644 if (b != NULL)
645 gen_and(b, tmp);
646 b = tmp;
647 size -= 2;
648 }
649 if (size > 0)
650 {
651 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32) v[0]);
652 if (b != NULL)
653 gen_and(b, tmp);
654 b = tmp;
655 }
656 return b;
657 }
658
659 /*
660 * AND the field of size "size" at offset "offset" relative to the header
661 * specified by "offrel" with "mask", and compare it with the value "v"
662 * with the test specified by "jtype"; if "reverse" is true, the test
663 * should test the opposite of "jtype".
664 */
gen_ncmp(offrel,offset,size,mask,jtype,reverse,v)665 static struct block *gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
666 enum e_offrel offrel;
667 bpf_int32 v;
668 bpf_u_int32 offset, size, mask, jtype;
669 int reverse;
670 {
671 struct slist *s, *s2;
672 struct block *b;
673
674 s = gen_load_a(offrel, offset, size);
675
676 if (mask != 0xffffffff)
677 {
678 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K);
679 s2->s.k = mask;
680 sappend(s, s2);
681 }
682
683 b = new_block(JMP(jtype));
684 b->stmts = s;
685 b->s.k = v;
686 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
687 gen_not(b);
688 return b;
689 }
690
691 /*
692 * Various code constructs need to know the layout of the data link
693 * layer. These variables give the necessary offsets from the beginning
694 * of the packet data.
695 */
696
697 /*
698 * This is the offset of the beginning of the link-layer header from
699 * the beginning of the raw packet data.
700 *
701 * It's usually 0, except for 802.11 with a fixed-length radio header.
702 * (For 802.11 with a variable-length radio header, we have to generate
703 * code to compute that offset; off_ll is 0 in that case.)
704 */
705 static __thread u_int off_ll;
706
707 /*
708 * If there's a variable-length header preceding the link-layer header,
709 * "reg_off_ll" is the register number for a register containing the
710 * length of that header, and therefore the offset of the link-layer
711 * header from the beginning of the raw packet data. Otherwise,
712 * "reg_off_ll" is -1.
713 */
714 static __thread int reg_off_ll;
715
716 /*
717 * This is the offset of the beginning of the MAC-layer header from
718 * the beginning of the link-layer header.
719 * It's usually 0, except for ATM LANE, where it's the offset, relative
720 * to the beginning of the raw packet data, of the Ethernet header.
721 */
722 static __thread u_int off_mac;
723
724 /*
725 * This is the offset of the beginning of the MAC-layer payload,
726 * from the beginning of the raw packet data.
727 *
728 * I.e., it's the sum of the length of the link-layer header (without,
729 * for example, any 802.2 LLC header, so it's the MAC-layer
730 * portion of that header), plus any prefix preceding the
731 * link-layer header.
732 */
733 static __thread u_int off_macpl;
734
735 /*
736 * This is 1 if the offset of the beginning of the MAC-layer payload
737 * from the beginning of the link-layer header is variable-length.
738 */
739 static __thread int off_macpl_is_variable;
740
741 /*
742 * If the link layer has variable_length headers, "reg_off_macpl"
743 * is the register number for a register containing the length of the
744 * link-layer header plus the length of any variable-length header
745 * preceding the link-layer header. Otherwise, "reg_off_macpl"
746 * is -1.
747 */
748 static __thread int reg_off_macpl;
749
750 /*
751 * "off_linktype" is the offset to information in the link-layer header
752 * giving the packet type. This offset is relative to the beginning
753 * of the link-layer header (i.e., it doesn't include off_ll).
754 *
755 * For Ethernet, it's the offset of the Ethernet type field.
756 *
757 * For link-layer types that always use 802.2 headers, it's the
758 * offset of the LLC header.
759 *
760 * For PPP, it's the offset of the PPP type field.
761 *
762 * For Cisco HDLC, it's the offset of the CHDLC type field.
763 *
764 * For BSD loopback, it's the offset of the AF_ value.
765 *
766 * For Linux cooked sockets, it's the offset of the type field.
767 *
768 * It's set to -1 for no encapsulation, in which case, IP is assumed.
769 */
770 static __thread u_int off_linktype;
771
772 /*
773 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
774 * checks to check the PPP header, assumed to follow a LAN-style link-
775 * layer header and a PPPoE session header.
776 */
777 static __thread int is_pppoes = 0;
778
779 /*
780 * TRUE if the link layer includes an ATM pseudo-header.
781 */
782 static __thread int is_atm = 0;
783
784 /*
785 * TRUE if "lane" appeared in the filter; it causes us to generate
786 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
787 */
788 static __thread int is_lane = 0;
789
790 /*
791 * These are offsets for the ATM pseudo-header.
792 */
793 static __thread u_int off_vpi;
794 static __thread u_int off_vci;
795 static __thread u_int off_proto;
796
797 /*
798 * These are offsets for the MTP2 fields.
799 */
800 static __thread u_int off_li;
801
802 /*
803 * These are offsets for the MTP3 fields.
804 */
805 static __thread u_int off_sio;
806 static __thread u_int off_opc;
807 static __thread u_int off_dpc;
808 static __thread u_int off_sls;
809
810 /*
811 * This is the offset of the first byte after the ATM pseudo_header,
812 * or -1 if there is no ATM pseudo-header.
813 */
814 static __thread u_int off_payload;
815
816 /*
817 * These are offsets to the beginning of the network-layer header.
818 * They are relative to the beginning of the MAC-layer payload (i.e.,
819 * they don't include off_ll or off_macpl).
820 *
821 * If the link layer never uses 802.2 LLC:
822 *
823 * "off_nl" and "off_nl_nosnap" are the same.
824 *
825 * If the link layer always uses 802.2 LLC:
826 *
827 * "off_nl" is the offset if there's a SNAP header following
828 * the 802.2 header;
829 *
830 * "off_nl_nosnap" is the offset if there's no SNAP header.
831 *
832 * If the link layer is Ethernet:
833 *
834 * "off_nl" is the offset if the packet is an Ethernet II packet
835 * (we assume no 802.3+802.2+SNAP);
836 *
837 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
838 * with an 802.2 header following it.
839 */
840 static __thread u_int off_nl;
841 static __thread u_int off_nl_nosnap;
842
843 static __thread int linktype;
844
init_linktype(type)845 static void init_linktype(type)
846 int type;
847 {
848 linktype = type;
849 #ifdef PCAP_FDDIPAD
850 pcap_fddipad = p->fddipad;
851 #endif
852
853 /*
854 * Assume it's not raw ATM with a pseudo-header, for now.
855 */
856 off_mac = 0;
857 is_atm = 0;
858 is_lane = 0;
859 off_vpi = -1;
860 off_vci = -1;
861 off_proto = -1;
862 off_payload = -1;
863
864 /*
865 * And that we're not doing PPPoE.
866 */
867 is_pppoes = 0;
868
869 /*
870 * And assume we're not doing SS7.
871 */
872 off_li = -1;
873 off_sio = -1;
874 off_opc = -1;
875 off_dpc = -1;
876 off_sls = -1;
877
878 /*
879 * Also assume it's not 802.11.
880 */
881 off_ll = 0;
882 off_macpl = 0;
883 off_macpl_is_variable = 0;
884
885 orig_linktype = -1;
886 orig_nl = -1;
887 label_stack_depth = 0;
888
889 reg_off_ll = -1;
890 reg_off_macpl = -1;
891
892 switch (linktype)
893 {
894
895 case DLT_ARCNET:
896 off_linktype = 2;
897 off_macpl = 6;
898 off_nl = 0; /* XXX in reality, variable! */
899 off_nl_nosnap = 0; /* no 802.2 LLC */
900 return;
901
902 case DLT_ARCNET_LINUX:
903 off_linktype = 4;
904 off_macpl = 8;
905 off_nl = 0; /* XXX in reality, variable! */
906 off_nl_nosnap = 0; /* no 802.2 LLC */
907 return;
908
909 case DLT_EN10MB:
910 off_linktype = 12;
911 off_macpl = 14; /* Ethernet header length */
912 off_nl = 0; /* Ethernet II */
913 off_nl_nosnap = 3; /* 802.3+802.2 */
914 return;
915
916 case DLT_SLIP:
917 /*
918 * SLIP doesn't have a link level type. The 16 byte
919 * header is hacked into our SLIP driver.
920 */
921 off_linktype = -1;
922 off_macpl = 16;
923 off_nl = 0;
924 off_nl_nosnap = 0; /* no 802.2 LLC */
925 return;
926
927 case DLT_SLIP_BSDOS:
928 /* XXX this may be the same as the DLT_PPP_BSDOS case */
929 off_linktype = -1;
930 /* XXX end */
931 off_macpl = 24;
932 off_nl = 0;
933 off_nl_nosnap = 0; /* no 802.2 LLC */
934 return;
935
936 case DLT_NULL:
937 case DLT_LOOP:
938 off_linktype = 0;
939 off_macpl = 4;
940 off_nl = 0;
941 off_nl_nosnap = 0; /* no 802.2 LLC */
942 return;
943
944 case DLT_ENC:
945 off_linktype = 0;
946 off_macpl = 12;
947 off_nl = 0;
948 off_nl_nosnap = 0; /* no 802.2 LLC */
949 return;
950
951 case DLT_PPP:
952 case DLT_PPP_PPPD:
953 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
954 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
955 off_linktype = 2;
956 off_macpl = 4;
957 off_nl = 0;
958 off_nl_nosnap = 0; /* no 802.2 LLC */
959 return;
960
961 case DLT_PPP_ETHER:
962 /*
963 * This does no include the Ethernet header, and
964 * only covers session state.
965 */
966 off_linktype = 6;
967 off_macpl = 8;
968 off_nl = 0;
969 off_nl_nosnap = 0; /* no 802.2 LLC */
970 return;
971
972 case DLT_PPP_BSDOS:
973 off_linktype = 5;
974 off_macpl = 24;
975 off_nl = 0;
976 off_nl_nosnap = 0; /* no 802.2 LLC */
977 return;
978
979 case DLT_FDDI:
980 /*
981 * FDDI doesn't really have a link-level type field.
982 * We set "off_linktype" to the offset of the LLC header.
983 *
984 * To check for Ethernet types, we assume that SSAP = SNAP
985 * is being used and pick out the encapsulated Ethernet type.
986 * XXX - should we generate code to check for SNAP?
987 */
988 off_linktype = 13;
989 #ifdef PCAP_FDDIPAD
990 off_linktype += pcap_fddipad;
991 #endif
992 off_macpl = 13; /* FDDI MAC header length */
993 #ifdef PCAP_FDDIPAD
994 off_macpl += pcap_fddipad;
995 #endif
996 off_nl = 8; /* 802.2+SNAP */
997 off_nl_nosnap = 3; /* 802.2 */
998 return;
999
1000 case DLT_IEEE802:
1001 /*
1002 * Token Ring doesn't really have a link-level type field.
1003 * We set "off_linktype" to the offset of the LLC header.
1004 *
1005 * To check for Ethernet types, we assume that SSAP = SNAP
1006 * is being used and pick out the encapsulated Ethernet type.
1007 * XXX - should we generate code to check for SNAP?
1008 *
1009 * XXX - the header is actually variable-length.
1010 * Some various Linux patched versions gave 38
1011 * as "off_linktype" and 40 as "off_nl"; however,
1012 * if a token ring packet has *no* routing
1013 * information, i.e. is not source-routed, the correct
1014 * values are 20 and 22, as they are in the vanilla code.
1015 *
1016 * A packet is source-routed iff the uppermost bit
1017 * of the first byte of the source address, at an
1018 * offset of 8, has the uppermost bit set. If the
1019 * packet is source-routed, the total number of bytes
1020 * of routing information is 2 plus bits 0x1F00 of
1021 * the 16-bit value at an offset of 14 (shifted right
1022 * 8 - figure out which byte that is).
1023 */
1024 off_linktype = 14;
1025 off_macpl = 14; /* Token Ring MAC header length */
1026 off_nl = 8; /* 802.2+SNAP */
1027 off_nl_nosnap = 3; /* 802.2 */
1028 return;
1029
1030 case DLT_IEEE802_11:
1031 case DLT_PRISM_HEADER:
1032 case DLT_IEEE802_11_RADIO_AVS:
1033 case DLT_IEEE802_11_RADIO:
1034 /*
1035 * 802.11 doesn't really have a link-level type field.
1036 * We set "off_linktype" to the offset of the LLC header.
1037 *
1038 * To check for Ethernet types, we assume that SSAP = SNAP
1039 * is being used and pick out the encapsulated Ethernet type.
1040 * XXX - should we generate code to check for SNAP?
1041 *
1042 * We also handle variable-length radio headers here.
1043 * The Prism header is in theory variable-length, but in
1044 * practice it's always 144 bytes long. However, some
1045 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1046 * sometimes or always supply an AVS header, so we
1047 * have to check whether the radio header is a Prism
1048 * header or an AVS header, so, in practice, it's
1049 * variable-length.
1050 */
1051 off_linktype = 24;
1052 off_macpl = 0; /* link-layer header is variable-length */
1053 off_macpl_is_variable = 1;
1054 off_nl = 8; /* 802.2+SNAP */
1055 off_nl_nosnap = 3; /* 802.2 */
1056 return;
1057
1058 case DLT_PPI:
1059 /*
1060 * At the moment we treat PPI the same way that we treat
1061 * normal Radiotap encoded packets. The difference is in
1062 * the function that generates the code at the beginning
1063 * to compute the header length. Since this code generator
1064 * of PPI supports bare 802.11 encapsulation only (i.e.
1065 * the encapsulated DLT should be DLT_IEEE802_11) we
1066 * generate code to check for this too.
1067 */
1068 off_linktype = 24;
1069 off_macpl = 0; /* link-layer header is variable-length */
1070 off_macpl_is_variable = 1;
1071 off_nl = 8; /* 802.2+SNAP */
1072 off_nl_nosnap = 3; /* 802.2 */
1073 return;
1074
1075 case DLT_ATM_RFC1483:
1076 case DLT_ATM_CLIP: /* Linux ATM defines this */
1077 /*
1078 * assume routed, non-ISO PDUs
1079 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1080 *
1081 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1082 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1083 * latter would presumably be treated the way PPPoE
1084 * should be, so you can do "pppoe and udp port 2049"
1085 * or "pppoa and tcp port 80" and have it check for
1086 * PPPo{A,E} and a PPP protocol of IP and....
1087 */
1088 off_linktype = 0;
1089 off_macpl = 0; /* packet begins with LLC header */
1090 off_nl = 8; /* 802.2+SNAP */
1091 off_nl_nosnap = 3; /* 802.2 */
1092 return;
1093
1094 case DLT_SUNATM:
1095 /*
1096 * Full Frontal ATM; you get AALn PDUs with an ATM
1097 * pseudo-header.
1098 */
1099 is_atm = 1;
1100 off_vpi = SUNATM_VPI_POS;
1101 off_vci = SUNATM_VCI_POS;
1102 off_proto = PROTO_POS;
1103 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1104 off_payload = SUNATM_PKT_BEGIN_POS;
1105 off_linktype = off_payload;
1106 off_macpl = off_payload; /* if LLC-encapsulated */
1107 off_nl = 8; /* 802.2+SNAP */
1108 off_nl_nosnap = 3; /* 802.2 */
1109 return;
1110
1111 case DLT_RAW:
1112 case DLT_IPV4:
1113 case DLT_IPV6:
1114 off_linktype = -1;
1115 off_macpl = 0;
1116 off_nl = 0;
1117 off_nl_nosnap = 0; /* no 802.2 LLC */
1118 return;
1119
1120 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1121 off_linktype = 14;
1122 off_macpl = 16;
1123 off_nl = 0;
1124 off_nl_nosnap = 0; /* no 802.2 LLC */
1125 return;
1126
1127 case DLT_LTALK:
1128 /*
1129 * LocalTalk does have a 1-byte type field in the LLAP header,
1130 * but really it just indicates whether there is a "short" or
1131 * "long" DDP packet following.
1132 */
1133 off_linktype = -1;
1134 off_macpl = 0;
1135 off_nl = 0;
1136 off_nl_nosnap = 0; /* no 802.2 LLC */
1137 return;
1138
1139 case DLT_IP_OVER_FC:
1140 /*
1141 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1142 * link-level type field. We set "off_linktype" to the
1143 * offset of the LLC header.
1144 *
1145 * To check for Ethernet types, we assume that SSAP = SNAP
1146 * is being used and pick out the encapsulated Ethernet type.
1147 * XXX - should we generate code to check for SNAP? RFC
1148 * 2625 says SNAP should be used.
1149 */
1150 off_linktype = 16;
1151 off_macpl = 16;
1152 off_nl = 8; /* 802.2+SNAP */
1153 off_nl_nosnap = 3; /* 802.2 */
1154 return;
1155
1156 case DLT_FRELAY:
1157 /*
1158 * XXX - we should set this to handle SNAP-encapsulated
1159 * frames (NLPID of 0x80).
1160 */
1161 off_linktype = -1;
1162 off_macpl = 0;
1163 off_nl = 0;
1164 off_nl_nosnap = 0; /* no 802.2 LLC */
1165 return;
1166
1167 /*
1168 * the only BPF-interesting FRF.16 frames are non-control frames;
1169 * Frame Relay has a variable length link-layer
1170 * so lets start with offset 4 for now and increments later on (FIXME);
1171 */
1172 case DLT_MFR:
1173 off_linktype = -1;
1174 off_macpl = 0;
1175 off_nl = 4;
1176 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1177 return;
1178
1179 case DLT_APPLE_IP_OVER_IEEE1394:
1180 off_linktype = 16;
1181 off_macpl = 18;
1182 off_nl = 0;
1183 off_nl_nosnap = 0; /* no 802.2 LLC */
1184 return;
1185
1186 case DLT_LINUX_IRDA:
1187 /*
1188 * Currently, only raw "link[N:M]" filtering is supported.
1189 */
1190 off_linktype = -1;
1191 off_macpl = -1;
1192 off_nl = -1;
1193 off_nl_nosnap = -1;
1194 return;
1195
1196 case DLT_DOCSIS:
1197 /*
1198 * Currently, only raw "link[N:M]" filtering is supported.
1199 */
1200 off_linktype = -1;
1201 off_macpl = -1;
1202 off_nl = -1;
1203 off_nl_nosnap = -1;
1204 return;
1205
1206 case DLT_SYMANTEC_FIREWALL:
1207 off_linktype = 6;
1208 off_macpl = 44;
1209 off_nl = 0; /* Ethernet II */
1210 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1211 return;
1212
1213 #ifdef HAVE_NET_PFVAR_H
1214 case DLT_PFLOG:
1215 off_linktype = 0;
1216 off_macpl = PFLOG_HDRLEN;
1217 off_nl = 0;
1218 off_nl_nosnap = 0; /* no 802.2 LLC */
1219 return;
1220 #endif
1221
1222 case DLT_JUNIPER_MFR:
1223 case DLT_JUNIPER_MLFR:
1224 case DLT_JUNIPER_MLPPP:
1225 case DLT_JUNIPER_PPP:
1226 case DLT_JUNIPER_CHDLC:
1227 case DLT_JUNIPER_FRELAY:
1228 off_linktype = 4;
1229 off_macpl = 4;
1230 off_nl = 0;
1231 off_nl_nosnap = -1; /* no 802.2 LLC */
1232 return;
1233
1234 case DLT_JUNIPER_ATM1:
1235 off_linktype = 4; /* in reality variable between 4-8 */
1236 off_macpl = 4; /* in reality variable between 4-8 */
1237 off_nl = 0;
1238 off_nl_nosnap = 10;
1239 return;
1240
1241 case DLT_JUNIPER_ATM2:
1242 off_linktype = 8; /* in reality variable between 8-12 */
1243 off_macpl = 8; /* in reality variable between 8-12 */
1244 off_nl = 0;
1245 off_nl_nosnap = 10;
1246 return;
1247
1248 /* frames captured on a Juniper PPPoE service PIC
1249 * contain raw ethernet frames */
1250 case DLT_JUNIPER_PPPOE:
1251 case DLT_JUNIPER_ETHER:
1252 off_macpl = 14;
1253 off_linktype = 16;
1254 off_nl = 18; /* Ethernet II */
1255 off_nl_nosnap = 21; /* 802.3+802.2 */
1256 return;
1257
1258 case DLT_JUNIPER_PPPOE_ATM:
1259 off_linktype = 4;
1260 off_macpl = 6;
1261 off_nl = 0;
1262 off_nl_nosnap = -1; /* no 802.2 LLC */
1263 return;
1264
1265 case DLT_JUNIPER_GGSN:
1266 off_linktype = 6;
1267 off_macpl = 12;
1268 off_nl = 0;
1269 off_nl_nosnap = -1; /* no 802.2 LLC */
1270 return;
1271
1272 case DLT_JUNIPER_ES:
1273 off_linktype = 6;
1274 off_macpl = -1; /* not really a network layer but raw IP addresses */
1275 off_nl = -1; /* not really a network layer but raw IP addresses */
1276 off_nl_nosnap = -1; /* no 802.2 LLC */
1277 return;
1278
1279 case DLT_JUNIPER_MONITOR:
1280 off_linktype = 12;
1281 off_macpl = 12;
1282 off_nl = 0; /* raw IP/IP6 header */
1283 off_nl_nosnap = -1; /* no 802.2 LLC */
1284 return;
1285
1286 case DLT_JUNIPER_SERVICES:
1287 off_linktype = 12;
1288 off_macpl = -1; /* L3 proto location dep. on cookie type */
1289 off_nl = -1; /* L3 proto location dep. on cookie type */
1290 off_nl_nosnap = -1; /* no 802.2 LLC */
1291 return;
1292
1293 case DLT_JUNIPER_VP:
1294 off_linktype = 18;
1295 off_macpl = -1;
1296 off_nl = -1;
1297 off_nl_nosnap = -1;
1298 return;
1299
1300 case DLT_JUNIPER_ST:
1301 off_linktype = 18;
1302 off_macpl = -1;
1303 off_nl = -1;
1304 off_nl_nosnap = -1;
1305 return;
1306
1307 case DLT_JUNIPER_ISM:
1308 off_linktype = 8;
1309 off_macpl = -1;
1310 off_nl = -1;
1311 off_nl_nosnap = -1;
1312 return;
1313
1314 case DLT_MTP2:
1315 off_li = 2;
1316 off_sio = 3;
1317 off_opc = 4;
1318 off_dpc = 4;
1319 off_sls = 7;
1320 off_linktype = -1;
1321 off_macpl = -1;
1322 off_nl = -1;
1323 off_nl_nosnap = -1;
1324 return;
1325
1326 case DLT_MTP2_WITH_PHDR:
1327 off_li = 6;
1328 off_sio = 7;
1329 off_opc = 8;
1330 off_dpc = 8;
1331 off_sls = 11;
1332 off_linktype = -1;
1333 off_macpl = -1;
1334 off_nl = -1;
1335 off_nl_nosnap = -1;
1336 return;
1337
1338 case DLT_ERF:
1339 off_li = 22;
1340 off_sio = 23;
1341 off_opc = 24;
1342 off_dpc = 24;
1343 off_sls = 27;
1344 off_linktype = -1;
1345 off_macpl = -1;
1346 off_nl = -1;
1347 off_nl_nosnap = -1;
1348 return;
1349
1350 #ifdef DLT_PFSYNC
1351 case DLT_PFSYNC:
1352 off_linktype = -1;
1353 off_macpl = 4;
1354 off_nl = 0;
1355 off_nl_nosnap = 0;
1356 return;
1357 #endif
1358
1359 case DLT_LINUX_LAPD:
1360 /*
1361 * Currently, only raw "link[N:M]" filtering is supported.
1362 */
1363 off_linktype = -1;
1364 off_macpl = -1;
1365 off_nl = -1;
1366 off_nl_nosnap = -1;
1367 return;
1368
1369 case DLT_USB:
1370 /*
1371 * Currently, only raw "link[N:M]" filtering is supported.
1372 */
1373 off_linktype = -1;
1374 off_macpl = -1;
1375 off_nl = -1;
1376 off_nl_nosnap = -1;
1377 return;
1378
1379 case DLT_BLUETOOTH_HCI_H4:
1380 /*
1381 * Currently, only raw "link[N:M]" filtering is supported.
1382 */
1383 off_linktype = -1;
1384 off_macpl = -1;
1385 off_nl = -1;
1386 off_nl_nosnap = -1;
1387 return;
1388
1389 case DLT_USB_LINUX:
1390 /*
1391 * Currently, only raw "link[N:M]" filtering is supported.
1392 */
1393 off_linktype = -1;
1394 off_macpl = -1;
1395 off_nl = -1;
1396 off_nl_nosnap = -1;
1397 return;
1398
1399 case DLT_CAN20B:
1400 /*
1401 * Currently, only raw "link[N:M]" filtering is supported.
1402 */
1403 off_linktype = -1;
1404 off_macpl = -1;
1405 off_nl = -1;
1406 off_nl_nosnap = -1;
1407 return;
1408
1409 case DLT_IEEE802_15_4_LINUX:
1410 /*
1411 * Currently, only raw "link[N:M]" filtering is supported.
1412 */
1413 off_linktype = -1;
1414 off_macpl = -1;
1415 off_nl = -1;
1416 off_nl_nosnap = -1;
1417 return;
1418
1419 case DLT_IEEE802_16_MAC_CPS_RADIO:
1420 /*
1421 * Currently, only raw "link[N:M]" filtering is supported.
1422 */
1423 off_linktype = -1;
1424 off_macpl = -1;
1425 off_nl = -1;
1426 off_nl_nosnap = -1;
1427 return;
1428
1429 case DLT_IEEE802_15_4:
1430 /*
1431 * Currently, only raw "link[N:M]" filtering is supported.
1432 */
1433 off_linktype = -1;
1434 off_macpl = -1;
1435 off_nl = -1;
1436 off_nl_nosnap = -1;
1437 return;
1438
1439 case DLT_SITA:
1440 /*
1441 * Currently, only raw "link[N:M]" filtering is supported.
1442 */
1443 off_linktype = -1;
1444 off_macpl = -1;
1445 off_nl = -1;
1446 off_nl_nosnap = -1;
1447 return;
1448
1449 case DLT_RAIF1:
1450 /*
1451 * Currently, only raw "link[N:M]" filtering is supported.
1452 */
1453 off_linktype = -1;
1454 off_macpl = -1;
1455 off_nl = -1;
1456 off_nl_nosnap = -1;
1457 return;
1458
1459 case DLT_IPMB:
1460 /*
1461 * Currently, only raw "link[N:M]" filtering is supported.
1462 */
1463 off_linktype = -1;
1464 off_macpl = -1;
1465 off_nl = -1;
1466 off_nl_nosnap = -1;
1467 return;
1468
1469 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1470 /*
1471 * Currently, only raw "link[N:M]" filtering is supported.
1472 */
1473 off_linktype = -1;
1474 off_macpl = -1;
1475 off_nl = -1;
1476 off_nl_nosnap = -1;
1477 return;
1478
1479 case DLT_AX25_KISS:
1480 /*
1481 * Currently, only raw "link[N:M]" filtering is supported.
1482 */
1483 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1484 off_macpl = -1;
1485 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1486 off_nl_nosnap = -1; /* no 802.2 LLC */
1487 off_mac = 1; /* step over the kiss length byte */
1488 return;
1489
1490 case DLT_IEEE802_15_4_NONASK_PHY:
1491 /*
1492 * Currently, only raw "link[N:M]" filtering is supported.
1493 */
1494 off_linktype = -1;
1495 off_macpl = -1;
1496 off_nl = -1;
1497 off_nl_nosnap = -1;
1498 return;
1499
1500 case DLT_MPLS:
1501 /*
1502 * Currently, only raw "link[N:M]" filtering is supported.
1503 */
1504 off_linktype = -1;
1505 off_macpl = -1;
1506 off_nl = -1;
1507 off_nl_nosnap = -1;
1508 return;
1509
1510 case DLT_USB_LINUX_MMAPPED:
1511 /*
1512 * Currently, only raw "link[N:M]" filtering is supported.
1513 */
1514 off_linktype = -1;
1515 off_macpl = -1;
1516 off_nl = -1;
1517 off_nl_nosnap = -1;
1518 return;
1519
1520 case DLT_CAN_SOCKETCAN:
1521 /*
1522 * Currently, only raw "link[N:M]" filtering is supported.
1523 */
1524 off_linktype = -1;
1525 off_macpl = -1;
1526 off_nl = -1;
1527 off_nl_nosnap = -1;
1528 return;
1529
1530 case DLT_IPNET:
1531 off_linktype = 1;
1532 off_macpl = 24; /* ipnet header length */
1533 off_nl = 0;
1534 off_nl_nosnap = -1;
1535 return;
1536 }
1537 bpf_error("unknown data link type %d", linktype);
1538 /* NOTREACHED */
1539 }
1540
1541 /*
1542 * Load a value relative to the beginning of the link-layer header.
1543 * The link-layer header doesn't necessarily begin at the beginning
1544 * of the packet data; there might be a variable-length prefix containing
1545 * radio information.
1546 */
gen_load_llrel(offset,size)1547 static struct slist *gen_load_llrel(offset, size)
1548 u_int offset, size;
1549 {
1550 struct slist *s, *s2;
1551
1552 s = gen_llprefixlen();
1553
1554 /*
1555 * If "s" is non-null, it has code to arrange that the X register
1556 * contains the length of the prefix preceding the link-layer
1557 * header.
1558 *
1559 * Otherwise, the length of the prefix preceding the link-layer
1560 * header is "off_ll".
1561 */
1562 if (s != NULL)
1563 {
1564 /*
1565 * There's a variable-length prefix preceding the
1566 * link-layer header. "s" points to a list of statements
1567 * that put the length of that prefix into the X register.
1568 * do an indirect load, to use the X register as an offset.
1569 */
1570 s2 = new_stmt(BPF_LD | BPF_IND | size);
1571 s2->s.k = offset;
1572 sappend(s, s2);
1573 }
1574 else
1575 {
1576 /*
1577 * There is no variable-length header preceding the
1578 * link-layer header; add in off_ll, which, if there's
1579 * a fixed-length header preceding the link-layer header,
1580 * is the length of that header.
1581 */
1582 s = new_stmt(BPF_LD | BPF_ABS | size);
1583 s->s.k = offset + off_ll;
1584 }
1585 return s;
1586 }
1587
1588 /*
1589 * Load a value relative to the beginning of the MAC-layer payload.
1590 */
gen_load_macplrel(offset,size)1591 static struct slist *gen_load_macplrel(offset, size)
1592 u_int offset, size;
1593 {
1594 struct slist *s, *s2;
1595
1596 s = gen_off_macpl();
1597
1598 /*
1599 * If s is non-null, the offset of the MAC-layer payload is
1600 * variable, and s points to a list of instructions that
1601 * arrange that the X register contains that offset.
1602 *
1603 * Otherwise, the offset of the MAC-layer payload is constant,
1604 * and is in off_macpl.
1605 */
1606 if (s != NULL)
1607 {
1608 /*
1609 * The offset of the MAC-layer payload is in the X
1610 * register. Do an indirect load, to use the X register
1611 * as an offset.
1612 */
1613 s2 = new_stmt(BPF_LD | BPF_IND | size);
1614 s2->s.k = offset;
1615 sappend(s, s2);
1616 }
1617 else
1618 {
1619 /*
1620 * The offset of the MAC-layer payload is constant,
1621 * and is in off_macpl; load the value at that offset
1622 * plus the specified offset.
1623 */
1624 s = new_stmt(BPF_LD | BPF_ABS | size);
1625 s->s.k = off_macpl + offset;
1626 }
1627 return s;
1628 }
1629
1630 /*
1631 * Load a value relative to the beginning of the specified header.
1632 */
gen_load_a(offrel,offset,size)1633 static struct slist *gen_load_a(offrel, offset, size)
1634 enum e_offrel offrel;
1635 u_int offset, size;
1636 {
1637 struct slist *s, *s2;
1638
1639 switch (offrel)
1640 {
1641
1642 case OR_PACKET:
1643 s = new_stmt(BPF_LD | BPF_ABS | size);
1644 s->s.k = offset;
1645 break;
1646
1647 case OR_LINK:
1648 s = gen_load_llrel(offset, size);
1649 break;
1650
1651 case OR_MACPL:
1652 s = gen_load_macplrel(offset, size);
1653 break;
1654
1655 case OR_NET:
1656 s = gen_load_macplrel(off_nl + offset, size);
1657 break;
1658
1659 case OR_NET_NOSNAP:
1660 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1661 break;
1662
1663 case OR_TRAN_IPV4:
1664 /*
1665 * Load the X register with the length of the IPv4 header
1666 * (plus the offset of the link-layer header, if it's
1667 * preceded by a variable-length header such as a radio
1668 * header), in bytes.
1669 */
1670 s = gen_loadx_iphdrlen();
1671
1672 /*
1673 * Load the item at {offset of the MAC-layer payload} +
1674 * {offset, relative to the start of the MAC-layer
1675 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1676 * {specified offset}.
1677 *
1678 * (If the offset of the MAC-layer payload is variable,
1679 * it's included in the value in the X register, and
1680 * off_macpl is 0.)
1681 */
1682 s2 = new_stmt(BPF_LD | BPF_IND | size);
1683 s2->s.k = off_macpl + off_nl + offset;
1684 sappend(s, s2);
1685 break;
1686
1687 case OR_TRAN_IPV6:
1688 s = gen_load_macplrel(off_nl + 40 + offset, size);
1689 break;
1690
1691 default:
1692 abort();
1693 return NULL;
1694 }
1695 return s;
1696 }
1697
1698 /*
1699 * Generate code to load into the X register the sum of the length of
1700 * the IPv4 header and any variable-length header preceding the link-layer
1701 * header.
1702 */
gen_loadx_iphdrlen()1703 static struct slist *gen_loadx_iphdrlen()
1704 {
1705 struct slist *s, *s2;
1706
1707 s = gen_off_macpl();
1708 if (s != NULL)
1709 {
1710 /*
1711 * There's a variable-length prefix preceding the
1712 * link-layer header, or the link-layer header is itself
1713 * variable-length. "s" points to a list of statements
1714 * that put the offset of the MAC-layer payload into
1715 * the X register.
1716 *
1717 * The 4*([k]&0xf) addressing mode can't be used, as we
1718 * don't have a constant offset, so we have to load the
1719 * value in question into the A register and add to it
1720 * the value from the X register.
1721 */
1722 s2 = new_stmt(BPF_LD | BPF_IND | BPF_B);
1723 s2->s.k = off_nl;
1724 sappend(s, s2);
1725 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K);
1726 s2->s.k = 0xf;
1727 sappend(s, s2);
1728 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K);
1729 s2->s.k = 2;
1730 sappend(s, s2);
1731
1732 /*
1733 * The A register now contains the length of the
1734 * IP header. We need to add to it the offset of
1735 * the MAC-layer payload, which is still in the X
1736 * register, and move the result into the X register.
1737 */
1738 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X));
1739 sappend(s, new_stmt(BPF_MISC | BPF_TAX));
1740 }
1741 else
1742 {
1743 /*
1744 * There is no variable-length header preceding the
1745 * link-layer header, and the link-layer header is
1746 * fixed-length; load the length of the IPv4 header,
1747 * which is at an offset of off_nl from the beginning
1748 * of the MAC-layer payload, and thus at an offset
1749 * of off_mac_pl + off_nl from the beginning of the
1750 * raw packet data.
1751 */
1752 s = new_stmt(BPF_LDX | BPF_MSH | BPF_B);
1753 s->s.k = off_macpl + off_nl;
1754 }
1755 return s;
1756 }
1757
gen_uncond(rsense)1758 static struct block *gen_uncond(rsense)
1759 int rsense;
1760 {
1761 struct block *b;
1762 struct slist *s;
1763
1764 s = new_stmt(BPF_LD | BPF_IMM);
1765 s->s.k = !rsense;
1766 b = new_block(JMP(BPF_JEQ));
1767 b->stmts = s;
1768
1769 return b;
1770 }
1771
gen_true()1772 static inline struct block *gen_true()
1773 {
1774 return gen_uncond(1);
1775 }
1776
gen_false()1777 static inline struct block *gen_false()
1778 {
1779 return gen_uncond(0);
1780 }
1781
1782 /*
1783 * Byte-swap a 32-bit number.
1784 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1785 * big-endian platforms.)
1786 */
1787 #define SWAPLONG(y) \
1788 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1789
1790 /*
1791 * Generate code to match a particular packet type.
1792 *
1793 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1794 * value, if <= ETHERMTU. We use that to determine whether to
1795 * match the type/length field or to check the type/length field for
1796 * a value <= ETHERMTU to see whether it's a type field and then do
1797 * the appropriate test.
1798 */
gen_ether_linktype(proto)1799 static struct block *gen_ether_linktype(proto)
1800 register int proto;
1801 {
1802 struct block *b0, *b1;
1803
1804 switch (proto)
1805 {
1806
1807 case LLCSAP_ISONS:
1808 case LLCSAP_IP:
1809 case LLCSAP_NETBEUI:
1810 /*
1811 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1812 * so we check the DSAP and SSAP.
1813 *
1814 * LLCSAP_IP checks for IP-over-802.2, rather
1815 * than IP-over-Ethernet or IP-over-SNAP.
1816 *
1817 * XXX - should we check both the DSAP and the
1818 * SSAP, like this, or should we check just the
1819 * DSAP, as we do for other types <= ETHERMTU
1820 * (i.e., other SAP values)?
1821 */
1822 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1823 gen_not(b0);
1824 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) ((proto << 8) | proto));
1825 gen_and(b0, b1);
1826 return b1;
1827
1828 case LLCSAP_IPX:
1829 /*
1830 * Check for;
1831 *
1832 * Ethernet_II frames, which are Ethernet
1833 * frames with a frame type of ETHERTYPE_IPX;
1834 *
1835 * Ethernet_802.3 frames, which are 802.3
1836 * frames (i.e., the type/length field is
1837 * a length field, <= ETHERMTU, rather than
1838 * a type field) with the first two bytes
1839 * after the Ethernet/802.3 header being
1840 * 0xFFFF;
1841 *
1842 * Ethernet_802.2 frames, which are 802.3
1843 * frames with an 802.2 LLC header and
1844 * with the IPX LSAP as the DSAP in the LLC
1845 * header;
1846 *
1847 * Ethernet_SNAP frames, which are 802.3
1848 * frames with an LLC header and a SNAP
1849 * header and with an OUI of 0x000000
1850 * (encapsulated Ethernet) and a protocol
1851 * ID of ETHERTYPE_IPX in the SNAP header.
1852 *
1853 * XXX - should we generate the same code both
1854 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1855 */
1856
1857 /*
1858 * This generates code to check both for the
1859 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1860 */
1861 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX);
1862 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 0xFFFF);
1863 gen_or(b0, b1);
1864
1865 /*
1866 * Now we add code to check for SNAP frames with
1867 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1868 */
1869 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1870 gen_or(b0, b1);
1871
1872 /*
1873 * Now we generate code to check for 802.3
1874 * frames in general.
1875 */
1876 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1877 gen_not(b0);
1878
1879 /*
1880 * Now add the check for 802.3 frames before the
1881 * check for Ethernet_802.2 and Ethernet_802.3,
1882 * as those checks should only be done on 802.3
1883 * frames, not on Ethernet frames.
1884 */
1885 gen_and(b0, b1);
1886
1887 /*
1888 * Now add the check for Ethernet_II frames, and
1889 * do that before checking for the other frame
1890 * types.
1891 */
1892 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_IPX);
1893 gen_or(b0, b1);
1894 return b1;
1895
1896 case ETHERTYPE_ATALK:
1897 case ETHERTYPE_AARP:
1898 /*
1899 * EtherTalk (AppleTalk protocols on Ethernet link
1900 * layer) may use 802.2 encapsulation.
1901 */
1902
1903 /*
1904 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1905 * we check for an Ethernet type field less than
1906 * 1500, which means it's an 802.3 length field.
1907 */
1908 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1909 gen_not(b0);
1910
1911 /*
1912 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1913 * SNAP packets with an organization code of
1914 * 0x080007 (Apple, for Appletalk) and a protocol
1915 * type of ETHERTYPE_ATALK (Appletalk).
1916 *
1917 * 802.2-encapsulated ETHERTYPE_AARP packets are
1918 * SNAP packets with an organization code of
1919 * 0x000000 (encapsulated Ethernet) and a protocol
1920 * type of ETHERTYPE_AARP (Appletalk ARP).
1921 */
1922 if (proto == ETHERTYPE_ATALK)
1923 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1924 else /* proto == ETHERTYPE_AARP */
1925 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1926 gen_and(b0, b1);
1927
1928 /*
1929 * Check for Ethernet encapsulation (Ethertalk
1930 * phase 1?); we just check for the Ethernet
1931 * protocol type.
1932 */
1933 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
1934
1935 gen_or(b0, b1);
1936 return b1;
1937
1938 default:
1939 if (proto <= ETHERMTU)
1940 {
1941 /*
1942 * This is an LLC SAP value, so the frames
1943 * that match would be 802.2 frames.
1944 * Check that the frame is an 802.2 frame
1945 * (i.e., that the length/type field is
1946 * a length field, <= ETHERMTU) and
1947 * then check the DSAP.
1948 */
1949 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1950 gen_not(b0);
1951 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, (bpf_int32) proto);
1952 gen_and(b0, b1);
1953 return b1;
1954 }
1955 else
1956 {
1957 /*
1958 * This is an Ethernet type, so compare
1959 * the length/type field with it (if
1960 * the frame is an 802.2 frame, the length
1961 * field will be <= ETHERMTU, and, as
1962 * "proto" is > ETHERMTU, this test
1963 * will fail and the frame won't match,
1964 * which is what we want).
1965 */
1966 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
1967 }
1968 }
1969 }
1970
1971 /*
1972 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1973 * or IPv6 then we have an error.
1974 */
gen_ipnet_linktype(proto)1975 static struct block *gen_ipnet_linktype(proto)
1976 register int proto;
1977 {
1978 switch (proto)
1979 {
1980
1981 case ETHERTYPE_IP:
1982 return gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) IPH_AF_INET);
1983 /* NOTREACHED */
1984
1985 case ETHERTYPE_IPV6:
1986 return gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) IPH_AF_INET6);
1987 /* NOTREACHED */
1988
1989 default:
1990 break;
1991 }
1992
1993 return gen_false();
1994 }
1995
1996 /*
1997 * Generate code to match a particular packet type.
1998 *
1999 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2000 * value, if <= ETHERMTU. We use that to determine whether to
2001 * match the type field or to check the type field for the special
2002 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2003 */
gen_linux_sll_linktype(proto)2004 static struct block *gen_linux_sll_linktype(proto)
2005 register int proto;
2006 {
2007 struct block *b0, *b1;
2008
2009 switch (proto)
2010 {
2011
2012 case LLCSAP_ISONS:
2013 case LLCSAP_IP:
2014 case LLCSAP_NETBEUI:
2015 /*
2016 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2017 * so we check the DSAP and SSAP.
2018 *
2019 * LLCSAP_IP checks for IP-over-802.2, rather
2020 * than IP-over-Ethernet or IP-over-SNAP.
2021 *
2022 * XXX - should we check both the DSAP and the
2023 * SSAP, like this, or should we check just the
2024 * DSAP, as we do for other types <= ETHERMTU
2025 * (i.e., other SAP values)?
2026 */
2027 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2028 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) ((proto << 8) | proto));
2029 gen_and(b0, b1);
2030 return b1;
2031
2032 case LLCSAP_IPX:
2033 /*
2034 * Ethernet_II frames, which are Ethernet
2035 * frames with a frame type of ETHERTYPE_IPX;
2036 *
2037 * Ethernet_802.3 frames, which have a frame
2038 * type of LINUX_SLL_P_802_3;
2039 *
2040 * Ethernet_802.2 frames, which are 802.3
2041 * frames with an 802.2 LLC header (i.e, have
2042 * a frame type of LINUX_SLL_P_802_2) and
2043 * with the IPX LSAP as the DSAP in the LLC
2044 * header;
2045 *
2046 * Ethernet_SNAP frames, which are 802.3
2047 * frames with an LLC header and a SNAP
2048 * header and with an OUI of 0x000000
2049 * (encapsulated Ethernet) and a protocol
2050 * ID of ETHERTYPE_IPX in the SNAP header.
2051 *
2052 * First, do the checks on LINUX_SLL_P_802_2
2053 * frames; generate the check for either
2054 * Ethernet_802.2 or Ethernet_SNAP frames, and
2055 * then put a check for LINUX_SLL_P_802_2 frames
2056 * before it.
2057 */
2058 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX);
2059 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2060 gen_or(b0, b1);
2061 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2062 gen_and(b0, b1);
2063
2064 /*
2065 * Now check for 802.3 frames and OR that with
2066 * the previous test.
2067 */
2068 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2069 gen_or(b0, b1);
2070
2071 /*
2072 * Now add the check for Ethernet_II frames, and
2073 * do that before checking for the other frame
2074 * types.
2075 */
2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_IPX);
2077 gen_or(b0, b1);
2078 return b1;
2079
2080 case ETHERTYPE_ATALK:
2081 case ETHERTYPE_AARP:
2082 /*
2083 * EtherTalk (AppleTalk protocols on Ethernet link
2084 * layer) may use 802.2 encapsulation.
2085 */
2086
2087 /*
2088 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2089 * we check for the 802.2 protocol type in the
2090 * "Ethernet type" field.
2091 */
2092 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2093
2094 /*
2095 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2096 * SNAP packets with an organization code of
2097 * 0x080007 (Apple, for Appletalk) and a protocol
2098 * type of ETHERTYPE_ATALK (Appletalk).
2099 *
2100 * 802.2-encapsulated ETHERTYPE_AARP packets are
2101 * SNAP packets with an organization code of
2102 * 0x000000 (encapsulated Ethernet) and a protocol
2103 * type of ETHERTYPE_AARP (Appletalk ARP).
2104 */
2105 if (proto == ETHERTYPE_ATALK)
2106 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2107 else /* proto == ETHERTYPE_AARP */
2108 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2109 gen_and(b0, b1);
2110
2111 /*
2112 * Check for Ethernet encapsulation (Ethertalk
2113 * phase 1?); we just check for the Ethernet
2114 * protocol type.
2115 */
2116 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
2117
2118 gen_or(b0, b1);
2119 return b1;
2120
2121 default:
2122 if (proto <= ETHERMTU)
2123 {
2124 /*
2125 * This is an LLC SAP value, so the frames
2126 * that match would be 802.2 frames.
2127 * Check for the 802.2 protocol type
2128 * in the "Ethernet type" field, and
2129 * then check the DSAP.
2130 */
2131 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2132 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, (bpf_int32) proto);
2133 gen_and(b0, b1);
2134 return b1;
2135 }
2136 else
2137 {
2138 /*
2139 * This is an Ethernet type, so compare
2140 * the length/type field with it (if
2141 * the frame is an 802.2 frame, the length
2142 * field will be <= ETHERMTU, and, as
2143 * "proto" is > ETHERMTU, this test
2144 * will fail and the frame won't match,
2145 * which is what we want).
2146 */
2147 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
2148 }
2149 }
2150 }
2151
gen_load_prism_llprefixlen()2152 static struct slist *gen_load_prism_llprefixlen()
2153 {
2154 struct slist *s1, *s2;
2155 struct slist *sjeq_avs_cookie;
2156 struct slist *sjcommon;
2157
2158 /*
2159 * This code is not compatible with the optimizer, as
2160 * we are generating jmp instructions within a normal
2161 * slist of instructions
2162 */
2163 no_optimize = 1;
2164
2165 /*
2166 * Generate code to load the length of the radio header into
2167 * the register assigned to hold that length, if one has been
2168 * assigned. (If one hasn't been assigned, no code we've
2169 * generated uses that prefix, so we don't need to generate any
2170 * code to load it.)
2171 *
2172 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2173 * or always use the AVS header rather than the Prism header.
2174 * We load a 4-byte big-endian value at the beginning of the
2175 * raw packet data, and see whether, when masked with 0xFFFFF000,
2176 * it's equal to 0x80211000. If so, that indicates that it's
2177 * an AVS header (the masked-out bits are the version number).
2178 * Otherwise, it's a Prism header.
2179 *
2180 * XXX - the Prism header is also, in theory, variable-length,
2181 * but no known software generates headers that aren't 144
2182 * bytes long.
2183 */
2184 if (reg_off_ll != -1)
2185 {
2186 /*
2187 * Load the cookie.
2188 */
2189 s1 = new_stmt(BPF_LD | BPF_W | BPF_ABS);
2190 s1->s.k = 0;
2191
2192 /*
2193 * AND it with 0xFFFFF000.
2194 */
2195 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K);
2196 s2->s.k = 0xFFFFF000;
2197 sappend(s1, s2);
2198
2199 /*
2200 * Compare with 0x80211000.
2201 */
2202 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2203 sjeq_avs_cookie->s.k = 0x80211000;
2204 sappend(s1, sjeq_avs_cookie);
2205
2206 /*
2207 * If it's AVS:
2208 *
2209 * The 4 bytes at an offset of 4 from the beginning of
2210 * the AVS header are the length of the AVS header.
2211 * That field is big-endian.
2212 */
2213 s2 = new_stmt(BPF_LD | BPF_W | BPF_ABS);
2214 s2->s.k = 4;
2215 sappend(s1, s2);
2216 sjeq_avs_cookie->s.jt = s2;
2217
2218 /*
2219 * Now jump to the code to allocate a register
2220 * into which to save the header length and
2221 * store the length there. (The "jump always"
2222 * instruction needs to have the k field set;
2223 * it's added to the PC, so, as we're jumping
2224 * over a single instruction, it should be 1.)
2225 */
2226 sjcommon = new_stmt(JMP(BPF_JA));
2227 sjcommon->s.k = 1;
2228 sappend(s1, sjcommon);
2229
2230 /*
2231 * Now for the code that handles the Prism header.
2232 * Just load the length of the Prism header (144)
2233 * into the A register. Have the test for an AVS
2234 * header branch here if we don't have an AVS header.
2235 */
2236 s2 = new_stmt(BPF_LD | BPF_W | BPF_IMM);
2237 s2->s.k = 144;
2238 sappend(s1, s2);
2239 sjeq_avs_cookie->s.jf = s2;
2240
2241 /*
2242 * Now allocate a register to hold that value and store
2243 * it. The code for the AVS header will jump here after
2244 * loading the length of the AVS header.
2245 */
2246 s2 = new_stmt(BPF_ST);
2247 s2->s.k = reg_off_ll;
2248 sappend(s1, s2);
2249 sjcommon->s.jf = s2;
2250
2251 /*
2252 * Now move it into the X register.
2253 */
2254 s2 = new_stmt(BPF_MISC | BPF_TAX);
2255 sappend(s1, s2);
2256
2257 return (s1);
2258 }
2259 else
2260 return (NULL);
2261 }
2262
gen_load_avs_llprefixlen()2263 static struct slist *gen_load_avs_llprefixlen()
2264 {
2265 struct slist *s1, *s2;
2266
2267 /*
2268 * Generate code to load the length of the AVS header into
2269 * the register assigned to hold that length, if one has been
2270 * assigned. (If one hasn't been assigned, no code we've
2271 * generated uses that prefix, so we don't need to generate any
2272 * code to load it.)
2273 */
2274 if (reg_off_ll != -1)
2275 {
2276 /*
2277 * The 4 bytes at an offset of 4 from the beginning of
2278 * the AVS header are the length of the AVS header.
2279 * That field is big-endian.
2280 */
2281 s1 = new_stmt(BPF_LD | BPF_W | BPF_ABS);
2282 s1->s.k = 4;
2283
2284 /*
2285 * Now allocate a register to hold that value and store
2286 * it.
2287 */
2288 s2 = new_stmt(BPF_ST);
2289 s2->s.k = reg_off_ll;
2290 sappend(s1, s2);
2291
2292 /*
2293 * Now move it into the X register.
2294 */
2295 s2 = new_stmt(BPF_MISC | BPF_TAX);
2296 sappend(s1, s2);
2297
2298 return (s1);
2299 }
2300 else
2301 return (NULL);
2302 }
2303
gen_load_radiotap_llprefixlen()2304 static struct slist *gen_load_radiotap_llprefixlen()
2305 {
2306 struct slist *s1, *s2;
2307
2308 /*
2309 * Generate code to load the length of the radiotap header into
2310 * the register assigned to hold that length, if one has been
2311 * assigned. (If one hasn't been assigned, no code we've
2312 * generated uses that prefix, so we don't need to generate any
2313 * code to load it.)
2314 */
2315 if (reg_off_ll != -1)
2316 {
2317 /*
2318 * The 2 bytes at offsets of 2 and 3 from the beginning
2319 * of the radiotap header are the length of the radiotap
2320 * header; unfortunately, it's little-endian, so we have
2321 * to load it a byte at a time and construct the value.
2322 */
2323
2324 /*
2325 * Load the high-order byte, at an offset of 3, shift it
2326 * left a byte, and put the result in the X register.
2327 */
2328 s1 = new_stmt(BPF_LD | BPF_B | BPF_ABS);
2329 s1->s.k = 3;
2330 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K);
2331 sappend(s1, s2);
2332 s2->s.k = 8;
2333 s2 = new_stmt(BPF_MISC | BPF_TAX);
2334 sappend(s1, s2);
2335
2336 /*
2337 * Load the next byte, at an offset of 2, and OR the
2338 * value from the X register into it.
2339 */
2340 s2 = new_stmt(BPF_LD | BPF_B | BPF_ABS);
2341 sappend(s1, s2);
2342 s2->s.k = 2;
2343 s2 = new_stmt(BPF_ALU | BPF_OR | BPF_X);
2344 sappend(s1, s2);
2345
2346 /*
2347 * Now allocate a register to hold that value and store
2348 * it.
2349 */
2350 s2 = new_stmt(BPF_ST);
2351 s2->s.k = reg_off_ll;
2352 sappend(s1, s2);
2353
2354 /*
2355 * Now move it into the X register.
2356 */
2357 s2 = new_stmt(BPF_MISC | BPF_TAX);
2358 sappend(s1, s2);
2359
2360 return (s1);
2361 }
2362 else
2363 return (NULL);
2364 }
2365
2366 /*
2367 * At the moment we treat PPI as normal Radiotap encoded
2368 * packets. The difference is in the function that generates
2369 * the code at the beginning to compute the header length.
2370 * Since this code generator of PPI supports bare 802.11
2371 * encapsulation only (i.e. the encapsulated DLT should be
2372 * DLT_IEEE802_11) we generate code to check for this too;
2373 * that's done in finish_parse().
2374 */
gen_load_ppi_llprefixlen()2375 static struct slist *gen_load_ppi_llprefixlen()
2376 {
2377 struct slist *s1, *s2;
2378
2379 /*
2380 * Generate code to load the length of the radiotap header
2381 * into the register assigned to hold that length, if one has
2382 * been assigned.
2383 */
2384 if (reg_off_ll != -1)
2385 {
2386 /*
2387 * The 2 bytes at offsets of 2 and 3 from the beginning
2388 * of the radiotap header are the length of the radiotap
2389 * header; unfortunately, it's little-endian, so we have
2390 * to load it a byte at a time and construct the value.
2391 */
2392
2393 /*
2394 * Load the high-order byte, at an offset of 3, shift it
2395 * left a byte, and put the result in the X register.
2396 */
2397 s1 = new_stmt(BPF_LD | BPF_B | BPF_ABS);
2398 s1->s.k = 3;
2399 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K);
2400 sappend(s1, s2);
2401 s2->s.k = 8;
2402 s2 = new_stmt(BPF_MISC | BPF_TAX);
2403 sappend(s1, s2);
2404
2405 /*
2406 * Load the next byte, at an offset of 2, and OR the
2407 * value from the X register into it.
2408 */
2409 s2 = new_stmt(BPF_LD | BPF_B | BPF_ABS);
2410 sappend(s1, s2);
2411 s2->s.k = 2;
2412 s2 = new_stmt(BPF_ALU | BPF_OR | BPF_X);
2413 sappend(s1, s2);
2414
2415 /*
2416 * Now allocate a register to hold that value and store
2417 * it.
2418 */
2419 s2 = new_stmt(BPF_ST);
2420 s2->s.k = reg_off_ll;
2421 sappend(s1, s2);
2422
2423 /*
2424 * Now move it into the X register.
2425 */
2426 s2 = new_stmt(BPF_MISC | BPF_TAX);
2427 sappend(s1, s2);
2428
2429 return (s1);
2430 }
2431 else
2432 return (NULL);
2433 }
2434
2435 /*
2436 * Load a value relative to the beginning of the link-layer header after the 802.11
2437 * header, i.e. LLC_SNAP.
2438 * The link-layer header doesn't necessarily begin at the beginning
2439 * of the packet data; there might be a variable-length prefix containing
2440 * radio information.
2441 */
gen_load_802_11_header_len(struct slist * s,struct slist * snext)2442 static struct slist *gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2443 {
2444 struct slist *s2;
2445 struct slist *sjset_data_frame_1;
2446 struct slist *sjset_data_frame_2;
2447 struct slist *sjset_qos;
2448 struct slist *sjset_radiotap_flags;
2449 struct slist *sjset_radiotap_tsft;
2450 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2451 struct slist *s_roundup;
2452
2453 if (reg_off_macpl == -1)
2454 {
2455 /*
2456 * No register has been assigned to the offset of
2457 * the MAC-layer payload, which means nobody needs
2458 * it; don't bother computing it - just return
2459 * what we already have.
2460 */
2461 return (s);
2462 }
2463
2464 /*
2465 * This code is not compatible with the optimizer, as
2466 * we are generating jmp instructions within a normal
2467 * slist of instructions
2468 */
2469 no_optimize = 1;
2470
2471 /*
2472 * If "s" is non-null, it has code to arrange that the X register
2473 * contains the length of the prefix preceding the link-layer
2474 * header.
2475 *
2476 * Otherwise, the length of the prefix preceding the link-layer
2477 * header is "off_ll".
2478 */
2479 if (s == NULL)
2480 {
2481 /*
2482 * There is no variable-length header preceding the
2483 * link-layer header.
2484 *
2485 * Load the length of the fixed-length prefix preceding
2486 * the link-layer header (if any) into the X register,
2487 * and store it in the reg_off_macpl register.
2488 * That length is off_ll.
2489 */
2490 s = new_stmt(BPF_LDX | BPF_IMM);
2491 s->s.k = off_ll;
2492 }
2493
2494 /*
2495 * The X register contains the offset of the beginning of the
2496 * link-layer header; add 24, which is the minimum length
2497 * of the MAC header for a data frame, to that, and store it
2498 * in reg_off_macpl, and then load the Frame Control field,
2499 * which is at the offset in the X register, with an indexed load.
2500 */
2501 s2 = new_stmt(BPF_MISC | BPF_TXA);
2502 sappend(s, s2);
2503 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
2504 s2->s.k = 24;
2505 sappend(s, s2);
2506 s2 = new_stmt(BPF_ST);
2507 s2->s.k = reg_off_macpl;
2508 sappend(s, s2);
2509
2510 s2 = new_stmt(BPF_LD | BPF_IND | BPF_B);
2511 s2->s.k = 0;
2512 sappend(s, s2);
2513
2514 /*
2515 * Check the Frame Control field to see if this is a data frame;
2516 * a data frame has the 0x08 bit (b3) in that field set and the
2517 * 0x04 bit (b2) clear.
2518 */
2519 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2520 sjset_data_frame_1->s.k = 0x08;
2521 sappend(s, sjset_data_frame_1);
2522
2523 /*
2524 * If b3 is set, test b2, otherwise go to the first statement of
2525 * the rest of the program.
2526 */
2527 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2528 sjset_data_frame_2->s.k = 0x04;
2529 sappend(s, sjset_data_frame_2);
2530 sjset_data_frame_1->s.jf = snext;
2531
2532 /*
2533 * If b2 is not set, this is a data frame; test the QoS bit.
2534 * Otherwise, go to the first statement of the rest of the
2535 * program.
2536 */
2537 sjset_data_frame_2->s.jt = snext;
2538 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2539 sjset_qos->s.k = 0x80; /* QoS bit */
2540 sappend(s, sjset_qos);
2541
2542 /*
2543 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2544 * field.
2545 * Otherwise, go to the first statement of the rest of the
2546 * program.
2547 */
2548 sjset_qos->s.jt = s2 = new_stmt(BPF_LD | BPF_MEM);
2549 s2->s.k = reg_off_macpl;
2550 sappend(s, s2);
2551 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_IMM);
2552 s2->s.k = 2;
2553 sappend(s, s2);
2554 s2 = new_stmt(BPF_ST);
2555 s2->s.k = reg_off_macpl;
2556 sappend(s, s2);
2557
2558 /*
2559 * If we have a radiotap header, look at it to see whether
2560 * there's Atheros padding between the MAC-layer header
2561 * and the payload.
2562 *
2563 * Note: all of the fields in the radiotap header are
2564 * little-endian, so we byte-swap all of the values
2565 * we test against, as they will be loaded as big-endian
2566 * values.
2567 */
2568 if (linktype == DLT_IEEE802_11_RADIO)
2569 {
2570 /*
2571 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2572 * in the presence flag?
2573 */
2574 sjset_qos->s.jf = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_W);
2575 s2->s.k = 4;
2576 sappend(s, s2);
2577
2578 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2579 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2580 sappend(s, sjset_radiotap_flags);
2581
2582 /*
2583 * If not, skip all of this.
2584 */
2585 sjset_radiotap_flags->s.jf = snext;
2586
2587 /*
2588 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2589 */
2590 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = new_stmt(JMP(BPF_JSET));
2591 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2592 sappend(s, sjset_radiotap_tsft);
2593
2594 /*
2595 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2596 * at an offset of 16 from the beginning of the raw packet
2597 * data (8 bytes for the radiotap header and 8 bytes for
2598 * the TSFT field).
2599 *
2600 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2601 * is set.
2602 */
2603 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_B);
2604 s2->s.k = 16;
2605 sappend(s, s2);
2606
2607 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2608 sjset_tsft_datapad->s.k = 0x20;
2609 sappend(s, sjset_tsft_datapad);
2610
2611 /*
2612 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2613 * at an offset of 8 from the beginning of the raw packet
2614 * data (8 bytes for the radiotap header).
2615 *
2616 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2617 * is set.
2618 */
2619 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_B);
2620 s2->s.k = 8;
2621 sappend(s, s2);
2622
2623 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2624 sjset_notsft_datapad->s.k = 0x20;
2625 sappend(s, sjset_notsft_datapad);
2626
2627 /*
2628 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2629 * set, round the length of the 802.11 header to
2630 * a multiple of 4. Do that by adding 3 and then
2631 * dividing by and multiplying by 4, which we do by
2632 * ANDing with ~3.
2633 */
2634 s_roundup = new_stmt(BPF_LD | BPF_MEM);
2635 s_roundup->s.k = reg_off_macpl;
2636 sappend(s, s_roundup);
2637 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_IMM);
2638 s2->s.k = 3;
2639 sappend(s, s2);
2640 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_IMM);
2641 s2->s.k = ~3;
2642 sappend(s, s2);
2643 s2 = new_stmt(BPF_ST);
2644 s2->s.k = reg_off_macpl;
2645 sappend(s, s2);
2646
2647 sjset_tsft_datapad->s.jt = s_roundup;
2648 sjset_tsft_datapad->s.jf = snext;
2649 sjset_notsft_datapad->s.jt = s_roundup;
2650 sjset_notsft_datapad->s.jf = snext;
2651 }
2652 else
2653 sjset_qos->s.jf = snext;
2654
2655 return s;
2656 }
2657
insert_compute_vloffsets(b)2658 static void insert_compute_vloffsets(b)
2659 struct block *b;
2660 {
2661 struct slist *s;
2662
2663 /*
2664 * For link-layer types that have a variable-length header
2665 * preceding the link-layer header, generate code to load
2666 * the offset of the link-layer header into the register
2667 * assigned to that offset, if any.
2668 */
2669 switch (linktype)
2670 {
2671
2672 case DLT_PRISM_HEADER:
2673 s = gen_load_prism_llprefixlen();
2674 break;
2675
2676 case DLT_IEEE802_11_RADIO_AVS:
2677 s = gen_load_avs_llprefixlen();
2678 break;
2679
2680 case DLT_IEEE802_11_RADIO:
2681 s = gen_load_radiotap_llprefixlen();
2682 break;
2683
2684 case DLT_PPI:
2685 s = gen_load_ppi_llprefixlen();
2686 break;
2687
2688 default:
2689 s = NULL;
2690 break;
2691 }
2692
2693 /*
2694 * For link-layer types that have a variable-length link-layer
2695 * header, generate code to load the offset of the MAC-layer
2696 * payload into the register assigned to that offset, if any.
2697 */
2698 switch (linktype)
2699 {
2700
2701 case DLT_IEEE802_11:
2702 case DLT_PRISM_HEADER:
2703 case DLT_IEEE802_11_RADIO_AVS:
2704 case DLT_IEEE802_11_RADIO:
2705 case DLT_PPI:
2706 s = gen_load_802_11_header_len(s, b->stmts);
2707 break;
2708 }
2709
2710 /*
2711 * If we have any offset-loading code, append all the
2712 * existing statements in the block to those statements,
2713 * and make the resulting list the list of statements
2714 * for the block.
2715 */
2716 if (s != NULL)
2717 {
2718 sappend(s, b->stmts);
2719 b->stmts = s;
2720 }
2721 }
2722
gen_ppi_dlt_check(void)2723 static struct block *gen_ppi_dlt_check(void)
2724 {
2725 struct slist *s_load_dlt;
2726 struct block *b;
2727
2728 if (linktype == DLT_PPI)
2729 {
2730 /* Create the statements that check for the DLT
2731 */
2732 s_load_dlt = new_stmt(BPF_LD | BPF_W | BPF_ABS);
2733 s_load_dlt->s.k = 4;
2734
2735 b = new_block(JMP(BPF_JEQ));
2736
2737 b->stmts = s_load_dlt;
2738 b->s.k = SWAPLONG(DLT_IEEE802_11);
2739 }
2740 else
2741 {
2742 b = NULL;
2743 }
2744
2745 return b;
2746 }
2747
gen_prism_llprefixlen(void)2748 static struct slist *gen_prism_llprefixlen(void)
2749 {
2750 struct slist *s;
2751
2752 if (reg_off_ll == -1)
2753 {
2754 /*
2755 * We haven't yet assigned a register for the length
2756 * of the radio header; allocate one.
2757 */
2758 reg_off_ll = alloc_reg();
2759 }
2760
2761 /*
2762 * Load the register containing the radio length
2763 * into the X register.
2764 */
2765 s = new_stmt(BPF_LDX | BPF_MEM);
2766 s->s.k = reg_off_ll;
2767 return s;
2768 }
2769
gen_avs_llprefixlen(void)2770 static struct slist *gen_avs_llprefixlen(void)
2771 {
2772 struct slist *s;
2773
2774 if (reg_off_ll == -1)
2775 {
2776 /*
2777 * We haven't yet assigned a register for the length
2778 * of the AVS header; allocate one.
2779 */
2780 reg_off_ll = alloc_reg();
2781 }
2782
2783 /*
2784 * Load the register containing the AVS length
2785 * into the X register.
2786 */
2787 s = new_stmt(BPF_LDX | BPF_MEM);
2788 s->s.k = reg_off_ll;
2789 return s;
2790 }
2791
gen_radiotap_llprefixlen(void)2792 static struct slist *gen_radiotap_llprefixlen(void)
2793 {
2794 struct slist *s;
2795
2796 if (reg_off_ll == -1)
2797 {
2798 /*
2799 * We haven't yet assigned a register for the length
2800 * of the radiotap header; allocate one.
2801 */
2802 reg_off_ll = alloc_reg();
2803 }
2804
2805 /*
2806 * Load the register containing the radiotap length
2807 * into the X register.
2808 */
2809 s = new_stmt(BPF_LDX | BPF_MEM);
2810 s->s.k = reg_off_ll;
2811 return s;
2812 }
2813
2814 /*
2815 * At the moment we treat PPI as normal Radiotap encoded
2816 * packets. The difference is in the function that generates
2817 * the code at the beginning to compute the header length.
2818 * Since this code generator of PPI supports bare 802.11
2819 * encapsulation only (i.e. the encapsulated DLT should be
2820 * DLT_IEEE802_11) we generate code to check for this too.
2821 */
gen_ppi_llprefixlen(void)2822 static struct slist *gen_ppi_llprefixlen(void)
2823 {
2824 struct slist *s;
2825
2826 if (reg_off_ll == -1)
2827 {
2828 /*
2829 * We haven't yet assigned a register for the length
2830 * of the radiotap header; allocate one.
2831 */
2832 reg_off_ll = alloc_reg();
2833 }
2834
2835 /*
2836 * Load the register containing the PPI length
2837 * into the X register.
2838 */
2839 s = new_stmt(BPF_LDX | BPF_MEM);
2840 s->s.k = reg_off_ll;
2841 return s;
2842 }
2843
2844 /*
2845 * Generate code to compute the link-layer header length, if necessary,
2846 * putting it into the X register, and to return either a pointer to a
2847 * "struct slist" for the list of statements in that code, or NULL if
2848 * no code is necessary.
2849 */
gen_llprefixlen(void)2850 static struct slist *gen_llprefixlen(void)
2851 {
2852 switch (linktype)
2853 {
2854
2855 case DLT_PRISM_HEADER:
2856 return gen_prism_llprefixlen();
2857
2858 case DLT_IEEE802_11_RADIO_AVS:
2859 return gen_avs_llprefixlen();
2860
2861 case DLT_IEEE802_11_RADIO:
2862 return gen_radiotap_llprefixlen();
2863
2864 case DLT_PPI:
2865 return gen_ppi_llprefixlen();
2866
2867 default:
2868 return NULL;
2869 }
2870 }
2871
2872 /*
2873 * Generate code to load the register containing the offset of the
2874 * MAC-layer payload into the X register; if no register for that offset
2875 * has been allocated, allocate it first.
2876 */
gen_off_macpl(void)2877 static struct slist *gen_off_macpl(void)
2878 {
2879 struct slist *s;
2880
2881 if (off_macpl_is_variable)
2882 {
2883 if (reg_off_macpl == -1)
2884 {
2885 /*
2886 * We haven't yet assigned a register for the offset
2887 * of the MAC-layer payload; allocate one.
2888 */
2889 reg_off_macpl = alloc_reg();
2890 }
2891
2892 /*
2893 * Load the register containing the offset of the MAC-layer
2894 * payload into the X register.
2895 */
2896 s = new_stmt(BPF_LDX | BPF_MEM);
2897 s->s.k = reg_off_macpl;
2898 return s;
2899 }
2900 else
2901 {
2902 /*
2903 * That offset isn't variable, so we don't need to
2904 * generate any code.
2905 */
2906 return NULL;
2907 }
2908 }
2909
2910 /*
2911 * Map an Ethernet type to the equivalent PPP type.
2912 */
ethertype_to_ppptype(proto)2913 static int ethertype_to_ppptype(proto)
2914 int proto;
2915 {
2916 switch (proto)
2917 {
2918
2919 case ETHERTYPE_IP:
2920 proto = PPP_IP;
2921 break;
2922
2923 #ifdef INET6
2924 case ETHERTYPE_IPV6:
2925 proto = PPP_IPV6;
2926 break;
2927 #endif
2928
2929 case ETHERTYPE_DN:
2930 proto = PPP_DECNET;
2931 break;
2932
2933 case ETHERTYPE_ATALK:
2934 proto = PPP_APPLE;
2935 break;
2936
2937 case ETHERTYPE_NS:
2938 proto = PPP_NS;
2939 break;
2940
2941 case LLCSAP_ISONS:
2942 proto = PPP_OSI;
2943 break;
2944
2945 case LLCSAP_8021D:
2946 /*
2947 * I'm assuming the "Bridging PDU"s that go
2948 * over PPP are Spanning Tree Protocol
2949 * Bridging PDUs.
2950 */
2951 proto = PPP_BRPDU;
2952 break;
2953
2954 case LLCSAP_IPX:
2955 proto = PPP_IPX;
2956 break;
2957 }
2958 return (proto);
2959 }
2960
2961 /*
2962 * Generate code to match a particular packet type by matching the
2963 * link-layer type field or fields in the 802.2 LLC header.
2964 *
2965 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2966 * value, if <= ETHERMTU.
2967 */
gen_linktype(proto)2968 static struct block *gen_linktype(proto)
2969 register int proto;
2970 {
2971 struct block *b0, *b1, *b2;
2972
2973 /* are we checking MPLS-encapsulated packets? */
2974 if (label_stack_depth > 0)
2975 {
2976 switch (proto)
2977 {
2978 case ETHERTYPE_IP:
2979 case PPP_IP:
2980 /* FIXME add other L3 proto IDs */
2981 return gen_mpls_linktype(Q_IP);
2982
2983 case ETHERTYPE_IPV6:
2984 case PPP_IPV6:
2985 /* FIXME add other L3 proto IDs */
2986 return gen_mpls_linktype(Q_IPV6);
2987
2988 default:
2989 bpf_error("unsupported protocol over mpls");
2990 /* NOTREACHED */
2991 }
2992 }
2993
2994 /*
2995 * Are we testing PPPoE packets?
2996 */
2997 if (is_pppoes)
2998 {
2999 /*
3000 * The PPPoE session header is part of the
3001 * MAC-layer payload, so all references
3002 * should be relative to the beginning of
3003 * that payload.
3004 */
3005
3006 /*
3007 * We use Ethernet protocol types inside libpcap;
3008 * map them to the corresponding PPP protocol types.
3009 */
3010 proto = ethertype_to_ppptype(proto);
3011 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32) proto);
3012 }
3013
3014 switch (linktype)
3015 {
3016
3017 case DLT_EN10MB:
3018 return gen_ether_linktype(proto);
3019 /*NOTREACHED*/ break;
3020
3021 case DLT_C_HDLC:
3022 switch (proto)
3023 {
3024
3025 case LLCSAP_ISONS:
3026 proto = (proto << 8 | LLCSAP_ISONS);
3027 /* fall through */
3028
3029 default:
3030 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
3031 /*NOTREACHED*/ break;
3032 }
3033 break;
3034
3035 case DLT_IEEE802_11:
3036 case DLT_PRISM_HEADER:
3037 case DLT_IEEE802_11_RADIO_AVS:
3038 case DLT_IEEE802_11_RADIO:
3039 case DLT_PPI:
3040 /*
3041 * Check that we have a data frame.
3042 */
3043 b0 = gen_check_802_11_data_frame();
3044
3045 /*
3046 * Now check for the specified link-layer type.
3047 */
3048 b1 = gen_llc_linktype(proto);
3049 gen_and(b0, b1);
3050 return b1;
3051 /*NOTREACHED*/ break;
3052
3053 case DLT_FDDI:
3054 /*
3055 * XXX - check for asynchronous frames, as per RFC 1103.
3056 */
3057 return gen_llc_linktype(proto);
3058 /*NOTREACHED*/ break;
3059
3060 case DLT_IEEE802:
3061 /*
3062 * XXX - check for LLC PDUs, as per IEEE 802.5.
3063 */
3064 return gen_llc_linktype(proto);
3065 /*NOTREACHED*/ break;
3066
3067 case DLT_ATM_RFC1483:
3068 case DLT_ATM_CLIP:
3069 case DLT_IP_OVER_FC:
3070 return gen_llc_linktype(proto);
3071 /*NOTREACHED*/ break;
3072
3073 case DLT_SUNATM:
3074 /*
3075 * If "is_lane" is set, check for a LANE-encapsulated
3076 * version of this protocol, otherwise check for an
3077 * LLC-encapsulated version of this protocol.
3078 *
3079 * We assume LANE means Ethernet, not Token Ring.
3080 */
3081 if (is_lane)
3082 {
3083 /*
3084 * Check that the packet doesn't begin with an
3085 * LE Control marker. (We've already generated
3086 * a test for LANE.)
3087 */
3088 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3089 gen_not(b0);
3090
3091 /*
3092 * Now generate an Ethernet test.
3093 */
3094 b1 = gen_ether_linktype(proto);
3095 gen_and(b0, b1);
3096 return b1;
3097 }
3098 else
3099 {
3100 /*
3101 * Check for LLC encapsulation and then check the
3102 * protocol.
3103 */
3104 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3105 b1 = gen_llc_linktype(proto);
3106 gen_and(b0, b1);
3107 return b1;
3108 }
3109 /*NOTREACHED*/ break;
3110
3111 case DLT_LINUX_SLL:
3112 return gen_linux_sll_linktype(proto);
3113 /*NOTREACHED*/ break;
3114
3115 case DLT_SLIP:
3116 case DLT_SLIP_BSDOS:
3117 case DLT_RAW:
3118 /*
3119 * These types don't provide any type field; packets
3120 * are always IPv4 or IPv6.
3121 *
3122 * XXX - for IPv4, check for a version number of 4, and,
3123 * for IPv6, check for a version number of 6?
3124 */
3125 switch (proto)
3126 {
3127
3128 case ETHERTYPE_IP:
3129 /* Check for a version number of 4. */
3130 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3131 #ifdef INET6
3132 case ETHERTYPE_IPV6:
3133 /* Check for a version number of 6. */
3134 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3135 #endif
3136
3137 default:
3138 return gen_false(); /* always false */
3139 }
3140 /*NOTREACHED*/ break;
3141
3142 case DLT_IPV4:
3143 /*
3144 * Raw IPv4, so no type field.
3145 */
3146 if (proto == ETHERTYPE_IP)
3147 return gen_true(); /* always true */
3148
3149 /* Checking for something other than IPv4; always false */
3150 return gen_false();
3151 /*NOTREACHED*/ break;
3152
3153 case DLT_IPV6:
3154 /*
3155 * Raw IPv6, so no type field.
3156 */
3157 #ifdef INET6
3158 if (proto == ETHERTYPE_IPV6)
3159 return gen_true(); /* always true */
3160 #endif
3161
3162 /* Checking for something other than IPv6; always false */
3163 return gen_false();
3164 /*NOTREACHED*/ break;
3165
3166 case DLT_PPP:
3167 case DLT_PPP_PPPD:
3168 case DLT_PPP_SERIAL:
3169 case DLT_PPP_ETHER:
3170 /*
3171 * We use Ethernet protocol types inside libpcap;
3172 * map them to the corresponding PPP protocol types.
3173 */
3174 proto = ethertype_to_ppptype(proto);
3175 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
3176 /*NOTREACHED*/ break;
3177
3178 case DLT_PPP_BSDOS:
3179 /*
3180 * We use Ethernet protocol types inside libpcap;
3181 * map them to the corresponding PPP protocol types.
3182 */
3183 switch (proto)
3184 {
3185
3186 case ETHERTYPE_IP:
3187 /*
3188 * Also check for Van Jacobson-compressed IP.
3189 * XXX - do this for other forms of PPP?
3190 */
3191 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3192 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3193 gen_or(b0, b1);
3194 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3195 gen_or(b1, b0);
3196 return b0;
3197
3198 default:
3199 proto = ethertype_to_ppptype(proto);
3200 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
3201 }
3202 /*NOTREACHED*/ break;
3203
3204 case DLT_NULL:
3205 case DLT_LOOP:
3206 case DLT_ENC:
3207 /*
3208 * For DLT_NULL, the link-layer header is a 32-bit
3209 * word containing an AF_ value in *host* byte order,
3210 * and for DLT_ENC, the link-layer header begins
3211 * with a 32-bit work containing an AF_ value in
3212 * host byte order.
3213 *
3214 * In addition, if we're reading a saved capture file,
3215 * the host byte order in the capture may not be the
3216 * same as the host byte order on this machine.
3217 *
3218 * For DLT_LOOP, the link-layer header is a 32-bit
3219 * word containing an AF_ value in *network* byte order.
3220 *
3221 * XXX - AF_ values may, unfortunately, be platform-
3222 * dependent; for example, FreeBSD's AF_INET6 is 24
3223 * whilst NetBSD's and OpenBSD's is 26.
3224 *
3225 * This means that, when reading a capture file, just
3226 * checking for our AF_INET6 value won't work if the
3227 * capture file came from another OS.
3228 */
3229 switch (proto)
3230 {
3231
3232 case ETHERTYPE_IP:
3233 proto = AF_INET;
3234 break;
3235
3236 #ifdef INET6
3237 case ETHERTYPE_IPV6:
3238 proto = AF_INET6;
3239 break;
3240 #endif
3241
3242 default:
3243 /*
3244 * Not a type on which we support filtering.
3245 * XXX - support those that have AF_ values
3246 * #defined on this platform, at least?
3247 */
3248 return gen_false();
3249 }
3250
3251 if (linktype == DLT_NULL || linktype == DLT_ENC)
3252 {
3253 /*
3254 * The AF_ value is in host byte order, but
3255 * the BPF interpreter will convert it to
3256 * network byte order.
3257 *
3258 * If this is a save file, and it's from a
3259 * machine with the opposite byte order to
3260 * ours, we byte-swap the AF_ value.
3261 *
3262 * Then we run it through "htonl()", and
3263 * generate code to compare against the result.
3264 */
3265 //if (bpf_pcap->sf.rfile != NULL && bpf_pcap->sf.swapped)
3266 // proto = SWAPLONG(proto);
3267 proto = htonl(proto);
3268 }
3269 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32) proto));
3270
3271 #ifdef HAVE_NET_PFVAR_H
3272 case DLT_PFLOG:
3273 /*
3274 * af field is host byte order in contrast to the rest of
3275 * the packet.
3276 */
3277 if (proto == ETHERTYPE_IP)
3278 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), BPF_B, (bpf_int32) AF_INET));
3279 #ifdef INET6
3280 else if (proto == ETHERTYPE_IPV6)
3281 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), BPF_B, (bpf_int32) AF_INET6));
3282 #endif /* INET6 */
3283 else
3284 return gen_false();
3285 /*NOTREACHED*/ break;
3286 #endif /* HAVE_NET_PFVAR_H */
3287
3288 case DLT_ARCNET:
3289 case DLT_ARCNET_LINUX:
3290 /*
3291 * XXX should we check for first fragment if the protocol
3292 * uses PHDS?
3293 */
3294 switch (proto)
3295 {
3296
3297 default:
3298 return gen_false();
3299
3300 #ifdef INET6
3301 case ETHERTYPE_IPV6:
3302 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_INET6));
3303 #endif /* INET6 */
3304
3305 case ETHERTYPE_IP:
3306 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_IP);
3307 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_IP_OLD);
3308 gen_or(b0, b1);
3309 return (b1);
3310
3311 case ETHERTYPE_ARP:
3312 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ARP);
3313 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ARP_OLD);
3314 gen_or(b0, b1);
3315 return (b1);
3316
3317 case ETHERTYPE_REVARP:
3318 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_REVARP));
3319
3320 case ETHERTYPE_ATALK:
3321 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ATALK));
3322 }
3323 /*NOTREACHED*/ break;
3324
3325 case DLT_LTALK:
3326 switch (proto)
3327 {
3328 case ETHERTYPE_ATALK:
3329 return gen_true();
3330 default:
3331 return gen_false();
3332 }
3333 /*NOTREACHED*/ break;
3334
3335 case DLT_FRELAY:
3336 /*
3337 * XXX - assumes a 2-byte Frame Relay header with
3338 * DLCI and flags. What if the address is longer?
3339 */
3340 switch (proto)
3341 {
3342
3343 case ETHERTYPE_IP:
3344 /*
3345 * Check for the special NLPID for IP.
3346 */
3347 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | 0xcc);
3348
3349 #ifdef INET6
3350 case ETHERTYPE_IPV6:
3351 /*
3352 * Check for the special NLPID for IPv6.
3353 */
3354 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | 0x8e);
3355 #endif
3356
3357 case LLCSAP_ISONS:
3358 /*
3359 * Check for several OSI protocols.
3360 *
3361 * Frame Relay packets typically have an OSI
3362 * NLPID at the beginning; we check for each
3363 * of them.
3364 *
3365 * What we check for is the NLPID and a frame
3366 * control field of UI, i.e. 0x03 followed
3367 * by the NLPID.
3368 */
3369 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO8473_CLNP);
3370 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO9542_ESIS);
3371 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO10589_ISIS);
3372 gen_or(b1, b2);
3373 gen_or(b0, b2);
3374 return b2;
3375
3376 default:
3377 return gen_false();
3378 }
3379 /*NOTREACHED*/ break;
3380
3381 case DLT_MFR:
3382 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3383
3384 case DLT_JUNIPER_MFR:
3385 case DLT_JUNIPER_MLFR:
3386 case DLT_JUNIPER_MLPPP:
3387 case DLT_JUNIPER_ATM1:
3388 case DLT_JUNIPER_ATM2:
3389 case DLT_JUNIPER_PPPOE:
3390 case DLT_JUNIPER_PPPOE_ATM:
3391 case DLT_JUNIPER_GGSN:
3392 case DLT_JUNIPER_ES:
3393 case DLT_JUNIPER_MONITOR:
3394 case DLT_JUNIPER_SERVICES:
3395 case DLT_JUNIPER_ETHER:
3396 case DLT_JUNIPER_PPP:
3397 case DLT_JUNIPER_FRELAY:
3398 case DLT_JUNIPER_CHDLC:
3399 case DLT_JUNIPER_VP:
3400 case DLT_JUNIPER_ST:
3401 case DLT_JUNIPER_ISM:
3402 /* just lets verify the magic number for now -
3403 * on ATM we may have up to 6 different encapsulations on the wire
3404 * and need a lot of heuristics to figure out that the payload
3405 * might be;
3406 *
3407 * FIXME encapsulation specific BPF_ filters
3408 */
3409 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3410
3411 case DLT_IPNET:
3412 return gen_ipnet_linktype(proto);
3413
3414 case DLT_LINUX_IRDA:
3415 bpf_error("IrDA link-layer type filtering not implemented");
3416
3417 case DLT_DOCSIS:
3418 bpf_error("DOCSIS link-layer type filtering not implemented");
3419
3420 case DLT_MTP2:
3421 case DLT_MTP2_WITH_PHDR:
3422 bpf_error("MTP2 link-layer type filtering not implemented");
3423
3424 case DLT_ERF:
3425 bpf_error("ERF link-layer type filtering not implemented");
3426
3427 #ifdef DLT_PFSYNC
3428 case DLT_PFSYNC:
3429 bpf_error("PFSYNC link-layer type filtering not implemented");
3430 #endif
3431
3432 case DLT_LINUX_LAPD:
3433 bpf_error("LAPD link-layer type filtering not implemented");
3434
3435 case DLT_USB:
3436 case DLT_USB_LINUX:
3437 case DLT_USB_LINUX_MMAPPED:
3438 bpf_error("USB link-layer type filtering not implemented");
3439
3440 case DLT_BLUETOOTH_HCI_H4:
3441 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3442 bpf_error("Bluetooth link-layer type filtering not implemented");
3443
3444 case DLT_CAN20B:
3445 case DLT_CAN_SOCKETCAN:
3446 bpf_error("CAN link-layer type filtering not implemented");
3447
3448 case DLT_IEEE802_15_4:
3449 case DLT_IEEE802_15_4_LINUX:
3450 case DLT_IEEE802_15_4_NONASK_PHY:
3451 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3452
3453 case DLT_IEEE802_16_MAC_CPS_RADIO:
3454 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3455
3456 case DLT_SITA:
3457 bpf_error("SITA link-layer type filtering not implemented");
3458
3459 case DLT_RAIF1:
3460 bpf_error("RAIF1 link-layer type filtering not implemented");
3461
3462 case DLT_IPMB:
3463 bpf_error("IPMB link-layer type filtering not implemented");
3464
3465 case DLT_AX25_KISS:
3466 bpf_error("AX.25 link-layer type filtering not implemented");
3467 }
3468
3469 /*
3470 * All the types that have no encapsulation should either be
3471 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3472 * all packets are IP packets, or should be handled in some
3473 * special case, if none of them are (if some are and some
3474 * aren't, the lack of encapsulation is a problem, as we'd
3475 * have to find some other way of determining the packet type).
3476 *
3477 * Therefore, if "off_linktype" is -1, there's an error.
3478 */
3479 if (off_linktype == (u_int) - 1)
3480 abort();
3481
3482 /*
3483 * Any type not handled above should always have an Ethernet
3484 * type at an offset of "off_linktype".
3485 */
3486 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto);
3487 }
3488
3489 /*
3490 * Check for an LLC SNAP packet with a given organization code and
3491 * protocol type; we check the entire contents of the 802.2 LLC and
3492 * snap headers, checking for DSAP and SSAP of SNAP and a control
3493 * field of 0x03 in the LLC header, and for the specified organization
3494 * code and protocol type in the SNAP header.
3495 */
gen_snap(orgcode,ptype)3496 static struct block *gen_snap(orgcode, ptype)
3497 bpf_u_int32 orgcode;
3498 bpf_u_int32 ptype;
3499 {
3500 u_char snapblock[8];
3501
3502 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3503 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3504 snapblock[2] = 0x03; /* control = UI */
3505 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3506 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3507 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3508 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3509 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3510 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3511 }
3512
3513 /*
3514 * Generate code to match a particular packet type, for link-layer types
3515 * using 802.2 LLC headers.
3516 *
3517 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3518 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3519 *
3520 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3521 * value, if <= ETHERMTU. We use that to determine whether to
3522 * match the DSAP or both DSAP and LSAP or to check the OUI and
3523 * protocol ID in a SNAP header.
3524 */
gen_llc_linktype(proto)3525 static struct block *gen_llc_linktype(proto)
3526 int proto;
3527 {
3528 /*
3529 * XXX - handle token-ring variable-length header.
3530 */
3531 switch (proto)
3532 {
3533
3534 case LLCSAP_IP:
3535 case LLCSAP_ISONS:
3536 case LLCSAP_NETBEUI:
3537 /*
3538 * XXX - should we check both the DSAP and the
3539 * SSAP, like this, or should we check just the
3540 * DSAP, as we do for other types <= ETHERMTU
3541 * (i.e., other SAP values)?
3542 */
3543 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) ((proto << 8) | proto));
3544
3545 case LLCSAP_IPX:
3546 /*
3547 * XXX - are there ever SNAP frames for IPX on
3548 * non-Ethernet 802.x networks?
3549 */
3550 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX);
3551
3552 case ETHERTYPE_ATALK:
3553 /*
3554 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3555 * SNAP packets with an organization code of
3556 * 0x080007 (Apple, for Appletalk) and a protocol
3557 * type of ETHERTYPE_ATALK (Appletalk).
3558 *
3559 * XXX - check for an organization code of
3560 * encapsulated Ethernet as well?
3561 */
3562 return gen_snap(0x080007, ETHERTYPE_ATALK);
3563
3564 default:
3565 /*
3566 * XXX - we don't have to check for IPX 802.3
3567 * here, but should we check for the IPX Ethertype?
3568 */
3569 if (proto <= ETHERMTU)
3570 {
3571 /*
3572 * This is an LLC SAP value, so check
3573 * the DSAP.
3574 */
3575 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) proto);
3576 }
3577 else
3578 {
3579 /*
3580 * This is an Ethernet type; we assume that it's
3581 * unlikely that it'll appear in the right place
3582 * at random, and therefore check only the
3583 * location that would hold the Ethernet type
3584 * in a SNAP frame with an organization code of
3585 * 0x000000 (encapsulated Ethernet).
3586 *
3587 * XXX - if we were to check for the SNAP DSAP and
3588 * LSAP, as per XXX, and were also to check for an
3589 * organization code of 0x000000 (encapsulated
3590 * Ethernet), we'd do
3591 *
3592 * return gen_snap(0x000000, proto);
3593 *
3594 * here; for now, we don't, as per the above.
3595 * I don't know whether it's worth the extra CPU
3596 * time to do the right check or not.
3597 */
3598 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32) proto);
3599 }
3600 }
3601 }
3602
gen_hostop(addr,mask,dir,proto,src_off,dst_off)3603 static struct block *gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3604 bpf_u_int32 addr;
3605 bpf_u_int32 mask;
3606 int dir, proto;
3607 u_int src_off, dst_off;
3608 {
3609 struct block *b0, *b1;
3610 u_int offset;
3611
3612 switch (dir)
3613 {
3614
3615 case Q_SRC:
3616 offset = src_off;
3617 break;
3618
3619 case Q_DST:
3620 offset = dst_off;
3621 break;
3622
3623 case Q_AND:
3624 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3625 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3626 gen_and(b0, b1);
3627 return b1;
3628
3629 case Q_OR:
3630 case Q_DEFAULT:
3631 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3632 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3633 gen_or(b0, b1);
3634 return b1;
3635
3636 default:
3637 abort();
3638 }
3639 b0 = gen_linktype(proto);
3640 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32) addr, mask);
3641 gen_and(b0, b1);
3642 return b1;
3643 }
3644
3645 #ifdef INET6
gen_hostop6(addr,mask,dir,proto,src_off,dst_off)3646 static struct block *gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3647 struct in6_addr *addr;
3648 struct in6_addr *mask;
3649 int dir, proto;
3650 u_int src_off, dst_off;
3651 {
3652 struct block *b0, *b1;
3653 u_int offset;
3654 u_int32_t *a, *m;
3655
3656 switch (dir)
3657 {
3658
3659 case Q_SRC:
3660 offset = src_off;
3661 break;
3662
3663 case Q_DST:
3664 offset = dst_off;
3665 break;
3666
3667 case Q_AND:
3668 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3669 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3670 gen_and(b0, b1);
3671 return b1;
3672
3673 case Q_OR:
3674 case Q_DEFAULT:
3675 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3676 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3677 gen_or(b0, b1);
3678 return b1;
3679
3680 default:
3681 abort();
3682 }
3683 /* this order is important */
3684 a = (u_int32_t *) addr;
3685 m = (u_int32_t *) mask;
3686 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3687 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3688 gen_and(b0, b1);
3689 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3690 gen_and(b0, b1);
3691 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3692 gen_and(b0, b1);
3693 b0 = gen_linktype(proto);
3694 gen_and(b0, b1);
3695 return b1;
3696 }
3697 #endif /*INET6 */
3698
gen_ehostop(eaddr,dir)3699 static struct block *gen_ehostop(eaddr, dir)
3700 register const u_char *eaddr;
3701 register int dir;
3702 {
3703 register struct block *b0, *b1;
3704
3705 switch (dir)
3706 {
3707 case Q_SRC:
3708 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3709
3710 case Q_DST:
3711 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3712
3713 case Q_AND:
3714 b0 = gen_ehostop(eaddr, Q_SRC);
3715 b1 = gen_ehostop(eaddr, Q_DST);
3716 gen_and(b0, b1);
3717 return b1;
3718
3719 case Q_DEFAULT:
3720 case Q_OR:
3721 b0 = gen_ehostop(eaddr, Q_SRC);
3722 b1 = gen_ehostop(eaddr, Q_DST);
3723 gen_or(b0, b1);
3724 return b1;
3725 }
3726 abort();
3727 /* NOTREACHED */
3728 }
3729
3730 /*
3731 * Like gen_ehostop, but for DLT_FDDI
3732 */
gen_fhostop(eaddr,dir)3733 static struct block *gen_fhostop(eaddr, dir)
3734 register const u_char *eaddr;
3735 register int dir;
3736 {
3737 struct block *b0, *b1;
3738
3739 switch (dir)
3740 {
3741 case Q_SRC:
3742 #ifdef PCAP_FDDIPAD
3743 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3744 #else
3745 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3746 #endif
3747
3748 case Q_DST:
3749 #ifdef PCAP_FDDIPAD
3750 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3751 #else
3752 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3753 #endif
3754
3755 case Q_AND:
3756 b0 = gen_fhostop(eaddr, Q_SRC);
3757 b1 = gen_fhostop(eaddr, Q_DST);
3758 gen_and(b0, b1);
3759 return b1;
3760
3761 case Q_DEFAULT:
3762 case Q_OR:
3763 b0 = gen_fhostop(eaddr, Q_SRC);
3764 b1 = gen_fhostop(eaddr, Q_DST);
3765 gen_or(b0, b1);
3766 return b1;
3767 }
3768 abort();
3769 /* NOTREACHED */
3770 }
3771
3772 /*
3773 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3774 */
gen_thostop(eaddr,dir)3775 static struct block *gen_thostop(eaddr, dir)
3776 register const u_char *eaddr;
3777 register int dir;
3778 {
3779 register struct block *b0, *b1;
3780
3781 switch (dir)
3782 {
3783 case Q_SRC:
3784 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3785
3786 case Q_DST:
3787 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3788
3789 case Q_AND:
3790 b0 = gen_thostop(eaddr, Q_SRC);
3791 b1 = gen_thostop(eaddr, Q_DST);
3792 gen_and(b0, b1);
3793 return b1;
3794
3795 case Q_DEFAULT:
3796 case Q_OR:
3797 b0 = gen_thostop(eaddr, Q_SRC);
3798 b1 = gen_thostop(eaddr, Q_DST);
3799 gen_or(b0, b1);
3800 return b1;
3801 }
3802 abort();
3803 /* NOTREACHED */
3804 }
3805
3806 /*
3807 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3808 * various 802.11 + radio headers.
3809 */
gen_wlanhostop(eaddr,dir)3810 static struct block *gen_wlanhostop(eaddr, dir)
3811 register const u_char *eaddr;
3812 register int dir;
3813 {
3814 register struct block *b0, *b1, *b2;
3815 register struct slist *s;
3816
3817 #ifdef ENABLE_WLAN_FILTERING_PATCH
3818 /*
3819 * GV 20070613
3820 * We need to disable the optimizer because the optimizer is buggy
3821 * and wipes out some LD instructions generated by the below
3822 * code to validate the Frame Control bits
3823 */
3824 no_optimize = 1;
3825 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3826
3827 switch (dir)
3828 {
3829 case Q_SRC:
3830 /*
3831 * Oh, yuk.
3832 *
3833 * For control frames, there is no SA.
3834 *
3835 * For management frames, SA is at an
3836 * offset of 10 from the beginning of
3837 * the packet.
3838 *
3839 * For data frames, SA is at an offset
3840 * of 10 from the beginning of the packet
3841 * if From DS is clear, at an offset of
3842 * 16 from the beginning of the packet
3843 * if From DS is set and To DS is clear,
3844 * and an offset of 24 from the beginning
3845 * of the packet if From DS is set and To DS
3846 * is set.
3847 */
3848
3849 /*
3850 * Generate the tests to be done for data frames
3851 * with From DS set.
3852 *
3853 * First, check for To DS set, i.e. check "link[1] & 0x01".
3854 */
3855 s = gen_load_a(OR_LINK, 1, BPF_B);
3856 b1 = new_block(JMP(BPF_JSET));
3857 b1->s.k = 0x01; /* To DS */
3858 b1->stmts = s;
3859
3860 /*
3861 * If To DS is set, the SA is at 24.
3862 */
3863 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3864 gen_and(b1, b0);
3865
3866 /*
3867 * Now, check for To DS not set, i.e. check
3868 * "!(link[1] & 0x01)".
3869 */
3870 s = gen_load_a(OR_LINK, 1, BPF_B);
3871 b2 = new_block(JMP(BPF_JSET));
3872 b2->s.k = 0x01; /* To DS */
3873 b2->stmts = s;
3874 gen_not(b2);
3875
3876 /*
3877 * If To DS is not set, the SA is at 16.
3878 */
3879 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3880 gen_and(b2, b1);
3881
3882 /*
3883 * Now OR together the last two checks. That gives
3884 * the complete set of checks for data frames with
3885 * From DS set.
3886 */
3887 gen_or(b1, b0);
3888
3889 /*
3890 * Now check for From DS being set, and AND that with
3891 * the ORed-together checks.
3892 */
3893 s = gen_load_a(OR_LINK, 1, BPF_B);
3894 b1 = new_block(JMP(BPF_JSET));
3895 b1->s.k = 0x02; /* From DS */
3896 b1->stmts = s;
3897 gen_and(b1, b0);
3898
3899 /*
3900 * Now check for data frames with From DS not set.
3901 */
3902 s = gen_load_a(OR_LINK, 1, BPF_B);
3903 b2 = new_block(JMP(BPF_JSET));
3904 b2->s.k = 0x02; /* From DS */
3905 b2->stmts = s;
3906 gen_not(b2);
3907
3908 /*
3909 * If From DS isn't set, the SA is at 10.
3910 */
3911 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3912 gen_and(b2, b1);
3913
3914 /*
3915 * Now OR together the checks for data frames with
3916 * From DS not set and for data frames with From DS
3917 * set; that gives the checks done for data frames.
3918 */
3919 gen_or(b1, b0);
3920
3921 /*
3922 * Now check for a data frame.
3923 * I.e, check "link[0] & 0x08".
3924 */
3925 s = gen_load_a(OR_LINK, 0, BPF_B);
3926 b1 = new_block(JMP(BPF_JSET));
3927 b1->s.k = 0x08;
3928 b1->stmts = s;
3929
3930 /*
3931 * AND that with the checks done for data frames.
3932 */
3933 gen_and(b1, b0);
3934
3935 /*
3936 * If the high-order bit of the type value is 0, this
3937 * is a management frame.
3938 * I.e, check "!(link[0] & 0x08)".
3939 */
3940 s = gen_load_a(OR_LINK, 0, BPF_B);
3941 b2 = new_block(JMP(BPF_JSET));
3942 b2->s.k = 0x08;
3943 b2->stmts = s;
3944 gen_not(b2);
3945
3946 /*
3947 * For management frames, the SA is at 10.
3948 */
3949 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3950 gen_and(b2, b1);
3951
3952 /*
3953 * OR that with the checks done for data frames.
3954 * That gives the checks done for management and
3955 * data frames.
3956 */
3957 gen_or(b1, b0);
3958
3959 /*
3960 * If the low-order bit of the type value is 1,
3961 * this is either a control frame or a frame
3962 * with a reserved type, and thus not a
3963 * frame with an SA.
3964 *
3965 * I.e., check "!(link[0] & 0x04)".
3966 */
3967 s = gen_load_a(OR_LINK, 0, BPF_B);
3968 b1 = new_block(JMP(BPF_JSET));
3969 b1->s.k = 0x04;
3970 b1->stmts = s;
3971 gen_not(b1);
3972
3973 /*
3974 * AND that with the checks for data and management
3975 * frames.
3976 */
3977 gen_and(b1, b0);
3978 return b0;
3979
3980 case Q_DST:
3981 /*
3982 * Oh, yuk.
3983 *
3984 * For control frames, there is no DA.
3985 *
3986 * For management frames, DA is at an
3987 * offset of 4 from the beginning of
3988 * the packet.
3989 *
3990 * For data frames, DA is at an offset
3991 * of 4 from the beginning of the packet
3992 * if To DS is clear and at an offset of
3993 * 16 from the beginning of the packet
3994 * if To DS is set.
3995 */
3996
3997 /*
3998 * Generate the tests to be done for data frames.
3999 *
4000 * First, check for To DS set, i.e. "link[1] & 0x01".
4001 */
4002 s = gen_load_a(OR_LINK, 1, BPF_B);
4003 b1 = new_block(JMP(BPF_JSET));
4004 b1->s.k = 0x01; /* To DS */
4005 b1->stmts = s;
4006
4007 /*
4008 * If To DS is set, the DA is at 16.
4009 */
4010 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4011 gen_and(b1, b0);
4012
4013 /*
4014 * Now, check for To DS not set, i.e. check
4015 * "!(link[1] & 0x01)".
4016 */
4017 s = gen_load_a(OR_LINK, 1, BPF_B);
4018 b2 = new_block(JMP(BPF_JSET));
4019 b2->s.k = 0x01; /* To DS */
4020 b2->stmts = s;
4021 gen_not(b2);
4022
4023 /*
4024 * If To DS is not set, the DA is at 4.
4025 */
4026 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4027 gen_and(b2, b1);
4028
4029 /*
4030 * Now OR together the last two checks. That gives
4031 * the complete set of checks for data frames.
4032 */
4033 gen_or(b1, b0);
4034
4035 /*
4036 * Now check for a data frame.
4037 * I.e, check "link[0] & 0x08".
4038 */
4039 s = gen_load_a(OR_LINK, 0, BPF_B);
4040 b1 = new_block(JMP(BPF_JSET));
4041 b1->s.k = 0x08;
4042 b1->stmts = s;
4043
4044 /*
4045 * AND that with the checks done for data frames.
4046 */
4047 gen_and(b1, b0);
4048
4049 /*
4050 * If the high-order bit of the type value is 0, this
4051 * is a management frame.
4052 * I.e, check "!(link[0] & 0x08)".
4053 */
4054 s = gen_load_a(OR_LINK, 0, BPF_B);
4055 b2 = new_block(JMP(BPF_JSET));
4056 b2->s.k = 0x08;
4057 b2->stmts = s;
4058 gen_not(b2);
4059
4060 /*
4061 * For management frames, the DA is at 4.
4062 */
4063 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4064 gen_and(b2, b1);
4065
4066 /*
4067 * OR that with the checks done for data frames.
4068 * That gives the checks done for management and
4069 * data frames.
4070 */
4071 gen_or(b1, b0);
4072
4073 /*
4074 * If the low-order bit of the type value is 1,
4075 * this is either a control frame or a frame
4076 * with a reserved type, and thus not a
4077 * frame with an SA.
4078 *
4079 * I.e., check "!(link[0] & 0x04)".
4080 */
4081 s = gen_load_a(OR_LINK, 0, BPF_B);
4082 b1 = new_block(JMP(BPF_JSET));
4083 b1->s.k = 0x04;
4084 b1->stmts = s;
4085 gen_not(b1);
4086
4087 /*
4088 * AND that with the checks for data and management
4089 * frames.
4090 */
4091 gen_and(b1, b0);
4092 return b0;
4093
4094 /*
4095 * XXX - add RA, TA, and BSSID keywords?
4096 */
4097 case Q_ADDR1:
4098 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4099
4100 case Q_ADDR2:
4101 /*
4102 * Not present in CTS or ACK control frames.
4103 */
4104 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, IEEE80211_FC0_TYPE_MASK);
4105 gen_not(b0);
4106 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, IEEE80211_FC0_SUBTYPE_MASK);
4107 gen_not(b1);
4108 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, IEEE80211_FC0_SUBTYPE_MASK);
4109 gen_not(b2);
4110 gen_and(b1, b2);
4111 gen_or(b0, b2);
4112 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4113 gen_and(b2, b1);
4114 return b1;
4115
4116 case Q_ADDR3:
4117 /*
4118 * Not present in control frames.
4119 */
4120 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, IEEE80211_FC0_TYPE_MASK);
4121 gen_not(b0);
4122 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4123 gen_and(b0, b1);
4124 return b1;
4125
4126 case Q_ADDR4:
4127 /*
4128 * Present only if the direction mask has both "From DS"
4129 * and "To DS" set. Neither control frames nor management
4130 * frames should have both of those set, so we don't
4131 * check the frame type.
4132 */
4133 b0 = gen_mcmp(OR_LINK, 1, BPF_B, IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4134 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4135 gen_and(b0, b1);
4136 return b1;
4137
4138 case Q_AND:
4139 b0 = gen_wlanhostop(eaddr, Q_SRC);
4140 b1 = gen_wlanhostop(eaddr, Q_DST);
4141 gen_and(b0, b1);
4142 return b1;
4143
4144 case Q_DEFAULT:
4145 case Q_OR:
4146 b0 = gen_wlanhostop(eaddr, Q_SRC);
4147 b1 = gen_wlanhostop(eaddr, Q_DST);
4148 gen_or(b0, b1);
4149 return b1;
4150 }
4151 abort();
4152 /* NOTREACHED */
4153 }
4154
4155 /*
4156 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4157 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4158 * as the RFC states.)
4159 */
gen_ipfchostop(eaddr,dir)4160 static struct block *gen_ipfchostop(eaddr, dir)
4161 register const u_char *eaddr;
4162 register int dir;
4163 {
4164 register struct block *b0, *b1;
4165
4166 switch (dir)
4167 {
4168 case Q_SRC:
4169 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4170
4171 case Q_DST:
4172 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4173
4174 case Q_AND:
4175 b0 = gen_ipfchostop(eaddr, Q_SRC);
4176 b1 = gen_ipfchostop(eaddr, Q_DST);
4177 gen_and(b0, b1);
4178 return b1;
4179
4180 case Q_DEFAULT:
4181 case Q_OR:
4182 b0 = gen_ipfchostop(eaddr, Q_SRC);
4183 b1 = gen_ipfchostop(eaddr, Q_DST);
4184 gen_or(b0, b1);
4185 return b1;
4186 }
4187 abort();
4188 /* NOTREACHED */
4189 }
4190
4191 /*
4192 * This is quite tricky because there may be pad bytes in front of the
4193 * DECNET header, and then there are two possible data packet formats that
4194 * carry both src and dst addresses, plus 5 packet types in a format that
4195 * carries only the src node, plus 2 types that use a different format and
4196 * also carry just the src node.
4197 *
4198 * Yuck.
4199 *
4200 * Instead of doing those all right, we just look for data packets with
4201 * 0 or 1 bytes of padding. If you want to look at other packets, that
4202 * will require a lot more hacking.
4203 *
4204 * To add support for filtering on DECNET "areas" (network numbers)
4205 * one would want to add a "mask" argument to this routine. That would
4206 * make the filter even more inefficient, although one could be clever
4207 * and not generate masking instructions if the mask is 0xFFFF.
4208 */
gen_dnhostop(addr,dir)4209 static struct block *gen_dnhostop(addr, dir)
4210 bpf_u_int32 addr;
4211 int dir;
4212 {
4213 struct block *b0, *b1, *b2, *tmp;
4214 u_int offset_lh; /* offset if long header is received */
4215 u_int offset_sh; /* offset if short header is received */
4216
4217 switch (dir)
4218 {
4219
4220 case Q_DST:
4221 offset_sh = 1; /* follows flags */
4222 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4223 break;
4224
4225 case Q_SRC:
4226 offset_sh = 3; /* follows flags, dstnode */
4227 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4228 break;
4229
4230 case Q_AND:
4231 /* Inefficient because we do our Calvinball dance twice */
4232 b0 = gen_dnhostop(addr, Q_SRC);
4233 b1 = gen_dnhostop(addr, Q_DST);
4234 gen_and(b0, b1);
4235 return b1;
4236
4237 case Q_OR:
4238 case Q_DEFAULT:
4239 /* Inefficient because we do our Calvinball dance twice */
4240 b0 = gen_dnhostop(addr, Q_SRC);
4241 b1 = gen_dnhostop(addr, Q_DST);
4242 gen_or(b0, b1);
4243 return b1;
4244
4245 case Q_ISO:
4246 bpf_error("ISO host filtering not implemented");
4247
4248 default:
4249 abort();
4250 }
4251 b0 = gen_linktype(ETHERTYPE_DN);
4252 /* Check for pad = 1, long header case */
4253 tmp = gen_mcmp(OR_NET, 2, BPF_H, (bpf_int32) ntohs(0x0681), (bpf_int32) ntohs(0x07FF));
4254 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, BPF_H, (bpf_int32) ntohs((u_short) addr));
4255 gen_and(tmp, b1);
4256 /* Check for pad = 0, long header case */
4257 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32) 0x06, (bpf_int32) 0x7);
4258 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32) ntohs((u_short) addr));
4259 gen_and(tmp, b2);
4260 gen_or(b2, b1);
4261 /* Check for pad = 1, short header case */
4262 tmp = gen_mcmp(OR_NET, 2, BPF_H, (bpf_int32) ntohs(0x0281), (bpf_int32) ntohs(0x07FF));
4263 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32) ntohs((u_short) addr));
4264 gen_and(tmp, b2);
4265 gen_or(b2, b1);
4266 /* Check for pad = 0, short header case */
4267 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32) 0x02, (bpf_int32) 0x7);
4268 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32) ntohs((u_short) addr));
4269 gen_and(tmp, b2);
4270 gen_or(b2, b1);
4271
4272 /* Combine with test for linktype */
4273 gen_and(b0, b1);
4274 return b1;
4275 }
4276
4277 /*
4278 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4279 * test the bottom-of-stack bit, and then check the version number
4280 * field in the IP header.
4281 */
gen_mpls_linktype(proto)4282 static struct block *gen_mpls_linktype(proto)
4283 int proto;
4284 {
4285 struct block *b0, *b1;
4286
4287 switch (proto)
4288 {
4289
4290 case Q_IP:
4291 /* match the bottom-of-stack bit */
4292 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4293 /* match the IPv4 version number */
4294 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4295 gen_and(b0, b1);
4296 return b1;
4297
4298 case Q_IPV6:
4299 /* match the bottom-of-stack bit */
4300 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4301 /* match the IPv4 version number */
4302 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4303 gen_and(b0, b1);
4304 return b1;
4305
4306 default:
4307 abort();
4308 }
4309 }
4310
gen_host(addr,mask,proto,dir,type)4311 static struct block *gen_host(addr, mask, proto, dir, type)
4312 bpf_u_int32 addr;
4313 bpf_u_int32 mask;
4314 int proto;
4315 int dir;
4316 int type;
4317 {
4318 struct block *b0, *b1;
4319 const char *typestr;
4320
4321 if (type == Q_NET)
4322 typestr = "net";
4323 else
4324 typestr = "host";
4325
4326 switch (proto)
4327 {
4328
4329 case Q_DEFAULT:
4330 b0 = gen_host(addr, mask, Q_IP, dir, type);
4331 /*
4332 * Only check for non-IPv4 addresses if we're not
4333 * checking MPLS-encapsulated packets.
4334 */
4335 if (label_stack_depth == 0)
4336 {
4337 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4338 gen_or(b0, b1);
4339 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4340 gen_or(b1, b0);
4341 }
4342 return b0;
4343
4344 case Q_IP:
4345 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4346
4347 case Q_RARP:
4348 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4349
4350 case Q_ARP:
4351 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4352
4353 case Q_TCP:
4354 bpf_error("'tcp' modifier applied to %s", typestr);
4355
4356 case Q_SCTP:
4357 bpf_error("'sctp' modifier applied to %s", typestr);
4358
4359 case Q_UDP:
4360 bpf_error("'udp' modifier applied to %s", typestr);
4361
4362 case Q_ICMP:
4363 bpf_error("'icmp' modifier applied to %s", typestr);
4364
4365 case Q_IGMP:
4366 bpf_error("'igmp' modifier applied to %s", typestr);
4367
4368 case Q_IGRP:
4369 bpf_error("'igrp' modifier applied to %s", typestr);
4370
4371 case Q_PIM:
4372 bpf_error("'pim' modifier applied to %s", typestr);
4373
4374 case Q_VRRP:
4375 bpf_error("'vrrp' modifier applied to %s", typestr);
4376
4377 case Q_ATALK:
4378 bpf_error("ATALK host filtering not implemented");
4379
4380 case Q_AARP:
4381 bpf_error("AARP host filtering not implemented");
4382
4383 case Q_DECNET:
4384 return gen_dnhostop(addr, dir);
4385
4386 case Q_SCA:
4387 bpf_error("SCA host filtering not implemented");
4388
4389 case Q_LAT:
4390 bpf_error("LAT host filtering not implemented");
4391
4392 case Q_MOPDL:
4393 bpf_error("MOPDL host filtering not implemented");
4394
4395 case Q_MOPRC:
4396 bpf_error("MOPRC host filtering not implemented");
4397
4398 #ifdef INET6
4399 case Q_IPV6:
4400 bpf_error("'ip6' modifier applied to ip host");
4401
4402 case Q_ICMPV6:
4403 bpf_error("'icmp6' modifier applied to %s", typestr);
4404 #endif /* INET6 */
4405
4406 case Q_AH:
4407 bpf_error("'ah' modifier applied to %s", typestr);
4408
4409 case Q_ESP:
4410 bpf_error("'esp' modifier applied to %s", typestr);
4411
4412 case Q_ISO:
4413 bpf_error("ISO host filtering not implemented");
4414
4415 case Q_ESIS:
4416 bpf_error("'esis' modifier applied to %s", typestr);
4417
4418 case Q_ISIS:
4419 bpf_error("'isis' modifier applied to %s", typestr);
4420
4421 case Q_CLNP:
4422 bpf_error("'clnp' modifier applied to %s", typestr);
4423
4424 case Q_STP:
4425 bpf_error("'stp' modifier applied to %s", typestr);
4426
4427 case Q_IPX:
4428 bpf_error("IPX host filtering not implemented");
4429
4430 case Q_NETBEUI:
4431 bpf_error("'netbeui' modifier applied to %s", typestr);
4432
4433 case Q_RADIO:
4434 bpf_error("'radio' modifier applied to %s", typestr);
4435
4436 default:
4437 abort();
4438 }
4439 /* NOTREACHED */
4440 }
4441
4442 #ifdef INET6
gen_host6(addr,mask,proto,dir,type)4443 static struct block *gen_host6(addr, mask, proto, dir, type)
4444 struct in6_addr *addr;
4445 struct in6_addr *mask;
4446 int proto;
4447 int dir;
4448 int type;
4449 {
4450 const char *typestr;
4451
4452 if (type == Q_NET)
4453 typestr = "net";
4454 else
4455 typestr = "host";
4456
4457 switch (proto)
4458 {
4459
4460 case Q_DEFAULT:
4461 return gen_host6(addr, mask, Q_IPV6, dir, type);
4462
4463 case Q_IP:
4464 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4465
4466 case Q_RARP:
4467 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4468
4469 case Q_ARP:
4470 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4471
4472 case Q_SCTP:
4473 bpf_error("'sctp' modifier applied to %s", typestr);
4474
4475 case Q_TCP:
4476 bpf_error("'tcp' modifier applied to %s", typestr);
4477
4478 case Q_UDP:
4479 bpf_error("'udp' modifier applied to %s", typestr);
4480
4481 case Q_ICMP:
4482 bpf_error("'icmp' modifier applied to %s", typestr);
4483
4484 case Q_IGMP:
4485 bpf_error("'igmp' modifier applied to %s", typestr);
4486
4487 case Q_IGRP:
4488 bpf_error("'igrp' modifier applied to %s", typestr);
4489
4490 case Q_PIM:
4491 bpf_error("'pim' modifier applied to %s", typestr);
4492
4493 case Q_VRRP:
4494 bpf_error("'vrrp' modifier applied to %s", typestr);
4495
4496 case Q_ATALK:
4497 bpf_error("ATALK host filtering not implemented");
4498
4499 case Q_AARP:
4500 bpf_error("AARP host filtering not implemented");
4501
4502 case Q_DECNET:
4503 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4504
4505 case Q_SCA:
4506 bpf_error("SCA host filtering not implemented");
4507
4508 case Q_LAT:
4509 bpf_error("LAT host filtering not implemented");
4510
4511 case Q_MOPDL:
4512 bpf_error("MOPDL host filtering not implemented");
4513
4514 case Q_MOPRC:
4515 bpf_error("MOPRC host filtering not implemented");
4516
4517 case Q_IPV6:
4518 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4519
4520 case Q_ICMPV6:
4521 bpf_error("'icmp6' modifier applied to %s", typestr);
4522
4523 case Q_AH:
4524 bpf_error("'ah' modifier applied to %s", typestr);
4525
4526 case Q_ESP:
4527 bpf_error("'esp' modifier applied to %s", typestr);
4528
4529 case Q_ISO:
4530 bpf_error("ISO host filtering not implemented");
4531
4532 case Q_ESIS:
4533 bpf_error("'esis' modifier applied to %s", typestr);
4534
4535 case Q_ISIS:
4536 bpf_error("'isis' modifier applied to %s", typestr);
4537
4538 case Q_CLNP:
4539 bpf_error("'clnp' modifier applied to %s", typestr);
4540
4541 case Q_STP:
4542 bpf_error("'stp' modifier applied to %s", typestr);
4543
4544 case Q_IPX:
4545 bpf_error("IPX host filtering not implemented");
4546
4547 case Q_NETBEUI:
4548 bpf_error("'netbeui' modifier applied to %s", typestr);
4549
4550 case Q_RADIO:
4551 bpf_error("'radio' modifier applied to %s", typestr);
4552
4553 default:
4554 abort();
4555 }
4556 /* NOTREACHED */
4557 }
4558 #endif /*INET6 */
4559
4560 #ifndef INET6
gen_gateway(eaddr,alist,proto,dir)4561 static struct block *gen_gateway(eaddr, alist, proto, dir)
4562 const u_char *eaddr;
4563 bpf_u_int32 **alist;
4564 int proto;
4565 int dir;
4566 {
4567 struct block *b0, *b1, *tmp;
4568
4569 if (dir != 0)
4570 bpf_error("direction applied to 'gateway'");
4571
4572 switch (proto)
4573 {
4574 case Q_DEFAULT:
4575 case Q_IP:
4576 case Q_ARP:
4577 case Q_RARP:
4578 switch (linktype)
4579 {
4580 case DLT_EN10MB:
4581 b0 = gen_ehostop(eaddr, Q_OR);
4582 break;
4583 case DLT_FDDI:
4584 b0 = gen_fhostop(eaddr, Q_OR);
4585 break;
4586 case DLT_IEEE802:
4587 b0 = gen_thostop(eaddr, Q_OR);
4588 break;
4589 case DLT_IEEE802_11:
4590 case DLT_PRISM_HEADER:
4591 case DLT_IEEE802_11_RADIO_AVS:
4592 case DLT_IEEE802_11_RADIO:
4593 case DLT_PPI:
4594 b0 = gen_wlanhostop(eaddr, Q_OR);
4595 break;
4596 case DLT_SUNATM:
4597 if (!is_lane)
4598 bpf_error
4599 ("'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4600 /*
4601 * Check that the packet doesn't begin with an
4602 * LE Control marker. (We've already generated
4603 * a test for LANE.)
4604 */
4605 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4606 gen_not(b1);
4607
4608 /*
4609 * Now check the MAC address.
4610 */
4611 b0 = gen_ehostop(eaddr, Q_OR);
4612 gen_and(b1, b0);
4613 break;
4614 case DLT_IP_OVER_FC:
4615 b0 = gen_ipfchostop(eaddr, Q_OR);
4616 break;
4617 default:
4618 bpf_error
4619 ("'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4620 }
4621 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4622 while (*alist)
4623 {
4624 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4625 gen_or(b1, tmp);
4626 b1 = tmp;
4627 }
4628 gen_not(b1);
4629 gen_and(b0, b1);
4630 return b1;
4631 }
4632 bpf_error("illegal modifier of 'gateway'");
4633 /* NOTREACHED */
4634 }
4635 #endif
4636
gen_proto_abbrev(proto)4637 struct block *gen_proto_abbrev(proto)
4638 int proto;
4639 {
4640 struct block *b0;
4641 struct block *b1;
4642
4643 switch (proto)
4644 {
4645
4646 case Q_SCTP:
4647 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4648 #ifdef INET6
4649 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4650 gen_or(b0, b1);
4651 #endif
4652 break;
4653
4654 case Q_TCP:
4655 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4656 #ifdef INET6
4657 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4658 gen_or(b0, b1);
4659 #endif
4660 break;
4661
4662 case Q_UDP:
4663 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4664 #ifdef INET6
4665 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4666 gen_or(b0, b1);
4667 #endif
4668 break;
4669
4670 case Q_ICMP:
4671 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4672 break;
4673
4674 #ifndef IPPROTO_IGMP
4675 #define IPPROTO_IGMP 2
4676 #endif
4677
4678 case Q_IGMP:
4679 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4680 break;
4681
4682 #ifndef IPPROTO_IGRP
4683 #define IPPROTO_IGRP 9
4684 #endif
4685 case Q_IGRP:
4686 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4687 break;
4688
4689 #ifndef IPPROTO_PIM
4690 #define IPPROTO_PIM 103
4691 #endif
4692
4693 case Q_PIM:
4694 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4695 #ifdef INET6
4696 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4697 gen_or(b0, b1);
4698 #endif
4699 break;
4700
4701 #ifndef IPPROTO_VRRP
4702 #define IPPROTO_VRRP 112
4703 #endif
4704
4705 case Q_VRRP:
4706 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4707 break;
4708
4709 case Q_IP:
4710 b1 = gen_linktype(ETHERTYPE_IP);
4711 break;
4712
4713 case Q_ARP:
4714 b1 = gen_linktype(ETHERTYPE_ARP);
4715 break;
4716
4717 case Q_RARP:
4718 b1 = gen_linktype(ETHERTYPE_REVARP);
4719 break;
4720
4721 case Q_LINK:
4722 bpf_error("link layer applied in wrong context");
4723
4724 case Q_ATALK:
4725 b1 = gen_linktype(ETHERTYPE_ATALK);
4726 break;
4727
4728 case Q_AARP:
4729 b1 = gen_linktype(ETHERTYPE_AARP);
4730 break;
4731
4732 case Q_DECNET:
4733 b1 = gen_linktype(ETHERTYPE_DN);
4734 break;
4735
4736 case Q_SCA:
4737 b1 = gen_linktype(ETHERTYPE_SCA);
4738 break;
4739
4740 case Q_LAT:
4741 b1 = gen_linktype(ETHERTYPE_LAT);
4742 break;
4743
4744 case Q_MOPDL:
4745 b1 = gen_linktype(ETHERTYPE_MOPDL);
4746 break;
4747
4748 case Q_MOPRC:
4749 b1 = gen_linktype(ETHERTYPE_MOPRC);
4750 break;
4751
4752 #ifdef INET6
4753 case Q_IPV6:
4754 b1 = gen_linktype(ETHERTYPE_IPV6);
4755 break;
4756
4757 #ifndef IPPROTO_ICMPV6
4758 #define IPPROTO_ICMPV6 58
4759 #endif
4760 case Q_ICMPV6:
4761 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4762 break;
4763 #endif /* INET6 */
4764
4765 #ifndef IPPROTO_AH
4766 #define IPPROTO_AH 51
4767 #endif
4768 case Q_AH:
4769 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4770 #ifdef INET6
4771 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4772 gen_or(b0, b1);
4773 #endif
4774 break;
4775
4776 #ifndef IPPROTO_ESP
4777 #define IPPROTO_ESP 50
4778 #endif
4779 case Q_ESP:
4780 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4781 #ifdef INET6
4782 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4783 gen_or(b0, b1);
4784 #endif
4785 break;
4786
4787 case Q_ISO:
4788 b1 = gen_linktype(LLCSAP_ISONS);
4789 break;
4790
4791 case Q_ESIS:
4792 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4793 break;
4794
4795 case Q_ISIS:
4796 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4797 break;
4798
4799 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4800 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4801 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4802 gen_or(b0, b1);
4803 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4804 gen_or(b0, b1);
4805 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4806 gen_or(b0, b1);
4807 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4808 gen_or(b0, b1);
4809 break;
4810
4811 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4812 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4813 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4814 gen_or(b0, b1);
4815 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4816 gen_or(b0, b1);
4817 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4818 gen_or(b0, b1);
4819 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4820 gen_or(b0, b1);
4821 break;
4822
4823 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4824 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4825 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4826 gen_or(b0, b1);
4827 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4828 gen_or(b0, b1);
4829 break;
4830
4831 case Q_ISIS_LSP:
4832 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4833 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4834 gen_or(b0, b1);
4835 break;
4836
4837 case Q_ISIS_SNP:
4838 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4839 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4840 gen_or(b0, b1);
4841 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4842 gen_or(b0, b1);
4843 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4844 gen_or(b0, b1);
4845 break;
4846
4847 case Q_ISIS_CSNP:
4848 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4849 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4850 gen_or(b0, b1);
4851 break;
4852
4853 case Q_ISIS_PSNP:
4854 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4855 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4856 gen_or(b0, b1);
4857 break;
4858
4859 case Q_CLNP:
4860 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4861 break;
4862
4863 case Q_STP:
4864 b1 = gen_linktype(LLCSAP_8021D);
4865 break;
4866
4867 case Q_IPX:
4868 b1 = gen_linktype(LLCSAP_IPX);
4869 break;
4870
4871 case Q_NETBEUI:
4872 b1 = gen_linktype(LLCSAP_NETBEUI);
4873 break;
4874
4875 case Q_RADIO:
4876 bpf_error("'radio' is not a valid protocol type");
4877
4878 default:
4879 abort();
4880 }
4881 return b1;
4882 }
4883
gen_ipfrag()4884 static struct block *gen_ipfrag()
4885 {
4886 struct slist *s;
4887 struct block *b;
4888
4889 /* not ip frag */
4890 s = gen_load_a(OR_NET, 6, BPF_H);
4891 b = new_block(JMP(BPF_JSET));
4892 b->s.k = 0x1fff;
4893 b->stmts = s;
4894 gen_not(b);
4895
4896 return b;
4897 }
4898
4899 /*
4900 * Generate a comparison to a port value in the transport-layer header
4901 * at the specified offset from the beginning of that header.
4902 *
4903 * XXX - this handles a variable-length prefix preceding the link-layer
4904 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4905 * variable-length link-layer headers (such as Token Ring or 802.11
4906 * headers).
4907 */
gen_portatom(off,v)4908 static struct block *gen_portatom(off, v)
4909 int off;
4910 bpf_int32 v;
4911 {
4912 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4913 }
4914
4915 #ifdef INET6
gen_portatom6(off,v)4916 static struct block *gen_portatom6(off, v)
4917 int off;
4918 bpf_int32 v;
4919 {
4920 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4921 }
4922 #endif /*INET6 */
4923
gen_portop(port,proto,dir)4924 struct block *gen_portop(port, proto, dir)
4925 int port, proto, dir;
4926 {
4927 struct block *b0, *b1, *tmp;
4928
4929 /* ip proto 'proto' */
4930 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) proto);
4931 b0 = gen_ipfrag();
4932 gen_and(tmp, b0);
4933
4934 switch (dir)
4935 {
4936 case Q_SRC:
4937 b1 = gen_portatom(0, (bpf_int32) port);
4938 break;
4939
4940 case Q_DST:
4941 b1 = gen_portatom(2, (bpf_int32) port);
4942 break;
4943
4944 case Q_OR:
4945 case Q_DEFAULT:
4946 tmp = gen_portatom(0, (bpf_int32) port);
4947 b1 = gen_portatom(2, (bpf_int32) port);
4948 gen_or(tmp, b1);
4949 break;
4950
4951 case Q_AND:
4952 tmp = gen_portatom(0, (bpf_int32) port);
4953 b1 = gen_portatom(2, (bpf_int32) port);
4954 gen_and(tmp, b1);
4955 break;
4956
4957 default:
4958 abort();
4959 }
4960 gen_and(b0, b1);
4961
4962 return b1;
4963 }
4964
gen_port(port,ip_proto,dir)4965 static struct block *gen_port(port, ip_proto, dir)
4966 int port;
4967 int ip_proto;
4968 int dir;
4969 {
4970 struct block *b0, *b1, *tmp;
4971
4972 /*
4973 * ether proto ip
4974 *
4975 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4976 * not LLC encapsulation with LLCSAP_IP.
4977 *
4978 * For IEEE 802 networks - which includes 802.5 token ring
4979 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4980 * says that SNAP encapsulation is used, not LLC encapsulation
4981 * with LLCSAP_IP.
4982 *
4983 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4984 * RFC 2225 say that SNAP encapsulation is used, not LLC
4985 * encapsulation with LLCSAP_IP.
4986 *
4987 * So we always check for ETHERTYPE_IP.
4988 */
4989 b0 = gen_linktype(ETHERTYPE_IP);
4990
4991 switch (ip_proto)
4992 {
4993 case IPPROTO_UDP:
4994 case IPPROTO_TCP:
4995 case IPPROTO_SCTP:
4996 b1 = gen_portop(port, ip_proto, dir);
4997 break;
4998
4999 case PROTO_UNDEF:
5000 tmp = gen_portop(port, IPPROTO_TCP, dir);
5001 b1 = gen_portop(port, IPPROTO_UDP, dir);
5002 gen_or(tmp, b1);
5003 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5004 gen_or(tmp, b1);
5005 break;
5006
5007 default:
5008 abort();
5009 }
5010 gen_and(b0, b1);
5011 return b1;
5012 }
5013
5014 #ifdef INET6
gen_portop6(port,proto,dir)5015 struct block *gen_portop6(port, proto, dir)
5016 int port, proto, dir;
5017 {
5018 struct block *b0, *b1, *tmp;
5019
5020 /* ip6 proto 'proto' */
5021 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) proto);
5022
5023 switch (dir)
5024 {
5025 case Q_SRC:
5026 b1 = gen_portatom6(0, (bpf_int32) port);
5027 break;
5028
5029 case Q_DST:
5030 b1 = gen_portatom6(2, (bpf_int32) port);
5031 break;
5032
5033 case Q_OR:
5034 case Q_DEFAULT:
5035 tmp = gen_portatom6(0, (bpf_int32) port);
5036 b1 = gen_portatom6(2, (bpf_int32) port);
5037 gen_or(tmp, b1);
5038 break;
5039
5040 case Q_AND:
5041 tmp = gen_portatom6(0, (bpf_int32) port);
5042 b1 = gen_portatom6(2, (bpf_int32) port);
5043 gen_and(tmp, b1);
5044 break;
5045
5046 default:
5047 abort();
5048 }
5049 gen_and(b0, b1);
5050
5051 return b1;
5052 }
5053
gen_port6(port,ip_proto,dir)5054 static struct block *gen_port6(port, ip_proto, dir)
5055 int port;
5056 int ip_proto;
5057 int dir;
5058 {
5059 struct block *b0, *b1, *tmp;
5060
5061 /* link proto ip6 */
5062 b0 = gen_linktype(ETHERTYPE_IPV6);
5063
5064 switch (ip_proto)
5065 {
5066 case IPPROTO_UDP:
5067 case IPPROTO_TCP:
5068 case IPPROTO_SCTP:
5069 b1 = gen_portop6(port, ip_proto, dir);
5070 break;
5071
5072 case PROTO_UNDEF:
5073 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5074 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5075 gen_or(tmp, b1);
5076 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5077 gen_or(tmp, b1);
5078 break;
5079
5080 default:
5081 abort();
5082 }
5083 gen_and(b0, b1);
5084 return b1;
5085 }
5086 #endif /* INET6 */
5087
5088 /* gen_portrange code */
gen_portrangeatom(off,v1,v2)5089 static struct block *gen_portrangeatom(off, v1, v2)
5090 int off;
5091 bpf_int32 v1, v2;
5092 {
5093 struct block *b1, *b2;
5094
5095 if (v1 > v2)
5096 {
5097 /*
5098 * Reverse the order of the ports, so v1 is the lower one.
5099 */
5100 bpf_int32 vtemp;
5101
5102 vtemp = v1;
5103 v1 = v2;
5104 v2 = vtemp;
5105 }
5106
5107 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5108 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5109
5110 gen_and(b1, b2);
5111
5112 return b2;
5113 }
5114
gen_portrangeop(port1,port2,proto,dir)5115 struct block *gen_portrangeop(port1, port2, proto, dir)
5116 int port1, port2;
5117 int proto;
5118 int dir;
5119 {
5120 struct block *b0, *b1, *tmp;
5121
5122 /* ip proto 'proto' */
5123 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) proto);
5124 b0 = gen_ipfrag();
5125 gen_and(tmp, b0);
5126
5127 switch (dir)
5128 {
5129 case Q_SRC:
5130 b1 = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2);
5131 break;
5132
5133 case Q_DST:
5134 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2);
5135 break;
5136
5137 case Q_OR:
5138 case Q_DEFAULT:
5139 tmp = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2);
5140 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2);
5141 gen_or(tmp, b1);
5142 break;
5143
5144 case Q_AND:
5145 tmp = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2);
5146 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2);
5147 gen_and(tmp, b1);
5148 break;
5149
5150 default:
5151 abort();
5152 }
5153 gen_and(b0, b1);
5154
5155 return b1;
5156 }
5157
gen_portrange(port1,port2,ip_proto,dir)5158 static struct block *gen_portrange(port1, port2, ip_proto, dir)
5159 int port1, port2;
5160 int ip_proto;
5161 int dir;
5162 {
5163 struct block *b0, *b1, *tmp;
5164
5165 /* link proto ip */
5166 b0 = gen_linktype(ETHERTYPE_IP);
5167
5168 switch (ip_proto)
5169 {
5170 case IPPROTO_UDP:
5171 case IPPROTO_TCP:
5172 case IPPROTO_SCTP:
5173 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5174 break;
5175
5176 case PROTO_UNDEF:
5177 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5178 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5179 gen_or(tmp, b1);
5180 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5181 gen_or(tmp, b1);
5182 break;
5183
5184 default:
5185 abort();
5186 }
5187 gen_and(b0, b1);
5188 return b1;
5189 }
5190
5191 #ifdef INET6
gen_portrangeatom6(off,v1,v2)5192 static struct block *gen_portrangeatom6(off, v1, v2)
5193 int off;
5194 bpf_int32 v1, v2;
5195 {
5196 struct block *b1, *b2;
5197
5198 if (v1 > v2)
5199 {
5200 /*
5201 * Reverse the order of the ports, so v1 is the lower one.
5202 */
5203 bpf_int32 vtemp;
5204
5205 vtemp = v1;
5206 v1 = v2;
5207 v2 = vtemp;
5208 }
5209
5210 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5211 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5212
5213 gen_and(b1, b2);
5214
5215 return b2;
5216 }
5217
gen_portrangeop6(port1,port2,proto,dir)5218 struct block *gen_portrangeop6(port1, port2, proto, dir)
5219 int port1, port2;
5220 int proto;
5221 int dir;
5222 {
5223 struct block *b0, *b1, *tmp;
5224
5225 /* ip6 proto 'proto' */
5226 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) proto);
5227
5228 switch (dir)
5229 {
5230 case Q_SRC:
5231 b1 = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2);
5232 break;
5233
5234 case Q_DST:
5235 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2);
5236 break;
5237
5238 case Q_OR:
5239 case Q_DEFAULT:
5240 tmp = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2);
5241 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2);
5242 gen_or(tmp, b1);
5243 break;
5244
5245 case Q_AND:
5246 tmp = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2);
5247 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2);
5248 gen_and(tmp, b1);
5249 break;
5250
5251 default:
5252 abort();
5253 }
5254 gen_and(b0, b1);
5255
5256 return b1;
5257 }
5258
gen_portrange6(port1,port2,ip_proto,dir)5259 static struct block *gen_portrange6(port1, port2, ip_proto, dir)
5260 int port1, port2;
5261 int ip_proto;
5262 int dir;
5263 {
5264 struct block *b0, *b1, *tmp;
5265
5266 /* link proto ip6 */
5267 b0 = gen_linktype(ETHERTYPE_IPV6);
5268
5269 switch (ip_proto)
5270 {
5271 case IPPROTO_UDP:
5272 case IPPROTO_TCP:
5273 case IPPROTO_SCTP:
5274 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5275 break;
5276
5277 case PROTO_UNDEF:
5278 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5279 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5280 gen_or(tmp, b1);
5281 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5282 gen_or(tmp, b1);
5283 break;
5284
5285 default:
5286 abort();
5287 }
5288 gen_and(b0, b1);
5289 return b1;
5290 }
5291 #endif /* INET6 */
5292
lookup_proto(name,proto)5293 static int lookup_proto(name, proto)
5294 register const char *name;
5295 register int proto;
5296 {
5297 register int v;
5298
5299 switch (proto)
5300 {
5301
5302 case Q_DEFAULT:
5303 case Q_IP:
5304 case Q_IPV6:
5305 v = pcap_nametoproto(name);
5306 if (v == PROTO_UNDEF)
5307 bpf_error("unknown ip proto '%s'", name);
5308 break;
5309
5310 case Q_LINK:
5311 /* XXX should look up h/w protocol type based on linktype */
5312 v = pcap_nametoeproto(name);
5313 if (v == PROTO_UNDEF)
5314 {
5315 v = pcap_nametollc(name);
5316 if (v == PROTO_UNDEF)
5317 bpf_error("unknown ether proto '%s'", name);
5318 }
5319 break;
5320
5321 case Q_ISO:
5322 if (strcmp(name, "esis") == 0)
5323 v = ISO9542_ESIS;
5324 else if (strcmp(name, "isis") == 0)
5325 v = ISO10589_ISIS;
5326 else if (strcmp(name, "clnp") == 0)
5327 v = ISO8473_CLNP;
5328 else
5329 bpf_error("unknown osi proto '%s'", name);
5330 break;
5331
5332 default:
5333 v = PROTO_UNDEF;
5334 break;
5335 }
5336 return v;
5337 }
5338
gen_protochain(v,proto,dir)5339 static struct block *gen_protochain(v, proto, dir)
5340 int v;
5341 int proto;
5342 int dir;
5343 {
5344 #ifdef NO_PROTOCHAIN
5345 return gen_proto(v, proto, dir);
5346 #else
5347 struct block *b0, *b;
5348 struct slist *s[100];
5349 int fix2, fix3, fix4, fix5;
5350 int ahcheck, again, end;
5351 int i, max;
5352 int reg2 = alloc_reg();
5353
5354 memset(s, 0, sizeof(s));
5355 fix2 = fix3 = fix4 = fix5 = 0;
5356
5357 switch (proto)
5358 {
5359 case Q_IP:
5360 case Q_IPV6:
5361 break;
5362 case Q_DEFAULT:
5363 b0 = gen_protochain(v, Q_IP, dir);
5364 b = gen_protochain(v, Q_IPV6, dir);
5365 gen_or(b0, b);
5366 return b;
5367 default:
5368 bpf_error("bad protocol applied for 'protochain'");
5369 /*NOTREACHED*/}
5370
5371 /*
5372 * We don't handle variable-length prefixes before the link-layer
5373 * header, or variable-length link-layer headers, here yet.
5374 * We might want to add BPF instructions to do the protochain
5375 * work, to simplify that and, on platforms that have a BPF
5376 * interpreter with the new instructions, let the filtering
5377 * be done in the kernel. (We already require a modified BPF
5378 * engine to do the protochain stuff, to support backward
5379 * branches, and backward branch support is unlikely to appear
5380 * in kernel BPF engines.)
5381 */
5382 switch (linktype)
5383 {
5384
5385 case DLT_IEEE802_11:
5386 case DLT_PRISM_HEADER:
5387 case DLT_IEEE802_11_RADIO_AVS:
5388 case DLT_IEEE802_11_RADIO:
5389 case DLT_PPI:
5390 bpf_error("'protochain' not supported with 802.11");
5391 }
5392
5393 no_optimize = 1; /*this code is not compatible with optimzer yet */
5394
5395 /*
5396 * s[0] is a dummy entry to protect other BPF insn from damage
5397 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5398 * hard to find interdependency made by jump table fixup.
5399 */
5400 i = 0;
5401 s[i] = new_stmt(0); /*dummy */
5402 i++;
5403
5404 switch (proto)
5405 {
5406 case Q_IP:
5407 b0 = gen_linktype(ETHERTYPE_IP);
5408
5409 /* A = ip->ip_p */
5410 s[i] = new_stmt(BPF_LD | BPF_ABS | BPF_B);
5411 s[i]->s.k = off_macpl + off_nl + 9;
5412 i++;
5413 /* X = ip->ip_hl << 2 */
5414 s[i] = new_stmt(BPF_LDX | BPF_MSH | BPF_B);
5415 s[i]->s.k = off_macpl + off_nl;
5416 i++;
5417 break;
5418 #ifdef INET6
5419 case Q_IPV6:
5420 b0 = gen_linktype(ETHERTYPE_IPV6);
5421
5422 /* A = ip6->ip_nxt */
5423 s[i] = new_stmt(BPF_LD | BPF_ABS | BPF_B);
5424 s[i]->s.k = off_macpl + off_nl + 6;
5425 i++;
5426 /* X = sizeof(struct ip6_hdr) */
5427 s[i] = new_stmt(BPF_LDX | BPF_IMM);
5428 s[i]->s.k = 40;
5429 i++;
5430 break;
5431 #endif
5432 default:
5433 bpf_error("unsupported proto to gen_protochain");
5434 /*NOTREACHED*/}
5435
5436 /* again: if (A == v) goto end; else fall through; */
5437 again = i;
5438 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5439 s[i]->s.k = v;
5440 s[i]->s.jt = NULL; /*later */
5441 s[i]->s.jf = NULL; /*update in next stmt */
5442 fix5 = i;
5443 i++;
5444
5445 #ifndef IPPROTO_NONE
5446 #define IPPROTO_NONE 59
5447 #endif
5448 /* if (A == IPPROTO_NONE) goto end */
5449 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5450 s[i]->s.jt = NULL; /*later */
5451 s[i]->s.jf = NULL; /*update in next stmt */
5452 s[i]->s.k = IPPROTO_NONE;
5453 s[fix5]->s.jf = s[i];
5454 fix2 = i;
5455 i++;
5456
5457 #ifdef INET6
5458 if (proto == Q_IPV6)
5459 {
5460 int v6start, v6end, v6advance, j;
5461
5462 v6start = i;
5463 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5464 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5465 s[i]->s.jt = NULL; /*later */
5466 s[i]->s.jf = NULL; /*update in next stmt */
5467 s[i]->s.k = IPPROTO_HOPOPTS;
5468 s[fix2]->s.jf = s[i];
5469 i++;
5470 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5471 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5472 s[i]->s.jt = NULL; /*later */
5473 s[i]->s.jf = NULL; /*update in next stmt */
5474 s[i]->s.k = IPPROTO_DSTOPTS;
5475 i++;
5476 /* if (A == IPPROTO_ROUTING) goto v6advance */
5477 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5478 s[i]->s.jt = NULL; /*later */
5479 s[i]->s.jf = NULL; /*update in next stmt */
5480 s[i]->s.k = IPPROTO_ROUTING;
5481 i++;
5482 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5483 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5484 s[i]->s.jt = NULL; /*later */
5485 s[i]->s.jf = NULL; /*later */
5486 s[i]->s.k = IPPROTO_FRAGMENT;
5487 fix3 = i;
5488 v6end = i;
5489 i++;
5490
5491 /* v6advance: */
5492 v6advance = i;
5493
5494 /*
5495 * in short,
5496 * A = P[X];
5497 * X = X + (P[X + 1] + 1) * 8;
5498 */
5499 /* A = X */
5500 s[i] = new_stmt(BPF_MISC | BPF_TXA);
5501 i++;
5502 /* A = P[X + packet head] */
5503 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B);
5504 s[i]->s.k = off_macpl + off_nl;
5505 i++;
5506 /* MEM[reg2] = A */
5507 s[i] = new_stmt(BPF_ST);
5508 s[i]->s.k = reg2;
5509 i++;
5510 /* A = X */
5511 s[i] = new_stmt(BPF_MISC | BPF_TXA);
5512 i++;
5513 /* A += 1 */
5514 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5515 s[i]->s.k = 1;
5516 i++;
5517 /* X = A */
5518 s[i] = new_stmt(BPF_MISC | BPF_TAX);
5519 i++;
5520 /* A = P[X + packet head]; */
5521 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B);
5522 s[i]->s.k = off_macpl + off_nl;
5523 i++;
5524 /* A += 1 */
5525 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5526 s[i]->s.k = 1;
5527 i++;
5528 /* A *= 8 */
5529 s[i] = new_stmt(BPF_ALU | BPF_MUL | BPF_K);
5530 s[i]->s.k = 8;
5531 i++;
5532 /* X = A; */
5533 s[i] = new_stmt(BPF_MISC | BPF_TAX);
5534 i++;
5535 /* A = MEM[reg2] */
5536 s[i] = new_stmt(BPF_LD | BPF_MEM);
5537 s[i]->s.k = reg2;
5538 i++;
5539
5540 /* goto again; (must use BPF_JA for backward jump) */
5541 s[i] = new_stmt(BPF_JMP | BPF_JA);
5542 s[i]->s.k = again - i - 1;
5543 s[i - 1]->s.jf = s[i];
5544 i++;
5545
5546 /* fixup */
5547 for (j = v6start; j <= v6end; j++)
5548 s[j]->s.jt = s[v6advance];
5549 }
5550 else
5551 #endif
5552 {
5553 /* nop */
5554 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5555 s[i]->s.k = 0;
5556 s[fix2]->s.jf = s[i];
5557 i++;
5558 }
5559
5560 /* ahcheck: */
5561 ahcheck = i;
5562 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5563 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K);
5564 s[i]->s.jt = NULL; /*later */
5565 s[i]->s.jf = NULL; /*later */
5566 s[i]->s.k = IPPROTO_AH;
5567 if (fix3)
5568 s[fix3]->s.jf = s[ahcheck];
5569 fix4 = i;
5570 i++;
5571
5572 /*
5573 * in short,
5574 * A = P[X];
5575 * X = X + (P[X + 1] + 2) * 4;
5576 */
5577 /* A = X */
5578 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC | BPF_TXA);
5579 i++;
5580 /* A = P[X + packet head]; */
5581 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B);
5582 s[i]->s.k = off_macpl + off_nl;
5583 i++;
5584 /* MEM[reg2] = A */
5585 s[i] = new_stmt(BPF_ST);
5586 s[i]->s.k = reg2;
5587 i++;
5588 /* A = X */
5589 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC | BPF_TXA);
5590 i++;
5591 /* A += 1 */
5592 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5593 s[i]->s.k = 1;
5594 i++;
5595 /* X = A */
5596 s[i] = new_stmt(BPF_MISC | BPF_TAX);
5597 i++;
5598 /* A = P[X + packet head] */
5599 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B);
5600 s[i]->s.k = off_macpl + off_nl;
5601 i++;
5602 /* A += 2 */
5603 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5604 s[i]->s.k = 2;
5605 i++;
5606 /* A *= 4 */
5607 s[i] = new_stmt(BPF_ALU | BPF_MUL | BPF_K);
5608 s[i]->s.k = 4;
5609 i++;
5610 /* X = A; */
5611 s[i] = new_stmt(BPF_MISC | BPF_TAX);
5612 i++;
5613 /* A = MEM[reg2] */
5614 s[i] = new_stmt(BPF_LD | BPF_MEM);
5615 s[i]->s.k = reg2;
5616 i++;
5617
5618 /* goto again; (must use BPF_JA for backward jump) */
5619 s[i] = new_stmt(BPF_JMP | BPF_JA);
5620 s[i]->s.k = again - i - 1;
5621 i++;
5622
5623 /* end: nop */
5624 end = i;
5625 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K);
5626 s[i]->s.k = 0;
5627 s[fix2]->s.jt = s[end];
5628 s[fix4]->s.jf = s[end];
5629 s[fix5]->s.jt = s[end];
5630 i++;
5631
5632 /*
5633 * make slist chain
5634 */
5635 max = i;
5636 for (i = 0; i < max - 1; i++)
5637 s[i]->next = s[i + 1];
5638 s[max - 1]->next = NULL;
5639
5640 /*
5641 * emit final check
5642 */
5643 b = new_block(JMP(BPF_JEQ));
5644 b->stmts = s[1]; /*remember, s[0] is dummy */
5645 b->s.k = v;
5646
5647 free_reg(reg2);
5648
5649 gen_and(b0, b);
5650 return b;
5651 #endif
5652 }
5653
gen_check_802_11_data_frame()5654 static struct block *gen_check_802_11_data_frame()
5655 {
5656 struct slist *s;
5657 struct block *b0, *b1;
5658
5659 /*
5660 * A data frame has the 0x08 bit (b3) in the frame control field set
5661 * and the 0x04 bit (b2) clear.
5662 */
5663 s = gen_load_a(OR_LINK, 0, BPF_B);
5664 b0 = new_block(JMP(BPF_JSET));
5665 b0->s.k = 0x08;
5666 b0->stmts = s;
5667
5668 s = gen_load_a(OR_LINK, 0, BPF_B);
5669 b1 = new_block(JMP(BPF_JSET));
5670 b1->s.k = 0x04;
5671 b1->stmts = s;
5672 gen_not(b1);
5673
5674 gen_and(b1, b0);
5675
5676 return b0;
5677 }
5678
5679 /*
5680 * Generate code that checks whether the packet is a packet for protocol
5681 * <proto> and whether the type field in that protocol's header has
5682 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5683 * IP packet and checks the protocol number in the IP header against <v>.
5684 *
5685 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5686 * against Q_IP and Q_IPV6.
5687 */
gen_proto(v,proto,dir)5688 static struct block *gen_proto(v, proto, dir)
5689 int v;
5690 int proto;
5691 int dir;
5692 {
5693 struct block *b0, *b1;
5694
5695 if (dir != Q_DEFAULT)
5696 bpf_error("direction applied to 'proto'");
5697
5698 switch (proto)
5699 {
5700 case Q_DEFAULT:
5701 #ifdef INET6
5702 b0 = gen_proto(v, Q_IP, dir);
5703 b1 = gen_proto(v, Q_IPV6, dir);
5704 gen_or(b0, b1);
5705 return b1;
5706 #else
5707 /*FALLTHROUGH*/
5708 #endif
5709 case Q_IP:
5710 /*
5711 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5712 * not LLC encapsulation with LLCSAP_IP.
5713 *
5714 * For IEEE 802 networks - which includes 802.5 token ring
5715 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5716 * says that SNAP encapsulation is used, not LLC encapsulation
5717 * with LLCSAP_IP.
5718 *
5719 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5720 * RFC 2225 say that SNAP encapsulation is used, not LLC
5721 * encapsulation with LLCSAP_IP.
5722 *
5723 * So we always check for ETHERTYPE_IP.
5724 */
5725 b0 = gen_linktype(ETHERTYPE_IP);
5726 #ifndef CHASE_CHAIN
5727 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) v);
5728 #else
5729 b1 = gen_protochain(v, Q_IP);
5730 #endif
5731 gen_and(b0, b1);
5732 return b1;
5733
5734 case Q_ISO:
5735 switch (linktype)
5736 {
5737
5738 case DLT_FRELAY:
5739 /*
5740 * Frame Relay packets typically have an OSI
5741 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5742 * generates code to check for all the OSI
5743 * NLPIDs, so calling it and then adding a check
5744 * for the particular NLPID for which we're
5745 * looking is bogus, as we can just check for
5746 * the NLPID.
5747 *
5748 * What we check for is the NLPID and a frame
5749 * control field value of UI, i.e. 0x03 followed
5750 * by the NLPID.
5751 *
5752 * XXX - assumes a 2-byte Frame Relay header with
5753 * DLCI and flags. What if the address is longer?
5754 *
5755 * XXX - what about SNAP-encapsulated frames?
5756 */
5757 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | v);
5758 /*NOTREACHED*/ break;
5759
5760 case DLT_C_HDLC:
5761 /*
5762 * Cisco uses an Ethertype lookalike - for OSI,
5763 * it's 0xfefe.
5764 */
5765 b0 = gen_linktype(LLCSAP_ISONS << 8 | LLCSAP_ISONS);
5766 /* OSI in C-HDLC is stuffed with a fudge byte */
5767 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long) v);
5768 gen_and(b0, b1);
5769 return b1;
5770
5771 default:
5772 b0 = gen_linktype(LLCSAP_ISONS);
5773 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long) v);
5774 gen_and(b0, b1);
5775 return b1;
5776 }
5777
5778 case Q_ISIS:
5779 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5780 /*
5781 * 4 is the offset of the PDU type relative to the IS-IS
5782 * header.
5783 */
5784 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long) v);
5785 gen_and(b0, b1);
5786 return b1;
5787
5788 case Q_ARP:
5789 bpf_error("arp does not encapsulate another protocol");
5790 /* NOTREACHED */
5791
5792 case Q_RARP:
5793 bpf_error("rarp does not encapsulate another protocol");
5794 /* NOTREACHED */
5795
5796 case Q_ATALK:
5797 bpf_error("atalk encapsulation is not specifiable");
5798 /* NOTREACHED */
5799
5800 case Q_DECNET:
5801 bpf_error("decnet encapsulation is not specifiable");
5802 /* NOTREACHED */
5803
5804 case Q_SCA:
5805 bpf_error("sca does not encapsulate another protocol");
5806 /* NOTREACHED */
5807
5808 case Q_LAT:
5809 bpf_error("lat does not encapsulate another protocol");
5810 /* NOTREACHED */
5811
5812 case Q_MOPRC:
5813 bpf_error("moprc does not encapsulate another protocol");
5814 /* NOTREACHED */
5815
5816 case Q_MOPDL:
5817 bpf_error("mopdl does not encapsulate another protocol");
5818 /* NOTREACHED */
5819
5820 case Q_LINK:
5821 return gen_linktype(v);
5822
5823 case Q_UDP:
5824 bpf_error("'udp proto' is bogus");
5825 /* NOTREACHED */
5826
5827 case Q_TCP:
5828 bpf_error("'tcp proto' is bogus");
5829 /* NOTREACHED */
5830
5831 case Q_SCTP:
5832 bpf_error("'sctp proto' is bogus");
5833 /* NOTREACHED */
5834
5835 case Q_ICMP:
5836 bpf_error("'icmp proto' is bogus");
5837 /* NOTREACHED */
5838
5839 case Q_IGMP:
5840 bpf_error("'igmp proto' is bogus");
5841 /* NOTREACHED */
5842
5843 case Q_IGRP:
5844 bpf_error("'igrp proto' is bogus");
5845 /* NOTREACHED */
5846
5847 case Q_PIM:
5848 bpf_error("'pim proto' is bogus");
5849 /* NOTREACHED */
5850
5851 case Q_VRRP:
5852 bpf_error("'vrrp proto' is bogus");
5853 /* NOTREACHED */
5854
5855 #ifdef INET6
5856 case Q_IPV6:
5857 b0 = gen_linktype(ETHERTYPE_IPV6);
5858 #ifndef CHASE_CHAIN
5859 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) v);
5860 #else
5861 b1 = gen_protochain(v, Q_IPV6);
5862 #endif
5863 gen_and(b0, b1);
5864 return b1;
5865
5866 case Q_ICMPV6:
5867 bpf_error("'icmp6 proto' is bogus");
5868 #endif /* INET6 */
5869
5870 case Q_AH:
5871 bpf_error("'ah proto' is bogus");
5872
5873 case Q_ESP:
5874 bpf_error("'ah proto' is bogus");
5875
5876 case Q_STP:
5877 bpf_error("'stp proto' is bogus");
5878
5879 case Q_IPX:
5880 bpf_error("'ipx proto' is bogus");
5881
5882 case Q_NETBEUI:
5883 bpf_error("'netbeui proto' is bogus");
5884
5885 case Q_RADIO:
5886 bpf_error("'radio proto' is bogus");
5887
5888 default:
5889 abort();
5890 /* NOTREACHED */
5891 }
5892 /* NOTREACHED */
5893 }
5894
gen_scode(name,q)5895 struct block *gen_scode(name, q)
5896 register const char *name;
5897 struct qual q;
5898 {
5899 int proto = q.proto;
5900 int dir = q.dir;
5901 int tproto;
5902 u_char *eaddr;
5903 bpf_u_int32 mask, addr;
5904 #ifndef INET6
5905 bpf_u_int32 **alist;
5906 #else
5907 int tproto6;
5908 struct sockaddr_in *sin4;
5909 struct sockaddr_in6 *sin6;
5910 struct addrinfo *res, *res0;
5911 struct in6_addr mask128;
5912 #endif /*INET6 */
5913 struct block *b, *tmp;
5914 int port, real_proto;
5915 int port1, port2;
5916
5917 switch (q.addr)
5918 {
5919
5920 case Q_NET:
5921 addr = pcap_nametonetaddr(name);
5922 if (addr == 0)
5923 bpf_error("unknown network '%s'", name);
5924 /* Left justify network addr and calculate its network mask */
5925 mask = 0xffffffff;
5926 while (addr && (addr & 0xff000000) == 0)
5927 {
5928 addr <<= 8;
5929 mask <<= 8;
5930 }
5931 return gen_host(addr, mask, proto, dir, q.addr);
5932
5933 case Q_DEFAULT:
5934 case Q_HOST:
5935 if (proto == Q_LINK)
5936 {
5937 switch (linktype)
5938 {
5939
5940 case DLT_EN10MB:
5941 eaddr = pcap_ether_hostton(name);
5942 if (eaddr == NULL)
5943 bpf_error("unknown ether host '%s'", name);
5944 b = gen_ehostop(eaddr, dir);
5945 free(eaddr);
5946 return b;
5947
5948 case DLT_FDDI:
5949 eaddr = pcap_ether_hostton(name);
5950 if (eaddr == NULL)
5951 bpf_error("unknown FDDI host '%s'", name);
5952 b = gen_fhostop(eaddr, dir);
5953 free(eaddr);
5954 return b;
5955
5956 case DLT_IEEE802:
5957 eaddr = pcap_ether_hostton(name);
5958 if (eaddr == NULL)
5959 bpf_error("unknown token ring host '%s'", name);
5960 b = gen_thostop(eaddr, dir);
5961 free(eaddr);
5962 return b;
5963
5964 case DLT_IEEE802_11:
5965 case DLT_PRISM_HEADER:
5966 case DLT_IEEE802_11_RADIO_AVS:
5967 case DLT_IEEE802_11_RADIO:
5968 case DLT_PPI:
5969 eaddr = pcap_ether_hostton(name);
5970 if (eaddr == NULL)
5971 bpf_error("unknown 802.11 host '%s'", name);
5972 b = gen_wlanhostop(eaddr, dir);
5973 free(eaddr);
5974 return b;
5975
5976 case DLT_IP_OVER_FC:
5977 eaddr = pcap_ether_hostton(name);
5978 if (eaddr == NULL)
5979 bpf_error("unknown Fibre Channel host '%s'", name);
5980 b = gen_ipfchostop(eaddr, dir);
5981 free(eaddr);
5982 return b;
5983
5984 case DLT_SUNATM:
5985 if (!is_lane)
5986 break;
5987
5988 /*
5989 * Check that the packet doesn't begin
5990 * with an LE Control marker. (We've
5991 * already generated a test for LANE.)
5992 */
5993 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
5994 gen_not(tmp);
5995
5996 eaddr = pcap_ether_hostton(name);
5997 if (eaddr == NULL)
5998 bpf_error("unknown ether host '%s'", name);
5999 b = gen_ehostop(eaddr, dir);
6000 gen_and(tmp, b);
6001 free(eaddr);
6002 return b;
6003 }
6004
6005 bpf_error
6006 ("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6007 }
6008 else if (proto == Q_DECNET)
6009 {
6010 unsigned short dn_addr = __pcap_nametodnaddr(name);
6011 /*
6012 * I don't think DECNET hosts can be multihomed, so
6013 * there is no need to build up a list of addresses
6014 */
6015 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6016 }
6017 else
6018 {
6019 #ifndef INET6
6020 alist = pcap_nametoaddr(name);
6021 if (alist == NULL || *alist == NULL)
6022 bpf_error("unknown host '%s'", name);
6023 tproto = proto;
6024 if (off_linktype == (u_int) - 1 && tproto == Q_DEFAULT)
6025 tproto = Q_IP;
6026 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6027 while (*alist)
6028 {
6029 tmp = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6030 gen_or(b, tmp);
6031 b = tmp;
6032 }
6033 return b;
6034 #else
6035 memset(&mask128, 0xff, sizeof(mask128));
6036 res0 = res = pcap_nametoaddrinfo(name);
6037 if (res == NULL)
6038 bpf_error("unknown host '%s'", name);
6039 ai = res;
6040 b = tmp = NULL;
6041 tproto = tproto6 = proto;
6042 if (off_linktype == -1 && tproto == Q_DEFAULT)
6043 {
6044 tproto = Q_IP;
6045 tproto6 = Q_IPV6;
6046 }
6047 for (res = res0; res; res = res->ai_next)
6048 {
6049 switch (res->ai_family)
6050 {
6051 case AF_INET:
6052 if (tproto == Q_IPV6)
6053 continue;
6054
6055 sin4 = (struct sockaddr_in *) res->ai_addr;
6056 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 0xffffffff, tproto, dir, q.addr);
6057 break;
6058 case AF_INET6:
6059 if (tproto6 == Q_IP)
6060 continue;
6061
6062 sin6 = (struct sockaddr_in6 *) res->ai_addr;
6063 tmp = gen_host6(&sin6->sin6_addr, &mask128, tproto6, dir, q.addr);
6064 break;
6065 default:
6066 continue;
6067 }
6068 if (b)
6069 gen_or(b, tmp);
6070 b = tmp;
6071 }
6072 ai = NULL;
6073 freeaddrinfo(res0);
6074 if (b == NULL)
6075 {
6076 bpf_error("unknown host '%s'%s", name,
6077 (proto == Q_DEFAULT) ? "" : " for specified address family");
6078 }
6079 return b;
6080 #endif /*INET6 */
6081 }
6082
6083 case Q_PORT:
6084 if (proto != Q_DEFAULT && proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6085 bpf_error("illegal qualifier of 'port'");
6086 if (pcap_nametoport(name, &port, &real_proto) == 0)
6087 bpf_error("unknown port '%s'", name);
6088 if (proto == Q_UDP)
6089 {
6090 if (real_proto == IPPROTO_TCP)
6091 bpf_error("port '%s' is tcp", name);
6092 else if (real_proto == IPPROTO_SCTP)
6093 bpf_error("port '%s' is sctp", name);
6094 else
6095 /* override PROTO_UNDEF */
6096 real_proto = IPPROTO_UDP;
6097 }
6098 if (proto == Q_TCP)
6099 {
6100 if (real_proto == IPPROTO_UDP)
6101 bpf_error("port '%s' is udp", name);
6102
6103 else if (real_proto == IPPROTO_SCTP)
6104 bpf_error("port '%s' is sctp", name);
6105 else
6106 /* override PROTO_UNDEF */
6107 real_proto = IPPROTO_TCP;
6108 }
6109 if (proto == Q_SCTP)
6110 {
6111 if (real_proto == IPPROTO_UDP)
6112 bpf_error("port '%s' is udp", name);
6113
6114 else if (real_proto == IPPROTO_TCP)
6115 bpf_error("port '%s' is tcp", name);
6116 else
6117 /* override PROTO_UNDEF */
6118 real_proto = IPPROTO_SCTP;
6119 }
6120 #ifndef INET6
6121 return gen_port(port, real_proto, dir);
6122 #else
6123 b = gen_port(port, real_proto, dir);
6124 gen_or(gen_port6(port, real_proto, dir), b);
6125 return b;
6126 #endif /* INET6 */
6127
6128 case Q_PORTRANGE:
6129 if (proto != Q_DEFAULT && proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6130 bpf_error("illegal qualifier of 'portrange'");
6131 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6132 bpf_error("unknown port in range '%s'", name);
6133 if (proto == Q_UDP)
6134 {
6135 if (real_proto == IPPROTO_TCP)
6136 bpf_error("port in range '%s' is tcp", name);
6137 else if (real_proto == IPPROTO_SCTP)
6138 bpf_error("port in range '%s' is sctp", name);
6139 else
6140 /* override PROTO_UNDEF */
6141 real_proto = IPPROTO_UDP;
6142 }
6143 if (proto == Q_TCP)
6144 {
6145 if (real_proto == IPPROTO_UDP)
6146 bpf_error("port in range '%s' is udp", name);
6147 else if (real_proto == IPPROTO_SCTP)
6148 bpf_error("port in range '%s' is sctp", name);
6149 else
6150 /* override PROTO_UNDEF */
6151 real_proto = IPPROTO_TCP;
6152 }
6153 if (proto == Q_SCTP)
6154 {
6155 if (real_proto == IPPROTO_UDP)
6156 bpf_error("port in range '%s' is udp", name);
6157 else if (real_proto == IPPROTO_TCP)
6158 bpf_error("port in range '%s' is tcp", name);
6159 else
6160 /* override PROTO_UNDEF */
6161 real_proto = IPPROTO_SCTP;
6162 }
6163 #ifndef INET6
6164 return gen_portrange(port1, port2, real_proto, dir);
6165 #else
6166 b = gen_portrange(port1, port2, real_proto, dir);
6167 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6168 return b;
6169 #endif /* INET6 */
6170
6171 case Q_GATEWAY:
6172 #ifndef INET6
6173 eaddr = pcap_ether_hostton(name);
6174 if (eaddr == NULL)
6175 bpf_error("unknown ether host: %s", name);
6176
6177 alist = pcap_nametoaddr(name);
6178 if (alist == NULL || *alist == NULL)
6179 bpf_error("unknown host '%s'", name);
6180 b = gen_gateway(eaddr, alist, proto, dir);
6181 free(eaddr);
6182 return b;
6183 #else
6184 bpf_error("'gateway' not supported in this configuration");
6185 #endif /*INET6 */
6186
6187 case Q_PROTO:
6188 real_proto = lookup_proto(name, proto);
6189 if (real_proto >= 0)
6190 return gen_proto(real_proto, proto, dir);
6191 else
6192 bpf_error("unknown protocol: %s", name);
6193
6194 case Q_PROTOCHAIN:
6195 real_proto = lookup_proto(name, proto);
6196 if (real_proto >= 0)
6197 return gen_protochain(real_proto, proto, dir);
6198 else
6199 bpf_error("unknown protocol: %s", name);
6200
6201 case Q_UNDEF:
6202 syntax();
6203 /* NOTREACHED */
6204 }
6205 abort();
6206 /* NOTREACHED */
6207 }
6208
gen_mcode(s1,s2,masklen,q)6209 struct block *gen_mcode(s1, s2, masklen, q)
6210 register const char *s1, *s2;
6211 register int masklen;
6212 struct qual q;
6213 {
6214 register int nlen, mlen;
6215 bpf_u_int32 n, m;
6216
6217 nlen = __pcap_atoin(s1, &n);
6218 /* Promote short ipaddr */
6219 n <<= 32 - nlen;
6220
6221 if (s2 != NULL)
6222 {
6223 mlen = __pcap_atoin(s2, &m);
6224 /* Promote short ipaddr */
6225 m <<= 32 - mlen;
6226 if ((n & ~m) != 0)
6227 bpf_error("non-network bits set in \"%s mask %s\"", s1, s2);
6228 }
6229 else
6230 {
6231 /* Convert mask len to mask */
6232 if (masklen > 32)
6233 bpf_error("mask length must be <= 32");
6234 if (masklen == 0)
6235 {
6236 /*
6237 * X << 32 is not guaranteed by C to be 0; it's
6238 * undefined.
6239 */
6240 m = 0;
6241 }
6242 else
6243 m = 0xffffffff << (32 - masklen);
6244 if ((n & ~m) != 0)
6245 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6246 }
6247
6248 switch (q.addr)
6249 {
6250
6251 case Q_NET:
6252 return gen_host(n, m, q.proto, q.dir, q.addr);
6253
6254 default:
6255 bpf_error("Mask syntax for networks only");
6256 /* NOTREACHED */
6257 }
6258 /* NOTREACHED */
6259 return NULL;
6260 }
6261
gen_ncode(s,v,q)6262 struct block *gen_ncode(s, v, q)
6263 register const char *s;
6264 bpf_u_int32 v;
6265 struct qual q;
6266 {
6267 bpf_u_int32 mask;
6268 int proto = q.proto;
6269 int dir = q.dir;
6270 register int vlen;
6271
6272 if (s == NULL)
6273 vlen = 32;
6274 else if (q.proto == Q_DECNET)
6275 vlen = __pcap_atodn(s, &v);
6276 else
6277 vlen = __pcap_atoin(s, &v);
6278
6279 switch (q.addr)
6280 {
6281
6282 case Q_DEFAULT:
6283 case Q_HOST:
6284 case Q_NET:
6285 if (proto == Q_DECNET)
6286 return gen_host(v, 0, proto, dir, q.addr);
6287 else if (proto == Q_LINK)
6288 {
6289 bpf_error("illegal link layer address");
6290 }
6291 else
6292 {
6293 mask = 0xffffffff;
6294 if (s == NULL && q.addr == Q_NET)
6295 {
6296 /* Promote short net number */
6297 while (v && (v & 0xff000000) == 0)
6298 {
6299 v <<= 8;
6300 mask <<= 8;
6301 }
6302 }
6303 else
6304 {
6305 /* Promote short ipaddr */
6306 v <<= 32 - vlen;
6307 mask <<= 32 - vlen;
6308 }
6309 return gen_host(v, mask, proto, dir, q.addr);
6310 }
6311
6312 case Q_PORT:
6313 if (proto == Q_UDP)
6314 proto = IPPROTO_UDP;
6315 else if (proto == Q_TCP)
6316 proto = IPPROTO_TCP;
6317 else if (proto == Q_SCTP)
6318 proto = IPPROTO_SCTP;
6319 else if (proto == Q_DEFAULT)
6320 proto = PROTO_UNDEF;
6321 else
6322 bpf_error("illegal qualifier of 'port'");
6323
6324 #ifndef INET6
6325 return gen_port((int) v, proto, dir);
6326 #else
6327 {
6328 struct block *b;
6329 b = gen_port((int) v, proto, dir);
6330 gen_or(gen_port6((int) v, proto, dir), b);
6331 return b;
6332 }
6333 #endif /* INET6 */
6334
6335 case Q_PORTRANGE:
6336 if (proto == Q_UDP)
6337 proto = IPPROTO_UDP;
6338 else if (proto == Q_TCP)
6339 proto = IPPROTO_TCP;
6340 else if (proto == Q_SCTP)
6341 proto = IPPROTO_SCTP;
6342 else if (proto == Q_DEFAULT)
6343 proto = PROTO_UNDEF;
6344 else
6345 bpf_error("illegal qualifier of 'portrange'");
6346
6347 #ifndef INET6
6348 return gen_portrange((int) v, (int) v, proto, dir);
6349 #else
6350 {
6351 struct block *b;
6352 b = gen_portrange((int) v, (int) v, proto, dir);
6353 gen_or(gen_portrange6((int) v, (int) v, proto, dir), b);
6354 return b;
6355 }
6356 #endif /* INET6 */
6357
6358 case Q_GATEWAY:
6359 bpf_error("'gateway' requires a name");
6360 /* NOTREACHED */
6361
6362 case Q_PROTO:
6363 return gen_proto((int) v, proto, dir);
6364
6365 case Q_PROTOCHAIN:
6366 return gen_protochain((int) v, proto, dir);
6367
6368 case Q_UNDEF:
6369 syntax();
6370 /* NOTREACHED */
6371
6372 default:
6373 abort();
6374 /* NOTREACHED */
6375 }
6376 /* NOTREACHED */
6377 }
6378
6379 #ifdef INET6
gen_mcode6(s1,s2,masklen,q)6380 struct block *gen_mcode6(s1, s2, masklen, q)
6381 register const char *s1, *s2;
6382 register int masklen;
6383 struct qual q;
6384 {
6385 struct addrinfo *res;
6386 struct in6_addr *addr;
6387 struct in6_addr mask;
6388 struct block *b;
6389 u_int32_t *a, *m;
6390
6391 if (s2)
6392 bpf_error("no mask %s supported", s2);
6393
6394 res = pcap_nametoaddrinfo(s1);
6395 if (!res)
6396 bpf_error("invalid ip6 address %s", s1);
6397 ai = res;
6398 if (res->ai_next)
6399 bpf_error("%s resolved to multiple address", s1);
6400 addr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
6401
6402 if (sizeof(mask) * 8 < masklen)
6403 bpf_error("mask length must be <= %u", (unsigned int) (sizeof(mask) * 8));
6404 memset(&mask, 0, sizeof(mask));
6405 memset(&mask, 0xff, masklen / 8);
6406 if (masklen % 8)
6407 {
6408 mask.s6_addr[masklen / 8] = (0xff << (8 - masklen % 8)) & 0xff;
6409 }
6410
6411 a = (u_int32_t *) addr;
6412 m = (u_int32_t *) & mask;
6413 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) || (a[2] & ~m[2]) || (a[3] & ~m[3]))
6414 {
6415 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6416 }
6417
6418 switch (q.addr)
6419 {
6420
6421 case Q_DEFAULT:
6422 case Q_HOST:
6423 if (masklen != 128)
6424 bpf_error("Mask syntax for networks only");
6425 /* FALLTHROUGH */
6426
6427 case Q_NET:
6428 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6429 ai = NULL;
6430 freeaddrinfo(res);
6431 return b;
6432
6433 default:
6434 bpf_error("invalid qualifier against IPv6 address");
6435 /* NOTREACHED */
6436 }
6437 return NULL;
6438 }
6439 #endif /*INET6 */
6440
gen_ecode(eaddr,q)6441 struct block *gen_ecode(eaddr, q)
6442 register const u_char *eaddr;
6443 struct qual q;
6444 {
6445 struct block *b, *tmp;
6446
6447 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK)
6448 {
6449 switch (linktype)
6450 {
6451 case DLT_EN10MB:
6452 return gen_ehostop(eaddr, (int) q.dir);
6453 case DLT_FDDI:
6454 return gen_fhostop(eaddr, (int) q.dir);
6455 case DLT_IEEE802:
6456 return gen_thostop(eaddr, (int) q.dir);
6457 case DLT_IEEE802_11:
6458 case DLT_PRISM_HEADER:
6459 case DLT_IEEE802_11_RADIO_AVS:
6460 case DLT_IEEE802_11_RADIO:
6461 case DLT_PPI:
6462 return gen_wlanhostop(eaddr, (int) q.dir);
6463 case DLT_SUNATM:
6464 if (is_lane)
6465 {
6466 /*
6467 * Check that the packet doesn't begin with an
6468 * LE Control marker. (We've already generated
6469 * a test for LANE.)
6470 */
6471 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
6472 gen_not(tmp);
6473
6474 /*
6475 * Now check the MAC address.
6476 */
6477 b = gen_ehostop(eaddr, (int) q.dir);
6478 gen_and(tmp, b);
6479 return b;
6480 }
6481 break;
6482 case DLT_IP_OVER_FC:
6483 return gen_ipfchostop(eaddr, (int) q.dir);
6484 default:
6485 bpf_error
6486 ("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6487 break;
6488 }
6489 }
6490 bpf_error("ethernet address used in non-ether expression");
6491 /* NOTREACHED */
6492 return NULL;
6493 }
6494
sappend(s0,s1)6495 void sappend(s0, s1)
6496 struct slist *s0, *s1;
6497 {
6498 /*
6499 * This is definitely not the best way to do this, but the
6500 * lists will rarely get long.
6501 */
6502 while (s0->next)
6503 s0 = s0->next;
6504 s0->next = s1;
6505 }
6506
xfer_to_x(a)6507 static struct slist *xfer_to_x(a)
6508 struct arth *a;
6509 {
6510 struct slist *s;
6511
6512 s = new_stmt(BPF_LDX | BPF_MEM);
6513 s->s.k = a->regno;
6514 return s;
6515 }
6516
xfer_to_a(a)6517 static struct slist *xfer_to_a(a)
6518 struct arth *a;
6519 {
6520 struct slist *s;
6521
6522 s = new_stmt(BPF_LD | BPF_MEM);
6523 s->s.k = a->regno;
6524 return s;
6525 }
6526
6527 /*
6528 * Modify "index" to use the value stored into its register as an
6529 * offset relative to the beginning of the header for the protocol
6530 * "proto", and allocate a register and put an item "size" bytes long
6531 * (1, 2, or 4) at that offset into that register, making it the register
6532 * for "index".
6533 */
gen_load(proto,inst,size)6534 struct arth *gen_load(proto, inst, size)
6535 int proto;
6536 struct arth *inst;
6537 int size;
6538 {
6539 struct slist *s, *tmp;
6540 struct block *b;
6541 int regno = alloc_reg();
6542
6543 free_reg(inst->regno);
6544 switch (size)
6545 {
6546
6547 default:
6548 bpf_error("data size must be 1, 2, or 4");
6549
6550 case 1:
6551 size = BPF_B;
6552 break;
6553
6554 case 2:
6555 size = BPF_H;
6556 break;
6557
6558 case 4:
6559 size = BPF_W;
6560 break;
6561 }
6562 switch (proto)
6563 {
6564 default:
6565 bpf_error("unsupported index operation");
6566
6567 case Q_RADIO:
6568 /*
6569 * The offset is relative to the beginning of the packet
6570 * data, if we have a radio header. (If we don't, this
6571 * is an error.)
6572 */
6573 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6574 linktype != DLT_IEEE802_11_RADIO && linktype != DLT_PRISM_HEADER)
6575 bpf_error("radio information not present in capture");
6576
6577 /*
6578 * Load into the X register the offset computed into the
6579 * register specifed by "index".
6580 */
6581 s = xfer_to_x(inst);
6582
6583 /*
6584 * Load the item at that offset.
6585 */
6586 tmp = new_stmt(BPF_LD | BPF_IND | size);
6587 sappend(s, tmp);
6588 sappend(inst->s, s);
6589 break;
6590
6591 case Q_LINK:
6592 /*
6593 * The offset is relative to the beginning of
6594 * the link-layer header.
6595 *
6596 * XXX - what about ATM LANE? Should the index be
6597 * relative to the beginning of the AAL5 frame, so
6598 * that 0 refers to the beginning of the LE Control
6599 * field, or relative to the beginning of the LAN
6600 * frame, so that 0 refers, for Ethernet LANE, to
6601 * the beginning of the destination address?
6602 */
6603 s = gen_llprefixlen();
6604
6605 /*
6606 * If "s" is non-null, it has code to arrange that the
6607 * X register contains the length of the prefix preceding
6608 * the link-layer header. Add to it the offset computed
6609 * into the register specified by "index", and move that
6610 * into the X register. Otherwise, just load into the X
6611 * register the offset computed into the register specifed
6612 * by "index".
6613 */
6614 if (s != NULL)
6615 {
6616 sappend(s, xfer_to_a(inst));
6617 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X));
6618 sappend(s, new_stmt(BPF_MISC | BPF_TAX));
6619 }
6620 else
6621 s = xfer_to_x(inst);
6622
6623 /*
6624 * Load the item at the sum of the offset we've put in the
6625 * X register and the offset of the start of the link
6626 * layer header (which is 0 if the radio header is
6627 * variable-length; that header length is what we put
6628 * into the X register and then added to the index).
6629 */
6630 tmp = new_stmt(BPF_LD | BPF_IND | size);
6631 tmp->s.k = off_ll;
6632 sappend(s, tmp);
6633 sappend(inst->s, s);
6634 break;
6635
6636 case Q_IP:
6637 case Q_ARP:
6638 case Q_RARP:
6639 case Q_ATALK:
6640 case Q_DECNET:
6641 case Q_SCA:
6642 case Q_LAT:
6643 case Q_MOPRC:
6644 case Q_MOPDL:
6645 #ifdef INET6
6646 case Q_IPV6:
6647 #endif
6648 /*
6649 * The offset is relative to the beginning of
6650 * the network-layer header.
6651 * XXX - are there any cases where we want
6652 * off_nl_nosnap?
6653 */
6654 s = gen_off_macpl();
6655
6656 /*
6657 * If "s" is non-null, it has code to arrange that the
6658 * X register contains the offset of the MAC-layer
6659 * payload. Add to it the offset computed into the
6660 * register specified by "index", and move that into
6661 * the X register. Otherwise, just load into the X
6662 * register the offset computed into the register specifed
6663 * by "index".
6664 */
6665 if (s != NULL)
6666 {
6667 sappend(s, xfer_to_a(inst));
6668 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X));
6669 sappend(s, new_stmt(BPF_MISC | BPF_TAX));
6670 }
6671 else
6672 s = xfer_to_x(inst);
6673
6674 /*
6675 * Load the item at the sum of the offset we've put in the
6676 * X register, the offset of the start of the network
6677 * layer header from the beginning of the MAC-layer
6678 * payload, and the purported offset of the start of the
6679 * MAC-layer payload (which might be 0 if there's a
6680 * variable-length prefix before the link-layer header
6681 * or the link-layer header itself is variable-length;
6682 * the variable-length offset of the start of the
6683 * MAC-layer payload is what we put into the X register
6684 * and then added to the index).
6685 */
6686 tmp = new_stmt(BPF_LD | BPF_IND | size);
6687 tmp->s.k = off_macpl + off_nl;
6688 sappend(s, tmp);
6689 sappend(inst->s, s);
6690
6691 /*
6692 * Do the computation only if the packet contains
6693 * the protocol in question.
6694 */
6695 b = gen_proto_abbrev(proto);
6696 if (inst->b)
6697 gen_and(inst->b, b);
6698 inst->b = b;
6699 break;
6700
6701 case Q_SCTP:
6702 case Q_TCP:
6703 case Q_UDP:
6704 case Q_ICMP:
6705 case Q_IGMP:
6706 case Q_IGRP:
6707 case Q_PIM:
6708 case Q_VRRP:
6709 /*
6710 * The offset is relative to the beginning of
6711 * the transport-layer header.
6712 *
6713 * Load the X register with the length of the IPv4 header
6714 * (plus the offset of the link-layer header, if it's
6715 * a variable-length header), in bytes.
6716 *
6717 * XXX - are there any cases where we want
6718 * off_nl_nosnap?
6719 * XXX - we should, if we're built with
6720 * IPv6 support, generate code to load either
6721 * IPv4, IPv6, or both, as appropriate.
6722 */
6723 s = gen_loadx_iphdrlen();
6724
6725 /*
6726 * The X register now contains the sum of the length
6727 * of any variable-length header preceding the link-layer
6728 * header, any variable-length link-layer header, and the
6729 * length of the network-layer header.
6730 *
6731 * Load into the A register the offset relative to
6732 * the beginning of the transport layer header,
6733 * add the X register to that, move that to the
6734 * X register, and load with an offset from the
6735 * X register equal to the offset of the network
6736 * layer header relative to the beginning of
6737 * the MAC-layer payload plus the fixed-length
6738 * portion of the offset of the MAC-layer payload
6739 * from the beginning of the raw packet data.
6740 */
6741 sappend(s, xfer_to_a(inst));
6742 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X));
6743 sappend(s, new_stmt(BPF_MISC | BPF_TAX));
6744 sappend(s, tmp = new_stmt(BPF_LD | BPF_IND | size));
6745 tmp->s.k = off_macpl + off_nl;
6746 sappend(inst->s, s);
6747
6748 /*
6749 * Do the computation only if the packet contains
6750 * the protocol in question - which is true only
6751 * if this is an IP datagram and is the first or
6752 * only fragment of that datagram.
6753 */
6754 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6755 if (inst->b)
6756 gen_and(inst->b, b);
6757 #ifdef INET6
6758 gen_and(gen_proto_abbrev(Q_IP), b);
6759 #endif
6760 inst->b = b;
6761 break;
6762 #ifdef INET6
6763 case Q_ICMPV6:
6764 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6765 /*NOTREACHED*/
6766 #endif
6767 }
6768 inst->regno = regno;
6769 s = new_stmt(BPF_ST);
6770 s->s.k = regno;
6771 sappend(inst->s, s);
6772
6773 return inst;
6774 }
6775
gen_relation(code,a0,a1,reversed)6776 struct block *gen_relation(code, a0, a1, reversed)
6777 int code;
6778 struct arth *a0, *a1;
6779 int reversed;
6780 {
6781 struct slist *s0, *s1, *s2;
6782 struct block *b, *tmp;
6783
6784 s0 = xfer_to_x(a1);
6785 s1 = xfer_to_a(a0);
6786 if (code == BPF_JEQ)
6787 {
6788 s2 = new_stmt(BPF_ALU | BPF_SUB | BPF_X);
6789 b = new_block(JMP(code));
6790 sappend(s1, s2);
6791 }
6792 else
6793 b = new_block(BPF_JMP | code | BPF_X);
6794 if (reversed)
6795 gen_not(b);
6796
6797 sappend(s0, s1);
6798 sappend(a1->s, s0);
6799 sappend(a0->s, a1->s);
6800
6801 b->stmts = a0->s;
6802
6803 free_reg(a0->regno);
6804 free_reg(a1->regno);
6805
6806 /* 'and' together protocol checks */
6807 if (a0->b)
6808 {
6809 if (a1->b)
6810 {
6811 gen_and(a0->b, tmp = a1->b);
6812 }
6813 else
6814 tmp = a0->b;
6815 }
6816 else
6817 tmp = a1->b;
6818
6819 if (tmp)
6820 gen_and(tmp, b);
6821
6822 return b;
6823 }
6824
gen_loadlen()6825 struct arth *gen_loadlen()
6826 {
6827 int regno = alloc_reg();
6828 struct arth *a = (struct arth *) newchunk(sizeof(*a));
6829 struct slist *s;
6830
6831 s = new_stmt(BPF_LD | BPF_LEN);
6832 s->next = new_stmt(BPF_ST);
6833 s->next->s.k = regno;
6834 a->s = s;
6835 a->regno = regno;
6836
6837 return a;
6838 }
6839
gen_loadi(val)6840 struct arth *gen_loadi(val)
6841 int val;
6842 {
6843 struct arth *a;
6844 struct slist *s;
6845 int reg;
6846
6847 a = (struct arth *) newchunk(sizeof(*a));
6848
6849 reg = alloc_reg();
6850
6851 s = new_stmt(BPF_LD | BPF_IMM);
6852 s->s.k = val;
6853 s->next = new_stmt(BPF_ST);
6854 s->next->s.k = reg;
6855 a->s = s;
6856 a->regno = reg;
6857
6858 return a;
6859 }
6860
gen_neg(a)6861 struct arth *gen_neg(a)
6862 struct arth *a;
6863 {
6864 struct slist *s;
6865
6866 s = xfer_to_a(a);
6867 sappend(a->s, s);
6868 s = new_stmt(BPF_ALU | BPF_NEG);
6869 s->s.k = 0;
6870 sappend(a->s, s);
6871 s = new_stmt(BPF_ST);
6872 s->s.k = a->regno;
6873 sappend(a->s, s);
6874
6875 return a;
6876 }
6877
gen_arth(code,a0,a1)6878 struct arth *gen_arth(code, a0, a1)
6879 int code;
6880 struct arth *a0, *a1;
6881 {
6882 struct slist *s0, *s1, *s2;
6883
6884 s0 = xfer_to_x(a1);
6885 s1 = xfer_to_a(a0);
6886 s2 = new_stmt(BPF_ALU | BPF_X | code);
6887
6888 sappend(s1, s2);
6889 sappend(s0, s1);
6890 sappend(a1->s, s0);
6891 sappend(a0->s, a1->s);
6892
6893 free_reg(a0->regno);
6894 free_reg(a1->regno);
6895
6896 s0 = new_stmt(BPF_ST);
6897 a0->regno = s0->s.k = alloc_reg();
6898 sappend(a0->s, s0);
6899
6900 return a0;
6901 }
6902
6903 /*
6904 * Here we handle simple allocation of the scratch registers.
6905 * If too many registers are alloc'd, the allocator punts.
6906 */
6907 static __thread int regused[BPF_MEMWORDS];
6908 static __thread int curreg;
6909
6910 /*
6911 * Initialize the table of used registers and the current register.
6912 */
init_regs()6913 static void init_regs()
6914 {
6915 curreg = 0;
6916 memset(regused, 0, sizeof regused);
6917 }
6918
6919 /*
6920 * Return the next free register.
6921 */
alloc_reg()6922 static int alloc_reg()
6923 {
6924 int n = BPF_MEMWORDS;
6925
6926 while (--n >= 0)
6927 {
6928 if (regused[curreg])
6929 curreg = (curreg + 1) % BPF_MEMWORDS;
6930 else
6931 {
6932 regused[curreg] = 1;
6933 return curreg;
6934 }
6935 }
6936 bpf_error("too many registers needed to evaluate expression");
6937 /* NOTREACHED */
6938 return 0;
6939 }
6940
6941 /*
6942 * Return a register to the table so it can
6943 * be used later.
6944 */
free_reg(n)6945 static void free_reg(n)
6946 int n;
6947 {
6948 regused[n] = 0;
6949 }
6950
gen_len(jmp,n)6951 static struct block *gen_len(jmp, n)
6952 int jmp, n;
6953 {
6954 struct slist *s;
6955 struct block *b;
6956
6957 s = new_stmt(BPF_LD | BPF_LEN);
6958 b = new_block(JMP(jmp));
6959 b->stmts = s;
6960 b->s.k = n;
6961
6962 return b;
6963 }
6964
gen_greater(n)6965 struct block *gen_greater(n)
6966 int n;
6967 {
6968 return gen_len(BPF_JGE, n);
6969 }
6970
6971 /*
6972 * Actually, this is less than or equal.
6973 */
gen_less(n)6974 struct block *gen_less(n)
6975 int n;
6976 {
6977 struct block *b;
6978
6979 b = gen_len(BPF_JGT, n);
6980 gen_not(b);
6981
6982 return b;
6983 }
6984
6985 /*
6986 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6987 * the beginning of the link-layer header.
6988 * XXX - that means you can't test values in the radiotap header, but
6989 * as that header is difficult if not impossible to parse generally
6990 * without a loop, that might not be a severe problem. A new keyword
6991 * "radio" could be added for that, although what you'd really want
6992 * would be a way of testing particular radio header values, which
6993 * would generate code appropriate to the radio header in question.
6994 */
gen_byteop(op,idx,val)6995 struct block *gen_byteop(op, idx, val)
6996 int op, idx, val;
6997 {
6998 struct block *b;
6999 struct slist *s;
7000
7001 switch (op)
7002 {
7003 default:
7004 abort();
7005
7006 case '=':
7007 return gen_cmp(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val);
7008
7009 case '<':
7010 b = gen_cmp_lt(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val);
7011 return b;
7012
7013 case '>':
7014 b = gen_cmp_gt(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val);
7015 return b;
7016
7017 case '|':
7018 s = new_stmt(BPF_ALU | BPF_OR | BPF_K);
7019 break;
7020
7021 case '&':
7022 s = new_stmt(BPF_ALU | BPF_AND | BPF_K);
7023 break;
7024 }
7025 s->s.k = val;
7026 b = new_block(JMP(BPF_JEQ));
7027 b->stmts = s;
7028 gen_not(b);
7029
7030 return b;
7031 }
7032
7033 static __thread u_char abroadcast[] = { 0x0 };
7034
gen_broadcast(proto)7035 struct block *gen_broadcast(proto)
7036 int proto;
7037 {
7038 bpf_u_int32 hostmask;
7039 struct block *b0, *b1, *b2;
7040 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7041
7042 switch (proto)
7043 {
7044
7045 case Q_DEFAULT:
7046 case Q_LINK:
7047 switch (linktype)
7048 {
7049 case DLT_ARCNET:
7050 case DLT_ARCNET_LINUX:
7051 return gen_ahostop(abroadcast, Q_DST);
7052 case DLT_EN10MB:
7053 return gen_ehostop(ebroadcast, Q_DST);
7054 case DLT_FDDI:
7055 return gen_fhostop(ebroadcast, Q_DST);
7056 case DLT_IEEE802:
7057 return gen_thostop(ebroadcast, Q_DST);
7058 case DLT_IEEE802_11:
7059 case DLT_PRISM_HEADER:
7060 case DLT_IEEE802_11_RADIO_AVS:
7061 case DLT_IEEE802_11_RADIO:
7062 case DLT_PPI:
7063 return gen_wlanhostop(ebroadcast, Q_DST);
7064 case DLT_IP_OVER_FC:
7065 return gen_ipfchostop(ebroadcast, Q_DST);
7066 case DLT_SUNATM:
7067 if (is_lane)
7068 {
7069 /*
7070 * Check that the packet doesn't begin with an
7071 * LE Control marker. (We've already generated
7072 * a test for LANE.)
7073 */
7074 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
7075 gen_not(b1);
7076
7077 /*
7078 * Now check the MAC address.
7079 */
7080 b0 = gen_ehostop(ebroadcast, Q_DST);
7081 gen_and(b1, b0);
7082 return b0;
7083 }
7084 break;
7085 default:
7086 bpf_error("not a broadcast link");
7087 }
7088 break;
7089
7090 case Q_IP:
7091 /*
7092 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7093 * as an indication that we don't know the netmask, and fail
7094 * in that case.
7095 */
7096 if (netmask == PCAP_NETMASK_UNKNOWN)
7097 bpf_error("netmask not known, so 'ip broadcast' not supported");
7098 b0 = gen_linktype(ETHERTYPE_IP);
7099 hostmask = ~netmask;
7100 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32) 0, hostmask);
7101 b2 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32) (~0 & hostmask), hostmask);
7102 gen_or(b1, b2);
7103 gen_and(b0, b2);
7104 return b2;
7105 }
7106 bpf_error("only link-layer/IP broadcast filters supported");
7107 /* NOTREACHED */
7108 return NULL;
7109 }
7110
7111 /*
7112 * Generate code to test the low-order bit of a MAC address (that's
7113 * the bottom bit of the *first* byte).
7114 */
gen_mac_multicast(offset)7115 static struct block *gen_mac_multicast(offset)
7116 int offset;
7117 {
7118 register struct block *b0;
7119 register struct slist *s;
7120
7121 /* link[offset] & 1 != 0 */
7122 s = gen_load_a(OR_LINK, offset, BPF_B);
7123 b0 = new_block(JMP(BPF_JSET));
7124 b0->s.k = 1;
7125 b0->stmts = s;
7126 return b0;
7127 }
7128
gen_multicast(proto)7129 struct block *gen_multicast(proto)
7130 int proto;
7131 {
7132 register struct block *b0, *b1, *b2;
7133 register struct slist *s;
7134
7135 switch (proto)
7136 {
7137
7138 case Q_DEFAULT:
7139 case Q_LINK:
7140 switch (linktype)
7141 {
7142 case DLT_ARCNET:
7143 case DLT_ARCNET_LINUX:
7144 /* all ARCnet multicasts use the same address */
7145 return gen_ahostop(abroadcast, Q_DST);
7146 case DLT_EN10MB:
7147 /* ether[0] & 1 != 0 */
7148 return gen_mac_multicast(0);
7149 case DLT_FDDI:
7150 /*
7151 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7152 *
7153 * XXX - was that referring to bit-order issues?
7154 */
7155 /* fddi[1] & 1 != 0 */
7156 return gen_mac_multicast(1);
7157 case DLT_IEEE802:
7158 /* tr[2] & 1 != 0 */
7159 return gen_mac_multicast(2);
7160 case DLT_IEEE802_11:
7161 case DLT_PRISM_HEADER:
7162 case DLT_IEEE802_11_RADIO_AVS:
7163 case DLT_IEEE802_11_RADIO:
7164 case DLT_PPI:
7165 /*
7166 * Oh, yuk.
7167 *
7168 * For control frames, there is no DA.
7169 *
7170 * For management frames, DA is at an
7171 * offset of 4 from the beginning of
7172 * the packet.
7173 *
7174 * For data frames, DA is at an offset
7175 * of 4 from the beginning of the packet
7176 * if To DS is clear and at an offset of
7177 * 16 from the beginning of the packet
7178 * if To DS is set.
7179 */
7180
7181 /*
7182 * Generate the tests to be done for data frames.
7183 *
7184 * First, check for To DS set, i.e. "link[1] & 0x01".
7185 */
7186 s = gen_load_a(OR_LINK, 1, BPF_B);
7187 b1 = new_block(JMP(BPF_JSET));
7188 b1->s.k = 0x01; /* To DS */
7189 b1->stmts = s;
7190
7191 /*
7192 * If To DS is set, the DA is at 16.
7193 */
7194 b0 = gen_mac_multicast(16);
7195 gen_and(b1, b0);
7196
7197 /*
7198 * Now, check for To DS not set, i.e. check
7199 * "!(link[1] & 0x01)".
7200 */
7201 s = gen_load_a(OR_LINK, 1, BPF_B);
7202 b2 = new_block(JMP(BPF_JSET));
7203 b2->s.k = 0x01; /* To DS */
7204 b2->stmts = s;
7205 gen_not(b2);
7206
7207 /*
7208 * If To DS is not set, the DA is at 4.
7209 */
7210 b1 = gen_mac_multicast(4);
7211 gen_and(b2, b1);
7212
7213 /*
7214 * Now OR together the last two checks. That gives
7215 * the complete set of checks for data frames.
7216 */
7217 gen_or(b1, b0);
7218
7219 /*
7220 * Now check for a data frame.
7221 * I.e, check "link[0] & 0x08".
7222 */
7223 s = gen_load_a(OR_LINK, 0, BPF_B);
7224 b1 = new_block(JMP(BPF_JSET));
7225 b1->s.k = 0x08;
7226 b1->stmts = s;
7227
7228 /*
7229 * AND that with the checks done for data frames.
7230 */
7231 gen_and(b1, b0);
7232
7233 /*
7234 * If the high-order bit of the type value is 0, this
7235 * is a management frame.
7236 * I.e, check "!(link[0] & 0x08)".
7237 */
7238 s = gen_load_a(OR_LINK, 0, BPF_B);
7239 b2 = new_block(JMP(BPF_JSET));
7240 b2->s.k = 0x08;
7241 b2->stmts = s;
7242 gen_not(b2);
7243
7244 /*
7245 * For management frames, the DA is at 4.
7246 */
7247 b1 = gen_mac_multicast(4);
7248 gen_and(b2, b1);
7249
7250 /*
7251 * OR that with the checks done for data frames.
7252 * That gives the checks done for management and
7253 * data frames.
7254 */
7255 gen_or(b1, b0);
7256
7257 /*
7258 * If the low-order bit of the type value is 1,
7259 * this is either a control frame or a frame
7260 * with a reserved type, and thus not a
7261 * frame with an SA.
7262 *
7263 * I.e., check "!(link[0] & 0x04)".
7264 */
7265 s = gen_load_a(OR_LINK, 0, BPF_B);
7266 b1 = new_block(JMP(BPF_JSET));
7267 b1->s.k = 0x04;
7268 b1->stmts = s;
7269 gen_not(b1);
7270
7271 /*
7272 * AND that with the checks for data and management
7273 * frames.
7274 */
7275 gen_and(b1, b0);
7276 return b0;
7277 case DLT_IP_OVER_FC:
7278 b0 = gen_mac_multicast(2);
7279 return b0;
7280 case DLT_SUNATM:
7281 if (is_lane)
7282 {
7283 /*
7284 * Check that the packet doesn't begin with an
7285 * LE Control marker. (We've already generated
7286 * a test for LANE.)
7287 */
7288 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
7289 gen_not(b1);
7290
7291 /* ether[off_mac] & 1 != 0 */
7292 b0 = gen_mac_multicast(off_mac);
7293 gen_and(b1, b0);
7294 return b0;
7295 }
7296 break;
7297 default:
7298 break;
7299 }
7300 /* Link not known to support multicasts */
7301 break;
7302
7303 case Q_IP:
7304 b0 = gen_linktype(ETHERTYPE_IP);
7305 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32) 224);
7306 gen_and(b0, b1);
7307 return b1;
7308
7309 #ifdef INET6
7310 case Q_IPV6:
7311 b0 = gen_linktype(ETHERTYPE_IPV6);
7312 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32) 255);
7313 gen_and(b0, b1);
7314 return b1;
7315 #endif /* INET6 */
7316 }
7317 bpf_error
7318 ("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7319 /* NOTREACHED */
7320 return NULL;
7321 }
7322
7323 /*
7324 * generate command for inbound/outbound. It's here so we can
7325 * make it link-type specific. 'dir' = 0 implies "inbound",
7326 * = 1 implies "outbound".
7327 */
gen_inbound(dir)7328 struct block *gen_inbound(dir)
7329 int dir;
7330 {
7331 register struct block *b0;
7332
7333 /*
7334 * Only some data link types support inbound/outbound qualifiers.
7335 */
7336 switch (linktype)
7337 {
7338 case DLT_SLIP:
7339 b0 = gen_relation(BPF_JEQ, gen_load(Q_LINK, gen_loadi(0), 1), gen_loadi(0), dir);
7340 break;
7341
7342 case DLT_IPNET:
7343 if (dir)
7344 {
7345 /* match outgoing packets */
7346 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND);
7347 }
7348 else
7349 {
7350 /* match incoming packets */
7351 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND);
7352 }
7353 break;
7354
7355 case DLT_LINUX_SLL:
7356 if (dir)
7357 {
7358 /*
7359 * Match packets sent by this machine.
7360 */
7361 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7362 }
7363 else
7364 {
7365 /*
7366 * Match packets sent to this machine.
7367 * (No broadcast or multicast packets, or
7368 * packets sent to some other machine and
7369 * received promiscuously.)
7370 *
7371 * XXX - packets sent to other machines probably
7372 * shouldn't be matched, but what about broadcast
7373 * or multicast packets we received?
7374 */
7375 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7376 }
7377 break;
7378
7379 #ifdef HAVE_NET_PFVAR_H
7380 case DLT_PFLOG:
7381 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7382 (bpf_int32) ((dir == 0) ? PF_IN : PF_OUT));
7383 break;
7384 #endif
7385
7386 case DLT_PPP_PPPD:
7387 if (dir)
7388 {
7389 /* match outgoing packets */
7390 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7391 }
7392 else
7393 {
7394 /* match incoming packets */
7395 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7396 }
7397 break;
7398
7399 case DLT_JUNIPER_MFR:
7400 case DLT_JUNIPER_MLFR:
7401 case DLT_JUNIPER_MLPPP:
7402 case DLT_JUNIPER_ATM1:
7403 case DLT_JUNIPER_ATM2:
7404 case DLT_JUNIPER_PPPOE:
7405 case DLT_JUNIPER_PPPOE_ATM:
7406 case DLT_JUNIPER_GGSN:
7407 case DLT_JUNIPER_ES:
7408 case DLT_JUNIPER_MONITOR:
7409 case DLT_JUNIPER_SERVICES:
7410 case DLT_JUNIPER_ETHER:
7411 case DLT_JUNIPER_PPP:
7412 case DLT_JUNIPER_FRELAY:
7413 case DLT_JUNIPER_CHDLC:
7414 case DLT_JUNIPER_VP:
7415 case DLT_JUNIPER_ST:
7416 case DLT_JUNIPER_ISM:
7417 /* juniper flags (including direction) are stored
7418 * the byte after the 3-byte magic number */
7419 if (dir)
7420 {
7421 /* match outgoing packets */
7422 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7423 }
7424 else
7425 {
7426 /* match incoming packets */
7427 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7428 }
7429 break;
7430
7431 default:
7432 bpf_error("inbound/outbound not supported on linktype %d", linktype);
7433 b0 = NULL;
7434 /* NOTREACHED */
7435 }
7436 return (b0);
7437 }
7438
7439 #ifdef HAVE_NET_PFVAR_H
7440 /* PF firewall log matched interface */
gen_pf_ifname(const char * ifname)7441 struct block *gen_pf_ifname(const char *ifname)
7442 {
7443 struct block *b0;
7444 u_int len, off;
7445
7446 if (linktype != DLT_PFLOG)
7447 {
7448 bpf_error("ifname supported only on PF linktype");
7449 /* NOTREACHED */
7450 }
7451 len = sizeof(((struct pfloghdr *) 0)->ifname);
7452 off = offsetof(struct pfloghdr, ifname);
7453 if (strlen(ifname) >= len)
7454 {
7455 bpf_error("ifname interface names can only be %d characters", len - 1);
7456 /* NOTREACHED */
7457 }
7458 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *) ifname);
7459 return (b0);
7460 }
7461
7462 /* PF firewall log ruleset name */
gen_pf_ruleset(char * ruleset)7463 struct block *gen_pf_ruleset(char *ruleset)
7464 {
7465 struct block *b0;
7466
7467 if (linktype != DLT_PFLOG)
7468 {
7469 bpf_error("ruleset supported only on PF linktype");
7470 /* NOTREACHED */
7471 }
7472
7473 if (strlen(ruleset) >= sizeof(((struct pfloghdr *) 0)->ruleset))
7474 {
7475 bpf_error("ruleset names can only be %ld characters",
7476 (long) (sizeof(((struct pfloghdr *) 0)->ruleset) - 1));
7477 /* NOTREACHED */
7478 }
7479
7480 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), strlen(ruleset), (const u_char *) ruleset);
7481 return (b0);
7482 }
7483
7484 /* PF firewall log rule number */
gen_pf_rnr(int rnr)7485 struct block *gen_pf_rnr(int rnr)
7486 {
7487 struct block *b0;
7488
7489 if (linktype != DLT_PFLOG)
7490 {
7491 bpf_error("rnr supported only on PF linktype");
7492 /* NOTREACHED */
7493 }
7494
7495 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, (bpf_int32) rnr);
7496 return (b0);
7497 }
7498
7499 /* PF firewall log sub-rule number */
gen_pf_srnr(int srnr)7500 struct block *gen_pf_srnr(int srnr)
7501 {
7502 struct block *b0;
7503
7504 if (linktype != DLT_PFLOG)
7505 {
7506 bpf_error("srnr supported only on PF linktype");
7507 /* NOTREACHED */
7508 }
7509
7510 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, (bpf_int32) srnr);
7511 return (b0);
7512 }
7513
7514 /* PF firewall log reason code */
gen_pf_reason(int reason)7515 struct block *gen_pf_reason(int reason)
7516 {
7517 struct block *b0;
7518
7519 if (linktype != DLT_PFLOG)
7520 {
7521 bpf_error("reason supported only on PF linktype");
7522 /* NOTREACHED */
7523 }
7524
7525 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, (bpf_int32) reason);
7526 return (b0);
7527 }
7528
7529 /* PF firewall log action */
gen_pf_action(int action)7530 struct block *gen_pf_action(int action)
7531 {
7532 struct block *b0;
7533
7534 if (linktype != DLT_PFLOG)
7535 {
7536 bpf_error("action supported only on PF linktype");
7537 /* NOTREACHED */
7538 }
7539
7540 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, (bpf_int32) action);
7541 return (b0);
7542 }
7543 #else /* !HAVE_NET_PFVAR_H */
gen_pf_ifname(const char * ifname)7544 struct block *gen_pf_ifname(const char *ifname)
7545 {
7546 bpf_error("libpcap was compiled without pf support");
7547 /* NOTREACHED */
7548 return (NULL);
7549 }
7550
gen_pf_ruleset(char * ruleset)7551 struct block *gen_pf_ruleset(char *ruleset)
7552 {
7553 bpf_error("libpcap was compiled on a machine without pf support");
7554 /* NOTREACHED */
7555 return (NULL);
7556 }
7557
gen_pf_rnr(int rnr)7558 struct block *gen_pf_rnr(int rnr)
7559 {
7560 bpf_error("libpcap was compiled on a machine without pf support");
7561 /* NOTREACHED */
7562 return (NULL);
7563 }
7564
gen_pf_srnr(int srnr)7565 struct block *gen_pf_srnr(int srnr)
7566 {
7567 bpf_error("libpcap was compiled on a machine without pf support");
7568 /* NOTREACHED */
7569 return (NULL);
7570 }
7571
gen_pf_reason(int reason)7572 struct block *gen_pf_reason(int reason)
7573 {
7574 bpf_error("libpcap was compiled on a machine without pf support");
7575 /* NOTREACHED */
7576 return (NULL);
7577 }
7578
gen_pf_action(int action)7579 struct block *gen_pf_action(int action)
7580 {
7581 bpf_error("libpcap was compiled on a machine without pf support");
7582 /* NOTREACHED */
7583 return (NULL);
7584 }
7585 #endif /* HAVE_NET_PFVAR_H */
7586
7587 /* IEEE 802.11 wireless header */
gen_p80211_type(int type,int mask)7588 struct block *gen_p80211_type(int type, int mask)
7589 {
7590 struct block *b0;
7591
7592 switch (linktype)
7593 {
7594
7595 case DLT_IEEE802_11:
7596 case DLT_PRISM_HEADER:
7597 case DLT_IEEE802_11_RADIO_AVS:
7598 case DLT_IEEE802_11_RADIO:
7599 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32) type, (bpf_int32) mask);
7600 break;
7601
7602 default:
7603 bpf_error("802.11 link-layer types supported only on 802.11");
7604 /* NOTREACHED */
7605 }
7606
7607 return (b0);
7608 }
7609
gen_p80211_fcdir(int fcdir)7610 struct block *gen_p80211_fcdir(int fcdir)
7611 {
7612 struct block *b0;
7613
7614 switch (linktype)
7615 {
7616
7617 case DLT_IEEE802_11:
7618 case DLT_PRISM_HEADER:
7619 case DLT_IEEE802_11_RADIO_AVS:
7620 case DLT_IEEE802_11_RADIO:
7621 break;
7622
7623 default:
7624 bpf_error("frame direction supported only with 802.11 headers");
7625 /* NOTREACHED */
7626 }
7627
7628 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32) fcdir, (bpf_u_int32) IEEE80211_FC1_DIR_MASK);
7629
7630 return (b0);
7631 }
7632
gen_acode(eaddr,q)7633 struct block *gen_acode(eaddr, q)
7634 register const u_char *eaddr;
7635 struct qual q;
7636 {
7637 switch (linktype)
7638 {
7639
7640 case DLT_ARCNET:
7641 case DLT_ARCNET_LINUX:
7642 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK)
7643 return (gen_ahostop(eaddr, (int) q.dir));
7644 else
7645 {
7646 bpf_error("ARCnet address used in non-arc expression");
7647 /* NOTREACHED */
7648 }
7649 break;
7650
7651 default:
7652 bpf_error("aid supported only on ARCnet");
7653 /* NOTREACHED */
7654 }
7655 bpf_error("ARCnet address used in non-arc expression");
7656 /* NOTREACHED */
7657 return NULL;
7658 }
7659
gen_ahostop(eaddr,dir)7660 static struct block *gen_ahostop(eaddr, dir)
7661 register const u_char *eaddr;
7662 register int dir;
7663 {
7664 register struct block *b0, *b1;
7665
7666 switch (dir)
7667 {
7668 /* src comes first, different from Ethernet */
7669 case Q_SRC:
7670 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7671
7672 case Q_DST:
7673 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7674
7675 case Q_AND:
7676 b0 = gen_ahostop(eaddr, Q_SRC);
7677 b1 = gen_ahostop(eaddr, Q_DST);
7678 gen_and(b0, b1);
7679 return b1;
7680
7681 case Q_DEFAULT:
7682 case Q_OR:
7683 b0 = gen_ahostop(eaddr, Q_SRC);
7684 b1 = gen_ahostop(eaddr, Q_DST);
7685 gen_or(b0, b1);
7686 return b1;
7687 }
7688 abort();
7689 /* NOTREACHED */
7690 }
7691
7692 /*
7693 * support IEEE 802.1Q VLAN trunk over ethernet
7694 */
gen_vlan(vlan_num)7695 struct block *gen_vlan(vlan_num)
7696 int vlan_num;
7697 {
7698 struct block *b0, *b1;
7699
7700 /* can't check for VLAN-encapsulated packets inside MPLS */
7701 if (label_stack_depth > 0)
7702 bpf_error("no VLAN match after MPLS");
7703
7704 /*
7705 * Check for a VLAN packet, and then change the offsets to point
7706 * to the type and data fields within the VLAN packet. Just
7707 * increment the offsets, so that we can support a hierarchy, e.g.
7708 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7709 * VLAN 100.
7710 *
7711 * XXX - this is a bit of a kludge. If we were to split the
7712 * compiler into a parser that parses an expression and
7713 * generates an expression tree, and a code generator that
7714 * takes an expression tree (which could come from our
7715 * parser or from some other parser) and generates BPF code,
7716 * we could perhaps make the offsets parameters of routines
7717 * and, in the handler for an "AND" node, pass to subnodes
7718 * other than the VLAN node the adjusted offsets.
7719 *
7720 * This would mean that "vlan" would, instead of changing the
7721 * behavior of *all* tests after it, change only the behavior
7722 * of tests ANDed with it. That would change the documented
7723 * semantics of "vlan", which might break some expressions.
7724 * However, it would mean that "(vlan and ip) or ip" would check
7725 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7726 * checking only for VLAN-encapsulated IP, so that could still
7727 * be considered worth doing; it wouldn't break expressions
7728 * that are of the form "vlan and ..." or "vlan N and ...",
7729 * which I suspect are the most common expressions involving
7730 * "vlan". "vlan or ..." doesn't necessarily do what the user
7731 * would really want, now, as all the "or ..." tests would
7732 * be done assuming a VLAN, even though the "or" could be viewed
7733 * as meaning "or, if this isn't a VLAN packet...".
7734 */
7735 orig_nl = off_nl;
7736
7737 switch (linktype)
7738 {
7739
7740 case DLT_EN10MB:
7741 /* check for VLAN */
7742 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_8021Q);
7743
7744 /* If a specific VLAN is requested, check VLAN id */
7745 if (vlan_num >= 0)
7746 {
7747 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, (bpf_int32) vlan_num, 0x0fff);
7748 gen_and(b0, b1);
7749 b0 = b1;
7750 }
7751
7752 off_macpl += 4;
7753 off_linktype += 4;
7754 break;
7755
7756 default:
7757 bpf_error("no VLAN support for data link type %d", linktype);
7758 /*NOTREACHED*/}
7759
7760 return (b0);
7761 }
7762
7763 /*
7764 * support for MPLS
7765 */
gen_mpls(label_num)7766 struct block *gen_mpls(label_num)
7767 int label_num;
7768 {
7769 struct block *b0, *b1;
7770
7771 /*
7772 * Change the offsets to point to the type and data fields within
7773 * the MPLS packet. Just increment the offsets, so that we
7774 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7775 * capture packets with an outer label of 100000 and an inner
7776 * label of 1024.
7777 *
7778 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7779 */
7780 orig_nl = off_nl;
7781
7782 if (label_stack_depth > 0)
7783 {
7784 /* just match the bottom-of-stack bit clear */
7785 b0 = gen_mcmp(OR_MACPL, orig_nl - 2, BPF_B, 0, 0x01);
7786 }
7787 else
7788 {
7789 /*
7790 * Indicate that we're checking MPLS-encapsulated headers,
7791 * to make sure higher level code generators don't try to
7792 * match against IP-related protocols such as Q_ARP, Q_RARP
7793 * etc.
7794 */
7795 switch (linktype)
7796 {
7797
7798 case DLT_C_HDLC: /* fall through */
7799 case DLT_EN10MB:
7800 b0 = gen_linktype(ETHERTYPE_MPLS);
7801 break;
7802
7803 case DLT_PPP:
7804 b0 = gen_linktype(PPP_MPLS_UCAST);
7805 break;
7806
7807 /* FIXME add other DLT_s ...
7808 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7809 * leave it for now */
7810
7811 default:
7812 bpf_error("no MPLS support for data link type %d", linktype);
7813 b0 = NULL;
7814 /*NOTREACHED*/ break;
7815 }
7816 }
7817
7818 /* If a specific MPLS label is requested, check it */
7819 if (label_num >= 0)
7820 {
7821 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7822 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32) label_num, 0xfffff000); /* only compare the first 20 bits */
7823 gen_and(b0, b1);
7824 b0 = b1;
7825 }
7826
7827 off_nl_nosnap += 4;
7828 off_nl += 4;
7829 label_stack_depth++;
7830 return (b0);
7831 }
7832
7833 /*
7834 * Support PPPOE discovery and session.
7835 */
gen_pppoed()7836 struct block *gen_pppoed()
7837 {
7838 /* check for PPPoE discovery */
7839 return gen_linktype((bpf_int32) ETHERTYPE_PPPOED);
7840 }
7841
gen_pppoes()7842 struct block *gen_pppoes()
7843 {
7844 struct block *b0;
7845
7846 /*
7847 * Test against the PPPoE session link-layer type.
7848 */
7849 b0 = gen_linktype((bpf_int32) ETHERTYPE_PPPOES);
7850
7851 /*
7852 * Change the offsets to point to the type and data fields within
7853 * the PPP packet, and note that this is PPPoE rather than
7854 * raw PPP.
7855 *
7856 * XXX - this is a bit of a kludge. If we were to split the
7857 * compiler into a parser that parses an expression and
7858 * generates an expression tree, and a code generator that
7859 * takes an expression tree (which could come from our
7860 * parser or from some other parser) and generates BPF code,
7861 * we could perhaps make the offsets parameters of routines
7862 * and, in the handler for an "AND" node, pass to subnodes
7863 * other than the PPPoE node the adjusted offsets.
7864 *
7865 * This would mean that "pppoes" would, instead of changing the
7866 * behavior of *all* tests after it, change only the behavior
7867 * of tests ANDed with it. That would change the documented
7868 * semantics of "pppoes", which might break some expressions.
7869 * However, it would mean that "(pppoes and ip) or ip" would check
7870 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7871 * checking only for VLAN-encapsulated IP, so that could still
7872 * be considered worth doing; it wouldn't break expressions
7873 * that are of the form "pppoes and ..." which I suspect are the
7874 * most common expressions involving "pppoes". "pppoes or ..."
7875 * doesn't necessarily do what the user would really want, now,
7876 * as all the "or ..." tests would be done assuming PPPoE, even
7877 * though the "or" could be viewed as meaning "or, if this isn't
7878 * a PPPoE packet...".
7879 */
7880 orig_linktype = off_linktype; /* save original values */
7881 orig_nl = off_nl;
7882 is_pppoes = 1;
7883
7884 /*
7885 * The "network-layer" protocol is PPPoE, which has a 6-byte
7886 * PPPoE header, followed by a PPP packet.
7887 *
7888 * There is no HDLC encapsulation for the PPP packet (it's
7889 * encapsulated in PPPoES instead), so the link-layer type
7890 * starts at the first byte of the PPP packet. For PPPoE,
7891 * that offset is relative to the beginning of the total
7892 * link-layer payload, including any 802.2 LLC header, so
7893 * it's 6 bytes past off_nl.
7894 */
7895 off_linktype = off_nl + 6;
7896
7897 /*
7898 * The network-layer offsets are relative to the beginning
7899 * of the MAC-layer payload; that's past the 6-byte
7900 * PPPoE header and the 2-byte PPP header.
7901 */
7902 off_nl = 6 + 2;
7903 off_nl_nosnap = 6 + 2;
7904
7905 return b0;
7906 }
7907
gen_atmfield_code(atmfield,jvalue,jtype,reverse)7908 struct block *gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7909 int atmfield;
7910 bpf_int32 jvalue;
7911 bpf_u_int32 jtype;
7912 int reverse;
7913 {
7914 struct block *b0;
7915
7916 switch (atmfield)
7917 {
7918
7919 case A_VPI:
7920 if (!is_atm)
7921 bpf_error("'vpi' supported only on raw ATM");
7922 if (off_vpi == (u_int) - 1)
7923 abort();
7924 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, reverse, jvalue);
7925 break;
7926
7927 case A_VCI:
7928 if (!is_atm)
7929 bpf_error("'vci' supported only on raw ATM");
7930 if (off_vci == (u_int) - 1)
7931 abort();
7932 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, reverse, jvalue);
7933 break;
7934
7935 case A_PROTOTYPE:
7936 if (off_proto == (u_int) - 1)
7937 abort(); /* XXX - this isn't on FreeBSD */
7938 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, reverse, jvalue);
7939 break;
7940
7941 case A_MSGTYPE:
7942 if (off_payload == (u_int) - 1)
7943 abort();
7944 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 0xffffffff, jtype, reverse, jvalue);
7945 break;
7946
7947 case A_CALLREFTYPE:
7948 if (!is_atm)
7949 bpf_error("'callref' supported only on raw ATM");
7950 if (off_proto == (u_int) - 1)
7951 abort();
7952 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, jtype, reverse, jvalue);
7953 break;
7954
7955 default:
7956 abort();
7957 }
7958 return b0;
7959 }
7960
gen_atmtype_abbrev(type)7961 struct block *gen_atmtype_abbrev(type)
7962 int type;
7963 {
7964 struct block *b0, *b1;
7965
7966 switch (type)
7967 {
7968
7969 case A_METAC:
7970 /* Get all packets in Meta signalling Circuit */
7971 if (!is_atm)
7972 bpf_error("'metac' supported only on raw ATM");
7973 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7974 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7975 gen_and(b0, b1);
7976 break;
7977
7978 case A_BCC:
7979 /* Get all packets in Broadcast Circuit */
7980 if (!is_atm)
7981 bpf_error("'bcc' supported only on raw ATM");
7982 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7983 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7984 gen_and(b0, b1);
7985 break;
7986
7987 case A_OAMF4SC:
7988 /* Get all cells in Segment OAM F4 circuit */
7989 if (!is_atm)
7990 bpf_error("'oam4sc' supported only on raw ATM");
7991 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7992 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7993 gen_and(b0, b1);
7994 break;
7995
7996 case A_OAMF4EC:
7997 /* Get all cells in End-to-End OAM F4 Circuit */
7998 if (!is_atm)
7999 bpf_error("'oam4ec' supported only on raw ATM");
8000 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8001 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8002 gen_and(b0, b1);
8003 break;
8004
8005 case A_SC:
8006 /* Get all packets in connection Signalling Circuit */
8007 if (!is_atm)
8008 bpf_error("'sc' supported only on raw ATM");
8009 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8010 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8011 gen_and(b0, b1);
8012 break;
8013
8014 case A_ILMIC:
8015 /* Get all packets in ILMI Circuit */
8016 if (!is_atm)
8017 bpf_error("'ilmic' supported only on raw ATM");
8018 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8019 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8020 gen_and(b0, b1);
8021 break;
8022
8023 case A_LANE:
8024 /* Get all LANE packets */
8025 if (!is_atm)
8026 bpf_error("'lane' supported only on raw ATM");
8027 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8028
8029 /*
8030 * Arrange that all subsequent tests assume LANE
8031 * rather than LLC-encapsulated packets, and set
8032 * the offsets appropriately for LANE-encapsulated
8033 * Ethernet.
8034 *
8035 * "off_mac" is the offset of the Ethernet header,
8036 * which is 2 bytes past the ATM pseudo-header
8037 * (skipping the pseudo-header and 2-byte LE Client
8038 * field). The other offsets are Ethernet offsets
8039 * relative to "off_mac".
8040 */
8041 is_lane = 1;
8042 off_mac = off_payload + 2; /* MAC header */
8043 off_linktype = off_mac + 12;
8044 off_macpl = off_mac + 14; /* Ethernet */
8045 off_nl = 0; /* Ethernet II */
8046 off_nl_nosnap = 3; /* 802.3+802.2 */
8047 break;
8048
8049 case A_LLC:
8050 /* Get all LLC-encapsulated packets */
8051 if (!is_atm)
8052 bpf_error("'llc' supported only on raw ATM");
8053 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8054 is_lane = 0;
8055 break;
8056
8057 default:
8058 abort();
8059 }
8060 return b1;
8061 }
8062
8063 /*
8064 * Filtering for MTP2 messages based on li value
8065 * FISU, length is null
8066 * LSSU, length is 1 or 2
8067 * MSU, length is 3 or more
8068 */
gen_mtp2type_abbrev(type)8069 struct block *gen_mtp2type_abbrev(type)
8070 int type;
8071 {
8072 struct block *b0, *b1;
8073
8074 switch (type)
8075 {
8076
8077 case M_FISU:
8078 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR))
8079 bpf_error("'fisu' supported only on MTP2");
8080 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8081 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8082 break;
8083
8084 case M_LSSU:
8085 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR))
8086 bpf_error("'lssu' supported only on MTP2");
8087 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8088 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8089 gen_and(b1, b0);
8090 break;
8091
8092 case M_MSU:
8093 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR))
8094 bpf_error("'msu' supported only on MTP2");
8095 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8096 break;
8097
8098 default:
8099 abort();
8100 }
8101 return b0;
8102 }
8103
gen_mtp3field_code(mtp3field,jvalue,jtype,reverse)8104 struct block *gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8105 int mtp3field;
8106 bpf_u_int32 jvalue;
8107 bpf_u_int32 jtype;
8108 int reverse;
8109 {
8110 struct block *b0;
8111 bpf_u_int32 val1, val2, val3;
8112
8113 switch (mtp3field)
8114 {
8115
8116 case M_SIO:
8117 if (off_sio == (u_int) - 1)
8118 bpf_error("'sio' supported only on SS7");
8119 /* sio coded on 1 byte so max value 255 */
8120 if (jvalue > 255)
8121 bpf_error("sio value %u too big; max value = 255", jvalue);
8122 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, (u_int) jtype, reverse, (u_int) jvalue);
8123 break;
8124
8125 case M_OPC:
8126 if (off_opc == (u_int) - 1)
8127 bpf_error("'opc' supported only on SS7");
8128 /* opc coded on 14 bits so max value 16383 */
8129 if (jvalue > 16383)
8130 bpf_error("opc value %u too big; max value = 16383", jvalue);
8131 /* the following instructions are made to convert jvalue
8132 * to the form used to write opc in an ss7 message*/
8133 val1 = jvalue & 0x00003c00;
8134 val1 = val1 >> 10;
8135 val2 = jvalue & 0x000003fc;
8136 val2 = val2 << 6;
8137 val3 = jvalue & 0x00000003;
8138 val3 = val3 << 22;
8139 jvalue = val1 + val2 + val3;
8140 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, (u_int) jtype, reverse, (u_int) jvalue);
8141 break;
8142
8143 case M_DPC:
8144 if (off_dpc == (u_int) - 1)
8145 bpf_error("'dpc' supported only on SS7");
8146 /* dpc coded on 14 bits so max value 16383 */
8147 if (jvalue > 16383)
8148 bpf_error("dpc value %u too big; max value = 16383", jvalue);
8149 /* the following instructions are made to convert jvalue
8150 * to the forme used to write dpc in an ss7 message*/
8151 val1 = jvalue & 0x000000ff;
8152 val1 = val1 << 24;
8153 val2 = jvalue & 0x00003f00;
8154 val2 = val2 << 8;
8155 jvalue = val1 + val2;
8156 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, (u_int) jtype, reverse, (u_int) jvalue);
8157 break;
8158
8159 case M_SLS:
8160 if (off_sls == (u_int) - 1)
8161 bpf_error("'sls' supported only on SS7");
8162 /* sls coded on 4 bits so max value 15 */
8163 if (jvalue > 15)
8164 bpf_error("sls value %u too big; max value = 15", jvalue);
8165 /* the following instruction is made to convert jvalue
8166 * to the forme used to write sls in an ss7 message*/
8167 jvalue = jvalue << 4;
8168 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, (u_int) jtype, reverse, (u_int) jvalue);
8169 break;
8170
8171 default:
8172 abort();
8173 }
8174 return b0;
8175 }
8176
gen_msg_abbrev(type)8177 static struct block *gen_msg_abbrev(type)
8178 int type;
8179 {
8180 struct block *b1;
8181
8182 /*
8183 * Q.2931 signalling protocol messages for handling virtual circuits
8184 * establishment and teardown
8185 */
8186 switch (type)
8187 {
8188
8189 case A_SETUP:
8190 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8191 break;
8192
8193 case A_CALLPROCEED:
8194 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8195 break;
8196
8197 case A_CONNECT:
8198 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8199 break;
8200
8201 case A_CONNECTACK:
8202 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8203 break;
8204
8205 case A_RELEASE:
8206 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8207 break;
8208
8209 case A_RELEASE_DONE:
8210 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8211 break;
8212
8213 default:
8214 abort();
8215 }
8216 return b1;
8217 }
8218
gen_atmmulti_abbrev(type)8219 struct block *gen_atmmulti_abbrev(type)
8220 int type;
8221 {
8222 struct block *b0, *b1;
8223
8224 switch (type)
8225 {
8226
8227 case A_OAM:
8228 if (!is_atm)
8229 bpf_error("'oam' supported only on raw ATM");
8230 b1 = gen_atmmulti_abbrev(A_OAMF4);
8231 break;
8232
8233 case A_OAMF4:
8234 if (!is_atm)
8235 bpf_error("'oamf4' supported only on raw ATM");
8236 /* OAM F4 type */
8237 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8238 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8239 gen_or(b0, b1);
8240 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8241 gen_and(b0, b1);
8242 break;
8243
8244 case A_CONNECTMSG:
8245 /*
8246 * Get Q.2931 signalling messages for switched
8247 * virtual connection
8248 */
8249 if (!is_atm)
8250 bpf_error("'connectmsg' supported only on raw ATM");
8251 b0 = gen_msg_abbrev(A_SETUP);
8252 b1 = gen_msg_abbrev(A_CALLPROCEED);
8253 gen_or(b0, b1);
8254 b0 = gen_msg_abbrev(A_CONNECT);
8255 gen_or(b0, b1);
8256 b0 = gen_msg_abbrev(A_CONNECTACK);
8257 gen_or(b0, b1);
8258 b0 = gen_msg_abbrev(A_RELEASE);
8259 gen_or(b0, b1);
8260 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8261 gen_or(b0, b1);
8262 b0 = gen_atmtype_abbrev(A_SC);
8263 gen_and(b0, b1);
8264 break;
8265
8266 case A_METACONNECT:
8267 if (!is_atm)
8268 bpf_error("'metaconnect' supported only on raw ATM");
8269 b0 = gen_msg_abbrev(A_SETUP);
8270 b1 = gen_msg_abbrev(A_CALLPROCEED);
8271 gen_or(b0, b1);
8272 b0 = gen_msg_abbrev(A_CONNECT);
8273 gen_or(b0, b1);
8274 b0 = gen_msg_abbrev(A_RELEASE);
8275 gen_or(b0, b1);
8276 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8277 gen_or(b0, b1);
8278 b0 = gen_atmtype_abbrev(A_METAC);
8279 gen_and(b0, b1);
8280 break;
8281
8282 default:
8283 abort();
8284 }
8285 return b1;
8286 }
8287