1 /* $NetBSD: gencode.c,v 1.8 2015/03/31 21:39:42 christos Exp $ */
2
3 /*#define CHASE_CHAIN*/
4 /*
5 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
6 * The Regents of the University of California. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that: (1) source code distributions
10 * retain the above copyright notice and this paragraph in its entirety, (2)
11 * distributions including binary code include the above copyright notice and
12 * this paragraph in its entirety in the documentation or other materials
13 * provided with the distribution, and (3) all advertising materials mentioning
14 * features or use of this software display the following acknowledgement:
15 * ``This product includes software developed by the University of California,
16 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
17 * the University nor the names of its contributors may be used to endorse
18 * or promote products derived from this software without specific prior
19 * written permission.
20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
21 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23 */
24
25 #include <sys/cdefs.h>
26 __RCSID("$NetBSD: gencode.c,v 1.8 2015/03/31 21:39:42 christos Exp $");
27
28 #ifdef HAVE_CONFIG_H
29 #include "config.h"
30 #endif
31
32 #ifdef WIN32
33 #include <pcap-stdinc.h>
34 #else /* WIN32 */
35 #if HAVE_INTTYPES_H
36 #include <inttypes.h>
37 #elif HAVE_STDINT_H
38 #include <stdint.h>
39 #endif
40 #ifdef HAVE_SYS_BITYPES_H
41 #include <sys/bitypes.h>
42 #endif
43 #include <sys/types.h>
44 #include <sys/socket.h>
45 #endif /* WIN32 */
46
47 /*
48 * XXX - why was this included even on UNIX?
49 */
50 #ifdef __MINGW32__
51 #include "ip6_misc.h"
52 #endif
53
54 #ifndef WIN32
55
56 #ifdef __NetBSD__
57 #include <sys/param.h>
58 #include <net/dlt.h>
59 #endif
60
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
63
64 #endif /* WIN32 */
65
66 #include <stdlib.h>
67 #include <string.h>
68 #include <memory.h>
69 #include <setjmp.h>
70 #include <stdarg.h>
71
72 #ifdef MSDOS
73 #include "pcap-dos.h"
74 #endif
75
76 #include "pcap-int.h"
77
78 #include "ethertype.h"
79 #include "nlpid.h"
80 #include "llc.h"
81 #include "gencode.h"
82 #include "ieee80211.h"
83 #include "atmuni31.h"
84 #include "sunatmpos.h"
85 #include "ppp.h"
86 #include "pcap/sll.h"
87 #include "pcap/ipnet.h"
88 #include "arcnet.h"
89 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
90 #include <linux/types.h>
91 #include <linux/if_packet.h>
92 #include <linux/filter.h>
93 #endif
94 #ifdef HAVE_NET_PFVAR_H
95 #include <sys/socket.h>
96 #include <net/if.h>
97 #include <net/pfvar.h>
98 #include <net/if_pflog.h>
99 #endif
100 #ifndef offsetof
101 #define offsetof(s, e) ((size_t)&((s *)0)->e)
102 #endif
103 #ifdef INET6
104 #ifndef WIN32
105 #include <netdb.h> /* for "struct addrinfo" */
106 #endif /* WIN32 */
107 #endif /*INET6*/
108 #include <pcap/namedb.h>
109
110 #define ETHERMTU 1500
111
112 #ifndef ETHERTYPE_TEB
113 #define ETHERTYPE_TEB 0x6558
114 #endif
115
116 #ifndef IPPROTO_HOPOPTS
117 #define IPPROTO_HOPOPTS 0
118 #endif
119 #ifndef IPPROTO_ROUTING
120 #define IPPROTO_ROUTING 43
121 #endif
122 #ifndef IPPROTO_FRAGMENT
123 #define IPPROTO_FRAGMENT 44
124 #endif
125 #ifndef IPPROTO_DSTOPTS
126 #define IPPROTO_DSTOPTS 60
127 #endif
128 #ifndef IPPROTO_SCTP
129 #define IPPROTO_SCTP 132
130 #endif
131
132 #define GENEVE_PORT 6081
133
134 #ifdef HAVE_OS_PROTO_H
135 #include "os-proto.h"
136 #endif
137
138 #define JMP(c) ((c)|BPF_JMP|BPF_K)
139
140 /* Locals */
141 static jmp_buf top_ctx;
142 static pcap_t *bpf_pcap;
143
144 /* Hack for handling VLAN and MPLS stacks. */
145 #ifdef WIN32
146 static u_int label_stack_depth = (u_int)-1, vlan_stack_depth = (u_int)-1;
147 #else
148 static u_int label_stack_depth = -1U, vlan_stack_depth = -1U;
149 #endif
150
151 /* XXX */
152 static int pcap_fddipad;
153
154 /* VARARGS */
155 void
bpf_error(const char * fmt,...)156 bpf_error(const char *fmt, ...)
157 {
158 va_list ap;
159
160 va_start(ap, fmt);
161 if (bpf_pcap != NULL)
162 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
163 fmt, ap);
164 va_end(ap);
165 longjmp(top_ctx, 1);
166 /* NOTREACHED */
167 }
168
169 static void init_linktype(pcap_t *);
170
171 static void init_regs(void);
172 static int alloc_reg(void);
173 static void free_reg(int);
174
175 static struct block *root;
176
177 /*
178 * Absolute offsets, which are offsets from the beginning of the raw
179 * packet data, are, in the general case, the sum of a variable value
180 * and a constant value; the variable value may be absent, in which
181 * case the offset is only the constant value, and the constant value
182 * may be zero, in which case the offset is only the variable value.
183 *
184 * bpf_abs_offset is a structure containing all that information:
185 *
186 * is_variable is 1 if there's a variable part.
187 *
188 * constant_part is the constant part of the value, possibly zero;
189 *
190 * if is_variable is 1, reg is the register number for a register
191 * containing the variable value if the register has been assigned,
192 * and -1 otherwise.
193 */
194 typedef struct {
195 int is_variable;
196 u_int constant_part;
197 int reg;
198 } bpf_abs_offset;
199
200 /*
201 * Value passed to gen_load_a() to indicate what the offset argument
202 * is relative to the beginning of.
203 */
204 enum e_offrel {
205 OR_PACKET, /* full packet data */
206 OR_LINKHDR, /* link-layer header */
207 OR_PREVLINKHDR, /* previous link-layer header */
208 OR_LLC, /* 802.2 LLC header */
209 OR_PREVMPLSHDR, /* previous MPLS header */
210 OR_LINKTYPE, /* link-layer type */
211 OR_LINKPL, /* link-layer payload */
212 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
213 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
214 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
215 };
216
217 #ifdef INET6
218 /*
219 * As errors are handled by a longjmp, anything allocated must be freed
220 * in the longjmp handler, so it must be reachable from that handler.
221 * One thing that's allocated is the result of pcap_nametoaddrinfo();
222 * it must be freed with freeaddrinfo(). This variable points to any
223 * addrinfo structure that would need to be freed.
224 */
225 static struct addrinfo *ai;
226 #endif
227
228 /*
229 * We divy out chunks of memory rather than call malloc each time so
230 * we don't have to worry about leaking memory. It's probably
231 * not a big deal if all this memory was wasted but if this ever
232 * goes into a library that would probably not be a good idea.
233 *
234 * XXX - this *is* in a library....
235 */
236 #define NCHUNKS 16
237 #define CHUNK0SIZE 1024
238 struct chunk {
239 u_int n_left;
240 void *m;
241 };
242
243 static struct chunk chunks[NCHUNKS];
244 static int cur_chunk;
245
246 static void *newchunk(u_int);
247 static void freechunks(void);
248 static inline struct block *new_block(int);
249 static inline struct slist *new_stmt(int);
250 static struct block *gen_retblk(int);
251 static inline void syntax(void);
252
253 static void backpatch(struct block *, struct block *);
254 static void merge(struct block *, struct block *);
255 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
256 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
257 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
258 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
259 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
260 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
261 bpf_u_int32);
262 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
263 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
264 bpf_u_int32, bpf_u_int32, int, bpf_int32);
265 static struct slist *gen_load_absoffsetrel(bpf_abs_offset *, u_int, u_int);
266 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
267 static struct slist *gen_loadx_iphdrlen(void);
268 static struct block *gen_uncond(int);
269 static inline struct block *gen_true(void);
270 static inline struct block *gen_false(void);
271 static struct block *gen_ether_linktype(int);
272 static struct block *gen_ipnet_linktype(int);
273 static struct block *gen_linux_sll_linktype(int);
274 static struct slist *gen_load_prism_llprefixlen(void);
275 static struct slist *gen_load_avs_llprefixlen(void);
276 static struct slist *gen_load_radiotap_llprefixlen(void);
277 static struct slist *gen_load_ppi_llprefixlen(void);
278 static void insert_compute_vloffsets(struct block *);
279 static struct slist *gen_abs_offset_varpart(bpf_abs_offset *);
280 static int ethertype_to_ppptype(int);
281 static struct block *gen_linktype(int);
282 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
283 static struct block *gen_llc_linktype(int);
284 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
285 #ifdef INET6
286 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
287 #endif
288 static struct block *gen_ahostop(const u_char *, int);
289 static struct block *gen_ehostop(const u_char *, int);
290 static struct block *gen_fhostop(const u_char *, int);
291 static struct block *gen_thostop(const u_char *, int);
292 static struct block *gen_wlanhostop(const u_char *, int);
293 static struct block *gen_ipfchostop(const u_char *, int);
294 static struct block *gen_dnhostop(bpf_u_int32, int);
295 static struct block *gen_mpls_linktype(int);
296 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
297 #ifdef INET6
298 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
299 #endif
300 #ifndef INET6
301 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
302 #endif
303 static struct block *gen_ipfrag(void);
304 static struct block *gen_portatom(int, bpf_int32);
305 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
306 static struct block *gen_portatom6(int, bpf_int32);
307 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
308 struct block *gen_portop(int, int, int);
309 static struct block *gen_port(int, int, int);
310 struct block *gen_portrangeop(int, int, int, int);
311 static struct block *gen_portrange(int, int, int, int);
312 struct block *gen_portop6(int, int, int);
313 static struct block *gen_port6(int, int, int);
314 struct block *gen_portrangeop6(int, int, int, int);
315 static struct block *gen_portrange6(int, int, int, int);
316 static int lookup_proto(const char *, int);
317 static struct block *gen_protochain(int, int, int);
318 static struct block *gen_proto(int, int, int);
319 static struct slist *xfer_to_x(struct arth *);
320 static struct slist *xfer_to_a(struct arth *);
321 static struct block *gen_mac_multicast(int);
322 static struct block *gen_len(int, int);
323 static struct block *gen_check_802_11_data_frame(void);
324 static struct block *gen_geneve_ll_check(void);
325
326 static struct block *gen_ppi_dlt_check(void);
327 static struct block *gen_msg_abbrev(int type);
328
329 static void *
newchunk(n)330 newchunk(n)
331 u_int n;
332 {
333 struct chunk *cp;
334 int k;
335 size_t size;
336
337 #ifndef __NetBSD__
338 /* XXX Round up to nearest long. */
339 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
340 #else
341 /* XXX Round up to structure boundary. */
342 n = ALIGN(n);
343 #endif
344
345 cp = &chunks[cur_chunk];
346 if (n > cp->n_left) {
347 ++cp, k = ++cur_chunk;
348 if (k >= NCHUNKS)
349 bpf_error("out of memory");
350 size = CHUNK0SIZE << k;
351 cp->m = (void *)malloc(size);
352 if (cp->m == NULL)
353 bpf_error("out of memory");
354 memset((char *)cp->m, 0, size);
355 cp->n_left = size;
356 if (n > size)
357 bpf_error("out of memory");
358 }
359 cp->n_left -= n;
360 return (void *)((char *)cp->m + cp->n_left);
361 }
362
363 static void
freechunks()364 freechunks()
365 {
366 int i;
367
368 cur_chunk = 0;
369 for (i = 0; i < NCHUNKS; ++i)
370 if (chunks[i].m != NULL) {
371 free(chunks[i].m);
372 chunks[i].m = NULL;
373 }
374 }
375
376 /*
377 * A strdup whose allocations are freed after code generation is over.
378 */
379 char *
sdup(s)380 sdup(s)
381 register const char *s;
382 {
383 int n = strlen(s) + 1;
384 char *cp = newchunk(n);
385
386 strlcpy(cp, s, n);
387 return (cp);
388 }
389
390 static inline struct block *
new_block(code)391 new_block(code)
392 int code;
393 {
394 struct block *p;
395
396 p = (struct block *)newchunk(sizeof(*p));
397 p->s.code = code;
398 p->head = p;
399
400 return p;
401 }
402
403 static inline struct slist *
new_stmt(code)404 new_stmt(code)
405 int code;
406 {
407 struct slist *p;
408
409 p = (struct slist *)newchunk(sizeof(*p));
410 p->s.code = code;
411
412 return p;
413 }
414
415 static struct block *
gen_retblk(v)416 gen_retblk(v)
417 int v;
418 {
419 struct block *b = new_block(BPF_RET|BPF_K);
420
421 b->s.k = v;
422 return b;
423 }
424
425 __dead static inline void
syntax(void)426 syntax(void)
427 {
428 bpf_error("syntax error in filter expression");
429 }
430
431 static bpf_u_int32 netmask;
432 static int snaplen;
433 int no_optimize;
434
435 int
pcap_compile(pcap_t * p,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)436 pcap_compile(pcap_t *p, struct bpf_program *program,
437 const char *buf, int optimize, bpf_u_int32 mask)
438 {
439 extern int n_errors;
440 const char * volatile xbuf = buf;
441 u_int len;
442 int rc;
443
444 /*
445 * XXX - single-thread this code path with pthread calls on
446 * UN*X, if the platform supports pthreads? If that requires
447 * a separate -lpthread, we might not want to do that.
448 */
449 #ifdef WIN32
450 extern int wsockinit (void);
451 static int done = 0;
452
453 if (!done)
454 wsockinit();
455 done = 1;
456 EnterCriticalSection(&g_PcapCompileCriticalSection);
457 #endif
458
459 /*
460 * If this pcap_t hasn't been activated, it doesn't have a
461 * link-layer type, so we can't use it.
462 */
463 if (!p->activated) {
464 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
465 "not-yet-activated pcap_t passed to pcap_compile");
466 rc = -1;
467 goto quit;
468 }
469 no_optimize = 0;
470 n_errors = 0;
471 root = NULL;
472 bpf_pcap = p;
473 init_regs();
474
475 if (setjmp(top_ctx)) {
476 #ifdef INET6
477 if (ai != NULL) {
478 freeaddrinfo(ai);
479 ai = NULL;
480 }
481 #endif
482 lex_cleanup();
483 freechunks();
484 rc = -1;
485 goto quit;
486 }
487
488 netmask = mask;
489
490 snaplen = pcap_snapshot(p);
491 if (snaplen == 0) {
492 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
493 "snaplen of 0 rejects all packets");
494 rc = -1;
495 goto quit;
496 }
497
498 lex_init(xbuf ? xbuf : "");
499 init_linktype(p);
500 (void)pcap_parse();
501
502 if (n_errors)
503 syntax();
504
505 if (root == NULL)
506 root = gen_retblk(snaplen);
507
508 if (optimize && !no_optimize) {
509 bpf_optimize(&root);
510 if (root == NULL ||
511 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
512 bpf_error("expression rejects all packets");
513 }
514 program->bf_insns = icode_to_fcode(root, &len);
515 program->bf_len = len;
516
517 lex_cleanup();
518 freechunks();
519
520 rc = 0; /* We're all okay */
521
522 quit:
523
524 #ifdef WIN32
525 LeaveCriticalSection(&g_PcapCompileCriticalSection);
526 #endif
527
528 return (rc);
529 }
530
531 /*
532 * entry point for using the compiler with no pcap open
533 * pass in all the stuff that is needed explicitly instead.
534 */
535 int
pcap_compile_nopcap(int snaplen_arg,int linktype_arg,struct bpf_program * program,const char * buf,int optimize,bpf_u_int32 mask)536 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
537 struct bpf_program *program,
538 const char *buf, int optimize, bpf_u_int32 mask)
539 {
540 pcap_t *p;
541 int ret;
542
543 p = pcap_open_dead(linktype_arg, snaplen_arg);
544 if (p == NULL)
545 return (-1);
546 ret = pcap_compile(p, program, buf, optimize, mask);
547 pcap_close(p);
548 return (ret);
549 }
550
551 /*
552 * Clean up a "struct bpf_program" by freeing all the memory allocated
553 * in it.
554 */
555 void
pcap_freecode(struct bpf_program * program)556 pcap_freecode(struct bpf_program *program)
557 {
558 program->bf_len = 0;
559 if (program->bf_insns != NULL) {
560 free((char *)program->bf_insns);
561 program->bf_insns = NULL;
562 }
563 }
564
565 /*
566 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
567 * which of the jt and jf fields has been resolved and which is a pointer
568 * back to another unresolved block (or nil). At least one of the fields
569 * in each block is already resolved.
570 */
571 static void
backpatch(list,target)572 backpatch(list, target)
573 struct block *list, *target;
574 {
575 struct block *next;
576
577 while (list) {
578 if (!list->sense) {
579 next = JT(list);
580 JT(list) = target;
581 } else {
582 next = JF(list);
583 JF(list) = target;
584 }
585 list = next;
586 }
587 }
588
589 /*
590 * Merge the lists in b0 and b1, using the 'sense' field to indicate
591 * which of jt and jf is the link.
592 */
593 static void
merge(b0,b1)594 merge(b0, b1)
595 struct block *b0, *b1;
596 {
597 register struct block **p = &b0;
598
599 /* Find end of list. */
600 while (*p)
601 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
602
603 /* Concatenate the lists. */
604 *p = b1;
605 }
606
607 void
finish_parse(p)608 finish_parse(p)
609 struct block *p;
610 {
611 struct block *ppi_dlt_check;
612
613 /*
614 * Insert before the statements of the first (root) block any
615 * statements needed to load the lengths of any variable-length
616 * headers into registers.
617 *
618 * XXX - a fancier strategy would be to insert those before the
619 * statements of all blocks that use those lengths and that
620 * have no predecessors that use them, so that we only compute
621 * the lengths if we need them. There might be even better
622 * approaches than that.
623 *
624 * However, those strategies would be more complicated, and
625 * as we don't generate code to compute a length if the
626 * program has no tests that use the length, and as most
627 * tests will probably use those lengths, we would just
628 * postpone computing the lengths so that it's not done
629 * for tests that fail early, and it's not clear that's
630 * worth the effort.
631 */
632 insert_compute_vloffsets(p->head);
633
634 /*
635 * For DLT_PPI captures, generate a check of the per-packet
636 * DLT value to make sure it's DLT_IEEE802_11.
637 */
638 ppi_dlt_check = gen_ppi_dlt_check();
639 if (ppi_dlt_check != NULL)
640 gen_and(ppi_dlt_check, p);
641
642 backpatch(p, gen_retblk(snaplen));
643 p->sense = !p->sense;
644 backpatch(p, gen_retblk(0));
645 root = p->head;
646 }
647
648 void
gen_and(b0,b1)649 gen_and(b0, b1)
650 struct block *b0, *b1;
651 {
652 backpatch(b0, b1->head);
653 b0->sense = !b0->sense;
654 b1->sense = !b1->sense;
655 merge(b1, b0);
656 b1->sense = !b1->sense;
657 b1->head = b0->head;
658 }
659
660 void
gen_or(b0,b1)661 gen_or(b0, b1)
662 struct block *b0, *b1;
663 {
664 b0->sense = !b0->sense;
665 backpatch(b0, b1->head);
666 b0->sense = !b0->sense;
667 merge(b1, b0);
668 b1->head = b0->head;
669 }
670
671 void
gen_not(b)672 gen_not(b)
673 struct block *b;
674 {
675 b->sense = !b->sense;
676 }
677
678 static struct block *
gen_cmp(offrel,offset,size,v)679 gen_cmp(offrel, offset, size, v)
680 enum e_offrel offrel;
681 u_int offset, size;
682 bpf_int32 v;
683 {
684 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
685 }
686
687 static struct block *
gen_cmp_gt(offrel,offset,size,v)688 gen_cmp_gt(offrel, offset, size, v)
689 enum e_offrel offrel;
690 u_int offset, size;
691 bpf_int32 v;
692 {
693 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
694 }
695
696 static struct block *
gen_cmp_ge(offrel,offset,size,v)697 gen_cmp_ge(offrel, offset, size, v)
698 enum e_offrel offrel;
699 u_int offset, size;
700 bpf_int32 v;
701 {
702 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
703 }
704
705 static struct block *
gen_cmp_lt(offrel,offset,size,v)706 gen_cmp_lt(offrel, offset, size, v)
707 enum e_offrel offrel;
708 u_int offset, size;
709 bpf_int32 v;
710 {
711 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
712 }
713
714 static struct block *
gen_cmp_le(offrel,offset,size,v)715 gen_cmp_le(offrel, offset, size, v)
716 enum e_offrel offrel;
717 u_int offset, size;
718 bpf_int32 v;
719 {
720 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
721 }
722
723 static struct block *
gen_mcmp(offrel,offset,size,v,mask)724 gen_mcmp(offrel, offset, size, v, mask)
725 enum e_offrel offrel;
726 u_int offset, size;
727 bpf_int32 v;
728 bpf_u_int32 mask;
729 {
730 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
731 }
732
733 static struct block *
gen_bcmp(offrel,offset,size,v)734 gen_bcmp(offrel, offset, size, v)
735 enum e_offrel offrel;
736 register u_int offset, size;
737 register const u_char *v;
738 {
739 register struct block *b, *tmp;
740
741 b = NULL;
742 while (size >= 4) {
743 register const u_char *p = &v[size - 4];
744 bpf_int32 w = ((bpf_int32)p[0] << 24) |
745 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
746
747 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
748 if (b != NULL)
749 gen_and(b, tmp);
750 b = tmp;
751 size -= 4;
752 }
753 while (size >= 2) {
754 register const u_char *p = &v[size - 2];
755 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
756
757 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
758 if (b != NULL)
759 gen_and(b, tmp);
760 b = tmp;
761 size -= 2;
762 }
763 if (size > 0) {
764 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
765 if (b != NULL)
766 gen_and(b, tmp);
767 b = tmp;
768 }
769 return b;
770 }
771
772 /*
773 * AND the field of size "size" at offset "offset" relative to the header
774 * specified by "offrel" with "mask", and compare it with the value "v"
775 * with the test specified by "jtype"; if "reverse" is true, the test
776 * should test the opposite of "jtype".
777 */
778 static struct block *
gen_ncmp(offrel,offset,size,mask,jtype,reverse,v)779 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
780 enum e_offrel offrel;
781 bpf_int32 v;
782 bpf_u_int32 offset, size, mask, jtype;
783 int reverse;
784 {
785 struct slist *s, *s2;
786 struct block *b;
787
788 s = gen_load_a(offrel, offset, size);
789
790 if (mask != 0xffffffff) {
791 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
792 s2->s.k = mask;
793 sappend(s, s2);
794 }
795
796 b = new_block(JMP(jtype));
797 b->stmts = s;
798 b->s.k = v;
799 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
800 gen_not(b);
801 return b;
802 }
803
804 /*
805 * Various code constructs need to know the layout of the packet.
806 * These variables give the necessary offsets from the beginning
807 * of the packet data.
808 */
809
810 /*
811 * Absolute offset of the beginning of the link-layer header.
812 */
813 static bpf_abs_offset off_linkhdr;
814
815 /*
816 * If we're checking a link-layer header for a packet encapsulated in
817 * another protocol layer, this is the equivalent information for the
818 * previous layers' link-layer header from the beginning of the raw
819 * packet data.
820 */
821 static bpf_abs_offset off_prevlinkhdr;
822
823 /*
824 * This is the equivalent information for the outermost layers' link-layer
825 * header.
826 */
827 static bpf_abs_offset off_outermostlinkhdr;
828
829 /*
830 * "Push" the current value of the link-layer header type and link-layer
831 * header offset onto a "stack", and set a new value. (It's not a
832 * full-blown stack; we keep only the top two items.)
833 */
834 #define PUSH_LINKHDR(new_linktype, new_is_variable, new_constant_part, new_reg) \
835 { \
836 prevlinktype = new_linktype; \
837 off_prevlinkhdr = off_linkhdr; \
838 linktype = new_linktype; \
839 off_linkhdr.is_variable = new_is_variable; \
840 off_linkhdr.constant_part = new_constant_part; \
841 off_linkhdr.reg = new_reg; \
842 is_geneve = 0; \
843 }
844
845 /*
846 * Absolute offset of the beginning of the link-layer payload.
847 */
848 static bpf_abs_offset off_linkpl;
849
850 /*
851 * "off_linktype" is the offset to information in the link-layer header
852 * giving the packet type. This is an absolute offset from the beginning
853 * of the packet.
854 *
855 * For Ethernet, it's the offset of the Ethernet type field; this
856 * means that it must have a value that skips VLAN tags.
857 *
858 * For link-layer types that always use 802.2 headers, it's the
859 * offset of the LLC header; this means that it must have a value
860 * that skips VLAN tags.
861 *
862 * For PPP, it's the offset of the PPP type field.
863 *
864 * For Cisco HDLC, it's the offset of the CHDLC type field.
865 *
866 * For BSD loopback, it's the offset of the AF_ value.
867 *
868 * For Linux cooked sockets, it's the offset of the type field.
869 *
870 * off_linktype.constant_part is set to -1 for no encapsulation,
871 * in which case, IP is assumed.
872 */
873 static bpf_abs_offset off_linktype;
874
875 /*
876 * TRUE if the link layer includes an ATM pseudo-header.
877 */
878 static int is_atm = 0;
879
880 /*
881 * TRUE if "geneve" appeared in the filter; it causes us to generate
882 * code that checks for a Geneve header and assume that later filters
883 * apply to the encapsulated payload.
884 */
885 static int is_geneve = 0;
886
887 /*
888 * These are offsets for the ATM pseudo-header.
889 */
890 static u_int off_vpi;
891 static u_int off_vci;
892 static u_int off_proto;
893
894 /*
895 * These are offsets for the MTP2 fields.
896 */
897 static u_int off_li;
898 static u_int off_li_hsl;
899
900 /*
901 * These are offsets for the MTP3 fields.
902 */
903 static u_int off_sio;
904 static u_int off_opc;
905 static u_int off_dpc;
906 static u_int off_sls;
907
908 /*
909 * This is the offset of the first byte after the ATM pseudo_header,
910 * or -1 if there is no ATM pseudo-header.
911 */
912 static u_int off_payload;
913
914 /*
915 * These are offsets to the beginning of the network-layer header.
916 * They are relative to the beginning of the link-layer payload (i.e.,
917 * they don't include off_linkhdr.constant_part or off_linkpl.constant_part).
918 *
919 * If the link layer never uses 802.2 LLC:
920 *
921 * "off_nl" and "off_nl_nosnap" are the same.
922 *
923 * If the link layer always uses 802.2 LLC:
924 *
925 * "off_nl" is the offset if there's a SNAP header following
926 * the 802.2 header;
927 *
928 * "off_nl_nosnap" is the offset if there's no SNAP header.
929 *
930 * If the link layer is Ethernet:
931 *
932 * "off_nl" is the offset if the packet is an Ethernet II packet
933 * (we assume no 802.3+802.2+SNAP);
934 *
935 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
936 * with an 802.2 header following it.
937 */
938 static u_int off_nl;
939 static u_int off_nl_nosnap;
940
941 static int linktype;
942 static int prevlinktype;
943 static int outermostlinktype;
944
945 static void
init_linktype(p)946 init_linktype(p)
947 pcap_t *p;
948 {
949 pcap_fddipad = p->fddipad;
950
951 /*
952 * We start out with only one link-layer header.
953 */
954 outermostlinktype = pcap_datalink(p);
955 off_outermostlinkhdr.constant_part = 0;
956 off_outermostlinkhdr.is_variable = 0;
957 off_outermostlinkhdr.reg = -1;
958
959 prevlinktype = outermostlinktype;
960 off_prevlinkhdr.constant_part = 0;
961 off_prevlinkhdr.is_variable = 0;
962 off_prevlinkhdr.reg = -1;
963
964 linktype = outermostlinktype;
965 off_linkhdr.constant_part = 0;
966 off_linkhdr.is_variable = 0;
967 off_linkhdr.reg = -1;
968
969 /*
970 * XXX
971 */
972 off_linkpl.constant_part = 0;
973 off_linkpl.is_variable = 0;
974 off_linkpl.reg = -1;
975
976 off_linktype.constant_part = 0;
977 off_linktype.is_variable = 0;
978 off_linktype.reg = -1;
979
980 /*
981 * Assume it's not raw ATM with a pseudo-header, for now.
982 */
983 is_atm = 0;
984 off_vpi = -1;
985 off_vci = -1;
986 off_proto = -1;
987 off_payload = -1;
988
989 /*
990 * And not Geneve.
991 */
992 is_geneve = 0;
993
994 /*
995 * And assume we're not doing SS7.
996 */
997 off_li = -1;
998 off_li_hsl = -1;
999 off_sio = -1;
1000 off_opc = -1;
1001 off_dpc = -1;
1002 off_sls = -1;
1003
1004 label_stack_depth = 0;
1005 vlan_stack_depth = 0;
1006
1007 switch (linktype) {
1008
1009 case DLT_ARCNET:
1010 off_linktype.constant_part = 2;
1011 off_linkpl.constant_part = 6;
1012 off_nl = 0; /* XXX in reality, variable! */
1013 off_nl_nosnap = 0; /* no 802.2 LLC */
1014 break;
1015
1016 case DLT_ARCNET_LINUX:
1017 off_linktype.constant_part = 4;
1018 off_linkpl.constant_part = 8;
1019 off_nl = 0; /* XXX in reality, variable! */
1020 off_nl_nosnap = 0; /* no 802.2 LLC */
1021 break;
1022
1023 case DLT_EN10MB:
1024 off_linktype.constant_part = 12;
1025 off_linkpl.constant_part = 14; /* Ethernet header length */
1026 off_nl = 0; /* Ethernet II */
1027 off_nl_nosnap = 3; /* 802.3+802.2 */
1028 break;
1029
1030 case DLT_SLIP:
1031 /*
1032 * SLIP doesn't have a link level type. The 16 byte
1033 * header is hacked into our SLIP driver.
1034 */
1035 off_linktype.constant_part = -1;
1036 off_linkpl.constant_part = 16;
1037 off_nl = 0;
1038 off_nl_nosnap = 0; /* no 802.2 LLC */
1039 break;
1040
1041 case DLT_SLIP_BSDOS:
1042 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1043 off_linktype.constant_part = -1;
1044 /* XXX end */
1045 off_linkpl.constant_part = 24;
1046 off_nl = 0;
1047 off_nl_nosnap = 0; /* no 802.2 LLC */
1048 break;
1049
1050 case DLT_NULL:
1051 case DLT_LOOP:
1052 off_linktype.constant_part = 0;
1053 off_linkpl.constant_part = 4;
1054 off_nl = 0;
1055 off_nl_nosnap = 0; /* no 802.2 LLC */
1056 break;
1057
1058 case DLT_ENC:
1059 off_linktype.constant_part = 0;
1060 off_linkpl.constant_part = 12;
1061 off_nl = 0;
1062 off_nl_nosnap = 0; /* no 802.2 LLC */
1063 break;
1064
1065 case DLT_PPP:
1066 case DLT_PPP_PPPD:
1067 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1068 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1069 off_linktype.constant_part = 2; /* skip HDLC-like framing */
1070 off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1071 off_nl = 0;
1072 off_nl_nosnap = 0; /* no 802.2 LLC */
1073 break;
1074
1075 case DLT_PPP_ETHER:
1076 /*
1077 * This does no include the Ethernet header, and
1078 * only covers session state.
1079 */
1080 off_linktype.constant_part = 6;
1081 off_linkpl.constant_part = 8;
1082 off_nl = 0;
1083 off_nl_nosnap = 0; /* no 802.2 LLC */
1084 break;
1085
1086 case DLT_PPP_BSDOS:
1087 off_linktype.constant_part = 5;
1088 off_linkpl.constant_part = 24;
1089 off_nl = 0;
1090 off_nl_nosnap = 0; /* no 802.2 LLC */
1091 break;
1092
1093 case DLT_FDDI:
1094 /*
1095 * FDDI doesn't really have a link-level type field.
1096 * We set "off_linktype" to the offset of the LLC header.
1097 *
1098 * To check for Ethernet types, we assume that SSAP = SNAP
1099 * is being used and pick out the encapsulated Ethernet type.
1100 * XXX - should we generate code to check for SNAP?
1101 */
1102 off_linktype.constant_part = 13;
1103 off_linktype.constant_part += pcap_fddipad;
1104 off_linkpl.constant_part = 13; /* FDDI MAC header length */
1105 off_linkpl.constant_part += pcap_fddipad;
1106 off_nl = 8; /* 802.2+SNAP */
1107 off_nl_nosnap = 3; /* 802.2 */
1108 break;
1109
1110 case DLT_IEEE802:
1111 /*
1112 * Token Ring doesn't really have a link-level type field.
1113 * We set "off_linktype" to the offset of the LLC header.
1114 *
1115 * To check for Ethernet types, we assume that SSAP = SNAP
1116 * is being used and pick out the encapsulated Ethernet type.
1117 * XXX - should we generate code to check for SNAP?
1118 *
1119 * XXX - the header is actually variable-length.
1120 * Some various Linux patched versions gave 38
1121 * as "off_linktype" and 40 as "off_nl"; however,
1122 * if a token ring packet has *no* routing
1123 * information, i.e. is not source-routed, the correct
1124 * values are 20 and 22, as they are in the vanilla code.
1125 *
1126 * A packet is source-routed iff the uppermost bit
1127 * of the first byte of the source address, at an
1128 * offset of 8, has the uppermost bit set. If the
1129 * packet is source-routed, the total number of bytes
1130 * of routing information is 2 plus bits 0x1F00 of
1131 * the 16-bit value at an offset of 14 (shifted right
1132 * 8 - figure out which byte that is).
1133 */
1134 off_linktype.constant_part = 14;
1135 off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1136 off_nl = 8; /* 802.2+SNAP */
1137 off_nl_nosnap = 3; /* 802.2 */
1138 break;
1139
1140 case DLT_PRISM_HEADER:
1141 case DLT_IEEE802_11_RADIO_AVS:
1142 case DLT_IEEE802_11_RADIO:
1143 off_linkhdr.is_variable = 1;
1144 /* Fall through, 802.11 doesn't have a variable link
1145 * prefix but is otherwise the same. */
1146
1147 case DLT_IEEE802_11:
1148 /*
1149 * 802.11 doesn't really have a link-level type field.
1150 * We set "off_linktype.constant_part" to the offset of
1151 * the LLC header.
1152 *
1153 * To check for Ethernet types, we assume that SSAP = SNAP
1154 * is being used and pick out the encapsulated Ethernet type.
1155 * XXX - should we generate code to check for SNAP?
1156 *
1157 * We also handle variable-length radio headers here.
1158 * The Prism header is in theory variable-length, but in
1159 * practice it's always 144 bytes long. However, some
1160 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1161 * sometimes or always supply an AVS header, so we
1162 * have to check whether the radio header is a Prism
1163 * header or an AVS header, so, in practice, it's
1164 * variable-length.
1165 */
1166 off_linktype.constant_part = 24;
1167 off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1168 off_linkpl.is_variable = 1;
1169 off_nl = 8; /* 802.2+SNAP */
1170 off_nl_nosnap = 3; /* 802.2 */
1171 break;
1172
1173 case DLT_PPI:
1174 /*
1175 * At the moment we treat PPI the same way that we treat
1176 * normal Radiotap encoded packets. The difference is in
1177 * the function that generates the code at the beginning
1178 * to compute the header length. Since this code generator
1179 * of PPI supports bare 802.11 encapsulation only (i.e.
1180 * the encapsulated DLT should be DLT_IEEE802_11) we
1181 * generate code to check for this too.
1182 */
1183 off_linktype.constant_part = 24;
1184 off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1185 off_linkpl.is_variable = 1;
1186 off_linkhdr.is_variable = 1;
1187 off_nl = 8; /* 802.2+SNAP */
1188 off_nl_nosnap = 3; /* 802.2 */
1189 break;
1190
1191 case DLT_ATM_RFC1483:
1192 case DLT_ATM_CLIP: /* Linux ATM defines this */
1193 /*
1194 * assume routed, non-ISO PDUs
1195 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1196 *
1197 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1198 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1199 * latter would presumably be treated the way PPPoE
1200 * should be, so you can do "pppoe and udp port 2049"
1201 * or "pppoa and tcp port 80" and have it check for
1202 * PPPo{A,E} and a PPP protocol of IP and....
1203 */
1204 off_linktype.constant_part = 0;
1205 off_linkpl.constant_part = 0; /* packet begins with LLC header */
1206 off_nl = 8; /* 802.2+SNAP */
1207 off_nl_nosnap = 3; /* 802.2 */
1208 break;
1209
1210 case DLT_SUNATM:
1211 /*
1212 * Full Frontal ATM; you get AALn PDUs with an ATM
1213 * pseudo-header.
1214 */
1215 is_atm = 1;
1216 off_vpi = SUNATM_VPI_POS;
1217 off_vci = SUNATM_VCI_POS;
1218 off_proto = PROTO_POS;
1219 off_payload = SUNATM_PKT_BEGIN_POS;
1220 off_linktype.constant_part = off_payload;
1221 off_linkpl.constant_part = off_payload; /* if LLC-encapsulated */
1222 off_nl = 8; /* 802.2+SNAP */
1223 off_nl_nosnap = 3; /* 802.2 */
1224 break;
1225
1226 case DLT_RAW:
1227 case DLT_IPV4:
1228 case DLT_IPV6:
1229 off_linktype.constant_part = -1;
1230 off_linkpl.constant_part = 0;
1231 off_nl = 0;
1232 off_nl_nosnap = 0; /* no 802.2 LLC */
1233 break;
1234
1235 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1236 off_linktype.constant_part = 14;
1237 off_linkpl.constant_part = 16;
1238 off_nl = 0;
1239 off_nl_nosnap = 0; /* no 802.2 LLC */
1240 break;
1241
1242 case DLT_LTALK:
1243 /*
1244 * LocalTalk does have a 1-byte type field in the LLAP header,
1245 * but really it just indicates whether there is a "short" or
1246 * "long" DDP packet following.
1247 */
1248 off_linktype.constant_part = -1;
1249 off_linkpl.constant_part = 0;
1250 off_nl = 0;
1251 off_nl_nosnap = 0; /* no 802.2 LLC */
1252 break;
1253
1254 case DLT_IP_OVER_FC:
1255 /*
1256 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1257 * link-level type field. We set "off_linktype" to the
1258 * offset of the LLC header.
1259 *
1260 * To check for Ethernet types, we assume that SSAP = SNAP
1261 * is being used and pick out the encapsulated Ethernet type.
1262 * XXX - should we generate code to check for SNAP? RFC
1263 * 2625 says SNAP should be used.
1264 */
1265 off_linktype.constant_part = 16;
1266 off_linkpl.constant_part = 16;
1267 off_nl = 8; /* 802.2+SNAP */
1268 off_nl_nosnap = 3; /* 802.2 */
1269 break;
1270
1271 case DLT_FRELAY:
1272 /*
1273 * XXX - we should set this to handle SNAP-encapsulated
1274 * frames (NLPID of 0x80).
1275 */
1276 off_linktype.constant_part = -1;
1277 off_linkpl.constant_part = 0;
1278 off_nl = 0;
1279 off_nl_nosnap = 0; /* no 802.2 LLC */
1280 break;
1281
1282 /*
1283 * the only BPF-interesting FRF.16 frames are non-control frames;
1284 * Frame Relay has a variable length link-layer
1285 * so lets start with offset 4 for now and increments later on (FIXME);
1286 */
1287 case DLT_MFR:
1288 off_linktype.constant_part = -1;
1289 off_linkpl.constant_part = 0;
1290 off_nl = 4;
1291 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1292 break;
1293
1294 case DLT_APPLE_IP_OVER_IEEE1394:
1295 off_linktype.constant_part = 16;
1296 off_linkpl.constant_part = 18;
1297 off_nl = 0;
1298 off_nl_nosnap = 0; /* no 802.2 LLC */
1299 break;
1300
1301 case DLT_SYMANTEC_FIREWALL:
1302 off_linktype.constant_part = 6;
1303 off_linkpl.constant_part = 44;
1304 off_nl = 0; /* Ethernet II */
1305 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1306 break;
1307
1308 #ifdef HAVE_NET_PFVAR_H
1309 case DLT_PFLOG:
1310 off_linktype.constant_part = 0;
1311 off_linkpl.constant_part = PFLOG_HDRLEN;
1312 off_nl = 0;
1313 off_nl_nosnap = 0; /* no 802.2 LLC */
1314 break;
1315 #endif
1316
1317 case DLT_JUNIPER_MFR:
1318 case DLT_JUNIPER_MLFR:
1319 case DLT_JUNIPER_MLPPP:
1320 case DLT_JUNIPER_PPP:
1321 case DLT_JUNIPER_CHDLC:
1322 case DLT_JUNIPER_FRELAY:
1323 off_linktype.constant_part = 4;
1324 off_linkpl.constant_part = 4;
1325 off_nl = 0;
1326 off_nl_nosnap = -1; /* no 802.2 LLC */
1327 break;
1328
1329 case DLT_JUNIPER_ATM1:
1330 off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1331 off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1332 off_nl = 0;
1333 off_nl_nosnap = 10;
1334 break;
1335
1336 case DLT_JUNIPER_ATM2:
1337 off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1338 off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1339 off_nl = 0;
1340 off_nl_nosnap = 10;
1341 break;
1342
1343 /* frames captured on a Juniper PPPoE service PIC
1344 * contain raw ethernet frames */
1345 case DLT_JUNIPER_PPPOE:
1346 case DLT_JUNIPER_ETHER:
1347 off_linkpl.constant_part = 14;
1348 off_linktype.constant_part = 16;
1349 off_nl = 18; /* Ethernet II */
1350 off_nl_nosnap = 21; /* 802.3+802.2 */
1351 break;
1352
1353 case DLT_JUNIPER_PPPOE_ATM:
1354 off_linktype.constant_part = 4;
1355 off_linkpl.constant_part = 6;
1356 off_nl = 0;
1357 off_nl_nosnap = -1; /* no 802.2 LLC */
1358 break;
1359
1360 case DLT_JUNIPER_GGSN:
1361 off_linktype.constant_part = 6;
1362 off_linkpl.constant_part = 12;
1363 off_nl = 0;
1364 off_nl_nosnap = -1; /* no 802.2 LLC */
1365 break;
1366
1367 case DLT_JUNIPER_ES:
1368 off_linktype.constant_part = 6;
1369 off_linkpl.constant_part = -1; /* not really a network layer but raw IP addresses */
1370 off_nl = -1; /* not really a network layer but raw IP addresses */
1371 off_nl_nosnap = -1; /* no 802.2 LLC */
1372 break;
1373
1374 case DLT_JUNIPER_MONITOR:
1375 off_linktype.constant_part = 12;
1376 off_linkpl.constant_part = 12;
1377 off_nl = 0; /* raw IP/IP6 header */
1378 off_nl_nosnap = -1; /* no 802.2 LLC */
1379 break;
1380
1381 case DLT_BACNET_MS_TP:
1382 off_linktype.constant_part = -1;
1383 off_linkpl.constant_part = -1;
1384 off_nl = -1;
1385 off_nl_nosnap = -1;
1386 break;
1387
1388 case DLT_JUNIPER_SERVICES:
1389 off_linktype.constant_part = 12;
1390 off_linkpl.constant_part = -1; /* L3 proto location dep. on cookie type */
1391 off_nl = -1; /* L3 proto location dep. on cookie type */
1392 off_nl_nosnap = -1; /* no 802.2 LLC */
1393 break;
1394
1395 case DLT_JUNIPER_VP:
1396 off_linktype.constant_part = 18;
1397 off_linkpl.constant_part = -1;
1398 off_nl = -1;
1399 off_nl_nosnap = -1;
1400 break;
1401
1402 case DLT_JUNIPER_ST:
1403 off_linktype.constant_part = 18;
1404 off_linkpl.constant_part = -1;
1405 off_nl = -1;
1406 off_nl_nosnap = -1;
1407 break;
1408
1409 case DLT_JUNIPER_ISM:
1410 off_linktype.constant_part = 8;
1411 off_linkpl.constant_part = -1;
1412 off_nl = -1;
1413 off_nl_nosnap = -1;
1414 break;
1415
1416 case DLT_JUNIPER_VS:
1417 case DLT_JUNIPER_SRX_E2E:
1418 case DLT_JUNIPER_FIBRECHANNEL:
1419 case DLT_JUNIPER_ATM_CEMIC:
1420 off_linktype.constant_part = 8;
1421 off_linkpl.constant_part = -1;
1422 off_nl = -1;
1423 off_nl_nosnap = -1;
1424 break;
1425
1426 case DLT_MTP2:
1427 off_li = 2;
1428 off_li_hsl = 4;
1429 off_sio = 3;
1430 off_opc = 4;
1431 off_dpc = 4;
1432 off_sls = 7;
1433 off_linktype.constant_part = -1;
1434 off_linkpl.constant_part = -1;
1435 off_nl = -1;
1436 off_nl_nosnap = -1;
1437 break;
1438
1439 case DLT_MTP2_WITH_PHDR:
1440 off_li = 6;
1441 off_li_hsl = 8;
1442 off_sio = 7;
1443 off_opc = 8;
1444 off_dpc = 8;
1445 off_sls = 11;
1446 off_linktype.constant_part = -1;
1447 off_linkpl.constant_part = -1;
1448 off_nl = -1;
1449 off_nl_nosnap = -1;
1450 break;
1451
1452 case DLT_ERF:
1453 off_li = 22;
1454 off_li_hsl = 24;
1455 off_sio = 23;
1456 off_opc = 24;
1457 off_dpc = 24;
1458 off_sls = 27;
1459 off_linktype.constant_part = -1;
1460 off_linkpl.constant_part = -1;
1461 off_nl = -1;
1462 off_nl_nosnap = -1;
1463 break;
1464
1465 case DLT_PFSYNC:
1466 off_linktype.constant_part = -1;
1467 off_linkpl.constant_part = 4;
1468 off_nl = 0;
1469 off_nl_nosnap = 0;
1470 break;
1471
1472 case DLT_AX25_KISS:
1473 /*
1474 * Currently, only raw "link[N:M]" filtering is supported.
1475 */
1476 off_linktype.constant_part = -1; /* variable, min 15, max 71 steps of 7 */
1477 off_linkpl.constant_part = -1;
1478 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1479 off_nl_nosnap = -1; /* no 802.2 LLC */
1480 break;
1481
1482 case DLT_IPNET:
1483 off_linktype.constant_part = 1;
1484 off_linkpl.constant_part = 24; /* ipnet header length */
1485 off_nl = 0;
1486 off_nl_nosnap = -1;
1487 break;
1488
1489 case DLT_NETANALYZER:
1490 off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1491 off_linktype.constant_part = off_linkhdr.constant_part + 12;
1492 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1493 off_nl = 0; /* Ethernet II */
1494 off_nl_nosnap = 3; /* 802.3+802.2 */
1495 break;
1496
1497 case DLT_NETANALYZER_TRANSPARENT:
1498 off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1499 off_linktype.constant_part = off_linkhdr.constant_part + 12;
1500 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1501 off_nl = 0; /* Ethernet II */
1502 off_nl_nosnap = 3; /* 802.3+802.2 */
1503 break;
1504
1505 default:
1506 /*
1507 * For values in the range in which we've assigned new
1508 * DLT_ values, only raw "link[N:M]" filtering is supported.
1509 */
1510 if (linktype >= DLT_MATCHING_MIN &&
1511 linktype <= DLT_MATCHING_MAX) {
1512 off_linktype.constant_part = -1;
1513 off_linkpl.constant_part = -1;
1514 off_nl = -1;
1515 off_nl_nosnap = -1;
1516 } else {
1517 bpf_error("unknown data link type %d", linktype);
1518 }
1519 break;
1520 }
1521
1522 off_outermostlinkhdr = off_prevlinkhdr = off_linkhdr;
1523 }
1524
1525 /*
1526 * Load a value relative to the specified absolute offset.
1527 */
1528 static struct slist *
gen_load_absoffsetrel(bpf_abs_offset * abs_offset,u_int offset,u_int size)1529 gen_load_absoffsetrel(bpf_abs_offset *abs_offset, u_int offset, u_int size)
1530 {
1531 struct slist *s, *s2;
1532
1533 s = gen_abs_offset_varpart(abs_offset);
1534
1535 /*
1536 * If "s" is non-null, it has code to arrange that the X register
1537 * contains the variable part of the absolute offset, so we
1538 * generate a load relative to that, with an offset of
1539 * abs_offset->constant_part + offset.
1540 *
1541 * Otherwise, we can do an absolute load with an offset of
1542 * abs_offset->constant_part + offset.
1543 */
1544 if (s != NULL) {
1545 /*
1546 * "s" points to a list of statements that puts the
1547 * variable part of the absolute offset into the X register.
1548 * Do an indirect load, to use the X register as an offset.
1549 */
1550 s2 = new_stmt(BPF_LD|BPF_IND|size);
1551 s2->s.k = abs_offset->constant_part + offset;
1552 sappend(s, s2);
1553 } else {
1554 /*
1555 * There is no variable part of the absolute offset, so
1556 * just do an absolute load.
1557 */
1558 s = new_stmt(BPF_LD|BPF_ABS|size);
1559 s->s.k = abs_offset->constant_part + offset;
1560 }
1561 return s;
1562 }
1563
1564 /*
1565 * Load a value relative to the beginning of the specified header.
1566 */
1567 static struct slist *
gen_load_a(offrel,offset,size)1568 gen_load_a(offrel, offset, size)
1569 enum e_offrel offrel;
1570 u_int offset, size;
1571 {
1572 struct slist *s, *s2;
1573
1574 switch (offrel) {
1575
1576 case OR_PACKET:
1577 s = new_stmt(BPF_LD|BPF_ABS|size);
1578 s->s.k = offset;
1579 break;
1580
1581 case OR_LINKHDR:
1582 s = gen_load_absoffsetrel(&off_linkhdr, offset, size);
1583 break;
1584
1585 case OR_PREVLINKHDR:
1586 s = gen_load_absoffsetrel(&off_prevlinkhdr, offset, size);
1587 break;
1588
1589 case OR_LLC:
1590 s = gen_load_absoffsetrel(&off_linkpl, offset, size);
1591 break;
1592
1593 case OR_PREVMPLSHDR:
1594 s = gen_load_absoffsetrel(&off_linkpl, off_nl - 4 + offset, size);
1595 break;
1596
1597 case OR_LINKPL:
1598 s = gen_load_absoffsetrel(&off_linkpl, off_nl + offset, size);
1599 break;
1600
1601 case OR_LINKPL_NOSNAP:
1602 s = gen_load_absoffsetrel(&off_linkpl, off_nl_nosnap + offset, size);
1603 break;
1604
1605 case OR_LINKTYPE:
1606 s = gen_load_absoffsetrel(&off_linktype, offset, size);
1607 break;
1608
1609 case OR_TRAN_IPV4:
1610 /*
1611 * Load the X register with the length of the IPv4 header
1612 * (plus the offset of the link-layer header, if it's
1613 * preceded by a variable-length header such as a radio
1614 * header), in bytes.
1615 */
1616 s = gen_loadx_iphdrlen();
1617
1618 /*
1619 * Load the item at {offset of the link-layer payload} +
1620 * {offset, relative to the start of the link-layer
1621 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1622 * {specified offset}.
1623 *
1624 * If the offset of the link-layer payload is variable,
1625 * the variable part of that offset is included in the
1626 * value in the X register, and we include the constant
1627 * part in the offset of the load.
1628 */
1629 s2 = new_stmt(BPF_LD|BPF_IND|size);
1630 s2->s.k = off_linkpl.constant_part + off_nl + offset;
1631 sappend(s, s2);
1632 break;
1633
1634 case OR_TRAN_IPV6:
1635 s = gen_load_absoffsetrel(&off_linkpl, off_nl + 40 + offset, size);
1636 break;
1637
1638 default:
1639 abort();
1640 return NULL;
1641 }
1642 return s;
1643 }
1644
1645 /*
1646 * Generate code to load into the X register the sum of the length of
1647 * the IPv4 header and the variable part of the offset of the link-layer
1648 * payload.
1649 */
1650 static struct slist *
gen_loadx_iphdrlen()1651 gen_loadx_iphdrlen()
1652 {
1653 struct slist *s, *s2;
1654
1655 s = gen_abs_offset_varpart(&off_linkpl);
1656 if (s != NULL) {
1657 /*
1658 * The offset of the link-layer payload has a variable
1659 * part. "s" points to a list of statements that put
1660 * the variable part of that offset into the X register.
1661 *
1662 * The 4*([k]&0xf) addressing mode can't be used, as we
1663 * don't have a constant offset, so we have to load the
1664 * value in question into the A register and add to it
1665 * the value from the X register.
1666 */
1667 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1668 s2->s.k = off_linkpl.constant_part + off_nl;
1669 sappend(s, s2);
1670 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1671 s2->s.k = 0xf;
1672 sappend(s, s2);
1673 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1674 s2->s.k = 2;
1675 sappend(s, s2);
1676
1677 /*
1678 * The A register now contains the length of the IP header.
1679 * We need to add to it the variable part of the offset of
1680 * the link-layer payload, which is still in the X
1681 * register, and move the result into the X register.
1682 */
1683 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1684 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1685 } else {
1686 /*
1687 * The offset of the link-layer payload is a constant,
1688 * so no code was generated to load the (non-existent)
1689 * variable part of that offset.
1690 *
1691 * This means we can use the 4*([k]&0xf) addressing
1692 * mode. Load the length of the IPv4 header, which
1693 * is at an offset of off_nl from the beginning of
1694 * the link-layer payload, and thus at an offset of
1695 * off_linkpl.constant_part + off_nl from the beginning
1696 * of the raw packet data, using that addressing mode.
1697 */
1698 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1699 s->s.k = off_linkpl.constant_part + off_nl;
1700 }
1701 return s;
1702 }
1703
1704 static struct block *
gen_uncond(rsense)1705 gen_uncond(rsense)
1706 int rsense;
1707 {
1708 struct block *b;
1709 struct slist *s;
1710
1711 s = new_stmt(BPF_LD|BPF_IMM);
1712 s->s.k = !rsense;
1713 b = new_block(JMP(BPF_JEQ));
1714 b->stmts = s;
1715
1716 return b;
1717 }
1718
1719 static inline struct block *
gen_true()1720 gen_true()
1721 {
1722 return gen_uncond(1);
1723 }
1724
1725 static inline struct block *
gen_false()1726 gen_false()
1727 {
1728 return gen_uncond(0);
1729 }
1730
1731 /*
1732 * Byte-swap a 32-bit number.
1733 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1734 * big-endian platforms.)
1735 */
1736 #define SWAPLONG(y) \
1737 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1738
1739 /*
1740 * Generate code to match a particular packet type.
1741 *
1742 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1743 * value, if <= ETHERMTU. We use that to determine whether to
1744 * match the type/length field or to check the type/length field for
1745 * a value <= ETHERMTU to see whether it's a type field and then do
1746 * the appropriate test.
1747 */
1748 static struct block *
gen_ether_linktype(proto)1749 gen_ether_linktype(proto)
1750 register int proto;
1751 {
1752 struct block *b0, *b1;
1753
1754 switch (proto) {
1755
1756 case LLCSAP_ISONS:
1757 case LLCSAP_IP:
1758 case LLCSAP_NETBEUI:
1759 /*
1760 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1761 * so we check the DSAP and SSAP.
1762 *
1763 * LLCSAP_IP checks for IP-over-802.2, rather
1764 * than IP-over-Ethernet or IP-over-SNAP.
1765 *
1766 * XXX - should we check both the DSAP and the
1767 * SSAP, like this, or should we check just the
1768 * DSAP, as we do for other types <= ETHERMTU
1769 * (i.e., other SAP values)?
1770 */
1771 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1772 gen_not(b0);
1773 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)
1774 ((proto << 8) | proto));
1775 gen_and(b0, b1);
1776 return b1;
1777
1778 case LLCSAP_IPX:
1779 /*
1780 * Check for;
1781 *
1782 * Ethernet_II frames, which are Ethernet
1783 * frames with a frame type of ETHERTYPE_IPX;
1784 *
1785 * Ethernet_802.3 frames, which are 802.3
1786 * frames (i.e., the type/length field is
1787 * a length field, <= ETHERMTU, rather than
1788 * a type field) with the first two bytes
1789 * after the Ethernet/802.3 header being
1790 * 0xFFFF;
1791 *
1792 * Ethernet_802.2 frames, which are 802.3
1793 * frames with an 802.2 LLC header and
1794 * with the IPX LSAP as the DSAP in the LLC
1795 * header;
1796 *
1797 * Ethernet_SNAP frames, which are 802.3
1798 * frames with an LLC header and a SNAP
1799 * header and with an OUI of 0x000000
1800 * (encapsulated Ethernet) and a protocol
1801 * ID of ETHERTYPE_IPX in the SNAP header.
1802 *
1803 * XXX - should we generate the same code both
1804 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1805 */
1806
1807 /*
1808 * This generates code to check both for the
1809 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1810 */
1811 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1812 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
1813 gen_or(b0, b1);
1814
1815 /*
1816 * Now we add code to check for SNAP frames with
1817 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1818 */
1819 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1820 gen_or(b0, b1);
1821
1822 /*
1823 * Now we generate code to check for 802.3
1824 * frames in general.
1825 */
1826 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1827 gen_not(b0);
1828
1829 /*
1830 * Now add the check for 802.3 frames before the
1831 * check for Ethernet_802.2 and Ethernet_802.3,
1832 * as those checks should only be done on 802.3
1833 * frames, not on Ethernet frames.
1834 */
1835 gen_and(b0, b1);
1836
1837 /*
1838 * Now add the check for Ethernet_II frames, and
1839 * do that before checking for the other frame
1840 * types.
1841 */
1842 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1843 gen_or(b0, b1);
1844 return b1;
1845
1846 case ETHERTYPE_ATALK:
1847 case ETHERTYPE_AARP:
1848 /*
1849 * EtherTalk (AppleTalk protocols on Ethernet link
1850 * layer) may use 802.2 encapsulation.
1851 */
1852
1853 /*
1854 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1855 * we check for an Ethernet type field less than
1856 * 1500, which means it's an 802.3 length field.
1857 */
1858 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1859 gen_not(b0);
1860
1861 /*
1862 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1863 * SNAP packets with an organization code of
1864 * 0x080007 (Apple, for Appletalk) and a protocol
1865 * type of ETHERTYPE_ATALK (Appletalk).
1866 *
1867 * 802.2-encapsulated ETHERTYPE_AARP packets are
1868 * SNAP packets with an organization code of
1869 * 0x000000 (encapsulated Ethernet) and a protocol
1870 * type of ETHERTYPE_AARP (Appletalk ARP).
1871 */
1872 if (proto == ETHERTYPE_ATALK)
1873 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1874 else /* proto == ETHERTYPE_AARP */
1875 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1876 gen_and(b0, b1);
1877
1878 /*
1879 * Check for Ethernet encapsulation (Ethertalk
1880 * phase 1?); we just check for the Ethernet
1881 * protocol type.
1882 */
1883 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
1884
1885 gen_or(b0, b1);
1886 return b1;
1887
1888 default:
1889 if (proto <= ETHERMTU) {
1890 /*
1891 * This is an LLC SAP value, so the frames
1892 * that match would be 802.2 frames.
1893 * Check that the frame is an 802.2 frame
1894 * (i.e., that the length/type field is
1895 * a length field, <= ETHERMTU) and
1896 * then check the DSAP.
1897 */
1898 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1899 gen_not(b0);
1900 b1 = gen_cmp(OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
1901 gen_and(b0, b1);
1902 return b1;
1903 } else {
1904 /*
1905 * This is an Ethernet type, so compare
1906 * the length/type field with it (if
1907 * the frame is an 802.2 frame, the length
1908 * field will be <= ETHERMTU, and, as
1909 * "proto" is > ETHERMTU, this test
1910 * will fail and the frame won't match,
1911 * which is what we want).
1912 */
1913 return gen_cmp(OR_LINKTYPE, 0, BPF_H,
1914 (bpf_int32)proto);
1915 }
1916 }
1917 }
1918
1919 /*
1920 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1921 * or IPv6 then we have an error.
1922 */
1923 static struct block *
gen_ipnet_linktype(proto)1924 gen_ipnet_linktype(proto)
1925 register int proto;
1926 {
1927 switch (proto) {
1928
1929 case ETHERTYPE_IP:
1930 return gen_cmp(OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
1931 /* NOTREACHED */
1932
1933 case ETHERTYPE_IPV6:
1934 return gen_cmp(OR_LINKTYPE, 0, BPF_B,
1935 (bpf_int32)IPH_AF_INET6);
1936 /* NOTREACHED */
1937
1938 default:
1939 break;
1940 }
1941
1942 return gen_false();
1943 }
1944
1945 /*
1946 * Generate code to match a particular packet type.
1947 *
1948 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1949 * value, if <= ETHERMTU. We use that to determine whether to
1950 * match the type field or to check the type field for the special
1951 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1952 */
1953 static struct block *
gen_linux_sll_linktype(proto)1954 gen_linux_sll_linktype(proto)
1955 register int proto;
1956 {
1957 struct block *b0, *b1;
1958
1959 switch (proto) {
1960
1961 case LLCSAP_ISONS:
1962 case LLCSAP_IP:
1963 case LLCSAP_NETBEUI:
1964 /*
1965 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1966 * so we check the DSAP and SSAP.
1967 *
1968 * LLCSAP_IP checks for IP-over-802.2, rather
1969 * than IP-over-Ethernet or IP-over-SNAP.
1970 *
1971 * XXX - should we check both the DSAP and the
1972 * SSAP, like this, or should we check just the
1973 * DSAP, as we do for other types <= ETHERMTU
1974 * (i.e., other SAP values)?
1975 */
1976 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
1977 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)
1978 ((proto << 8) | proto));
1979 gen_and(b0, b1);
1980 return b1;
1981
1982 case LLCSAP_IPX:
1983 /*
1984 * Ethernet_II frames, which are Ethernet
1985 * frames with a frame type of ETHERTYPE_IPX;
1986 *
1987 * Ethernet_802.3 frames, which have a frame
1988 * type of LINUX_SLL_P_802_3;
1989 *
1990 * Ethernet_802.2 frames, which are 802.3
1991 * frames with an 802.2 LLC header (i.e, have
1992 * a frame type of LINUX_SLL_P_802_2) and
1993 * with the IPX LSAP as the DSAP in the LLC
1994 * header;
1995 *
1996 * Ethernet_SNAP frames, which are 802.3
1997 * frames with an LLC header and a SNAP
1998 * header and with an OUI of 0x000000
1999 * (encapsulated Ethernet) and a protocol
2000 * ID of ETHERTYPE_IPX in the SNAP header.
2001 *
2002 * First, do the checks on LINUX_SLL_P_802_2
2003 * frames; generate the check for either
2004 * Ethernet_802.2 or Ethernet_SNAP frames, and
2005 * then put a check for LINUX_SLL_P_802_2 frames
2006 * before it.
2007 */
2008 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2009 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2010 gen_or(b0, b1);
2011 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2012 gen_and(b0, b1);
2013
2014 /*
2015 * Now check for 802.3 frames and OR that with
2016 * the previous test.
2017 */
2018 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2019 gen_or(b0, b1);
2020
2021 /*
2022 * Now add the check for Ethernet_II frames, and
2023 * do that before checking for the other frame
2024 * types.
2025 */
2026 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2027 gen_or(b0, b1);
2028 return b1;
2029
2030 case ETHERTYPE_ATALK:
2031 case ETHERTYPE_AARP:
2032 /*
2033 * EtherTalk (AppleTalk protocols on Ethernet link
2034 * layer) may use 802.2 encapsulation.
2035 */
2036
2037 /*
2038 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2039 * we check for the 802.2 protocol type in the
2040 * "Ethernet type" field.
2041 */
2042 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2043
2044 /*
2045 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2046 * SNAP packets with an organization code of
2047 * 0x080007 (Apple, for Appletalk) and a protocol
2048 * type of ETHERTYPE_ATALK (Appletalk).
2049 *
2050 * 802.2-encapsulated ETHERTYPE_AARP packets are
2051 * SNAP packets with an organization code of
2052 * 0x000000 (encapsulated Ethernet) and a protocol
2053 * type of ETHERTYPE_AARP (Appletalk ARP).
2054 */
2055 if (proto == ETHERTYPE_ATALK)
2056 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2057 else /* proto == ETHERTYPE_AARP */
2058 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2059 gen_and(b0, b1);
2060
2061 /*
2062 * Check for Ethernet encapsulation (Ethertalk
2063 * phase 1?); we just check for the Ethernet
2064 * protocol type.
2065 */
2066 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2067
2068 gen_or(b0, b1);
2069 return b1;
2070
2071 default:
2072 if (proto <= ETHERMTU) {
2073 /*
2074 * This is an LLC SAP value, so the frames
2075 * that match would be 802.2 frames.
2076 * Check for the 802.2 protocol type
2077 * in the "Ethernet type" field, and
2078 * then check the DSAP.
2079 */
2080 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2081 b1 = gen_cmp(OR_LINKHDR, off_linkpl.constant_part, BPF_B,
2082 (bpf_int32)proto);
2083 gen_and(b0, b1);
2084 return b1;
2085 } else {
2086 /*
2087 * This is an Ethernet type, so compare
2088 * the length/type field with it (if
2089 * the frame is an 802.2 frame, the length
2090 * field will be <= ETHERMTU, and, as
2091 * "proto" is > ETHERMTU, this test
2092 * will fail and the frame won't match,
2093 * which is what we want).
2094 */
2095 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2096 }
2097 }
2098 }
2099
2100 static struct slist *
gen_load_prism_llprefixlen()2101 gen_load_prism_llprefixlen()
2102 {
2103 struct slist *s1, *s2;
2104 struct slist *sjeq_avs_cookie;
2105 struct slist *sjcommon;
2106
2107 /*
2108 * This code is not compatible with the optimizer, as
2109 * we are generating jmp instructions within a normal
2110 * slist of instructions
2111 */
2112 no_optimize = 1;
2113
2114 /*
2115 * Generate code to load the length of the radio header into
2116 * the register assigned to hold that length, if one has been
2117 * assigned. (If one hasn't been assigned, no code we've
2118 * generated uses that prefix, so we don't need to generate any
2119 * code to load it.)
2120 *
2121 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2122 * or always use the AVS header rather than the Prism header.
2123 * We load a 4-byte big-endian value at the beginning of the
2124 * raw packet data, and see whether, when masked with 0xFFFFF000,
2125 * it's equal to 0x80211000. If so, that indicates that it's
2126 * an AVS header (the masked-out bits are the version number).
2127 * Otherwise, it's a Prism header.
2128 *
2129 * XXX - the Prism header is also, in theory, variable-length,
2130 * but no known software generates headers that aren't 144
2131 * bytes long.
2132 */
2133 if (off_linkhdr.reg != -1) {
2134 /*
2135 * Load the cookie.
2136 */
2137 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2138 s1->s.k = 0;
2139
2140 /*
2141 * AND it with 0xFFFFF000.
2142 */
2143 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2144 s2->s.k = 0xFFFFF000;
2145 sappend(s1, s2);
2146
2147 /*
2148 * Compare with 0x80211000.
2149 */
2150 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2151 sjeq_avs_cookie->s.k = 0x80211000;
2152 sappend(s1, sjeq_avs_cookie);
2153
2154 /*
2155 * If it's AVS:
2156 *
2157 * The 4 bytes at an offset of 4 from the beginning of
2158 * the AVS header are the length of the AVS header.
2159 * That field is big-endian.
2160 */
2161 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2162 s2->s.k = 4;
2163 sappend(s1, s2);
2164 sjeq_avs_cookie->s.jt = s2;
2165
2166 /*
2167 * Now jump to the code to allocate a register
2168 * into which to save the header length and
2169 * store the length there. (The "jump always"
2170 * instruction needs to have the k field set;
2171 * it's added to the PC, so, as we're jumping
2172 * over a single instruction, it should be 1.)
2173 */
2174 sjcommon = new_stmt(JMP(BPF_JA));
2175 sjcommon->s.k = 1;
2176 sappend(s1, sjcommon);
2177
2178 /*
2179 * Now for the code that handles the Prism header.
2180 * Just load the length of the Prism header (144)
2181 * into the A register. Have the test for an AVS
2182 * header branch here if we don't have an AVS header.
2183 */
2184 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2185 s2->s.k = 144;
2186 sappend(s1, s2);
2187 sjeq_avs_cookie->s.jf = s2;
2188
2189 /*
2190 * Now allocate a register to hold that value and store
2191 * it. The code for the AVS header will jump here after
2192 * loading the length of the AVS header.
2193 */
2194 s2 = new_stmt(BPF_ST);
2195 s2->s.k = off_linkhdr.reg;
2196 sappend(s1, s2);
2197 sjcommon->s.jf = s2;
2198
2199 /*
2200 * Now move it into the X register.
2201 */
2202 s2 = new_stmt(BPF_MISC|BPF_TAX);
2203 sappend(s1, s2);
2204
2205 return (s1);
2206 } else
2207 return (NULL);
2208 }
2209
2210 static struct slist *
gen_load_avs_llprefixlen()2211 gen_load_avs_llprefixlen()
2212 {
2213 struct slist *s1, *s2;
2214
2215 /*
2216 * Generate code to load the length of the AVS header into
2217 * the register assigned to hold that length, if one has been
2218 * assigned. (If one hasn't been assigned, no code we've
2219 * generated uses that prefix, so we don't need to generate any
2220 * code to load it.)
2221 */
2222 if (off_linkhdr.reg != -1) {
2223 /*
2224 * The 4 bytes at an offset of 4 from the beginning of
2225 * the AVS header are the length of the AVS header.
2226 * That field is big-endian.
2227 */
2228 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2229 s1->s.k = 4;
2230
2231 /*
2232 * Now allocate a register to hold that value and store
2233 * it.
2234 */
2235 s2 = new_stmt(BPF_ST);
2236 s2->s.k = off_linkhdr.reg;
2237 sappend(s1, s2);
2238
2239 /*
2240 * Now move it into the X register.
2241 */
2242 s2 = new_stmt(BPF_MISC|BPF_TAX);
2243 sappend(s1, s2);
2244
2245 return (s1);
2246 } else
2247 return (NULL);
2248 }
2249
2250 static struct slist *
gen_load_radiotap_llprefixlen()2251 gen_load_radiotap_llprefixlen()
2252 {
2253 struct slist *s1, *s2;
2254
2255 /*
2256 * Generate code to load the length of the radiotap header into
2257 * the register assigned to hold that length, if one has been
2258 * assigned. (If one hasn't been assigned, no code we've
2259 * generated uses that prefix, so we don't need to generate any
2260 * code to load it.)
2261 */
2262 if (off_linkhdr.reg != -1) {
2263 /*
2264 * The 2 bytes at offsets of 2 and 3 from the beginning
2265 * of the radiotap header are the length of the radiotap
2266 * header; unfortunately, it's little-endian, so we have
2267 * to load it a byte at a time and construct the value.
2268 */
2269
2270 /*
2271 * Load the high-order byte, at an offset of 3, shift it
2272 * left a byte, and put the result in the X register.
2273 */
2274 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2275 s1->s.k = 3;
2276 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2277 sappend(s1, s2);
2278 s2->s.k = 8;
2279 s2 = new_stmt(BPF_MISC|BPF_TAX);
2280 sappend(s1, s2);
2281
2282 /*
2283 * Load the next byte, at an offset of 2, and OR the
2284 * value from the X register into it.
2285 */
2286 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2287 sappend(s1, s2);
2288 s2->s.k = 2;
2289 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2290 sappend(s1, s2);
2291
2292 /*
2293 * Now allocate a register to hold that value and store
2294 * it.
2295 */
2296 s2 = new_stmt(BPF_ST);
2297 s2->s.k = off_linkhdr.reg;
2298 sappend(s1, s2);
2299
2300 /*
2301 * Now move it into the X register.
2302 */
2303 s2 = new_stmt(BPF_MISC|BPF_TAX);
2304 sappend(s1, s2);
2305
2306 return (s1);
2307 } else
2308 return (NULL);
2309 }
2310
2311 /*
2312 * At the moment we treat PPI as normal Radiotap encoded
2313 * packets. The difference is in the function that generates
2314 * the code at the beginning to compute the header length.
2315 * Since this code generator of PPI supports bare 802.11
2316 * encapsulation only (i.e. the encapsulated DLT should be
2317 * DLT_IEEE802_11) we generate code to check for this too;
2318 * that's done in finish_parse().
2319 */
2320 static struct slist *
gen_load_ppi_llprefixlen()2321 gen_load_ppi_llprefixlen()
2322 {
2323 struct slist *s1, *s2;
2324
2325 /*
2326 * Generate code to load the length of the radiotap header
2327 * into the register assigned to hold that length, if one has
2328 * been assigned.
2329 */
2330 if (off_linkhdr.reg != -1) {
2331 /*
2332 * The 2 bytes at offsets of 2 and 3 from the beginning
2333 * of the radiotap header are the length of the radiotap
2334 * header; unfortunately, it's little-endian, so we have
2335 * to load it a byte at a time and construct the value.
2336 */
2337
2338 /*
2339 * Load the high-order byte, at an offset of 3, shift it
2340 * left a byte, and put the result in the X register.
2341 */
2342 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2343 s1->s.k = 3;
2344 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2345 sappend(s1, s2);
2346 s2->s.k = 8;
2347 s2 = new_stmt(BPF_MISC|BPF_TAX);
2348 sappend(s1, s2);
2349
2350 /*
2351 * Load the next byte, at an offset of 2, and OR the
2352 * value from the X register into it.
2353 */
2354 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2355 sappend(s1, s2);
2356 s2->s.k = 2;
2357 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2358 sappend(s1, s2);
2359
2360 /*
2361 * Now allocate a register to hold that value and store
2362 * it.
2363 */
2364 s2 = new_stmt(BPF_ST);
2365 s2->s.k = off_linkhdr.reg;
2366 sappend(s1, s2);
2367
2368 /*
2369 * Now move it into the X register.
2370 */
2371 s2 = new_stmt(BPF_MISC|BPF_TAX);
2372 sappend(s1, s2);
2373
2374 return (s1);
2375 } else
2376 return (NULL);
2377 }
2378
2379 /*
2380 * Load a value relative to the beginning of the link-layer header after the 802.11
2381 * header, i.e. LLC_SNAP.
2382 * The link-layer header doesn't necessarily begin at the beginning
2383 * of the packet data; there might be a variable-length prefix containing
2384 * radio information.
2385 */
2386 static struct slist *
gen_load_802_11_header_len(struct slist * s,struct slist * snext)2387 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2388 {
2389 struct slist *s2;
2390 struct slist *sjset_data_frame_1;
2391 struct slist *sjset_data_frame_2;
2392 struct slist *sjset_qos;
2393 struct slist *sjset_radiotap_flags;
2394 struct slist *sjset_radiotap_tsft;
2395 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2396 struct slist *s_roundup;
2397
2398 if (off_linkpl.reg == -1) {
2399 /*
2400 * No register has been assigned to the offset of
2401 * the link-layer payload, which means nobody needs
2402 * it; don't bother computing it - just return
2403 * what we already have.
2404 */
2405 return (s);
2406 }
2407
2408 /*
2409 * This code is not compatible with the optimizer, as
2410 * we are generating jmp instructions within a normal
2411 * slist of instructions
2412 */
2413 no_optimize = 1;
2414
2415 /*
2416 * If "s" is non-null, it has code to arrange that the X register
2417 * contains the length of the prefix preceding the link-layer
2418 * header.
2419 *
2420 * Otherwise, the length of the prefix preceding the link-layer
2421 * header is "off_outermostlinkhdr.constant_part".
2422 */
2423 if (s == NULL) {
2424 /*
2425 * There is no variable-length header preceding the
2426 * link-layer header.
2427 *
2428 * Load the length of the fixed-length prefix preceding
2429 * the link-layer header (if any) into the X register,
2430 * and store it in the off_linkpl.reg register.
2431 * That length is off_outermostlinkhdr.constant_part.
2432 */
2433 s = new_stmt(BPF_LDX|BPF_IMM);
2434 s->s.k = off_outermostlinkhdr.constant_part;
2435 }
2436
2437 /*
2438 * The X register contains the offset of the beginning of the
2439 * link-layer header; add 24, which is the minimum length
2440 * of the MAC header for a data frame, to that, and store it
2441 * in off_linkpl.reg, and then load the Frame Control field,
2442 * which is at the offset in the X register, with an indexed load.
2443 */
2444 s2 = new_stmt(BPF_MISC|BPF_TXA);
2445 sappend(s, s2);
2446 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2447 s2->s.k = 24;
2448 sappend(s, s2);
2449 s2 = new_stmt(BPF_ST);
2450 s2->s.k = off_linkpl.reg;
2451 sappend(s, s2);
2452
2453 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2454 s2->s.k = 0;
2455 sappend(s, s2);
2456
2457 /*
2458 * Check the Frame Control field to see if this is a data frame;
2459 * a data frame has the 0x08 bit (b3) in that field set and the
2460 * 0x04 bit (b2) clear.
2461 */
2462 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2463 sjset_data_frame_1->s.k = 0x08;
2464 sappend(s, sjset_data_frame_1);
2465
2466 /*
2467 * If b3 is set, test b2, otherwise go to the first statement of
2468 * the rest of the program.
2469 */
2470 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2471 sjset_data_frame_2->s.k = 0x04;
2472 sappend(s, sjset_data_frame_2);
2473 sjset_data_frame_1->s.jf = snext;
2474
2475 /*
2476 * If b2 is not set, this is a data frame; test the QoS bit.
2477 * Otherwise, go to the first statement of the rest of the
2478 * program.
2479 */
2480 sjset_data_frame_2->s.jt = snext;
2481 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2482 sjset_qos->s.k = 0x80; /* QoS bit */
2483 sappend(s, sjset_qos);
2484
2485 /*
2486 * If it's set, add 2 to off_linkpl.reg, to skip the QoS
2487 * field.
2488 * Otherwise, go to the first statement of the rest of the
2489 * program.
2490 */
2491 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2492 s2->s.k = off_linkpl.reg;
2493 sappend(s, s2);
2494 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2495 s2->s.k = 2;
2496 sappend(s, s2);
2497 s2 = new_stmt(BPF_ST);
2498 s2->s.k = off_linkpl.reg;
2499 sappend(s, s2);
2500
2501 /*
2502 * If we have a radiotap header, look at it to see whether
2503 * there's Atheros padding between the MAC-layer header
2504 * and the payload.
2505 *
2506 * Note: all of the fields in the radiotap header are
2507 * little-endian, so we byte-swap all of the values
2508 * we test against, as they will be loaded as big-endian
2509 * values.
2510 */
2511 if (linktype == DLT_IEEE802_11_RADIO) {
2512 /*
2513 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2514 * in the presence flag?
2515 */
2516 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2517 s2->s.k = 4;
2518 sappend(s, s2);
2519
2520 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2521 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2522 sappend(s, sjset_radiotap_flags);
2523
2524 /*
2525 * If not, skip all of this.
2526 */
2527 sjset_radiotap_flags->s.jf = snext;
2528
2529 /*
2530 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2531 */
2532 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2533 new_stmt(JMP(BPF_JSET));
2534 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2535 sappend(s, sjset_radiotap_tsft);
2536
2537 /*
2538 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2539 * at an offset of 16 from the beginning of the raw packet
2540 * data (8 bytes for the radiotap header and 8 bytes for
2541 * the TSFT field).
2542 *
2543 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2544 * is set.
2545 */
2546 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2547 s2->s.k = 16;
2548 sappend(s, s2);
2549
2550 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2551 sjset_tsft_datapad->s.k = 0x20;
2552 sappend(s, sjset_tsft_datapad);
2553
2554 /*
2555 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2556 * at an offset of 8 from the beginning of the raw packet
2557 * data (8 bytes for the radiotap header).
2558 *
2559 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2560 * is set.
2561 */
2562 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2563 s2->s.k = 8;
2564 sappend(s, s2);
2565
2566 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2567 sjset_notsft_datapad->s.k = 0x20;
2568 sappend(s, sjset_notsft_datapad);
2569
2570 /*
2571 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2572 * set, round the length of the 802.11 header to
2573 * a multiple of 4. Do that by adding 3 and then
2574 * dividing by and multiplying by 4, which we do by
2575 * ANDing with ~3.
2576 */
2577 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2578 s_roundup->s.k = off_linkpl.reg;
2579 sappend(s, s_roundup);
2580 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2581 s2->s.k = 3;
2582 sappend(s, s2);
2583 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2584 s2->s.k = ~3;
2585 sappend(s, s2);
2586 s2 = new_stmt(BPF_ST);
2587 s2->s.k = off_linkpl.reg;
2588 sappend(s, s2);
2589
2590 sjset_tsft_datapad->s.jt = s_roundup;
2591 sjset_tsft_datapad->s.jf = snext;
2592 sjset_notsft_datapad->s.jt = s_roundup;
2593 sjset_notsft_datapad->s.jf = snext;
2594 } else
2595 sjset_qos->s.jf = snext;
2596
2597 return s;
2598 }
2599
2600 static void
insert_compute_vloffsets(b)2601 insert_compute_vloffsets(b)
2602 struct block *b;
2603 {
2604 struct slist *s;
2605
2606 /* There is an implicit dependency between the link
2607 * payload and link header since the payload computation
2608 * includes the variable part of the header. Therefore,
2609 * if nobody else has allocated a register for the link
2610 * header and we need it, do it now. */
2611 if (off_linkpl.reg != -1 && off_linkhdr.is_variable &&
2612 off_linkhdr.reg == -1)
2613 off_linkhdr.reg = alloc_reg();
2614
2615 /*
2616 * For link-layer types that have a variable-length header
2617 * preceding the link-layer header, generate code to load
2618 * the offset of the link-layer header into the register
2619 * assigned to that offset, if any.
2620 *
2621 * XXX - this, and the next switch statement, won't handle
2622 * encapsulation of 802.11 or 802.11+radio information in
2623 * some other protocol stack. That's significantly more
2624 * complicated.
2625 */
2626 switch (outermostlinktype) {
2627
2628 case DLT_PRISM_HEADER:
2629 s = gen_load_prism_llprefixlen();
2630 break;
2631
2632 case DLT_IEEE802_11_RADIO_AVS:
2633 s = gen_load_avs_llprefixlen();
2634 break;
2635
2636 case DLT_IEEE802_11_RADIO:
2637 s = gen_load_radiotap_llprefixlen();
2638 break;
2639
2640 case DLT_PPI:
2641 s = gen_load_ppi_llprefixlen();
2642 break;
2643
2644 default:
2645 s = NULL;
2646 break;
2647 }
2648
2649 /*
2650 * For link-layer types that have a variable-length link-layer
2651 * header, generate code to load the offset of the link-layer
2652 * payload into the register assigned to that offset, if any.
2653 */
2654 switch (outermostlinktype) {
2655
2656 case DLT_IEEE802_11:
2657 case DLT_PRISM_HEADER:
2658 case DLT_IEEE802_11_RADIO_AVS:
2659 case DLT_IEEE802_11_RADIO:
2660 case DLT_PPI:
2661 s = gen_load_802_11_header_len(s, b->stmts);
2662 break;
2663 }
2664
2665 /*
2666 * If we have any offset-loading code, append all the
2667 * existing statements in the block to those statements,
2668 * and make the resulting list the list of statements
2669 * for the block.
2670 */
2671 if (s != NULL) {
2672 sappend(s, b->stmts);
2673 b->stmts = s;
2674 }
2675 }
2676
2677 static struct block *
gen_ppi_dlt_check(void)2678 gen_ppi_dlt_check(void)
2679 {
2680 struct slist *s_load_dlt;
2681 struct block *b;
2682
2683 if (linktype == DLT_PPI)
2684 {
2685 /* Create the statements that check for the DLT
2686 */
2687 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2688 s_load_dlt->s.k = 4;
2689
2690 b = new_block(JMP(BPF_JEQ));
2691
2692 b->stmts = s_load_dlt;
2693 b->s.k = SWAPLONG(DLT_IEEE802_11);
2694 }
2695 else
2696 {
2697 b = NULL;
2698 }
2699
2700 return b;
2701 }
2702
2703 /*
2704 * Take an absolute offset, and:
2705 *
2706 * if it has no variable part, return NULL;
2707 *
2708 * if it has a variable part, generate code to load the register
2709 * containing that variable part into the X register, returning
2710 * a pointer to that code - if no register for that offset has
2711 * been allocated, allocate it first.
2712 *
2713 * (The code to set that register will be generated later, but will
2714 * be placed earlier in the code sequence.)
2715 */
2716 static struct slist *
gen_abs_offset_varpart(bpf_abs_offset * off)2717 gen_abs_offset_varpart(bpf_abs_offset *off)
2718 {
2719 struct slist *s;
2720
2721 if (off->is_variable) {
2722 if (off->reg == -1) {
2723 /*
2724 * We haven't yet assigned a register for the
2725 * variable part of the offset of the link-layer
2726 * header; allocate one.
2727 */
2728 off->reg = alloc_reg();
2729 }
2730
2731 /*
2732 * Load the register containing the variable part of the
2733 * offset of the link-layer header into the X register.
2734 */
2735 s = new_stmt(BPF_LDX|BPF_MEM);
2736 s->s.k = off->reg;
2737 return s;
2738 } else {
2739 /*
2740 * That offset isn't variable, there's no variable part,
2741 * so we don't need to generate any code.
2742 */
2743 return NULL;
2744 }
2745 }
2746
2747 /*
2748 * Map an Ethernet type to the equivalent PPP type.
2749 */
2750 static int
ethertype_to_ppptype(proto)2751 ethertype_to_ppptype(proto)
2752 int proto;
2753 {
2754 switch (proto) {
2755
2756 case ETHERTYPE_IP:
2757 proto = PPP_IP;
2758 break;
2759
2760 case ETHERTYPE_IPV6:
2761 proto = PPP_IPV6;
2762 break;
2763
2764 case ETHERTYPE_DN:
2765 proto = PPP_DECNET;
2766 break;
2767
2768 case ETHERTYPE_ATALK:
2769 proto = PPP_APPLE;
2770 break;
2771
2772 case ETHERTYPE_NS:
2773 proto = PPP_NS;
2774 break;
2775
2776 case LLCSAP_ISONS:
2777 proto = PPP_OSI;
2778 break;
2779
2780 case LLCSAP_8021D:
2781 /*
2782 * I'm assuming the "Bridging PDU"s that go
2783 * over PPP are Spanning Tree Protocol
2784 * Bridging PDUs.
2785 */
2786 proto = PPP_BRPDU;
2787 break;
2788
2789 case LLCSAP_IPX:
2790 proto = PPP_IPX;
2791 break;
2792 }
2793 return (proto);
2794 }
2795
2796 /*
2797 * Generate any tests that, for encapsulation of a link-layer packet
2798 * inside another protocol stack, need to be done to check for those
2799 * link-layer packets (and that haven't already been done by a check
2800 * for that encapsulation).
2801 */
2802 static struct block *
gen_prevlinkhdr_check(void)2803 gen_prevlinkhdr_check(void)
2804 {
2805 struct block *b0;
2806
2807 if (is_geneve)
2808 return gen_geneve_ll_check();
2809
2810 switch (prevlinktype) {
2811
2812 case DLT_SUNATM:
2813 /*
2814 * This is LANE-encapsulated Ethernet; check that the LANE
2815 * packet doesn't begin with an LE Control marker, i.e.
2816 * that it's data, not a control message.
2817 *
2818 * (We've already generated a test for LANE.)
2819 */
2820 b0 = gen_cmp(OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2821 gen_not(b0);
2822 return b0;
2823
2824 default:
2825 /*
2826 * No such tests are necessary.
2827 */
2828 return NULL;
2829 }
2830 /*NOTREACHED*/
2831 }
2832
2833 /*
2834 * Generate code to match a particular packet type by matching the
2835 * link-layer type field or fields in the 802.2 LLC header.
2836 *
2837 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2838 * value, if <= ETHERMTU.
2839 */
2840 static struct block *
gen_linktype(proto)2841 gen_linktype(proto)
2842 register int proto;
2843 {
2844 struct block *b0, *b1, *b2;
2845 const char *description;
2846
2847 /* are we checking MPLS-encapsulated packets? */
2848 if (label_stack_depth > 0) {
2849 switch (proto) {
2850 case ETHERTYPE_IP:
2851 case PPP_IP:
2852 /* FIXME add other L3 proto IDs */
2853 return gen_mpls_linktype(Q_IP);
2854
2855 case ETHERTYPE_IPV6:
2856 case PPP_IPV6:
2857 /* FIXME add other L3 proto IDs */
2858 return gen_mpls_linktype(Q_IPV6);
2859
2860 default:
2861 bpf_error("unsupported protocol over mpls");
2862 /* NOTREACHED */
2863 }
2864 }
2865
2866 switch (linktype) {
2867
2868 case DLT_EN10MB:
2869 case DLT_NETANALYZER:
2870 case DLT_NETANALYZER_TRANSPARENT:
2871 /* Geneve has an EtherType regardless of whether there is an
2872 * L2 header. */
2873 if (!is_geneve)
2874 b0 = gen_prevlinkhdr_check();
2875 else
2876 b0 = NULL;
2877
2878 b1 = gen_ether_linktype(proto);
2879 if (b0 != NULL)
2880 gen_and(b0, b1);
2881 return b1;
2882 /*NOTREACHED*/
2883 break;
2884
2885 case DLT_C_HDLC:
2886 switch (proto) {
2887
2888 case LLCSAP_ISONS:
2889 proto = (proto << 8 | LLCSAP_ISONS);
2890 /* fall through */
2891
2892 default:
2893 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2894 /*NOTREACHED*/
2895 break;
2896 }
2897 break;
2898
2899 case DLT_IEEE802_11:
2900 case DLT_PRISM_HEADER:
2901 case DLT_IEEE802_11_RADIO_AVS:
2902 case DLT_IEEE802_11_RADIO:
2903 case DLT_PPI:
2904 /*
2905 * Check that we have a data frame.
2906 */
2907 b0 = gen_check_802_11_data_frame();
2908
2909 /*
2910 * Now check for the specified link-layer type.
2911 */
2912 b1 = gen_llc_linktype(proto);
2913 gen_and(b0, b1);
2914 return b1;
2915 /*NOTREACHED*/
2916 break;
2917
2918 case DLT_FDDI:
2919 /*
2920 * XXX - check for LLC frames.
2921 */
2922 return gen_llc_linktype(proto);
2923 /*NOTREACHED*/
2924 break;
2925
2926 case DLT_IEEE802:
2927 /*
2928 * XXX - check for LLC PDUs, as per IEEE 802.5.
2929 */
2930 return gen_llc_linktype(proto);
2931 /*NOTREACHED*/
2932 break;
2933
2934 case DLT_ATM_RFC1483:
2935 case DLT_ATM_CLIP:
2936 case DLT_IP_OVER_FC:
2937 return gen_llc_linktype(proto);
2938 /*NOTREACHED*/
2939 break;
2940
2941 case DLT_SUNATM:
2942 /*
2943 * Check for an LLC-encapsulated version of this protocol;
2944 * if we were checking for LANE, linktype would no longer
2945 * be DLT_SUNATM.
2946 *
2947 * Check for LLC encapsulation and then check the protocol.
2948 */
2949 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
2950 b1 = gen_llc_linktype(proto);
2951 gen_and(b0, b1);
2952 return b1;
2953 /*NOTREACHED*/
2954 break;
2955
2956 case DLT_LINUX_SLL:
2957 return gen_linux_sll_linktype(proto);
2958 /*NOTREACHED*/
2959 break;
2960
2961 case DLT_SLIP:
2962 case DLT_SLIP_BSDOS:
2963 case DLT_RAW:
2964 /*
2965 * These types don't provide any type field; packets
2966 * are always IPv4 or IPv6.
2967 *
2968 * XXX - for IPv4, check for a version number of 4, and,
2969 * for IPv6, check for a version number of 6?
2970 */
2971 switch (proto) {
2972
2973 case ETHERTYPE_IP:
2974 /* Check for a version number of 4. */
2975 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
2976
2977 case ETHERTYPE_IPV6:
2978 /* Check for a version number of 6. */
2979 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
2980
2981 default:
2982 return gen_false(); /* always false */
2983 }
2984 /*NOTREACHED*/
2985 break;
2986
2987 case DLT_IPV4:
2988 /*
2989 * Raw IPv4, so no type field.
2990 */
2991 if (proto == ETHERTYPE_IP)
2992 return gen_true(); /* always true */
2993
2994 /* Checking for something other than IPv4; always false */
2995 return gen_false();
2996 /*NOTREACHED*/
2997 break;
2998
2999 case DLT_IPV6:
3000 /*
3001 * Raw IPv6, so no type field.
3002 */
3003 if (proto == ETHERTYPE_IPV6)
3004 return gen_true(); /* always true */
3005
3006 /* Checking for something other than IPv6; always false */
3007 return gen_false();
3008 /*NOTREACHED*/
3009 break;
3010
3011 case DLT_PPP:
3012 case DLT_PPP_PPPD:
3013 case DLT_PPP_SERIAL:
3014 case DLT_PPP_ETHER:
3015 /*
3016 * We use Ethernet protocol types inside libpcap;
3017 * map them to the corresponding PPP protocol types.
3018 */
3019 proto = ethertype_to_ppptype(proto);
3020 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3021 /*NOTREACHED*/
3022 break;
3023
3024 case DLT_PPP_BSDOS:
3025 /*
3026 * We use Ethernet protocol types inside libpcap;
3027 * map them to the corresponding PPP protocol types.
3028 */
3029 switch (proto) {
3030
3031 case ETHERTYPE_IP:
3032 /*
3033 * Also check for Van Jacobson-compressed IP.
3034 * XXX - do this for other forms of PPP?
3035 */
3036 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_IP);
3037 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3038 gen_or(b0, b1);
3039 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3040 gen_or(b1, b0);
3041 return b0;
3042
3043 default:
3044 proto = ethertype_to_ppptype(proto);
3045 return gen_cmp(OR_LINKTYPE, 0, BPF_H,
3046 (bpf_int32)proto);
3047 }
3048 /*NOTREACHED*/
3049 break;
3050
3051 case DLT_NULL:
3052 case DLT_LOOP:
3053 case DLT_ENC:
3054 /*
3055 * For DLT_NULL, the link-layer header is a 32-bit
3056 * word containing an AF_ value in *host* byte order,
3057 * and for DLT_ENC, the link-layer header begins
3058 * with a 32-bit work containing an AF_ value in
3059 * host byte order.
3060 *
3061 * In addition, if we're reading a saved capture file,
3062 * the host byte order in the capture may not be the
3063 * same as the host byte order on this machine.
3064 *
3065 * For DLT_LOOP, the link-layer header is a 32-bit
3066 * word containing an AF_ value in *network* byte order.
3067 *
3068 * XXX - AF_ values may, unfortunately, be platform-
3069 * dependent; for example, FreeBSD's AF_INET6 is 24
3070 * whilst NetBSD's and OpenBSD's is 26.
3071 *
3072 * This means that, when reading a capture file, just
3073 * checking for our AF_INET6 value won't work if the
3074 * capture file came from another OS.
3075 */
3076 switch (proto) {
3077
3078 case ETHERTYPE_IP:
3079 proto = AF_INET;
3080 break;
3081
3082 #ifdef INET6
3083 case ETHERTYPE_IPV6:
3084 proto = AF_INET6;
3085 break;
3086 #endif
3087
3088 default:
3089 /*
3090 * Not a type on which we support filtering.
3091 * XXX - support those that have AF_ values
3092 * #defined on this platform, at least?
3093 */
3094 return gen_false();
3095 }
3096
3097 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3098 /*
3099 * The AF_ value is in host byte order, but
3100 * the BPF interpreter will convert it to
3101 * network byte order.
3102 *
3103 * If this is a save file, and it's from a
3104 * machine with the opposite byte order to
3105 * ours, we byte-swap the AF_ value.
3106 *
3107 * Then we run it through "htonl()", and
3108 * generate code to compare against the result.
3109 */
3110 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped)
3111 proto = SWAPLONG(proto);
3112 proto = htonl(proto);
3113 }
3114 return (gen_cmp(OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
3115
3116 #ifdef HAVE_NET_PFVAR_H
3117 case DLT_PFLOG:
3118 /*
3119 * af field is host byte order in contrast to the rest of
3120 * the packet.
3121 */
3122 if (proto == ETHERTYPE_IP)
3123 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af),
3124 BPF_B, (bpf_int32)AF_INET));
3125 else if (proto == ETHERTYPE_IPV6)
3126 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af),
3127 BPF_B, (bpf_int32)AF_INET6));
3128 else
3129 return gen_false();
3130 /*NOTREACHED*/
3131 break;
3132 #endif /* HAVE_NET_PFVAR_H */
3133
3134 case DLT_ARCNET:
3135 case DLT_ARCNET_LINUX:
3136 /*
3137 * XXX should we check for first fragment if the protocol
3138 * uses PHDS?
3139 */
3140 switch (proto) {
3141
3142 default:
3143 return gen_false();
3144
3145 case ETHERTYPE_IPV6:
3146 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3147 (bpf_int32)ARCTYPE_INET6));
3148
3149 case ETHERTYPE_IP:
3150 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3151 (bpf_int32)ARCTYPE_IP);
3152 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3153 (bpf_int32)ARCTYPE_IP_OLD);
3154 gen_or(b0, b1);
3155 return (b1);
3156
3157 case ETHERTYPE_ARP:
3158 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3159 (bpf_int32)ARCTYPE_ARP);
3160 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3161 (bpf_int32)ARCTYPE_ARP_OLD);
3162 gen_or(b0, b1);
3163 return (b1);
3164
3165 case ETHERTYPE_REVARP:
3166 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3167 (bpf_int32)ARCTYPE_REVARP));
3168
3169 case ETHERTYPE_ATALK:
3170 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3171 (bpf_int32)ARCTYPE_ATALK));
3172 }
3173 /*NOTREACHED*/
3174 break;
3175
3176 case DLT_LTALK:
3177 switch (proto) {
3178 case ETHERTYPE_ATALK:
3179 return gen_true();
3180 default:
3181 return gen_false();
3182 }
3183 /*NOTREACHED*/
3184 break;
3185
3186 case DLT_FRELAY:
3187 /*
3188 * XXX - assumes a 2-byte Frame Relay header with
3189 * DLCI and flags. What if the address is longer?
3190 */
3191 switch (proto) {
3192
3193 case ETHERTYPE_IP:
3194 /*
3195 * Check for the special NLPID for IP.
3196 */
3197 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3198
3199 case ETHERTYPE_IPV6:
3200 /*
3201 * Check for the special NLPID for IPv6.
3202 */
3203 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3204
3205 case LLCSAP_ISONS:
3206 /*
3207 * Check for several OSI protocols.
3208 *
3209 * Frame Relay packets typically have an OSI
3210 * NLPID at the beginning; we check for each
3211 * of them.
3212 *
3213 * What we check for is the NLPID and a frame
3214 * control field of UI, i.e. 0x03 followed
3215 * by the NLPID.
3216 */
3217 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3218 b1 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3219 b2 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3220 gen_or(b1, b2);
3221 gen_or(b0, b2);
3222 return b2;
3223
3224 default:
3225 return gen_false();
3226 }
3227 /*NOTREACHED*/
3228 break;
3229
3230 case DLT_MFR:
3231 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3232
3233 case DLT_JUNIPER_MFR:
3234 case DLT_JUNIPER_MLFR:
3235 case DLT_JUNIPER_MLPPP:
3236 case DLT_JUNIPER_ATM1:
3237 case DLT_JUNIPER_ATM2:
3238 case DLT_JUNIPER_PPPOE:
3239 case DLT_JUNIPER_PPPOE_ATM:
3240 case DLT_JUNIPER_GGSN:
3241 case DLT_JUNIPER_ES:
3242 case DLT_JUNIPER_MONITOR:
3243 case DLT_JUNIPER_SERVICES:
3244 case DLT_JUNIPER_ETHER:
3245 case DLT_JUNIPER_PPP:
3246 case DLT_JUNIPER_FRELAY:
3247 case DLT_JUNIPER_CHDLC:
3248 case DLT_JUNIPER_VP:
3249 case DLT_JUNIPER_ST:
3250 case DLT_JUNIPER_ISM:
3251 case DLT_JUNIPER_VS:
3252 case DLT_JUNIPER_SRX_E2E:
3253 case DLT_JUNIPER_FIBRECHANNEL:
3254 case DLT_JUNIPER_ATM_CEMIC:
3255
3256 /* just lets verify the magic number for now -
3257 * on ATM we may have up to 6 different encapsulations on the wire
3258 * and need a lot of heuristics to figure out that the payload
3259 * might be;
3260 *
3261 * FIXME encapsulation specific BPF_ filters
3262 */
3263 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3264
3265 case DLT_BACNET_MS_TP:
3266 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3267
3268 case DLT_IPNET:
3269 return gen_ipnet_linktype(proto);
3270
3271 case DLT_LINUX_IRDA:
3272 bpf_error("IrDA link-layer type filtering not implemented");
3273
3274 case DLT_DOCSIS:
3275 bpf_error("DOCSIS link-layer type filtering not implemented");
3276
3277 case DLT_MTP2:
3278 case DLT_MTP2_WITH_PHDR:
3279 bpf_error("MTP2 link-layer type filtering not implemented");
3280
3281 case DLT_ERF:
3282 bpf_error("ERF link-layer type filtering not implemented");
3283
3284 case DLT_PFSYNC:
3285 bpf_error("PFSYNC link-layer type filtering not implemented");
3286
3287 case DLT_LINUX_LAPD:
3288 bpf_error("LAPD link-layer type filtering not implemented");
3289
3290 case DLT_USB:
3291 case DLT_USB_LINUX:
3292 case DLT_USB_LINUX_MMAPPED:
3293 bpf_error("USB link-layer type filtering not implemented");
3294
3295 case DLT_BLUETOOTH_HCI_H4:
3296 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3297 bpf_error("Bluetooth link-layer type filtering not implemented");
3298
3299 case DLT_CAN20B:
3300 case DLT_CAN_SOCKETCAN:
3301 bpf_error("CAN link-layer type filtering not implemented");
3302
3303 case DLT_IEEE802_15_4:
3304 case DLT_IEEE802_15_4_LINUX:
3305 case DLT_IEEE802_15_4_NONASK_PHY:
3306 case DLT_IEEE802_15_4_NOFCS:
3307 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3308
3309 case DLT_IEEE802_16_MAC_CPS_RADIO:
3310 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3311
3312 case DLT_SITA:
3313 bpf_error("SITA link-layer type filtering not implemented");
3314
3315 case DLT_RAIF1:
3316 bpf_error("RAIF1 link-layer type filtering not implemented");
3317
3318 case DLT_IPMB:
3319 bpf_error("IPMB link-layer type filtering not implemented");
3320
3321 case DLT_AX25_KISS:
3322 bpf_error("AX.25 link-layer type filtering not implemented");
3323
3324 case DLT_NFLOG:
3325 /* Using the fixed-size NFLOG header it is possible to tell only
3326 * the address family of the packet, other meaningful data is
3327 * either missing or behind TLVs.
3328 */
3329 bpf_error("NFLOG link-layer type filtering not implemented");
3330
3331 default:
3332 /*
3333 * Does this link-layer header type have a field
3334 * indicating the type of the next protocol? If
3335 * so, off_linktype.constant_part will be the offset of that
3336 * field in the packet; if not, it will be -1.
3337 */
3338 if (off_linktype.constant_part != (u_int)-1) {
3339 /*
3340 * Yes; assume it's an Ethernet type. (If
3341 * it's not, it needs to be handled specially
3342 * above.)
3343 */
3344 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3345 } else {
3346 /*
3347 * No; report an error.
3348 */
3349 description = pcap_datalink_val_to_description(linktype);
3350 if (description != NULL) {
3351 bpf_error("%s link-layer type filtering not implemented",
3352 description);
3353 } else {
3354 bpf_error("DLT %u link-layer type filtering not implemented",
3355 linktype);
3356 }
3357 }
3358 break;
3359 }
3360 }
3361
3362 /*
3363 * Check for an LLC SNAP packet with a given organization code and
3364 * protocol type; we check the entire contents of the 802.2 LLC and
3365 * snap headers, checking for DSAP and SSAP of SNAP and a control
3366 * field of 0x03 in the LLC header, and for the specified organization
3367 * code and protocol type in the SNAP header.
3368 */
3369 static struct block *
gen_snap(orgcode,ptype)3370 gen_snap(orgcode, ptype)
3371 bpf_u_int32 orgcode;
3372 bpf_u_int32 ptype;
3373 {
3374 u_char snapblock[8];
3375
3376 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3377 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3378 snapblock[2] = 0x03; /* control = UI */
3379 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3380 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3381 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3382 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3383 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3384 return gen_bcmp(OR_LLC, 0, 8, snapblock);
3385 }
3386
3387 /*
3388 * Generate code to match frames with an LLC header.
3389 */
3390 struct block *
gen_llc(void)3391 gen_llc(void)
3392 {
3393 struct block *b0, *b1;
3394
3395 switch (linktype) {
3396
3397 case DLT_EN10MB:
3398 /*
3399 * We check for an Ethernet type field less than
3400 * 1500, which means it's an 802.3 length field.
3401 */
3402 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3403 gen_not(b0);
3404
3405 /*
3406 * Now check for the purported DSAP and SSAP not being
3407 * 0xFF, to rule out NetWare-over-802.3.
3408 */
3409 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3410 gen_not(b1);
3411 gen_and(b0, b1);
3412 return b1;
3413
3414 case DLT_SUNATM:
3415 /*
3416 * We check for LLC traffic.
3417 */
3418 b0 = gen_atmtype_abbrev(A_LLC);
3419 return b0;
3420
3421 case DLT_IEEE802: /* Token Ring */
3422 /*
3423 * XXX - check for LLC frames.
3424 */
3425 return gen_true();
3426
3427 case DLT_FDDI:
3428 /*
3429 * XXX - check for LLC frames.
3430 */
3431 return gen_true();
3432
3433 case DLT_ATM_RFC1483:
3434 /*
3435 * For LLC encapsulation, these are defined to have an
3436 * 802.2 LLC header.
3437 *
3438 * For VC encapsulation, they don't, but there's no
3439 * way to check for that; the protocol used on the VC
3440 * is negotiated out of band.
3441 */
3442 return gen_true();
3443
3444 case DLT_IEEE802_11:
3445 case DLT_PRISM_HEADER:
3446 case DLT_IEEE802_11_RADIO:
3447 case DLT_IEEE802_11_RADIO_AVS:
3448 case DLT_PPI:
3449 /*
3450 * Check that we have a data frame.
3451 */
3452 b0 = gen_check_802_11_data_frame();
3453 return b0;
3454
3455 default:
3456 bpf_error("'llc' not supported for linktype %d", linktype);
3457 /* NOTREACHED */
3458 }
3459 }
3460
3461 struct block *
gen_llc_i(void)3462 gen_llc_i(void)
3463 {
3464 struct block *b0, *b1;
3465 struct slist *s;
3466
3467 /*
3468 * Check whether this is an LLC frame.
3469 */
3470 b0 = gen_llc();
3471
3472 /*
3473 * Load the control byte and test the low-order bit; it must
3474 * be clear for I frames.
3475 */
3476 s = gen_load_a(OR_LLC, 2, BPF_B);
3477 b1 = new_block(JMP(BPF_JSET));
3478 b1->s.k = 0x01;
3479 b1->stmts = s;
3480 gen_not(b1);
3481 gen_and(b0, b1);
3482 return b1;
3483 }
3484
3485 struct block *
gen_llc_s(void)3486 gen_llc_s(void)
3487 {
3488 struct block *b0, *b1;
3489
3490 /*
3491 * Check whether this is an LLC frame.
3492 */
3493 b0 = gen_llc();
3494
3495 /*
3496 * Now compare the low-order 2 bit of the control byte against
3497 * the appropriate value for S frames.
3498 */
3499 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3500 gen_and(b0, b1);
3501 return b1;
3502 }
3503
3504 struct block *
gen_llc_u(void)3505 gen_llc_u(void)
3506 {
3507 struct block *b0, *b1;
3508
3509 /*
3510 * Check whether this is an LLC frame.
3511 */
3512 b0 = gen_llc();
3513
3514 /*
3515 * Now compare the low-order 2 bit of the control byte against
3516 * the appropriate value for U frames.
3517 */
3518 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3519 gen_and(b0, b1);
3520 return b1;
3521 }
3522
3523 struct block *
gen_llc_s_subtype(bpf_u_int32 subtype)3524 gen_llc_s_subtype(bpf_u_int32 subtype)
3525 {
3526 struct block *b0, *b1;
3527
3528 /*
3529 * Check whether this is an LLC frame.
3530 */
3531 b0 = gen_llc();
3532
3533 /*
3534 * Now check for an S frame with the appropriate type.
3535 */
3536 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3537 gen_and(b0, b1);
3538 return b1;
3539 }
3540
3541 struct block *
gen_llc_u_subtype(bpf_u_int32 subtype)3542 gen_llc_u_subtype(bpf_u_int32 subtype)
3543 {
3544 struct block *b0, *b1;
3545
3546 /*
3547 * Check whether this is an LLC frame.
3548 */
3549 b0 = gen_llc();
3550
3551 /*
3552 * Now check for a U frame with the appropriate type.
3553 */
3554 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3555 gen_and(b0, b1);
3556 return b1;
3557 }
3558
3559 /*
3560 * Generate code to match a particular packet type, for link-layer types
3561 * using 802.2 LLC headers.
3562 *
3563 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3564 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3565 *
3566 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3567 * value, if <= ETHERMTU. We use that to determine whether to
3568 * match the DSAP or both DSAP and LSAP or to check the OUI and
3569 * protocol ID in a SNAP header.
3570 */
3571 static struct block *
gen_llc_linktype(proto)3572 gen_llc_linktype(proto)
3573 int proto;
3574 {
3575 /*
3576 * XXX - handle token-ring variable-length header.
3577 */
3578 switch (proto) {
3579
3580 case LLCSAP_IP:
3581 case LLCSAP_ISONS:
3582 case LLCSAP_NETBEUI:
3583 /*
3584 * XXX - should we check both the DSAP and the
3585 * SSAP, like this, or should we check just the
3586 * DSAP, as we do for other SAP values?
3587 */
3588 return gen_cmp(OR_LLC, 0, BPF_H, (bpf_u_int32)
3589 ((proto << 8) | proto));
3590
3591 case LLCSAP_IPX:
3592 /*
3593 * XXX - are there ever SNAP frames for IPX on
3594 * non-Ethernet 802.x networks?
3595 */
3596 return gen_cmp(OR_LLC, 0, BPF_B,
3597 (bpf_int32)LLCSAP_IPX);
3598
3599 case ETHERTYPE_ATALK:
3600 /*
3601 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3602 * SNAP packets with an organization code of
3603 * 0x080007 (Apple, for Appletalk) and a protocol
3604 * type of ETHERTYPE_ATALK (Appletalk).
3605 *
3606 * XXX - check for an organization code of
3607 * encapsulated Ethernet as well?
3608 */
3609 return gen_snap(0x080007, ETHERTYPE_ATALK);
3610
3611 default:
3612 /*
3613 * XXX - we don't have to check for IPX 802.3
3614 * here, but should we check for the IPX Ethertype?
3615 */
3616 if (proto <= ETHERMTU) {
3617 /*
3618 * This is an LLC SAP value, so check
3619 * the DSAP.
3620 */
3621 return gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)proto);
3622 } else {
3623 /*
3624 * This is an Ethernet type; we assume that it's
3625 * unlikely that it'll appear in the right place
3626 * at random, and therefore check only the
3627 * location that would hold the Ethernet type
3628 * in a SNAP frame with an organization code of
3629 * 0x000000 (encapsulated Ethernet).
3630 *
3631 * XXX - if we were to check for the SNAP DSAP and
3632 * LSAP, as per XXX, and were also to check for an
3633 * organization code of 0x000000 (encapsulated
3634 * Ethernet), we'd do
3635 *
3636 * return gen_snap(0x000000, proto);
3637 *
3638 * here; for now, we don't, as per the above.
3639 * I don't know whether it's worth the extra CPU
3640 * time to do the right check or not.
3641 */
3642 return gen_cmp(OR_LLC, 6, BPF_H, (bpf_int32)proto);
3643 }
3644 }
3645 }
3646
3647 static struct block *
gen_hostop(addr,mask,dir,proto,src_off,dst_off)3648 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3649 bpf_u_int32 addr;
3650 bpf_u_int32 mask;
3651 int dir, proto;
3652 u_int src_off, dst_off;
3653 {
3654 struct block *b0, *b1;
3655 u_int offset;
3656
3657 switch (dir) {
3658
3659 case Q_SRC:
3660 offset = src_off;
3661 break;
3662
3663 case Q_DST:
3664 offset = dst_off;
3665 break;
3666
3667 case Q_AND:
3668 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3669 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3670 gen_and(b0, b1);
3671 return b1;
3672
3673 case Q_OR:
3674 case Q_DEFAULT:
3675 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3676 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3677 gen_or(b0, b1);
3678 return b1;
3679
3680 default:
3681 abort();
3682 }
3683 b0 = gen_linktype(proto);
3684 b1 = gen_mcmp(OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
3685 gen_and(b0, b1);
3686 return b1;
3687 }
3688
3689 #ifdef INET6
3690 static struct block *
gen_hostop6(addr,mask,dir,proto,src_off,dst_off)3691 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3692 struct in6_addr *addr;
3693 struct in6_addr *mask;
3694 int dir, proto;
3695 u_int src_off, dst_off;
3696 {
3697 struct block *b0, *b1;
3698 u_int offset;
3699 u_int32_t *a, *m;
3700
3701 switch (dir) {
3702
3703 case Q_SRC:
3704 offset = src_off;
3705 break;
3706
3707 case Q_DST:
3708 offset = dst_off;
3709 break;
3710
3711 case Q_AND:
3712 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3713 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3714 gen_and(b0, b1);
3715 return b1;
3716
3717 case Q_OR:
3718 case Q_DEFAULT:
3719 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3720 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3721 gen_or(b0, b1);
3722 return b1;
3723
3724 default:
3725 abort();
3726 }
3727 /* this order is important */
3728 a = (u_int32_t *)addr;
3729 m = (u_int32_t *)mask;
3730 b1 = gen_mcmp(OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3731 b0 = gen_mcmp(OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3732 gen_and(b0, b1);
3733 b0 = gen_mcmp(OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3734 gen_and(b0, b1);
3735 b0 = gen_mcmp(OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3736 gen_and(b0, b1);
3737 b0 = gen_linktype(proto);
3738 gen_and(b0, b1);
3739 return b1;
3740 }
3741 #endif
3742
3743 static struct block *
gen_ehostop(eaddr,dir)3744 gen_ehostop(eaddr, dir)
3745 register const u_char *eaddr;
3746 register int dir;
3747 {
3748 register struct block *b0, *b1;
3749
3750 switch (dir) {
3751 case Q_SRC:
3752 return gen_bcmp(OR_LINKHDR, 6, 6, eaddr);
3753
3754 case Q_DST:
3755 return gen_bcmp(OR_LINKHDR, 0, 6, eaddr);
3756
3757 case Q_AND:
3758 b0 = gen_ehostop(eaddr, Q_SRC);
3759 b1 = gen_ehostop(eaddr, Q_DST);
3760 gen_and(b0, b1);
3761 return b1;
3762
3763 case Q_DEFAULT:
3764 case Q_OR:
3765 b0 = gen_ehostop(eaddr, Q_SRC);
3766 b1 = gen_ehostop(eaddr, Q_DST);
3767 gen_or(b0, b1);
3768 return b1;
3769
3770 case Q_ADDR1:
3771 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3772 break;
3773
3774 case Q_ADDR2:
3775 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3776 break;
3777
3778 case Q_ADDR3:
3779 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3780 break;
3781
3782 case Q_ADDR4:
3783 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3784 break;
3785
3786 case Q_RA:
3787 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3788 break;
3789
3790 case Q_TA:
3791 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3792 break;
3793 }
3794 abort();
3795 /* NOTREACHED */
3796 }
3797
3798 /*
3799 * Like gen_ehostop, but for DLT_FDDI
3800 */
3801 static struct block *
gen_fhostop(eaddr,dir)3802 gen_fhostop(eaddr, dir)
3803 register const u_char *eaddr;
3804 register int dir;
3805 {
3806 struct block *b0, *b1;
3807
3808 switch (dir) {
3809 case Q_SRC:
3810 return gen_bcmp(OR_LINKHDR, 6 + 1 + pcap_fddipad, 6, eaddr);
3811
3812 case Q_DST:
3813 return gen_bcmp(OR_LINKHDR, 0 + 1 + pcap_fddipad, 6, eaddr);
3814
3815 case Q_AND:
3816 b0 = gen_fhostop(eaddr, Q_SRC);
3817 b1 = gen_fhostop(eaddr, Q_DST);
3818 gen_and(b0, b1);
3819 return b1;
3820
3821 case Q_DEFAULT:
3822 case Q_OR:
3823 b0 = gen_fhostop(eaddr, Q_SRC);
3824 b1 = gen_fhostop(eaddr, Q_DST);
3825 gen_or(b0, b1);
3826 return b1;
3827
3828 case Q_ADDR1:
3829 bpf_error("'addr1' is only supported on 802.11");
3830 break;
3831
3832 case Q_ADDR2:
3833 bpf_error("'addr2' is only supported on 802.11");
3834 break;
3835
3836 case Q_ADDR3:
3837 bpf_error("'addr3' is only supported on 802.11");
3838 break;
3839
3840 case Q_ADDR4:
3841 bpf_error("'addr4' is only supported on 802.11");
3842 break;
3843
3844 case Q_RA:
3845 bpf_error("'ra' is only supported on 802.11");
3846 break;
3847
3848 case Q_TA:
3849 bpf_error("'ta' is only supported on 802.11");
3850 break;
3851 }
3852 abort();
3853 /* NOTREACHED */
3854 }
3855
3856 /*
3857 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3858 */
3859 static struct block *
gen_thostop(eaddr,dir)3860 gen_thostop(eaddr, dir)
3861 register const u_char *eaddr;
3862 register int dir;
3863 {
3864 register struct block *b0, *b1;
3865
3866 switch (dir) {
3867 case Q_SRC:
3868 return gen_bcmp(OR_LINKHDR, 8, 6, eaddr);
3869
3870 case Q_DST:
3871 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr);
3872
3873 case Q_AND:
3874 b0 = gen_thostop(eaddr, Q_SRC);
3875 b1 = gen_thostop(eaddr, Q_DST);
3876 gen_and(b0, b1);
3877 return b1;
3878
3879 case Q_DEFAULT:
3880 case Q_OR:
3881 b0 = gen_thostop(eaddr, Q_SRC);
3882 b1 = gen_thostop(eaddr, Q_DST);
3883 gen_or(b0, b1);
3884 return b1;
3885
3886 case Q_ADDR1:
3887 bpf_error("'addr1' is only supported on 802.11");
3888 break;
3889
3890 case Q_ADDR2:
3891 bpf_error("'addr2' is only supported on 802.11");
3892 break;
3893
3894 case Q_ADDR3:
3895 bpf_error("'addr3' is only supported on 802.11");
3896 break;
3897
3898 case Q_ADDR4:
3899 bpf_error("'addr4' is only supported on 802.11");
3900 break;
3901
3902 case Q_RA:
3903 bpf_error("'ra' is only supported on 802.11");
3904 break;
3905
3906 case Q_TA:
3907 bpf_error("'ta' is only supported on 802.11");
3908 break;
3909 }
3910 abort();
3911 /* NOTREACHED */
3912 }
3913
3914 /*
3915 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3916 * various 802.11 + radio headers.
3917 */
3918 static struct block *
gen_wlanhostop(eaddr,dir)3919 gen_wlanhostop(eaddr, dir)
3920 register const u_char *eaddr;
3921 register int dir;
3922 {
3923 register struct block *b0, *b1, *b2;
3924 register struct slist *s;
3925
3926 #ifdef ENABLE_WLAN_FILTERING_PATCH
3927 /*
3928 * TODO GV 20070613
3929 * We need to disable the optimizer because the optimizer is buggy
3930 * and wipes out some LD instructions generated by the below
3931 * code to validate the Frame Control bits
3932 */
3933 no_optimize = 1;
3934 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3935
3936 switch (dir) {
3937 case Q_SRC:
3938 /*
3939 * Oh, yuk.
3940 *
3941 * For control frames, there is no SA.
3942 *
3943 * For management frames, SA is at an
3944 * offset of 10 from the beginning of
3945 * the packet.
3946 *
3947 * For data frames, SA is at an offset
3948 * of 10 from the beginning of the packet
3949 * if From DS is clear, at an offset of
3950 * 16 from the beginning of the packet
3951 * if From DS is set and To DS is clear,
3952 * and an offset of 24 from the beginning
3953 * of the packet if From DS is set and To DS
3954 * is set.
3955 */
3956
3957 /*
3958 * Generate the tests to be done for data frames
3959 * with From DS set.
3960 *
3961 * First, check for To DS set, i.e. check "link[1] & 0x01".
3962 */
3963 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
3964 b1 = new_block(JMP(BPF_JSET));
3965 b1->s.k = 0x01; /* To DS */
3966 b1->stmts = s;
3967
3968 /*
3969 * If To DS is set, the SA is at 24.
3970 */
3971 b0 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr);
3972 gen_and(b1, b0);
3973
3974 /*
3975 * Now, check for To DS not set, i.e. check
3976 * "!(link[1] & 0x01)".
3977 */
3978 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
3979 b2 = new_block(JMP(BPF_JSET));
3980 b2->s.k = 0x01; /* To DS */
3981 b2->stmts = s;
3982 gen_not(b2);
3983
3984 /*
3985 * If To DS is not set, the SA is at 16.
3986 */
3987 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
3988 gen_and(b2, b1);
3989
3990 /*
3991 * Now OR together the last two checks. That gives
3992 * the complete set of checks for data frames with
3993 * From DS set.
3994 */
3995 gen_or(b1, b0);
3996
3997 /*
3998 * Now check for From DS being set, and AND that with
3999 * the ORed-together checks.
4000 */
4001 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4002 b1 = new_block(JMP(BPF_JSET));
4003 b1->s.k = 0x02; /* From DS */
4004 b1->stmts = s;
4005 gen_and(b1, b0);
4006
4007 /*
4008 * Now check for data frames with From DS not set.
4009 */
4010 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4011 b2 = new_block(JMP(BPF_JSET));
4012 b2->s.k = 0x02; /* From DS */
4013 b2->stmts = s;
4014 gen_not(b2);
4015
4016 /*
4017 * If From DS isn't set, the SA is at 10.
4018 */
4019 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4020 gen_and(b2, b1);
4021
4022 /*
4023 * Now OR together the checks for data frames with
4024 * From DS not set and for data frames with From DS
4025 * set; that gives the checks done for data frames.
4026 */
4027 gen_or(b1, b0);
4028
4029 /*
4030 * Now check for a data frame.
4031 * I.e, check "link[0] & 0x08".
4032 */
4033 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4034 b1 = new_block(JMP(BPF_JSET));
4035 b1->s.k = 0x08;
4036 b1->stmts = s;
4037
4038 /*
4039 * AND that with the checks done for data frames.
4040 */
4041 gen_and(b1, b0);
4042
4043 /*
4044 * If the high-order bit of the type value is 0, this
4045 * is a management frame.
4046 * I.e, check "!(link[0] & 0x08)".
4047 */
4048 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4049 b2 = new_block(JMP(BPF_JSET));
4050 b2->s.k = 0x08;
4051 b2->stmts = s;
4052 gen_not(b2);
4053
4054 /*
4055 * For management frames, the SA is at 10.
4056 */
4057 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4058 gen_and(b2, b1);
4059
4060 /*
4061 * OR that with the checks done for data frames.
4062 * That gives the checks done for management and
4063 * data frames.
4064 */
4065 gen_or(b1, b0);
4066
4067 /*
4068 * If the low-order bit of the type value is 1,
4069 * this is either a control frame or a frame
4070 * with a reserved type, and thus not a
4071 * frame with an SA.
4072 *
4073 * I.e., check "!(link[0] & 0x04)".
4074 */
4075 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4076 b1 = new_block(JMP(BPF_JSET));
4077 b1->s.k = 0x04;
4078 b1->stmts = s;
4079 gen_not(b1);
4080
4081 /*
4082 * AND that with the checks for data and management
4083 * frames.
4084 */
4085 gen_and(b1, b0);
4086 return b0;
4087
4088 case Q_DST:
4089 /*
4090 * Oh, yuk.
4091 *
4092 * For control frames, there is no DA.
4093 *
4094 * For management frames, DA is at an
4095 * offset of 4 from the beginning of
4096 * the packet.
4097 *
4098 * For data frames, DA is at an offset
4099 * of 4 from the beginning of the packet
4100 * if To DS is clear and at an offset of
4101 * 16 from the beginning of the packet
4102 * if To DS is set.
4103 */
4104
4105 /*
4106 * Generate the tests to be done for data frames.
4107 *
4108 * First, check for To DS set, i.e. "link[1] & 0x01".
4109 */
4110 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4111 b1 = new_block(JMP(BPF_JSET));
4112 b1->s.k = 0x01; /* To DS */
4113 b1->stmts = s;
4114
4115 /*
4116 * If To DS is set, the DA is at 16.
4117 */
4118 b0 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
4119 gen_and(b1, b0);
4120
4121 /*
4122 * Now, check for To DS not set, i.e. check
4123 * "!(link[1] & 0x01)".
4124 */
4125 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4126 b2 = new_block(JMP(BPF_JSET));
4127 b2->s.k = 0x01; /* To DS */
4128 b2->stmts = s;
4129 gen_not(b2);
4130
4131 /*
4132 * If To DS is not set, the DA is at 4.
4133 */
4134 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4135 gen_and(b2, b1);
4136
4137 /*
4138 * Now OR together the last two checks. That gives
4139 * the complete set of checks for data frames.
4140 */
4141 gen_or(b1, b0);
4142
4143 /*
4144 * Now check for a data frame.
4145 * I.e, check "link[0] & 0x08".
4146 */
4147 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4148 b1 = new_block(JMP(BPF_JSET));
4149 b1->s.k = 0x08;
4150 b1->stmts = s;
4151
4152 /*
4153 * AND that with the checks done for data frames.
4154 */
4155 gen_and(b1, b0);
4156
4157 /*
4158 * If the high-order bit of the type value is 0, this
4159 * is a management frame.
4160 * I.e, check "!(link[0] & 0x08)".
4161 */
4162 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4163 b2 = new_block(JMP(BPF_JSET));
4164 b2->s.k = 0x08;
4165 b2->stmts = s;
4166 gen_not(b2);
4167
4168 /*
4169 * For management frames, the DA is at 4.
4170 */
4171 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4172 gen_and(b2, b1);
4173
4174 /*
4175 * OR that with the checks done for data frames.
4176 * That gives the checks done for management and
4177 * data frames.
4178 */
4179 gen_or(b1, b0);
4180
4181 /*
4182 * If the low-order bit of the type value is 1,
4183 * this is either a control frame or a frame
4184 * with a reserved type, and thus not a
4185 * frame with an SA.
4186 *
4187 * I.e., check "!(link[0] & 0x04)".
4188 */
4189 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4190 b1 = new_block(JMP(BPF_JSET));
4191 b1->s.k = 0x04;
4192 b1->stmts = s;
4193 gen_not(b1);
4194
4195 /*
4196 * AND that with the checks for data and management
4197 * frames.
4198 */
4199 gen_and(b1, b0);
4200 return b0;
4201
4202 case Q_RA:
4203 /*
4204 * Not present in management frames; addr1 in other
4205 * frames.
4206 */
4207
4208 /*
4209 * If the high-order bit of the type value is 0, this
4210 * is a management frame.
4211 * I.e, check "(link[0] & 0x08)".
4212 */
4213 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4214 b1 = new_block(JMP(BPF_JSET));
4215 b1->s.k = 0x08;
4216 b1->stmts = s;
4217
4218 /*
4219 * Check addr1.
4220 */
4221 b0 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4222
4223 /*
4224 * AND that with the check of addr1.
4225 */
4226 gen_and(b1, b0);
4227 return (b0);
4228
4229 case Q_TA:
4230 /*
4231 * Not present in management frames; addr2, if present,
4232 * in other frames.
4233 */
4234
4235 /*
4236 * Not present in CTS or ACK control frames.
4237 */
4238 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4239 IEEE80211_FC0_TYPE_MASK);
4240 gen_not(b0);
4241 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4242 IEEE80211_FC0_SUBTYPE_MASK);
4243 gen_not(b1);
4244 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4245 IEEE80211_FC0_SUBTYPE_MASK);
4246 gen_not(b2);
4247 gen_and(b1, b2);
4248 gen_or(b0, b2);
4249
4250 /*
4251 * If the high-order bit of the type value is 0, this
4252 * is a management frame.
4253 * I.e, check "(link[0] & 0x08)".
4254 */
4255 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4256 b1 = new_block(JMP(BPF_JSET));
4257 b1->s.k = 0x08;
4258 b1->stmts = s;
4259
4260 /*
4261 * AND that with the check for frames other than
4262 * CTS and ACK frames.
4263 */
4264 gen_and(b1, b2);
4265
4266 /*
4267 * Check addr2.
4268 */
4269 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4270 gen_and(b2, b1);
4271 return b1;
4272
4273 /*
4274 * XXX - add BSSID keyword?
4275 */
4276 case Q_ADDR1:
4277 return (gen_bcmp(OR_LINKHDR, 4, 6, eaddr));
4278
4279 case Q_ADDR2:
4280 /*
4281 * Not present in CTS or ACK control frames.
4282 */
4283 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4284 IEEE80211_FC0_TYPE_MASK);
4285 gen_not(b0);
4286 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4287 IEEE80211_FC0_SUBTYPE_MASK);
4288 gen_not(b1);
4289 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4290 IEEE80211_FC0_SUBTYPE_MASK);
4291 gen_not(b2);
4292 gen_and(b1, b2);
4293 gen_or(b0, b2);
4294 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4295 gen_and(b2, b1);
4296 return b1;
4297
4298 case Q_ADDR3:
4299 /*
4300 * Not present in control frames.
4301 */
4302 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4303 IEEE80211_FC0_TYPE_MASK);
4304 gen_not(b0);
4305 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
4306 gen_and(b0, b1);
4307 return b1;
4308
4309 case Q_ADDR4:
4310 /*
4311 * Present only if the direction mask has both "From DS"
4312 * and "To DS" set. Neither control frames nor management
4313 * frames should have both of those set, so we don't
4314 * check the frame type.
4315 */
4316 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B,
4317 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4318 b1 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr);
4319 gen_and(b0, b1);
4320 return b1;
4321
4322 case Q_AND:
4323 b0 = gen_wlanhostop(eaddr, Q_SRC);
4324 b1 = gen_wlanhostop(eaddr, Q_DST);
4325 gen_and(b0, b1);
4326 return b1;
4327
4328 case Q_DEFAULT:
4329 case Q_OR:
4330 b0 = gen_wlanhostop(eaddr, Q_SRC);
4331 b1 = gen_wlanhostop(eaddr, Q_DST);
4332 gen_or(b0, b1);
4333 return b1;
4334 }
4335 abort();
4336 /* NOTREACHED */
4337 }
4338
4339 /*
4340 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4341 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4342 * as the RFC states.)
4343 */
4344 static struct block *
gen_ipfchostop(eaddr,dir)4345 gen_ipfchostop(eaddr, dir)
4346 register const u_char *eaddr;
4347 register int dir;
4348 {
4349 register struct block *b0, *b1;
4350
4351 switch (dir) {
4352 case Q_SRC:
4353 return gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4354
4355 case Q_DST:
4356 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr);
4357
4358 case Q_AND:
4359 b0 = gen_ipfchostop(eaddr, Q_SRC);
4360 b1 = gen_ipfchostop(eaddr, Q_DST);
4361 gen_and(b0, b1);
4362 return b1;
4363
4364 case Q_DEFAULT:
4365 case Q_OR:
4366 b0 = gen_ipfchostop(eaddr, Q_SRC);
4367 b1 = gen_ipfchostop(eaddr, Q_DST);
4368 gen_or(b0, b1);
4369 return b1;
4370
4371 case Q_ADDR1:
4372 bpf_error("'addr1' is only supported on 802.11");
4373 break;
4374
4375 case Q_ADDR2:
4376 bpf_error("'addr2' is only supported on 802.11");
4377 break;
4378
4379 case Q_ADDR3:
4380 bpf_error("'addr3' is only supported on 802.11");
4381 break;
4382
4383 case Q_ADDR4:
4384 bpf_error("'addr4' is only supported on 802.11");
4385 break;
4386
4387 case Q_RA:
4388 bpf_error("'ra' is only supported on 802.11");
4389 break;
4390
4391 case Q_TA:
4392 bpf_error("'ta' is only supported on 802.11");
4393 break;
4394 }
4395 abort();
4396 /* NOTREACHED */
4397 }
4398
4399 /*
4400 * This is quite tricky because there may be pad bytes in front of the
4401 * DECNET header, and then there are two possible data packet formats that
4402 * carry both src and dst addresses, plus 5 packet types in a format that
4403 * carries only the src node, plus 2 types that use a different format and
4404 * also carry just the src node.
4405 *
4406 * Yuck.
4407 *
4408 * Instead of doing those all right, we just look for data packets with
4409 * 0 or 1 bytes of padding. If you want to look at other packets, that
4410 * will require a lot more hacking.
4411 *
4412 * To add support for filtering on DECNET "areas" (network numbers)
4413 * one would want to add a "mask" argument to this routine. That would
4414 * make the filter even more inefficient, although one could be clever
4415 * and not generate masking instructions if the mask is 0xFFFF.
4416 */
4417 static struct block *
gen_dnhostop(addr,dir)4418 gen_dnhostop(addr, dir)
4419 bpf_u_int32 addr;
4420 int dir;
4421 {
4422 struct block *b0, *b1, *b2, *tmp;
4423 u_int offset_lh; /* offset if long header is received */
4424 u_int offset_sh; /* offset if short header is received */
4425
4426 switch (dir) {
4427
4428 case Q_DST:
4429 offset_sh = 1; /* follows flags */
4430 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4431 break;
4432
4433 case Q_SRC:
4434 offset_sh = 3; /* follows flags, dstnode */
4435 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4436 break;
4437
4438 case Q_AND:
4439 /* Inefficient because we do our Calvinball dance twice */
4440 b0 = gen_dnhostop(addr, Q_SRC);
4441 b1 = gen_dnhostop(addr, Q_DST);
4442 gen_and(b0, b1);
4443 return b1;
4444
4445 case Q_OR:
4446 case Q_DEFAULT:
4447 /* Inefficient because we do our Calvinball dance twice */
4448 b0 = gen_dnhostop(addr, Q_SRC);
4449 b1 = gen_dnhostop(addr, Q_DST);
4450 gen_or(b0, b1);
4451 return b1;
4452
4453 case Q_ISO:
4454 bpf_error("ISO host filtering not implemented");
4455
4456 default:
4457 abort();
4458 }
4459 b0 = gen_linktype(ETHERTYPE_DN);
4460 /* Check for pad = 1, long header case */
4461 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H,
4462 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4463 b1 = gen_cmp(OR_LINKPL, 2 + 1 + offset_lh,
4464 BPF_H, (bpf_int32)ntohs((u_short)addr));
4465 gen_and(tmp, b1);
4466 /* Check for pad = 0, long header case */
4467 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4468 b2 = gen_cmp(OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4469 gen_and(tmp, b2);
4470 gen_or(b2, b1);
4471 /* Check for pad = 1, short header case */
4472 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H,
4473 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4474 b2 = gen_cmp(OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4475 gen_and(tmp, b2);
4476 gen_or(b2, b1);
4477 /* Check for pad = 0, short header case */
4478 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4479 b2 = gen_cmp(OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4480 gen_and(tmp, b2);
4481 gen_or(b2, b1);
4482
4483 /* Combine with test for linktype */
4484 gen_and(b0, b1);
4485 return b1;
4486 }
4487
4488 /*
4489 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4490 * test the bottom-of-stack bit, and then check the version number
4491 * field in the IP header.
4492 */
4493 static struct block *
gen_mpls_linktype(proto)4494 gen_mpls_linktype(proto)
4495 int proto;
4496 {
4497 struct block *b0, *b1;
4498
4499 switch (proto) {
4500
4501 case Q_IP:
4502 /* match the bottom-of-stack bit */
4503 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4504 /* match the IPv4 version number */
4505 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4506 gen_and(b0, b1);
4507 return b1;
4508
4509 case Q_IPV6:
4510 /* match the bottom-of-stack bit */
4511 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4512 /* match the IPv4 version number */
4513 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4514 gen_and(b0, b1);
4515 return b1;
4516
4517 default:
4518 abort();
4519 }
4520 }
4521
4522 static struct block *
gen_host(addr,mask,proto,dir,type)4523 gen_host(addr, mask, proto, dir, type)
4524 bpf_u_int32 addr;
4525 bpf_u_int32 mask;
4526 int proto;
4527 int dir;
4528 int type;
4529 {
4530 struct block *b0, *b1;
4531 const char *typestr;
4532
4533 if (type == Q_NET)
4534 typestr = "net";
4535 else
4536 typestr = "host";
4537
4538 switch (proto) {
4539
4540 case Q_DEFAULT:
4541 b0 = gen_host(addr, mask, Q_IP, dir, type);
4542 /*
4543 * Only check for non-IPv4 addresses if we're not
4544 * checking MPLS-encapsulated packets.
4545 */
4546 if (label_stack_depth == 0) {
4547 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4548 gen_or(b0, b1);
4549 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4550 gen_or(b1, b0);
4551 }
4552 return b0;
4553
4554 case Q_IP:
4555 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4556
4557 case Q_RARP:
4558 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4559
4560 case Q_ARP:
4561 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4562
4563 case Q_TCP:
4564 bpf_error("'tcp' modifier applied to %s", typestr);
4565
4566 case Q_SCTP:
4567 bpf_error("'sctp' modifier applied to %s", typestr);
4568
4569 case Q_UDP:
4570 bpf_error("'udp' modifier applied to %s", typestr);
4571
4572 case Q_ICMP:
4573 bpf_error("'icmp' modifier applied to %s", typestr);
4574
4575 case Q_IGMP:
4576 bpf_error("'igmp' modifier applied to %s", typestr);
4577
4578 case Q_IGRP:
4579 bpf_error("'igrp' modifier applied to %s", typestr);
4580
4581 case Q_PIM:
4582 bpf_error("'pim' modifier applied to %s", typestr);
4583
4584 case Q_VRRP:
4585 bpf_error("'vrrp' modifier applied to %s", typestr);
4586
4587 case Q_CARP:
4588 bpf_error("'carp' modifier applied to %s", typestr);
4589
4590 case Q_ATALK:
4591 bpf_error("ATALK host filtering not implemented");
4592
4593 case Q_AARP:
4594 bpf_error("AARP host filtering not implemented");
4595
4596 case Q_DECNET:
4597 return gen_dnhostop(addr, dir);
4598
4599 case Q_SCA:
4600 bpf_error("SCA host filtering not implemented");
4601
4602 case Q_LAT:
4603 bpf_error("LAT host filtering not implemented");
4604
4605 case Q_MOPDL:
4606 bpf_error("MOPDL host filtering not implemented");
4607
4608 case Q_MOPRC:
4609 bpf_error("MOPRC host filtering not implemented");
4610
4611 case Q_IPV6:
4612 bpf_error("'ip6' modifier applied to ip host");
4613
4614 case Q_ICMPV6:
4615 bpf_error("'icmp6' modifier applied to %s", typestr);
4616
4617 case Q_AH:
4618 bpf_error("'ah' modifier applied to %s", typestr);
4619
4620 case Q_ESP:
4621 bpf_error("'esp' modifier applied to %s", typestr);
4622
4623 case Q_ISO:
4624 bpf_error("ISO host filtering not implemented");
4625
4626 case Q_ESIS:
4627 bpf_error("'esis' modifier applied to %s", typestr);
4628
4629 case Q_ISIS:
4630 bpf_error("'isis' modifier applied to %s", typestr);
4631
4632 case Q_CLNP:
4633 bpf_error("'clnp' modifier applied to %s", typestr);
4634
4635 case Q_STP:
4636 bpf_error("'stp' modifier applied to %s", typestr);
4637
4638 case Q_IPX:
4639 bpf_error("IPX host filtering not implemented");
4640
4641 case Q_NETBEUI:
4642 bpf_error("'netbeui' modifier applied to %s", typestr);
4643
4644 case Q_RADIO:
4645 bpf_error("'radio' modifier applied to %s", typestr);
4646
4647 default:
4648 abort();
4649 }
4650 /* NOTREACHED */
4651 }
4652
4653 #ifdef INET6
4654 static struct block *
gen_host6(addr,mask,proto,dir,type)4655 gen_host6(addr, mask, proto, dir, type)
4656 struct in6_addr *addr;
4657 struct in6_addr *mask;
4658 int proto;
4659 int dir;
4660 int type;
4661 {
4662 const char *typestr;
4663
4664 if (type == Q_NET)
4665 typestr = "net";
4666 else
4667 typestr = "host";
4668
4669 switch (proto) {
4670
4671 case Q_DEFAULT:
4672 return gen_host6(addr, mask, Q_IPV6, dir, type);
4673
4674 case Q_LINK:
4675 bpf_error("link-layer modifier applied to ip6 %s", typestr);
4676
4677 case Q_IP:
4678 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4679
4680 case Q_RARP:
4681 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4682
4683 case Q_ARP:
4684 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4685
4686 case Q_SCTP:
4687 bpf_error("'sctp' modifier applied to %s", typestr);
4688
4689 case Q_TCP:
4690 bpf_error("'tcp' modifier applied to %s", typestr);
4691
4692 case Q_UDP:
4693 bpf_error("'udp' modifier applied to %s", typestr);
4694
4695 case Q_ICMP:
4696 bpf_error("'icmp' modifier applied to %s", typestr);
4697
4698 case Q_IGMP:
4699 bpf_error("'igmp' modifier applied to %s", typestr);
4700
4701 case Q_IGRP:
4702 bpf_error("'igrp' modifier applied to %s", typestr);
4703
4704 case Q_PIM:
4705 bpf_error("'pim' modifier applied to %s", typestr);
4706
4707 case Q_VRRP:
4708 bpf_error("'vrrp' modifier applied to %s", typestr);
4709
4710 case Q_CARP:
4711 bpf_error("'carp' modifier applied to %s", typestr);
4712
4713 case Q_ATALK:
4714 bpf_error("ATALK host filtering not implemented");
4715
4716 case Q_AARP:
4717 bpf_error("AARP host filtering not implemented");
4718
4719 case Q_DECNET:
4720 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4721
4722 case Q_SCA:
4723 bpf_error("SCA host filtering not implemented");
4724
4725 case Q_LAT:
4726 bpf_error("LAT host filtering not implemented");
4727
4728 case Q_MOPDL:
4729 bpf_error("MOPDL host filtering not implemented");
4730
4731 case Q_MOPRC:
4732 bpf_error("MOPRC host filtering not implemented");
4733
4734 case Q_IPV6:
4735 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4736
4737 case Q_ICMPV6:
4738 bpf_error("'icmp6' modifier applied to %s", typestr);
4739
4740 case Q_AH:
4741 bpf_error("'ah' modifier applied to %s", typestr);
4742
4743 case Q_ESP:
4744 bpf_error("'esp' modifier applied to %s", typestr);
4745
4746 case Q_ISO:
4747 bpf_error("ISO host filtering not implemented");
4748
4749 case Q_ESIS:
4750 bpf_error("'esis' modifier applied to %s", typestr);
4751
4752 case Q_ISIS:
4753 bpf_error("'isis' modifier applied to %s", typestr);
4754
4755 case Q_CLNP:
4756 bpf_error("'clnp' modifier applied to %s", typestr);
4757
4758 case Q_STP:
4759 bpf_error("'stp' modifier applied to %s", typestr);
4760
4761 case Q_IPX:
4762 bpf_error("IPX host filtering not implemented");
4763
4764 case Q_NETBEUI:
4765 bpf_error("'netbeui' modifier applied to %s", typestr);
4766
4767 case Q_RADIO:
4768 bpf_error("'radio' modifier applied to %s", typestr);
4769
4770 default:
4771 abort();
4772 }
4773 /* NOTREACHED */
4774 }
4775 #endif
4776
4777 #ifndef INET6
4778 static struct block *
gen_gateway(eaddr,alist,proto,dir)4779 gen_gateway(eaddr, alist, proto, dir)
4780 const u_char *eaddr;
4781 bpf_u_int32 **alist;
4782 int proto;
4783 int dir;
4784 {
4785 struct block *b0, *b1, *tmp;
4786
4787 if (dir != 0)
4788 bpf_error("direction applied to 'gateway'");
4789
4790 switch (proto) {
4791 case Q_DEFAULT:
4792 case Q_IP:
4793 case Q_ARP:
4794 case Q_RARP:
4795 switch (linktype) {
4796 case DLT_EN10MB:
4797 case DLT_NETANALYZER:
4798 case DLT_NETANALYZER_TRANSPARENT:
4799 b1 = gen_prevlinkhdr_check();
4800 b0 = gen_ehostop(eaddr, Q_OR);
4801 if (b1 != NULL)
4802 gen_and(b1, b0);
4803 break;
4804 case DLT_FDDI:
4805 b0 = gen_fhostop(eaddr, Q_OR);
4806 break;
4807 case DLT_IEEE802:
4808 b0 = gen_thostop(eaddr, Q_OR);
4809 break;
4810 case DLT_IEEE802_11:
4811 case DLT_PRISM_HEADER:
4812 case DLT_IEEE802_11_RADIO_AVS:
4813 case DLT_IEEE802_11_RADIO:
4814 case DLT_PPI:
4815 b0 = gen_wlanhostop(eaddr, Q_OR);
4816 break;
4817 case DLT_SUNATM:
4818 /*
4819 * This is LLC-multiplexed traffic; if it were
4820 * LANE, linktype would have been set to
4821 * DLT_EN10MB.
4822 */
4823 bpf_error(
4824 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4825 break;
4826 case DLT_IP_OVER_FC:
4827 b0 = gen_ipfchostop(eaddr, Q_OR);
4828 break;
4829 default:
4830 bpf_error(
4831 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4832 }
4833 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4834 while (*alist) {
4835 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4836 Q_HOST);
4837 gen_or(b1, tmp);
4838 b1 = tmp;
4839 }
4840 gen_not(b1);
4841 gen_and(b0, b1);
4842 return b1;
4843 }
4844 bpf_error("illegal modifier of 'gateway'");
4845 /* NOTREACHED */
4846 }
4847 #endif
4848
4849 struct block *
gen_proto_abbrev(proto)4850 gen_proto_abbrev(proto)
4851 int proto;
4852 {
4853 struct block *b0;
4854 struct block *b1;
4855
4856 switch (proto) {
4857
4858 case Q_SCTP:
4859 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4860 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4861 gen_or(b0, b1);
4862 break;
4863
4864 case Q_TCP:
4865 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4866 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4867 gen_or(b0, b1);
4868 break;
4869
4870 case Q_UDP:
4871 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4872 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4873 gen_or(b0, b1);
4874 break;
4875
4876 case Q_ICMP:
4877 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4878 break;
4879
4880 #ifndef IPPROTO_IGMP
4881 #define IPPROTO_IGMP 2
4882 #endif
4883
4884 case Q_IGMP:
4885 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4886 break;
4887
4888 #ifndef IPPROTO_IGRP
4889 #define IPPROTO_IGRP 9
4890 #endif
4891 case Q_IGRP:
4892 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4893 break;
4894
4895 #ifndef IPPROTO_PIM
4896 #define IPPROTO_PIM 103
4897 #endif
4898
4899 case Q_PIM:
4900 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4901 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4902 gen_or(b0, b1);
4903 break;
4904
4905 #ifndef IPPROTO_VRRP
4906 #define IPPROTO_VRRP 112
4907 #endif
4908
4909 case Q_VRRP:
4910 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4911 break;
4912
4913 #ifndef IPPROTO_CARP
4914 #define IPPROTO_CARP 112
4915 #endif
4916
4917 case Q_CARP:
4918 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4919 break;
4920
4921 case Q_IP:
4922 b1 = gen_linktype(ETHERTYPE_IP);
4923 break;
4924
4925 case Q_ARP:
4926 b1 = gen_linktype(ETHERTYPE_ARP);
4927 break;
4928
4929 case Q_RARP:
4930 b1 = gen_linktype(ETHERTYPE_REVARP);
4931 break;
4932
4933 case Q_LINK:
4934 bpf_error("link layer applied in wrong context");
4935
4936 case Q_ATALK:
4937 b1 = gen_linktype(ETHERTYPE_ATALK);
4938 break;
4939
4940 case Q_AARP:
4941 b1 = gen_linktype(ETHERTYPE_AARP);
4942 break;
4943
4944 case Q_DECNET:
4945 b1 = gen_linktype(ETHERTYPE_DN);
4946 break;
4947
4948 case Q_SCA:
4949 b1 = gen_linktype(ETHERTYPE_SCA);
4950 break;
4951
4952 case Q_LAT:
4953 b1 = gen_linktype(ETHERTYPE_LAT);
4954 break;
4955
4956 case Q_MOPDL:
4957 b1 = gen_linktype(ETHERTYPE_MOPDL);
4958 break;
4959
4960 case Q_MOPRC:
4961 b1 = gen_linktype(ETHERTYPE_MOPRC);
4962 break;
4963
4964 case Q_IPV6:
4965 b1 = gen_linktype(ETHERTYPE_IPV6);
4966 break;
4967
4968 #ifndef IPPROTO_ICMPV6
4969 #define IPPROTO_ICMPV6 58
4970 #endif
4971 case Q_ICMPV6:
4972 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4973 break;
4974
4975 #ifndef IPPROTO_AH
4976 #define IPPROTO_AH 51
4977 #endif
4978 case Q_AH:
4979 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4980 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4981 gen_or(b0, b1);
4982 break;
4983
4984 #ifndef IPPROTO_ESP
4985 #define IPPROTO_ESP 50
4986 #endif
4987 case Q_ESP:
4988 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4989 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4990 gen_or(b0, b1);
4991 break;
4992
4993 case Q_ISO:
4994 b1 = gen_linktype(LLCSAP_ISONS);
4995 break;
4996
4997 case Q_ESIS:
4998 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4999 break;
5000
5001 case Q_ISIS:
5002 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5003 break;
5004
5005 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5006 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5007 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5008 gen_or(b0, b1);
5009 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5010 gen_or(b0, b1);
5011 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5012 gen_or(b0, b1);
5013 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5014 gen_or(b0, b1);
5015 break;
5016
5017 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5018 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5019 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5020 gen_or(b0, b1);
5021 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5022 gen_or(b0, b1);
5023 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5024 gen_or(b0, b1);
5025 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5026 gen_or(b0, b1);
5027 break;
5028
5029 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5030 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5031 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5032 gen_or(b0, b1);
5033 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5034 gen_or(b0, b1);
5035 break;
5036
5037 case Q_ISIS_LSP:
5038 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5039 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5040 gen_or(b0, b1);
5041 break;
5042
5043 case Q_ISIS_SNP:
5044 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5045 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5046 gen_or(b0, b1);
5047 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5048 gen_or(b0, b1);
5049 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5050 gen_or(b0, b1);
5051 break;
5052
5053 case Q_ISIS_CSNP:
5054 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5055 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5056 gen_or(b0, b1);
5057 break;
5058
5059 case Q_ISIS_PSNP:
5060 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5061 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5062 gen_or(b0, b1);
5063 break;
5064
5065 case Q_CLNP:
5066 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5067 break;
5068
5069 case Q_STP:
5070 b1 = gen_linktype(LLCSAP_8021D);
5071 break;
5072
5073 case Q_IPX:
5074 b1 = gen_linktype(LLCSAP_IPX);
5075 break;
5076
5077 case Q_NETBEUI:
5078 b1 = gen_linktype(LLCSAP_NETBEUI);
5079 break;
5080
5081 case Q_RADIO:
5082 bpf_error("'radio' is not a valid protocol type");
5083
5084 default:
5085 abort();
5086 }
5087 return b1;
5088 }
5089
5090 static struct block *
gen_ipfrag()5091 gen_ipfrag()
5092 {
5093 struct slist *s;
5094 struct block *b;
5095
5096 /* not IPv4 frag other than the first frag */
5097 s = gen_load_a(OR_LINKPL, 6, BPF_H);
5098 b = new_block(JMP(BPF_JSET));
5099 b->s.k = 0x1fff;
5100 b->stmts = s;
5101 gen_not(b);
5102
5103 return b;
5104 }
5105
5106 /*
5107 * Generate a comparison to a port value in the transport-layer header
5108 * at the specified offset from the beginning of that header.
5109 *
5110 * XXX - this handles a variable-length prefix preceding the link-layer
5111 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5112 * variable-length link-layer headers (such as Token Ring or 802.11
5113 * headers).
5114 */
5115 static struct block *
gen_portatom(off,v)5116 gen_portatom(off, v)
5117 int off;
5118 bpf_int32 v;
5119 {
5120 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5121 }
5122
5123 static struct block *
gen_portatom6(off,v)5124 gen_portatom6(off, v)
5125 int off;
5126 bpf_int32 v;
5127 {
5128 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5129 }
5130
5131 struct block *
gen_portop(port,proto,dir)5132 gen_portop(port, proto, dir)
5133 int port, proto, dir;
5134 {
5135 struct block *b0, *b1, *tmp;
5136
5137 /* ip proto 'proto' and not a fragment other than the first fragment */
5138 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5139 b0 = gen_ipfrag();
5140 gen_and(tmp, b0);
5141
5142 switch (dir) {
5143 case Q_SRC:
5144 b1 = gen_portatom(0, (bpf_int32)port);
5145 break;
5146
5147 case Q_DST:
5148 b1 = gen_portatom(2, (bpf_int32)port);
5149 break;
5150
5151 case Q_OR:
5152 case Q_DEFAULT:
5153 tmp = gen_portatom(0, (bpf_int32)port);
5154 b1 = gen_portatom(2, (bpf_int32)port);
5155 gen_or(tmp, b1);
5156 break;
5157
5158 case Q_AND:
5159 tmp = gen_portatom(0, (bpf_int32)port);
5160 b1 = gen_portatom(2, (bpf_int32)port);
5161 gen_and(tmp, b1);
5162 break;
5163
5164 default:
5165 abort();
5166 }
5167 gen_and(b0, b1);
5168
5169 return b1;
5170 }
5171
5172 static struct block *
gen_port(port,ip_proto,dir)5173 gen_port(port, ip_proto, dir)
5174 int port;
5175 int ip_proto;
5176 int dir;
5177 {
5178 struct block *b0, *b1, *tmp;
5179
5180 /*
5181 * ether proto ip
5182 *
5183 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5184 * not LLC encapsulation with LLCSAP_IP.
5185 *
5186 * For IEEE 802 networks - which includes 802.5 token ring
5187 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5188 * says that SNAP encapsulation is used, not LLC encapsulation
5189 * with LLCSAP_IP.
5190 *
5191 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5192 * RFC 2225 say that SNAP encapsulation is used, not LLC
5193 * encapsulation with LLCSAP_IP.
5194 *
5195 * So we always check for ETHERTYPE_IP.
5196 */
5197 b0 = gen_linktype(ETHERTYPE_IP);
5198
5199 switch (ip_proto) {
5200 case IPPROTO_UDP:
5201 case IPPROTO_TCP:
5202 case IPPROTO_SCTP:
5203 b1 = gen_portop(port, ip_proto, dir);
5204 break;
5205
5206 case PROTO_UNDEF:
5207 tmp = gen_portop(port, IPPROTO_TCP, dir);
5208 b1 = gen_portop(port, IPPROTO_UDP, dir);
5209 gen_or(tmp, b1);
5210 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5211 gen_or(tmp, b1);
5212 break;
5213
5214 default:
5215 abort();
5216 }
5217 gen_and(b0, b1);
5218 return b1;
5219 }
5220
5221 struct block *
gen_portop6(port,proto,dir)5222 gen_portop6(port, proto, dir)
5223 int port, proto, dir;
5224 {
5225 struct block *b0, *b1, *tmp;
5226
5227 /* ip6 proto 'proto' */
5228 /* XXX - catch the first fragment of a fragmented packet? */
5229 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5230
5231 switch (dir) {
5232 case Q_SRC:
5233 b1 = gen_portatom6(0, (bpf_int32)port);
5234 break;
5235
5236 case Q_DST:
5237 b1 = gen_portatom6(2, (bpf_int32)port);
5238 break;
5239
5240 case Q_OR:
5241 case Q_DEFAULT:
5242 tmp = gen_portatom6(0, (bpf_int32)port);
5243 b1 = gen_portatom6(2, (bpf_int32)port);
5244 gen_or(tmp, b1);
5245 break;
5246
5247 case Q_AND:
5248 tmp = gen_portatom6(0, (bpf_int32)port);
5249 b1 = gen_portatom6(2, (bpf_int32)port);
5250 gen_and(tmp, b1);
5251 break;
5252
5253 default:
5254 abort();
5255 }
5256 gen_and(b0, b1);
5257
5258 return b1;
5259 }
5260
5261 static struct block *
gen_port6(port,ip_proto,dir)5262 gen_port6(port, ip_proto, dir)
5263 int port;
5264 int ip_proto;
5265 int dir;
5266 {
5267 struct block *b0, *b1, *tmp;
5268
5269 /* link proto ip6 */
5270 b0 = gen_linktype(ETHERTYPE_IPV6);
5271
5272 switch (ip_proto) {
5273 case IPPROTO_UDP:
5274 case IPPROTO_TCP:
5275 case IPPROTO_SCTP:
5276 b1 = gen_portop6(port, ip_proto, dir);
5277 break;
5278
5279 case PROTO_UNDEF:
5280 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5281 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5282 gen_or(tmp, b1);
5283 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5284 gen_or(tmp, b1);
5285 break;
5286
5287 default:
5288 abort();
5289 }
5290 gen_and(b0, b1);
5291 return b1;
5292 }
5293
5294 /* gen_portrange code */
5295 static struct block *
gen_portrangeatom(off,v1,v2)5296 gen_portrangeatom(off, v1, v2)
5297 int off;
5298 bpf_int32 v1, v2;
5299 {
5300 struct block *b1, *b2;
5301
5302 if (v1 > v2) {
5303 /*
5304 * Reverse the order of the ports, so v1 is the lower one.
5305 */
5306 bpf_int32 vtemp;
5307
5308 vtemp = v1;
5309 v1 = v2;
5310 v2 = vtemp;
5311 }
5312
5313 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5314 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5315
5316 gen_and(b1, b2);
5317
5318 return b2;
5319 }
5320
5321 struct block *
gen_portrangeop(port1,port2,proto,dir)5322 gen_portrangeop(port1, port2, proto, dir)
5323 int port1, port2;
5324 int proto;
5325 int dir;
5326 {
5327 struct block *b0, *b1, *tmp;
5328
5329 /* ip proto 'proto' and not a fragment other than the first fragment */
5330 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5331 b0 = gen_ipfrag();
5332 gen_and(tmp, b0);
5333
5334 switch (dir) {
5335 case Q_SRC:
5336 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5337 break;
5338
5339 case Q_DST:
5340 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5341 break;
5342
5343 case Q_OR:
5344 case Q_DEFAULT:
5345 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5346 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5347 gen_or(tmp, b1);
5348 break;
5349
5350 case Q_AND:
5351 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5352 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5353 gen_and(tmp, b1);
5354 break;
5355
5356 default:
5357 abort();
5358 }
5359 gen_and(b0, b1);
5360
5361 return b1;
5362 }
5363
5364 static struct block *
gen_portrange(port1,port2,ip_proto,dir)5365 gen_portrange(port1, port2, ip_proto, dir)
5366 int port1, port2;
5367 int ip_proto;
5368 int dir;
5369 {
5370 struct block *b0, *b1, *tmp;
5371
5372 /* link proto ip */
5373 b0 = gen_linktype(ETHERTYPE_IP);
5374
5375 switch (ip_proto) {
5376 case IPPROTO_UDP:
5377 case IPPROTO_TCP:
5378 case IPPROTO_SCTP:
5379 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5380 break;
5381
5382 case PROTO_UNDEF:
5383 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5384 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5385 gen_or(tmp, b1);
5386 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5387 gen_or(tmp, b1);
5388 break;
5389
5390 default:
5391 abort();
5392 }
5393 gen_and(b0, b1);
5394 return b1;
5395 }
5396
5397 static struct block *
gen_portrangeatom6(off,v1,v2)5398 gen_portrangeatom6(off, v1, v2)
5399 int off;
5400 bpf_int32 v1, v2;
5401 {
5402 struct block *b1, *b2;
5403
5404 if (v1 > v2) {
5405 /*
5406 * Reverse the order of the ports, so v1 is the lower one.
5407 */
5408 bpf_int32 vtemp;
5409
5410 vtemp = v1;
5411 v1 = v2;
5412 v2 = vtemp;
5413 }
5414
5415 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5416 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5417
5418 gen_and(b1, b2);
5419
5420 return b2;
5421 }
5422
5423 struct block *
gen_portrangeop6(port1,port2,proto,dir)5424 gen_portrangeop6(port1, port2, proto, dir)
5425 int port1, port2;
5426 int proto;
5427 int dir;
5428 {
5429 struct block *b0, *b1, *tmp;
5430
5431 /* ip6 proto 'proto' */
5432 /* XXX - catch the first fragment of a fragmented packet? */
5433 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5434
5435 switch (dir) {
5436 case Q_SRC:
5437 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5438 break;
5439
5440 case Q_DST:
5441 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5442 break;
5443
5444 case Q_OR:
5445 case Q_DEFAULT:
5446 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5447 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5448 gen_or(tmp, b1);
5449 break;
5450
5451 case Q_AND:
5452 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5453 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5454 gen_and(tmp, b1);
5455 break;
5456
5457 default:
5458 abort();
5459 }
5460 gen_and(b0, b1);
5461
5462 return b1;
5463 }
5464
5465 static struct block *
gen_portrange6(port1,port2,ip_proto,dir)5466 gen_portrange6(port1, port2, ip_proto, dir)
5467 int port1, port2;
5468 int ip_proto;
5469 int dir;
5470 {
5471 struct block *b0, *b1, *tmp;
5472
5473 /* link proto ip6 */
5474 b0 = gen_linktype(ETHERTYPE_IPV6);
5475
5476 switch (ip_proto) {
5477 case IPPROTO_UDP:
5478 case IPPROTO_TCP:
5479 case IPPROTO_SCTP:
5480 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5481 break;
5482
5483 case PROTO_UNDEF:
5484 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5485 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5486 gen_or(tmp, b1);
5487 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5488 gen_or(tmp, b1);
5489 break;
5490
5491 default:
5492 abort();
5493 }
5494 gen_and(b0, b1);
5495 return b1;
5496 }
5497
5498 static int
lookup_proto(name,proto)5499 lookup_proto(name, proto)
5500 register const char *name;
5501 register int proto;
5502 {
5503 register int v;
5504
5505 switch (proto) {
5506
5507 case Q_DEFAULT:
5508 case Q_IP:
5509 case Q_IPV6:
5510 v = pcap_nametoproto(name);
5511 if (v == PROTO_UNDEF)
5512 bpf_error("unknown ip proto '%s'", name);
5513 break;
5514
5515 case Q_LINK:
5516 /* XXX should look up h/w protocol type based on linktype */
5517 v = pcap_nametoeproto(name);
5518 if (v == PROTO_UNDEF) {
5519 v = pcap_nametollc(name);
5520 if (v == PROTO_UNDEF)
5521 bpf_error("unknown ether proto '%s'", name);
5522 }
5523 break;
5524
5525 case Q_ISO:
5526 if (strcmp(name, "esis") == 0)
5527 v = ISO9542_ESIS;
5528 else if (strcmp(name, "isis") == 0)
5529 v = ISO10589_ISIS;
5530 else if (strcmp(name, "clnp") == 0)
5531 v = ISO8473_CLNP;
5532 else
5533 bpf_error("unknown osi proto '%s'", name);
5534 break;
5535
5536 default:
5537 v = PROTO_UNDEF;
5538 break;
5539 }
5540 return v;
5541 }
5542
5543 #if 0
5544 struct stmt *
5545 gen_joinsp(s, n)
5546 struct stmt **s;
5547 int n;
5548 {
5549 return NULL;
5550 }
5551 #endif
5552
5553 static struct block *
gen_protochain(v,proto,dir)5554 gen_protochain(v, proto, dir)
5555 int v;
5556 int proto;
5557 int dir;
5558 {
5559 #ifdef NO_PROTOCHAIN
5560 return gen_proto(v, proto, dir);
5561 #else
5562 struct block *b0, *b;
5563 struct slist *s[100];
5564 int fix2, fix3, fix4, fix5;
5565 int ahcheck, again, end;
5566 int i, max;
5567 int reg2 = alloc_reg();
5568
5569 memset(s, 0, sizeof(s));
5570 fix2 = fix3 = fix4 = fix5 = 0;
5571
5572 switch (proto) {
5573 case Q_IP:
5574 case Q_IPV6:
5575 break;
5576 case Q_DEFAULT:
5577 b0 = gen_protochain(v, Q_IP, dir);
5578 b = gen_protochain(v, Q_IPV6, dir);
5579 gen_or(b0, b);
5580 return b;
5581 default:
5582 bpf_error("bad protocol applied for 'protochain'");
5583 /*NOTREACHED*/
5584 }
5585
5586 /*
5587 * We don't handle variable-length prefixes before the link-layer
5588 * header, or variable-length link-layer headers, here yet.
5589 * We might want to add BPF instructions to do the protochain
5590 * work, to simplify that and, on platforms that have a BPF
5591 * interpreter with the new instructions, let the filtering
5592 * be done in the kernel. (We already require a modified BPF
5593 * engine to do the protochain stuff, to support backward
5594 * branches, and backward branch support is unlikely to appear
5595 * in kernel BPF engines.)
5596 */
5597 if (off_linkpl.is_variable)
5598 bpf_error("'protochain' not supported with variable length headers");
5599
5600 no_optimize = 1; /*this code is not compatible with optimzer yet */
5601
5602 /*
5603 * s[0] is a dummy entry to protect other BPF insn from damage
5604 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5605 * hard to find interdependency made by jump table fixup.
5606 */
5607 i = 0;
5608 s[i] = new_stmt(0); /*dummy*/
5609 i++;
5610
5611 switch (proto) {
5612 case Q_IP:
5613 b0 = gen_linktype(ETHERTYPE_IP);
5614
5615 /* A = ip->ip_p */
5616 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5617 s[i]->s.k = off_linkpl.constant_part + off_nl + 9;
5618 i++;
5619 /* X = ip->ip_hl << 2 */
5620 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5621 s[i]->s.k = off_linkpl.constant_part + off_nl;
5622 i++;
5623 break;
5624
5625 case Q_IPV6:
5626 b0 = gen_linktype(ETHERTYPE_IPV6);
5627
5628 /* A = ip6->ip_nxt */
5629 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5630 s[i]->s.k = off_linkpl.constant_part + off_nl + 6;
5631 i++;
5632 /* X = sizeof(struct ip6_hdr) */
5633 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5634 s[i]->s.k = 40;
5635 i++;
5636 break;
5637
5638 default:
5639 bpf_error("unsupported proto to gen_protochain");
5640 /*NOTREACHED*/
5641 }
5642
5643 /* again: if (A == v) goto end; else fall through; */
5644 again = i;
5645 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5646 s[i]->s.k = v;
5647 s[i]->s.jt = NULL; /*later*/
5648 s[i]->s.jf = NULL; /*update in next stmt*/
5649 fix5 = i;
5650 i++;
5651
5652 #ifndef IPPROTO_NONE
5653 #define IPPROTO_NONE 59
5654 #endif
5655 /* if (A == IPPROTO_NONE) goto end */
5656 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5657 s[i]->s.jt = NULL; /*later*/
5658 s[i]->s.jf = NULL; /*update in next stmt*/
5659 s[i]->s.k = IPPROTO_NONE;
5660 s[fix5]->s.jf = s[i];
5661 fix2 = i;
5662 i++;
5663
5664 if (proto == Q_IPV6) {
5665 int v6start, v6end, v6advance, j;
5666
5667 v6start = i;
5668 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5669 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5670 s[i]->s.jt = NULL; /*later*/
5671 s[i]->s.jf = NULL; /*update in next stmt*/
5672 s[i]->s.k = IPPROTO_HOPOPTS;
5673 s[fix2]->s.jf = s[i];
5674 i++;
5675 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5676 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5677 s[i]->s.jt = NULL; /*later*/
5678 s[i]->s.jf = NULL; /*update in next stmt*/
5679 s[i]->s.k = IPPROTO_DSTOPTS;
5680 i++;
5681 /* if (A == IPPROTO_ROUTING) goto v6advance */
5682 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5683 s[i]->s.jt = NULL; /*later*/
5684 s[i]->s.jf = NULL; /*update in next stmt*/
5685 s[i]->s.k = IPPROTO_ROUTING;
5686 i++;
5687 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5688 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5689 s[i]->s.jt = NULL; /*later*/
5690 s[i]->s.jf = NULL; /*later*/
5691 s[i]->s.k = IPPROTO_FRAGMENT;
5692 fix3 = i;
5693 v6end = i;
5694 i++;
5695
5696 /* v6advance: */
5697 v6advance = i;
5698
5699 /*
5700 * in short,
5701 * A = P[X + packet head];
5702 * X = X + (P[X + packet head + 1] + 1) * 8;
5703 */
5704 /* A = P[X + packet head] */
5705 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5706 s[i]->s.k = off_linkpl.constant_part + off_nl;
5707 i++;
5708 /* MEM[reg2] = A */
5709 s[i] = new_stmt(BPF_ST);
5710 s[i]->s.k = reg2;
5711 i++;
5712 /* A = P[X + packet head + 1]; */
5713 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5714 s[i]->s.k = off_linkpl.constant_part + off_nl + 1;
5715 i++;
5716 /* A += 1 */
5717 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5718 s[i]->s.k = 1;
5719 i++;
5720 /* A *= 8 */
5721 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5722 s[i]->s.k = 8;
5723 i++;
5724 /* A += X */
5725 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5726 s[i]->s.k = 0;
5727 i++;
5728 /* X = A; */
5729 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5730 i++;
5731 /* A = MEM[reg2] */
5732 s[i] = new_stmt(BPF_LD|BPF_MEM);
5733 s[i]->s.k = reg2;
5734 i++;
5735
5736 /* goto again; (must use BPF_JA for backward jump) */
5737 s[i] = new_stmt(BPF_JMP|BPF_JA);
5738 s[i]->s.k = again - i - 1;
5739 s[i - 1]->s.jf = s[i];
5740 i++;
5741
5742 /* fixup */
5743 for (j = v6start; j <= v6end; j++)
5744 s[j]->s.jt = s[v6advance];
5745 } else {
5746 /* nop */
5747 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5748 s[i]->s.k = 0;
5749 s[fix2]->s.jf = s[i];
5750 i++;
5751 }
5752
5753 /* ahcheck: */
5754 ahcheck = i;
5755 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5756 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5757 s[i]->s.jt = NULL; /*later*/
5758 s[i]->s.jf = NULL; /*later*/
5759 s[i]->s.k = IPPROTO_AH;
5760 if (fix3)
5761 s[fix3]->s.jf = s[ahcheck];
5762 fix4 = i;
5763 i++;
5764
5765 /*
5766 * in short,
5767 * A = P[X];
5768 * X = X + (P[X + 1] + 2) * 4;
5769 */
5770 /* A = X */
5771 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5772 i++;
5773 /* A = P[X + packet head]; */
5774 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5775 s[i]->s.k = off_linkpl.constant_part + off_nl;
5776 i++;
5777 /* MEM[reg2] = A */
5778 s[i] = new_stmt(BPF_ST);
5779 s[i]->s.k = reg2;
5780 i++;
5781 /* A = X */
5782 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5783 i++;
5784 /* A += 1 */
5785 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5786 s[i]->s.k = 1;
5787 i++;
5788 /* X = A */
5789 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5790 i++;
5791 /* A = P[X + packet head] */
5792 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5793 s[i]->s.k = off_linkpl.constant_part + off_nl;
5794 i++;
5795 /* A += 2 */
5796 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5797 s[i]->s.k = 2;
5798 i++;
5799 /* A *= 4 */
5800 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5801 s[i]->s.k = 4;
5802 i++;
5803 /* X = A; */
5804 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5805 i++;
5806 /* A = MEM[reg2] */
5807 s[i] = new_stmt(BPF_LD|BPF_MEM);
5808 s[i]->s.k = reg2;
5809 i++;
5810
5811 /* goto again; (must use BPF_JA for backward jump) */
5812 s[i] = new_stmt(BPF_JMP|BPF_JA);
5813 s[i]->s.k = again - i - 1;
5814 i++;
5815
5816 /* end: nop */
5817 end = i;
5818 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5819 s[i]->s.k = 0;
5820 s[fix2]->s.jt = s[end];
5821 s[fix4]->s.jf = s[end];
5822 s[fix5]->s.jt = s[end];
5823 i++;
5824
5825 /*
5826 * make slist chain
5827 */
5828 max = i;
5829 for (i = 0; i < max - 1; i++)
5830 s[i]->next = s[i + 1];
5831 s[max - 1]->next = NULL;
5832
5833 /*
5834 * emit final check
5835 */
5836 b = new_block(JMP(BPF_JEQ));
5837 b->stmts = s[1]; /*remember, s[0] is dummy*/
5838 b->s.k = v;
5839
5840 free_reg(reg2);
5841
5842 gen_and(b0, b);
5843 return b;
5844 #endif
5845 }
5846
5847 static struct block *
gen_check_802_11_data_frame()5848 gen_check_802_11_data_frame()
5849 {
5850 struct slist *s;
5851 struct block *b0, *b1;
5852
5853 /*
5854 * A data frame has the 0x08 bit (b3) in the frame control field set
5855 * and the 0x04 bit (b2) clear.
5856 */
5857 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
5858 b0 = new_block(JMP(BPF_JSET));
5859 b0->s.k = 0x08;
5860 b0->stmts = s;
5861
5862 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
5863 b1 = new_block(JMP(BPF_JSET));
5864 b1->s.k = 0x04;
5865 b1->stmts = s;
5866 gen_not(b1);
5867
5868 gen_and(b1, b0);
5869
5870 return b0;
5871 }
5872
5873 /*
5874 * Generate code that checks whether the packet is a packet for protocol
5875 * <proto> and whether the type field in that protocol's header has
5876 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5877 * IP packet and checks the protocol number in the IP header against <v>.
5878 *
5879 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5880 * against Q_IP and Q_IPV6.
5881 */
5882 static struct block *
gen_proto(v,proto,dir)5883 gen_proto(v, proto, dir)
5884 int v;
5885 int proto;
5886 int dir;
5887 {
5888 struct block *b0, *b1;
5889 #ifndef CHASE_CHAIN
5890 struct block *b2;
5891 #endif
5892
5893 if (dir != Q_DEFAULT)
5894 bpf_error("direction applied to 'proto'");
5895
5896 switch (proto) {
5897 case Q_DEFAULT:
5898 b0 = gen_proto(v, Q_IP, dir);
5899 b1 = gen_proto(v, Q_IPV6, dir);
5900 gen_or(b0, b1);
5901 return b1;
5902
5903 case Q_IP:
5904 /*
5905 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5906 * not LLC encapsulation with LLCSAP_IP.
5907 *
5908 * For IEEE 802 networks - which includes 802.5 token ring
5909 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5910 * says that SNAP encapsulation is used, not LLC encapsulation
5911 * with LLCSAP_IP.
5912 *
5913 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5914 * RFC 2225 say that SNAP encapsulation is used, not LLC
5915 * encapsulation with LLCSAP_IP.
5916 *
5917 * So we always check for ETHERTYPE_IP.
5918 */
5919 b0 = gen_linktype(ETHERTYPE_IP);
5920 #ifndef CHASE_CHAIN
5921 b1 = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)v);
5922 #else
5923 b1 = gen_protochain(v, Q_IP);
5924 #endif
5925 gen_and(b0, b1);
5926 return b1;
5927
5928 case Q_ISO:
5929 switch (linktype) {
5930
5931 case DLT_FRELAY:
5932 /*
5933 * Frame Relay packets typically have an OSI
5934 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5935 * generates code to check for all the OSI
5936 * NLPIDs, so calling it and then adding a check
5937 * for the particular NLPID for which we're
5938 * looking is bogus, as we can just check for
5939 * the NLPID.
5940 *
5941 * What we check for is the NLPID and a frame
5942 * control field value of UI, i.e. 0x03 followed
5943 * by the NLPID.
5944 *
5945 * XXX - assumes a 2-byte Frame Relay header with
5946 * DLCI and flags. What if the address is longer?
5947 *
5948 * XXX - what about SNAP-encapsulated frames?
5949 */
5950 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
5951 /*NOTREACHED*/
5952 break;
5953
5954 case DLT_C_HDLC:
5955 /*
5956 * Cisco uses an Ethertype lookalike - for OSI,
5957 * it's 0xfefe.
5958 */
5959 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5960 /* OSI in C-HDLC is stuffed with a fudge byte */
5961 b1 = gen_cmp(OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
5962 gen_and(b0, b1);
5963 return b1;
5964
5965 default:
5966 b0 = gen_linktype(LLCSAP_ISONS);
5967 b1 = gen_cmp(OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
5968 gen_and(b0, b1);
5969 return b1;
5970 }
5971
5972 case Q_ISIS:
5973 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5974 /*
5975 * 4 is the offset of the PDU type relative to the IS-IS
5976 * header.
5977 */
5978 b1 = gen_cmp(OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
5979 gen_and(b0, b1);
5980 return b1;
5981
5982 case Q_ARP:
5983 bpf_error("arp does not encapsulate another protocol");
5984 /* NOTREACHED */
5985
5986 case Q_RARP:
5987 bpf_error("rarp does not encapsulate another protocol");
5988 /* NOTREACHED */
5989
5990 case Q_ATALK:
5991 bpf_error("atalk encapsulation is not specifiable");
5992 /* NOTREACHED */
5993
5994 case Q_DECNET:
5995 bpf_error("decnet encapsulation is not specifiable");
5996 /* NOTREACHED */
5997
5998 case Q_SCA:
5999 bpf_error("sca does not encapsulate another protocol");
6000 /* NOTREACHED */
6001
6002 case Q_LAT:
6003 bpf_error("lat does not encapsulate another protocol");
6004 /* NOTREACHED */
6005
6006 case Q_MOPRC:
6007 bpf_error("moprc does not encapsulate another protocol");
6008 /* NOTREACHED */
6009
6010 case Q_MOPDL:
6011 bpf_error("mopdl does not encapsulate another protocol");
6012 /* NOTREACHED */
6013
6014 case Q_LINK:
6015 return gen_linktype(v);
6016
6017 case Q_UDP:
6018 bpf_error("'udp proto' is bogus");
6019 /* NOTREACHED */
6020
6021 case Q_TCP:
6022 bpf_error("'tcp proto' is bogus");
6023 /* NOTREACHED */
6024
6025 case Q_SCTP:
6026 bpf_error("'sctp proto' is bogus");
6027 /* NOTREACHED */
6028
6029 case Q_ICMP:
6030 bpf_error("'icmp proto' is bogus");
6031 /* NOTREACHED */
6032
6033 case Q_IGMP:
6034 bpf_error("'igmp proto' is bogus");
6035 /* NOTREACHED */
6036
6037 case Q_IGRP:
6038 bpf_error("'igrp proto' is bogus");
6039 /* NOTREACHED */
6040
6041 case Q_PIM:
6042 bpf_error("'pim proto' is bogus");
6043 /* NOTREACHED */
6044
6045 case Q_VRRP:
6046 bpf_error("'vrrp proto' is bogus");
6047 /* NOTREACHED */
6048
6049 case Q_CARP:
6050 bpf_error("'carp proto' is bogus");
6051 /* NOTREACHED */
6052
6053 case Q_IPV6:
6054 b0 = gen_linktype(ETHERTYPE_IPV6);
6055 #ifndef CHASE_CHAIN
6056 /*
6057 * Also check for a fragment header before the final
6058 * header.
6059 */
6060 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6061 b1 = gen_cmp(OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6062 gen_and(b2, b1);
6063 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6064 gen_or(b2, b1);
6065 #else
6066 b1 = gen_protochain(v, Q_IPV6);
6067 #endif
6068 gen_and(b0, b1);
6069 return b1;
6070
6071 case Q_ICMPV6:
6072 bpf_error("'icmp6 proto' is bogus");
6073
6074 case Q_AH:
6075 bpf_error("'ah proto' is bogus");
6076
6077 case Q_ESP:
6078 bpf_error("'ah proto' is bogus");
6079
6080 case Q_STP:
6081 bpf_error("'stp proto' is bogus");
6082
6083 case Q_IPX:
6084 bpf_error("'ipx proto' is bogus");
6085
6086 case Q_NETBEUI:
6087 bpf_error("'netbeui proto' is bogus");
6088
6089 case Q_RADIO:
6090 bpf_error("'radio proto' is bogus");
6091
6092 default:
6093 abort();
6094 /* NOTREACHED */
6095 }
6096 /* NOTREACHED */
6097 }
6098
6099 struct block *
gen_scode(name,q)6100 gen_scode(name, q)
6101 register const char *name;
6102 struct qual q;
6103 {
6104 int proto = q.proto;
6105 int dir = q.dir;
6106 int tproto;
6107 u_char *eaddr;
6108 bpf_u_int32 mask, addr;
6109 #ifndef INET6
6110 bpf_u_int32 **alist;
6111 #else
6112 int tproto6;
6113 struct sockaddr_in *sin4;
6114 struct sockaddr_in6 *sin6;
6115 struct addrinfo *res, *res0;
6116 struct in6_addr mask128;
6117 #endif /*INET6*/
6118 struct block *b, *tmp;
6119 int port, real_proto;
6120 int port1, port2;
6121
6122 switch (q.addr) {
6123
6124 case Q_NET:
6125 addr = pcap_nametonetaddr(name);
6126 if (addr == 0)
6127 bpf_error("unknown network '%s'", name);
6128 /* Left justify network addr and calculate its network mask */
6129 mask = 0xffffffff;
6130 while (addr && (addr & 0xff000000) == 0) {
6131 addr <<= 8;
6132 mask <<= 8;
6133 }
6134 return gen_host(addr, mask, proto, dir, q.addr);
6135
6136 case Q_DEFAULT:
6137 case Q_HOST:
6138 if (proto == Q_LINK) {
6139 switch (linktype) {
6140
6141 case DLT_EN10MB:
6142 case DLT_NETANALYZER:
6143 case DLT_NETANALYZER_TRANSPARENT:
6144 eaddr = pcap_ether_hostton(name);
6145 if (eaddr == NULL)
6146 bpf_error(
6147 "unknown ether host '%s'", name);
6148 tmp = gen_prevlinkhdr_check();
6149 b = gen_ehostop(eaddr, dir);
6150 if (tmp != NULL)
6151 gen_and(tmp, b);
6152 free(eaddr);
6153 return b;
6154
6155 case DLT_FDDI:
6156 eaddr = pcap_ether_hostton(name);
6157 if (eaddr == NULL)
6158 bpf_error(
6159 "unknown FDDI host '%s'", name);
6160 b = gen_fhostop(eaddr, dir);
6161 free(eaddr);
6162 return b;
6163
6164 case DLT_IEEE802:
6165 eaddr = pcap_ether_hostton(name);
6166 if (eaddr == NULL)
6167 bpf_error(
6168 "unknown token ring host '%s'", name);
6169 b = gen_thostop(eaddr, dir);
6170 free(eaddr);
6171 return b;
6172
6173 case DLT_IEEE802_11:
6174 case DLT_PRISM_HEADER:
6175 case DLT_IEEE802_11_RADIO_AVS:
6176 case DLT_IEEE802_11_RADIO:
6177 case DLT_PPI:
6178 eaddr = pcap_ether_hostton(name);
6179 if (eaddr == NULL)
6180 bpf_error(
6181 "unknown 802.11 host '%s'", name);
6182 b = gen_wlanhostop(eaddr, dir);
6183 free(eaddr);
6184 return b;
6185
6186 case DLT_IP_OVER_FC:
6187 eaddr = pcap_ether_hostton(name);
6188 if (eaddr == NULL)
6189 bpf_error(
6190 "unknown Fibre Channel host '%s'", name);
6191 b = gen_ipfchostop(eaddr, dir);
6192 free(eaddr);
6193 return b;
6194 }
6195
6196 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6197 } else if (proto == Q_DECNET) {
6198 unsigned short dn_addr = __pcap_nametodnaddr(name);
6199 /*
6200 * I don't think DECNET hosts can be multihomed, so
6201 * there is no need to build up a list of addresses
6202 */
6203 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6204 } else {
6205 #ifndef INET6
6206 alist = pcap_nametoaddr(name);
6207 if (alist == NULL || *alist == NULL)
6208 bpf_error("unknown host '%s'", name);
6209 tproto = proto;
6210 if (off_linktype.constant_part == (u_int)-1 &&
6211 tproto == Q_DEFAULT)
6212 tproto = Q_IP;
6213 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6214 while (*alist) {
6215 tmp = gen_host(**alist++, 0xffffffff,
6216 tproto, dir, q.addr);
6217 gen_or(b, tmp);
6218 b = tmp;
6219 }
6220 return b;
6221 #else
6222 memset(&mask128, 0xff, sizeof(mask128));
6223 res0 = res = pcap_nametoaddrinfo(name);
6224 if (res == NULL)
6225 bpf_error("unknown host '%s'", name);
6226 ai = res;
6227 b = tmp = NULL;
6228 tproto = tproto6 = proto;
6229 if (off_linktype.constant_part == (u_int)-1 &&
6230 tproto == Q_DEFAULT) {
6231 tproto = Q_IP;
6232 tproto6 = Q_IPV6;
6233 }
6234 for (res = res0; res; res = res->ai_next) {
6235 switch (res->ai_family) {
6236 case AF_INET:
6237 if (tproto == Q_IPV6)
6238 continue;
6239
6240 sin4 = (struct sockaddr_in *)
6241 res->ai_addr;
6242 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6243 0xffffffff, tproto, dir, q.addr);
6244 break;
6245 case AF_INET6:
6246 if (tproto6 == Q_IP)
6247 continue;
6248
6249 sin6 = (struct sockaddr_in6 *)
6250 res->ai_addr;
6251 tmp = gen_host6(&sin6->sin6_addr,
6252 &mask128, tproto6, dir, q.addr);
6253 break;
6254 default:
6255 continue;
6256 }
6257 if (b)
6258 gen_or(b, tmp);
6259 b = tmp;
6260 }
6261 ai = NULL;
6262 freeaddrinfo(res0);
6263 if (b == NULL) {
6264 bpf_error("unknown host '%s'%s", name,
6265 (proto == Q_DEFAULT)
6266 ? ""
6267 : " for specified address family");
6268 }
6269 return b;
6270 #endif /*INET6*/
6271 }
6272
6273 case Q_PORT:
6274 if (proto != Q_DEFAULT &&
6275 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6276 bpf_error("illegal qualifier of 'port'");
6277 if (pcap_nametoport(name, &port, &real_proto) == 0)
6278 bpf_error("unknown port '%s'", name);
6279 if (proto == Q_UDP) {
6280 if (real_proto == IPPROTO_TCP)
6281 bpf_error("port '%s' is tcp", name);
6282 else if (real_proto == IPPROTO_SCTP)
6283 bpf_error("port '%s' is sctp", name);
6284 else
6285 /* override PROTO_UNDEF */
6286 real_proto = IPPROTO_UDP;
6287 }
6288 if (proto == Q_TCP) {
6289 if (real_proto == IPPROTO_UDP)
6290 bpf_error("port '%s' is udp", name);
6291
6292 else if (real_proto == IPPROTO_SCTP)
6293 bpf_error("port '%s' is sctp", name);
6294 else
6295 /* override PROTO_UNDEF */
6296 real_proto = IPPROTO_TCP;
6297 }
6298 if (proto == Q_SCTP) {
6299 if (real_proto == IPPROTO_UDP)
6300 bpf_error("port '%s' is udp", name);
6301
6302 else if (real_proto == IPPROTO_TCP)
6303 bpf_error("port '%s' is tcp", name);
6304 else
6305 /* override PROTO_UNDEF */
6306 real_proto = IPPROTO_SCTP;
6307 }
6308 if (port < 0)
6309 bpf_error("illegal port number %d < 0", port);
6310 if (port > 65535)
6311 bpf_error("illegal port number %d > 65535", port);
6312 b = gen_port(port, real_proto, dir);
6313 gen_or(gen_port6(port, real_proto, dir), b);
6314 return b;
6315
6316 case Q_PORTRANGE:
6317 if (proto != Q_DEFAULT &&
6318 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6319 bpf_error("illegal qualifier of 'portrange'");
6320 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6321 bpf_error("unknown port in range '%s'", name);
6322 if (proto == Q_UDP) {
6323 if (real_proto == IPPROTO_TCP)
6324 bpf_error("port in range '%s' is tcp", name);
6325 else if (real_proto == IPPROTO_SCTP)
6326 bpf_error("port in range '%s' is sctp", name);
6327 else
6328 /* override PROTO_UNDEF */
6329 real_proto = IPPROTO_UDP;
6330 }
6331 if (proto == Q_TCP) {
6332 if (real_proto == IPPROTO_UDP)
6333 bpf_error("port in range '%s' is udp", name);
6334 else if (real_proto == IPPROTO_SCTP)
6335 bpf_error("port in range '%s' is sctp", name);
6336 else
6337 /* override PROTO_UNDEF */
6338 real_proto = IPPROTO_TCP;
6339 }
6340 if (proto == Q_SCTP) {
6341 if (real_proto == IPPROTO_UDP)
6342 bpf_error("port in range '%s' is udp", name);
6343 else if (real_proto == IPPROTO_TCP)
6344 bpf_error("port in range '%s' is tcp", name);
6345 else
6346 /* override PROTO_UNDEF */
6347 real_proto = IPPROTO_SCTP;
6348 }
6349 if (port1 < 0)
6350 bpf_error("illegal port number %d < 0", port1);
6351 if (port1 > 65535)
6352 bpf_error("illegal port number %d > 65535", port1);
6353 if (port2 < 0)
6354 bpf_error("illegal port number %d < 0", port2);
6355 if (port2 > 65535)
6356 bpf_error("illegal port number %d > 65535", port2);
6357
6358 b = gen_portrange(port1, port2, real_proto, dir);
6359 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6360 return b;
6361
6362 case Q_GATEWAY:
6363 #ifndef INET6
6364 eaddr = pcap_ether_hostton(name);
6365 if (eaddr == NULL)
6366 bpf_error("unknown ether host: %s", name);
6367
6368 alist = pcap_nametoaddr(name);
6369 if (alist == NULL || *alist == NULL)
6370 bpf_error("unknown host '%s'", name);
6371 b = gen_gateway(eaddr, alist, proto, dir);
6372 free(eaddr);
6373 return b;
6374 #else
6375 bpf_error("'gateway' not supported in this configuration");
6376 #endif /*INET6*/
6377
6378 case Q_PROTO:
6379 real_proto = lookup_proto(name, proto);
6380 if (real_proto >= 0)
6381 return gen_proto(real_proto, proto, dir);
6382 else
6383 bpf_error("unknown protocol: %s", name);
6384
6385 case Q_PROTOCHAIN:
6386 real_proto = lookup_proto(name, proto);
6387 if (real_proto >= 0)
6388 return gen_protochain(real_proto, proto, dir);
6389 else
6390 bpf_error("unknown protocol: %s", name);
6391
6392 case Q_UNDEF:
6393 syntax();
6394 /* NOTREACHED */
6395 }
6396 abort();
6397 /* NOTREACHED */
6398 }
6399
6400 struct block *
gen_mcode(s1,s2,masklen,q)6401 gen_mcode(s1, s2, masklen, q)
6402 register const char *s1, *s2;
6403 register unsigned int masklen;
6404 struct qual q;
6405 {
6406 register int nlen, mlen;
6407 bpf_u_int32 n, m;
6408
6409 nlen = __pcap_atoin(s1, &n);
6410 /* Promote short ipaddr */
6411 n <<= 32 - nlen;
6412
6413 if (s2 != NULL) {
6414 mlen = __pcap_atoin(s2, &m);
6415 /* Promote short ipaddr */
6416 m <<= 32 - mlen;
6417 if ((n & ~m) != 0)
6418 bpf_error("non-network bits set in \"%s mask %s\"",
6419 s1, s2);
6420 } else {
6421 /* Convert mask len to mask */
6422 if (masklen > 32)
6423 bpf_error("mask length must be <= 32");
6424 if (masklen == 0) {
6425 /*
6426 * X << 32 is not guaranteed by C to be 0; it's
6427 * undefined.
6428 */
6429 m = 0;
6430 } else
6431 m = 0xffffffff << (32 - masklen);
6432 if ((n & ~m) != 0)
6433 bpf_error("non-network bits set in \"%s/%d\"",
6434 s1, masklen);
6435 }
6436
6437 switch (q.addr) {
6438
6439 case Q_NET:
6440 return gen_host(n, m, q.proto, q.dir, q.addr);
6441
6442 default:
6443 bpf_error("Mask syntax for networks only");
6444 /* NOTREACHED */
6445 }
6446 /* NOTREACHED */
6447 return NULL;
6448 }
6449
6450 struct block *
gen_ncode(s,v,q)6451 gen_ncode(s, v, q)
6452 register const char *s;
6453 bpf_u_int32 v;
6454 struct qual q;
6455 {
6456 bpf_u_int32 mask;
6457 int proto = q.proto;
6458 int dir = q.dir;
6459 register int vlen;
6460
6461 if (s == NULL)
6462 vlen = 32;
6463 else if (q.proto == Q_DECNET)
6464 vlen = __pcap_atodn(s, &v);
6465 else
6466 vlen = __pcap_atoin(s, &v);
6467
6468 switch (q.addr) {
6469
6470 case Q_DEFAULT:
6471 case Q_HOST:
6472 case Q_NET:
6473 if (proto == Q_DECNET)
6474 return gen_host(v, 0, proto, dir, q.addr);
6475 else if (proto == Q_LINK) {
6476 bpf_error("illegal link layer address");
6477 } else {
6478 mask = 0xffffffff;
6479 if (s == NULL && q.addr == Q_NET) {
6480 /* Promote short net number */
6481 while (v && (v & 0xff000000) == 0) {
6482 v <<= 8;
6483 mask <<= 8;
6484 }
6485 } else {
6486 /* Promote short ipaddr */
6487 v <<= 32 - vlen;
6488 mask <<= 32 - vlen;
6489 }
6490 return gen_host(v, mask, proto, dir, q.addr);
6491 }
6492
6493 case Q_PORT:
6494 if (proto == Q_UDP)
6495 proto = IPPROTO_UDP;
6496 else if (proto == Q_TCP)
6497 proto = IPPROTO_TCP;
6498 else if (proto == Q_SCTP)
6499 proto = IPPROTO_SCTP;
6500 else if (proto == Q_DEFAULT)
6501 proto = PROTO_UNDEF;
6502 else
6503 bpf_error("illegal qualifier of 'port'");
6504
6505 if (v > 65535)
6506 bpf_error("illegal port number %u > 65535", v);
6507
6508 {
6509 struct block *b;
6510 b = gen_port((int)v, proto, dir);
6511 gen_or(gen_port6((int)v, proto, dir), b);
6512 return b;
6513 }
6514
6515 case Q_PORTRANGE:
6516 if (proto == Q_UDP)
6517 proto = IPPROTO_UDP;
6518 else if (proto == Q_TCP)
6519 proto = IPPROTO_TCP;
6520 else if (proto == Q_SCTP)
6521 proto = IPPROTO_SCTP;
6522 else if (proto == Q_DEFAULT)
6523 proto = PROTO_UNDEF;
6524 else
6525 bpf_error("illegal qualifier of 'portrange'");
6526
6527 if (v > 65535)
6528 bpf_error("illegal port number %u > 65535", v);
6529
6530 {
6531 struct block *b;
6532 b = gen_portrange((int)v, (int)v, proto, dir);
6533 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6534 return b;
6535 }
6536
6537 case Q_GATEWAY:
6538 bpf_error("'gateway' requires a name");
6539 /* NOTREACHED */
6540
6541 case Q_PROTO:
6542 return gen_proto((int)v, proto, dir);
6543
6544 case Q_PROTOCHAIN:
6545 return gen_protochain((int)v, proto, dir);
6546
6547 case Q_UNDEF:
6548 syntax();
6549 /* NOTREACHED */
6550
6551 default:
6552 abort();
6553 /* NOTREACHED */
6554 }
6555 /* NOTREACHED */
6556 }
6557
6558 #ifdef INET6
6559 struct block *
gen_mcode6(s1,s2,masklen,q)6560 gen_mcode6(s1, s2, masklen, q)
6561 register const char *s1, *s2;
6562 register unsigned int masklen;
6563 struct qual q;
6564 {
6565 struct addrinfo *res;
6566 struct in6_addr *addr;
6567 struct in6_addr mask;
6568 struct block *b;
6569 u_int32_t *a, *m;
6570
6571 if (s2)
6572 bpf_error("no mask %s supported", s2);
6573
6574 res = pcap_nametoaddrinfo(s1);
6575 if (!res)
6576 bpf_error("invalid ip6 address %s", s1);
6577 ai = res;
6578 if (res->ai_next)
6579 bpf_error("%s resolved to multiple address", s1);
6580 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6581
6582 if ((int)sizeof(mask) * 8 < masklen)
6583 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6584 memset(&mask, 0, sizeof(mask));
6585 memset(&mask, 0xff, masklen / 8);
6586 if (masklen % 8) {
6587 mask.s6_addr[masklen / 8] =
6588 (0xff << (8 - masklen % 8)) & 0xff;
6589 }
6590
6591 a = (u_int32_t *)addr;
6592 m = (u_int32_t *)&mask;
6593 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6594 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6595 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6596 }
6597
6598 switch (q.addr) {
6599
6600 case Q_DEFAULT:
6601 case Q_HOST:
6602 if (masklen != 128)
6603 bpf_error("Mask syntax for networks only");
6604 /* FALLTHROUGH */
6605
6606 case Q_NET:
6607 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6608 ai = NULL;
6609 freeaddrinfo(res);
6610 return b;
6611
6612 default:
6613 bpf_error("invalid qualifier against IPv6 address");
6614 /* NOTREACHED */
6615 }
6616 return NULL;
6617 }
6618 #endif /*INET6*/
6619
6620 struct block *
gen_ecode(eaddr,q)6621 gen_ecode(eaddr, q)
6622 register const u_char *eaddr;
6623 struct qual q;
6624 {
6625 struct block *b, *tmp;
6626
6627 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6628 switch (linktype) {
6629 case DLT_EN10MB:
6630 case DLT_NETANALYZER:
6631 case DLT_NETANALYZER_TRANSPARENT:
6632 tmp = gen_prevlinkhdr_check();
6633 b = gen_ehostop(eaddr, (int)q.dir);
6634 if (tmp != NULL)
6635 gen_and(tmp, b);
6636 return b;
6637 case DLT_FDDI:
6638 return gen_fhostop(eaddr, (int)q.dir);
6639 case DLT_IEEE802:
6640 return gen_thostop(eaddr, (int)q.dir);
6641 case DLT_IEEE802_11:
6642 case DLT_PRISM_HEADER:
6643 case DLT_IEEE802_11_RADIO_AVS:
6644 case DLT_IEEE802_11_RADIO:
6645 case DLT_PPI:
6646 return gen_wlanhostop(eaddr, (int)q.dir);
6647 case DLT_IP_OVER_FC:
6648 return gen_ipfchostop(eaddr, (int)q.dir);
6649 default:
6650 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6651 break;
6652 }
6653 }
6654 bpf_error("ethernet address used in non-ether expression");
6655 /* NOTREACHED */
6656 return NULL;
6657 }
6658
6659 void
sappend(s0,s1)6660 sappend(s0, s1)
6661 struct slist *s0, *s1;
6662 {
6663 /*
6664 * This is definitely not the best way to do this, but the
6665 * lists will rarely get long.
6666 */
6667 while (s0->next)
6668 s0 = s0->next;
6669 s0->next = s1;
6670 }
6671
6672 static struct slist *
xfer_to_x(a)6673 xfer_to_x(a)
6674 struct arth *a;
6675 {
6676 struct slist *s;
6677
6678 s = new_stmt(BPF_LDX|BPF_MEM);
6679 s->s.k = a->regno;
6680 return s;
6681 }
6682
6683 static struct slist *
xfer_to_a(a)6684 xfer_to_a(a)
6685 struct arth *a;
6686 {
6687 struct slist *s;
6688
6689 s = new_stmt(BPF_LD|BPF_MEM);
6690 s->s.k = a->regno;
6691 return s;
6692 }
6693
6694 /*
6695 * Modify "index" to use the value stored into its register as an
6696 * offset relative to the beginning of the header for the protocol
6697 * "proto", and allocate a register and put an item "size" bytes long
6698 * (1, 2, or 4) at that offset into that register, making it the register
6699 * for "index".
6700 */
6701 struct arth *
gen_load(proto,inst,size)6702 gen_load(proto, inst, size)
6703 int proto;
6704 struct arth *inst;
6705 int size;
6706 {
6707 struct slist *s, *tmp;
6708 struct block *b;
6709 int regno = alloc_reg();
6710
6711 free_reg(inst->regno);
6712 switch (size) {
6713
6714 default:
6715 bpf_error("data size must be 1, 2, or 4");
6716
6717 case 1:
6718 size = BPF_B;
6719 break;
6720
6721 case 2:
6722 size = BPF_H;
6723 break;
6724
6725 case 4:
6726 size = BPF_W;
6727 break;
6728 }
6729 switch (proto) {
6730 default:
6731 bpf_error("unsupported index operation");
6732
6733 case Q_RADIO:
6734 /*
6735 * The offset is relative to the beginning of the packet
6736 * data, if we have a radio header. (If we don't, this
6737 * is an error.)
6738 */
6739 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6740 linktype != DLT_IEEE802_11_RADIO &&
6741 linktype != DLT_PRISM_HEADER)
6742 bpf_error("radio information not present in capture");
6743
6744 /*
6745 * Load into the X register the offset computed into the
6746 * register specified by "index".
6747 */
6748 s = xfer_to_x(inst);
6749
6750 /*
6751 * Load the item at that offset.
6752 */
6753 tmp = new_stmt(BPF_LD|BPF_IND|size);
6754 sappend(s, tmp);
6755 sappend(inst->s, s);
6756 break;
6757
6758 case Q_LINK:
6759 /*
6760 * The offset is relative to the beginning of
6761 * the link-layer header.
6762 *
6763 * XXX - what about ATM LANE? Should the index be
6764 * relative to the beginning of the AAL5 frame, so
6765 * that 0 refers to the beginning of the LE Control
6766 * field, or relative to the beginning of the LAN
6767 * frame, so that 0 refers, for Ethernet LANE, to
6768 * the beginning of the destination address?
6769 */
6770 s = gen_abs_offset_varpart(&off_linkhdr);
6771
6772 /*
6773 * If "s" is non-null, it has code to arrange that the
6774 * X register contains the length of the prefix preceding
6775 * the link-layer header. Add to it the offset computed
6776 * into the register specified by "index", and move that
6777 * into the X register. Otherwise, just load into the X
6778 * register the offset computed into the register specified
6779 * by "index".
6780 */
6781 if (s != NULL) {
6782 sappend(s, xfer_to_a(inst));
6783 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6784 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6785 } else
6786 s = xfer_to_x(inst);
6787
6788 /*
6789 * Load the item at the sum of the offset we've put in the
6790 * X register and the offset of the start of the link
6791 * layer header (which is 0 if the radio header is
6792 * variable-length; that header length is what we put
6793 * into the X register and then added to the index).
6794 */
6795 tmp = new_stmt(BPF_LD|BPF_IND|size);
6796 tmp->s.k = off_linkhdr.constant_part;
6797 sappend(s, tmp);
6798 sappend(inst->s, s);
6799 break;
6800
6801 case Q_IP:
6802 case Q_ARP:
6803 case Q_RARP:
6804 case Q_ATALK:
6805 case Q_DECNET:
6806 case Q_SCA:
6807 case Q_LAT:
6808 case Q_MOPRC:
6809 case Q_MOPDL:
6810 case Q_IPV6:
6811 /*
6812 * The offset is relative to the beginning of
6813 * the network-layer header.
6814 * XXX - are there any cases where we want
6815 * off_nl_nosnap?
6816 */
6817 s = gen_abs_offset_varpart(&off_linkpl);
6818
6819 /*
6820 * If "s" is non-null, it has code to arrange that the
6821 * X register contains the variable part of the offset
6822 * of the link-layer payload. Add to it the offset
6823 * computed into the register specified by "index",
6824 * and move that into the X register. Otherwise, just
6825 * load into the X register the offset computed into
6826 * the register specified by "index".
6827 */
6828 if (s != NULL) {
6829 sappend(s, xfer_to_a(inst));
6830 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6831 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6832 } else
6833 s = xfer_to_x(inst);
6834
6835 /*
6836 * Load the item at the sum of the offset we've put in the
6837 * X register, the offset of the start of the network
6838 * layer header from the beginning of the link-layer
6839 * payload, and the constant part of the offset of the
6840 * start of the link-layer payload.
6841 */
6842 tmp = new_stmt(BPF_LD|BPF_IND|size);
6843 tmp->s.k = off_linkpl.constant_part + off_nl;
6844 sappend(s, tmp);
6845 sappend(inst->s, s);
6846
6847 /*
6848 * Do the computation only if the packet contains
6849 * the protocol in question.
6850 */
6851 b = gen_proto_abbrev(proto);
6852 if (inst->b)
6853 gen_and(inst->b, b);
6854 inst->b = b;
6855 break;
6856
6857 case Q_SCTP:
6858 case Q_TCP:
6859 case Q_UDP:
6860 case Q_ICMP:
6861 case Q_IGMP:
6862 case Q_IGRP:
6863 case Q_PIM:
6864 case Q_VRRP:
6865 case Q_CARP:
6866 /*
6867 * The offset is relative to the beginning of
6868 * the transport-layer header.
6869 *
6870 * Load the X register with the length of the IPv4 header
6871 * (plus the offset of the link-layer header, if it's
6872 * a variable-length header), in bytes.
6873 *
6874 * XXX - are there any cases where we want
6875 * off_nl_nosnap?
6876 * XXX - we should, if we're built with
6877 * IPv6 support, generate code to load either
6878 * IPv4, IPv6, or both, as appropriate.
6879 */
6880 s = gen_loadx_iphdrlen();
6881
6882 /*
6883 * The X register now contains the sum of the variable
6884 * part of the offset of the link-layer payload and the
6885 * length of the network-layer header.
6886 *
6887 * Load into the A register the offset relative to
6888 * the beginning of the transport layer header,
6889 * add the X register to that, move that to the
6890 * X register, and load with an offset from the
6891 * X register equal to the sum of the constant part of
6892 * the offset of the link-layer payload and the offset,
6893 * relative to the beginning of the link-layer payload,
6894 * of the network-layer header.
6895 */
6896 sappend(s, xfer_to_a(inst));
6897 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6898 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6899 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6900 tmp->s.k = off_linkpl.constant_part + off_nl;
6901 sappend(inst->s, s);
6902
6903 /*
6904 * Do the computation only if the packet contains
6905 * the protocol in question - which is true only
6906 * if this is an IP datagram and is the first or
6907 * only fragment of that datagram.
6908 */
6909 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6910 if (inst->b)
6911 gen_and(inst->b, b);
6912 gen_and(gen_proto_abbrev(Q_IP), b);
6913 inst->b = b;
6914 break;
6915 case Q_ICMPV6:
6916 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6917 /*NOTREACHED*/
6918 }
6919 inst->regno = regno;
6920 s = new_stmt(BPF_ST);
6921 s->s.k = regno;
6922 sappend(inst->s, s);
6923
6924 return inst;
6925 }
6926
6927 struct block *
gen_relation(code,a0,a1,reversed)6928 gen_relation(code, a0, a1, reversed)
6929 int code;
6930 struct arth *a0, *a1;
6931 int reversed;
6932 {
6933 struct slist *s0, *s1, *s2;
6934 struct block *b, *tmp;
6935
6936 s0 = xfer_to_x(a1);
6937 s1 = xfer_to_a(a0);
6938 if (code == BPF_JEQ) {
6939 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6940 b = new_block(JMP(code));
6941 sappend(s1, s2);
6942 }
6943 else
6944 b = new_block(BPF_JMP|code|BPF_X);
6945 if (reversed)
6946 gen_not(b);
6947
6948 sappend(s0, s1);
6949 sappend(a1->s, s0);
6950 sappend(a0->s, a1->s);
6951
6952 b->stmts = a0->s;
6953
6954 free_reg(a0->regno);
6955 free_reg(a1->regno);
6956
6957 /* 'and' together protocol checks */
6958 if (a0->b) {
6959 if (a1->b) {
6960 gen_and(a0->b, tmp = a1->b);
6961 }
6962 else
6963 tmp = a0->b;
6964 } else
6965 tmp = a1->b;
6966
6967 if (tmp)
6968 gen_and(tmp, b);
6969
6970 return b;
6971 }
6972
6973 struct arth *
gen_loadlen()6974 gen_loadlen()
6975 {
6976 int regno = alloc_reg();
6977 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6978 struct slist *s;
6979
6980 s = new_stmt(BPF_LD|BPF_LEN);
6981 s->next = new_stmt(BPF_ST);
6982 s->next->s.k = regno;
6983 a->s = s;
6984 a->regno = regno;
6985
6986 return a;
6987 }
6988
6989 struct arth *
gen_loadi(val)6990 gen_loadi(val)
6991 int val;
6992 {
6993 struct arth *a;
6994 struct slist *s;
6995 int reg;
6996
6997 a = (struct arth *)newchunk(sizeof(*a));
6998
6999 reg = alloc_reg();
7000
7001 s = new_stmt(BPF_LD|BPF_IMM);
7002 s->s.k = val;
7003 s->next = new_stmt(BPF_ST);
7004 s->next->s.k = reg;
7005 a->s = s;
7006 a->regno = reg;
7007
7008 return a;
7009 }
7010
7011 struct arth *
gen_neg(a)7012 gen_neg(a)
7013 struct arth *a;
7014 {
7015 struct slist *s;
7016
7017 s = xfer_to_a(a);
7018 sappend(a->s, s);
7019 s = new_stmt(BPF_ALU|BPF_NEG);
7020 s->s.k = 0;
7021 sappend(a->s, s);
7022 s = new_stmt(BPF_ST);
7023 s->s.k = a->regno;
7024 sappend(a->s, s);
7025
7026 return a;
7027 }
7028
7029 struct arth *
gen_arth(code,a0,a1)7030 gen_arth(code, a0, a1)
7031 int code;
7032 struct arth *a0, *a1;
7033 {
7034 struct slist *s0, *s1, *s2;
7035
7036 s0 = xfer_to_x(a1);
7037 s1 = xfer_to_a(a0);
7038 s2 = new_stmt(BPF_ALU|BPF_X|code);
7039
7040 sappend(s1, s2);
7041 sappend(s0, s1);
7042 sappend(a1->s, s0);
7043 sappend(a0->s, a1->s);
7044
7045 free_reg(a0->regno);
7046 free_reg(a1->regno);
7047
7048 s0 = new_stmt(BPF_ST);
7049 a0->regno = s0->s.k = alloc_reg();
7050 sappend(a0->s, s0);
7051
7052 return a0;
7053 }
7054
7055 /*
7056 * Here we handle simple allocation of the scratch registers.
7057 * If too many registers are alloc'd, the allocator punts.
7058 */
7059 static int regused[BPF_MEMWORDS];
7060 static int curreg;
7061
7062 /*
7063 * Initialize the table of used registers and the current register.
7064 */
7065 static void
init_regs()7066 init_regs()
7067 {
7068 curreg = 0;
7069 memset(regused, 0, sizeof regused);
7070 }
7071
7072 /*
7073 * Return the next free register.
7074 */
7075 static int
alloc_reg()7076 alloc_reg()
7077 {
7078 int n = BPF_MEMWORDS;
7079
7080 while (--n >= 0) {
7081 if (regused[curreg])
7082 curreg = (curreg + 1) % BPF_MEMWORDS;
7083 else {
7084 regused[curreg] = 1;
7085 return curreg;
7086 }
7087 }
7088 bpf_error("too many registers needed to evaluate expression");
7089 /* NOTREACHED */
7090 return 0;
7091 }
7092
7093 /*
7094 * Return a register to the table so it can
7095 * be used later.
7096 */
7097 static void
free_reg(n)7098 free_reg(n)
7099 int n;
7100 {
7101 regused[n] = 0;
7102 }
7103
7104 static struct block *
gen_len(jmp,n)7105 gen_len(jmp, n)
7106 int jmp, n;
7107 {
7108 struct slist *s;
7109 struct block *b;
7110
7111 s = new_stmt(BPF_LD|BPF_LEN);
7112 b = new_block(JMP(jmp));
7113 b->stmts = s;
7114 b->s.k = n;
7115
7116 return b;
7117 }
7118
7119 struct block *
gen_greater(n)7120 gen_greater(n)
7121 int n;
7122 {
7123 return gen_len(BPF_JGE, n);
7124 }
7125
7126 /*
7127 * Actually, this is less than or equal.
7128 */
7129 struct block *
gen_less(n)7130 gen_less(n)
7131 int n;
7132 {
7133 struct block *b;
7134
7135 b = gen_len(BPF_JGT, n);
7136 gen_not(b);
7137
7138 return b;
7139 }
7140
7141 /*
7142 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7143 * the beginning of the link-layer header.
7144 * XXX - that means you can't test values in the radiotap header, but
7145 * as that header is difficult if not impossible to parse generally
7146 * without a loop, that might not be a severe problem. A new keyword
7147 * "radio" could be added for that, although what you'd really want
7148 * would be a way of testing particular radio header values, which
7149 * would generate code appropriate to the radio header in question.
7150 */
7151 struct block *
gen_byteop(op,idx,val)7152 gen_byteop(op, idx, val)
7153 int op, idx, val;
7154 {
7155 struct block *b;
7156 struct slist *s;
7157
7158 switch (op) {
7159 default:
7160 abort();
7161
7162 case '=':
7163 return gen_cmp(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7164
7165 case '<':
7166 b = gen_cmp_lt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7167 return b;
7168
7169 case '>':
7170 b = gen_cmp_gt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7171 return b;
7172
7173 case '|':
7174 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7175 break;
7176
7177 case '&':
7178 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7179 break;
7180 }
7181 s->s.k = val;
7182 b = new_block(JMP(BPF_JEQ));
7183 b->stmts = s;
7184 gen_not(b);
7185
7186 return b;
7187 }
7188
7189 static u_char abroadcast[] = { 0x0 };
7190
7191 struct block *
gen_broadcast(proto)7192 gen_broadcast(proto)
7193 int proto;
7194 {
7195 bpf_u_int32 hostmask;
7196 struct block *b0, *b1, *b2;
7197 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7198
7199 switch (proto) {
7200
7201 case Q_DEFAULT:
7202 case Q_LINK:
7203 switch (linktype) {
7204 case DLT_ARCNET:
7205 case DLT_ARCNET_LINUX:
7206 return gen_ahostop(abroadcast, Q_DST);
7207 case DLT_EN10MB:
7208 case DLT_NETANALYZER:
7209 case DLT_NETANALYZER_TRANSPARENT:
7210 b1 = gen_prevlinkhdr_check();
7211 b0 = gen_ehostop(ebroadcast, Q_DST);
7212 if (b1 != NULL)
7213 gen_and(b1, b0);
7214 return b0;
7215 case DLT_FDDI:
7216 return gen_fhostop(ebroadcast, Q_DST);
7217 case DLT_IEEE802:
7218 return gen_thostop(ebroadcast, Q_DST);
7219 case DLT_IEEE802_11:
7220 case DLT_PRISM_HEADER:
7221 case DLT_IEEE802_11_RADIO_AVS:
7222 case DLT_IEEE802_11_RADIO:
7223 case DLT_PPI:
7224 return gen_wlanhostop(ebroadcast, Q_DST);
7225 case DLT_IP_OVER_FC:
7226 return gen_ipfchostop(ebroadcast, Q_DST);
7227 default:
7228 bpf_error("not a broadcast link");
7229 }
7230 break;
7231
7232 case Q_IP:
7233 /*
7234 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7235 * as an indication that we don't know the netmask, and fail
7236 * in that case.
7237 */
7238 if (netmask == PCAP_NETMASK_UNKNOWN)
7239 bpf_error("netmask not known, so 'ip broadcast' not supported");
7240 b0 = gen_linktype(ETHERTYPE_IP);
7241 hostmask = ~netmask;
7242 b1 = gen_mcmp(OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7243 b2 = gen_mcmp(OR_LINKPL, 16, BPF_W,
7244 (bpf_int32)(~0 & hostmask), hostmask);
7245 gen_or(b1, b2);
7246 gen_and(b0, b2);
7247 return b2;
7248 }
7249 bpf_error("only link-layer/IP broadcast filters supported");
7250 /* NOTREACHED */
7251 return NULL;
7252 }
7253
7254 /*
7255 * Generate code to test the low-order bit of a MAC address (that's
7256 * the bottom bit of the *first* byte).
7257 */
7258 static struct block *
gen_mac_multicast(offset)7259 gen_mac_multicast(offset)
7260 int offset;
7261 {
7262 register struct block *b0;
7263 register struct slist *s;
7264
7265 /* link[offset] & 1 != 0 */
7266 s = gen_load_a(OR_LINKHDR, offset, BPF_B);
7267 b0 = new_block(JMP(BPF_JSET));
7268 b0->s.k = 1;
7269 b0->stmts = s;
7270 return b0;
7271 }
7272
7273 struct block *
gen_multicast(proto)7274 gen_multicast(proto)
7275 int proto;
7276 {
7277 register struct block *b0, *b1, *b2;
7278 register struct slist *s;
7279
7280 switch (proto) {
7281
7282 case Q_DEFAULT:
7283 case Q_LINK:
7284 switch (linktype) {
7285 case DLT_ARCNET:
7286 case DLT_ARCNET_LINUX:
7287 /* all ARCnet multicasts use the same address */
7288 return gen_ahostop(abroadcast, Q_DST);
7289 case DLT_EN10MB:
7290 case DLT_NETANALYZER:
7291 case DLT_NETANALYZER_TRANSPARENT:
7292 b1 = gen_prevlinkhdr_check();
7293 /* ether[0] & 1 != 0 */
7294 b0 = gen_mac_multicast(0);
7295 if (b1 != NULL)
7296 gen_and(b1, b0);
7297 return b0;
7298 case DLT_FDDI:
7299 /*
7300 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7301 *
7302 * XXX - was that referring to bit-order issues?
7303 */
7304 /* fddi[1] & 1 != 0 */
7305 return gen_mac_multicast(1);
7306 case DLT_IEEE802:
7307 /* tr[2] & 1 != 0 */
7308 return gen_mac_multicast(2);
7309 case DLT_IEEE802_11:
7310 case DLT_PRISM_HEADER:
7311 case DLT_IEEE802_11_RADIO_AVS:
7312 case DLT_IEEE802_11_RADIO:
7313 case DLT_PPI:
7314 /*
7315 * Oh, yuk.
7316 *
7317 * For control frames, there is no DA.
7318 *
7319 * For management frames, DA is at an
7320 * offset of 4 from the beginning of
7321 * the packet.
7322 *
7323 * For data frames, DA is at an offset
7324 * of 4 from the beginning of the packet
7325 * if To DS is clear and at an offset of
7326 * 16 from the beginning of the packet
7327 * if To DS is set.
7328 */
7329
7330 /*
7331 * Generate the tests to be done for data frames.
7332 *
7333 * First, check for To DS set, i.e. "link[1] & 0x01".
7334 */
7335 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
7336 b1 = new_block(JMP(BPF_JSET));
7337 b1->s.k = 0x01; /* To DS */
7338 b1->stmts = s;
7339
7340 /*
7341 * If To DS is set, the DA is at 16.
7342 */
7343 b0 = gen_mac_multicast(16);
7344 gen_and(b1, b0);
7345
7346 /*
7347 * Now, check for To DS not set, i.e. check
7348 * "!(link[1] & 0x01)".
7349 */
7350 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
7351 b2 = new_block(JMP(BPF_JSET));
7352 b2->s.k = 0x01; /* To DS */
7353 b2->stmts = s;
7354 gen_not(b2);
7355
7356 /*
7357 * If To DS is not set, the DA is at 4.
7358 */
7359 b1 = gen_mac_multicast(4);
7360 gen_and(b2, b1);
7361
7362 /*
7363 * Now OR together the last two checks. That gives
7364 * the complete set of checks for data frames.
7365 */
7366 gen_or(b1, b0);
7367
7368 /*
7369 * Now check for a data frame.
7370 * I.e, check "link[0] & 0x08".
7371 */
7372 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7373 b1 = new_block(JMP(BPF_JSET));
7374 b1->s.k = 0x08;
7375 b1->stmts = s;
7376
7377 /*
7378 * AND that with the checks done for data frames.
7379 */
7380 gen_and(b1, b0);
7381
7382 /*
7383 * If the high-order bit of the type value is 0, this
7384 * is a management frame.
7385 * I.e, check "!(link[0] & 0x08)".
7386 */
7387 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7388 b2 = new_block(JMP(BPF_JSET));
7389 b2->s.k = 0x08;
7390 b2->stmts = s;
7391 gen_not(b2);
7392
7393 /*
7394 * For management frames, the DA is at 4.
7395 */
7396 b1 = gen_mac_multicast(4);
7397 gen_and(b2, b1);
7398
7399 /*
7400 * OR that with the checks done for data frames.
7401 * That gives the checks done for management and
7402 * data frames.
7403 */
7404 gen_or(b1, b0);
7405
7406 /*
7407 * If the low-order bit of the type value is 1,
7408 * this is either a control frame or a frame
7409 * with a reserved type, and thus not a
7410 * frame with an SA.
7411 *
7412 * I.e., check "!(link[0] & 0x04)".
7413 */
7414 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7415 b1 = new_block(JMP(BPF_JSET));
7416 b1->s.k = 0x04;
7417 b1->stmts = s;
7418 gen_not(b1);
7419
7420 /*
7421 * AND that with the checks for data and management
7422 * frames.
7423 */
7424 gen_and(b1, b0);
7425 return b0;
7426 case DLT_IP_OVER_FC:
7427 b0 = gen_mac_multicast(2);
7428 return b0;
7429 default:
7430 break;
7431 }
7432 /* Link not known to support multicasts */
7433 break;
7434
7435 case Q_IP:
7436 b0 = gen_linktype(ETHERTYPE_IP);
7437 b1 = gen_cmp_ge(OR_LINKPL, 16, BPF_B, (bpf_int32)224);
7438 gen_and(b0, b1);
7439 return b1;
7440
7441 case Q_IPV6:
7442 b0 = gen_linktype(ETHERTYPE_IPV6);
7443 b1 = gen_cmp(OR_LINKPL, 24, BPF_B, (bpf_int32)255);
7444 gen_and(b0, b1);
7445 return b1;
7446 }
7447 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7448 /* NOTREACHED */
7449 return NULL;
7450 }
7451
7452 /*
7453 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7454 * Outbound traffic is sent by this machine, while inbound traffic is
7455 * sent by a remote machine (and may include packets destined for a
7456 * unicast or multicast link-layer address we are not subscribing to).
7457 * These are the same definitions implemented by pcap_setdirection().
7458 * Capturing only unicast traffic destined for this host is probably
7459 * better accomplished using a higher-layer filter.
7460 */
7461 struct block *
gen_inbound(dir)7462 gen_inbound(dir)
7463 int dir;
7464 {
7465 register struct block *b0;
7466
7467 /*
7468 * Only some data link types support inbound/outbound qualifiers.
7469 */
7470 switch (linktype) {
7471 case DLT_SLIP:
7472 b0 = gen_relation(BPF_JEQ,
7473 gen_load(Q_LINK, gen_loadi(0), 1),
7474 gen_loadi(0),
7475 dir);
7476 break;
7477
7478 case DLT_IPNET:
7479 if (dir) {
7480 /* match outgoing packets */
7481 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
7482 } else {
7483 /* match incoming packets */
7484 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
7485 }
7486 break;
7487
7488 case DLT_LINUX_SLL:
7489 /* match outgoing packets */
7490 b0 = gen_cmp(OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
7491 if (!dir) {
7492 /* to filter on inbound traffic, invert the match */
7493 gen_not(b0);
7494 }
7495 break;
7496
7497 #ifdef HAVE_NET_PFVAR_H
7498 case DLT_PFLOG:
7499 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
7500 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7501 break;
7502 #endif
7503
7504 case DLT_PPP_PPPD:
7505 if (dir) {
7506 /* match outgoing packets */
7507 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
7508 } else {
7509 /* match incoming packets */
7510 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
7511 }
7512 break;
7513
7514 case DLT_JUNIPER_MFR:
7515 case DLT_JUNIPER_MLFR:
7516 case DLT_JUNIPER_MLPPP:
7517 case DLT_JUNIPER_ATM1:
7518 case DLT_JUNIPER_ATM2:
7519 case DLT_JUNIPER_PPPOE:
7520 case DLT_JUNIPER_PPPOE_ATM:
7521 case DLT_JUNIPER_GGSN:
7522 case DLT_JUNIPER_ES:
7523 case DLT_JUNIPER_MONITOR:
7524 case DLT_JUNIPER_SERVICES:
7525 case DLT_JUNIPER_ETHER:
7526 case DLT_JUNIPER_PPP:
7527 case DLT_JUNIPER_FRELAY:
7528 case DLT_JUNIPER_CHDLC:
7529 case DLT_JUNIPER_VP:
7530 case DLT_JUNIPER_ST:
7531 case DLT_JUNIPER_ISM:
7532 case DLT_JUNIPER_VS:
7533 case DLT_JUNIPER_SRX_E2E:
7534 case DLT_JUNIPER_FIBRECHANNEL:
7535 case DLT_JUNIPER_ATM_CEMIC:
7536
7537 /* juniper flags (including direction) are stored
7538 * the byte after the 3-byte magic number */
7539 if (dir) {
7540 /* match outgoing packets */
7541 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 0, 0x01);
7542 } else {
7543 /* match incoming packets */
7544 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 1, 0x01);
7545 }
7546 break;
7547
7548 default:
7549 /*
7550 * If we have packet meta-data indicating a direction,
7551 * check it, otherwise give up as this link-layer type
7552 * has nothing in the packet data.
7553 */
7554 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7555 /*
7556 * This is Linux with PF_PACKET support.
7557 * If this is a *live* capture, we can look at
7558 * special meta-data in the filter expression;
7559 * if it's a savefile, we can't.
7560 */
7561 if (bpf_pcap->rfile != NULL) {
7562 /* We have a FILE *, so this is a savefile */
7563 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7564 linktype);
7565 b0 = NULL;
7566 /* NOTREACHED */
7567 }
7568 /* match outgoing packets */
7569 b0 = gen_cmp(OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7570 PACKET_OUTGOING);
7571 if (!dir) {
7572 /* to filter on inbound traffic, invert the match */
7573 gen_not(b0);
7574 }
7575 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7576 bpf_error("inbound/outbound not supported on linktype %d",
7577 linktype);
7578 b0 = NULL;
7579 /* NOTREACHED */
7580 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7581 }
7582 return (b0);
7583 }
7584
7585 #ifdef HAVE_NET_PFVAR_H
7586 /* PF firewall log matched interface */
7587 struct block *
gen_pf_ifname(const char * ifname)7588 gen_pf_ifname(const char *ifname)
7589 {
7590 struct block *b0;
7591 u_int len, off;
7592
7593 if (linktype != DLT_PFLOG) {
7594 bpf_error("ifname supported only on PF linktype");
7595 /* NOTREACHED */
7596 }
7597 len = sizeof(((struct pfloghdr *)0)->ifname);
7598 off = offsetof(struct pfloghdr, ifname);
7599 if (strlen(ifname) >= len) {
7600 bpf_error("ifname interface names can only be %d characters",
7601 len-1);
7602 /* NOTREACHED */
7603 }
7604 b0 = gen_bcmp(OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname);
7605 return (b0);
7606 }
7607
7608 /* PF firewall log ruleset name */
7609 struct block *
gen_pf_ruleset(char * ruleset)7610 gen_pf_ruleset(char *ruleset)
7611 {
7612 struct block *b0;
7613
7614 if (linktype != DLT_PFLOG) {
7615 bpf_error("ruleset supported only on PF linktype");
7616 /* NOTREACHED */
7617 }
7618
7619 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7620 bpf_error("ruleset names can only be %ld characters",
7621 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7622 /* NOTREACHED */
7623 }
7624
7625 b0 = gen_bcmp(OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
7626 strlen(ruleset), (const u_char *)ruleset);
7627 return (b0);
7628 }
7629
7630 /* PF firewall log rule number */
7631 struct block *
gen_pf_rnr(int rnr)7632 gen_pf_rnr(int rnr)
7633 {
7634 struct block *b0;
7635
7636 if (linktype != DLT_PFLOG) {
7637 bpf_error("rnr supported only on PF linktype");
7638 /* NOTREACHED */
7639 }
7640
7641 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
7642 (bpf_int32)rnr);
7643 return (b0);
7644 }
7645
7646 /* PF firewall log sub-rule number */
7647 struct block *
gen_pf_srnr(int srnr)7648 gen_pf_srnr(int srnr)
7649 {
7650 struct block *b0;
7651
7652 if (linktype != DLT_PFLOG) {
7653 bpf_error("srnr supported only on PF linktype");
7654 /* NOTREACHED */
7655 }
7656
7657 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
7658 (bpf_int32)srnr);
7659 return (b0);
7660 }
7661
7662 /* PF firewall log reason code */
7663 struct block *
gen_pf_reason(int reason)7664 gen_pf_reason(int reason)
7665 {
7666 struct block *b0;
7667
7668 if (linktype != DLT_PFLOG) {
7669 bpf_error("reason supported only on PF linktype");
7670 /* NOTREACHED */
7671 }
7672
7673 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
7674 (bpf_int32)reason);
7675 return (b0);
7676 }
7677
7678 /* PF firewall log action */
7679 struct block *
gen_pf_action(int action)7680 gen_pf_action(int action)
7681 {
7682 struct block *b0;
7683
7684 if (linktype != DLT_PFLOG) {
7685 bpf_error("action supported only on PF linktype");
7686 /* NOTREACHED */
7687 }
7688
7689 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
7690 (bpf_int32)action);
7691 return (b0);
7692 }
7693 #else /* !HAVE_NET_PFVAR_H */
7694 struct block *
gen_pf_ifname(const char * ifname)7695 gen_pf_ifname(const char *ifname)
7696 {
7697 bpf_error("libpcap was compiled without pf support");
7698 /* NOTREACHED */
7699 return (NULL);
7700 }
7701
7702 struct block *
gen_pf_ruleset(char * ruleset)7703 gen_pf_ruleset(char *ruleset)
7704 {
7705 bpf_error("libpcap was compiled on a machine without pf support");
7706 /* NOTREACHED */
7707 return (NULL);
7708 }
7709
7710 struct block *
gen_pf_rnr(int rnr)7711 gen_pf_rnr(int rnr)
7712 {
7713 bpf_error("libpcap was compiled on a machine without pf support");
7714 /* NOTREACHED */
7715 return (NULL);
7716 }
7717
7718 struct block *
gen_pf_srnr(int srnr)7719 gen_pf_srnr(int srnr)
7720 {
7721 bpf_error("libpcap was compiled on a machine without pf support");
7722 /* NOTREACHED */
7723 return (NULL);
7724 }
7725
7726 struct block *
gen_pf_reason(int reason)7727 gen_pf_reason(int reason)
7728 {
7729 bpf_error("libpcap was compiled on a machine without pf support");
7730 /* NOTREACHED */
7731 return (NULL);
7732 }
7733
7734 struct block *
gen_pf_action(int action)7735 gen_pf_action(int action)
7736 {
7737 bpf_error("libpcap was compiled on a machine without pf support");
7738 /* NOTREACHED */
7739 return (NULL);
7740 }
7741 #endif /* HAVE_NET_PFVAR_H */
7742
7743 /* IEEE 802.11 wireless header */
7744 struct block *
gen_p80211_type(int type,int mask)7745 gen_p80211_type(int type, int mask)
7746 {
7747 struct block *b0;
7748
7749 switch (linktype) {
7750
7751 case DLT_IEEE802_11:
7752 case DLT_PRISM_HEADER:
7753 case DLT_IEEE802_11_RADIO_AVS:
7754 case DLT_IEEE802_11_RADIO:
7755 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
7756 (bpf_int32)mask);
7757 break;
7758
7759 default:
7760 bpf_error("802.11 link-layer types supported only on 802.11");
7761 /* NOTREACHED */
7762 }
7763
7764 return (b0);
7765 }
7766
7767 struct block *
gen_p80211_fcdir(int fcdir)7768 gen_p80211_fcdir(int fcdir)
7769 {
7770 struct block *b0;
7771
7772 switch (linktype) {
7773
7774 case DLT_IEEE802_11:
7775 case DLT_PRISM_HEADER:
7776 case DLT_IEEE802_11_RADIO_AVS:
7777 case DLT_IEEE802_11_RADIO:
7778 break;
7779
7780 default:
7781 bpf_error("frame direction supported only with 802.11 headers");
7782 /* NOTREACHED */
7783 }
7784
7785 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
7786 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7787
7788 return (b0);
7789 }
7790
7791 struct block *
gen_acode(eaddr,q)7792 gen_acode(eaddr, q)
7793 register const u_char *eaddr;
7794 struct qual q;
7795 {
7796 switch (linktype) {
7797
7798 case DLT_ARCNET:
7799 case DLT_ARCNET_LINUX:
7800 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7801 q.proto == Q_LINK)
7802 return (gen_ahostop(eaddr, (int)q.dir));
7803 else {
7804 bpf_error("ARCnet address used in non-arc expression");
7805 /* NOTREACHED */
7806 }
7807 break;
7808
7809 default:
7810 bpf_error("aid supported only on ARCnet");
7811 /* NOTREACHED */
7812 }
7813 bpf_error("ARCnet address used in non-arc expression");
7814 /* NOTREACHED */
7815 return NULL;
7816 }
7817
7818 static struct block *
gen_ahostop(eaddr,dir)7819 gen_ahostop(eaddr, dir)
7820 register const u_char *eaddr;
7821 register int dir;
7822 {
7823 register struct block *b0, *b1;
7824
7825 switch (dir) {
7826 /* src comes first, different from Ethernet */
7827 case Q_SRC:
7828 return gen_bcmp(OR_LINKHDR, 0, 1, eaddr);
7829
7830 case Q_DST:
7831 return gen_bcmp(OR_LINKHDR, 1, 1, eaddr);
7832
7833 case Q_AND:
7834 b0 = gen_ahostop(eaddr, Q_SRC);
7835 b1 = gen_ahostop(eaddr, Q_DST);
7836 gen_and(b0, b1);
7837 return b1;
7838
7839 case Q_DEFAULT:
7840 case Q_OR:
7841 b0 = gen_ahostop(eaddr, Q_SRC);
7842 b1 = gen_ahostop(eaddr, Q_DST);
7843 gen_or(b0, b1);
7844 return b1;
7845
7846 case Q_ADDR1:
7847 bpf_error("'addr1' is only supported on 802.11");
7848 break;
7849
7850 case Q_ADDR2:
7851 bpf_error("'addr2' is only supported on 802.11");
7852 break;
7853
7854 case Q_ADDR3:
7855 bpf_error("'addr3' is only supported on 802.11");
7856 break;
7857
7858 case Q_ADDR4:
7859 bpf_error("'addr4' is only supported on 802.11");
7860 break;
7861
7862 case Q_RA:
7863 bpf_error("'ra' is only supported on 802.11");
7864 break;
7865
7866 case Q_TA:
7867 bpf_error("'ta' is only supported on 802.11");
7868 break;
7869 }
7870 abort();
7871 /* NOTREACHED */
7872 }
7873
7874 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
7875 static struct block *
gen_vlan_bpf_extensions(int vlan_num)7876 gen_vlan_bpf_extensions(int vlan_num)
7877 {
7878 struct block *b0, *b1;
7879 struct slist *s;
7880
7881 /* generate new filter code based on extracting packet
7882 * metadata */
7883 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
7884 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
7885
7886 b0 = new_block(JMP(BPF_JEQ));
7887 b0->stmts = s;
7888 b0->s.k = 1;
7889
7890 if (vlan_num >= 0) {
7891 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
7892 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
7893
7894 b1 = new_block(JMP(BPF_JEQ));
7895 b1->stmts = s;
7896 b1->s.k = (bpf_int32) vlan_num;
7897
7898 gen_and(b0,b1);
7899 b0 = b1;
7900 }
7901
7902 return b0;
7903 }
7904 #endif
7905
7906 static struct block *
gen_vlan_no_bpf_extensions(int vlan_num)7907 gen_vlan_no_bpf_extensions(int vlan_num)
7908 {
7909 struct block *b0, *b1;
7910
7911 /* check for VLAN, including QinQ */
7912 b0 = gen_linktype(ETHERTYPE_8021Q);
7913 b1 = gen_linktype(ETHERTYPE_8021QINQ);
7914 gen_or(b0,b1);
7915 b0 = b1;
7916
7917 /* If a specific VLAN is requested, check VLAN id */
7918 if (vlan_num >= 0) {
7919 b1 = gen_mcmp(OR_LINKPL, 0, BPF_H,
7920 (bpf_int32)vlan_num, 0x0fff);
7921 gen_and(b0, b1);
7922 b0 = b1;
7923 }
7924
7925 /*
7926 * The payload follows the full header, including the
7927 * VLAN tags, so skip past this VLAN tag.
7928 */
7929 off_linkpl.constant_part += 4;
7930
7931 /*
7932 * The link-layer type information follows the VLAN tags, so
7933 * skip past this VLAN tag.
7934 */
7935 off_linktype.constant_part += 4;
7936
7937 return b0;
7938 }
7939
7940 /*
7941 * support IEEE 802.1Q VLAN trunk over ethernet
7942 */
7943 struct block *
gen_vlan(vlan_num)7944 gen_vlan(vlan_num)
7945 int vlan_num;
7946 {
7947 struct block *b0;
7948
7949 /* can't check for VLAN-encapsulated packets inside MPLS */
7950 if (label_stack_depth > 0)
7951 bpf_error("no VLAN match after MPLS");
7952
7953 /*
7954 * Check for a VLAN packet, and then change the offsets to point
7955 * to the type and data fields within the VLAN packet. Just
7956 * increment the offsets, so that we can support a hierarchy, e.g.
7957 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7958 * VLAN 100.
7959 *
7960 * XXX - this is a bit of a kludge. If we were to split the
7961 * compiler into a parser that parses an expression and
7962 * generates an expression tree, and a code generator that
7963 * takes an expression tree (which could come from our
7964 * parser or from some other parser) and generates BPF code,
7965 * we could perhaps make the offsets parameters of routines
7966 * and, in the handler for an "AND" node, pass to subnodes
7967 * other than the VLAN node the adjusted offsets.
7968 *
7969 * This would mean that "vlan" would, instead of changing the
7970 * behavior of *all* tests after it, change only the behavior
7971 * of tests ANDed with it. That would change the documented
7972 * semantics of "vlan", which might break some expressions.
7973 * However, it would mean that "(vlan and ip) or ip" would check
7974 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7975 * checking only for VLAN-encapsulated IP, so that could still
7976 * be considered worth doing; it wouldn't break expressions
7977 * that are of the form "vlan and ..." or "vlan N and ...",
7978 * which I suspect are the most common expressions involving
7979 * "vlan". "vlan or ..." doesn't necessarily do what the user
7980 * would really want, now, as all the "or ..." tests would
7981 * be done assuming a VLAN, even though the "or" could be viewed
7982 * as meaning "or, if this isn't a VLAN packet...".
7983 */
7984 switch (linktype) {
7985
7986 case DLT_EN10MB:
7987 case DLT_NETANALYZER:
7988 case DLT_NETANALYZER_TRANSPARENT:
7989 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
7990 /* Verify that this is the outer part of the packet and
7991 * not encapsulated somehow. */
7992 if (vlan_stack_depth == 0 && !off_linkhdr.is_variable &&
7993 off_linkhdr.constant_part ==
7994 off_outermostlinkhdr.constant_part) {
7995 /*
7996 * Do we need special VLAN handling?
7997 */
7998 if (bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
7999 b0 = gen_vlan_bpf_extensions(vlan_num);
8000 else
8001 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8002 } else
8003 #endif
8004 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8005 break;
8006
8007 case DLT_IEEE802_11:
8008 case DLT_PRISM_HEADER:
8009 case DLT_IEEE802_11_RADIO_AVS:
8010 case DLT_IEEE802_11_RADIO:
8011 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8012 break;
8013
8014 default:
8015 bpf_error("no VLAN support for data link type %d",
8016 linktype);
8017 /*NOTREACHED*/
8018 }
8019
8020 vlan_stack_depth++;
8021
8022 return (b0);
8023 }
8024
8025 /*
8026 * support for MPLS
8027 */
8028 struct block *
gen_mpls(label_num)8029 gen_mpls(label_num)
8030 int label_num;
8031 {
8032 struct block *b0, *b1;
8033
8034 if (label_stack_depth > 0) {
8035 /* just match the bottom-of-stack bit clear */
8036 b0 = gen_mcmp(OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
8037 } else {
8038 /*
8039 * We're not in an MPLS stack yet, so check the link-layer
8040 * type against MPLS.
8041 */
8042 switch (linktype) {
8043
8044 case DLT_C_HDLC: /* fall through */
8045 case DLT_EN10MB:
8046 case DLT_NETANALYZER:
8047 case DLT_NETANALYZER_TRANSPARENT:
8048 b0 = gen_linktype(ETHERTYPE_MPLS);
8049 break;
8050
8051 case DLT_PPP:
8052 b0 = gen_linktype(PPP_MPLS_UCAST);
8053 break;
8054
8055 /* FIXME add other DLT_s ...
8056 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8057 * leave it for now */
8058
8059 default:
8060 bpf_error("no MPLS support for data link type %d",
8061 linktype);
8062 b0 = NULL;
8063 /*NOTREACHED*/
8064 break;
8065 }
8066 }
8067
8068 /* If a specific MPLS label is requested, check it */
8069 if (label_num >= 0) {
8070 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8071 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
8072 0xfffff000); /* only compare the first 20 bits */
8073 gen_and(b0, b1);
8074 b0 = b1;
8075 }
8076
8077 /*
8078 * Change the offsets to point to the type and data fields within
8079 * the MPLS packet. Just increment the offsets, so that we
8080 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8081 * capture packets with an outer label of 100000 and an inner
8082 * label of 1024.
8083 *
8084 * Increment the MPLS stack depth as well; this indicates that
8085 * we're checking MPLS-encapsulated headers, to make sure higher
8086 * level code generators don't try to match against IP-related
8087 * protocols such as Q_ARP, Q_RARP etc.
8088 *
8089 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8090 */
8091 off_nl_nosnap += 4;
8092 off_nl += 4;
8093 label_stack_depth++;
8094 return (b0);
8095 }
8096
8097 /*
8098 * Support PPPOE discovery and session.
8099 */
8100 struct block *
gen_pppoed()8101 gen_pppoed()
8102 {
8103 /* check for PPPoE discovery */
8104 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8105 }
8106
8107 struct block *
gen_pppoes(sess_num)8108 gen_pppoes(sess_num)
8109 int sess_num;
8110 {
8111 struct block *b0, *b1;
8112
8113 /*
8114 * Test against the PPPoE session link-layer type.
8115 */
8116 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8117
8118 /* If a specific session is requested, check PPPoE session id */
8119 if (sess_num >= 0) {
8120 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W,
8121 (bpf_int32)sess_num, 0x0000ffff);
8122 gen_and(b0, b1);
8123 b0 = b1;
8124 }
8125
8126 /*
8127 * Change the offsets to point to the type and data fields within
8128 * the PPP packet, and note that this is PPPoE rather than
8129 * raw PPP.
8130 *
8131 * XXX - this is a bit of a kludge. If we were to split the
8132 * compiler into a parser that parses an expression and
8133 * generates an expression tree, and a code generator that
8134 * takes an expression tree (which could come from our
8135 * parser or from some other parser) and generates BPF code,
8136 * we could perhaps make the offsets parameters of routines
8137 * and, in the handler for an "AND" node, pass to subnodes
8138 * other than the PPPoE node the adjusted offsets.
8139 *
8140 * This would mean that "pppoes" would, instead of changing the
8141 * behavior of *all* tests after it, change only the behavior
8142 * of tests ANDed with it. That would change the documented
8143 * semantics of "pppoes", which might break some expressions.
8144 * However, it would mean that "(pppoes and ip) or ip" would check
8145 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8146 * checking only for VLAN-encapsulated IP, so that could still
8147 * be considered worth doing; it wouldn't break expressions
8148 * that are of the form "pppoes and ..." which I suspect are the
8149 * most common expressions involving "pppoes". "pppoes or ..."
8150 * doesn't necessarily do what the user would really want, now,
8151 * as all the "or ..." tests would be done assuming PPPoE, even
8152 * though the "or" could be viewed as meaning "or, if this isn't
8153 * a PPPoE packet...".
8154 *
8155 * The "network-layer" protocol is PPPoE, which has a 6-byte
8156 * PPPoE header, followed by a PPP packet.
8157 *
8158 * There is no HDLC encapsulation for the PPP packet (it's
8159 * encapsulated in PPPoES instead), so the link-layer type
8160 * starts at the first byte of the PPP packet. For PPPoE,
8161 * that offset is relative to the beginning of the total
8162 * link-layer payload, including any 802.2 LLC header, so
8163 * it's 6 bytes past off_nl.
8164 */
8165 PUSH_LINKHDR(DLT_PPP, off_linkpl.is_variable,
8166 off_linkpl.constant_part + off_nl + 6, /* 6 bytes past the PPPoE header */
8167 off_linkpl.reg);
8168
8169 off_linktype = off_linkhdr;
8170 off_linkpl.constant_part = off_linkhdr.constant_part + 2;
8171
8172 off_nl = 0;
8173 off_nl_nosnap = 0; /* no 802.2 LLC */
8174
8175 return b0;
8176 }
8177
8178 /* Check that this is Geneve and the VNI is correct if
8179 * specified. Parameterized to handle both IPv4 and IPv6. */
8180 static struct block *
gen_geneve_check(struct block * (* gen_portfn)(int,int,int),enum e_offrel offrel,int vni)8181 gen_geneve_check(struct block *(*gen_portfn)(int, int, int),
8182 enum e_offrel offrel, int vni)
8183 {
8184 struct block *b0, *b1;
8185
8186 b0 = gen_portfn(GENEVE_PORT, IPPROTO_UDP, Q_DST);
8187
8188 /* Check that we are operating on version 0. Otherwise, we
8189 * can't decode the rest of the fields. The version is 2 bits
8190 * in the first byte of the Geneve header. */
8191 b1 = gen_mcmp(offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
8192 gen_and(b0, b1);
8193 b0 = b1;
8194
8195 if (vni >= 0) {
8196 vni <<= 8; /* VNI is in the upper 3 bytes */
8197 b1 = gen_mcmp(offrel, 12, BPF_W, (bpf_int32)vni,
8198 0xffffff00);
8199 gen_and(b0, b1);
8200 b0 = b1;
8201 }
8202
8203 return b0;
8204 }
8205
8206 /* The IPv4 and IPv6 Geneve checks need to do two things:
8207 * - Verify that this actually is Geneve with the right VNI.
8208 * - Place the IP header length (plus variable link prefix if
8209 * needed) into register A to be used later to compute
8210 * the inner packet offsets. */
8211 static struct block *
gen_geneve4(int vni)8212 gen_geneve4(int vni)
8213 {
8214 struct block *b0, *b1;
8215 struct slist *s, *s1;
8216
8217 b0 = gen_geneve_check(gen_port, OR_TRAN_IPV4, vni);
8218
8219 /* Load the IP header length into A. */
8220 s = gen_loadx_iphdrlen();
8221
8222 s1 = new_stmt(BPF_MISC|BPF_TXA);
8223 sappend(s, s1);
8224
8225 /* Forcibly append these statements to the true condition
8226 * of the protocol check by creating a new block that is
8227 * always true and ANDing them. */
8228 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8229 b1->stmts = s;
8230 b1->s.k = 0;
8231
8232 gen_and(b0, b1);
8233
8234 return b1;
8235 }
8236
8237 static struct block *
gen_geneve6(int vni)8238 gen_geneve6(int vni)
8239 {
8240 struct block *b0, *b1;
8241 struct slist *s, *s1;
8242
8243 b0 = gen_geneve_check(gen_port6, OR_TRAN_IPV6, vni);
8244
8245 /* Load the IP header length. We need to account for a
8246 * variable length link prefix if there is one. */
8247 s = gen_abs_offset_varpart(&off_linkpl);
8248 if (s) {
8249 s1 = new_stmt(BPF_LD|BPF_IMM);
8250 s1->s.k = 40;
8251 sappend(s, s1);
8252
8253 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
8254 s1->s.k = 0;
8255 sappend(s, s1);
8256 } else {
8257 s = new_stmt(BPF_LD|BPF_IMM);
8258 s->s.k = 40;;
8259 }
8260
8261 /* Forcibly append these statements to the true condition
8262 * of the protocol check by creating a new block that is
8263 * always true and ANDing them. */
8264 s1 = new_stmt(BPF_MISC|BPF_TAX);
8265 sappend(s, s1);
8266
8267 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8268 b1->stmts = s;
8269 b1->s.k = 0;
8270
8271 gen_and(b0, b1);
8272
8273 return b1;
8274 }
8275
8276 /* We need to store three values based on the Geneve header::
8277 * - The offset of the linktype.
8278 * - The offset of the end of the Geneve header.
8279 * - The offset of the end of the encapsulated MAC header. */
8280 static struct slist *
gen_geneve_offsets(void)8281 gen_geneve_offsets(void)
8282 {
8283 struct slist *s, *s1, *s_proto;
8284
8285 /* First we need to calculate the offset of the Geneve header
8286 * itself. This is composed of the IP header previously calculated
8287 * (include any variable link prefix) and stored in A plus the
8288 * fixed sized headers (fixed link prefix, MAC length, and UDP
8289 * header). */
8290 s = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8291 s->s.k = off_linkpl.constant_part + off_nl + 8;
8292
8293 /* Stash this in X since we'll need it later. */
8294 s1 = new_stmt(BPF_MISC|BPF_TAX);
8295 sappend(s, s1);
8296
8297 /* The EtherType in Geneve is 2 bytes in. Calculate this and
8298 * store it. */
8299 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8300 s1->s.k = 2;
8301 sappend(s, s1);
8302
8303 off_linktype.reg = alloc_reg();
8304 off_linktype.is_variable = 1;
8305 off_linktype.constant_part = 0;
8306
8307 s1 = new_stmt(BPF_ST);
8308 s1->s.k = off_linktype.reg;
8309 sappend(s, s1);
8310
8311 /* Load the Geneve option length and mask and shift to get the
8312 * number of bytes. It is stored in the first byte of the Geneve
8313 * header. */
8314 s1 = new_stmt(BPF_LD|BPF_IND|BPF_B);
8315 s1->s.k = 0;
8316 sappend(s, s1);
8317
8318 s1 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
8319 s1->s.k = 0x3f;
8320 sappend(s, s1);
8321
8322 s1 = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
8323 s1->s.k = 4;
8324 sappend(s, s1);
8325
8326 /* Add in the rest of the Geneve base header. */
8327 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8328 s1->s.k = 8;
8329 sappend(s, s1);
8330
8331 /* Add the Geneve header length to its offset and store. */
8332 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
8333 s1->s.k = 0;
8334 sappend(s, s1);
8335
8336 /* Set the encapsulated type as Ethernet. Even though we may
8337 * not actually have Ethernet inside there are two reasons this
8338 * is useful:
8339 * - The linktype field is always in EtherType format regardless
8340 * of whether it is in Geneve or an inner Ethernet frame.
8341 * - The only link layer that we have specific support for is
8342 * Ethernet. We will confirm that the packet actually is
8343 * Ethernet at runtime before executing these checks. */
8344 PUSH_LINKHDR(DLT_EN10MB, 1, 0, alloc_reg());
8345
8346 s1 = new_stmt(BPF_ST);
8347 s1->s.k = off_linkhdr.reg;
8348 sappend(s, s1);
8349
8350 /* Calculate whether we have an Ethernet header or just raw IP/
8351 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
8352 * and linktype by 14 bytes so that the network header can be found
8353 * seamlessly. Otherwise, keep what we've calculated already. */
8354
8355 /* We have a bare jmp so we can't use the optimizer. */
8356 no_optimize = 1;
8357
8358 /* Load the EtherType in the Geneve header, 2 bytes in. */
8359 s1 = new_stmt(BPF_LD|BPF_IND|BPF_H);
8360 s1->s.k = 2;
8361 sappend(s, s1);
8362
8363 /* Load X with the end of the Geneve header. */
8364 s1 = new_stmt(BPF_LDX|BPF_MEM);
8365 s1->s.k = off_linkhdr.reg;
8366 sappend(s, s1);
8367
8368 /* Check if the EtherType is Transparent Ethernet Bridging. At the
8369 * end of this check, we should have the total length in X. In
8370 * the non-Ethernet case, it's already there. */
8371 s_proto = new_stmt(JMP(BPF_JEQ));
8372 s_proto->s.k = ETHERTYPE_TEB;
8373 sappend(s, s_proto);
8374
8375 s1 = new_stmt(BPF_MISC|BPF_TXA);
8376 sappend(s, s1);
8377 s_proto->s.jt = s1;
8378
8379 /* Since this is Ethernet, use the EtherType of the payload
8380 * directly as the linktype. Overwrite what we already have. */
8381 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8382 s1->s.k = 12;
8383 sappend(s, s1);
8384
8385 s1 = new_stmt(BPF_ST);
8386 s1->s.k = off_linktype.reg;
8387 sappend(s, s1);
8388
8389 /* Advance two bytes further to get the end of the Ethernet
8390 * header. */
8391 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8392 s1->s.k = 2;
8393 sappend(s, s1);
8394
8395 /* Move the result to X. */
8396 s1 = new_stmt(BPF_MISC|BPF_TAX);
8397 sappend(s, s1);
8398
8399 /* Store the final result of our linkpl calculation. */
8400 off_linkpl.reg = alloc_reg();
8401 off_linkpl.is_variable = 1;
8402 off_linkpl.constant_part = 0;
8403
8404 s1 = new_stmt(BPF_STX);
8405 s1->s.k = off_linkpl.reg;
8406 sappend(s, s1);
8407 s_proto->s.jf = s1;
8408
8409 off_nl = 0;
8410
8411 return s;
8412 }
8413
8414 /* Check to see if this is a Geneve packet. */
8415 struct block *
gen_geneve(int vni)8416 gen_geneve(int vni)
8417 {
8418 struct block *b0, *b1;
8419 struct slist *s;
8420
8421 b0 = gen_geneve4(vni);
8422 b1 = gen_geneve6(vni);
8423
8424 gen_or(b0, b1);
8425 b0 = b1;
8426
8427 /* Later filters should act on the payload of the Geneve frame,
8428 * update all of the header pointers. Attach this code so that
8429 * it gets executed in the event that the Geneve filter matches. */
8430 s = gen_geneve_offsets();
8431
8432 b1 = gen_true();
8433 sappend(s, b1->stmts);
8434 b1->stmts = s;
8435
8436 gen_and(b0, b1);
8437
8438 is_geneve = 1;
8439
8440 return b1;
8441 }
8442
8443 /* Check that the encapsulated frame has a link layer header
8444 * for Ethernet filters. */
8445 static struct block *
gen_geneve_ll_check()8446 gen_geneve_ll_check()
8447 {
8448 struct block *b0;
8449 struct slist *s, *s1;
8450
8451 /* The easiest way to see if there is a link layer present
8452 * is to check if the link layer header and payload are not
8453 * the same. */
8454
8455 /* Geneve always generates pure variable offsets so we can
8456 * compare only the registers. */
8457 s = new_stmt(BPF_LD|BPF_MEM);
8458 s->s.k = off_linkhdr.reg;
8459
8460 s1 = new_stmt(BPF_LDX|BPF_MEM);
8461 s1->s.k = off_linkpl.reg;
8462 sappend(s, s1);
8463
8464 b0 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8465 b0->stmts = s;
8466 b0->s.k = 0;
8467 gen_not(b0);
8468
8469 return b0;
8470 }
8471
8472 struct block *
gen_atmfield_code(atmfield,jvalue,jtype,reverse)8473 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8474 int atmfield;
8475 bpf_int32 jvalue;
8476 bpf_u_int32 jtype;
8477 int reverse;
8478 {
8479 struct block *b0;
8480
8481 switch (atmfield) {
8482
8483 case A_VPI:
8484 if (!is_atm)
8485 bpf_error("'vpi' supported only on raw ATM");
8486 if (off_vpi == (u_int)-1)
8487 abort();
8488 b0 = gen_ncmp(OR_LINKHDR, off_vpi, BPF_B, 0xffffffff, jtype,
8489 reverse, jvalue);
8490 break;
8491
8492 case A_VCI:
8493 if (!is_atm)
8494 bpf_error("'vci' supported only on raw ATM");
8495 if (off_vci == (u_int)-1)
8496 abort();
8497 b0 = gen_ncmp(OR_LINKHDR, off_vci, BPF_H, 0xffffffff, jtype,
8498 reverse, jvalue);
8499 break;
8500
8501 case A_PROTOTYPE:
8502 if (off_proto == (u_int)-1)
8503 abort(); /* XXX - this isn't on FreeBSD */
8504 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0x0f, jtype,
8505 reverse, jvalue);
8506 break;
8507
8508 case A_MSGTYPE:
8509 if (off_payload == (u_int)-1)
8510 abort();
8511 b0 = gen_ncmp(OR_LINKHDR, off_payload + MSG_TYPE_POS, BPF_B,
8512 0xffffffff, jtype, reverse, jvalue);
8513 break;
8514
8515 case A_CALLREFTYPE:
8516 if (!is_atm)
8517 bpf_error("'callref' supported only on raw ATM");
8518 if (off_proto == (u_int)-1)
8519 abort();
8520 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0xffffffff,
8521 jtype, reverse, jvalue);
8522 break;
8523
8524 default:
8525 abort();
8526 }
8527 return b0;
8528 }
8529
8530 struct block *
gen_atmtype_abbrev(type)8531 gen_atmtype_abbrev(type)
8532 int type;
8533 {
8534 struct block *b0, *b1;
8535
8536 switch (type) {
8537
8538 case A_METAC:
8539 /* Get all packets in Meta signalling Circuit */
8540 if (!is_atm)
8541 bpf_error("'metac' supported only on raw ATM");
8542 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8543 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8544 gen_and(b0, b1);
8545 break;
8546
8547 case A_BCC:
8548 /* Get all packets in Broadcast Circuit*/
8549 if (!is_atm)
8550 bpf_error("'bcc' supported only on raw ATM");
8551 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8552 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8553 gen_and(b0, b1);
8554 break;
8555
8556 case A_OAMF4SC:
8557 /* Get all cells in Segment OAM F4 circuit*/
8558 if (!is_atm)
8559 bpf_error("'oam4sc' supported only on raw ATM");
8560 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8561 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8562 gen_and(b0, b1);
8563 break;
8564
8565 case A_OAMF4EC:
8566 /* Get all cells in End-to-End OAM F4 Circuit*/
8567 if (!is_atm)
8568 bpf_error("'oam4ec' supported only on raw ATM");
8569 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8570 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8571 gen_and(b0, b1);
8572 break;
8573
8574 case A_SC:
8575 /* Get all packets in connection Signalling Circuit */
8576 if (!is_atm)
8577 bpf_error("'sc' supported only on raw ATM");
8578 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8579 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8580 gen_and(b0, b1);
8581 break;
8582
8583 case A_ILMIC:
8584 /* Get all packets in ILMI Circuit */
8585 if (!is_atm)
8586 bpf_error("'ilmic' supported only on raw ATM");
8587 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8588 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8589 gen_and(b0, b1);
8590 break;
8591
8592 case A_LANE:
8593 /* Get all LANE packets */
8594 if (!is_atm)
8595 bpf_error("'lane' supported only on raw ATM");
8596 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8597
8598 /*
8599 * Arrange that all subsequent tests assume LANE
8600 * rather than LLC-encapsulated packets, and set
8601 * the offsets appropriately for LANE-encapsulated
8602 * Ethernet.
8603 *
8604 * We assume LANE means Ethernet, not Token Ring.
8605 */
8606 PUSH_LINKHDR(DLT_EN10MB, 0,
8607 off_payload + 2, /* Ethernet header */
8608 -1);
8609 off_linktype.constant_part = off_linkhdr.constant_part + 12;
8610 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* Ethernet */
8611 off_nl = 0; /* Ethernet II */
8612 off_nl_nosnap = 3; /* 802.3+802.2 */
8613 break;
8614
8615 case A_LLC:
8616 /* Get all LLC-encapsulated packets */
8617 if (!is_atm)
8618 bpf_error("'llc' supported only on raw ATM");
8619 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8620 linktype = prevlinktype;
8621 break;
8622
8623 default:
8624 abort();
8625 }
8626 return b1;
8627 }
8628
8629 /*
8630 * Filtering for MTP2 messages based on li value
8631 * FISU, length is null
8632 * LSSU, length is 1 or 2
8633 * MSU, length is 3 or more
8634 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8635 */
8636 struct block *
gen_mtp2type_abbrev(type)8637 gen_mtp2type_abbrev(type)
8638 int type;
8639 {
8640 struct block *b0, *b1;
8641
8642 switch (type) {
8643
8644 case M_FISU:
8645 if ( (linktype != DLT_MTP2) &&
8646 (linktype != DLT_ERF) &&
8647 (linktype != DLT_MTP2_WITH_PHDR) )
8648 bpf_error("'fisu' supported only on MTP2");
8649 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8650 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8651 break;
8652
8653 case M_LSSU:
8654 if ( (linktype != DLT_MTP2) &&
8655 (linktype != DLT_ERF) &&
8656 (linktype != DLT_MTP2_WITH_PHDR) )
8657 bpf_error("'lssu' supported only on MTP2");
8658 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8659 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8660 gen_and(b1, b0);
8661 break;
8662
8663 case M_MSU:
8664 if ( (linktype != DLT_MTP2) &&
8665 (linktype != DLT_ERF) &&
8666 (linktype != DLT_MTP2_WITH_PHDR) )
8667 bpf_error("'msu' supported only on MTP2");
8668 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8669 break;
8670
8671 case MH_FISU:
8672 if ( (linktype != DLT_MTP2) &&
8673 (linktype != DLT_ERF) &&
8674 (linktype != DLT_MTP2_WITH_PHDR) )
8675 bpf_error("'hfisu' supported only on MTP2_HSL");
8676 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8677 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
8678 break;
8679
8680 case MH_LSSU:
8681 if ( (linktype != DLT_MTP2) &&
8682 (linktype != DLT_ERF) &&
8683 (linktype != DLT_MTP2_WITH_PHDR) )
8684 bpf_error("'hlssu' supported only on MTP2_HSL");
8685 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
8686 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
8687 gen_and(b1, b0);
8688 break;
8689
8690 case MH_MSU:
8691 if ( (linktype != DLT_MTP2) &&
8692 (linktype != DLT_ERF) &&
8693 (linktype != DLT_MTP2_WITH_PHDR) )
8694 bpf_error("'hmsu' supported only on MTP2_HSL");
8695 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
8696 break;
8697
8698 default:
8699 abort();
8700 }
8701 return b0;
8702 }
8703
8704 struct block *
gen_mtp3field_code(mtp3field,jvalue,jtype,reverse)8705 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8706 int mtp3field;
8707 bpf_u_int32 jvalue;
8708 bpf_u_int32 jtype;
8709 int reverse;
8710 {
8711 struct block *b0;
8712 bpf_u_int32 val1 , val2 , val3;
8713 u_int newoff_sio=off_sio;
8714 u_int newoff_opc=off_opc;
8715 u_int newoff_dpc=off_dpc;
8716 u_int newoff_sls=off_sls;
8717
8718 switch (mtp3field) {
8719
8720 case MH_SIO:
8721 newoff_sio += 3; /* offset for MTP2_HSL */
8722 /* FALLTHROUGH */
8723
8724 case M_SIO:
8725 if (off_sio == (u_int)-1)
8726 bpf_error("'sio' supported only on SS7");
8727 /* sio coded on 1 byte so max value 255 */
8728 if(jvalue > 255)
8729 bpf_error("sio value %u too big; max value = 255",
8730 jvalue);
8731 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
8732 (u_int)jtype, reverse, (u_int)jvalue);
8733 break;
8734
8735 case MH_OPC:
8736 newoff_opc+=3;
8737 case M_OPC:
8738 if (off_opc == (u_int)-1)
8739 bpf_error("'opc' supported only on SS7");
8740 /* opc coded on 14 bits so max value 16383 */
8741 if (jvalue > 16383)
8742 bpf_error("opc value %u too big; max value = 16383",
8743 jvalue);
8744 /* the following instructions are made to convert jvalue
8745 * to the form used to write opc in an ss7 message*/
8746 val1 = jvalue & 0x00003c00;
8747 val1 = val1 >>10;
8748 val2 = jvalue & 0x000003fc;
8749 val2 = val2 <<6;
8750 val3 = jvalue & 0x00000003;
8751 val3 = val3 <<22;
8752 jvalue = val1 + val2 + val3;
8753 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
8754 (u_int)jtype, reverse, (u_int)jvalue);
8755 break;
8756
8757 case MH_DPC:
8758 newoff_dpc += 3;
8759 /* FALLTHROUGH */
8760
8761 case M_DPC:
8762 if (off_dpc == (u_int)-1)
8763 bpf_error("'dpc' supported only on SS7");
8764 /* dpc coded on 14 bits so max value 16383 */
8765 if (jvalue > 16383)
8766 bpf_error("dpc value %u too big; max value = 16383",
8767 jvalue);
8768 /* the following instructions are made to convert jvalue
8769 * to the forme used to write dpc in an ss7 message*/
8770 val1 = jvalue & 0x000000ff;
8771 val1 = val1 << 24;
8772 val2 = jvalue & 0x00003f00;
8773 val2 = val2 << 8;
8774 jvalue = val1 + val2;
8775 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
8776 (u_int)jtype, reverse, (u_int)jvalue);
8777 break;
8778
8779 case MH_SLS:
8780 newoff_sls+=3;
8781 case M_SLS:
8782 if (off_sls == (u_int)-1)
8783 bpf_error("'sls' supported only on SS7");
8784 /* sls coded on 4 bits so max value 15 */
8785 if (jvalue > 15)
8786 bpf_error("sls value %u too big; max value = 15",
8787 jvalue);
8788 /* the following instruction is made to convert jvalue
8789 * to the forme used to write sls in an ss7 message*/
8790 jvalue = jvalue << 4;
8791 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0,
8792 (u_int)jtype,reverse, (u_int)jvalue);
8793 break;
8794
8795 default:
8796 abort();
8797 }
8798 return b0;
8799 }
8800
8801 static struct block *
gen_msg_abbrev(type)8802 gen_msg_abbrev(type)
8803 int type;
8804 {
8805 struct block *b1;
8806
8807 /*
8808 * Q.2931 signalling protocol messages for handling virtual circuits
8809 * establishment and teardown
8810 */
8811 switch (type) {
8812
8813 case A_SETUP:
8814 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8815 break;
8816
8817 case A_CALLPROCEED:
8818 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8819 break;
8820
8821 case A_CONNECT:
8822 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8823 break;
8824
8825 case A_CONNECTACK:
8826 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8827 break;
8828
8829 case A_RELEASE:
8830 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8831 break;
8832
8833 case A_RELEASE_DONE:
8834 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8835 break;
8836
8837 default:
8838 abort();
8839 }
8840 return b1;
8841 }
8842
8843 struct block *
gen_atmmulti_abbrev(type)8844 gen_atmmulti_abbrev(type)
8845 int type;
8846 {
8847 struct block *b0, *b1;
8848
8849 switch (type) {
8850
8851 case A_OAM:
8852 if (!is_atm)
8853 bpf_error("'oam' supported only on raw ATM");
8854 b1 = gen_atmmulti_abbrev(A_OAMF4);
8855 break;
8856
8857 case A_OAMF4:
8858 if (!is_atm)
8859 bpf_error("'oamf4' supported only on raw ATM");
8860 /* OAM F4 type */
8861 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8862 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8863 gen_or(b0, b1);
8864 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8865 gen_and(b0, b1);
8866 break;
8867
8868 case A_CONNECTMSG:
8869 /*
8870 * Get Q.2931 signalling messages for switched
8871 * virtual connection
8872 */
8873 if (!is_atm)
8874 bpf_error("'connectmsg' supported only on raw ATM");
8875 b0 = gen_msg_abbrev(A_SETUP);
8876 b1 = gen_msg_abbrev(A_CALLPROCEED);
8877 gen_or(b0, b1);
8878 b0 = gen_msg_abbrev(A_CONNECT);
8879 gen_or(b0, b1);
8880 b0 = gen_msg_abbrev(A_CONNECTACK);
8881 gen_or(b0, b1);
8882 b0 = gen_msg_abbrev(A_RELEASE);
8883 gen_or(b0, b1);
8884 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8885 gen_or(b0, b1);
8886 b0 = gen_atmtype_abbrev(A_SC);
8887 gen_and(b0, b1);
8888 break;
8889
8890 case A_METACONNECT:
8891 if (!is_atm)
8892 bpf_error("'metaconnect' supported only on raw ATM");
8893 b0 = gen_msg_abbrev(A_SETUP);
8894 b1 = gen_msg_abbrev(A_CALLPROCEED);
8895 gen_or(b0, b1);
8896 b0 = gen_msg_abbrev(A_CONNECT);
8897 gen_or(b0, b1);
8898 b0 = gen_msg_abbrev(A_RELEASE);
8899 gen_or(b0, b1);
8900 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8901 gen_or(b0, b1);
8902 b0 = gen_atmtype_abbrev(A_METAC);
8903 gen_and(b0, b1);
8904 break;
8905
8906 default:
8907 abort();
8908 }
8909 return b1;
8910 }
8911