1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #if HAVE_INTTYPES_H 35 #include <inttypes.h> 36 #elif HAVE_STDINT_H 37 #include <stdint.h> 38 #endif 39 #ifdef HAVE_SYS_BITYPES_H 40 #include <sys/bitypes.h> 41 #endif 42 #include <sys/types.h> 43 #include <sys/socket.h> 44 #endif /* WIN32 */ 45 46 /* 47 * XXX - why was this included even on UNIX? 48 */ 49 #ifdef __MINGW32__ 50 #include "ip6_misc.h" 51 #endif 52 53 #ifndef WIN32 54 55 #ifdef __NetBSD__ 56 #include <sys/param.h> 57 #endif 58 59 #include <netinet/in.h> 60 #include <arpa/inet.h> 61 62 #endif /* WIN32 */ 63 64 #include <stdlib.h> 65 #include <string.h> 66 #include <memory.h> 67 #include <setjmp.h> 68 #include <stdarg.h> 69 70 #ifdef MSDOS 71 #include "pcap-dos.h" 72 #endif 73 74 #include "pcap-int.h" 75 76 #include "ethertype.h" 77 #include "nlpid.h" 78 #include "llc.h" 79 #include "gencode.h" 80 #include "ieee80211.h" 81 #include "atmuni31.h" 82 #include "sunatmpos.h" 83 #include "ppp.h" 84 #include "pcap/sll.h" 85 #include "pcap/ipnet.h" 86 #include "arcnet.h" 87 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 88 #include <linux/types.h> 89 #include <linux/if_packet.h> 90 #include <linux/filter.h> 91 #endif 92 #ifdef HAVE_NET_PFVAR_H 93 #include <sys/socket.h> 94 #include <net/if.h> 95 #include <net/pf/pfvar.h> 96 #include <net/pf/if_pflog.h> 97 #endif 98 #ifndef offsetof 99 #define offsetof(s, e) ((size_t)&((s *)0)->e) 100 #endif 101 #ifdef INET6 102 #ifndef WIN32 103 #include <netdb.h> /* for "struct addrinfo" */ 104 #endif /* WIN32 */ 105 #endif /*INET6*/ 106 #include <pcap/namedb.h> 107 108 #define ETHERMTU 1500 109 110 #ifndef IPPROTO_SCTP 111 #define IPPROTO_SCTP 132 112 #endif 113 114 #ifdef HAVE_OS_PROTO_H 115 #include "os-proto.h" 116 #endif 117 118 #define JMP(c) ((c)|BPF_JMP|BPF_K) 119 120 /* Locals */ 121 static jmp_buf top_ctx; 122 static pcap_t *bpf_pcap; 123 124 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 125 #ifdef WIN32 126 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 127 #else 128 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 129 #endif 130 131 /* XXX */ 132 #ifdef PCAP_FDDIPAD 133 static int pcap_fddipad; 134 #endif 135 136 /* VARARGS */ 137 void 138 bpf_error(const char *fmt, ...) 139 { 140 va_list ap; 141 142 va_start(ap, fmt); 143 if (bpf_pcap != NULL) 144 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 145 fmt, ap); 146 va_end(ap); 147 longjmp(top_ctx, 1); 148 /* NOTREACHED */ 149 } 150 151 static void init_linktype(pcap_t *); 152 153 static void init_regs(void); 154 static int alloc_reg(void); 155 static void free_reg(int); 156 157 static struct block *root; 158 159 /* 160 * Value passed to gen_load_a() to indicate what the offset argument 161 * is relative to. 162 */ 163 enum e_offrel { 164 OR_PACKET, /* relative to the beginning of the packet */ 165 OR_LINK, /* relative to the beginning of the link-layer header */ 166 OR_MACPL, /* relative to the end of the MAC-layer header */ 167 OR_NET, /* relative to the network-layer header */ 168 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 169 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 170 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 171 }; 172 173 #ifdef INET6 174 /* 175 * As errors are handled by a longjmp, anything allocated must be freed 176 * in the longjmp handler, so it must be reachable from that handler. 177 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 178 * it must be freed with freeaddrinfo(). This variable points to any 179 * addrinfo structure that would need to be freed. 180 */ 181 static struct addrinfo *ai; 182 #endif 183 184 /* 185 * We divy out chunks of memory rather than call malloc each time so 186 * we don't have to worry about leaking memory. It's probably 187 * not a big deal if all this memory was wasted but if this ever 188 * goes into a library that would probably not be a good idea. 189 * 190 * XXX - this *is* in a library.... 191 */ 192 #define NCHUNKS 16 193 #define CHUNK0SIZE 1024 194 struct chunk { 195 u_int n_left; 196 void *m; 197 }; 198 199 static struct chunk chunks[NCHUNKS]; 200 static int cur_chunk; 201 202 static void *newchunk(u_int); 203 static void freechunks(void); 204 static inline struct block *new_block(int); 205 static inline struct slist *new_stmt(int); 206 static struct block *gen_retblk(int); 207 static inline void syntax(void); 208 209 static void backpatch(struct block *, struct block *); 210 static void merge(struct block *, struct block *); 211 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 212 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 213 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 214 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 215 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 216 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 217 bpf_u_int32); 218 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 219 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 220 bpf_u_int32, bpf_u_int32, int, bpf_int32); 221 static struct slist *gen_load_llrel(u_int, u_int); 222 static struct slist *gen_load_macplrel(u_int, u_int); 223 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 224 static struct slist *gen_loadx_iphdrlen(void); 225 static struct block *gen_uncond(int); 226 static inline struct block *gen_true(void); 227 static inline struct block *gen_false(void); 228 static struct block *gen_ether_linktype(int); 229 static struct block *gen_ipnet_linktype(int); 230 static struct block *gen_linux_sll_linktype(int); 231 static struct slist *gen_load_prism_llprefixlen(void); 232 static struct slist *gen_load_avs_llprefixlen(void); 233 static struct slist *gen_load_radiotap_llprefixlen(void); 234 static struct slist *gen_load_ppi_llprefixlen(void); 235 static void insert_compute_vloffsets(struct block *); 236 static struct slist *gen_llprefixlen(void); 237 static struct slist *gen_off_macpl(void); 238 static int ethertype_to_ppptype(int); 239 static struct block *gen_linktype(int); 240 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 241 static struct block *gen_llc_linktype(int); 242 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 243 #ifdef INET6 244 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 245 #endif 246 static struct block *gen_ahostop(const u_char *, int); 247 static struct block *gen_ehostop(const u_char *, int); 248 static struct block *gen_fhostop(const u_char *, int); 249 static struct block *gen_thostop(const u_char *, int); 250 static struct block *gen_wlanhostop(const u_char *, int); 251 static struct block *gen_ipfchostop(const u_char *, int); 252 static struct block *gen_dnhostop(bpf_u_int32, int); 253 static struct block *gen_mpls_linktype(int); 254 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 255 #ifdef INET6 256 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 257 #endif 258 #ifndef INET6 259 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 260 #endif 261 static struct block *gen_ipfrag(void); 262 static struct block *gen_portatom(int, bpf_int32); 263 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 264 #ifdef INET6 265 static struct block *gen_portatom6(int, bpf_int32); 266 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 267 #endif 268 struct block *gen_portop(int, int, int); 269 static struct block *gen_port(int, int, int); 270 struct block *gen_portrangeop(int, int, int, int); 271 static struct block *gen_portrange(int, int, int, int); 272 #ifdef INET6 273 struct block *gen_portop6(int, int, int); 274 static struct block *gen_port6(int, int, int); 275 struct block *gen_portrangeop6(int, int, int, int); 276 static struct block *gen_portrange6(int, int, int, int); 277 #endif 278 static int lookup_proto(const char *, int); 279 static struct block *gen_protochain(int, int, int); 280 static struct block *gen_proto(int, int, int); 281 static struct slist *xfer_to_x(struct arth *); 282 static struct slist *xfer_to_a(struct arth *); 283 static struct block *gen_mac_multicast(int); 284 static struct block *gen_len(int, int); 285 static struct block *gen_check_802_11_data_frame(void); 286 287 static struct block *gen_ppi_dlt_check(void); 288 static struct block *gen_msg_abbrev(int type); 289 290 static void * 291 newchunk(n) 292 u_int n; 293 { 294 struct chunk *cp; 295 int k; 296 size_t size; 297 298 #ifndef __NetBSD__ 299 /* XXX Round up to nearest long. */ 300 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 301 #else 302 /* XXX Round up to structure boundary. */ 303 n = ALIGN(n); 304 #endif 305 306 cp = &chunks[cur_chunk]; 307 if (n > cp->n_left) { 308 ++cp, k = ++cur_chunk; 309 if (k >= NCHUNKS) 310 bpf_error("out of memory"); 311 size = CHUNK0SIZE << k; 312 cp->m = (void *)malloc(size); 313 if (cp->m == NULL) 314 bpf_error("out of memory"); 315 memset((char *)cp->m, 0, size); 316 cp->n_left = size; 317 if (n > size) 318 bpf_error("out of memory"); 319 } 320 cp->n_left -= n; 321 return (void *)((char *)cp->m + cp->n_left); 322 } 323 324 static void 325 freechunks() 326 { 327 int i; 328 329 cur_chunk = 0; 330 for (i = 0; i < NCHUNKS; ++i) 331 if (chunks[i].m != NULL) { 332 free(chunks[i].m); 333 chunks[i].m = NULL; 334 } 335 } 336 337 /* 338 * A strdup whose allocations are freed after code generation is over. 339 */ 340 char * 341 sdup(s) 342 register const char *s; 343 { 344 int n = strlen(s) + 1; 345 char *cp = newchunk(n); 346 347 strlcpy(cp, s, n); 348 return (cp); 349 } 350 351 static inline struct block * 352 new_block(code) 353 int code; 354 { 355 struct block *p; 356 357 p = (struct block *)newchunk(sizeof(*p)); 358 p->s.code = code; 359 p->head = p; 360 361 return p; 362 } 363 364 static inline struct slist * 365 new_stmt(code) 366 int code; 367 { 368 struct slist *p; 369 370 p = (struct slist *)newchunk(sizeof(*p)); 371 p->s.code = code; 372 373 return p; 374 } 375 376 static struct block * 377 gen_retblk(v) 378 int v; 379 { 380 struct block *b = new_block(BPF_RET|BPF_K); 381 382 b->s.k = v; 383 return b; 384 } 385 386 static inline void 387 syntax() 388 { 389 bpf_error("syntax error in filter expression"); 390 } 391 392 static bpf_u_int32 netmask; 393 static int snaplen; 394 int no_optimize; 395 #ifdef WIN32 396 static int 397 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 398 const char *buf, int optimize, bpf_u_int32 mask); 399 400 int 401 pcap_compile(pcap_t *p, struct bpf_program *program, 402 const char *buf, int optimize, bpf_u_int32 mask) 403 { 404 int result; 405 406 EnterCriticalSection(&g_PcapCompileCriticalSection); 407 408 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 409 410 LeaveCriticalSection(&g_PcapCompileCriticalSection); 411 412 return result; 413 } 414 415 static int 416 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 417 const char *buf, int optimize, bpf_u_int32 mask) 418 #else /* WIN32 */ 419 int 420 pcap_compile(pcap_t *p, struct bpf_program *program, 421 const char *buf, int optimize, bpf_u_int32 mask) 422 #endif /* WIN32 */ 423 { 424 extern int n_errors; 425 const char * volatile xbuf = buf; 426 u_int len; 427 428 no_optimize = 0; 429 n_errors = 0; 430 root = NULL; 431 bpf_pcap = p; 432 init_regs(); 433 if (setjmp(top_ctx)) { 434 #ifdef INET6 435 if (ai != NULL) { 436 freeaddrinfo(ai); 437 ai = NULL; 438 } 439 #endif 440 lex_cleanup(); 441 freechunks(); 442 return (-1); 443 } 444 445 netmask = mask; 446 447 snaplen = pcap_snapshot(p); 448 if (snaplen == 0) { 449 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 450 "snaplen of 0 rejects all packets"); 451 return -1; 452 } 453 454 lex_init(xbuf ? xbuf : ""); 455 init_linktype(p); 456 (void)pcap_parse(); 457 458 if (n_errors) 459 syntax(); 460 461 if (root == NULL) 462 root = gen_retblk(snaplen); 463 464 if (optimize && !no_optimize) { 465 bpf_optimize(&root); 466 if (root == NULL || 467 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 468 bpf_error("expression rejects all packets"); 469 } 470 program->bf_insns = icode_to_fcode(root, &len); 471 program->bf_len = len; 472 473 lex_cleanup(); 474 freechunks(); 475 return (0); 476 } 477 478 /* 479 * entry point for using the compiler with no pcap open 480 * pass in all the stuff that is needed explicitly instead. 481 */ 482 int 483 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 484 struct bpf_program *program, 485 const char *buf, int optimize, bpf_u_int32 mask) 486 { 487 pcap_t *p; 488 int ret; 489 490 p = pcap_open_dead(linktype_arg, snaplen_arg); 491 if (p == NULL) 492 return (-1); 493 ret = pcap_compile(p, program, buf, optimize, mask); 494 pcap_close(p); 495 return (ret); 496 } 497 498 /* 499 * Clean up a "struct bpf_program" by freeing all the memory allocated 500 * in it. 501 */ 502 void 503 pcap_freecode(struct bpf_program *program) 504 { 505 program->bf_len = 0; 506 if (program->bf_insns != NULL) { 507 free((char *)program->bf_insns); 508 program->bf_insns = NULL; 509 } 510 } 511 512 /* 513 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 514 * which of the jt and jf fields has been resolved and which is a pointer 515 * back to another unresolved block (or nil). At least one of the fields 516 * in each block is already resolved. 517 */ 518 static void 519 backpatch(list, target) 520 struct block *list, *target; 521 { 522 struct block *next; 523 524 while (list) { 525 if (!list->sense) { 526 next = JT(list); 527 JT(list) = target; 528 } else { 529 next = JF(list); 530 JF(list) = target; 531 } 532 list = next; 533 } 534 } 535 536 /* 537 * Merge the lists in b0 and b1, using the 'sense' field to indicate 538 * which of jt and jf is the link. 539 */ 540 static void 541 merge(b0, b1) 542 struct block *b0, *b1; 543 { 544 register struct block **p = &b0; 545 546 /* Find end of list. */ 547 while (*p) 548 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 549 550 /* Concatenate the lists. */ 551 *p = b1; 552 } 553 554 void 555 finish_parse(p) 556 struct block *p; 557 { 558 struct block *ppi_dlt_check; 559 560 /* 561 * Insert before the statements of the first (root) block any 562 * statements needed to load the lengths of any variable-length 563 * headers into registers. 564 * 565 * XXX - a fancier strategy would be to insert those before the 566 * statements of all blocks that use those lengths and that 567 * have no predecessors that use them, so that we only compute 568 * the lengths if we need them. There might be even better 569 * approaches than that. 570 * 571 * However, those strategies would be more complicated, and 572 * as we don't generate code to compute a length if the 573 * program has no tests that use the length, and as most 574 * tests will probably use those lengths, we would just 575 * postpone computing the lengths so that it's not done 576 * for tests that fail early, and it's not clear that's 577 * worth the effort. 578 */ 579 insert_compute_vloffsets(p->head); 580 581 /* 582 * For DLT_PPI captures, generate a check of the per-packet 583 * DLT value to make sure it's DLT_IEEE802_11. 584 */ 585 ppi_dlt_check = gen_ppi_dlt_check(); 586 if (ppi_dlt_check != NULL) 587 gen_and(ppi_dlt_check, p); 588 589 backpatch(p, gen_retblk(snaplen)); 590 p->sense = !p->sense; 591 backpatch(p, gen_retblk(0)); 592 root = p->head; 593 } 594 595 void 596 gen_and(b0, b1) 597 struct block *b0, *b1; 598 { 599 backpatch(b0, b1->head); 600 b0->sense = !b0->sense; 601 b1->sense = !b1->sense; 602 merge(b1, b0); 603 b1->sense = !b1->sense; 604 b1->head = b0->head; 605 } 606 607 void 608 gen_or(b0, b1) 609 struct block *b0, *b1; 610 { 611 b0->sense = !b0->sense; 612 backpatch(b0, b1->head); 613 b0->sense = !b0->sense; 614 merge(b1, b0); 615 b1->head = b0->head; 616 } 617 618 void 619 gen_not(b) 620 struct block *b; 621 { 622 b->sense = !b->sense; 623 } 624 625 static struct block * 626 gen_cmp(offrel, offset, size, v) 627 enum e_offrel offrel; 628 u_int offset, size; 629 bpf_int32 v; 630 { 631 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 632 } 633 634 static struct block * 635 gen_cmp_gt(offrel, offset, size, v) 636 enum e_offrel offrel; 637 u_int offset, size; 638 bpf_int32 v; 639 { 640 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 641 } 642 643 static struct block * 644 gen_cmp_ge(offrel, offset, size, v) 645 enum e_offrel offrel; 646 u_int offset, size; 647 bpf_int32 v; 648 { 649 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 650 } 651 652 static struct block * 653 gen_cmp_lt(offrel, offset, size, v) 654 enum e_offrel offrel; 655 u_int offset, size; 656 bpf_int32 v; 657 { 658 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 659 } 660 661 static struct block * 662 gen_cmp_le(offrel, offset, size, v) 663 enum e_offrel offrel; 664 u_int offset, size; 665 bpf_int32 v; 666 { 667 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 668 } 669 670 static struct block * 671 gen_mcmp(offrel, offset, size, v, mask) 672 enum e_offrel offrel; 673 u_int offset, size; 674 bpf_int32 v; 675 bpf_u_int32 mask; 676 { 677 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 678 } 679 680 static struct block * 681 gen_bcmp(offrel, offset, size, v) 682 enum e_offrel offrel; 683 register u_int offset, size; 684 register const u_char *v; 685 { 686 register struct block *b, *tmp; 687 688 b = NULL; 689 while (size >= 4) { 690 register const u_char *p = &v[size - 4]; 691 bpf_int32 w = ((bpf_int32)p[0] << 24) | 692 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 693 694 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 695 if (b != NULL) 696 gen_and(b, tmp); 697 b = tmp; 698 size -= 4; 699 } 700 while (size >= 2) { 701 register const u_char *p = &v[size - 2]; 702 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 703 704 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 705 if (b != NULL) 706 gen_and(b, tmp); 707 b = tmp; 708 size -= 2; 709 } 710 if (size > 0) { 711 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 712 if (b != NULL) 713 gen_and(b, tmp); 714 b = tmp; 715 } 716 return b; 717 } 718 719 /* 720 * AND the field of size "size" at offset "offset" relative to the header 721 * specified by "offrel" with "mask", and compare it with the value "v" 722 * with the test specified by "jtype"; if "reverse" is true, the test 723 * should test the opposite of "jtype". 724 */ 725 static struct block * 726 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 727 enum e_offrel offrel; 728 bpf_int32 v; 729 bpf_u_int32 offset, size, mask, jtype; 730 int reverse; 731 { 732 struct slist *s, *s2; 733 struct block *b; 734 735 s = gen_load_a(offrel, offset, size); 736 737 if (mask != 0xffffffff) { 738 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 739 s2->s.k = mask; 740 sappend(s, s2); 741 } 742 743 b = new_block(JMP(jtype)); 744 b->stmts = s; 745 b->s.k = v; 746 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 747 gen_not(b); 748 return b; 749 } 750 751 /* 752 * Various code constructs need to know the layout of the data link 753 * layer. These variables give the necessary offsets from the beginning 754 * of the packet data. 755 */ 756 757 /* 758 * This is the offset of the beginning of the link-layer header from 759 * the beginning of the raw packet data. 760 * 761 * It's usually 0, except for 802.11 with a fixed-length radio header. 762 * (For 802.11 with a variable-length radio header, we have to generate 763 * code to compute that offset; off_ll is 0 in that case.) 764 */ 765 static u_int off_ll; 766 767 /* 768 * If there's a variable-length header preceding the link-layer header, 769 * "reg_off_ll" is the register number for a register containing the 770 * length of that header, and therefore the offset of the link-layer 771 * header from the beginning of the raw packet data. Otherwise, 772 * "reg_off_ll" is -1. 773 */ 774 static int reg_off_ll; 775 776 /* 777 * This is the offset of the beginning of the MAC-layer header from 778 * the beginning of the link-layer header. 779 * It's usually 0, except for ATM LANE, where it's the offset, relative 780 * to the beginning of the raw packet data, of the Ethernet header, and 781 * for Ethernet with various additional information. 782 */ 783 static u_int off_mac; 784 785 /* 786 * This is the offset of the beginning of the MAC-layer payload, 787 * from the beginning of the raw packet data. 788 * 789 * I.e., it's the sum of the length of the link-layer header (without, 790 * for example, any 802.2 LLC header, so it's the MAC-layer 791 * portion of that header), plus any prefix preceding the 792 * link-layer header. 793 */ 794 static u_int off_macpl; 795 796 /* 797 * This is 1 if the offset of the beginning of the MAC-layer payload 798 * from the beginning of the link-layer header is variable-length. 799 */ 800 static int off_macpl_is_variable; 801 802 /* 803 * If the link layer has variable_length headers, "reg_off_macpl" 804 * is the register number for a register containing the length of the 805 * link-layer header plus the length of any variable-length header 806 * preceding the link-layer header. Otherwise, "reg_off_macpl" 807 * is -1. 808 */ 809 static int reg_off_macpl; 810 811 /* 812 * "off_linktype" is the offset to information in the link-layer header 813 * giving the packet type. This offset is relative to the beginning 814 * of the link-layer header (i.e., it doesn't include off_ll). 815 * 816 * For Ethernet, it's the offset of the Ethernet type field. 817 * 818 * For link-layer types that always use 802.2 headers, it's the 819 * offset of the LLC header. 820 * 821 * For PPP, it's the offset of the PPP type field. 822 * 823 * For Cisco HDLC, it's the offset of the CHDLC type field. 824 * 825 * For BSD loopback, it's the offset of the AF_ value. 826 * 827 * For Linux cooked sockets, it's the offset of the type field. 828 * 829 * It's set to -1 for no encapsulation, in which case, IP is assumed. 830 */ 831 static u_int off_linktype; 832 833 /* 834 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 835 * checks to check the PPP header, assumed to follow a LAN-style link- 836 * layer header and a PPPoE session header. 837 */ 838 static int is_pppoes = 0; 839 840 /* 841 * TRUE if the link layer includes an ATM pseudo-header. 842 */ 843 static int is_atm = 0; 844 845 /* 846 * TRUE if "lane" appeared in the filter; it causes us to generate 847 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 848 */ 849 static int is_lane = 0; 850 851 /* 852 * These are offsets for the ATM pseudo-header. 853 */ 854 static u_int off_vpi; 855 static u_int off_vci; 856 static u_int off_proto; 857 858 /* 859 * These are offsets for the MTP2 fields. 860 */ 861 static u_int off_li; 862 863 /* 864 * These are offsets for the MTP3 fields. 865 */ 866 static u_int off_sio; 867 static u_int off_opc; 868 static u_int off_dpc; 869 static u_int off_sls; 870 871 /* 872 * This is the offset of the first byte after the ATM pseudo_header, 873 * or -1 if there is no ATM pseudo-header. 874 */ 875 static u_int off_payload; 876 877 /* 878 * These are offsets to the beginning of the network-layer header. 879 * They are relative to the beginning of the MAC-layer payload (i.e., 880 * they don't include off_ll or off_macpl). 881 * 882 * If the link layer never uses 802.2 LLC: 883 * 884 * "off_nl" and "off_nl_nosnap" are the same. 885 * 886 * If the link layer always uses 802.2 LLC: 887 * 888 * "off_nl" is the offset if there's a SNAP header following 889 * the 802.2 header; 890 * 891 * "off_nl_nosnap" is the offset if there's no SNAP header. 892 * 893 * If the link layer is Ethernet: 894 * 895 * "off_nl" is the offset if the packet is an Ethernet II packet 896 * (we assume no 802.3+802.2+SNAP); 897 * 898 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 899 * with an 802.2 header following it. 900 */ 901 static u_int off_nl; 902 static u_int off_nl_nosnap; 903 904 static int linktype; 905 906 static void 907 init_linktype(p) 908 pcap_t *p; 909 { 910 linktype = pcap_datalink(p); 911 #ifdef PCAP_FDDIPAD 912 pcap_fddipad = p->fddipad; 913 #endif 914 915 /* 916 * Assume it's not raw ATM with a pseudo-header, for now. 917 */ 918 off_mac = 0; 919 is_atm = 0; 920 is_lane = 0; 921 off_vpi = -1; 922 off_vci = -1; 923 off_proto = -1; 924 off_payload = -1; 925 926 /* 927 * And that we're not doing PPPoE. 928 */ 929 is_pppoes = 0; 930 931 /* 932 * And assume we're not doing SS7. 933 */ 934 off_li = -1; 935 off_sio = -1; 936 off_opc = -1; 937 off_dpc = -1; 938 off_sls = -1; 939 940 /* 941 * Also assume it's not 802.11. 942 */ 943 off_ll = 0; 944 off_macpl = 0; 945 off_macpl_is_variable = 0; 946 947 orig_linktype = -1; 948 orig_nl = -1; 949 label_stack_depth = 0; 950 951 reg_off_ll = -1; 952 reg_off_macpl = -1; 953 954 switch (linktype) { 955 956 case DLT_ARCNET: 957 off_linktype = 2; 958 off_macpl = 6; 959 off_nl = 0; /* XXX in reality, variable! */ 960 off_nl_nosnap = 0; /* no 802.2 LLC */ 961 return; 962 963 case DLT_ARCNET_LINUX: 964 off_linktype = 4; 965 off_macpl = 8; 966 off_nl = 0; /* XXX in reality, variable! */ 967 off_nl_nosnap = 0; /* no 802.2 LLC */ 968 return; 969 970 case DLT_EN10MB: 971 off_linktype = 12; 972 off_macpl = 14; /* Ethernet header length */ 973 off_nl = 0; /* Ethernet II */ 974 off_nl_nosnap = 3; /* 802.3+802.2 */ 975 return; 976 977 case DLT_SLIP: 978 /* 979 * SLIP doesn't have a link level type. The 16 byte 980 * header is hacked into our SLIP driver. 981 */ 982 off_linktype = -1; 983 off_macpl = 16; 984 off_nl = 0; 985 off_nl_nosnap = 0; /* no 802.2 LLC */ 986 return; 987 988 case DLT_SLIP_BSDOS: 989 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 990 off_linktype = -1; 991 /* XXX end */ 992 off_macpl = 24; 993 off_nl = 0; 994 off_nl_nosnap = 0; /* no 802.2 LLC */ 995 return; 996 997 case DLT_NULL: 998 case DLT_LOOP: 999 off_linktype = 0; 1000 off_macpl = 4; 1001 off_nl = 0; 1002 off_nl_nosnap = 0; /* no 802.2 LLC */ 1003 return; 1004 1005 case DLT_ENC: 1006 off_linktype = 0; 1007 off_macpl = 12; 1008 off_nl = 0; 1009 off_nl_nosnap = 0; /* no 802.2 LLC */ 1010 return; 1011 1012 case DLT_PPP: 1013 case DLT_PPP_PPPD: 1014 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1015 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1016 off_linktype = 2; 1017 off_macpl = 4; 1018 off_nl = 0; 1019 off_nl_nosnap = 0; /* no 802.2 LLC */ 1020 return; 1021 1022 case DLT_PPP_ETHER: 1023 /* 1024 * This does no include the Ethernet header, and 1025 * only covers session state. 1026 */ 1027 off_linktype = 6; 1028 off_macpl = 8; 1029 off_nl = 0; 1030 off_nl_nosnap = 0; /* no 802.2 LLC */ 1031 return; 1032 1033 case DLT_PPP_BSDOS: 1034 off_linktype = 5; 1035 off_macpl = 24; 1036 off_nl = 0; 1037 off_nl_nosnap = 0; /* no 802.2 LLC */ 1038 return; 1039 1040 case DLT_FDDI: 1041 /* 1042 * FDDI doesn't really have a link-level type field. 1043 * We set "off_linktype" to the offset of the LLC header. 1044 * 1045 * To check for Ethernet types, we assume that SSAP = SNAP 1046 * is being used and pick out the encapsulated Ethernet type. 1047 * XXX - should we generate code to check for SNAP? 1048 */ 1049 off_linktype = 13; 1050 #ifdef PCAP_FDDIPAD 1051 off_linktype += pcap_fddipad; 1052 #endif 1053 off_macpl = 13; /* FDDI MAC header length */ 1054 #ifdef PCAP_FDDIPAD 1055 off_macpl += pcap_fddipad; 1056 #endif 1057 off_nl = 8; /* 802.2+SNAP */ 1058 off_nl_nosnap = 3; /* 802.2 */ 1059 return; 1060 1061 case DLT_IEEE802: 1062 /* 1063 * Token Ring doesn't really have a link-level type field. 1064 * We set "off_linktype" to the offset of the LLC header. 1065 * 1066 * To check for Ethernet types, we assume that SSAP = SNAP 1067 * is being used and pick out the encapsulated Ethernet type. 1068 * XXX - should we generate code to check for SNAP? 1069 * 1070 * XXX - the header is actually variable-length. 1071 * Some various Linux patched versions gave 38 1072 * as "off_linktype" and 40 as "off_nl"; however, 1073 * if a token ring packet has *no* routing 1074 * information, i.e. is not source-routed, the correct 1075 * values are 20 and 22, as they are in the vanilla code. 1076 * 1077 * A packet is source-routed iff the uppermost bit 1078 * of the first byte of the source address, at an 1079 * offset of 8, has the uppermost bit set. If the 1080 * packet is source-routed, the total number of bytes 1081 * of routing information is 2 plus bits 0x1F00 of 1082 * the 16-bit value at an offset of 14 (shifted right 1083 * 8 - figure out which byte that is). 1084 */ 1085 off_linktype = 14; 1086 off_macpl = 14; /* Token Ring MAC header length */ 1087 off_nl = 8; /* 802.2+SNAP */ 1088 off_nl_nosnap = 3; /* 802.2 */ 1089 return; 1090 1091 case DLT_IEEE802_11: 1092 case DLT_PRISM_HEADER: 1093 case DLT_IEEE802_11_RADIO_AVS: 1094 case DLT_IEEE802_11_RADIO: 1095 /* 1096 * 802.11 doesn't really have a link-level type field. 1097 * We set "off_linktype" to the offset of the LLC header. 1098 * 1099 * To check for Ethernet types, we assume that SSAP = SNAP 1100 * is being used and pick out the encapsulated Ethernet type. 1101 * XXX - should we generate code to check for SNAP? 1102 * 1103 * We also handle variable-length radio headers here. 1104 * The Prism header is in theory variable-length, but in 1105 * practice it's always 144 bytes long. However, some 1106 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1107 * sometimes or always supply an AVS header, so we 1108 * have to check whether the radio header is a Prism 1109 * header or an AVS header, so, in practice, it's 1110 * variable-length. 1111 */ 1112 off_linktype = 24; 1113 off_macpl = 0; /* link-layer header is variable-length */ 1114 off_macpl_is_variable = 1; 1115 off_nl = 8; /* 802.2+SNAP */ 1116 off_nl_nosnap = 3; /* 802.2 */ 1117 return; 1118 1119 case DLT_PPI: 1120 /* 1121 * At the moment we treat PPI the same way that we treat 1122 * normal Radiotap encoded packets. The difference is in 1123 * the function that generates the code at the beginning 1124 * to compute the header length. Since this code generator 1125 * of PPI supports bare 802.11 encapsulation only (i.e. 1126 * the encapsulated DLT should be DLT_IEEE802_11) we 1127 * generate code to check for this too. 1128 */ 1129 off_linktype = 24; 1130 off_macpl = 0; /* link-layer header is variable-length */ 1131 off_macpl_is_variable = 1; 1132 off_nl = 8; /* 802.2+SNAP */ 1133 off_nl_nosnap = 3; /* 802.2 */ 1134 return; 1135 1136 case DLT_ATM_RFC1483: 1137 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1138 /* 1139 * assume routed, non-ISO PDUs 1140 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1141 * 1142 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1143 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1144 * latter would presumably be treated the way PPPoE 1145 * should be, so you can do "pppoe and udp port 2049" 1146 * or "pppoa and tcp port 80" and have it check for 1147 * PPPo{A,E} and a PPP protocol of IP and.... 1148 */ 1149 off_linktype = 0; 1150 off_macpl = 0; /* packet begins with LLC header */ 1151 off_nl = 8; /* 802.2+SNAP */ 1152 off_nl_nosnap = 3; /* 802.2 */ 1153 return; 1154 1155 case DLT_SUNATM: 1156 /* 1157 * Full Frontal ATM; you get AALn PDUs with an ATM 1158 * pseudo-header. 1159 */ 1160 is_atm = 1; 1161 off_vpi = SUNATM_VPI_POS; 1162 off_vci = SUNATM_VCI_POS; 1163 off_proto = PROTO_POS; 1164 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1165 off_payload = SUNATM_PKT_BEGIN_POS; 1166 off_linktype = off_payload; 1167 off_macpl = off_payload; /* if LLC-encapsulated */ 1168 off_nl = 8; /* 802.2+SNAP */ 1169 off_nl_nosnap = 3; /* 802.2 */ 1170 return; 1171 1172 case DLT_RAW: 1173 case DLT_IPV4: 1174 case DLT_IPV6: 1175 off_linktype = -1; 1176 off_macpl = 0; 1177 off_nl = 0; 1178 off_nl_nosnap = 0; /* no 802.2 LLC */ 1179 return; 1180 1181 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1182 off_linktype = 14; 1183 off_macpl = 16; 1184 off_nl = 0; 1185 off_nl_nosnap = 0; /* no 802.2 LLC */ 1186 return; 1187 1188 case DLT_LTALK: 1189 /* 1190 * LocalTalk does have a 1-byte type field in the LLAP header, 1191 * but really it just indicates whether there is a "short" or 1192 * "long" DDP packet following. 1193 */ 1194 off_linktype = -1; 1195 off_macpl = 0; 1196 off_nl = 0; 1197 off_nl_nosnap = 0; /* no 802.2 LLC */ 1198 return; 1199 1200 case DLT_IP_OVER_FC: 1201 /* 1202 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1203 * link-level type field. We set "off_linktype" to the 1204 * offset of the LLC header. 1205 * 1206 * To check for Ethernet types, we assume that SSAP = SNAP 1207 * is being used and pick out the encapsulated Ethernet type. 1208 * XXX - should we generate code to check for SNAP? RFC 1209 * 2625 says SNAP should be used. 1210 */ 1211 off_linktype = 16; 1212 off_macpl = 16; 1213 off_nl = 8; /* 802.2+SNAP */ 1214 off_nl_nosnap = 3; /* 802.2 */ 1215 return; 1216 1217 case DLT_FRELAY: 1218 /* 1219 * XXX - we should set this to handle SNAP-encapsulated 1220 * frames (NLPID of 0x80). 1221 */ 1222 off_linktype = -1; 1223 off_macpl = 0; 1224 off_nl = 0; 1225 off_nl_nosnap = 0; /* no 802.2 LLC */ 1226 return; 1227 1228 /* 1229 * the only BPF-interesting FRF.16 frames are non-control frames; 1230 * Frame Relay has a variable length link-layer 1231 * so lets start with offset 4 for now and increments later on (FIXME); 1232 */ 1233 case DLT_MFR: 1234 off_linktype = -1; 1235 off_macpl = 0; 1236 off_nl = 4; 1237 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1238 return; 1239 1240 case DLT_APPLE_IP_OVER_IEEE1394: 1241 off_linktype = 16; 1242 off_macpl = 18; 1243 off_nl = 0; 1244 off_nl_nosnap = 0; /* no 802.2 LLC */ 1245 return; 1246 1247 case DLT_SYMANTEC_FIREWALL: 1248 off_linktype = 6; 1249 off_macpl = 44; 1250 off_nl = 0; /* Ethernet II */ 1251 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1252 return; 1253 1254 #ifdef HAVE_NET_PFVAR_H 1255 case DLT_PFLOG: 1256 off_linktype = 0; 1257 off_macpl = PFLOG_HDRLEN; 1258 off_nl = 0; 1259 off_nl_nosnap = 0; /* no 802.2 LLC */ 1260 return; 1261 #endif 1262 1263 case DLT_JUNIPER_MFR: 1264 case DLT_JUNIPER_MLFR: 1265 case DLT_JUNIPER_MLPPP: 1266 case DLT_JUNIPER_PPP: 1267 case DLT_JUNIPER_CHDLC: 1268 case DLT_JUNIPER_FRELAY: 1269 off_linktype = 4; 1270 off_macpl = 4; 1271 off_nl = 0; 1272 off_nl_nosnap = -1; /* no 802.2 LLC */ 1273 return; 1274 1275 case DLT_JUNIPER_ATM1: 1276 off_linktype = 4; /* in reality variable between 4-8 */ 1277 off_macpl = 4; /* in reality variable between 4-8 */ 1278 off_nl = 0; 1279 off_nl_nosnap = 10; 1280 return; 1281 1282 case DLT_JUNIPER_ATM2: 1283 off_linktype = 8; /* in reality variable between 8-12 */ 1284 off_macpl = 8; /* in reality variable between 8-12 */ 1285 off_nl = 0; 1286 off_nl_nosnap = 10; 1287 return; 1288 1289 /* frames captured on a Juniper PPPoE service PIC 1290 * contain raw ethernet frames */ 1291 case DLT_JUNIPER_PPPOE: 1292 case DLT_JUNIPER_ETHER: 1293 off_macpl = 14; 1294 off_linktype = 16; 1295 off_nl = 18; /* Ethernet II */ 1296 off_nl_nosnap = 21; /* 802.3+802.2 */ 1297 return; 1298 1299 case DLT_JUNIPER_PPPOE_ATM: 1300 off_linktype = 4; 1301 off_macpl = 6; 1302 off_nl = 0; 1303 off_nl_nosnap = -1; /* no 802.2 LLC */ 1304 return; 1305 1306 case DLT_JUNIPER_GGSN: 1307 off_linktype = 6; 1308 off_macpl = 12; 1309 off_nl = 0; 1310 off_nl_nosnap = -1; /* no 802.2 LLC */ 1311 return; 1312 1313 case DLT_JUNIPER_ES: 1314 off_linktype = 6; 1315 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1316 off_nl = -1; /* not really a network layer but raw IP addresses */ 1317 off_nl_nosnap = -1; /* no 802.2 LLC */ 1318 return; 1319 1320 case DLT_JUNIPER_MONITOR: 1321 off_linktype = 12; 1322 off_macpl = 12; 1323 off_nl = 0; /* raw IP/IP6 header */ 1324 off_nl_nosnap = -1; /* no 802.2 LLC */ 1325 return; 1326 1327 case DLT_JUNIPER_SERVICES: 1328 off_linktype = 12; 1329 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1330 off_nl = -1; /* L3 proto location dep. on cookie type */ 1331 off_nl_nosnap = -1; /* no 802.2 LLC */ 1332 return; 1333 1334 case DLT_JUNIPER_VP: 1335 off_linktype = 18; 1336 off_macpl = -1; 1337 off_nl = -1; 1338 off_nl_nosnap = -1; 1339 return; 1340 1341 case DLT_JUNIPER_ST: 1342 off_linktype = 18; 1343 off_macpl = -1; 1344 off_nl = -1; 1345 off_nl_nosnap = -1; 1346 return; 1347 1348 case DLT_JUNIPER_ISM: 1349 off_linktype = 8; 1350 off_macpl = -1; 1351 off_nl = -1; 1352 off_nl_nosnap = -1; 1353 return; 1354 1355 case DLT_JUNIPER_VS: 1356 case DLT_JUNIPER_SRX_E2E: 1357 case DLT_JUNIPER_FIBRECHANNEL: 1358 case DLT_JUNIPER_ATM_CEMIC: 1359 off_linktype = 8; 1360 off_macpl = -1; 1361 off_nl = -1; 1362 off_nl_nosnap = -1; 1363 return; 1364 1365 case DLT_MTP2: 1366 off_li = 2; 1367 off_sio = 3; 1368 off_opc = 4; 1369 off_dpc = 4; 1370 off_sls = 7; 1371 off_linktype = -1; 1372 off_macpl = -1; 1373 off_nl = -1; 1374 off_nl_nosnap = -1; 1375 return; 1376 1377 case DLT_MTP2_WITH_PHDR: 1378 off_li = 6; 1379 off_sio = 7; 1380 off_opc = 8; 1381 off_dpc = 8; 1382 off_sls = 11; 1383 off_linktype = -1; 1384 off_macpl = -1; 1385 off_nl = -1; 1386 off_nl_nosnap = -1; 1387 return; 1388 1389 case DLT_ERF: 1390 off_li = 22; 1391 off_sio = 23; 1392 off_opc = 24; 1393 off_dpc = 24; 1394 off_sls = 27; 1395 off_linktype = -1; 1396 off_macpl = -1; 1397 off_nl = -1; 1398 off_nl_nosnap = -1; 1399 return; 1400 1401 case DLT_PFSYNC: 1402 off_linktype = -1; 1403 off_macpl = 4; 1404 off_nl = 0; 1405 off_nl_nosnap = 0; 1406 return; 1407 1408 case DLT_AX25_KISS: 1409 /* 1410 * Currently, only raw "link[N:M]" filtering is supported. 1411 */ 1412 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1413 off_macpl = -1; 1414 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1415 off_nl_nosnap = -1; /* no 802.2 LLC */ 1416 off_mac = 1; /* step over the kiss length byte */ 1417 return; 1418 1419 case DLT_IPNET: 1420 off_linktype = 1; 1421 off_macpl = 24; /* ipnet header length */ 1422 off_nl = 0; 1423 off_nl_nosnap = -1; 1424 return; 1425 1426 case DLT_NETANALYZER: 1427 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1428 off_linktype = 16; /* includes 4-byte pseudo-header */ 1429 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1430 off_nl = 0; /* Ethernet II */ 1431 off_nl_nosnap = 3; /* 802.3+802.2 */ 1432 return; 1433 1434 case DLT_NETANALYZER_TRANSPARENT: 1435 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1436 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1437 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1438 off_nl = 0; /* Ethernet II */ 1439 off_nl_nosnap = 3; /* 802.3+802.2 */ 1440 return; 1441 1442 default: 1443 /* 1444 * For values in the range in which we've assigned new 1445 * DLT_ values, only raw "link[N:M]" filtering is supported. 1446 */ 1447 if (linktype >= DLT_MATCHING_MIN && 1448 linktype <= DLT_MATCHING_MAX) { 1449 off_linktype = -1; 1450 off_macpl = -1; 1451 off_nl = -1; 1452 off_nl_nosnap = -1; 1453 return; 1454 } 1455 1456 } 1457 bpf_error("unknown data link type %d", linktype); 1458 /* NOTREACHED */ 1459 } 1460 1461 /* 1462 * Load a value relative to the beginning of the link-layer header. 1463 * The link-layer header doesn't necessarily begin at the beginning 1464 * of the packet data; there might be a variable-length prefix containing 1465 * radio information. 1466 */ 1467 static struct slist * 1468 gen_load_llrel(offset, size) 1469 u_int offset, size; 1470 { 1471 struct slist *s, *s2; 1472 1473 s = gen_llprefixlen(); 1474 1475 /* 1476 * If "s" is non-null, it has code to arrange that the X register 1477 * contains the length of the prefix preceding the link-layer 1478 * header. 1479 * 1480 * Otherwise, the length of the prefix preceding the link-layer 1481 * header is "off_ll". 1482 */ 1483 if (s != NULL) { 1484 /* 1485 * There's a variable-length prefix preceding the 1486 * link-layer header. "s" points to a list of statements 1487 * that put the length of that prefix into the X register. 1488 * do an indirect load, to use the X register as an offset. 1489 */ 1490 s2 = new_stmt(BPF_LD|BPF_IND|size); 1491 s2->s.k = offset; 1492 sappend(s, s2); 1493 } else { 1494 /* 1495 * There is no variable-length header preceding the 1496 * link-layer header; add in off_ll, which, if there's 1497 * a fixed-length header preceding the link-layer header, 1498 * is the length of that header. 1499 */ 1500 s = new_stmt(BPF_LD|BPF_ABS|size); 1501 s->s.k = offset + off_ll; 1502 } 1503 return s; 1504 } 1505 1506 /* 1507 * Load a value relative to the beginning of the MAC-layer payload. 1508 */ 1509 static struct slist * 1510 gen_load_macplrel(offset, size) 1511 u_int offset, size; 1512 { 1513 struct slist *s, *s2; 1514 1515 s = gen_off_macpl(); 1516 1517 /* 1518 * If s is non-null, the offset of the MAC-layer payload is 1519 * variable, and s points to a list of instructions that 1520 * arrange that the X register contains that offset. 1521 * 1522 * Otherwise, the offset of the MAC-layer payload is constant, 1523 * and is in off_macpl. 1524 */ 1525 if (s != NULL) { 1526 /* 1527 * The offset of the MAC-layer payload is in the X 1528 * register. Do an indirect load, to use the X register 1529 * as an offset. 1530 */ 1531 s2 = new_stmt(BPF_LD|BPF_IND|size); 1532 s2->s.k = offset; 1533 sappend(s, s2); 1534 } else { 1535 /* 1536 * The offset of the MAC-layer payload is constant, 1537 * and is in off_macpl; load the value at that offset 1538 * plus the specified offset. 1539 */ 1540 s = new_stmt(BPF_LD|BPF_ABS|size); 1541 s->s.k = off_macpl + offset; 1542 } 1543 return s; 1544 } 1545 1546 /* 1547 * Load a value relative to the beginning of the specified header. 1548 */ 1549 static struct slist * 1550 gen_load_a(offrel, offset, size) 1551 enum e_offrel offrel; 1552 u_int offset, size; 1553 { 1554 struct slist *s, *s2; 1555 1556 switch (offrel) { 1557 1558 case OR_PACKET: 1559 s = new_stmt(BPF_LD|BPF_ABS|size); 1560 s->s.k = offset; 1561 break; 1562 1563 case OR_LINK: 1564 s = gen_load_llrel(offset, size); 1565 break; 1566 1567 case OR_MACPL: 1568 s = gen_load_macplrel(offset, size); 1569 break; 1570 1571 case OR_NET: 1572 s = gen_load_macplrel(off_nl + offset, size); 1573 break; 1574 1575 case OR_NET_NOSNAP: 1576 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1577 break; 1578 1579 case OR_TRAN_IPV4: 1580 /* 1581 * Load the X register with the length of the IPv4 header 1582 * (plus the offset of the link-layer header, if it's 1583 * preceded by a variable-length header such as a radio 1584 * header), in bytes. 1585 */ 1586 s = gen_loadx_iphdrlen(); 1587 1588 /* 1589 * Load the item at {offset of the MAC-layer payload} + 1590 * {offset, relative to the start of the MAC-layer 1591 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1592 * {specified offset}. 1593 * 1594 * (If the offset of the MAC-layer payload is variable, 1595 * it's included in the value in the X register, and 1596 * off_macpl is 0.) 1597 */ 1598 s2 = new_stmt(BPF_LD|BPF_IND|size); 1599 s2->s.k = off_macpl + off_nl + offset; 1600 sappend(s, s2); 1601 break; 1602 1603 case OR_TRAN_IPV6: 1604 s = gen_load_macplrel(off_nl + 40 + offset, size); 1605 break; 1606 1607 default: 1608 abort(); 1609 return NULL; 1610 } 1611 return s; 1612 } 1613 1614 /* 1615 * Generate code to load into the X register the sum of the length of 1616 * the IPv4 header and any variable-length header preceding the link-layer 1617 * header. 1618 */ 1619 static struct slist * 1620 gen_loadx_iphdrlen() 1621 { 1622 struct slist *s, *s2; 1623 1624 s = gen_off_macpl(); 1625 if (s != NULL) { 1626 /* 1627 * There's a variable-length prefix preceding the 1628 * link-layer header, or the link-layer header is itself 1629 * variable-length. "s" points to a list of statements 1630 * that put the offset of the MAC-layer payload into 1631 * the X register. 1632 * 1633 * The 4*([k]&0xf) addressing mode can't be used, as we 1634 * don't have a constant offset, so we have to load the 1635 * value in question into the A register and add to it 1636 * the value from the X register. 1637 */ 1638 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1639 s2->s.k = off_nl; 1640 sappend(s, s2); 1641 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1642 s2->s.k = 0xf; 1643 sappend(s, s2); 1644 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1645 s2->s.k = 2; 1646 sappend(s, s2); 1647 1648 /* 1649 * The A register now contains the length of the 1650 * IP header. We need to add to it the offset of 1651 * the MAC-layer payload, which is still in the X 1652 * register, and move the result into the X register. 1653 */ 1654 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1655 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1656 } else { 1657 /* 1658 * There is no variable-length header preceding the 1659 * link-layer header, and the link-layer header is 1660 * fixed-length; load the length of the IPv4 header, 1661 * which is at an offset of off_nl from the beginning 1662 * of the MAC-layer payload, and thus at an offset 1663 * of off_mac_pl + off_nl from the beginning of the 1664 * raw packet data. 1665 */ 1666 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1667 s->s.k = off_macpl + off_nl; 1668 } 1669 return s; 1670 } 1671 1672 static struct block * 1673 gen_uncond(rsense) 1674 int rsense; 1675 { 1676 struct block *b; 1677 struct slist *s; 1678 1679 s = new_stmt(BPF_LD|BPF_IMM); 1680 s->s.k = !rsense; 1681 b = new_block(JMP(BPF_JEQ)); 1682 b->stmts = s; 1683 1684 return b; 1685 } 1686 1687 static inline struct block * 1688 gen_true() 1689 { 1690 return gen_uncond(1); 1691 } 1692 1693 static inline struct block * 1694 gen_false() 1695 { 1696 return gen_uncond(0); 1697 } 1698 1699 /* 1700 * Byte-swap a 32-bit number. 1701 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1702 * big-endian platforms.) 1703 */ 1704 #define SWAPLONG(y) \ 1705 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1706 1707 /* 1708 * Generate code to match a particular packet type. 1709 * 1710 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1711 * value, if <= ETHERMTU. We use that to determine whether to 1712 * match the type/length field or to check the type/length field for 1713 * a value <= ETHERMTU to see whether it's a type field and then do 1714 * the appropriate test. 1715 */ 1716 static struct block * 1717 gen_ether_linktype(proto) 1718 register int proto; 1719 { 1720 struct block *b0, *b1; 1721 1722 switch (proto) { 1723 1724 case LLCSAP_ISONS: 1725 case LLCSAP_IP: 1726 case LLCSAP_NETBEUI: 1727 /* 1728 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1729 * so we check the DSAP and SSAP. 1730 * 1731 * LLCSAP_IP checks for IP-over-802.2, rather 1732 * than IP-over-Ethernet or IP-over-SNAP. 1733 * 1734 * XXX - should we check both the DSAP and the 1735 * SSAP, like this, or should we check just the 1736 * DSAP, as we do for other types <= ETHERMTU 1737 * (i.e., other SAP values)? 1738 */ 1739 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1740 gen_not(b0); 1741 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1742 ((proto << 8) | proto)); 1743 gen_and(b0, b1); 1744 return b1; 1745 1746 case LLCSAP_IPX: 1747 /* 1748 * Check for; 1749 * 1750 * Ethernet_II frames, which are Ethernet 1751 * frames with a frame type of ETHERTYPE_IPX; 1752 * 1753 * Ethernet_802.3 frames, which are 802.3 1754 * frames (i.e., the type/length field is 1755 * a length field, <= ETHERMTU, rather than 1756 * a type field) with the first two bytes 1757 * after the Ethernet/802.3 header being 1758 * 0xFFFF; 1759 * 1760 * Ethernet_802.2 frames, which are 802.3 1761 * frames with an 802.2 LLC header and 1762 * with the IPX LSAP as the DSAP in the LLC 1763 * header; 1764 * 1765 * Ethernet_SNAP frames, which are 802.3 1766 * frames with an LLC header and a SNAP 1767 * header and with an OUI of 0x000000 1768 * (encapsulated Ethernet) and a protocol 1769 * ID of ETHERTYPE_IPX in the SNAP header. 1770 * 1771 * XXX - should we generate the same code both 1772 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1773 */ 1774 1775 /* 1776 * This generates code to check both for the 1777 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1778 */ 1779 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1780 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1781 gen_or(b0, b1); 1782 1783 /* 1784 * Now we add code to check for SNAP frames with 1785 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1786 */ 1787 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1788 gen_or(b0, b1); 1789 1790 /* 1791 * Now we generate code to check for 802.3 1792 * frames in general. 1793 */ 1794 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1795 gen_not(b0); 1796 1797 /* 1798 * Now add the check for 802.3 frames before the 1799 * check for Ethernet_802.2 and Ethernet_802.3, 1800 * as those checks should only be done on 802.3 1801 * frames, not on Ethernet frames. 1802 */ 1803 gen_and(b0, b1); 1804 1805 /* 1806 * Now add the check for Ethernet_II frames, and 1807 * do that before checking for the other frame 1808 * types. 1809 */ 1810 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1811 (bpf_int32)ETHERTYPE_IPX); 1812 gen_or(b0, b1); 1813 return b1; 1814 1815 case ETHERTYPE_ATALK: 1816 case ETHERTYPE_AARP: 1817 /* 1818 * EtherTalk (AppleTalk protocols on Ethernet link 1819 * layer) may use 802.2 encapsulation. 1820 */ 1821 1822 /* 1823 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1824 * we check for an Ethernet type field less than 1825 * 1500, which means it's an 802.3 length field. 1826 */ 1827 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1828 gen_not(b0); 1829 1830 /* 1831 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1832 * SNAP packets with an organization code of 1833 * 0x080007 (Apple, for Appletalk) and a protocol 1834 * type of ETHERTYPE_ATALK (Appletalk). 1835 * 1836 * 802.2-encapsulated ETHERTYPE_AARP packets are 1837 * SNAP packets with an organization code of 1838 * 0x000000 (encapsulated Ethernet) and a protocol 1839 * type of ETHERTYPE_AARP (Appletalk ARP). 1840 */ 1841 if (proto == ETHERTYPE_ATALK) 1842 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1843 else /* proto == ETHERTYPE_AARP */ 1844 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1845 gen_and(b0, b1); 1846 1847 /* 1848 * Check for Ethernet encapsulation (Ethertalk 1849 * phase 1?); we just check for the Ethernet 1850 * protocol type. 1851 */ 1852 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1853 1854 gen_or(b0, b1); 1855 return b1; 1856 1857 default: 1858 if (proto <= ETHERMTU) { 1859 /* 1860 * This is an LLC SAP value, so the frames 1861 * that match would be 802.2 frames. 1862 * Check that the frame is an 802.2 frame 1863 * (i.e., that the length/type field is 1864 * a length field, <= ETHERMTU) and 1865 * then check the DSAP. 1866 */ 1867 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1868 gen_not(b0); 1869 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1870 (bpf_int32)proto); 1871 gen_and(b0, b1); 1872 return b1; 1873 } else { 1874 /* 1875 * This is an Ethernet type, so compare 1876 * the length/type field with it (if 1877 * the frame is an 802.2 frame, the length 1878 * field will be <= ETHERMTU, and, as 1879 * "proto" is > ETHERMTU, this test 1880 * will fail and the frame won't match, 1881 * which is what we want). 1882 */ 1883 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1884 (bpf_int32)proto); 1885 } 1886 } 1887 } 1888 1889 /* 1890 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1891 * or IPv6 then we have an error. 1892 */ 1893 static struct block * 1894 gen_ipnet_linktype(proto) 1895 register int proto; 1896 { 1897 switch (proto) { 1898 1899 case ETHERTYPE_IP: 1900 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1901 (bpf_int32)IPH_AF_INET); 1902 /* NOTREACHED */ 1903 1904 case ETHERTYPE_IPV6: 1905 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1906 (bpf_int32)IPH_AF_INET6); 1907 /* NOTREACHED */ 1908 1909 default: 1910 break; 1911 } 1912 1913 return gen_false(); 1914 } 1915 1916 /* 1917 * Generate code to match a particular packet type. 1918 * 1919 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1920 * value, if <= ETHERMTU. We use that to determine whether to 1921 * match the type field or to check the type field for the special 1922 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1923 */ 1924 static struct block * 1925 gen_linux_sll_linktype(proto) 1926 register int proto; 1927 { 1928 struct block *b0, *b1; 1929 1930 switch (proto) { 1931 1932 case LLCSAP_ISONS: 1933 case LLCSAP_IP: 1934 case LLCSAP_NETBEUI: 1935 /* 1936 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1937 * so we check the DSAP and SSAP. 1938 * 1939 * LLCSAP_IP checks for IP-over-802.2, rather 1940 * than IP-over-Ethernet or IP-over-SNAP. 1941 * 1942 * XXX - should we check both the DSAP and the 1943 * SSAP, like this, or should we check just the 1944 * DSAP, as we do for other types <= ETHERMTU 1945 * (i.e., other SAP values)? 1946 */ 1947 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1948 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1949 ((proto << 8) | proto)); 1950 gen_and(b0, b1); 1951 return b1; 1952 1953 case LLCSAP_IPX: 1954 /* 1955 * Ethernet_II frames, which are Ethernet 1956 * frames with a frame type of ETHERTYPE_IPX; 1957 * 1958 * Ethernet_802.3 frames, which have a frame 1959 * type of LINUX_SLL_P_802_3; 1960 * 1961 * Ethernet_802.2 frames, which are 802.3 1962 * frames with an 802.2 LLC header (i.e, have 1963 * a frame type of LINUX_SLL_P_802_2) and 1964 * with the IPX LSAP as the DSAP in the LLC 1965 * header; 1966 * 1967 * Ethernet_SNAP frames, which are 802.3 1968 * frames with an LLC header and a SNAP 1969 * header and with an OUI of 0x000000 1970 * (encapsulated Ethernet) and a protocol 1971 * ID of ETHERTYPE_IPX in the SNAP header. 1972 * 1973 * First, do the checks on LINUX_SLL_P_802_2 1974 * frames; generate the check for either 1975 * Ethernet_802.2 or Ethernet_SNAP frames, and 1976 * then put a check for LINUX_SLL_P_802_2 frames 1977 * before it. 1978 */ 1979 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1980 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 1981 gen_or(b0, b1); 1982 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1983 gen_and(b0, b1); 1984 1985 /* 1986 * Now check for 802.3 frames and OR that with 1987 * the previous test. 1988 */ 1989 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1990 gen_or(b0, b1); 1991 1992 /* 1993 * Now add the check for Ethernet_II frames, and 1994 * do that before checking for the other frame 1995 * types. 1996 */ 1997 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1998 (bpf_int32)ETHERTYPE_IPX); 1999 gen_or(b0, b1); 2000 return b1; 2001 2002 case ETHERTYPE_ATALK: 2003 case ETHERTYPE_AARP: 2004 /* 2005 * EtherTalk (AppleTalk protocols on Ethernet link 2006 * layer) may use 802.2 encapsulation. 2007 */ 2008 2009 /* 2010 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2011 * we check for the 802.2 protocol type in the 2012 * "Ethernet type" field. 2013 */ 2014 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2015 2016 /* 2017 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2018 * SNAP packets with an organization code of 2019 * 0x080007 (Apple, for Appletalk) and a protocol 2020 * type of ETHERTYPE_ATALK (Appletalk). 2021 * 2022 * 802.2-encapsulated ETHERTYPE_AARP packets are 2023 * SNAP packets with an organization code of 2024 * 0x000000 (encapsulated Ethernet) and a protocol 2025 * type of ETHERTYPE_AARP (Appletalk ARP). 2026 */ 2027 if (proto == ETHERTYPE_ATALK) 2028 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2029 else /* proto == ETHERTYPE_AARP */ 2030 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2031 gen_and(b0, b1); 2032 2033 /* 2034 * Check for Ethernet encapsulation (Ethertalk 2035 * phase 1?); we just check for the Ethernet 2036 * protocol type. 2037 */ 2038 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2039 2040 gen_or(b0, b1); 2041 return b1; 2042 2043 default: 2044 if (proto <= ETHERMTU) { 2045 /* 2046 * This is an LLC SAP value, so the frames 2047 * that match would be 802.2 frames. 2048 * Check for the 802.2 protocol type 2049 * in the "Ethernet type" field, and 2050 * then check the DSAP. 2051 */ 2052 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2053 LINUX_SLL_P_802_2); 2054 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2055 (bpf_int32)proto); 2056 gen_and(b0, b1); 2057 return b1; 2058 } else { 2059 /* 2060 * This is an Ethernet type, so compare 2061 * the length/type field with it (if 2062 * the frame is an 802.2 frame, the length 2063 * field will be <= ETHERMTU, and, as 2064 * "proto" is > ETHERMTU, this test 2065 * will fail and the frame won't match, 2066 * which is what we want). 2067 */ 2068 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2069 (bpf_int32)proto); 2070 } 2071 } 2072 } 2073 2074 static struct slist * 2075 gen_load_prism_llprefixlen() 2076 { 2077 struct slist *s1, *s2; 2078 struct slist *sjeq_avs_cookie; 2079 struct slist *sjcommon; 2080 2081 /* 2082 * This code is not compatible with the optimizer, as 2083 * we are generating jmp instructions within a normal 2084 * slist of instructions 2085 */ 2086 no_optimize = 1; 2087 2088 /* 2089 * Generate code to load the length of the radio header into 2090 * the register assigned to hold that length, if one has been 2091 * assigned. (If one hasn't been assigned, no code we've 2092 * generated uses that prefix, so we don't need to generate any 2093 * code to load it.) 2094 * 2095 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2096 * or always use the AVS header rather than the Prism header. 2097 * We load a 4-byte big-endian value at the beginning of the 2098 * raw packet data, and see whether, when masked with 0xFFFFF000, 2099 * it's equal to 0x80211000. If so, that indicates that it's 2100 * an AVS header (the masked-out bits are the version number). 2101 * Otherwise, it's a Prism header. 2102 * 2103 * XXX - the Prism header is also, in theory, variable-length, 2104 * but no known software generates headers that aren't 144 2105 * bytes long. 2106 */ 2107 if (reg_off_ll != -1) { 2108 /* 2109 * Load the cookie. 2110 */ 2111 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2112 s1->s.k = 0; 2113 2114 /* 2115 * AND it with 0xFFFFF000. 2116 */ 2117 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2118 s2->s.k = 0xFFFFF000; 2119 sappend(s1, s2); 2120 2121 /* 2122 * Compare with 0x80211000. 2123 */ 2124 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2125 sjeq_avs_cookie->s.k = 0x80211000; 2126 sappend(s1, sjeq_avs_cookie); 2127 2128 /* 2129 * If it's AVS: 2130 * 2131 * The 4 bytes at an offset of 4 from the beginning of 2132 * the AVS header are the length of the AVS header. 2133 * That field is big-endian. 2134 */ 2135 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2136 s2->s.k = 4; 2137 sappend(s1, s2); 2138 sjeq_avs_cookie->s.jt = s2; 2139 2140 /* 2141 * Now jump to the code to allocate a register 2142 * into which to save the header length and 2143 * store the length there. (The "jump always" 2144 * instruction needs to have the k field set; 2145 * it's added to the PC, so, as we're jumping 2146 * over a single instruction, it should be 1.) 2147 */ 2148 sjcommon = new_stmt(JMP(BPF_JA)); 2149 sjcommon->s.k = 1; 2150 sappend(s1, sjcommon); 2151 2152 /* 2153 * Now for the code that handles the Prism header. 2154 * Just load the length of the Prism header (144) 2155 * into the A register. Have the test for an AVS 2156 * header branch here if we don't have an AVS header. 2157 */ 2158 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2159 s2->s.k = 144; 2160 sappend(s1, s2); 2161 sjeq_avs_cookie->s.jf = s2; 2162 2163 /* 2164 * Now allocate a register to hold that value and store 2165 * it. The code for the AVS header will jump here after 2166 * loading the length of the AVS header. 2167 */ 2168 s2 = new_stmt(BPF_ST); 2169 s2->s.k = reg_off_ll; 2170 sappend(s1, s2); 2171 sjcommon->s.jf = s2; 2172 2173 /* 2174 * Now move it into the X register. 2175 */ 2176 s2 = new_stmt(BPF_MISC|BPF_TAX); 2177 sappend(s1, s2); 2178 2179 return (s1); 2180 } else 2181 return (NULL); 2182 } 2183 2184 static struct slist * 2185 gen_load_avs_llprefixlen() 2186 { 2187 struct slist *s1, *s2; 2188 2189 /* 2190 * Generate code to load the length of the AVS header into 2191 * the register assigned to hold that length, if one has been 2192 * assigned. (If one hasn't been assigned, no code we've 2193 * generated uses that prefix, so we don't need to generate any 2194 * code to load it.) 2195 */ 2196 if (reg_off_ll != -1) { 2197 /* 2198 * The 4 bytes at an offset of 4 from the beginning of 2199 * the AVS header are the length of the AVS header. 2200 * That field is big-endian. 2201 */ 2202 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2203 s1->s.k = 4; 2204 2205 /* 2206 * Now allocate a register to hold that value and store 2207 * it. 2208 */ 2209 s2 = new_stmt(BPF_ST); 2210 s2->s.k = reg_off_ll; 2211 sappend(s1, s2); 2212 2213 /* 2214 * Now move it into the X register. 2215 */ 2216 s2 = new_stmt(BPF_MISC|BPF_TAX); 2217 sappend(s1, s2); 2218 2219 return (s1); 2220 } else 2221 return (NULL); 2222 } 2223 2224 static struct slist * 2225 gen_load_radiotap_llprefixlen() 2226 { 2227 struct slist *s1, *s2; 2228 2229 /* 2230 * Generate code to load the length of the radiotap header into 2231 * the register assigned to hold that length, if one has been 2232 * assigned. (If one hasn't been assigned, no code we've 2233 * generated uses that prefix, so we don't need to generate any 2234 * code to load it.) 2235 */ 2236 if (reg_off_ll != -1) { 2237 /* 2238 * The 2 bytes at offsets of 2 and 3 from the beginning 2239 * of the radiotap header are the length of the radiotap 2240 * header; unfortunately, it's little-endian, so we have 2241 * to load it a byte at a time and construct the value. 2242 */ 2243 2244 /* 2245 * Load the high-order byte, at an offset of 3, shift it 2246 * left a byte, and put the result in the X register. 2247 */ 2248 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2249 s1->s.k = 3; 2250 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2251 sappend(s1, s2); 2252 s2->s.k = 8; 2253 s2 = new_stmt(BPF_MISC|BPF_TAX); 2254 sappend(s1, s2); 2255 2256 /* 2257 * Load the next byte, at an offset of 2, and OR the 2258 * value from the X register into it. 2259 */ 2260 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2261 sappend(s1, s2); 2262 s2->s.k = 2; 2263 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2264 sappend(s1, s2); 2265 2266 /* 2267 * Now allocate a register to hold that value and store 2268 * it. 2269 */ 2270 s2 = new_stmt(BPF_ST); 2271 s2->s.k = reg_off_ll; 2272 sappend(s1, s2); 2273 2274 /* 2275 * Now move it into the X register. 2276 */ 2277 s2 = new_stmt(BPF_MISC|BPF_TAX); 2278 sappend(s1, s2); 2279 2280 return (s1); 2281 } else 2282 return (NULL); 2283 } 2284 2285 /* 2286 * At the moment we treat PPI as normal Radiotap encoded 2287 * packets. The difference is in the function that generates 2288 * the code at the beginning to compute the header length. 2289 * Since this code generator of PPI supports bare 802.11 2290 * encapsulation only (i.e. the encapsulated DLT should be 2291 * DLT_IEEE802_11) we generate code to check for this too; 2292 * that's done in finish_parse(). 2293 */ 2294 static struct slist * 2295 gen_load_ppi_llprefixlen() 2296 { 2297 struct slist *s1, *s2; 2298 2299 /* 2300 * Generate code to load the length of the radiotap header 2301 * into the register assigned to hold that length, if one has 2302 * been assigned. 2303 */ 2304 if (reg_off_ll != -1) { 2305 /* 2306 * The 2 bytes at offsets of 2 and 3 from the beginning 2307 * of the radiotap header are the length of the radiotap 2308 * header; unfortunately, it's little-endian, so we have 2309 * to load it a byte at a time and construct the value. 2310 */ 2311 2312 /* 2313 * Load the high-order byte, at an offset of 3, shift it 2314 * left a byte, and put the result in the X register. 2315 */ 2316 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2317 s1->s.k = 3; 2318 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2319 sappend(s1, s2); 2320 s2->s.k = 8; 2321 s2 = new_stmt(BPF_MISC|BPF_TAX); 2322 sappend(s1, s2); 2323 2324 /* 2325 * Load the next byte, at an offset of 2, and OR the 2326 * value from the X register into it. 2327 */ 2328 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2329 sappend(s1, s2); 2330 s2->s.k = 2; 2331 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2332 sappend(s1, s2); 2333 2334 /* 2335 * Now allocate a register to hold that value and store 2336 * it. 2337 */ 2338 s2 = new_stmt(BPF_ST); 2339 s2->s.k = reg_off_ll; 2340 sappend(s1, s2); 2341 2342 /* 2343 * Now move it into the X register. 2344 */ 2345 s2 = new_stmt(BPF_MISC|BPF_TAX); 2346 sappend(s1, s2); 2347 2348 return (s1); 2349 } else 2350 return (NULL); 2351 } 2352 2353 /* 2354 * Load a value relative to the beginning of the link-layer header after the 802.11 2355 * header, i.e. LLC_SNAP. 2356 * The link-layer header doesn't necessarily begin at the beginning 2357 * of the packet data; there might be a variable-length prefix containing 2358 * radio information. 2359 */ 2360 static struct slist * 2361 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2362 { 2363 struct slist *s2; 2364 struct slist *sjset_data_frame_1; 2365 struct slist *sjset_data_frame_2; 2366 struct slist *sjset_qos; 2367 struct slist *sjset_radiotap_flags; 2368 struct slist *sjset_radiotap_tsft; 2369 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2370 struct slist *s_roundup; 2371 2372 if (reg_off_macpl == -1) { 2373 /* 2374 * No register has been assigned to the offset of 2375 * the MAC-layer payload, which means nobody needs 2376 * it; don't bother computing it - just return 2377 * what we already have. 2378 */ 2379 return (s); 2380 } 2381 2382 /* 2383 * This code is not compatible with the optimizer, as 2384 * we are generating jmp instructions within a normal 2385 * slist of instructions 2386 */ 2387 no_optimize = 1; 2388 2389 /* 2390 * If "s" is non-null, it has code to arrange that the X register 2391 * contains the length of the prefix preceding the link-layer 2392 * header. 2393 * 2394 * Otherwise, the length of the prefix preceding the link-layer 2395 * header is "off_ll". 2396 */ 2397 if (s == NULL) { 2398 /* 2399 * There is no variable-length header preceding the 2400 * link-layer header. 2401 * 2402 * Load the length of the fixed-length prefix preceding 2403 * the link-layer header (if any) into the X register, 2404 * and store it in the reg_off_macpl register. 2405 * That length is off_ll. 2406 */ 2407 s = new_stmt(BPF_LDX|BPF_IMM); 2408 s->s.k = off_ll; 2409 } 2410 2411 /* 2412 * The X register contains the offset of the beginning of the 2413 * link-layer header; add 24, which is the minimum length 2414 * of the MAC header for a data frame, to that, and store it 2415 * in reg_off_macpl, and then load the Frame Control field, 2416 * which is at the offset in the X register, with an indexed load. 2417 */ 2418 s2 = new_stmt(BPF_MISC|BPF_TXA); 2419 sappend(s, s2); 2420 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2421 s2->s.k = 24; 2422 sappend(s, s2); 2423 s2 = new_stmt(BPF_ST); 2424 s2->s.k = reg_off_macpl; 2425 sappend(s, s2); 2426 2427 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2428 s2->s.k = 0; 2429 sappend(s, s2); 2430 2431 /* 2432 * Check the Frame Control field to see if this is a data frame; 2433 * a data frame has the 0x08 bit (b3) in that field set and the 2434 * 0x04 bit (b2) clear. 2435 */ 2436 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2437 sjset_data_frame_1->s.k = 0x08; 2438 sappend(s, sjset_data_frame_1); 2439 2440 /* 2441 * If b3 is set, test b2, otherwise go to the first statement of 2442 * the rest of the program. 2443 */ 2444 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2445 sjset_data_frame_2->s.k = 0x04; 2446 sappend(s, sjset_data_frame_2); 2447 sjset_data_frame_1->s.jf = snext; 2448 2449 /* 2450 * If b2 is not set, this is a data frame; test the QoS bit. 2451 * Otherwise, go to the first statement of the rest of the 2452 * program. 2453 */ 2454 sjset_data_frame_2->s.jt = snext; 2455 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2456 sjset_qos->s.k = 0x80; /* QoS bit */ 2457 sappend(s, sjset_qos); 2458 2459 /* 2460 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2461 * field. 2462 * Otherwise, go to the first statement of the rest of the 2463 * program. 2464 */ 2465 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2466 s2->s.k = reg_off_macpl; 2467 sappend(s, s2); 2468 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2469 s2->s.k = 2; 2470 sappend(s, s2); 2471 s2 = new_stmt(BPF_ST); 2472 s2->s.k = reg_off_macpl; 2473 sappend(s, s2); 2474 2475 /* 2476 * If we have a radiotap header, look at it to see whether 2477 * there's Atheros padding between the MAC-layer header 2478 * and the payload. 2479 * 2480 * Note: all of the fields in the radiotap header are 2481 * little-endian, so we byte-swap all of the values 2482 * we test against, as they will be loaded as big-endian 2483 * values. 2484 */ 2485 if (linktype == DLT_IEEE802_11_RADIO) { 2486 /* 2487 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2488 * in the presence flag? 2489 */ 2490 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2491 s2->s.k = 4; 2492 sappend(s, s2); 2493 2494 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2495 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2496 sappend(s, sjset_radiotap_flags); 2497 2498 /* 2499 * If not, skip all of this. 2500 */ 2501 sjset_radiotap_flags->s.jf = snext; 2502 2503 /* 2504 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2505 */ 2506 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2507 new_stmt(JMP(BPF_JSET)); 2508 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2509 sappend(s, sjset_radiotap_tsft); 2510 2511 /* 2512 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2513 * at an offset of 16 from the beginning of the raw packet 2514 * data (8 bytes for the radiotap header and 8 bytes for 2515 * the TSFT field). 2516 * 2517 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2518 * is set. 2519 */ 2520 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2521 s2->s.k = 16; 2522 sappend(s, s2); 2523 2524 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2525 sjset_tsft_datapad->s.k = 0x20; 2526 sappend(s, sjset_tsft_datapad); 2527 2528 /* 2529 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2530 * at an offset of 8 from the beginning of the raw packet 2531 * data (8 bytes for the radiotap header). 2532 * 2533 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2534 * is set. 2535 */ 2536 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2537 s2->s.k = 8; 2538 sappend(s, s2); 2539 2540 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2541 sjset_notsft_datapad->s.k = 0x20; 2542 sappend(s, sjset_notsft_datapad); 2543 2544 /* 2545 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2546 * set, round the length of the 802.11 header to 2547 * a multiple of 4. Do that by adding 3 and then 2548 * dividing by and multiplying by 4, which we do by 2549 * ANDing with ~3. 2550 */ 2551 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2552 s_roundup->s.k = reg_off_macpl; 2553 sappend(s, s_roundup); 2554 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2555 s2->s.k = 3; 2556 sappend(s, s2); 2557 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2558 s2->s.k = ~3; 2559 sappend(s, s2); 2560 s2 = new_stmt(BPF_ST); 2561 s2->s.k = reg_off_macpl; 2562 sappend(s, s2); 2563 2564 sjset_tsft_datapad->s.jt = s_roundup; 2565 sjset_tsft_datapad->s.jf = snext; 2566 sjset_notsft_datapad->s.jt = s_roundup; 2567 sjset_notsft_datapad->s.jf = snext; 2568 } else 2569 sjset_qos->s.jf = snext; 2570 2571 return s; 2572 } 2573 2574 static void 2575 insert_compute_vloffsets(b) 2576 struct block *b; 2577 { 2578 struct slist *s; 2579 2580 /* 2581 * For link-layer types that have a variable-length header 2582 * preceding the link-layer header, generate code to load 2583 * the offset of the link-layer header into the register 2584 * assigned to that offset, if any. 2585 */ 2586 switch (linktype) { 2587 2588 case DLT_PRISM_HEADER: 2589 s = gen_load_prism_llprefixlen(); 2590 break; 2591 2592 case DLT_IEEE802_11_RADIO_AVS: 2593 s = gen_load_avs_llprefixlen(); 2594 break; 2595 2596 case DLT_IEEE802_11_RADIO: 2597 s = gen_load_radiotap_llprefixlen(); 2598 break; 2599 2600 case DLT_PPI: 2601 s = gen_load_ppi_llprefixlen(); 2602 break; 2603 2604 default: 2605 s = NULL; 2606 break; 2607 } 2608 2609 /* 2610 * For link-layer types that have a variable-length link-layer 2611 * header, generate code to load the offset of the MAC-layer 2612 * payload into the register assigned to that offset, if any. 2613 */ 2614 switch (linktype) { 2615 2616 case DLT_IEEE802_11: 2617 case DLT_PRISM_HEADER: 2618 case DLT_IEEE802_11_RADIO_AVS: 2619 case DLT_IEEE802_11_RADIO: 2620 case DLT_PPI: 2621 s = gen_load_802_11_header_len(s, b->stmts); 2622 break; 2623 } 2624 2625 /* 2626 * If we have any offset-loading code, append all the 2627 * existing statements in the block to those statements, 2628 * and make the resulting list the list of statements 2629 * for the block. 2630 */ 2631 if (s != NULL) { 2632 sappend(s, b->stmts); 2633 b->stmts = s; 2634 } 2635 } 2636 2637 static struct block * 2638 gen_ppi_dlt_check(void) 2639 { 2640 struct slist *s_load_dlt; 2641 struct block *b; 2642 2643 if (linktype == DLT_PPI) 2644 { 2645 /* Create the statements that check for the DLT 2646 */ 2647 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2648 s_load_dlt->s.k = 4; 2649 2650 b = new_block(JMP(BPF_JEQ)); 2651 2652 b->stmts = s_load_dlt; 2653 b->s.k = SWAPLONG(DLT_IEEE802_11); 2654 } 2655 else 2656 { 2657 b = NULL; 2658 } 2659 2660 return b; 2661 } 2662 2663 static struct slist * 2664 gen_prism_llprefixlen(void) 2665 { 2666 struct slist *s; 2667 2668 if (reg_off_ll == -1) { 2669 /* 2670 * We haven't yet assigned a register for the length 2671 * of the radio header; allocate one. 2672 */ 2673 reg_off_ll = alloc_reg(); 2674 } 2675 2676 /* 2677 * Load the register containing the radio length 2678 * into the X register. 2679 */ 2680 s = new_stmt(BPF_LDX|BPF_MEM); 2681 s->s.k = reg_off_ll; 2682 return s; 2683 } 2684 2685 static struct slist * 2686 gen_avs_llprefixlen(void) 2687 { 2688 struct slist *s; 2689 2690 if (reg_off_ll == -1) { 2691 /* 2692 * We haven't yet assigned a register for the length 2693 * of the AVS header; allocate one. 2694 */ 2695 reg_off_ll = alloc_reg(); 2696 } 2697 2698 /* 2699 * Load the register containing the AVS length 2700 * into the X register. 2701 */ 2702 s = new_stmt(BPF_LDX|BPF_MEM); 2703 s->s.k = reg_off_ll; 2704 return s; 2705 } 2706 2707 static struct slist * 2708 gen_radiotap_llprefixlen(void) 2709 { 2710 struct slist *s; 2711 2712 if (reg_off_ll == -1) { 2713 /* 2714 * We haven't yet assigned a register for the length 2715 * of the radiotap header; allocate one. 2716 */ 2717 reg_off_ll = alloc_reg(); 2718 } 2719 2720 /* 2721 * Load the register containing the radiotap length 2722 * into the X register. 2723 */ 2724 s = new_stmt(BPF_LDX|BPF_MEM); 2725 s->s.k = reg_off_ll; 2726 return s; 2727 } 2728 2729 /* 2730 * At the moment we treat PPI as normal Radiotap encoded 2731 * packets. The difference is in the function that generates 2732 * the code at the beginning to compute the header length. 2733 * Since this code generator of PPI supports bare 802.11 2734 * encapsulation only (i.e. the encapsulated DLT should be 2735 * DLT_IEEE802_11) we generate code to check for this too. 2736 */ 2737 static struct slist * 2738 gen_ppi_llprefixlen(void) 2739 { 2740 struct slist *s; 2741 2742 if (reg_off_ll == -1) { 2743 /* 2744 * We haven't yet assigned a register for the length 2745 * of the radiotap header; allocate one. 2746 */ 2747 reg_off_ll = alloc_reg(); 2748 } 2749 2750 /* 2751 * Load the register containing the PPI length 2752 * into the X register. 2753 */ 2754 s = new_stmt(BPF_LDX|BPF_MEM); 2755 s->s.k = reg_off_ll; 2756 return s; 2757 } 2758 2759 /* 2760 * Generate code to compute the link-layer header length, if necessary, 2761 * putting it into the X register, and to return either a pointer to a 2762 * "struct slist" for the list of statements in that code, or NULL if 2763 * no code is necessary. 2764 */ 2765 static struct slist * 2766 gen_llprefixlen(void) 2767 { 2768 switch (linktype) { 2769 2770 case DLT_PRISM_HEADER: 2771 return gen_prism_llprefixlen(); 2772 2773 case DLT_IEEE802_11_RADIO_AVS: 2774 return gen_avs_llprefixlen(); 2775 2776 case DLT_IEEE802_11_RADIO: 2777 return gen_radiotap_llprefixlen(); 2778 2779 case DLT_PPI: 2780 return gen_ppi_llprefixlen(); 2781 2782 default: 2783 return NULL; 2784 } 2785 } 2786 2787 /* 2788 * Generate code to load the register containing the offset of the 2789 * MAC-layer payload into the X register; if no register for that offset 2790 * has been allocated, allocate it first. 2791 */ 2792 static struct slist * 2793 gen_off_macpl(void) 2794 { 2795 struct slist *s; 2796 2797 if (off_macpl_is_variable) { 2798 if (reg_off_macpl == -1) { 2799 /* 2800 * We haven't yet assigned a register for the offset 2801 * of the MAC-layer payload; allocate one. 2802 */ 2803 reg_off_macpl = alloc_reg(); 2804 } 2805 2806 /* 2807 * Load the register containing the offset of the MAC-layer 2808 * payload into the X register. 2809 */ 2810 s = new_stmt(BPF_LDX|BPF_MEM); 2811 s->s.k = reg_off_macpl; 2812 return s; 2813 } else { 2814 /* 2815 * That offset isn't variable, so we don't need to 2816 * generate any code. 2817 */ 2818 return NULL; 2819 } 2820 } 2821 2822 /* 2823 * Map an Ethernet type to the equivalent PPP type. 2824 */ 2825 static int 2826 ethertype_to_ppptype(proto) 2827 int proto; 2828 { 2829 switch (proto) { 2830 2831 case ETHERTYPE_IP: 2832 proto = PPP_IP; 2833 break; 2834 2835 #ifdef INET6 2836 case ETHERTYPE_IPV6: 2837 proto = PPP_IPV6; 2838 break; 2839 #endif 2840 2841 case ETHERTYPE_DN: 2842 proto = PPP_DECNET; 2843 break; 2844 2845 case ETHERTYPE_ATALK: 2846 proto = PPP_APPLE; 2847 break; 2848 2849 case ETHERTYPE_NS: 2850 proto = PPP_NS; 2851 break; 2852 2853 case LLCSAP_ISONS: 2854 proto = PPP_OSI; 2855 break; 2856 2857 case LLCSAP_8021D: 2858 /* 2859 * I'm assuming the "Bridging PDU"s that go 2860 * over PPP are Spanning Tree Protocol 2861 * Bridging PDUs. 2862 */ 2863 proto = PPP_BRPDU; 2864 break; 2865 2866 case LLCSAP_IPX: 2867 proto = PPP_IPX; 2868 break; 2869 } 2870 return (proto); 2871 } 2872 2873 /* 2874 * Generate code to match a particular packet type by matching the 2875 * link-layer type field or fields in the 802.2 LLC header. 2876 * 2877 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2878 * value, if <= ETHERMTU. 2879 */ 2880 static struct block * 2881 gen_linktype(proto) 2882 register int proto; 2883 { 2884 struct block *b0, *b1, *b2; 2885 2886 /* are we checking MPLS-encapsulated packets? */ 2887 if (label_stack_depth > 0) { 2888 switch (proto) { 2889 case ETHERTYPE_IP: 2890 case PPP_IP: 2891 /* FIXME add other L3 proto IDs */ 2892 return gen_mpls_linktype(Q_IP); 2893 2894 case ETHERTYPE_IPV6: 2895 case PPP_IPV6: 2896 /* FIXME add other L3 proto IDs */ 2897 return gen_mpls_linktype(Q_IPV6); 2898 2899 default: 2900 bpf_error("unsupported protocol over mpls"); 2901 /* NOTREACHED */ 2902 } 2903 } 2904 2905 /* 2906 * Are we testing PPPoE packets? 2907 */ 2908 if (is_pppoes) { 2909 /* 2910 * The PPPoE session header is part of the 2911 * MAC-layer payload, so all references 2912 * should be relative to the beginning of 2913 * that payload. 2914 */ 2915 2916 /* 2917 * We use Ethernet protocol types inside libpcap; 2918 * map them to the corresponding PPP protocol types. 2919 */ 2920 proto = ethertype_to_ppptype(proto); 2921 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2922 } 2923 2924 switch (linktype) { 2925 2926 case DLT_EN10MB: 2927 case DLT_NETANALYZER: 2928 case DLT_NETANALYZER_TRANSPARENT: 2929 return gen_ether_linktype(proto); 2930 /*NOTREACHED*/ 2931 break; 2932 2933 case DLT_C_HDLC: 2934 switch (proto) { 2935 2936 case LLCSAP_ISONS: 2937 proto = (proto << 8 | LLCSAP_ISONS); 2938 /* fall through */ 2939 2940 default: 2941 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2942 (bpf_int32)proto); 2943 /*NOTREACHED*/ 2944 break; 2945 } 2946 break; 2947 2948 case DLT_IEEE802_11: 2949 case DLT_PRISM_HEADER: 2950 case DLT_IEEE802_11_RADIO_AVS: 2951 case DLT_IEEE802_11_RADIO: 2952 case DLT_PPI: 2953 /* 2954 * Check that we have a data frame. 2955 */ 2956 b0 = gen_check_802_11_data_frame(); 2957 2958 /* 2959 * Now check for the specified link-layer type. 2960 */ 2961 b1 = gen_llc_linktype(proto); 2962 gen_and(b0, b1); 2963 return b1; 2964 /*NOTREACHED*/ 2965 break; 2966 2967 case DLT_FDDI: 2968 /* 2969 * XXX - check for asynchronous frames, as per RFC 1103. 2970 */ 2971 return gen_llc_linktype(proto); 2972 /*NOTREACHED*/ 2973 break; 2974 2975 case DLT_IEEE802: 2976 /* 2977 * XXX - check for LLC PDUs, as per IEEE 802.5. 2978 */ 2979 return gen_llc_linktype(proto); 2980 /*NOTREACHED*/ 2981 break; 2982 2983 case DLT_ATM_RFC1483: 2984 case DLT_ATM_CLIP: 2985 case DLT_IP_OVER_FC: 2986 return gen_llc_linktype(proto); 2987 /*NOTREACHED*/ 2988 break; 2989 2990 case DLT_SUNATM: 2991 /* 2992 * If "is_lane" is set, check for a LANE-encapsulated 2993 * version of this protocol, otherwise check for an 2994 * LLC-encapsulated version of this protocol. 2995 * 2996 * We assume LANE means Ethernet, not Token Ring. 2997 */ 2998 if (is_lane) { 2999 /* 3000 * Check that the packet doesn't begin with an 3001 * LE Control marker. (We've already generated 3002 * a test for LANE.) 3003 */ 3004 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3005 0xFF00); 3006 gen_not(b0); 3007 3008 /* 3009 * Now generate an Ethernet test. 3010 */ 3011 b1 = gen_ether_linktype(proto); 3012 gen_and(b0, b1); 3013 return b1; 3014 } else { 3015 /* 3016 * Check for LLC encapsulation and then check the 3017 * protocol. 3018 */ 3019 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3020 b1 = gen_llc_linktype(proto); 3021 gen_and(b0, b1); 3022 return b1; 3023 } 3024 /*NOTREACHED*/ 3025 break; 3026 3027 case DLT_LINUX_SLL: 3028 return gen_linux_sll_linktype(proto); 3029 /*NOTREACHED*/ 3030 break; 3031 3032 case DLT_SLIP: 3033 case DLT_SLIP_BSDOS: 3034 case DLT_RAW: 3035 /* 3036 * These types don't provide any type field; packets 3037 * are always IPv4 or IPv6. 3038 * 3039 * XXX - for IPv4, check for a version number of 4, and, 3040 * for IPv6, check for a version number of 6? 3041 */ 3042 switch (proto) { 3043 3044 case ETHERTYPE_IP: 3045 /* Check for a version number of 4. */ 3046 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3047 #ifdef INET6 3048 case ETHERTYPE_IPV6: 3049 /* Check for a version number of 6. */ 3050 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3051 #endif 3052 3053 default: 3054 return gen_false(); /* always false */ 3055 } 3056 /*NOTREACHED*/ 3057 break; 3058 3059 case DLT_IPV4: 3060 /* 3061 * Raw IPv4, so no type field. 3062 */ 3063 if (proto == ETHERTYPE_IP) 3064 return gen_true(); /* always true */ 3065 3066 /* Checking for something other than IPv4; always false */ 3067 return gen_false(); 3068 /*NOTREACHED*/ 3069 break; 3070 3071 case DLT_IPV6: 3072 /* 3073 * Raw IPv6, so no type field. 3074 */ 3075 #ifdef INET6 3076 if (proto == ETHERTYPE_IPV6) 3077 return gen_true(); /* always true */ 3078 #endif 3079 3080 /* Checking for something other than IPv6; always false */ 3081 return gen_false(); 3082 /*NOTREACHED*/ 3083 break; 3084 3085 case DLT_PPP: 3086 case DLT_PPP_PPPD: 3087 case DLT_PPP_SERIAL: 3088 case DLT_PPP_ETHER: 3089 /* 3090 * We use Ethernet protocol types inside libpcap; 3091 * map them to the corresponding PPP protocol types. 3092 */ 3093 proto = ethertype_to_ppptype(proto); 3094 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3095 /*NOTREACHED*/ 3096 break; 3097 3098 case DLT_PPP_BSDOS: 3099 /* 3100 * We use Ethernet protocol types inside libpcap; 3101 * map them to the corresponding PPP protocol types. 3102 */ 3103 switch (proto) { 3104 3105 case ETHERTYPE_IP: 3106 /* 3107 * Also check for Van Jacobson-compressed IP. 3108 * XXX - do this for other forms of PPP? 3109 */ 3110 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3111 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3112 gen_or(b0, b1); 3113 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3114 gen_or(b1, b0); 3115 return b0; 3116 3117 default: 3118 proto = ethertype_to_ppptype(proto); 3119 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3120 (bpf_int32)proto); 3121 } 3122 /*NOTREACHED*/ 3123 break; 3124 3125 case DLT_NULL: 3126 case DLT_LOOP: 3127 case DLT_ENC: 3128 /* 3129 * For DLT_NULL, the link-layer header is a 32-bit 3130 * word containing an AF_ value in *host* byte order, 3131 * and for DLT_ENC, the link-layer header begins 3132 * with a 32-bit work containing an AF_ value in 3133 * host byte order. 3134 * 3135 * In addition, if we're reading a saved capture file, 3136 * the host byte order in the capture may not be the 3137 * same as the host byte order on this machine. 3138 * 3139 * For DLT_LOOP, the link-layer header is a 32-bit 3140 * word containing an AF_ value in *network* byte order. 3141 * 3142 * XXX - AF_ values may, unfortunately, be platform- 3143 * dependent; for example, FreeBSD's AF_INET6 is 24 3144 * whilst NetBSD's and OpenBSD's is 26. 3145 * 3146 * This means that, when reading a capture file, just 3147 * checking for our AF_INET6 value won't work if the 3148 * capture file came from another OS. 3149 */ 3150 switch (proto) { 3151 3152 case ETHERTYPE_IP: 3153 proto = AF_INET; 3154 break; 3155 3156 #ifdef INET6 3157 case ETHERTYPE_IPV6: 3158 proto = AF_INET6; 3159 break; 3160 #endif 3161 3162 default: 3163 /* 3164 * Not a type on which we support filtering. 3165 * XXX - support those that have AF_ values 3166 * #defined on this platform, at least? 3167 */ 3168 return gen_false(); 3169 } 3170 3171 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3172 /* 3173 * The AF_ value is in host byte order, but 3174 * the BPF interpreter will convert it to 3175 * network byte order. 3176 * 3177 * If this is a save file, and it's from a 3178 * machine with the opposite byte order to 3179 * ours, we byte-swap the AF_ value. 3180 * 3181 * Then we run it through "htonl()", and 3182 * generate code to compare against the result. 3183 */ 3184 if (bpf_pcap->sf.rfile != NULL && 3185 bpf_pcap->sf.swapped) 3186 proto = SWAPLONG(proto); 3187 proto = htonl(proto); 3188 } 3189 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3190 3191 #ifdef HAVE_NET_PFVAR_H 3192 case DLT_PFLOG: 3193 /* 3194 * af field is host byte order in contrast to the rest of 3195 * the packet. 3196 */ 3197 if (proto == ETHERTYPE_IP) 3198 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3199 BPF_B, (bpf_int32)AF_INET)); 3200 #ifdef INET6 3201 else if (proto == ETHERTYPE_IPV6) 3202 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3203 BPF_B, (bpf_int32)AF_INET6)); 3204 #endif /* INET6 */ 3205 else 3206 return gen_false(); 3207 /*NOTREACHED*/ 3208 break; 3209 #endif /* HAVE_NET_PFVAR_H */ 3210 3211 case DLT_ARCNET: 3212 case DLT_ARCNET_LINUX: 3213 /* 3214 * XXX should we check for first fragment if the protocol 3215 * uses PHDS? 3216 */ 3217 switch (proto) { 3218 3219 default: 3220 return gen_false(); 3221 3222 #ifdef INET6 3223 case ETHERTYPE_IPV6: 3224 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3225 (bpf_int32)ARCTYPE_INET6)); 3226 #endif /* INET6 */ 3227 3228 case ETHERTYPE_IP: 3229 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3230 (bpf_int32)ARCTYPE_IP); 3231 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3232 (bpf_int32)ARCTYPE_IP_OLD); 3233 gen_or(b0, b1); 3234 return (b1); 3235 3236 case ETHERTYPE_ARP: 3237 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3238 (bpf_int32)ARCTYPE_ARP); 3239 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3240 (bpf_int32)ARCTYPE_ARP_OLD); 3241 gen_or(b0, b1); 3242 return (b1); 3243 3244 case ETHERTYPE_REVARP: 3245 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3246 (bpf_int32)ARCTYPE_REVARP)); 3247 3248 case ETHERTYPE_ATALK: 3249 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3250 (bpf_int32)ARCTYPE_ATALK)); 3251 } 3252 /*NOTREACHED*/ 3253 break; 3254 3255 case DLT_LTALK: 3256 switch (proto) { 3257 case ETHERTYPE_ATALK: 3258 return gen_true(); 3259 default: 3260 return gen_false(); 3261 } 3262 /*NOTREACHED*/ 3263 break; 3264 3265 case DLT_FRELAY: 3266 /* 3267 * XXX - assumes a 2-byte Frame Relay header with 3268 * DLCI and flags. What if the address is longer? 3269 */ 3270 switch (proto) { 3271 3272 case ETHERTYPE_IP: 3273 /* 3274 * Check for the special NLPID for IP. 3275 */ 3276 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3277 3278 #ifdef INET6 3279 case ETHERTYPE_IPV6: 3280 /* 3281 * Check for the special NLPID for IPv6. 3282 */ 3283 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3284 #endif 3285 3286 case LLCSAP_ISONS: 3287 /* 3288 * Check for several OSI protocols. 3289 * 3290 * Frame Relay packets typically have an OSI 3291 * NLPID at the beginning; we check for each 3292 * of them. 3293 * 3294 * What we check for is the NLPID and a frame 3295 * control field of UI, i.e. 0x03 followed 3296 * by the NLPID. 3297 */ 3298 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3299 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3300 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3301 gen_or(b1, b2); 3302 gen_or(b0, b2); 3303 return b2; 3304 3305 default: 3306 return gen_false(); 3307 } 3308 /*NOTREACHED*/ 3309 break; 3310 3311 case DLT_MFR: 3312 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3313 3314 case DLT_JUNIPER_MFR: 3315 case DLT_JUNIPER_MLFR: 3316 case DLT_JUNIPER_MLPPP: 3317 case DLT_JUNIPER_ATM1: 3318 case DLT_JUNIPER_ATM2: 3319 case DLT_JUNIPER_PPPOE: 3320 case DLT_JUNIPER_PPPOE_ATM: 3321 case DLT_JUNIPER_GGSN: 3322 case DLT_JUNIPER_ES: 3323 case DLT_JUNIPER_MONITOR: 3324 case DLT_JUNIPER_SERVICES: 3325 case DLT_JUNIPER_ETHER: 3326 case DLT_JUNIPER_PPP: 3327 case DLT_JUNIPER_FRELAY: 3328 case DLT_JUNIPER_CHDLC: 3329 case DLT_JUNIPER_VP: 3330 case DLT_JUNIPER_ST: 3331 case DLT_JUNIPER_ISM: 3332 case DLT_JUNIPER_VS: 3333 case DLT_JUNIPER_SRX_E2E: 3334 case DLT_JUNIPER_FIBRECHANNEL: 3335 case DLT_JUNIPER_ATM_CEMIC: 3336 3337 /* just lets verify the magic number for now - 3338 * on ATM we may have up to 6 different encapsulations on the wire 3339 * and need a lot of heuristics to figure out that the payload 3340 * might be; 3341 * 3342 * FIXME encapsulation specific BPF_ filters 3343 */ 3344 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3345 3346 case DLT_IPNET: 3347 return gen_ipnet_linktype(proto); 3348 3349 case DLT_LINUX_IRDA: 3350 bpf_error("IrDA link-layer type filtering not implemented"); 3351 3352 case DLT_DOCSIS: 3353 bpf_error("DOCSIS link-layer type filtering not implemented"); 3354 3355 case DLT_MTP2: 3356 case DLT_MTP2_WITH_PHDR: 3357 bpf_error("MTP2 link-layer type filtering not implemented"); 3358 3359 case DLT_ERF: 3360 bpf_error("ERF link-layer type filtering not implemented"); 3361 3362 case DLT_PFSYNC: 3363 bpf_error("PFSYNC link-layer type filtering not implemented"); 3364 3365 case DLT_LINUX_LAPD: 3366 bpf_error("LAPD link-layer type filtering not implemented"); 3367 3368 case DLT_USB: 3369 case DLT_USB_LINUX: 3370 case DLT_USB_LINUX_MMAPPED: 3371 bpf_error("USB link-layer type filtering not implemented"); 3372 3373 case DLT_BLUETOOTH_HCI_H4: 3374 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3375 bpf_error("Bluetooth link-layer type filtering not implemented"); 3376 3377 case DLT_CAN20B: 3378 case DLT_CAN_SOCKETCAN: 3379 bpf_error("CAN link-layer type filtering not implemented"); 3380 3381 case DLT_IEEE802_15_4: 3382 case DLT_IEEE802_15_4_LINUX: 3383 case DLT_IEEE802_15_4_NONASK_PHY: 3384 case DLT_IEEE802_15_4_NOFCS: 3385 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3386 3387 case DLT_IEEE802_16_MAC_CPS_RADIO: 3388 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3389 3390 case DLT_SITA: 3391 bpf_error("SITA link-layer type filtering not implemented"); 3392 3393 case DLT_RAIF1: 3394 bpf_error("RAIF1 link-layer type filtering not implemented"); 3395 3396 case DLT_IPMB: 3397 bpf_error("IPMB link-layer type filtering not implemented"); 3398 3399 case DLT_AX25_KISS: 3400 bpf_error("AX.25 link-layer type filtering not implemented"); 3401 } 3402 3403 /* 3404 * All the types that have no encapsulation should either be 3405 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3406 * all packets are IP packets, or should be handled in some 3407 * special case, if none of them are (if some are and some 3408 * aren't, the lack of encapsulation is a problem, as we'd 3409 * have to find some other way of determining the packet type). 3410 * 3411 * Therefore, if "off_linktype" is -1, there's an error. 3412 */ 3413 if (off_linktype == (u_int)-1) 3414 abort(); 3415 3416 /* 3417 * Any type not handled above should always have an Ethernet 3418 * type at an offset of "off_linktype". 3419 */ 3420 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3421 } 3422 3423 /* 3424 * Check for an LLC SNAP packet with a given organization code and 3425 * protocol type; we check the entire contents of the 802.2 LLC and 3426 * snap headers, checking for DSAP and SSAP of SNAP and a control 3427 * field of 0x03 in the LLC header, and for the specified organization 3428 * code and protocol type in the SNAP header. 3429 */ 3430 static struct block * 3431 gen_snap(orgcode, ptype) 3432 bpf_u_int32 orgcode; 3433 bpf_u_int32 ptype; 3434 { 3435 u_char snapblock[8]; 3436 3437 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3438 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3439 snapblock[2] = 0x03; /* control = UI */ 3440 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3441 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3442 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3443 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3444 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3445 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3446 } 3447 3448 /* 3449 * Generate code to match a particular packet type, for link-layer types 3450 * using 802.2 LLC headers. 3451 * 3452 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3453 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3454 * 3455 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3456 * value, if <= ETHERMTU. We use that to determine whether to 3457 * match the DSAP or both DSAP and LSAP or to check the OUI and 3458 * protocol ID in a SNAP header. 3459 */ 3460 static struct block * 3461 gen_llc_linktype(proto) 3462 int proto; 3463 { 3464 /* 3465 * XXX - handle token-ring variable-length header. 3466 */ 3467 switch (proto) { 3468 3469 case LLCSAP_IP: 3470 case LLCSAP_ISONS: 3471 case LLCSAP_NETBEUI: 3472 /* 3473 * XXX - should we check both the DSAP and the 3474 * SSAP, like this, or should we check just the 3475 * DSAP, as we do for other types <= ETHERMTU 3476 * (i.e., other SAP values)? 3477 */ 3478 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3479 ((proto << 8) | proto)); 3480 3481 case LLCSAP_IPX: 3482 /* 3483 * XXX - are there ever SNAP frames for IPX on 3484 * non-Ethernet 802.x networks? 3485 */ 3486 return gen_cmp(OR_MACPL, 0, BPF_B, 3487 (bpf_int32)LLCSAP_IPX); 3488 3489 case ETHERTYPE_ATALK: 3490 /* 3491 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3492 * SNAP packets with an organization code of 3493 * 0x080007 (Apple, for Appletalk) and a protocol 3494 * type of ETHERTYPE_ATALK (Appletalk). 3495 * 3496 * XXX - check for an organization code of 3497 * encapsulated Ethernet as well? 3498 */ 3499 return gen_snap(0x080007, ETHERTYPE_ATALK); 3500 3501 default: 3502 /* 3503 * XXX - we don't have to check for IPX 802.3 3504 * here, but should we check for the IPX Ethertype? 3505 */ 3506 if (proto <= ETHERMTU) { 3507 /* 3508 * This is an LLC SAP value, so check 3509 * the DSAP. 3510 */ 3511 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3512 } else { 3513 /* 3514 * This is an Ethernet type; we assume that it's 3515 * unlikely that it'll appear in the right place 3516 * at random, and therefore check only the 3517 * location that would hold the Ethernet type 3518 * in a SNAP frame with an organization code of 3519 * 0x000000 (encapsulated Ethernet). 3520 * 3521 * XXX - if we were to check for the SNAP DSAP and 3522 * LSAP, as per XXX, and were also to check for an 3523 * organization code of 0x000000 (encapsulated 3524 * Ethernet), we'd do 3525 * 3526 * return gen_snap(0x000000, proto); 3527 * 3528 * here; for now, we don't, as per the above. 3529 * I don't know whether it's worth the extra CPU 3530 * time to do the right check or not. 3531 */ 3532 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3533 } 3534 } 3535 } 3536 3537 static struct block * 3538 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3539 bpf_u_int32 addr; 3540 bpf_u_int32 mask; 3541 int dir, proto; 3542 u_int src_off, dst_off; 3543 { 3544 struct block *b0, *b1; 3545 u_int offset; 3546 3547 switch (dir) { 3548 3549 case Q_SRC: 3550 offset = src_off; 3551 break; 3552 3553 case Q_DST: 3554 offset = dst_off; 3555 break; 3556 3557 case Q_AND: 3558 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3559 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3560 gen_and(b0, b1); 3561 return b1; 3562 3563 case Q_OR: 3564 case Q_DEFAULT: 3565 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3566 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3567 gen_or(b0, b1); 3568 return b1; 3569 3570 default: 3571 abort(); 3572 } 3573 b0 = gen_linktype(proto); 3574 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3575 gen_and(b0, b1); 3576 return b1; 3577 } 3578 3579 #ifdef INET6 3580 static struct block * 3581 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3582 struct in6_addr *addr; 3583 struct in6_addr *mask; 3584 int dir, proto; 3585 u_int src_off, dst_off; 3586 { 3587 struct block *b0, *b1; 3588 u_int offset; 3589 u_int32_t *a, *m; 3590 3591 switch (dir) { 3592 3593 case Q_SRC: 3594 offset = src_off; 3595 break; 3596 3597 case Q_DST: 3598 offset = dst_off; 3599 break; 3600 3601 case Q_AND: 3602 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3603 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3604 gen_and(b0, b1); 3605 return b1; 3606 3607 case Q_OR: 3608 case Q_DEFAULT: 3609 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3610 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3611 gen_or(b0, b1); 3612 return b1; 3613 3614 default: 3615 abort(); 3616 } 3617 /* this order is important */ 3618 a = (u_int32_t *)addr; 3619 m = (u_int32_t *)mask; 3620 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3621 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3622 gen_and(b0, b1); 3623 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3624 gen_and(b0, b1); 3625 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3626 gen_and(b0, b1); 3627 b0 = gen_linktype(proto); 3628 gen_and(b0, b1); 3629 return b1; 3630 } 3631 #endif /*INET6*/ 3632 3633 static struct block * 3634 gen_ehostop(eaddr, dir) 3635 register const u_char *eaddr; 3636 register int dir; 3637 { 3638 register struct block *b0, *b1; 3639 3640 switch (dir) { 3641 case Q_SRC: 3642 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3643 3644 case Q_DST: 3645 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3646 3647 case Q_AND: 3648 b0 = gen_ehostop(eaddr, Q_SRC); 3649 b1 = gen_ehostop(eaddr, Q_DST); 3650 gen_and(b0, b1); 3651 return b1; 3652 3653 case Q_DEFAULT: 3654 case Q_OR: 3655 b0 = gen_ehostop(eaddr, Q_SRC); 3656 b1 = gen_ehostop(eaddr, Q_DST); 3657 gen_or(b0, b1); 3658 return b1; 3659 3660 case Q_ADDR1: 3661 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3662 break; 3663 3664 case Q_ADDR2: 3665 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3666 break; 3667 3668 case Q_ADDR3: 3669 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3670 break; 3671 3672 case Q_ADDR4: 3673 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3674 break; 3675 3676 case Q_RA: 3677 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3678 break; 3679 3680 case Q_TA: 3681 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3682 break; 3683 } 3684 abort(); 3685 /* NOTREACHED */ 3686 } 3687 3688 /* 3689 * Like gen_ehostop, but for DLT_FDDI 3690 */ 3691 static struct block * 3692 gen_fhostop(eaddr, dir) 3693 register const u_char *eaddr; 3694 register int dir; 3695 { 3696 struct block *b0, *b1; 3697 3698 switch (dir) { 3699 case Q_SRC: 3700 #ifdef PCAP_FDDIPAD 3701 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3702 #else 3703 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3704 #endif 3705 3706 case Q_DST: 3707 #ifdef PCAP_FDDIPAD 3708 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3709 #else 3710 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3711 #endif 3712 3713 case Q_AND: 3714 b0 = gen_fhostop(eaddr, Q_SRC); 3715 b1 = gen_fhostop(eaddr, Q_DST); 3716 gen_and(b0, b1); 3717 return b1; 3718 3719 case Q_DEFAULT: 3720 case Q_OR: 3721 b0 = gen_fhostop(eaddr, Q_SRC); 3722 b1 = gen_fhostop(eaddr, Q_DST); 3723 gen_or(b0, b1); 3724 return b1; 3725 3726 case Q_ADDR1: 3727 bpf_error("'addr1' is only supported on 802.11"); 3728 break; 3729 3730 case Q_ADDR2: 3731 bpf_error("'addr2' is only supported on 802.11"); 3732 break; 3733 3734 case Q_ADDR3: 3735 bpf_error("'addr3' is only supported on 802.11"); 3736 break; 3737 3738 case Q_ADDR4: 3739 bpf_error("'addr4' is only supported on 802.11"); 3740 break; 3741 3742 case Q_RA: 3743 bpf_error("'ra' is only supported on 802.11"); 3744 break; 3745 3746 case Q_TA: 3747 bpf_error("'ta' is only supported on 802.11"); 3748 break; 3749 } 3750 abort(); 3751 /* NOTREACHED */ 3752 } 3753 3754 /* 3755 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3756 */ 3757 static struct block * 3758 gen_thostop(eaddr, dir) 3759 register const u_char *eaddr; 3760 register int dir; 3761 { 3762 register struct block *b0, *b1; 3763 3764 switch (dir) { 3765 case Q_SRC: 3766 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3767 3768 case Q_DST: 3769 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3770 3771 case Q_AND: 3772 b0 = gen_thostop(eaddr, Q_SRC); 3773 b1 = gen_thostop(eaddr, Q_DST); 3774 gen_and(b0, b1); 3775 return b1; 3776 3777 case Q_DEFAULT: 3778 case Q_OR: 3779 b0 = gen_thostop(eaddr, Q_SRC); 3780 b1 = gen_thostop(eaddr, Q_DST); 3781 gen_or(b0, b1); 3782 return b1; 3783 3784 case Q_ADDR1: 3785 bpf_error("'addr1' is only supported on 802.11"); 3786 break; 3787 3788 case Q_ADDR2: 3789 bpf_error("'addr2' is only supported on 802.11"); 3790 break; 3791 3792 case Q_ADDR3: 3793 bpf_error("'addr3' is only supported on 802.11"); 3794 break; 3795 3796 case Q_ADDR4: 3797 bpf_error("'addr4' is only supported on 802.11"); 3798 break; 3799 3800 case Q_RA: 3801 bpf_error("'ra' is only supported on 802.11"); 3802 break; 3803 3804 case Q_TA: 3805 bpf_error("'ta' is only supported on 802.11"); 3806 break; 3807 } 3808 abort(); 3809 /* NOTREACHED */ 3810 } 3811 3812 /* 3813 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3814 * various 802.11 + radio headers. 3815 */ 3816 static struct block * 3817 gen_wlanhostop(eaddr, dir) 3818 register const u_char *eaddr; 3819 register int dir; 3820 { 3821 register struct block *b0, *b1, *b2; 3822 register struct slist *s; 3823 3824 #ifdef ENABLE_WLAN_FILTERING_PATCH 3825 /* 3826 * TODO GV 20070613 3827 * We need to disable the optimizer because the optimizer is buggy 3828 * and wipes out some LD instructions generated by the below 3829 * code to validate the Frame Control bits 3830 */ 3831 no_optimize = 1; 3832 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3833 3834 switch (dir) { 3835 case Q_SRC: 3836 /* 3837 * Oh, yuk. 3838 * 3839 * For control frames, there is no SA. 3840 * 3841 * For management frames, SA is at an 3842 * offset of 10 from the beginning of 3843 * the packet. 3844 * 3845 * For data frames, SA is at an offset 3846 * of 10 from the beginning of the packet 3847 * if From DS is clear, at an offset of 3848 * 16 from the beginning of the packet 3849 * if From DS is set and To DS is clear, 3850 * and an offset of 24 from the beginning 3851 * of the packet if From DS is set and To DS 3852 * is set. 3853 */ 3854 3855 /* 3856 * Generate the tests to be done for data frames 3857 * with From DS set. 3858 * 3859 * First, check for To DS set, i.e. check "link[1] & 0x01". 3860 */ 3861 s = gen_load_a(OR_LINK, 1, BPF_B); 3862 b1 = new_block(JMP(BPF_JSET)); 3863 b1->s.k = 0x01; /* To DS */ 3864 b1->stmts = s; 3865 3866 /* 3867 * If To DS is set, the SA is at 24. 3868 */ 3869 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3870 gen_and(b1, b0); 3871 3872 /* 3873 * Now, check for To DS not set, i.e. check 3874 * "!(link[1] & 0x01)". 3875 */ 3876 s = gen_load_a(OR_LINK, 1, BPF_B); 3877 b2 = new_block(JMP(BPF_JSET)); 3878 b2->s.k = 0x01; /* To DS */ 3879 b2->stmts = s; 3880 gen_not(b2); 3881 3882 /* 3883 * If To DS is not set, the SA is at 16. 3884 */ 3885 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3886 gen_and(b2, b1); 3887 3888 /* 3889 * Now OR together the last two checks. That gives 3890 * the complete set of checks for data frames with 3891 * From DS set. 3892 */ 3893 gen_or(b1, b0); 3894 3895 /* 3896 * Now check for From DS being set, and AND that with 3897 * the ORed-together checks. 3898 */ 3899 s = gen_load_a(OR_LINK, 1, BPF_B); 3900 b1 = new_block(JMP(BPF_JSET)); 3901 b1->s.k = 0x02; /* From DS */ 3902 b1->stmts = s; 3903 gen_and(b1, b0); 3904 3905 /* 3906 * Now check for data frames with From DS not set. 3907 */ 3908 s = gen_load_a(OR_LINK, 1, BPF_B); 3909 b2 = new_block(JMP(BPF_JSET)); 3910 b2->s.k = 0x02; /* From DS */ 3911 b2->stmts = s; 3912 gen_not(b2); 3913 3914 /* 3915 * If From DS isn't set, the SA is at 10. 3916 */ 3917 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3918 gen_and(b2, b1); 3919 3920 /* 3921 * Now OR together the checks for data frames with 3922 * From DS not set and for data frames with From DS 3923 * set; that gives the checks done for data frames. 3924 */ 3925 gen_or(b1, b0); 3926 3927 /* 3928 * Now check for a data frame. 3929 * I.e, check "link[0] & 0x08". 3930 */ 3931 s = gen_load_a(OR_LINK, 0, BPF_B); 3932 b1 = new_block(JMP(BPF_JSET)); 3933 b1->s.k = 0x08; 3934 b1->stmts = s; 3935 3936 /* 3937 * AND that with the checks done for data frames. 3938 */ 3939 gen_and(b1, b0); 3940 3941 /* 3942 * If the high-order bit of the type value is 0, this 3943 * is a management frame. 3944 * I.e, check "!(link[0] & 0x08)". 3945 */ 3946 s = gen_load_a(OR_LINK, 0, BPF_B); 3947 b2 = new_block(JMP(BPF_JSET)); 3948 b2->s.k = 0x08; 3949 b2->stmts = s; 3950 gen_not(b2); 3951 3952 /* 3953 * For management frames, the SA is at 10. 3954 */ 3955 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3956 gen_and(b2, b1); 3957 3958 /* 3959 * OR that with the checks done for data frames. 3960 * That gives the checks done for management and 3961 * data frames. 3962 */ 3963 gen_or(b1, b0); 3964 3965 /* 3966 * If the low-order bit of the type value is 1, 3967 * this is either a control frame or a frame 3968 * with a reserved type, and thus not a 3969 * frame with an SA. 3970 * 3971 * I.e., check "!(link[0] & 0x04)". 3972 */ 3973 s = gen_load_a(OR_LINK, 0, BPF_B); 3974 b1 = new_block(JMP(BPF_JSET)); 3975 b1->s.k = 0x04; 3976 b1->stmts = s; 3977 gen_not(b1); 3978 3979 /* 3980 * AND that with the checks for data and management 3981 * frames. 3982 */ 3983 gen_and(b1, b0); 3984 return b0; 3985 3986 case Q_DST: 3987 /* 3988 * Oh, yuk. 3989 * 3990 * For control frames, there is no DA. 3991 * 3992 * For management frames, DA is at an 3993 * offset of 4 from the beginning of 3994 * the packet. 3995 * 3996 * For data frames, DA is at an offset 3997 * of 4 from the beginning of the packet 3998 * if To DS is clear and at an offset of 3999 * 16 from the beginning of the packet 4000 * if To DS is set. 4001 */ 4002 4003 /* 4004 * Generate the tests to be done for data frames. 4005 * 4006 * First, check for To DS set, i.e. "link[1] & 0x01". 4007 */ 4008 s = gen_load_a(OR_LINK, 1, BPF_B); 4009 b1 = new_block(JMP(BPF_JSET)); 4010 b1->s.k = 0x01; /* To DS */ 4011 b1->stmts = s; 4012 4013 /* 4014 * If To DS is set, the DA is at 16. 4015 */ 4016 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4017 gen_and(b1, b0); 4018 4019 /* 4020 * Now, check for To DS not set, i.e. check 4021 * "!(link[1] & 0x01)". 4022 */ 4023 s = gen_load_a(OR_LINK, 1, BPF_B); 4024 b2 = new_block(JMP(BPF_JSET)); 4025 b2->s.k = 0x01; /* To DS */ 4026 b2->stmts = s; 4027 gen_not(b2); 4028 4029 /* 4030 * If To DS is not set, the DA is at 4. 4031 */ 4032 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4033 gen_and(b2, b1); 4034 4035 /* 4036 * Now OR together the last two checks. That gives 4037 * the complete set of checks for data frames. 4038 */ 4039 gen_or(b1, b0); 4040 4041 /* 4042 * Now check for a data frame. 4043 * I.e, check "link[0] & 0x08". 4044 */ 4045 s = gen_load_a(OR_LINK, 0, BPF_B); 4046 b1 = new_block(JMP(BPF_JSET)); 4047 b1->s.k = 0x08; 4048 b1->stmts = s; 4049 4050 /* 4051 * AND that with the checks done for data frames. 4052 */ 4053 gen_and(b1, b0); 4054 4055 /* 4056 * If the high-order bit of the type value is 0, this 4057 * is a management frame. 4058 * I.e, check "!(link[0] & 0x08)". 4059 */ 4060 s = gen_load_a(OR_LINK, 0, BPF_B); 4061 b2 = new_block(JMP(BPF_JSET)); 4062 b2->s.k = 0x08; 4063 b2->stmts = s; 4064 gen_not(b2); 4065 4066 /* 4067 * For management frames, the DA is at 4. 4068 */ 4069 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4070 gen_and(b2, b1); 4071 4072 /* 4073 * OR that with the checks done for data frames. 4074 * That gives the checks done for management and 4075 * data frames. 4076 */ 4077 gen_or(b1, b0); 4078 4079 /* 4080 * If the low-order bit of the type value is 1, 4081 * this is either a control frame or a frame 4082 * with a reserved type, and thus not a 4083 * frame with an SA. 4084 * 4085 * I.e., check "!(link[0] & 0x04)". 4086 */ 4087 s = gen_load_a(OR_LINK, 0, BPF_B); 4088 b1 = new_block(JMP(BPF_JSET)); 4089 b1->s.k = 0x04; 4090 b1->stmts = s; 4091 gen_not(b1); 4092 4093 /* 4094 * AND that with the checks for data and management 4095 * frames. 4096 */ 4097 gen_and(b1, b0); 4098 return b0; 4099 4100 case Q_RA: 4101 /* 4102 * Not present in management frames; addr1 in other 4103 * frames. 4104 */ 4105 4106 /* 4107 * If the high-order bit of the type value is 0, this 4108 * is a management frame. 4109 * I.e, check "(link[0] & 0x08)". 4110 */ 4111 s = gen_load_a(OR_LINK, 0, BPF_B); 4112 b1 = new_block(JMP(BPF_JSET)); 4113 b1->s.k = 0x08; 4114 b1->stmts = s; 4115 4116 /* 4117 * Check addr1. 4118 */ 4119 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4120 4121 /* 4122 * AND that with the check of addr1. 4123 */ 4124 gen_and(b1, b0); 4125 return (b0); 4126 4127 case Q_TA: 4128 /* 4129 * Not present in management frames; addr2, if present, 4130 * in other frames. 4131 */ 4132 4133 /* 4134 * Not present in CTS or ACK control frames. 4135 */ 4136 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4137 IEEE80211_FC0_TYPE_MASK); 4138 gen_not(b0); 4139 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4140 IEEE80211_FC0_SUBTYPE_MASK); 4141 gen_not(b1); 4142 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4143 IEEE80211_FC0_SUBTYPE_MASK); 4144 gen_not(b2); 4145 gen_and(b1, b2); 4146 gen_or(b0, b2); 4147 4148 /* 4149 * If the high-order bit of the type value is 0, this 4150 * is a management frame. 4151 * I.e, check "(link[0] & 0x08)". 4152 */ 4153 s = gen_load_a(OR_LINK, 0, BPF_B); 4154 b1 = new_block(JMP(BPF_JSET)); 4155 b1->s.k = 0x08; 4156 b1->stmts = s; 4157 4158 /* 4159 * AND that with the check for frames other than 4160 * CTS and ACK frames. 4161 */ 4162 gen_and(b1, b2); 4163 4164 /* 4165 * Check addr2. 4166 */ 4167 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4168 gen_and(b2, b1); 4169 return b1; 4170 4171 /* 4172 * XXX - add BSSID keyword? 4173 */ 4174 case Q_ADDR1: 4175 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4176 4177 case Q_ADDR2: 4178 /* 4179 * Not present in CTS or ACK control frames. 4180 */ 4181 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4182 IEEE80211_FC0_TYPE_MASK); 4183 gen_not(b0); 4184 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4185 IEEE80211_FC0_SUBTYPE_MASK); 4186 gen_not(b1); 4187 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4188 IEEE80211_FC0_SUBTYPE_MASK); 4189 gen_not(b2); 4190 gen_and(b1, b2); 4191 gen_or(b0, b2); 4192 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4193 gen_and(b2, b1); 4194 return b1; 4195 4196 case Q_ADDR3: 4197 /* 4198 * Not present in control frames. 4199 */ 4200 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4201 IEEE80211_FC0_TYPE_MASK); 4202 gen_not(b0); 4203 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4204 gen_and(b0, b1); 4205 return b1; 4206 4207 case Q_ADDR4: 4208 /* 4209 * Present only if the direction mask has both "From DS" 4210 * and "To DS" set. Neither control frames nor management 4211 * frames should have both of those set, so we don't 4212 * check the frame type. 4213 */ 4214 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4215 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4216 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4217 gen_and(b0, b1); 4218 return b1; 4219 4220 case Q_AND: 4221 b0 = gen_wlanhostop(eaddr, Q_SRC); 4222 b1 = gen_wlanhostop(eaddr, Q_DST); 4223 gen_and(b0, b1); 4224 return b1; 4225 4226 case Q_DEFAULT: 4227 case Q_OR: 4228 b0 = gen_wlanhostop(eaddr, Q_SRC); 4229 b1 = gen_wlanhostop(eaddr, Q_DST); 4230 gen_or(b0, b1); 4231 return b1; 4232 } 4233 abort(); 4234 /* NOTREACHED */ 4235 } 4236 4237 /* 4238 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4239 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4240 * as the RFC states.) 4241 */ 4242 static struct block * 4243 gen_ipfchostop(eaddr, dir) 4244 register const u_char *eaddr; 4245 register int dir; 4246 { 4247 register struct block *b0, *b1; 4248 4249 switch (dir) { 4250 case Q_SRC: 4251 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4252 4253 case Q_DST: 4254 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4255 4256 case Q_AND: 4257 b0 = gen_ipfchostop(eaddr, Q_SRC); 4258 b1 = gen_ipfchostop(eaddr, Q_DST); 4259 gen_and(b0, b1); 4260 return b1; 4261 4262 case Q_DEFAULT: 4263 case Q_OR: 4264 b0 = gen_ipfchostop(eaddr, Q_SRC); 4265 b1 = gen_ipfchostop(eaddr, Q_DST); 4266 gen_or(b0, b1); 4267 return b1; 4268 4269 case Q_ADDR1: 4270 bpf_error("'addr1' is only supported on 802.11"); 4271 break; 4272 4273 case Q_ADDR2: 4274 bpf_error("'addr2' is only supported on 802.11"); 4275 break; 4276 4277 case Q_ADDR3: 4278 bpf_error("'addr3' is only supported on 802.11"); 4279 break; 4280 4281 case Q_ADDR4: 4282 bpf_error("'addr4' is only supported on 802.11"); 4283 break; 4284 4285 case Q_RA: 4286 bpf_error("'ra' is only supported on 802.11"); 4287 break; 4288 4289 case Q_TA: 4290 bpf_error("'ta' is only supported on 802.11"); 4291 break; 4292 } 4293 abort(); 4294 /* NOTREACHED */ 4295 } 4296 4297 /* 4298 * This is quite tricky because there may be pad bytes in front of the 4299 * DECNET header, and then there are two possible data packet formats that 4300 * carry both src and dst addresses, plus 5 packet types in a format that 4301 * carries only the src node, plus 2 types that use a different format and 4302 * also carry just the src node. 4303 * 4304 * Yuck. 4305 * 4306 * Instead of doing those all right, we just look for data packets with 4307 * 0 or 1 bytes of padding. If you want to look at other packets, that 4308 * will require a lot more hacking. 4309 * 4310 * To add support for filtering on DECNET "areas" (network numbers) 4311 * one would want to add a "mask" argument to this routine. That would 4312 * make the filter even more inefficient, although one could be clever 4313 * and not generate masking instructions if the mask is 0xFFFF. 4314 */ 4315 static struct block * 4316 gen_dnhostop(addr, dir) 4317 bpf_u_int32 addr; 4318 int dir; 4319 { 4320 struct block *b0, *b1, *b2, *tmp; 4321 u_int offset_lh; /* offset if long header is received */ 4322 u_int offset_sh; /* offset if short header is received */ 4323 4324 switch (dir) { 4325 4326 case Q_DST: 4327 offset_sh = 1; /* follows flags */ 4328 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4329 break; 4330 4331 case Q_SRC: 4332 offset_sh = 3; /* follows flags, dstnode */ 4333 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4334 break; 4335 4336 case Q_AND: 4337 /* Inefficient because we do our Calvinball dance twice */ 4338 b0 = gen_dnhostop(addr, Q_SRC); 4339 b1 = gen_dnhostop(addr, Q_DST); 4340 gen_and(b0, b1); 4341 return b1; 4342 4343 case Q_OR: 4344 case Q_DEFAULT: 4345 /* Inefficient because we do our Calvinball dance twice */ 4346 b0 = gen_dnhostop(addr, Q_SRC); 4347 b1 = gen_dnhostop(addr, Q_DST); 4348 gen_or(b0, b1); 4349 return b1; 4350 4351 case Q_ISO: 4352 bpf_error("ISO host filtering not implemented"); 4353 4354 default: 4355 abort(); 4356 } 4357 b0 = gen_linktype(ETHERTYPE_DN); 4358 /* Check for pad = 1, long header case */ 4359 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4360 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4361 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4362 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4363 gen_and(tmp, b1); 4364 /* Check for pad = 0, long header case */ 4365 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4366 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4367 gen_and(tmp, b2); 4368 gen_or(b2, b1); 4369 /* Check for pad = 1, short header case */ 4370 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4371 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4372 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4373 gen_and(tmp, b2); 4374 gen_or(b2, b1); 4375 /* Check for pad = 0, short header case */ 4376 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4377 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4378 gen_and(tmp, b2); 4379 gen_or(b2, b1); 4380 4381 /* Combine with test for linktype */ 4382 gen_and(b0, b1); 4383 return b1; 4384 } 4385 4386 /* 4387 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4388 * test the bottom-of-stack bit, and then check the version number 4389 * field in the IP header. 4390 */ 4391 static struct block * 4392 gen_mpls_linktype(proto) 4393 int proto; 4394 { 4395 struct block *b0, *b1; 4396 4397 switch (proto) { 4398 4399 case Q_IP: 4400 /* match the bottom-of-stack bit */ 4401 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4402 /* match the IPv4 version number */ 4403 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4404 gen_and(b0, b1); 4405 return b1; 4406 4407 case Q_IPV6: 4408 /* match the bottom-of-stack bit */ 4409 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4410 /* match the IPv4 version number */ 4411 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4412 gen_and(b0, b1); 4413 return b1; 4414 4415 default: 4416 abort(); 4417 } 4418 } 4419 4420 static struct block * 4421 gen_host(addr, mask, proto, dir, type) 4422 bpf_u_int32 addr; 4423 bpf_u_int32 mask; 4424 int proto; 4425 int dir; 4426 int type; 4427 { 4428 struct block *b0, *b1; 4429 const char *typestr; 4430 4431 if (type == Q_NET) 4432 typestr = "net"; 4433 else 4434 typestr = "host"; 4435 4436 switch (proto) { 4437 4438 case Q_DEFAULT: 4439 b0 = gen_host(addr, mask, Q_IP, dir, type); 4440 /* 4441 * Only check for non-IPv4 addresses if we're not 4442 * checking MPLS-encapsulated packets. 4443 */ 4444 if (label_stack_depth == 0) { 4445 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4446 gen_or(b0, b1); 4447 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4448 gen_or(b1, b0); 4449 } 4450 return b0; 4451 4452 case Q_IP: 4453 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4454 4455 case Q_RARP: 4456 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4457 4458 case Q_ARP: 4459 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4460 4461 case Q_TCP: 4462 bpf_error("'tcp' modifier applied to %s", typestr); 4463 4464 case Q_SCTP: 4465 bpf_error("'sctp' modifier applied to %s", typestr); 4466 4467 case Q_UDP: 4468 bpf_error("'udp' modifier applied to %s", typestr); 4469 4470 case Q_ICMP: 4471 bpf_error("'icmp' modifier applied to %s", typestr); 4472 4473 case Q_IGMP: 4474 bpf_error("'igmp' modifier applied to %s", typestr); 4475 4476 case Q_IGRP: 4477 bpf_error("'igrp' modifier applied to %s", typestr); 4478 4479 case Q_PIM: 4480 bpf_error("'pim' modifier applied to %s", typestr); 4481 4482 case Q_VRRP: 4483 bpf_error("'vrrp' modifier applied to %s", typestr); 4484 4485 case Q_CARP: 4486 bpf_error("'carp' modifier applied to %s", typestr); 4487 4488 case Q_ATALK: 4489 bpf_error("ATALK host filtering not implemented"); 4490 4491 case Q_AARP: 4492 bpf_error("AARP host filtering not implemented"); 4493 4494 case Q_DECNET: 4495 return gen_dnhostop(addr, dir); 4496 4497 case Q_SCA: 4498 bpf_error("SCA host filtering not implemented"); 4499 4500 case Q_LAT: 4501 bpf_error("LAT host filtering not implemented"); 4502 4503 case Q_MOPDL: 4504 bpf_error("MOPDL host filtering not implemented"); 4505 4506 case Q_MOPRC: 4507 bpf_error("MOPRC host filtering not implemented"); 4508 4509 #ifdef INET6 4510 case Q_IPV6: 4511 bpf_error("'ip6' modifier applied to ip host"); 4512 4513 case Q_ICMPV6: 4514 bpf_error("'icmp6' modifier applied to %s", typestr); 4515 #endif /* INET6 */ 4516 4517 case Q_AH: 4518 bpf_error("'ah' modifier applied to %s", typestr); 4519 4520 case Q_ESP: 4521 bpf_error("'esp' modifier applied to %s", typestr); 4522 4523 case Q_ISO: 4524 bpf_error("ISO host filtering not implemented"); 4525 4526 case Q_ESIS: 4527 bpf_error("'esis' modifier applied to %s", typestr); 4528 4529 case Q_ISIS: 4530 bpf_error("'isis' modifier applied to %s", typestr); 4531 4532 case Q_CLNP: 4533 bpf_error("'clnp' modifier applied to %s", typestr); 4534 4535 case Q_STP: 4536 bpf_error("'stp' modifier applied to %s", typestr); 4537 4538 case Q_IPX: 4539 bpf_error("IPX host filtering not implemented"); 4540 4541 case Q_NETBEUI: 4542 bpf_error("'netbeui' modifier applied to %s", typestr); 4543 4544 case Q_RADIO: 4545 bpf_error("'radio' modifier applied to %s", typestr); 4546 4547 default: 4548 abort(); 4549 } 4550 /* NOTREACHED */ 4551 } 4552 4553 #ifdef INET6 4554 static struct block * 4555 gen_host6(addr, mask, proto, dir, type) 4556 struct in6_addr *addr; 4557 struct in6_addr *mask; 4558 int proto; 4559 int dir; 4560 int type; 4561 { 4562 const char *typestr; 4563 4564 if (type == Q_NET) 4565 typestr = "net"; 4566 else 4567 typestr = "host"; 4568 4569 switch (proto) { 4570 4571 case Q_DEFAULT: 4572 return gen_host6(addr, mask, Q_IPV6, dir, type); 4573 4574 case Q_IP: 4575 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4576 4577 case Q_RARP: 4578 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4579 4580 case Q_ARP: 4581 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4582 4583 case Q_SCTP: 4584 bpf_error("'sctp' modifier applied to %s", typestr); 4585 4586 case Q_TCP: 4587 bpf_error("'tcp' modifier applied to %s", typestr); 4588 4589 case Q_UDP: 4590 bpf_error("'udp' modifier applied to %s", typestr); 4591 4592 case Q_ICMP: 4593 bpf_error("'icmp' modifier applied to %s", typestr); 4594 4595 case Q_IGMP: 4596 bpf_error("'igmp' modifier applied to %s", typestr); 4597 4598 case Q_IGRP: 4599 bpf_error("'igrp' modifier applied to %s", typestr); 4600 4601 case Q_PIM: 4602 bpf_error("'pim' modifier applied to %s", typestr); 4603 4604 case Q_VRRP: 4605 bpf_error("'vrrp' modifier applied to %s", typestr); 4606 4607 case Q_CARP: 4608 bpf_error("'carp' modifier applied to %s", typestr); 4609 4610 case Q_ATALK: 4611 bpf_error("ATALK host filtering not implemented"); 4612 4613 case Q_AARP: 4614 bpf_error("AARP host filtering not implemented"); 4615 4616 case Q_DECNET: 4617 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4618 4619 case Q_SCA: 4620 bpf_error("SCA host filtering not implemented"); 4621 4622 case Q_LAT: 4623 bpf_error("LAT host filtering not implemented"); 4624 4625 case Q_MOPDL: 4626 bpf_error("MOPDL host filtering not implemented"); 4627 4628 case Q_MOPRC: 4629 bpf_error("MOPRC host filtering not implemented"); 4630 4631 case Q_IPV6: 4632 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4633 4634 case Q_ICMPV6: 4635 bpf_error("'icmp6' modifier applied to %s", typestr); 4636 4637 case Q_AH: 4638 bpf_error("'ah' modifier applied to %s", typestr); 4639 4640 case Q_ESP: 4641 bpf_error("'esp' modifier applied to %s", typestr); 4642 4643 case Q_ISO: 4644 bpf_error("ISO host filtering not implemented"); 4645 4646 case Q_ESIS: 4647 bpf_error("'esis' modifier applied to %s", typestr); 4648 4649 case Q_ISIS: 4650 bpf_error("'isis' modifier applied to %s", typestr); 4651 4652 case Q_CLNP: 4653 bpf_error("'clnp' modifier applied to %s", typestr); 4654 4655 case Q_STP: 4656 bpf_error("'stp' modifier applied to %s", typestr); 4657 4658 case Q_IPX: 4659 bpf_error("IPX host filtering not implemented"); 4660 4661 case Q_NETBEUI: 4662 bpf_error("'netbeui' modifier applied to %s", typestr); 4663 4664 case Q_RADIO: 4665 bpf_error("'radio' modifier applied to %s", typestr); 4666 4667 default: 4668 abort(); 4669 } 4670 /* NOTREACHED */ 4671 } 4672 #endif /*INET6*/ 4673 4674 #ifndef INET6 4675 static struct block * 4676 gen_gateway(eaddr, alist, proto, dir) 4677 const u_char *eaddr; 4678 bpf_u_int32 **alist; 4679 int proto; 4680 int dir; 4681 { 4682 struct block *b0, *b1, *tmp; 4683 4684 if (dir != 0) 4685 bpf_error("direction applied to 'gateway'"); 4686 4687 switch (proto) { 4688 case Q_DEFAULT: 4689 case Q_IP: 4690 case Q_ARP: 4691 case Q_RARP: 4692 switch (linktype) { 4693 case DLT_EN10MB: 4694 case DLT_NETANALYZER: 4695 case DLT_NETANALYZER_TRANSPARENT: 4696 b0 = gen_ehostop(eaddr, Q_OR); 4697 break; 4698 case DLT_FDDI: 4699 b0 = gen_fhostop(eaddr, Q_OR); 4700 break; 4701 case DLT_IEEE802: 4702 b0 = gen_thostop(eaddr, Q_OR); 4703 break; 4704 case DLT_IEEE802_11: 4705 case DLT_PRISM_HEADER: 4706 case DLT_IEEE802_11_RADIO_AVS: 4707 case DLT_IEEE802_11_RADIO: 4708 case DLT_PPI: 4709 b0 = gen_wlanhostop(eaddr, Q_OR); 4710 break; 4711 case DLT_SUNATM: 4712 if (!is_lane) 4713 bpf_error( 4714 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4715 /* 4716 * Check that the packet doesn't begin with an 4717 * LE Control marker. (We've already generated 4718 * a test for LANE.) 4719 */ 4720 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4721 BPF_H, 0xFF00); 4722 gen_not(b1); 4723 4724 /* 4725 * Now check the MAC address. 4726 */ 4727 b0 = gen_ehostop(eaddr, Q_OR); 4728 gen_and(b1, b0); 4729 break; 4730 case DLT_IP_OVER_FC: 4731 b0 = gen_ipfchostop(eaddr, Q_OR); 4732 break; 4733 default: 4734 bpf_error( 4735 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4736 } 4737 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4738 while (*alist) { 4739 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4740 Q_HOST); 4741 gen_or(b1, tmp); 4742 b1 = tmp; 4743 } 4744 gen_not(b1); 4745 gen_and(b0, b1); 4746 return b1; 4747 } 4748 bpf_error("illegal modifier of 'gateway'"); 4749 /* NOTREACHED */ 4750 } 4751 #endif 4752 4753 struct block * 4754 gen_proto_abbrev(proto) 4755 int proto; 4756 { 4757 struct block *b0; 4758 struct block *b1; 4759 4760 switch (proto) { 4761 4762 case Q_SCTP: 4763 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4764 #ifdef INET6 4765 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4766 gen_or(b0, b1); 4767 #endif 4768 break; 4769 4770 case Q_TCP: 4771 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4772 #ifdef INET6 4773 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4774 gen_or(b0, b1); 4775 #endif 4776 break; 4777 4778 case Q_UDP: 4779 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4780 #ifdef INET6 4781 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4782 gen_or(b0, b1); 4783 #endif 4784 break; 4785 4786 case Q_ICMP: 4787 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4788 break; 4789 4790 #ifndef IPPROTO_IGMP 4791 #define IPPROTO_IGMP 2 4792 #endif 4793 4794 case Q_IGMP: 4795 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4796 break; 4797 4798 #ifndef IPPROTO_IGRP 4799 #define IPPROTO_IGRP 9 4800 #endif 4801 case Q_IGRP: 4802 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4803 break; 4804 4805 #ifndef IPPROTO_PIM 4806 #define IPPROTO_PIM 103 4807 #endif 4808 4809 case Q_PIM: 4810 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4811 #ifdef INET6 4812 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4813 gen_or(b0, b1); 4814 #endif 4815 break; 4816 4817 #ifndef IPPROTO_VRRP 4818 #define IPPROTO_VRRP 112 4819 #endif 4820 4821 case Q_VRRP: 4822 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4823 break; 4824 4825 #ifndef IPPROTO_CARP 4826 #define IPPROTO_CARP 112 4827 #endif 4828 4829 case Q_CARP: 4830 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4831 break; 4832 4833 case Q_IP: 4834 b1 = gen_linktype(ETHERTYPE_IP); 4835 break; 4836 4837 case Q_ARP: 4838 b1 = gen_linktype(ETHERTYPE_ARP); 4839 break; 4840 4841 case Q_RARP: 4842 b1 = gen_linktype(ETHERTYPE_REVARP); 4843 break; 4844 4845 case Q_LINK: 4846 bpf_error("link layer applied in wrong context"); 4847 4848 case Q_ATALK: 4849 b1 = gen_linktype(ETHERTYPE_ATALK); 4850 break; 4851 4852 case Q_AARP: 4853 b1 = gen_linktype(ETHERTYPE_AARP); 4854 break; 4855 4856 case Q_DECNET: 4857 b1 = gen_linktype(ETHERTYPE_DN); 4858 break; 4859 4860 case Q_SCA: 4861 b1 = gen_linktype(ETHERTYPE_SCA); 4862 break; 4863 4864 case Q_LAT: 4865 b1 = gen_linktype(ETHERTYPE_LAT); 4866 break; 4867 4868 case Q_MOPDL: 4869 b1 = gen_linktype(ETHERTYPE_MOPDL); 4870 break; 4871 4872 case Q_MOPRC: 4873 b1 = gen_linktype(ETHERTYPE_MOPRC); 4874 break; 4875 4876 #ifdef INET6 4877 case Q_IPV6: 4878 b1 = gen_linktype(ETHERTYPE_IPV6); 4879 break; 4880 4881 #ifndef IPPROTO_ICMPV6 4882 #define IPPROTO_ICMPV6 58 4883 #endif 4884 case Q_ICMPV6: 4885 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4886 break; 4887 #endif /* INET6 */ 4888 4889 #ifndef IPPROTO_AH 4890 #define IPPROTO_AH 51 4891 #endif 4892 case Q_AH: 4893 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4894 #ifdef INET6 4895 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4896 gen_or(b0, b1); 4897 #endif 4898 break; 4899 4900 #ifndef IPPROTO_ESP 4901 #define IPPROTO_ESP 50 4902 #endif 4903 case Q_ESP: 4904 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4905 #ifdef INET6 4906 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4907 gen_or(b0, b1); 4908 #endif 4909 break; 4910 4911 case Q_ISO: 4912 b1 = gen_linktype(LLCSAP_ISONS); 4913 break; 4914 4915 case Q_ESIS: 4916 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4917 break; 4918 4919 case Q_ISIS: 4920 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4921 break; 4922 4923 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4924 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4925 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4926 gen_or(b0, b1); 4927 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4928 gen_or(b0, b1); 4929 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4930 gen_or(b0, b1); 4931 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4932 gen_or(b0, b1); 4933 break; 4934 4935 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4936 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4937 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4938 gen_or(b0, b1); 4939 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4940 gen_or(b0, b1); 4941 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4942 gen_or(b0, b1); 4943 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4944 gen_or(b0, b1); 4945 break; 4946 4947 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4948 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4949 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4950 gen_or(b0, b1); 4951 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4952 gen_or(b0, b1); 4953 break; 4954 4955 case Q_ISIS_LSP: 4956 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4957 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4958 gen_or(b0, b1); 4959 break; 4960 4961 case Q_ISIS_SNP: 4962 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4963 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4964 gen_or(b0, b1); 4965 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4966 gen_or(b0, b1); 4967 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4968 gen_or(b0, b1); 4969 break; 4970 4971 case Q_ISIS_CSNP: 4972 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4973 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4974 gen_or(b0, b1); 4975 break; 4976 4977 case Q_ISIS_PSNP: 4978 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4979 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4980 gen_or(b0, b1); 4981 break; 4982 4983 case Q_CLNP: 4984 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4985 break; 4986 4987 case Q_STP: 4988 b1 = gen_linktype(LLCSAP_8021D); 4989 break; 4990 4991 case Q_IPX: 4992 b1 = gen_linktype(LLCSAP_IPX); 4993 break; 4994 4995 case Q_NETBEUI: 4996 b1 = gen_linktype(LLCSAP_NETBEUI); 4997 break; 4998 4999 case Q_RADIO: 5000 bpf_error("'radio' is not a valid protocol type"); 5001 5002 default: 5003 abort(); 5004 } 5005 return b1; 5006 } 5007 5008 static struct block * 5009 gen_ipfrag() 5010 { 5011 struct slist *s; 5012 struct block *b; 5013 5014 /* not IPv4 frag other than the first frag */ 5015 s = gen_load_a(OR_NET, 6, BPF_H); 5016 b = new_block(JMP(BPF_JSET)); 5017 b->s.k = 0x1fff; 5018 b->stmts = s; 5019 gen_not(b); 5020 5021 return b; 5022 } 5023 5024 /* 5025 * Generate a comparison to a port value in the transport-layer header 5026 * at the specified offset from the beginning of that header. 5027 * 5028 * XXX - this handles a variable-length prefix preceding the link-layer 5029 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5030 * variable-length link-layer headers (such as Token Ring or 802.11 5031 * headers). 5032 */ 5033 static struct block * 5034 gen_portatom(off, v) 5035 int off; 5036 bpf_int32 v; 5037 { 5038 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5039 } 5040 5041 #ifdef INET6 5042 static struct block * 5043 gen_portatom6(off, v) 5044 int off; 5045 bpf_int32 v; 5046 { 5047 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5048 } 5049 #endif/*INET6*/ 5050 5051 struct block * 5052 gen_portop(port, proto, dir) 5053 int port, proto, dir; 5054 { 5055 struct block *b0, *b1, *tmp; 5056 5057 /* ip proto 'proto' and not a fragment other than the first fragment */ 5058 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5059 b0 = gen_ipfrag(); 5060 gen_and(tmp, b0); 5061 5062 switch (dir) { 5063 case Q_SRC: 5064 b1 = gen_portatom(0, (bpf_int32)port); 5065 break; 5066 5067 case Q_DST: 5068 b1 = gen_portatom(2, (bpf_int32)port); 5069 break; 5070 5071 case Q_OR: 5072 case Q_DEFAULT: 5073 tmp = gen_portatom(0, (bpf_int32)port); 5074 b1 = gen_portatom(2, (bpf_int32)port); 5075 gen_or(tmp, b1); 5076 break; 5077 5078 case Q_AND: 5079 tmp = gen_portatom(0, (bpf_int32)port); 5080 b1 = gen_portatom(2, (bpf_int32)port); 5081 gen_and(tmp, b1); 5082 break; 5083 5084 default: 5085 abort(); 5086 } 5087 gen_and(b0, b1); 5088 5089 return b1; 5090 } 5091 5092 static struct block * 5093 gen_port(port, ip_proto, dir) 5094 int port; 5095 int ip_proto; 5096 int dir; 5097 { 5098 struct block *b0, *b1, *tmp; 5099 5100 /* 5101 * ether proto ip 5102 * 5103 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5104 * not LLC encapsulation with LLCSAP_IP. 5105 * 5106 * For IEEE 802 networks - which includes 802.5 token ring 5107 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5108 * says that SNAP encapsulation is used, not LLC encapsulation 5109 * with LLCSAP_IP. 5110 * 5111 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5112 * RFC 2225 say that SNAP encapsulation is used, not LLC 5113 * encapsulation with LLCSAP_IP. 5114 * 5115 * So we always check for ETHERTYPE_IP. 5116 */ 5117 b0 = gen_linktype(ETHERTYPE_IP); 5118 5119 switch (ip_proto) { 5120 case IPPROTO_UDP: 5121 case IPPROTO_TCP: 5122 case IPPROTO_SCTP: 5123 b1 = gen_portop(port, ip_proto, dir); 5124 break; 5125 5126 case PROTO_UNDEF: 5127 tmp = gen_portop(port, IPPROTO_TCP, dir); 5128 b1 = gen_portop(port, IPPROTO_UDP, dir); 5129 gen_or(tmp, b1); 5130 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5131 gen_or(tmp, b1); 5132 break; 5133 5134 default: 5135 abort(); 5136 } 5137 gen_and(b0, b1); 5138 return b1; 5139 } 5140 5141 #ifdef INET6 5142 struct block * 5143 gen_portop6(port, proto, dir) 5144 int port, proto, dir; 5145 { 5146 struct block *b0, *b1, *tmp; 5147 5148 /* ip6 proto 'proto' */ 5149 /* XXX - catch the first fragment of a fragmented packet? */ 5150 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5151 5152 switch (dir) { 5153 case Q_SRC: 5154 b1 = gen_portatom6(0, (bpf_int32)port); 5155 break; 5156 5157 case Q_DST: 5158 b1 = gen_portatom6(2, (bpf_int32)port); 5159 break; 5160 5161 case Q_OR: 5162 case Q_DEFAULT: 5163 tmp = gen_portatom6(0, (bpf_int32)port); 5164 b1 = gen_portatom6(2, (bpf_int32)port); 5165 gen_or(tmp, b1); 5166 break; 5167 5168 case Q_AND: 5169 tmp = gen_portatom6(0, (bpf_int32)port); 5170 b1 = gen_portatom6(2, (bpf_int32)port); 5171 gen_and(tmp, b1); 5172 break; 5173 5174 default: 5175 abort(); 5176 } 5177 gen_and(b0, b1); 5178 5179 return b1; 5180 } 5181 5182 static struct block * 5183 gen_port6(port, ip_proto, dir) 5184 int port; 5185 int ip_proto; 5186 int dir; 5187 { 5188 struct block *b0, *b1, *tmp; 5189 5190 /* link proto ip6 */ 5191 b0 = gen_linktype(ETHERTYPE_IPV6); 5192 5193 switch (ip_proto) { 5194 case IPPROTO_UDP: 5195 case IPPROTO_TCP: 5196 case IPPROTO_SCTP: 5197 b1 = gen_portop6(port, ip_proto, dir); 5198 break; 5199 5200 case PROTO_UNDEF: 5201 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5202 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5203 gen_or(tmp, b1); 5204 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5205 gen_or(tmp, b1); 5206 break; 5207 5208 default: 5209 abort(); 5210 } 5211 gen_and(b0, b1); 5212 return b1; 5213 } 5214 #endif /* INET6 */ 5215 5216 /* gen_portrange code */ 5217 static struct block * 5218 gen_portrangeatom(off, v1, v2) 5219 int off; 5220 bpf_int32 v1, v2; 5221 { 5222 struct block *b1, *b2; 5223 5224 if (v1 > v2) { 5225 /* 5226 * Reverse the order of the ports, so v1 is the lower one. 5227 */ 5228 bpf_int32 vtemp; 5229 5230 vtemp = v1; 5231 v1 = v2; 5232 v2 = vtemp; 5233 } 5234 5235 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5236 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5237 5238 gen_and(b1, b2); 5239 5240 return b2; 5241 } 5242 5243 struct block * 5244 gen_portrangeop(port1, port2, proto, dir) 5245 int port1, port2; 5246 int proto; 5247 int dir; 5248 { 5249 struct block *b0, *b1, *tmp; 5250 5251 /* ip proto 'proto' and not a fragment other than the first fragment */ 5252 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5253 b0 = gen_ipfrag(); 5254 gen_and(tmp, b0); 5255 5256 switch (dir) { 5257 case Q_SRC: 5258 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5259 break; 5260 5261 case Q_DST: 5262 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5263 break; 5264 5265 case Q_OR: 5266 case Q_DEFAULT: 5267 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5268 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5269 gen_or(tmp, b1); 5270 break; 5271 5272 case Q_AND: 5273 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5274 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5275 gen_and(tmp, b1); 5276 break; 5277 5278 default: 5279 abort(); 5280 } 5281 gen_and(b0, b1); 5282 5283 return b1; 5284 } 5285 5286 static struct block * 5287 gen_portrange(port1, port2, ip_proto, dir) 5288 int port1, port2; 5289 int ip_proto; 5290 int dir; 5291 { 5292 struct block *b0, *b1, *tmp; 5293 5294 /* link proto ip */ 5295 b0 = gen_linktype(ETHERTYPE_IP); 5296 5297 switch (ip_proto) { 5298 case IPPROTO_UDP: 5299 case IPPROTO_TCP: 5300 case IPPROTO_SCTP: 5301 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5302 break; 5303 5304 case PROTO_UNDEF: 5305 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5306 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5307 gen_or(tmp, b1); 5308 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5309 gen_or(tmp, b1); 5310 break; 5311 5312 default: 5313 abort(); 5314 } 5315 gen_and(b0, b1); 5316 return b1; 5317 } 5318 5319 #ifdef INET6 5320 static struct block * 5321 gen_portrangeatom6(off, v1, v2) 5322 int off; 5323 bpf_int32 v1, v2; 5324 { 5325 struct block *b1, *b2; 5326 5327 if (v1 > v2) { 5328 /* 5329 * Reverse the order of the ports, so v1 is the lower one. 5330 */ 5331 bpf_int32 vtemp; 5332 5333 vtemp = v1; 5334 v1 = v2; 5335 v2 = vtemp; 5336 } 5337 5338 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5339 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5340 5341 gen_and(b1, b2); 5342 5343 return b2; 5344 } 5345 5346 struct block * 5347 gen_portrangeop6(port1, port2, proto, dir) 5348 int port1, port2; 5349 int proto; 5350 int dir; 5351 { 5352 struct block *b0, *b1, *tmp; 5353 5354 /* ip6 proto 'proto' */ 5355 /* XXX - catch the first fragment of a fragmented packet? */ 5356 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5357 5358 switch (dir) { 5359 case Q_SRC: 5360 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5361 break; 5362 5363 case Q_DST: 5364 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5365 break; 5366 5367 case Q_OR: 5368 case Q_DEFAULT: 5369 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5370 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5371 gen_or(tmp, b1); 5372 break; 5373 5374 case Q_AND: 5375 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5376 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5377 gen_and(tmp, b1); 5378 break; 5379 5380 default: 5381 abort(); 5382 } 5383 gen_and(b0, b1); 5384 5385 return b1; 5386 } 5387 5388 static struct block * 5389 gen_portrange6(port1, port2, ip_proto, dir) 5390 int port1, port2; 5391 int ip_proto; 5392 int dir; 5393 { 5394 struct block *b0, *b1, *tmp; 5395 5396 /* link proto ip6 */ 5397 b0 = gen_linktype(ETHERTYPE_IPV6); 5398 5399 switch (ip_proto) { 5400 case IPPROTO_UDP: 5401 case IPPROTO_TCP: 5402 case IPPROTO_SCTP: 5403 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5404 break; 5405 5406 case PROTO_UNDEF: 5407 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5408 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5409 gen_or(tmp, b1); 5410 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5411 gen_or(tmp, b1); 5412 break; 5413 5414 default: 5415 abort(); 5416 } 5417 gen_and(b0, b1); 5418 return b1; 5419 } 5420 #endif /* INET6 */ 5421 5422 static int 5423 lookup_proto(name, proto) 5424 register const char *name; 5425 register int proto; 5426 { 5427 register int v; 5428 5429 switch (proto) { 5430 5431 case Q_DEFAULT: 5432 case Q_IP: 5433 case Q_IPV6: 5434 v = pcap_nametoproto(name); 5435 if (v == PROTO_UNDEF) 5436 bpf_error("unknown ip proto '%s'", name); 5437 break; 5438 5439 case Q_LINK: 5440 /* XXX should look up h/w protocol type based on linktype */ 5441 v = pcap_nametoeproto(name); 5442 if (v == PROTO_UNDEF) { 5443 v = pcap_nametollc(name); 5444 if (v == PROTO_UNDEF) 5445 bpf_error("unknown ether proto '%s'", name); 5446 } 5447 break; 5448 5449 case Q_ISO: 5450 if (strcmp(name, "esis") == 0) 5451 v = ISO9542_ESIS; 5452 else if (strcmp(name, "isis") == 0) 5453 v = ISO10589_ISIS; 5454 else if (strcmp(name, "clnp") == 0) 5455 v = ISO8473_CLNP; 5456 else 5457 bpf_error("unknown osi proto '%s'", name); 5458 break; 5459 5460 default: 5461 v = PROTO_UNDEF; 5462 break; 5463 } 5464 return v; 5465 } 5466 5467 #if 0 5468 struct stmt * 5469 gen_joinsp(s, n) 5470 struct stmt **s; 5471 int n; 5472 { 5473 return NULL; 5474 } 5475 #endif 5476 5477 static struct block * 5478 gen_protochain(v, proto, dir) 5479 int v; 5480 int proto; 5481 int dir; 5482 { 5483 #ifdef NO_PROTOCHAIN 5484 return gen_proto(v, proto, dir); 5485 #else 5486 struct block *b0, *b; 5487 struct slist *s[100]; 5488 int fix2, fix3, fix4, fix5; 5489 int ahcheck, again, end; 5490 int i, max; 5491 int reg2 = alloc_reg(); 5492 5493 memset(s, 0, sizeof(s)); 5494 fix2 = fix3 = fix4 = fix5 = 0; 5495 5496 switch (proto) { 5497 case Q_IP: 5498 case Q_IPV6: 5499 break; 5500 case Q_DEFAULT: 5501 b0 = gen_protochain(v, Q_IP, dir); 5502 b = gen_protochain(v, Q_IPV6, dir); 5503 gen_or(b0, b); 5504 return b; 5505 default: 5506 bpf_error("bad protocol applied for 'protochain'"); 5507 /*NOTREACHED*/ 5508 } 5509 5510 /* 5511 * We don't handle variable-length prefixes before the link-layer 5512 * header, or variable-length link-layer headers, here yet. 5513 * We might want to add BPF instructions to do the protochain 5514 * work, to simplify that and, on platforms that have a BPF 5515 * interpreter with the new instructions, let the filtering 5516 * be done in the kernel. (We already require a modified BPF 5517 * engine to do the protochain stuff, to support backward 5518 * branches, and backward branch support is unlikely to appear 5519 * in kernel BPF engines.) 5520 */ 5521 switch (linktype) { 5522 5523 case DLT_IEEE802_11: 5524 case DLT_PRISM_HEADER: 5525 case DLT_IEEE802_11_RADIO_AVS: 5526 case DLT_IEEE802_11_RADIO: 5527 case DLT_PPI: 5528 bpf_error("'protochain' not supported with 802.11"); 5529 } 5530 5531 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5532 5533 /* 5534 * s[0] is a dummy entry to protect other BPF insn from damage 5535 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5536 * hard to find interdependency made by jump table fixup. 5537 */ 5538 i = 0; 5539 s[i] = new_stmt(0); /*dummy*/ 5540 i++; 5541 5542 switch (proto) { 5543 case Q_IP: 5544 b0 = gen_linktype(ETHERTYPE_IP); 5545 5546 /* A = ip->ip_p */ 5547 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5548 s[i]->s.k = off_macpl + off_nl + 9; 5549 i++; 5550 /* X = ip->ip_hl << 2 */ 5551 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5552 s[i]->s.k = off_macpl + off_nl; 5553 i++; 5554 break; 5555 #ifdef INET6 5556 case Q_IPV6: 5557 b0 = gen_linktype(ETHERTYPE_IPV6); 5558 5559 /* A = ip6->ip_nxt */ 5560 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5561 s[i]->s.k = off_macpl + off_nl + 6; 5562 i++; 5563 /* X = sizeof(struct ip6_hdr) */ 5564 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5565 s[i]->s.k = 40; 5566 i++; 5567 break; 5568 #endif 5569 default: 5570 bpf_error("unsupported proto to gen_protochain"); 5571 /*NOTREACHED*/ 5572 } 5573 5574 /* again: if (A == v) goto end; else fall through; */ 5575 again = i; 5576 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5577 s[i]->s.k = v; 5578 s[i]->s.jt = NULL; /*later*/ 5579 s[i]->s.jf = NULL; /*update in next stmt*/ 5580 fix5 = i; 5581 i++; 5582 5583 #ifndef IPPROTO_NONE 5584 #define IPPROTO_NONE 59 5585 #endif 5586 /* if (A == IPPROTO_NONE) goto end */ 5587 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5588 s[i]->s.jt = NULL; /*later*/ 5589 s[i]->s.jf = NULL; /*update in next stmt*/ 5590 s[i]->s.k = IPPROTO_NONE; 5591 s[fix5]->s.jf = s[i]; 5592 fix2 = i; 5593 i++; 5594 5595 #ifdef INET6 5596 if (proto == Q_IPV6) { 5597 int v6start, v6end, v6advance, j; 5598 5599 v6start = i; 5600 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5601 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5602 s[i]->s.jt = NULL; /*later*/ 5603 s[i]->s.jf = NULL; /*update in next stmt*/ 5604 s[i]->s.k = IPPROTO_HOPOPTS; 5605 s[fix2]->s.jf = s[i]; 5606 i++; 5607 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5608 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5609 s[i]->s.jt = NULL; /*later*/ 5610 s[i]->s.jf = NULL; /*update in next stmt*/ 5611 s[i]->s.k = IPPROTO_DSTOPTS; 5612 i++; 5613 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5614 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5615 s[i]->s.jt = NULL; /*later*/ 5616 s[i]->s.jf = NULL; /*update in next stmt*/ 5617 s[i]->s.k = IPPROTO_ROUTING; 5618 i++; 5619 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5620 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5621 s[i]->s.jt = NULL; /*later*/ 5622 s[i]->s.jf = NULL; /*later*/ 5623 s[i]->s.k = IPPROTO_FRAGMENT; 5624 fix3 = i; 5625 v6end = i; 5626 i++; 5627 5628 /* v6advance: */ 5629 v6advance = i; 5630 5631 /* 5632 * in short, 5633 * A = P[X + packet head]; 5634 * X = X + (P[X + packet head + 1] + 1) * 8; 5635 */ 5636 /* A = P[X + packet head] */ 5637 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5638 s[i]->s.k = off_macpl + off_nl; 5639 i++; 5640 /* MEM[reg2] = A */ 5641 s[i] = new_stmt(BPF_ST); 5642 s[i]->s.k = reg2; 5643 i++; 5644 /* A = P[X + packet head + 1]; */ 5645 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5646 s[i]->s.k = off_macpl + off_nl + 1; 5647 i++; 5648 /* A += 1 */ 5649 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5650 s[i]->s.k = 1; 5651 i++; 5652 /* A *= 8 */ 5653 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5654 s[i]->s.k = 8; 5655 i++; 5656 /* A += X */ 5657 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5658 s[i]->s.k = 0; 5659 i++; 5660 /* X = A; */ 5661 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5662 i++; 5663 /* A = MEM[reg2] */ 5664 s[i] = new_stmt(BPF_LD|BPF_MEM); 5665 s[i]->s.k = reg2; 5666 i++; 5667 5668 /* goto again; (must use BPF_JA for backward jump) */ 5669 s[i] = new_stmt(BPF_JMP|BPF_JA); 5670 s[i]->s.k = again - i - 1; 5671 s[i - 1]->s.jf = s[i]; 5672 i++; 5673 5674 /* fixup */ 5675 for (j = v6start; j <= v6end; j++) 5676 s[j]->s.jt = s[v6advance]; 5677 } else 5678 #endif 5679 { 5680 /* nop */ 5681 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5682 s[i]->s.k = 0; 5683 s[fix2]->s.jf = s[i]; 5684 i++; 5685 } 5686 5687 /* ahcheck: */ 5688 ahcheck = i; 5689 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5690 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5691 s[i]->s.jt = NULL; /*later*/ 5692 s[i]->s.jf = NULL; /*later*/ 5693 s[i]->s.k = IPPROTO_AH; 5694 if (fix3) 5695 s[fix3]->s.jf = s[ahcheck]; 5696 fix4 = i; 5697 i++; 5698 5699 /* 5700 * in short, 5701 * A = P[X]; 5702 * X = X + (P[X + 1] + 2) * 4; 5703 */ 5704 /* A = X */ 5705 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5706 i++; 5707 /* A = P[X + packet head]; */ 5708 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5709 s[i]->s.k = off_macpl + off_nl; 5710 i++; 5711 /* MEM[reg2] = A */ 5712 s[i] = new_stmt(BPF_ST); 5713 s[i]->s.k = reg2; 5714 i++; 5715 /* A = X */ 5716 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5717 i++; 5718 /* A += 1 */ 5719 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5720 s[i]->s.k = 1; 5721 i++; 5722 /* X = A */ 5723 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5724 i++; 5725 /* A = P[X + packet head] */ 5726 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5727 s[i]->s.k = off_macpl + off_nl; 5728 i++; 5729 /* A += 2 */ 5730 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5731 s[i]->s.k = 2; 5732 i++; 5733 /* A *= 4 */ 5734 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5735 s[i]->s.k = 4; 5736 i++; 5737 /* X = A; */ 5738 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5739 i++; 5740 /* A = MEM[reg2] */ 5741 s[i] = new_stmt(BPF_LD|BPF_MEM); 5742 s[i]->s.k = reg2; 5743 i++; 5744 5745 /* goto again; (must use BPF_JA for backward jump) */ 5746 s[i] = new_stmt(BPF_JMP|BPF_JA); 5747 s[i]->s.k = again - i - 1; 5748 i++; 5749 5750 /* end: nop */ 5751 end = i; 5752 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5753 s[i]->s.k = 0; 5754 s[fix2]->s.jt = s[end]; 5755 s[fix4]->s.jf = s[end]; 5756 s[fix5]->s.jt = s[end]; 5757 i++; 5758 5759 /* 5760 * make slist chain 5761 */ 5762 max = i; 5763 for (i = 0; i < max - 1; i++) 5764 s[i]->next = s[i + 1]; 5765 s[max - 1]->next = NULL; 5766 5767 /* 5768 * emit final check 5769 */ 5770 b = new_block(JMP(BPF_JEQ)); 5771 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5772 b->s.k = v; 5773 5774 free_reg(reg2); 5775 5776 gen_and(b0, b); 5777 return b; 5778 #endif 5779 } 5780 5781 static struct block * 5782 gen_check_802_11_data_frame() 5783 { 5784 struct slist *s; 5785 struct block *b0, *b1; 5786 5787 /* 5788 * A data frame has the 0x08 bit (b3) in the frame control field set 5789 * and the 0x04 bit (b2) clear. 5790 */ 5791 s = gen_load_a(OR_LINK, 0, BPF_B); 5792 b0 = new_block(JMP(BPF_JSET)); 5793 b0->s.k = 0x08; 5794 b0->stmts = s; 5795 5796 s = gen_load_a(OR_LINK, 0, BPF_B); 5797 b1 = new_block(JMP(BPF_JSET)); 5798 b1->s.k = 0x04; 5799 b1->stmts = s; 5800 gen_not(b1); 5801 5802 gen_and(b1, b0); 5803 5804 return b0; 5805 } 5806 5807 /* 5808 * Generate code that checks whether the packet is a packet for protocol 5809 * <proto> and whether the type field in that protocol's header has 5810 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5811 * IP packet and checks the protocol number in the IP header against <v>. 5812 * 5813 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5814 * against Q_IP and Q_IPV6. 5815 */ 5816 static struct block * 5817 gen_proto(v, proto, dir) 5818 int v; 5819 int proto; 5820 int dir; 5821 { 5822 struct block *b0, *b1; 5823 #ifdef INET6 5824 #ifndef CHASE_CHAIN 5825 struct block *b2; 5826 #endif 5827 #endif 5828 5829 if (dir != Q_DEFAULT) 5830 bpf_error("direction applied to 'proto'"); 5831 5832 switch (proto) { 5833 case Q_DEFAULT: 5834 #ifdef INET6 5835 b0 = gen_proto(v, Q_IP, dir); 5836 b1 = gen_proto(v, Q_IPV6, dir); 5837 gen_or(b0, b1); 5838 return b1; 5839 #else 5840 /*FALLTHROUGH*/ 5841 #endif 5842 case Q_IP: 5843 /* 5844 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5845 * not LLC encapsulation with LLCSAP_IP. 5846 * 5847 * For IEEE 802 networks - which includes 802.5 token ring 5848 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5849 * says that SNAP encapsulation is used, not LLC encapsulation 5850 * with LLCSAP_IP. 5851 * 5852 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5853 * RFC 2225 say that SNAP encapsulation is used, not LLC 5854 * encapsulation with LLCSAP_IP. 5855 * 5856 * So we always check for ETHERTYPE_IP. 5857 */ 5858 b0 = gen_linktype(ETHERTYPE_IP); 5859 #ifndef CHASE_CHAIN 5860 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5861 #else 5862 b1 = gen_protochain(v, Q_IP); 5863 #endif 5864 gen_and(b0, b1); 5865 return b1; 5866 5867 case Q_ISO: 5868 switch (linktype) { 5869 5870 case DLT_FRELAY: 5871 /* 5872 * Frame Relay packets typically have an OSI 5873 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5874 * generates code to check for all the OSI 5875 * NLPIDs, so calling it and then adding a check 5876 * for the particular NLPID for which we're 5877 * looking is bogus, as we can just check for 5878 * the NLPID. 5879 * 5880 * What we check for is the NLPID and a frame 5881 * control field value of UI, i.e. 0x03 followed 5882 * by the NLPID. 5883 * 5884 * XXX - assumes a 2-byte Frame Relay header with 5885 * DLCI and flags. What if the address is longer? 5886 * 5887 * XXX - what about SNAP-encapsulated frames? 5888 */ 5889 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5890 /*NOTREACHED*/ 5891 break; 5892 5893 case DLT_C_HDLC: 5894 /* 5895 * Cisco uses an Ethertype lookalike - for OSI, 5896 * it's 0xfefe. 5897 */ 5898 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5899 /* OSI in C-HDLC is stuffed with a fudge byte */ 5900 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5901 gen_and(b0, b1); 5902 return b1; 5903 5904 default: 5905 b0 = gen_linktype(LLCSAP_ISONS); 5906 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5907 gen_and(b0, b1); 5908 return b1; 5909 } 5910 5911 case Q_ISIS: 5912 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5913 /* 5914 * 4 is the offset of the PDU type relative to the IS-IS 5915 * header. 5916 */ 5917 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5918 gen_and(b0, b1); 5919 return b1; 5920 5921 case Q_ARP: 5922 bpf_error("arp does not encapsulate another protocol"); 5923 /* NOTREACHED */ 5924 5925 case Q_RARP: 5926 bpf_error("rarp does not encapsulate another protocol"); 5927 /* NOTREACHED */ 5928 5929 case Q_ATALK: 5930 bpf_error("atalk encapsulation is not specifiable"); 5931 /* NOTREACHED */ 5932 5933 case Q_DECNET: 5934 bpf_error("decnet encapsulation is not specifiable"); 5935 /* NOTREACHED */ 5936 5937 case Q_SCA: 5938 bpf_error("sca does not encapsulate another protocol"); 5939 /* NOTREACHED */ 5940 5941 case Q_LAT: 5942 bpf_error("lat does not encapsulate another protocol"); 5943 /* NOTREACHED */ 5944 5945 case Q_MOPRC: 5946 bpf_error("moprc does not encapsulate another protocol"); 5947 /* NOTREACHED */ 5948 5949 case Q_MOPDL: 5950 bpf_error("mopdl does not encapsulate another protocol"); 5951 /* NOTREACHED */ 5952 5953 case Q_LINK: 5954 return gen_linktype(v); 5955 5956 case Q_UDP: 5957 bpf_error("'udp proto' is bogus"); 5958 /* NOTREACHED */ 5959 5960 case Q_TCP: 5961 bpf_error("'tcp proto' is bogus"); 5962 /* NOTREACHED */ 5963 5964 case Q_SCTP: 5965 bpf_error("'sctp proto' is bogus"); 5966 /* NOTREACHED */ 5967 5968 case Q_ICMP: 5969 bpf_error("'icmp proto' is bogus"); 5970 /* NOTREACHED */ 5971 5972 case Q_IGMP: 5973 bpf_error("'igmp proto' is bogus"); 5974 /* NOTREACHED */ 5975 5976 case Q_IGRP: 5977 bpf_error("'igrp proto' is bogus"); 5978 /* NOTREACHED */ 5979 5980 case Q_PIM: 5981 bpf_error("'pim proto' is bogus"); 5982 /* NOTREACHED */ 5983 5984 case Q_VRRP: 5985 bpf_error("'vrrp proto' is bogus"); 5986 /* NOTREACHED */ 5987 5988 case Q_CARP: 5989 bpf_error("'carp proto' is bogus"); 5990 /* NOTREACHED */ 5991 5992 #ifdef INET6 5993 case Q_IPV6: 5994 b0 = gen_linktype(ETHERTYPE_IPV6); 5995 #ifndef CHASE_CHAIN 5996 /* 5997 * Also check for a fragment header before the final 5998 * header. 5999 */ 6000 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 6001 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 6002 gen_and(b2, b1); 6003 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 6004 gen_or(b2, b1); 6005 #else 6006 b1 = gen_protochain(v, Q_IPV6); 6007 #endif 6008 gen_and(b0, b1); 6009 return b1; 6010 6011 case Q_ICMPV6: 6012 bpf_error("'icmp6 proto' is bogus"); 6013 #endif /* INET6 */ 6014 6015 case Q_AH: 6016 bpf_error("'ah proto' is bogus"); 6017 6018 case Q_ESP: 6019 bpf_error("'ah proto' is bogus"); 6020 6021 case Q_STP: 6022 bpf_error("'stp proto' is bogus"); 6023 6024 case Q_IPX: 6025 bpf_error("'ipx proto' is bogus"); 6026 6027 case Q_NETBEUI: 6028 bpf_error("'netbeui proto' is bogus"); 6029 6030 case Q_RADIO: 6031 bpf_error("'radio proto' is bogus"); 6032 6033 default: 6034 abort(); 6035 /* NOTREACHED */ 6036 } 6037 /* NOTREACHED */ 6038 } 6039 6040 struct block * 6041 gen_scode(name, q) 6042 register const char *name; 6043 struct qual q; 6044 { 6045 int proto = q.proto; 6046 int dir = q.dir; 6047 int tproto; 6048 u_char *eaddr; 6049 bpf_u_int32 mask, addr; 6050 #ifndef INET6 6051 bpf_u_int32 **alist; 6052 #else 6053 int tproto6; 6054 struct sockaddr_in *sin4; 6055 struct sockaddr_in6 *sin6; 6056 struct addrinfo *res, *res0; 6057 struct in6_addr mask128; 6058 #endif /*INET6*/ 6059 struct block *b, *tmp; 6060 int port, real_proto; 6061 int port1, port2; 6062 6063 switch (q.addr) { 6064 6065 case Q_NET: 6066 addr = pcap_nametonetaddr(name); 6067 if (addr == 0) 6068 bpf_error("unknown network '%s'", name); 6069 /* Left justify network addr and calculate its network mask */ 6070 mask = 0xffffffff; 6071 while (addr && (addr & 0xff000000) == 0) { 6072 addr <<= 8; 6073 mask <<= 8; 6074 } 6075 return gen_host(addr, mask, proto, dir, q.addr); 6076 6077 case Q_DEFAULT: 6078 case Q_HOST: 6079 if (proto == Q_LINK) { 6080 switch (linktype) { 6081 6082 case DLT_EN10MB: 6083 case DLT_NETANALYZER: 6084 case DLT_NETANALYZER_TRANSPARENT: 6085 eaddr = pcap_ether_hostton(name); 6086 if (eaddr == NULL) 6087 bpf_error( 6088 "unknown ether host '%s'", name); 6089 b = gen_ehostop(eaddr, dir); 6090 free(eaddr); 6091 return b; 6092 6093 case DLT_FDDI: 6094 eaddr = pcap_ether_hostton(name); 6095 if (eaddr == NULL) 6096 bpf_error( 6097 "unknown FDDI host '%s'", name); 6098 b = gen_fhostop(eaddr, dir); 6099 free(eaddr); 6100 return b; 6101 6102 case DLT_IEEE802: 6103 eaddr = pcap_ether_hostton(name); 6104 if (eaddr == NULL) 6105 bpf_error( 6106 "unknown token ring host '%s'", name); 6107 b = gen_thostop(eaddr, dir); 6108 free(eaddr); 6109 return b; 6110 6111 case DLT_IEEE802_11: 6112 case DLT_PRISM_HEADER: 6113 case DLT_IEEE802_11_RADIO_AVS: 6114 case DLT_IEEE802_11_RADIO: 6115 case DLT_PPI: 6116 eaddr = pcap_ether_hostton(name); 6117 if (eaddr == NULL) 6118 bpf_error( 6119 "unknown 802.11 host '%s'", name); 6120 b = gen_wlanhostop(eaddr, dir); 6121 free(eaddr); 6122 return b; 6123 6124 case DLT_IP_OVER_FC: 6125 eaddr = pcap_ether_hostton(name); 6126 if (eaddr == NULL) 6127 bpf_error( 6128 "unknown Fibre Channel host '%s'", name); 6129 b = gen_ipfchostop(eaddr, dir); 6130 free(eaddr); 6131 return b; 6132 6133 case DLT_SUNATM: 6134 if (!is_lane) 6135 break; 6136 6137 /* 6138 * Check that the packet doesn't begin 6139 * with an LE Control marker. (We've 6140 * already generated a test for LANE.) 6141 */ 6142 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6143 BPF_H, 0xFF00); 6144 gen_not(tmp); 6145 6146 eaddr = pcap_ether_hostton(name); 6147 if (eaddr == NULL) 6148 bpf_error( 6149 "unknown ether host '%s'", name); 6150 b = gen_ehostop(eaddr, dir); 6151 gen_and(tmp, b); 6152 free(eaddr); 6153 return b; 6154 } 6155 6156 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6157 } else if (proto == Q_DECNET) { 6158 unsigned short dn_addr = __pcap_nametodnaddr(name); 6159 /* 6160 * I don't think DECNET hosts can be multihomed, so 6161 * there is no need to build up a list of addresses 6162 */ 6163 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6164 } else { 6165 #ifndef INET6 6166 alist = pcap_nametoaddr(name); 6167 if (alist == NULL || *alist == NULL) 6168 bpf_error("unknown host '%s'", name); 6169 tproto = proto; 6170 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6171 tproto = Q_IP; 6172 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6173 while (*alist) { 6174 tmp = gen_host(**alist++, 0xffffffff, 6175 tproto, dir, q.addr); 6176 gen_or(b, tmp); 6177 b = tmp; 6178 } 6179 return b; 6180 #else 6181 memset(&mask128, 0xff, sizeof(mask128)); 6182 res0 = res = pcap_nametoaddrinfo(name); 6183 if (res == NULL) 6184 bpf_error("unknown host '%s'", name); 6185 ai = res; 6186 b = tmp = NULL; 6187 tproto = tproto6 = proto; 6188 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6189 tproto = Q_IP; 6190 tproto6 = Q_IPV6; 6191 } 6192 for (res = res0; res; res = res->ai_next) { 6193 switch (res->ai_family) { 6194 case AF_INET: 6195 if (tproto == Q_IPV6) 6196 continue; 6197 6198 sin4 = (struct sockaddr_in *) 6199 res->ai_addr; 6200 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6201 0xffffffff, tproto, dir, q.addr); 6202 break; 6203 case AF_INET6: 6204 if (tproto6 == Q_IP) 6205 continue; 6206 6207 sin6 = (struct sockaddr_in6 *) 6208 res->ai_addr; 6209 tmp = gen_host6(&sin6->sin6_addr, 6210 &mask128, tproto6, dir, q.addr); 6211 break; 6212 default: 6213 continue; 6214 } 6215 if (b) 6216 gen_or(b, tmp); 6217 b = tmp; 6218 } 6219 ai = NULL; 6220 freeaddrinfo(res0); 6221 if (b == NULL) { 6222 bpf_error("unknown host '%s'%s", name, 6223 (proto == Q_DEFAULT) 6224 ? "" 6225 : " for specified address family"); 6226 } 6227 return b; 6228 #endif /*INET6*/ 6229 } 6230 6231 case Q_PORT: 6232 if (proto != Q_DEFAULT && 6233 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6234 bpf_error("illegal qualifier of 'port'"); 6235 if (pcap_nametoport(name, &port, &real_proto) == 0) 6236 bpf_error("unknown port '%s'", name); 6237 if (proto == Q_UDP) { 6238 if (real_proto == IPPROTO_TCP) 6239 bpf_error("port '%s' is tcp", name); 6240 else if (real_proto == IPPROTO_SCTP) 6241 bpf_error("port '%s' is sctp", name); 6242 else 6243 /* override PROTO_UNDEF */ 6244 real_proto = IPPROTO_UDP; 6245 } 6246 if (proto == Q_TCP) { 6247 if (real_proto == IPPROTO_UDP) 6248 bpf_error("port '%s' is udp", name); 6249 6250 else if (real_proto == IPPROTO_SCTP) 6251 bpf_error("port '%s' is sctp", name); 6252 else 6253 /* override PROTO_UNDEF */ 6254 real_proto = IPPROTO_TCP; 6255 } 6256 if (proto == Q_SCTP) { 6257 if (real_proto == IPPROTO_UDP) 6258 bpf_error("port '%s' is udp", name); 6259 6260 else if (real_proto == IPPROTO_TCP) 6261 bpf_error("port '%s' is tcp", name); 6262 else 6263 /* override PROTO_UNDEF */ 6264 real_proto = IPPROTO_SCTP; 6265 } 6266 if (port < 0) 6267 bpf_error("illegal port number %d < 0", port); 6268 if (port > 65535) 6269 bpf_error("illegal port number %d > 65535", port); 6270 #ifndef INET6 6271 return gen_port(port, real_proto, dir); 6272 #else 6273 b = gen_port(port, real_proto, dir); 6274 gen_or(gen_port6(port, real_proto, dir), b); 6275 return b; 6276 #endif /* INET6 */ 6277 6278 case Q_PORTRANGE: 6279 if (proto != Q_DEFAULT && 6280 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6281 bpf_error("illegal qualifier of 'portrange'"); 6282 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6283 bpf_error("unknown port in range '%s'", name); 6284 if (proto == Q_UDP) { 6285 if (real_proto == IPPROTO_TCP) 6286 bpf_error("port in range '%s' is tcp", name); 6287 else if (real_proto == IPPROTO_SCTP) 6288 bpf_error("port in range '%s' is sctp", name); 6289 else 6290 /* override PROTO_UNDEF */ 6291 real_proto = IPPROTO_UDP; 6292 } 6293 if (proto == Q_TCP) { 6294 if (real_proto == IPPROTO_UDP) 6295 bpf_error("port in range '%s' is udp", name); 6296 else if (real_proto == IPPROTO_SCTP) 6297 bpf_error("port in range '%s' is sctp", name); 6298 else 6299 /* override PROTO_UNDEF */ 6300 real_proto = IPPROTO_TCP; 6301 } 6302 if (proto == Q_SCTP) { 6303 if (real_proto == IPPROTO_UDP) 6304 bpf_error("port in range '%s' is udp", name); 6305 else if (real_proto == IPPROTO_TCP) 6306 bpf_error("port in range '%s' is tcp", name); 6307 else 6308 /* override PROTO_UNDEF */ 6309 real_proto = IPPROTO_SCTP; 6310 } 6311 if (port1 < 0) 6312 bpf_error("illegal port number %d < 0", port1); 6313 if (port1 > 65535) 6314 bpf_error("illegal port number %d > 65535", port1); 6315 if (port2 < 0) 6316 bpf_error("illegal port number %d < 0", port2); 6317 if (port2 > 65535) 6318 bpf_error("illegal port number %d > 65535", port2); 6319 6320 #ifndef INET6 6321 return gen_portrange(port1, port2, real_proto, dir); 6322 #else 6323 b = gen_portrange(port1, port2, real_proto, dir); 6324 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6325 return b; 6326 #endif /* INET6 */ 6327 6328 case Q_GATEWAY: 6329 #ifndef INET6 6330 eaddr = pcap_ether_hostton(name); 6331 if (eaddr == NULL) 6332 bpf_error("unknown ether host: %s", name); 6333 6334 alist = pcap_nametoaddr(name); 6335 if (alist == NULL || *alist == NULL) 6336 bpf_error("unknown host '%s'", name); 6337 b = gen_gateway(eaddr, alist, proto, dir); 6338 free(eaddr); 6339 return b; 6340 #else 6341 bpf_error("'gateway' not supported in this configuration"); 6342 #endif /*INET6*/ 6343 6344 case Q_PROTO: 6345 real_proto = lookup_proto(name, proto); 6346 if (real_proto >= 0) 6347 return gen_proto(real_proto, proto, dir); 6348 else 6349 bpf_error("unknown protocol: %s", name); 6350 6351 case Q_PROTOCHAIN: 6352 real_proto = lookup_proto(name, proto); 6353 if (real_proto >= 0) 6354 return gen_protochain(real_proto, proto, dir); 6355 else 6356 bpf_error("unknown protocol: %s", name); 6357 6358 case Q_UNDEF: 6359 syntax(); 6360 /* NOTREACHED */ 6361 } 6362 abort(); 6363 /* NOTREACHED */ 6364 } 6365 6366 struct block * 6367 gen_mcode(s1, s2, masklen, q) 6368 register const char *s1, *s2; 6369 register int masklen; 6370 struct qual q; 6371 { 6372 register int nlen, mlen; 6373 bpf_u_int32 n, m; 6374 6375 nlen = __pcap_atoin(s1, &n); 6376 /* Promote short ipaddr */ 6377 n <<= 32 - nlen; 6378 6379 if (s2 != NULL) { 6380 mlen = __pcap_atoin(s2, &m); 6381 /* Promote short ipaddr */ 6382 m <<= 32 - mlen; 6383 if ((n & ~m) != 0) 6384 bpf_error("non-network bits set in \"%s mask %s\"", 6385 s1, s2); 6386 } else { 6387 /* Convert mask len to mask */ 6388 if (masklen > 32) 6389 bpf_error("mask length must be <= 32"); 6390 if (masklen == 0) { 6391 /* 6392 * X << 32 is not guaranteed by C to be 0; it's 6393 * undefined. 6394 */ 6395 m = 0; 6396 } else 6397 m = 0xffffffff << (32 - masklen); 6398 if ((n & ~m) != 0) 6399 bpf_error("non-network bits set in \"%s/%d\"", 6400 s1, masklen); 6401 } 6402 6403 switch (q.addr) { 6404 6405 case Q_NET: 6406 return gen_host(n, m, q.proto, q.dir, q.addr); 6407 6408 default: 6409 bpf_error("Mask syntax for networks only"); 6410 /* NOTREACHED */ 6411 } 6412 /* NOTREACHED */ 6413 return NULL; 6414 } 6415 6416 struct block * 6417 gen_ncode(s, v, q) 6418 register const char *s; 6419 bpf_u_int32 v; 6420 struct qual q; 6421 { 6422 bpf_u_int32 mask; 6423 int proto = q.proto; 6424 int dir = q.dir; 6425 register int vlen; 6426 6427 if (s == NULL) 6428 vlen = 32; 6429 else if (q.proto == Q_DECNET) 6430 vlen = __pcap_atodn(s, &v); 6431 else 6432 vlen = __pcap_atoin(s, &v); 6433 6434 switch (q.addr) { 6435 6436 case Q_DEFAULT: 6437 case Q_HOST: 6438 case Q_NET: 6439 if (proto == Q_DECNET) 6440 return gen_host(v, 0, proto, dir, q.addr); 6441 else if (proto == Q_LINK) { 6442 bpf_error("illegal link layer address"); 6443 } else { 6444 mask = 0xffffffff; 6445 if (s == NULL && q.addr == Q_NET) { 6446 /* Promote short net number */ 6447 while (v && (v & 0xff000000) == 0) { 6448 v <<= 8; 6449 mask <<= 8; 6450 } 6451 } else { 6452 /* Promote short ipaddr */ 6453 v <<= 32 - vlen; 6454 mask <<= 32 - vlen; 6455 } 6456 return gen_host(v, mask, proto, dir, q.addr); 6457 } 6458 6459 case Q_PORT: 6460 if (proto == Q_UDP) 6461 proto = IPPROTO_UDP; 6462 else if (proto == Q_TCP) 6463 proto = IPPROTO_TCP; 6464 else if (proto == Q_SCTP) 6465 proto = IPPROTO_SCTP; 6466 else if (proto == Q_DEFAULT) 6467 proto = PROTO_UNDEF; 6468 else 6469 bpf_error("illegal qualifier of 'port'"); 6470 6471 if (v > 65535) 6472 bpf_error("illegal port number %u > 65535", v); 6473 6474 #ifndef INET6 6475 return gen_port((int)v, proto, dir); 6476 #else 6477 { 6478 struct block *b; 6479 b = gen_port((int)v, proto, dir); 6480 gen_or(gen_port6((int)v, proto, dir), b); 6481 return b; 6482 } 6483 #endif /* INET6 */ 6484 6485 case Q_PORTRANGE: 6486 if (proto == Q_UDP) 6487 proto = IPPROTO_UDP; 6488 else if (proto == Q_TCP) 6489 proto = IPPROTO_TCP; 6490 else if (proto == Q_SCTP) 6491 proto = IPPROTO_SCTP; 6492 else if (proto == Q_DEFAULT) 6493 proto = PROTO_UNDEF; 6494 else 6495 bpf_error("illegal qualifier of 'portrange'"); 6496 6497 if (v > 65535) 6498 bpf_error("illegal port number %u > 65535", v); 6499 6500 #ifndef INET6 6501 return gen_portrange((int)v, (int)v, proto, dir); 6502 #else 6503 { 6504 struct block *b; 6505 b = gen_portrange((int)v, (int)v, proto, dir); 6506 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6507 return b; 6508 } 6509 #endif /* INET6 */ 6510 6511 case Q_GATEWAY: 6512 bpf_error("'gateway' requires a name"); 6513 /* NOTREACHED */ 6514 6515 case Q_PROTO: 6516 return gen_proto((int)v, proto, dir); 6517 6518 case Q_PROTOCHAIN: 6519 return gen_protochain((int)v, proto, dir); 6520 6521 case Q_UNDEF: 6522 syntax(); 6523 /* NOTREACHED */ 6524 6525 default: 6526 abort(); 6527 /* NOTREACHED */ 6528 } 6529 /* NOTREACHED */ 6530 } 6531 6532 #ifdef INET6 6533 struct block * 6534 gen_mcode6(s1, s2, masklen, q) 6535 register const char *s1, *s2; 6536 register int masklen; 6537 struct qual q; 6538 { 6539 struct addrinfo *res; 6540 struct in6_addr *addr; 6541 struct in6_addr mask; 6542 struct block *b; 6543 u_int32_t *a, *m; 6544 6545 if (s2) 6546 bpf_error("no mask %s supported", s2); 6547 6548 res = pcap_nametoaddrinfo(s1); 6549 if (!res) 6550 bpf_error("invalid ip6 address %s", s1); 6551 ai = res; 6552 if (res->ai_next) 6553 bpf_error("%s resolved to multiple address", s1); 6554 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6555 6556 if (sizeof(mask) * 8 < masklen) 6557 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6558 memset(&mask, 0, sizeof(mask)); 6559 memset(&mask, 0xff, masklen / 8); 6560 if (masklen % 8) { 6561 mask.s6_addr[masklen / 8] = 6562 (0xff << (8 - masklen % 8)) & 0xff; 6563 } 6564 6565 a = (u_int32_t *)addr; 6566 m = (u_int32_t *)&mask; 6567 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6568 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6569 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6570 } 6571 6572 switch (q.addr) { 6573 6574 case Q_DEFAULT: 6575 case Q_HOST: 6576 if (masklen != 128) 6577 bpf_error("Mask syntax for networks only"); 6578 /* FALLTHROUGH */ 6579 6580 case Q_NET: 6581 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6582 ai = NULL; 6583 freeaddrinfo(res); 6584 return b; 6585 6586 default: 6587 bpf_error("invalid qualifier against IPv6 address"); 6588 /* NOTREACHED */ 6589 } 6590 return NULL; 6591 } 6592 #endif /*INET6*/ 6593 6594 struct block * 6595 gen_ecode(eaddr, q) 6596 register const u_char *eaddr; 6597 struct qual q; 6598 { 6599 struct block *b, *tmp; 6600 6601 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6602 switch (linktype) { 6603 case DLT_EN10MB: 6604 case DLT_NETANALYZER: 6605 case DLT_NETANALYZER_TRANSPARENT: 6606 return gen_ehostop(eaddr, (int)q.dir); 6607 case DLT_FDDI: 6608 return gen_fhostop(eaddr, (int)q.dir); 6609 case DLT_IEEE802: 6610 return gen_thostop(eaddr, (int)q.dir); 6611 case DLT_IEEE802_11: 6612 case DLT_PRISM_HEADER: 6613 case DLT_IEEE802_11_RADIO_AVS: 6614 case DLT_IEEE802_11_RADIO: 6615 case DLT_PPI: 6616 return gen_wlanhostop(eaddr, (int)q.dir); 6617 case DLT_SUNATM: 6618 if (is_lane) { 6619 /* 6620 * Check that the packet doesn't begin with an 6621 * LE Control marker. (We've already generated 6622 * a test for LANE.) 6623 */ 6624 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6625 0xFF00); 6626 gen_not(tmp); 6627 6628 /* 6629 * Now check the MAC address. 6630 */ 6631 b = gen_ehostop(eaddr, (int)q.dir); 6632 gen_and(tmp, b); 6633 return b; 6634 } 6635 break; 6636 case DLT_IP_OVER_FC: 6637 return gen_ipfchostop(eaddr, (int)q.dir); 6638 default: 6639 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6640 break; 6641 } 6642 } 6643 bpf_error("ethernet address used in non-ether expression"); 6644 /* NOTREACHED */ 6645 return NULL; 6646 } 6647 6648 void 6649 sappend(s0, s1) 6650 struct slist *s0, *s1; 6651 { 6652 /* 6653 * This is definitely not the best way to do this, but the 6654 * lists will rarely get long. 6655 */ 6656 while (s0->next) 6657 s0 = s0->next; 6658 s0->next = s1; 6659 } 6660 6661 static struct slist * 6662 xfer_to_x(a) 6663 struct arth *a; 6664 { 6665 struct slist *s; 6666 6667 s = new_stmt(BPF_LDX|BPF_MEM); 6668 s->s.k = a->regno; 6669 return s; 6670 } 6671 6672 static struct slist * 6673 xfer_to_a(a) 6674 struct arth *a; 6675 { 6676 struct slist *s; 6677 6678 s = new_stmt(BPF_LD|BPF_MEM); 6679 s->s.k = a->regno; 6680 return s; 6681 } 6682 6683 /* 6684 * Modify "index" to use the value stored into its register as an 6685 * offset relative to the beginning of the header for the protocol 6686 * "proto", and allocate a register and put an item "size" bytes long 6687 * (1, 2, or 4) at that offset into that register, making it the register 6688 * for "index". 6689 */ 6690 struct arth * 6691 gen_load(proto, inst, size) 6692 int proto; 6693 struct arth *inst; 6694 int size; 6695 { 6696 struct slist *s, *tmp; 6697 struct block *b; 6698 int regno = alloc_reg(); 6699 6700 free_reg(inst->regno); 6701 switch (size) { 6702 6703 default: 6704 bpf_error("data size must be 1, 2, or 4"); 6705 6706 case 1: 6707 size = BPF_B; 6708 break; 6709 6710 case 2: 6711 size = BPF_H; 6712 break; 6713 6714 case 4: 6715 size = BPF_W; 6716 break; 6717 } 6718 switch (proto) { 6719 default: 6720 bpf_error("unsupported index operation"); 6721 6722 case Q_RADIO: 6723 /* 6724 * The offset is relative to the beginning of the packet 6725 * data, if we have a radio header. (If we don't, this 6726 * is an error.) 6727 */ 6728 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6729 linktype != DLT_IEEE802_11_RADIO && 6730 linktype != DLT_PRISM_HEADER) 6731 bpf_error("radio information not present in capture"); 6732 6733 /* 6734 * Load into the X register the offset computed into the 6735 * register specified by "index". 6736 */ 6737 s = xfer_to_x(inst); 6738 6739 /* 6740 * Load the item at that offset. 6741 */ 6742 tmp = new_stmt(BPF_LD|BPF_IND|size); 6743 sappend(s, tmp); 6744 sappend(inst->s, s); 6745 break; 6746 6747 case Q_LINK: 6748 /* 6749 * The offset is relative to the beginning of 6750 * the link-layer header. 6751 * 6752 * XXX - what about ATM LANE? Should the index be 6753 * relative to the beginning of the AAL5 frame, so 6754 * that 0 refers to the beginning of the LE Control 6755 * field, or relative to the beginning of the LAN 6756 * frame, so that 0 refers, for Ethernet LANE, to 6757 * the beginning of the destination address? 6758 */ 6759 s = gen_llprefixlen(); 6760 6761 /* 6762 * If "s" is non-null, it has code to arrange that the 6763 * X register contains the length of the prefix preceding 6764 * the link-layer header. Add to it the offset computed 6765 * into the register specified by "index", and move that 6766 * into the X register. Otherwise, just load into the X 6767 * register the offset computed into the register specified 6768 * by "index". 6769 */ 6770 if (s != NULL) { 6771 sappend(s, xfer_to_a(inst)); 6772 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6773 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6774 } else 6775 s = xfer_to_x(inst); 6776 6777 /* 6778 * Load the item at the sum of the offset we've put in the 6779 * X register and the offset of the start of the link 6780 * layer header (which is 0 if the radio header is 6781 * variable-length; that header length is what we put 6782 * into the X register and then added to the index). 6783 */ 6784 tmp = new_stmt(BPF_LD|BPF_IND|size); 6785 tmp->s.k = off_ll; 6786 sappend(s, tmp); 6787 sappend(inst->s, s); 6788 break; 6789 6790 case Q_IP: 6791 case Q_ARP: 6792 case Q_RARP: 6793 case Q_ATALK: 6794 case Q_DECNET: 6795 case Q_SCA: 6796 case Q_LAT: 6797 case Q_MOPRC: 6798 case Q_MOPDL: 6799 #ifdef INET6 6800 case Q_IPV6: 6801 #endif 6802 /* 6803 * The offset is relative to the beginning of 6804 * the network-layer header. 6805 * XXX - are there any cases where we want 6806 * off_nl_nosnap? 6807 */ 6808 s = gen_off_macpl(); 6809 6810 /* 6811 * If "s" is non-null, it has code to arrange that the 6812 * X register contains the offset of the MAC-layer 6813 * payload. Add to it the offset computed into the 6814 * register specified by "index", and move that into 6815 * the X register. Otherwise, just load into the X 6816 * register the offset computed into the register specified 6817 * by "index". 6818 */ 6819 if (s != NULL) { 6820 sappend(s, xfer_to_a(inst)); 6821 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6822 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6823 } else 6824 s = xfer_to_x(inst); 6825 6826 /* 6827 * Load the item at the sum of the offset we've put in the 6828 * X register, the offset of the start of the network 6829 * layer header from the beginning of the MAC-layer 6830 * payload, and the purported offset of the start of the 6831 * MAC-layer payload (which might be 0 if there's a 6832 * variable-length prefix before the link-layer header 6833 * or the link-layer header itself is variable-length; 6834 * the variable-length offset of the start of the 6835 * MAC-layer payload is what we put into the X register 6836 * and then added to the index). 6837 */ 6838 tmp = new_stmt(BPF_LD|BPF_IND|size); 6839 tmp->s.k = off_macpl + off_nl; 6840 sappend(s, tmp); 6841 sappend(inst->s, s); 6842 6843 /* 6844 * Do the computation only if the packet contains 6845 * the protocol in question. 6846 */ 6847 b = gen_proto_abbrev(proto); 6848 if (inst->b) 6849 gen_and(inst->b, b); 6850 inst->b = b; 6851 break; 6852 6853 case Q_SCTP: 6854 case Q_TCP: 6855 case Q_UDP: 6856 case Q_ICMP: 6857 case Q_IGMP: 6858 case Q_IGRP: 6859 case Q_PIM: 6860 case Q_VRRP: 6861 case Q_CARP: 6862 /* 6863 * The offset is relative to the beginning of 6864 * the transport-layer header. 6865 * 6866 * Load the X register with the length of the IPv4 header 6867 * (plus the offset of the link-layer header, if it's 6868 * a variable-length header), in bytes. 6869 * 6870 * XXX - are there any cases where we want 6871 * off_nl_nosnap? 6872 * XXX - we should, if we're built with 6873 * IPv6 support, generate code to load either 6874 * IPv4, IPv6, or both, as appropriate. 6875 */ 6876 s = gen_loadx_iphdrlen(); 6877 6878 /* 6879 * The X register now contains the sum of the length 6880 * of any variable-length header preceding the link-layer 6881 * header, any variable-length link-layer header, and the 6882 * length of the network-layer header. 6883 * 6884 * Load into the A register the offset relative to 6885 * the beginning of the transport layer header, 6886 * add the X register to that, move that to the 6887 * X register, and load with an offset from the 6888 * X register equal to the offset of the network 6889 * layer header relative to the beginning of 6890 * the MAC-layer payload plus the fixed-length 6891 * portion of the offset of the MAC-layer payload 6892 * from the beginning of the raw packet data. 6893 */ 6894 sappend(s, xfer_to_a(inst)); 6895 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6896 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6897 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6898 tmp->s.k = off_macpl + off_nl; 6899 sappend(inst->s, s); 6900 6901 /* 6902 * Do the computation only if the packet contains 6903 * the protocol in question - which is true only 6904 * if this is an IP datagram and is the first or 6905 * only fragment of that datagram. 6906 */ 6907 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6908 if (inst->b) 6909 gen_and(inst->b, b); 6910 #ifdef INET6 6911 gen_and(gen_proto_abbrev(Q_IP), b); 6912 #endif 6913 inst->b = b; 6914 break; 6915 #ifdef INET6 6916 case Q_ICMPV6: 6917 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6918 /*NOTREACHED*/ 6919 #endif 6920 } 6921 inst->regno = regno; 6922 s = new_stmt(BPF_ST); 6923 s->s.k = regno; 6924 sappend(inst->s, s); 6925 6926 return inst; 6927 } 6928 6929 struct block * 6930 gen_relation(code, a0, a1, reversed) 6931 int code; 6932 struct arth *a0, *a1; 6933 int reversed; 6934 { 6935 struct slist *s0, *s1, *s2; 6936 struct block *b, *tmp; 6937 6938 s0 = xfer_to_x(a1); 6939 s1 = xfer_to_a(a0); 6940 if (code == BPF_JEQ) { 6941 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6942 b = new_block(JMP(code)); 6943 sappend(s1, s2); 6944 } 6945 else 6946 b = new_block(BPF_JMP|code|BPF_X); 6947 if (reversed) 6948 gen_not(b); 6949 6950 sappend(s0, s1); 6951 sappend(a1->s, s0); 6952 sappend(a0->s, a1->s); 6953 6954 b->stmts = a0->s; 6955 6956 free_reg(a0->regno); 6957 free_reg(a1->regno); 6958 6959 /* 'and' together protocol checks */ 6960 if (a0->b) { 6961 if (a1->b) { 6962 gen_and(a0->b, tmp = a1->b); 6963 } 6964 else 6965 tmp = a0->b; 6966 } else 6967 tmp = a1->b; 6968 6969 if (tmp) 6970 gen_and(tmp, b); 6971 6972 return b; 6973 } 6974 6975 struct arth * 6976 gen_loadlen() 6977 { 6978 int regno = alloc_reg(); 6979 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6980 struct slist *s; 6981 6982 s = new_stmt(BPF_LD|BPF_LEN); 6983 s->next = new_stmt(BPF_ST); 6984 s->next->s.k = regno; 6985 a->s = s; 6986 a->regno = regno; 6987 6988 return a; 6989 } 6990 6991 struct arth * 6992 gen_loadi(val) 6993 int val; 6994 { 6995 struct arth *a; 6996 struct slist *s; 6997 int reg; 6998 6999 a = (struct arth *)newchunk(sizeof(*a)); 7000 7001 reg = alloc_reg(); 7002 7003 s = new_stmt(BPF_LD|BPF_IMM); 7004 s->s.k = val; 7005 s->next = new_stmt(BPF_ST); 7006 s->next->s.k = reg; 7007 a->s = s; 7008 a->regno = reg; 7009 7010 return a; 7011 } 7012 7013 struct arth * 7014 gen_neg(a) 7015 struct arth *a; 7016 { 7017 struct slist *s; 7018 7019 s = xfer_to_a(a); 7020 sappend(a->s, s); 7021 s = new_stmt(BPF_ALU|BPF_NEG); 7022 s->s.k = 0; 7023 sappend(a->s, s); 7024 s = new_stmt(BPF_ST); 7025 s->s.k = a->regno; 7026 sappend(a->s, s); 7027 7028 return a; 7029 } 7030 7031 struct arth * 7032 gen_arth(code, a0, a1) 7033 int code; 7034 struct arth *a0, *a1; 7035 { 7036 struct slist *s0, *s1, *s2; 7037 7038 s0 = xfer_to_x(a1); 7039 s1 = xfer_to_a(a0); 7040 s2 = new_stmt(BPF_ALU|BPF_X|code); 7041 7042 sappend(s1, s2); 7043 sappend(s0, s1); 7044 sappend(a1->s, s0); 7045 sappend(a0->s, a1->s); 7046 7047 free_reg(a0->regno); 7048 free_reg(a1->regno); 7049 7050 s0 = new_stmt(BPF_ST); 7051 a0->regno = s0->s.k = alloc_reg(); 7052 sappend(a0->s, s0); 7053 7054 return a0; 7055 } 7056 7057 /* 7058 * Here we handle simple allocation of the scratch registers. 7059 * If too many registers are alloc'd, the allocator punts. 7060 */ 7061 static int regused[BPF_MEMWORDS]; 7062 static int curreg; 7063 7064 /* 7065 * Initialize the table of used registers and the current register. 7066 */ 7067 static void 7068 init_regs() 7069 { 7070 curreg = 0; 7071 memset(regused, 0, sizeof regused); 7072 } 7073 7074 /* 7075 * Return the next free register. 7076 */ 7077 static int 7078 alloc_reg() 7079 { 7080 int n = BPF_MEMWORDS; 7081 7082 while (--n >= 0) { 7083 if (regused[curreg]) 7084 curreg = (curreg + 1) % BPF_MEMWORDS; 7085 else { 7086 regused[curreg] = 1; 7087 return curreg; 7088 } 7089 } 7090 bpf_error("too many registers needed to evaluate expression"); 7091 /* NOTREACHED */ 7092 return 0; 7093 } 7094 7095 /* 7096 * Return a register to the table so it can 7097 * be used later. 7098 */ 7099 static void 7100 free_reg(n) 7101 int n; 7102 { 7103 regused[n] = 0; 7104 } 7105 7106 static struct block * 7107 gen_len(jmp, n) 7108 int jmp, n; 7109 { 7110 struct slist *s; 7111 struct block *b; 7112 7113 s = new_stmt(BPF_LD|BPF_LEN); 7114 b = new_block(JMP(jmp)); 7115 b->stmts = s; 7116 b->s.k = n; 7117 7118 return b; 7119 } 7120 7121 struct block * 7122 gen_greater(n) 7123 int n; 7124 { 7125 return gen_len(BPF_JGE, n); 7126 } 7127 7128 /* 7129 * Actually, this is less than or equal. 7130 */ 7131 struct block * 7132 gen_less(n) 7133 int n; 7134 { 7135 struct block *b; 7136 7137 b = gen_len(BPF_JGT, n); 7138 gen_not(b); 7139 7140 return b; 7141 } 7142 7143 /* 7144 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7145 * the beginning of the link-layer header. 7146 * XXX - that means you can't test values in the radiotap header, but 7147 * as that header is difficult if not impossible to parse generally 7148 * without a loop, that might not be a severe problem. A new keyword 7149 * "radio" could be added for that, although what you'd really want 7150 * would be a way of testing particular radio header values, which 7151 * would generate code appropriate to the radio header in question. 7152 */ 7153 struct block * 7154 gen_byteop(op, idx, val) 7155 int op, idx, val; 7156 { 7157 struct block *b; 7158 struct slist *s; 7159 7160 switch (op) { 7161 default: 7162 abort(); 7163 7164 case '=': 7165 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7166 7167 case '<': 7168 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7169 return b; 7170 7171 case '>': 7172 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7173 return b; 7174 7175 case '|': 7176 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7177 break; 7178 7179 case '&': 7180 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7181 break; 7182 } 7183 s->s.k = val; 7184 b = new_block(JMP(BPF_JEQ)); 7185 b->stmts = s; 7186 gen_not(b); 7187 7188 return b; 7189 } 7190 7191 static u_char abroadcast[] = { 0x0 }; 7192 7193 struct block * 7194 gen_broadcast(proto) 7195 int proto; 7196 { 7197 bpf_u_int32 hostmask; 7198 struct block *b0, *b1, *b2; 7199 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7200 7201 switch (proto) { 7202 7203 case Q_DEFAULT: 7204 case Q_LINK: 7205 switch (linktype) { 7206 case DLT_ARCNET: 7207 case DLT_ARCNET_LINUX: 7208 return gen_ahostop(abroadcast, Q_DST); 7209 case DLT_EN10MB: 7210 case DLT_NETANALYZER: 7211 case DLT_NETANALYZER_TRANSPARENT: 7212 return gen_ehostop(ebroadcast, Q_DST); 7213 case DLT_FDDI: 7214 return gen_fhostop(ebroadcast, Q_DST); 7215 case DLT_IEEE802: 7216 return gen_thostop(ebroadcast, Q_DST); 7217 case DLT_IEEE802_11: 7218 case DLT_PRISM_HEADER: 7219 case DLT_IEEE802_11_RADIO_AVS: 7220 case DLT_IEEE802_11_RADIO: 7221 case DLT_PPI: 7222 return gen_wlanhostop(ebroadcast, Q_DST); 7223 case DLT_IP_OVER_FC: 7224 return gen_ipfchostop(ebroadcast, Q_DST); 7225 case DLT_SUNATM: 7226 if (is_lane) { 7227 /* 7228 * Check that the packet doesn't begin with an 7229 * LE Control marker. (We've already generated 7230 * a test for LANE.) 7231 */ 7232 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7233 BPF_H, 0xFF00); 7234 gen_not(b1); 7235 7236 /* 7237 * Now check the MAC address. 7238 */ 7239 b0 = gen_ehostop(ebroadcast, Q_DST); 7240 gen_and(b1, b0); 7241 return b0; 7242 } 7243 break; 7244 default: 7245 bpf_error("not a broadcast link"); 7246 } 7247 break; 7248 7249 case Q_IP: 7250 /* 7251 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7252 * as an indication that we don't know the netmask, and fail 7253 * in that case. 7254 */ 7255 if (netmask == PCAP_NETMASK_UNKNOWN) 7256 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7257 b0 = gen_linktype(ETHERTYPE_IP); 7258 hostmask = ~netmask; 7259 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7260 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7261 (bpf_int32)(~0 & hostmask), hostmask); 7262 gen_or(b1, b2); 7263 gen_and(b0, b2); 7264 return b2; 7265 } 7266 bpf_error("only link-layer/IP broadcast filters supported"); 7267 /* NOTREACHED */ 7268 return NULL; 7269 } 7270 7271 /* 7272 * Generate code to test the low-order bit of a MAC address (that's 7273 * the bottom bit of the *first* byte). 7274 */ 7275 static struct block * 7276 gen_mac_multicast(offset) 7277 int offset; 7278 { 7279 register struct block *b0; 7280 register struct slist *s; 7281 7282 /* link[offset] & 1 != 0 */ 7283 s = gen_load_a(OR_LINK, offset, BPF_B); 7284 b0 = new_block(JMP(BPF_JSET)); 7285 b0->s.k = 1; 7286 b0->stmts = s; 7287 return b0; 7288 } 7289 7290 struct block * 7291 gen_multicast(proto) 7292 int proto; 7293 { 7294 register struct block *b0, *b1, *b2; 7295 register struct slist *s; 7296 7297 switch (proto) { 7298 7299 case Q_DEFAULT: 7300 case Q_LINK: 7301 switch (linktype) { 7302 case DLT_ARCNET: 7303 case DLT_ARCNET_LINUX: 7304 /* all ARCnet multicasts use the same address */ 7305 return gen_ahostop(abroadcast, Q_DST); 7306 case DLT_EN10MB: 7307 case DLT_NETANALYZER: 7308 case DLT_NETANALYZER_TRANSPARENT: 7309 /* ether[0] & 1 != 0 */ 7310 return gen_mac_multicast(0); 7311 case DLT_FDDI: 7312 /* 7313 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7314 * 7315 * XXX - was that referring to bit-order issues? 7316 */ 7317 /* fddi[1] & 1 != 0 */ 7318 return gen_mac_multicast(1); 7319 case DLT_IEEE802: 7320 /* tr[2] & 1 != 0 */ 7321 return gen_mac_multicast(2); 7322 case DLT_IEEE802_11: 7323 case DLT_PRISM_HEADER: 7324 case DLT_IEEE802_11_RADIO_AVS: 7325 case DLT_IEEE802_11_RADIO: 7326 case DLT_PPI: 7327 /* 7328 * Oh, yuk. 7329 * 7330 * For control frames, there is no DA. 7331 * 7332 * For management frames, DA is at an 7333 * offset of 4 from the beginning of 7334 * the packet. 7335 * 7336 * For data frames, DA is at an offset 7337 * of 4 from the beginning of the packet 7338 * if To DS is clear and at an offset of 7339 * 16 from the beginning of the packet 7340 * if To DS is set. 7341 */ 7342 7343 /* 7344 * Generate the tests to be done for data frames. 7345 * 7346 * First, check for To DS set, i.e. "link[1] & 0x01". 7347 */ 7348 s = gen_load_a(OR_LINK, 1, BPF_B); 7349 b1 = new_block(JMP(BPF_JSET)); 7350 b1->s.k = 0x01; /* To DS */ 7351 b1->stmts = s; 7352 7353 /* 7354 * If To DS is set, the DA is at 16. 7355 */ 7356 b0 = gen_mac_multicast(16); 7357 gen_and(b1, b0); 7358 7359 /* 7360 * Now, check for To DS not set, i.e. check 7361 * "!(link[1] & 0x01)". 7362 */ 7363 s = gen_load_a(OR_LINK, 1, BPF_B); 7364 b2 = new_block(JMP(BPF_JSET)); 7365 b2->s.k = 0x01; /* To DS */ 7366 b2->stmts = s; 7367 gen_not(b2); 7368 7369 /* 7370 * If To DS is not set, the DA is at 4. 7371 */ 7372 b1 = gen_mac_multicast(4); 7373 gen_and(b2, b1); 7374 7375 /* 7376 * Now OR together the last two checks. That gives 7377 * the complete set of checks for data frames. 7378 */ 7379 gen_or(b1, b0); 7380 7381 /* 7382 * Now check for a data frame. 7383 * I.e, check "link[0] & 0x08". 7384 */ 7385 s = gen_load_a(OR_LINK, 0, BPF_B); 7386 b1 = new_block(JMP(BPF_JSET)); 7387 b1->s.k = 0x08; 7388 b1->stmts = s; 7389 7390 /* 7391 * AND that with the checks done for data frames. 7392 */ 7393 gen_and(b1, b0); 7394 7395 /* 7396 * If the high-order bit of the type value is 0, this 7397 * is a management frame. 7398 * I.e, check "!(link[0] & 0x08)". 7399 */ 7400 s = gen_load_a(OR_LINK, 0, BPF_B); 7401 b2 = new_block(JMP(BPF_JSET)); 7402 b2->s.k = 0x08; 7403 b2->stmts = s; 7404 gen_not(b2); 7405 7406 /* 7407 * For management frames, the DA is at 4. 7408 */ 7409 b1 = gen_mac_multicast(4); 7410 gen_and(b2, b1); 7411 7412 /* 7413 * OR that with the checks done for data frames. 7414 * That gives the checks done for management and 7415 * data frames. 7416 */ 7417 gen_or(b1, b0); 7418 7419 /* 7420 * If the low-order bit of the type value is 1, 7421 * this is either a control frame or a frame 7422 * with a reserved type, and thus not a 7423 * frame with an SA. 7424 * 7425 * I.e., check "!(link[0] & 0x04)". 7426 */ 7427 s = gen_load_a(OR_LINK, 0, BPF_B); 7428 b1 = new_block(JMP(BPF_JSET)); 7429 b1->s.k = 0x04; 7430 b1->stmts = s; 7431 gen_not(b1); 7432 7433 /* 7434 * AND that with the checks for data and management 7435 * frames. 7436 */ 7437 gen_and(b1, b0); 7438 return b0; 7439 case DLT_IP_OVER_FC: 7440 b0 = gen_mac_multicast(2); 7441 return b0; 7442 case DLT_SUNATM: 7443 if (is_lane) { 7444 /* 7445 * Check that the packet doesn't begin with an 7446 * LE Control marker. (We've already generated 7447 * a test for LANE.) 7448 */ 7449 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7450 BPF_H, 0xFF00); 7451 gen_not(b1); 7452 7453 /* ether[off_mac] & 1 != 0 */ 7454 b0 = gen_mac_multicast(off_mac); 7455 gen_and(b1, b0); 7456 return b0; 7457 } 7458 break; 7459 default: 7460 break; 7461 } 7462 /* Link not known to support multicasts */ 7463 break; 7464 7465 case Q_IP: 7466 b0 = gen_linktype(ETHERTYPE_IP); 7467 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7468 gen_and(b0, b1); 7469 return b1; 7470 7471 #ifdef INET6 7472 case Q_IPV6: 7473 b0 = gen_linktype(ETHERTYPE_IPV6); 7474 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7475 gen_and(b0, b1); 7476 return b1; 7477 #endif /* INET6 */ 7478 } 7479 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7480 /* NOTREACHED */ 7481 return NULL; 7482 } 7483 7484 /* 7485 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7486 * Outbound traffic is sent by this machine, while inbound traffic is 7487 * sent by a remote machine (and may include packets destined for a 7488 * unicast or multicast link-layer address we are not subscribing to). 7489 * These are the same definitions implemented by pcap_setdirection(). 7490 * Capturing only unicast traffic destined for this host is probably 7491 * better accomplished using a higher-layer filter. 7492 */ 7493 struct block * 7494 gen_inbound(dir) 7495 int dir; 7496 { 7497 register struct block *b0; 7498 7499 /* 7500 * Only some data link types support inbound/outbound qualifiers. 7501 */ 7502 switch (linktype) { 7503 case DLT_SLIP: 7504 b0 = gen_relation(BPF_JEQ, 7505 gen_load(Q_LINK, gen_loadi(0), 1), 7506 gen_loadi(0), 7507 dir); 7508 break; 7509 7510 case DLT_IPNET: 7511 if (dir) { 7512 /* match outgoing packets */ 7513 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7514 } else { 7515 /* match incoming packets */ 7516 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7517 } 7518 break; 7519 7520 case DLT_LINUX_SLL: 7521 /* match outgoing packets */ 7522 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7523 if (!dir) { 7524 /* to filter on inbound traffic, invert the match */ 7525 gen_not(b0); 7526 } 7527 break; 7528 7529 #ifdef HAVE_NET_PFVAR_H 7530 case DLT_PFLOG: 7531 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7532 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7533 break; 7534 #endif 7535 7536 case DLT_PPP_PPPD: 7537 if (dir) { 7538 /* match outgoing packets */ 7539 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7540 } else { 7541 /* match incoming packets */ 7542 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7543 } 7544 break; 7545 7546 case DLT_JUNIPER_MFR: 7547 case DLT_JUNIPER_MLFR: 7548 case DLT_JUNIPER_MLPPP: 7549 case DLT_JUNIPER_ATM1: 7550 case DLT_JUNIPER_ATM2: 7551 case DLT_JUNIPER_PPPOE: 7552 case DLT_JUNIPER_PPPOE_ATM: 7553 case DLT_JUNIPER_GGSN: 7554 case DLT_JUNIPER_ES: 7555 case DLT_JUNIPER_MONITOR: 7556 case DLT_JUNIPER_SERVICES: 7557 case DLT_JUNIPER_ETHER: 7558 case DLT_JUNIPER_PPP: 7559 case DLT_JUNIPER_FRELAY: 7560 case DLT_JUNIPER_CHDLC: 7561 case DLT_JUNIPER_VP: 7562 case DLT_JUNIPER_ST: 7563 case DLT_JUNIPER_ISM: 7564 case DLT_JUNIPER_VS: 7565 case DLT_JUNIPER_SRX_E2E: 7566 case DLT_JUNIPER_FIBRECHANNEL: 7567 case DLT_JUNIPER_ATM_CEMIC: 7568 7569 /* juniper flags (including direction) are stored 7570 * the byte after the 3-byte magic number */ 7571 if (dir) { 7572 /* match outgoing packets */ 7573 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7574 } else { 7575 /* match incoming packets */ 7576 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7577 } 7578 break; 7579 7580 default: 7581 /* 7582 * If we have packet meta-data indicating a direction, 7583 * check it, otherwise give up as this link-layer type 7584 * has nothing in the packet data. 7585 */ 7586 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7587 /* 7588 * We infer that this is Linux with PF_PACKET support. 7589 * If this is a *live* capture, we can look at 7590 * special meta-data in the filter expression; 7591 * if it's a savefile, we can't. 7592 */ 7593 if (bpf_pcap->sf.rfile != NULL) { 7594 /* We have a FILE *, so this is a savefile */ 7595 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7596 linktype); 7597 b0 = NULL; 7598 /* NOTREACHED */ 7599 } 7600 /* match outgoing packets */ 7601 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7602 PACKET_OUTGOING); 7603 if (!dir) { 7604 /* to filter on inbound traffic, invert the match */ 7605 gen_not(b0); 7606 } 7607 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7608 bpf_error("inbound/outbound not supported on linktype %d", 7609 linktype); 7610 b0 = NULL; 7611 /* NOTREACHED */ 7612 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7613 } 7614 return (b0); 7615 } 7616 7617 #ifdef HAVE_NET_PFVAR_H 7618 /* PF firewall log matched interface */ 7619 struct block * 7620 gen_pf_ifname(const char *ifname) 7621 { 7622 struct block *b0; 7623 u_int len, off; 7624 7625 if (linktype != DLT_PFLOG) { 7626 bpf_error("ifname supported only on PF linktype"); 7627 /* NOTREACHED */ 7628 } 7629 len = sizeof(((struct pfloghdr *)0)->ifname); 7630 off = offsetof(struct pfloghdr, ifname); 7631 if (strlen(ifname) >= len) { 7632 bpf_error("ifname interface names can only be %d characters", 7633 len-1); 7634 /* NOTREACHED */ 7635 } 7636 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7637 return (b0); 7638 } 7639 7640 /* PF firewall log ruleset name */ 7641 struct block * 7642 gen_pf_ruleset(char *ruleset) 7643 { 7644 struct block *b0; 7645 7646 if (linktype != DLT_PFLOG) { 7647 bpf_error("ruleset supported only on PF linktype"); 7648 /* NOTREACHED */ 7649 } 7650 7651 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7652 bpf_error("ruleset names can only be %ld characters", 7653 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7654 /* NOTREACHED */ 7655 } 7656 7657 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7658 strlen(ruleset), (const u_char *)ruleset); 7659 return (b0); 7660 } 7661 7662 /* PF firewall log rule number */ 7663 struct block * 7664 gen_pf_rnr(int rnr) 7665 { 7666 struct block *b0; 7667 7668 if (linktype != DLT_PFLOG) { 7669 bpf_error("rnr supported only on PF linktype"); 7670 /* NOTREACHED */ 7671 } 7672 7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7674 (bpf_int32)rnr); 7675 return (b0); 7676 } 7677 7678 /* PF firewall log sub-rule number */ 7679 struct block * 7680 gen_pf_srnr(int srnr) 7681 { 7682 struct block *b0; 7683 7684 if (linktype != DLT_PFLOG) { 7685 bpf_error("srnr supported only on PF linktype"); 7686 /* NOTREACHED */ 7687 } 7688 7689 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7690 (bpf_int32)srnr); 7691 return (b0); 7692 } 7693 7694 /* PF firewall log reason code */ 7695 struct block * 7696 gen_pf_reason(int reason) 7697 { 7698 struct block *b0; 7699 7700 if (linktype != DLT_PFLOG) { 7701 bpf_error("reason supported only on PF linktype"); 7702 /* NOTREACHED */ 7703 } 7704 7705 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7706 (bpf_int32)reason); 7707 return (b0); 7708 } 7709 7710 /* PF firewall log action */ 7711 struct block * 7712 gen_pf_action(int action) 7713 { 7714 struct block *b0; 7715 7716 if (linktype != DLT_PFLOG) { 7717 bpf_error("action supported only on PF linktype"); 7718 /* NOTREACHED */ 7719 } 7720 7721 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7722 (bpf_int32)action); 7723 return (b0); 7724 } 7725 #else /* !HAVE_NET_PFVAR_H */ 7726 struct block * 7727 gen_pf_ifname(const char *ifname) 7728 { 7729 bpf_error("libpcap was compiled without pf support"); 7730 /* NOTREACHED */ 7731 return (NULL); 7732 } 7733 7734 struct block * 7735 gen_pf_ruleset(char *ruleset) 7736 { 7737 bpf_error("libpcap was compiled on a machine without pf support"); 7738 /* NOTREACHED */ 7739 return (NULL); 7740 } 7741 7742 struct block * 7743 gen_pf_rnr(int rnr) 7744 { 7745 bpf_error("libpcap was compiled on a machine without pf support"); 7746 /* NOTREACHED */ 7747 return (NULL); 7748 } 7749 7750 struct block * 7751 gen_pf_srnr(int srnr) 7752 { 7753 bpf_error("libpcap was compiled on a machine without pf support"); 7754 /* NOTREACHED */ 7755 return (NULL); 7756 } 7757 7758 struct block * 7759 gen_pf_reason(int reason) 7760 { 7761 bpf_error("libpcap was compiled on a machine without pf support"); 7762 /* NOTREACHED */ 7763 return (NULL); 7764 } 7765 7766 struct block * 7767 gen_pf_action(int action) 7768 { 7769 bpf_error("libpcap was compiled on a machine without pf support"); 7770 /* NOTREACHED */ 7771 return (NULL); 7772 } 7773 #endif /* HAVE_NET_PFVAR_H */ 7774 7775 /* IEEE 802.11 wireless header */ 7776 struct block * 7777 gen_p80211_type(int type, int mask) 7778 { 7779 struct block *b0; 7780 7781 switch (linktype) { 7782 7783 case DLT_IEEE802_11: 7784 case DLT_PRISM_HEADER: 7785 case DLT_IEEE802_11_RADIO_AVS: 7786 case DLT_IEEE802_11_RADIO: 7787 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7788 (bpf_int32)mask); 7789 break; 7790 7791 default: 7792 bpf_error("802.11 link-layer types supported only on 802.11"); 7793 /* NOTREACHED */ 7794 } 7795 7796 return (b0); 7797 } 7798 7799 struct block * 7800 gen_p80211_fcdir(int fcdir) 7801 { 7802 struct block *b0; 7803 7804 switch (linktype) { 7805 7806 case DLT_IEEE802_11: 7807 case DLT_PRISM_HEADER: 7808 case DLT_IEEE802_11_RADIO_AVS: 7809 case DLT_IEEE802_11_RADIO: 7810 break; 7811 7812 default: 7813 bpf_error("frame direction supported only with 802.11 headers"); 7814 /* NOTREACHED */ 7815 } 7816 7817 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7818 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7819 7820 return (b0); 7821 } 7822 7823 struct block * 7824 gen_acode(eaddr, q) 7825 register const u_char *eaddr; 7826 struct qual q; 7827 { 7828 switch (linktype) { 7829 7830 case DLT_ARCNET: 7831 case DLT_ARCNET_LINUX: 7832 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7833 q.proto == Q_LINK) 7834 return (gen_ahostop(eaddr, (int)q.dir)); 7835 else { 7836 bpf_error("ARCnet address used in non-arc expression"); 7837 /* NOTREACHED */ 7838 } 7839 break; 7840 7841 default: 7842 bpf_error("aid supported only on ARCnet"); 7843 /* NOTREACHED */ 7844 } 7845 bpf_error("ARCnet address used in non-arc expression"); 7846 /* NOTREACHED */ 7847 return NULL; 7848 } 7849 7850 static struct block * 7851 gen_ahostop(eaddr, dir) 7852 register const u_char *eaddr; 7853 register int dir; 7854 { 7855 register struct block *b0, *b1; 7856 7857 switch (dir) { 7858 /* src comes first, different from Ethernet */ 7859 case Q_SRC: 7860 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7861 7862 case Q_DST: 7863 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7864 7865 case Q_AND: 7866 b0 = gen_ahostop(eaddr, Q_SRC); 7867 b1 = gen_ahostop(eaddr, Q_DST); 7868 gen_and(b0, b1); 7869 return b1; 7870 7871 case Q_DEFAULT: 7872 case Q_OR: 7873 b0 = gen_ahostop(eaddr, Q_SRC); 7874 b1 = gen_ahostop(eaddr, Q_DST); 7875 gen_or(b0, b1); 7876 return b1; 7877 7878 case Q_ADDR1: 7879 bpf_error("'addr1' is only supported on 802.11"); 7880 break; 7881 7882 case Q_ADDR2: 7883 bpf_error("'addr2' is only supported on 802.11"); 7884 break; 7885 7886 case Q_ADDR3: 7887 bpf_error("'addr3' is only supported on 802.11"); 7888 break; 7889 7890 case Q_ADDR4: 7891 bpf_error("'addr4' is only supported on 802.11"); 7892 break; 7893 7894 case Q_RA: 7895 bpf_error("'ra' is only supported on 802.11"); 7896 break; 7897 7898 case Q_TA: 7899 bpf_error("'ta' is only supported on 802.11"); 7900 break; 7901 } 7902 abort(); 7903 /* NOTREACHED */ 7904 } 7905 7906 /* 7907 * support IEEE 802.1Q VLAN trunk over ethernet 7908 */ 7909 struct block * 7910 gen_vlan(vlan_num) 7911 int vlan_num; 7912 { 7913 struct block *b0, *b1; 7914 7915 /* can't check for VLAN-encapsulated packets inside MPLS */ 7916 if (label_stack_depth > 0) 7917 bpf_error("no VLAN match after MPLS"); 7918 7919 /* 7920 * Check for a VLAN packet, and then change the offsets to point 7921 * to the type and data fields within the VLAN packet. Just 7922 * increment the offsets, so that we can support a hierarchy, e.g. 7923 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7924 * VLAN 100. 7925 * 7926 * XXX - this is a bit of a kludge. If we were to split the 7927 * compiler into a parser that parses an expression and 7928 * generates an expression tree, and a code generator that 7929 * takes an expression tree (which could come from our 7930 * parser or from some other parser) and generates BPF code, 7931 * we could perhaps make the offsets parameters of routines 7932 * and, in the handler for an "AND" node, pass to subnodes 7933 * other than the VLAN node the adjusted offsets. 7934 * 7935 * This would mean that "vlan" would, instead of changing the 7936 * behavior of *all* tests after it, change only the behavior 7937 * of tests ANDed with it. That would change the documented 7938 * semantics of "vlan", which might break some expressions. 7939 * However, it would mean that "(vlan and ip) or ip" would check 7940 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7941 * checking only for VLAN-encapsulated IP, so that could still 7942 * be considered worth doing; it wouldn't break expressions 7943 * that are of the form "vlan and ..." or "vlan N and ...", 7944 * which I suspect are the most common expressions involving 7945 * "vlan". "vlan or ..." doesn't necessarily do what the user 7946 * would really want, now, as all the "or ..." tests would 7947 * be done assuming a VLAN, even though the "or" could be viewed 7948 * as meaning "or, if this isn't a VLAN packet...". 7949 */ 7950 orig_nl = off_nl; 7951 7952 switch (linktype) { 7953 7954 case DLT_EN10MB: 7955 case DLT_NETANALYZER: 7956 case DLT_NETANALYZER_TRANSPARENT: 7957 /* check for VLAN, including QinQ */ 7958 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7959 (bpf_int32)ETHERTYPE_8021Q); 7960 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7961 (bpf_int32)ETHERTYPE_8021QINQ); 7962 gen_or(b0,b1); 7963 b0 = b1; 7964 7965 /* If a specific VLAN is requested, check VLAN id */ 7966 if (vlan_num >= 0) { 7967 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7968 (bpf_int32)vlan_num, 0x0fff); 7969 gen_and(b0, b1); 7970 b0 = b1; 7971 } 7972 7973 off_macpl += 4; 7974 off_linktype += 4; 7975 #if 0 7976 off_nl_nosnap += 4; 7977 off_nl += 4; 7978 #endif 7979 break; 7980 7981 default: 7982 bpf_error("no VLAN support for data link type %d", 7983 linktype); 7984 /*NOTREACHED*/ 7985 } 7986 7987 return (b0); 7988 } 7989 7990 /* 7991 * support for MPLS 7992 */ 7993 struct block * 7994 gen_mpls(label_num) 7995 int label_num; 7996 { 7997 struct block *b0,*b1; 7998 7999 /* 8000 * Change the offsets to point to the type and data fields within 8001 * the MPLS packet. Just increment the offsets, so that we 8002 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8003 * capture packets with an outer label of 100000 and an inner 8004 * label of 1024. 8005 * 8006 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8007 */ 8008 orig_nl = off_nl; 8009 8010 if (label_stack_depth > 0) { 8011 /* just match the bottom-of-stack bit clear */ 8012 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 8013 } else { 8014 /* 8015 * Indicate that we're checking MPLS-encapsulated headers, 8016 * to make sure higher level code generators don't try to 8017 * match against IP-related protocols such as Q_ARP, Q_RARP 8018 * etc. 8019 */ 8020 switch (linktype) { 8021 8022 case DLT_C_HDLC: /* fall through */ 8023 case DLT_EN10MB: 8024 case DLT_NETANALYZER: 8025 case DLT_NETANALYZER_TRANSPARENT: 8026 b0 = gen_linktype(ETHERTYPE_MPLS); 8027 break; 8028 8029 case DLT_PPP: 8030 b0 = gen_linktype(PPP_MPLS_UCAST); 8031 break; 8032 8033 /* FIXME add other DLT_s ... 8034 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8035 * leave it for now */ 8036 8037 default: 8038 bpf_error("no MPLS support for data link type %d", 8039 linktype); 8040 b0 = NULL; 8041 /*NOTREACHED*/ 8042 break; 8043 } 8044 } 8045 8046 /* If a specific MPLS label is requested, check it */ 8047 if (label_num >= 0) { 8048 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8049 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8050 0xfffff000); /* only compare the first 20 bits */ 8051 gen_and(b0, b1); 8052 b0 = b1; 8053 } 8054 8055 off_nl_nosnap += 4; 8056 off_nl += 4; 8057 label_stack_depth++; 8058 return (b0); 8059 } 8060 8061 /* 8062 * Support PPPOE discovery and session. 8063 */ 8064 struct block * 8065 gen_pppoed() 8066 { 8067 /* check for PPPoE discovery */ 8068 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8069 } 8070 8071 struct block * 8072 gen_pppoes() 8073 { 8074 struct block *b0; 8075 8076 /* 8077 * Test against the PPPoE session link-layer type. 8078 */ 8079 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8080 8081 /* 8082 * Change the offsets to point to the type and data fields within 8083 * the PPP packet, and note that this is PPPoE rather than 8084 * raw PPP. 8085 * 8086 * XXX - this is a bit of a kludge. If we were to split the 8087 * compiler into a parser that parses an expression and 8088 * generates an expression tree, and a code generator that 8089 * takes an expression tree (which could come from our 8090 * parser or from some other parser) and generates BPF code, 8091 * we could perhaps make the offsets parameters of routines 8092 * and, in the handler for an "AND" node, pass to subnodes 8093 * other than the PPPoE node the adjusted offsets. 8094 * 8095 * This would mean that "pppoes" would, instead of changing the 8096 * behavior of *all* tests after it, change only the behavior 8097 * of tests ANDed with it. That would change the documented 8098 * semantics of "pppoes", which might break some expressions. 8099 * However, it would mean that "(pppoes and ip) or ip" would check 8100 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8101 * checking only for VLAN-encapsulated IP, so that could still 8102 * be considered worth doing; it wouldn't break expressions 8103 * that are of the form "pppoes and ..." which I suspect are the 8104 * most common expressions involving "pppoes". "pppoes or ..." 8105 * doesn't necessarily do what the user would really want, now, 8106 * as all the "or ..." tests would be done assuming PPPoE, even 8107 * though the "or" could be viewed as meaning "or, if this isn't 8108 * a PPPoE packet...". 8109 */ 8110 orig_linktype = off_linktype; /* save original values */ 8111 orig_nl = off_nl; 8112 is_pppoes = 1; 8113 8114 /* 8115 * The "network-layer" protocol is PPPoE, which has a 6-byte 8116 * PPPoE header, followed by a PPP packet. 8117 * 8118 * There is no HDLC encapsulation for the PPP packet (it's 8119 * encapsulated in PPPoES instead), so the link-layer type 8120 * starts at the first byte of the PPP packet. For PPPoE, 8121 * that offset is relative to the beginning of the total 8122 * link-layer payload, including any 802.2 LLC header, so 8123 * it's 6 bytes past off_nl. 8124 */ 8125 off_linktype = off_nl + 6; 8126 8127 /* 8128 * The network-layer offsets are relative to the beginning 8129 * of the MAC-layer payload; that's past the 6-byte 8130 * PPPoE header and the 2-byte PPP header. 8131 */ 8132 off_nl = 6+2; 8133 off_nl_nosnap = 6+2; 8134 8135 return b0; 8136 } 8137 8138 struct block * 8139 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8140 int atmfield; 8141 bpf_int32 jvalue; 8142 bpf_u_int32 jtype; 8143 int reverse; 8144 { 8145 struct block *b0; 8146 8147 switch (atmfield) { 8148 8149 case A_VPI: 8150 if (!is_atm) 8151 bpf_error("'vpi' supported only on raw ATM"); 8152 if (off_vpi == (u_int)-1) 8153 abort(); 8154 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8155 reverse, jvalue); 8156 break; 8157 8158 case A_VCI: 8159 if (!is_atm) 8160 bpf_error("'vci' supported only on raw ATM"); 8161 if (off_vci == (u_int)-1) 8162 abort(); 8163 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8164 reverse, jvalue); 8165 break; 8166 8167 case A_PROTOTYPE: 8168 if (off_proto == (u_int)-1) 8169 abort(); /* XXX - this isn't on FreeBSD */ 8170 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8171 reverse, jvalue); 8172 break; 8173 8174 case A_MSGTYPE: 8175 if (off_payload == (u_int)-1) 8176 abort(); 8177 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8178 0xffffffff, jtype, reverse, jvalue); 8179 break; 8180 8181 case A_CALLREFTYPE: 8182 if (!is_atm) 8183 bpf_error("'callref' supported only on raw ATM"); 8184 if (off_proto == (u_int)-1) 8185 abort(); 8186 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8187 jtype, reverse, jvalue); 8188 break; 8189 8190 default: 8191 abort(); 8192 } 8193 return b0; 8194 } 8195 8196 struct block * 8197 gen_atmtype_abbrev(type) 8198 int type; 8199 { 8200 struct block *b0, *b1; 8201 8202 switch (type) { 8203 8204 case A_METAC: 8205 /* Get all packets in Meta signalling Circuit */ 8206 if (!is_atm) 8207 bpf_error("'metac' supported only on raw ATM"); 8208 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8209 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8210 gen_and(b0, b1); 8211 break; 8212 8213 case A_BCC: 8214 /* Get all packets in Broadcast Circuit*/ 8215 if (!is_atm) 8216 bpf_error("'bcc' supported only on raw ATM"); 8217 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8218 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8219 gen_and(b0, b1); 8220 break; 8221 8222 case A_OAMF4SC: 8223 /* Get all cells in Segment OAM F4 circuit*/ 8224 if (!is_atm) 8225 bpf_error("'oam4sc' supported only on raw ATM"); 8226 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8227 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8228 gen_and(b0, b1); 8229 break; 8230 8231 case A_OAMF4EC: 8232 /* Get all cells in End-to-End OAM F4 Circuit*/ 8233 if (!is_atm) 8234 bpf_error("'oam4ec' supported only on raw ATM"); 8235 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8236 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8237 gen_and(b0, b1); 8238 break; 8239 8240 case A_SC: 8241 /* Get all packets in connection Signalling Circuit */ 8242 if (!is_atm) 8243 bpf_error("'sc' supported only on raw ATM"); 8244 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8245 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8246 gen_and(b0, b1); 8247 break; 8248 8249 case A_ILMIC: 8250 /* Get all packets in ILMI Circuit */ 8251 if (!is_atm) 8252 bpf_error("'ilmic' supported only on raw ATM"); 8253 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8254 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8255 gen_and(b0, b1); 8256 break; 8257 8258 case A_LANE: 8259 /* Get all LANE packets */ 8260 if (!is_atm) 8261 bpf_error("'lane' supported only on raw ATM"); 8262 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8263 8264 /* 8265 * Arrange that all subsequent tests assume LANE 8266 * rather than LLC-encapsulated packets, and set 8267 * the offsets appropriately for LANE-encapsulated 8268 * Ethernet. 8269 * 8270 * "off_mac" is the offset of the Ethernet header, 8271 * which is 2 bytes past the ATM pseudo-header 8272 * (skipping the pseudo-header and 2-byte LE Client 8273 * field). The other offsets are Ethernet offsets 8274 * relative to "off_mac". 8275 */ 8276 is_lane = 1; 8277 off_mac = off_payload + 2; /* MAC header */ 8278 off_linktype = off_mac + 12; 8279 off_macpl = off_mac + 14; /* Ethernet */ 8280 off_nl = 0; /* Ethernet II */ 8281 off_nl_nosnap = 3; /* 802.3+802.2 */ 8282 break; 8283 8284 case A_LLC: 8285 /* Get all LLC-encapsulated packets */ 8286 if (!is_atm) 8287 bpf_error("'llc' supported only on raw ATM"); 8288 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8289 is_lane = 0; 8290 break; 8291 8292 default: 8293 abort(); 8294 } 8295 return b1; 8296 } 8297 8298 /* 8299 * Filtering for MTP2 messages based on li value 8300 * FISU, length is null 8301 * LSSU, length is 1 or 2 8302 * MSU, length is 3 or more 8303 */ 8304 struct block * 8305 gen_mtp2type_abbrev(type) 8306 int type; 8307 { 8308 struct block *b0, *b1; 8309 8310 switch (type) { 8311 8312 case M_FISU: 8313 if ( (linktype != DLT_MTP2) && 8314 (linktype != DLT_ERF) && 8315 (linktype != DLT_MTP2_WITH_PHDR) ) 8316 bpf_error("'fisu' supported only on MTP2"); 8317 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8318 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8319 break; 8320 8321 case M_LSSU: 8322 if ( (linktype != DLT_MTP2) && 8323 (linktype != DLT_ERF) && 8324 (linktype != DLT_MTP2_WITH_PHDR) ) 8325 bpf_error("'lssu' supported only on MTP2"); 8326 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8327 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8328 gen_and(b1, b0); 8329 break; 8330 8331 case M_MSU: 8332 if ( (linktype != DLT_MTP2) && 8333 (linktype != DLT_ERF) && 8334 (linktype != DLT_MTP2_WITH_PHDR) ) 8335 bpf_error("'msu' supported only on MTP2"); 8336 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8337 break; 8338 8339 default: 8340 abort(); 8341 } 8342 return b0; 8343 } 8344 8345 struct block * 8346 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8347 int mtp3field; 8348 bpf_u_int32 jvalue; 8349 bpf_u_int32 jtype; 8350 int reverse; 8351 { 8352 struct block *b0; 8353 bpf_u_int32 val1 , val2 , val3; 8354 8355 switch (mtp3field) { 8356 8357 case M_SIO: 8358 if (off_sio == (u_int)-1) 8359 bpf_error("'sio' supported only on SS7"); 8360 /* sio coded on 1 byte so max value 255 */ 8361 if(jvalue > 255) 8362 bpf_error("sio value %u too big; max value = 255", 8363 jvalue); 8364 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8365 (u_int)jtype, reverse, (u_int)jvalue); 8366 break; 8367 8368 case M_OPC: 8369 if (off_opc == (u_int)-1) 8370 bpf_error("'opc' supported only on SS7"); 8371 /* opc coded on 14 bits so max value 16383 */ 8372 if (jvalue > 16383) 8373 bpf_error("opc value %u too big; max value = 16383", 8374 jvalue); 8375 /* the following instructions are made to convert jvalue 8376 * to the form used to write opc in an ss7 message*/ 8377 val1 = jvalue & 0x00003c00; 8378 val1 = val1 >>10; 8379 val2 = jvalue & 0x000003fc; 8380 val2 = val2 <<6; 8381 val3 = jvalue & 0x00000003; 8382 val3 = val3 <<22; 8383 jvalue = val1 + val2 + val3; 8384 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8385 (u_int)jtype, reverse, (u_int)jvalue); 8386 break; 8387 8388 case M_DPC: 8389 if (off_dpc == (u_int)-1) 8390 bpf_error("'dpc' supported only on SS7"); 8391 /* dpc coded on 14 bits so max value 16383 */ 8392 if (jvalue > 16383) 8393 bpf_error("dpc value %u too big; max value = 16383", 8394 jvalue); 8395 /* the following instructions are made to convert jvalue 8396 * to the forme used to write dpc in an ss7 message*/ 8397 val1 = jvalue & 0x000000ff; 8398 val1 = val1 << 24; 8399 val2 = jvalue & 0x00003f00; 8400 val2 = val2 << 8; 8401 jvalue = val1 + val2; 8402 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8403 (u_int)jtype, reverse, (u_int)jvalue); 8404 break; 8405 8406 case M_SLS: 8407 if (off_sls == (u_int)-1) 8408 bpf_error("'sls' supported only on SS7"); 8409 /* sls coded on 4 bits so max value 15 */ 8410 if (jvalue > 15) 8411 bpf_error("sls value %u too big; max value = 15", 8412 jvalue); 8413 /* the following instruction is made to convert jvalue 8414 * to the forme used to write sls in an ss7 message*/ 8415 jvalue = jvalue << 4; 8416 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8417 (u_int)jtype,reverse, (u_int)jvalue); 8418 break; 8419 8420 default: 8421 abort(); 8422 } 8423 return b0; 8424 } 8425 8426 static struct block * 8427 gen_msg_abbrev(type) 8428 int type; 8429 { 8430 struct block *b1; 8431 8432 /* 8433 * Q.2931 signalling protocol messages for handling virtual circuits 8434 * establishment and teardown 8435 */ 8436 switch (type) { 8437 8438 case A_SETUP: 8439 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8440 break; 8441 8442 case A_CALLPROCEED: 8443 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8444 break; 8445 8446 case A_CONNECT: 8447 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8448 break; 8449 8450 case A_CONNECTACK: 8451 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8452 break; 8453 8454 case A_RELEASE: 8455 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8456 break; 8457 8458 case A_RELEASE_DONE: 8459 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8460 break; 8461 8462 default: 8463 abort(); 8464 } 8465 return b1; 8466 } 8467 8468 struct block * 8469 gen_atmmulti_abbrev(type) 8470 int type; 8471 { 8472 struct block *b0, *b1; 8473 8474 switch (type) { 8475 8476 case A_OAM: 8477 if (!is_atm) 8478 bpf_error("'oam' supported only on raw ATM"); 8479 b1 = gen_atmmulti_abbrev(A_OAMF4); 8480 break; 8481 8482 case A_OAMF4: 8483 if (!is_atm) 8484 bpf_error("'oamf4' supported only on raw ATM"); 8485 /* OAM F4 type */ 8486 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8487 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8488 gen_or(b0, b1); 8489 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8490 gen_and(b0, b1); 8491 break; 8492 8493 case A_CONNECTMSG: 8494 /* 8495 * Get Q.2931 signalling messages for switched 8496 * virtual connection 8497 */ 8498 if (!is_atm) 8499 bpf_error("'connectmsg' supported only on raw ATM"); 8500 b0 = gen_msg_abbrev(A_SETUP); 8501 b1 = gen_msg_abbrev(A_CALLPROCEED); 8502 gen_or(b0, b1); 8503 b0 = gen_msg_abbrev(A_CONNECT); 8504 gen_or(b0, b1); 8505 b0 = gen_msg_abbrev(A_CONNECTACK); 8506 gen_or(b0, b1); 8507 b0 = gen_msg_abbrev(A_RELEASE); 8508 gen_or(b0, b1); 8509 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8510 gen_or(b0, b1); 8511 b0 = gen_atmtype_abbrev(A_SC); 8512 gen_and(b0, b1); 8513 break; 8514 8515 case A_METACONNECT: 8516 if (!is_atm) 8517 bpf_error("'metaconnect' supported only on raw ATM"); 8518 b0 = gen_msg_abbrev(A_SETUP); 8519 b1 = gen_msg_abbrev(A_CALLPROCEED); 8520 gen_or(b0, b1); 8521 b0 = gen_msg_abbrev(A_CONNECT); 8522 gen_or(b0, b1); 8523 b0 = gen_msg_abbrev(A_RELEASE); 8524 gen_or(b0, b1); 8525 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8526 gen_or(b0, b1); 8527 b0 = gen_atmtype_abbrev(A_METAC); 8528 gen_and(b0, b1); 8529 break; 8530 8531 default: 8532 abort(); 8533 } 8534 return b1; 8535 } 8536