1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Some portions Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 7 * Some portions Copyright (C) 2010-2013 Sourcefire, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that: (1) source code distributions 11 * retain the above copyright notice and this paragraph in its entirety, (2) 12 * distributions including binary code include the above copyright notice and 13 * this paragraph in its entirety in the documentation or other materials 14 * provided with the distribution, and (3) all advertising materials mentioning 15 * features or use of this software display the following acknowledgement: 16 * ``This product includes software developed by the University of California, 17 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 18 * the University nor the names of its contributors may be used to endorse 19 * or promote products derived from this software without specific prior 20 * written permission. 21 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 22 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 24 */ 25 #ifndef lint 26 static const char __attribute__ ((unused)) rcsid[] = 27 "@(#) $Header: /usr/cvsroot/sfeng/ims/src/libraries/daq/daq/sfbpf/sf_gencode.c,v 1.6 2014/06/10 13:38:55 cwaxman Exp $ (LBL)"; 28 #endif 29 30 #ifdef HAVE_CONFIG_H 31 #include "config.h" 32 #endif 33 34 #ifdef WIN32 35 #include "win32-stdinc.h" 36 #else /* WIN32 */ 37 #if HAVE_INTTYPES_H 38 #include <inttypes.h> 39 #elif HAVE_STDINT_H 40 #include <stdint.h> 41 #endif 42 #ifdef HAVE_SYS_BITYPES_H 43 #include <sys/bitypes.h> 44 #endif 45 #include <sys/types.h> 46 #include <sys/socket.h> 47 #endif /* WIN32 */ 48 49 /* 50 * XXX - why was this included even on UNIX? 51 */ 52 #ifdef __MINGW32__ 53 #include "IP6_misc.h" 54 #endif 55 56 #ifndef WIN32 57 58 #ifdef __NetBSD__ 59 #include <sys/param.h> 60 #endif 61 62 #include <netinet/in.h> 63 #include <arpa/inet.h> 64 65 #endif /* WIN32 */ 66 67 #include <stdlib.h> 68 #include <string.h> 69 #include <memory.h> 70 #include <setjmp.h> 71 #include <stdarg.h> 72 #include <stdio.h> 73 74 #ifdef MSDOS 75 #include "pcap-dos.h" 76 #endif 77 78 #include "sfbpf-int.h" 79 80 #include "ethertype.h" 81 #include "nlpid.h" 82 #include "llc.h" 83 #include "gencode.h" 84 #include "ieee80211.h" 85 #include "atmuni31.h" 86 #include "sunatmpos.h" 87 #include "ppp.h" 88 #include "sll.h" 89 #include "ipnet.h" 90 #include "arcnet.h" 91 #ifdef HAVE_NET_PFVAR_H 92 #include <sys/socket.h> 93 #include <net/if.h> 94 #include <net/pfvar.h> 95 #include <net/if_pflog.h> 96 #endif 97 #ifndef offsetof 98 #define offsetof(s, e) ((size_t)&((s *)0)->e) 99 #endif 100 #ifdef INET6 101 #ifndef WIN32 102 #include <netdb.h> /* for "struct addrinfo" */ 103 #endif /* WIN32 */ 104 #endif /*INET6 */ 105 #include "namedb.h" 106 107 #define ETHERMTU 1500 108 109 #ifndef IPPROTO_SCTP 110 #define IPPROTO_SCTP 132 111 #endif 112 113 #define JMP(c) ((c)|BPF_JMP|BPF_K) 114 115 #if defined(__GNUC__) 116 #pragma GCC diagnostic ignored "-Wunused-value" 117 #endif /* __GNUC__ */ 118 119 /* Locals */ 120 static __thread jmp_buf top_ctx; 121 static __thread char bpf_error_filter[PCAP_ERRBUF_SIZE + 1]; 122 123 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 124 #ifdef WIN32 125 static u_int orig_linktype = (u_int) - 1, orig_nl = (u_int) - 1, label_stack_depth = (u_int) - 1; 126 #else 127 static __thread u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 128 #endif 129 130 /* XXX */ 131 #ifdef PCAP_FDDIPAD 132 static int pcap_fddipad; 133 #endif 134 135 /* VARARGS */ 136 void bpf_error(const char *fmt, ...) 137 { 138 va_list ap; 139 140 va_start(ap, fmt); 141 (void) vsnprintf(bpf_error_filter, PCAP_ERRBUF_SIZE, fmt, ap); 142 va_end(ap); 143 longjmp(top_ctx, 1); 144 /* NOTREACHED */ 145 } 146 147 static void init_linktype(int); 148 149 static void init_regs(void); 150 static int alloc_reg(void); 151 static void free_reg(int); 152 153 static __thread struct block *root; 154 155 /* 156 * Value passed to gen_load_a() to indicate what the offset argument 157 * is relative to. 158 */ 159 enum e_offrel 160 { 161 OR_PACKET, /* relative to the beginning of the packet */ 162 OR_LINK, /* relative to the beginning of the link-layer header */ 163 OR_MACPL, /* relative to the end of the MAC-layer header */ 164 OR_NET, /* relative to the network-layer header */ 165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 168 }; 169 170 #ifdef INET6 171 /* 172 * As errors are handled by a longjmp, anything allocated must be freed 173 * in the longjmp handler, so it must be reachable from that handler. 174 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 175 * it must be freed with freeaddrinfo(). This variable points to any 176 * addrinfo structure that would need to be freed. 177 */ 178 static struct addrinfo *ai; 179 #endif 180 181 /* 182 * We divy out chunks of memory rather than call malloc each time so 183 * we don't have to worry about leaking memory. It's probably 184 * not a big deal if all this memory was wasted but if this ever 185 * goes into a library that would probably not be a good idea. 186 * 187 * XXX - this *is* in a library.... 188 */ 189 #define NCHUNKS 16 190 #define CHUNK0SIZE 1024 191 struct chunk 192 { 193 u_int n_left; 194 void *m; 195 }; 196 197 static __thread struct chunk chunks[NCHUNKS]; 198 static __thread int cur_chunk; 199 200 static void *newchunk(u_int); 201 static void freechunks(void); 202 static inline struct block *new_block(int); 203 static inline struct slist *new_stmt(int); 204 static struct block *gen_retblk(int); 205 static inline void syntax(void); 206 207 static void backpatch(struct block *, struct block *); 208 static void merge(struct block *, struct block *); 209 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 210 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 211 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 212 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 213 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 214 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, bpf_u_int32); 215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 217 bpf_u_int32, bpf_u_int32, int, bpf_int32); 218 static struct slist *gen_load_llrel(u_int, u_int); 219 static struct slist *gen_load_macplrel(u_int, u_int); 220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 221 static struct slist *gen_loadx_iphdrlen(void); 222 static struct block *gen_uncond(int); 223 static inline struct block *gen_true(void); 224 static inline struct block *gen_false(void); 225 static struct block *gen_ether_linktype(int); 226 static struct block *gen_ipnet_linktype(int); 227 static struct block *gen_linux_sll_linktype(int); 228 static struct slist *gen_load_prism_llprefixlen(void); 229 static struct slist *gen_load_avs_llprefixlen(void); 230 static struct slist *gen_load_radiotap_llprefixlen(void); 231 static struct slist *gen_load_ppi_llprefixlen(void); 232 static void insert_compute_vloffsets(struct block *); 233 static struct slist *gen_llprefixlen(void); 234 static struct slist *gen_off_macpl(void); 235 static int ethertype_to_ppptype(int); 236 static struct block *gen_linktype(int); 237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 238 static struct block *gen_llc_linktype(int); 239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 240 #ifdef INET6 241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 242 #endif 243 static struct block *gen_ahostop(const u_char *, int); 244 static struct block *gen_ehostop(const u_char *, int); 245 static struct block *gen_fhostop(const u_char *, int); 246 static struct block *gen_thostop(const u_char *, int); 247 static struct block *gen_wlanhostop(const u_char *, int); 248 static struct block *gen_ipfchostop(const u_char *, int); 249 static struct block *gen_dnhostop(bpf_u_int32, int); 250 static struct block *gen_mpls_linktype(int); 251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 252 #ifdef INET6 253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 254 #endif 255 #ifndef INET6 256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 257 #endif 258 static struct block *gen_ipfrag(void); 259 static struct block *gen_portatom(int, bpf_int32); 260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 261 #ifdef INET6 262 static struct block *gen_portatom6(int, bpf_int32); 263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 264 #endif 265 struct block *gen_portop(int, int, int); 266 static struct block *gen_port(int, int, int); 267 struct block *gen_portrangeop(int, int, int, int); 268 static struct block *gen_portrange(int, int, int, int); 269 #ifdef INET6 270 struct block *gen_portop6(int, int, int); 271 static struct block *gen_port6(int, int, int); 272 struct block *gen_portrangeop6(int, int, int, int); 273 static struct block *gen_portrange6(int, int, int, int); 274 #endif 275 static int lookup_proto(const char *, int); 276 static struct block *gen_protochain(int, int, int); 277 static struct block *gen_proto(int, int, int); 278 static struct slist *xfer_to_x(struct arth *); 279 static struct slist *xfer_to_a(struct arth *); 280 static struct block *gen_mac_multicast(int); 281 static struct block *gen_len(int, int); 282 static struct block *gen_check_802_11_data_frame(void); 283 284 static struct block *gen_ppi_dlt_check(void); 285 static struct block *gen_msg_abbrev(int type); 286 287 static void *newchunk(n) 288 u_int n; 289 { 290 struct chunk *cp; 291 int k; 292 size_t size; 293 294 #ifndef __NetBSD__ 295 /* XXX Round up to nearest long. */ 296 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 297 #else 298 /* XXX Round up to structure boundary. */ 299 n = ALIGN(n); 300 #endif 301 302 cp = &chunks[cur_chunk]; 303 if (n > cp->n_left) 304 { 305 ++cp, k = ++cur_chunk; 306 if (k >= NCHUNKS) 307 bpf_error("out of memory"); 308 size = CHUNK0SIZE << k; 309 cp->m = (void *) malloc(size); 310 if (cp->m == NULL) 311 bpf_error("out of memory"); 312 memset((char *) cp->m, 0, size); 313 cp->n_left = size; 314 if (n > size) 315 bpf_error("out of memory"); 316 } 317 cp->n_left -= n; 318 return (void *) ((char *) cp->m + cp->n_left); 319 } 320 321 static void freechunks() 322 { 323 int i; 324 325 cur_chunk = 0; 326 for (i = 0; i < NCHUNKS; ++i) 327 if (chunks[i].m != NULL) 328 { 329 free(chunks[i].m); 330 chunks[i].m = NULL; 331 } 332 } 333 334 /* 335 * A strdup whose allocations are freed after code generation is over. 336 */ 337 char *sdup(s) 338 register const char *s; 339 { 340 int n = strlen(s) + 1; 341 char *cp = newchunk(n); 342 343 strlcpy(cp, s, n); 344 return (cp); 345 } 346 347 static inline struct block *new_block(code) 348 int code; 349 { 350 struct block *p; 351 352 p = (struct block *) newchunk(sizeof(*p)); 353 p->s.code = code; 354 p->head = p; 355 356 return p; 357 } 358 359 static inline struct slist *new_stmt(code) 360 int code; 361 { 362 struct slist *p; 363 364 p = (struct slist *) newchunk(sizeof(*p)); 365 p->s.code = code; 366 367 return p; 368 } 369 370 static struct block *gen_retblk(v) 371 int v; 372 { 373 struct block *b = new_block(BPF_RET | BPF_K); 374 375 b->s.k = v; 376 return b; 377 } 378 379 static inline void syntax() 380 { 381 bpf_error("syntax error in filter expression"); 382 } 383 384 static __thread bpf_u_int32 netmask; 385 static __thread int snaplen; 386 __thread int no_optimize; 387 388 DAQ_SO_PUBLIC int pcap_compile(int snaplen_arg, int linktype_arg, struct bpf_program *program, const char *buf, int optimize, bpf_u_int32 mask) 389 { 390 extern __thread int n_errors; 391 const char *volatile xbuf = buf; 392 int len; 393 394 no_optimize = 0; 395 n_errors = 0; 396 root = NULL; 397 init_regs(); 398 if (setjmp(top_ctx)) 399 { 400 #ifdef INET6 401 if (ai != NULL) 402 { 403 freeaddrinfo(ai); 404 ai = NULL; 405 } 406 #endif 407 lex_cleanup(); 408 freechunks(); 409 return (-1); 410 } 411 412 netmask = mask; 413 414 snaplen = snaplen_arg; 415 if (snaplen == 0) 416 { 417 snprintf(bpf_error_filter, PCAP_ERRBUF_SIZE, "snaplen of 0 rejects all packets"); 418 return -1; 419 } 420 421 lex_init(xbuf ? xbuf : ""); 422 init_linktype(linktype_arg); 423 (void) pcap_parse(); 424 425 if (n_errors) 426 syntax(); 427 428 if (root == NULL) 429 root = gen_retblk(snaplen); 430 431 if (optimize && !no_optimize) 432 { 433 bpf_optimize(&root); 434 if (root == NULL || (root->s.code == (BPF_RET | BPF_K) && root->s.k == 0)) 435 bpf_error("expression rejects all packets"); 436 } 437 program->bf_insns = icode_to_fcode(root, &len); 438 program->bf_len = len; 439 440 lex_cleanup(); 441 freechunks(); 442 return (0); 443 } 444 445 /* 446 * Clean up a "struct bpf_program" by freeing all the memory allocated 447 * in it. 448 */ 449 DAQ_SO_PUBLIC void pcap_freecode(struct bpf_program *program) 450 { 451 program->bf_len = 0; 452 if (program->bf_insns != NULL) 453 { 454 free((char *) program->bf_insns); 455 program->bf_insns = NULL; 456 } 457 } 458 459 /* 460 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 461 * which of the jt and jf fields has been resolved and which is a pointer 462 * back to another unresolved block (or nil). At least one of the fields 463 * in each block is already resolved. 464 */ 465 static void backpatch(list, target) 466 struct block *list, *target; 467 { 468 struct block *next; 469 470 while (list) 471 { 472 if (!list->sense) 473 { 474 next = JT(list); 475 JT(list) = target; 476 } 477 else 478 { 479 next = JF(list); 480 JF(list) = target; 481 } 482 list = next; 483 } 484 } 485 486 /* 487 * Merge the lists in b0 and b1, using the 'sense' field to indicate 488 * which of jt and jf is the link. 489 */ 490 static void merge(b0, b1) 491 struct block *b0, *b1; 492 { 493 register struct block **p = &b0; 494 495 /* Find end of list. */ 496 while (*p) 497 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 498 499 /* Concatenate the lists. */ 500 *p = b1; 501 } 502 503 void finish_parse(p) 504 struct block *p; 505 { 506 struct block *ppi_dlt_check; 507 508 /* 509 * Insert before the statements of the first (root) block any 510 * statements needed to load the lengths of any variable-length 511 * headers into registers. 512 * 513 * XXX - a fancier strategy would be to insert those before the 514 * statements of all blocks that use those lengths and that 515 * have no predecessors that use them, so that we only compute 516 * the lengths if we need them. There might be even better 517 * approaches than that. 518 * 519 * However, those strategies would be more complicated, and 520 * as we don't generate code to compute a length if the 521 * program has no tests that use the length, and as most 522 * tests will probably use those lengths, we would just 523 * postpone computing the lengths so that it's not done 524 * for tests that fail early, and it's not clear that's 525 * worth the effort. 526 */ 527 insert_compute_vloffsets(p->head); 528 529 /* 530 * For DLT_PPI captures, generate a check of the per-packet 531 * DLT value to make sure it's DLT_IEEE802_11. 532 */ 533 ppi_dlt_check = gen_ppi_dlt_check(); 534 if (ppi_dlt_check != NULL) 535 gen_and(ppi_dlt_check, p); 536 537 backpatch(p, gen_retblk(snaplen)); 538 p->sense = !p->sense; 539 backpatch(p, gen_retblk(0)); 540 root = p->head; 541 } 542 543 void gen_and(b0, b1) 544 struct block *b0, *b1; 545 { 546 backpatch(b0, b1->head); 547 b0->sense = !b0->sense; 548 b1->sense = !b1->sense; 549 merge(b1, b0); 550 b1->sense = !b1->sense; 551 b1->head = b0->head; 552 } 553 554 void gen_or(b0, b1) 555 struct block *b0, *b1; 556 { 557 b0->sense = !b0->sense; 558 backpatch(b0, b1->head); 559 b0->sense = !b0->sense; 560 merge(b1, b0); 561 b1->head = b0->head; 562 } 563 564 void gen_not(b) 565 struct block *b; 566 { 567 b->sense = !b->sense; 568 } 569 570 static struct block *gen_cmp(offrel, offset, size, v) 571 enum e_offrel offrel; 572 u_int offset, size; 573 bpf_int32 v; 574 { 575 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 576 } 577 578 static struct block *gen_cmp_gt(offrel, offset, size, v) 579 enum e_offrel offrel; 580 u_int offset, size; 581 bpf_int32 v; 582 { 583 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 584 } 585 586 static struct block *gen_cmp_ge(offrel, offset, size, v) 587 enum e_offrel offrel; 588 u_int offset, size; 589 bpf_int32 v; 590 { 591 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 592 } 593 594 static struct block *gen_cmp_lt(offrel, offset, size, v) 595 enum e_offrel offrel; 596 u_int offset, size; 597 bpf_int32 v; 598 { 599 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 600 } 601 602 static struct block *gen_cmp_le(offrel, offset, size, v) 603 enum e_offrel offrel; 604 u_int offset, size; 605 bpf_int32 v; 606 { 607 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 608 } 609 610 static struct block *gen_mcmp(offrel, offset, size, v, mask) 611 enum e_offrel offrel; 612 u_int offset, size; 613 bpf_int32 v; 614 bpf_u_int32 mask; 615 { 616 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 617 } 618 619 static struct block *gen_bcmp(offrel, offset, size, v) 620 enum e_offrel offrel; 621 register u_int offset, size; 622 register const u_char *v; 623 { 624 register struct block *b, *tmp; 625 626 b = NULL; 627 while (size >= 4) 628 { 629 register const u_char *p = &v[size - 4]; 630 bpf_int32 w = ((bpf_int32) p[0] << 24) | ((bpf_int32) p[1] << 16) | ((bpf_int32) p[2] << 8) | p[3]; 631 632 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 633 if (b != NULL) 634 gen_and(b, tmp); 635 b = tmp; 636 size -= 4; 637 } 638 while (size >= 2) 639 { 640 register const u_char *p = &v[size - 2]; 641 bpf_int32 w = ((bpf_int32) p[0] << 8) | p[1]; 642 643 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 644 if (b != NULL) 645 gen_and(b, tmp); 646 b = tmp; 647 size -= 2; 648 } 649 if (size > 0) 650 { 651 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32) v[0]); 652 if (b != NULL) 653 gen_and(b, tmp); 654 b = tmp; 655 } 656 return b; 657 } 658 659 /* 660 * AND the field of size "size" at offset "offset" relative to the header 661 * specified by "offrel" with "mask", and compare it with the value "v" 662 * with the test specified by "jtype"; if "reverse" is true, the test 663 * should test the opposite of "jtype". 664 */ 665 static struct block *gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 666 enum e_offrel offrel; 667 bpf_int32 v; 668 bpf_u_int32 offset, size, mask, jtype; 669 int reverse; 670 { 671 struct slist *s, *s2; 672 struct block *b; 673 674 s = gen_load_a(offrel, offset, size); 675 676 if (mask != 0xffffffff) 677 { 678 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K); 679 s2->s.k = mask; 680 sappend(s, s2); 681 } 682 683 b = new_block(JMP(jtype)); 684 b->stmts = s; 685 b->s.k = v; 686 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 687 gen_not(b); 688 return b; 689 } 690 691 /* 692 * Various code constructs need to know the layout of the data link 693 * layer. These variables give the necessary offsets from the beginning 694 * of the packet data. 695 */ 696 697 /* 698 * This is the offset of the beginning of the link-layer header from 699 * the beginning of the raw packet data. 700 * 701 * It's usually 0, except for 802.11 with a fixed-length radio header. 702 * (For 802.11 with a variable-length radio header, we have to generate 703 * code to compute that offset; off_ll is 0 in that case.) 704 */ 705 static __thread u_int off_ll; 706 707 /* 708 * If there's a variable-length header preceding the link-layer header, 709 * "reg_off_ll" is the register number for a register containing the 710 * length of that header, and therefore the offset of the link-layer 711 * header from the beginning of the raw packet data. Otherwise, 712 * "reg_off_ll" is -1. 713 */ 714 static __thread int reg_off_ll; 715 716 /* 717 * This is the offset of the beginning of the MAC-layer header from 718 * the beginning of the link-layer header. 719 * It's usually 0, except for ATM LANE, where it's the offset, relative 720 * to the beginning of the raw packet data, of the Ethernet header. 721 */ 722 static __thread u_int off_mac; 723 724 /* 725 * This is the offset of the beginning of the MAC-layer payload, 726 * from the beginning of the raw packet data. 727 * 728 * I.e., it's the sum of the length of the link-layer header (without, 729 * for example, any 802.2 LLC header, so it's the MAC-layer 730 * portion of that header), plus any prefix preceding the 731 * link-layer header. 732 */ 733 static __thread u_int off_macpl; 734 735 /* 736 * This is 1 if the offset of the beginning of the MAC-layer payload 737 * from the beginning of the link-layer header is variable-length. 738 */ 739 static __thread int off_macpl_is_variable; 740 741 /* 742 * If the link layer has variable_length headers, "reg_off_macpl" 743 * is the register number for a register containing the length of the 744 * link-layer header plus the length of any variable-length header 745 * preceding the link-layer header. Otherwise, "reg_off_macpl" 746 * is -1. 747 */ 748 static __thread int reg_off_macpl; 749 750 /* 751 * "off_linktype" is the offset to information in the link-layer header 752 * giving the packet type. This offset is relative to the beginning 753 * of the link-layer header (i.e., it doesn't include off_ll). 754 * 755 * For Ethernet, it's the offset of the Ethernet type field. 756 * 757 * For link-layer types that always use 802.2 headers, it's the 758 * offset of the LLC header. 759 * 760 * For PPP, it's the offset of the PPP type field. 761 * 762 * For Cisco HDLC, it's the offset of the CHDLC type field. 763 * 764 * For BSD loopback, it's the offset of the AF_ value. 765 * 766 * For Linux cooked sockets, it's the offset of the type field. 767 * 768 * It's set to -1 for no encapsulation, in which case, IP is assumed. 769 */ 770 static __thread u_int off_linktype; 771 772 /* 773 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 774 * checks to check the PPP header, assumed to follow a LAN-style link- 775 * layer header and a PPPoE session header. 776 */ 777 static __thread int is_pppoes = 0; 778 779 /* 780 * TRUE if the link layer includes an ATM pseudo-header. 781 */ 782 static __thread int is_atm = 0; 783 784 /* 785 * TRUE if "lane" appeared in the filter; it causes us to generate 786 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 787 */ 788 static __thread int is_lane = 0; 789 790 /* 791 * These are offsets for the ATM pseudo-header. 792 */ 793 static __thread u_int off_vpi; 794 static __thread u_int off_vci; 795 static __thread u_int off_proto; 796 797 /* 798 * These are offsets for the MTP2 fields. 799 */ 800 static __thread u_int off_li; 801 802 /* 803 * These are offsets for the MTP3 fields. 804 */ 805 static __thread u_int off_sio; 806 static __thread u_int off_opc; 807 static __thread u_int off_dpc; 808 static __thread u_int off_sls; 809 810 /* 811 * This is the offset of the first byte after the ATM pseudo_header, 812 * or -1 if there is no ATM pseudo-header. 813 */ 814 static __thread u_int off_payload; 815 816 /* 817 * These are offsets to the beginning of the network-layer header. 818 * They are relative to the beginning of the MAC-layer payload (i.e., 819 * they don't include off_ll or off_macpl). 820 * 821 * If the link layer never uses 802.2 LLC: 822 * 823 * "off_nl" and "off_nl_nosnap" are the same. 824 * 825 * If the link layer always uses 802.2 LLC: 826 * 827 * "off_nl" is the offset if there's a SNAP header following 828 * the 802.2 header; 829 * 830 * "off_nl_nosnap" is the offset if there's no SNAP header. 831 * 832 * If the link layer is Ethernet: 833 * 834 * "off_nl" is the offset if the packet is an Ethernet II packet 835 * (we assume no 802.3+802.2+SNAP); 836 * 837 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 838 * with an 802.2 header following it. 839 */ 840 static __thread u_int off_nl; 841 static __thread u_int off_nl_nosnap; 842 843 static __thread int linktype; 844 845 static void init_linktype(type) 846 int type; 847 { 848 linktype = type; 849 #ifdef PCAP_FDDIPAD 850 pcap_fddipad = p->fddipad; 851 #endif 852 853 /* 854 * Assume it's not raw ATM with a pseudo-header, for now. 855 */ 856 off_mac = 0; 857 is_atm = 0; 858 is_lane = 0; 859 off_vpi = -1; 860 off_vci = -1; 861 off_proto = -1; 862 off_payload = -1; 863 864 /* 865 * And that we're not doing PPPoE. 866 */ 867 is_pppoes = 0; 868 869 /* 870 * And assume we're not doing SS7. 871 */ 872 off_li = -1; 873 off_sio = -1; 874 off_opc = -1; 875 off_dpc = -1; 876 off_sls = -1; 877 878 /* 879 * Also assume it's not 802.11. 880 */ 881 off_ll = 0; 882 off_macpl = 0; 883 off_macpl_is_variable = 0; 884 885 orig_linktype = -1; 886 orig_nl = -1; 887 label_stack_depth = 0; 888 889 reg_off_ll = -1; 890 reg_off_macpl = -1; 891 892 switch (linktype) 893 { 894 895 case DLT_ARCNET: 896 off_linktype = 2; 897 off_macpl = 6; 898 off_nl = 0; /* XXX in reality, variable! */ 899 off_nl_nosnap = 0; /* no 802.2 LLC */ 900 return; 901 902 case DLT_ARCNET_LINUX: 903 off_linktype = 4; 904 off_macpl = 8; 905 off_nl = 0; /* XXX in reality, variable! */ 906 off_nl_nosnap = 0; /* no 802.2 LLC */ 907 return; 908 909 case DLT_EN10MB: 910 off_linktype = 12; 911 off_macpl = 14; /* Ethernet header length */ 912 off_nl = 0; /* Ethernet II */ 913 off_nl_nosnap = 3; /* 802.3+802.2 */ 914 return; 915 916 case DLT_SLIP: 917 /* 918 * SLIP doesn't have a link level type. The 16 byte 919 * header is hacked into our SLIP driver. 920 */ 921 off_linktype = -1; 922 off_macpl = 16; 923 off_nl = 0; 924 off_nl_nosnap = 0; /* no 802.2 LLC */ 925 return; 926 927 case DLT_SLIP_BSDOS: 928 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 929 off_linktype = -1; 930 /* XXX end */ 931 off_macpl = 24; 932 off_nl = 0; 933 off_nl_nosnap = 0; /* no 802.2 LLC */ 934 return; 935 936 case DLT_NULL: 937 case DLT_LOOP: 938 off_linktype = 0; 939 off_macpl = 4; 940 off_nl = 0; 941 off_nl_nosnap = 0; /* no 802.2 LLC */ 942 return; 943 944 case DLT_ENC: 945 off_linktype = 0; 946 off_macpl = 12; 947 off_nl = 0; 948 off_nl_nosnap = 0; /* no 802.2 LLC */ 949 return; 950 951 case DLT_PPP: 952 case DLT_PPP_PPPD: 953 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 954 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 955 off_linktype = 2; 956 off_macpl = 4; 957 off_nl = 0; 958 off_nl_nosnap = 0; /* no 802.2 LLC */ 959 return; 960 961 case DLT_PPP_ETHER: 962 /* 963 * This does no include the Ethernet header, and 964 * only covers session state. 965 */ 966 off_linktype = 6; 967 off_macpl = 8; 968 off_nl = 0; 969 off_nl_nosnap = 0; /* no 802.2 LLC */ 970 return; 971 972 case DLT_PPP_BSDOS: 973 off_linktype = 5; 974 off_macpl = 24; 975 off_nl = 0; 976 off_nl_nosnap = 0; /* no 802.2 LLC */ 977 return; 978 979 case DLT_FDDI: 980 /* 981 * FDDI doesn't really have a link-level type field. 982 * We set "off_linktype" to the offset of the LLC header. 983 * 984 * To check for Ethernet types, we assume that SSAP = SNAP 985 * is being used and pick out the encapsulated Ethernet type. 986 * XXX - should we generate code to check for SNAP? 987 */ 988 off_linktype = 13; 989 #ifdef PCAP_FDDIPAD 990 off_linktype += pcap_fddipad; 991 #endif 992 off_macpl = 13; /* FDDI MAC header length */ 993 #ifdef PCAP_FDDIPAD 994 off_macpl += pcap_fddipad; 995 #endif 996 off_nl = 8; /* 802.2+SNAP */ 997 off_nl_nosnap = 3; /* 802.2 */ 998 return; 999 1000 case DLT_IEEE802: 1001 /* 1002 * Token Ring doesn't really have a link-level type field. 1003 * We set "off_linktype" to the offset of the LLC header. 1004 * 1005 * To check for Ethernet types, we assume that SSAP = SNAP 1006 * is being used and pick out the encapsulated Ethernet type. 1007 * XXX - should we generate code to check for SNAP? 1008 * 1009 * XXX - the header is actually variable-length. 1010 * Some various Linux patched versions gave 38 1011 * as "off_linktype" and 40 as "off_nl"; however, 1012 * if a token ring packet has *no* routing 1013 * information, i.e. is not source-routed, the correct 1014 * values are 20 and 22, as they are in the vanilla code. 1015 * 1016 * A packet is source-routed iff the uppermost bit 1017 * of the first byte of the source address, at an 1018 * offset of 8, has the uppermost bit set. If the 1019 * packet is source-routed, the total number of bytes 1020 * of routing information is 2 plus bits 0x1F00 of 1021 * the 16-bit value at an offset of 14 (shifted right 1022 * 8 - figure out which byte that is). 1023 */ 1024 off_linktype = 14; 1025 off_macpl = 14; /* Token Ring MAC header length */ 1026 off_nl = 8; /* 802.2+SNAP */ 1027 off_nl_nosnap = 3; /* 802.2 */ 1028 return; 1029 1030 case DLT_IEEE802_11: 1031 case DLT_PRISM_HEADER: 1032 case DLT_IEEE802_11_RADIO_AVS: 1033 case DLT_IEEE802_11_RADIO: 1034 /* 1035 * 802.11 doesn't really have a link-level type field. 1036 * We set "off_linktype" to the offset of the LLC header. 1037 * 1038 * To check for Ethernet types, we assume that SSAP = SNAP 1039 * is being used and pick out the encapsulated Ethernet type. 1040 * XXX - should we generate code to check for SNAP? 1041 * 1042 * We also handle variable-length radio headers here. 1043 * The Prism header is in theory variable-length, but in 1044 * practice it's always 144 bytes long. However, some 1045 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1046 * sometimes or always supply an AVS header, so we 1047 * have to check whether the radio header is a Prism 1048 * header or an AVS header, so, in practice, it's 1049 * variable-length. 1050 */ 1051 off_linktype = 24; 1052 off_macpl = 0; /* link-layer header is variable-length */ 1053 off_macpl_is_variable = 1; 1054 off_nl = 8; /* 802.2+SNAP */ 1055 off_nl_nosnap = 3; /* 802.2 */ 1056 return; 1057 1058 case DLT_PPI: 1059 /* 1060 * At the moment we treat PPI the same way that we treat 1061 * normal Radiotap encoded packets. The difference is in 1062 * the function that generates the code at the beginning 1063 * to compute the header length. Since this code generator 1064 * of PPI supports bare 802.11 encapsulation only (i.e. 1065 * the encapsulated DLT should be DLT_IEEE802_11) we 1066 * generate code to check for this too. 1067 */ 1068 off_linktype = 24; 1069 off_macpl = 0; /* link-layer header is variable-length */ 1070 off_macpl_is_variable = 1; 1071 off_nl = 8; /* 802.2+SNAP */ 1072 off_nl_nosnap = 3; /* 802.2 */ 1073 return; 1074 1075 case DLT_ATM_RFC1483: 1076 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1077 /* 1078 * assume routed, non-ISO PDUs 1079 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1080 * 1081 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1082 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1083 * latter would presumably be treated the way PPPoE 1084 * should be, so you can do "pppoe and udp port 2049" 1085 * or "pppoa and tcp port 80" and have it check for 1086 * PPPo{A,E} and a PPP protocol of IP and.... 1087 */ 1088 off_linktype = 0; 1089 off_macpl = 0; /* packet begins with LLC header */ 1090 off_nl = 8; /* 802.2+SNAP */ 1091 off_nl_nosnap = 3; /* 802.2 */ 1092 return; 1093 1094 case DLT_SUNATM: 1095 /* 1096 * Full Frontal ATM; you get AALn PDUs with an ATM 1097 * pseudo-header. 1098 */ 1099 is_atm = 1; 1100 off_vpi = SUNATM_VPI_POS; 1101 off_vci = SUNATM_VCI_POS; 1102 off_proto = PROTO_POS; 1103 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1104 off_payload = SUNATM_PKT_BEGIN_POS; 1105 off_linktype = off_payload; 1106 off_macpl = off_payload; /* if LLC-encapsulated */ 1107 off_nl = 8; /* 802.2+SNAP */ 1108 off_nl_nosnap = 3; /* 802.2 */ 1109 return; 1110 1111 case DLT_RAW: 1112 case DLT_IPV4: 1113 case DLT_IPV6: 1114 off_linktype = -1; 1115 off_macpl = 0; 1116 off_nl = 0; 1117 off_nl_nosnap = 0; /* no 802.2 LLC */ 1118 return; 1119 1120 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1121 off_linktype = 14; 1122 off_macpl = 16; 1123 off_nl = 0; 1124 off_nl_nosnap = 0; /* no 802.2 LLC */ 1125 return; 1126 1127 case DLT_LTALK: 1128 /* 1129 * LocalTalk does have a 1-byte type field in the LLAP header, 1130 * but really it just indicates whether there is a "short" or 1131 * "long" DDP packet following. 1132 */ 1133 off_linktype = -1; 1134 off_macpl = 0; 1135 off_nl = 0; 1136 off_nl_nosnap = 0; /* no 802.2 LLC */ 1137 return; 1138 1139 case DLT_IP_OVER_FC: 1140 /* 1141 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1142 * link-level type field. We set "off_linktype" to the 1143 * offset of the LLC header. 1144 * 1145 * To check for Ethernet types, we assume that SSAP = SNAP 1146 * is being used and pick out the encapsulated Ethernet type. 1147 * XXX - should we generate code to check for SNAP? RFC 1148 * 2625 says SNAP should be used. 1149 */ 1150 off_linktype = 16; 1151 off_macpl = 16; 1152 off_nl = 8; /* 802.2+SNAP */ 1153 off_nl_nosnap = 3; /* 802.2 */ 1154 return; 1155 1156 case DLT_FRELAY: 1157 /* 1158 * XXX - we should set this to handle SNAP-encapsulated 1159 * frames (NLPID of 0x80). 1160 */ 1161 off_linktype = -1; 1162 off_macpl = 0; 1163 off_nl = 0; 1164 off_nl_nosnap = 0; /* no 802.2 LLC */ 1165 return; 1166 1167 /* 1168 * the only BPF-interesting FRF.16 frames are non-control frames; 1169 * Frame Relay has a variable length link-layer 1170 * so lets start with offset 4 for now and increments later on (FIXME); 1171 */ 1172 case DLT_MFR: 1173 off_linktype = -1; 1174 off_macpl = 0; 1175 off_nl = 4; 1176 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1177 return; 1178 1179 case DLT_APPLE_IP_OVER_IEEE1394: 1180 off_linktype = 16; 1181 off_macpl = 18; 1182 off_nl = 0; 1183 off_nl_nosnap = 0; /* no 802.2 LLC */ 1184 return; 1185 1186 case DLT_LINUX_IRDA: 1187 /* 1188 * Currently, only raw "link[N:M]" filtering is supported. 1189 */ 1190 off_linktype = -1; 1191 off_macpl = -1; 1192 off_nl = -1; 1193 off_nl_nosnap = -1; 1194 return; 1195 1196 case DLT_DOCSIS: 1197 /* 1198 * Currently, only raw "link[N:M]" filtering is supported. 1199 */ 1200 off_linktype = -1; 1201 off_macpl = -1; 1202 off_nl = -1; 1203 off_nl_nosnap = -1; 1204 return; 1205 1206 case DLT_SYMANTEC_FIREWALL: 1207 off_linktype = 6; 1208 off_macpl = 44; 1209 off_nl = 0; /* Ethernet II */ 1210 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1211 return; 1212 1213 #ifdef HAVE_NET_PFVAR_H 1214 case DLT_PFLOG: 1215 off_linktype = 0; 1216 off_macpl = PFLOG_HDRLEN; 1217 off_nl = 0; 1218 off_nl_nosnap = 0; /* no 802.2 LLC */ 1219 return; 1220 #endif 1221 1222 case DLT_JUNIPER_MFR: 1223 case DLT_JUNIPER_MLFR: 1224 case DLT_JUNIPER_MLPPP: 1225 case DLT_JUNIPER_PPP: 1226 case DLT_JUNIPER_CHDLC: 1227 case DLT_JUNIPER_FRELAY: 1228 off_linktype = 4; 1229 off_macpl = 4; 1230 off_nl = 0; 1231 off_nl_nosnap = -1; /* no 802.2 LLC */ 1232 return; 1233 1234 case DLT_JUNIPER_ATM1: 1235 off_linktype = 4; /* in reality variable between 4-8 */ 1236 off_macpl = 4; /* in reality variable between 4-8 */ 1237 off_nl = 0; 1238 off_nl_nosnap = 10; 1239 return; 1240 1241 case DLT_JUNIPER_ATM2: 1242 off_linktype = 8; /* in reality variable between 8-12 */ 1243 off_macpl = 8; /* in reality variable between 8-12 */ 1244 off_nl = 0; 1245 off_nl_nosnap = 10; 1246 return; 1247 1248 /* frames captured on a Juniper PPPoE service PIC 1249 * contain raw ethernet frames */ 1250 case DLT_JUNIPER_PPPOE: 1251 case DLT_JUNIPER_ETHER: 1252 off_macpl = 14; 1253 off_linktype = 16; 1254 off_nl = 18; /* Ethernet II */ 1255 off_nl_nosnap = 21; /* 802.3+802.2 */ 1256 return; 1257 1258 case DLT_JUNIPER_PPPOE_ATM: 1259 off_linktype = 4; 1260 off_macpl = 6; 1261 off_nl = 0; 1262 off_nl_nosnap = -1; /* no 802.2 LLC */ 1263 return; 1264 1265 case DLT_JUNIPER_GGSN: 1266 off_linktype = 6; 1267 off_macpl = 12; 1268 off_nl = 0; 1269 off_nl_nosnap = -1; /* no 802.2 LLC */ 1270 return; 1271 1272 case DLT_JUNIPER_ES: 1273 off_linktype = 6; 1274 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1275 off_nl = -1; /* not really a network layer but raw IP addresses */ 1276 off_nl_nosnap = -1; /* no 802.2 LLC */ 1277 return; 1278 1279 case DLT_JUNIPER_MONITOR: 1280 off_linktype = 12; 1281 off_macpl = 12; 1282 off_nl = 0; /* raw IP/IP6 header */ 1283 off_nl_nosnap = -1; /* no 802.2 LLC */ 1284 return; 1285 1286 case DLT_JUNIPER_SERVICES: 1287 off_linktype = 12; 1288 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1289 off_nl = -1; /* L3 proto location dep. on cookie type */ 1290 off_nl_nosnap = -1; /* no 802.2 LLC */ 1291 return; 1292 1293 case DLT_JUNIPER_VP: 1294 off_linktype = 18; 1295 off_macpl = -1; 1296 off_nl = -1; 1297 off_nl_nosnap = -1; 1298 return; 1299 1300 case DLT_JUNIPER_ST: 1301 off_linktype = 18; 1302 off_macpl = -1; 1303 off_nl = -1; 1304 off_nl_nosnap = -1; 1305 return; 1306 1307 case DLT_JUNIPER_ISM: 1308 off_linktype = 8; 1309 off_macpl = -1; 1310 off_nl = -1; 1311 off_nl_nosnap = -1; 1312 return; 1313 1314 case DLT_MTP2: 1315 off_li = 2; 1316 off_sio = 3; 1317 off_opc = 4; 1318 off_dpc = 4; 1319 off_sls = 7; 1320 off_linktype = -1; 1321 off_macpl = -1; 1322 off_nl = -1; 1323 off_nl_nosnap = -1; 1324 return; 1325 1326 case DLT_MTP2_WITH_PHDR: 1327 off_li = 6; 1328 off_sio = 7; 1329 off_opc = 8; 1330 off_dpc = 8; 1331 off_sls = 11; 1332 off_linktype = -1; 1333 off_macpl = -1; 1334 off_nl = -1; 1335 off_nl_nosnap = -1; 1336 return; 1337 1338 case DLT_ERF: 1339 off_li = 22; 1340 off_sio = 23; 1341 off_opc = 24; 1342 off_dpc = 24; 1343 off_sls = 27; 1344 off_linktype = -1; 1345 off_macpl = -1; 1346 off_nl = -1; 1347 off_nl_nosnap = -1; 1348 return; 1349 1350 #ifdef DLT_PFSYNC 1351 case DLT_PFSYNC: 1352 off_linktype = -1; 1353 off_macpl = 4; 1354 off_nl = 0; 1355 off_nl_nosnap = 0; 1356 return; 1357 #endif 1358 1359 case DLT_LINUX_LAPD: 1360 /* 1361 * Currently, only raw "link[N:M]" filtering is supported. 1362 */ 1363 off_linktype = -1; 1364 off_macpl = -1; 1365 off_nl = -1; 1366 off_nl_nosnap = -1; 1367 return; 1368 1369 case DLT_USB: 1370 /* 1371 * Currently, only raw "link[N:M]" filtering is supported. 1372 */ 1373 off_linktype = -1; 1374 off_macpl = -1; 1375 off_nl = -1; 1376 off_nl_nosnap = -1; 1377 return; 1378 1379 case DLT_BLUETOOTH_HCI_H4: 1380 /* 1381 * Currently, only raw "link[N:M]" filtering is supported. 1382 */ 1383 off_linktype = -1; 1384 off_macpl = -1; 1385 off_nl = -1; 1386 off_nl_nosnap = -1; 1387 return; 1388 1389 case DLT_USB_LINUX: 1390 /* 1391 * Currently, only raw "link[N:M]" filtering is supported. 1392 */ 1393 off_linktype = -1; 1394 off_macpl = -1; 1395 off_nl = -1; 1396 off_nl_nosnap = -1; 1397 return; 1398 1399 case DLT_CAN20B: 1400 /* 1401 * Currently, only raw "link[N:M]" filtering is supported. 1402 */ 1403 off_linktype = -1; 1404 off_macpl = -1; 1405 off_nl = -1; 1406 off_nl_nosnap = -1; 1407 return; 1408 1409 case DLT_IEEE802_15_4_LINUX: 1410 /* 1411 * Currently, only raw "link[N:M]" filtering is supported. 1412 */ 1413 off_linktype = -1; 1414 off_macpl = -1; 1415 off_nl = -1; 1416 off_nl_nosnap = -1; 1417 return; 1418 1419 case DLT_IEEE802_16_MAC_CPS_RADIO: 1420 /* 1421 * Currently, only raw "link[N:M]" filtering is supported. 1422 */ 1423 off_linktype = -1; 1424 off_macpl = -1; 1425 off_nl = -1; 1426 off_nl_nosnap = -1; 1427 return; 1428 1429 case DLT_IEEE802_15_4: 1430 /* 1431 * Currently, only raw "link[N:M]" filtering is supported. 1432 */ 1433 off_linktype = -1; 1434 off_macpl = -1; 1435 off_nl = -1; 1436 off_nl_nosnap = -1; 1437 return; 1438 1439 case DLT_SITA: 1440 /* 1441 * Currently, only raw "link[N:M]" filtering is supported. 1442 */ 1443 off_linktype = -1; 1444 off_macpl = -1; 1445 off_nl = -1; 1446 off_nl_nosnap = -1; 1447 return; 1448 1449 case DLT_RAIF1: 1450 /* 1451 * Currently, only raw "link[N:M]" filtering is supported. 1452 */ 1453 off_linktype = -1; 1454 off_macpl = -1; 1455 off_nl = -1; 1456 off_nl_nosnap = -1; 1457 return; 1458 1459 case DLT_IPMB: 1460 /* 1461 * Currently, only raw "link[N:M]" filtering is supported. 1462 */ 1463 off_linktype = -1; 1464 off_macpl = -1; 1465 off_nl = -1; 1466 off_nl_nosnap = -1; 1467 return; 1468 1469 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1470 /* 1471 * Currently, only raw "link[N:M]" filtering is supported. 1472 */ 1473 off_linktype = -1; 1474 off_macpl = -1; 1475 off_nl = -1; 1476 off_nl_nosnap = -1; 1477 return; 1478 1479 case DLT_AX25_KISS: 1480 /* 1481 * Currently, only raw "link[N:M]" filtering is supported. 1482 */ 1483 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1484 off_macpl = -1; 1485 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1486 off_nl_nosnap = -1; /* no 802.2 LLC */ 1487 off_mac = 1; /* step over the kiss length byte */ 1488 return; 1489 1490 case DLT_IEEE802_15_4_NONASK_PHY: 1491 /* 1492 * Currently, only raw "link[N:M]" filtering is supported. 1493 */ 1494 off_linktype = -1; 1495 off_macpl = -1; 1496 off_nl = -1; 1497 off_nl_nosnap = -1; 1498 return; 1499 1500 case DLT_MPLS: 1501 /* 1502 * Currently, only raw "link[N:M]" filtering is supported. 1503 */ 1504 off_linktype = -1; 1505 off_macpl = -1; 1506 off_nl = -1; 1507 off_nl_nosnap = -1; 1508 return; 1509 1510 case DLT_USB_LINUX_MMAPPED: 1511 /* 1512 * Currently, only raw "link[N:M]" filtering is supported. 1513 */ 1514 off_linktype = -1; 1515 off_macpl = -1; 1516 off_nl = -1; 1517 off_nl_nosnap = -1; 1518 return; 1519 1520 case DLT_CAN_SOCKETCAN: 1521 /* 1522 * Currently, only raw "link[N:M]" filtering is supported. 1523 */ 1524 off_linktype = -1; 1525 off_macpl = -1; 1526 off_nl = -1; 1527 off_nl_nosnap = -1; 1528 return; 1529 1530 case DLT_IPNET: 1531 off_linktype = 1; 1532 off_macpl = 24; /* ipnet header length */ 1533 off_nl = 0; 1534 off_nl_nosnap = -1; 1535 return; 1536 } 1537 bpf_error("unknown data link type %d", linktype); 1538 /* NOTREACHED */ 1539 } 1540 1541 /* 1542 * Load a value relative to the beginning of the link-layer header. 1543 * The link-layer header doesn't necessarily begin at the beginning 1544 * of the packet data; there might be a variable-length prefix containing 1545 * radio information. 1546 */ 1547 static struct slist *gen_load_llrel(offset, size) 1548 u_int offset, size; 1549 { 1550 struct slist *s, *s2; 1551 1552 s = gen_llprefixlen(); 1553 1554 /* 1555 * If "s" is non-null, it has code to arrange that the X register 1556 * contains the length of the prefix preceding the link-layer 1557 * header. 1558 * 1559 * Otherwise, the length of the prefix preceding the link-layer 1560 * header is "off_ll". 1561 */ 1562 if (s != NULL) 1563 { 1564 /* 1565 * There's a variable-length prefix preceding the 1566 * link-layer header. "s" points to a list of statements 1567 * that put the length of that prefix into the X register. 1568 * do an indirect load, to use the X register as an offset. 1569 */ 1570 s2 = new_stmt(BPF_LD | BPF_IND | size); 1571 s2->s.k = offset; 1572 sappend(s, s2); 1573 } 1574 else 1575 { 1576 /* 1577 * There is no variable-length header preceding the 1578 * link-layer header; add in off_ll, which, if there's 1579 * a fixed-length header preceding the link-layer header, 1580 * is the length of that header. 1581 */ 1582 s = new_stmt(BPF_LD | BPF_ABS | size); 1583 s->s.k = offset + off_ll; 1584 } 1585 return s; 1586 } 1587 1588 /* 1589 * Load a value relative to the beginning of the MAC-layer payload. 1590 */ 1591 static struct slist *gen_load_macplrel(offset, size) 1592 u_int offset, size; 1593 { 1594 struct slist *s, *s2; 1595 1596 s = gen_off_macpl(); 1597 1598 /* 1599 * If s is non-null, the offset of the MAC-layer payload is 1600 * variable, and s points to a list of instructions that 1601 * arrange that the X register contains that offset. 1602 * 1603 * Otherwise, the offset of the MAC-layer payload is constant, 1604 * and is in off_macpl. 1605 */ 1606 if (s != NULL) 1607 { 1608 /* 1609 * The offset of the MAC-layer payload is in the X 1610 * register. Do an indirect load, to use the X register 1611 * as an offset. 1612 */ 1613 s2 = new_stmt(BPF_LD | BPF_IND | size); 1614 s2->s.k = offset; 1615 sappend(s, s2); 1616 } 1617 else 1618 { 1619 /* 1620 * The offset of the MAC-layer payload is constant, 1621 * and is in off_macpl; load the value at that offset 1622 * plus the specified offset. 1623 */ 1624 s = new_stmt(BPF_LD | BPF_ABS | size); 1625 s->s.k = off_macpl + offset; 1626 } 1627 return s; 1628 } 1629 1630 /* 1631 * Load a value relative to the beginning of the specified header. 1632 */ 1633 static struct slist *gen_load_a(offrel, offset, size) 1634 enum e_offrel offrel; 1635 u_int offset, size; 1636 { 1637 struct slist *s, *s2; 1638 1639 switch (offrel) 1640 { 1641 1642 case OR_PACKET: 1643 s = new_stmt(BPF_LD | BPF_ABS | size); 1644 s->s.k = offset; 1645 break; 1646 1647 case OR_LINK: 1648 s = gen_load_llrel(offset, size); 1649 break; 1650 1651 case OR_MACPL: 1652 s = gen_load_macplrel(offset, size); 1653 break; 1654 1655 case OR_NET: 1656 s = gen_load_macplrel(off_nl + offset, size); 1657 break; 1658 1659 case OR_NET_NOSNAP: 1660 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1661 break; 1662 1663 case OR_TRAN_IPV4: 1664 /* 1665 * Load the X register with the length of the IPv4 header 1666 * (plus the offset of the link-layer header, if it's 1667 * preceded by a variable-length header such as a radio 1668 * header), in bytes. 1669 */ 1670 s = gen_loadx_iphdrlen(); 1671 1672 /* 1673 * Load the item at {offset of the MAC-layer payload} + 1674 * {offset, relative to the start of the MAC-layer 1675 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1676 * {specified offset}. 1677 * 1678 * (If the offset of the MAC-layer payload is variable, 1679 * it's included in the value in the X register, and 1680 * off_macpl is 0.) 1681 */ 1682 s2 = new_stmt(BPF_LD | BPF_IND | size); 1683 s2->s.k = off_macpl + off_nl + offset; 1684 sappend(s, s2); 1685 break; 1686 1687 case OR_TRAN_IPV6: 1688 s = gen_load_macplrel(off_nl + 40 + offset, size); 1689 break; 1690 1691 default: 1692 abort(); 1693 return NULL; 1694 } 1695 return s; 1696 } 1697 1698 /* 1699 * Generate code to load into the X register the sum of the length of 1700 * the IPv4 header and any variable-length header preceding the link-layer 1701 * header. 1702 */ 1703 static struct slist *gen_loadx_iphdrlen() 1704 { 1705 struct slist *s, *s2; 1706 1707 s = gen_off_macpl(); 1708 if (s != NULL) 1709 { 1710 /* 1711 * There's a variable-length prefix preceding the 1712 * link-layer header, or the link-layer header is itself 1713 * variable-length. "s" points to a list of statements 1714 * that put the offset of the MAC-layer payload into 1715 * the X register. 1716 * 1717 * The 4*([k]&0xf) addressing mode can't be used, as we 1718 * don't have a constant offset, so we have to load the 1719 * value in question into the A register and add to it 1720 * the value from the X register. 1721 */ 1722 s2 = new_stmt(BPF_LD | BPF_IND | BPF_B); 1723 s2->s.k = off_nl; 1724 sappend(s, s2); 1725 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K); 1726 s2->s.k = 0xf; 1727 sappend(s, s2); 1728 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K); 1729 s2->s.k = 2; 1730 sappend(s, s2); 1731 1732 /* 1733 * The A register now contains the length of the 1734 * IP header. We need to add to it the offset of 1735 * the MAC-layer payload, which is still in the X 1736 * register, and move the result into the X register. 1737 */ 1738 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X)); 1739 sappend(s, new_stmt(BPF_MISC | BPF_TAX)); 1740 } 1741 else 1742 { 1743 /* 1744 * There is no variable-length header preceding the 1745 * link-layer header, and the link-layer header is 1746 * fixed-length; load the length of the IPv4 header, 1747 * which is at an offset of off_nl from the beginning 1748 * of the MAC-layer payload, and thus at an offset 1749 * of off_mac_pl + off_nl from the beginning of the 1750 * raw packet data. 1751 */ 1752 s = new_stmt(BPF_LDX | BPF_MSH | BPF_B); 1753 s->s.k = off_macpl + off_nl; 1754 } 1755 return s; 1756 } 1757 1758 static struct block *gen_uncond(rsense) 1759 int rsense; 1760 { 1761 struct block *b; 1762 struct slist *s; 1763 1764 s = new_stmt(BPF_LD | BPF_IMM); 1765 s->s.k = !rsense; 1766 b = new_block(JMP(BPF_JEQ)); 1767 b->stmts = s; 1768 1769 return b; 1770 } 1771 1772 static inline struct block *gen_true() 1773 { 1774 return gen_uncond(1); 1775 } 1776 1777 static inline struct block *gen_false() 1778 { 1779 return gen_uncond(0); 1780 } 1781 1782 /* 1783 * Byte-swap a 32-bit number. 1784 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1785 * big-endian platforms.) 1786 */ 1787 #define SWAPLONG(y) \ 1788 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1789 1790 /* 1791 * Generate code to match a particular packet type. 1792 * 1793 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1794 * value, if <= ETHERMTU. We use that to determine whether to 1795 * match the type/length field or to check the type/length field for 1796 * a value <= ETHERMTU to see whether it's a type field and then do 1797 * the appropriate test. 1798 */ 1799 static struct block *gen_ether_linktype(proto) 1800 register int proto; 1801 { 1802 struct block *b0, *b1; 1803 1804 switch (proto) 1805 { 1806 1807 case LLCSAP_ISONS: 1808 case LLCSAP_IP: 1809 case LLCSAP_NETBEUI: 1810 /* 1811 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1812 * so we check the DSAP and SSAP. 1813 * 1814 * LLCSAP_IP checks for IP-over-802.2, rather 1815 * than IP-over-Ethernet or IP-over-SNAP. 1816 * 1817 * XXX - should we check both the DSAP and the 1818 * SSAP, like this, or should we check just the 1819 * DSAP, as we do for other types <= ETHERMTU 1820 * (i.e., other SAP values)? 1821 */ 1822 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1823 gen_not(b0); 1824 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) ((proto << 8) | proto)); 1825 gen_and(b0, b1); 1826 return b1; 1827 1828 case LLCSAP_IPX: 1829 /* 1830 * Check for; 1831 * 1832 * Ethernet_II frames, which are Ethernet 1833 * frames with a frame type of ETHERTYPE_IPX; 1834 * 1835 * Ethernet_802.3 frames, which are 802.3 1836 * frames (i.e., the type/length field is 1837 * a length field, <= ETHERMTU, rather than 1838 * a type field) with the first two bytes 1839 * after the Ethernet/802.3 header being 1840 * 0xFFFF; 1841 * 1842 * Ethernet_802.2 frames, which are 802.3 1843 * frames with an 802.2 LLC header and 1844 * with the IPX LSAP as the DSAP in the LLC 1845 * header; 1846 * 1847 * Ethernet_SNAP frames, which are 802.3 1848 * frames with an LLC header and a SNAP 1849 * header and with an OUI of 0x000000 1850 * (encapsulated Ethernet) and a protocol 1851 * ID of ETHERTYPE_IPX in the SNAP header. 1852 * 1853 * XXX - should we generate the same code both 1854 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1855 */ 1856 1857 /* 1858 * This generates code to check both for the 1859 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1860 */ 1861 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX); 1862 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 0xFFFF); 1863 gen_or(b0, b1); 1864 1865 /* 1866 * Now we add code to check for SNAP frames with 1867 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1868 */ 1869 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1870 gen_or(b0, b1); 1871 1872 /* 1873 * Now we generate code to check for 802.3 1874 * frames in general. 1875 */ 1876 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1877 gen_not(b0); 1878 1879 /* 1880 * Now add the check for 802.3 frames before the 1881 * check for Ethernet_802.2 and Ethernet_802.3, 1882 * as those checks should only be done on 802.3 1883 * frames, not on Ethernet frames. 1884 */ 1885 gen_and(b0, b1); 1886 1887 /* 1888 * Now add the check for Ethernet_II frames, and 1889 * do that before checking for the other frame 1890 * types. 1891 */ 1892 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_IPX); 1893 gen_or(b0, b1); 1894 return b1; 1895 1896 case ETHERTYPE_ATALK: 1897 case ETHERTYPE_AARP: 1898 /* 1899 * EtherTalk (AppleTalk protocols on Ethernet link 1900 * layer) may use 802.2 encapsulation. 1901 */ 1902 1903 /* 1904 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1905 * we check for an Ethernet type field less than 1906 * 1500, which means it's an 802.3 length field. 1907 */ 1908 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1909 gen_not(b0); 1910 1911 /* 1912 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1913 * SNAP packets with an organization code of 1914 * 0x080007 (Apple, for Appletalk) and a protocol 1915 * type of ETHERTYPE_ATALK (Appletalk). 1916 * 1917 * 802.2-encapsulated ETHERTYPE_AARP packets are 1918 * SNAP packets with an organization code of 1919 * 0x000000 (encapsulated Ethernet) and a protocol 1920 * type of ETHERTYPE_AARP (Appletalk ARP). 1921 */ 1922 if (proto == ETHERTYPE_ATALK) 1923 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1924 else /* proto == ETHERTYPE_AARP */ 1925 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1926 gen_and(b0, b1); 1927 1928 /* 1929 * Check for Ethernet encapsulation (Ethertalk 1930 * phase 1?); we just check for the Ethernet 1931 * protocol type. 1932 */ 1933 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 1934 1935 gen_or(b0, b1); 1936 return b1; 1937 1938 default: 1939 if (proto <= ETHERMTU) 1940 { 1941 /* 1942 * This is an LLC SAP value, so the frames 1943 * that match would be 802.2 frames. 1944 * Check that the frame is an 802.2 frame 1945 * (i.e., that the length/type field is 1946 * a length field, <= ETHERMTU) and 1947 * then check the DSAP. 1948 */ 1949 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1950 gen_not(b0); 1951 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, (bpf_int32) proto); 1952 gen_and(b0, b1); 1953 return b1; 1954 } 1955 else 1956 { 1957 /* 1958 * This is an Ethernet type, so compare 1959 * the length/type field with it (if 1960 * the frame is an 802.2 frame, the length 1961 * field will be <= ETHERMTU, and, as 1962 * "proto" is > ETHERMTU, this test 1963 * will fail and the frame won't match, 1964 * which is what we want). 1965 */ 1966 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 1967 } 1968 } 1969 } 1970 1971 /* 1972 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1973 * or IPv6 then we have an error. 1974 */ 1975 static struct block *gen_ipnet_linktype(proto) 1976 register int proto; 1977 { 1978 switch (proto) 1979 { 1980 1981 case ETHERTYPE_IP: 1982 return gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) IPH_AF_INET); 1983 /* NOTREACHED */ 1984 1985 case ETHERTYPE_IPV6: 1986 return gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) IPH_AF_INET6); 1987 /* NOTREACHED */ 1988 1989 default: 1990 break; 1991 } 1992 1993 return gen_false(); 1994 } 1995 1996 /* 1997 * Generate code to match a particular packet type. 1998 * 1999 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2000 * value, if <= ETHERMTU. We use that to determine whether to 2001 * match the type field or to check the type field for the special 2002 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2003 */ 2004 static struct block *gen_linux_sll_linktype(proto) 2005 register int proto; 2006 { 2007 struct block *b0, *b1; 2008 2009 switch (proto) 2010 { 2011 2012 case LLCSAP_ISONS: 2013 case LLCSAP_IP: 2014 case LLCSAP_NETBEUI: 2015 /* 2016 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2017 * so we check the DSAP and SSAP. 2018 * 2019 * LLCSAP_IP checks for IP-over-802.2, rather 2020 * than IP-over-Ethernet or IP-over-SNAP. 2021 * 2022 * XXX - should we check both the DSAP and the 2023 * SSAP, like this, or should we check just the 2024 * DSAP, as we do for other types <= ETHERMTU 2025 * (i.e., other SAP values)? 2026 */ 2027 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2028 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) ((proto << 8) | proto)); 2029 gen_and(b0, b1); 2030 return b1; 2031 2032 case LLCSAP_IPX: 2033 /* 2034 * Ethernet_II frames, which are Ethernet 2035 * frames with a frame type of ETHERTYPE_IPX; 2036 * 2037 * Ethernet_802.3 frames, which have a frame 2038 * type of LINUX_SLL_P_802_3; 2039 * 2040 * Ethernet_802.2 frames, which are 802.3 2041 * frames with an 802.2 LLC header (i.e, have 2042 * a frame type of LINUX_SLL_P_802_2) and 2043 * with the IPX LSAP as the DSAP in the LLC 2044 * header; 2045 * 2046 * Ethernet_SNAP frames, which are 802.3 2047 * frames with an LLC header and a SNAP 2048 * header and with an OUI of 0x000000 2049 * (encapsulated Ethernet) and a protocol 2050 * ID of ETHERTYPE_IPX in the SNAP header. 2051 * 2052 * First, do the checks on LINUX_SLL_P_802_2 2053 * frames; generate the check for either 2054 * Ethernet_802.2 or Ethernet_SNAP frames, and 2055 * then put a check for LINUX_SLL_P_802_2 frames 2056 * before it. 2057 */ 2058 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX); 2059 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2060 gen_or(b0, b1); 2061 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2062 gen_and(b0, b1); 2063 2064 /* 2065 * Now check for 802.3 frames and OR that with 2066 * the previous test. 2067 */ 2068 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2069 gen_or(b0, b1); 2070 2071 /* 2072 * Now add the check for Ethernet_II frames, and 2073 * do that before checking for the other frame 2074 * types. 2075 */ 2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_IPX); 2077 gen_or(b0, b1); 2078 return b1; 2079 2080 case ETHERTYPE_ATALK: 2081 case ETHERTYPE_AARP: 2082 /* 2083 * EtherTalk (AppleTalk protocols on Ethernet link 2084 * layer) may use 802.2 encapsulation. 2085 */ 2086 2087 /* 2088 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2089 * we check for the 802.2 protocol type in the 2090 * "Ethernet type" field. 2091 */ 2092 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2093 2094 /* 2095 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2096 * SNAP packets with an organization code of 2097 * 0x080007 (Apple, for Appletalk) and a protocol 2098 * type of ETHERTYPE_ATALK (Appletalk). 2099 * 2100 * 802.2-encapsulated ETHERTYPE_AARP packets are 2101 * SNAP packets with an organization code of 2102 * 0x000000 (encapsulated Ethernet) and a protocol 2103 * type of ETHERTYPE_AARP (Appletalk ARP). 2104 */ 2105 if (proto == ETHERTYPE_ATALK) 2106 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2107 else /* proto == ETHERTYPE_AARP */ 2108 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2109 gen_and(b0, b1); 2110 2111 /* 2112 * Check for Ethernet encapsulation (Ethertalk 2113 * phase 1?); we just check for the Ethernet 2114 * protocol type. 2115 */ 2116 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 2117 2118 gen_or(b0, b1); 2119 return b1; 2120 2121 default: 2122 if (proto <= ETHERMTU) 2123 { 2124 /* 2125 * This is an LLC SAP value, so the frames 2126 * that match would be 802.2 frames. 2127 * Check for the 802.2 protocol type 2128 * in the "Ethernet type" field, and 2129 * then check the DSAP. 2130 */ 2131 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2132 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, (bpf_int32) proto); 2133 gen_and(b0, b1); 2134 return b1; 2135 } 2136 else 2137 { 2138 /* 2139 * This is an Ethernet type, so compare 2140 * the length/type field with it (if 2141 * the frame is an 802.2 frame, the length 2142 * field will be <= ETHERMTU, and, as 2143 * "proto" is > ETHERMTU, this test 2144 * will fail and the frame won't match, 2145 * which is what we want). 2146 */ 2147 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 2148 } 2149 } 2150 } 2151 2152 static struct slist *gen_load_prism_llprefixlen() 2153 { 2154 struct slist *s1, *s2; 2155 struct slist *sjeq_avs_cookie; 2156 struct slist *sjcommon; 2157 2158 /* 2159 * This code is not compatible with the optimizer, as 2160 * we are generating jmp instructions within a normal 2161 * slist of instructions 2162 */ 2163 no_optimize = 1; 2164 2165 /* 2166 * Generate code to load the length of the radio header into 2167 * the register assigned to hold that length, if one has been 2168 * assigned. (If one hasn't been assigned, no code we've 2169 * generated uses that prefix, so we don't need to generate any 2170 * code to load it.) 2171 * 2172 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2173 * or always use the AVS header rather than the Prism header. 2174 * We load a 4-byte big-endian value at the beginning of the 2175 * raw packet data, and see whether, when masked with 0xFFFFF000, 2176 * it's equal to 0x80211000. If so, that indicates that it's 2177 * an AVS header (the masked-out bits are the version number). 2178 * Otherwise, it's a Prism header. 2179 * 2180 * XXX - the Prism header is also, in theory, variable-length, 2181 * but no known software generates headers that aren't 144 2182 * bytes long. 2183 */ 2184 if (reg_off_ll != -1) 2185 { 2186 /* 2187 * Load the cookie. 2188 */ 2189 s1 = new_stmt(BPF_LD | BPF_W | BPF_ABS); 2190 s1->s.k = 0; 2191 2192 /* 2193 * AND it with 0xFFFFF000. 2194 */ 2195 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_K); 2196 s2->s.k = 0xFFFFF000; 2197 sappend(s1, s2); 2198 2199 /* 2200 * Compare with 0x80211000. 2201 */ 2202 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2203 sjeq_avs_cookie->s.k = 0x80211000; 2204 sappend(s1, sjeq_avs_cookie); 2205 2206 /* 2207 * If it's AVS: 2208 * 2209 * The 4 bytes at an offset of 4 from the beginning of 2210 * the AVS header are the length of the AVS header. 2211 * That field is big-endian. 2212 */ 2213 s2 = new_stmt(BPF_LD | BPF_W | BPF_ABS); 2214 s2->s.k = 4; 2215 sappend(s1, s2); 2216 sjeq_avs_cookie->s.jt = s2; 2217 2218 /* 2219 * Now jump to the code to allocate a register 2220 * into which to save the header length and 2221 * store the length there. (The "jump always" 2222 * instruction needs to have the k field set; 2223 * it's added to the PC, so, as we're jumping 2224 * over a single instruction, it should be 1.) 2225 */ 2226 sjcommon = new_stmt(JMP(BPF_JA)); 2227 sjcommon->s.k = 1; 2228 sappend(s1, sjcommon); 2229 2230 /* 2231 * Now for the code that handles the Prism header. 2232 * Just load the length of the Prism header (144) 2233 * into the A register. Have the test for an AVS 2234 * header branch here if we don't have an AVS header. 2235 */ 2236 s2 = new_stmt(BPF_LD | BPF_W | BPF_IMM); 2237 s2->s.k = 144; 2238 sappend(s1, s2); 2239 sjeq_avs_cookie->s.jf = s2; 2240 2241 /* 2242 * Now allocate a register to hold that value and store 2243 * it. The code for the AVS header will jump here after 2244 * loading the length of the AVS header. 2245 */ 2246 s2 = new_stmt(BPF_ST); 2247 s2->s.k = reg_off_ll; 2248 sappend(s1, s2); 2249 sjcommon->s.jf = s2; 2250 2251 /* 2252 * Now move it into the X register. 2253 */ 2254 s2 = new_stmt(BPF_MISC | BPF_TAX); 2255 sappend(s1, s2); 2256 2257 return (s1); 2258 } 2259 else 2260 return (NULL); 2261 } 2262 2263 static struct slist *gen_load_avs_llprefixlen() 2264 { 2265 struct slist *s1, *s2; 2266 2267 /* 2268 * Generate code to load the length of the AVS header into 2269 * the register assigned to hold that length, if one has been 2270 * assigned. (If one hasn't been assigned, no code we've 2271 * generated uses that prefix, so we don't need to generate any 2272 * code to load it.) 2273 */ 2274 if (reg_off_ll != -1) 2275 { 2276 /* 2277 * The 4 bytes at an offset of 4 from the beginning of 2278 * the AVS header are the length of the AVS header. 2279 * That field is big-endian. 2280 */ 2281 s1 = new_stmt(BPF_LD | BPF_W | BPF_ABS); 2282 s1->s.k = 4; 2283 2284 /* 2285 * Now allocate a register to hold that value and store 2286 * it. 2287 */ 2288 s2 = new_stmt(BPF_ST); 2289 s2->s.k = reg_off_ll; 2290 sappend(s1, s2); 2291 2292 /* 2293 * Now move it into the X register. 2294 */ 2295 s2 = new_stmt(BPF_MISC | BPF_TAX); 2296 sappend(s1, s2); 2297 2298 return (s1); 2299 } 2300 else 2301 return (NULL); 2302 } 2303 2304 static struct slist *gen_load_radiotap_llprefixlen() 2305 { 2306 struct slist *s1, *s2; 2307 2308 /* 2309 * Generate code to load the length of the radiotap header into 2310 * the register assigned to hold that length, if one has been 2311 * assigned. (If one hasn't been assigned, no code we've 2312 * generated uses that prefix, so we don't need to generate any 2313 * code to load it.) 2314 */ 2315 if (reg_off_ll != -1) 2316 { 2317 /* 2318 * The 2 bytes at offsets of 2 and 3 from the beginning 2319 * of the radiotap header are the length of the radiotap 2320 * header; unfortunately, it's little-endian, so we have 2321 * to load it a byte at a time and construct the value. 2322 */ 2323 2324 /* 2325 * Load the high-order byte, at an offset of 3, shift it 2326 * left a byte, and put the result in the X register. 2327 */ 2328 s1 = new_stmt(BPF_LD | BPF_B | BPF_ABS); 2329 s1->s.k = 3; 2330 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K); 2331 sappend(s1, s2); 2332 s2->s.k = 8; 2333 s2 = new_stmt(BPF_MISC | BPF_TAX); 2334 sappend(s1, s2); 2335 2336 /* 2337 * Load the next byte, at an offset of 2, and OR the 2338 * value from the X register into it. 2339 */ 2340 s2 = new_stmt(BPF_LD | BPF_B | BPF_ABS); 2341 sappend(s1, s2); 2342 s2->s.k = 2; 2343 s2 = new_stmt(BPF_ALU | BPF_OR | BPF_X); 2344 sappend(s1, s2); 2345 2346 /* 2347 * Now allocate a register to hold that value and store 2348 * it. 2349 */ 2350 s2 = new_stmt(BPF_ST); 2351 s2->s.k = reg_off_ll; 2352 sappend(s1, s2); 2353 2354 /* 2355 * Now move it into the X register. 2356 */ 2357 s2 = new_stmt(BPF_MISC | BPF_TAX); 2358 sappend(s1, s2); 2359 2360 return (s1); 2361 } 2362 else 2363 return (NULL); 2364 } 2365 2366 /* 2367 * At the moment we treat PPI as normal Radiotap encoded 2368 * packets. The difference is in the function that generates 2369 * the code at the beginning to compute the header length. 2370 * Since this code generator of PPI supports bare 802.11 2371 * encapsulation only (i.e. the encapsulated DLT should be 2372 * DLT_IEEE802_11) we generate code to check for this too; 2373 * that's done in finish_parse(). 2374 */ 2375 static struct slist *gen_load_ppi_llprefixlen() 2376 { 2377 struct slist *s1, *s2; 2378 2379 /* 2380 * Generate code to load the length of the radiotap header 2381 * into the register assigned to hold that length, if one has 2382 * been assigned. 2383 */ 2384 if (reg_off_ll != -1) 2385 { 2386 /* 2387 * The 2 bytes at offsets of 2 and 3 from the beginning 2388 * of the radiotap header are the length of the radiotap 2389 * header; unfortunately, it's little-endian, so we have 2390 * to load it a byte at a time and construct the value. 2391 */ 2392 2393 /* 2394 * Load the high-order byte, at an offset of 3, shift it 2395 * left a byte, and put the result in the X register. 2396 */ 2397 s1 = new_stmt(BPF_LD | BPF_B | BPF_ABS); 2398 s1->s.k = 3; 2399 s2 = new_stmt(BPF_ALU | BPF_LSH | BPF_K); 2400 sappend(s1, s2); 2401 s2->s.k = 8; 2402 s2 = new_stmt(BPF_MISC | BPF_TAX); 2403 sappend(s1, s2); 2404 2405 /* 2406 * Load the next byte, at an offset of 2, and OR the 2407 * value from the X register into it. 2408 */ 2409 s2 = new_stmt(BPF_LD | BPF_B | BPF_ABS); 2410 sappend(s1, s2); 2411 s2->s.k = 2; 2412 s2 = new_stmt(BPF_ALU | BPF_OR | BPF_X); 2413 sappend(s1, s2); 2414 2415 /* 2416 * Now allocate a register to hold that value and store 2417 * it. 2418 */ 2419 s2 = new_stmt(BPF_ST); 2420 s2->s.k = reg_off_ll; 2421 sappend(s1, s2); 2422 2423 /* 2424 * Now move it into the X register. 2425 */ 2426 s2 = new_stmt(BPF_MISC | BPF_TAX); 2427 sappend(s1, s2); 2428 2429 return (s1); 2430 } 2431 else 2432 return (NULL); 2433 } 2434 2435 /* 2436 * Load a value relative to the beginning of the link-layer header after the 802.11 2437 * header, i.e. LLC_SNAP. 2438 * The link-layer header doesn't necessarily begin at the beginning 2439 * of the packet data; there might be a variable-length prefix containing 2440 * radio information. 2441 */ 2442 static struct slist *gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2443 { 2444 struct slist *s2; 2445 struct slist *sjset_data_frame_1; 2446 struct slist *sjset_data_frame_2; 2447 struct slist *sjset_qos; 2448 struct slist *sjset_radiotap_flags; 2449 struct slist *sjset_radiotap_tsft; 2450 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2451 struct slist *s_roundup; 2452 2453 if (reg_off_macpl == -1) 2454 { 2455 /* 2456 * No register has been assigned to the offset of 2457 * the MAC-layer payload, which means nobody needs 2458 * it; don't bother computing it - just return 2459 * what we already have. 2460 */ 2461 return (s); 2462 } 2463 2464 /* 2465 * This code is not compatible with the optimizer, as 2466 * we are generating jmp instructions within a normal 2467 * slist of instructions 2468 */ 2469 no_optimize = 1; 2470 2471 /* 2472 * If "s" is non-null, it has code to arrange that the X register 2473 * contains the length of the prefix preceding the link-layer 2474 * header. 2475 * 2476 * Otherwise, the length of the prefix preceding the link-layer 2477 * header is "off_ll". 2478 */ 2479 if (s == NULL) 2480 { 2481 /* 2482 * There is no variable-length header preceding the 2483 * link-layer header. 2484 * 2485 * Load the length of the fixed-length prefix preceding 2486 * the link-layer header (if any) into the X register, 2487 * and store it in the reg_off_macpl register. 2488 * That length is off_ll. 2489 */ 2490 s = new_stmt(BPF_LDX | BPF_IMM); 2491 s->s.k = off_ll; 2492 } 2493 2494 /* 2495 * The X register contains the offset of the beginning of the 2496 * link-layer header; add 24, which is the minimum length 2497 * of the MAC header for a data frame, to that, and store it 2498 * in reg_off_macpl, and then load the Frame Control field, 2499 * which is at the offset in the X register, with an indexed load. 2500 */ 2501 s2 = new_stmt(BPF_MISC | BPF_TXA); 2502 sappend(s, s2); 2503 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 2504 s2->s.k = 24; 2505 sappend(s, s2); 2506 s2 = new_stmt(BPF_ST); 2507 s2->s.k = reg_off_macpl; 2508 sappend(s, s2); 2509 2510 s2 = new_stmt(BPF_LD | BPF_IND | BPF_B); 2511 s2->s.k = 0; 2512 sappend(s, s2); 2513 2514 /* 2515 * Check the Frame Control field to see if this is a data frame; 2516 * a data frame has the 0x08 bit (b3) in that field set and the 2517 * 0x04 bit (b2) clear. 2518 */ 2519 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2520 sjset_data_frame_1->s.k = 0x08; 2521 sappend(s, sjset_data_frame_1); 2522 2523 /* 2524 * If b3 is set, test b2, otherwise go to the first statement of 2525 * the rest of the program. 2526 */ 2527 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2528 sjset_data_frame_2->s.k = 0x04; 2529 sappend(s, sjset_data_frame_2); 2530 sjset_data_frame_1->s.jf = snext; 2531 2532 /* 2533 * If b2 is not set, this is a data frame; test the QoS bit. 2534 * Otherwise, go to the first statement of the rest of the 2535 * program. 2536 */ 2537 sjset_data_frame_2->s.jt = snext; 2538 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2539 sjset_qos->s.k = 0x80; /* QoS bit */ 2540 sappend(s, sjset_qos); 2541 2542 /* 2543 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2544 * field. 2545 * Otherwise, go to the first statement of the rest of the 2546 * program. 2547 */ 2548 sjset_qos->s.jt = s2 = new_stmt(BPF_LD | BPF_MEM); 2549 s2->s.k = reg_off_macpl; 2550 sappend(s, s2); 2551 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_IMM); 2552 s2->s.k = 2; 2553 sappend(s, s2); 2554 s2 = new_stmt(BPF_ST); 2555 s2->s.k = reg_off_macpl; 2556 sappend(s, s2); 2557 2558 /* 2559 * If we have a radiotap header, look at it to see whether 2560 * there's Atheros padding between the MAC-layer header 2561 * and the payload. 2562 * 2563 * Note: all of the fields in the radiotap header are 2564 * little-endian, so we byte-swap all of the values 2565 * we test against, as they will be loaded as big-endian 2566 * values. 2567 */ 2568 if (linktype == DLT_IEEE802_11_RADIO) 2569 { 2570 /* 2571 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2572 * in the presence flag? 2573 */ 2574 sjset_qos->s.jf = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_W); 2575 s2->s.k = 4; 2576 sappend(s, s2); 2577 2578 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2579 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2580 sappend(s, sjset_radiotap_flags); 2581 2582 /* 2583 * If not, skip all of this. 2584 */ 2585 sjset_radiotap_flags->s.jf = snext; 2586 2587 /* 2588 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2589 */ 2590 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = new_stmt(JMP(BPF_JSET)); 2591 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2592 sappend(s, sjset_radiotap_tsft); 2593 2594 /* 2595 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2596 * at an offset of 16 from the beginning of the raw packet 2597 * data (8 bytes for the radiotap header and 8 bytes for 2598 * the TSFT field). 2599 * 2600 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2601 * is set. 2602 */ 2603 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_B); 2604 s2->s.k = 16; 2605 sappend(s, s2); 2606 2607 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2608 sjset_tsft_datapad->s.k = 0x20; 2609 sappend(s, sjset_tsft_datapad); 2610 2611 /* 2612 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2613 * at an offset of 8 from the beginning of the raw packet 2614 * data (8 bytes for the radiotap header). 2615 * 2616 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2617 * is set. 2618 */ 2619 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD | BPF_ABS | BPF_B); 2620 s2->s.k = 8; 2621 sappend(s, s2); 2622 2623 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2624 sjset_notsft_datapad->s.k = 0x20; 2625 sappend(s, sjset_notsft_datapad); 2626 2627 /* 2628 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2629 * set, round the length of the 802.11 header to 2630 * a multiple of 4. Do that by adding 3 and then 2631 * dividing by and multiplying by 4, which we do by 2632 * ANDing with ~3. 2633 */ 2634 s_roundup = new_stmt(BPF_LD | BPF_MEM); 2635 s_roundup->s.k = reg_off_macpl; 2636 sappend(s, s_roundup); 2637 s2 = new_stmt(BPF_ALU | BPF_ADD | BPF_IMM); 2638 s2->s.k = 3; 2639 sappend(s, s2); 2640 s2 = new_stmt(BPF_ALU | BPF_AND | BPF_IMM); 2641 s2->s.k = ~3; 2642 sappend(s, s2); 2643 s2 = new_stmt(BPF_ST); 2644 s2->s.k = reg_off_macpl; 2645 sappend(s, s2); 2646 2647 sjset_tsft_datapad->s.jt = s_roundup; 2648 sjset_tsft_datapad->s.jf = snext; 2649 sjset_notsft_datapad->s.jt = s_roundup; 2650 sjset_notsft_datapad->s.jf = snext; 2651 } 2652 else 2653 sjset_qos->s.jf = snext; 2654 2655 return s; 2656 } 2657 2658 static void insert_compute_vloffsets(b) 2659 struct block *b; 2660 { 2661 struct slist *s; 2662 2663 /* 2664 * For link-layer types that have a variable-length header 2665 * preceding the link-layer header, generate code to load 2666 * the offset of the link-layer header into the register 2667 * assigned to that offset, if any. 2668 */ 2669 switch (linktype) 2670 { 2671 2672 case DLT_PRISM_HEADER: 2673 s = gen_load_prism_llprefixlen(); 2674 break; 2675 2676 case DLT_IEEE802_11_RADIO_AVS: 2677 s = gen_load_avs_llprefixlen(); 2678 break; 2679 2680 case DLT_IEEE802_11_RADIO: 2681 s = gen_load_radiotap_llprefixlen(); 2682 break; 2683 2684 case DLT_PPI: 2685 s = gen_load_ppi_llprefixlen(); 2686 break; 2687 2688 default: 2689 s = NULL; 2690 break; 2691 } 2692 2693 /* 2694 * For link-layer types that have a variable-length link-layer 2695 * header, generate code to load the offset of the MAC-layer 2696 * payload into the register assigned to that offset, if any. 2697 */ 2698 switch (linktype) 2699 { 2700 2701 case DLT_IEEE802_11: 2702 case DLT_PRISM_HEADER: 2703 case DLT_IEEE802_11_RADIO_AVS: 2704 case DLT_IEEE802_11_RADIO: 2705 case DLT_PPI: 2706 s = gen_load_802_11_header_len(s, b->stmts); 2707 break; 2708 } 2709 2710 /* 2711 * If we have any offset-loading code, append all the 2712 * existing statements in the block to those statements, 2713 * and make the resulting list the list of statements 2714 * for the block. 2715 */ 2716 if (s != NULL) 2717 { 2718 sappend(s, b->stmts); 2719 b->stmts = s; 2720 } 2721 } 2722 2723 static struct block *gen_ppi_dlt_check(void) 2724 { 2725 struct slist *s_load_dlt; 2726 struct block *b; 2727 2728 if (linktype == DLT_PPI) 2729 { 2730 /* Create the statements that check for the DLT 2731 */ 2732 s_load_dlt = new_stmt(BPF_LD | BPF_W | BPF_ABS); 2733 s_load_dlt->s.k = 4; 2734 2735 b = new_block(JMP(BPF_JEQ)); 2736 2737 b->stmts = s_load_dlt; 2738 b->s.k = SWAPLONG(DLT_IEEE802_11); 2739 } 2740 else 2741 { 2742 b = NULL; 2743 } 2744 2745 return b; 2746 } 2747 2748 static struct slist *gen_prism_llprefixlen(void) 2749 { 2750 struct slist *s; 2751 2752 if (reg_off_ll == -1) 2753 { 2754 /* 2755 * We haven't yet assigned a register for the length 2756 * of the radio header; allocate one. 2757 */ 2758 reg_off_ll = alloc_reg(); 2759 } 2760 2761 /* 2762 * Load the register containing the radio length 2763 * into the X register. 2764 */ 2765 s = new_stmt(BPF_LDX | BPF_MEM); 2766 s->s.k = reg_off_ll; 2767 return s; 2768 } 2769 2770 static struct slist *gen_avs_llprefixlen(void) 2771 { 2772 struct slist *s; 2773 2774 if (reg_off_ll == -1) 2775 { 2776 /* 2777 * We haven't yet assigned a register for the length 2778 * of the AVS header; allocate one. 2779 */ 2780 reg_off_ll = alloc_reg(); 2781 } 2782 2783 /* 2784 * Load the register containing the AVS length 2785 * into the X register. 2786 */ 2787 s = new_stmt(BPF_LDX | BPF_MEM); 2788 s->s.k = reg_off_ll; 2789 return s; 2790 } 2791 2792 static struct slist *gen_radiotap_llprefixlen(void) 2793 { 2794 struct slist *s; 2795 2796 if (reg_off_ll == -1) 2797 { 2798 /* 2799 * We haven't yet assigned a register for the length 2800 * of the radiotap header; allocate one. 2801 */ 2802 reg_off_ll = alloc_reg(); 2803 } 2804 2805 /* 2806 * Load the register containing the radiotap length 2807 * into the X register. 2808 */ 2809 s = new_stmt(BPF_LDX | BPF_MEM); 2810 s->s.k = reg_off_ll; 2811 return s; 2812 } 2813 2814 /* 2815 * At the moment we treat PPI as normal Radiotap encoded 2816 * packets. The difference is in the function that generates 2817 * the code at the beginning to compute the header length. 2818 * Since this code generator of PPI supports bare 802.11 2819 * encapsulation only (i.e. the encapsulated DLT should be 2820 * DLT_IEEE802_11) we generate code to check for this too. 2821 */ 2822 static struct slist *gen_ppi_llprefixlen(void) 2823 { 2824 struct slist *s; 2825 2826 if (reg_off_ll == -1) 2827 { 2828 /* 2829 * We haven't yet assigned a register for the length 2830 * of the radiotap header; allocate one. 2831 */ 2832 reg_off_ll = alloc_reg(); 2833 } 2834 2835 /* 2836 * Load the register containing the PPI length 2837 * into the X register. 2838 */ 2839 s = new_stmt(BPF_LDX | BPF_MEM); 2840 s->s.k = reg_off_ll; 2841 return s; 2842 } 2843 2844 /* 2845 * Generate code to compute the link-layer header length, if necessary, 2846 * putting it into the X register, and to return either a pointer to a 2847 * "struct slist" for the list of statements in that code, or NULL if 2848 * no code is necessary. 2849 */ 2850 static struct slist *gen_llprefixlen(void) 2851 { 2852 switch (linktype) 2853 { 2854 2855 case DLT_PRISM_HEADER: 2856 return gen_prism_llprefixlen(); 2857 2858 case DLT_IEEE802_11_RADIO_AVS: 2859 return gen_avs_llprefixlen(); 2860 2861 case DLT_IEEE802_11_RADIO: 2862 return gen_radiotap_llprefixlen(); 2863 2864 case DLT_PPI: 2865 return gen_ppi_llprefixlen(); 2866 2867 default: 2868 return NULL; 2869 } 2870 } 2871 2872 /* 2873 * Generate code to load the register containing the offset of the 2874 * MAC-layer payload into the X register; if no register for that offset 2875 * has been allocated, allocate it first. 2876 */ 2877 static struct slist *gen_off_macpl(void) 2878 { 2879 struct slist *s; 2880 2881 if (off_macpl_is_variable) 2882 { 2883 if (reg_off_macpl == -1) 2884 { 2885 /* 2886 * We haven't yet assigned a register for the offset 2887 * of the MAC-layer payload; allocate one. 2888 */ 2889 reg_off_macpl = alloc_reg(); 2890 } 2891 2892 /* 2893 * Load the register containing the offset of the MAC-layer 2894 * payload into the X register. 2895 */ 2896 s = new_stmt(BPF_LDX | BPF_MEM); 2897 s->s.k = reg_off_macpl; 2898 return s; 2899 } 2900 else 2901 { 2902 /* 2903 * That offset isn't variable, so we don't need to 2904 * generate any code. 2905 */ 2906 return NULL; 2907 } 2908 } 2909 2910 /* 2911 * Map an Ethernet type to the equivalent PPP type. 2912 */ 2913 static int ethertype_to_ppptype(proto) 2914 int proto; 2915 { 2916 switch (proto) 2917 { 2918 2919 case ETHERTYPE_IP: 2920 proto = PPP_IP; 2921 break; 2922 2923 #ifdef INET6 2924 case ETHERTYPE_IPV6: 2925 proto = PPP_IPV6; 2926 break; 2927 #endif 2928 2929 case ETHERTYPE_DN: 2930 proto = PPP_DECNET; 2931 break; 2932 2933 case ETHERTYPE_ATALK: 2934 proto = PPP_APPLE; 2935 break; 2936 2937 case ETHERTYPE_NS: 2938 proto = PPP_NS; 2939 break; 2940 2941 case LLCSAP_ISONS: 2942 proto = PPP_OSI; 2943 break; 2944 2945 case LLCSAP_8021D: 2946 /* 2947 * I'm assuming the "Bridging PDU"s that go 2948 * over PPP are Spanning Tree Protocol 2949 * Bridging PDUs. 2950 */ 2951 proto = PPP_BRPDU; 2952 break; 2953 2954 case LLCSAP_IPX: 2955 proto = PPP_IPX; 2956 break; 2957 } 2958 return (proto); 2959 } 2960 2961 /* 2962 * Generate code to match a particular packet type by matching the 2963 * link-layer type field or fields in the 802.2 LLC header. 2964 * 2965 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2966 * value, if <= ETHERMTU. 2967 */ 2968 static struct block *gen_linktype(proto) 2969 register int proto; 2970 { 2971 struct block *b0, *b1, *b2; 2972 2973 /* are we checking MPLS-encapsulated packets? */ 2974 if (label_stack_depth > 0) 2975 { 2976 switch (proto) 2977 { 2978 case ETHERTYPE_IP: 2979 case PPP_IP: 2980 /* FIXME add other L3 proto IDs */ 2981 return gen_mpls_linktype(Q_IP); 2982 2983 case ETHERTYPE_IPV6: 2984 case PPP_IPV6: 2985 /* FIXME add other L3 proto IDs */ 2986 return gen_mpls_linktype(Q_IPV6); 2987 2988 default: 2989 bpf_error("unsupported protocol over mpls"); 2990 /* NOTREACHED */ 2991 } 2992 } 2993 2994 /* 2995 * Are we testing PPPoE packets? 2996 */ 2997 if (is_pppoes) 2998 { 2999 /* 3000 * The PPPoE session header is part of the 3001 * MAC-layer payload, so all references 3002 * should be relative to the beginning of 3003 * that payload. 3004 */ 3005 3006 /* 3007 * We use Ethernet protocol types inside libpcap; 3008 * map them to the corresponding PPP protocol types. 3009 */ 3010 proto = ethertype_to_ppptype(proto); 3011 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32) proto); 3012 } 3013 3014 switch (linktype) 3015 { 3016 3017 case DLT_EN10MB: 3018 return gen_ether_linktype(proto); 3019 /*NOTREACHED*/ break; 3020 3021 case DLT_C_HDLC: 3022 switch (proto) 3023 { 3024 3025 case LLCSAP_ISONS: 3026 proto = (proto << 8 | LLCSAP_ISONS); 3027 /* fall through */ 3028 3029 default: 3030 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 3031 /*NOTREACHED*/ break; 3032 } 3033 break; 3034 3035 case DLT_IEEE802_11: 3036 case DLT_PRISM_HEADER: 3037 case DLT_IEEE802_11_RADIO_AVS: 3038 case DLT_IEEE802_11_RADIO: 3039 case DLT_PPI: 3040 /* 3041 * Check that we have a data frame. 3042 */ 3043 b0 = gen_check_802_11_data_frame(); 3044 3045 /* 3046 * Now check for the specified link-layer type. 3047 */ 3048 b1 = gen_llc_linktype(proto); 3049 gen_and(b0, b1); 3050 return b1; 3051 /*NOTREACHED*/ break; 3052 3053 case DLT_FDDI: 3054 /* 3055 * XXX - check for asynchronous frames, as per RFC 1103. 3056 */ 3057 return gen_llc_linktype(proto); 3058 /*NOTREACHED*/ break; 3059 3060 case DLT_IEEE802: 3061 /* 3062 * XXX - check for LLC PDUs, as per IEEE 802.5. 3063 */ 3064 return gen_llc_linktype(proto); 3065 /*NOTREACHED*/ break; 3066 3067 case DLT_ATM_RFC1483: 3068 case DLT_ATM_CLIP: 3069 case DLT_IP_OVER_FC: 3070 return gen_llc_linktype(proto); 3071 /*NOTREACHED*/ break; 3072 3073 case DLT_SUNATM: 3074 /* 3075 * If "is_lane" is set, check for a LANE-encapsulated 3076 * version of this protocol, otherwise check for an 3077 * LLC-encapsulated version of this protocol. 3078 * 3079 * We assume LANE means Ethernet, not Token Ring. 3080 */ 3081 if (is_lane) 3082 { 3083 /* 3084 * Check that the packet doesn't begin with an 3085 * LE Control marker. (We've already generated 3086 * a test for LANE.) 3087 */ 3088 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3089 gen_not(b0); 3090 3091 /* 3092 * Now generate an Ethernet test. 3093 */ 3094 b1 = gen_ether_linktype(proto); 3095 gen_and(b0, b1); 3096 return b1; 3097 } 3098 else 3099 { 3100 /* 3101 * Check for LLC encapsulation and then check the 3102 * protocol. 3103 */ 3104 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3105 b1 = gen_llc_linktype(proto); 3106 gen_and(b0, b1); 3107 return b1; 3108 } 3109 /*NOTREACHED*/ break; 3110 3111 case DLT_LINUX_SLL: 3112 return gen_linux_sll_linktype(proto); 3113 /*NOTREACHED*/ break; 3114 3115 case DLT_SLIP: 3116 case DLT_SLIP_BSDOS: 3117 case DLT_RAW: 3118 /* 3119 * These types don't provide any type field; packets 3120 * are always IPv4 or IPv6. 3121 * 3122 * XXX - for IPv4, check for a version number of 4, and, 3123 * for IPv6, check for a version number of 6? 3124 */ 3125 switch (proto) 3126 { 3127 3128 case ETHERTYPE_IP: 3129 /* Check for a version number of 4. */ 3130 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3131 #ifdef INET6 3132 case ETHERTYPE_IPV6: 3133 /* Check for a version number of 6. */ 3134 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3135 #endif 3136 3137 default: 3138 return gen_false(); /* always false */ 3139 } 3140 /*NOTREACHED*/ break; 3141 3142 case DLT_IPV4: 3143 /* 3144 * Raw IPv4, so no type field. 3145 */ 3146 if (proto == ETHERTYPE_IP) 3147 return gen_true(); /* always true */ 3148 3149 /* Checking for something other than IPv4; always false */ 3150 return gen_false(); 3151 /*NOTREACHED*/ break; 3152 3153 case DLT_IPV6: 3154 /* 3155 * Raw IPv6, so no type field. 3156 */ 3157 #ifdef INET6 3158 if (proto == ETHERTYPE_IPV6) 3159 return gen_true(); /* always true */ 3160 #endif 3161 3162 /* Checking for something other than IPv6; always false */ 3163 return gen_false(); 3164 /*NOTREACHED*/ break; 3165 3166 case DLT_PPP: 3167 case DLT_PPP_PPPD: 3168 case DLT_PPP_SERIAL: 3169 case DLT_PPP_ETHER: 3170 /* 3171 * We use Ethernet protocol types inside libpcap; 3172 * map them to the corresponding PPP protocol types. 3173 */ 3174 proto = ethertype_to_ppptype(proto); 3175 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 3176 /*NOTREACHED*/ break; 3177 3178 case DLT_PPP_BSDOS: 3179 /* 3180 * We use Ethernet protocol types inside libpcap; 3181 * map them to the corresponding PPP protocol types. 3182 */ 3183 switch (proto) 3184 { 3185 3186 case ETHERTYPE_IP: 3187 /* 3188 * Also check for Van Jacobson-compressed IP. 3189 * XXX - do this for other forms of PPP? 3190 */ 3191 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3192 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3193 gen_or(b0, b1); 3194 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3195 gen_or(b1, b0); 3196 return b0; 3197 3198 default: 3199 proto = ethertype_to_ppptype(proto); 3200 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 3201 } 3202 /*NOTREACHED*/ break; 3203 3204 case DLT_NULL: 3205 case DLT_LOOP: 3206 case DLT_ENC: 3207 /* 3208 * For DLT_NULL, the link-layer header is a 32-bit 3209 * word containing an AF_ value in *host* byte order, 3210 * and for DLT_ENC, the link-layer header begins 3211 * with a 32-bit work containing an AF_ value in 3212 * host byte order. 3213 * 3214 * In addition, if we're reading a saved capture file, 3215 * the host byte order in the capture may not be the 3216 * same as the host byte order on this machine. 3217 * 3218 * For DLT_LOOP, the link-layer header is a 32-bit 3219 * word containing an AF_ value in *network* byte order. 3220 * 3221 * XXX - AF_ values may, unfortunately, be platform- 3222 * dependent; for example, FreeBSD's AF_INET6 is 24 3223 * whilst NetBSD's and OpenBSD's is 26. 3224 * 3225 * This means that, when reading a capture file, just 3226 * checking for our AF_INET6 value won't work if the 3227 * capture file came from another OS. 3228 */ 3229 switch (proto) 3230 { 3231 3232 case ETHERTYPE_IP: 3233 proto = AF_INET; 3234 break; 3235 3236 #ifdef INET6 3237 case ETHERTYPE_IPV6: 3238 proto = AF_INET6; 3239 break; 3240 #endif 3241 3242 default: 3243 /* 3244 * Not a type on which we support filtering. 3245 * XXX - support those that have AF_ values 3246 * #defined on this platform, at least? 3247 */ 3248 return gen_false(); 3249 } 3250 3251 if (linktype == DLT_NULL || linktype == DLT_ENC) 3252 { 3253 /* 3254 * The AF_ value is in host byte order, but 3255 * the BPF interpreter will convert it to 3256 * network byte order. 3257 * 3258 * If this is a save file, and it's from a 3259 * machine with the opposite byte order to 3260 * ours, we byte-swap the AF_ value. 3261 * 3262 * Then we run it through "htonl()", and 3263 * generate code to compare against the result. 3264 */ 3265 //if (bpf_pcap->sf.rfile != NULL && bpf_pcap->sf.swapped) 3266 // proto = SWAPLONG(proto); 3267 proto = htonl(proto); 3268 } 3269 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32) proto)); 3270 3271 #ifdef HAVE_NET_PFVAR_H 3272 case DLT_PFLOG: 3273 /* 3274 * af field is host byte order in contrast to the rest of 3275 * the packet. 3276 */ 3277 if (proto == ETHERTYPE_IP) 3278 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), BPF_B, (bpf_int32) AF_INET)); 3279 #ifdef INET6 3280 else if (proto == ETHERTYPE_IPV6) 3281 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), BPF_B, (bpf_int32) AF_INET6)); 3282 #endif /* INET6 */ 3283 else 3284 return gen_false(); 3285 /*NOTREACHED*/ break; 3286 #endif /* HAVE_NET_PFVAR_H */ 3287 3288 case DLT_ARCNET: 3289 case DLT_ARCNET_LINUX: 3290 /* 3291 * XXX should we check for first fragment if the protocol 3292 * uses PHDS? 3293 */ 3294 switch (proto) 3295 { 3296 3297 default: 3298 return gen_false(); 3299 3300 #ifdef INET6 3301 case ETHERTYPE_IPV6: 3302 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_INET6)); 3303 #endif /* INET6 */ 3304 3305 case ETHERTYPE_IP: 3306 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_IP); 3307 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_IP_OLD); 3308 gen_or(b0, b1); 3309 return (b1); 3310 3311 case ETHERTYPE_ARP: 3312 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ARP); 3313 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ARP_OLD); 3314 gen_or(b0, b1); 3315 return (b1); 3316 3317 case ETHERTYPE_REVARP: 3318 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_REVARP)); 3319 3320 case ETHERTYPE_ATALK: 3321 return (gen_cmp(OR_LINK, off_linktype, BPF_B, (bpf_int32) ARCTYPE_ATALK)); 3322 } 3323 /*NOTREACHED*/ break; 3324 3325 case DLT_LTALK: 3326 switch (proto) 3327 { 3328 case ETHERTYPE_ATALK: 3329 return gen_true(); 3330 default: 3331 return gen_false(); 3332 } 3333 /*NOTREACHED*/ break; 3334 3335 case DLT_FRELAY: 3336 /* 3337 * XXX - assumes a 2-byte Frame Relay header with 3338 * DLCI and flags. What if the address is longer? 3339 */ 3340 switch (proto) 3341 { 3342 3343 case ETHERTYPE_IP: 3344 /* 3345 * Check for the special NLPID for IP. 3346 */ 3347 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | 0xcc); 3348 3349 #ifdef INET6 3350 case ETHERTYPE_IPV6: 3351 /* 3352 * Check for the special NLPID for IPv6. 3353 */ 3354 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | 0x8e); 3355 #endif 3356 3357 case LLCSAP_ISONS: 3358 /* 3359 * Check for several OSI protocols. 3360 * 3361 * Frame Relay packets typically have an OSI 3362 * NLPID at the beginning; we check for each 3363 * of them. 3364 * 3365 * What we check for is the NLPID and a frame 3366 * control field of UI, i.e. 0x03 followed 3367 * by the NLPID. 3368 */ 3369 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO8473_CLNP); 3370 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO9542_ESIS); 3371 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | ISO10589_ISIS); 3372 gen_or(b1, b2); 3373 gen_or(b0, b2); 3374 return b2; 3375 3376 default: 3377 return gen_false(); 3378 } 3379 /*NOTREACHED*/ break; 3380 3381 case DLT_MFR: 3382 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3383 3384 case DLT_JUNIPER_MFR: 3385 case DLT_JUNIPER_MLFR: 3386 case DLT_JUNIPER_MLPPP: 3387 case DLT_JUNIPER_ATM1: 3388 case DLT_JUNIPER_ATM2: 3389 case DLT_JUNIPER_PPPOE: 3390 case DLT_JUNIPER_PPPOE_ATM: 3391 case DLT_JUNIPER_GGSN: 3392 case DLT_JUNIPER_ES: 3393 case DLT_JUNIPER_MONITOR: 3394 case DLT_JUNIPER_SERVICES: 3395 case DLT_JUNIPER_ETHER: 3396 case DLT_JUNIPER_PPP: 3397 case DLT_JUNIPER_FRELAY: 3398 case DLT_JUNIPER_CHDLC: 3399 case DLT_JUNIPER_VP: 3400 case DLT_JUNIPER_ST: 3401 case DLT_JUNIPER_ISM: 3402 /* just lets verify the magic number for now - 3403 * on ATM we may have up to 6 different encapsulations on the wire 3404 * and need a lot of heuristics to figure out that the payload 3405 * might be; 3406 * 3407 * FIXME encapsulation specific BPF_ filters 3408 */ 3409 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3410 3411 case DLT_IPNET: 3412 return gen_ipnet_linktype(proto); 3413 3414 case DLT_LINUX_IRDA: 3415 bpf_error("IrDA link-layer type filtering not implemented"); 3416 3417 case DLT_DOCSIS: 3418 bpf_error("DOCSIS link-layer type filtering not implemented"); 3419 3420 case DLT_MTP2: 3421 case DLT_MTP2_WITH_PHDR: 3422 bpf_error("MTP2 link-layer type filtering not implemented"); 3423 3424 case DLT_ERF: 3425 bpf_error("ERF link-layer type filtering not implemented"); 3426 3427 #ifdef DLT_PFSYNC 3428 case DLT_PFSYNC: 3429 bpf_error("PFSYNC link-layer type filtering not implemented"); 3430 #endif 3431 3432 case DLT_LINUX_LAPD: 3433 bpf_error("LAPD link-layer type filtering not implemented"); 3434 3435 case DLT_USB: 3436 case DLT_USB_LINUX: 3437 case DLT_USB_LINUX_MMAPPED: 3438 bpf_error("USB link-layer type filtering not implemented"); 3439 3440 case DLT_BLUETOOTH_HCI_H4: 3441 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3442 bpf_error("Bluetooth link-layer type filtering not implemented"); 3443 3444 case DLT_CAN20B: 3445 case DLT_CAN_SOCKETCAN: 3446 bpf_error("CAN link-layer type filtering not implemented"); 3447 3448 case DLT_IEEE802_15_4: 3449 case DLT_IEEE802_15_4_LINUX: 3450 case DLT_IEEE802_15_4_NONASK_PHY: 3451 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3452 3453 case DLT_IEEE802_16_MAC_CPS_RADIO: 3454 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3455 3456 case DLT_SITA: 3457 bpf_error("SITA link-layer type filtering not implemented"); 3458 3459 case DLT_RAIF1: 3460 bpf_error("RAIF1 link-layer type filtering not implemented"); 3461 3462 case DLT_IPMB: 3463 bpf_error("IPMB link-layer type filtering not implemented"); 3464 3465 case DLT_AX25_KISS: 3466 bpf_error("AX.25 link-layer type filtering not implemented"); 3467 } 3468 3469 /* 3470 * All the types that have no encapsulation should either be 3471 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3472 * all packets are IP packets, or should be handled in some 3473 * special case, if none of them are (if some are and some 3474 * aren't, the lack of encapsulation is a problem, as we'd 3475 * have to find some other way of determining the packet type). 3476 * 3477 * Therefore, if "off_linktype" is -1, there's an error. 3478 */ 3479 if (off_linktype == (u_int) - 1) 3480 abort(); 3481 3482 /* 3483 * Any type not handled above should always have an Ethernet 3484 * type at an offset of "off_linktype". 3485 */ 3486 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) proto); 3487 } 3488 3489 /* 3490 * Check for an LLC SNAP packet with a given organization code and 3491 * protocol type; we check the entire contents of the 802.2 LLC and 3492 * snap headers, checking for DSAP and SSAP of SNAP and a control 3493 * field of 0x03 in the LLC header, and for the specified organization 3494 * code and protocol type in the SNAP header. 3495 */ 3496 static struct block *gen_snap(orgcode, ptype) 3497 bpf_u_int32 orgcode; 3498 bpf_u_int32 ptype; 3499 { 3500 u_char snapblock[8]; 3501 3502 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3503 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3504 snapblock[2] = 0x03; /* control = UI */ 3505 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3506 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3507 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3508 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3509 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3510 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3511 } 3512 3513 /* 3514 * Generate code to match a particular packet type, for link-layer types 3515 * using 802.2 LLC headers. 3516 * 3517 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3518 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3519 * 3520 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3521 * value, if <= ETHERMTU. We use that to determine whether to 3522 * match the DSAP or both DSAP and LSAP or to check the OUI and 3523 * protocol ID in a SNAP header. 3524 */ 3525 static struct block *gen_llc_linktype(proto) 3526 int proto; 3527 { 3528 /* 3529 * XXX - handle token-ring variable-length header. 3530 */ 3531 switch (proto) 3532 { 3533 3534 case LLCSAP_IP: 3535 case LLCSAP_ISONS: 3536 case LLCSAP_NETBEUI: 3537 /* 3538 * XXX - should we check both the DSAP and the 3539 * SSAP, like this, or should we check just the 3540 * DSAP, as we do for other types <= ETHERMTU 3541 * (i.e., other SAP values)? 3542 */ 3543 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) ((proto << 8) | proto)); 3544 3545 case LLCSAP_IPX: 3546 /* 3547 * XXX - are there ever SNAP frames for IPX on 3548 * non-Ethernet 802.x networks? 3549 */ 3550 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) LLCSAP_IPX); 3551 3552 case ETHERTYPE_ATALK: 3553 /* 3554 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3555 * SNAP packets with an organization code of 3556 * 0x080007 (Apple, for Appletalk) and a protocol 3557 * type of ETHERTYPE_ATALK (Appletalk). 3558 * 3559 * XXX - check for an organization code of 3560 * encapsulated Ethernet as well? 3561 */ 3562 return gen_snap(0x080007, ETHERTYPE_ATALK); 3563 3564 default: 3565 /* 3566 * XXX - we don't have to check for IPX 802.3 3567 * here, but should we check for the IPX Ethertype? 3568 */ 3569 if (proto <= ETHERMTU) 3570 { 3571 /* 3572 * This is an LLC SAP value, so check 3573 * the DSAP. 3574 */ 3575 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32) proto); 3576 } 3577 else 3578 { 3579 /* 3580 * This is an Ethernet type; we assume that it's 3581 * unlikely that it'll appear in the right place 3582 * at random, and therefore check only the 3583 * location that would hold the Ethernet type 3584 * in a SNAP frame with an organization code of 3585 * 0x000000 (encapsulated Ethernet). 3586 * 3587 * XXX - if we were to check for the SNAP DSAP and 3588 * LSAP, as per XXX, and were also to check for an 3589 * organization code of 0x000000 (encapsulated 3590 * Ethernet), we'd do 3591 * 3592 * return gen_snap(0x000000, proto); 3593 * 3594 * here; for now, we don't, as per the above. 3595 * I don't know whether it's worth the extra CPU 3596 * time to do the right check or not. 3597 */ 3598 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32) proto); 3599 } 3600 } 3601 } 3602 3603 static struct block *gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3604 bpf_u_int32 addr; 3605 bpf_u_int32 mask; 3606 int dir, proto; 3607 u_int src_off, dst_off; 3608 { 3609 struct block *b0, *b1; 3610 u_int offset; 3611 3612 switch (dir) 3613 { 3614 3615 case Q_SRC: 3616 offset = src_off; 3617 break; 3618 3619 case Q_DST: 3620 offset = dst_off; 3621 break; 3622 3623 case Q_AND: 3624 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3625 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3626 gen_and(b0, b1); 3627 return b1; 3628 3629 case Q_OR: 3630 case Q_DEFAULT: 3631 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3632 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3633 gen_or(b0, b1); 3634 return b1; 3635 3636 default: 3637 abort(); 3638 } 3639 b0 = gen_linktype(proto); 3640 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32) addr, mask); 3641 gen_and(b0, b1); 3642 return b1; 3643 } 3644 3645 #ifdef INET6 3646 static struct block *gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3647 struct in6_addr *addr; 3648 struct in6_addr *mask; 3649 int dir, proto; 3650 u_int src_off, dst_off; 3651 { 3652 struct block *b0, *b1; 3653 u_int offset; 3654 u_int32_t *a, *m; 3655 3656 switch (dir) 3657 { 3658 3659 case Q_SRC: 3660 offset = src_off; 3661 break; 3662 3663 case Q_DST: 3664 offset = dst_off; 3665 break; 3666 3667 case Q_AND: 3668 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3669 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3670 gen_and(b0, b1); 3671 return b1; 3672 3673 case Q_OR: 3674 case Q_DEFAULT: 3675 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3676 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3677 gen_or(b0, b1); 3678 return b1; 3679 3680 default: 3681 abort(); 3682 } 3683 /* this order is important */ 3684 a = (u_int32_t *) addr; 3685 m = (u_int32_t *) mask; 3686 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3687 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3688 gen_and(b0, b1); 3689 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3690 gen_and(b0, b1); 3691 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3692 gen_and(b0, b1); 3693 b0 = gen_linktype(proto); 3694 gen_and(b0, b1); 3695 return b1; 3696 } 3697 #endif /*INET6 */ 3698 3699 static struct block *gen_ehostop(eaddr, dir) 3700 register const u_char *eaddr; 3701 register int dir; 3702 { 3703 register struct block *b0, *b1; 3704 3705 switch (dir) 3706 { 3707 case Q_SRC: 3708 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3709 3710 case Q_DST: 3711 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3712 3713 case Q_AND: 3714 b0 = gen_ehostop(eaddr, Q_SRC); 3715 b1 = gen_ehostop(eaddr, Q_DST); 3716 gen_and(b0, b1); 3717 return b1; 3718 3719 case Q_DEFAULT: 3720 case Q_OR: 3721 b0 = gen_ehostop(eaddr, Q_SRC); 3722 b1 = gen_ehostop(eaddr, Q_DST); 3723 gen_or(b0, b1); 3724 return b1; 3725 } 3726 abort(); 3727 /* NOTREACHED */ 3728 } 3729 3730 /* 3731 * Like gen_ehostop, but for DLT_FDDI 3732 */ 3733 static struct block *gen_fhostop(eaddr, dir) 3734 register const u_char *eaddr; 3735 register int dir; 3736 { 3737 struct block *b0, *b1; 3738 3739 switch (dir) 3740 { 3741 case Q_SRC: 3742 #ifdef PCAP_FDDIPAD 3743 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3744 #else 3745 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3746 #endif 3747 3748 case Q_DST: 3749 #ifdef PCAP_FDDIPAD 3750 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3751 #else 3752 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3753 #endif 3754 3755 case Q_AND: 3756 b0 = gen_fhostop(eaddr, Q_SRC); 3757 b1 = gen_fhostop(eaddr, Q_DST); 3758 gen_and(b0, b1); 3759 return b1; 3760 3761 case Q_DEFAULT: 3762 case Q_OR: 3763 b0 = gen_fhostop(eaddr, Q_SRC); 3764 b1 = gen_fhostop(eaddr, Q_DST); 3765 gen_or(b0, b1); 3766 return b1; 3767 } 3768 abort(); 3769 /* NOTREACHED */ 3770 } 3771 3772 /* 3773 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3774 */ 3775 static struct block *gen_thostop(eaddr, dir) 3776 register const u_char *eaddr; 3777 register int dir; 3778 { 3779 register struct block *b0, *b1; 3780 3781 switch (dir) 3782 { 3783 case Q_SRC: 3784 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3785 3786 case Q_DST: 3787 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3788 3789 case Q_AND: 3790 b0 = gen_thostop(eaddr, Q_SRC); 3791 b1 = gen_thostop(eaddr, Q_DST); 3792 gen_and(b0, b1); 3793 return b1; 3794 3795 case Q_DEFAULT: 3796 case Q_OR: 3797 b0 = gen_thostop(eaddr, Q_SRC); 3798 b1 = gen_thostop(eaddr, Q_DST); 3799 gen_or(b0, b1); 3800 return b1; 3801 } 3802 abort(); 3803 /* NOTREACHED */ 3804 } 3805 3806 /* 3807 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3808 * various 802.11 + radio headers. 3809 */ 3810 static struct block *gen_wlanhostop(eaddr, dir) 3811 register const u_char *eaddr; 3812 register int dir; 3813 { 3814 register struct block *b0, *b1, *b2; 3815 register struct slist *s; 3816 3817 #ifdef ENABLE_WLAN_FILTERING_PATCH 3818 /* 3819 * GV 20070613 3820 * We need to disable the optimizer because the optimizer is buggy 3821 * and wipes out some LD instructions generated by the below 3822 * code to validate the Frame Control bits 3823 */ 3824 no_optimize = 1; 3825 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3826 3827 switch (dir) 3828 { 3829 case Q_SRC: 3830 /* 3831 * Oh, yuk. 3832 * 3833 * For control frames, there is no SA. 3834 * 3835 * For management frames, SA is at an 3836 * offset of 10 from the beginning of 3837 * the packet. 3838 * 3839 * For data frames, SA is at an offset 3840 * of 10 from the beginning of the packet 3841 * if From DS is clear, at an offset of 3842 * 16 from the beginning of the packet 3843 * if From DS is set and To DS is clear, 3844 * and an offset of 24 from the beginning 3845 * of the packet if From DS is set and To DS 3846 * is set. 3847 */ 3848 3849 /* 3850 * Generate the tests to be done for data frames 3851 * with From DS set. 3852 * 3853 * First, check for To DS set, i.e. check "link[1] & 0x01". 3854 */ 3855 s = gen_load_a(OR_LINK, 1, BPF_B); 3856 b1 = new_block(JMP(BPF_JSET)); 3857 b1->s.k = 0x01; /* To DS */ 3858 b1->stmts = s; 3859 3860 /* 3861 * If To DS is set, the SA is at 24. 3862 */ 3863 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3864 gen_and(b1, b0); 3865 3866 /* 3867 * Now, check for To DS not set, i.e. check 3868 * "!(link[1] & 0x01)". 3869 */ 3870 s = gen_load_a(OR_LINK, 1, BPF_B); 3871 b2 = new_block(JMP(BPF_JSET)); 3872 b2->s.k = 0x01; /* To DS */ 3873 b2->stmts = s; 3874 gen_not(b2); 3875 3876 /* 3877 * If To DS is not set, the SA is at 16. 3878 */ 3879 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3880 gen_and(b2, b1); 3881 3882 /* 3883 * Now OR together the last two checks. That gives 3884 * the complete set of checks for data frames with 3885 * From DS set. 3886 */ 3887 gen_or(b1, b0); 3888 3889 /* 3890 * Now check for From DS being set, and AND that with 3891 * the ORed-together checks. 3892 */ 3893 s = gen_load_a(OR_LINK, 1, BPF_B); 3894 b1 = new_block(JMP(BPF_JSET)); 3895 b1->s.k = 0x02; /* From DS */ 3896 b1->stmts = s; 3897 gen_and(b1, b0); 3898 3899 /* 3900 * Now check for data frames with From DS not set. 3901 */ 3902 s = gen_load_a(OR_LINK, 1, BPF_B); 3903 b2 = new_block(JMP(BPF_JSET)); 3904 b2->s.k = 0x02; /* From DS */ 3905 b2->stmts = s; 3906 gen_not(b2); 3907 3908 /* 3909 * If From DS isn't set, the SA is at 10. 3910 */ 3911 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3912 gen_and(b2, b1); 3913 3914 /* 3915 * Now OR together the checks for data frames with 3916 * From DS not set and for data frames with From DS 3917 * set; that gives the checks done for data frames. 3918 */ 3919 gen_or(b1, b0); 3920 3921 /* 3922 * Now check for a data frame. 3923 * I.e, check "link[0] & 0x08". 3924 */ 3925 s = gen_load_a(OR_LINK, 0, BPF_B); 3926 b1 = new_block(JMP(BPF_JSET)); 3927 b1->s.k = 0x08; 3928 b1->stmts = s; 3929 3930 /* 3931 * AND that with the checks done for data frames. 3932 */ 3933 gen_and(b1, b0); 3934 3935 /* 3936 * If the high-order bit of the type value is 0, this 3937 * is a management frame. 3938 * I.e, check "!(link[0] & 0x08)". 3939 */ 3940 s = gen_load_a(OR_LINK, 0, BPF_B); 3941 b2 = new_block(JMP(BPF_JSET)); 3942 b2->s.k = 0x08; 3943 b2->stmts = s; 3944 gen_not(b2); 3945 3946 /* 3947 * For management frames, the SA is at 10. 3948 */ 3949 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3950 gen_and(b2, b1); 3951 3952 /* 3953 * OR that with the checks done for data frames. 3954 * That gives the checks done for management and 3955 * data frames. 3956 */ 3957 gen_or(b1, b0); 3958 3959 /* 3960 * If the low-order bit of the type value is 1, 3961 * this is either a control frame or a frame 3962 * with a reserved type, and thus not a 3963 * frame with an SA. 3964 * 3965 * I.e., check "!(link[0] & 0x04)". 3966 */ 3967 s = gen_load_a(OR_LINK, 0, BPF_B); 3968 b1 = new_block(JMP(BPF_JSET)); 3969 b1->s.k = 0x04; 3970 b1->stmts = s; 3971 gen_not(b1); 3972 3973 /* 3974 * AND that with the checks for data and management 3975 * frames. 3976 */ 3977 gen_and(b1, b0); 3978 return b0; 3979 3980 case Q_DST: 3981 /* 3982 * Oh, yuk. 3983 * 3984 * For control frames, there is no DA. 3985 * 3986 * For management frames, DA is at an 3987 * offset of 4 from the beginning of 3988 * the packet. 3989 * 3990 * For data frames, DA is at an offset 3991 * of 4 from the beginning of the packet 3992 * if To DS is clear and at an offset of 3993 * 16 from the beginning of the packet 3994 * if To DS is set. 3995 */ 3996 3997 /* 3998 * Generate the tests to be done for data frames. 3999 * 4000 * First, check for To DS set, i.e. "link[1] & 0x01". 4001 */ 4002 s = gen_load_a(OR_LINK, 1, BPF_B); 4003 b1 = new_block(JMP(BPF_JSET)); 4004 b1->s.k = 0x01; /* To DS */ 4005 b1->stmts = s; 4006 4007 /* 4008 * If To DS is set, the DA is at 16. 4009 */ 4010 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4011 gen_and(b1, b0); 4012 4013 /* 4014 * Now, check for To DS not set, i.e. check 4015 * "!(link[1] & 0x01)". 4016 */ 4017 s = gen_load_a(OR_LINK, 1, BPF_B); 4018 b2 = new_block(JMP(BPF_JSET)); 4019 b2->s.k = 0x01; /* To DS */ 4020 b2->stmts = s; 4021 gen_not(b2); 4022 4023 /* 4024 * If To DS is not set, the DA is at 4. 4025 */ 4026 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4027 gen_and(b2, b1); 4028 4029 /* 4030 * Now OR together the last two checks. That gives 4031 * the complete set of checks for data frames. 4032 */ 4033 gen_or(b1, b0); 4034 4035 /* 4036 * Now check for a data frame. 4037 * I.e, check "link[0] & 0x08". 4038 */ 4039 s = gen_load_a(OR_LINK, 0, BPF_B); 4040 b1 = new_block(JMP(BPF_JSET)); 4041 b1->s.k = 0x08; 4042 b1->stmts = s; 4043 4044 /* 4045 * AND that with the checks done for data frames. 4046 */ 4047 gen_and(b1, b0); 4048 4049 /* 4050 * If the high-order bit of the type value is 0, this 4051 * is a management frame. 4052 * I.e, check "!(link[0] & 0x08)". 4053 */ 4054 s = gen_load_a(OR_LINK, 0, BPF_B); 4055 b2 = new_block(JMP(BPF_JSET)); 4056 b2->s.k = 0x08; 4057 b2->stmts = s; 4058 gen_not(b2); 4059 4060 /* 4061 * For management frames, the DA is at 4. 4062 */ 4063 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4064 gen_and(b2, b1); 4065 4066 /* 4067 * OR that with the checks done for data frames. 4068 * That gives the checks done for management and 4069 * data frames. 4070 */ 4071 gen_or(b1, b0); 4072 4073 /* 4074 * If the low-order bit of the type value is 1, 4075 * this is either a control frame or a frame 4076 * with a reserved type, and thus not a 4077 * frame with an SA. 4078 * 4079 * I.e., check "!(link[0] & 0x04)". 4080 */ 4081 s = gen_load_a(OR_LINK, 0, BPF_B); 4082 b1 = new_block(JMP(BPF_JSET)); 4083 b1->s.k = 0x04; 4084 b1->stmts = s; 4085 gen_not(b1); 4086 4087 /* 4088 * AND that with the checks for data and management 4089 * frames. 4090 */ 4091 gen_and(b1, b0); 4092 return b0; 4093 4094 /* 4095 * XXX - add RA, TA, and BSSID keywords? 4096 */ 4097 case Q_ADDR1: 4098 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4099 4100 case Q_ADDR2: 4101 /* 4102 * Not present in CTS or ACK control frames. 4103 */ 4104 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, IEEE80211_FC0_TYPE_MASK); 4105 gen_not(b0); 4106 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, IEEE80211_FC0_SUBTYPE_MASK); 4107 gen_not(b1); 4108 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, IEEE80211_FC0_SUBTYPE_MASK); 4109 gen_not(b2); 4110 gen_and(b1, b2); 4111 gen_or(b0, b2); 4112 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4113 gen_and(b2, b1); 4114 return b1; 4115 4116 case Q_ADDR3: 4117 /* 4118 * Not present in control frames. 4119 */ 4120 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, IEEE80211_FC0_TYPE_MASK); 4121 gen_not(b0); 4122 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4123 gen_and(b0, b1); 4124 return b1; 4125 4126 case Q_ADDR4: 4127 /* 4128 * Present only if the direction mask has both "From DS" 4129 * and "To DS" set. Neither control frames nor management 4130 * frames should have both of those set, so we don't 4131 * check the frame type. 4132 */ 4133 b0 = gen_mcmp(OR_LINK, 1, BPF_B, IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4134 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4135 gen_and(b0, b1); 4136 return b1; 4137 4138 case Q_AND: 4139 b0 = gen_wlanhostop(eaddr, Q_SRC); 4140 b1 = gen_wlanhostop(eaddr, Q_DST); 4141 gen_and(b0, b1); 4142 return b1; 4143 4144 case Q_DEFAULT: 4145 case Q_OR: 4146 b0 = gen_wlanhostop(eaddr, Q_SRC); 4147 b1 = gen_wlanhostop(eaddr, Q_DST); 4148 gen_or(b0, b1); 4149 return b1; 4150 } 4151 abort(); 4152 /* NOTREACHED */ 4153 } 4154 4155 /* 4156 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4157 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4158 * as the RFC states.) 4159 */ 4160 static struct block *gen_ipfchostop(eaddr, dir) 4161 register const u_char *eaddr; 4162 register int dir; 4163 { 4164 register struct block *b0, *b1; 4165 4166 switch (dir) 4167 { 4168 case Q_SRC: 4169 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4170 4171 case Q_DST: 4172 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4173 4174 case Q_AND: 4175 b0 = gen_ipfchostop(eaddr, Q_SRC); 4176 b1 = gen_ipfchostop(eaddr, Q_DST); 4177 gen_and(b0, b1); 4178 return b1; 4179 4180 case Q_DEFAULT: 4181 case Q_OR: 4182 b0 = gen_ipfchostop(eaddr, Q_SRC); 4183 b1 = gen_ipfchostop(eaddr, Q_DST); 4184 gen_or(b0, b1); 4185 return b1; 4186 } 4187 abort(); 4188 /* NOTREACHED */ 4189 } 4190 4191 /* 4192 * This is quite tricky because there may be pad bytes in front of the 4193 * DECNET header, and then there are two possible data packet formats that 4194 * carry both src and dst addresses, plus 5 packet types in a format that 4195 * carries only the src node, plus 2 types that use a different format and 4196 * also carry just the src node. 4197 * 4198 * Yuck. 4199 * 4200 * Instead of doing those all right, we just look for data packets with 4201 * 0 or 1 bytes of padding. If you want to look at other packets, that 4202 * will require a lot more hacking. 4203 * 4204 * To add support for filtering on DECNET "areas" (network numbers) 4205 * one would want to add a "mask" argument to this routine. That would 4206 * make the filter even more inefficient, although one could be clever 4207 * and not generate masking instructions if the mask is 0xFFFF. 4208 */ 4209 static struct block *gen_dnhostop(addr, dir) 4210 bpf_u_int32 addr; 4211 int dir; 4212 { 4213 struct block *b0, *b1, *b2, *tmp; 4214 u_int offset_lh; /* offset if long header is received */ 4215 u_int offset_sh; /* offset if short header is received */ 4216 4217 switch (dir) 4218 { 4219 4220 case Q_DST: 4221 offset_sh = 1; /* follows flags */ 4222 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4223 break; 4224 4225 case Q_SRC: 4226 offset_sh = 3; /* follows flags, dstnode */ 4227 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4228 break; 4229 4230 case Q_AND: 4231 /* Inefficient because we do our Calvinball dance twice */ 4232 b0 = gen_dnhostop(addr, Q_SRC); 4233 b1 = gen_dnhostop(addr, Q_DST); 4234 gen_and(b0, b1); 4235 return b1; 4236 4237 case Q_OR: 4238 case Q_DEFAULT: 4239 /* Inefficient because we do our Calvinball dance twice */ 4240 b0 = gen_dnhostop(addr, Q_SRC); 4241 b1 = gen_dnhostop(addr, Q_DST); 4242 gen_or(b0, b1); 4243 return b1; 4244 4245 case Q_ISO: 4246 bpf_error("ISO host filtering not implemented"); 4247 4248 default: 4249 abort(); 4250 } 4251 b0 = gen_linktype(ETHERTYPE_DN); 4252 /* Check for pad = 1, long header case */ 4253 tmp = gen_mcmp(OR_NET, 2, BPF_H, (bpf_int32) ntohs(0x0681), (bpf_int32) ntohs(0x07FF)); 4254 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, BPF_H, (bpf_int32) ntohs((u_short) addr)); 4255 gen_and(tmp, b1); 4256 /* Check for pad = 0, long header case */ 4257 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32) 0x06, (bpf_int32) 0x7); 4258 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32) ntohs((u_short) addr)); 4259 gen_and(tmp, b2); 4260 gen_or(b2, b1); 4261 /* Check for pad = 1, short header case */ 4262 tmp = gen_mcmp(OR_NET, 2, BPF_H, (bpf_int32) ntohs(0x0281), (bpf_int32) ntohs(0x07FF)); 4263 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32) ntohs((u_short) addr)); 4264 gen_and(tmp, b2); 4265 gen_or(b2, b1); 4266 /* Check for pad = 0, short header case */ 4267 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32) 0x02, (bpf_int32) 0x7); 4268 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32) ntohs((u_short) addr)); 4269 gen_and(tmp, b2); 4270 gen_or(b2, b1); 4271 4272 /* Combine with test for linktype */ 4273 gen_and(b0, b1); 4274 return b1; 4275 } 4276 4277 /* 4278 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4279 * test the bottom-of-stack bit, and then check the version number 4280 * field in the IP header. 4281 */ 4282 static struct block *gen_mpls_linktype(proto) 4283 int proto; 4284 { 4285 struct block *b0, *b1; 4286 4287 switch (proto) 4288 { 4289 4290 case Q_IP: 4291 /* match the bottom-of-stack bit */ 4292 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4293 /* match the IPv4 version number */ 4294 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4295 gen_and(b0, b1); 4296 return b1; 4297 4298 case Q_IPV6: 4299 /* match the bottom-of-stack bit */ 4300 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4301 /* match the IPv4 version number */ 4302 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4303 gen_and(b0, b1); 4304 return b1; 4305 4306 default: 4307 abort(); 4308 } 4309 } 4310 4311 static struct block *gen_host(addr, mask, proto, dir, type) 4312 bpf_u_int32 addr; 4313 bpf_u_int32 mask; 4314 int proto; 4315 int dir; 4316 int type; 4317 { 4318 struct block *b0, *b1; 4319 const char *typestr; 4320 4321 if (type == Q_NET) 4322 typestr = "net"; 4323 else 4324 typestr = "host"; 4325 4326 switch (proto) 4327 { 4328 4329 case Q_DEFAULT: 4330 b0 = gen_host(addr, mask, Q_IP, dir, type); 4331 /* 4332 * Only check for non-IPv4 addresses if we're not 4333 * checking MPLS-encapsulated packets. 4334 */ 4335 if (label_stack_depth == 0) 4336 { 4337 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4338 gen_or(b0, b1); 4339 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4340 gen_or(b1, b0); 4341 } 4342 return b0; 4343 4344 case Q_IP: 4345 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4346 4347 case Q_RARP: 4348 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4349 4350 case Q_ARP: 4351 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4352 4353 case Q_TCP: 4354 bpf_error("'tcp' modifier applied to %s", typestr); 4355 4356 case Q_SCTP: 4357 bpf_error("'sctp' modifier applied to %s", typestr); 4358 4359 case Q_UDP: 4360 bpf_error("'udp' modifier applied to %s", typestr); 4361 4362 case Q_ICMP: 4363 bpf_error("'icmp' modifier applied to %s", typestr); 4364 4365 case Q_IGMP: 4366 bpf_error("'igmp' modifier applied to %s", typestr); 4367 4368 case Q_IGRP: 4369 bpf_error("'igrp' modifier applied to %s", typestr); 4370 4371 case Q_PIM: 4372 bpf_error("'pim' modifier applied to %s", typestr); 4373 4374 case Q_VRRP: 4375 bpf_error("'vrrp' modifier applied to %s", typestr); 4376 4377 case Q_ATALK: 4378 bpf_error("ATALK host filtering not implemented"); 4379 4380 case Q_AARP: 4381 bpf_error("AARP host filtering not implemented"); 4382 4383 case Q_DECNET: 4384 return gen_dnhostop(addr, dir); 4385 4386 case Q_SCA: 4387 bpf_error("SCA host filtering not implemented"); 4388 4389 case Q_LAT: 4390 bpf_error("LAT host filtering not implemented"); 4391 4392 case Q_MOPDL: 4393 bpf_error("MOPDL host filtering not implemented"); 4394 4395 case Q_MOPRC: 4396 bpf_error("MOPRC host filtering not implemented"); 4397 4398 #ifdef INET6 4399 case Q_IPV6: 4400 bpf_error("'ip6' modifier applied to ip host"); 4401 4402 case Q_ICMPV6: 4403 bpf_error("'icmp6' modifier applied to %s", typestr); 4404 #endif /* INET6 */ 4405 4406 case Q_AH: 4407 bpf_error("'ah' modifier applied to %s", typestr); 4408 4409 case Q_ESP: 4410 bpf_error("'esp' modifier applied to %s", typestr); 4411 4412 case Q_ISO: 4413 bpf_error("ISO host filtering not implemented"); 4414 4415 case Q_ESIS: 4416 bpf_error("'esis' modifier applied to %s", typestr); 4417 4418 case Q_ISIS: 4419 bpf_error("'isis' modifier applied to %s", typestr); 4420 4421 case Q_CLNP: 4422 bpf_error("'clnp' modifier applied to %s", typestr); 4423 4424 case Q_STP: 4425 bpf_error("'stp' modifier applied to %s", typestr); 4426 4427 case Q_IPX: 4428 bpf_error("IPX host filtering not implemented"); 4429 4430 case Q_NETBEUI: 4431 bpf_error("'netbeui' modifier applied to %s", typestr); 4432 4433 case Q_RADIO: 4434 bpf_error("'radio' modifier applied to %s", typestr); 4435 4436 default: 4437 abort(); 4438 } 4439 /* NOTREACHED */ 4440 } 4441 4442 #ifdef INET6 4443 static struct block *gen_host6(addr, mask, proto, dir, type) 4444 struct in6_addr *addr; 4445 struct in6_addr *mask; 4446 int proto; 4447 int dir; 4448 int type; 4449 { 4450 const char *typestr; 4451 4452 if (type == Q_NET) 4453 typestr = "net"; 4454 else 4455 typestr = "host"; 4456 4457 switch (proto) 4458 { 4459 4460 case Q_DEFAULT: 4461 return gen_host6(addr, mask, Q_IPV6, dir, type); 4462 4463 case Q_IP: 4464 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4465 4466 case Q_RARP: 4467 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4468 4469 case Q_ARP: 4470 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4471 4472 case Q_SCTP: 4473 bpf_error("'sctp' modifier applied to %s", typestr); 4474 4475 case Q_TCP: 4476 bpf_error("'tcp' modifier applied to %s", typestr); 4477 4478 case Q_UDP: 4479 bpf_error("'udp' modifier applied to %s", typestr); 4480 4481 case Q_ICMP: 4482 bpf_error("'icmp' modifier applied to %s", typestr); 4483 4484 case Q_IGMP: 4485 bpf_error("'igmp' modifier applied to %s", typestr); 4486 4487 case Q_IGRP: 4488 bpf_error("'igrp' modifier applied to %s", typestr); 4489 4490 case Q_PIM: 4491 bpf_error("'pim' modifier applied to %s", typestr); 4492 4493 case Q_VRRP: 4494 bpf_error("'vrrp' modifier applied to %s", typestr); 4495 4496 case Q_ATALK: 4497 bpf_error("ATALK host filtering not implemented"); 4498 4499 case Q_AARP: 4500 bpf_error("AARP host filtering not implemented"); 4501 4502 case Q_DECNET: 4503 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4504 4505 case Q_SCA: 4506 bpf_error("SCA host filtering not implemented"); 4507 4508 case Q_LAT: 4509 bpf_error("LAT host filtering not implemented"); 4510 4511 case Q_MOPDL: 4512 bpf_error("MOPDL host filtering not implemented"); 4513 4514 case Q_MOPRC: 4515 bpf_error("MOPRC host filtering not implemented"); 4516 4517 case Q_IPV6: 4518 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4519 4520 case Q_ICMPV6: 4521 bpf_error("'icmp6' modifier applied to %s", typestr); 4522 4523 case Q_AH: 4524 bpf_error("'ah' modifier applied to %s", typestr); 4525 4526 case Q_ESP: 4527 bpf_error("'esp' modifier applied to %s", typestr); 4528 4529 case Q_ISO: 4530 bpf_error("ISO host filtering not implemented"); 4531 4532 case Q_ESIS: 4533 bpf_error("'esis' modifier applied to %s", typestr); 4534 4535 case Q_ISIS: 4536 bpf_error("'isis' modifier applied to %s", typestr); 4537 4538 case Q_CLNP: 4539 bpf_error("'clnp' modifier applied to %s", typestr); 4540 4541 case Q_STP: 4542 bpf_error("'stp' modifier applied to %s", typestr); 4543 4544 case Q_IPX: 4545 bpf_error("IPX host filtering not implemented"); 4546 4547 case Q_NETBEUI: 4548 bpf_error("'netbeui' modifier applied to %s", typestr); 4549 4550 case Q_RADIO: 4551 bpf_error("'radio' modifier applied to %s", typestr); 4552 4553 default: 4554 abort(); 4555 } 4556 /* NOTREACHED */ 4557 } 4558 #endif /*INET6 */ 4559 4560 #ifndef INET6 4561 static struct block *gen_gateway(eaddr, alist, proto, dir) 4562 const u_char *eaddr; 4563 bpf_u_int32 **alist; 4564 int proto; 4565 int dir; 4566 { 4567 struct block *b0, *b1, *tmp; 4568 4569 if (dir != 0) 4570 bpf_error("direction applied to 'gateway'"); 4571 4572 switch (proto) 4573 { 4574 case Q_DEFAULT: 4575 case Q_IP: 4576 case Q_ARP: 4577 case Q_RARP: 4578 switch (linktype) 4579 { 4580 case DLT_EN10MB: 4581 b0 = gen_ehostop(eaddr, Q_OR); 4582 break; 4583 case DLT_FDDI: 4584 b0 = gen_fhostop(eaddr, Q_OR); 4585 break; 4586 case DLT_IEEE802: 4587 b0 = gen_thostop(eaddr, Q_OR); 4588 break; 4589 case DLT_IEEE802_11: 4590 case DLT_PRISM_HEADER: 4591 case DLT_IEEE802_11_RADIO_AVS: 4592 case DLT_IEEE802_11_RADIO: 4593 case DLT_PPI: 4594 b0 = gen_wlanhostop(eaddr, Q_OR); 4595 break; 4596 case DLT_SUNATM: 4597 if (!is_lane) 4598 bpf_error 4599 ("'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4600 /* 4601 * Check that the packet doesn't begin with an 4602 * LE Control marker. (We've already generated 4603 * a test for LANE.) 4604 */ 4605 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 4606 gen_not(b1); 4607 4608 /* 4609 * Now check the MAC address. 4610 */ 4611 b0 = gen_ehostop(eaddr, Q_OR); 4612 gen_and(b1, b0); 4613 break; 4614 case DLT_IP_OVER_FC: 4615 b0 = gen_ipfchostop(eaddr, Q_OR); 4616 break; 4617 default: 4618 bpf_error 4619 ("'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4620 } 4621 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4622 while (*alist) 4623 { 4624 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4625 gen_or(b1, tmp); 4626 b1 = tmp; 4627 } 4628 gen_not(b1); 4629 gen_and(b0, b1); 4630 return b1; 4631 } 4632 bpf_error("illegal modifier of 'gateway'"); 4633 /* NOTREACHED */ 4634 } 4635 #endif 4636 4637 struct block *gen_proto_abbrev(proto) 4638 int proto; 4639 { 4640 struct block *b0; 4641 struct block *b1; 4642 4643 switch (proto) 4644 { 4645 4646 case Q_SCTP: 4647 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4648 #ifdef INET6 4649 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4650 gen_or(b0, b1); 4651 #endif 4652 break; 4653 4654 case Q_TCP: 4655 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4656 #ifdef INET6 4657 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4658 gen_or(b0, b1); 4659 #endif 4660 break; 4661 4662 case Q_UDP: 4663 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4664 #ifdef INET6 4665 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4666 gen_or(b0, b1); 4667 #endif 4668 break; 4669 4670 case Q_ICMP: 4671 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4672 break; 4673 4674 #ifndef IPPROTO_IGMP 4675 #define IPPROTO_IGMP 2 4676 #endif 4677 4678 case Q_IGMP: 4679 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4680 break; 4681 4682 #ifndef IPPROTO_IGRP 4683 #define IPPROTO_IGRP 9 4684 #endif 4685 case Q_IGRP: 4686 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4687 break; 4688 4689 #ifndef IPPROTO_PIM 4690 #define IPPROTO_PIM 103 4691 #endif 4692 4693 case Q_PIM: 4694 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4695 #ifdef INET6 4696 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4697 gen_or(b0, b1); 4698 #endif 4699 break; 4700 4701 #ifndef IPPROTO_VRRP 4702 #define IPPROTO_VRRP 112 4703 #endif 4704 4705 case Q_VRRP: 4706 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4707 break; 4708 4709 case Q_IP: 4710 b1 = gen_linktype(ETHERTYPE_IP); 4711 break; 4712 4713 case Q_ARP: 4714 b1 = gen_linktype(ETHERTYPE_ARP); 4715 break; 4716 4717 case Q_RARP: 4718 b1 = gen_linktype(ETHERTYPE_REVARP); 4719 break; 4720 4721 case Q_LINK: 4722 bpf_error("link layer applied in wrong context"); 4723 4724 case Q_ATALK: 4725 b1 = gen_linktype(ETHERTYPE_ATALK); 4726 break; 4727 4728 case Q_AARP: 4729 b1 = gen_linktype(ETHERTYPE_AARP); 4730 break; 4731 4732 case Q_DECNET: 4733 b1 = gen_linktype(ETHERTYPE_DN); 4734 break; 4735 4736 case Q_SCA: 4737 b1 = gen_linktype(ETHERTYPE_SCA); 4738 break; 4739 4740 case Q_LAT: 4741 b1 = gen_linktype(ETHERTYPE_LAT); 4742 break; 4743 4744 case Q_MOPDL: 4745 b1 = gen_linktype(ETHERTYPE_MOPDL); 4746 break; 4747 4748 case Q_MOPRC: 4749 b1 = gen_linktype(ETHERTYPE_MOPRC); 4750 break; 4751 4752 #ifdef INET6 4753 case Q_IPV6: 4754 b1 = gen_linktype(ETHERTYPE_IPV6); 4755 break; 4756 4757 #ifndef IPPROTO_ICMPV6 4758 #define IPPROTO_ICMPV6 58 4759 #endif 4760 case Q_ICMPV6: 4761 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4762 break; 4763 #endif /* INET6 */ 4764 4765 #ifndef IPPROTO_AH 4766 #define IPPROTO_AH 51 4767 #endif 4768 case Q_AH: 4769 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4770 #ifdef INET6 4771 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4772 gen_or(b0, b1); 4773 #endif 4774 break; 4775 4776 #ifndef IPPROTO_ESP 4777 #define IPPROTO_ESP 50 4778 #endif 4779 case Q_ESP: 4780 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4781 #ifdef INET6 4782 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4783 gen_or(b0, b1); 4784 #endif 4785 break; 4786 4787 case Q_ISO: 4788 b1 = gen_linktype(LLCSAP_ISONS); 4789 break; 4790 4791 case Q_ESIS: 4792 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4793 break; 4794 4795 case Q_ISIS: 4796 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4797 break; 4798 4799 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4800 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4801 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4802 gen_or(b0, b1); 4803 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4804 gen_or(b0, b1); 4805 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4806 gen_or(b0, b1); 4807 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4808 gen_or(b0, b1); 4809 break; 4810 4811 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4812 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4813 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4814 gen_or(b0, b1); 4815 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4816 gen_or(b0, b1); 4817 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4818 gen_or(b0, b1); 4819 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4820 gen_or(b0, b1); 4821 break; 4822 4823 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4824 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4825 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4826 gen_or(b0, b1); 4827 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4828 gen_or(b0, b1); 4829 break; 4830 4831 case Q_ISIS_LSP: 4832 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4833 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4834 gen_or(b0, b1); 4835 break; 4836 4837 case Q_ISIS_SNP: 4838 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4839 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4840 gen_or(b0, b1); 4841 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4842 gen_or(b0, b1); 4843 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4844 gen_or(b0, b1); 4845 break; 4846 4847 case Q_ISIS_CSNP: 4848 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4849 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4850 gen_or(b0, b1); 4851 break; 4852 4853 case Q_ISIS_PSNP: 4854 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4855 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4856 gen_or(b0, b1); 4857 break; 4858 4859 case Q_CLNP: 4860 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4861 break; 4862 4863 case Q_STP: 4864 b1 = gen_linktype(LLCSAP_8021D); 4865 break; 4866 4867 case Q_IPX: 4868 b1 = gen_linktype(LLCSAP_IPX); 4869 break; 4870 4871 case Q_NETBEUI: 4872 b1 = gen_linktype(LLCSAP_NETBEUI); 4873 break; 4874 4875 case Q_RADIO: 4876 bpf_error("'radio' is not a valid protocol type"); 4877 4878 default: 4879 abort(); 4880 } 4881 return b1; 4882 } 4883 4884 static struct block *gen_ipfrag() 4885 { 4886 struct slist *s; 4887 struct block *b; 4888 4889 /* not ip frag */ 4890 s = gen_load_a(OR_NET, 6, BPF_H); 4891 b = new_block(JMP(BPF_JSET)); 4892 b->s.k = 0x1fff; 4893 b->stmts = s; 4894 gen_not(b); 4895 4896 return b; 4897 } 4898 4899 /* 4900 * Generate a comparison to a port value in the transport-layer header 4901 * at the specified offset from the beginning of that header. 4902 * 4903 * XXX - this handles a variable-length prefix preceding the link-layer 4904 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4905 * variable-length link-layer headers (such as Token Ring or 802.11 4906 * headers). 4907 */ 4908 static struct block *gen_portatom(off, v) 4909 int off; 4910 bpf_int32 v; 4911 { 4912 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4913 } 4914 4915 #ifdef INET6 4916 static struct block *gen_portatom6(off, v) 4917 int off; 4918 bpf_int32 v; 4919 { 4920 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4921 } 4922 #endif /*INET6 */ 4923 4924 struct block *gen_portop(port, proto, dir) 4925 int port, proto, dir; 4926 { 4927 struct block *b0, *b1, *tmp; 4928 4929 /* ip proto 'proto' */ 4930 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) proto); 4931 b0 = gen_ipfrag(); 4932 gen_and(tmp, b0); 4933 4934 switch (dir) 4935 { 4936 case Q_SRC: 4937 b1 = gen_portatom(0, (bpf_int32) port); 4938 break; 4939 4940 case Q_DST: 4941 b1 = gen_portatom(2, (bpf_int32) port); 4942 break; 4943 4944 case Q_OR: 4945 case Q_DEFAULT: 4946 tmp = gen_portatom(0, (bpf_int32) port); 4947 b1 = gen_portatom(2, (bpf_int32) port); 4948 gen_or(tmp, b1); 4949 break; 4950 4951 case Q_AND: 4952 tmp = gen_portatom(0, (bpf_int32) port); 4953 b1 = gen_portatom(2, (bpf_int32) port); 4954 gen_and(tmp, b1); 4955 break; 4956 4957 default: 4958 abort(); 4959 } 4960 gen_and(b0, b1); 4961 4962 return b1; 4963 } 4964 4965 static struct block *gen_port(port, ip_proto, dir) 4966 int port; 4967 int ip_proto; 4968 int dir; 4969 { 4970 struct block *b0, *b1, *tmp; 4971 4972 /* 4973 * ether proto ip 4974 * 4975 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4976 * not LLC encapsulation with LLCSAP_IP. 4977 * 4978 * For IEEE 802 networks - which includes 802.5 token ring 4979 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4980 * says that SNAP encapsulation is used, not LLC encapsulation 4981 * with LLCSAP_IP. 4982 * 4983 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4984 * RFC 2225 say that SNAP encapsulation is used, not LLC 4985 * encapsulation with LLCSAP_IP. 4986 * 4987 * So we always check for ETHERTYPE_IP. 4988 */ 4989 b0 = gen_linktype(ETHERTYPE_IP); 4990 4991 switch (ip_proto) 4992 { 4993 case IPPROTO_UDP: 4994 case IPPROTO_TCP: 4995 case IPPROTO_SCTP: 4996 b1 = gen_portop(port, ip_proto, dir); 4997 break; 4998 4999 case PROTO_UNDEF: 5000 tmp = gen_portop(port, IPPROTO_TCP, dir); 5001 b1 = gen_portop(port, IPPROTO_UDP, dir); 5002 gen_or(tmp, b1); 5003 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5004 gen_or(tmp, b1); 5005 break; 5006 5007 default: 5008 abort(); 5009 } 5010 gen_and(b0, b1); 5011 return b1; 5012 } 5013 5014 #ifdef INET6 5015 struct block *gen_portop6(port, proto, dir) 5016 int port, proto, dir; 5017 { 5018 struct block *b0, *b1, *tmp; 5019 5020 /* ip6 proto 'proto' */ 5021 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) proto); 5022 5023 switch (dir) 5024 { 5025 case Q_SRC: 5026 b1 = gen_portatom6(0, (bpf_int32) port); 5027 break; 5028 5029 case Q_DST: 5030 b1 = gen_portatom6(2, (bpf_int32) port); 5031 break; 5032 5033 case Q_OR: 5034 case Q_DEFAULT: 5035 tmp = gen_portatom6(0, (bpf_int32) port); 5036 b1 = gen_portatom6(2, (bpf_int32) port); 5037 gen_or(tmp, b1); 5038 break; 5039 5040 case Q_AND: 5041 tmp = gen_portatom6(0, (bpf_int32) port); 5042 b1 = gen_portatom6(2, (bpf_int32) port); 5043 gen_and(tmp, b1); 5044 break; 5045 5046 default: 5047 abort(); 5048 } 5049 gen_and(b0, b1); 5050 5051 return b1; 5052 } 5053 5054 static struct block *gen_port6(port, ip_proto, dir) 5055 int port; 5056 int ip_proto; 5057 int dir; 5058 { 5059 struct block *b0, *b1, *tmp; 5060 5061 /* link proto ip6 */ 5062 b0 = gen_linktype(ETHERTYPE_IPV6); 5063 5064 switch (ip_proto) 5065 { 5066 case IPPROTO_UDP: 5067 case IPPROTO_TCP: 5068 case IPPROTO_SCTP: 5069 b1 = gen_portop6(port, ip_proto, dir); 5070 break; 5071 5072 case PROTO_UNDEF: 5073 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5074 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5075 gen_or(tmp, b1); 5076 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5077 gen_or(tmp, b1); 5078 break; 5079 5080 default: 5081 abort(); 5082 } 5083 gen_and(b0, b1); 5084 return b1; 5085 } 5086 #endif /* INET6 */ 5087 5088 /* gen_portrange code */ 5089 static struct block *gen_portrangeatom(off, v1, v2) 5090 int off; 5091 bpf_int32 v1, v2; 5092 { 5093 struct block *b1, *b2; 5094 5095 if (v1 > v2) 5096 { 5097 /* 5098 * Reverse the order of the ports, so v1 is the lower one. 5099 */ 5100 bpf_int32 vtemp; 5101 5102 vtemp = v1; 5103 v1 = v2; 5104 v2 = vtemp; 5105 } 5106 5107 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5108 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5109 5110 gen_and(b1, b2); 5111 5112 return b2; 5113 } 5114 5115 struct block *gen_portrangeop(port1, port2, proto, dir) 5116 int port1, port2; 5117 int proto; 5118 int dir; 5119 { 5120 struct block *b0, *b1, *tmp; 5121 5122 /* ip proto 'proto' */ 5123 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) proto); 5124 b0 = gen_ipfrag(); 5125 gen_and(tmp, b0); 5126 5127 switch (dir) 5128 { 5129 case Q_SRC: 5130 b1 = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2); 5131 break; 5132 5133 case Q_DST: 5134 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2); 5135 break; 5136 5137 case Q_OR: 5138 case Q_DEFAULT: 5139 tmp = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2); 5140 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2); 5141 gen_or(tmp, b1); 5142 break; 5143 5144 case Q_AND: 5145 tmp = gen_portrangeatom(0, (bpf_int32) port1, (bpf_int32) port2); 5146 b1 = gen_portrangeatom(2, (bpf_int32) port1, (bpf_int32) port2); 5147 gen_and(tmp, b1); 5148 break; 5149 5150 default: 5151 abort(); 5152 } 5153 gen_and(b0, b1); 5154 5155 return b1; 5156 } 5157 5158 static struct block *gen_portrange(port1, port2, ip_proto, dir) 5159 int port1, port2; 5160 int ip_proto; 5161 int dir; 5162 { 5163 struct block *b0, *b1, *tmp; 5164 5165 /* link proto ip */ 5166 b0 = gen_linktype(ETHERTYPE_IP); 5167 5168 switch (ip_proto) 5169 { 5170 case IPPROTO_UDP: 5171 case IPPROTO_TCP: 5172 case IPPROTO_SCTP: 5173 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5174 break; 5175 5176 case PROTO_UNDEF: 5177 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5178 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5179 gen_or(tmp, b1); 5180 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5181 gen_or(tmp, b1); 5182 break; 5183 5184 default: 5185 abort(); 5186 } 5187 gen_and(b0, b1); 5188 return b1; 5189 } 5190 5191 #ifdef INET6 5192 static struct block *gen_portrangeatom6(off, v1, v2) 5193 int off; 5194 bpf_int32 v1, v2; 5195 { 5196 struct block *b1, *b2; 5197 5198 if (v1 > v2) 5199 { 5200 /* 5201 * Reverse the order of the ports, so v1 is the lower one. 5202 */ 5203 bpf_int32 vtemp; 5204 5205 vtemp = v1; 5206 v1 = v2; 5207 v2 = vtemp; 5208 } 5209 5210 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5211 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5212 5213 gen_and(b1, b2); 5214 5215 return b2; 5216 } 5217 5218 struct block *gen_portrangeop6(port1, port2, proto, dir) 5219 int port1, port2; 5220 int proto; 5221 int dir; 5222 { 5223 struct block *b0, *b1, *tmp; 5224 5225 /* ip6 proto 'proto' */ 5226 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) proto); 5227 5228 switch (dir) 5229 { 5230 case Q_SRC: 5231 b1 = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2); 5232 break; 5233 5234 case Q_DST: 5235 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2); 5236 break; 5237 5238 case Q_OR: 5239 case Q_DEFAULT: 5240 tmp = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2); 5241 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2); 5242 gen_or(tmp, b1); 5243 break; 5244 5245 case Q_AND: 5246 tmp = gen_portrangeatom6(0, (bpf_int32) port1, (bpf_int32) port2); 5247 b1 = gen_portrangeatom6(2, (bpf_int32) port1, (bpf_int32) port2); 5248 gen_and(tmp, b1); 5249 break; 5250 5251 default: 5252 abort(); 5253 } 5254 gen_and(b0, b1); 5255 5256 return b1; 5257 } 5258 5259 static struct block *gen_portrange6(port1, port2, ip_proto, dir) 5260 int port1, port2; 5261 int ip_proto; 5262 int dir; 5263 { 5264 struct block *b0, *b1, *tmp; 5265 5266 /* link proto ip6 */ 5267 b0 = gen_linktype(ETHERTYPE_IPV6); 5268 5269 switch (ip_proto) 5270 { 5271 case IPPROTO_UDP: 5272 case IPPROTO_TCP: 5273 case IPPROTO_SCTP: 5274 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5275 break; 5276 5277 case PROTO_UNDEF: 5278 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5279 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5280 gen_or(tmp, b1); 5281 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5282 gen_or(tmp, b1); 5283 break; 5284 5285 default: 5286 abort(); 5287 } 5288 gen_and(b0, b1); 5289 return b1; 5290 } 5291 #endif /* INET6 */ 5292 5293 static int lookup_proto(name, proto) 5294 register const char *name; 5295 register int proto; 5296 { 5297 register int v; 5298 5299 switch (proto) 5300 { 5301 5302 case Q_DEFAULT: 5303 case Q_IP: 5304 case Q_IPV6: 5305 v = pcap_nametoproto(name); 5306 if (v == PROTO_UNDEF) 5307 bpf_error("unknown ip proto '%s'", name); 5308 break; 5309 5310 case Q_LINK: 5311 /* XXX should look up h/w protocol type based on linktype */ 5312 v = pcap_nametoeproto(name); 5313 if (v == PROTO_UNDEF) 5314 { 5315 v = pcap_nametollc(name); 5316 if (v == PROTO_UNDEF) 5317 bpf_error("unknown ether proto '%s'", name); 5318 } 5319 break; 5320 5321 case Q_ISO: 5322 if (strcmp(name, "esis") == 0) 5323 v = ISO9542_ESIS; 5324 else if (strcmp(name, "isis") == 0) 5325 v = ISO10589_ISIS; 5326 else if (strcmp(name, "clnp") == 0) 5327 v = ISO8473_CLNP; 5328 else 5329 bpf_error("unknown osi proto '%s'", name); 5330 break; 5331 5332 default: 5333 v = PROTO_UNDEF; 5334 break; 5335 } 5336 return v; 5337 } 5338 5339 static struct block *gen_protochain(v, proto, dir) 5340 int v; 5341 int proto; 5342 int dir; 5343 { 5344 #ifdef NO_PROTOCHAIN 5345 return gen_proto(v, proto, dir); 5346 #else 5347 struct block *b0, *b; 5348 struct slist *s[100]; 5349 int fix2, fix3, fix4, fix5; 5350 int ahcheck, again, end; 5351 int i, max; 5352 int reg2 = alloc_reg(); 5353 5354 memset(s, 0, sizeof(s)); 5355 fix2 = fix3 = fix4 = fix5 = 0; 5356 5357 switch (proto) 5358 { 5359 case Q_IP: 5360 case Q_IPV6: 5361 break; 5362 case Q_DEFAULT: 5363 b0 = gen_protochain(v, Q_IP, dir); 5364 b = gen_protochain(v, Q_IPV6, dir); 5365 gen_or(b0, b); 5366 return b; 5367 default: 5368 bpf_error("bad protocol applied for 'protochain'"); 5369 /*NOTREACHED*/} 5370 5371 /* 5372 * We don't handle variable-length prefixes before the link-layer 5373 * header, or variable-length link-layer headers, here yet. 5374 * We might want to add BPF instructions to do the protochain 5375 * work, to simplify that and, on platforms that have a BPF 5376 * interpreter with the new instructions, let the filtering 5377 * be done in the kernel. (We already require a modified BPF 5378 * engine to do the protochain stuff, to support backward 5379 * branches, and backward branch support is unlikely to appear 5380 * in kernel BPF engines.) 5381 */ 5382 switch (linktype) 5383 { 5384 5385 case DLT_IEEE802_11: 5386 case DLT_PRISM_HEADER: 5387 case DLT_IEEE802_11_RADIO_AVS: 5388 case DLT_IEEE802_11_RADIO: 5389 case DLT_PPI: 5390 bpf_error("'protochain' not supported with 802.11"); 5391 } 5392 5393 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5394 5395 /* 5396 * s[0] is a dummy entry to protect other BPF insn from damage 5397 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5398 * hard to find interdependency made by jump table fixup. 5399 */ 5400 i = 0; 5401 s[i] = new_stmt(0); /*dummy */ 5402 i++; 5403 5404 switch (proto) 5405 { 5406 case Q_IP: 5407 b0 = gen_linktype(ETHERTYPE_IP); 5408 5409 /* A = ip->ip_p */ 5410 s[i] = new_stmt(BPF_LD | BPF_ABS | BPF_B); 5411 s[i]->s.k = off_macpl + off_nl + 9; 5412 i++; 5413 /* X = ip->ip_hl << 2 */ 5414 s[i] = new_stmt(BPF_LDX | BPF_MSH | BPF_B); 5415 s[i]->s.k = off_macpl + off_nl; 5416 i++; 5417 break; 5418 #ifdef INET6 5419 case Q_IPV6: 5420 b0 = gen_linktype(ETHERTYPE_IPV6); 5421 5422 /* A = ip6->ip_nxt */ 5423 s[i] = new_stmt(BPF_LD | BPF_ABS | BPF_B); 5424 s[i]->s.k = off_macpl + off_nl + 6; 5425 i++; 5426 /* X = sizeof(struct ip6_hdr) */ 5427 s[i] = new_stmt(BPF_LDX | BPF_IMM); 5428 s[i]->s.k = 40; 5429 i++; 5430 break; 5431 #endif 5432 default: 5433 bpf_error("unsupported proto to gen_protochain"); 5434 /*NOTREACHED*/} 5435 5436 /* again: if (A == v) goto end; else fall through; */ 5437 again = i; 5438 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5439 s[i]->s.k = v; 5440 s[i]->s.jt = NULL; /*later */ 5441 s[i]->s.jf = NULL; /*update in next stmt */ 5442 fix5 = i; 5443 i++; 5444 5445 #ifndef IPPROTO_NONE 5446 #define IPPROTO_NONE 59 5447 #endif 5448 /* if (A == IPPROTO_NONE) goto end */ 5449 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5450 s[i]->s.jt = NULL; /*later */ 5451 s[i]->s.jf = NULL; /*update in next stmt */ 5452 s[i]->s.k = IPPROTO_NONE; 5453 s[fix5]->s.jf = s[i]; 5454 fix2 = i; 5455 i++; 5456 5457 #ifdef INET6 5458 if (proto == Q_IPV6) 5459 { 5460 int v6start, v6end, v6advance, j; 5461 5462 v6start = i; 5463 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5464 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5465 s[i]->s.jt = NULL; /*later */ 5466 s[i]->s.jf = NULL; /*update in next stmt */ 5467 s[i]->s.k = IPPROTO_HOPOPTS; 5468 s[fix2]->s.jf = s[i]; 5469 i++; 5470 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5471 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5472 s[i]->s.jt = NULL; /*later */ 5473 s[i]->s.jf = NULL; /*update in next stmt */ 5474 s[i]->s.k = IPPROTO_DSTOPTS; 5475 i++; 5476 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5477 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5478 s[i]->s.jt = NULL; /*later */ 5479 s[i]->s.jf = NULL; /*update in next stmt */ 5480 s[i]->s.k = IPPROTO_ROUTING; 5481 i++; 5482 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5483 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5484 s[i]->s.jt = NULL; /*later */ 5485 s[i]->s.jf = NULL; /*later */ 5486 s[i]->s.k = IPPROTO_FRAGMENT; 5487 fix3 = i; 5488 v6end = i; 5489 i++; 5490 5491 /* v6advance: */ 5492 v6advance = i; 5493 5494 /* 5495 * in short, 5496 * A = P[X]; 5497 * X = X + (P[X + 1] + 1) * 8; 5498 */ 5499 /* A = X */ 5500 s[i] = new_stmt(BPF_MISC | BPF_TXA); 5501 i++; 5502 /* A = P[X + packet head] */ 5503 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B); 5504 s[i]->s.k = off_macpl + off_nl; 5505 i++; 5506 /* MEM[reg2] = A */ 5507 s[i] = new_stmt(BPF_ST); 5508 s[i]->s.k = reg2; 5509 i++; 5510 /* A = X */ 5511 s[i] = new_stmt(BPF_MISC | BPF_TXA); 5512 i++; 5513 /* A += 1 */ 5514 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5515 s[i]->s.k = 1; 5516 i++; 5517 /* X = A */ 5518 s[i] = new_stmt(BPF_MISC | BPF_TAX); 5519 i++; 5520 /* A = P[X + packet head]; */ 5521 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B); 5522 s[i]->s.k = off_macpl + off_nl; 5523 i++; 5524 /* A += 1 */ 5525 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5526 s[i]->s.k = 1; 5527 i++; 5528 /* A *= 8 */ 5529 s[i] = new_stmt(BPF_ALU | BPF_MUL | BPF_K); 5530 s[i]->s.k = 8; 5531 i++; 5532 /* X = A; */ 5533 s[i] = new_stmt(BPF_MISC | BPF_TAX); 5534 i++; 5535 /* A = MEM[reg2] */ 5536 s[i] = new_stmt(BPF_LD | BPF_MEM); 5537 s[i]->s.k = reg2; 5538 i++; 5539 5540 /* goto again; (must use BPF_JA for backward jump) */ 5541 s[i] = new_stmt(BPF_JMP | BPF_JA); 5542 s[i]->s.k = again - i - 1; 5543 s[i - 1]->s.jf = s[i]; 5544 i++; 5545 5546 /* fixup */ 5547 for (j = v6start; j <= v6end; j++) 5548 s[j]->s.jt = s[v6advance]; 5549 } 5550 else 5551 #endif 5552 { 5553 /* nop */ 5554 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5555 s[i]->s.k = 0; 5556 s[fix2]->s.jf = s[i]; 5557 i++; 5558 } 5559 5560 /* ahcheck: */ 5561 ahcheck = i; 5562 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5563 s[i] = new_stmt(BPF_JMP | BPF_JEQ | BPF_K); 5564 s[i]->s.jt = NULL; /*later */ 5565 s[i]->s.jf = NULL; /*later */ 5566 s[i]->s.k = IPPROTO_AH; 5567 if (fix3) 5568 s[fix3]->s.jf = s[ahcheck]; 5569 fix4 = i; 5570 i++; 5571 5572 /* 5573 * in short, 5574 * A = P[X]; 5575 * X = X + (P[X + 1] + 2) * 4; 5576 */ 5577 /* A = X */ 5578 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC | BPF_TXA); 5579 i++; 5580 /* A = P[X + packet head]; */ 5581 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B); 5582 s[i]->s.k = off_macpl + off_nl; 5583 i++; 5584 /* MEM[reg2] = A */ 5585 s[i] = new_stmt(BPF_ST); 5586 s[i]->s.k = reg2; 5587 i++; 5588 /* A = X */ 5589 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC | BPF_TXA); 5590 i++; 5591 /* A += 1 */ 5592 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5593 s[i]->s.k = 1; 5594 i++; 5595 /* X = A */ 5596 s[i] = new_stmt(BPF_MISC | BPF_TAX); 5597 i++; 5598 /* A = P[X + packet head] */ 5599 s[i] = new_stmt(BPF_LD | BPF_IND | BPF_B); 5600 s[i]->s.k = off_macpl + off_nl; 5601 i++; 5602 /* A += 2 */ 5603 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5604 s[i]->s.k = 2; 5605 i++; 5606 /* A *= 4 */ 5607 s[i] = new_stmt(BPF_ALU | BPF_MUL | BPF_K); 5608 s[i]->s.k = 4; 5609 i++; 5610 /* X = A; */ 5611 s[i] = new_stmt(BPF_MISC | BPF_TAX); 5612 i++; 5613 /* A = MEM[reg2] */ 5614 s[i] = new_stmt(BPF_LD | BPF_MEM); 5615 s[i]->s.k = reg2; 5616 i++; 5617 5618 /* goto again; (must use BPF_JA for backward jump) */ 5619 s[i] = new_stmt(BPF_JMP | BPF_JA); 5620 s[i]->s.k = again - i - 1; 5621 i++; 5622 5623 /* end: nop */ 5624 end = i; 5625 s[i] = new_stmt(BPF_ALU | BPF_ADD | BPF_K); 5626 s[i]->s.k = 0; 5627 s[fix2]->s.jt = s[end]; 5628 s[fix4]->s.jf = s[end]; 5629 s[fix5]->s.jt = s[end]; 5630 i++; 5631 5632 /* 5633 * make slist chain 5634 */ 5635 max = i; 5636 for (i = 0; i < max - 1; i++) 5637 s[i]->next = s[i + 1]; 5638 s[max - 1]->next = NULL; 5639 5640 /* 5641 * emit final check 5642 */ 5643 b = new_block(JMP(BPF_JEQ)); 5644 b->stmts = s[1]; /*remember, s[0] is dummy */ 5645 b->s.k = v; 5646 5647 free_reg(reg2); 5648 5649 gen_and(b0, b); 5650 return b; 5651 #endif 5652 } 5653 5654 static struct block *gen_check_802_11_data_frame() 5655 { 5656 struct slist *s; 5657 struct block *b0, *b1; 5658 5659 /* 5660 * A data frame has the 0x08 bit (b3) in the frame control field set 5661 * and the 0x04 bit (b2) clear. 5662 */ 5663 s = gen_load_a(OR_LINK, 0, BPF_B); 5664 b0 = new_block(JMP(BPF_JSET)); 5665 b0->s.k = 0x08; 5666 b0->stmts = s; 5667 5668 s = gen_load_a(OR_LINK, 0, BPF_B); 5669 b1 = new_block(JMP(BPF_JSET)); 5670 b1->s.k = 0x04; 5671 b1->stmts = s; 5672 gen_not(b1); 5673 5674 gen_and(b1, b0); 5675 5676 return b0; 5677 } 5678 5679 /* 5680 * Generate code that checks whether the packet is a packet for protocol 5681 * <proto> and whether the type field in that protocol's header has 5682 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5683 * IP packet and checks the protocol number in the IP header against <v>. 5684 * 5685 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5686 * against Q_IP and Q_IPV6. 5687 */ 5688 static struct block *gen_proto(v, proto, dir) 5689 int v; 5690 int proto; 5691 int dir; 5692 { 5693 struct block *b0, *b1; 5694 5695 if (dir != Q_DEFAULT) 5696 bpf_error("direction applied to 'proto'"); 5697 5698 switch (proto) 5699 { 5700 case Q_DEFAULT: 5701 #ifdef INET6 5702 b0 = gen_proto(v, Q_IP, dir); 5703 b1 = gen_proto(v, Q_IPV6, dir); 5704 gen_or(b0, b1); 5705 return b1; 5706 #else 5707 /*FALLTHROUGH*/ 5708 #endif 5709 case Q_IP: 5710 /* 5711 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5712 * not LLC encapsulation with LLCSAP_IP. 5713 * 5714 * For IEEE 802 networks - which includes 802.5 token ring 5715 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5716 * says that SNAP encapsulation is used, not LLC encapsulation 5717 * with LLCSAP_IP. 5718 * 5719 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5720 * RFC 2225 say that SNAP encapsulation is used, not LLC 5721 * encapsulation with LLCSAP_IP. 5722 * 5723 * So we always check for ETHERTYPE_IP. 5724 */ 5725 b0 = gen_linktype(ETHERTYPE_IP); 5726 #ifndef CHASE_CHAIN 5727 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32) v); 5728 #else 5729 b1 = gen_protochain(v, Q_IP); 5730 #endif 5731 gen_and(b0, b1); 5732 return b1; 5733 5734 case Q_ISO: 5735 switch (linktype) 5736 { 5737 5738 case DLT_FRELAY: 5739 /* 5740 * Frame Relay packets typically have an OSI 5741 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5742 * generates code to check for all the OSI 5743 * NLPIDs, so calling it and then adding a check 5744 * for the particular NLPID for which we're 5745 * looking is bogus, as we can just check for 5746 * the NLPID. 5747 * 5748 * What we check for is the NLPID and a frame 5749 * control field value of UI, i.e. 0x03 followed 5750 * by the NLPID. 5751 * 5752 * XXX - assumes a 2-byte Frame Relay header with 5753 * DLCI and flags. What if the address is longer? 5754 * 5755 * XXX - what about SNAP-encapsulated frames? 5756 */ 5757 return gen_cmp(OR_LINK, 2, BPF_H, (0x03 << 8) | v); 5758 /*NOTREACHED*/ break; 5759 5760 case DLT_C_HDLC: 5761 /* 5762 * Cisco uses an Ethertype lookalike - for OSI, 5763 * it's 0xfefe. 5764 */ 5765 b0 = gen_linktype(LLCSAP_ISONS << 8 | LLCSAP_ISONS); 5766 /* OSI in C-HDLC is stuffed with a fudge byte */ 5767 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long) v); 5768 gen_and(b0, b1); 5769 return b1; 5770 5771 default: 5772 b0 = gen_linktype(LLCSAP_ISONS); 5773 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long) v); 5774 gen_and(b0, b1); 5775 return b1; 5776 } 5777 5778 case Q_ISIS: 5779 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5780 /* 5781 * 4 is the offset of the PDU type relative to the IS-IS 5782 * header. 5783 */ 5784 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long) v); 5785 gen_and(b0, b1); 5786 return b1; 5787 5788 case Q_ARP: 5789 bpf_error("arp does not encapsulate another protocol"); 5790 /* NOTREACHED */ 5791 5792 case Q_RARP: 5793 bpf_error("rarp does not encapsulate another protocol"); 5794 /* NOTREACHED */ 5795 5796 case Q_ATALK: 5797 bpf_error("atalk encapsulation is not specifiable"); 5798 /* NOTREACHED */ 5799 5800 case Q_DECNET: 5801 bpf_error("decnet encapsulation is not specifiable"); 5802 /* NOTREACHED */ 5803 5804 case Q_SCA: 5805 bpf_error("sca does not encapsulate another protocol"); 5806 /* NOTREACHED */ 5807 5808 case Q_LAT: 5809 bpf_error("lat does not encapsulate another protocol"); 5810 /* NOTREACHED */ 5811 5812 case Q_MOPRC: 5813 bpf_error("moprc does not encapsulate another protocol"); 5814 /* NOTREACHED */ 5815 5816 case Q_MOPDL: 5817 bpf_error("mopdl does not encapsulate another protocol"); 5818 /* NOTREACHED */ 5819 5820 case Q_LINK: 5821 return gen_linktype(v); 5822 5823 case Q_UDP: 5824 bpf_error("'udp proto' is bogus"); 5825 /* NOTREACHED */ 5826 5827 case Q_TCP: 5828 bpf_error("'tcp proto' is bogus"); 5829 /* NOTREACHED */ 5830 5831 case Q_SCTP: 5832 bpf_error("'sctp proto' is bogus"); 5833 /* NOTREACHED */ 5834 5835 case Q_ICMP: 5836 bpf_error("'icmp proto' is bogus"); 5837 /* NOTREACHED */ 5838 5839 case Q_IGMP: 5840 bpf_error("'igmp proto' is bogus"); 5841 /* NOTREACHED */ 5842 5843 case Q_IGRP: 5844 bpf_error("'igrp proto' is bogus"); 5845 /* NOTREACHED */ 5846 5847 case Q_PIM: 5848 bpf_error("'pim proto' is bogus"); 5849 /* NOTREACHED */ 5850 5851 case Q_VRRP: 5852 bpf_error("'vrrp proto' is bogus"); 5853 /* NOTREACHED */ 5854 5855 #ifdef INET6 5856 case Q_IPV6: 5857 b0 = gen_linktype(ETHERTYPE_IPV6); 5858 #ifndef CHASE_CHAIN 5859 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32) v); 5860 #else 5861 b1 = gen_protochain(v, Q_IPV6); 5862 #endif 5863 gen_and(b0, b1); 5864 return b1; 5865 5866 case Q_ICMPV6: 5867 bpf_error("'icmp6 proto' is bogus"); 5868 #endif /* INET6 */ 5869 5870 case Q_AH: 5871 bpf_error("'ah proto' is bogus"); 5872 5873 case Q_ESP: 5874 bpf_error("'ah proto' is bogus"); 5875 5876 case Q_STP: 5877 bpf_error("'stp proto' is bogus"); 5878 5879 case Q_IPX: 5880 bpf_error("'ipx proto' is bogus"); 5881 5882 case Q_NETBEUI: 5883 bpf_error("'netbeui proto' is bogus"); 5884 5885 case Q_RADIO: 5886 bpf_error("'radio proto' is bogus"); 5887 5888 default: 5889 abort(); 5890 /* NOTREACHED */ 5891 } 5892 /* NOTREACHED */ 5893 } 5894 5895 struct block *gen_scode(name, q) 5896 register const char *name; 5897 struct qual q; 5898 { 5899 int proto = q.proto; 5900 int dir = q.dir; 5901 int tproto; 5902 u_char *eaddr; 5903 bpf_u_int32 mask, addr; 5904 #ifndef INET6 5905 bpf_u_int32 **alist; 5906 #else 5907 int tproto6; 5908 struct sockaddr_in *sin4; 5909 struct sockaddr_in6 *sin6; 5910 struct addrinfo *res, *res0; 5911 struct in6_addr mask128; 5912 #endif /*INET6 */ 5913 struct block *b, *tmp; 5914 int port, real_proto; 5915 int port1, port2; 5916 5917 switch (q.addr) 5918 { 5919 5920 case Q_NET: 5921 addr = pcap_nametonetaddr(name); 5922 if (addr == 0) 5923 bpf_error("unknown network '%s'", name); 5924 /* Left justify network addr and calculate its network mask */ 5925 mask = 0xffffffff; 5926 while (addr && (addr & 0xff000000) == 0) 5927 { 5928 addr <<= 8; 5929 mask <<= 8; 5930 } 5931 return gen_host(addr, mask, proto, dir, q.addr); 5932 5933 case Q_DEFAULT: 5934 case Q_HOST: 5935 if (proto == Q_LINK) 5936 { 5937 switch (linktype) 5938 { 5939 5940 case DLT_EN10MB: 5941 eaddr = pcap_ether_hostton(name); 5942 if (eaddr == NULL) 5943 bpf_error("unknown ether host '%s'", name); 5944 b = gen_ehostop(eaddr, dir); 5945 free(eaddr); 5946 return b; 5947 5948 case DLT_FDDI: 5949 eaddr = pcap_ether_hostton(name); 5950 if (eaddr == NULL) 5951 bpf_error("unknown FDDI host '%s'", name); 5952 b = gen_fhostop(eaddr, dir); 5953 free(eaddr); 5954 return b; 5955 5956 case DLT_IEEE802: 5957 eaddr = pcap_ether_hostton(name); 5958 if (eaddr == NULL) 5959 bpf_error("unknown token ring host '%s'", name); 5960 b = gen_thostop(eaddr, dir); 5961 free(eaddr); 5962 return b; 5963 5964 case DLT_IEEE802_11: 5965 case DLT_PRISM_HEADER: 5966 case DLT_IEEE802_11_RADIO_AVS: 5967 case DLT_IEEE802_11_RADIO: 5968 case DLT_PPI: 5969 eaddr = pcap_ether_hostton(name); 5970 if (eaddr == NULL) 5971 bpf_error("unknown 802.11 host '%s'", name); 5972 b = gen_wlanhostop(eaddr, dir); 5973 free(eaddr); 5974 return b; 5975 5976 case DLT_IP_OVER_FC: 5977 eaddr = pcap_ether_hostton(name); 5978 if (eaddr == NULL) 5979 bpf_error("unknown Fibre Channel host '%s'", name); 5980 b = gen_ipfchostop(eaddr, dir); 5981 free(eaddr); 5982 return b; 5983 5984 case DLT_SUNATM: 5985 if (!is_lane) 5986 break; 5987 5988 /* 5989 * Check that the packet doesn't begin 5990 * with an LE Control marker. (We've 5991 * already generated a test for LANE.) 5992 */ 5993 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 5994 gen_not(tmp); 5995 5996 eaddr = pcap_ether_hostton(name); 5997 if (eaddr == NULL) 5998 bpf_error("unknown ether host '%s'", name); 5999 b = gen_ehostop(eaddr, dir); 6000 gen_and(tmp, b); 6001 free(eaddr); 6002 return b; 6003 } 6004 6005 bpf_error 6006 ("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6007 } 6008 else if (proto == Q_DECNET) 6009 { 6010 unsigned short dn_addr = __pcap_nametodnaddr(name); 6011 /* 6012 * I don't think DECNET hosts can be multihomed, so 6013 * there is no need to build up a list of addresses 6014 */ 6015 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6016 } 6017 else 6018 { 6019 #ifndef INET6 6020 alist = pcap_nametoaddr(name); 6021 if (alist == NULL || *alist == NULL) 6022 bpf_error("unknown host '%s'", name); 6023 tproto = proto; 6024 if (off_linktype == (u_int) - 1 && tproto == Q_DEFAULT) 6025 tproto = Q_IP; 6026 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6027 while (*alist) 6028 { 6029 tmp = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6030 gen_or(b, tmp); 6031 b = tmp; 6032 } 6033 return b; 6034 #else 6035 memset(&mask128, 0xff, sizeof(mask128)); 6036 res0 = res = pcap_nametoaddrinfo(name); 6037 if (res == NULL) 6038 bpf_error("unknown host '%s'", name); 6039 ai = res; 6040 b = tmp = NULL; 6041 tproto = tproto6 = proto; 6042 if (off_linktype == -1 && tproto == Q_DEFAULT) 6043 { 6044 tproto = Q_IP; 6045 tproto6 = Q_IPV6; 6046 } 6047 for (res = res0; res; res = res->ai_next) 6048 { 6049 switch (res->ai_family) 6050 { 6051 case AF_INET: 6052 if (tproto == Q_IPV6) 6053 continue; 6054 6055 sin4 = (struct sockaddr_in *) res->ai_addr; 6056 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 0xffffffff, tproto, dir, q.addr); 6057 break; 6058 case AF_INET6: 6059 if (tproto6 == Q_IP) 6060 continue; 6061 6062 sin6 = (struct sockaddr_in6 *) res->ai_addr; 6063 tmp = gen_host6(&sin6->sin6_addr, &mask128, tproto6, dir, q.addr); 6064 break; 6065 default: 6066 continue; 6067 } 6068 if (b) 6069 gen_or(b, tmp); 6070 b = tmp; 6071 } 6072 ai = NULL; 6073 freeaddrinfo(res0); 6074 if (b == NULL) 6075 { 6076 bpf_error("unknown host '%s'%s", name, 6077 (proto == Q_DEFAULT) ? "" : " for specified address family"); 6078 } 6079 return b; 6080 #endif /*INET6 */ 6081 } 6082 6083 case Q_PORT: 6084 if (proto != Q_DEFAULT && proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6085 bpf_error("illegal qualifier of 'port'"); 6086 if (pcap_nametoport(name, &port, &real_proto) == 0) 6087 bpf_error("unknown port '%s'", name); 6088 if (proto == Q_UDP) 6089 { 6090 if (real_proto == IPPROTO_TCP) 6091 bpf_error("port '%s' is tcp", name); 6092 else if (real_proto == IPPROTO_SCTP) 6093 bpf_error("port '%s' is sctp", name); 6094 else 6095 /* override PROTO_UNDEF */ 6096 real_proto = IPPROTO_UDP; 6097 } 6098 if (proto == Q_TCP) 6099 { 6100 if (real_proto == IPPROTO_UDP) 6101 bpf_error("port '%s' is udp", name); 6102 6103 else if (real_proto == IPPROTO_SCTP) 6104 bpf_error("port '%s' is sctp", name); 6105 else 6106 /* override PROTO_UNDEF */ 6107 real_proto = IPPROTO_TCP; 6108 } 6109 if (proto == Q_SCTP) 6110 { 6111 if (real_proto == IPPROTO_UDP) 6112 bpf_error("port '%s' is udp", name); 6113 6114 else if (real_proto == IPPROTO_TCP) 6115 bpf_error("port '%s' is tcp", name); 6116 else 6117 /* override PROTO_UNDEF */ 6118 real_proto = IPPROTO_SCTP; 6119 } 6120 #ifndef INET6 6121 return gen_port(port, real_proto, dir); 6122 #else 6123 b = gen_port(port, real_proto, dir); 6124 gen_or(gen_port6(port, real_proto, dir), b); 6125 return b; 6126 #endif /* INET6 */ 6127 6128 case Q_PORTRANGE: 6129 if (proto != Q_DEFAULT && proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6130 bpf_error("illegal qualifier of 'portrange'"); 6131 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6132 bpf_error("unknown port in range '%s'", name); 6133 if (proto == Q_UDP) 6134 { 6135 if (real_proto == IPPROTO_TCP) 6136 bpf_error("port in range '%s' is tcp", name); 6137 else if (real_proto == IPPROTO_SCTP) 6138 bpf_error("port in range '%s' is sctp", name); 6139 else 6140 /* override PROTO_UNDEF */ 6141 real_proto = IPPROTO_UDP; 6142 } 6143 if (proto == Q_TCP) 6144 { 6145 if (real_proto == IPPROTO_UDP) 6146 bpf_error("port in range '%s' is udp", name); 6147 else if (real_proto == IPPROTO_SCTP) 6148 bpf_error("port in range '%s' is sctp", name); 6149 else 6150 /* override PROTO_UNDEF */ 6151 real_proto = IPPROTO_TCP; 6152 } 6153 if (proto == Q_SCTP) 6154 { 6155 if (real_proto == IPPROTO_UDP) 6156 bpf_error("port in range '%s' is udp", name); 6157 else if (real_proto == IPPROTO_TCP) 6158 bpf_error("port in range '%s' is tcp", name); 6159 else 6160 /* override PROTO_UNDEF */ 6161 real_proto = IPPROTO_SCTP; 6162 } 6163 #ifndef INET6 6164 return gen_portrange(port1, port2, real_proto, dir); 6165 #else 6166 b = gen_portrange(port1, port2, real_proto, dir); 6167 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6168 return b; 6169 #endif /* INET6 */ 6170 6171 case Q_GATEWAY: 6172 #ifndef INET6 6173 eaddr = pcap_ether_hostton(name); 6174 if (eaddr == NULL) 6175 bpf_error("unknown ether host: %s", name); 6176 6177 alist = pcap_nametoaddr(name); 6178 if (alist == NULL || *alist == NULL) 6179 bpf_error("unknown host '%s'", name); 6180 b = gen_gateway(eaddr, alist, proto, dir); 6181 free(eaddr); 6182 return b; 6183 #else 6184 bpf_error("'gateway' not supported in this configuration"); 6185 #endif /*INET6 */ 6186 6187 case Q_PROTO: 6188 real_proto = lookup_proto(name, proto); 6189 if (real_proto >= 0) 6190 return gen_proto(real_proto, proto, dir); 6191 else 6192 bpf_error("unknown protocol: %s", name); 6193 6194 case Q_PROTOCHAIN: 6195 real_proto = lookup_proto(name, proto); 6196 if (real_proto >= 0) 6197 return gen_protochain(real_proto, proto, dir); 6198 else 6199 bpf_error("unknown protocol: %s", name); 6200 6201 case Q_UNDEF: 6202 syntax(); 6203 /* NOTREACHED */ 6204 } 6205 abort(); 6206 /* NOTREACHED */ 6207 } 6208 6209 struct block *gen_mcode(s1, s2, masklen, q) 6210 register const char *s1, *s2; 6211 register int masklen; 6212 struct qual q; 6213 { 6214 register int nlen, mlen; 6215 bpf_u_int32 n, m; 6216 6217 nlen = __pcap_atoin(s1, &n); 6218 /* Promote short ipaddr */ 6219 n <<= 32 - nlen; 6220 6221 if (s2 != NULL) 6222 { 6223 mlen = __pcap_atoin(s2, &m); 6224 /* Promote short ipaddr */ 6225 m <<= 32 - mlen; 6226 if ((n & ~m) != 0) 6227 bpf_error("non-network bits set in \"%s mask %s\"", s1, s2); 6228 } 6229 else 6230 { 6231 /* Convert mask len to mask */ 6232 if (masklen > 32) 6233 bpf_error("mask length must be <= 32"); 6234 if (masklen == 0) 6235 { 6236 /* 6237 * X << 32 is not guaranteed by C to be 0; it's 6238 * undefined. 6239 */ 6240 m = 0; 6241 } 6242 else 6243 m = 0xffffffff << (32 - masklen); 6244 if ((n & ~m) != 0) 6245 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6246 } 6247 6248 switch (q.addr) 6249 { 6250 6251 case Q_NET: 6252 return gen_host(n, m, q.proto, q.dir, q.addr); 6253 6254 default: 6255 bpf_error("Mask syntax for networks only"); 6256 /* NOTREACHED */ 6257 } 6258 /* NOTREACHED */ 6259 return NULL; 6260 } 6261 6262 struct block *gen_ncode(s, v, q) 6263 register const char *s; 6264 bpf_u_int32 v; 6265 struct qual q; 6266 { 6267 bpf_u_int32 mask; 6268 int proto = q.proto; 6269 int dir = q.dir; 6270 register int vlen; 6271 6272 if (s == NULL) 6273 vlen = 32; 6274 else if (q.proto == Q_DECNET) 6275 vlen = __pcap_atodn(s, &v); 6276 else 6277 vlen = __pcap_atoin(s, &v); 6278 6279 switch (q.addr) 6280 { 6281 6282 case Q_DEFAULT: 6283 case Q_HOST: 6284 case Q_NET: 6285 if (proto == Q_DECNET) 6286 return gen_host(v, 0, proto, dir, q.addr); 6287 else if (proto == Q_LINK) 6288 { 6289 bpf_error("illegal link layer address"); 6290 } 6291 else 6292 { 6293 mask = 0xffffffff; 6294 if (s == NULL && q.addr == Q_NET) 6295 { 6296 /* Promote short net number */ 6297 while (v && (v & 0xff000000) == 0) 6298 { 6299 v <<= 8; 6300 mask <<= 8; 6301 } 6302 } 6303 else 6304 { 6305 /* Promote short ipaddr */ 6306 v <<= 32 - vlen; 6307 mask <<= 32 - vlen; 6308 } 6309 return gen_host(v, mask, proto, dir, q.addr); 6310 } 6311 6312 case Q_PORT: 6313 if (proto == Q_UDP) 6314 proto = IPPROTO_UDP; 6315 else if (proto == Q_TCP) 6316 proto = IPPROTO_TCP; 6317 else if (proto == Q_SCTP) 6318 proto = IPPROTO_SCTP; 6319 else if (proto == Q_DEFAULT) 6320 proto = PROTO_UNDEF; 6321 else 6322 bpf_error("illegal qualifier of 'port'"); 6323 6324 #ifndef INET6 6325 return gen_port((int) v, proto, dir); 6326 #else 6327 { 6328 struct block *b; 6329 b = gen_port((int) v, proto, dir); 6330 gen_or(gen_port6((int) v, proto, dir), b); 6331 return b; 6332 } 6333 #endif /* INET6 */ 6334 6335 case Q_PORTRANGE: 6336 if (proto == Q_UDP) 6337 proto = IPPROTO_UDP; 6338 else if (proto == Q_TCP) 6339 proto = IPPROTO_TCP; 6340 else if (proto == Q_SCTP) 6341 proto = IPPROTO_SCTP; 6342 else if (proto == Q_DEFAULT) 6343 proto = PROTO_UNDEF; 6344 else 6345 bpf_error("illegal qualifier of 'portrange'"); 6346 6347 #ifndef INET6 6348 return gen_portrange((int) v, (int) v, proto, dir); 6349 #else 6350 { 6351 struct block *b; 6352 b = gen_portrange((int) v, (int) v, proto, dir); 6353 gen_or(gen_portrange6((int) v, (int) v, proto, dir), b); 6354 return b; 6355 } 6356 #endif /* INET6 */ 6357 6358 case Q_GATEWAY: 6359 bpf_error("'gateway' requires a name"); 6360 /* NOTREACHED */ 6361 6362 case Q_PROTO: 6363 return gen_proto((int) v, proto, dir); 6364 6365 case Q_PROTOCHAIN: 6366 return gen_protochain((int) v, proto, dir); 6367 6368 case Q_UNDEF: 6369 syntax(); 6370 /* NOTREACHED */ 6371 6372 default: 6373 abort(); 6374 /* NOTREACHED */ 6375 } 6376 /* NOTREACHED */ 6377 } 6378 6379 #ifdef INET6 6380 struct block *gen_mcode6(s1, s2, masklen, q) 6381 register const char *s1, *s2; 6382 register int masklen; 6383 struct qual q; 6384 { 6385 struct addrinfo *res; 6386 struct in6_addr *addr; 6387 struct in6_addr mask; 6388 struct block *b; 6389 u_int32_t *a, *m; 6390 6391 if (s2) 6392 bpf_error("no mask %s supported", s2); 6393 6394 res = pcap_nametoaddrinfo(s1); 6395 if (!res) 6396 bpf_error("invalid ip6 address %s", s1); 6397 ai = res; 6398 if (res->ai_next) 6399 bpf_error("%s resolved to multiple address", s1); 6400 addr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr; 6401 6402 if (sizeof(mask) * 8 < masklen) 6403 bpf_error("mask length must be <= %u", (unsigned int) (sizeof(mask) * 8)); 6404 memset(&mask, 0, sizeof(mask)); 6405 memset(&mask, 0xff, masklen / 8); 6406 if (masklen % 8) 6407 { 6408 mask.s6_addr[masklen / 8] = (0xff << (8 - masklen % 8)) & 0xff; 6409 } 6410 6411 a = (u_int32_t *) addr; 6412 m = (u_int32_t *) & mask; 6413 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) || (a[2] & ~m[2]) || (a[3] & ~m[3])) 6414 { 6415 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6416 } 6417 6418 switch (q.addr) 6419 { 6420 6421 case Q_DEFAULT: 6422 case Q_HOST: 6423 if (masklen != 128) 6424 bpf_error("Mask syntax for networks only"); 6425 /* FALLTHROUGH */ 6426 6427 case Q_NET: 6428 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6429 ai = NULL; 6430 freeaddrinfo(res); 6431 return b; 6432 6433 default: 6434 bpf_error("invalid qualifier against IPv6 address"); 6435 /* NOTREACHED */ 6436 } 6437 return NULL; 6438 } 6439 #endif /*INET6 */ 6440 6441 struct block *gen_ecode(eaddr, q) 6442 register const u_char *eaddr; 6443 struct qual q; 6444 { 6445 struct block *b, *tmp; 6446 6447 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) 6448 { 6449 switch (linktype) 6450 { 6451 case DLT_EN10MB: 6452 return gen_ehostop(eaddr, (int) q.dir); 6453 case DLT_FDDI: 6454 return gen_fhostop(eaddr, (int) q.dir); 6455 case DLT_IEEE802: 6456 return gen_thostop(eaddr, (int) q.dir); 6457 case DLT_IEEE802_11: 6458 case DLT_PRISM_HEADER: 6459 case DLT_IEEE802_11_RADIO_AVS: 6460 case DLT_IEEE802_11_RADIO: 6461 case DLT_PPI: 6462 return gen_wlanhostop(eaddr, (int) q.dir); 6463 case DLT_SUNATM: 6464 if (is_lane) 6465 { 6466 /* 6467 * Check that the packet doesn't begin with an 6468 * LE Control marker. (We've already generated 6469 * a test for LANE.) 6470 */ 6471 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 6472 gen_not(tmp); 6473 6474 /* 6475 * Now check the MAC address. 6476 */ 6477 b = gen_ehostop(eaddr, (int) q.dir); 6478 gen_and(tmp, b); 6479 return b; 6480 } 6481 break; 6482 case DLT_IP_OVER_FC: 6483 return gen_ipfchostop(eaddr, (int) q.dir); 6484 default: 6485 bpf_error 6486 ("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6487 break; 6488 } 6489 } 6490 bpf_error("ethernet address used in non-ether expression"); 6491 /* NOTREACHED */ 6492 return NULL; 6493 } 6494 6495 void sappend(s0, s1) 6496 struct slist *s0, *s1; 6497 { 6498 /* 6499 * This is definitely not the best way to do this, but the 6500 * lists will rarely get long. 6501 */ 6502 while (s0->next) 6503 s0 = s0->next; 6504 s0->next = s1; 6505 } 6506 6507 static struct slist *xfer_to_x(a) 6508 struct arth *a; 6509 { 6510 struct slist *s; 6511 6512 s = new_stmt(BPF_LDX | BPF_MEM); 6513 s->s.k = a->regno; 6514 return s; 6515 } 6516 6517 static struct slist *xfer_to_a(a) 6518 struct arth *a; 6519 { 6520 struct slist *s; 6521 6522 s = new_stmt(BPF_LD | BPF_MEM); 6523 s->s.k = a->regno; 6524 return s; 6525 } 6526 6527 /* 6528 * Modify "index" to use the value stored into its register as an 6529 * offset relative to the beginning of the header for the protocol 6530 * "proto", and allocate a register and put an item "size" bytes long 6531 * (1, 2, or 4) at that offset into that register, making it the register 6532 * for "index". 6533 */ 6534 struct arth *gen_load(proto, inst, size) 6535 int proto; 6536 struct arth *inst; 6537 int size; 6538 { 6539 struct slist *s, *tmp; 6540 struct block *b; 6541 int regno = alloc_reg(); 6542 6543 free_reg(inst->regno); 6544 switch (size) 6545 { 6546 6547 default: 6548 bpf_error("data size must be 1, 2, or 4"); 6549 6550 case 1: 6551 size = BPF_B; 6552 break; 6553 6554 case 2: 6555 size = BPF_H; 6556 break; 6557 6558 case 4: 6559 size = BPF_W; 6560 break; 6561 } 6562 switch (proto) 6563 { 6564 default: 6565 bpf_error("unsupported index operation"); 6566 6567 case Q_RADIO: 6568 /* 6569 * The offset is relative to the beginning of the packet 6570 * data, if we have a radio header. (If we don't, this 6571 * is an error.) 6572 */ 6573 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6574 linktype != DLT_IEEE802_11_RADIO && linktype != DLT_PRISM_HEADER) 6575 bpf_error("radio information not present in capture"); 6576 6577 /* 6578 * Load into the X register the offset computed into the 6579 * register specifed by "index". 6580 */ 6581 s = xfer_to_x(inst); 6582 6583 /* 6584 * Load the item at that offset. 6585 */ 6586 tmp = new_stmt(BPF_LD | BPF_IND | size); 6587 sappend(s, tmp); 6588 sappend(inst->s, s); 6589 break; 6590 6591 case Q_LINK: 6592 /* 6593 * The offset is relative to the beginning of 6594 * the link-layer header. 6595 * 6596 * XXX - what about ATM LANE? Should the index be 6597 * relative to the beginning of the AAL5 frame, so 6598 * that 0 refers to the beginning of the LE Control 6599 * field, or relative to the beginning of the LAN 6600 * frame, so that 0 refers, for Ethernet LANE, to 6601 * the beginning of the destination address? 6602 */ 6603 s = gen_llprefixlen(); 6604 6605 /* 6606 * If "s" is non-null, it has code to arrange that the 6607 * X register contains the length of the prefix preceding 6608 * the link-layer header. Add to it the offset computed 6609 * into the register specified by "index", and move that 6610 * into the X register. Otherwise, just load into the X 6611 * register the offset computed into the register specifed 6612 * by "index". 6613 */ 6614 if (s != NULL) 6615 { 6616 sappend(s, xfer_to_a(inst)); 6617 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X)); 6618 sappend(s, new_stmt(BPF_MISC | BPF_TAX)); 6619 } 6620 else 6621 s = xfer_to_x(inst); 6622 6623 /* 6624 * Load the item at the sum of the offset we've put in the 6625 * X register and the offset of the start of the link 6626 * layer header (which is 0 if the radio header is 6627 * variable-length; that header length is what we put 6628 * into the X register and then added to the index). 6629 */ 6630 tmp = new_stmt(BPF_LD | BPF_IND | size); 6631 tmp->s.k = off_ll; 6632 sappend(s, tmp); 6633 sappend(inst->s, s); 6634 break; 6635 6636 case Q_IP: 6637 case Q_ARP: 6638 case Q_RARP: 6639 case Q_ATALK: 6640 case Q_DECNET: 6641 case Q_SCA: 6642 case Q_LAT: 6643 case Q_MOPRC: 6644 case Q_MOPDL: 6645 #ifdef INET6 6646 case Q_IPV6: 6647 #endif 6648 /* 6649 * The offset is relative to the beginning of 6650 * the network-layer header. 6651 * XXX - are there any cases where we want 6652 * off_nl_nosnap? 6653 */ 6654 s = gen_off_macpl(); 6655 6656 /* 6657 * If "s" is non-null, it has code to arrange that the 6658 * X register contains the offset of the MAC-layer 6659 * payload. Add to it the offset computed into the 6660 * register specified by "index", and move that into 6661 * the X register. Otherwise, just load into the X 6662 * register the offset computed into the register specifed 6663 * by "index". 6664 */ 6665 if (s != NULL) 6666 { 6667 sappend(s, xfer_to_a(inst)); 6668 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X)); 6669 sappend(s, new_stmt(BPF_MISC | BPF_TAX)); 6670 } 6671 else 6672 s = xfer_to_x(inst); 6673 6674 /* 6675 * Load the item at the sum of the offset we've put in the 6676 * X register, the offset of the start of the network 6677 * layer header from the beginning of the MAC-layer 6678 * payload, and the purported offset of the start of the 6679 * MAC-layer payload (which might be 0 if there's a 6680 * variable-length prefix before the link-layer header 6681 * or the link-layer header itself is variable-length; 6682 * the variable-length offset of the start of the 6683 * MAC-layer payload is what we put into the X register 6684 * and then added to the index). 6685 */ 6686 tmp = new_stmt(BPF_LD | BPF_IND | size); 6687 tmp->s.k = off_macpl + off_nl; 6688 sappend(s, tmp); 6689 sappend(inst->s, s); 6690 6691 /* 6692 * Do the computation only if the packet contains 6693 * the protocol in question. 6694 */ 6695 b = gen_proto_abbrev(proto); 6696 if (inst->b) 6697 gen_and(inst->b, b); 6698 inst->b = b; 6699 break; 6700 6701 case Q_SCTP: 6702 case Q_TCP: 6703 case Q_UDP: 6704 case Q_ICMP: 6705 case Q_IGMP: 6706 case Q_IGRP: 6707 case Q_PIM: 6708 case Q_VRRP: 6709 /* 6710 * The offset is relative to the beginning of 6711 * the transport-layer header. 6712 * 6713 * Load the X register with the length of the IPv4 header 6714 * (plus the offset of the link-layer header, if it's 6715 * a variable-length header), in bytes. 6716 * 6717 * XXX - are there any cases where we want 6718 * off_nl_nosnap? 6719 * XXX - we should, if we're built with 6720 * IPv6 support, generate code to load either 6721 * IPv4, IPv6, or both, as appropriate. 6722 */ 6723 s = gen_loadx_iphdrlen(); 6724 6725 /* 6726 * The X register now contains the sum of the length 6727 * of any variable-length header preceding the link-layer 6728 * header, any variable-length link-layer header, and the 6729 * length of the network-layer header. 6730 * 6731 * Load into the A register the offset relative to 6732 * the beginning of the transport layer header, 6733 * add the X register to that, move that to the 6734 * X register, and load with an offset from the 6735 * X register equal to the offset of the network 6736 * layer header relative to the beginning of 6737 * the MAC-layer payload plus the fixed-length 6738 * portion of the offset of the MAC-layer payload 6739 * from the beginning of the raw packet data. 6740 */ 6741 sappend(s, xfer_to_a(inst)); 6742 sappend(s, new_stmt(BPF_ALU | BPF_ADD | BPF_X)); 6743 sappend(s, new_stmt(BPF_MISC | BPF_TAX)); 6744 sappend(s, tmp = new_stmt(BPF_LD | BPF_IND | size)); 6745 tmp->s.k = off_macpl + off_nl; 6746 sappend(inst->s, s); 6747 6748 /* 6749 * Do the computation only if the packet contains 6750 * the protocol in question - which is true only 6751 * if this is an IP datagram and is the first or 6752 * only fragment of that datagram. 6753 */ 6754 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6755 if (inst->b) 6756 gen_and(inst->b, b); 6757 #ifdef INET6 6758 gen_and(gen_proto_abbrev(Q_IP), b); 6759 #endif 6760 inst->b = b; 6761 break; 6762 #ifdef INET6 6763 case Q_ICMPV6: 6764 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6765 /*NOTREACHED*/ 6766 #endif 6767 } 6768 inst->regno = regno; 6769 s = new_stmt(BPF_ST); 6770 s->s.k = regno; 6771 sappend(inst->s, s); 6772 6773 return inst; 6774 } 6775 6776 struct block *gen_relation(code, a0, a1, reversed) 6777 int code; 6778 struct arth *a0, *a1; 6779 int reversed; 6780 { 6781 struct slist *s0, *s1, *s2; 6782 struct block *b, *tmp; 6783 6784 s0 = xfer_to_x(a1); 6785 s1 = xfer_to_a(a0); 6786 if (code == BPF_JEQ) 6787 { 6788 s2 = new_stmt(BPF_ALU | BPF_SUB | BPF_X); 6789 b = new_block(JMP(code)); 6790 sappend(s1, s2); 6791 } 6792 else 6793 b = new_block(BPF_JMP | code | BPF_X); 6794 if (reversed) 6795 gen_not(b); 6796 6797 sappend(s0, s1); 6798 sappend(a1->s, s0); 6799 sappend(a0->s, a1->s); 6800 6801 b->stmts = a0->s; 6802 6803 free_reg(a0->regno); 6804 free_reg(a1->regno); 6805 6806 /* 'and' together protocol checks */ 6807 if (a0->b) 6808 { 6809 if (a1->b) 6810 { 6811 gen_and(a0->b, tmp = a1->b); 6812 } 6813 else 6814 tmp = a0->b; 6815 } 6816 else 6817 tmp = a1->b; 6818 6819 if (tmp) 6820 gen_and(tmp, b); 6821 6822 return b; 6823 } 6824 6825 struct arth *gen_loadlen() 6826 { 6827 int regno = alloc_reg(); 6828 struct arth *a = (struct arth *) newchunk(sizeof(*a)); 6829 struct slist *s; 6830 6831 s = new_stmt(BPF_LD | BPF_LEN); 6832 s->next = new_stmt(BPF_ST); 6833 s->next->s.k = regno; 6834 a->s = s; 6835 a->regno = regno; 6836 6837 return a; 6838 } 6839 6840 struct arth *gen_loadi(val) 6841 int val; 6842 { 6843 struct arth *a; 6844 struct slist *s; 6845 int reg; 6846 6847 a = (struct arth *) newchunk(sizeof(*a)); 6848 6849 reg = alloc_reg(); 6850 6851 s = new_stmt(BPF_LD | BPF_IMM); 6852 s->s.k = val; 6853 s->next = new_stmt(BPF_ST); 6854 s->next->s.k = reg; 6855 a->s = s; 6856 a->regno = reg; 6857 6858 return a; 6859 } 6860 6861 struct arth *gen_neg(a) 6862 struct arth *a; 6863 { 6864 struct slist *s; 6865 6866 s = xfer_to_a(a); 6867 sappend(a->s, s); 6868 s = new_stmt(BPF_ALU | BPF_NEG); 6869 s->s.k = 0; 6870 sappend(a->s, s); 6871 s = new_stmt(BPF_ST); 6872 s->s.k = a->regno; 6873 sappend(a->s, s); 6874 6875 return a; 6876 } 6877 6878 struct arth *gen_arth(code, a0, a1) 6879 int code; 6880 struct arth *a0, *a1; 6881 { 6882 struct slist *s0, *s1, *s2; 6883 6884 s0 = xfer_to_x(a1); 6885 s1 = xfer_to_a(a0); 6886 s2 = new_stmt(BPF_ALU | BPF_X | code); 6887 6888 sappend(s1, s2); 6889 sappend(s0, s1); 6890 sappend(a1->s, s0); 6891 sappend(a0->s, a1->s); 6892 6893 free_reg(a0->regno); 6894 free_reg(a1->regno); 6895 6896 s0 = new_stmt(BPF_ST); 6897 a0->regno = s0->s.k = alloc_reg(); 6898 sappend(a0->s, s0); 6899 6900 return a0; 6901 } 6902 6903 /* 6904 * Here we handle simple allocation of the scratch registers. 6905 * If too many registers are alloc'd, the allocator punts. 6906 */ 6907 static __thread int regused[BPF_MEMWORDS]; 6908 static __thread int curreg; 6909 6910 /* 6911 * Initialize the table of used registers and the current register. 6912 */ 6913 static void init_regs() 6914 { 6915 curreg = 0; 6916 memset(regused, 0, sizeof regused); 6917 } 6918 6919 /* 6920 * Return the next free register. 6921 */ 6922 static int alloc_reg() 6923 { 6924 int n = BPF_MEMWORDS; 6925 6926 while (--n >= 0) 6927 { 6928 if (regused[curreg]) 6929 curreg = (curreg + 1) % BPF_MEMWORDS; 6930 else 6931 { 6932 regused[curreg] = 1; 6933 return curreg; 6934 } 6935 } 6936 bpf_error("too many registers needed to evaluate expression"); 6937 /* NOTREACHED */ 6938 return 0; 6939 } 6940 6941 /* 6942 * Return a register to the table so it can 6943 * be used later. 6944 */ 6945 static void free_reg(n) 6946 int n; 6947 { 6948 regused[n] = 0; 6949 } 6950 6951 static struct block *gen_len(jmp, n) 6952 int jmp, n; 6953 { 6954 struct slist *s; 6955 struct block *b; 6956 6957 s = new_stmt(BPF_LD | BPF_LEN); 6958 b = new_block(JMP(jmp)); 6959 b->stmts = s; 6960 b->s.k = n; 6961 6962 return b; 6963 } 6964 6965 struct block *gen_greater(n) 6966 int n; 6967 { 6968 return gen_len(BPF_JGE, n); 6969 } 6970 6971 /* 6972 * Actually, this is less than or equal. 6973 */ 6974 struct block *gen_less(n) 6975 int n; 6976 { 6977 struct block *b; 6978 6979 b = gen_len(BPF_JGT, n); 6980 gen_not(b); 6981 6982 return b; 6983 } 6984 6985 /* 6986 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6987 * the beginning of the link-layer header. 6988 * XXX - that means you can't test values in the radiotap header, but 6989 * as that header is difficult if not impossible to parse generally 6990 * without a loop, that might not be a severe problem. A new keyword 6991 * "radio" could be added for that, although what you'd really want 6992 * would be a way of testing particular radio header values, which 6993 * would generate code appropriate to the radio header in question. 6994 */ 6995 struct block *gen_byteop(op, idx, val) 6996 int op, idx, val; 6997 { 6998 struct block *b; 6999 struct slist *s; 7000 7001 switch (op) 7002 { 7003 default: 7004 abort(); 7005 7006 case '=': 7007 return gen_cmp(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val); 7008 7009 case '<': 7010 b = gen_cmp_lt(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val); 7011 return b; 7012 7013 case '>': 7014 b = gen_cmp_gt(OR_LINK, (u_int) idx, BPF_B, (bpf_int32) val); 7015 return b; 7016 7017 case '|': 7018 s = new_stmt(BPF_ALU | BPF_OR | BPF_K); 7019 break; 7020 7021 case '&': 7022 s = new_stmt(BPF_ALU | BPF_AND | BPF_K); 7023 break; 7024 } 7025 s->s.k = val; 7026 b = new_block(JMP(BPF_JEQ)); 7027 b->stmts = s; 7028 gen_not(b); 7029 7030 return b; 7031 } 7032 7033 static __thread u_char abroadcast[] = { 0x0 }; 7034 7035 struct block *gen_broadcast(proto) 7036 int proto; 7037 { 7038 bpf_u_int32 hostmask; 7039 struct block *b0, *b1, *b2; 7040 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7041 7042 switch (proto) 7043 { 7044 7045 case Q_DEFAULT: 7046 case Q_LINK: 7047 switch (linktype) 7048 { 7049 case DLT_ARCNET: 7050 case DLT_ARCNET_LINUX: 7051 return gen_ahostop(abroadcast, Q_DST); 7052 case DLT_EN10MB: 7053 return gen_ehostop(ebroadcast, Q_DST); 7054 case DLT_FDDI: 7055 return gen_fhostop(ebroadcast, Q_DST); 7056 case DLT_IEEE802: 7057 return gen_thostop(ebroadcast, Q_DST); 7058 case DLT_IEEE802_11: 7059 case DLT_PRISM_HEADER: 7060 case DLT_IEEE802_11_RADIO_AVS: 7061 case DLT_IEEE802_11_RADIO: 7062 case DLT_PPI: 7063 return gen_wlanhostop(ebroadcast, Q_DST); 7064 case DLT_IP_OVER_FC: 7065 return gen_ipfchostop(ebroadcast, Q_DST); 7066 case DLT_SUNATM: 7067 if (is_lane) 7068 { 7069 /* 7070 * Check that the packet doesn't begin with an 7071 * LE Control marker. (We've already generated 7072 * a test for LANE.) 7073 */ 7074 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 7075 gen_not(b1); 7076 7077 /* 7078 * Now check the MAC address. 7079 */ 7080 b0 = gen_ehostop(ebroadcast, Q_DST); 7081 gen_and(b1, b0); 7082 return b0; 7083 } 7084 break; 7085 default: 7086 bpf_error("not a broadcast link"); 7087 } 7088 break; 7089 7090 case Q_IP: 7091 /* 7092 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7093 * as an indication that we don't know the netmask, and fail 7094 * in that case. 7095 */ 7096 if (netmask == PCAP_NETMASK_UNKNOWN) 7097 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7098 b0 = gen_linktype(ETHERTYPE_IP); 7099 hostmask = ~netmask; 7100 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32) 0, hostmask); 7101 b2 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32) (~0 & hostmask), hostmask); 7102 gen_or(b1, b2); 7103 gen_and(b0, b2); 7104 return b2; 7105 } 7106 bpf_error("only link-layer/IP broadcast filters supported"); 7107 /* NOTREACHED */ 7108 return NULL; 7109 } 7110 7111 /* 7112 * Generate code to test the low-order bit of a MAC address (that's 7113 * the bottom bit of the *first* byte). 7114 */ 7115 static struct block *gen_mac_multicast(offset) 7116 int offset; 7117 { 7118 register struct block *b0; 7119 register struct slist *s; 7120 7121 /* link[offset] & 1 != 0 */ 7122 s = gen_load_a(OR_LINK, offset, BPF_B); 7123 b0 = new_block(JMP(BPF_JSET)); 7124 b0->s.k = 1; 7125 b0->stmts = s; 7126 return b0; 7127 } 7128 7129 struct block *gen_multicast(proto) 7130 int proto; 7131 { 7132 register struct block *b0, *b1, *b2; 7133 register struct slist *s; 7134 7135 switch (proto) 7136 { 7137 7138 case Q_DEFAULT: 7139 case Q_LINK: 7140 switch (linktype) 7141 { 7142 case DLT_ARCNET: 7143 case DLT_ARCNET_LINUX: 7144 /* all ARCnet multicasts use the same address */ 7145 return gen_ahostop(abroadcast, Q_DST); 7146 case DLT_EN10MB: 7147 /* ether[0] & 1 != 0 */ 7148 return gen_mac_multicast(0); 7149 case DLT_FDDI: 7150 /* 7151 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7152 * 7153 * XXX - was that referring to bit-order issues? 7154 */ 7155 /* fddi[1] & 1 != 0 */ 7156 return gen_mac_multicast(1); 7157 case DLT_IEEE802: 7158 /* tr[2] & 1 != 0 */ 7159 return gen_mac_multicast(2); 7160 case DLT_IEEE802_11: 7161 case DLT_PRISM_HEADER: 7162 case DLT_IEEE802_11_RADIO_AVS: 7163 case DLT_IEEE802_11_RADIO: 7164 case DLT_PPI: 7165 /* 7166 * Oh, yuk. 7167 * 7168 * For control frames, there is no DA. 7169 * 7170 * For management frames, DA is at an 7171 * offset of 4 from the beginning of 7172 * the packet. 7173 * 7174 * For data frames, DA is at an offset 7175 * of 4 from the beginning of the packet 7176 * if To DS is clear and at an offset of 7177 * 16 from the beginning of the packet 7178 * if To DS is set. 7179 */ 7180 7181 /* 7182 * Generate the tests to be done for data frames. 7183 * 7184 * First, check for To DS set, i.e. "link[1] & 0x01". 7185 */ 7186 s = gen_load_a(OR_LINK, 1, BPF_B); 7187 b1 = new_block(JMP(BPF_JSET)); 7188 b1->s.k = 0x01; /* To DS */ 7189 b1->stmts = s; 7190 7191 /* 7192 * If To DS is set, the DA is at 16. 7193 */ 7194 b0 = gen_mac_multicast(16); 7195 gen_and(b1, b0); 7196 7197 /* 7198 * Now, check for To DS not set, i.e. check 7199 * "!(link[1] & 0x01)". 7200 */ 7201 s = gen_load_a(OR_LINK, 1, BPF_B); 7202 b2 = new_block(JMP(BPF_JSET)); 7203 b2->s.k = 0x01; /* To DS */ 7204 b2->stmts = s; 7205 gen_not(b2); 7206 7207 /* 7208 * If To DS is not set, the DA is at 4. 7209 */ 7210 b1 = gen_mac_multicast(4); 7211 gen_and(b2, b1); 7212 7213 /* 7214 * Now OR together the last two checks. That gives 7215 * the complete set of checks for data frames. 7216 */ 7217 gen_or(b1, b0); 7218 7219 /* 7220 * Now check for a data frame. 7221 * I.e, check "link[0] & 0x08". 7222 */ 7223 s = gen_load_a(OR_LINK, 0, BPF_B); 7224 b1 = new_block(JMP(BPF_JSET)); 7225 b1->s.k = 0x08; 7226 b1->stmts = s; 7227 7228 /* 7229 * AND that with the checks done for data frames. 7230 */ 7231 gen_and(b1, b0); 7232 7233 /* 7234 * If the high-order bit of the type value is 0, this 7235 * is a management frame. 7236 * I.e, check "!(link[0] & 0x08)". 7237 */ 7238 s = gen_load_a(OR_LINK, 0, BPF_B); 7239 b2 = new_block(JMP(BPF_JSET)); 7240 b2->s.k = 0x08; 7241 b2->stmts = s; 7242 gen_not(b2); 7243 7244 /* 7245 * For management frames, the DA is at 4. 7246 */ 7247 b1 = gen_mac_multicast(4); 7248 gen_and(b2, b1); 7249 7250 /* 7251 * OR that with the checks done for data frames. 7252 * That gives the checks done for management and 7253 * data frames. 7254 */ 7255 gen_or(b1, b0); 7256 7257 /* 7258 * If the low-order bit of the type value is 1, 7259 * this is either a control frame or a frame 7260 * with a reserved type, and thus not a 7261 * frame with an SA. 7262 * 7263 * I.e., check "!(link[0] & 0x04)". 7264 */ 7265 s = gen_load_a(OR_LINK, 0, BPF_B); 7266 b1 = new_block(JMP(BPF_JSET)); 7267 b1->s.k = 0x04; 7268 b1->stmts = s; 7269 gen_not(b1); 7270 7271 /* 7272 * AND that with the checks for data and management 7273 * frames. 7274 */ 7275 gen_and(b1, b0); 7276 return b0; 7277 case DLT_IP_OVER_FC: 7278 b0 = gen_mac_multicast(2); 7279 return b0; 7280 case DLT_SUNATM: 7281 if (is_lane) 7282 { 7283 /* 7284 * Check that the packet doesn't begin with an 7285 * LE Control marker. (We've already generated 7286 * a test for LANE.) 7287 */ 7288 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 7289 gen_not(b1); 7290 7291 /* ether[off_mac] & 1 != 0 */ 7292 b0 = gen_mac_multicast(off_mac); 7293 gen_and(b1, b0); 7294 return b0; 7295 } 7296 break; 7297 default: 7298 break; 7299 } 7300 /* Link not known to support multicasts */ 7301 break; 7302 7303 case Q_IP: 7304 b0 = gen_linktype(ETHERTYPE_IP); 7305 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32) 224); 7306 gen_and(b0, b1); 7307 return b1; 7308 7309 #ifdef INET6 7310 case Q_IPV6: 7311 b0 = gen_linktype(ETHERTYPE_IPV6); 7312 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32) 255); 7313 gen_and(b0, b1); 7314 return b1; 7315 #endif /* INET6 */ 7316 } 7317 bpf_error 7318 ("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7319 /* NOTREACHED */ 7320 return NULL; 7321 } 7322 7323 /* 7324 * generate command for inbound/outbound. It's here so we can 7325 * make it link-type specific. 'dir' = 0 implies "inbound", 7326 * = 1 implies "outbound". 7327 */ 7328 struct block *gen_inbound(dir) 7329 int dir; 7330 { 7331 register struct block *b0; 7332 7333 /* 7334 * Only some data link types support inbound/outbound qualifiers. 7335 */ 7336 switch (linktype) 7337 { 7338 case DLT_SLIP: 7339 b0 = gen_relation(BPF_JEQ, gen_load(Q_LINK, gen_loadi(0), 1), gen_loadi(0), dir); 7340 break; 7341 7342 case DLT_IPNET: 7343 if (dir) 7344 { 7345 /* match outgoing packets */ 7346 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7347 } 7348 else 7349 { 7350 /* match incoming packets */ 7351 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7352 } 7353 break; 7354 7355 case DLT_LINUX_SLL: 7356 if (dir) 7357 { 7358 /* 7359 * Match packets sent by this machine. 7360 */ 7361 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7362 } 7363 else 7364 { 7365 /* 7366 * Match packets sent to this machine. 7367 * (No broadcast or multicast packets, or 7368 * packets sent to some other machine and 7369 * received promiscuously.) 7370 * 7371 * XXX - packets sent to other machines probably 7372 * shouldn't be matched, but what about broadcast 7373 * or multicast packets we received? 7374 */ 7375 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7376 } 7377 break; 7378 7379 #ifdef HAVE_NET_PFVAR_H 7380 case DLT_PFLOG: 7381 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7382 (bpf_int32) ((dir == 0) ? PF_IN : PF_OUT)); 7383 break; 7384 #endif 7385 7386 case DLT_PPP_PPPD: 7387 if (dir) 7388 { 7389 /* match outgoing packets */ 7390 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7391 } 7392 else 7393 { 7394 /* match incoming packets */ 7395 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7396 } 7397 break; 7398 7399 case DLT_JUNIPER_MFR: 7400 case DLT_JUNIPER_MLFR: 7401 case DLT_JUNIPER_MLPPP: 7402 case DLT_JUNIPER_ATM1: 7403 case DLT_JUNIPER_ATM2: 7404 case DLT_JUNIPER_PPPOE: 7405 case DLT_JUNIPER_PPPOE_ATM: 7406 case DLT_JUNIPER_GGSN: 7407 case DLT_JUNIPER_ES: 7408 case DLT_JUNIPER_MONITOR: 7409 case DLT_JUNIPER_SERVICES: 7410 case DLT_JUNIPER_ETHER: 7411 case DLT_JUNIPER_PPP: 7412 case DLT_JUNIPER_FRELAY: 7413 case DLT_JUNIPER_CHDLC: 7414 case DLT_JUNIPER_VP: 7415 case DLT_JUNIPER_ST: 7416 case DLT_JUNIPER_ISM: 7417 /* juniper flags (including direction) are stored 7418 * the byte after the 3-byte magic number */ 7419 if (dir) 7420 { 7421 /* match outgoing packets */ 7422 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7423 } 7424 else 7425 { 7426 /* match incoming packets */ 7427 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7428 } 7429 break; 7430 7431 default: 7432 bpf_error("inbound/outbound not supported on linktype %d", linktype); 7433 b0 = NULL; 7434 /* NOTREACHED */ 7435 } 7436 return (b0); 7437 } 7438 7439 #ifdef HAVE_NET_PFVAR_H 7440 /* PF firewall log matched interface */ 7441 struct block *gen_pf_ifname(const char *ifname) 7442 { 7443 struct block *b0; 7444 u_int len, off; 7445 7446 if (linktype != DLT_PFLOG) 7447 { 7448 bpf_error("ifname supported only on PF linktype"); 7449 /* NOTREACHED */ 7450 } 7451 len = sizeof(((struct pfloghdr *) 0)->ifname); 7452 off = offsetof(struct pfloghdr, ifname); 7453 if (strlen(ifname) >= len) 7454 { 7455 bpf_error("ifname interface names can only be %d characters", len - 1); 7456 /* NOTREACHED */ 7457 } 7458 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *) ifname); 7459 return (b0); 7460 } 7461 7462 /* PF firewall log ruleset name */ 7463 struct block *gen_pf_ruleset(char *ruleset) 7464 { 7465 struct block *b0; 7466 7467 if (linktype != DLT_PFLOG) 7468 { 7469 bpf_error("ruleset supported only on PF linktype"); 7470 /* NOTREACHED */ 7471 } 7472 7473 if (strlen(ruleset) >= sizeof(((struct pfloghdr *) 0)->ruleset)) 7474 { 7475 bpf_error("ruleset names can only be %ld characters", 7476 (long) (sizeof(((struct pfloghdr *) 0)->ruleset) - 1)); 7477 /* NOTREACHED */ 7478 } 7479 7480 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), strlen(ruleset), (const u_char *) ruleset); 7481 return (b0); 7482 } 7483 7484 /* PF firewall log rule number */ 7485 struct block *gen_pf_rnr(int rnr) 7486 { 7487 struct block *b0; 7488 7489 if (linktype != DLT_PFLOG) 7490 { 7491 bpf_error("rnr supported only on PF linktype"); 7492 /* NOTREACHED */ 7493 } 7494 7495 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, (bpf_int32) rnr); 7496 return (b0); 7497 } 7498 7499 /* PF firewall log sub-rule number */ 7500 struct block *gen_pf_srnr(int srnr) 7501 { 7502 struct block *b0; 7503 7504 if (linktype != DLT_PFLOG) 7505 { 7506 bpf_error("srnr supported only on PF linktype"); 7507 /* NOTREACHED */ 7508 } 7509 7510 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, (bpf_int32) srnr); 7511 return (b0); 7512 } 7513 7514 /* PF firewall log reason code */ 7515 struct block *gen_pf_reason(int reason) 7516 { 7517 struct block *b0; 7518 7519 if (linktype != DLT_PFLOG) 7520 { 7521 bpf_error("reason supported only on PF linktype"); 7522 /* NOTREACHED */ 7523 } 7524 7525 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, (bpf_int32) reason); 7526 return (b0); 7527 } 7528 7529 /* PF firewall log action */ 7530 struct block *gen_pf_action(int action) 7531 { 7532 struct block *b0; 7533 7534 if (linktype != DLT_PFLOG) 7535 { 7536 bpf_error("action supported only on PF linktype"); 7537 /* NOTREACHED */ 7538 } 7539 7540 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, (bpf_int32) action); 7541 return (b0); 7542 } 7543 #else /* !HAVE_NET_PFVAR_H */ 7544 struct block *gen_pf_ifname(const char *ifname) 7545 { 7546 bpf_error("libpcap was compiled without pf support"); 7547 /* NOTREACHED */ 7548 return (NULL); 7549 } 7550 7551 struct block *gen_pf_ruleset(char *ruleset) 7552 { 7553 bpf_error("libpcap was compiled on a machine without pf support"); 7554 /* NOTREACHED */ 7555 return (NULL); 7556 } 7557 7558 struct block *gen_pf_rnr(int rnr) 7559 { 7560 bpf_error("libpcap was compiled on a machine without pf support"); 7561 /* NOTREACHED */ 7562 return (NULL); 7563 } 7564 7565 struct block *gen_pf_srnr(int srnr) 7566 { 7567 bpf_error("libpcap was compiled on a machine without pf support"); 7568 /* NOTREACHED */ 7569 return (NULL); 7570 } 7571 7572 struct block *gen_pf_reason(int reason) 7573 { 7574 bpf_error("libpcap was compiled on a machine without pf support"); 7575 /* NOTREACHED */ 7576 return (NULL); 7577 } 7578 7579 struct block *gen_pf_action(int action) 7580 { 7581 bpf_error("libpcap was compiled on a machine without pf support"); 7582 /* NOTREACHED */ 7583 return (NULL); 7584 } 7585 #endif /* HAVE_NET_PFVAR_H */ 7586 7587 /* IEEE 802.11 wireless header */ 7588 struct block *gen_p80211_type(int type, int mask) 7589 { 7590 struct block *b0; 7591 7592 switch (linktype) 7593 { 7594 7595 case DLT_IEEE802_11: 7596 case DLT_PRISM_HEADER: 7597 case DLT_IEEE802_11_RADIO_AVS: 7598 case DLT_IEEE802_11_RADIO: 7599 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32) type, (bpf_int32) mask); 7600 break; 7601 7602 default: 7603 bpf_error("802.11 link-layer types supported only on 802.11"); 7604 /* NOTREACHED */ 7605 } 7606 7607 return (b0); 7608 } 7609 7610 struct block *gen_p80211_fcdir(int fcdir) 7611 { 7612 struct block *b0; 7613 7614 switch (linktype) 7615 { 7616 7617 case DLT_IEEE802_11: 7618 case DLT_PRISM_HEADER: 7619 case DLT_IEEE802_11_RADIO_AVS: 7620 case DLT_IEEE802_11_RADIO: 7621 break; 7622 7623 default: 7624 bpf_error("frame direction supported only with 802.11 headers"); 7625 /* NOTREACHED */ 7626 } 7627 7628 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32) fcdir, (bpf_u_int32) IEEE80211_FC1_DIR_MASK); 7629 7630 return (b0); 7631 } 7632 7633 struct block *gen_acode(eaddr, q) 7634 register const u_char *eaddr; 7635 struct qual q; 7636 { 7637 switch (linktype) 7638 { 7639 7640 case DLT_ARCNET: 7641 case DLT_ARCNET_LINUX: 7642 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) 7643 return (gen_ahostop(eaddr, (int) q.dir)); 7644 else 7645 { 7646 bpf_error("ARCnet address used in non-arc expression"); 7647 /* NOTREACHED */ 7648 } 7649 break; 7650 7651 default: 7652 bpf_error("aid supported only on ARCnet"); 7653 /* NOTREACHED */ 7654 } 7655 bpf_error("ARCnet address used in non-arc expression"); 7656 /* NOTREACHED */ 7657 return NULL; 7658 } 7659 7660 static struct block *gen_ahostop(eaddr, dir) 7661 register const u_char *eaddr; 7662 register int dir; 7663 { 7664 register struct block *b0, *b1; 7665 7666 switch (dir) 7667 { 7668 /* src comes first, different from Ethernet */ 7669 case Q_SRC: 7670 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7671 7672 case Q_DST: 7673 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7674 7675 case Q_AND: 7676 b0 = gen_ahostop(eaddr, Q_SRC); 7677 b1 = gen_ahostop(eaddr, Q_DST); 7678 gen_and(b0, b1); 7679 return b1; 7680 7681 case Q_DEFAULT: 7682 case Q_OR: 7683 b0 = gen_ahostop(eaddr, Q_SRC); 7684 b1 = gen_ahostop(eaddr, Q_DST); 7685 gen_or(b0, b1); 7686 return b1; 7687 } 7688 abort(); 7689 /* NOTREACHED */ 7690 } 7691 7692 /* 7693 * support IEEE 802.1Q VLAN trunk over ethernet 7694 */ 7695 struct block *gen_vlan(vlan_num) 7696 int vlan_num; 7697 { 7698 struct block *b0, *b1; 7699 7700 /* can't check for VLAN-encapsulated packets inside MPLS */ 7701 if (label_stack_depth > 0) 7702 bpf_error("no VLAN match after MPLS"); 7703 7704 /* 7705 * Check for a VLAN packet, and then change the offsets to point 7706 * to the type and data fields within the VLAN packet. Just 7707 * increment the offsets, so that we can support a hierarchy, e.g. 7708 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7709 * VLAN 100. 7710 * 7711 * XXX - this is a bit of a kludge. If we were to split the 7712 * compiler into a parser that parses an expression and 7713 * generates an expression tree, and a code generator that 7714 * takes an expression tree (which could come from our 7715 * parser or from some other parser) and generates BPF code, 7716 * we could perhaps make the offsets parameters of routines 7717 * and, in the handler for an "AND" node, pass to subnodes 7718 * other than the VLAN node the adjusted offsets. 7719 * 7720 * This would mean that "vlan" would, instead of changing the 7721 * behavior of *all* tests after it, change only the behavior 7722 * of tests ANDed with it. That would change the documented 7723 * semantics of "vlan", which might break some expressions. 7724 * However, it would mean that "(vlan and ip) or ip" would check 7725 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7726 * checking only for VLAN-encapsulated IP, so that could still 7727 * be considered worth doing; it wouldn't break expressions 7728 * that are of the form "vlan and ..." or "vlan N and ...", 7729 * which I suspect are the most common expressions involving 7730 * "vlan". "vlan or ..." doesn't necessarily do what the user 7731 * would really want, now, as all the "or ..." tests would 7732 * be done assuming a VLAN, even though the "or" could be viewed 7733 * as meaning "or, if this isn't a VLAN packet...". 7734 */ 7735 orig_nl = off_nl; 7736 7737 switch (linktype) 7738 { 7739 7740 case DLT_EN10MB: 7741 /* check for VLAN */ 7742 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32) ETHERTYPE_8021Q); 7743 7744 /* If a specific VLAN is requested, check VLAN id */ 7745 if (vlan_num >= 0) 7746 { 7747 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, (bpf_int32) vlan_num, 0x0fff); 7748 gen_and(b0, b1); 7749 b0 = b1; 7750 } 7751 7752 off_macpl += 4; 7753 off_linktype += 4; 7754 break; 7755 7756 default: 7757 bpf_error("no VLAN support for data link type %d", linktype); 7758 /*NOTREACHED*/} 7759 7760 return (b0); 7761 } 7762 7763 /* 7764 * support for MPLS 7765 */ 7766 struct block *gen_mpls(label_num) 7767 int label_num; 7768 { 7769 struct block *b0, *b1; 7770 7771 /* 7772 * Change the offsets to point to the type and data fields within 7773 * the MPLS packet. Just increment the offsets, so that we 7774 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7775 * capture packets with an outer label of 100000 and an inner 7776 * label of 1024. 7777 * 7778 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7779 */ 7780 orig_nl = off_nl; 7781 7782 if (label_stack_depth > 0) 7783 { 7784 /* just match the bottom-of-stack bit clear */ 7785 b0 = gen_mcmp(OR_MACPL, orig_nl - 2, BPF_B, 0, 0x01); 7786 } 7787 else 7788 { 7789 /* 7790 * Indicate that we're checking MPLS-encapsulated headers, 7791 * to make sure higher level code generators don't try to 7792 * match against IP-related protocols such as Q_ARP, Q_RARP 7793 * etc. 7794 */ 7795 switch (linktype) 7796 { 7797 7798 case DLT_C_HDLC: /* fall through */ 7799 case DLT_EN10MB: 7800 b0 = gen_linktype(ETHERTYPE_MPLS); 7801 break; 7802 7803 case DLT_PPP: 7804 b0 = gen_linktype(PPP_MPLS_UCAST); 7805 break; 7806 7807 /* FIXME add other DLT_s ... 7808 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7809 * leave it for now */ 7810 7811 default: 7812 bpf_error("no MPLS support for data link type %d", linktype); 7813 b0 = NULL; 7814 /*NOTREACHED*/ break; 7815 } 7816 } 7817 7818 /* If a specific MPLS label is requested, check it */ 7819 if (label_num >= 0) 7820 { 7821 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7822 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32) label_num, 0xfffff000); /* only compare the first 20 bits */ 7823 gen_and(b0, b1); 7824 b0 = b1; 7825 } 7826 7827 off_nl_nosnap += 4; 7828 off_nl += 4; 7829 label_stack_depth++; 7830 return (b0); 7831 } 7832 7833 /* 7834 * Support PPPOE discovery and session. 7835 */ 7836 struct block *gen_pppoed() 7837 { 7838 /* check for PPPoE discovery */ 7839 return gen_linktype((bpf_int32) ETHERTYPE_PPPOED); 7840 } 7841 7842 struct block *gen_pppoes() 7843 { 7844 struct block *b0; 7845 7846 /* 7847 * Test against the PPPoE session link-layer type. 7848 */ 7849 b0 = gen_linktype((bpf_int32) ETHERTYPE_PPPOES); 7850 7851 /* 7852 * Change the offsets to point to the type and data fields within 7853 * the PPP packet, and note that this is PPPoE rather than 7854 * raw PPP. 7855 * 7856 * XXX - this is a bit of a kludge. If we were to split the 7857 * compiler into a parser that parses an expression and 7858 * generates an expression tree, and a code generator that 7859 * takes an expression tree (which could come from our 7860 * parser or from some other parser) and generates BPF code, 7861 * we could perhaps make the offsets parameters of routines 7862 * and, in the handler for an "AND" node, pass to subnodes 7863 * other than the PPPoE node the adjusted offsets. 7864 * 7865 * This would mean that "pppoes" would, instead of changing the 7866 * behavior of *all* tests after it, change only the behavior 7867 * of tests ANDed with it. That would change the documented 7868 * semantics of "pppoes", which might break some expressions. 7869 * However, it would mean that "(pppoes and ip) or ip" would check 7870 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7871 * checking only for VLAN-encapsulated IP, so that could still 7872 * be considered worth doing; it wouldn't break expressions 7873 * that are of the form "pppoes and ..." which I suspect are the 7874 * most common expressions involving "pppoes". "pppoes or ..." 7875 * doesn't necessarily do what the user would really want, now, 7876 * as all the "or ..." tests would be done assuming PPPoE, even 7877 * though the "or" could be viewed as meaning "or, if this isn't 7878 * a PPPoE packet...". 7879 */ 7880 orig_linktype = off_linktype; /* save original values */ 7881 orig_nl = off_nl; 7882 is_pppoes = 1; 7883 7884 /* 7885 * The "network-layer" protocol is PPPoE, which has a 6-byte 7886 * PPPoE header, followed by a PPP packet. 7887 * 7888 * There is no HDLC encapsulation for the PPP packet (it's 7889 * encapsulated in PPPoES instead), so the link-layer type 7890 * starts at the first byte of the PPP packet. For PPPoE, 7891 * that offset is relative to the beginning of the total 7892 * link-layer payload, including any 802.2 LLC header, so 7893 * it's 6 bytes past off_nl. 7894 */ 7895 off_linktype = off_nl + 6; 7896 7897 /* 7898 * The network-layer offsets are relative to the beginning 7899 * of the MAC-layer payload; that's past the 6-byte 7900 * PPPoE header and the 2-byte PPP header. 7901 */ 7902 off_nl = 6 + 2; 7903 off_nl_nosnap = 6 + 2; 7904 7905 return b0; 7906 } 7907 7908 struct block *gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7909 int atmfield; 7910 bpf_int32 jvalue; 7911 bpf_u_int32 jtype; 7912 int reverse; 7913 { 7914 struct block *b0; 7915 7916 switch (atmfield) 7917 { 7918 7919 case A_VPI: 7920 if (!is_atm) 7921 bpf_error("'vpi' supported only on raw ATM"); 7922 if (off_vpi == (u_int) - 1) 7923 abort(); 7924 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, reverse, jvalue); 7925 break; 7926 7927 case A_VCI: 7928 if (!is_atm) 7929 bpf_error("'vci' supported only on raw ATM"); 7930 if (off_vci == (u_int) - 1) 7931 abort(); 7932 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, reverse, jvalue); 7933 break; 7934 7935 case A_PROTOTYPE: 7936 if (off_proto == (u_int) - 1) 7937 abort(); /* XXX - this isn't on FreeBSD */ 7938 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, reverse, jvalue); 7939 break; 7940 7941 case A_MSGTYPE: 7942 if (off_payload == (u_int) - 1) 7943 abort(); 7944 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 0xffffffff, jtype, reverse, jvalue); 7945 break; 7946 7947 case A_CALLREFTYPE: 7948 if (!is_atm) 7949 bpf_error("'callref' supported only on raw ATM"); 7950 if (off_proto == (u_int) - 1) 7951 abort(); 7952 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, jtype, reverse, jvalue); 7953 break; 7954 7955 default: 7956 abort(); 7957 } 7958 return b0; 7959 } 7960 7961 struct block *gen_atmtype_abbrev(type) 7962 int type; 7963 { 7964 struct block *b0, *b1; 7965 7966 switch (type) 7967 { 7968 7969 case A_METAC: 7970 /* Get all packets in Meta signalling Circuit */ 7971 if (!is_atm) 7972 bpf_error("'metac' supported only on raw ATM"); 7973 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7974 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 7975 gen_and(b0, b1); 7976 break; 7977 7978 case A_BCC: 7979 /* Get all packets in Broadcast Circuit */ 7980 if (!is_atm) 7981 bpf_error("'bcc' supported only on raw ATM"); 7982 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7983 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 7984 gen_and(b0, b1); 7985 break; 7986 7987 case A_OAMF4SC: 7988 /* Get all cells in Segment OAM F4 circuit */ 7989 if (!is_atm) 7990 bpf_error("'oam4sc' supported only on raw ATM"); 7991 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7992 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7993 gen_and(b0, b1); 7994 break; 7995 7996 case A_OAMF4EC: 7997 /* Get all cells in End-to-End OAM F4 Circuit */ 7998 if (!is_atm) 7999 bpf_error("'oam4ec' supported only on raw ATM"); 8000 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8001 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8002 gen_and(b0, b1); 8003 break; 8004 8005 case A_SC: 8006 /* Get all packets in connection Signalling Circuit */ 8007 if (!is_atm) 8008 bpf_error("'sc' supported only on raw ATM"); 8009 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8010 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8011 gen_and(b0, b1); 8012 break; 8013 8014 case A_ILMIC: 8015 /* Get all packets in ILMI Circuit */ 8016 if (!is_atm) 8017 bpf_error("'ilmic' supported only on raw ATM"); 8018 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8019 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8020 gen_and(b0, b1); 8021 break; 8022 8023 case A_LANE: 8024 /* Get all LANE packets */ 8025 if (!is_atm) 8026 bpf_error("'lane' supported only on raw ATM"); 8027 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8028 8029 /* 8030 * Arrange that all subsequent tests assume LANE 8031 * rather than LLC-encapsulated packets, and set 8032 * the offsets appropriately for LANE-encapsulated 8033 * Ethernet. 8034 * 8035 * "off_mac" is the offset of the Ethernet header, 8036 * which is 2 bytes past the ATM pseudo-header 8037 * (skipping the pseudo-header and 2-byte LE Client 8038 * field). The other offsets are Ethernet offsets 8039 * relative to "off_mac". 8040 */ 8041 is_lane = 1; 8042 off_mac = off_payload + 2; /* MAC header */ 8043 off_linktype = off_mac + 12; 8044 off_macpl = off_mac + 14; /* Ethernet */ 8045 off_nl = 0; /* Ethernet II */ 8046 off_nl_nosnap = 3; /* 802.3+802.2 */ 8047 break; 8048 8049 case A_LLC: 8050 /* Get all LLC-encapsulated packets */ 8051 if (!is_atm) 8052 bpf_error("'llc' supported only on raw ATM"); 8053 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8054 is_lane = 0; 8055 break; 8056 8057 default: 8058 abort(); 8059 } 8060 return b1; 8061 } 8062 8063 /* 8064 * Filtering for MTP2 messages based on li value 8065 * FISU, length is null 8066 * LSSU, length is 1 or 2 8067 * MSU, length is 3 or more 8068 */ 8069 struct block *gen_mtp2type_abbrev(type) 8070 int type; 8071 { 8072 struct block *b0, *b1; 8073 8074 switch (type) 8075 { 8076 8077 case M_FISU: 8078 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR)) 8079 bpf_error("'fisu' supported only on MTP2"); 8080 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8081 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8082 break; 8083 8084 case M_LSSU: 8085 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR)) 8086 bpf_error("'lssu' supported only on MTP2"); 8087 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8088 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8089 gen_and(b1, b0); 8090 break; 8091 8092 case M_MSU: 8093 if ((linktype != DLT_MTP2) && (linktype != DLT_ERF) && (linktype != DLT_MTP2_WITH_PHDR)) 8094 bpf_error("'msu' supported only on MTP2"); 8095 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8096 break; 8097 8098 default: 8099 abort(); 8100 } 8101 return b0; 8102 } 8103 8104 struct block *gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8105 int mtp3field; 8106 bpf_u_int32 jvalue; 8107 bpf_u_int32 jtype; 8108 int reverse; 8109 { 8110 struct block *b0; 8111 bpf_u_int32 val1, val2, val3; 8112 8113 switch (mtp3field) 8114 { 8115 8116 case M_SIO: 8117 if (off_sio == (u_int) - 1) 8118 bpf_error("'sio' supported only on SS7"); 8119 /* sio coded on 1 byte so max value 255 */ 8120 if (jvalue > 255) 8121 bpf_error("sio value %u too big; max value = 255", jvalue); 8122 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, (u_int) jtype, reverse, (u_int) jvalue); 8123 break; 8124 8125 case M_OPC: 8126 if (off_opc == (u_int) - 1) 8127 bpf_error("'opc' supported only on SS7"); 8128 /* opc coded on 14 bits so max value 16383 */ 8129 if (jvalue > 16383) 8130 bpf_error("opc value %u too big; max value = 16383", jvalue); 8131 /* the following instructions are made to convert jvalue 8132 * to the form used to write opc in an ss7 message*/ 8133 val1 = jvalue & 0x00003c00; 8134 val1 = val1 >> 10; 8135 val2 = jvalue & 0x000003fc; 8136 val2 = val2 << 6; 8137 val3 = jvalue & 0x00000003; 8138 val3 = val3 << 22; 8139 jvalue = val1 + val2 + val3; 8140 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, (u_int) jtype, reverse, (u_int) jvalue); 8141 break; 8142 8143 case M_DPC: 8144 if (off_dpc == (u_int) - 1) 8145 bpf_error("'dpc' supported only on SS7"); 8146 /* dpc coded on 14 bits so max value 16383 */ 8147 if (jvalue > 16383) 8148 bpf_error("dpc value %u too big; max value = 16383", jvalue); 8149 /* the following instructions are made to convert jvalue 8150 * to the forme used to write dpc in an ss7 message*/ 8151 val1 = jvalue & 0x000000ff; 8152 val1 = val1 << 24; 8153 val2 = jvalue & 0x00003f00; 8154 val2 = val2 << 8; 8155 jvalue = val1 + val2; 8156 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, (u_int) jtype, reverse, (u_int) jvalue); 8157 break; 8158 8159 case M_SLS: 8160 if (off_sls == (u_int) - 1) 8161 bpf_error("'sls' supported only on SS7"); 8162 /* sls coded on 4 bits so max value 15 */ 8163 if (jvalue > 15) 8164 bpf_error("sls value %u too big; max value = 15", jvalue); 8165 /* the following instruction is made to convert jvalue 8166 * to the forme used to write sls in an ss7 message*/ 8167 jvalue = jvalue << 4; 8168 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, (u_int) jtype, reverse, (u_int) jvalue); 8169 break; 8170 8171 default: 8172 abort(); 8173 } 8174 return b0; 8175 } 8176 8177 static struct block *gen_msg_abbrev(type) 8178 int type; 8179 { 8180 struct block *b1; 8181 8182 /* 8183 * Q.2931 signalling protocol messages for handling virtual circuits 8184 * establishment and teardown 8185 */ 8186 switch (type) 8187 { 8188 8189 case A_SETUP: 8190 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8191 break; 8192 8193 case A_CALLPROCEED: 8194 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8195 break; 8196 8197 case A_CONNECT: 8198 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8199 break; 8200 8201 case A_CONNECTACK: 8202 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8203 break; 8204 8205 case A_RELEASE: 8206 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8207 break; 8208 8209 case A_RELEASE_DONE: 8210 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8211 break; 8212 8213 default: 8214 abort(); 8215 } 8216 return b1; 8217 } 8218 8219 struct block *gen_atmmulti_abbrev(type) 8220 int type; 8221 { 8222 struct block *b0, *b1; 8223 8224 switch (type) 8225 { 8226 8227 case A_OAM: 8228 if (!is_atm) 8229 bpf_error("'oam' supported only on raw ATM"); 8230 b1 = gen_atmmulti_abbrev(A_OAMF4); 8231 break; 8232 8233 case A_OAMF4: 8234 if (!is_atm) 8235 bpf_error("'oamf4' supported only on raw ATM"); 8236 /* OAM F4 type */ 8237 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8238 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8239 gen_or(b0, b1); 8240 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8241 gen_and(b0, b1); 8242 break; 8243 8244 case A_CONNECTMSG: 8245 /* 8246 * Get Q.2931 signalling messages for switched 8247 * virtual connection 8248 */ 8249 if (!is_atm) 8250 bpf_error("'connectmsg' supported only on raw ATM"); 8251 b0 = gen_msg_abbrev(A_SETUP); 8252 b1 = gen_msg_abbrev(A_CALLPROCEED); 8253 gen_or(b0, b1); 8254 b0 = gen_msg_abbrev(A_CONNECT); 8255 gen_or(b0, b1); 8256 b0 = gen_msg_abbrev(A_CONNECTACK); 8257 gen_or(b0, b1); 8258 b0 = gen_msg_abbrev(A_RELEASE); 8259 gen_or(b0, b1); 8260 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8261 gen_or(b0, b1); 8262 b0 = gen_atmtype_abbrev(A_SC); 8263 gen_and(b0, b1); 8264 break; 8265 8266 case A_METACONNECT: 8267 if (!is_atm) 8268 bpf_error("'metaconnect' supported only on raw ATM"); 8269 b0 = gen_msg_abbrev(A_SETUP); 8270 b1 = gen_msg_abbrev(A_CALLPROCEED); 8271 gen_or(b0, b1); 8272 b0 = gen_msg_abbrev(A_CONNECT); 8273 gen_or(b0, b1); 8274 b0 = gen_msg_abbrev(A_RELEASE); 8275 gen_or(b0, b1); 8276 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8277 gen_or(b0, b1); 8278 b0 = gen_atmtype_abbrev(A_METAC); 8279 gen_and(b0, b1); 8280 break; 8281 8282 default: 8283 abort(); 8284 } 8285 return b1; 8286 } 8287