1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #include <sys/types.h> 35 #include <sys/socket.h> 36 #endif /* WIN32 */ 37 38 /* 39 * XXX - why was this included even on UNIX? 40 */ 41 #ifdef __MINGW32__ 42 #include "IP6_misc.h" 43 #endif 44 45 #ifndef WIN32 46 47 #ifdef __NetBSD__ 48 #include <sys/param.h> 49 #endif 50 51 #include <netinet/in.h> 52 53 #endif /* WIN32 */ 54 55 #include <stdlib.h> 56 #include <string.h> 57 #include <memory.h> 58 #include <setjmp.h> 59 #include <stdarg.h> 60 61 #ifdef MSDOS 62 #include "pcap-dos.h" 63 #endif 64 65 #include "pcap-int.h" 66 67 #include "ethertype.h" 68 #include "nlpid.h" 69 #include "llc.h" 70 #include "gencode.h" 71 #include <netproto/802_11/ieee80211.h> 72 #include "atmuni31.h" 73 #include "sunatmpos.h" 74 #include "ppp.h" 75 #include "pcap/sll.h" 76 #include "arcnet.h" 77 #ifdef HAVE_NET_PFVAR_H 78 #include <sys/socket.h> 79 #include <net/if.h> 80 #include <net/if_var.h> 81 #include <net/pf/pfvar.h> 82 #include <net/pf/if_pflog.h> 83 #endif 84 #ifndef offsetof 85 #define offsetof(s, e) ((size_t)&((s *)0)->e) 86 #endif 87 #ifdef INET6 88 #ifndef WIN32 89 #include <netdb.h> /* for "struct addrinfo" */ 90 #endif /* WIN32 */ 91 #endif /*INET6*/ 92 #include <pcap/namedb.h> 93 94 #include <netproto/802_11/ieee80211_radiotap.h> 95 96 #define ETHERMTU 1500 97 98 #ifndef IPPROTO_SCTP 99 #define IPPROTO_SCTP 132 100 #endif 101 102 #ifdef HAVE_OS_PROTO_H 103 #include "os-proto.h" 104 #endif 105 106 #define JMP(c) ((c)|BPF_JMP|BPF_K) 107 108 /* Locals */ 109 static jmp_buf top_ctx; 110 static pcap_t *bpf_pcap; 111 112 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 113 #ifdef WIN32 114 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 115 #else 116 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 117 #endif 118 119 /* XXX */ 120 #ifdef PCAP_FDDIPAD 121 static int pcap_fddipad; 122 #endif 123 124 /* VARARGS */ 125 void 126 bpf_error(const char *fmt, ...) 127 { 128 va_list ap; 129 130 va_start(ap, fmt); 131 if (bpf_pcap != NULL) 132 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 133 fmt, ap); 134 va_end(ap); 135 longjmp(top_ctx, 1); 136 /* NOTREACHED */ 137 } 138 139 static void init_linktype(pcap_t *); 140 141 static void init_regs(void); 142 static int alloc_reg(void); 143 static void free_reg(int); 144 145 static struct block *root; 146 147 /* 148 * Value passed to gen_load_a() to indicate what the offset argument 149 * is relative to. 150 */ 151 enum e_offrel { 152 OR_PACKET, /* relative to the beginning of the packet */ 153 OR_LINK, /* relative to the beginning of the link-layer header */ 154 OR_MACPL, /* relative to the end of the MAC-layer header */ 155 OR_NET, /* relative to the network-layer header */ 156 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 157 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 158 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 159 }; 160 161 /* 162 * We divy out chunks of memory rather than call malloc each time so 163 * we don't have to worry about leaking memory. It's probably 164 * not a big deal if all this memory was wasted but if this ever 165 * goes into a library that would probably not be a good idea. 166 * 167 * XXX - this *is* in a library.... 168 */ 169 #define NCHUNKS 16 170 #define CHUNK0SIZE 1024 171 struct chunk { 172 u_int n_left; 173 void *m; 174 }; 175 176 static struct chunk chunks[NCHUNKS]; 177 static int cur_chunk; 178 179 static void *newchunk(u_int); 180 static void freechunks(void); 181 static inline struct block *new_block(int); 182 static inline struct slist *new_stmt(int); 183 static struct block *gen_retblk(int); 184 static inline void syntax(void); 185 186 static void backpatch(struct block *, struct block *); 187 static void merge(struct block *, struct block *); 188 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 189 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 190 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 191 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 192 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 193 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 194 bpf_u_int32); 195 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 196 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 197 bpf_u_int32, bpf_u_int32, int, bpf_int32); 198 static struct slist *gen_load_llrel(u_int, u_int); 199 static struct slist *gen_load_macplrel(u_int, u_int); 200 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 201 static struct slist *gen_loadx_iphdrlen(void); 202 static struct block *gen_uncond(int); 203 static inline struct block *gen_true(void); 204 static inline struct block *gen_false(void); 205 static struct block *gen_ether_linktype(int); 206 static struct block *gen_linux_sll_linktype(int); 207 static struct slist *gen_load_prism_llprefixlen(void); 208 static struct slist *gen_load_avs_llprefixlen(void); 209 static struct slist *gen_load_radiotap_llprefixlen(void); 210 static struct slist *gen_load_ppi_llprefixlen(void); 211 static void insert_compute_vloffsets(struct block *); 212 static struct slist *gen_llprefixlen(void); 213 static struct slist *gen_off_macpl(void); 214 static int ethertype_to_ppptype(int); 215 static struct block *gen_linktype(int); 216 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 217 static struct block *gen_llc_linktype(int); 218 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 219 #ifdef INET6 220 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 221 #endif 222 static struct block *gen_ahostop(const u_char *, int); 223 static struct block *gen_ehostop(const u_char *, int); 224 static struct block *gen_fhostop(const u_char *, int); 225 static struct block *gen_thostop(const u_char *, int); 226 static struct block *gen_wlanhostop(const u_char *, int); 227 static struct block *gen_ipfchostop(const u_char *, int); 228 static struct block *gen_dnhostop(bpf_u_int32, int); 229 static struct block *gen_mpls_linktype(int); 230 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 231 #ifdef INET6 232 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 233 #endif 234 #ifndef INET6 235 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 236 #endif 237 static struct block *gen_ipfrag(void); 238 static struct block *gen_portatom(int, bpf_int32); 239 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 240 #ifdef INET6 241 static struct block *gen_portatom6(int, bpf_int32); 242 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 243 #endif 244 struct block *gen_portop(int, int, int); 245 static struct block *gen_port(int, int, int); 246 struct block *gen_portrangeop(int, int, int, int); 247 static struct block *gen_portrange(int, int, int, int); 248 #ifdef INET6 249 struct block *gen_portop6(int, int, int); 250 static struct block *gen_port6(int, int, int); 251 struct block *gen_portrangeop6(int, int, int, int); 252 static struct block *gen_portrange6(int, int, int, int); 253 #endif 254 static int lookup_proto(const char *, int); 255 static struct block *gen_protochain(int, int, int); 256 static struct block *gen_proto(int, int, int); 257 static struct slist *xfer_to_x(struct arth *); 258 static struct slist *xfer_to_a(struct arth *); 259 static struct block *gen_mac_multicast(int); 260 static struct block *gen_len(int, int); 261 static struct block *gen_check_802_11_data_frame(void); 262 263 static struct block *gen_ppi_dlt_check(void); 264 static struct block *gen_msg_abbrev(int type); 265 266 static void * 267 newchunk(n) 268 u_int n; 269 { 270 struct chunk *cp; 271 int k; 272 size_t size; 273 274 #ifndef __NetBSD__ 275 /* XXX Round up to nearest long. */ 276 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 277 #else 278 /* XXX Round up to structure boundary. */ 279 n = ALIGN(n); 280 #endif 281 282 cp = &chunks[cur_chunk]; 283 if (n > cp->n_left) { 284 ++cp, k = ++cur_chunk; 285 if (k >= NCHUNKS) 286 bpf_error("out of memory"); 287 size = CHUNK0SIZE << k; 288 cp->m = (void *)malloc(size); 289 if (cp->m == NULL) 290 bpf_error("out of memory"); 291 memset((char *)cp->m, 0, size); 292 cp->n_left = size; 293 if (n > size) 294 bpf_error("out of memory"); 295 } 296 cp->n_left -= n; 297 return (void *)((char *)cp->m + cp->n_left); 298 } 299 300 static void 301 freechunks() 302 { 303 int i; 304 305 cur_chunk = 0; 306 for (i = 0; i < NCHUNKS; ++i) 307 if (chunks[i].m != NULL) { 308 free(chunks[i].m); 309 chunks[i].m = NULL; 310 } 311 } 312 313 /* 314 * A strdup whose allocations are freed after code generation is over. 315 */ 316 char * 317 sdup(s) 318 register const char *s; 319 { 320 int n = strlen(s) + 1; 321 char *cp = newchunk(n); 322 323 strlcpy(cp, s, n); 324 return (cp); 325 } 326 327 static inline struct block * 328 new_block(code) 329 int code; 330 { 331 struct block *p; 332 333 p = (struct block *)newchunk(sizeof(*p)); 334 p->s.code = code; 335 p->head = p; 336 337 return p; 338 } 339 340 static inline struct slist * 341 new_stmt(code) 342 int code; 343 { 344 struct slist *p; 345 346 p = (struct slist *)newchunk(sizeof(*p)); 347 p->s.code = code; 348 349 return p; 350 } 351 352 static struct block * 353 gen_retblk(v) 354 int v; 355 { 356 struct block *b = new_block(BPF_RET|BPF_K); 357 358 b->s.k = v; 359 return b; 360 } 361 362 static inline void 363 syntax() 364 { 365 bpf_error("syntax error in filter expression"); 366 } 367 368 static bpf_u_int32 netmask; 369 static int snaplen; 370 int no_optimize; 371 372 int 373 pcap_compile(pcap_t *p, struct bpf_program *program, 374 const char *buf, int optimize, bpf_u_int32 mask) 375 { 376 extern int n_errors; 377 const char * volatile xbuf = buf; 378 int len; 379 380 no_optimize = 0; 381 n_errors = 0; 382 root = NULL; 383 bpf_pcap = p; 384 init_regs(); 385 if (setjmp(top_ctx)) { 386 lex_cleanup(); 387 freechunks(); 388 return (-1); 389 } 390 391 netmask = mask; 392 393 snaplen = pcap_snapshot(p); 394 if (snaplen == 0) { 395 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 396 "snaplen of 0 rejects all packets"); 397 return -1; 398 } 399 400 lex_init(xbuf ? xbuf : ""); 401 init_linktype(p); 402 (void)pcap_parse(); 403 404 if (n_errors) 405 syntax(); 406 407 if (root == NULL) 408 root = gen_retblk(snaplen); 409 410 if (optimize && !no_optimize) { 411 bpf_optimize(&root); 412 if (root == NULL || 413 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 414 bpf_error("expression rejects all packets"); 415 } 416 program->bf_insns = icode_to_fcode(root, &len); 417 program->bf_len = len; 418 419 lex_cleanup(); 420 freechunks(); 421 return (0); 422 } 423 424 /* 425 * entry point for using the compiler with no pcap open 426 * pass in all the stuff that is needed explicitly instead. 427 */ 428 int 429 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 430 struct bpf_program *program, 431 const char *buf, int optimize, bpf_u_int32 mask) 432 { 433 pcap_t *p; 434 int ret; 435 436 p = pcap_open_dead(linktype_arg, snaplen_arg); 437 if (p == NULL) 438 return (-1); 439 ret = pcap_compile(p, program, buf, optimize, mask); 440 pcap_close(p); 441 return (ret); 442 } 443 444 /* 445 * Clean up a "struct bpf_program" by freeing all the memory allocated 446 * in it. 447 */ 448 void 449 pcap_freecode(struct bpf_program *program) 450 { 451 program->bf_len = 0; 452 if (program->bf_insns != NULL) { 453 free((char *)program->bf_insns); 454 program->bf_insns = NULL; 455 } 456 } 457 458 /* 459 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 460 * which of the jt and jf fields has been resolved and which is a pointer 461 * back to another unresolved block (or nil). At least one of the fields 462 * in each block is already resolved. 463 */ 464 static void 465 backpatch(list, target) 466 struct block *list, *target; 467 { 468 struct block *next; 469 470 while (list) { 471 if (!list->sense) { 472 next = JT(list); 473 JT(list) = target; 474 } else { 475 next = JF(list); 476 JF(list) = target; 477 } 478 list = next; 479 } 480 } 481 482 /* 483 * Merge the lists in b0 and b1, using the 'sense' field to indicate 484 * which of jt and jf is the link. 485 */ 486 static void 487 merge(b0, b1) 488 struct block *b0, *b1; 489 { 490 register struct block **p = &b0; 491 492 /* Find end of list. */ 493 while (*p) 494 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 495 496 /* Concatenate the lists. */ 497 *p = b1; 498 } 499 500 void 501 finish_parse(p) 502 struct block *p; 503 { 504 struct block *ppi_dlt_check; 505 506 /* 507 * Insert before the statements of the first (root) block any 508 * statements needed to load the lengths of any variable-length 509 * headers into registers. 510 * 511 * XXX - a fancier strategy would be to insert those before the 512 * statements of all blocks that use those lengths and that 513 * have no predecessors that use them, so that we only compute 514 * the lengths if we need them. There might be even better 515 * approaches than that. 516 * 517 * However, those strategies would be more complicated, and 518 * as we don't generate code to compute a length if the 519 * program has no tests that use the length, and as most 520 * tests will probably use those lengths, we would just 521 * postpone computing the lengths so that it's not done 522 * for tests that fail early, and it's not clear that's 523 * worth the effort. 524 */ 525 insert_compute_vloffsets(p->head); 526 527 /* 528 * For DLT_PPI captures, generate a check of the per-packet 529 * DLT value to make sure it's DLT_IEEE802_11. 530 */ 531 ppi_dlt_check = gen_ppi_dlt_check(); 532 if (ppi_dlt_check != NULL) 533 gen_and(ppi_dlt_check, p); 534 535 backpatch(p, gen_retblk(snaplen)); 536 p->sense = !p->sense; 537 backpatch(p, gen_retblk(0)); 538 root = p->head; 539 } 540 541 void 542 gen_and(b0, b1) 543 struct block *b0, *b1; 544 { 545 backpatch(b0, b1->head); 546 b0->sense = !b0->sense; 547 b1->sense = !b1->sense; 548 merge(b1, b0); 549 b1->sense = !b1->sense; 550 b1->head = b0->head; 551 } 552 553 void 554 gen_or(b0, b1) 555 struct block *b0, *b1; 556 { 557 b0->sense = !b0->sense; 558 backpatch(b0, b1->head); 559 b0->sense = !b0->sense; 560 merge(b1, b0); 561 b1->head = b0->head; 562 } 563 564 void 565 gen_not(b) 566 struct block *b; 567 { 568 b->sense = !b->sense; 569 } 570 571 static struct block * 572 gen_cmp(offrel, offset, size, v) 573 enum e_offrel offrel; 574 u_int offset, size; 575 bpf_int32 v; 576 { 577 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 578 } 579 580 static struct block * 581 gen_cmp_gt(offrel, offset, size, v) 582 enum e_offrel offrel; 583 u_int offset, size; 584 bpf_int32 v; 585 { 586 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 587 } 588 589 static struct block * 590 gen_cmp_ge(offrel, offset, size, v) 591 enum e_offrel offrel; 592 u_int offset, size; 593 bpf_int32 v; 594 { 595 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 596 } 597 598 static struct block * 599 gen_cmp_lt(offrel, offset, size, v) 600 enum e_offrel offrel; 601 u_int offset, size; 602 bpf_int32 v; 603 { 604 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 605 } 606 607 static struct block * 608 gen_cmp_le(offrel, offset, size, v) 609 enum e_offrel offrel; 610 u_int offset, size; 611 bpf_int32 v; 612 { 613 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 614 } 615 616 static struct block * 617 gen_mcmp(offrel, offset, size, v, mask) 618 enum e_offrel offrel; 619 u_int offset, size; 620 bpf_int32 v; 621 bpf_u_int32 mask; 622 { 623 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 624 } 625 626 static struct block * 627 gen_bcmp(offrel, offset, size, v) 628 enum e_offrel offrel; 629 register u_int offset, size; 630 register const u_char *v; 631 { 632 register struct block *b, *tmp; 633 634 b = NULL; 635 while (size >= 4) { 636 register const u_char *p = &v[size - 4]; 637 bpf_int32 w = ((bpf_int32)p[0] << 24) | 638 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 639 640 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 641 if (b != NULL) 642 gen_and(b, tmp); 643 b = tmp; 644 size -= 4; 645 } 646 while (size >= 2) { 647 register const u_char *p = &v[size - 2]; 648 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 649 650 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 651 if (b != NULL) 652 gen_and(b, tmp); 653 b = tmp; 654 size -= 2; 655 } 656 if (size > 0) { 657 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 658 if (b != NULL) 659 gen_and(b, tmp); 660 b = tmp; 661 } 662 return b; 663 } 664 665 /* 666 * AND the field of size "size" at offset "offset" relative to the header 667 * specified by "offrel" with "mask", and compare it with the value "v" 668 * with the test specified by "jtype"; if "reverse" is true, the test 669 * should test the opposite of "jtype". 670 */ 671 static struct block * 672 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 673 enum e_offrel offrel; 674 bpf_int32 v; 675 bpf_u_int32 offset, size, mask, jtype; 676 int reverse; 677 { 678 struct slist *s, *s2; 679 struct block *b; 680 681 s = gen_load_a(offrel, offset, size); 682 683 if (mask != 0xffffffff) { 684 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 685 s2->s.k = mask; 686 sappend(s, s2); 687 } 688 689 b = new_block(JMP(jtype)); 690 b->stmts = s; 691 b->s.k = v; 692 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 693 gen_not(b); 694 return b; 695 } 696 697 /* 698 * Various code constructs need to know the layout of the data link 699 * layer. These variables give the necessary offsets from the beginning 700 * of the packet data. 701 */ 702 703 /* 704 * This is the offset of the beginning of the link-layer header from 705 * the beginning of the raw packet data. 706 * 707 * It's usually 0, except for 802.11 with a fixed-length radio header. 708 * (For 802.11 with a variable-length radio header, we have to generate 709 * code to compute that offset; off_ll is 0 in that case.) 710 */ 711 static u_int off_ll; 712 713 /* 714 * If there's a variable-length header preceding the link-layer header, 715 * "reg_off_ll" is the register number for a register containing the 716 * length of that header, and therefore the offset of the link-layer 717 * header from the beginning of the raw packet data. Otherwise, 718 * "reg_off_ll" is -1. 719 */ 720 static int reg_off_ll; 721 722 /* 723 * This is the offset of the beginning of the MAC-layer header from 724 * the beginning of the link-layer header. 725 * It's usually 0, except for ATM LANE, where it's the offset, relative 726 * to the beginning of the raw packet data, of the Ethernet header. 727 */ 728 static u_int off_mac; 729 730 /* 731 * This is the offset of the beginning of the MAC-layer payload, 732 * from the beginning of the raw packet data. 733 * 734 * I.e., it's the sum of the length of the link-layer header (without, 735 * for example, any 802.2 LLC header, so it's the MAC-layer 736 * portion of that header), plus any prefix preceding the 737 * link-layer header. 738 */ 739 static u_int off_macpl; 740 741 /* 742 * This is 1 if the offset of the beginning of the MAC-layer payload 743 * from the beginning of the link-layer header is variable-length. 744 */ 745 static int off_macpl_is_variable; 746 747 /* 748 * If the link layer has variable_length headers, "reg_off_macpl" 749 * is the register number for a register containing the length of the 750 * link-layer header plus the length of any variable-length header 751 * preceding the link-layer header. Otherwise, "reg_off_macpl" 752 * is -1. 753 */ 754 static int reg_off_macpl; 755 756 /* 757 * "off_linktype" is the offset to information in the link-layer header 758 * giving the packet type. This offset is relative to the beginning 759 * of the link-layer header (i.e., it doesn't include off_ll). 760 * 761 * For Ethernet, it's the offset of the Ethernet type field. 762 * 763 * For link-layer types that always use 802.2 headers, it's the 764 * offset of the LLC header. 765 * 766 * For PPP, it's the offset of the PPP type field. 767 * 768 * For Cisco HDLC, it's the offset of the CHDLC type field. 769 * 770 * For BSD loopback, it's the offset of the AF_ value. 771 * 772 * For Linux cooked sockets, it's the offset of the type field. 773 * 774 * It's set to -1 for no encapsulation, in which case, IP is assumed. 775 */ 776 static u_int off_linktype; 777 778 /* 779 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 780 * checks to check the PPP header, assumed to follow a LAN-style link- 781 * layer header and a PPPoE session header. 782 */ 783 static int is_pppoes = 0; 784 785 /* 786 * TRUE if the link layer includes an ATM pseudo-header. 787 */ 788 static int is_atm = 0; 789 790 /* 791 * TRUE if "lane" appeared in the filter; it causes us to generate 792 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 793 */ 794 static int is_lane = 0; 795 796 /* 797 * These are offsets for the ATM pseudo-header. 798 */ 799 static u_int off_vpi; 800 static u_int off_vci; 801 static u_int off_proto; 802 803 /* 804 * These are offsets for the MTP2 fields. 805 */ 806 static u_int off_li; 807 808 /* 809 * These are offsets for the MTP3 fields. 810 */ 811 static u_int off_sio; 812 static u_int off_opc; 813 static u_int off_dpc; 814 static u_int off_sls; 815 816 /* 817 * This is the offset of the first byte after the ATM pseudo_header, 818 * or -1 if there is no ATM pseudo-header. 819 */ 820 static u_int off_payload; 821 822 /* 823 * These are offsets to the beginning of the network-layer header. 824 * They are relative to the beginning of the MAC-layer payload (i.e., 825 * they don't include off_ll or off_macpl). 826 * 827 * If the link layer never uses 802.2 LLC: 828 * 829 * "off_nl" and "off_nl_nosnap" are the same. 830 * 831 * If the link layer always uses 802.2 LLC: 832 * 833 * "off_nl" is the offset if there's a SNAP header following 834 * the 802.2 header; 835 * 836 * "off_nl_nosnap" is the offset if there's no SNAP header. 837 * 838 * If the link layer is Ethernet: 839 * 840 * "off_nl" is the offset if the packet is an Ethernet II packet 841 * (we assume no 802.3+802.2+SNAP); 842 * 843 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 844 * with an 802.2 header following it. 845 */ 846 static u_int off_nl; 847 static u_int off_nl_nosnap; 848 849 static int linktype; 850 851 static void 852 init_linktype(p) 853 pcap_t *p; 854 { 855 linktype = pcap_datalink(p); 856 #ifdef PCAP_FDDIPAD 857 pcap_fddipad = p->fddipad; 858 #endif 859 860 /* 861 * Assume it's not raw ATM with a pseudo-header, for now. 862 */ 863 off_mac = 0; 864 is_atm = 0; 865 is_lane = 0; 866 off_vpi = -1; 867 off_vci = -1; 868 off_proto = -1; 869 off_payload = -1; 870 871 /* 872 * And that we're not doing PPPoE. 873 */ 874 is_pppoes = 0; 875 876 /* 877 * And assume we're not doing SS7. 878 */ 879 off_li = -1; 880 off_sio = -1; 881 off_opc = -1; 882 off_dpc = -1; 883 off_sls = -1; 884 885 /* 886 * Also assume it's not 802.11. 887 */ 888 off_ll = 0; 889 off_macpl = 0; 890 off_macpl_is_variable = 0; 891 892 orig_linktype = -1; 893 orig_nl = -1; 894 label_stack_depth = 0; 895 896 reg_off_ll = -1; 897 reg_off_macpl = -1; 898 899 switch (linktype) { 900 901 case DLT_ARCNET: 902 off_linktype = 2; 903 off_macpl = 6; 904 off_nl = 0; /* XXX in reality, variable! */ 905 off_nl_nosnap = 0; /* no 802.2 LLC */ 906 return; 907 908 case DLT_ARCNET_LINUX: 909 off_linktype = 4; 910 off_macpl = 8; 911 off_nl = 0; /* XXX in reality, variable! */ 912 off_nl_nosnap = 0; /* no 802.2 LLC */ 913 return; 914 915 case DLT_EN10MB: 916 off_linktype = 12; 917 off_macpl = 14; /* Ethernet header length */ 918 off_nl = 0; /* Ethernet II */ 919 off_nl_nosnap = 3; /* 802.3+802.2 */ 920 return; 921 922 case DLT_SLIP: 923 /* 924 * SLIP doesn't have a link level type. The 16 byte 925 * header is hacked into our SLIP driver. 926 */ 927 off_linktype = -1; 928 off_macpl = 16; 929 off_nl = 0; 930 off_nl_nosnap = 0; /* no 802.2 LLC */ 931 return; 932 933 case DLT_SLIP_BSDOS: 934 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 935 off_linktype = -1; 936 /* XXX end */ 937 off_macpl = 24; 938 off_nl = 0; 939 off_nl_nosnap = 0; /* no 802.2 LLC */ 940 return; 941 942 case DLT_NULL: 943 case DLT_LOOP: 944 off_linktype = 0; 945 off_macpl = 4; 946 off_nl = 0; 947 off_nl_nosnap = 0; /* no 802.2 LLC */ 948 return; 949 950 case DLT_ENC: 951 off_linktype = 0; 952 off_macpl = 12; 953 off_nl = 0; 954 off_nl_nosnap = 0; /* no 802.2 LLC */ 955 return; 956 957 case DLT_PPP: 958 case DLT_PPP_PPPD: 959 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 960 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 961 off_linktype = 2; 962 off_macpl = 4; 963 off_nl = 0; 964 off_nl_nosnap = 0; /* no 802.2 LLC */ 965 return; 966 967 case DLT_PPP_ETHER: 968 /* 969 * This does no include the Ethernet header, and 970 * only covers session state. 971 */ 972 off_linktype = 6; 973 off_macpl = 8; 974 off_nl = 0; 975 off_nl_nosnap = 0; /* no 802.2 LLC */ 976 return; 977 978 case DLT_PPP_BSDOS: 979 off_linktype = 5; 980 off_macpl = 24; 981 off_nl = 0; 982 off_nl_nosnap = 0; /* no 802.2 LLC */ 983 return; 984 985 case DLT_FDDI: 986 /* 987 * FDDI doesn't really have a link-level type field. 988 * We set "off_linktype" to the offset of the LLC header. 989 * 990 * To check for Ethernet types, we assume that SSAP = SNAP 991 * is being used and pick out the encapsulated Ethernet type. 992 * XXX - should we generate code to check for SNAP? 993 */ 994 off_linktype = 13; 995 #ifdef PCAP_FDDIPAD 996 off_linktype += pcap_fddipad; 997 #endif 998 off_macpl = 13; /* FDDI MAC header length */ 999 #ifdef PCAP_FDDIPAD 1000 off_macpl += pcap_fddipad; 1001 #endif 1002 off_nl = 8; /* 802.2+SNAP */ 1003 off_nl_nosnap = 3; /* 802.2 */ 1004 return; 1005 1006 case DLT_IEEE802: 1007 /* 1008 * Token Ring doesn't really have a link-level type field. 1009 * We set "off_linktype" to the offset of the LLC header. 1010 * 1011 * To check for Ethernet types, we assume that SSAP = SNAP 1012 * is being used and pick out the encapsulated Ethernet type. 1013 * XXX - should we generate code to check for SNAP? 1014 * 1015 * XXX - the header is actually variable-length. 1016 * Some various Linux patched versions gave 38 1017 * as "off_linktype" and 40 as "off_nl"; however, 1018 * if a token ring packet has *no* routing 1019 * information, i.e. is not source-routed, the correct 1020 * values are 20 and 22, as they are in the vanilla code. 1021 * 1022 * A packet is source-routed iff the uppermost bit 1023 * of the first byte of the source address, at an 1024 * offset of 8, has the uppermost bit set. If the 1025 * packet is source-routed, the total number of bytes 1026 * of routing information is 2 plus bits 0x1F00 of 1027 * the 16-bit value at an offset of 14 (shifted right 1028 * 8 - figure out which byte that is). 1029 */ 1030 off_linktype = 14; 1031 off_macpl = 14; /* Token Ring MAC header length */ 1032 off_nl = 8; /* 802.2+SNAP */ 1033 off_nl_nosnap = 3; /* 802.2 */ 1034 return; 1035 1036 case DLT_IEEE802_11: 1037 case DLT_PRISM_HEADER: 1038 case DLT_IEEE802_11_RADIO_AVS: 1039 case DLT_IEEE802_11_RADIO: 1040 /* 1041 * 802.11 doesn't really have a link-level type field. 1042 * We set "off_linktype" to the offset of the LLC header. 1043 * 1044 * To check for Ethernet types, we assume that SSAP = SNAP 1045 * is being used and pick out the encapsulated Ethernet type. 1046 * XXX - should we generate code to check for SNAP? 1047 * 1048 * We also handle variable-length radio headers here. 1049 * The Prism header is in theory variable-length, but in 1050 * practice it's always 144 bytes long. However, some 1051 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1052 * sometimes or always supply an AVS header, so we 1053 * have to check whether the radio header is a Prism 1054 * header or an AVS header, so, in practice, it's 1055 * variable-length. 1056 */ 1057 off_linktype = 24; 1058 off_macpl = 0; /* link-layer header is variable-length */ 1059 off_macpl_is_variable = 1; 1060 off_nl = 8; /* 802.2+SNAP */ 1061 off_nl_nosnap = 3; /* 802.2 */ 1062 return; 1063 1064 case DLT_PPI: 1065 /* 1066 * At the moment we treat PPI the same way that we treat 1067 * normal Radiotap encoded packets. The difference is in 1068 * the function that generates the code at the beginning 1069 * to compute the header length. Since this code generator 1070 * of PPI supports bare 802.11 encapsulation only (i.e. 1071 * the encapsulated DLT should be DLT_IEEE802_11) we 1072 * generate code to check for this too. 1073 */ 1074 off_linktype = 24; 1075 off_macpl = 0; /* link-layer header is variable-length */ 1076 off_macpl_is_variable = 1; 1077 off_nl = 8; /* 802.2+SNAP */ 1078 off_nl_nosnap = 3; /* 802.2 */ 1079 return; 1080 1081 case DLT_ATM_RFC1483: 1082 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1083 /* 1084 * assume routed, non-ISO PDUs 1085 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1086 * 1087 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1088 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1089 * latter would presumably be treated the way PPPoE 1090 * should be, so you can do "pppoe and udp port 2049" 1091 * or "pppoa and tcp port 80" and have it check for 1092 * PPPo{A,E} and a PPP protocol of IP and.... 1093 */ 1094 off_linktype = 0; 1095 off_macpl = 0; /* packet begins with LLC header */ 1096 off_nl = 8; /* 802.2+SNAP */ 1097 off_nl_nosnap = 3; /* 802.2 */ 1098 return; 1099 1100 case DLT_SUNATM: 1101 /* 1102 * Full Frontal ATM; you get AALn PDUs with an ATM 1103 * pseudo-header. 1104 */ 1105 is_atm = 1; 1106 off_vpi = SUNATM_VPI_POS; 1107 off_vci = SUNATM_VCI_POS; 1108 off_proto = PROTO_POS; 1109 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1110 off_payload = SUNATM_PKT_BEGIN_POS; 1111 off_linktype = off_payload; 1112 off_macpl = off_payload; /* if LLC-encapsulated */ 1113 off_nl = 8; /* 802.2+SNAP */ 1114 off_nl_nosnap = 3; /* 802.2 */ 1115 return; 1116 1117 case DLT_RAW: 1118 off_linktype = -1; 1119 off_macpl = 0; 1120 off_nl = 0; 1121 off_nl_nosnap = 0; /* no 802.2 LLC */ 1122 return; 1123 1124 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1125 off_linktype = 14; 1126 off_macpl = 16; 1127 off_nl = 0; 1128 off_nl_nosnap = 0; /* no 802.2 LLC */ 1129 return; 1130 1131 case DLT_LTALK: 1132 /* 1133 * LocalTalk does have a 1-byte type field in the LLAP header, 1134 * but really it just indicates whether there is a "short" or 1135 * "long" DDP packet following. 1136 */ 1137 off_linktype = -1; 1138 off_macpl = 0; 1139 off_nl = 0; 1140 off_nl_nosnap = 0; /* no 802.2 LLC */ 1141 return; 1142 1143 case DLT_IP_OVER_FC: 1144 /* 1145 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1146 * link-level type field. We set "off_linktype" to the 1147 * offset of the LLC header. 1148 * 1149 * To check for Ethernet types, we assume that SSAP = SNAP 1150 * is being used and pick out the encapsulated Ethernet type. 1151 * XXX - should we generate code to check for SNAP? RFC 1152 * 2625 says SNAP should be used. 1153 */ 1154 off_linktype = 16; 1155 off_macpl = 16; 1156 off_nl = 8; /* 802.2+SNAP */ 1157 off_nl_nosnap = 3; /* 802.2 */ 1158 return; 1159 1160 case DLT_FRELAY: 1161 /* 1162 * XXX - we should set this to handle SNAP-encapsulated 1163 * frames (NLPID of 0x80). 1164 */ 1165 off_linktype = -1; 1166 off_macpl = 0; 1167 off_nl = 0; 1168 off_nl_nosnap = 0; /* no 802.2 LLC */ 1169 return; 1170 1171 /* 1172 * the only BPF-interesting FRF.16 frames are non-control frames; 1173 * Frame Relay has a variable length link-layer 1174 * so lets start with offset 4 for now and increments later on (FIXME); 1175 */ 1176 case DLT_MFR: 1177 off_linktype = -1; 1178 off_macpl = 0; 1179 off_nl = 4; 1180 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1181 return; 1182 1183 case DLT_APPLE_IP_OVER_IEEE1394: 1184 off_linktype = 16; 1185 off_macpl = 18; 1186 off_nl = 0; 1187 off_nl_nosnap = 0; /* no 802.2 LLC */ 1188 return; 1189 1190 case DLT_LINUX_IRDA: 1191 /* 1192 * Currently, only raw "link[N:M]" filtering is supported. 1193 */ 1194 off_linktype = -1; 1195 off_macpl = -1; 1196 off_nl = -1; 1197 off_nl_nosnap = -1; 1198 return; 1199 1200 case DLT_DOCSIS: 1201 /* 1202 * Currently, only raw "link[N:M]" filtering is supported. 1203 */ 1204 off_linktype = -1; 1205 off_macpl = -1; 1206 off_nl = -1; 1207 off_nl_nosnap = -1; 1208 return; 1209 1210 case DLT_SYMANTEC_FIREWALL: 1211 off_linktype = 6; 1212 off_macpl = 44; 1213 off_nl = 0; /* Ethernet II */ 1214 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1215 return; 1216 1217 #ifdef HAVE_NET_PFVAR_H 1218 case DLT_PFLOG: 1219 off_linktype = 0; 1220 off_macpl = PFLOG_HDRLEN; 1221 off_nl = 0; 1222 off_nl_nosnap = 0; /* no 802.2 LLC */ 1223 return; 1224 #endif 1225 1226 case DLT_JUNIPER_MFR: 1227 case DLT_JUNIPER_MLFR: 1228 case DLT_JUNIPER_MLPPP: 1229 case DLT_JUNIPER_PPP: 1230 case DLT_JUNIPER_CHDLC: 1231 case DLT_JUNIPER_FRELAY: 1232 off_linktype = 4; 1233 off_macpl = 4; 1234 off_nl = 0; 1235 off_nl_nosnap = -1; /* no 802.2 LLC */ 1236 return; 1237 1238 case DLT_JUNIPER_ATM1: 1239 off_linktype = 4; /* in reality variable between 4-8 */ 1240 off_macpl = 4; /* in reality variable between 4-8 */ 1241 off_nl = 0; 1242 off_nl_nosnap = 10; 1243 return; 1244 1245 case DLT_JUNIPER_ATM2: 1246 off_linktype = 8; /* in reality variable between 8-12 */ 1247 off_macpl = 8; /* in reality variable between 8-12 */ 1248 off_nl = 0; 1249 off_nl_nosnap = 10; 1250 return; 1251 1252 /* frames captured on a Juniper PPPoE service PIC 1253 * contain raw ethernet frames */ 1254 case DLT_JUNIPER_PPPOE: 1255 case DLT_JUNIPER_ETHER: 1256 off_macpl = 14; 1257 off_linktype = 16; 1258 off_nl = 18; /* Ethernet II */ 1259 off_nl_nosnap = 21; /* 802.3+802.2 */ 1260 return; 1261 1262 case DLT_JUNIPER_PPPOE_ATM: 1263 off_linktype = 4; 1264 off_macpl = 6; 1265 off_nl = 0; 1266 off_nl_nosnap = -1; /* no 802.2 LLC */ 1267 return; 1268 1269 case DLT_JUNIPER_GGSN: 1270 off_linktype = 6; 1271 off_macpl = 12; 1272 off_nl = 0; 1273 off_nl_nosnap = -1; /* no 802.2 LLC */ 1274 return; 1275 1276 case DLT_JUNIPER_ES: 1277 off_linktype = 6; 1278 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1279 off_nl = -1; /* not really a network layer but raw IP addresses */ 1280 off_nl_nosnap = -1; /* no 802.2 LLC */ 1281 return; 1282 1283 case DLT_JUNIPER_MONITOR: 1284 off_linktype = 12; 1285 off_macpl = 12; 1286 off_nl = 0; /* raw IP/IP6 header */ 1287 off_nl_nosnap = -1; /* no 802.2 LLC */ 1288 return; 1289 1290 case DLT_JUNIPER_SERVICES: 1291 off_linktype = 12; 1292 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1293 off_nl = -1; /* L3 proto location dep. on cookie type */ 1294 off_nl_nosnap = -1; /* no 802.2 LLC */ 1295 return; 1296 1297 case DLT_JUNIPER_VP: 1298 off_linktype = 18; 1299 off_macpl = -1; 1300 off_nl = -1; 1301 off_nl_nosnap = -1; 1302 return; 1303 1304 case DLT_JUNIPER_ST: 1305 off_linktype = 18; 1306 off_macpl = -1; 1307 off_nl = -1; 1308 off_nl_nosnap = -1; 1309 return; 1310 1311 case DLT_JUNIPER_ISM: 1312 off_linktype = 8; 1313 off_macpl = -1; 1314 off_nl = -1; 1315 off_nl_nosnap = -1; 1316 return; 1317 1318 case DLT_MTP2: 1319 off_li = 2; 1320 off_sio = 3; 1321 off_opc = 4; 1322 off_dpc = 4; 1323 off_sls = 7; 1324 off_linktype = -1; 1325 off_macpl = -1; 1326 off_nl = -1; 1327 off_nl_nosnap = -1; 1328 return; 1329 1330 case DLT_MTP2_WITH_PHDR: 1331 off_li = 6; 1332 off_sio = 7; 1333 off_opc = 8; 1334 off_dpc = 8; 1335 off_sls = 11; 1336 off_linktype = -1; 1337 off_macpl = -1; 1338 off_nl = -1; 1339 off_nl_nosnap = -1; 1340 return; 1341 1342 case DLT_ERF: 1343 off_li = 22; 1344 off_sio = 23; 1345 off_opc = 24; 1346 off_dpc = 24; 1347 off_sls = 27; 1348 off_linktype = -1; 1349 off_macpl = -1; 1350 off_nl = -1; 1351 off_nl_nosnap = -1; 1352 return; 1353 1354 #ifdef DLT_PFSYNC 1355 case DLT_PFSYNC: 1356 off_linktype = -1; 1357 off_macpl = 4; 1358 off_nl = 0; 1359 off_nl_nosnap = 0; 1360 return; 1361 #endif 1362 1363 case DLT_LINUX_LAPD: 1364 /* 1365 * Currently, only raw "link[N:M]" filtering is supported. 1366 */ 1367 off_linktype = -1; 1368 off_macpl = -1; 1369 off_nl = -1; 1370 off_nl_nosnap = -1; 1371 return; 1372 1373 case DLT_USB: 1374 /* 1375 * Currently, only raw "link[N:M]" filtering is supported. 1376 */ 1377 off_linktype = -1; 1378 off_macpl = -1; 1379 off_nl = -1; 1380 off_nl_nosnap = -1; 1381 return; 1382 1383 case DLT_BLUETOOTH_HCI_H4: 1384 /* 1385 * Currently, only raw "link[N:M]" filtering is supported. 1386 */ 1387 off_linktype = -1; 1388 off_macpl = -1; 1389 off_nl = -1; 1390 off_nl_nosnap = -1; 1391 return; 1392 1393 case DLT_USB_LINUX: 1394 /* 1395 * Currently, only raw "link[N:M]" filtering is supported. 1396 */ 1397 off_linktype = -1; 1398 off_macpl = -1; 1399 off_nl = -1; 1400 off_nl_nosnap = -1; 1401 return; 1402 1403 case DLT_CAN20B: 1404 /* 1405 * Currently, only raw "link[N:M]" filtering is supported. 1406 */ 1407 off_linktype = -1; 1408 off_macpl = -1; 1409 off_nl = -1; 1410 off_nl_nosnap = -1; 1411 return; 1412 1413 case DLT_IEEE802_15_4_LINUX: 1414 /* 1415 * Currently, only raw "link[N:M]" filtering is supported. 1416 */ 1417 off_linktype = -1; 1418 off_macpl = -1; 1419 off_nl = -1; 1420 off_nl_nosnap = -1; 1421 return; 1422 1423 case DLT_IEEE802_16_MAC_CPS_RADIO: 1424 /* 1425 * Currently, only raw "link[N:M]" filtering is supported. 1426 */ 1427 off_linktype = -1; 1428 off_macpl = -1; 1429 off_nl = -1; 1430 off_nl_nosnap = -1; 1431 return; 1432 1433 case DLT_IEEE802_15_4: 1434 /* 1435 * Currently, only raw "link[N:M]" filtering is supported. 1436 */ 1437 off_linktype = -1; 1438 off_macpl = -1; 1439 off_nl = -1; 1440 off_nl_nosnap = -1; 1441 return; 1442 1443 case DLT_SITA: 1444 /* 1445 * Currently, only raw "link[N:M]" filtering is supported. 1446 */ 1447 off_linktype = -1; 1448 off_macpl = -1; 1449 off_nl = -1; 1450 off_nl_nosnap = -1; 1451 return; 1452 1453 case DLT_RAIF1: 1454 /* 1455 * Currently, only raw "link[N:M]" filtering is supported. 1456 */ 1457 off_linktype = -1; 1458 off_macpl = -1; 1459 off_nl = -1; 1460 off_nl_nosnap = -1; 1461 return; 1462 1463 case DLT_IPMB: 1464 /* 1465 * Currently, only raw "link[N:M]" filtering is supported. 1466 */ 1467 off_linktype = -1; 1468 off_macpl = -1; 1469 off_nl = -1; 1470 off_nl_nosnap = -1; 1471 return; 1472 1473 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1474 /* 1475 * Currently, only raw "link[N:M]" filtering is supported. 1476 */ 1477 off_linktype = -1; 1478 off_macpl = -1; 1479 off_nl = -1; 1480 off_nl_nosnap = -1; 1481 return; 1482 1483 case DLT_AX25_KISS: 1484 /* 1485 * Currently, only raw "link[N:M]" filtering is supported. 1486 */ 1487 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1488 off_macpl = -1; 1489 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1490 off_nl_nosnap = -1; /* no 802.2 LLC */ 1491 off_mac = 1; /* step over the kiss length byte */ 1492 return; 1493 1494 case DLT_IEEE802_15_4_NONASK_PHY: 1495 /* 1496 * Currently, only raw "link[N:M]" filtering is supported. 1497 */ 1498 off_linktype = -1; 1499 off_macpl = -1; 1500 off_nl = -1; 1501 off_nl_nosnap = -1; 1502 return; 1503 } 1504 bpf_error("unknown data link type %d", linktype); 1505 /* NOTREACHED */ 1506 } 1507 1508 /* 1509 * Load a value relative to the beginning of the link-layer header. 1510 * The link-layer header doesn't necessarily begin at the beginning 1511 * of the packet data; there might be a variable-length prefix containing 1512 * radio information. 1513 */ 1514 static struct slist * 1515 gen_load_llrel(offset, size) 1516 u_int offset, size; 1517 { 1518 struct slist *s, *s2; 1519 1520 s = gen_llprefixlen(); 1521 1522 /* 1523 * If "s" is non-null, it has code to arrange that the X register 1524 * contains the length of the prefix preceding the link-layer 1525 * header. 1526 * 1527 * Otherwise, the length of the prefix preceding the link-layer 1528 * header is "off_ll". 1529 */ 1530 if (s != NULL) { 1531 /* 1532 * There's a variable-length prefix preceding the 1533 * link-layer header. "s" points to a list of statements 1534 * that put the length of that prefix into the X register. 1535 * do an indirect load, to use the X register as an offset. 1536 */ 1537 s2 = new_stmt(BPF_LD|BPF_IND|size); 1538 s2->s.k = offset; 1539 sappend(s, s2); 1540 } else { 1541 /* 1542 * There is no variable-length header preceding the 1543 * link-layer header; add in off_ll, which, if there's 1544 * a fixed-length header preceding the link-layer header, 1545 * is the length of that header. 1546 */ 1547 s = new_stmt(BPF_LD|BPF_ABS|size); 1548 s->s.k = offset + off_ll; 1549 } 1550 return s; 1551 } 1552 1553 /* 1554 * Load a value relative to the beginning of the MAC-layer payload. 1555 */ 1556 static struct slist * 1557 gen_load_macplrel(offset, size) 1558 u_int offset, size; 1559 { 1560 struct slist *s, *s2; 1561 1562 s = gen_off_macpl(); 1563 1564 /* 1565 * If s is non-null, the offset of the MAC-layer payload is 1566 * variable, and s points to a list of instructions that 1567 * arrange that the X register contains that offset. 1568 * 1569 * Otherwise, the offset of the MAC-layer payload is constant, 1570 * and is in off_macpl. 1571 */ 1572 if (s != NULL) { 1573 /* 1574 * The offset of the MAC-layer payload is in the X 1575 * register. Do an indirect load, to use the X register 1576 * as an offset. 1577 */ 1578 s2 = new_stmt(BPF_LD|BPF_IND|size); 1579 s2->s.k = offset; 1580 sappend(s, s2); 1581 } else { 1582 /* 1583 * The offset of the MAC-layer payload is constant, 1584 * and is in off_macpl; load the value at that offset 1585 * plus the specified offset. 1586 */ 1587 s = new_stmt(BPF_LD|BPF_ABS|size); 1588 s->s.k = off_macpl + offset; 1589 } 1590 return s; 1591 } 1592 1593 /* 1594 * Load a value relative to the beginning of the specified header. 1595 */ 1596 static struct slist * 1597 gen_load_a(offrel, offset, size) 1598 enum e_offrel offrel; 1599 u_int offset, size; 1600 { 1601 struct slist *s, *s2; 1602 1603 switch (offrel) { 1604 1605 case OR_PACKET: 1606 s = new_stmt(BPF_LD|BPF_ABS|size); 1607 s->s.k = offset; 1608 break; 1609 1610 case OR_LINK: 1611 s = gen_load_llrel(offset, size); 1612 break; 1613 1614 case OR_MACPL: 1615 s = gen_load_macplrel(offset, size); 1616 break; 1617 1618 case OR_NET: 1619 s = gen_load_macplrel(off_nl + offset, size); 1620 break; 1621 1622 case OR_NET_NOSNAP: 1623 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1624 break; 1625 1626 case OR_TRAN_IPV4: 1627 /* 1628 * Load the X register with the length of the IPv4 header 1629 * (plus the offset of the link-layer header, if it's 1630 * preceded by a variable-length header such as a radio 1631 * header), in bytes. 1632 */ 1633 s = gen_loadx_iphdrlen(); 1634 1635 /* 1636 * Load the item at {offset of the MAC-layer payload} + 1637 * {offset, relative to the start of the MAC-layer 1638 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1639 * {specified offset}. 1640 * 1641 * (If the offset of the MAC-layer payload is variable, 1642 * it's included in the value in the X register, and 1643 * off_macpl is 0.) 1644 */ 1645 s2 = new_stmt(BPF_LD|BPF_IND|size); 1646 s2->s.k = off_macpl + off_nl + offset; 1647 sappend(s, s2); 1648 break; 1649 1650 case OR_TRAN_IPV6: 1651 s = gen_load_macplrel(off_nl + 40 + offset, size); 1652 break; 1653 1654 default: 1655 abort(); 1656 return NULL; 1657 } 1658 return s; 1659 } 1660 1661 /* 1662 * Generate code to load into the X register the sum of the length of 1663 * the IPv4 header and any variable-length header preceding the link-layer 1664 * header. 1665 */ 1666 static struct slist * 1667 gen_loadx_iphdrlen() 1668 { 1669 struct slist *s, *s2; 1670 1671 s = gen_off_macpl(); 1672 if (s != NULL) { 1673 /* 1674 * There's a variable-length prefix preceding the 1675 * link-layer header, or the link-layer header is itself 1676 * variable-length. "s" points to a list of statements 1677 * that put the offset of the MAC-layer payload into 1678 * the X register. 1679 * 1680 * The 4*([k]&0xf) addressing mode can't be used, as we 1681 * don't have a constant offset, so we have to load the 1682 * value in question into the A register and add to it 1683 * the value from the X register. 1684 */ 1685 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1686 s2->s.k = off_nl; 1687 sappend(s, s2); 1688 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1689 s2->s.k = 0xf; 1690 sappend(s, s2); 1691 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1692 s2->s.k = 2; 1693 sappend(s, s2); 1694 1695 /* 1696 * The A register now contains the length of the 1697 * IP header. We need to add to it the offset of 1698 * the MAC-layer payload, which is still in the X 1699 * register, and move the result into the X register. 1700 */ 1701 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1702 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1703 } else { 1704 /* 1705 * There is no variable-length header preceding the 1706 * link-layer header, and the link-layer header is 1707 * fixed-length; load the length of the IPv4 header, 1708 * which is at an offset of off_nl from the beginning 1709 * of the MAC-layer payload, and thus at an offset 1710 * of off_mac_pl + off_nl from the beginning of the 1711 * raw packet data. 1712 */ 1713 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1714 s->s.k = off_macpl + off_nl; 1715 } 1716 return s; 1717 } 1718 1719 static struct block * 1720 gen_uncond(rsense) 1721 int rsense; 1722 { 1723 struct block *b; 1724 struct slist *s; 1725 1726 s = new_stmt(BPF_LD|BPF_IMM); 1727 s->s.k = !rsense; 1728 b = new_block(JMP(BPF_JEQ)); 1729 b->stmts = s; 1730 1731 return b; 1732 } 1733 1734 static inline struct block * 1735 gen_true() 1736 { 1737 return gen_uncond(1); 1738 } 1739 1740 static inline struct block * 1741 gen_false() 1742 { 1743 return gen_uncond(0); 1744 } 1745 1746 /* 1747 * Byte-swap a 32-bit number. 1748 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1749 * big-endian platforms.) 1750 */ 1751 #define SWAPLONG(y) \ 1752 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1753 1754 /* 1755 * Generate code to match a particular packet type. 1756 * 1757 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1758 * value, if <= ETHERMTU. We use that to determine whether to 1759 * match the type/length field or to check the type/length field for 1760 * a value <= ETHERMTU to see whether it's a type field and then do 1761 * the appropriate test. 1762 */ 1763 static struct block * 1764 gen_ether_linktype(proto) 1765 register int proto; 1766 { 1767 struct block *b0, *b1; 1768 1769 switch (proto) { 1770 1771 case LLCSAP_ISONS: 1772 case LLCSAP_IP: 1773 case LLCSAP_NETBEUI: 1774 /* 1775 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1776 * so we check the DSAP and SSAP. 1777 * 1778 * LLCSAP_IP checks for IP-over-802.2, rather 1779 * than IP-over-Ethernet or IP-over-SNAP. 1780 * 1781 * XXX - should we check both the DSAP and the 1782 * SSAP, like this, or should we check just the 1783 * DSAP, as we do for other types <= ETHERMTU 1784 * (i.e., other SAP values)? 1785 */ 1786 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1787 gen_not(b0); 1788 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1789 ((proto << 8) | proto)); 1790 gen_and(b0, b1); 1791 return b1; 1792 1793 case LLCSAP_IPX: 1794 /* 1795 * Check for; 1796 * 1797 * Ethernet_II frames, which are Ethernet 1798 * frames with a frame type of ETHERTYPE_IPX; 1799 * 1800 * Ethernet_802.3 frames, which are 802.3 1801 * frames (i.e., the type/length field is 1802 * a length field, <= ETHERMTU, rather than 1803 * a type field) with the first two bytes 1804 * after the Ethernet/802.3 header being 1805 * 0xFFFF; 1806 * 1807 * Ethernet_802.2 frames, which are 802.3 1808 * frames with an 802.2 LLC header and 1809 * with the IPX LSAP as the DSAP in the LLC 1810 * header; 1811 * 1812 * Ethernet_SNAP frames, which are 802.3 1813 * frames with an LLC header and a SNAP 1814 * header and with an OUI of 0x000000 1815 * (encapsulated Ethernet) and a protocol 1816 * ID of ETHERTYPE_IPX in the SNAP header. 1817 * 1818 * XXX - should we generate the same code both 1819 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1820 */ 1821 1822 /* 1823 * This generates code to check both for the 1824 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1825 */ 1826 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1827 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1828 gen_or(b0, b1); 1829 1830 /* 1831 * Now we add code to check for SNAP frames with 1832 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1833 */ 1834 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1835 gen_or(b0, b1); 1836 1837 /* 1838 * Now we generate code to check for 802.3 1839 * frames in general. 1840 */ 1841 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1842 gen_not(b0); 1843 1844 /* 1845 * Now add the check for 802.3 frames before the 1846 * check for Ethernet_802.2 and Ethernet_802.3, 1847 * as those checks should only be done on 802.3 1848 * frames, not on Ethernet frames. 1849 */ 1850 gen_and(b0, b1); 1851 1852 /* 1853 * Now add the check for Ethernet_II frames, and 1854 * do that before checking for the other frame 1855 * types. 1856 */ 1857 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1858 (bpf_int32)ETHERTYPE_IPX); 1859 gen_or(b0, b1); 1860 return b1; 1861 1862 case ETHERTYPE_ATALK: 1863 case ETHERTYPE_AARP: 1864 /* 1865 * EtherTalk (AppleTalk protocols on Ethernet link 1866 * layer) may use 802.2 encapsulation. 1867 */ 1868 1869 /* 1870 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1871 * we check for an Ethernet type field less than 1872 * 1500, which means it's an 802.3 length field. 1873 */ 1874 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1875 gen_not(b0); 1876 1877 /* 1878 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1879 * SNAP packets with an organization code of 1880 * 0x080007 (Apple, for Appletalk) and a protocol 1881 * type of ETHERTYPE_ATALK (Appletalk). 1882 * 1883 * 802.2-encapsulated ETHERTYPE_AARP packets are 1884 * SNAP packets with an organization code of 1885 * 0x000000 (encapsulated Ethernet) and a protocol 1886 * type of ETHERTYPE_AARP (Appletalk ARP). 1887 */ 1888 if (proto == ETHERTYPE_ATALK) 1889 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1890 else /* proto == ETHERTYPE_AARP */ 1891 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1892 gen_and(b0, b1); 1893 1894 /* 1895 * Check for Ethernet encapsulation (Ethertalk 1896 * phase 1?); we just check for the Ethernet 1897 * protocol type. 1898 */ 1899 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1900 1901 gen_or(b0, b1); 1902 return b1; 1903 1904 default: 1905 if (proto <= ETHERMTU) { 1906 /* 1907 * This is an LLC SAP value, so the frames 1908 * that match would be 802.2 frames. 1909 * Check that the frame is an 802.2 frame 1910 * (i.e., that the length/type field is 1911 * a length field, <= ETHERMTU) and 1912 * then check the DSAP. 1913 */ 1914 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1915 gen_not(b0); 1916 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1917 (bpf_int32)proto); 1918 gen_and(b0, b1); 1919 return b1; 1920 } else { 1921 /* 1922 * This is an Ethernet type, so compare 1923 * the length/type field with it (if 1924 * the frame is an 802.2 frame, the length 1925 * field will be <= ETHERMTU, and, as 1926 * "proto" is > ETHERMTU, this test 1927 * will fail and the frame won't match, 1928 * which is what we want). 1929 */ 1930 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1931 (bpf_int32)proto); 1932 } 1933 } 1934 } 1935 1936 /* 1937 * Generate code to match a particular packet type. 1938 * 1939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1940 * value, if <= ETHERMTU. We use that to determine whether to 1941 * match the type field or to check the type field for the special 1942 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1943 */ 1944 static struct block * 1945 gen_linux_sll_linktype(proto) 1946 register int proto; 1947 { 1948 struct block *b0, *b1; 1949 1950 switch (proto) { 1951 1952 case LLCSAP_ISONS: 1953 case LLCSAP_IP: 1954 case LLCSAP_NETBEUI: 1955 /* 1956 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1957 * so we check the DSAP and SSAP. 1958 * 1959 * LLCSAP_IP checks for IP-over-802.2, rather 1960 * than IP-over-Ethernet or IP-over-SNAP. 1961 * 1962 * XXX - should we check both the DSAP and the 1963 * SSAP, like this, or should we check just the 1964 * DSAP, as we do for other types <= ETHERMTU 1965 * (i.e., other SAP values)? 1966 */ 1967 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1968 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1969 ((proto << 8) | proto)); 1970 gen_and(b0, b1); 1971 return b1; 1972 1973 case LLCSAP_IPX: 1974 /* 1975 * Ethernet_II frames, which are Ethernet 1976 * frames with a frame type of ETHERTYPE_IPX; 1977 * 1978 * Ethernet_802.3 frames, which have a frame 1979 * type of LINUX_SLL_P_802_3; 1980 * 1981 * Ethernet_802.2 frames, which are 802.3 1982 * frames with an 802.2 LLC header (i.e, have 1983 * a frame type of LINUX_SLL_P_802_2) and 1984 * with the IPX LSAP as the DSAP in the LLC 1985 * header; 1986 * 1987 * Ethernet_SNAP frames, which are 802.3 1988 * frames with an LLC header and a SNAP 1989 * header and with an OUI of 0x000000 1990 * (encapsulated Ethernet) and a protocol 1991 * ID of ETHERTYPE_IPX in the SNAP header. 1992 * 1993 * First, do the checks on LINUX_SLL_P_802_2 1994 * frames; generate the check for either 1995 * Ethernet_802.2 or Ethernet_SNAP frames, and 1996 * then put a check for LINUX_SLL_P_802_2 frames 1997 * before it. 1998 */ 1999 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2000 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2001 gen_or(b0, b1); 2002 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2003 gen_and(b0, b1); 2004 2005 /* 2006 * Now check for 802.3 frames and OR that with 2007 * the previous test. 2008 */ 2009 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2010 gen_or(b0, b1); 2011 2012 /* 2013 * Now add the check for Ethernet_II frames, and 2014 * do that before checking for the other frame 2015 * types. 2016 */ 2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2018 (bpf_int32)ETHERTYPE_IPX); 2019 gen_or(b0, b1); 2020 return b1; 2021 2022 case ETHERTYPE_ATALK: 2023 case ETHERTYPE_AARP: 2024 /* 2025 * EtherTalk (AppleTalk protocols on Ethernet link 2026 * layer) may use 802.2 encapsulation. 2027 */ 2028 2029 /* 2030 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2031 * we check for the 802.2 protocol type in the 2032 * "Ethernet type" field. 2033 */ 2034 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2035 2036 /* 2037 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2038 * SNAP packets with an organization code of 2039 * 0x080007 (Apple, for Appletalk) and a protocol 2040 * type of ETHERTYPE_ATALK (Appletalk). 2041 * 2042 * 802.2-encapsulated ETHERTYPE_AARP packets are 2043 * SNAP packets with an organization code of 2044 * 0x000000 (encapsulated Ethernet) and a protocol 2045 * type of ETHERTYPE_AARP (Appletalk ARP). 2046 */ 2047 if (proto == ETHERTYPE_ATALK) 2048 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2049 else /* proto == ETHERTYPE_AARP */ 2050 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2051 gen_and(b0, b1); 2052 2053 /* 2054 * Check for Ethernet encapsulation (Ethertalk 2055 * phase 1?); we just check for the Ethernet 2056 * protocol type. 2057 */ 2058 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2059 2060 gen_or(b0, b1); 2061 return b1; 2062 2063 default: 2064 if (proto <= ETHERMTU) { 2065 /* 2066 * This is an LLC SAP value, so the frames 2067 * that match would be 802.2 frames. 2068 * Check for the 802.2 protocol type 2069 * in the "Ethernet type" field, and 2070 * then check the DSAP. 2071 */ 2072 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2073 LINUX_SLL_P_802_2); 2074 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2075 (bpf_int32)proto); 2076 gen_and(b0, b1); 2077 return b1; 2078 } else { 2079 /* 2080 * This is an Ethernet type, so compare 2081 * the length/type field with it (if 2082 * the frame is an 802.2 frame, the length 2083 * field will be <= ETHERMTU, and, as 2084 * "proto" is > ETHERMTU, this test 2085 * will fail and the frame won't match, 2086 * which is what we want). 2087 */ 2088 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2089 (bpf_int32)proto); 2090 } 2091 } 2092 } 2093 2094 static struct slist * 2095 gen_load_prism_llprefixlen() 2096 { 2097 struct slist *s1, *s2; 2098 struct slist *sjeq_avs_cookie; 2099 struct slist *sjcommon; 2100 2101 /* 2102 * This code is not compatible with the optimizer, as 2103 * we are generating jmp instructions within a normal 2104 * slist of instructions 2105 */ 2106 no_optimize = 1; 2107 2108 /* 2109 * Generate code to load the length of the radio header into 2110 * the register assigned to hold that length, if one has been 2111 * assigned. (If one hasn't been assigned, no code we've 2112 * generated uses that prefix, so we don't need to generate any 2113 * code to load it.) 2114 * 2115 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2116 * or always use the AVS header rather than the Prism header. 2117 * We load a 4-byte big-endian value at the beginning of the 2118 * raw packet data, and see whether, when masked with 0xFFFFF000, 2119 * it's equal to 0x80211000. If so, that indicates that it's 2120 * an AVS header (the masked-out bits are the version number). 2121 * Otherwise, it's a Prism header. 2122 * 2123 * XXX - the Prism header is also, in theory, variable-length, 2124 * but no known software generates headers that aren't 144 2125 * bytes long. 2126 */ 2127 if (reg_off_ll != -1) { 2128 /* 2129 * Load the cookie. 2130 */ 2131 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2132 s1->s.k = 0; 2133 2134 /* 2135 * AND it with 0xFFFFF000. 2136 */ 2137 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2138 s2->s.k = 0xFFFFF000; 2139 sappend(s1, s2); 2140 2141 /* 2142 * Compare with 0x80211000. 2143 */ 2144 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2145 sjeq_avs_cookie->s.k = 0x80211000; 2146 sappend(s1, sjeq_avs_cookie); 2147 2148 /* 2149 * If it's AVS: 2150 * 2151 * The 4 bytes at an offset of 4 from the beginning of 2152 * the AVS header are the length of the AVS header. 2153 * That field is big-endian. 2154 */ 2155 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2156 s2->s.k = 4; 2157 sappend(s1, s2); 2158 sjeq_avs_cookie->s.jt = s2; 2159 2160 /* 2161 * Now jump to the code to allocate a register 2162 * into which to save the header length and 2163 * store the length there. (The "jump always" 2164 * instruction needs to have the k field set; 2165 * it's added to the PC, so, as we're jumping 2166 * over a single instruction, it should be 1.) 2167 */ 2168 sjcommon = new_stmt(JMP(BPF_JA)); 2169 sjcommon->s.k = 1; 2170 sappend(s1, sjcommon); 2171 2172 /* 2173 * Now for the code that handles the Prism header. 2174 * Just load the length of the Prism header (144) 2175 * into the A register. Have the test for an AVS 2176 * header branch here if we don't have an AVS header. 2177 */ 2178 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2179 s2->s.k = 144; 2180 sappend(s1, s2); 2181 sjeq_avs_cookie->s.jf = s2; 2182 2183 /* 2184 * Now allocate a register to hold that value and store 2185 * it. The code for the AVS header will jump here after 2186 * loading the length of the AVS header. 2187 */ 2188 s2 = new_stmt(BPF_ST); 2189 s2->s.k = reg_off_ll; 2190 sappend(s1, s2); 2191 sjcommon->s.jf = s2; 2192 2193 /* 2194 * Now move it into the X register. 2195 */ 2196 s2 = new_stmt(BPF_MISC|BPF_TAX); 2197 sappend(s1, s2); 2198 2199 return (s1); 2200 } else 2201 return (NULL); 2202 } 2203 2204 static struct slist * 2205 gen_load_avs_llprefixlen() 2206 { 2207 struct slist *s1, *s2; 2208 2209 /* 2210 * Generate code to load the length of the AVS header into 2211 * the register assigned to hold that length, if one has been 2212 * assigned. (If one hasn't been assigned, no code we've 2213 * generated uses that prefix, so we don't need to generate any 2214 * code to load it.) 2215 */ 2216 if (reg_off_ll != -1) { 2217 /* 2218 * The 4 bytes at an offset of 4 from the beginning of 2219 * the AVS header are the length of the AVS header. 2220 * That field is big-endian. 2221 */ 2222 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2223 s1->s.k = 4; 2224 2225 /* 2226 * Now allocate a register to hold that value and store 2227 * it. 2228 */ 2229 s2 = new_stmt(BPF_ST); 2230 s2->s.k = reg_off_ll; 2231 sappend(s1, s2); 2232 2233 /* 2234 * Now move it into the X register. 2235 */ 2236 s2 = new_stmt(BPF_MISC|BPF_TAX); 2237 sappend(s1, s2); 2238 2239 return (s1); 2240 } else 2241 return (NULL); 2242 } 2243 2244 static struct slist * 2245 gen_load_radiotap_llprefixlen() 2246 { 2247 struct slist *s1, *s2; 2248 2249 /* 2250 * Generate code to load the length of the radiotap header into 2251 * the register assigned to hold that length, if one has been 2252 * assigned. (If one hasn't been assigned, no code we've 2253 * generated uses that prefix, so we don't need to generate any 2254 * code to load it.) 2255 */ 2256 if (reg_off_ll != -1) { 2257 /* 2258 * The 2 bytes at offsets of 2 and 3 from the beginning 2259 * of the radiotap header are the length of the radiotap 2260 * header; unfortunately, it's little-endian, so we have 2261 * to load it a byte at a time and construct the value. 2262 */ 2263 2264 /* 2265 * Load the high-order byte, at an offset of 3, shift it 2266 * left a byte, and put the result in the X register. 2267 */ 2268 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2269 s1->s.k = 3; 2270 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2271 sappend(s1, s2); 2272 s2->s.k = 8; 2273 s2 = new_stmt(BPF_MISC|BPF_TAX); 2274 sappend(s1, s2); 2275 2276 /* 2277 * Load the next byte, at an offset of 2, and OR the 2278 * value from the X register into it. 2279 */ 2280 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2281 sappend(s1, s2); 2282 s2->s.k = 2; 2283 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2284 sappend(s1, s2); 2285 2286 /* 2287 * Now allocate a register to hold that value and store 2288 * it. 2289 */ 2290 s2 = new_stmt(BPF_ST); 2291 s2->s.k = reg_off_ll; 2292 sappend(s1, s2); 2293 2294 /* 2295 * Now move it into the X register. 2296 */ 2297 s2 = new_stmt(BPF_MISC|BPF_TAX); 2298 sappend(s1, s2); 2299 2300 return (s1); 2301 } else 2302 return (NULL); 2303 } 2304 2305 /* 2306 * At the moment we treat PPI as normal Radiotap encoded 2307 * packets. The difference is in the function that generates 2308 * the code at the beginning to compute the header length. 2309 * Since this code generator of PPI supports bare 802.11 2310 * encapsulation only (i.e. the encapsulated DLT should be 2311 * DLT_IEEE802_11) we generate code to check for this too; 2312 * that's done in finish_parse(). 2313 */ 2314 static struct slist * 2315 gen_load_ppi_llprefixlen() 2316 { 2317 struct slist *s1, *s2; 2318 2319 /* 2320 * Generate code to load the length of the radiotap header 2321 * into the register assigned to hold that length, if one has 2322 * been assigned. 2323 */ 2324 if (reg_off_ll != -1) { 2325 /* 2326 * The 2 bytes at offsets of 2 and 3 from the beginning 2327 * of the radiotap header are the length of the radiotap 2328 * header; unfortunately, it's little-endian, so we have 2329 * to load it a byte at a time and construct the value. 2330 */ 2331 2332 /* 2333 * Load the high-order byte, at an offset of 3, shift it 2334 * left a byte, and put the result in the X register. 2335 */ 2336 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2337 s1->s.k = 3; 2338 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2339 sappend(s1, s2); 2340 s2->s.k = 8; 2341 s2 = new_stmt(BPF_MISC|BPF_TAX); 2342 sappend(s1, s2); 2343 2344 /* 2345 * Load the next byte, at an offset of 2, and OR the 2346 * value from the X register into it. 2347 */ 2348 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2349 sappend(s1, s2); 2350 s2->s.k = 2; 2351 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2352 sappend(s1, s2); 2353 2354 /* 2355 * Now allocate a register to hold that value and store 2356 * it. 2357 */ 2358 s2 = new_stmt(BPF_ST); 2359 s2->s.k = reg_off_ll; 2360 sappend(s1, s2); 2361 2362 /* 2363 * Now move it into the X register. 2364 */ 2365 s2 = new_stmt(BPF_MISC|BPF_TAX); 2366 sappend(s1, s2); 2367 2368 return (s1); 2369 } else 2370 return (NULL); 2371 } 2372 2373 /* 2374 * Load a value relative to the beginning of the link-layer header after the 802.11 2375 * header, i.e. LLC_SNAP. 2376 * The link-layer header doesn't necessarily begin at the beginning 2377 * of the packet data; there might be a variable-length prefix containing 2378 * radio information. 2379 */ 2380 static struct slist * 2381 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2382 { 2383 struct slist *s2; 2384 struct slist *sjset_data_frame_1; 2385 struct slist *sjset_data_frame_2; 2386 struct slist *sjset_qos; 2387 struct slist *sjset_radiotap_flags; 2388 struct slist *sjset_radiotap_tsft; 2389 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2390 struct slist *s_roundup; 2391 2392 if (reg_off_macpl == -1) { 2393 /* 2394 * No register has been assigned to the offset of 2395 * the MAC-layer payload, which means nobody needs 2396 * it; don't bother computing it - just return 2397 * what we already have. 2398 */ 2399 return (s); 2400 } 2401 2402 /* 2403 * This code is not compatible with the optimizer, as 2404 * we are generating jmp instructions within a normal 2405 * slist of instructions 2406 */ 2407 no_optimize = 1; 2408 2409 /* 2410 * If "s" is non-null, it has code to arrange that the X register 2411 * contains the length of the prefix preceding the link-layer 2412 * header. 2413 * 2414 * Otherwise, the length of the prefix preceding the link-layer 2415 * header is "off_ll". 2416 */ 2417 if (s == NULL) { 2418 /* 2419 * There is no variable-length header preceding the 2420 * link-layer header. 2421 * 2422 * Load the length of the fixed-length prefix preceding 2423 * the link-layer header (if any) into the X register, 2424 * and store it in the reg_off_macpl register. 2425 * That length is off_ll. 2426 */ 2427 s = new_stmt(BPF_LDX|BPF_IMM); 2428 s->s.k = off_ll; 2429 } 2430 2431 /* 2432 * The X register contains the offset of the beginning of the 2433 * link-layer header; add 24, which is the minimum length 2434 * of the MAC header for a data frame, to that, and store it 2435 * in reg_off_macpl, and then load the Frame Control field, 2436 * which is at the offset in the X register, with an indexed load. 2437 */ 2438 s2 = new_stmt(BPF_MISC|BPF_TXA); 2439 sappend(s, s2); 2440 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2441 s2->s.k = 24; 2442 sappend(s, s2); 2443 s2 = new_stmt(BPF_ST); 2444 s2->s.k = reg_off_macpl; 2445 sappend(s, s2); 2446 2447 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2448 s2->s.k = 0; 2449 sappend(s, s2); 2450 2451 /* 2452 * Check the Frame Control field to see if this is a data frame; 2453 * a data frame has the 0x08 bit (b3) in that field set and the 2454 * 0x04 bit (b2) clear. 2455 */ 2456 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2457 sjset_data_frame_1->s.k = 0x08; 2458 sappend(s, sjset_data_frame_1); 2459 2460 /* 2461 * If b3 is set, test b2, otherwise go to the first statement of 2462 * the rest of the program. 2463 */ 2464 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2465 sjset_data_frame_2->s.k = 0x04; 2466 sappend(s, sjset_data_frame_2); 2467 sjset_data_frame_1->s.jf = snext; 2468 2469 /* 2470 * If b2 is not set, this is a data frame; test the QoS bit. 2471 * Otherwise, go to the first statement of the rest of the 2472 * program. 2473 */ 2474 sjset_data_frame_2->s.jt = snext; 2475 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2476 sjset_qos->s.k = 0x80; /* QoS bit */ 2477 sappend(s, sjset_qos); 2478 2479 /* 2480 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2481 * field. 2482 * Otherwise, go to the first statement of the rest of the 2483 * program. 2484 */ 2485 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2486 s2->s.k = reg_off_macpl; 2487 sappend(s, s2); 2488 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2489 s2->s.k = 2; 2490 sappend(s, s2); 2491 s2 = new_stmt(BPF_ST); 2492 s2->s.k = reg_off_macpl; 2493 sappend(s, s2); 2494 2495 /* 2496 * If we have a radiotap header, look at it to see whether 2497 * there's Atheros padding between the MAC-layer header 2498 * and the payload. 2499 * 2500 * Note: all of the fields in the radiotap header are 2501 * little-endian, so we byte-swap all of the values 2502 * we test against, as they will be loaded as big-endian 2503 * values. 2504 */ 2505 if (linktype == DLT_IEEE802_11_RADIO) { 2506 /* 2507 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2508 * in the presence flag? 2509 */ 2510 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2511 s2->s.k = 4; 2512 sappend(s, s2); 2513 2514 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2515 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2516 sappend(s, sjset_radiotap_flags); 2517 2518 /* 2519 * If not, skip all of this. 2520 */ 2521 sjset_radiotap_flags->s.jf = snext; 2522 2523 /* 2524 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2525 */ 2526 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2527 new_stmt(JMP(BPF_JSET)); 2528 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2529 sappend(s, sjset_radiotap_tsft); 2530 2531 /* 2532 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2533 * at an offset of 16 from the beginning of the raw packet 2534 * data (8 bytes for the radiotap header and 8 bytes for 2535 * the TSFT field). 2536 * 2537 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2538 * is set. 2539 */ 2540 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2541 s2->s.k = 16; 2542 sappend(s, s2); 2543 2544 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2545 sjset_tsft_datapad->s.k = 0x20; 2546 sappend(s, sjset_tsft_datapad); 2547 2548 /* 2549 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2550 * at an offset of 8 from the beginning of the raw packet 2551 * data (8 bytes for the radiotap header). 2552 * 2553 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2554 * is set. 2555 */ 2556 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2557 s2->s.k = 8; 2558 sappend(s, s2); 2559 2560 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2561 sjset_notsft_datapad->s.k = 0x20; 2562 sappend(s, sjset_notsft_datapad); 2563 2564 /* 2565 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2566 * set, round the length of the 802.11 header to 2567 * a multiple of 4. Do that by adding 3 and then 2568 * dividing by and multiplying by 4, which we do by 2569 * ANDing with ~3. 2570 */ 2571 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2572 s_roundup->s.k = reg_off_macpl; 2573 sappend(s, s_roundup); 2574 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2575 s2->s.k = 3; 2576 sappend(s, s2); 2577 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2578 s2->s.k = ~3; 2579 sappend(s, s2); 2580 s2 = new_stmt(BPF_ST); 2581 s2->s.k = reg_off_macpl; 2582 sappend(s, s2); 2583 2584 sjset_tsft_datapad->s.jt = s_roundup; 2585 sjset_tsft_datapad->s.jf = snext; 2586 sjset_notsft_datapad->s.jt = s_roundup; 2587 sjset_notsft_datapad->s.jf = snext; 2588 } else 2589 sjset_qos->s.jf = snext; 2590 2591 return s; 2592 } 2593 2594 static void 2595 insert_compute_vloffsets(b) 2596 struct block *b; 2597 { 2598 struct slist *s; 2599 2600 /* 2601 * For link-layer types that have a variable-length header 2602 * preceding the link-layer header, generate code to load 2603 * the offset of the link-layer header into the register 2604 * assigned to that offset, if any. 2605 */ 2606 switch (linktype) { 2607 2608 case DLT_PRISM_HEADER: 2609 s = gen_load_prism_llprefixlen(); 2610 break; 2611 2612 case DLT_IEEE802_11_RADIO_AVS: 2613 s = gen_load_avs_llprefixlen(); 2614 break; 2615 2616 case DLT_IEEE802_11_RADIO: 2617 s = gen_load_radiotap_llprefixlen(); 2618 break; 2619 2620 case DLT_PPI: 2621 s = gen_load_ppi_llprefixlen(); 2622 break; 2623 2624 default: 2625 s = NULL; 2626 break; 2627 } 2628 2629 /* 2630 * For link-layer types that have a variable-length link-layer 2631 * header, generate code to load the offset of the MAC-layer 2632 * payload into the register assigned to that offset, if any. 2633 */ 2634 switch (linktype) { 2635 2636 case DLT_IEEE802_11: 2637 case DLT_PRISM_HEADER: 2638 case DLT_IEEE802_11_RADIO_AVS: 2639 case DLT_IEEE802_11_RADIO: 2640 case DLT_PPI: 2641 s = gen_load_802_11_header_len(s, b->stmts); 2642 break; 2643 } 2644 2645 /* 2646 * If we have any offset-loading code, append all the 2647 * existing statements in the block to those statements, 2648 * and make the resulting list the list of statements 2649 * for the block. 2650 */ 2651 if (s != NULL) { 2652 sappend(s, b->stmts); 2653 b->stmts = s; 2654 } 2655 } 2656 2657 static struct block * 2658 gen_ppi_dlt_check(void) 2659 { 2660 struct slist *s_load_dlt; 2661 struct block *b; 2662 2663 if (linktype == DLT_PPI) 2664 { 2665 /* Create the statements that check for the DLT 2666 */ 2667 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2668 s_load_dlt->s.k = 4; 2669 2670 b = new_block(JMP(BPF_JEQ)); 2671 2672 b->stmts = s_load_dlt; 2673 b->s.k = SWAPLONG(DLT_IEEE802_11); 2674 } 2675 else 2676 { 2677 b = NULL; 2678 } 2679 2680 return b; 2681 } 2682 2683 static struct slist * 2684 gen_prism_llprefixlen(void) 2685 { 2686 struct slist *s; 2687 2688 if (reg_off_ll == -1) { 2689 /* 2690 * We haven't yet assigned a register for the length 2691 * of the radio header; allocate one. 2692 */ 2693 reg_off_ll = alloc_reg(); 2694 } 2695 2696 /* 2697 * Load the register containing the radio length 2698 * into the X register. 2699 */ 2700 s = new_stmt(BPF_LDX|BPF_MEM); 2701 s->s.k = reg_off_ll; 2702 return s; 2703 } 2704 2705 static struct slist * 2706 gen_avs_llprefixlen(void) 2707 { 2708 struct slist *s; 2709 2710 if (reg_off_ll == -1) { 2711 /* 2712 * We haven't yet assigned a register for the length 2713 * of the AVS header; allocate one. 2714 */ 2715 reg_off_ll = alloc_reg(); 2716 } 2717 2718 /* 2719 * Load the register containing the AVS length 2720 * into the X register. 2721 */ 2722 s = new_stmt(BPF_LDX|BPF_MEM); 2723 s->s.k = reg_off_ll; 2724 return s; 2725 } 2726 2727 static struct slist * 2728 gen_radiotap_llprefixlen(void) 2729 { 2730 struct slist *s; 2731 2732 if (reg_off_ll == -1) { 2733 /* 2734 * We haven't yet assigned a register for the length 2735 * of the radiotap header; allocate one. 2736 */ 2737 reg_off_ll = alloc_reg(); 2738 } 2739 2740 /* 2741 * Load the register containing the radiotap length 2742 * into the X register. 2743 */ 2744 s = new_stmt(BPF_LDX|BPF_MEM); 2745 s->s.k = reg_off_ll; 2746 return s; 2747 } 2748 2749 /* 2750 * At the moment we treat PPI as normal Radiotap encoded 2751 * packets. The difference is in the function that generates 2752 * the code at the beginning to compute the header length. 2753 * Since this code generator of PPI supports bare 802.11 2754 * encapsulation only (i.e. the encapsulated DLT should be 2755 * DLT_IEEE802_11) we generate code to check for this too. 2756 */ 2757 static struct slist * 2758 gen_ppi_llprefixlen(void) 2759 { 2760 struct slist *s; 2761 2762 if (reg_off_ll == -1) { 2763 /* 2764 * We haven't yet assigned a register for the length 2765 * of the radiotap header; allocate one. 2766 */ 2767 reg_off_ll = alloc_reg(); 2768 } 2769 2770 /* 2771 * Load the register containing the PPI length 2772 * into the X register. 2773 */ 2774 s = new_stmt(BPF_LDX|BPF_MEM); 2775 s->s.k = reg_off_ll; 2776 return s; 2777 } 2778 2779 /* 2780 * Generate code to compute the link-layer header length, if necessary, 2781 * putting it into the X register, and to return either a pointer to a 2782 * "struct slist" for the list of statements in that code, or NULL if 2783 * no code is necessary. 2784 */ 2785 static struct slist * 2786 gen_llprefixlen(void) 2787 { 2788 switch (linktype) { 2789 2790 case DLT_PRISM_HEADER: 2791 return gen_prism_llprefixlen(); 2792 2793 case DLT_IEEE802_11_RADIO_AVS: 2794 return gen_avs_llprefixlen(); 2795 2796 case DLT_IEEE802_11_RADIO: 2797 return gen_radiotap_llprefixlen(); 2798 2799 case DLT_PPI: 2800 return gen_ppi_llprefixlen(); 2801 2802 default: 2803 return NULL; 2804 } 2805 } 2806 2807 /* 2808 * Generate code to load the register containing the offset of the 2809 * MAC-layer payload into the X register; if no register for that offset 2810 * has been allocated, allocate it first. 2811 */ 2812 static struct slist * 2813 gen_off_macpl(void) 2814 { 2815 struct slist *s; 2816 2817 if (off_macpl_is_variable) { 2818 if (reg_off_macpl == -1) { 2819 /* 2820 * We haven't yet assigned a register for the offset 2821 * of the MAC-layer payload; allocate one. 2822 */ 2823 reg_off_macpl = alloc_reg(); 2824 } 2825 2826 /* 2827 * Load the register containing the offset of the MAC-layer 2828 * payload into the X register. 2829 */ 2830 s = new_stmt(BPF_LDX|BPF_MEM); 2831 s->s.k = reg_off_macpl; 2832 return s; 2833 } else { 2834 /* 2835 * That offset isn't variable, so we don't need to 2836 * generate any code. 2837 */ 2838 return NULL; 2839 } 2840 } 2841 2842 /* 2843 * Map an Ethernet type to the equivalent PPP type. 2844 */ 2845 static int 2846 ethertype_to_ppptype(proto) 2847 int proto; 2848 { 2849 switch (proto) { 2850 2851 case ETHERTYPE_IP: 2852 proto = PPP_IP; 2853 break; 2854 2855 #ifdef INET6 2856 case ETHERTYPE_IPV6: 2857 proto = PPP_IPV6; 2858 break; 2859 #endif 2860 2861 case ETHERTYPE_DN: 2862 proto = PPP_DECNET; 2863 break; 2864 2865 case ETHERTYPE_ATALK: 2866 proto = PPP_APPLE; 2867 break; 2868 2869 case ETHERTYPE_NS: 2870 proto = PPP_NS; 2871 break; 2872 2873 case LLCSAP_ISONS: 2874 proto = PPP_OSI; 2875 break; 2876 2877 case LLCSAP_8021D: 2878 /* 2879 * I'm assuming the "Bridging PDU"s that go 2880 * over PPP are Spanning Tree Protocol 2881 * Bridging PDUs. 2882 */ 2883 proto = PPP_BRPDU; 2884 break; 2885 2886 case LLCSAP_IPX: 2887 proto = PPP_IPX; 2888 break; 2889 } 2890 return (proto); 2891 } 2892 2893 /* 2894 * Generate code to match a particular packet type by matching the 2895 * link-layer type field or fields in the 802.2 LLC header. 2896 * 2897 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2898 * value, if <= ETHERMTU. 2899 */ 2900 static struct block * 2901 gen_linktype(proto) 2902 register int proto; 2903 { 2904 struct block *b0, *b1, *b2; 2905 2906 /* are we checking MPLS-encapsulated packets? */ 2907 if (label_stack_depth > 0) { 2908 switch (proto) { 2909 case ETHERTYPE_IP: 2910 case PPP_IP: 2911 /* FIXME add other L3 proto IDs */ 2912 return gen_mpls_linktype(Q_IP); 2913 2914 case ETHERTYPE_IPV6: 2915 case PPP_IPV6: 2916 /* FIXME add other L3 proto IDs */ 2917 return gen_mpls_linktype(Q_IPV6); 2918 2919 default: 2920 bpf_error("unsupported protocol over mpls"); 2921 /* NOTREACHED */ 2922 } 2923 } 2924 2925 /* 2926 * Are we testing PPPoE packets? 2927 */ 2928 if (is_pppoes) { 2929 /* 2930 * The PPPoE session header is part of the 2931 * MAC-layer payload, so all references 2932 * should be relative to the beginning of 2933 * that payload. 2934 */ 2935 2936 /* 2937 * We use Ethernet protocol types inside libpcap; 2938 * map them to the corresponding PPP protocol types. 2939 */ 2940 proto = ethertype_to_ppptype(proto); 2941 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2942 } 2943 2944 switch (linktype) { 2945 2946 case DLT_EN10MB: 2947 return gen_ether_linktype(proto); 2948 /*NOTREACHED*/ 2949 break; 2950 2951 case DLT_C_HDLC: 2952 switch (proto) { 2953 2954 case LLCSAP_ISONS: 2955 proto = (proto << 8 | LLCSAP_ISONS); 2956 /* fall through */ 2957 2958 default: 2959 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2960 (bpf_int32)proto); 2961 /*NOTREACHED*/ 2962 break; 2963 } 2964 break; 2965 2966 case DLT_IEEE802_11: 2967 case DLT_PRISM_HEADER: 2968 case DLT_IEEE802_11_RADIO_AVS: 2969 case DLT_IEEE802_11_RADIO: 2970 case DLT_PPI: 2971 /* 2972 * Check that we have a data frame. 2973 */ 2974 b0 = gen_check_802_11_data_frame(); 2975 2976 /* 2977 * Now check for the specified link-layer type. 2978 */ 2979 b1 = gen_llc_linktype(proto); 2980 gen_and(b0, b1); 2981 return b1; 2982 /*NOTREACHED*/ 2983 break; 2984 2985 case DLT_FDDI: 2986 /* 2987 * XXX - check for asynchronous frames, as per RFC 1103. 2988 */ 2989 return gen_llc_linktype(proto); 2990 /*NOTREACHED*/ 2991 break; 2992 2993 case DLT_IEEE802: 2994 /* 2995 * XXX - check for LLC PDUs, as per IEEE 802.5. 2996 */ 2997 return gen_llc_linktype(proto); 2998 /*NOTREACHED*/ 2999 break; 3000 3001 case DLT_ATM_RFC1483: 3002 case DLT_ATM_CLIP: 3003 case DLT_IP_OVER_FC: 3004 return gen_llc_linktype(proto); 3005 /*NOTREACHED*/ 3006 break; 3007 3008 case DLT_SUNATM: 3009 /* 3010 * If "is_lane" is set, check for a LANE-encapsulated 3011 * version of this protocol, otherwise check for an 3012 * LLC-encapsulated version of this protocol. 3013 * 3014 * We assume LANE means Ethernet, not Token Ring. 3015 */ 3016 if (is_lane) { 3017 /* 3018 * Check that the packet doesn't begin with an 3019 * LE Control marker. (We've already generated 3020 * a test for LANE.) 3021 */ 3022 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3023 0xFF00); 3024 gen_not(b0); 3025 3026 /* 3027 * Now generate an Ethernet test. 3028 */ 3029 b1 = gen_ether_linktype(proto); 3030 gen_and(b0, b1); 3031 return b1; 3032 } else { 3033 /* 3034 * Check for LLC encapsulation and then check the 3035 * protocol. 3036 */ 3037 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3038 b1 = gen_llc_linktype(proto); 3039 gen_and(b0, b1); 3040 return b1; 3041 } 3042 /*NOTREACHED*/ 3043 break; 3044 3045 case DLT_LINUX_SLL: 3046 return gen_linux_sll_linktype(proto); 3047 /*NOTREACHED*/ 3048 break; 3049 3050 case DLT_SLIP: 3051 case DLT_SLIP_BSDOS: 3052 case DLT_RAW: 3053 /* 3054 * These types don't provide any type field; packets 3055 * are always IPv4 or IPv6. 3056 * 3057 * XXX - for IPv4, check for a version number of 4, and, 3058 * for IPv6, check for a version number of 6? 3059 */ 3060 switch (proto) { 3061 3062 case ETHERTYPE_IP: 3063 /* Check for a version number of 4. */ 3064 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3065 #ifdef INET6 3066 case ETHERTYPE_IPV6: 3067 /* Check for a version number of 6. */ 3068 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3069 #endif 3070 3071 default: 3072 return gen_false(); /* always false */ 3073 } 3074 /*NOTREACHED*/ 3075 break; 3076 3077 case DLT_PPP: 3078 case DLT_PPP_PPPD: 3079 case DLT_PPP_SERIAL: 3080 case DLT_PPP_ETHER: 3081 /* 3082 * We use Ethernet protocol types inside libpcap; 3083 * map them to the corresponding PPP protocol types. 3084 */ 3085 proto = ethertype_to_ppptype(proto); 3086 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3087 /*NOTREACHED*/ 3088 break; 3089 3090 case DLT_PPP_BSDOS: 3091 /* 3092 * We use Ethernet protocol types inside libpcap; 3093 * map them to the corresponding PPP protocol types. 3094 */ 3095 switch (proto) { 3096 3097 case ETHERTYPE_IP: 3098 /* 3099 * Also check for Van Jacobson-compressed IP. 3100 * XXX - do this for other forms of PPP? 3101 */ 3102 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3103 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3104 gen_or(b0, b1); 3105 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3106 gen_or(b1, b0); 3107 return b0; 3108 3109 default: 3110 proto = ethertype_to_ppptype(proto); 3111 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3112 (bpf_int32)proto); 3113 } 3114 /*NOTREACHED*/ 3115 break; 3116 3117 case DLT_NULL: 3118 case DLT_LOOP: 3119 case DLT_ENC: 3120 /* 3121 * For DLT_NULL, the link-layer header is a 32-bit 3122 * word containing an AF_ value in *host* byte order, 3123 * and for DLT_ENC, the link-layer header begins 3124 * with a 32-bit work containing an AF_ value in 3125 * host byte order. 3126 * 3127 * In addition, if we're reading a saved capture file, 3128 * the host byte order in the capture may not be the 3129 * same as the host byte order on this machine. 3130 * 3131 * For DLT_LOOP, the link-layer header is a 32-bit 3132 * word containing an AF_ value in *network* byte order. 3133 * 3134 * XXX - AF_ values may, unfortunately, be platform- 3135 * dependent; for example, FreeBSD's AF_INET6 is 24 3136 * whilst NetBSD's and OpenBSD's is 26. 3137 * 3138 * This means that, when reading a capture file, just 3139 * checking for our AF_INET6 value won't work if the 3140 * capture file came from another OS. 3141 */ 3142 switch (proto) { 3143 3144 case ETHERTYPE_IP: 3145 proto = AF_INET; 3146 break; 3147 3148 #ifdef INET6 3149 case ETHERTYPE_IPV6: 3150 proto = AF_INET6; 3151 break; 3152 #endif 3153 3154 default: 3155 /* 3156 * Not a type on which we support filtering. 3157 * XXX - support those that have AF_ values 3158 * #defined on this platform, at least? 3159 */ 3160 return gen_false(); 3161 } 3162 3163 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3164 /* 3165 * The AF_ value is in host byte order, but 3166 * the BPF interpreter will convert it to 3167 * network byte order. 3168 * 3169 * If this is a save file, and it's from a 3170 * machine with the opposite byte order to 3171 * ours, we byte-swap the AF_ value. 3172 * 3173 * Then we run it through "htonl()", and 3174 * generate code to compare against the result. 3175 */ 3176 if (bpf_pcap->sf.rfile != NULL && 3177 bpf_pcap->sf.swapped) 3178 proto = SWAPLONG(proto); 3179 proto = htonl(proto); 3180 } 3181 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3182 3183 #ifdef HAVE_NET_PFVAR_H 3184 case DLT_PFLOG: 3185 /* 3186 * af field is host byte order in contrast to the rest of 3187 * the packet. 3188 */ 3189 if (proto == ETHERTYPE_IP) 3190 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3191 BPF_B, (bpf_int32)AF_INET)); 3192 #ifdef INET6 3193 else if (proto == ETHERTYPE_IPV6) 3194 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3195 BPF_B, (bpf_int32)AF_INET6)); 3196 #endif /* INET6 */ 3197 else 3198 return gen_false(); 3199 /*NOTREACHED*/ 3200 break; 3201 #endif /* HAVE_NET_PFVAR_H */ 3202 3203 case DLT_ARCNET: 3204 case DLT_ARCNET_LINUX: 3205 /* 3206 * XXX should we check for first fragment if the protocol 3207 * uses PHDS? 3208 */ 3209 switch (proto) { 3210 3211 default: 3212 return gen_false(); 3213 3214 #ifdef INET6 3215 case ETHERTYPE_IPV6: 3216 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3217 (bpf_int32)ARCTYPE_INET6)); 3218 #endif /* INET6 */ 3219 3220 case ETHERTYPE_IP: 3221 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3222 (bpf_int32)ARCTYPE_IP); 3223 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3224 (bpf_int32)ARCTYPE_IP_OLD); 3225 gen_or(b0, b1); 3226 return (b1); 3227 3228 case ETHERTYPE_ARP: 3229 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3230 (bpf_int32)ARCTYPE_ARP); 3231 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3232 (bpf_int32)ARCTYPE_ARP_OLD); 3233 gen_or(b0, b1); 3234 return (b1); 3235 3236 case ETHERTYPE_REVARP: 3237 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3238 (bpf_int32)ARCTYPE_REVARP)); 3239 3240 case ETHERTYPE_ATALK: 3241 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3242 (bpf_int32)ARCTYPE_ATALK)); 3243 } 3244 /*NOTREACHED*/ 3245 break; 3246 3247 case DLT_LTALK: 3248 switch (proto) { 3249 case ETHERTYPE_ATALK: 3250 return gen_true(); 3251 default: 3252 return gen_false(); 3253 } 3254 /*NOTREACHED*/ 3255 break; 3256 3257 case DLT_FRELAY: 3258 /* 3259 * XXX - assumes a 2-byte Frame Relay header with 3260 * DLCI and flags. What if the address is longer? 3261 */ 3262 switch (proto) { 3263 3264 case ETHERTYPE_IP: 3265 /* 3266 * Check for the special NLPID for IP. 3267 */ 3268 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3269 3270 #ifdef INET6 3271 case ETHERTYPE_IPV6: 3272 /* 3273 * Check for the special NLPID for IPv6. 3274 */ 3275 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3276 #endif 3277 3278 case LLCSAP_ISONS: 3279 /* 3280 * Check for several OSI protocols. 3281 * 3282 * Frame Relay packets typically have an OSI 3283 * NLPID at the beginning; we check for each 3284 * of them. 3285 * 3286 * What we check for is the NLPID and a frame 3287 * control field of UI, i.e. 0x03 followed 3288 * by the NLPID. 3289 */ 3290 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3291 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3292 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3293 gen_or(b1, b2); 3294 gen_or(b0, b2); 3295 return b2; 3296 3297 default: 3298 return gen_false(); 3299 } 3300 /*NOTREACHED*/ 3301 break; 3302 3303 case DLT_MFR: 3304 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3305 3306 case DLT_JUNIPER_MFR: 3307 case DLT_JUNIPER_MLFR: 3308 case DLT_JUNIPER_MLPPP: 3309 case DLT_JUNIPER_ATM1: 3310 case DLT_JUNIPER_ATM2: 3311 case DLT_JUNIPER_PPPOE: 3312 case DLT_JUNIPER_PPPOE_ATM: 3313 case DLT_JUNIPER_GGSN: 3314 case DLT_JUNIPER_ES: 3315 case DLT_JUNIPER_MONITOR: 3316 case DLT_JUNIPER_SERVICES: 3317 case DLT_JUNIPER_ETHER: 3318 case DLT_JUNIPER_PPP: 3319 case DLT_JUNIPER_FRELAY: 3320 case DLT_JUNIPER_CHDLC: 3321 case DLT_JUNIPER_VP: 3322 case DLT_JUNIPER_ST: 3323 case DLT_JUNIPER_ISM: 3324 /* just lets verify the magic number for now - 3325 * on ATM we may have up to 6 different encapsulations on the wire 3326 * and need a lot of heuristics to figure out that the payload 3327 * might be; 3328 * 3329 * FIXME encapsulation specific BPF_ filters 3330 */ 3331 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3332 3333 case DLT_LINUX_IRDA: 3334 bpf_error("IrDA link-layer type filtering not implemented"); 3335 3336 case DLT_DOCSIS: 3337 bpf_error("DOCSIS link-layer type filtering not implemented"); 3338 3339 case DLT_MTP2: 3340 case DLT_MTP2_WITH_PHDR: 3341 bpf_error("MTP2 link-layer type filtering not implemented"); 3342 3343 case DLT_ERF: 3344 bpf_error("ERF link-layer type filtering not implemented"); 3345 3346 #ifdef DLT_PFSYNC 3347 case DLT_PFSYNC: 3348 bpf_error("PFSYNC link-layer type filtering not implemented"); 3349 #endif 3350 3351 case DLT_LINUX_LAPD: 3352 bpf_error("LAPD link-layer type filtering not implemented"); 3353 3354 case DLT_USB: 3355 case DLT_USB_LINUX: 3356 bpf_error("USB link-layer type filtering not implemented"); 3357 3358 case DLT_BLUETOOTH_HCI_H4: 3359 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3360 bpf_error("Bluetooth link-layer type filtering not implemented"); 3361 3362 case DLT_CAN20B: 3363 bpf_error("CAN20B link-layer type filtering not implemented"); 3364 3365 case DLT_IEEE802_15_4: 3366 case DLT_IEEE802_15_4_LINUX: 3367 case DLT_IEEE802_15_4_NONASK_PHY: 3368 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3369 3370 case DLT_IEEE802_16_MAC_CPS_RADIO: 3371 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3372 3373 case DLT_SITA: 3374 bpf_error("SITA link-layer type filtering not implemented"); 3375 3376 case DLT_RAIF1: 3377 bpf_error("RAIF1 link-layer type filtering not implemented"); 3378 3379 case DLT_IPMB: 3380 bpf_error("IPMB link-layer type filtering not implemented"); 3381 3382 case DLT_AX25_KISS: 3383 bpf_error("AX.25 link-layer type filtering not implemented"); 3384 } 3385 3386 /* 3387 * All the types that have no encapsulation should either be 3388 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3389 * all packets are IP packets, or should be handled in some 3390 * special case, if none of them are (if some are and some 3391 * aren't, the lack of encapsulation is a problem, as we'd 3392 * have to find some other way of determining the packet type). 3393 * 3394 * Therefore, if "off_linktype" is -1, there's an error. 3395 */ 3396 if (off_linktype == (u_int)-1) 3397 abort(); 3398 3399 /* 3400 * Any type not handled above should always have an Ethernet 3401 * type at an offset of "off_linktype". 3402 */ 3403 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3404 } 3405 3406 /* 3407 * Check for an LLC SNAP packet with a given organization code and 3408 * protocol type; we check the entire contents of the 802.2 LLC and 3409 * snap headers, checking for DSAP and SSAP of SNAP and a control 3410 * field of 0x03 in the LLC header, and for the specified organization 3411 * code and protocol type in the SNAP header. 3412 */ 3413 static struct block * 3414 gen_snap(orgcode, ptype) 3415 bpf_u_int32 orgcode; 3416 bpf_u_int32 ptype; 3417 { 3418 u_char snapblock[8]; 3419 3420 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3421 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3422 snapblock[2] = 0x03; /* control = UI */ 3423 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3424 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3425 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3426 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3427 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3428 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3429 } 3430 3431 /* 3432 * Generate code to match a particular packet type, for link-layer types 3433 * using 802.2 LLC headers. 3434 * 3435 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3436 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3437 * 3438 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3439 * value, if <= ETHERMTU. We use that to determine whether to 3440 * match the DSAP or both DSAP and LSAP or to check the OUI and 3441 * protocol ID in a SNAP header. 3442 */ 3443 static struct block * 3444 gen_llc_linktype(proto) 3445 int proto; 3446 { 3447 /* 3448 * XXX - handle token-ring variable-length header. 3449 */ 3450 switch (proto) { 3451 3452 case LLCSAP_IP: 3453 case LLCSAP_ISONS: 3454 case LLCSAP_NETBEUI: 3455 /* 3456 * XXX - should we check both the DSAP and the 3457 * SSAP, like this, or should we check just the 3458 * DSAP, as we do for other types <= ETHERMTU 3459 * (i.e., other SAP values)? 3460 */ 3461 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3462 ((proto << 8) | proto)); 3463 3464 case LLCSAP_IPX: 3465 /* 3466 * XXX - are there ever SNAP frames for IPX on 3467 * non-Ethernet 802.x networks? 3468 */ 3469 return gen_cmp(OR_MACPL, 0, BPF_B, 3470 (bpf_int32)LLCSAP_IPX); 3471 3472 case ETHERTYPE_ATALK: 3473 /* 3474 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3475 * SNAP packets with an organization code of 3476 * 0x080007 (Apple, for Appletalk) and a protocol 3477 * type of ETHERTYPE_ATALK (Appletalk). 3478 * 3479 * XXX - check for an organization code of 3480 * encapsulated Ethernet as well? 3481 */ 3482 return gen_snap(0x080007, ETHERTYPE_ATALK); 3483 3484 default: 3485 /* 3486 * XXX - we don't have to check for IPX 802.3 3487 * here, but should we check for the IPX Ethertype? 3488 */ 3489 if (proto <= ETHERMTU) { 3490 /* 3491 * This is an LLC SAP value, so check 3492 * the DSAP. 3493 */ 3494 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3495 } else { 3496 /* 3497 * This is an Ethernet type; we assume that it's 3498 * unlikely that it'll appear in the right place 3499 * at random, and therefore check only the 3500 * location that would hold the Ethernet type 3501 * in a SNAP frame with an organization code of 3502 * 0x000000 (encapsulated Ethernet). 3503 * 3504 * XXX - if we were to check for the SNAP DSAP and 3505 * LSAP, as per XXX, and were also to check for an 3506 * organization code of 0x000000 (encapsulated 3507 * Ethernet), we'd do 3508 * 3509 * return gen_snap(0x000000, proto); 3510 * 3511 * here; for now, we don't, as per the above. 3512 * I don't know whether it's worth the extra CPU 3513 * time to do the right check or not. 3514 */ 3515 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3516 } 3517 } 3518 } 3519 3520 static struct block * 3521 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3522 bpf_u_int32 addr; 3523 bpf_u_int32 mask; 3524 int dir, proto; 3525 u_int src_off, dst_off; 3526 { 3527 struct block *b0, *b1; 3528 u_int offset; 3529 3530 switch (dir) { 3531 3532 case Q_SRC: 3533 offset = src_off; 3534 break; 3535 3536 case Q_DST: 3537 offset = dst_off; 3538 break; 3539 3540 case Q_AND: 3541 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3542 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3543 gen_and(b0, b1); 3544 return b1; 3545 3546 case Q_OR: 3547 case Q_DEFAULT: 3548 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3549 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3550 gen_or(b0, b1); 3551 return b1; 3552 3553 default: 3554 abort(); 3555 } 3556 b0 = gen_linktype(proto); 3557 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3558 gen_and(b0, b1); 3559 return b1; 3560 } 3561 3562 #ifdef INET6 3563 static struct block * 3564 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3565 struct in6_addr *addr; 3566 struct in6_addr *mask; 3567 int dir, proto; 3568 u_int src_off, dst_off; 3569 { 3570 struct block *b0, *b1; 3571 u_int offset; 3572 u_int32_t *a, *m; 3573 3574 switch (dir) { 3575 3576 case Q_SRC: 3577 offset = src_off; 3578 break; 3579 3580 case Q_DST: 3581 offset = dst_off; 3582 break; 3583 3584 case Q_AND: 3585 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3586 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3587 gen_and(b0, b1); 3588 return b1; 3589 3590 case Q_OR: 3591 case Q_DEFAULT: 3592 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3593 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3594 gen_or(b0, b1); 3595 return b1; 3596 3597 default: 3598 abort(); 3599 } 3600 /* this order is important */ 3601 a = (u_int32_t *)addr; 3602 m = (u_int32_t *)mask; 3603 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3604 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3605 gen_and(b0, b1); 3606 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3607 gen_and(b0, b1); 3608 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3609 gen_and(b0, b1); 3610 b0 = gen_linktype(proto); 3611 gen_and(b0, b1); 3612 return b1; 3613 } 3614 #endif /*INET6*/ 3615 3616 static struct block * 3617 gen_ehostop(eaddr, dir) 3618 register const u_char *eaddr; 3619 register int dir; 3620 { 3621 register struct block *b0, *b1; 3622 3623 switch (dir) { 3624 case Q_SRC: 3625 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3626 3627 case Q_DST: 3628 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3629 3630 case Q_AND: 3631 b0 = gen_ehostop(eaddr, Q_SRC); 3632 b1 = gen_ehostop(eaddr, Q_DST); 3633 gen_and(b0, b1); 3634 return b1; 3635 3636 case Q_DEFAULT: 3637 case Q_OR: 3638 b0 = gen_ehostop(eaddr, Q_SRC); 3639 b1 = gen_ehostop(eaddr, Q_DST); 3640 gen_or(b0, b1); 3641 return b1; 3642 } 3643 abort(); 3644 /* NOTREACHED */ 3645 } 3646 3647 /* 3648 * Like gen_ehostop, but for DLT_FDDI 3649 */ 3650 static struct block * 3651 gen_fhostop(eaddr, dir) 3652 register const u_char *eaddr; 3653 register int dir; 3654 { 3655 struct block *b0, *b1; 3656 3657 switch (dir) { 3658 case Q_SRC: 3659 #ifdef PCAP_FDDIPAD 3660 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3661 #else 3662 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3663 #endif 3664 3665 case Q_DST: 3666 #ifdef PCAP_FDDIPAD 3667 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3668 #else 3669 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3670 #endif 3671 3672 case Q_AND: 3673 b0 = gen_fhostop(eaddr, Q_SRC); 3674 b1 = gen_fhostop(eaddr, Q_DST); 3675 gen_and(b0, b1); 3676 return b1; 3677 3678 case Q_DEFAULT: 3679 case Q_OR: 3680 b0 = gen_fhostop(eaddr, Q_SRC); 3681 b1 = gen_fhostop(eaddr, Q_DST); 3682 gen_or(b0, b1); 3683 return b1; 3684 } 3685 abort(); 3686 /* NOTREACHED */ 3687 } 3688 3689 /* 3690 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3691 */ 3692 static struct block * 3693 gen_thostop(eaddr, dir) 3694 register const u_char *eaddr; 3695 register int dir; 3696 { 3697 register struct block *b0, *b1; 3698 3699 switch (dir) { 3700 case Q_SRC: 3701 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3702 3703 case Q_DST: 3704 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3705 3706 case Q_AND: 3707 b0 = gen_thostop(eaddr, Q_SRC); 3708 b1 = gen_thostop(eaddr, Q_DST); 3709 gen_and(b0, b1); 3710 return b1; 3711 3712 case Q_DEFAULT: 3713 case Q_OR: 3714 b0 = gen_thostop(eaddr, Q_SRC); 3715 b1 = gen_thostop(eaddr, Q_DST); 3716 gen_or(b0, b1); 3717 return b1; 3718 } 3719 abort(); 3720 /* NOTREACHED */ 3721 } 3722 3723 /* 3724 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3725 * various 802.11 + radio headers. 3726 */ 3727 static struct block * 3728 gen_wlanhostop(eaddr, dir) 3729 register const u_char *eaddr; 3730 register int dir; 3731 { 3732 register struct block *b0, *b1, *b2; 3733 register struct slist *s; 3734 3735 #ifdef ENABLE_WLAN_FILTERING_PATCH 3736 /* 3737 * TODO GV 20070613 3738 * We need to disable the optimizer because the optimizer is buggy 3739 * and wipes out some LD instructions generated by the below 3740 * code to validate the Frame Control bits 3741 */ 3742 no_optimize = 1; 3743 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3744 3745 switch (dir) { 3746 case Q_SRC: 3747 /* 3748 * Oh, yuk. 3749 * 3750 * For control frames, there is no SA. 3751 * 3752 * For management frames, SA is at an 3753 * offset of 10 from the beginning of 3754 * the packet. 3755 * 3756 * For data frames, SA is at an offset 3757 * of 10 from the beginning of the packet 3758 * if From DS is clear, at an offset of 3759 * 16 from the beginning of the packet 3760 * if From DS is set and To DS is clear, 3761 * and an offset of 24 from the beginning 3762 * of the packet if From DS is set and To DS 3763 * is set. 3764 */ 3765 3766 /* 3767 * Generate the tests to be done for data frames 3768 * with From DS set. 3769 * 3770 * First, check for To DS set, i.e. check "link[1] & 0x01". 3771 */ 3772 s = gen_load_a(OR_LINK, 1, BPF_B); 3773 b1 = new_block(JMP(BPF_JSET)); 3774 b1->s.k = 0x01; /* To DS */ 3775 b1->stmts = s; 3776 3777 /* 3778 * If To DS is set, the SA is at 24. 3779 */ 3780 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3781 gen_and(b1, b0); 3782 3783 /* 3784 * Now, check for To DS not set, i.e. check 3785 * "!(link[1] & 0x01)". 3786 */ 3787 s = gen_load_a(OR_LINK, 1, BPF_B); 3788 b2 = new_block(JMP(BPF_JSET)); 3789 b2->s.k = 0x01; /* To DS */ 3790 b2->stmts = s; 3791 gen_not(b2); 3792 3793 /* 3794 * If To DS is not set, the SA is at 16. 3795 */ 3796 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3797 gen_and(b2, b1); 3798 3799 /* 3800 * Now OR together the last two checks. That gives 3801 * the complete set of checks for data frames with 3802 * From DS set. 3803 */ 3804 gen_or(b1, b0); 3805 3806 /* 3807 * Now check for From DS being set, and AND that with 3808 * the ORed-together checks. 3809 */ 3810 s = gen_load_a(OR_LINK, 1, BPF_B); 3811 b1 = new_block(JMP(BPF_JSET)); 3812 b1->s.k = 0x02; /* From DS */ 3813 b1->stmts = s; 3814 gen_and(b1, b0); 3815 3816 /* 3817 * Now check for data frames with From DS not set. 3818 */ 3819 s = gen_load_a(OR_LINK, 1, BPF_B); 3820 b2 = new_block(JMP(BPF_JSET)); 3821 b2->s.k = 0x02; /* From DS */ 3822 b2->stmts = s; 3823 gen_not(b2); 3824 3825 /* 3826 * If From DS isn't set, the SA is at 10. 3827 */ 3828 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3829 gen_and(b2, b1); 3830 3831 /* 3832 * Now OR together the checks for data frames with 3833 * From DS not set and for data frames with From DS 3834 * set; that gives the checks done for data frames. 3835 */ 3836 gen_or(b1, b0); 3837 3838 /* 3839 * Now check for a data frame. 3840 * I.e, check "link[0] & 0x08". 3841 */ 3842 s = gen_load_a(OR_LINK, 0, BPF_B); 3843 b1 = new_block(JMP(BPF_JSET)); 3844 b1->s.k = 0x08; 3845 b1->stmts = s; 3846 3847 /* 3848 * AND that with the checks done for data frames. 3849 */ 3850 gen_and(b1, b0); 3851 3852 /* 3853 * If the high-order bit of the type value is 0, this 3854 * is a management frame. 3855 * I.e, check "!(link[0] & 0x08)". 3856 */ 3857 s = gen_load_a(OR_LINK, 0, BPF_B); 3858 b2 = new_block(JMP(BPF_JSET)); 3859 b2->s.k = 0x08; 3860 b2->stmts = s; 3861 gen_not(b2); 3862 3863 /* 3864 * For management frames, the SA is at 10. 3865 */ 3866 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3867 gen_and(b2, b1); 3868 3869 /* 3870 * OR that with the checks done for data frames. 3871 * That gives the checks done for management and 3872 * data frames. 3873 */ 3874 gen_or(b1, b0); 3875 3876 /* 3877 * If the low-order bit of the type value is 1, 3878 * this is either a control frame or a frame 3879 * with a reserved type, and thus not a 3880 * frame with an SA. 3881 * 3882 * I.e., check "!(link[0] & 0x04)". 3883 */ 3884 s = gen_load_a(OR_LINK, 0, BPF_B); 3885 b1 = new_block(JMP(BPF_JSET)); 3886 b1->s.k = 0x04; 3887 b1->stmts = s; 3888 gen_not(b1); 3889 3890 /* 3891 * AND that with the checks for data and management 3892 * frames. 3893 */ 3894 gen_and(b1, b0); 3895 return b0; 3896 3897 case Q_DST: 3898 /* 3899 * Oh, yuk. 3900 * 3901 * For control frames, there is no DA. 3902 * 3903 * For management frames, DA is at an 3904 * offset of 4 from the beginning of 3905 * the packet. 3906 * 3907 * For data frames, DA is at an offset 3908 * of 4 from the beginning of the packet 3909 * if To DS is clear and at an offset of 3910 * 16 from the beginning of the packet 3911 * if To DS is set. 3912 */ 3913 3914 /* 3915 * Generate the tests to be done for data frames. 3916 * 3917 * First, check for To DS set, i.e. "link[1] & 0x01". 3918 */ 3919 s = gen_load_a(OR_LINK, 1, BPF_B); 3920 b1 = new_block(JMP(BPF_JSET)); 3921 b1->s.k = 0x01; /* To DS */ 3922 b1->stmts = s; 3923 3924 /* 3925 * If To DS is set, the DA is at 16. 3926 */ 3927 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3928 gen_and(b1, b0); 3929 3930 /* 3931 * Now, check for To DS not set, i.e. check 3932 * "!(link[1] & 0x01)". 3933 */ 3934 s = gen_load_a(OR_LINK, 1, BPF_B); 3935 b2 = new_block(JMP(BPF_JSET)); 3936 b2->s.k = 0x01; /* To DS */ 3937 b2->stmts = s; 3938 gen_not(b2); 3939 3940 /* 3941 * If To DS is not set, the DA is at 4. 3942 */ 3943 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3944 gen_and(b2, b1); 3945 3946 /* 3947 * Now OR together the last two checks. That gives 3948 * the complete set of checks for data frames. 3949 */ 3950 gen_or(b1, b0); 3951 3952 /* 3953 * Now check for a data frame. 3954 * I.e, check "link[0] & 0x08". 3955 */ 3956 s = gen_load_a(OR_LINK, 0, BPF_B); 3957 b1 = new_block(JMP(BPF_JSET)); 3958 b1->s.k = 0x08; 3959 b1->stmts = s; 3960 3961 /* 3962 * AND that with the checks done for data frames. 3963 */ 3964 gen_and(b1, b0); 3965 3966 /* 3967 * If the high-order bit of the type value is 0, this 3968 * is a management frame. 3969 * I.e, check "!(link[0] & 0x08)". 3970 */ 3971 s = gen_load_a(OR_LINK, 0, BPF_B); 3972 b2 = new_block(JMP(BPF_JSET)); 3973 b2->s.k = 0x08; 3974 b2->stmts = s; 3975 gen_not(b2); 3976 3977 /* 3978 * For management frames, the DA is at 4. 3979 */ 3980 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3981 gen_and(b2, b1); 3982 3983 /* 3984 * OR that with the checks done for data frames. 3985 * That gives the checks done for management and 3986 * data frames. 3987 */ 3988 gen_or(b1, b0); 3989 3990 /* 3991 * If the low-order bit of the type value is 1, 3992 * this is either a control frame or a frame 3993 * with a reserved type, and thus not a 3994 * frame with an SA. 3995 * 3996 * I.e., check "!(link[0] & 0x04)". 3997 */ 3998 s = gen_load_a(OR_LINK, 0, BPF_B); 3999 b1 = new_block(JMP(BPF_JSET)); 4000 b1->s.k = 0x04; 4001 b1->stmts = s; 4002 gen_not(b1); 4003 4004 /* 4005 * AND that with the checks for data and management 4006 * frames. 4007 */ 4008 gen_and(b1, b0); 4009 return b0; 4010 4011 /* 4012 * XXX - add RA, TA, and BSSID keywords? 4013 */ 4014 case Q_ADDR1: 4015 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4016 4017 case Q_ADDR2: 4018 /* 4019 * Not present in CTS or ACK control frames. 4020 */ 4021 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4022 IEEE80211_FC0_TYPE_MASK); 4023 gen_not(b0); 4024 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4025 IEEE80211_FC0_SUBTYPE_MASK); 4026 gen_not(b1); 4027 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4028 IEEE80211_FC0_SUBTYPE_MASK); 4029 gen_not(b2); 4030 gen_and(b1, b2); 4031 gen_or(b0, b2); 4032 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4033 gen_and(b2, b1); 4034 return b1; 4035 4036 case Q_ADDR3: 4037 /* 4038 * Not present in control frames. 4039 */ 4040 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4041 IEEE80211_FC0_TYPE_MASK); 4042 gen_not(b0); 4043 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4044 gen_and(b0, b1); 4045 return b1; 4046 4047 case Q_ADDR4: 4048 /* 4049 * Present only if the direction mask has both "From DS" 4050 * and "To DS" set. Neither control frames nor management 4051 * frames should have both of those set, so we don't 4052 * check the frame type. 4053 */ 4054 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4055 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4056 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4057 gen_and(b0, b1); 4058 return b1; 4059 4060 case Q_AND: 4061 b0 = gen_wlanhostop(eaddr, Q_SRC); 4062 b1 = gen_wlanhostop(eaddr, Q_DST); 4063 gen_and(b0, b1); 4064 return b1; 4065 4066 case Q_DEFAULT: 4067 case Q_OR: 4068 b0 = gen_wlanhostop(eaddr, Q_SRC); 4069 b1 = gen_wlanhostop(eaddr, Q_DST); 4070 gen_or(b0, b1); 4071 return b1; 4072 } 4073 abort(); 4074 /* NOTREACHED */ 4075 } 4076 4077 /* 4078 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4079 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4080 * as the RFC states.) 4081 */ 4082 static struct block * 4083 gen_ipfchostop(eaddr, dir) 4084 register const u_char *eaddr; 4085 register int dir; 4086 { 4087 register struct block *b0, *b1; 4088 4089 switch (dir) { 4090 case Q_SRC: 4091 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4092 4093 case Q_DST: 4094 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4095 4096 case Q_AND: 4097 b0 = gen_ipfchostop(eaddr, Q_SRC); 4098 b1 = gen_ipfchostop(eaddr, Q_DST); 4099 gen_and(b0, b1); 4100 return b1; 4101 4102 case Q_DEFAULT: 4103 case Q_OR: 4104 b0 = gen_ipfchostop(eaddr, Q_SRC); 4105 b1 = gen_ipfchostop(eaddr, Q_DST); 4106 gen_or(b0, b1); 4107 return b1; 4108 } 4109 abort(); 4110 /* NOTREACHED */ 4111 } 4112 4113 /* 4114 * This is quite tricky because there may be pad bytes in front of the 4115 * DECNET header, and then there are two possible data packet formats that 4116 * carry both src and dst addresses, plus 5 packet types in a format that 4117 * carries only the src node, plus 2 types that use a different format and 4118 * also carry just the src node. 4119 * 4120 * Yuck. 4121 * 4122 * Instead of doing those all right, we just look for data packets with 4123 * 0 or 1 bytes of padding. If you want to look at other packets, that 4124 * will require a lot more hacking. 4125 * 4126 * To add support for filtering on DECNET "areas" (network numbers) 4127 * one would want to add a "mask" argument to this routine. That would 4128 * make the filter even more inefficient, although one could be clever 4129 * and not generate masking instructions if the mask is 0xFFFF. 4130 */ 4131 static struct block * 4132 gen_dnhostop(addr, dir) 4133 bpf_u_int32 addr; 4134 int dir; 4135 { 4136 struct block *b0, *b1, *b2, *tmp; 4137 u_int offset_lh; /* offset if long header is received */ 4138 u_int offset_sh; /* offset if short header is received */ 4139 4140 switch (dir) { 4141 4142 case Q_DST: 4143 offset_sh = 1; /* follows flags */ 4144 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4145 break; 4146 4147 case Q_SRC: 4148 offset_sh = 3; /* follows flags, dstnode */ 4149 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4150 break; 4151 4152 case Q_AND: 4153 /* Inefficient because we do our Calvinball dance twice */ 4154 b0 = gen_dnhostop(addr, Q_SRC); 4155 b1 = gen_dnhostop(addr, Q_DST); 4156 gen_and(b0, b1); 4157 return b1; 4158 4159 case Q_OR: 4160 case Q_DEFAULT: 4161 /* Inefficient because we do our Calvinball dance twice */ 4162 b0 = gen_dnhostop(addr, Q_SRC); 4163 b1 = gen_dnhostop(addr, Q_DST); 4164 gen_or(b0, b1); 4165 return b1; 4166 4167 case Q_ISO: 4168 bpf_error("ISO host filtering not implemented"); 4169 4170 default: 4171 abort(); 4172 } 4173 b0 = gen_linktype(ETHERTYPE_DN); 4174 /* Check for pad = 1, long header case */ 4175 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4176 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4177 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4178 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4179 gen_and(tmp, b1); 4180 /* Check for pad = 0, long header case */ 4181 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4182 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4183 gen_and(tmp, b2); 4184 gen_or(b2, b1); 4185 /* Check for pad = 1, short header case */ 4186 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4187 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4188 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4189 gen_and(tmp, b2); 4190 gen_or(b2, b1); 4191 /* Check for pad = 0, short header case */ 4192 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4193 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4194 gen_and(tmp, b2); 4195 gen_or(b2, b1); 4196 4197 /* Combine with test for linktype */ 4198 gen_and(b0, b1); 4199 return b1; 4200 } 4201 4202 /* 4203 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4204 * test the bottom-of-stack bit, and then check the version number 4205 * field in the IP header. 4206 */ 4207 static struct block * 4208 gen_mpls_linktype(proto) 4209 int proto; 4210 { 4211 struct block *b0, *b1; 4212 4213 switch (proto) { 4214 4215 case Q_IP: 4216 /* match the bottom-of-stack bit */ 4217 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4218 /* match the IPv4 version number */ 4219 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4220 gen_and(b0, b1); 4221 return b1; 4222 4223 case Q_IPV6: 4224 /* match the bottom-of-stack bit */ 4225 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4226 /* match the IPv4 version number */ 4227 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4228 gen_and(b0, b1); 4229 return b1; 4230 4231 default: 4232 abort(); 4233 } 4234 } 4235 4236 static struct block * 4237 gen_host(addr, mask, proto, dir, type) 4238 bpf_u_int32 addr; 4239 bpf_u_int32 mask; 4240 int proto; 4241 int dir; 4242 int type; 4243 { 4244 struct block *b0, *b1; 4245 const char *typestr; 4246 4247 if (type == Q_NET) 4248 typestr = "net"; 4249 else 4250 typestr = "host"; 4251 4252 switch (proto) { 4253 4254 case Q_DEFAULT: 4255 b0 = gen_host(addr, mask, Q_IP, dir, type); 4256 /* 4257 * Only check for non-IPv4 addresses if we're not 4258 * checking MPLS-encapsulated packets. 4259 */ 4260 if (label_stack_depth == 0) { 4261 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4262 gen_or(b0, b1); 4263 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4264 gen_or(b1, b0); 4265 } 4266 return b0; 4267 4268 case Q_IP: 4269 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4270 4271 case Q_RARP: 4272 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4273 4274 case Q_ARP: 4275 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4276 4277 case Q_TCP: 4278 bpf_error("'tcp' modifier applied to %s", typestr); 4279 4280 case Q_SCTP: 4281 bpf_error("'sctp' modifier applied to %s", typestr); 4282 4283 case Q_UDP: 4284 bpf_error("'udp' modifier applied to %s", typestr); 4285 4286 case Q_ICMP: 4287 bpf_error("'icmp' modifier applied to %s", typestr); 4288 4289 case Q_IGMP: 4290 bpf_error("'igmp' modifier applied to %s", typestr); 4291 4292 case Q_IGRP: 4293 bpf_error("'igrp' modifier applied to %s", typestr); 4294 4295 case Q_PIM: 4296 bpf_error("'pim' modifier applied to %s", typestr); 4297 4298 case Q_VRRP: 4299 bpf_error("'vrrp' modifier applied to %s", typestr); 4300 4301 case Q_ATALK: 4302 bpf_error("ATALK host filtering not implemented"); 4303 4304 case Q_AARP: 4305 bpf_error("AARP host filtering not implemented"); 4306 4307 case Q_DECNET: 4308 return gen_dnhostop(addr, dir); 4309 4310 case Q_SCA: 4311 bpf_error("SCA host filtering not implemented"); 4312 4313 case Q_LAT: 4314 bpf_error("LAT host filtering not implemented"); 4315 4316 case Q_MOPDL: 4317 bpf_error("MOPDL host filtering not implemented"); 4318 4319 case Q_MOPRC: 4320 bpf_error("MOPRC host filtering not implemented"); 4321 4322 #ifdef INET6 4323 case Q_IPV6: 4324 bpf_error("'ip6' modifier applied to ip host"); 4325 4326 case Q_ICMPV6: 4327 bpf_error("'icmp6' modifier applied to %s", typestr); 4328 #endif /* INET6 */ 4329 4330 case Q_AH: 4331 bpf_error("'ah' modifier applied to %s", typestr); 4332 4333 case Q_ESP: 4334 bpf_error("'esp' modifier applied to %s", typestr); 4335 4336 case Q_ISO: 4337 bpf_error("ISO host filtering not implemented"); 4338 4339 case Q_ESIS: 4340 bpf_error("'esis' modifier applied to %s", typestr); 4341 4342 case Q_ISIS: 4343 bpf_error("'isis' modifier applied to %s", typestr); 4344 4345 case Q_CLNP: 4346 bpf_error("'clnp' modifier applied to %s", typestr); 4347 4348 case Q_STP: 4349 bpf_error("'stp' modifier applied to %s", typestr); 4350 4351 case Q_IPX: 4352 bpf_error("IPX host filtering not implemented"); 4353 4354 case Q_NETBEUI: 4355 bpf_error("'netbeui' modifier applied to %s", typestr); 4356 4357 case Q_RADIO: 4358 bpf_error("'radio' modifier applied to %s", typestr); 4359 4360 default: 4361 abort(); 4362 } 4363 /* NOTREACHED */ 4364 } 4365 4366 #ifdef INET6 4367 static struct block * 4368 gen_host6(addr, mask, proto, dir, type) 4369 struct in6_addr *addr; 4370 struct in6_addr *mask; 4371 int proto; 4372 int dir; 4373 int type; 4374 { 4375 const char *typestr; 4376 4377 if (type == Q_NET) 4378 typestr = "net"; 4379 else 4380 typestr = "host"; 4381 4382 switch (proto) { 4383 4384 case Q_DEFAULT: 4385 return gen_host6(addr, mask, Q_IPV6, dir, type); 4386 4387 case Q_IP: 4388 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4389 4390 case Q_RARP: 4391 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4392 4393 case Q_ARP: 4394 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4395 4396 case Q_SCTP: 4397 bpf_error("'sctp' modifier applied to %s", typestr); 4398 4399 case Q_TCP: 4400 bpf_error("'tcp' modifier applied to %s", typestr); 4401 4402 case Q_UDP: 4403 bpf_error("'udp' modifier applied to %s", typestr); 4404 4405 case Q_ICMP: 4406 bpf_error("'icmp' modifier applied to %s", typestr); 4407 4408 case Q_IGMP: 4409 bpf_error("'igmp' modifier applied to %s", typestr); 4410 4411 case Q_IGRP: 4412 bpf_error("'igrp' modifier applied to %s", typestr); 4413 4414 case Q_PIM: 4415 bpf_error("'pim' modifier applied to %s", typestr); 4416 4417 case Q_VRRP: 4418 bpf_error("'vrrp' modifier applied to %s", typestr); 4419 4420 case Q_ATALK: 4421 bpf_error("ATALK host filtering not implemented"); 4422 4423 case Q_AARP: 4424 bpf_error("AARP host filtering not implemented"); 4425 4426 case Q_DECNET: 4427 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4428 4429 case Q_SCA: 4430 bpf_error("SCA host filtering not implemented"); 4431 4432 case Q_LAT: 4433 bpf_error("LAT host filtering not implemented"); 4434 4435 case Q_MOPDL: 4436 bpf_error("MOPDL host filtering not implemented"); 4437 4438 case Q_MOPRC: 4439 bpf_error("MOPRC host filtering not implemented"); 4440 4441 case Q_IPV6: 4442 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4443 4444 case Q_ICMPV6: 4445 bpf_error("'icmp6' modifier applied to %s", typestr); 4446 4447 case Q_AH: 4448 bpf_error("'ah' modifier applied to %s", typestr); 4449 4450 case Q_ESP: 4451 bpf_error("'esp' modifier applied to %s", typestr); 4452 4453 case Q_ISO: 4454 bpf_error("ISO host filtering not implemented"); 4455 4456 case Q_ESIS: 4457 bpf_error("'esis' modifier applied to %s", typestr); 4458 4459 case Q_ISIS: 4460 bpf_error("'isis' modifier applied to %s", typestr); 4461 4462 case Q_CLNP: 4463 bpf_error("'clnp' modifier applied to %s", typestr); 4464 4465 case Q_STP: 4466 bpf_error("'stp' modifier applied to %s", typestr); 4467 4468 case Q_IPX: 4469 bpf_error("IPX host filtering not implemented"); 4470 4471 case Q_NETBEUI: 4472 bpf_error("'netbeui' modifier applied to %s", typestr); 4473 4474 case Q_RADIO: 4475 bpf_error("'radio' modifier applied to %s", typestr); 4476 4477 default: 4478 abort(); 4479 } 4480 /* NOTREACHED */ 4481 } 4482 #endif /*INET6*/ 4483 4484 #ifndef INET6 4485 static struct block * 4486 gen_gateway(eaddr, alist, proto, dir) 4487 const u_char *eaddr; 4488 bpf_u_int32 **alist; 4489 int proto; 4490 int dir; 4491 { 4492 struct block *b0, *b1, *tmp; 4493 4494 if (dir != 0) 4495 bpf_error("direction applied to 'gateway'"); 4496 4497 switch (proto) { 4498 case Q_DEFAULT: 4499 case Q_IP: 4500 case Q_ARP: 4501 case Q_RARP: 4502 switch (linktype) { 4503 case DLT_EN10MB: 4504 b0 = gen_ehostop(eaddr, Q_OR); 4505 break; 4506 case DLT_FDDI: 4507 b0 = gen_fhostop(eaddr, Q_OR); 4508 break; 4509 case DLT_IEEE802: 4510 b0 = gen_thostop(eaddr, Q_OR); 4511 break; 4512 case DLT_IEEE802_11: 4513 case DLT_PRISM_HEADER: 4514 case DLT_IEEE802_11_RADIO_AVS: 4515 case DLT_IEEE802_11_RADIO: 4516 case DLT_PPI: 4517 b0 = gen_wlanhostop(eaddr, Q_OR); 4518 break; 4519 case DLT_SUNATM: 4520 if (is_lane) { 4521 /* 4522 * Check that the packet doesn't begin with an 4523 * LE Control marker. (We've already generated 4524 * a test for LANE.) 4525 */ 4526 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4527 BPF_H, 0xFF00); 4528 gen_not(b1); 4529 4530 /* 4531 * Now check the MAC address. 4532 */ 4533 b0 = gen_ehostop(eaddr, Q_OR); 4534 gen_and(b1, b0); 4535 } 4536 break; 4537 case DLT_IP_OVER_FC: 4538 b0 = gen_ipfchostop(eaddr, Q_OR); 4539 break; 4540 default: 4541 bpf_error( 4542 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 4543 } 4544 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4545 while (*alist) { 4546 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4547 Q_HOST); 4548 gen_or(b1, tmp); 4549 b1 = tmp; 4550 } 4551 gen_not(b1); 4552 gen_and(b0, b1); 4553 return b1; 4554 } 4555 bpf_error("illegal modifier of 'gateway'"); 4556 /* NOTREACHED */ 4557 } 4558 #endif 4559 4560 struct block * 4561 gen_proto_abbrev(proto) 4562 int proto; 4563 { 4564 struct block *b0; 4565 struct block *b1; 4566 4567 switch (proto) { 4568 4569 case Q_SCTP: 4570 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4571 #ifdef INET6 4572 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4573 gen_or(b0, b1); 4574 #endif 4575 break; 4576 4577 case Q_TCP: 4578 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4579 #ifdef INET6 4580 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4581 gen_or(b0, b1); 4582 #endif 4583 break; 4584 4585 case Q_UDP: 4586 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4587 #ifdef INET6 4588 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4589 gen_or(b0, b1); 4590 #endif 4591 break; 4592 4593 case Q_ICMP: 4594 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4595 break; 4596 4597 #ifndef IPPROTO_IGMP 4598 #define IPPROTO_IGMP 2 4599 #endif 4600 4601 case Q_IGMP: 4602 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4603 break; 4604 4605 #ifndef IPPROTO_IGRP 4606 #define IPPROTO_IGRP 9 4607 #endif 4608 case Q_IGRP: 4609 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4610 break; 4611 4612 #ifndef IPPROTO_PIM 4613 #define IPPROTO_PIM 103 4614 #endif 4615 4616 case Q_PIM: 4617 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4618 #ifdef INET6 4619 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4620 gen_or(b0, b1); 4621 #endif 4622 break; 4623 4624 #ifndef IPPROTO_VRRP 4625 #define IPPROTO_VRRP 112 4626 #endif 4627 4628 case Q_VRRP: 4629 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4630 break; 4631 4632 case Q_IP: 4633 b1 = gen_linktype(ETHERTYPE_IP); 4634 break; 4635 4636 case Q_ARP: 4637 b1 = gen_linktype(ETHERTYPE_ARP); 4638 break; 4639 4640 case Q_RARP: 4641 b1 = gen_linktype(ETHERTYPE_REVARP); 4642 break; 4643 4644 case Q_LINK: 4645 bpf_error("link layer applied in wrong context"); 4646 4647 case Q_ATALK: 4648 b1 = gen_linktype(ETHERTYPE_ATALK); 4649 break; 4650 4651 case Q_AARP: 4652 b1 = gen_linktype(ETHERTYPE_AARP); 4653 break; 4654 4655 case Q_DECNET: 4656 b1 = gen_linktype(ETHERTYPE_DN); 4657 break; 4658 4659 case Q_SCA: 4660 b1 = gen_linktype(ETHERTYPE_SCA); 4661 break; 4662 4663 case Q_LAT: 4664 b1 = gen_linktype(ETHERTYPE_LAT); 4665 break; 4666 4667 case Q_MOPDL: 4668 b1 = gen_linktype(ETHERTYPE_MOPDL); 4669 break; 4670 4671 case Q_MOPRC: 4672 b1 = gen_linktype(ETHERTYPE_MOPRC); 4673 break; 4674 4675 #ifdef INET6 4676 case Q_IPV6: 4677 b1 = gen_linktype(ETHERTYPE_IPV6); 4678 break; 4679 4680 #ifndef IPPROTO_ICMPV6 4681 #define IPPROTO_ICMPV6 58 4682 #endif 4683 case Q_ICMPV6: 4684 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4685 break; 4686 #endif /* INET6 */ 4687 4688 #ifndef IPPROTO_AH 4689 #define IPPROTO_AH 51 4690 #endif 4691 case Q_AH: 4692 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4693 #ifdef INET6 4694 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4695 gen_or(b0, b1); 4696 #endif 4697 break; 4698 4699 #ifndef IPPROTO_ESP 4700 #define IPPROTO_ESP 50 4701 #endif 4702 case Q_ESP: 4703 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4704 #ifdef INET6 4705 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4706 gen_or(b0, b1); 4707 #endif 4708 break; 4709 4710 case Q_ISO: 4711 b1 = gen_linktype(LLCSAP_ISONS); 4712 break; 4713 4714 case Q_ESIS: 4715 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4716 break; 4717 4718 case Q_ISIS: 4719 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4720 break; 4721 4722 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4723 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4724 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4725 gen_or(b0, b1); 4726 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4727 gen_or(b0, b1); 4728 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4729 gen_or(b0, b1); 4730 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4731 gen_or(b0, b1); 4732 break; 4733 4734 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4735 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4736 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4737 gen_or(b0, b1); 4738 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4739 gen_or(b0, b1); 4740 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4741 gen_or(b0, b1); 4742 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4743 gen_or(b0, b1); 4744 break; 4745 4746 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4747 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4748 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4749 gen_or(b0, b1); 4750 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4751 gen_or(b0, b1); 4752 break; 4753 4754 case Q_ISIS_LSP: 4755 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4756 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4757 gen_or(b0, b1); 4758 break; 4759 4760 case Q_ISIS_SNP: 4761 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4762 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4763 gen_or(b0, b1); 4764 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4765 gen_or(b0, b1); 4766 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4767 gen_or(b0, b1); 4768 break; 4769 4770 case Q_ISIS_CSNP: 4771 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4772 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4773 gen_or(b0, b1); 4774 break; 4775 4776 case Q_ISIS_PSNP: 4777 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4778 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4779 gen_or(b0, b1); 4780 break; 4781 4782 case Q_CLNP: 4783 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4784 break; 4785 4786 case Q_STP: 4787 b1 = gen_linktype(LLCSAP_8021D); 4788 break; 4789 4790 case Q_IPX: 4791 b1 = gen_linktype(LLCSAP_IPX); 4792 break; 4793 4794 case Q_NETBEUI: 4795 b1 = gen_linktype(LLCSAP_NETBEUI); 4796 break; 4797 4798 case Q_RADIO: 4799 bpf_error("'radio' is not a valid protocol type"); 4800 4801 default: 4802 abort(); 4803 } 4804 return b1; 4805 } 4806 4807 static struct block * 4808 gen_ipfrag() 4809 { 4810 struct slist *s; 4811 struct block *b; 4812 4813 /* not ip frag */ 4814 s = gen_load_a(OR_NET, 6, BPF_H); 4815 b = new_block(JMP(BPF_JSET)); 4816 b->s.k = 0x1fff; 4817 b->stmts = s; 4818 gen_not(b); 4819 4820 return b; 4821 } 4822 4823 /* 4824 * Generate a comparison to a port value in the transport-layer header 4825 * at the specified offset from the beginning of that header. 4826 * 4827 * XXX - this handles a variable-length prefix preceding the link-layer 4828 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4829 * variable-length link-layer headers (such as Token Ring or 802.11 4830 * headers). 4831 */ 4832 static struct block * 4833 gen_portatom(off, v) 4834 int off; 4835 bpf_int32 v; 4836 { 4837 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4838 } 4839 4840 #ifdef INET6 4841 static struct block * 4842 gen_portatom6(off, v) 4843 int off; 4844 bpf_int32 v; 4845 { 4846 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4847 } 4848 #endif/*INET6*/ 4849 4850 struct block * 4851 gen_portop(port, proto, dir) 4852 int port, proto, dir; 4853 { 4854 struct block *b0, *b1, *tmp; 4855 4856 /* ip proto 'proto' */ 4857 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4858 b0 = gen_ipfrag(); 4859 gen_and(tmp, b0); 4860 4861 switch (dir) { 4862 case Q_SRC: 4863 b1 = gen_portatom(0, (bpf_int32)port); 4864 break; 4865 4866 case Q_DST: 4867 b1 = gen_portatom(2, (bpf_int32)port); 4868 break; 4869 4870 case Q_OR: 4871 case Q_DEFAULT: 4872 tmp = gen_portatom(0, (bpf_int32)port); 4873 b1 = gen_portatom(2, (bpf_int32)port); 4874 gen_or(tmp, b1); 4875 break; 4876 4877 case Q_AND: 4878 tmp = gen_portatom(0, (bpf_int32)port); 4879 b1 = gen_portatom(2, (bpf_int32)port); 4880 gen_and(tmp, b1); 4881 break; 4882 4883 default: 4884 abort(); 4885 } 4886 gen_and(b0, b1); 4887 4888 return b1; 4889 } 4890 4891 static struct block * 4892 gen_port(port, ip_proto, dir) 4893 int port; 4894 int ip_proto; 4895 int dir; 4896 { 4897 struct block *b0, *b1, *tmp; 4898 4899 /* 4900 * ether proto ip 4901 * 4902 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4903 * not LLC encapsulation with LLCSAP_IP. 4904 * 4905 * For IEEE 802 networks - which includes 802.5 token ring 4906 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4907 * says that SNAP encapsulation is used, not LLC encapsulation 4908 * with LLCSAP_IP. 4909 * 4910 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4911 * RFC 2225 say that SNAP encapsulation is used, not LLC 4912 * encapsulation with LLCSAP_IP. 4913 * 4914 * So we always check for ETHERTYPE_IP. 4915 */ 4916 b0 = gen_linktype(ETHERTYPE_IP); 4917 4918 switch (ip_proto) { 4919 case IPPROTO_UDP: 4920 case IPPROTO_TCP: 4921 case IPPROTO_SCTP: 4922 b1 = gen_portop(port, ip_proto, dir); 4923 break; 4924 4925 case PROTO_UNDEF: 4926 tmp = gen_portop(port, IPPROTO_TCP, dir); 4927 b1 = gen_portop(port, IPPROTO_UDP, dir); 4928 gen_or(tmp, b1); 4929 tmp = gen_portop(port, IPPROTO_SCTP, dir); 4930 gen_or(tmp, b1); 4931 break; 4932 4933 default: 4934 abort(); 4935 } 4936 gen_and(b0, b1); 4937 return b1; 4938 } 4939 4940 #ifdef INET6 4941 struct block * 4942 gen_portop6(port, proto, dir) 4943 int port, proto, dir; 4944 { 4945 struct block *b0, *b1, *tmp; 4946 4947 /* ip6 proto 'proto' */ 4948 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4949 4950 switch (dir) { 4951 case Q_SRC: 4952 b1 = gen_portatom6(0, (bpf_int32)port); 4953 break; 4954 4955 case Q_DST: 4956 b1 = gen_portatom6(2, (bpf_int32)port); 4957 break; 4958 4959 case Q_OR: 4960 case Q_DEFAULT: 4961 tmp = gen_portatom6(0, (bpf_int32)port); 4962 b1 = gen_portatom6(2, (bpf_int32)port); 4963 gen_or(tmp, b1); 4964 break; 4965 4966 case Q_AND: 4967 tmp = gen_portatom6(0, (bpf_int32)port); 4968 b1 = gen_portatom6(2, (bpf_int32)port); 4969 gen_and(tmp, b1); 4970 break; 4971 4972 default: 4973 abort(); 4974 } 4975 gen_and(b0, b1); 4976 4977 return b1; 4978 } 4979 4980 static struct block * 4981 gen_port6(port, ip_proto, dir) 4982 int port; 4983 int ip_proto; 4984 int dir; 4985 { 4986 struct block *b0, *b1, *tmp; 4987 4988 /* link proto ip6 */ 4989 b0 = gen_linktype(ETHERTYPE_IPV6); 4990 4991 switch (ip_proto) { 4992 case IPPROTO_UDP: 4993 case IPPROTO_TCP: 4994 case IPPROTO_SCTP: 4995 b1 = gen_portop6(port, ip_proto, dir); 4996 break; 4997 4998 case PROTO_UNDEF: 4999 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5000 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5001 gen_or(tmp, b1); 5002 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5003 gen_or(tmp, b1); 5004 break; 5005 5006 default: 5007 abort(); 5008 } 5009 gen_and(b0, b1); 5010 return b1; 5011 } 5012 #endif /* INET6 */ 5013 5014 /* gen_portrange code */ 5015 static struct block * 5016 gen_portrangeatom(off, v1, v2) 5017 int off; 5018 bpf_int32 v1, v2; 5019 { 5020 struct block *b1, *b2; 5021 5022 if (v1 > v2) { 5023 /* 5024 * Reverse the order of the ports, so v1 is the lower one. 5025 */ 5026 bpf_int32 vtemp; 5027 5028 vtemp = v1; 5029 v1 = v2; 5030 v2 = vtemp; 5031 } 5032 5033 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5034 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5035 5036 gen_and(b1, b2); 5037 5038 return b2; 5039 } 5040 5041 struct block * 5042 gen_portrangeop(port1, port2, proto, dir) 5043 int port1, port2; 5044 int proto; 5045 int dir; 5046 { 5047 struct block *b0, *b1, *tmp; 5048 5049 /* ip proto 'proto' */ 5050 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5051 b0 = gen_ipfrag(); 5052 gen_and(tmp, b0); 5053 5054 switch (dir) { 5055 case Q_SRC: 5056 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5057 break; 5058 5059 case Q_DST: 5060 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5061 break; 5062 5063 case Q_OR: 5064 case Q_DEFAULT: 5065 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5066 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5067 gen_or(tmp, b1); 5068 break; 5069 5070 case Q_AND: 5071 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5072 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5073 gen_and(tmp, b1); 5074 break; 5075 5076 default: 5077 abort(); 5078 } 5079 gen_and(b0, b1); 5080 5081 return b1; 5082 } 5083 5084 static struct block * 5085 gen_portrange(port1, port2, ip_proto, dir) 5086 int port1, port2; 5087 int ip_proto; 5088 int dir; 5089 { 5090 struct block *b0, *b1, *tmp; 5091 5092 /* link proto ip */ 5093 b0 = gen_linktype(ETHERTYPE_IP); 5094 5095 switch (ip_proto) { 5096 case IPPROTO_UDP: 5097 case IPPROTO_TCP: 5098 case IPPROTO_SCTP: 5099 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5100 break; 5101 5102 case PROTO_UNDEF: 5103 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5104 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5105 gen_or(tmp, b1); 5106 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5107 gen_or(tmp, b1); 5108 break; 5109 5110 default: 5111 abort(); 5112 } 5113 gen_and(b0, b1); 5114 return b1; 5115 } 5116 5117 #ifdef INET6 5118 static struct block * 5119 gen_portrangeatom6(off, v1, v2) 5120 int off; 5121 bpf_int32 v1, v2; 5122 { 5123 struct block *b1, *b2; 5124 5125 if (v1 > v2) { 5126 /* 5127 * Reverse the order of the ports, so v1 is the lower one. 5128 */ 5129 bpf_int32 vtemp; 5130 5131 vtemp = v1; 5132 v1 = v2; 5133 v2 = vtemp; 5134 } 5135 5136 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5137 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5138 5139 gen_and(b1, b2); 5140 5141 return b2; 5142 } 5143 5144 struct block * 5145 gen_portrangeop6(port1, port2, proto, dir) 5146 int port1, port2; 5147 int proto; 5148 int dir; 5149 { 5150 struct block *b0, *b1, *tmp; 5151 5152 /* ip6 proto 'proto' */ 5153 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5154 5155 switch (dir) { 5156 case Q_SRC: 5157 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5158 break; 5159 5160 case Q_DST: 5161 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5162 break; 5163 5164 case Q_OR: 5165 case Q_DEFAULT: 5166 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5167 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5168 gen_or(tmp, b1); 5169 break; 5170 5171 case Q_AND: 5172 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5173 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5174 gen_and(tmp, b1); 5175 break; 5176 5177 default: 5178 abort(); 5179 } 5180 gen_and(b0, b1); 5181 5182 return b1; 5183 } 5184 5185 static struct block * 5186 gen_portrange6(port1, port2, ip_proto, dir) 5187 int port1, port2; 5188 int ip_proto; 5189 int dir; 5190 { 5191 struct block *b0, *b1, *tmp; 5192 5193 /* link proto ip6 */ 5194 b0 = gen_linktype(ETHERTYPE_IPV6); 5195 5196 switch (ip_proto) { 5197 case IPPROTO_UDP: 5198 case IPPROTO_TCP: 5199 case IPPROTO_SCTP: 5200 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5201 break; 5202 5203 case PROTO_UNDEF: 5204 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5205 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5206 gen_or(tmp, b1); 5207 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5208 gen_or(tmp, b1); 5209 break; 5210 5211 default: 5212 abort(); 5213 } 5214 gen_and(b0, b1); 5215 return b1; 5216 } 5217 #endif /* INET6 */ 5218 5219 static int 5220 lookup_proto(name, proto) 5221 register const char *name; 5222 register int proto; 5223 { 5224 register int v; 5225 5226 switch (proto) { 5227 5228 case Q_DEFAULT: 5229 case Q_IP: 5230 case Q_IPV6: 5231 v = pcap_nametoproto(name); 5232 if (v == PROTO_UNDEF) 5233 bpf_error("unknown ip proto '%s'", name); 5234 break; 5235 5236 case Q_LINK: 5237 /* XXX should look up h/w protocol type based on linktype */ 5238 v = pcap_nametoeproto(name); 5239 if (v == PROTO_UNDEF) { 5240 v = pcap_nametollc(name); 5241 if (v == PROTO_UNDEF) 5242 bpf_error("unknown ether proto '%s'", name); 5243 } 5244 break; 5245 5246 case Q_ISO: 5247 if (strcmp(name, "esis") == 0) 5248 v = ISO9542_ESIS; 5249 else if (strcmp(name, "isis") == 0) 5250 v = ISO10589_ISIS; 5251 else if (strcmp(name, "clnp") == 0) 5252 v = ISO8473_CLNP; 5253 else 5254 bpf_error("unknown osi proto '%s'", name); 5255 break; 5256 5257 default: 5258 v = PROTO_UNDEF; 5259 break; 5260 } 5261 return v; 5262 } 5263 5264 #if 0 5265 struct stmt * 5266 gen_joinsp(s, n) 5267 struct stmt **s; 5268 int n; 5269 { 5270 return NULL; 5271 } 5272 #endif 5273 5274 static struct block * 5275 gen_protochain(v, proto, dir) 5276 int v; 5277 int proto; 5278 int dir; 5279 { 5280 #ifdef NO_PROTOCHAIN 5281 return gen_proto(v, proto, dir); 5282 #else 5283 struct block *b0, *b; 5284 struct slist *s[100]; 5285 int fix2, fix3, fix4, fix5; 5286 int ahcheck, again, end; 5287 int i, max; 5288 int reg2 = alloc_reg(); 5289 5290 memset(s, 0, sizeof(s)); 5291 fix2 = fix3 = fix4 = fix5 = 0; 5292 5293 switch (proto) { 5294 case Q_IP: 5295 case Q_IPV6: 5296 break; 5297 case Q_DEFAULT: 5298 b0 = gen_protochain(v, Q_IP, dir); 5299 b = gen_protochain(v, Q_IPV6, dir); 5300 gen_or(b0, b); 5301 return b; 5302 default: 5303 bpf_error("bad protocol applied for 'protochain'"); 5304 /*NOTREACHED*/ 5305 } 5306 5307 /* 5308 * We don't handle variable-length prefixes before the link-layer 5309 * header, or variable-length link-layer headers, here yet. 5310 * We might want to add BPF instructions to do the protochain 5311 * work, to simplify that and, on platforms that have a BPF 5312 * interpreter with the new instructions, let the filtering 5313 * be done in the kernel. (We already require a modified BPF 5314 * engine to do the protochain stuff, to support backward 5315 * branches, and backward branch support is unlikely to appear 5316 * in kernel BPF engines.) 5317 */ 5318 switch (linktype) { 5319 5320 case DLT_IEEE802_11: 5321 case DLT_PRISM_HEADER: 5322 case DLT_IEEE802_11_RADIO_AVS: 5323 case DLT_IEEE802_11_RADIO: 5324 case DLT_PPI: 5325 bpf_error("'protochain' not supported with 802.11"); 5326 } 5327 5328 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5329 5330 /* 5331 * s[0] is a dummy entry to protect other BPF insn from damage 5332 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5333 * hard to find interdependency made by jump table fixup. 5334 */ 5335 i = 0; 5336 s[i] = new_stmt(0); /*dummy*/ 5337 i++; 5338 5339 switch (proto) { 5340 case Q_IP: 5341 b0 = gen_linktype(ETHERTYPE_IP); 5342 5343 /* A = ip->ip_p */ 5344 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5345 s[i]->s.k = off_macpl + off_nl + 9; 5346 i++; 5347 /* X = ip->ip_hl << 2 */ 5348 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5349 s[i]->s.k = off_macpl + off_nl; 5350 i++; 5351 break; 5352 #ifdef INET6 5353 case Q_IPV6: 5354 b0 = gen_linktype(ETHERTYPE_IPV6); 5355 5356 /* A = ip6->ip_nxt */ 5357 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5358 s[i]->s.k = off_macpl + off_nl + 6; 5359 i++; 5360 /* X = sizeof(struct ip6_hdr) */ 5361 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5362 s[i]->s.k = 40; 5363 i++; 5364 break; 5365 #endif 5366 default: 5367 bpf_error("unsupported proto to gen_protochain"); 5368 /*NOTREACHED*/ 5369 } 5370 5371 /* again: if (A == v) goto end; else fall through; */ 5372 again = i; 5373 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5374 s[i]->s.k = v; 5375 s[i]->s.jt = NULL; /*later*/ 5376 s[i]->s.jf = NULL; /*update in next stmt*/ 5377 fix5 = i; 5378 i++; 5379 5380 #ifndef IPPROTO_NONE 5381 #define IPPROTO_NONE 59 5382 #endif 5383 /* if (A == IPPROTO_NONE) goto end */ 5384 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5385 s[i]->s.jt = NULL; /*later*/ 5386 s[i]->s.jf = NULL; /*update in next stmt*/ 5387 s[i]->s.k = IPPROTO_NONE; 5388 s[fix5]->s.jf = s[i]; 5389 fix2 = i; 5390 i++; 5391 5392 #ifdef INET6 5393 if (proto == Q_IPV6) { 5394 int v6start, v6end, v6advance, j; 5395 5396 v6start = i; 5397 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5398 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5399 s[i]->s.jt = NULL; /*later*/ 5400 s[i]->s.jf = NULL; /*update in next stmt*/ 5401 s[i]->s.k = IPPROTO_HOPOPTS; 5402 s[fix2]->s.jf = s[i]; 5403 i++; 5404 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5405 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5406 s[i]->s.jt = NULL; /*later*/ 5407 s[i]->s.jf = NULL; /*update in next stmt*/ 5408 s[i]->s.k = IPPROTO_DSTOPTS; 5409 i++; 5410 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5411 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5412 s[i]->s.jt = NULL; /*later*/ 5413 s[i]->s.jf = NULL; /*update in next stmt*/ 5414 s[i]->s.k = IPPROTO_ROUTING; 5415 i++; 5416 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5417 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5418 s[i]->s.jt = NULL; /*later*/ 5419 s[i]->s.jf = NULL; /*later*/ 5420 s[i]->s.k = IPPROTO_FRAGMENT; 5421 fix3 = i; 5422 v6end = i; 5423 i++; 5424 5425 /* v6advance: */ 5426 v6advance = i; 5427 5428 /* 5429 * in short, 5430 * A = P[X]; 5431 * X = X + (P[X + 1] + 1) * 8; 5432 */ 5433 /* A = X */ 5434 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5435 i++; 5436 /* A = P[X + packet head] */ 5437 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5438 s[i]->s.k = off_macpl + off_nl; 5439 i++; 5440 /* MEM[reg2] = A */ 5441 s[i] = new_stmt(BPF_ST); 5442 s[i]->s.k = reg2; 5443 i++; 5444 /* A = X */ 5445 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5446 i++; 5447 /* A += 1 */ 5448 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5449 s[i]->s.k = 1; 5450 i++; 5451 /* X = A */ 5452 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5453 i++; 5454 /* A = P[X + packet head]; */ 5455 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5456 s[i]->s.k = off_macpl + off_nl; 5457 i++; 5458 /* A += 1 */ 5459 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5460 s[i]->s.k = 1; 5461 i++; 5462 /* A *= 8 */ 5463 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5464 s[i]->s.k = 8; 5465 i++; 5466 /* X = A; */ 5467 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5468 i++; 5469 /* A = MEM[reg2] */ 5470 s[i] = new_stmt(BPF_LD|BPF_MEM); 5471 s[i]->s.k = reg2; 5472 i++; 5473 5474 /* goto again; (must use BPF_JA for backward jump) */ 5475 s[i] = new_stmt(BPF_JMP|BPF_JA); 5476 s[i]->s.k = again - i - 1; 5477 s[i - 1]->s.jf = s[i]; 5478 i++; 5479 5480 /* fixup */ 5481 for (j = v6start; j <= v6end; j++) 5482 s[j]->s.jt = s[v6advance]; 5483 } else 5484 #endif 5485 { 5486 /* nop */ 5487 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5488 s[i]->s.k = 0; 5489 s[fix2]->s.jf = s[i]; 5490 i++; 5491 } 5492 5493 /* ahcheck: */ 5494 ahcheck = i; 5495 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5496 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5497 s[i]->s.jt = NULL; /*later*/ 5498 s[i]->s.jf = NULL; /*later*/ 5499 s[i]->s.k = IPPROTO_AH; 5500 if (fix3) 5501 s[fix3]->s.jf = s[ahcheck]; 5502 fix4 = i; 5503 i++; 5504 5505 /* 5506 * in short, 5507 * A = P[X]; 5508 * X = X + (P[X + 1] + 2) * 4; 5509 */ 5510 /* A = X */ 5511 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5512 i++; 5513 /* A = P[X + packet head]; */ 5514 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5515 s[i]->s.k = off_macpl + off_nl; 5516 i++; 5517 /* MEM[reg2] = A */ 5518 s[i] = new_stmt(BPF_ST); 5519 s[i]->s.k = reg2; 5520 i++; 5521 /* A = X */ 5522 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5523 i++; 5524 /* A += 1 */ 5525 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5526 s[i]->s.k = 1; 5527 i++; 5528 /* X = A */ 5529 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5530 i++; 5531 /* A = P[X + packet head] */ 5532 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5533 s[i]->s.k = off_macpl + off_nl; 5534 i++; 5535 /* A += 2 */ 5536 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5537 s[i]->s.k = 2; 5538 i++; 5539 /* A *= 4 */ 5540 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5541 s[i]->s.k = 4; 5542 i++; 5543 /* X = A; */ 5544 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5545 i++; 5546 /* A = MEM[reg2] */ 5547 s[i] = new_stmt(BPF_LD|BPF_MEM); 5548 s[i]->s.k = reg2; 5549 i++; 5550 5551 /* goto again; (must use BPF_JA for backward jump) */ 5552 s[i] = new_stmt(BPF_JMP|BPF_JA); 5553 s[i]->s.k = again - i - 1; 5554 i++; 5555 5556 /* end: nop */ 5557 end = i; 5558 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5559 s[i]->s.k = 0; 5560 s[fix2]->s.jt = s[end]; 5561 s[fix4]->s.jf = s[end]; 5562 s[fix5]->s.jt = s[end]; 5563 i++; 5564 5565 /* 5566 * make slist chain 5567 */ 5568 max = i; 5569 for (i = 0; i < max - 1; i++) 5570 s[i]->next = s[i + 1]; 5571 s[max - 1]->next = NULL; 5572 5573 /* 5574 * emit final check 5575 */ 5576 b = new_block(JMP(BPF_JEQ)); 5577 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5578 b->s.k = v; 5579 5580 free_reg(reg2); 5581 5582 gen_and(b0, b); 5583 return b; 5584 #endif 5585 } 5586 5587 static struct block * 5588 gen_check_802_11_data_frame() 5589 { 5590 struct slist *s; 5591 struct block *b0, *b1; 5592 5593 /* 5594 * A data frame has the 0x08 bit (b3) in the frame control field set 5595 * and the 0x04 bit (b2) clear. 5596 */ 5597 s = gen_load_a(OR_LINK, 0, BPF_B); 5598 b0 = new_block(JMP(BPF_JSET)); 5599 b0->s.k = 0x08; 5600 b0->stmts = s; 5601 5602 s = gen_load_a(OR_LINK, 0, BPF_B); 5603 b1 = new_block(JMP(BPF_JSET)); 5604 b1->s.k = 0x04; 5605 b1->stmts = s; 5606 gen_not(b1); 5607 5608 gen_and(b1, b0); 5609 5610 return b0; 5611 } 5612 5613 /* 5614 * Generate code that checks whether the packet is a packet for protocol 5615 * <proto> and whether the type field in that protocol's header has 5616 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5617 * IP packet and checks the protocol number in the IP header against <v>. 5618 * 5619 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5620 * against Q_IP and Q_IPV6. 5621 */ 5622 static struct block * 5623 gen_proto(v, proto, dir) 5624 int v; 5625 int proto; 5626 int dir; 5627 { 5628 struct block *b0, *b1; 5629 5630 if (dir != Q_DEFAULT) 5631 bpf_error("direction applied to 'proto'"); 5632 5633 switch (proto) { 5634 case Q_DEFAULT: 5635 #ifdef INET6 5636 b0 = gen_proto(v, Q_IP, dir); 5637 b1 = gen_proto(v, Q_IPV6, dir); 5638 gen_or(b0, b1); 5639 return b1; 5640 #else 5641 /*FALLTHROUGH*/ 5642 #endif 5643 case Q_IP: 5644 /* 5645 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5646 * not LLC encapsulation with LLCSAP_IP. 5647 * 5648 * For IEEE 802 networks - which includes 802.5 token ring 5649 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5650 * says that SNAP encapsulation is used, not LLC encapsulation 5651 * with LLCSAP_IP. 5652 * 5653 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5654 * RFC 2225 say that SNAP encapsulation is used, not LLC 5655 * encapsulation with LLCSAP_IP. 5656 * 5657 * So we always check for ETHERTYPE_IP. 5658 */ 5659 b0 = gen_linktype(ETHERTYPE_IP); 5660 #ifndef CHASE_CHAIN 5661 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5662 #else 5663 b1 = gen_protochain(v, Q_IP); 5664 #endif 5665 gen_and(b0, b1); 5666 return b1; 5667 5668 case Q_ISO: 5669 switch (linktype) { 5670 5671 case DLT_FRELAY: 5672 /* 5673 * Frame Relay packets typically have an OSI 5674 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5675 * generates code to check for all the OSI 5676 * NLPIDs, so calling it and then adding a check 5677 * for the particular NLPID for which we're 5678 * looking is bogus, as we can just check for 5679 * the NLPID. 5680 * 5681 * What we check for is the NLPID and a frame 5682 * control field value of UI, i.e. 0x03 followed 5683 * by the NLPID. 5684 * 5685 * XXX - assumes a 2-byte Frame Relay header with 5686 * DLCI and flags. What if the address is longer? 5687 * 5688 * XXX - what about SNAP-encapsulated frames? 5689 */ 5690 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5691 /*NOTREACHED*/ 5692 break; 5693 5694 case DLT_C_HDLC: 5695 /* 5696 * Cisco uses an Ethertype lookalike - for OSI, 5697 * it's 0xfefe. 5698 */ 5699 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5700 /* OSI in C-HDLC is stuffed with a fudge byte */ 5701 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5702 gen_and(b0, b1); 5703 return b1; 5704 5705 default: 5706 b0 = gen_linktype(LLCSAP_ISONS); 5707 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5708 gen_and(b0, b1); 5709 return b1; 5710 } 5711 5712 case Q_ISIS: 5713 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5714 /* 5715 * 4 is the offset of the PDU type relative to the IS-IS 5716 * header. 5717 */ 5718 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5719 gen_and(b0, b1); 5720 return b1; 5721 5722 case Q_ARP: 5723 bpf_error("arp does not encapsulate another protocol"); 5724 /* NOTREACHED */ 5725 5726 case Q_RARP: 5727 bpf_error("rarp does not encapsulate another protocol"); 5728 /* NOTREACHED */ 5729 5730 case Q_ATALK: 5731 bpf_error("atalk encapsulation is not specifiable"); 5732 /* NOTREACHED */ 5733 5734 case Q_DECNET: 5735 bpf_error("decnet encapsulation is not specifiable"); 5736 /* NOTREACHED */ 5737 5738 case Q_SCA: 5739 bpf_error("sca does not encapsulate another protocol"); 5740 /* NOTREACHED */ 5741 5742 case Q_LAT: 5743 bpf_error("lat does not encapsulate another protocol"); 5744 /* NOTREACHED */ 5745 5746 case Q_MOPRC: 5747 bpf_error("moprc does not encapsulate another protocol"); 5748 /* NOTREACHED */ 5749 5750 case Q_MOPDL: 5751 bpf_error("mopdl does not encapsulate another protocol"); 5752 /* NOTREACHED */ 5753 5754 case Q_LINK: 5755 return gen_linktype(v); 5756 5757 case Q_UDP: 5758 bpf_error("'udp proto' is bogus"); 5759 /* NOTREACHED */ 5760 5761 case Q_TCP: 5762 bpf_error("'tcp proto' is bogus"); 5763 /* NOTREACHED */ 5764 5765 case Q_SCTP: 5766 bpf_error("'sctp proto' is bogus"); 5767 /* NOTREACHED */ 5768 5769 case Q_ICMP: 5770 bpf_error("'icmp proto' is bogus"); 5771 /* NOTREACHED */ 5772 5773 case Q_IGMP: 5774 bpf_error("'igmp proto' is bogus"); 5775 /* NOTREACHED */ 5776 5777 case Q_IGRP: 5778 bpf_error("'igrp proto' is bogus"); 5779 /* NOTREACHED */ 5780 5781 case Q_PIM: 5782 bpf_error("'pim proto' is bogus"); 5783 /* NOTREACHED */ 5784 5785 case Q_VRRP: 5786 bpf_error("'vrrp proto' is bogus"); 5787 /* NOTREACHED */ 5788 5789 #ifdef INET6 5790 case Q_IPV6: 5791 b0 = gen_linktype(ETHERTYPE_IPV6); 5792 #ifndef CHASE_CHAIN 5793 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5794 #else 5795 b1 = gen_protochain(v, Q_IPV6); 5796 #endif 5797 gen_and(b0, b1); 5798 return b1; 5799 5800 case Q_ICMPV6: 5801 bpf_error("'icmp6 proto' is bogus"); 5802 #endif /* INET6 */ 5803 5804 case Q_AH: 5805 bpf_error("'ah proto' is bogus"); 5806 5807 case Q_ESP: 5808 bpf_error("'ah proto' is bogus"); 5809 5810 case Q_STP: 5811 bpf_error("'stp proto' is bogus"); 5812 5813 case Q_IPX: 5814 bpf_error("'ipx proto' is bogus"); 5815 5816 case Q_NETBEUI: 5817 bpf_error("'netbeui proto' is bogus"); 5818 5819 case Q_RADIO: 5820 bpf_error("'radio proto' is bogus"); 5821 5822 default: 5823 abort(); 5824 /* NOTREACHED */ 5825 } 5826 /* NOTREACHED */ 5827 } 5828 5829 struct block * 5830 gen_scode(name, q) 5831 register const char *name; 5832 struct qual q; 5833 { 5834 int proto = q.proto; 5835 int dir = q.dir; 5836 int tproto; 5837 u_char *eaddr; 5838 bpf_u_int32 mask, addr; 5839 #ifndef INET6 5840 bpf_u_int32 **alist; 5841 #else 5842 int tproto6; 5843 struct sockaddr_in *sin4; 5844 struct sockaddr_in6 *sin6; 5845 struct addrinfo *res, *res0; 5846 struct in6_addr mask128; 5847 #endif /*INET6*/ 5848 struct block *b, *tmp; 5849 int port, real_proto; 5850 int port1, port2; 5851 5852 switch (q.addr) { 5853 5854 case Q_NET: 5855 addr = pcap_nametonetaddr(name); 5856 if (addr == 0) 5857 bpf_error("unknown network '%s'", name); 5858 /* Left justify network addr and calculate its network mask */ 5859 mask = 0xffffffff; 5860 while (addr && (addr & 0xff000000) == 0) { 5861 addr <<= 8; 5862 mask <<= 8; 5863 } 5864 return gen_host(addr, mask, proto, dir, q.addr); 5865 5866 case Q_DEFAULT: 5867 case Q_HOST: 5868 if (proto == Q_LINK) { 5869 switch (linktype) { 5870 5871 case DLT_EN10MB: 5872 eaddr = pcap_ether_hostton(name); 5873 if (eaddr == NULL) 5874 bpf_error( 5875 "unknown ether host '%s'", name); 5876 b = gen_ehostop(eaddr, dir); 5877 free(eaddr); 5878 return b; 5879 5880 case DLT_FDDI: 5881 eaddr = pcap_ether_hostton(name); 5882 if (eaddr == NULL) 5883 bpf_error( 5884 "unknown FDDI host '%s'", name); 5885 b = gen_fhostop(eaddr, dir); 5886 free(eaddr); 5887 return b; 5888 5889 case DLT_IEEE802: 5890 eaddr = pcap_ether_hostton(name); 5891 if (eaddr == NULL) 5892 bpf_error( 5893 "unknown token ring host '%s'", name); 5894 b = gen_thostop(eaddr, dir); 5895 free(eaddr); 5896 return b; 5897 5898 case DLT_IEEE802_11: 5899 case DLT_PRISM_HEADER: 5900 case DLT_IEEE802_11_RADIO_AVS: 5901 case DLT_IEEE802_11_RADIO: 5902 case DLT_PPI: 5903 eaddr = pcap_ether_hostton(name); 5904 if (eaddr == NULL) 5905 bpf_error( 5906 "unknown 802.11 host '%s'", name); 5907 b = gen_wlanhostop(eaddr, dir); 5908 free(eaddr); 5909 return b; 5910 5911 case DLT_IP_OVER_FC: 5912 eaddr = pcap_ether_hostton(name); 5913 if (eaddr == NULL) 5914 bpf_error( 5915 "unknown Fibre Channel host '%s'", name); 5916 b = gen_ipfchostop(eaddr, dir); 5917 free(eaddr); 5918 return b; 5919 5920 case DLT_SUNATM: 5921 if (!is_lane) 5922 break; 5923 5924 /* 5925 * Check that the packet doesn't begin 5926 * with an LE Control marker. (We've 5927 * already generated a test for LANE.) 5928 */ 5929 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 5930 BPF_H, 0xFF00); 5931 gen_not(tmp); 5932 5933 eaddr = pcap_ether_hostton(name); 5934 if (eaddr == NULL) 5935 bpf_error( 5936 "unknown ether host '%s'", name); 5937 b = gen_ehostop(eaddr, dir); 5938 gen_and(tmp, b); 5939 free(eaddr); 5940 return b; 5941 } 5942 5943 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 5944 } else if (proto == Q_DECNET) { 5945 unsigned short dn_addr = __pcap_nametodnaddr(name); 5946 /* 5947 * I don't think DECNET hosts can be multihomed, so 5948 * there is no need to build up a list of addresses 5949 */ 5950 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 5951 } else { 5952 #ifndef INET6 5953 alist = pcap_nametoaddr(name); 5954 if (alist == NULL || *alist == NULL) 5955 bpf_error("unknown host '%s'", name); 5956 tproto = proto; 5957 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 5958 tproto = Q_IP; 5959 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 5960 while (*alist) { 5961 tmp = gen_host(**alist++, 0xffffffff, 5962 tproto, dir, q.addr); 5963 gen_or(b, tmp); 5964 b = tmp; 5965 } 5966 return b; 5967 #else 5968 memset(&mask128, 0xff, sizeof(mask128)); 5969 res0 = res = pcap_nametoaddrinfo(name); 5970 if (res == NULL) 5971 bpf_error("unknown host '%s'", name); 5972 b = tmp = NULL; 5973 tproto = tproto6 = proto; 5974 if (off_linktype == -1 && tproto == Q_DEFAULT) { 5975 tproto = Q_IP; 5976 tproto6 = Q_IPV6; 5977 } 5978 for (res = res0; res; res = res->ai_next) { 5979 switch (res->ai_family) { 5980 case AF_INET: 5981 if (tproto == Q_IPV6) 5982 continue; 5983 5984 sin4 = (struct sockaddr_in *) 5985 res->ai_addr; 5986 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 5987 0xffffffff, tproto, dir, q.addr); 5988 break; 5989 case AF_INET6: 5990 if (tproto6 == Q_IP) 5991 continue; 5992 5993 sin6 = (struct sockaddr_in6 *) 5994 res->ai_addr; 5995 tmp = gen_host6(&sin6->sin6_addr, 5996 &mask128, tproto6, dir, q.addr); 5997 break; 5998 default: 5999 continue; 6000 } 6001 if (b) 6002 gen_or(b, tmp); 6003 b = tmp; 6004 } 6005 freeaddrinfo(res0); 6006 if (b == NULL) { 6007 bpf_error("unknown host '%s'%s", name, 6008 (proto == Q_DEFAULT) 6009 ? "" 6010 : " for specified address family"); 6011 } 6012 return b; 6013 #endif /*INET6*/ 6014 } 6015 6016 case Q_PORT: 6017 if (proto != Q_DEFAULT && 6018 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6019 bpf_error("illegal qualifier of 'port'"); 6020 if (pcap_nametoport(name, &port, &real_proto) == 0) 6021 bpf_error("unknown port '%s'", name); 6022 if (proto == Q_UDP) { 6023 if (real_proto == IPPROTO_TCP) 6024 bpf_error("port '%s' is tcp", name); 6025 else if (real_proto == IPPROTO_SCTP) 6026 bpf_error("port '%s' is sctp", name); 6027 else 6028 /* override PROTO_UNDEF */ 6029 real_proto = IPPROTO_UDP; 6030 } 6031 if (proto == Q_TCP) { 6032 if (real_proto == IPPROTO_UDP) 6033 bpf_error("port '%s' is udp", name); 6034 6035 else if (real_proto == IPPROTO_SCTP) 6036 bpf_error("port '%s' is sctp", name); 6037 else 6038 /* override PROTO_UNDEF */ 6039 real_proto = IPPROTO_TCP; 6040 } 6041 if (proto == Q_SCTP) { 6042 if (real_proto == IPPROTO_UDP) 6043 bpf_error("port '%s' is udp", name); 6044 6045 else if (real_proto == IPPROTO_TCP) 6046 bpf_error("port '%s' is tcp", name); 6047 else 6048 /* override PROTO_UNDEF */ 6049 real_proto = IPPROTO_SCTP; 6050 } 6051 #ifndef INET6 6052 return gen_port(port, real_proto, dir); 6053 #else 6054 b = gen_port(port, real_proto, dir); 6055 gen_or(gen_port6(port, real_proto, dir), b); 6056 return b; 6057 #endif /* INET6 */ 6058 6059 case Q_PORTRANGE: 6060 if (proto != Q_DEFAULT && 6061 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6062 bpf_error("illegal qualifier of 'portrange'"); 6063 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6064 bpf_error("unknown port in range '%s'", name); 6065 if (proto == Q_UDP) { 6066 if (real_proto == IPPROTO_TCP) 6067 bpf_error("port in range '%s' is tcp", name); 6068 else if (real_proto == IPPROTO_SCTP) 6069 bpf_error("port in range '%s' is sctp", name); 6070 else 6071 /* override PROTO_UNDEF */ 6072 real_proto = IPPROTO_UDP; 6073 } 6074 if (proto == Q_TCP) { 6075 if (real_proto == IPPROTO_UDP) 6076 bpf_error("port in range '%s' is udp", name); 6077 else if (real_proto == IPPROTO_SCTP) 6078 bpf_error("port in range '%s' is sctp", name); 6079 else 6080 /* override PROTO_UNDEF */ 6081 real_proto = IPPROTO_TCP; 6082 } 6083 if (proto == Q_SCTP) { 6084 if (real_proto == IPPROTO_UDP) 6085 bpf_error("port in range '%s' is udp", name); 6086 else if (real_proto == IPPROTO_TCP) 6087 bpf_error("port in range '%s' is tcp", name); 6088 else 6089 /* override PROTO_UNDEF */ 6090 real_proto = IPPROTO_SCTP; 6091 } 6092 #ifndef INET6 6093 return gen_portrange(port1, port2, real_proto, dir); 6094 #else 6095 b = gen_portrange(port1, port2, real_proto, dir); 6096 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6097 return b; 6098 #endif /* INET6 */ 6099 6100 case Q_GATEWAY: 6101 #ifndef INET6 6102 eaddr = pcap_ether_hostton(name); 6103 if (eaddr == NULL) 6104 bpf_error("unknown ether host: %s", name); 6105 6106 alist = pcap_nametoaddr(name); 6107 if (alist == NULL || *alist == NULL) 6108 bpf_error("unknown host '%s'", name); 6109 b = gen_gateway(eaddr, alist, proto, dir); 6110 free(eaddr); 6111 return b; 6112 #else 6113 bpf_error("'gateway' not supported in this configuration"); 6114 #endif /*INET6*/ 6115 6116 case Q_PROTO: 6117 real_proto = lookup_proto(name, proto); 6118 if (real_proto >= 0) 6119 return gen_proto(real_proto, proto, dir); 6120 else 6121 bpf_error("unknown protocol: %s", name); 6122 6123 case Q_PROTOCHAIN: 6124 real_proto = lookup_proto(name, proto); 6125 if (real_proto >= 0) 6126 return gen_protochain(real_proto, proto, dir); 6127 else 6128 bpf_error("unknown protocol: %s", name); 6129 6130 case Q_UNDEF: 6131 syntax(); 6132 /* NOTREACHED */ 6133 } 6134 abort(); 6135 /* NOTREACHED */ 6136 } 6137 6138 struct block * 6139 gen_mcode(s1, s2, masklen, q) 6140 register const char *s1, *s2; 6141 register int masklen; 6142 struct qual q; 6143 { 6144 register int nlen, mlen; 6145 bpf_u_int32 n, m; 6146 6147 nlen = __pcap_atoin(s1, &n); 6148 /* Promote short ipaddr */ 6149 n <<= 32 - nlen; 6150 6151 if (s2 != NULL) { 6152 mlen = __pcap_atoin(s2, &m); 6153 /* Promote short ipaddr */ 6154 m <<= 32 - mlen; 6155 if ((n & ~m) != 0) 6156 bpf_error("non-network bits set in \"%s mask %s\"", 6157 s1, s2); 6158 } else { 6159 /* Convert mask len to mask */ 6160 if (masklen > 32) 6161 bpf_error("mask length must be <= 32"); 6162 if (masklen == 0) { 6163 /* 6164 * X << 32 is not guaranteed by C to be 0; it's 6165 * undefined. 6166 */ 6167 m = 0; 6168 } else 6169 m = 0xffffffff << (32 - masklen); 6170 if ((n & ~m) != 0) 6171 bpf_error("non-network bits set in \"%s/%d\"", 6172 s1, masklen); 6173 } 6174 6175 switch (q.addr) { 6176 6177 case Q_NET: 6178 return gen_host(n, m, q.proto, q.dir, q.addr); 6179 6180 default: 6181 bpf_error("Mask syntax for networks only"); 6182 /* NOTREACHED */ 6183 } 6184 /* NOTREACHED */ 6185 return NULL; 6186 } 6187 6188 struct block * 6189 gen_ncode(s, v, q) 6190 register const char *s; 6191 bpf_u_int32 v; 6192 struct qual q; 6193 { 6194 bpf_u_int32 mask; 6195 int proto = q.proto; 6196 int dir = q.dir; 6197 register int vlen; 6198 6199 if (s == NULL) 6200 vlen = 32; 6201 else if (q.proto == Q_DECNET) 6202 vlen = __pcap_atodn(s, &v); 6203 else 6204 vlen = __pcap_atoin(s, &v); 6205 6206 switch (q.addr) { 6207 6208 case Q_DEFAULT: 6209 case Q_HOST: 6210 case Q_NET: 6211 if (proto == Q_DECNET) 6212 return gen_host(v, 0, proto, dir, q.addr); 6213 else if (proto == Q_LINK) { 6214 bpf_error("illegal link layer address"); 6215 } else { 6216 mask = 0xffffffff; 6217 if (s == NULL && q.addr == Q_NET) { 6218 /* Promote short net number */ 6219 while (v && (v & 0xff000000) == 0) { 6220 v <<= 8; 6221 mask <<= 8; 6222 } 6223 } else { 6224 /* Promote short ipaddr */ 6225 v <<= 32 - vlen; 6226 mask <<= 32 - vlen; 6227 } 6228 return gen_host(v, mask, proto, dir, q.addr); 6229 } 6230 6231 case Q_PORT: 6232 if (proto == Q_UDP) 6233 proto = IPPROTO_UDP; 6234 else if (proto == Q_TCP) 6235 proto = IPPROTO_TCP; 6236 else if (proto == Q_SCTP) 6237 proto = IPPROTO_SCTP; 6238 else if (proto == Q_DEFAULT) 6239 proto = PROTO_UNDEF; 6240 else 6241 bpf_error("illegal qualifier of 'port'"); 6242 6243 #ifndef INET6 6244 return gen_port((int)v, proto, dir); 6245 #else 6246 { 6247 struct block *b; 6248 b = gen_port((int)v, proto, dir); 6249 gen_or(gen_port6((int)v, proto, dir), b); 6250 return b; 6251 } 6252 #endif /* INET6 */ 6253 6254 case Q_PORTRANGE: 6255 if (proto == Q_UDP) 6256 proto = IPPROTO_UDP; 6257 else if (proto == Q_TCP) 6258 proto = IPPROTO_TCP; 6259 else if (proto == Q_SCTP) 6260 proto = IPPROTO_SCTP; 6261 else if (proto == Q_DEFAULT) 6262 proto = PROTO_UNDEF; 6263 else 6264 bpf_error("illegal qualifier of 'portrange'"); 6265 6266 #ifndef INET6 6267 return gen_portrange((int)v, (int)v, proto, dir); 6268 #else 6269 { 6270 struct block *b; 6271 b = gen_portrange((int)v, (int)v, proto, dir); 6272 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6273 return b; 6274 } 6275 #endif /* INET6 */ 6276 6277 case Q_GATEWAY: 6278 bpf_error("'gateway' requires a name"); 6279 /* NOTREACHED */ 6280 6281 case Q_PROTO: 6282 return gen_proto((int)v, proto, dir); 6283 6284 case Q_PROTOCHAIN: 6285 return gen_protochain((int)v, proto, dir); 6286 6287 case Q_UNDEF: 6288 syntax(); 6289 /* NOTREACHED */ 6290 6291 default: 6292 abort(); 6293 /* NOTREACHED */ 6294 } 6295 /* NOTREACHED */ 6296 } 6297 6298 #ifdef INET6 6299 struct block * 6300 gen_mcode6(s1, s2, masklen, q) 6301 register const char *s1, *s2; 6302 register int masklen; 6303 struct qual q; 6304 { 6305 struct addrinfo *res; 6306 struct in6_addr *addr; 6307 struct in6_addr mask; 6308 struct block *b; 6309 u_int32_t *a, *m; 6310 6311 if (s2) 6312 bpf_error("no mask %s supported", s2); 6313 6314 res = pcap_nametoaddrinfo(s1); 6315 if (!res) 6316 bpf_error("invalid ip6 address %s", s1); 6317 if (res->ai_next) 6318 bpf_error("%s resolved to multiple address", s1); 6319 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6320 6321 if (sizeof(mask) * 8 < masklen) 6322 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6323 memset(&mask, 0, sizeof(mask)); 6324 memset(&mask, 0xff, masklen / 8); 6325 if (masklen % 8) { 6326 mask.s6_addr[masklen / 8] = 6327 (0xff << (8 - masklen % 8)) & 0xff; 6328 } 6329 6330 a = (u_int32_t *)addr; 6331 m = (u_int32_t *)&mask; 6332 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6333 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6334 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6335 } 6336 6337 switch (q.addr) { 6338 6339 case Q_DEFAULT: 6340 case Q_HOST: 6341 if (masklen != 128) 6342 bpf_error("Mask syntax for networks only"); 6343 /* FALLTHROUGH */ 6344 6345 case Q_NET: 6346 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6347 freeaddrinfo(res); 6348 return b; 6349 6350 default: 6351 bpf_error("invalid qualifier against IPv6 address"); 6352 /* NOTREACHED */ 6353 } 6354 return NULL; 6355 } 6356 #endif /*INET6*/ 6357 6358 struct block * 6359 gen_ecode(eaddr, q) 6360 register const u_char *eaddr; 6361 struct qual q; 6362 { 6363 struct block *b, *tmp; 6364 6365 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6366 switch (linktype) { 6367 case DLT_EN10MB: 6368 return gen_ehostop(eaddr, (int)q.dir); 6369 case DLT_FDDI: 6370 return gen_fhostop(eaddr, (int)q.dir); 6371 case DLT_IEEE802: 6372 return gen_thostop(eaddr, (int)q.dir); 6373 case DLT_IEEE802_11: 6374 case DLT_PRISM_HEADER: 6375 case DLT_IEEE802_11_RADIO_AVS: 6376 case DLT_IEEE802_11_RADIO: 6377 case DLT_PPI: 6378 return gen_wlanhostop(eaddr, (int)q.dir); 6379 case DLT_SUNATM: 6380 if (is_lane) { 6381 /* 6382 * Check that the packet doesn't begin with an 6383 * LE Control marker. (We've already generated 6384 * a test for LANE.) 6385 */ 6386 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6387 0xFF00); 6388 gen_not(tmp); 6389 6390 /* 6391 * Now check the MAC address. 6392 */ 6393 b = gen_ehostop(eaddr, (int)q.dir); 6394 gen_and(tmp, b); 6395 return b; 6396 } 6397 break; 6398 case DLT_IP_OVER_FC: 6399 return gen_ipfchostop(eaddr, (int)q.dir); 6400 default: 6401 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6402 break; 6403 } 6404 } 6405 bpf_error("ethernet address used in non-ether expression"); 6406 /* NOTREACHED */ 6407 return NULL; 6408 } 6409 6410 void 6411 sappend(s0, s1) 6412 struct slist *s0, *s1; 6413 { 6414 /* 6415 * This is definitely not the best way to do this, but the 6416 * lists will rarely get long. 6417 */ 6418 while (s0->next) 6419 s0 = s0->next; 6420 s0->next = s1; 6421 } 6422 6423 static struct slist * 6424 xfer_to_x(a) 6425 struct arth *a; 6426 { 6427 struct slist *s; 6428 6429 s = new_stmt(BPF_LDX|BPF_MEM); 6430 s->s.k = a->regno; 6431 return s; 6432 } 6433 6434 static struct slist * 6435 xfer_to_a(a) 6436 struct arth *a; 6437 { 6438 struct slist *s; 6439 6440 s = new_stmt(BPF_LD|BPF_MEM); 6441 s->s.k = a->regno; 6442 return s; 6443 } 6444 6445 /* 6446 * Modify "index" to use the value stored into its register as an 6447 * offset relative to the beginning of the header for the protocol 6448 * "proto", and allocate a register and put an item "size" bytes long 6449 * (1, 2, or 4) at that offset into that register, making it the register 6450 * for "index". 6451 */ 6452 struct arth * 6453 gen_load(proto, inst, size) 6454 int proto; 6455 struct arth *inst; 6456 int size; 6457 { 6458 struct slist *s, *tmp; 6459 struct block *b; 6460 int regno = alloc_reg(); 6461 6462 free_reg(inst->regno); 6463 switch (size) { 6464 6465 default: 6466 bpf_error("data size must be 1, 2, or 4"); 6467 6468 case 1: 6469 size = BPF_B; 6470 break; 6471 6472 case 2: 6473 size = BPF_H; 6474 break; 6475 6476 case 4: 6477 size = BPF_W; 6478 break; 6479 } 6480 switch (proto) { 6481 default: 6482 bpf_error("unsupported index operation"); 6483 6484 case Q_RADIO: 6485 /* 6486 * The offset is relative to the beginning of the packet 6487 * data, if we have a radio header. (If we don't, this 6488 * is an error.) 6489 */ 6490 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6491 linktype != DLT_IEEE802_11_RADIO && 6492 linktype != DLT_PRISM_HEADER) 6493 bpf_error("radio information not present in capture"); 6494 6495 /* 6496 * Load into the X register the offset computed into the 6497 * register specifed by "index". 6498 */ 6499 s = xfer_to_x(inst); 6500 6501 /* 6502 * Load the item at that offset. 6503 */ 6504 tmp = new_stmt(BPF_LD|BPF_IND|size); 6505 sappend(s, tmp); 6506 sappend(inst->s, s); 6507 break; 6508 6509 case Q_LINK: 6510 /* 6511 * The offset is relative to the beginning of 6512 * the link-layer header. 6513 * 6514 * XXX - what about ATM LANE? Should the index be 6515 * relative to the beginning of the AAL5 frame, so 6516 * that 0 refers to the beginning of the LE Control 6517 * field, or relative to the beginning of the LAN 6518 * frame, so that 0 refers, for Ethernet LANE, to 6519 * the beginning of the destination address? 6520 */ 6521 s = gen_llprefixlen(); 6522 6523 /* 6524 * If "s" is non-null, it has code to arrange that the 6525 * X register contains the length of the prefix preceding 6526 * the link-layer header. Add to it the offset computed 6527 * into the register specified by "index", and move that 6528 * into the X register. Otherwise, just load into the X 6529 * register the offset computed into the register specifed 6530 * by "index". 6531 */ 6532 if (s != NULL) { 6533 sappend(s, xfer_to_a(inst)); 6534 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6535 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6536 } else 6537 s = xfer_to_x(inst); 6538 6539 /* 6540 * Load the item at the sum of the offset we've put in the 6541 * X register and the offset of the start of the link 6542 * layer header (which is 0 if the radio header is 6543 * variable-length; that header length is what we put 6544 * into the X register and then added to the index). 6545 */ 6546 tmp = new_stmt(BPF_LD|BPF_IND|size); 6547 tmp->s.k = off_ll; 6548 sappend(s, tmp); 6549 sappend(inst->s, s); 6550 break; 6551 6552 case Q_IP: 6553 case Q_ARP: 6554 case Q_RARP: 6555 case Q_ATALK: 6556 case Q_DECNET: 6557 case Q_SCA: 6558 case Q_LAT: 6559 case Q_MOPRC: 6560 case Q_MOPDL: 6561 #ifdef INET6 6562 case Q_IPV6: 6563 #endif 6564 /* 6565 * The offset is relative to the beginning of 6566 * the network-layer header. 6567 * XXX - are there any cases where we want 6568 * off_nl_nosnap? 6569 */ 6570 s = gen_off_macpl(); 6571 6572 /* 6573 * If "s" is non-null, it has code to arrange that the 6574 * X register contains the offset of the MAC-layer 6575 * payload. Add to it the offset computed into the 6576 * register specified by "index", and move that into 6577 * the X register. Otherwise, just load into the X 6578 * register the offset computed into the register specifed 6579 * by "index". 6580 */ 6581 if (s != NULL) { 6582 sappend(s, xfer_to_a(inst)); 6583 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6584 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6585 } else 6586 s = xfer_to_x(inst); 6587 6588 /* 6589 * Load the item at the sum of the offset we've put in the 6590 * X register, the offset of the start of the network 6591 * layer header from the beginning of the MAC-layer 6592 * payload, and the purported offset of the start of the 6593 * MAC-layer payload (which might be 0 if there's a 6594 * variable-length prefix before the link-layer header 6595 * or the link-layer header itself is variable-length; 6596 * the variable-length offset of the start of the 6597 * MAC-layer payload is what we put into the X register 6598 * and then added to the index). 6599 */ 6600 tmp = new_stmt(BPF_LD|BPF_IND|size); 6601 tmp->s.k = off_macpl + off_nl; 6602 sappend(s, tmp); 6603 sappend(inst->s, s); 6604 6605 /* 6606 * Do the computation only if the packet contains 6607 * the protocol in question. 6608 */ 6609 b = gen_proto_abbrev(proto); 6610 if (inst->b) 6611 gen_and(inst->b, b); 6612 inst->b = b; 6613 break; 6614 6615 case Q_SCTP: 6616 case Q_TCP: 6617 case Q_UDP: 6618 case Q_ICMP: 6619 case Q_IGMP: 6620 case Q_IGRP: 6621 case Q_PIM: 6622 case Q_VRRP: 6623 /* 6624 * The offset is relative to the beginning of 6625 * the transport-layer header. 6626 * 6627 * Load the X register with the length of the IPv4 header 6628 * (plus the offset of the link-layer header, if it's 6629 * a variable-length header), in bytes. 6630 * 6631 * XXX - are there any cases where we want 6632 * off_nl_nosnap? 6633 * XXX - we should, if we're built with 6634 * IPv6 support, generate code to load either 6635 * IPv4, IPv6, or both, as appropriate. 6636 */ 6637 s = gen_loadx_iphdrlen(); 6638 6639 /* 6640 * The X register now contains the sum of the length 6641 * of any variable-length header preceding the link-layer 6642 * header, any variable-length link-layer header, and the 6643 * length of the network-layer header. 6644 * 6645 * Load into the A register the offset relative to 6646 * the beginning of the transport layer header, 6647 * add the X register to that, move that to the 6648 * X register, and load with an offset from the 6649 * X register equal to the offset of the network 6650 * layer header relative to the beginning of 6651 * the MAC-layer payload plus the fixed-length 6652 * portion of the offset of the MAC-layer payload 6653 * from the beginning of the raw packet data. 6654 */ 6655 sappend(s, xfer_to_a(inst)); 6656 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6657 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6658 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6659 tmp->s.k = off_macpl + off_nl; 6660 sappend(inst->s, s); 6661 6662 /* 6663 * Do the computation only if the packet contains 6664 * the protocol in question - which is true only 6665 * if this is an IP datagram and is the first or 6666 * only fragment of that datagram. 6667 */ 6668 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6669 if (inst->b) 6670 gen_and(inst->b, b); 6671 #ifdef INET6 6672 gen_and(gen_proto_abbrev(Q_IP), b); 6673 #endif 6674 inst->b = b; 6675 break; 6676 #ifdef INET6 6677 case Q_ICMPV6: 6678 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6679 /*NOTREACHED*/ 6680 #endif 6681 } 6682 inst->regno = regno; 6683 s = new_stmt(BPF_ST); 6684 s->s.k = regno; 6685 sappend(inst->s, s); 6686 6687 return inst; 6688 } 6689 6690 struct block * 6691 gen_relation(code, a0, a1, reversed) 6692 int code; 6693 struct arth *a0, *a1; 6694 int reversed; 6695 { 6696 struct slist *s0, *s1, *s2; 6697 struct block *b, *tmp; 6698 6699 s0 = xfer_to_x(a1); 6700 s1 = xfer_to_a(a0); 6701 if (code == BPF_JEQ) { 6702 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6703 b = new_block(JMP(code)); 6704 sappend(s1, s2); 6705 } 6706 else 6707 b = new_block(BPF_JMP|code|BPF_X); 6708 if (reversed) 6709 gen_not(b); 6710 6711 sappend(s0, s1); 6712 sappend(a1->s, s0); 6713 sappend(a0->s, a1->s); 6714 6715 b->stmts = a0->s; 6716 6717 free_reg(a0->regno); 6718 free_reg(a1->regno); 6719 6720 /* 'and' together protocol checks */ 6721 if (a0->b) { 6722 if (a1->b) { 6723 gen_and(a0->b, tmp = a1->b); 6724 } 6725 else 6726 tmp = a0->b; 6727 } else 6728 tmp = a1->b; 6729 6730 if (tmp) 6731 gen_and(tmp, b); 6732 6733 return b; 6734 } 6735 6736 struct arth * 6737 gen_loadlen() 6738 { 6739 int regno = alloc_reg(); 6740 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6741 struct slist *s; 6742 6743 s = new_stmt(BPF_LD|BPF_LEN); 6744 s->next = new_stmt(BPF_ST); 6745 s->next->s.k = regno; 6746 a->s = s; 6747 a->regno = regno; 6748 6749 return a; 6750 } 6751 6752 struct arth * 6753 gen_loadi(val) 6754 int val; 6755 { 6756 struct arth *a; 6757 struct slist *s; 6758 int reg; 6759 6760 a = (struct arth *)newchunk(sizeof(*a)); 6761 6762 reg = alloc_reg(); 6763 6764 s = new_stmt(BPF_LD|BPF_IMM); 6765 s->s.k = val; 6766 s->next = new_stmt(BPF_ST); 6767 s->next->s.k = reg; 6768 a->s = s; 6769 a->regno = reg; 6770 6771 return a; 6772 } 6773 6774 struct arth * 6775 gen_neg(a) 6776 struct arth *a; 6777 { 6778 struct slist *s; 6779 6780 s = xfer_to_a(a); 6781 sappend(a->s, s); 6782 s = new_stmt(BPF_ALU|BPF_NEG); 6783 s->s.k = 0; 6784 sappend(a->s, s); 6785 s = new_stmt(BPF_ST); 6786 s->s.k = a->regno; 6787 sappend(a->s, s); 6788 6789 return a; 6790 } 6791 6792 struct arth * 6793 gen_arth(code, a0, a1) 6794 int code; 6795 struct arth *a0, *a1; 6796 { 6797 struct slist *s0, *s1, *s2; 6798 6799 s0 = xfer_to_x(a1); 6800 s1 = xfer_to_a(a0); 6801 s2 = new_stmt(BPF_ALU|BPF_X|code); 6802 6803 sappend(s1, s2); 6804 sappend(s0, s1); 6805 sappend(a1->s, s0); 6806 sappend(a0->s, a1->s); 6807 6808 free_reg(a0->regno); 6809 free_reg(a1->regno); 6810 6811 s0 = new_stmt(BPF_ST); 6812 a0->regno = s0->s.k = alloc_reg(); 6813 sappend(a0->s, s0); 6814 6815 return a0; 6816 } 6817 6818 /* 6819 * Here we handle simple allocation of the scratch registers. 6820 * If too many registers are alloc'd, the allocator punts. 6821 */ 6822 static int regused[BPF_MEMWORDS]; 6823 static int curreg; 6824 6825 /* 6826 * Initialize the table of used registers and the current register. 6827 */ 6828 static void 6829 init_regs() 6830 { 6831 curreg = 0; 6832 memset(regused, 0, sizeof regused); 6833 } 6834 6835 /* 6836 * Return the next free register. 6837 */ 6838 static int 6839 alloc_reg() 6840 { 6841 int n = BPF_MEMWORDS; 6842 6843 while (--n >= 0) { 6844 if (regused[curreg]) 6845 curreg = (curreg + 1) % BPF_MEMWORDS; 6846 else { 6847 regused[curreg] = 1; 6848 return curreg; 6849 } 6850 } 6851 bpf_error("too many registers needed to evaluate expression"); 6852 /* NOTREACHED */ 6853 return 0; 6854 } 6855 6856 /* 6857 * Return a register to the table so it can 6858 * be used later. 6859 */ 6860 static void 6861 free_reg(n) 6862 int n; 6863 { 6864 regused[n] = 0; 6865 } 6866 6867 static struct block * 6868 gen_len(jmp, n) 6869 int jmp, n; 6870 { 6871 struct slist *s; 6872 struct block *b; 6873 6874 s = new_stmt(BPF_LD|BPF_LEN); 6875 b = new_block(JMP(jmp)); 6876 b->stmts = s; 6877 b->s.k = n; 6878 6879 return b; 6880 } 6881 6882 struct block * 6883 gen_greater(n) 6884 int n; 6885 { 6886 return gen_len(BPF_JGE, n); 6887 } 6888 6889 /* 6890 * Actually, this is less than or equal. 6891 */ 6892 struct block * 6893 gen_less(n) 6894 int n; 6895 { 6896 struct block *b; 6897 6898 b = gen_len(BPF_JGT, n); 6899 gen_not(b); 6900 6901 return b; 6902 } 6903 6904 /* 6905 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6906 * the beginning of the link-layer header. 6907 * XXX - that means you can't test values in the radiotap header, but 6908 * as that header is difficult if not impossible to parse generally 6909 * without a loop, that might not be a severe problem. A new keyword 6910 * "radio" could be added for that, although what you'd really want 6911 * would be a way of testing particular radio header values, which 6912 * would generate code appropriate to the radio header in question. 6913 */ 6914 struct block * 6915 gen_byteop(op, idx, val) 6916 int op, idx, val; 6917 { 6918 struct block *b; 6919 struct slist *s; 6920 6921 switch (op) { 6922 default: 6923 abort(); 6924 6925 case '=': 6926 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6927 6928 case '<': 6929 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6930 return b; 6931 6932 case '>': 6933 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6934 return b; 6935 6936 case '|': 6937 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 6938 break; 6939 6940 case '&': 6941 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 6942 break; 6943 } 6944 s->s.k = val; 6945 b = new_block(JMP(BPF_JEQ)); 6946 b->stmts = s; 6947 gen_not(b); 6948 6949 return b; 6950 } 6951 6952 static u_char abroadcast[] = { 0x0 }; 6953 6954 struct block * 6955 gen_broadcast(proto) 6956 int proto; 6957 { 6958 bpf_u_int32 hostmask; 6959 struct block *b0, *b1, *b2; 6960 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 6961 6962 switch (proto) { 6963 6964 case Q_DEFAULT: 6965 case Q_LINK: 6966 switch (linktype) { 6967 case DLT_ARCNET: 6968 case DLT_ARCNET_LINUX: 6969 return gen_ahostop(abroadcast, Q_DST); 6970 case DLT_EN10MB: 6971 return gen_ehostop(ebroadcast, Q_DST); 6972 case DLT_FDDI: 6973 return gen_fhostop(ebroadcast, Q_DST); 6974 case DLT_IEEE802: 6975 return gen_thostop(ebroadcast, Q_DST); 6976 case DLT_IEEE802_11: 6977 case DLT_PRISM_HEADER: 6978 case DLT_IEEE802_11_RADIO_AVS: 6979 case DLT_IEEE802_11_RADIO: 6980 case DLT_PPI: 6981 return gen_wlanhostop(ebroadcast, Q_DST); 6982 case DLT_IP_OVER_FC: 6983 return gen_ipfchostop(ebroadcast, Q_DST); 6984 case DLT_SUNATM: 6985 if (is_lane) { 6986 /* 6987 * Check that the packet doesn't begin with an 6988 * LE Control marker. (We've already generated 6989 * a test for LANE.) 6990 */ 6991 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6992 BPF_H, 0xFF00); 6993 gen_not(b1); 6994 6995 /* 6996 * Now check the MAC address. 6997 */ 6998 b0 = gen_ehostop(ebroadcast, Q_DST); 6999 gen_and(b1, b0); 7000 return b0; 7001 } 7002 break; 7003 default: 7004 bpf_error("not a broadcast link"); 7005 } 7006 break; 7007 7008 case Q_IP: 7009 b0 = gen_linktype(ETHERTYPE_IP); 7010 hostmask = ~netmask; 7011 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7012 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7013 (bpf_int32)(~0 & hostmask), hostmask); 7014 gen_or(b1, b2); 7015 gen_and(b0, b2); 7016 return b2; 7017 } 7018 bpf_error("only link-layer/IP broadcast filters supported"); 7019 /* NOTREACHED */ 7020 return NULL; 7021 } 7022 7023 /* 7024 * Generate code to test the low-order bit of a MAC address (that's 7025 * the bottom bit of the *first* byte). 7026 */ 7027 static struct block * 7028 gen_mac_multicast(offset) 7029 int offset; 7030 { 7031 register struct block *b0; 7032 register struct slist *s; 7033 7034 /* link[offset] & 1 != 0 */ 7035 s = gen_load_a(OR_LINK, offset, BPF_B); 7036 b0 = new_block(JMP(BPF_JSET)); 7037 b0->s.k = 1; 7038 b0->stmts = s; 7039 return b0; 7040 } 7041 7042 struct block * 7043 gen_multicast(proto) 7044 int proto; 7045 { 7046 register struct block *b0, *b1, *b2; 7047 register struct slist *s; 7048 7049 switch (proto) { 7050 7051 case Q_DEFAULT: 7052 case Q_LINK: 7053 switch (linktype) { 7054 case DLT_ARCNET: 7055 case DLT_ARCNET_LINUX: 7056 /* all ARCnet multicasts use the same address */ 7057 return gen_ahostop(abroadcast, Q_DST); 7058 case DLT_EN10MB: 7059 /* ether[0] & 1 != 0 */ 7060 return gen_mac_multicast(0); 7061 case DLT_FDDI: 7062 /* 7063 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7064 * 7065 * XXX - was that referring to bit-order issues? 7066 */ 7067 /* fddi[1] & 1 != 0 */ 7068 return gen_mac_multicast(1); 7069 case DLT_IEEE802: 7070 /* tr[2] & 1 != 0 */ 7071 return gen_mac_multicast(2); 7072 case DLT_IEEE802_11: 7073 case DLT_PRISM_HEADER: 7074 case DLT_IEEE802_11_RADIO_AVS: 7075 case DLT_IEEE802_11_RADIO: 7076 case DLT_PPI: 7077 /* 7078 * Oh, yuk. 7079 * 7080 * For control frames, there is no DA. 7081 * 7082 * For management frames, DA is at an 7083 * offset of 4 from the beginning of 7084 * the packet. 7085 * 7086 * For data frames, DA is at an offset 7087 * of 4 from the beginning of the packet 7088 * if To DS is clear and at an offset of 7089 * 16 from the beginning of the packet 7090 * if To DS is set. 7091 */ 7092 7093 /* 7094 * Generate the tests to be done for data frames. 7095 * 7096 * First, check for To DS set, i.e. "link[1] & 0x01". 7097 */ 7098 s = gen_load_a(OR_LINK, 1, BPF_B); 7099 b1 = new_block(JMP(BPF_JSET)); 7100 b1->s.k = 0x01; /* To DS */ 7101 b1->stmts = s; 7102 7103 /* 7104 * If To DS is set, the DA is at 16. 7105 */ 7106 b0 = gen_mac_multicast(16); 7107 gen_and(b1, b0); 7108 7109 /* 7110 * Now, check for To DS not set, i.e. check 7111 * "!(link[1] & 0x01)". 7112 */ 7113 s = gen_load_a(OR_LINK, 1, BPF_B); 7114 b2 = new_block(JMP(BPF_JSET)); 7115 b2->s.k = 0x01; /* To DS */ 7116 b2->stmts = s; 7117 gen_not(b2); 7118 7119 /* 7120 * If To DS is not set, the DA is at 4. 7121 */ 7122 b1 = gen_mac_multicast(4); 7123 gen_and(b2, b1); 7124 7125 /* 7126 * Now OR together the last two checks. That gives 7127 * the complete set of checks for data frames. 7128 */ 7129 gen_or(b1, b0); 7130 7131 /* 7132 * Now check for a data frame. 7133 * I.e, check "link[0] & 0x08". 7134 */ 7135 s = gen_load_a(OR_LINK, 0, BPF_B); 7136 b1 = new_block(JMP(BPF_JSET)); 7137 b1->s.k = 0x08; 7138 b1->stmts = s; 7139 7140 /* 7141 * AND that with the checks done for data frames. 7142 */ 7143 gen_and(b1, b0); 7144 7145 /* 7146 * If the high-order bit of the type value is 0, this 7147 * is a management frame. 7148 * I.e, check "!(link[0] & 0x08)". 7149 */ 7150 s = gen_load_a(OR_LINK, 0, BPF_B); 7151 b2 = new_block(JMP(BPF_JSET)); 7152 b2->s.k = 0x08; 7153 b2->stmts = s; 7154 gen_not(b2); 7155 7156 /* 7157 * For management frames, the DA is at 4. 7158 */ 7159 b1 = gen_mac_multicast(4); 7160 gen_and(b2, b1); 7161 7162 /* 7163 * OR that with the checks done for data frames. 7164 * That gives the checks done for management and 7165 * data frames. 7166 */ 7167 gen_or(b1, b0); 7168 7169 /* 7170 * If the low-order bit of the type value is 1, 7171 * this is either a control frame or a frame 7172 * with a reserved type, and thus not a 7173 * frame with an SA. 7174 * 7175 * I.e., check "!(link[0] & 0x04)". 7176 */ 7177 s = gen_load_a(OR_LINK, 0, BPF_B); 7178 b1 = new_block(JMP(BPF_JSET)); 7179 b1->s.k = 0x04; 7180 b1->stmts = s; 7181 gen_not(b1); 7182 7183 /* 7184 * AND that with the checks for data and management 7185 * frames. 7186 */ 7187 gen_and(b1, b0); 7188 return b0; 7189 case DLT_IP_OVER_FC: 7190 b0 = gen_mac_multicast(2); 7191 return b0; 7192 case DLT_SUNATM: 7193 if (is_lane) { 7194 /* 7195 * Check that the packet doesn't begin with an 7196 * LE Control marker. (We've already generated 7197 * a test for LANE.) 7198 */ 7199 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7200 BPF_H, 0xFF00); 7201 gen_not(b1); 7202 7203 /* ether[off_mac] & 1 != 0 */ 7204 b0 = gen_mac_multicast(off_mac); 7205 gen_and(b1, b0); 7206 return b0; 7207 } 7208 break; 7209 default: 7210 break; 7211 } 7212 /* Link not known to support multicasts */ 7213 break; 7214 7215 case Q_IP: 7216 b0 = gen_linktype(ETHERTYPE_IP); 7217 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7218 gen_and(b0, b1); 7219 return b1; 7220 7221 #ifdef INET6 7222 case Q_IPV6: 7223 b0 = gen_linktype(ETHERTYPE_IPV6); 7224 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7225 gen_and(b0, b1); 7226 return b1; 7227 #endif /* INET6 */ 7228 } 7229 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7230 /* NOTREACHED */ 7231 return NULL; 7232 } 7233 7234 /* 7235 * generate command for inbound/outbound. It's here so we can 7236 * make it link-type specific. 'dir' = 0 implies "inbound", 7237 * = 1 implies "outbound". 7238 */ 7239 struct block * 7240 gen_inbound(dir) 7241 int dir; 7242 { 7243 register struct block *b0; 7244 7245 /* 7246 * Only some data link types support inbound/outbound qualifiers. 7247 */ 7248 switch (linktype) { 7249 case DLT_SLIP: 7250 b0 = gen_relation(BPF_JEQ, 7251 gen_load(Q_LINK, gen_loadi(0), 1), 7252 gen_loadi(0), 7253 dir); 7254 break; 7255 7256 case DLT_LINUX_SLL: 7257 if (dir) { 7258 /* 7259 * Match packets sent by this machine. 7260 */ 7261 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7262 } else { 7263 /* 7264 * Match packets sent to this machine. 7265 * (No broadcast or multicast packets, or 7266 * packets sent to some other machine and 7267 * received promiscuously.) 7268 * 7269 * XXX - packets sent to other machines probably 7270 * shouldn't be matched, but what about broadcast 7271 * or multicast packets we received? 7272 */ 7273 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7274 } 7275 break; 7276 7277 #ifdef HAVE_NET_PFVAR_H 7278 case DLT_PFLOG: 7279 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7280 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7281 break; 7282 #endif 7283 7284 case DLT_PPP_PPPD: 7285 if (dir) { 7286 /* match outgoing packets */ 7287 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7288 } else { 7289 /* match incoming packets */ 7290 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7291 } 7292 break; 7293 7294 case DLT_JUNIPER_MFR: 7295 case DLT_JUNIPER_MLFR: 7296 case DLT_JUNIPER_MLPPP: 7297 case DLT_JUNIPER_ATM1: 7298 case DLT_JUNIPER_ATM2: 7299 case DLT_JUNIPER_PPPOE: 7300 case DLT_JUNIPER_PPPOE_ATM: 7301 case DLT_JUNIPER_GGSN: 7302 case DLT_JUNIPER_ES: 7303 case DLT_JUNIPER_MONITOR: 7304 case DLT_JUNIPER_SERVICES: 7305 case DLT_JUNIPER_ETHER: 7306 case DLT_JUNIPER_PPP: 7307 case DLT_JUNIPER_FRELAY: 7308 case DLT_JUNIPER_CHDLC: 7309 case DLT_JUNIPER_VP: 7310 case DLT_JUNIPER_ST: 7311 case DLT_JUNIPER_ISM: 7312 /* juniper flags (including direction) are stored 7313 * the byte after the 3-byte magic number */ 7314 if (dir) { 7315 /* match outgoing packets */ 7316 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7317 } else { 7318 /* match incoming packets */ 7319 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7320 } 7321 break; 7322 7323 default: 7324 bpf_error("inbound/outbound not supported on linktype %d", 7325 linktype); 7326 b0 = NULL; 7327 /* NOTREACHED */ 7328 } 7329 return (b0); 7330 } 7331 7332 #ifdef HAVE_NET_PFVAR_H 7333 /* PF firewall log matched interface */ 7334 struct block * 7335 gen_pf_ifname(const char *ifname) 7336 { 7337 struct block *b0; 7338 u_int len, off; 7339 7340 if (linktype != DLT_PFLOG) { 7341 bpf_error("ifname supported only on PF linktype"); 7342 /* NOTREACHED */ 7343 } 7344 len = sizeof(((struct pfloghdr *)0)->ifname); 7345 off = offsetof(struct pfloghdr, ifname); 7346 if (strlen(ifname) >= len) { 7347 bpf_error("ifname interface names can only be %d characters", 7348 len-1); 7349 /* NOTREACHED */ 7350 } 7351 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7352 return (b0); 7353 } 7354 7355 /* PF firewall log ruleset name */ 7356 struct block * 7357 gen_pf_ruleset(char *ruleset) 7358 { 7359 struct block *b0; 7360 7361 if (linktype != DLT_PFLOG) { 7362 bpf_error("ruleset supported only on PF linktype"); 7363 /* NOTREACHED */ 7364 } 7365 7366 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7367 bpf_error("ruleset names can only be %ld characters", 7368 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7369 /* NOTREACHED */ 7370 } 7371 7372 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7373 strlen(ruleset), (const u_char *)ruleset); 7374 return (b0); 7375 } 7376 7377 /* PF firewall log rule number */ 7378 struct block * 7379 gen_pf_rnr(int rnr) 7380 { 7381 struct block *b0; 7382 7383 if (linktype != DLT_PFLOG) { 7384 bpf_error("rnr supported only on PF linktype"); 7385 /* NOTREACHED */ 7386 } 7387 7388 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7389 (bpf_int32)rnr); 7390 return (b0); 7391 } 7392 7393 /* PF firewall log sub-rule number */ 7394 struct block * 7395 gen_pf_srnr(int srnr) 7396 { 7397 struct block *b0; 7398 7399 if (linktype != DLT_PFLOG) { 7400 bpf_error("srnr supported only on PF linktype"); 7401 /* NOTREACHED */ 7402 } 7403 7404 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7405 (bpf_int32)srnr); 7406 return (b0); 7407 } 7408 7409 /* PF firewall log reason code */ 7410 struct block * 7411 gen_pf_reason(int reason) 7412 { 7413 struct block *b0; 7414 7415 if (linktype != DLT_PFLOG) { 7416 bpf_error("reason supported only on PF linktype"); 7417 /* NOTREACHED */ 7418 } 7419 7420 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7421 (bpf_int32)reason); 7422 return (b0); 7423 } 7424 7425 /* PF firewall log action */ 7426 struct block * 7427 gen_pf_action(int action) 7428 { 7429 struct block *b0; 7430 7431 if (linktype != DLT_PFLOG) { 7432 bpf_error("action supported only on PF linktype"); 7433 /* NOTREACHED */ 7434 } 7435 7436 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7437 (bpf_int32)action); 7438 return (b0); 7439 } 7440 #else /* !HAVE_NET_PFVAR_H */ 7441 struct block * 7442 gen_pf_ifname(const char *ifname) 7443 { 7444 bpf_error("libpcap was compiled without pf support"); 7445 /* NOTREACHED */ 7446 return (NULL); 7447 } 7448 7449 struct block * 7450 gen_pf_ruleset(char *ruleset) 7451 { 7452 bpf_error("libpcap was compiled on a machine without pf support"); 7453 /* NOTREACHED */ 7454 return (NULL); 7455 } 7456 7457 struct block * 7458 gen_pf_rnr(int rnr) 7459 { 7460 bpf_error("libpcap was compiled on a machine without pf support"); 7461 /* NOTREACHED */ 7462 return (NULL); 7463 } 7464 7465 struct block * 7466 gen_pf_srnr(int srnr) 7467 { 7468 bpf_error("libpcap was compiled on a machine without pf support"); 7469 /* NOTREACHED */ 7470 return (NULL); 7471 } 7472 7473 struct block * 7474 gen_pf_reason(int reason) 7475 { 7476 bpf_error("libpcap was compiled on a machine without pf support"); 7477 /* NOTREACHED */ 7478 return (NULL); 7479 } 7480 7481 struct block * 7482 gen_pf_action(int action) 7483 { 7484 bpf_error("libpcap was compiled on a machine without pf support"); 7485 /* NOTREACHED */ 7486 return (NULL); 7487 } 7488 #endif /* HAVE_NET_PFVAR_H */ 7489 7490 /* IEEE 802.11 wireless header */ 7491 struct block * 7492 gen_p80211_type(int type, int mask) 7493 { 7494 struct block *b0; 7495 7496 switch (linktype) { 7497 7498 case DLT_IEEE802_11: 7499 case DLT_PRISM_HEADER: 7500 case DLT_IEEE802_11_RADIO_AVS: 7501 case DLT_IEEE802_11_RADIO: 7502 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7503 (bpf_int32)mask); 7504 break; 7505 7506 default: 7507 bpf_error("802.11 link-layer types supported only on 802.11"); 7508 /* NOTREACHED */ 7509 } 7510 7511 return (b0); 7512 } 7513 7514 struct block * 7515 gen_p80211_fcdir(int fcdir) 7516 { 7517 struct block *b0; 7518 7519 switch (linktype) { 7520 7521 case DLT_IEEE802_11: 7522 case DLT_PRISM_HEADER: 7523 case DLT_IEEE802_11_RADIO_AVS: 7524 case DLT_IEEE802_11_RADIO: 7525 break; 7526 7527 default: 7528 bpf_error("frame direction supported only with 802.11 headers"); 7529 /* NOTREACHED */ 7530 } 7531 7532 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7533 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7534 7535 return (b0); 7536 } 7537 7538 struct block * 7539 gen_acode(eaddr, q) 7540 register const u_char *eaddr; 7541 struct qual q; 7542 { 7543 switch (linktype) { 7544 7545 case DLT_ARCNET: 7546 case DLT_ARCNET_LINUX: 7547 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7548 q.proto == Q_LINK) 7549 return (gen_ahostop(eaddr, (int)q.dir)); 7550 else { 7551 bpf_error("ARCnet address used in non-arc expression"); 7552 /* NOTREACHED */ 7553 } 7554 break; 7555 7556 default: 7557 bpf_error("aid supported only on ARCnet"); 7558 /* NOTREACHED */ 7559 } 7560 bpf_error("ARCnet address used in non-arc expression"); 7561 /* NOTREACHED */ 7562 return NULL; 7563 } 7564 7565 static struct block * 7566 gen_ahostop(eaddr, dir) 7567 register const u_char *eaddr; 7568 register int dir; 7569 { 7570 register struct block *b0, *b1; 7571 7572 switch (dir) { 7573 /* src comes first, different from Ethernet */ 7574 case Q_SRC: 7575 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7576 7577 case Q_DST: 7578 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7579 7580 case Q_AND: 7581 b0 = gen_ahostop(eaddr, Q_SRC); 7582 b1 = gen_ahostop(eaddr, Q_DST); 7583 gen_and(b0, b1); 7584 return b1; 7585 7586 case Q_DEFAULT: 7587 case Q_OR: 7588 b0 = gen_ahostop(eaddr, Q_SRC); 7589 b1 = gen_ahostop(eaddr, Q_DST); 7590 gen_or(b0, b1); 7591 return b1; 7592 } 7593 abort(); 7594 /* NOTREACHED */ 7595 } 7596 7597 /* 7598 * support IEEE 802.1Q VLAN trunk over ethernet 7599 */ 7600 struct block * 7601 gen_vlan(vlan_num) 7602 int vlan_num; 7603 { 7604 struct block *b0, *b1; 7605 7606 /* can't check for VLAN-encapsulated packets inside MPLS */ 7607 if (label_stack_depth > 0) 7608 bpf_error("no VLAN match after MPLS"); 7609 7610 /* 7611 * Check for a VLAN packet, and then change the offsets to point 7612 * to the type and data fields within the VLAN packet. Just 7613 * increment the offsets, so that we can support a hierarchy, e.g. 7614 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7615 * VLAN 100. 7616 * 7617 * XXX - this is a bit of a kludge. If we were to split the 7618 * compiler into a parser that parses an expression and 7619 * generates an expression tree, and a code generator that 7620 * takes an expression tree (which could come from our 7621 * parser or from some other parser) and generates BPF code, 7622 * we could perhaps make the offsets parameters of routines 7623 * and, in the handler for an "AND" node, pass to subnodes 7624 * other than the VLAN node the adjusted offsets. 7625 * 7626 * This would mean that "vlan" would, instead of changing the 7627 * behavior of *all* tests after it, change only the behavior 7628 * of tests ANDed with it. That would change the documented 7629 * semantics of "vlan", which might break some expressions. 7630 * However, it would mean that "(vlan and ip) or ip" would check 7631 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7632 * checking only for VLAN-encapsulated IP, so that could still 7633 * be considered worth doing; it wouldn't break expressions 7634 * that are of the form "vlan and ..." or "vlan N and ...", 7635 * which I suspect are the most common expressions involving 7636 * "vlan". "vlan or ..." doesn't necessarily do what the user 7637 * would really want, now, as all the "or ..." tests would 7638 * be done assuming a VLAN, even though the "or" could be viewed 7639 * as meaning "or, if this isn't a VLAN packet...". 7640 */ 7641 orig_nl = off_nl; 7642 7643 switch (linktype) { 7644 7645 case DLT_EN10MB: 7646 /* check for VLAN */ 7647 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7648 (bpf_int32)ETHERTYPE_8021Q); 7649 7650 /* If a specific VLAN is requested, check VLAN id */ 7651 if (vlan_num >= 0) { 7652 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7653 (bpf_int32)vlan_num, 0x0fff); 7654 gen_and(b0, b1); 7655 b0 = b1; 7656 } 7657 7658 off_macpl += 4; 7659 off_linktype += 4; 7660 #if 0 7661 off_nl_nosnap += 4; 7662 off_nl += 4; 7663 #endif 7664 break; 7665 7666 default: 7667 bpf_error("no VLAN support for data link type %d", 7668 linktype); 7669 /*NOTREACHED*/ 7670 } 7671 7672 return (b0); 7673 } 7674 7675 /* 7676 * support for MPLS 7677 */ 7678 struct block * 7679 gen_mpls(label_num) 7680 int label_num; 7681 { 7682 struct block *b0,*b1; 7683 7684 /* 7685 * Change the offsets to point to the type and data fields within 7686 * the MPLS packet. Just increment the offsets, so that we 7687 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7688 * capture packets with an outer label of 100000 and an inner 7689 * label of 1024. 7690 * 7691 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7692 */ 7693 orig_nl = off_nl; 7694 7695 if (label_stack_depth > 0) { 7696 /* just match the bottom-of-stack bit clear */ 7697 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7698 } else { 7699 /* 7700 * Indicate that we're checking MPLS-encapsulated headers, 7701 * to make sure higher level code generators don't try to 7702 * match against IP-related protocols such as Q_ARP, Q_RARP 7703 * etc. 7704 */ 7705 switch (linktype) { 7706 7707 case DLT_C_HDLC: /* fall through */ 7708 case DLT_EN10MB: 7709 b0 = gen_linktype(ETHERTYPE_MPLS); 7710 break; 7711 7712 case DLT_PPP: 7713 b0 = gen_linktype(PPP_MPLS_UCAST); 7714 break; 7715 7716 /* FIXME add other DLT_s ... 7717 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7718 * leave it for now */ 7719 7720 default: 7721 bpf_error("no MPLS support for data link type %d", 7722 linktype); 7723 b0 = NULL; 7724 /*NOTREACHED*/ 7725 break; 7726 } 7727 } 7728 7729 /* If a specific MPLS label is requested, check it */ 7730 if (label_num >= 0) { 7731 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7732 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 7733 0xfffff000); /* only compare the first 20 bits */ 7734 gen_and(b0, b1); 7735 b0 = b1; 7736 } 7737 7738 off_nl_nosnap += 4; 7739 off_nl += 4; 7740 label_stack_depth++; 7741 return (b0); 7742 } 7743 7744 /* 7745 * Support PPPOE discovery and session. 7746 */ 7747 struct block * 7748 gen_pppoed() 7749 { 7750 /* check for PPPoE discovery */ 7751 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 7752 } 7753 7754 struct block * 7755 gen_pppoes() 7756 { 7757 struct block *b0; 7758 7759 /* 7760 * Test against the PPPoE session link-layer type. 7761 */ 7762 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 7763 7764 /* 7765 * Change the offsets to point to the type and data fields within 7766 * the PPP packet, and note that this is PPPoE rather than 7767 * raw PPP. 7768 * 7769 * XXX - this is a bit of a kludge. If we were to split the 7770 * compiler into a parser that parses an expression and 7771 * generates an expression tree, and a code generator that 7772 * takes an expression tree (which could come from our 7773 * parser or from some other parser) and generates BPF code, 7774 * we could perhaps make the offsets parameters of routines 7775 * and, in the handler for an "AND" node, pass to subnodes 7776 * other than the PPPoE node the adjusted offsets. 7777 * 7778 * This would mean that "pppoes" would, instead of changing the 7779 * behavior of *all* tests after it, change only the behavior 7780 * of tests ANDed with it. That would change the documented 7781 * semantics of "pppoes", which might break some expressions. 7782 * However, it would mean that "(pppoes and ip) or ip" would check 7783 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7784 * checking only for VLAN-encapsulated IP, so that could still 7785 * be considered worth doing; it wouldn't break expressions 7786 * that are of the form "pppoes and ..." which I suspect are the 7787 * most common expressions involving "pppoes". "pppoes or ..." 7788 * doesn't necessarily do what the user would really want, now, 7789 * as all the "or ..." tests would be done assuming PPPoE, even 7790 * though the "or" could be viewed as meaning "or, if this isn't 7791 * a PPPoE packet...". 7792 */ 7793 orig_linktype = off_linktype; /* save original values */ 7794 orig_nl = off_nl; 7795 is_pppoes = 1; 7796 7797 /* 7798 * The "network-layer" protocol is PPPoE, which has a 6-byte 7799 * PPPoE header, followed by a PPP packet. 7800 * 7801 * There is no HDLC encapsulation for the PPP packet (it's 7802 * encapsulated in PPPoES instead), so the link-layer type 7803 * starts at the first byte of the PPP packet. For PPPoE, 7804 * that offset is relative to the beginning of the total 7805 * link-layer payload, including any 802.2 LLC header, so 7806 * it's 6 bytes past off_nl. 7807 */ 7808 off_linktype = off_nl + 6; 7809 7810 /* 7811 * The network-layer offsets are relative to the beginning 7812 * of the MAC-layer payload; that's past the 6-byte 7813 * PPPoE header and the 2-byte PPP header. 7814 */ 7815 off_nl = 6+2; 7816 off_nl_nosnap = 6+2; 7817 7818 return b0; 7819 } 7820 7821 struct block * 7822 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7823 int atmfield; 7824 bpf_int32 jvalue; 7825 bpf_u_int32 jtype; 7826 int reverse; 7827 { 7828 struct block *b0; 7829 7830 switch (atmfield) { 7831 7832 case A_VPI: 7833 if (!is_atm) 7834 bpf_error("'vpi' supported only on raw ATM"); 7835 if (off_vpi == (u_int)-1) 7836 abort(); 7837 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 7838 reverse, jvalue); 7839 break; 7840 7841 case A_VCI: 7842 if (!is_atm) 7843 bpf_error("'vci' supported only on raw ATM"); 7844 if (off_vci == (u_int)-1) 7845 abort(); 7846 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 7847 reverse, jvalue); 7848 break; 7849 7850 case A_PROTOTYPE: 7851 if (off_proto == (u_int)-1) 7852 abort(); /* XXX - this isn't on FreeBSD */ 7853 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 7854 reverse, jvalue); 7855 break; 7856 7857 case A_MSGTYPE: 7858 if (off_payload == (u_int)-1) 7859 abort(); 7860 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 7861 0xffffffff, jtype, reverse, jvalue); 7862 break; 7863 7864 case A_CALLREFTYPE: 7865 if (!is_atm) 7866 bpf_error("'callref' supported only on raw ATM"); 7867 if (off_proto == (u_int)-1) 7868 abort(); 7869 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 7870 jtype, reverse, jvalue); 7871 break; 7872 7873 default: 7874 abort(); 7875 } 7876 return b0; 7877 } 7878 7879 struct block * 7880 gen_atmtype_abbrev(type) 7881 int type; 7882 { 7883 struct block *b0, *b1; 7884 7885 switch (type) { 7886 7887 case A_METAC: 7888 /* Get all packets in Meta signalling Circuit */ 7889 if (!is_atm) 7890 bpf_error("'metac' supported only on raw ATM"); 7891 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7892 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 7893 gen_and(b0, b1); 7894 break; 7895 7896 case A_BCC: 7897 /* Get all packets in Broadcast Circuit*/ 7898 if (!is_atm) 7899 bpf_error("'bcc' supported only on raw ATM"); 7900 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7901 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 7902 gen_and(b0, b1); 7903 break; 7904 7905 case A_OAMF4SC: 7906 /* Get all cells in Segment OAM F4 circuit*/ 7907 if (!is_atm) 7908 bpf_error("'oam4sc' supported only on raw ATM"); 7909 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7910 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7911 gen_and(b0, b1); 7912 break; 7913 7914 case A_OAMF4EC: 7915 /* Get all cells in End-to-End OAM F4 Circuit*/ 7916 if (!is_atm) 7917 bpf_error("'oam4ec' supported only on raw ATM"); 7918 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7919 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 7920 gen_and(b0, b1); 7921 break; 7922 7923 case A_SC: 7924 /* Get all packets in connection Signalling Circuit */ 7925 if (!is_atm) 7926 bpf_error("'sc' supported only on raw ATM"); 7927 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7928 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 7929 gen_and(b0, b1); 7930 break; 7931 7932 case A_ILMIC: 7933 /* Get all packets in ILMI Circuit */ 7934 if (!is_atm) 7935 bpf_error("'ilmic' supported only on raw ATM"); 7936 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7937 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 7938 gen_and(b0, b1); 7939 break; 7940 7941 case A_LANE: 7942 /* Get all LANE packets */ 7943 if (!is_atm) 7944 bpf_error("'lane' supported only on raw ATM"); 7945 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 7946 7947 /* 7948 * Arrange that all subsequent tests assume LANE 7949 * rather than LLC-encapsulated packets, and set 7950 * the offsets appropriately for LANE-encapsulated 7951 * Ethernet. 7952 * 7953 * "off_mac" is the offset of the Ethernet header, 7954 * which is 2 bytes past the ATM pseudo-header 7955 * (skipping the pseudo-header and 2-byte LE Client 7956 * field). The other offsets are Ethernet offsets 7957 * relative to "off_mac". 7958 */ 7959 is_lane = 1; 7960 off_mac = off_payload + 2; /* MAC header */ 7961 off_linktype = off_mac + 12; 7962 off_macpl = off_mac + 14; /* Ethernet */ 7963 off_nl = 0; /* Ethernet II */ 7964 off_nl_nosnap = 3; /* 802.3+802.2 */ 7965 break; 7966 7967 case A_LLC: 7968 /* Get all LLC-encapsulated packets */ 7969 if (!is_atm) 7970 bpf_error("'llc' supported only on raw ATM"); 7971 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 7972 is_lane = 0; 7973 break; 7974 7975 default: 7976 abort(); 7977 } 7978 return b1; 7979 } 7980 7981 /* 7982 * Filtering for MTP2 messages based on li value 7983 * FISU, length is null 7984 * LSSU, length is 1 or 2 7985 * MSU, length is 3 or more 7986 */ 7987 struct block * 7988 gen_mtp2type_abbrev(type) 7989 int type; 7990 { 7991 struct block *b0, *b1; 7992 7993 switch (type) { 7994 7995 case M_FISU: 7996 if ( (linktype != DLT_MTP2) && 7997 (linktype != DLT_ERF) && 7998 (linktype != DLT_MTP2_WITH_PHDR) ) 7999 bpf_error("'fisu' supported only on MTP2"); 8000 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8001 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8002 break; 8003 8004 case M_LSSU: 8005 if ( (linktype != DLT_MTP2) && 8006 (linktype != DLT_ERF) && 8007 (linktype != DLT_MTP2_WITH_PHDR) ) 8008 bpf_error("'lssu' supported only on MTP2"); 8009 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8010 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8011 gen_and(b1, b0); 8012 break; 8013 8014 case M_MSU: 8015 if ( (linktype != DLT_MTP2) && 8016 (linktype != DLT_ERF) && 8017 (linktype != DLT_MTP2_WITH_PHDR) ) 8018 bpf_error("'msu' supported only on MTP2"); 8019 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8020 break; 8021 8022 default: 8023 abort(); 8024 } 8025 return b0; 8026 } 8027 8028 struct block * 8029 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8030 int mtp3field; 8031 bpf_u_int32 jvalue; 8032 bpf_u_int32 jtype; 8033 int reverse; 8034 { 8035 struct block *b0; 8036 bpf_u_int32 val1 , val2 , val3; 8037 8038 switch (mtp3field) { 8039 8040 case M_SIO: 8041 if (off_sio == (u_int)-1) 8042 bpf_error("'sio' supported only on SS7"); 8043 /* sio coded on 1 byte so max value 255 */ 8044 if(jvalue > 255) 8045 bpf_error("sio value %u too big; max value = 255", 8046 jvalue); 8047 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8048 (u_int)jtype, reverse, (u_int)jvalue); 8049 break; 8050 8051 case M_OPC: 8052 if (off_opc == (u_int)-1) 8053 bpf_error("'opc' supported only on SS7"); 8054 /* opc coded on 14 bits so max value 16383 */ 8055 if (jvalue > 16383) 8056 bpf_error("opc value %u too big; max value = 16383", 8057 jvalue); 8058 /* the following instructions are made to convert jvalue 8059 * to the form used to write opc in an ss7 message*/ 8060 val1 = jvalue & 0x00003c00; 8061 val1 = val1 >>10; 8062 val2 = jvalue & 0x000003fc; 8063 val2 = val2 <<6; 8064 val3 = jvalue & 0x00000003; 8065 val3 = val3 <<22; 8066 jvalue = val1 + val2 + val3; 8067 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8068 (u_int)jtype, reverse, (u_int)jvalue); 8069 break; 8070 8071 case M_DPC: 8072 if (off_dpc == (u_int)-1) 8073 bpf_error("'dpc' supported only on SS7"); 8074 /* dpc coded on 14 bits so max value 16383 */ 8075 if (jvalue > 16383) 8076 bpf_error("dpc value %u too big; max value = 16383", 8077 jvalue); 8078 /* the following instructions are made to convert jvalue 8079 * to the forme used to write dpc in an ss7 message*/ 8080 val1 = jvalue & 0x000000ff; 8081 val1 = val1 << 24; 8082 val2 = jvalue & 0x00003f00; 8083 val2 = val2 << 8; 8084 jvalue = val1 + val2; 8085 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8086 (u_int)jtype, reverse, (u_int)jvalue); 8087 break; 8088 8089 case M_SLS: 8090 if (off_sls == (u_int)-1) 8091 bpf_error("'sls' supported only on SS7"); 8092 /* sls coded on 4 bits so max value 15 */ 8093 if (jvalue > 15) 8094 bpf_error("sls value %u too big; max value = 15", 8095 jvalue); 8096 /* the following instruction is made to convert jvalue 8097 * to the forme used to write sls in an ss7 message*/ 8098 jvalue = jvalue << 4; 8099 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8100 (u_int)jtype,reverse, (u_int)jvalue); 8101 break; 8102 8103 default: 8104 abort(); 8105 } 8106 return b0; 8107 } 8108 8109 static struct block * 8110 gen_msg_abbrev(type) 8111 int type; 8112 { 8113 struct block *b1; 8114 8115 /* 8116 * Q.2931 signalling protocol messages for handling virtual circuits 8117 * establishment and teardown 8118 */ 8119 switch (type) { 8120 8121 case A_SETUP: 8122 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8123 break; 8124 8125 case A_CALLPROCEED: 8126 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8127 break; 8128 8129 case A_CONNECT: 8130 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8131 break; 8132 8133 case A_CONNECTACK: 8134 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8135 break; 8136 8137 case A_RELEASE: 8138 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8139 break; 8140 8141 case A_RELEASE_DONE: 8142 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8143 break; 8144 8145 default: 8146 abort(); 8147 } 8148 return b1; 8149 } 8150 8151 struct block * 8152 gen_atmmulti_abbrev(type) 8153 int type; 8154 { 8155 struct block *b0, *b1; 8156 8157 switch (type) { 8158 8159 case A_OAM: 8160 if (!is_atm) 8161 bpf_error("'oam' supported only on raw ATM"); 8162 b1 = gen_atmmulti_abbrev(A_OAMF4); 8163 break; 8164 8165 case A_OAMF4: 8166 if (!is_atm) 8167 bpf_error("'oamf4' supported only on raw ATM"); 8168 /* OAM F4 type */ 8169 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8170 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8171 gen_or(b0, b1); 8172 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8173 gen_and(b0, b1); 8174 break; 8175 8176 case A_CONNECTMSG: 8177 /* 8178 * Get Q.2931 signalling messages for switched 8179 * virtual connection 8180 */ 8181 if (!is_atm) 8182 bpf_error("'connectmsg' supported only on raw ATM"); 8183 b0 = gen_msg_abbrev(A_SETUP); 8184 b1 = gen_msg_abbrev(A_CALLPROCEED); 8185 gen_or(b0, b1); 8186 b0 = gen_msg_abbrev(A_CONNECT); 8187 gen_or(b0, b1); 8188 b0 = gen_msg_abbrev(A_CONNECTACK); 8189 gen_or(b0, b1); 8190 b0 = gen_msg_abbrev(A_RELEASE); 8191 gen_or(b0, b1); 8192 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8193 gen_or(b0, b1); 8194 b0 = gen_atmtype_abbrev(A_SC); 8195 gen_and(b0, b1); 8196 break; 8197 8198 case A_METACONNECT: 8199 if (!is_atm) 8200 bpf_error("'metaconnect' supported only on raw ATM"); 8201 b0 = gen_msg_abbrev(A_SETUP); 8202 b1 = gen_msg_abbrev(A_CALLPROCEED); 8203 gen_or(b0, b1); 8204 b0 = gen_msg_abbrev(A_CONNECT); 8205 gen_or(b0, b1); 8206 b0 = gen_msg_abbrev(A_RELEASE); 8207 gen_or(b0, b1); 8208 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8209 gen_or(b0, b1); 8210 b0 = gen_atmtype_abbrev(A_METAC); 8211 gen_and(b0, b1); 8212 break; 8213 8214 default: 8215 abort(); 8216 } 8217 return b1; 8218 } 8219